LAN-to-LAN over OpenVPN

Site-to-site (LAN-to-LAN) networking with OpenVPN

Overview
The first step in configuring OpenVPN 2.0 is to set up a PKI (public key infrastructure). The PKI consists of:
a certificate (also called the public key) and a private key for the server and for each client;
a Certificate Authority (CA) certificate and private key, used to sign each of the server and client certificates.

Contents:
1. Installation
1.1 Installing lzo
1.2 Installing OpenVPN

2. Setting up the PKI
2.1 Generating the master Certificate Authority (CA) certificate and private key
2.2 Generating the server certificate and private key
2.3 Generating client certificates and private keys
2.4 Generating the Diffie-Hellman parameters
2.5 Key files

3. Configuring OpenVPN
3.1 Sample configuration files
3.2 Writing the server configuration file
3.3 Writing the client configuration file
3.4 Starting and testing the server
3.5 Starting and testing the client
3.6 Revoking a client certificate

4. Case study: LAN-to-LAN over OpenVPN
4.1 Network topology
4.2 Network parameters
4.3 Server configuration
4.4 Client configuration
4.5 Testing

5. Discussion: why go to the trouble of configuring OpenVPN instead of just using pptpd?



1. Installation
1.1 Installing lzo (compression support)

wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
tar zxf lzo-2.03.tar.gz
cd lzo-2.03
./configure --prefix=/usr/local/lzo
make && make install

1.2 Installing OpenVPN

wget --no-check-certificate https://openvpn.net/release/openvpn-2.0.9.tar.gz
tar zxf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9/
./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include/ --with-lzo-lib=/usr/local/lzo/lib/
make && make install



2. Setting up the PKI

cp -r /root/openvpn-2.0.9/easy-rsa/ /usr/local/openvpn/
ls /usr/local/openvpn/easy-rsa/

2.0          build-key         build-req       make-crl     revoke-full
build-ca     build-key-pass    build-req-pass  openssl.cnf  sign-req
build-dh     build-key-pkcs12  clean-all       README       vars
build-inter  build-key-server  list-crl        revoke-crt   Windows
// This directory holds a number of programs and scripts; the ones used below are:
vars              script that sets the environment variables the other scripts need
clean-all         script that creates the files and directories needed for generating the CA certificate and key files
build-ca          script that generates the CA certificate (interactive)
build-dh          script that generates the Diffie-Hellman parameter file (interactive)
build-key-server  script that generates the server key and certificate (interactive)
build-key         script that generates a client key and certificate (interactive)
pkitool           script that takes its settings straight from the vars environment and generates certificates directly (non-interactive)

2.1 Generating the master Certificate Authority (CA) certificate and private key
// Edit the vars file, which sets the environment variables; change the values in vars to suit your own setup.

cd /usr/local/openvpn/easy-rsa
vim vars

export KEY_SIZE=1024                 # key length in bits; 1024 is below today's 2048-bit minimum
export KEY_COUNTRY=CN                # two-letter country code
export KEY_PROVINCE=BeiJing          # state or province
export KEY_CITY=BeiJing              # city
export KEY_ORG="test.com"            # organization
export KEY_OU="test.com"             # organizational unit
export KEY_EMAIL="[email protected]"  # your e-mail address

// Once vars has been edited, the CA certificate and key files can be generated.

source ./vars

// Initialise the keys directory: create the files and directories needed for the CA certificate and key files

./clean-all

// Generate the root CA certificate, which signs the server and client certificates

./build-ca

Generating a 1024 bit RSA private key
..................++++++
......................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [test.com]:
Organizational Unit Name (eg, section) []:      # left blank
Common Name (eg, your name or your server's hostname) []:CA      # enter the name, "CA"
Email Address [[email protected]]:
// In the sequence above, most of the prompted parameters default to the values set in the vars file; the only parameter that has to be typed in is the Common Name, which is "CA" in this example
// The files ca.crt and ca.key have now been generated:

ls keys/

ca.crt  ca.key  index.txt  serial

2.2 Generating the server certificate and private key
// Generate the certificate the VPN server will use

./build-key-server server

Generating a 1024 bit RSA private key
....++++++
....................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [test.com]:
Organizational Unit Name (eg, section) []:      # left blank
Common Name (eg, your name or your server's hostname) []:server      # enter the name, "server"
Email Address [[email protected]]:
#
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:      # left blank
An optional company name []:      # left blank
Using configuration from /usr/local/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BeiJing'
localityName          :PRINTABLE:'BeiJing'
organizationName      :PRINTABLE:'test.com'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 29 01:25:35 2022 GMT (3650 days)
Sign the certificate? [y/n]:y      # note: answer y
#
1 out of 1 certificate requests certified, commit? [y/n]y      # note: answer y
Write out database with 1 new entries
Data Base Updated

// "server" is the name you give this certificate; with that name, the certificate files the server will use are server.crt and server.key
// When asked for the Common Name, enter "server"; answer "y" to the other two questions

ls keys/

01.pem  ca.key     index.txt.attr  serial      server.crt  server.key
ca.crt  index.txt  index.txt.old   serial.old  server.csr

2.3 Generating client certificates and private keys

./build-key neta

Generating a 1024 bit RSA private key
.++++++
..............................................++++++
writing new private key to 'neta.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [test.com]:
Organizational Unit Name (eg, section) []:      # left blank
Common Name (eg, your name or your server's hostname) []:neta      # note: the client's unique name
Email Address [[email protected]]:
#
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:      # left blank
An optional company name []:      # left blank
Using configuration from /usr/local/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BeiJing'
localityName          :PRINTABLE:'BeiJing'
organizationName      :PRINTABLE:'test.com'
commonName            :PRINTABLE:'neta'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 29 01:28:01 2022 GMT (3650 days)
Sign the certificate? [y/n]:y      # note: answer y
#
1 out of 1 certificate requests certified, commit? [y/n]y      # note: answer y
Write out database with 1 new entries
Data Base Updated

ls keys/

01.pem  ca.key       neta.key     index.txt.attr.old  serial.old  server.key
02.pem  neta.crt  index.txt       index.txt.old       server.crt
ca.crt  neta.csr  index.txt.attr  serial              server.csr
// Give each client its own Common Name, "neta", "netc" and so on; the point is that every client gets a unique name
// To protect a client's private key with a passphrase, use the build-key-pass script instead of build-key.

2.4 Generating the Diffie-Hellman parameters

./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..............

ls keys/

01.pem  ca.key       neta.key  index.txt.attr      serial      server.csr
02.pem  neta.crt  dh1024.pem   index.txt.attr.old  serial.old  server.key
ca.crt neta.csr  index.txt    index.txt.old       server.crt

2.5 Key files

The private keys and certificates are generated in the keys directory. The files are:
File          Needed by                   Purpose                        Secret
ca.crt        server and all clients      root CA certificate            no
ca.key        key-signing machine only    root CA private key            yes
dh{n}.pem     server only                 Diffie-Hellman parameters      no
server.crt    server only                 server certificate             no
server.key    server only                 server private key             yes
neta.crt      client neta only            client neta's certificate      no
neta.key      client neta only            client neta's private key      yes


3. Configuring OpenVPN

useradd openvpn -s /sbin/nologin
passwd openvpn
mkdir /usr/local/openvpn/etc
cp openvpn-2.0.9/sample-config-files/server.conf /usr/local/openvpn/etc/
chown -R openvpn.openvpn /usr/local/openvpn/
// Note: the recursive chown also hands the openvpn service account the CA private key under easy-rsa/keys; as the table in 2.5 says, ca.key is only needed on the machine that signs certificates.

3.1 Sample configuration files
Use OpenVPN's sample configuration files as the starting point for your own. They are in the sample-config-files directory of the OpenVPN source package; on Linux/BSD/Unix the sample files are server.conf and client.conf.

3.2 Writing the server configuration file
// Edit server.conf with values similar to the following

vim /usr/local/openvpn/etc/server.conf

// awk '! /^#|^$|^ |^;/' /usr/local/openvpn/etc/server.conf   (shows only the active directives)
local 192.168.57.71
port 1194
proto udp
dev tun
ca /usr/local/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/openvpn/easy-rsa/keys/server.crt
key /usr/local/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /usr/local/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /usr/local/openvpn/logs/ipp.txt
keepalive 10 120
comp-lzo
user  openvpn
group openvpn
persist-key
persist-tun
status /usr/local/openvpn/logs/openvpn-status.log
log /usr/local/openvpn/logs/openvpn.log
verb 5

3.3 Writing the client configuration file

The sample client configuration file is client.conf on Linux/BSD/Unix and client.ovpn on Windows; the sample client and server configuration files correspond to each other.

mkdir neta
cp openvpn-2.0.9/sample-config-files/client.conf neta/

// Distribute to the client

cp /usr/local/openvpn/easy-rsa/keys/ca.crt neta/
cp /usr/local/openvpn/easy-rsa/keys/neta.crt neta/
cp /usr/local/openvpn/easy-rsa/keys/neta.key neta/
tar czf neta.tar.gz neta
scp neta.tar.gz [email protected]:/home/dn/


3.4 Starting and testing the server

/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf

// Listening on UDP port 1194

lsof -i :1194

COMMAND   PID    USER   FD   TYPE  DEVICE SIZE NODE NAME
openvpn 16196 openvpn    5u  IPv4 5122558       UDP *:openvpn
// Log

tail -n1 /usr/local/openvpn/logs/openvpn.log

Tue Oct 30 13:36:16 2012 us=798885 Initialization Sequence Completed
// Virtual IP

ip addr show tun0

6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

3.5 Starting and testing the client
3.5.1 On Linux
// Install openvpn (Ubuntu)

apt-get install openvpn

// Unpack the keys and client.conf

tar zxf neta.tar.gz -C /etc/openvpn/

// Edit client.conf with values similar to the following

vim /etc/openvpn/neta/client.conf

// awk '! /^#|^$|^ |^;/' /etc/openvpn/neta/client.conf   (shows only the active directives)
client
dev tun
proto udp
remote 192.168.57.71 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/neta/ca.crt
cert /etc/openvpn/neta/neta.crt
key /etc/openvpn/neta/neta.key
comp-lzo
verb 3
status /var/log/openvpn-status.log
log /var/log/openvpn.log
// As in the server configuration file, edit the ca, cert and key directives to point at the files generated in the PKI section; each client has its own crt/key, and only the ca file is shared between the server and all clients.
// The remote directive points at the server's hostname/IP address and port. Make sure the directives in the client and server configuration files are consistent:
// the main ones to check are dev (tun/tap) and proto (udp/tcp); comp-lzo and fragment (if used) must be present in both the client and the server configuration files.
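A check for the consistency rules just listed, as an added example that is not part of the original post: it reads a server.conf and a client.conf the way the post's awk filter does and reports mismatches in dev, proto, comp-lzo/fragment and the remote port. The two configurations embedded in it are constructed from the post's values.

```python
# Added example (not from the post): check a server.conf against a client.conf with
# the post's rules -- dev and proto must match, comp-lzo/fragment must be on both
# sides or neither, the client's remote port must be the server's port. Configs are
# constructed from the post's values; comp-lzo is commented out on the client.
import shlex

SERVER_CONF = """\
port 1194
proto udp
dev tun
key /usr/local/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
comp-lzo
"""
CLIENT_CONF = """\
dev tun
proto udp
remote 192.168.57.71 1194
ca /etc/openvpn/neta/ca.crt
key /etc/openvpn/neta/neta.key
;comp-lzo
"""

def parse_conf(text):
    """Active directives only, like the post's awk filter (skip blank, '#', ';', ' ' lines)."""
    conf = {}
    for line in text.splitlines():
        if line and line[0] not in "#; ":
            parts = shlex.split(line.split("#", 1)[0])  # drop a trailing comment
            if parts:
                conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def first_arg(conf, directive, default):
    return (conf.get(directive) or [[default]])[0][0]

def check_pair(server_text, client_text):
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    problems = []
    # device type only ("tun" == "tun0"); transport only ("tcp-server" == "tcp-client")
    s_dev, c_dev = (first_arg(c, "dev", "").rstrip("0123456789") for c in (srv, cli))
    if s_dev != c_dev:
        problems.append(f"dev: server '{s_dev}' vs client '{c_dev}'")
    s_proto, c_proto = (first_arg(c, "proto", "udp").split("-")[0] for c in (srv, cli))
    if s_proto != c_proto:
        problems.append(f"proto: server '{s_proto}' vs client '{c_proto}'")
    for d in ("comp-lzo", "fragment"):
        if (d in srv) != (d in cli):
            problems.append(f"{d}: present on only one side")
    s_port = first_arg(srv, "port", "1194")  # 1194 is OpenVPN's default port
    for remote in cli.get("remote", []):
        c_port = remote[1] if len(remote) > 1 else "1194"
        if c_port != s_port:
            problems.append(f"remote {remote[0]}: port {c_port}, server listens on {s_port}")
    return problems
```

Run against the embedded pair it reports only the missing comp-lzo; an empty list means the two files agree on everything the post says to check.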
// Start openvpn

openvpn --daemon --config /etc/openvpn/neta/client.conf

// Log

tail -n1 /var/log/openvpn.log

Wed Oct 31 10:06:46 2012 Initialization Sequence Completed
// Virtual IP

ip addr show tun0

5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.2 peer 10.8.0.1/32 scope global tun0
// ping test

ping -c3 10.8.0.1

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.712 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=0.548 ms
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=0.598 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.548/0.619/0.712/0.071 ms

3.5.2 On Windows
// Install openvpn
Run openvpn-2.0.9-install.exe on Windows
// Configure client.ovpn
Copy ca.crt, neta.crt and neta.key from the keys directory on the VPN server into your install directory, by default the C:\Program Files\OpenVPN\config folder,
then copy C:\Program Files\OpenVPN\sample-config\client.ovpn into the C:\Program Files\OpenVPN\config directory.
Edit client.ovpn:
remote 192.168.57.71 1194
ca ca.crt
cert neta.crt
key neta.key

// Start openvpn
Run -> services.msc -> start the OpenVPN service


// Virtual IP (screenshot in the original post, not reproduced here)

// ping test
C:\Documents and Settings\zm>ping 10.8.0.1

Pinging 10.8.0.1 with 32 bytes of data:

Reply from 10.8.0.1: bytes=32 time=1ms TTL=64
Reply from 10.8.0.1: bytes=32 time=8ms TTL=64
Reply from 10.8.0.1: bytes=32 time=6ms TTL=64
Reply from 10.8.0.1: bytes=32 time=5ms TTL=64

Ping statistics for 10.8.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 8ms, Average = 5ms

3.6 Revoking a client certificate
Authentication between the OpenVPN server and its VPN clients relies mainly on certificates. To bar a user from connecting to the VPN server, simply revoke that user's OpenVPN client certificate.
// Enter the easy-rsa directory

cd /usr/local/openvpn/easy-rsa/

// Load the environment variables

source vars

// Revoke the client certificate

./revoke-full netb

Using configuration from /usr/local/openvpn/easy-rsa/openssl.cnf
Revoking Certificate 03.
Data Base Updated
Using configuration from /usr/local/openvpn/easy-rsa/openssl.cnf
netb.crt: /C=CN/ST=BeiJing/O=test.com/CN=neta/[email protected]
error 23 at 0 depth lookup:certificate revoked
// After a successful revocation a crl.pem file is created in keys/; open keys/index.txt and the revoked certificate's entry is flagged R

tail -n1 keys/index.txt

R    221029013052Z    121101073207Z    03    unknown    /C=CN/ST=BeiJing/O=test.com/CN=netb/[email protected]
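An added example, not code from the original post, for reading the index.txt database shown above: it parses each entry (status, expiry, revocation time, serial, file name, subject DN), reports a certificate's status as the server should see it, and lists revoked serials that a given CRL does not contain. The three entries are constructed from the post's certificates, with a placeholder e-mail address.

```python
# Added example (not from the post): parse the easy-rsa CA database keys/index.txt
# that the post inspects after revoke-full. Each tab-separated entry is: status
# (V valid, R revoked, E expired), expiry (YYMMDDHHMMSSZ), revocation time (empty
# unless revoked), serial, certificate file name ("unknown"), subject DN. The three
# entries below are constructed from the post's certificates with a placeholder e-mail.
from datetime import datetime

INDEX_TXT = (
    "V\t221029012535Z\t\t01\tunknown\t/C=CN/ST=BeiJing/O=test.com/CN=server/emailAddress=user@example.com\n"
    "V\t221029012801Z\t\t02\tunknown\t/C=CN/ST=BeiJing/O=test.com/CN=neta/emailAddress=user@example.com\n"
    "R\t221029013052Z\t121101073207Z\t03\tunknown\t/C=CN/ST=BeiJing/O=test.com/CN=netb/emailAddress=user@example.com\n"
)

def parse_time(stamp):
    """OpenSSL UTCTime, e.g. 121101073207Z -> 2012-11-01 07:32:07 (two-digit year)."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ")

def parse_dn(dn):
    """'/C=CN/ST=BeiJing/CN=neta' -> {'C': 'CN', 'ST': 'BeiJing', 'CN': 'neta'}."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)

def parse_index(text):
    """Return one dict per certificate; malformed lines are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        status, expiry, revoked, serial, _filename, dn = fields
        entries.append({
            "status": status,
            "serial": serial,
            "cn": parse_dn(dn).get("CN"),
            "expires": parse_time(expiry),
            "revoked_at": parse_time(revoked) if revoked else None,
        })
    return entries

def cert_status(entries, serial, now):
    """What the server should conclude about the certificate with this serial."""
    for e in entries:
        if e["serial"] == serial:
            if e["status"] == "R":
                return "revoked"
            return "expired" if e["expires"] <= now else "valid"
    return "unknown"  # never issued from this CA database

def revoked_serials(entries):
    """Serials that crl.pem must list for crl-verify to reject them."""
    return sorted(e["serial"] for e in entries if e["status"] == "R")

def missing_from_crl(entries, crl_serials):
    """Revoked in index.txt but absent from the CRL the server loads: the CRL is
    stale and the revocation has no effect until crl.pem is regenerated."""
    return sorted(set(revoked_serials(entries)) - set(crl_serials))
```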
// Add the crl-verify option to the server: edit server.conf and add the following line:
crl-verify /usr/local/openvpn/easy-rsa/keys/crl.pem

// Restart the OpenVPN server and the revocation takes effect
// openvpn log (the revoked client is rejected during the TLS handshake):
Thu Nov  1 15:52:46 2012 us=703814 192.168.4.157:1853 VERIFY OK: depth=1, /C=CN/ST=BeiJing/L=BeiJing/O=test.com/CN=CA/[email protected]
Thu Nov  1 15:52:46 2012 us=704003 192.168.4.157:1853 CRL CHECK FAILED: /C=CN/ST=BeiJing/O=test.com/CN=netb/[email protected] is REVOKED
Thu Nov  1 15:52:46 2012 us=704075 192.168.4.157:1853 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Thu Nov  1 15:52:46 2012 us=704087 192.168.4.157:1853 TLS Error: TLS object -> incoming plaintext read error
Thu Nov  1 15:52:46 2012 us=704095 192.168.4.157:1853 TLS Error: TLS handshake failed
Thu Nov  1 15:52:46 2012 us=704142 192.168.4.157:1853 SIGUSR1[soft,tls-error] received, client-instance restarting


4. Case study: LAN-to-LAN over OpenVPN
Goal: use an OpenVPN server to connect two LANs across the Internet

4.1 Network topology:
(diagram in the original post, not reproduced here)


4.2 Network parameters:
(Site A) Server (GW1):
        eth0 192.168.57.71/24
        eth1 10.0.100.71/24 (acts as the gateway for LAN1 in this example)
        LAN1: 10.0.100.0/24

(Site B) Client (GW2):
        eth0 192.168.4.35/24
        eth1 10.0.2.35/24 (acts as the gateway for LAN2 in this example)
        LAN2: 10.0.2.0/24


4.3 Server configuration:

// Modified configuration file (active directives only)

awk '! /^#|^$|^ |^;/' /usr/local/openvpn/etc/server.conf.l2l

local 192.168.57.71
port 1194
proto udp
dev tun
ca /usr/local/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/openvpn/easy-rsa/keys/server.crt
key /usr/local/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /usr/local/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /usr/local/openvpn/logs/ipp.txt
push "route 10.0.100.0 255.255.255.0"        # advertise the server-side LAN1 subnet to the clients
client-config-dir /usr/local/openvpn/etc/ccd  # per-client configuration files live in the ccd subdirectory; the peer's IP address can be set in a client's file
route 10.0.2.0 255.255.255.0                  # route from the server to the client-side LAN2 subnet
client-to-client                              # allow clients to reach each other
duplicate-cn                                  # allow one client key to be used by several clients at once (clients sharing a certificate can no longer be told apart or revoked individually)
keepalive 10 120
comp-lzo
max-clients 100                               # maximum number of concurrent clients
user  openvpn
group openvpn
persist-key
persist-tun
status /usr/local/openvpn/logs/openvpn-status.log
log /usr/local/openvpn/logs/openvpn.log
verb 5
mute 20
// Configure ccd

mkdir /usr/local/openvpn/etc/ccd
vim /usr/local/openvpn/etc/ccd/neta
chown -R openvpn.openvpn .

// Enable IP forwarding

sysctl -w net.ipv4.ip_forward=1

// Add the iptables rule

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE


4.4 Client configuration:
// Modified configuration file (active directives only)

awk '! /^#|^$|^ |^;/' /etc/openvpn/neta/client.conf

client
dev tun
proto udp
remote 192.168.57.71 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/neta/ca.crt
cert /etc/openvpn/neta/neta.crt
key /etc/openvpn/neta/neta.key
comp-lzo
verb 3
status /var/log/openvpn-status.log
log /var/log/openvpn.log
mute 20
// Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
// Add the iptables rule

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

// Virtual IP

ip addr show tun0

7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.2 peer 10.8.0.1/32 scope global tun0


4.5 Testing
(Site B) 10.0.2.36 -> (Site A) 10.0.100.82
(results shown as a screenshot in the original post, not reproduced here)

(Site A) 10.0.100.61 -> (Site B) 10.0.2.36
(results shown as a screenshot in the original post, not reproduced here)


5. Discussion: why go to the trouble of configuring OpenVPN instead of just using pptpd?
PPTP carries its tunnelled data in GRE, which many NAT devices cannot translate unless they have a PPTP-specific helper; OpenVPN runs over a single UDP or TCP port and passes through NAT without special handling. See:
When NAT meets PPTP
http://www.linuxidc.com/Linux/2012-08/67884.htm
NAT and GRE
http://blog.sina.com.cn/s/blog_5612993e0100mnjq.html


