环境规划
| 主机名 | 内网ip | 外网ip | 网卡模式 | 角色 |
|---|---|---|---|---|
| yfm20 | 172.16.10.190 | 192.168.199.122 | NAT、LAN | Openxxxx-Server |
| yfm22 | 172.16.10.191 | LAN | 内网机器1 | |
| yfm21 | 192.168.199.121 | NAT | Openxxxx-Client | |
| windows | 192.168.0.106 | WIFI | Openxxxx-Client |
软件版本
Linux 安装:openxxxx-2.4.10.tar.gz yum安装 # GitHub地址:https://github.com/Openxxxx/openxxxx
Linux 安装:EasyRSA-3.0.8.tgz # GitHub地址:https://github.com/Openxxxx/easy-rsa
widows安装:openxxxx-install-2.4.8-I601-Win10 # Openxxxx官网
同步时区,可以查看我的其他文章,这里省略
开启转发功能并生效
grep 'net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
iptables配置
必须配置,不需要启动iptables服务
iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
原因:客户端连接xxxx后,默认分配的10.8.0.0/24网段地址,不能直接访问yfm22【172.16.10.0/24网段】,因此需要在iptables进行nat配置。
删除上面的iptables配置信息命令如下。作用:对比正常的访问和异常的访问
iptables -t nat -D POSTROUTING 1
yfm22
[root@yfm22 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="5bcf3708-5794-4000-8837-546343c22ee9"
DEVICE="ens33"
ONBOOT="yes"
IPADDR="172.16.10.191"
NETMASK="255.255.255.0"
HWADDR="00:0c:29:05:d9:8d"
yfm20
2者的uuid注意保持不一致
[root@yfm20 network-scripts]# cat ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="5bcf3708-5794-4000-8837-546343c22ee9"
DEVICE="ens33"
ONBOOT="yes"
IPADDR="192.168.199.120"
NETMASK="255.255.255.0"
GATEWAY="192.168.199.2"
HWADDR="00:0c:29:09:70:42"
[root@yfm20 network-scripts]# cat ifcfg-ens37
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens37"
UUID="5bcf3708-5794-4000-8837-546343c22ee8"
DEVICE="ens37"
ONBOOT="yes"
IPADDR="172.16.10.190"
NETMASK="255.255.255.0"
HWADDR="00:0c:29:09:70:4c"
[root@yfm20 network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.199.120 netmask 255.255.255.0 broadcast 192.168.199.255
inet6 fe80::ca55:13dc:df48:5984 prefixlen 64 scopeid 0x20<link>
inet6 fe80::9eb3:18eb:e154:62ef prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:09:70:42 txqueuelen 1000 (Ethernet)
RX packets 32499 bytes 11777072 (11.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 14289 bytes 1637725 (1.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.10.190 netmask 255.255.255.0 broadcast 172.16.10.255
inet6 fe80::c55d:9012:f081:ef3c prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:09:70:4c txqueuelen 1000 (Ethernet)
RX packets 161 bytes 18962 (18.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 297 bytes 26478 (25.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 2 bytes 178 (178.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 178 (178.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::b150:d36:b025:c80b prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 210 bytes 16464 (16.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 115 bytes 13730 (13.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
安装 Openxxxx及所需工具包
yum -y install openssh-server lzo openssl openssl-devel openxxxx NetworkManager-openxxxx openxxxx-auth-ldap zip unzip
wget https://github.com/Openxxxx/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
tar -zxvf EasyRSA-3.0.8.tgz
cp -a vars.example vars
初始化与创建CA根证书
初始化,会在当前目录创建PKI目录,用于存储一些中间变量及最终生成的证书
[root@yfm20 EasyRSA-3.0.8]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /data/openxxxx/EasyRSA-3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /data/openxxxx/EasyRSA-3.0.8/pki
在这部分需要输入PEM密码 PEM pass phrase,输入两次,此密码必须记住,不然以后不能为证书签名。
还需要输入common name 通用名,如:openvpen,这个你自己随便设置个独一无二的
[root@yfm20 EasyRSA-3.0.8]# ./easyrsa build-ca
Enter New CA Key Passphrase: 123456
Re-Enter New CA Key Passphrase:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:openxxxx
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/data/openxxxx/EasyRSA-3.0.8/pki/ca.crt
生成服务端证书
为服务端生成证书对并在本地签名。nopass参数生成一个无密码的证书
[root@yfm20 EasyRSA-3.0.8]# ./easyrsa build-server-full server nopass
Note: using Easy-RSA configuration from: /data/openxxxx/EasyRSA-3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
............................................+++
会要求输入ca密码123456
创建Diffie-Hellman,确保key穿越不安全网络的命令,时间会有点长,耐心等待
[root@yfm20 EasyRSA-3.0.8]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /data/openxxxx/EasyRSA-3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
生成客户端证书
[root@yfm20 EasyRSA-3.0.8]# ./easyrsa build-client-full client nopass #无密码,实际应用中不推荐,客户端有密码可提高安全性
[root@yfm20 EasyRSA-3.0.8]# ./easyrsa build-client-full zhangsan # 让你输入密码,后续xxxx连接时会使用
[root@yfm20 EasyRSA-3.0.8]# ./easyrsa build-client-full lisi # 让你输入密码,后续xxxx连接时会使用
提高安全性,生成ta.key
加强认证方式,防攻击。如果配置文件中启用此项(默认是启用的),就需要执行上述命令,并把ta.key放到/etc/openxxxx/server目录。配置文件中服务端第二个参数为0,同时客户端也要有此文件,且client.conf中此指令的第二个参数需要为1。【服务端有该配置,那么客户端也必须要有】
[root@yfm20 EasyRSA-3.0.8]# openxxxx --genkey --secret ta.key
整理服务端证书
mkdir -p /etc/openxxxx/server/
cp -a pki/ca.crt /etc/openxxxx/server/
cp -a pki/private/server.key /etc/openxxxx/server/
cp -a pki/issued/server.crt /etc/openxxxx/server/
cp -a pki/dh.pem /etc/openxxxx/server/
cp -a ta.key /etc/openxxxx/server/
服务端配置文件
cp /usr/share/doc/openxxxx-2.4.10/sample/sample-config-files/server.conf /etc/openxxxx/server/
cat /etc/openxxxx/server/server.conf
local 0.0.0.0
port 1194
proto tcp
dev tun
ca /etc/openxxxx/server/ca.crt
cert /etc/openxxxx/server/server.crt
key /etc/openxxxx/server/server.key
dh /etc/openxxxx/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.10.0 255.255.255.0"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth /etc/openxxxx/server/ta.key 0
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
;comp-lzo
max-clients 1000
user nobody
group nobody
persist-key
persist-tun
status openxxxx-status.log
log /var/log/openxxxx.log
verb 3
;explicit-exit-notify 1
启动openxxxx服务并查看进程与端口
/usr/sbin/openxxxx --daemon --config /etc/openxxxx/server/server.conf
[root@yfm20 network-scripts]# netstat -lntup|grep 1194
tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 11658/openxxxx
[root@yfm20 network-scripts]# ps -ef | grep 'open'
root 5855 5849 0 19:19 ? 00:00:00 /usr/libexec/openssh/sftp-server
root 5875 5871 0 19:19 ? 00:00:00 /usr/libexec/openssh/sftp-server
nobody 11658 1 0 21:00 ? 00:00:00 /usr/sbin/openxxxx --daemon --config /etc/openxxxx/server/server.conf
root 18967 11609 0 23:13 pts/0 00:00:00 grep --color=auto open
[root@yfm20 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.199.120 netmask 255.255.255.0 broadcast 192.168.199.255
inet6 fe80::ca55:13dc:df48:5984 prefixlen 64 scopeid 0x20<link>
inet6 fe80::cc2d:fb46:95cf:897e prefixlen 64 scopeid 0x20<link>
inet6 fe80::9eb3:18eb:e154:62ef prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:09:70:42 txqueuelen 1000 (Ethernet)
RX packets 23087 bytes 10263186 (9.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10475 bytes 1225852 (1.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.10.190 netmask 255.255.255.0 broadcast 172.16.10.255
inet6 fe80::c55d:9012:f081:ef3c prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:09:70:4c txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 50 bytes 3826 (3.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::b150:d36:b025:c80b prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 96 (96.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
windows客户端配置
注意路径,在Openxxxx/config目录下建立了client、zhangsan目录
ca.crt、client.crt、client.key、ta.key都是之前创建好的,只有client.oxxxx需要单独下载并修改。
ca.crt、zhangsan.crt、zhangsan.key、ta.key都是之前创建好的,只有zhangsan.oxxxx需要单独下载并修改
zhangsan.oxxxx
client
dev tun
proto tcp
remote 192.168.199.120 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
cert zhangsan.crt
key zhangsan.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
compress lz4-v2
verb 3
;mute 20
client.oxxxx
client
dev tun
proto tcp
remote 192.168.199.120 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
compress lz4-v2
verb 3
;mute 20
连接client用户,之前生成客户端证书的时候,加上 nopass 参数,因此直接连接无需输入密码。如果连接的是用户zhangsan,则需要输入密码123456。
验证测试
yum install -y tcpdump
[root@yfm20 network-scripts]# tcpdump -nnn -s 10000
linux客户端配置
yum -y install openssh-server lzo openssl openssl-devel openxxxx NetworkManager-openxxxx openxxxx-auth-ldap zip unzip
cd /etc/openxxxx/
mkdir lisi
cd lisi/
scp root@192.168.199.120:/data/openxxxx/EasyRSA-3.0.8/pki/ca.crt .
scp root@192.168.199.120:/data/openxxxx/EasyRSA-3.0.8/ta.key .
scp root@192.168.199.120:/data/openxxxx/EasyRSA-3.0.8/pki/private/lisi.key .
scp root@192.168.199.120:/data/openxxxx/EasyRSA-3.0.8/pki/issued/lisi.crt .
vi lisi.conf
client
dev tun
proto tcp
remote 192.168.199.120 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert lisi.crt
key lisi.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
compress lz4-v2
verb 3
;mute 20
[root@yfm09 lisi]# /usr/sbin/openxxxx --daemon --config lisi.conf
[root@yfm09 lisi]#
Broadcast message from root@yfm09 (Thu 2021-04-01 00:02:50 CST):
Password entry required for 'Enter Private Key Password:' (PID 5663).
Please enter password with the systemd-tty-ask-password-agent tool!
systemd-tty-ask-password-agent
Enter Private Key Password:123456
973
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
