第1章 环境说明:
[root@daya-03 system]# systemctl status firewalld.service
●firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
说明：firewalld 已停用，因此第 8 章是直接用 iptables 下发规则。这些规则不会在重启后保留，配置完成后需要另行持久化（例如 iptables-services 的 `service iptables save`，或 `iptables-save > /etc/sysconfig/iptables`）。
[root@daya-03 ~]# getenforce
Permissive
说明：Permissive 模式下 SELinux 只记录、不拦截。如果后续改回 Enforcing，请先在 /var/log/audit/audit.log 中确认 open*** 加载 /etc/open***/ 下的插件、读取 keys/ 目录和写 /var/log/open***/ 没有被拒绝的记录，再切换。
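# Enable IPv4 forwarding so traffic from VPN clients can leave the server.
# The sysctl key is net.ipv4.ip_forward -- the original wrote "ip_forword",
# which is silently useless -- and appending to sysctl.conf only takes effect
# at the next boot unless it is applied with sysctl -p.
[root@daya-03 system]# echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
[root@daya-03 system]# sysctl -p                               # apply now; reports an error for any mistyped key
[root@daya-03 system]# cat /proc/sys/net/ipv4/ip_forward       # must print 1 before going further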
第2章 mysql建库建表
-- Schema that holds the VPN user table; utf8 here is MySQL's 3-byte utf8mb3,
-- which is sufficient for the ASCII usernames pam_mysql will be matching.
mysql> CREATE DATABASE IF NOT EXISTS open*** CHARACTER SET utf8;
注意：pam_mysql 使用的这个 MySQL 账号（***）的密码只能由字母和数字组成——PAM 配置行里 `passwd=` 的值不会做转义，含特殊字符时 pam-mysql 无法正确解析。不要因此把密码设短，应改用足够长的随机字母数字串；同时这个密码会以明文写进 /etc/pam.d/open***，请务必限制该文件的读权限。
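-- pam_mysql only ever reads the user table, so grant SELECT on that table rather
-- than ALL PRIVILEGES on the whole schema. Restrict the account to the host the
-- VPN server connects from (the host= value in /etc/pam.d/open***); '%' lets any
-- host that can reach MySQL try this password.
-- Replace 123456 with a long random alphanumeric secret (see the pam-mysql note
-- above) and keep it identical to passwd= in the PAM configuration.
-- On MySQL 8 the IDENTIFIED BY clause was removed from GRANT: run
-- CREATE USER ***@'10.211.55.8' IDENTIFIED BY '...'; first, then GRANT.
mysql> GRANT SELECT ON open***.user TO ***@'10.211.55.8' IDENTIFIED BY '123456';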
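-- CREATE DATABASE above does not select the schema; without this the table
-- lands in whatever database happens to be current (or fails with
-- "No database selected").
mysql> USE open***;
mysql> CREATE TABLE IF NOT EXISTS user (
-> username char(32) COLLATE utf8_unicode_ci NOT NULL,       -- PAM login name (usercolumn= in the PAM config)
-> password char(128) COLLATE utf8_unicode_ci DEFAULT NULL,  -- crypt(3) hash, never plaintext: the PAM config uses crypt=1
                                                             -- NOTE(review): consider NOT NULL so a row without a hash cannot exist;
                                                             -- check how your pam_mysql build treats a NULL hash before relying on it
-> active int(10) NOT NULL DEFAULT 1,                         -- the PAM config filters on active=1: set 0 to lock an account without deleting it
-> creation timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
-> PRIMARY KEY (username)
-> ) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;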
第3章 安装依赖
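# Build and runtime dependencies.
#  - The original line ended in "–y" (an en dash), which yum does not accept.
#  - gcc/make, the MySQL client headers and openssl-devel are required by the
#    pam_mysql source build in chapter 4 (./configure --with-openssl); on
#    CentOS/RHEL 7 the MySQL headers come from mariadb-devel.
#  - pam_krb5 is not used anywhere in this setup; it is kept only because the
#    original listed it, and can be dropped.
yum install pam_krb5 pam pam-devel cyrus-sasl gcc make mariadb-devel openssl-devel -y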
3.1启动saslauthd服务
# saslauthd is only needed for the testsaslauthd check in 4.1: the auth-pam
# plugin configured in chapter 7 talks to PAM directly. Started by hand like
# this it does not survive a reboot; on a systemd host set MECH=pam in
# /etc/sysconfig/saslauthd (location may differ on other distributions) and
# use `systemctl enable --now saslauthd` instead.
[root@daya-03 system]# saslauthd -a pam
3.2 配置pam配置文件
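# PAM service "open***" (the name passed as the plugin argument in server.conf).
# The MySQL credentials are stored here in clear text, so the file is made
# root-only below: both consumers (the auth-pam plugin's privileged helper and
# saslauthd) run PAM as root. pam_mysql.so is referenced by absolute path
# because chapter 4 installs it with --with-pam-mods-dir=/lib64/security/.
# Quoted delimiter: nothing in the file is expanded by the shell.
cat >/etc/pam.d/open*** <<'EOF'
# auth: look the user up in open***.user. crypt=1 means the "password" column
# holds crypt(3) hashes that pam_mysql compares locally (SELECT is all it needs).
# "required" instead of "sufficient": with a single module there is nothing to
# fall through to, and required states plainly that a failure denies the login.
auth    required /lib64/security/pam_mysql.so user=*** passwd=123456 host=10.211.55.8 db=open*** table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1
# account: same lookup, so a row with active=0 is refused even when its hash matches.
account required /lib64/security/pam_mysql.so user=*** passwd=123456 host=10.211.55.8 db=open*** table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1
# crypt= selects how the stored password is compared:
#   0 = plaintext in the database -- never use this
#   1 = crypt(3) hash; store SHA-512 "$6$..." hashes, not DES or MD5 ones
#   2 = MySQL PASSWORD() hash
EOF
# The DB password lives in this file: keep it readable by root only.
chmod 600 /etc/pam.d/open***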
第4章 编译安装pam_mysql.so
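# pam_mysql is not in the base repositories, so it is built from source. Two
# supply-chain caveats: this is a plain-http download from a third-party mirror,
# and 0.7RC1 is an old release candidate. Fetch the archive from the upstream
# project over https and compare it with the checksum/signature the upstream
# publishes before unpacking -- do not build whatever a mirror happens to serve.
# (The original downloaded into /etc/pam.d and then unpacked in ~; one directory here.)
[root@daya-03 ~]# wget http://www.huzs.net/soft/vsftpd/pam_mysql-0.7RC1.tar.gz
[root@daya-03 ~]# sha256sum pam_mysql-0.7RC1.tar.gz     # compare against the upstream-published value
[root@daya-03 ~]# tar xf pam_mysql-0.7RC1.tar.gz
[root@daya-03 ~]# cd pam_mysql-0.7RC1/
# --with-openssl needs openssl-devel; the MySQL client headers (mariadb-devel on
# CentOS/RHEL 7) are needed regardless. --with-pam-mods-dir must match the path
# used in /etc/pam.d/open***.
[root@daya-03 pam_mysql-0.7RC1]# ./configure --with-openssl --with-pam-mods-dir=/lib64/security/
[root@daya-03 pam_mysql-0.7RC1]# make && make install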
4.1进行测试
# End-to-end check of the PAM stack through saslauthd. The user "test" must
# already exist in open***.user with a crypt(3) hash in "password" and active=1
# (the PAM lines use crypt=1 and where=active=1), otherwise this fails.
# NOTE: -p puts the password into shell history and `ps`; use a throwaway account.
testsaslauthd -u test -p 123456 -s open***
第5章 编译open***-auth-pam.so
5.1安装open***
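# The original line ended in "–y" (an en dash), which yum rejects.
# The packaged open*** (EPEL on CentOS/RHEL 7) normally ships the auth-pam
# plugin too -- check /usr/lib64/openvpn/plugins/ for openvpn-plugin-auth-pam.so
# after installing. If it is there, use it and skip the source build in 5.2:
# it is built for exactly the installed server version.
yum install open*** -y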
5.2 下载源码包（仅在已安装的 open*** 包没有自带 auth-pam 插件时才需要）。插件必须与已安装的 open*** 版本一致（用 `open*** --version` 查看），不要固定使用这里的 2.0.9；下载时优先走 https，并用 open*** 发布的签名文件校验后再解压。示例地址：http://swupdate.open***.org/community/releases/open***-2.0.9.tar.gz
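# Build the auth-pam plugin from the open*** source tree. Use the SAME version
# the installed server reports (`open*** --version`); a 2.0.9-era plugin loaded
# into a current server is not a tested combination. Verify the tarball's
# signature before unpacking it.
tar xf open***-2.0.9.tar.gz
cd open***-2.0.9/plugin/auth-pam/      # newer trees keep it under src/plugins/auth-pam/
make
# Installed next to the config; server.conf references it by this absolute path.
cp open***-auth-pam.so /etc/open***/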
第6章 生成证书
6.1安装easy-rsa
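# master.zip is whatever easy-rsa's default branch holds on the day it is
# fetched: unpinned and unverifiable. Prefer a tagged release archive and check
# it against the published checksum/signature before using it to build a CA.
[root@daya-03 ~]# wget https://github.com/Open×××/easy-rsa/archive/master.zip
[root@daya-03 ~]# unzip master.zip
# One path: the original "easy-rsa-master/ easyrsa3/" passed cd two arguments,
# which either errors out or leaves you in easy-rsa-master/.
[root@daya-03 ~]# cd easy-rsa-master/easyrsa3/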
6.2编辑vars文件内容
[root@daya-03 easyrsa3]# cp vars.example vars
[root@daya-03 easyrsa3]# cat vars
# Default Distinguished-Name fields for every request easyrsa generates below;
# the interactive steps in 6.3 only prompt for the Common Name, the rest comes
# from here. Organisation and e-mail are site-specific placeholders.
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "SH"
set_var EASYRSA_REQ_CITY "Hangzhou"
set_var EASYRSA_REQ_ORG "*******"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "Technology department"
# NOTE(review): no lifetimes are set here, so signing below uses the defaults
# (the server certificate is issued for 1080 days). See vars.example for
# EASYRSA_CERT_EXPIRE / EASYRSA_CA_EXPIRE if that needs changing.
6.3创建证书
# Creates the ./pki directory that every step below writes into.
[root@daya-03 easyrsa3]# ./easyrsa init-pki
# Generates the CA. The passphrase asked for below encrypts pki/private/ca.key,
# which is only needed when signing requests. Only ca.crt is copied to the VPN
# server in 6.5 -- keep ca.key (the whole pki/ tree, ideally) off the server and
# backed up somewhere safer: whoever holds it can issue certificates the server trusts.
[root@daya-03 easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: 输入密码
Re-Enter New CA Key Passphrase:确认密码
Generating RSA private key, 2048 bit long modulus
....................................+++
.................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [ChangeMe]:***
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/easy-rsa-master/easyrsa3/pki/ca.crt
# nopass: the server key is written unencrypted so the daemon can start
# unattended. That leaves file permissions as its only protection -- make it
# root-only (chmod 600) once it is copied to the server.
[root@daya-03 easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
........+++
..........................+++
writing new private key to '/root/easy-rsa-master/easyrsa3/pki/private/server.key.POy2Bx99ED'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: # 这里直接回车
Keypair and certificate request completed. Your files are:
req: /root/easy-rsa-master/easyrsa3/pki/reqs/server.req
key: /root/easy-rsa-master/easyrsa3/pki/private/server.key
# Sign the request with the "server" certificate type (the output below says so).
# The client's server-certificate check (ns-cert-type / remote-cert-tls server in
# client.conf) relies on the extensions this type adds; signing it as a plain
# client certificate would make that check fail.
[root@daya-03 easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /root/easy-rsa-master/easyrsa3/pki/safessl-easyrsa.cnf
Enter pass phrase for /root/easy-rsa-master/easyrsa3/pki/private/ca.key: 上面输入的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Feb 4 19:14:19 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /root/easy-rsa-master/easyrsa3/pki/issued/server.crt
6.4创建diffie-hellman
# Diffie-Hellman parameters for the server (dh keys/dh.pem in server.conf).
# This takes a while; the size follows easy-rsa's key-size setting
# (presumably 2048 bits here, matching the keys above -- TODO confirm).
[root@daya-03 easyrsa3]# ./easyrsa gen-dh
6.5将需要的证书拷贝到open***目录下
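[root@daya-03 easyrsa3]# cd pki/
# Only the material the server needs: the CA certificate (the ca directive),
# its own certificate and key, and the DH parameters. ca.key is deliberately
# NOT copied -- the server never needs it.
[root@daya-03 pki]# mkdir -m 700 /etc/open***/keys
[root@daya-03 pki]# cp ca.crt /etc/open***/keys/
[root@daya-03 pki]# cp issued/server.crt /etc/open***/keys/
[root@daya-03 pki]# cp private/server.key /etc/open***/keys/
[root@daya-03 pki]# cp dh.pem /etc/open***/keys/
# server.key was generated with nopass (unencrypted): root-only.
[root@daya-03 pki]# chmod 600 /etc/open***/keys/server.key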
第7章 配置open***
7.1创建服务端配置文件
# Directory for the "log /var/log/open***/open***.log" directive in server.conf.
[root@daya-03 pki]# mkdir /var/log/open***
[root@daya-03 open***]# cat server.conf
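# /etc/open***/server.conf -- username/password (PAM) authentication, no client
# certificates. Relative paths (keys/, ipp.txt, the status file) resolve from the
# directory the daemon is started in; the packaged systemd unit uses
# /etc/open*** -- check the unit if the service is started any other way.

# --- listener ---------------------------------------------------------------
local 0.0.0.0                 # all interfaces; narrow to the public address if the host has several
port 1194
proto tcp                     # keep in step with client.conf (udp is the usual choice; tcp was chosen here)
dev tun

# --- PKI / TLS --------------------------------------------------------------
ca keys/ca.crt
cert keys/server.crt
key keys/server.key           # unencrypted (gen-req ... nopass): the file must be root-only
dh keys/dh.pem
tls-version-min 1.2           # refuse TLS 1.0/1.1 handshakes; relax only for very old clients
# Strongly recommended once clients can be updated: a pre-shared TLS key, so an
# unauthenticated peer cannot even begin a TLS handshake. This matters more than
# usual here because the server accepts connections without client certificates.
#   openvpn --genkey --secret keys/ta.key     (copy ta.key to every client)
#tls-crypt keys/ta.key

# --- addressing -------------------------------------------------------------
server 10.0.0.0 255.255.0.0   # client pool. NOTE(review): it lies inside the 10.0.0.0/8 route pushed below
push "route 172.16.0.0 255.255.255.0"
push "route 10.0.0.0 255.0.0.0"
push "route 100.104.231.74 255.255.255.255"
push "redirect-gateway def1 bypass-dhcp"   # full tunnel; the duplicate plain "def1" push was dropped
push "dhcp-option DNS 172.16.2.1"
push "dhcp-option DNS 223.5.5.5"
ifconfig-pool-persist ipp.txt
client-to-client              # clients can reach each other through the server; remove if not wanted
keepalive 20 60
max-clients 2048

# --- data-channel crypto ----------------------------------------------------
cipher AES-128-CBC            # fallback only: 2.4+ peers on both ends typically negotiate an AES-GCM cipher
# "auth SHA256" would replace the SHA1 HMAC default, but it must be set on every client as well.

# --- authentication: PAM username/password, no client certificates ----------
plugin /etc/open***/open***-auth-pam.so open***   # 2nd argument = PAM service name -> /etc/pam.d/open***
verify-client-cert none       # replaces the deprecated alias client-cert-not-required (both were set before)
username-as-common-name       # status/log entries keyed by the PAM username, since there is no certificate CN
script-security 2             # was 3, which hands the cleartext password to scripts via the environment;
                              # nothing here uses scripts and the plugin does not need this at all

# --- lifecycle / privileges -------------------------------------------------
persist-key
persist-tun
# NOTE(review): the daemon keeps running as root. "user nobody" / "group nobody"
# (with persist-key/persist-tun above) would drop privileges after startup; the
# auth-pam plugin keeps working because it forks its PAM helper before the drop.
# Not enabled here because ipp.txt and the status file must then be writable by
# that user -- verify the paths and enable it.

# --- logging ----------------------------------------------------------------
status open***-status.log
log /var/log/open***/open***.log
verb 3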
7.2创建客户端配置文件
[root@daya-03 client]# cat client.conf
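# client.conf -- pairs with the server configuration in 7.1.
client
dev tun
proto tcp                     # must match the server (proto tcp in server.conf)
remote ***服务端公网地址 1194   # <host> <port>: the port is a separate token (the original ran them together)
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt                     # the CA that signed server.crt: the only thing telling the client it reached the real server
remote-cert-tls server        # replaces ns-cert-type server (deprecated in 2.4, removed in 2.5); checks the
                              # server-type extensions easy-rsa put on the certificate in 6.3
;tls-auth ta.key 1            # enable on both ends once the server has keys/ta.key (tls-crypt is the newer form)
cipher AES-128-CBC            # must match the server for peers that do not negotiate a cipher
auth-user-pass                # prompts for the PAM username/password. If a credentials file is given here
                              # it holds the password in clear text: chmod 600 it.
# auth-nocache would stop the client from keeping the password in memory after
# the handshake; consider enabling it (it means re-prompting on renegotiation).
verb 3
# script-security was dropped: the client runs no up/down scripts, so it granted nothing useful.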
第8章 配置iptables转发
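# Host firewall and NAT for the tunnel. firewalld is disabled (chapter 1), so
# these rules apply directly -- and are lost at reboot unless saved
# (iptables-services: `service iptables save`, or iptables-save > /etc/sysconfig/iptables).
#
# Fill in the placeholder before running; the value comes from `ip addr` on this host.
SNAT_IP="本地内网地址"     # address on the interface that reaches the LAN/internet

# INPUT: the tunnel listener, traffic arriving through the tunnel, loopback, and
# replies to the host's own sessions (the last one only matters if the INPUT
# policy is DROP -- without it the server could not even fetch packages).
iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# FORWARD: required when the FORWARD policy is DROP (it is usually ACCEPT on a
# stock CentOS 7 without firewalld); harmless otherwise.
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT for the client pool, i.e. "server 10.0.0.0 255.255.0.0" from server.conf.
# The original line read "-s #...": the "#" started a shell comment, so iptables
# was invoked with a bare -s and failed.
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j SNAT --to-source "$SNAT_IP"
# If the outside address is dynamic, use instead:  -o <outside-interface> -j MASQUERADE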