Open××× 簡介
×××直譯就是虛擬專用通道,是提供給企業之間或者個人與公司之間安全數據傳輸的隧道,Open×××無疑是Linux下開源×××的先鋒,提供了良好的性能和友好的用戶GUI,並且支持多平臺。
它大量使用了OpenSSL加密庫中的SSLv3/TLSv1協議函數庫。
原理
Open***的技術核心是虛擬網卡,其次是SSL協議實現,由於SSL協議在其它的詞條中介紹的比較清楚了,這裏重點對虛擬網卡及其在Open***的中的工作機理進行介紹:
虛擬網卡是使用網絡底層編程技術實現的一個驅動軟件,安裝後在主機上多出現一個網卡,可以像其它網卡一樣進行配置。服務程序可以在應用層打開虛擬網卡,如果應用軟件(如IE)向虛擬網卡發送數據,則服務程序可以讀取到該數據,如果服務程序寫合適的數據到虛擬網卡,應用軟件也可以接收得到。虛擬網卡在很多的操作系統下都有相應的實現,這也是Open***能夠跨平臺一個很重要的理由。
在Open***中,如果用戶訪問一個遠程的虛擬地址(屬於虛擬網卡配用的地址系列,區別於真實地址),則操作系統會通過路由機制將數據包(TUN模式)或數據幀(TAP模式)發送到虛擬網卡上,服務程序接收該數據並進行相應的處理後,通過SOCKET從外網上發送出去,遠程服務程序通過SOCKET從外網上接收數據,並進行相應的處理後,發送給虛擬網卡,則應用軟件可以接收到,完成了一個單向傳輸的過程,反之亦然。
加密
Open×××使用OpenSSL庫加密數據與控制信息:它使用了OpenSSL的加密以及驗證功能,意味着,它能夠使用任何OpenSSL支持的算法。它提供了可選的數據包HMAC功能以提高連接的安全性。此外,OpenSSL的硬件加速也能提高它的性能。
Open××× 部署
環境
| 系統版本 | 內核版本 | Open××× 版本 | easy-rsa 版本 | |
|---|---|---|---|---|
| CentOS 7.3 | 5.0.5-1 | open***-2.4.7 | easy-rsa-3.0.3 |
CentOS 系統使用最小化安裝
網卡使用兩塊
eth0: 192.168.1.64 # 模擬公網IP
eth1: 172.16.1.10 # 模擬內網IP
關閉 selinux、iptables、firewalld、NetworkManager
安裝
使用 yum 來安裝 Open××× 和 easy-rsa ,所以需要使用epel源,否則會找不到包,我用的是阿里的epel源。
阿里雲yum源地址爲: https://opsx.alibaba.com/mirror
或者直接複製命令: wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo ,執行後就會自動下載epel源。
1. 安裝依賴
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig makecache
2. 安裝 Open×××
yum install -y open*** easy-rsa
3. 安裝 Open×××
[root@open*** ~]# rpm -qa | grep open***open***-2.4.7-1.el7.x86_64 [root@open*** ~]# rpm -qa | grep easyeasy-rsa-3.0.3-1.el7.noarch
配置
1. 拷貝 easy-rsa
cp -R /usr/share/easy-rsa/ /etc/open***/
2. 拷貝 easy-rsa 的讀取信息的文件
cp -r /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/open***/easy-rsa/3.0/vars
3. 修改拷貝的 vars 文件
[root@open*** ~]# cd /etc/open***/easy-rsa/3.0.3/ [root@open*** 3.0.3]# cp vars vars.example # 備份一下 [root@open*** 3.0.3]#ls [root@open*** 3.0.3]# lseasyrsa openssl-1.0.cnf pki vars vars.example x509-types [root@open*** 3.0.3]# egrep '^set_var' vars # 把下面幾行解註釋 set_var EASYRSA_REQ_COUNTRY "CN" set_var EASYRSA_REQ_PROVINCE "California" set_var EASYRSA_REQ_CITY "San Francisco" set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" set_var EASYRSA_REQ_EMAIL "[email protected]" set_var EASYRSA_REQ_OU "My Organizational Unit"
3. 拷貝 默認 Open××× 配置文件到 Open××× 工作目錄下
cp /usr/share/doc/open***-2.4.7/sample/sample-config-files/server.conf /etc/open***/
服務端的 證書生成 和 配置
生成服務端證書
1. 初始化,生成新的pki目錄結構
這一步初始化,會自動創建一個pki目錄
[root@open*** ~]# cd /etc/open***/easy-rsa/3.0.3/[root@open*** 3.0.3]# ./easyrsa init-pkiNote: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/open***/easy-rsa/3.0.3/pki
2. 生成CA根證書
使用 nopass 參數,創建時ca證書不要密碼。
生成 ca.crt
[root@open*** 3.0.3]# ./easyrsa build-ca nopassNote: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key....................................................+++ ...............+++ writing new private key to '/etc/open***/easy-rsa/3.0.3/pki/private/ca.key.eaRLZMVt5B'----- You are about to be asked to enter information that will be incorporatedinto your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]: # 這裏需要回車,什麼都不需要輸入,因爲在上面的vars文件中解註釋的內容會自動填入。CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/open***/easy-rsa/3.0.3/pki/ca.crt
3. 生成密鑰對和證書請求文件
同樣使用 nopass 參數,使證書不要密碼
生成 server.req 和 server.key
[root@open*** 3.0.3]# ./easyrsa gen-req server nopassNote: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key...................................................................+++ ................+++ writing new private key to '/etc/open***/easy-rsa/3.0.3/pki/private/server.key.nW3aKUSpAO'----- You are about to be asked to enter information that will be incorporatedinto your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.----- Common Name (eg: your user, host, or server name) [server]: # 這裏需要回車Keypair and certificate request completed. Your files are: req: /etc/open***/easy-rsa/3.0.3/pki/reqs/server.reqkey: /etc/open***/easy-rsa/3.0.3/pki/private/server.key
4. 用根證書CA與***server.req文件簽名,生成服務端證書
生成 server.crt
[root@open*** 3.0.3]# ./easyrsa sign server serverNote: using Easy-RSA configuration from: ./vars You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject= commonName = serverType the word 'yes' to continue, or any other input to abort. Confirm request details: yes # 這裏需要輸入 yes Using configuration from ./openssl-1.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'server' Certificate is to be certified until Apr 16 07:59:04 2029 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/open***/easy-rsa/3.0.3/pki/issued/server.crt
5. 創建Diffie Hellman參數
生成 dh.pem
[root@open*** 3.0.3]# ./easyrsa gen-dhNote: using Easy-RSA configuration from: ./vars Generating DH parameters, 2048 bit long safe prime, generator 2This is going to take a long time# 這裏會出現很多 點 和 加號 一直等到下面的提示出現DH parameters of size 2048 created at /etc/open***/easy-rsa/3.0.3/pki/dh.pem
6. 把生成的服務端證書拷貝到工作目錄下
cp /etc/open***/easy-rsa/3.0.3/pki/ca.crt /etc/open***/server/ cp /etc/open***/easy-rsa/3.0.3/pki/dh.pem /etc/open***/server/ cp /etc/open***/easy-rsa/3.0.3/pki/private/ca.key /etc/open***/server/ cp /etc/open***/easy-rsa/3.0.3/pki/private/server.key /etc/open***/server/ cp /etc/open***/easy-rsa/3.0.3/pki/issued/server.crt /etc/open***/server/
Open××× 服務端配置文件
[root@open*** 3.0.3]# cd /etc/open***/ [root@open*** open***]# cat server.conf # Sample Open××× 2.0 local 172.16.1.10 port 1194 proto tcp dev tun ca /etc/open***/server/ca.crt cert /etc/open***/server/server.crt key /etc/open***/server/server.key dh /etc/open***/server/dh.pem # 此IP端是客戶端連接上來後獲取的ip段server 10.8.0.0 255.255.255.0# 存放用戶對應的虛10段的ip地址 ifconfig-pool-persist /etc/open***/ipp.txt # 這裏要填寫服務端內網的網段,否則客戶端連接上來後,無法訪問服務端的內網 push "route 172.16.1.0 255.255.255.0"keepalive 10 120cipher AES-256-CBC comp-lzo persist-key persist-tun ifconfig-pool-persist ipp.txt status /etc/open***/open***-status.log log-append /etc/open***/open***.log log /etc/open***/open***.log verb 3explicit-exit-notify 1
Open××× 的啓動關閉
啓動 Open××× 服務
systemctl start open***@server
關閉 Open××× 服務
systemctl stop open***@server
開啓 開機自動啓動 Open××× 服務
systemctl enable open***@server
關閉 開機自動啓動 Open××× 服務
systemctl disenable open***@server
客戶端 證書生成 和 配置
生成客戶端證書
1. 生成客戶端的 密鑰對 和 證書 請求文件
同樣使用 nopass 參數,使證書不要密碼
生成 client.req 和 client.key
[root@open*** open***]# cd /etc/open***/easy-rsa/3.0.3/[root@open*** 3.0.3]# ./easyrsa gen-req client nopassNote: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key.................+++ ..........................+++ writing new private key to '/etc/open***/easy-rsa/3.0.3/pki/private/client.key.rTBHS5Ra17'----- You are about to be asked to enter information that will be incorporatedinto your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.----- Common Name (eg: your user, host, or server name) [client]: Keypair and certificate request completed. Your files are: req: /etc/open***/easy-rsa/3.0.3/pki/reqs/client.reqkey: /etc/open***/easy-rsa/3.0.3/pki/private/client.key
2. 成功生成證書
剛纔我們是用根證書CA簽名生成服務器證書server.crt,現在以CA根證書和server.crt證書籤名得到client.crt
生成 client.crt
[root@open*** 3.0.3]# ./easyrsa sign client clientNote: using Easy-RSA configuration from: ./vars You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 3650 days: subject= commonName = clientType the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from ./openssl-1.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'client' Certificate is to be certified until Apr 16 08:41:12 2029 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/open***/easy-rsa/3.0.3/pki/issued/client.crt
客戶端 鏈接配置
1. 首先下載客戶端證書和ca證書
需要把剛剛生成的客戶端證書和ca證書下載下來
使用 sz 命令下載
如果沒有sz、rz 命令,需要使用命令 yum install lrzsz -y 來安裝
sz /etc/open***/easy-rsa/3.0.3/pki/issued/client.crt sz /etc/open***/easy-rsa/3.0.3/pki/private/client.key sz /etc/open***/easy-rsa/3.0.3/pki/ca.crt
2. 客戶端配置文件
下載後,在桌面創建一個 client 文件夾,把剛剛下載的三個證書都放進去
在 client 文件夾中,創建一個 client.o*** 的文件,寫入下面內容:
client proto tcp dev tun remote 192.168.1.64 1194 resolv-retry infinite nobind ca ca.crt cert client.crt key client.key cipher AES-256-CBC comp-lzo persist-key persist-tun verb 3
注意 client.o*** 文件建議是用戶的名字,不要重複,否則客戶端會報錯
3.服務器開啓內核轉發:修改/etc/sysctl.conf:
net.ipv4.ip_forward = 1
4.開啓iptables nat 轉發
iptables -t nat -A POSTROUTING -d 172.16.1.0/24 -j SNAT --to-source 172.16.1.10
5. 安裝客戶端連接軟件
客戶端下載地址: 點擊下載
下載好後,安裝,很簡單,下一步下一步。
安裝好後,右鍵桌面 Open××× 圖標選擇屬性,點擊 打開文件位置,之後返回上一層安裝目錄,可以看到一個文件名爲config 的文件夾,把剛剛創建的 client 文件夾拷貝到 config 文件夾下.
最後運行 Open×××,在桌面右下角可以看到一個小的電腦顯示器圖標,右鍵鼠標,點擊鏈接即可。
最後:吊銷證書操作步驟
cd /etc/easy-rsa/3.0.3/ ./easyrsa revoke targetkey(證書名) ./easyrsa gen-crl
其中gen-crl會生成一份吊銷證書的名單,放在pki/crl.pem文件裏
最後再server.conf文件中增加此項:
crl-verify /etc/open***/crl.pem
特別說明:吊銷的證書不會立刻被刪除文件,所以要再次創建相同的證書則要刪除crt文件,通常放在pki/issued文件夾下。