1. Log in to CentOS with PuTTY
2. Download LZO and OpenVPN 2.1_rc15
cd /usr/local/src/
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz
3. Install LZO and OpenVPN
tar zxvf lzo-2.04.tar.gz
cd lzo-2.04
./configure
make
make install
cd ..
tar zxvf openvpn-2.1_rc15.tar.gz
cd openvpn-2.1_rc15
./configure
make
make install
cd /
cp -r /usr/local/src/openvpn-2.1_rc15/easy-rsa/ /etc/openvpn
4. Generate certificates: initialize the PKI
cd /etc/openvpn/2.0/ # the PKI parameters can be set here (or by editing the vars file)
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=SH
export KEY_CITY=SH
export KEY_ORG="davy"
export KEY_EMAIL="wanwei.li@tcl.com"
# alternatively, skip the exports above and just run the following command
. vars
Create the certificate authority (CA)
./clean-all
./build-ca
./build-dh
Generating a 1024 bit RSA private key
...............++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:SH
Locality Name (eg, city) [SZ]:SH
Organization Name (eg, company) [efish]:davy
Organizational Unit Name (eg, section) []:davy
Common Name (eg, your name or your server's hostname) []:openvpn.davy
Email Address [support@efish.tk]:wanwei.li@tcl.com
Create the server key
./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [efish]:
Organizational Unit Name (eg, section) []:efish
Common Name (eg, your name or your server's hostname) []:server
Email Address [support@efish.tk]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:efish
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'efish'
organizationalUnitName:PRINTABLE:'efish'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'support@efish.tk'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the client key
./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [efish]:
Organizational Unit Name (eg, section) []:efish
Common Name (eg, your name or your server's hostname) []:client1 # Important: the certificate generated for each client must have a different name.
Email Address [support@efish.tk]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:efish
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'efish'
organizationalUnitName:PRINTABLE:'efish'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'support@efish.tk'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Build the other client keys the same way:
./build-key client2
./build-key client3
Note: at the Common Name (eg, your name or your server's hostname) []: prompt, the name entered must be different for every certificate.
5. Generate the Diffie-Hellman parameters
./build-dh
If this fails with ./build-dh: line 7: dhparam: command not found
Fix:
vi build-dh
and change $OPENSSL to openssl
6. Pack up everything under keys and download it to your local machine (via WinSCP, HTTP, FTP, etc.)
tar zcvf efishkeys.tar.gz keys/
7. Create the server configuration file
mkdir /etc/openvpn/2.0/conf
cp /usr/local/src/openvpn-2.1_rc15/sample-config-files/server.conf /etc/openvpn/2.0/conf/server.conf
Sample server configuration file (server.conf)
port 1194
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/ovpnser.crt
key /etc/openvpn/2.0/keys/ovpnser.key # This file should be kept secret
dh /etc/openvpn/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 202.103.44.150" # DNS server address handed to clients
push "dhcp-option DNS 202.103.24.68" # DNS server address handed to clients
8. Edit the server configuration file (annotated)
vi /etc/openvpn/2.0/conf/server.conf
# Working directory: the relative paths below (conf/..., ta.key, ipp.txt) are resolved
# from here rather than from wherever the daemon happened to be started
cd /etc/openvpn/2.0
# Local IP address this host listens on; may be omitted
;local a.b.c.d
# Port to listen on, default 1194
port 1194
# Protocol to use, UDP by default; if clients go through an HTTP proxy, TCP is required
;proto tcp
proto udp
# Device type: tap or tun. tap is a layer-2 device and carries link-layer protocols;
# tun is an IP-layer point-to-point device with somewhat more restrictions
dev tap
;dev tun
# Root CA used by OpenVPN, generated with build-ca; used to verify that client certificates are valid
ca conf/ca.crt
# Certificate used by the server
cert conf/server.crt
# Private key matching the server certificate; watch the file permissions so it cannot be stolen
key conf/server.key # This file should be kept secret
# CRL: the list of revoked certificates, which can no longer log in
crl-verify vpncrl.pem
# The Diffie-Hellman file generated above
dh conf/dh1024.pem
# The "server" directive is a bundle of options; long-time OpenVPN users will know where it comes from.
# It is equivalent to:
#
# mode server # OpenVPN works in server mode and accepts many clients connecting dynamically
# tls-server # use TLS for the transport; this end is the server, clients are tls-client
#
# if dev tun: # with a tun device it expands to the following
# ifconfig 10.8.0.1 10.8.0.2 # address of the local tun device
# ifconfig-pool 10.8.0.4 10.8.0.251 # address pool OpenVPN hands out to clients: first address, last address
# route 10.8.0.0 255.255.255.0 # add a static route; the omitted next hop defaults to the peer address, here 10.8.0.2
# if client-to-client: # when the client-to-client option is set
# push "route 10.8.0.0 255.255.255.0" # push this route to clients, which add it to their routing table on connect; the omitted next hop is 10.8.0.1
# else
# push "route 10.8.0.1" # otherwise push this host route; the omitted netmask and next hop are 255.255.255.255 and 10.8.0.1
#
# if dev tap: # with a tap device it expands to the following
# ifconfig 10.8.0.1 255.255.255.0 # address of the tap device
# ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 # client address pool: first address, last address, netmask
# push "route-gateway 10.8.0.1" # pass the route-gateway setting to clients
#
server 10.8.0.0 255.255.255.0 # address pool
# Records the IP each client was given, like a dhcpd.leases file,
# so that openvpn does not "forget" a client's previous IP after a restart
ifconfig-pool-persist ipp.txt
# DHCP-like address assignment in bridge mode; not used here because we run in routed mode
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Routes pushed from the VPN server to clients; clients pull and apply every option the server pushes
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
# Routes added on the VPN server when the VPN starts and removed automatically when it stops
;route 10.9.0.0 255.255.255.252
# Run script or shell command cmd to validate client
# virtual addresses or routes. See the manual for details
;learn-address ./script
# Other options to push to clients
#
# Make the VPN the client's default gateway so that all client traffic goes through the VPN
;push "redirect-gateway"
# DHCP options; see the manual for details
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
# Let VPN clients reach each other with the openvpn process forwarding the traffic directly,
# instead of sending it out the tun/tap device and back in; speeds up client-to-client access
client-to-client
# If client certificates share a Common Name, or all clients connect with the same CA
# and keys, this option must be enabled, otherwise only one of them can be connected at a time
;duplicate-cn
# Using the VPN behind NAT: if the VPN is idle for a long time the NAT session may expire
# and the VPN connection is lost. keepalive provides a ping-like mechanism against this:
# below, ping the peer every 10 seconds over the VPN control channel and, if there is no reply
# for 120 seconds, treat the connection as lost and restart the VPN to reconnect
# (in mode server, openvpn does not reconnect on its own).
keepalive 10 120
# The tls-auth HMAC firewall, which guards against DoS attacks: every control message must carry
# an HMAC signature and unsigned control messages are dropped. The trailing number must be 0 on the server and 1 on the client
tls-auth ta.key 0 # This file is secret
# Compress the data; server and client must agree
comp-lzo
# Maximum number of clients
;max-clients 100
# User and group the openvpn process runs as
user nobody
group nobody
# After a keepalive timeout restarts the VPN, do not re-read the keys; keep the ones loaded at first start
persist-key
# After a keepalive timeout restarts the VPN, keep the tun/tap device up,
# otherwise the interface goes down and comes back up
persist-tun
# Periodically write openvpn status information to a file, e.g. for your own accounting scripts
status /var/log/openvpn-status.log
# Log file; the old log is truncated each time openvpn restarts
log /var/log/openvpn.log
# Same as log, but existing log content is kept and new entries are appended at the end
;log-append openvpn.log
# Roughly the debug level; see the manual
verb 3
9. Start OpenVPN
/usr/local/sbin/openvpn --daemon --config /etc/openvpn/2.0/conf/server.conf
echo "/usr/local/sbin/openvpn --daemon --config /etc/openvpn/2.0/conf/server.conf" >> /etc/rc.local
10. Configure the firewall on the OpenVPN server (enable NAT forwarding). If clients can connect to the VPN but cannot reach the Internet, NAT forwarding is most likely not enabled.
Also enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
or:
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
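The MASQUERADE rule above rewrites every packet leaving the host, not only VPN traffic, and nothing in the FORWARD chain admits VPN packets on a host whose FORWARD chain rejects by default. The shell function below is an added example, not from the original post: it emits an iptables-restore ruleset scoped to the VPN subnet and the outbound interface; the subnet 10.8.0.0/24 comes from the post, while the WAN interface and tap device names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate NAT and forwarding rules
# for the OpenVPN server as an iptables-restore ruleset, limited to the VPN
# subnet and the outbound interface instead of masquerading everything.
# Arguments: VPN subnet in CIDR form, WAN interface, tap/tun device, [UDP port]
# (interface and device names are assumptions; adjust them to the host).
vpn_ruleset() {
  net="$1"; wan="$2"; dev="$3"; port="${4:-1194}"
  case "$net" in
    */*) ;;
    *) echo "vpn_ruleset: subnet must be CIDR, got '$net'" >&2; return 1 ;;
  esac
  cat <<EOF
*nat
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
-A INPUT -p udp --dport $port -j ACCEPT
-A FORWARD -i $dev -s $net -o $wan -j ACCEPT
-A FORWARD -i $wan -o $dev -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Apply with: vpn_ruleset 10.8.0.0/24 eth0 tap0 | iptables-restore -n
# (-n appends to the running rules instead of flushing them). To keep IP
# forwarding across reboots, also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
```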
Assigning static IPs to clients:
Add to /etc/openvpn/2.0/conf/server.conf
client-config-dir /etc/openvpn/ccd
then put a per-client configuration file for each client in the /etc/openvpn/ccd directory.
The file name is the client name, i.e. the "Common Name" entered when its key was generated.
For example, to give client kerryhu the address 10.8.0.8,
the file /etc/openvpn/ccd/kerryhu just needs to contain the line:
ifconfig-push 10.8.0.8 255.255.255.0
III. Client configuration
1. Install openvpn-2.1_rc20-install.exe, rename the virtual network adapter (to haw), and edit the client.ovpn file in the config directory under the install directory:
client
dev tap0
dev-node haw # name of the local virtual network adapter
proto udp
remote 221.31.15.49 1194
nobind
persist-key
persist-tun
ca ca.crt
cert james.crt # client certificate name
key james.key
ns-cert-type server
comp-lzo
verb 3
tls-auth ta.key 1
2. Revoke an OpenVPN client certificate (the example below revokes the certificate of VPN client king).
Generate the certificate revocation list:
cd /etc/openvpn/2.0
source ./vars
./revoke-full king
revoke-full ends by verifying the certificate against the new CRL, so a final line reading error 23 at 0 depth lookup:certificate revoked means the revocation took effect.
After these commands finish, a crl.pem file is created in the /etc/openvpn/2.0/keys directory; it contains the list of revoked certificates. You can also look at /etc/openvpn/2.0/keys/index.txt, where the revoked certificate's entry is now marked R.
Copy crl.pem to /etc/openvpn, add the following line to server.conf, and restart the openvpn service:
crl-verify /etc/openvpn/crl.pem
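The per-client ccd files from the static-IP step and the R markers in index.txt described just above can be handled together. The shell script below is an added example, not from the original post: it reads a constructed index.txt in the format easy-rsa (openssl ca) writes, reports whether a Common Name is valid, revoked or absent, lists the revoked entries, and only writes a ccd file for a client whose certificate is still valid; the temp-directory paths and the index contents are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original post: read easy-rsa's keys/index.txt
# and only write a client-config-dir (ccd) file for a client whose certificate
# is present and not revoked. WORK, INDEX and CCD_DIR are constructed paths in
# a temp directory; the index.txt content is constructed sample data.
WORK=$(mktemp -d)
INDEX="$WORK/index.txt"
CCD_DIR="$WORK/ccd"
mkdir -p "$CCD_DIR"
# index.txt as written by openssl ca (easy-rsa): tab-separated fields
# status, expiry, revocation date (empty unless revoked), serial, filename, DN
printf 'V\t160319081531Z\t\t01\tunknown\t/C=CN/ST=GD/L=SZ/O=efish/OU=efish/CN=server/emailAddress=support@efish.tk\n' >"$INDEX"
printf 'V\t160319082200Z\t\t02\tunknown\t/C=CN/ST=GD/L=SZ/O=efish/OU=efish/CN=client1/emailAddress=support@efish.tk\n' >>"$INDEX"
printf 'R\t160319082300Z\t140401120000Z\t03\tunknown\t/C=CN/ST=GD/L=SZ/O=efish/OU=efish/CN=king/emailAddress=support@efish.tk\n' >>"$INDEX"

# cert_status CN -> prints V (a valid cert exists), R (only revoked entries)
# or MISSING. A CN revoked and later re-issued has both an R and a V line,
# so any V line wins.
cert_status() {
  awk -F'\t' -v cn="$1" '
    { n = split($6, p, "/"); for (i = 1; i <= n; i++) if (p[i] == ("CN=" cn)) seen[$1]++ }
    END { if (seen["V"]) print "V"; else if (seen["R"]) print "R"; else print "MISSING" }' "$INDEX"
}

# revoked_cns -> one CN per line for every R entry (what the post reads off
# index.txt by hand after revoke-full)
revoked_cns() {
  awk -F'\t' '$1 == "R" { n = split($6, p, "/"); for (i = 1; i <= n; i++) if (p[i] ~ /^CN=/) print substr(p[i], 4) }' "$INDEX"
}

# make_ccd CN IP NETMASK -> writes $CCD_DIR/CN containing an ifconfig-push
# line (address + netmask form, as for the post's "dev tap" server; a tun
# server in the default net30 topology takes a local/remote address pair).
# Refuses (exit 1, nothing written) when the cert is missing or revoked, so
# a revoked client never keeps a fixed address reserved for it.
make_ccd() {
  case "$(cert_status "$1")" in
    V) printf 'ifconfig-push %s %s\n' "$2" "$3" >"$CCD_DIR/$1" ;;
    *) return 1 ;;
  esac
}
```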
Reposted from: https://blog.51cto.com/davideylee/1386490