OpenVPN in Practice 1: VPN and Gateway on Different Servers

Outline

I. Preface

II. Overview

III. Environment preparation

IV. Lab topology

V. Detailed configuration walkthrough

VI. Summary

Note: the lab environment is CentOS 5.5 x86_64 with OpenVPN 2.1; software download: http://yunpan.cn/QzT8fGsX8S75a


I. Preface

In the previous post we recommended a number of theory articles about OpenVPN; anyone who wants to read up on it can click here: http://freeloda.blog.51cto.com/2033581/1354768. Starting with this post we move on to OpenVPN in practice. The OpenVPN practice series consists of the following posts:

  • OpenVPN in Practice 1: VPN and Gateway on Different Servers

  • OpenVPN in Practice 2: VPN and Gateway on the Same Server

  • OpenVPN in Practice 3: Connecting Multiple Subnets with a VPN (Point-to-Multipoint)

  • OpenVPN in Practice 4: Common Small Problems, Collected

All right, let's get started on today's content!


II. Overview

1. OpenVPN is a software package for creating encrypted virtual private network tunnels, originally written by James Yonan. OpenVPN lets the peers that establish the VPN authenticate with a pre-shared private key, third-party certificates, or a username/password. It makes heavy use of the OpenSSL crypto library and of the SSLv3/TLSv1 protocols.

2. OpenVPN runs on Linux, xBSD, Mac OS X and Windows 2000/XP/7. It is not a web-based VPN, and it is not compatible with IPsec or other VPN packages.

3. All OpenVPN traffic can be carried over a single IP port. OpenVPN provides two kinds of virtual network interface through the generic tun/tap driver: a layer-3 IP tunnel, or a virtual layer-2 Ethernet that can carry any kind of layer-2 Ethernet frame; the transported data can be compressed with the LZO algorithm. IANA (Internet Assigned Numbers Authority) has assigned OpenVPN the official port 1194.

4. Because OpenVPN uses the common transport protocols (TCP and UDP), it is an ideal replacement for IPsec and similar protocols, especially where an ISP (Internet service provider) filters particular VPN protocols.

5. OpenVPN works in two modes:

  • an IP tunnel routing mode, used mainly for point-to-point links;

  • an Ethernet-based tunnel bridging mode, used for point-to-multipoint setups with several branch offices.

All right, let's now walk through a point-to-point VPN.


III. Environment preparation

1. Time synchronization

[root@openvpn ~]# yum install -y ntp
[root@openvpn ~]# ntpdate 202.120.2.101
[root@openvpn ~]# hwclock -w

2. Install the yum repository

[root@openvpn ~]# rpm -ivh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

3. Install the dependency packages

[root@openvpn ~]# yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers


IV. Lab topology

[Figure OpenVPN1: lab topology]

Note: the topology is simple, so I will not describe it in detail; have a look at it yourselves. (Here the VPN server is a separate machine, not co-located with the gateway.)


V. Detailed configuration walkthrough

Note: a brief outline of the configuration process:

  • Install the lzo and openvpn packages

  • Prepare for configuration by copying the relevant files

  • Initialize the PKI

  • Build the server key

  • Generate the client keys

  • Generate the Diffie-Hellman parameters

  • Pack up everything under keys and download it locally for the client machines

  • Copy ca.crt, server.crt, server.key and dh1024.pem from keys to /etc/openvpn

  • Edit the server configuration file /etc/openvpn/server.conf

  • Start the VPN server

  • Configure the Windows client

  • Set up port forwarding on the gateway server

  • Test the Windows client connecting to OpenVPN

  • Configure the OpenVPN server for external network access

  • Final test

All right, let's go through the steps above.

1. Install the lzo and openvpn packages

[root@openvpn src]# ls
epel-release-5-4.noarch.rpm  lzo-2.04-3.2.x86_64.rpm  openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm
[root@openvpn src]# rpm -ivh lzo-2.04-3.2.x86_64.rpm
warning: lzo-2.04-3.2.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID d164ce99
Preparing...                ########################################### [100%]
   1:lzo                    ########################################### [100%]
[root@openvpn src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm
Preparing...                ########################################### [100%]
   1:openvpn                ########################################### [100%]

2. Prepare for configuration by copying the relevant files

[root@openvpn src]# cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/
[root@openvpn src]# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
[root@openvpn src]# cd /etc/openvpn/
[root@openvpn openvpn]# ls
2.0  server.conf

3. Initialize the PKI

[root@openvpn openvpn]# cd 2.0/
[root@openvpn 2.0]# ls
build-ca     build-key-pass    build-req-pass  Makefile           README       whichopensslcnf
build-dh     build-key-pkcs12  clean-all       openssl-0.9.6.cnf  revoke-full
build-inter  build-key-server  inherit-inter   openssl.cnf        sign-req
build-key    build-req         list-crl        pkitool            vars
[root@openvpn 2.0]# vim vars
Change the following entries:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="SH"
export KEY_ORG="openvpn"
export KEY_EMAIL="[email protected]"
[root@openvpn 2.0]# env | grep KEY
[root@openvpn 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
[root@openvpn 2.0]# env | grep KEY
KEY_EXPIRE=3650
KEY_EMAIL=[email protected]
KEY_SIZE=1024
KEY_DIR=/etc/openvpn/2.0/keys
KEY_CITY=SH
KEY_PROVINCE=SH
KEY_ORG=openvpn
KEY_CONFIG=/etc/openvpn/2.0/openssl.cnf
KEY_COUNTRY=CN
[root@openvpn 2.0]# ./clean-all
[root@openvpn 2.0]# ls
build-ca     build-key-pass    build-req-pass  list-crl           pkitool      vars
build-dh     build-key-pkcs12  clean-all       Makefile           README       whichopensslcnf
build-inter  build-key-server  inherit-inter   openssl-0.9.6.cnf  revoke-full
build-key    build-req         keys            openssl.cnf        sign-req
[root@openvpn 2.0]# ./build-ca
Generating a 1024 bit RSA private key
...........................++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [openvpn CA]:
Email Address [[email protected]]:

4. Build the server key

[root@openvpn 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.........++++++
..++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'SH'
organizationName      :PRINTABLE:'openvpn'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 24 02:40:17 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5. Generate the client keys (here I create three clients, client1, client2 and client3; generate as many clients as you need)

client1:

[root@openvpn 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
.....++++++
................................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'SH'
organizationName      :PRINTABLE:'openvpn'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 24 02:42:39 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

client2:

[root@openvpn 2.0]# ./build-key client2
Generating a 1024 bit RSA private key
..................................++++++
............................................++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client2]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'SH'
organizationName      :PRINTABLE:'openvpn'
commonName            :PRINTABLE:'client2'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 24 02:43:16 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

client3:

[root@openvpn 2.0]# ./build-key client3
Generating a 1024 bit RSA private key
..............++++++
.++++++
writing new private key to 'client3.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client3]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'SH'
organizationName      :PRINTABLE:'openvpn'
commonName            :PRINTABLE:'client3'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 24 02:43:58 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
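Every "Data Base Updated" above is easy-rsa appending a line to the CA database, keys/index.txt: one tab-separated record per certificate with its status (V valid, R revoked, E expired), expiry, revocation date, serial, file name and subject DN. As an added example, not part of the original post, the POSIX shell functions below read that file so you can see which client certificates exist, whether a given client is still valid or has been revoked, and which certificates expire before a date. The sample index is constructed to mirror the serials and CNs issued above, with client2 marked revoked only to exercise that status; the function names and the e-mail address are assumptions.

```shell
#!/bin/sh
# Added example: read the easy-rsa CA database (keys/index.txt).
# Fields (tab separated): status, expiry YYMMDDHHMMSSZ, revocation date,
# serial, file name, subject DN. Not code from the original post.

# list_certs INDEX: one line per entry, "STATUS SERIAL CN EXPIRY".
list_certs() {
    awk -F'\t' '{
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
        print $1, $4, cn, $2
    }' "$1"
}

# cert_status INDEX CN: print V (valid), R (revoked), E (expired) or none.
cert_status() {
    awk -F'\t' -v want="$2" '{
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
        if (cn == want) { print $1; found = 1; exit }
    } END { if (!found) print "none" }' "$1"
}

# count_valid INDEX: number of entries still marked V.
count_valid() {
    awk -F'\t' '$1 == "V" { n++ } END { print n + 0 }' "$1"
}

# expiring_before INDEX YYMMDDHHMMSSZ: CNs of valid certificates whose expiry
# is earlier than the given UTC timestamp (string order works within a century).
expiring_before() {
    awk -F'\t' -v limit="$2" '$1 == "V" && $2 < limit {
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn); print cn
    }' "$1"
}

# make_sample_index FILE: constructed records mirroring the certificates
# issued in steps 4 and 5; client2 is revoked here only to show the R status.
make_sample_index() {
    dn='/C=CN/ST=SH/L=SH/O=openvpn/CN=%s/emailAddress=admin@example.com'
    {
        printf "V\t240124024017Z\t\t01\tunknown\t$dn\n" server
        printf "V\t240124024239Z\t\t02\tunknown\t$dn\n" client1
        printf "R\t240124024316Z\t140301120000Z\t03\tunknown\t$dn\n" client2
        printf "V\t240124024358Z\t\t04\tunknown\t$dn\n" client3
    } >"$1"
}

# Demo on the constructed index.
demo_index=$(mktemp)
make_sample_index "$demo_index"
list_certs "$demo_index"
echo "valid certificates: $(count_valid "$demo_index")"
echo "client2 status: $(cert_status "$demo_index" client2)"
echo "expiring before 2024-02-01: $(expiring_before "$demo_index" 240201000000Z | tr '\n' ' ')"
rm -f "$demo_index"
```

On the real server, point the functions at /etc/openvpn/2.0/keys/index.txt; a client that should no longer connect is revoked with ./revoke-full clientN, which is what flips its record from V to R (and the server only honours that once a CRL is configured with crl-verify).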

6. Generate the Diffie-Hellman parameters

[root@openvpn 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2 
This is going to take a long time 
...........................................................................................................................................................................................................................................+.................................+.................................+...................+..............................................................................+.........................+.......................................................................................+...........+.....................+......................................+.......................................+............+...................................................................+....................................................................................................................................................................+.............................+......+.............+...........................+.............+..............................................................................+...........+........+............................+.......................................................................................................................................................+.................................................................................+.........................................................................................................................................................................................+....+............+........................................+..........+............................................................................+........+.+...................+........................+...................+................................................................................+.............................................................+....................................................................................................................
................................................................................................+.....+.............................+...........+................................................................+.+.........+.................................................................................................................................................+..............................+...............................................+......+.....................................................................+..........................................................+........+.........+..................................................................................+......+.........+..................................................................................+........................................................................................+....+......................+.....+..........+............................................................................................................................................+................+..........+............................................+...............................................+................................................+............................................++*++*++*

7. Pack up everything under keys and download it locally for the client machines

[root@openvpn 2.0]# cd keys/
[root@openvpn keys]# ls
01.pem  04.pem  client1.crt  client2.crt  client3.crt  dh1024.pem      index.txt.attr.old  serial.old  server.key
02.pem  ca.crt  client1.csr  client2.csr  client3.csr  index.txt       index.txt.old       server.crt
03.pem  ca.key  client1.key  client2.key  client3.key  index.txt.attr  serial              server.csr
[root@openvpn keys]# tar zcvf full.tar.gz ./*
./01.pem
./02.pem
./03.pem
./04.pem
./ca.crt
./ca.key
./client1.crt
./client1.csr
./client1.key
./client2.crt
./client2.csr
./client2.key
./client3.crt
./client3.csr
./client3.key
./dh1024.pem
./index.txt
./index.txt.attr
./index.txt.attr.old
./index.txt.old
./serial
./serial.old
./server.crt
./server.csr
./server.key
[root@openvpn keys]# ls
01.pem  04.pem  client1.crt  client2.crt  client3.crt  dh1024.pem   index.txt.attr      serial      server.csr
02.pem  ca.crt  client1.csr  client2.csr  client3.csr  full.tar.gz  index.txt.attr.old  serial.old  server.key
03.pem  ca.key  client1.key  client2.key  client3.key  index.txt    index.txt.old       server.crt
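The full.tar.gz built above contains ca.key (the CA's private key), server.key and every client's private key; whoever receives it can sign new certificates for this CA or connect as any of the clients. As an added example, not part of the original post, the POSIX shell functions below build a per-client bundle holding only ca.crt, clientN.crt and clientN.key, and check an archive for anything beyond those three files. The file names mirror the keys listing above; the function names and the placeholder files used for the demo are assumptions.

```shell
#!/bin/sh
# Added example: package one client's material from the easy-rsa keys
# directory without shipping ca.key, server.key or other clients' keys.
# Not code from the original post.

# bundle_client KEYS_DIR CLIENT OUT_DIR: write OUT_DIR/CLIENT.tar.gz holding
# only ca.crt, CLIENT.crt and CLIENT.key; echo its path; fail if a file is missing.
bundle_client() {
    _keys=$1; _name=$2; _out=$3
    for _f in ca.crt "$_name.crt" "$_name.key"; do
        [ -f "$_keys/$_f" ] || { echo "missing $_keys/$_f" >&2; return 1; }
    done
    mkdir -p "$_out"
    _abs=$(cd "$_out" && pwd)
    ( cd "$_keys" && tar czf "$_abs/$_name.tar.gz" ca.crt "$_name.crt" "$_name.key" )
    echo "$_abs/$_name.tar.gz"
}

# bundle_is_safe ARCHIVE: succeed only if ARCHIVE (named CLIENT.tar.gz)
# contains nothing but ca.crt, CLIENT.crt and CLIENT.key.
bundle_is_safe() {
    _name=$(basename "$1" .tar.gz)
    ! tar tzf "$1" | grep -Ev "^(ca\.crt|$_name\.crt|$_name\.key)\$" | grep -q .
}

# make_fake_keys DIR: constructed stand-ins for the files easy-rsa creates.
make_fake_keys() {
    mkdir -p "$1"
    for _f in ca.crt ca.key server.crt server.key dh1024.pem \
              client1.crt client1.key client2.crt client2.key; do
        echo "placeholder for $_f" >"$1/$_f"
    done
}

# Demo: a per-client bundle passes the check, the everything-included
# tarball from step 7 does not.
demo_dir=$(mktemp -d)
make_fake_keys "$demo_dir/keys"
archive=$(bundle_client "$demo_dir/keys" client1 "$demo_dir/out")
echo "created $archive containing:"
tar tzf "$archive"
bundle_is_safe "$archive" && echo "client1 bundle: only client1 material"
tar czf "$demo_dir/out/full.tar.gz" -C "$demo_dir/keys" .
bundle_is_safe "$demo_dir/out/full.tar.gz" || echo "full.tar.gz: contains other keys"
rm -rf "$demo_dir"
```

Run as bundle_client /etc/openvpn/2.0/keys client1 /root/bundles on the server; the client then needs only the three files inside, which match the ca, cert and key lines of the client configuration in step 11.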

8. Copy ca.crt, server.crt, server.key and dh1024.pem from keys to /etc/openvpn

[root@openvpn keys]# cp ca.* server.* dh1024.pem /etc/openvpn/
[root@openvpn keys]# cd /etc/openvpn/
[root@openvpn openvpn]# ls
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.crt  server.csr  server.key

9. Edit the server configuration file /etc/openvpn/server.conf

[root@openvpn openvpn]# cp server.conf server.conf.bak
[root@openvpn openvpn]# >server.conf
[root@openvpn openvpn]# vim server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

10. Start the VPN server

[root@openvpn openvpn]# service openvpn start
Starting openvpn:                                          [  OK  ]
[root@openvpn openvpn]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:A6:19:E8
          inet addr:192.168.18.248  Bcast:192.168.18.255  Mask:255.255.255.0 
          inet6 addr: fe80::250:56ff:fea6:19e8/64 Scope:Link 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
          RX packets:107910 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:73200 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000  
          RX bytes:120827874 (115.2 MiB)  TX bytes:8877959 (8.4 MiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0 
          inet6 addr: ::1/128 Scope:Host 
          UP LOOPBACK RUNNING  MTU:16436  Metric:1 
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:34 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:0  
          RX bytes:3918 (3.8 KiB)  TX bytes:3918 (3.8 KiB)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255 
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1 
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:100  
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

11. Configure the Windows client

(1). Install the client (I will not demonstrate this; install it yourselves)

[Figure OpenVPN2]

(2). Put the client certificate files generated on the server into the config folder

D:\Program Files\OpenVPN\config\openvpn

[Figure OpenVPN3]

(3). Create the client configuration file openvpn.ovpn

D:\Program Files\OpenVPN\config

[Figure OpenVPN4]

Contents of openvpn.ovpn:

client
dev tun
proto udp
remote x.x.x.x 1194 # public IP of the workplace
persist-key
persist-tun
ca openvpn\\ca.crt
cert openvpn\\client1.crt
key openvpn\\client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
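To catch omissions in either of the two configuration files in this post (the server.conf from step 9 and the openvpn.ovpn just shown), here is an added example, not from the original post, that lints them with POSIX sh and grep. Besides checking that the basic directives are present, it checks that the client pins the server role with ns-cert-type server (or the newer remote-cert-tls server): without that line a client accepts any certificate signed by the same CA, including another client's, as the server. The sample configs are constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example: lint an OpenVPN server.conf and a client .ovpn for the
# directives the walkthrough relies on. Not code from the original post.

# has_directive FILE NAME: succeed when an uncommented line starts with NAME.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# missing_directives FILE NAME...: echo the NAMEs absent from FILE, space separated.
missing_directives() {
    _f=$1; shift
    _out=""
    for _d in "$@"; do
        has_directive "$_f" "$_d" || _out="$_out $_d"
    done
    echo "${_out# }"
}

# check_server_conf FILE: directives a tun server needs; empty output means ok.
check_server_conf() {
    missing_directives "$1" port proto dev ca cert key dh server
}

# check_client_conf FILE: as above for a client, plus the server-role check.
# Without ns-cert-type/remote-cert-tls server, any certificate issued by the
# same CA (another client's, for instance) is accepted as the server.
check_client_conf() {
    _m=$(missing_directives "$1" client dev proto remote ca cert key)
    if ! grep -Eq '^[[:space:]]*(ns-cert-type|remote-cert-tls)[[:space:]]+server' "$1"; then
        _m="$_m server-role-check"
    fi
    echo "${_m# }"
}

# make_samples DIR: constructed files: a complete server.conf, a complete
# client.ovpn, and weak.ovpn with the key line commented out and no role check.
make_samples() {
    cat >"$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
EOF
    cat >"$1/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
ca openvpn\\ca.crt
cert openvpn\\client1.crt
key openvpn\\client1.key
ns-cert-type server
comp-lzo
EOF
    cat >"$1/weak.ovpn" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
ca ca.crt
cert client1.crt
# key client1.key
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "server.conf missing: [$(check_server_conf "$demo_dir/server.conf")]"
echo "client.ovpn missing: [$(check_client_conf "$demo_dir/client.ovpn")]"
echo "weak.ovpn missing:   [$(check_client_conf "$demo_dir/weak.ovpn")]"
rm -rf "$demo_dir"
```

The ns-cert-type server line only works because the server certificate was issued with build-key-server in step 4, which sets nsCertType=server; a server certificate made with plain build-key would be rejected by a client configured this way.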

12. Set up port forwarding on the gateway server

[root@gateway ~]# /sbin/iptables -t nat -A PREROUTING -p udp -d x.x.x.x(public IP) --dport 1194 -j DNAT --to 192.168.18.248:1194
[root@gateway ~]# /sbin/iptables -t nat -A POSTROUTING -p udp -d 192.168.18.248 --dport 1194 -j SNAT --to x.x.x.x(public IP):1194
[root@gateway ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain AS0_WEBACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
[root@gateway ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  anywhere             x.x.x.x(public IP)       udp dpt:openvpn to:192.168.18.248:1194
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       udp  --  anywhere             192.168.18.248      udp dpt:openvpn to:x.x.x.x(public IP):1194
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

13. Test the Windows client connecting to OpenVPN (both methods are demonstrated)

(1).

[Figure OpenVPN5]

[Figure OpenVPN6]

(2).

[Figure]

[Figure OpenVPN8]

(3). Test it

[Figure OpenVPN9]

Note: although the VPN can now ping through, it still cannot reach the external network, so next we configure OpenVPN for external network access.

14. Configure the OpenVPN server for external network access

(1). Enable IP forwarding

[root@openvpn openvpn]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@openvpn openvpn]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

(2). Configure the NAT mapping

[root@openvpn openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.18.248
[root@openvpn openvpn]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24          anywhere            to:192.168.18.248
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@openvpn openvpn]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
[root@openvpn openvpn]# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: nat                       [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
[root@openvpn openvpn]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24          anywhere            to:192.168.18.248
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
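As an added example, not part of the original post, the POSIX shell functions below verify the two settings that step 14 put in place: ip_forward set to 1 and a POSTROUTING SNAT (or MASQUERADE) rule covering the VPN subnet. They read the subnet from the server line of server.conf (converting the dotted mask to a prefix length) and take the other inputs as files, so they can be pointed at /proc/sys/net/ipv4/ip_forward and the output of iptables-save -t nat on a live box, or at the constructed samples included here. Function names are assumptions.

```shell
#!/bin/sh
# Added example: confirm IP forwarding and the VPN-subnet NAT rule from
# step 14 from files, so the check works on saved output as well as live.
# Not code from the original post.

# mask_to_prefix DOTTED_MASK: 255.255.255.0 -> 24 (counts set bits).
mask_to_prefix() {
    _bits=0
    _save_ifs=$IFS; IFS=.
    for _octet in $1; do
        while [ "$_octet" -gt 0 ]; do
            _bits=$((_bits + (_octet & 1)))
            _octet=$((_octet >> 1))
        done
    done
    IFS=$_save_ifs
    echo "$_bits"
}

# vpn_subnet_from_conf SERVER_CONF: "server 10.8.0.0 255.255.255.0" -> "10.8.0.0/24";
# fails when there is no server line.
vpn_subnet_from_conf() {
    _line=$(grep -E '^[[:space:]]*server[[:space:]]' "$1" | head -n 1)
    set -- $_line
    [ -n "$3" ] || return 1
    echo "$2/$(mask_to_prefix "$3")"
}

# forwarding_enabled FILE: succeed if FILE (ip_forward) contains 1.
forwarding_enabled() {
    [ "$(tr -d '[:space:]' <"$1")" = "1" ]
}

# nat_rule_present RULES SUBNET: succeed if RULES (iptables-save format)
# has a POSTROUTING rule that SNATs or masquerades SUBNET.
nat_rule_present() {
    _pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # make dots literal
    grep -Eq "^-A POSTROUTING .*-s $_pat .*-j (SNAT|MASQUERADE)" "$1"
}

# check_vpn_egress IP_FORWARD_FILE RULES SERVER_CONF: echo the failed checks
# (space separated); empty output means both settings are in place.
check_vpn_egress() {
    _bad=""
    forwarding_enabled "$1" || _bad="$_bad ip_forward"
    _subnet=$(vpn_subnet_from_conf "$3") || _subnet=""
    if [ -z "$_subnet" ]; then
        _bad="$_bad no-server-line"
    elif ! nat_rule_present "$2" "$_subnet"; then
        _bad="$_bad nat-rule"
    fi
    echo "${_bad# }"
}

# make_egress_samples DIR: constructed inputs; nat_ok carries the rule from step 14.
make_egress_samples() {
    mkdir -p "$1"
    echo 1 >"$1/ip_forward_on"
    echo 0 >"$1/ip_forward_off"
    printf 'port 1194\nproto udp\ndev tun\nserver 10.8.0.0 255.255.255.0\n' >"$1/server.conf"
    cat >"$1/nat_ok" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.18.248
COMMIT
EOF
    cat >"$1/nat_missing" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.18.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_egress_samples "$demo_dir"
echo "vpn subnet: $(vpn_subnet_from_conf "$demo_dir/server.conf")"
echo "good host failed checks: [$(check_vpn_egress "$demo_dir/ip_forward_on" "$demo_dir/nat_ok" "$demo_dir/server.conf")]"
echo "bad host failed checks:  [$(check_vpn_egress "$demo_dir/ip_forward_off" "$demo_dir/nat_missing" "$demo_dir/server.conf")]"
rm -rf "$demo_dir"
```

On the VPN server itself: iptables-save -t nat > /tmp/nat.txt, then check_vpn_egress /proc/sys/net/ipv4/ip_forward /tmp/nat.txt /etc/openvpn/server.conf should print nothing once step 14 is complete.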

15. Final test

[Figure OpenVPN10]

All right, now we can reach the external network. That completes our simple point-to-point VPN configuration!


VI. Summary

Above we demonstrated the configuration of a point-to-point VPN where the VPN and the gateway are not on the same server. Some readers will ask: isn't dedicating a whole server to the VPN wasteful? So how do you configure it when the gateway and the VPN are on the same server? In the next post we will demonstrate the point-to-point VPN configuration with the VPN and gateway on the same server. That's all for today's post; I hope everyone got something out of it ^_^...

