1. Environment:
cat /etc/redhat-release
CentOS release 6.8 (Final)
uname -a
Linux nfs_server_177 2.6.32-642.4.2.el6.x86_64 #1 SMP Tue Aug 23 19:58:13 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
ntpdate pool.ntp.org
2. Install the software
lzo-2.06.tar.gz (compression module)
openvpn-2.2.2.tar.gz
2.1 Install the lzo compression module:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
tar xf lzo-2.06.tar.gz
cd lzo-2.06
./configure
make
make install
echo $?
cd ../
2.2 Install the OpenVPN software
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
rpm -qa openssl
tar xf openvpn-2.2.2.tar.gz
cd openvpn-2.2.2
./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
make
make install
echo $?
[root@openvpn_S openvpn-2.2.2]# which openvpn
/usr/local/sbin/openvpn
3. Configure the OpenVPN server: create the CA (certificate authority) certificate
3.1 Initialize the configuration:
cd /home/abu/tools/openvpn-2.2.2/easy-rsa/2.0/
cp vars vars.ori
vim vars
3.2 At the end of the file, replace the lines above with the lines below
export KEY_COUNTRY="US" ← country
export KEY_PROVINCE="CA" ← province
export KEY_CITY="SanFrancisco" ← city
export KEY_ORG="Fort-Funston" ← organization
export KEY_EMAIL="[email protected]" ← e-mail address
export KEY_EMAIL=[email protected]
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GJ"
export KEY_CITY="guangzhou"
export KEY_ORG="abu"
export KEY_EMAIL="[email protected]"
export KEY_CN=CN
export KEY_NAME=abu
export KEY_OU=abu
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
3.3 Apply the configuration file
source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/abu/tools/openvpn-2.2.2/easy-rsa/2.0/keys
./clean-all ← removes all existing certificates and keys
./build-ca ← creates the new CA certificate, ca.crt and ca.key. Note that the output below echoes the values set in the vars file above
Generating a 1024 bit RSA private key
.++++++
.........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: ← (country, press Enter)
State or Province Name (full name) [BJ]: ← (province, press Enter)
Locality Name (eg, city) [Beijing]: ← (city, press Enter)
Organization Name (eg, company) [oldboy]: ← (organization, press Enter)
Organizational Unit Name (eg, section) [oldboy]: ← (unit, press Enter)
Common Name (eg, your name or your server's hostname) [CN]:oldboy ← (hostname, press Enter)
Name [oldboy]: ← (press Enter)
Email Address [[email protected]]: ← (press Enter)
[root@openvpn_S 2.0]# ll keys/
total 12
-rw-r--r-- 1 root root 1314 Oct 17 21:06 ca.crt ← (certificate)
-rw------- 1 root root 912 Oct 17 21:06 ca.key ← (private key)
-rw-r--r-- 1 root root 0 Oct 17 21:04 index.txt
-rw-r--r-- 1 root root 3 Oct 17 21:04 serial
3.4 Generate the server certificate and key
[root@openvpn_S 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
...............++++++
.++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: ← (accept the default)
State or Province Name (full name) [BJ]: ← (accept the default)
Locality Name (eg, city) [Beijing]: ← (accept the default)
Organization Name (eg, company) [oldboy]: ← (accept the default)
Organizational Unit Name (eg, section) [oldboy]: ← (accept the default)
Common Name (eg, your name or your server's hostname) [server]: ← (accept the default)
Name [oldboy]: ← (accept the default)
Email Address [[email protected]]: ← (accept the default)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dev.dev. ← enter a password (the challenge password of the certificate request)
An optional company name []:abu ←
Using configuration from /home/abu/tools/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'oldboy'
organizationalUnitName:PRINTABLE:'oldboy'
commonName :PRINTABLE:'server'
name :PRINTABLE:'oldboy'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 15 13:12:49 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
3.5 Files generated for the server certificate
[root@openvpn_S 2.0]# ll keys/
total 40
-rw-r--r-- 1 root root 4002 Oct 17 21:13 01.pem
-rw-r--r-- 1 root root 1314 Oct 17 21:06 ca.crt
-rw------- 1 root root 912 Oct 17 21:06 ca.key
-rw-r--r-- 1 root root 121 Oct 17 21:13 index.txt
-rw-r--r-- 1 root root 21 Oct 17 21:13 index.txt.attr
-rw-r--r-- 1 root root 0 Oct 17 21:04 index.txt.old
-rw-r--r-- 1 root root 3 Oct 17 21:13 serial
-rw-r--r-- 1 root root 3 Oct 17 21:04 serial.old
-rw-r--r-- 1 root root 4002 Oct 17 21:13 server.crt
-rw-r--r-- 1 root root 769 Oct 17 21:12 server.csr
-rw------- 1 root root 916 Oct 17 21:12 server.key
3.6 Generate a client certificate and key without a password; the client name is client; used by the client to log in to the server
[root@openvpn_S 2.0]# ./build-key client
Generating a 1024 bit RSA private key
...............................++++++
....................++++++
writing new private key to 'client.key'
-----
Using configuration from /home/abu/tools/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'oldboy'
organizationalUnitName:PRINTABLE:'oldboy'
commonName :PRINTABLE:'client'
name :PRINTABLE:'oldboy'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 15 13:22:44 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
3.7 Generate a client certificate and key with a password; the client name is abu; used by the client to log in to the server
[root@openvpn_S 2.0]# ./build-key-pass abu
Generating a 1024 bit RSA private key
...................++++++
...............++++++
writing new private key to 'abu.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
3.8 Generate the Diffie-Hellman parameters
Note: Diffie Hellman parameters must be generated for the OpenVPN server.
This generates the key-exchange parameter file used when keys are negotiated over the tunnel
./build-dh ← (this step must not be skipped, otherwise later steps fail)
[root@squid 2.0]# ll keys/dh1024.pem ← this is the generated key-exchange parameter file
-rw-r--r-- 1 root root 245 Oct 18 02:08 keys/dh1024.pem
3.9 Generate a file that protects against malicious attacks (such as DoS and UDP port flooding)
[root@squid 2.0]# openvpn --genkey --secret keys/ta.key
3.10 Notes on the files generated by the steps above
[root@squid 2.0]# ll keys/dh1024.pem
-rw-r--r-- 1 root root 245 Oct 18 02:08 keys/dh1024.pem
[root@squid 2.0]# ll keys/
total 84
-rw-r--r-- 1 root root 3936 Oct 17 21:26 01.pem
-rw-r--r-- 1 root root 3809 Oct 17 21:26 02.pem
-rw-r--r-- 1 root root 3808 Oct 17 21:27 03.pem
-rw-r--r-- 1 root root 3808 Oct 17 21:27 abu.crt
-rw-r--r-- 1 root root 757 Oct 17 21:27 abu.csr
-rw------- 1 root root 1041 Oct 17 21:27 abu.key
-rw-r--r-- 1 root root 1269 Oct 17 21:25 ca.crt ← CA certificate, needed by the server and by every client
-rw------- 1 root root 916 Oct 17 21:25 ca.key ← needed by the server
-rw-r--r-- 1 root root 245 Oct 18 02:08 dh1024.pem ← DH parameter file, used by the server
-rw-r--r-- 1 root root 337 Oct 17 21:27 index.txt
-rw-r--r-- 1 root root 21 Oct 17 21:27 index.txt.attr
-rw-r--r-- 1 root root 21 Oct 17 21:26 index.txt.attr.old
-rw-r--r-- 1 root root 226 Oct 17 21:26 index.txt.old
-rw-r--r-- 1 root root 3 Oct 17 21:27 serial
-rw-r--r-- 1 root root 3 Oct 17 21:26 serial.old
-rw-r--r-- 1 root root 3936 Oct 17 21:26 server.crt ← server certificate
-rw-r--r-- 1 root root 761 Oct 17 21:25 server.csr
-rw------- 1 root root 916 Oct 17 21:25 server.key ← server key
-rw-r--r-- 1 root root 3809 Oct 17 21:26 test.crt ← certificate used by the client
-rw-r--r-- 1 root root 757 Oct 17 21:26 test.csr
-rw------- 1 root root 916 Oct 17 21:26 test.key ← key used by the client; the keys are all encrypted
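Before the keys/ directory above is copied to /etc/openvpn and handed out to clients, it is worth auditing it: every certificate must actually chain to ca.crt, none should be close to expiry, and every private key must stay mode 600 (the listing shows easy-rsa already creates them that way; a careless cp can undo it). One point the listing does not make: ca.key is only needed to sign and revoke certificates, so it need not live on the VPN server at all. The script below is an added example, not part of the original post; it assumes the easy-rsa 2.0 layout shown (keys/ca.crt plus one *.crt and *.key per server and client), needs the openssl CLI, and its function name and 30-day default are ours.

```shell
#!/bin/sh
# Added example (not from the original post): audit an easy-rsa 2.0 keys/
# directory of the layout the post shows (keys/ca.crt plus *.crt and *.key
# per server and client). Every certificate must chain to ca.crt and must
# not expire within a grace period; every private key must be mode 600.
# Needs the openssl CLI. The function name and the 30-day default are ours.

audit_keys_dir() {
    dir=$1
    days=${2:-30}
    ca="$dir/ca.crt"
    rc=0
    [ -f "$ca" ] || { echo "FAIL: $ca missing"; return 1; }

    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        # expiry: -checkend takes seconds and exits non-zero if the
        # certificate expires within that window
        if ! openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
            echo "FAIL: $crt expires within $days days"; rc=1
        fi
        # chain: every non-CA certificate must have been signed by our CA
        if [ "$crt" != "$ca" ] && ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
            echo "FAIL: $crt is not signed by $ca"; rc=1
        fi
    done

    for key in "$dir"/*.key; do
        [ -f "$key" ] || continue
        # GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case $mode in
            600|400) ;;
            *) echo "FAIL: $key is mode $mode, expected 600"; rc=1 ;;
        esac
    done
    return $rc
}

# usage: audit_keys_dir /etc/openvpn/keys [days]
if [ "$#" -gt 0 ]; then audit_keys_dir "$@"; fi
```

Run it as root against /etc/openvpn/keys after step 5.1 and again after any certificate is re-issued; a non-zero exit means at least one FAIL line was printed.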
4. The important server-side VPN commands explained
vars: script that creates the environment variables used by the other scripts
clean-all: script that creates the files and directories needed to generate the CA certificate and key files
build-ca: script that generates the CA certificate (interactive)
build-key-server: script that generates the server key (interactive)
build-key-pass: script that generates a password-protected client key (interactive)
build-dh: script that generates the Diffie-Hellman parameter file
pkitool: script that uses the environment variables from vars directly and generates certificates non-interactively
5. Configuration files
5.1 Keep the configuration files in one place
mkdir /etc/openvpn
cd /home/abu/tools/openvpn-2.2.2/easy-rsa/2.0/
cp -ap keys/ /etc/openvpn/
cd /home/abu/tools/openvpn-2.2.2/sample-config-files/
cp client.conf server.conf /etc/openvpn/keys
5.2 Server configuration file
cd /etc/openvpn/
cp server.conf server.conf.ori
grep -vE ";|#|^$" server.conf
Example server.conf for a production environment
Parameter | Description
local 172.20.18.187 | Which local IP address OpenVPN should listen on (here 172.20.18.187:1194)
port 52115 (default 1194) | Listening port; the default is 1194, changed here to 52115 for safety
proto udp | Protocol to listen on; with many concurrent clients tcp is recommended
dev tun | The VPN server runs in routed mode; tap or tun may be chosen
ca ca.crt | CA certificate. Note that this file must be in the same directory as server.conf, otherwise use an absolute path
cert server.crt |
key server.key | This file should be kept secret
dh dh1024.pem |
server 10.8.0.0 255.255.255.0 | Address pool from which the VPN server assigns addresses to VPN clients; normally needs no change
ifconfig-pool-persist ipp.txt |
push "route 10.0.0.0 255.255.255.0" | The internal network segment the VPN server sits on; with several segments, add one push line per segment. Note that this directive actually creates the route locally on the VPN client
5.3 Configure the file as follows (note: if the address given for local is not an IP address of this host, the daemon exits immediately at startup and does not come up)
[root@squid openvpn]# cat server.conf
port 52115
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn
log /var/log/openvpn.log
6. Firewall rules and kernel parameters
iptables -A INPUT -p tcp --dport 52115 -j ACCEPT
vim /etc/sysctl.conf
sysctl -p
net.ipv4.ip_forward = 1 ← change 0 to 1
# Check whether SELinux is enabled
[root@squid openvpn]# getenforce
Disabled
Start the server-side VPN service, check it, and add it to the boot sequence
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
echo "#openvpn start" >> /etc/rc.local
echo "/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &" >> /etc/rc.local
tail -2 /etc/rc.local
#openvpn start
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
ifconfig now shows this additional interface:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
# Start at boot via chkconfig
cp /home/abu/tools/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
chmod 700 /etc/init.d/openvpn
chkconfig --add openvpn
chkconfig --list openvpn
# Edit line 148 of the init script, changing * to server
vim /etc/init.d/openvpn
148 for c in `/bin/ls *.conf 2>/dev/null`; do ← original
148 for c in `/bin/ls server.conf 2>/dev/null`; do ← after the change
The server-side configuration is now complete.
Next, configure the client
Once the server is configured, install the client software. After installation, copy the CA certificate and keys just created on the server, i.e.:
ca.crt ← CA certificate
client.conf ← client configuration file
test.crt ← user certificate created on the server
test.key ← user key created on the server
into the config directory under the client installation directory, C:\Program Files (x86)\OpenVPN\config
Note: every client needs this set of files
Original client configuration file contents
[root@squid openvpn]# egrep -v "^#|^;|^$" client.conf
client
dev tun
proto udp ← protocol
remote my-server-1 1194 ← IP and port of the server the client connects to
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt ← client certificate
key client.key ← client key
ns-cert-type server
comp-lzo
verb 3
Client configuration after the changes
dev tun
proto tcp
remote 172.20.18.187 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
comp-lzo
verb 3
In the client directory, create a file with the .ovpn extension and copy the configuration into it
Once configured, dial in to the OpenVPN server from the Windows 7 machine
Method 1: route add default gw 172.20.18.187
Method 2: route add -net 10.8.0.0/24 gw 172.20.18.187
Method 3: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 192.168.1.10
iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth1 -j MASQUERADE
Note:
These are iptables NAT rules, where:
1) -o eth1 is the VPN server's internal NIC,
2) 192.168.1.10 is the VPN server's internal IP,
3) -j MASQUERADE translates automatically; for a fixed translation use -j SNAT --to-source 192.168.1.10
Configure the OpenVPN client on Linux
Install the lzo compression module:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
tar xf lzo-2.06.tar.gz
cd lzo-2.06
./configure
make
make install
echo $?
cd ../
Install the OpenVPN software
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
rpm -qa openssl
tar xf openvpn-2.2.2.tar.gz
cd openvpn-2.2.2
./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
make
make install
echo $?
[root@openvpn_S openvpn-2.2.2]# which openvpn
/usr/local/sbin/openvpn
Configure the OpenVPN client
After installation, create a directory to hold the files
mkdir /etc/openvpn
Then bring over the Windows client configuration as-is;
Linux does not need the .ovpn file, so simply:
[root@testhost openvpn]# ll
total 16
-rw-r--r-- 1 root root 3816 Oct 24 2016 abutest.crt
-rw-r--r-- 1 root root 916 Oct 24 2016 abutest.key
-rw-r--r-- 1 root root 1269 Oct 24 2016 ca.crt
-rw-r--r-- 1 root root 198 Oct 24 2016 client.conf
/usr/local/sbin/openvpn --config /etc/openvpn/client.conf & ← just start it
# Add to the boot sequence
echo "#openvpn client start" >> /etc/rc.local
echo "/usr/local/sbin/openvpn --config /etc/openvpn/client.conf &" >> /etc/rc.local
Configuration file contents
[root@testhost openvpn]# cat client.conf
client
dev tun
proto tcp
remote 172.20.18.187 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert abutest.crt
key abutest.key
ns-cert-type server
comp-lzo
verb 3
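Both the server.conf of section 5.3 and the client.conf above are started blind with "openvpn --config ... &", so a mistake only shows up in the log. The script below, an added example that is not part of the original post, checks a configuration before the daemon is launched. It encodes the post's own caveats (a "local" address that is not on this host makes the server exit at startup; relative ca/cert/key/dh paths resolve next to the configuration file) and adds the checks a reviewer would want on the files shown: private keys and ta.key must be mode 600; a client configuration must keep "ns-cert-type server" (or the newer "remote-cert-tls server"), because without it any client certificate issued by the same CA could pose as the server; "duplicate-cn" and a ta.key generated in 3.9 but never referenced by a tls-auth line are reported as warnings. Function names are ours; the host-address lookup uses ip or hostname -I and is skipped when neither is available.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an OpenVPN 2.x
# configuration (server.conf or client.conf) before starting the daemon.
# FAIL lines make the function return non-zero; WARN lines are advisory.
# Function names are this example's own.

check_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    fails=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }

    # helpers: first value of a directive / whether a directive is present
    get() { awk -v k="$1" '$1 == k {print $2; exit}' "$conf"; }
    has() { awk -v k="$1" '$1 == k {f=1} END {exit !f}' "$conf"; }

    # Referenced files: a relative name resolves next to the config file,
    # which is where openvpn --config looks (the post's note in 5.2).
    for d in ca cert key dh tls-auth; do
        f=$(get "$d")
        [ -n "$f" ] || continue
        case $f in /*) p=$f ;; *) p="$dir/$f" ;; esac
        if [ ! -f "$p" ]; then
            echo "FAIL: $d refers to missing file $p"; fails=$((fails+1))
        elif [ "$d" = key ] || [ "$d" = tls-auth ]; then
            mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
            case $mode in
                600|400) ;;
                *) echo "FAIL: $p is mode $mode, should be 600"; fails=$((fails+1)) ;;
            esac
        fi
    done

    if has client; then
        # A client must insist on a *server* certificate; otherwise any
        # client certificate from the same CA could impersonate the server.
        if [ "$(get ns-cert-type)" != server ] && [ "$(get remote-cert-tls)" != server ]; then
            echo "FAIL: client config lacks 'ns-cert-type server' (or 'remote-cert-tls server')"
            fails=$((fails+1))
        fi
    else
        # "local" must be an address of this host or the daemon exits at start.
        l=$(get local)
        if [ -n "$l" ]; then
            addrs=$(ip -o -4 addr 2>/dev/null | awk '{split($4,a,"/"); print a[1]}')
            [ -n "$addrs" ] || addrs=$(hostname -I 2>/dev/null | tr ' ' '\n')
            if [ -n "$addrs" ] && ! printf '%s\n' $addrs | grep -qx "$l"; then
                echo "FAIL: local $l is not an address of this host"; fails=$((fails+1))
            fi
        fi
        has duplicate-cn && echo "WARN: duplicate-cn lets several clients share one certificate"
        if ! has tls-auth; then
            if [ -f "$dir/keys/ta.key" ] || [ -f "$dir/ta.key" ]; then
                echo "WARN: ta.key exists but no tls-auth line uses it"
            fi
        fi
    fi
    [ "$fails" -eq 0 ]
}

# usage: check_openvpn_conf /etc/openvpn/server.conf
if [ "$#" -gt 0 ]; then check_openvpn_conf "$@"; fi
```

A convenient place to call it is the init script from section 6, just before the daemon is started, so a broken configuration is reported instead of silently exiting.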
Errors that commonly appear when starting the client
Solution: add --script-security 3 to the client configuration file
Second case: rename the client configuration file
This completes the Linux client configuration.
Architecture for interconnecting multiple IDC data centers over VPN
OpenVPN multi-site interconnection
http://blog.csdn.net/reyleon/article/details/50554179