open***搭建


第1章 环境说明:

[root@daya-03 system]# systemctl status firewalld.service

firewalld.service - firewalld - dynamic firewall daemon

   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)

   Active: inactive (dead)

 

[root@daya-03 ~]# getenforce

Permissive

 

[root@daya-03 system]# echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf   # 键名为 ip_forward(原文拼写 ip_forword 会导致转发未开启);追加后需执行 sysctl -p 才会生效

[root@daya-03 system]# cat /proc/sys/net/ipv4/ip_forward

第2章 mysql建库建表

mysql> CREATE DATABASE IF NOT EXISTS open*** DEFAULT CHARSET utf8;

 

***用户的密码不可以设置特殊字符,不然pam-mysql的插件无法识别!

mysql> GRANT ALL PRIVILEGES ON open***.* TO ***@'%' IDENTIFIED BY '123456';

 

mysql> CREATE TABLE IF NOT EXISTS user (

    -> username char(32) COLLATE utf8_unicode_ci NOT NULL,

    -> password char(128) COLLATE utf8_unicode_ci DEFAULT NULL,

    -> active int(10) NOT NULL DEFAULT 1,

    -> creation timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,

    -> PRIMARY KEY (username)

-> ) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

第3章 安装依赖

yum install pam_krb5 pam pam-devel cyrus-sasl -y

3.1启动saslauthd服务

[root@daya-03 system]# saslauthd -a pam

3.2 配置pam配置文件(该文件包含明文的数据库口令,应仅允许root读取)

cat >/etc/pam.d/open*** <<EOF

auth sufficient /lib64/security/pam_mysql.so user=*** passwd=123456 host=10.211.55.8 db=open*** table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1

account required /lib64/security/pam_mysql.so user=*** passwd=123456 host=10.211.55.8 db=open*** table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1 

#crypt(0) -- Used to decide to use MySQL's PASSWORD() function or crypt() 

#0 = No encryption. Passwords in database in plaintext. NOT recommended! 

#1 = Use crypt  

#2 = Use MySQL PASSWORD() function

EOF

第4章 编译安装pam_mysql.so

[root@daya-03 pam.d]# wget http://www.huzs.net/soft/vsftpd/pam_mysql-0.7RC1.tar.gz

[root@daya-03 ~]# tar xf pam_mysql-0.7RC1.tar.gz

[root@daya-03 ~]# cd pam_mysql-0.7RC1/

[root@daya-03 pam_mysql-0.7RC1]# ./configure --with-openssl --with-pam-mods-dir=/lib64/security/

[root@daya-03 pam_mysql-0.7RC1]# make && make install

4.1进行测试

testsaslauthd -u test -p 123456 -s open***

第5章 编译open***-auth-pam.so

5.1安装open***

yum install open*** -y

5.2正确下载源码包:http://swupdate.open***.org/community/releases/open***-2.0.9.tar.gz

tar xf open***-2.0.9.tar.gz

cd open***-2.0.9/plugin/auth-pam/

make

cp open***-auth-pam.so /etc/open***/

第6章 生成证书

6.1安装easy-rsa

[root@daya-03 ~]# wget https://github.com/Open×××/easy-rsa/archive/master.zip

[root@daya-03 ~]# unzip master.zip

[root@daya-03 ~]# cd easy-rsa-master/easyrsa3/

6.2编辑vars文件内容

[root@daya-03 easyrsa3]# cp vars.example vars

[root@daya-03 easyrsa3]# cat vars

set_var EASYRSA_REQ_COUNTRY     "CN"

set_var EASYRSA_REQ_PROVINCE    "SH"

set_var EASYRSA_REQ_CITY        "Hangzhou"

set_var EASYRSA_REQ_ORG         "*******"

set_var EASYRSA_REQ_EMAIL       "[email protected]"

set_var EASYRSA_REQ_OU          "Technology department"

6.3创建证书

[root@daya-03 easyrsa3]# ./easyrsa init-pki

[root@daya-03 easyrsa3]# ./easyrsa build-ca

 

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

 

Enter New CA Key Passphrase: 输入密码

Re-Enter New CA Key Passphrase:确认密码

Generating RSA private key, 2048 bit long modulus

....................................+++

.................................................................+++

e is 65537 (0x10001)

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Common Name (eg: your user, host, or server name) [ChangeMe]:***

 

CA creation complete and you may now import and sign cert requests.

Your new CA certificate file for publishing is at:

/root/easy-rsa-master/easyrsa3/pki/ca.crt

 

[root@daya-03 easyrsa3]# ./easyrsa gen-req server nopass

 

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Generating a 2048 bit RSA private key

........+++

..........................+++

writing new private key to '/root/easy-rsa-master/easyrsa3/pki/private/server.key.POy2Bx99ED'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Common Name (eg: your user, host, or server name) [server]: #      这里直接回车

 

Keypair and certificate request completed. Your files are:

req: /root/easy-rsa-master/easyrsa3/pki/reqs/server.req

key: /root/easy-rsa-master/easyrsa3/pki/private/server.key

 

[root@daya-03 easyrsa3]# ./easyrsa sign server server

 

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

 

 

You are about to sign the following certificate.

Please check over the details shown below for accuracy. Note that this request

has not been cryptographically verified. Please be sure it came from a trusted

source or that you have verified the request checksum with the sender.

 

Request subject, to be signed as a server certificate for 1080 days:

 

subject=

    commonName                = server

 

 

Type the word 'yes' to continue, or any other input to abort.

  Confirm request details: yes

Using configuration from /root/easy-rsa-master/easyrsa3/pki/safessl-easyrsa.cnf

Enter pass phrase for /root/easy-rsa-master/easyrsa3/pki/private/ca.key: 上面输入的密码

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

commonName            :ASN.1 12:'server'

Certificate is to be certified until Feb  4 19:14:19 2022 GMT (1080 days)

 

Write out database with 1 new entries

Data Base Updated

 

Certificate created at: /root/easy-rsa-master/easyrsa3/pki/issued/server.crt

6.4创建diffie-hellman

[root@daya-03 easyrsa3]# ./easyrsa gen-dh

6.5将需要的证书拷贝到open***目录下

[root@daya-03 easyrsa3]# cd pki/

[root@daya-03 pki]# mkdir /etc/open***/keys

[root@daya-03 pki]# cp ca.crt /etc/open***/keys/

[root@daya-03 pki]# cp issued/server.crt /etc/open***/keys/

[root@daya-03 pki]# cp private/server.key /etc/open***/keys/

[root@daya-03 pki]# cp dh.pem /etc/open***/keys/

第7章 配置open***

7.1创建服务端配置文件

[root@daya-03 pki]# mkdir /var/log/open***

[root@daya-03 open***]# cat server.conf

local 0.0.0.0

port 1194

proto tcp

dev tun

ca keys/ca.crt

cert keys/server.crt

key keys/server.key

dh keys/dh.pem

server 10.0.0.0 255.255.0.0

push "route 172.16.0.0 255.255.255.0"

push "route 10.0.0.0 255.0.0.0"

push "route 100.104.231.74 255.255.255.255"

push "redirect-gateway def1"

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 172.16.2.1"

push "dhcp-option DNS 223.5.5.5"

ifconfig-pool-persist ipp.txt

client-to-client

keepalive 20 60

cipher AES-128-CBC

max-clients 2048

persist-key

persist-tun

plugin /etc/open***/open***-auth-pam.so open***

verify-client-cert none

username-as-common-name

status open***-status.log

log         /var/log/open***/open***.log

script-security 3

verb 3

client-cert-not-required

7.2创建客户端配置文件

[root@daya-03 client]# cat client.conf

client

dev tun

proto tcp

remote <***服务端公网地址> 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

ns-cert-type server

;tls-auth ta.key 1

verb 3

cipher AES-128-CBC

auth-user-pass

script-security 3

第8章 配置iptables转发

iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT

iptables -A INPUT -i tun0 -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -t nat -A POSTROUTING -s <ifconfig 中 tun0 的网段地址> -j SNAT --to-source <本地内网地址>

 
