环境:CentOS Linux release 7.4.1708 (Core)
查看版本命令
[root@open***_server ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
由于被禁止某些关键词 *** 请自行替换成
安装阶段
1. 添加源
//采用阿里云yum源
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum makecache
2. 安装open***
yum upgrade -y // 更新源
yum install epel-release -y //安装epel库
yum -y install open*** easy-rsa tree
http://www.cnblogs.com/airoot/p/7252987.html
生成open***必备文件
//由于yum安装是 easy-rsa-3.0.3的版本
[root@open***_server ~]# cp -r /usr/share/easy-rsa/ /etc/open***/easy-rsa
[root@open***_server ~]# cd /etc/open***/easy-rsa/
[root@open***_server easy-rsa]# \rm 3 3.0
[root@open***_server easy-rsa]# cd 3.0.3/
[root@open***_server 3.0.3]# find / -type f -name "vars.example"|xargs -i cp {} . && mv vars.example vars
[root@open***_server 3.0.3]# tree
.
├── easyrsa
├── openssl-1.0.cnf
├── vars
└── x509-types
├── ca
├── client
├── COMMON
├── san
└── server
1 directory, 8 files
说明:
正常来说easy-rsa-3.0.3安装完之后,vars.example文件在/usr/share/doc/easy-rsa-3.0.3/目录
创建一个新的PKI和CA
[root@open***_server 3.0.3]# ./easyrsa init-pki // 创建空的pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open***/easy-rsa/3.0.3/pki
[root@open***_server 3.0.3]# ./easyrsa build-ca nopass // 创建新的CA,不使用密码
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.....+++
.......+++
writing new private key to '/etc/open***/easy-rsa/3.0.3/pki/private/ca.key.6Ryg6BLitj'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: // 回车
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/open***/easy-rsa/3.0.3/pki/ca.crt
创建服务端证书
[root@open***_server 3.0.3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................+++
...........................................................................................................................................+++
writing new private key to '/etc/open***/easy-rsa/3.0.3/pki/private/server.key.kRVHzlQXCA'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: // 回车
Keypair and certificate request completed. Your files are:
req: /etc/open***/easy-rsa/3.0.3/pki/reqs/server.req
key: /etc/open***/easy-rsa/3.0.3/pki/private/server.key
签约服务端证书
[root@open***_server 3.0.3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Dec 16 09:26:51 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/open***/easy-rsa/3.0.3/pki/issued/server.crt
创建Diffie-Hellman
[root@open***_server 3.0.3]# ./easyrsa gen-dh
...................................................................++*++*
DH parameters of size 2048 created at /etc/open***/easy-rsa/3.0.3/pki/dh.pem
到这里服务端的证书就创建完了,然后创建客户端的证书。
创建客户端证书
复制文件
[root@open***_server 3.0.3]# cp -r /usr/share/easy-rsa/ /etc/open***/client/easy-rsa
[root@open***_server 3.0.3]# cd /etc/open***/client/easy-rsa/
[root@open***_server easy-rsa]# \rm 3 3.0
[root@open***_server easy-rsa]# cd 3.0.3/
[root@open***_server 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars[root@open***_server 3.0.3]# tree
.
├── easyrsa
├── openssl-1.0.cnf
├── vars
└── x509-types
├── ca
├── client
├── COMMON
├── san
└── server
1 directory, 8 files
生成证书
[root@open***_server 3.0.3]# pwd
/etc/open***/client/easy-rsa/3.0.3
[root@open***_server 3.0.3]# ./easyrsa init-pki # 创建新的pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open***/client/easy-rsa/3.0.3/pki
[root@open***_server 3.0.3]# ./easyrsa gen-req dalin nopass # 客户证书名为大林,木有密码
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.....................................................................+++
...+++
writing new private key to '/etc/open***/client/easy-rsa/3.0.3/pki/private/dalin.key.CM1elrdSOe'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [dalin]: // 回车
Keypair and certificate request completed. Your files are:
req: /etc/open***/client/easy-rsa/3.0.3/pki/reqs/dalin.req
key: /etc/open***/client/easy-rsa/3.0.3/pki/private/dalin.key
最后签约客户端证书
[root@open***_server 3.0.3]# cd /etc/open***/easy-rsa/3.0.3/
[root@open***_server 3.0.3]# pwd
/etc/open***/easy-rsa/3.0.3
[root@open***_server 3.0.3]# ./easyrsa import-req /etc/open***/client/easy-rsa/3.0.3/pki/reqs/dalin.req dalin
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: dalin
You may now use this name to perform signing operations on this request.
[root@open***_server 3.0.3]# ./easyrsa sign client dalin
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = dalin
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'dalin'
Certificate is to be certified until Dec 16 09:40:38 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/open***/easy-rsa/3.0.3/pki/issued/dalin.crt
整理证书
现在所有的证书都已经生成完了,下面来整理一下。
服务端所需要的文件
[root@open***_server 3.0.3]# mkdir /etc/open***/certs
[root@open***_server 3.0.3]# cd /etc/open***/certs/
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/dh.pem .
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/ca.crt .
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/issued/server.crt .
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/private/server.key .
[root@open***_server certs]# ll
总用量 20
-rw------- 1 root root 1172 12月 19 17:51 ca.crt
-rw------- 1 root root 424 12月 19 17:51 dh.pem
-rw------- 1 root root 4552 12月 19 17:51 server.crt
-rw------- 1 root root 1708 12月 19 17:51 server.key
客户端所需的文件
[root@open***_server certs]# mkdir /etc/open***/client/dalin/
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/ca.crt /etc/open***/client/dalin/
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/issued/dalin.crt /etc/open***/client/dalin/
[root@open***_server certs]# cp /etc/open***/client/easy-rsa/3.0.3/pki/private/dalin.key /etc/open***/client/dalin/
[root@open***_server certs]# ll /etc/open***/client/dalin/
总用量 16
-rw------- 1 root root 1172 12月 19 17:51 ca.crt
-rw------- 1 root root 4431 12月 19 17:51 dalin.crt
-rw------- 1 root root 1704 12月 19 17:52 dalin.key
服务器配置文件
vim /etc/open***/server.conf
local 192.168.1.113
port 1194
proto tcp
dev tun
ca /etc/open***/certs/ca.crt
cert /etc/open***/certs/server.crt
key /etc/open***/certs/server.key
dh /etc/open***/certs/dh.pem
ifconfig-pool-persist /etc/open***/ipp.txt
server 17.166.221.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 20 120
comp-lzo
#duplicate-cn
user open***
group open***
persist-key
persist-tun
status open***-status.log
log-append open***.log
verb 1
mute 20
启动服务
systemctl start open***@server
配置iptables及转发
[root@open***_server open***]# iptables -t nat -A POSTROUTING -s 17.166.221.0/24 -o ens34 -j MASQUERADE
注意,12.166的那个换成自己的客户端hdcp我的eth0是内网网卡,eth1是外网网卡。这条策略是将所有的12.166.221.0网段的包转发给eth0
iptables保存配置文件
[root@open***_server open***]# echo "1" >/proc/sys/net/ipv4/ip_forward # 打开路由转发
// 会把规则保存到/etc/sysconfig/iptables # 开机加载
[root@open***_server open***]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
[root@open***_server ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 17.166.221.0/24 0.0.0.0/0
ping 不通解决方法 添加规则,允许tun0网卡进行FORWARD,两条规则。
前提是看FORWARD链,如果发现这一个,就还需要添加FORWARD规则。
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
就需要添加如下两条规则:
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -L -n
测试后发现客户端连接不能上网
删除nat规则
iptables -t nat -D POSTROUTING 1
iptables -t nat -A POSTROUTING -s 17.166.221.0/24 -j MASQUERADE
service iptables save # 保存
测试后可以客户端可以上网,但是走的线路是内网线路上网。
重启open***,然后ifconfig 看一下,会多一个tun0虚拟网卡
[root@open***_server open***]# systemctl restart open***@server
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 17.166.221.1 netmask 255.255.255.255 destination 17.166.221.2
inet6 fe80::d8:689a:a01d:8d71 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1 bytes 48 (48.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
客户端配置
# Linux客户端直接 上面的open×××安装一遍,就可以用了
# client.o***
client #这个不能改
proto tcp #要与server.conf一致
dev tun #要与server.conf一致
remote 主机外网IP 12306
ca ca.crt
cert dalin.crt
key dalin.key #对应所下载的证书
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo
#user open***
#group open***
persist-key
persist-tun
status open***-status.log
log-append open***.log
verb 3
mute 20
# 测试Windows 可以连接
open*** --config client.o*** &