Open*** Hands-On 2: Running *** and the gateway on the same server

Outline

I. Preface

II. Overview

III. Lab Topology

IV. Environment Preparation

V. Detailed Configuration Steps

VI. Summary

Note: the lab environment is CentOS 5.5 x86_64 with software version Open*** 2.1; software download: http://yunpan.cn/QzT8fGsX8S75a, access password e8e4.


I. Preface

In the previous post we explained how to set up a *** server inside the internal network, and I believe everyone has a basic understanding of it by now. But some readers said: we don't have a spare server to use as the *** server, we only have one Linux gateway server, so what do we do? Can the *** server be built on the gateway server itself? Of course it can, hehe. So how do we build it? Let's do it together!


II. Overview

The key to running a *** server on the gateway server is the firewall NAT mapping; the essential configuration is:

[root@gateway ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.18.0/255.255.255.0 -j SNAT --to-source 192.168.18.254

Note: eth0 is the public-address interface and eth1 is the internal-address interface. Let's look at the lab topology next, which will make things clearer!


III. Lab Topology

[Figure: Open*** lab topology 2]

Explanation: this topology is a typical small-to-medium enterprise LAN scenario. This post does not cover the configuration of NAT, Web, FTP and other services, only the operations related to Open***; if you have other questions, you are welcome to discuss them. Thanks.


IV. Environment Preparation

1. Install the yum repository

[root@gateway ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Retrieving http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
warning: /var/tmp/rpm-xfer.qnxpWE: Header V3 DSA signature: NOKEY, key ID 217521f6   
Preparing...                ########################################### [100%]   
    package epel-release-5-4.noarch is already installed
[root@gateway ~]# yum list

2. Synchronise the server time

[root@gateway ~]# yum install -y ntp
[root@gateway ~]# ntpdate 210.72.145.44  
[root@gateway ~]# hwclock -w   
[root@gateway ~]# date   
[root@gateway ~]# hwclock

3. Install the required dependency packages

[root@gateway ~]#  yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers


V. Detailed Configuration Steps

Note: a brief outline of the configuration process:

  • Install the lzo and open*** packages

  • Prepare for configuration: copy the relevant files

  • Initialise the PKI

  • Build the server key

  • Generate the client keys

  • Generate the Diffie-Hellman parameters

  • Pack all the files under keys and download them locally for the client machines.

  • Copy ca.crt, server.crt, server.key and dh1024.pem from keys to /etc/open***

  • Edit the server configuration file /etc/open***/server.conf

  • Start the *** server

  • Configure the Windows client

  • Set up port mapping on the gateway server

  • Test the Windows client connecting to Open***

  • Final test

OK, now let's go through the steps above.

1. Install the lzo and open*** packages

[root@gateway ~]# mkdir src  
[root@gateway ~]# cd src/   
[root@gateway src]# ls   
lzo-2.04-3.2.x86_64.rpm  open***-2.1-0.20.rc4.el5.kb.x86_64.rpm
[root@gateway src]# rpm -ivh lzo-2.04-3.2.x86_64.rpm   
warning: lzo-2.04-3.2.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID d164ce99   
Preparing...                ########################################### [100%]   
   1:lzo                    ########################################### [100%]   
[root@gateway src]# rpm -ivh open***-2.1-0.20.rc4.el5.kb.x86_64.rpm    
Preparing...                ########################################### [100%]   
   1:open***                ########################################### [100%]

2. Prepare for configuration: copy the relevant files

[root@gateway src]# cp -r /usr/share/open***/easy-rsa/2.0/ /etc/open***  
[root@gateway src]# cd /etc/open***   
[root@gateway open***]# ls   
2.0   
[root@gateway open***]# cp /usr/share/doc/open***-2.1/sample-config-files/server.conf /etc/open***/   
[root@gateway open***]# ls   
2.0  server.conf

3. Initialise the PKI

[root@gateway open***]# cd 2.0/  
[root@gateway 2.0]# ls   
build-ca     build-key         build-key-server  clean-all      Makefile           pkitool      sign-req   
build-dh     build-key-pass    build-req         inherit-inter  openssl-0.9.6.cnf  README       vars   
build-inter  build-key-pkcs12  build-req-pass    list-crl       openssl.cnf        revoke-full  whichopensslcnf   
[root@gateway 2.0]# vim vars
# change the following items:
export KEY_COUNTRY="CN"  
export KEY_PROVINCE="SH"   
export KEY_CITY="SH"   
export KEY_ORG="open***"   
export KEY_EMAIL="[email protected]"
[root@gateway 2.0]# env | grep KEY  
[root@gateway 2.0]# source ./vars    
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/open***/2.0/keys   
[root@gateway 2.0]# env | grep KEY   
KEY_EXPIRE=3650   
[email protected]   
KEY_SIZE=1024   
KEY_DIR=/etc/open***/2.0/keys   
KEY_CITY=SH   
KEY_PROVINCE=SH   
KEY_ORG=open***   
KEY_CONFIG=/etc/open***/2.0/openssl.cnf   
KEY_COUNTRY=CN
[root@gateway 2.0]# ./clean-all   
[root@gateway 2.0]# ls   
build-ca     build-key-pass    build-req-pass  list-crl           pkitool      vars   
build-dh     build-key-pkcs12  clean-all       Makefile           README       whichopensslcnf   
build-inter  build-key-server  inherit-inter   openssl-0.9.6.cnf  revoke-full   
build-key    build-req         keys            openssl.cnf        sign-req   
[root@gateway 2.0]# ./build-ca    
Generating a 1024 bit RSA private key   
.++++++   
.......................................++++++   
writing new private key to 'ca.key'   
-----   
You are about to be asked to enter information that will be incorporated   
into your certificate request.   
What you are about to enter is what is called a Distinguished Name or a DN.   
There are quite a few fields but you can leave some blank   
For some fields there will be a default value,   
If you enter '.', the field will be left blank.   
-----   
Country Name (2 letter code) [CN]:   
State or Province Name (full name) [SH]:   
Locality Name (eg, city) [SH]:   
Organization Name (eg, company) [open***]:   
Organizational Unit Name (eg, section) []:   
Common Name (eg, your name or your server's hostname) [open*** CA]:   
Email Address [[email protected]]:

4. Build the server key

[root@gateway 2.0]# ./build-key-server server  
Generating a 1024 bit RSA private key   
.................++++++   
.............++++++   
writing new private key to 'server.key'   
-----   
You are about to be asked to enter information that will be incorporated   
into your certificate request.   
What you are about to enter is what is called a Distinguished Name or a DN.   
There are quite a few fields but you can leave some blank   
For some fields there will be a default value,   
If you enter '.', the field will be left blank.   
-----   
Country Name (2 letter code) [CN]:   
State or Province Name (full name) [SH]:   
Locality Name (eg, city) [SH]:   
Organization Name (eg, company) [open***]:   
Organizational Unit Name (eg, section) []:   
Common Name (eg, your name or your server's hostname) [server]:   
Email Address [[email protected]]:
Please enter the following 'extra' attributes  
to be sent with your certificate request   
A challenge password []:   
An optional company name []:   
Using configuration from /etc/open***/2.0/openssl.cnf   
Check that the request matches the signature   
Signature ok   
The Subject's Distinguished Name is as follows   
countryName           :PRINTABLE:'CN'   
stateOrProvinceName   :PRINTABLE:'SH'   
localityName          :PRINTABLE:'SH'   
organizationName      :PRINTABLE:'open***'   
commonName            :PRINTABLE:'server'   
emailAddress          :IA5STRING:'[email protected]'   
Certificate is to be certified until May  2 03:41:08 2024 GMT (3650 days)   
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y   
Write out database with 1 new entries   
Data Base Updated

5. Generate the client keys (here I set up three clients, client1, client2 and client3; you can generate as many clients as you need)

1). client1

[root@gateway 2.0]# ./build-key client1  
Generating a 1024 bit RSA private key   
......++++++   
...++++++   
writing new private key to 'client1.key'   
-----   
You are about to be asked to enter information that will be incorporated   
into your certificate request.   
What you are about to enter is what is called a Distinguished Name or a DN.   
There are quite a few fields but you can leave some blank   
For some fields there will be a default value,   
If you enter '.', the field will be left blank.   
-----   
Country Name (2 letter code) [CN]:   
State or Province Name (full name) [SH]:   
Locality Name (eg, city) [SH]:   
Organization Name (eg, company) [open***]:   
Organizational Unit Name (eg, section) []:   
Common Name (eg, your name or your server's hostname) [client1]:   
Email Address [[email protected]]:
Please enter the following 'extra' attributes  
to be sent with your certificate request   
A challenge password []:   
An optional company name []:   
Using configuration from /etc/open***/2.0/openssl.cnf   
Check that the request matches the signature   
Signature ok   
The Subject's Distinguished Name is as follows   
countryName           :PRINTABLE:'CN'   
stateOrProvinceName   :PRINTABLE:'SH'   
localityName          :PRINTABLE:'SH'   
organizationName      :PRINTABLE:'open***'   
commonName            :PRINTABLE:'client1'   
emailAddress          :IA5STRING:'[email protected]'   
Certificate is to be certified until May  2 03:46:17 2024 GMT (3650 days)   
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y   
Write out database with 1 new entries   
Data Base Updated

2). client2 and client3 are done the same way, so I won't demonstrate them here; readers who are unsure can refer to the previous post.

6. Generate the Diffie-Hellman parameters

[root@gateway 2.0]# ./build-dh   
Generating DH parameters, 1024 bit long safe prime, generator 2   
This is going to take a long time   
................................................................++*++*++*

7. Pack all the files under keys and download them locally for the client machines.

[root@gateway 2.0]# cd keys/  
[root@gateway keys]# ls   
01.pem  ca.crt       client1.key  client3.crt  index.txt           serial      server.key   
02.pem  ca.key       client2.crt  client3.csr  index.txt.attr      serial.old   
03.pem  client1.crt  client2.csr  client3.key  index.txt.attr.old  server.crt   
04.pem  client1.csr  client2.key  dh1024.pem   index.txt.old       server.csr   
[root@gateway keys]# tar zcvf client.tar.gz ./*   
./01.pem   
./02.pem   
./03.pem   
./04.pem   
./ca.crt   
./ca.key   
./client1.crt   
./client1.csr   
./client1.key   
./client2.crt   
./client2.csr   
./client2.key   
./client3.crt   
./client3.csr   
./client3.key   
./dh1024.pem   
./index.txt   
./index.txt.attr   
./index.txt.attr.old   
./index.txt.old   
./serial   
./serial.old   
./server.crt   
./server.csr   
./server.key   
[root@gateway keys]# ls   
01.pem  04.pem  client1.crt  client2.crt  client3.crt  client.tar.gz  index.txt.attr      serial      server.csr   
02.pem  ca.crt  client1.csr  client2.csr  client3.csr  dh1024.pem     index.txt.attr.old  serial.old  server.key   
03.pem  ca.key  client1.key  client2.key  client3.key  index.txt      index.txt.old       server.crt
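Step 7 above packs the entire keys directory, ca.key and every client's private key included, into one archive. As an added example (not part of the original post), the POSIX shell script below builds a per-client bundle containing only the three files that client needs, plus a check that flags an archive carrying any other private key; the keys directory, client name and output directory are assumed arguments, and the demo files are constructed dummies.

```shell
# Added example (not from the original post): build one per-client tarball that
# holds only ca.crt, <client>.crt and <client>.key, so the CA private key
# (ca.key), server.key and the other clients' keys never leave the gateway.
# Assumed arguments: $1 = easy-rsa keys directory, $2 = client name, $3 = output dir.
make_client_bundle() {
    keys_dir=$1; client=$2; out_dir=$3
    stage=$(mktemp -d)
    for f in ca.crt "$client.crt" "$client.key"; do
        if [ ! -f "$keys_dir/$f" ]; then
            echo "missing $keys_dir/$f" >&2; rm -rf "$stage"; return 1
        fi
        cp "$keys_dir/$f" "$stage/"
    done
    chmod 600 "$stage/$client.key"          # private key readable by owner only
    mkdir -p "$out_dir"
    tar -C "$stage" -czf "$out_dir/$client.tar.gz" ca.crt "$client.crt" "$client.key"
    rm -rf "$stage"
    echo "$out_dir/$client.tar.gz"
}

# Check an existing bundle: succeed only if the sole private key inside it is
# the named client's own key (no ca.key, server.key or other clients' keys).
bundle_is_clean() {
    tarball=$1; client=$2
    if tar -tzf "$tarball" | grep -Ev "^(\./)?$client\.key$" | grep -q '\.key$'; then
        return 1
    fi
    return 0
}

# Demo on a constructed keys directory (dummy file contents, not real key material).
DEMO_KEYS=$(mktemp -d)
for n in ca server client1 client2; do
    printf 'dummy %s private key\n' "$n" > "$DEMO_KEYS/$n.key"
    printf 'dummy %s certificate\n' "$n" > "$DEMO_KEYS/$n.crt"
done
DEMO_OUT=$(mktemp -d)
# The post's approach ("tar zcvf client.tar.gz ./*") sweeps ca.key along with it:
DEMO_ALL="$DEMO_OUT/all.tar.gz"
tar -C "$DEMO_KEYS" -czf "$DEMO_ALL" .
# The per-client bundle built by the function above:
DEMO_BUNDLE=$(make_client_bundle "$DEMO_KEYS" client1 "$DEMO_OUT")
```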

8. Copy ca.crt, server.crt, server.key and dh1024.pem from keys to /etc/open***

[root@gateway keys]# cp ca.* server.* dh1024.pem /etc/open***/  
[root@gateway keys]# cd /etc/open***/   
[root@gateway open***]# ls   
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.crt  server.csr  server.key

9. Edit the server configuration file /etc/open***/server.conf

[root@gateway open***]# cp server.conf server.conf.bak.2014.5.5  
[root@gateway open***]# ls   
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.conf.bak.2014.5.5  server.crt  server.csr  server.key   
[root@gateway open***]# vim server.conf
port 1194  
proto udp   
dev tun   
ca ca.crt   
cert server.crt   
key server.key   
dh dh1024.pem   
server 10.8.0.0 255.255.255.0   
client-to-client   
keepalive 10 120   
comp-lzo   
persist-key   
persist-tun   
status open***-status.log   
verb 4   
push "dhcp-option DNS 10.8.0.1"   
push "dhcp-option DNS 8.8.8.8"   
push "dhcp-option DNS 8.8.4.4"

10. Start the *** server

[root@gateway open***]# /etc/init.d/open*** start  
正在啓動 open***:                                         [確定]   
[root@gateway open***]# netstat -ntulp | grep 1194   
udp        0      0 0.0.0.0:1194                0.0.0.0:*                               19147/open***   
[root@gateway open***]# ifconfig   
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255   
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1   
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0   
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0   
          collisions:0 txqueuelen:100    
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

11. Configure the Windows client

(1). Install the client (I won't demonstrate this; install it yourselves)

[Figure: Open***2]

(2). Put the client certificate files generated on the server into the config folder

D:\Program Files\Open***\config\test

[Figure: client ca]

(3). Create a new client configuration file test.o***

D:\Program Files\Open***\config

[Figure: test]

Contents of test.o***:

client
dev tun
proto udp
remote x.x.x.x 1194 # the company's public IP
persist-key
persist-tun
ca test\\ca.crt
cert test\\client1.crt
key test\\client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1

12. Set up port mapping on the gateway server (the key configuration) and enable IP forwarding.

[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE   
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.18.0/255.255.255.0 -j SNAT --to-source 192.168.18.254
[root@gateway keys]# iptables -L -t nat  
Chain PREROUTING (policy ACCEPT)   
target     prot opt source               destination        
Chain POSTROUTING (policy ACCEPT)  
target     prot opt source               destination        
MASQUERADE  all  --  localhost/24         anywhere           
SNAT       all  --  localhost/24         localhost/24        to:192.168.18.254
Chain OUTPUT (policy ACCEPT)  
target     prot opt source               destination        
[root@gateway keys]# vim /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux  
#   
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and   
# sysctl.conf(5) for more details.
# Controls IP packet forwarding  
net.ipv4.ip_forward = 1
[root@gateway keys]# sysctl -p  
net.ipv4.ip_forward = 1

13. Connect and test

1). Connect to the ***

[Figure: Open***7]

[Figure: Open***8]

Note: after a successful connection a small green icon appears. Now let's try a ping!

2). Test with ping

[Figure: Open***9]

3). Now let's check where our IP is located

Before the *** connection: (office)

[Figure: 1]

After the *** connection: (server room)

[Figure: 2]

OK, that completes the hands-on configuration of *** together with the gateway. Let's sum up the lessons learned and the issues encountered.


VI. Summary

Everything above has the server generate the client certificates first and then distribute them to the clients, which connect to the server using those certificates. Sometimes, though, this distribution is rather cumbersome (and not secure). So we can consider another approach: the client certificates are created only on the server side, and the client needs only the ca.crt file rather than its own client certificate; when logging in to the Open*** server it simply uses a username and password. How is this feature implemented? We'll implement it in the next post.


OK, finally I hope everyone got something out of this ^_^ ...

