環境:
1. Open***機器 (CentOS6.2 X64)
[root@localhost /]# ifconfig |grep 'inet addr'
inet addr:192.168.1.89 Bcast:192.168.1.255 Mask:255.255.255.0
inet addr:192.168.56.105 Bcast:192.168.56.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
2. Client機器 (windows)
192.168.56.101
目標:
Client通過***撥號到Open***,獲取IP,能訪問內網192.168.1.X網段
安裝配置過程:
1.啓動並清空iptables規則
# iptables -t NAT -F
# iptables -F
# service iptables save
# service iptables restart
2.關閉SELINUX
# setenforce 0
# vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------
server端:
一.網絡設置
1.開啓服務器端路由轉發功能
# vi /etc/sysctl.conf
---------------------
net.ipv4.ip_forward = 1
---------------------
# sysctl -p
2.設置nat轉發:
注:保證***地址池可路由出外網
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
3.設置open***端口通過:
# iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
# iptables -A INPUT -p TCP --dport 7505 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
3.時間同步(重要):
# ntpdate asia.pool.ntp.org
二.安裝依賴庫
# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
三.安裝open***:
# wget -c http://swupdate.open***.org/community/releases/open***-2.3.0.tar.gz
# tar zxvf open***-2.3.0.tar.gz
# cd open***-2.3.0
# ./configure --prefix=/usr/local/open***
# make && make install
# mkdir -p /etc/open***
複製模板到open***配置目錄:
# cp -rf sample /etc/open***/
複製open***配置文件到主目錄:
# cp /etc/open***/sample/sample-config-files/server.conf /etc/open***/
# cd ..
四.下載easy-rsa:
注:該包用來製作ca證書,服務端證書,客戶端證書,open***2.3.0該版本源碼不包含easy-rsa,所以需要單獨下載安裝用來配合open***實現證書生成。
# wget -c https://github.com/Open***/easy-rsa/archive/master.zip
# wget -c https://github.com/Open***/easy-rsa/archive/2.2.2.zip 用的是version 2
# unzip master
# mv easy-rsa-master easy-rsa
# cp -rf easy-rsa /etc/open***
# cd /etc/open***/easy-rsa/easy-rsa/2.0
***變量
# vi vars
修改如下參數
注:在後面生成服務端ca證書時,這裏的配置會作爲缺省配置
---------------------
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="SH"
export KEY_ORG="Renrui"
export KEY_EMAIL="[email protected]"
---------------------
做SSL配置文件軟鏈:
# ln -s openssl-1.0.0.cnf openssl.cnf
修改vars文件可執行並調用
# chmod +x vars
# source ./vars
-----------------
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/open***/easy-rsa/easy-rsa/2.0/keys
-----------------
注:也就是如果執行./clean-all,就會清空/etc/open***/easy-rsa/easy-rsa/2.0/keys下所有文件
開始配置證書:
1.清空原有證書:
# ./clean-all
注:下面這個命令在第一次安裝時可以運行,以後在添加完客戶端後慎用,因爲這個命令會清除所有已經生成的證書密鑰,和上面的提示對應
2.生成服務器端ca證書
./build-ca
注:由於之前做過缺省配置,這裏一路回車即可
3.生成服務器端密鑰證書, 後面這個open***.example.com就是服務器名,也可以自定義
./build-key-server ***.1tjob.cn
---------------------------
Generating a 2048 bit RSA private key
...................................................+++
..................................+++
writing new private key to 'open***.example.com.key'
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or
a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [Xian]:
Organization Name (eg, company) [example]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname)
[open***.example.com]:
Name [EasyRSA]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Renrui
Using configuration from /etc/open***/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SX'
localityName :PRINTABLE:'Xian'
organizationName :PRINTABLE:'example'
commonName :PRINTABLE:'open***.example.com'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jun 10 21:58:49 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
---------------------------
4.生成所需客戶端證書密鑰文件:
# ./build-key client1
# ./build-key client2
注:這裏與生成服務端證書配置類似,中間一步提示輸入服務端密碼,其他按照缺省提示一路回車即可。
5.再生成diffie hellman參數,用於增強open***安全性(生成需要漫長等待)
# ./build-dh
6.打包keys
# tar zcvf keys.tar.gz keys/
五.配置open*** server:
# vi /etc/open***/server.conf
注:可按照默認模板配置,本例爲自定義配置文件:
--------------------------
# 設置監聽IP,默認是監聽所有IP
;local a.b.c.d
# 設置監聽端口,必須要對應的在防火牆裏面打開
port 1194
# 設置用TCP還是UDP協議?
;proto tcp
proto udp
# 設置創建tun的路由IP通道,還是創建tap的以太網通道
# 路由IP容易控制,所以推薦使用它;但如果如IPX等必須
# 使用第二層才能通過的通訊,則可以用tap方式,tap也
# 就是以太網橋接
;dev tap
dev tun
# Windows需要給網卡一個名稱,這裏設置,linux不需要
;dev-node MyTap
# 這裏是重點,必須指定SSL/TLS root certificate (ca),
# certificate(cert), and private key (key)
# ca文件是服務端和客戶端都必須使用的,但不需要ca.key
# 服務端和客戶端指定各自的.crt和.key
# 請注意路徑,可以使用以配置文件開始爲根的相對路徑,
# 也可以使用絕對路徑
# 請小心存放.key密鑰文件
ca /etc/open***/easy-rsa/easy-rsa/2.0/keys/ca.crt
cert /etc/open***/easy-rsa/easy-rsa/2.0/keys/open***.example.com.crt
key /etc/open***/easy-rsa/easy-rsa/2.0/keys/open***.example.com.key
# This file should be kept secret
# 指定Diffie hellman parameters.
dh /etc/open***/easy-rsa/easy-rsa/2.0/keys/dh2048.pem
# 配置***使用的網段,Open***會自動提供基於該網段的DHCP
# 服務,但不能和任何一方的局域網段重複,保證唯一
server 10.8.0.0 255.255.255.0
# 維持一個客戶端和virtual IP的對應表,以方便客戶端重新
# 連接可以獲得同樣的IP
ifconfig-pool-persist ipp.txt
# 配置爲以太網橋模式,但需要使用系統的橋接功能
# 這裏不需要使用
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# 爲客戶端創建對應的路由,以另其通達公司網內部服務器
# 但記住,公司網內部服務器也需要有可用路由返回到客戶端
;push "route 192.168.20.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
# 爲特定的客戶端指定IP或指定路由,該路由通常是客戶端後面的
# 內網網段,而不是服務端連接的網段
# ccd是/etc/open***下的目錄,其中建有希望限制的客戶端Common
# Name爲文件名的文件,並通過下面的命令寫入固定IP地址
# 例如Common Name爲client1,則在/etc/open***/ccd/client1寫有:
# ifconfig-push 10.9.0.1 10.9.0.2
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# 爲可以對不同的客戶端設置防火牆等權限
# 可以讓其自動運行對應腳本,可參考man
;learn-address ./script
# 若客戶端希望所有的流量都通過***傳輸,則可以使用該語句
# 其會自動改變客戶端的網關爲***服務器,推薦關閉
# 一旦設置,請小心服務端的DHCP設置問題
;push "redirect-gateway"
# 用Open***的DHCP功能爲客戶端提供指定的DNS、WINS等
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
# 默認客戶端之間是不能直接通訊的,除非把下面的語句註釋掉
client-to-client
# 如果您希望有相同Common Name的客戶端都可以登陸
# 也可以註釋下面的語句,推薦每個客戶端都使用不用的Common Name
# 常用於測試
;duplicate-cn
# 設置服務端檢測的間隔和超時時間
keepalive 10 120
# 下面是一些對安全性增強的措施
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# open*** --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be 0
# on the server and 1 on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# 使用lzo壓縮的通訊,服務端和客戶端都必須配置
comp-lzo
# 設置最大用戶數
;max-clients 100
# 讓Open***以nobody用戶和組來運行(安全)
;user nobody
;group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# 輸出短日誌,每分鐘刷新一次,以顯示當前的客戶端
status /var/log/open***/open***-status.log
# 缺省日誌會記錄在系統日誌中,但也可以導向到其他地方
# 建議調試的使用先不要設置,調試完成後再定義
log /var/log/open***/open***.log
log-append /var/log/open***/open***.log
# 設置日誌的級別
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# 設置客戶端用賬號密碼登陸
#加入script-security消除以下警告,獲取來自客戶端的賬號和密碼
script-security 3 system
# 開啓用戶密碼腳本
auth-user-pass-verify /usr/local/open***/extend/checkpsw.sh via-env
# 取消客戶端的證書認證
client-cert-not-required
username-as-common-name
--------------------------
創建日誌目錄:
# mkdir -p /var/log/open***/
啓動open*** server
# /usr/local/open***/sbin/open*** --config /etc/open***/server.conf &
設置開機啓動:
#
客戶端用戶驗證登陸
cd /usr/local/open***/extend
wget http://open***.se/files/other/checkpsw.sh
vi psw-file
client1 trinfo #賬戶 密碼
## checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@open***.se>
#
# This script will authenticate Open*** users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/usr/local/open***/extend/psw-file"
LOG_FILE="/var/log/open***/open***-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
~
##########################################
client端:
六.安裝WINDOWS客戶端(WIN7 64bit)
1.下載客戶端,並默認安裝:
http://***tech.googlecode.com/files/open***-2.1.1-gui-1.0.3-install-cn-64bit.zip
2.將服務端打包文件解壓,並將包內ca.crt、client1.crt、client1.key複製到客戶端C:\Program Files\Open***\config下.
3.在C:\Program Files\Open***\config下創建client.o***文件
內容如下:
-----------------------
# 定義是一個客戶端
client
# 定義使用路由IP模式,與服務端一致
;dev tap
dev tun
# 定義Windows下使用的網卡名稱,linux不需要
;dev-node MyTap
# 定義使用的協議,與服務端一致
;proto tcp
proto udp
# 指定服務端地址和端口,可以用多行指定多臺服務器
# 實現負載均衡(從上往下嘗試)
remote 192.168.56.105 1194
;remote my-server-2 1194
# 若上面配置了多臺服務器,讓客戶端隨機連接
;remote-random
# 解析服務器域名
# Keep trying indefinitely to resolve the
# host name of the Open*** server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# 客戶端不需要綁定端口
# Most clients do not need to bind to
# a specific local port number.
nobind
# 也是爲了讓Open***也nobody運行(安全)
# 注意:Windows不能設置
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# 若客戶端通過HTTP Proxy,在這裏設置
# 要使用Proxy,不能使用UDP爲***的通訊協議
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# 無線網絡有很多多餘的頭文件,設置忽略它
;mute-replay-warnings
# 重點,就是指定ca和客戶端的證書
ca ca.crt
# cert client1.crt
# key client1.key
# 如果服務端打開了PAM認證模塊,客戶端需要另其有效
auth-user-pass
# 一些安全措施
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://open***.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# 使用lzo壓縮,與服務端一致
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
-----------------------
5.連接:
在右下角的open***圖標上右擊,選擇“Connect”,若能正常分配IP,則連接成功。
6.最終測試:
C:\Documents and Settings\Administrator>route print
更多文章:
基於用戶名/密碼認證和流量控制的Open***系統的實現
http://liaowake.blog.163.com/blog/static/2507510201163163531396/
深入Open***的配置
http://os.chinaunix.net/a2008/0102/963/000000963340.shtml
Open***設置訪問權限:
一般在iptables中設置。
第一步: #將iptables 的 INPUT 、OUTPUT、FORWORD鏈的默認規則由ACCEPT變爲DROP,即關閉所有端口 #
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
第二步: #打通了局域網通過此機的Forward的通道,也就是來自瑞聘228的消息轉發,可以通過
iptables -A FORWARD -d 192.168.1.228 -j ACCEPT
iptables -A FORWARD -s 192.168.1.228 -j ACCEPT
# for ssh
iptables -A OUTPUT -d 192.168.1.88 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.88 -j ACCEPT
# 放外網IP
iptables -A OUTPUT -d 192.168.56.101 -j ACCEPT
iptables -A OUTPUT -d 192.168.56.101 -j ACCEPT
查看iptables當前的規則:
iptables -L -n
查看iptables當前的nat規則:
iptables -t nat -L
另外一種方式,不管外網地址:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -d 192.168.1.228 -j ACCEPT
iptables -A FORWARD -s 192.168.1.228 -j ACCEPT