III(21) OpenVPN (1)
VPN (virtual private network) is a technique for building a private data-communication network on top of a public network, relying on ISPs and NSPs. It gives enterprises, or individuals connecting to an enterprise, a secure data-transmission tunnel. No end-to-end physical link exists between two VPN endpoints as it would in a traditional leased-line network; the connection is composed dynamically from public network resources, i.e. a private tunnel simulated over the public data network that offers the same function as a leased line (a point-to-point circuit). "Virtual" means no long-haul physical circuit has to be provisioned; the public Internet is borrowed instead.
What a VPN is for: letting a company's remote users (travelling or at home), branch offices, business partners, suppliers and similar parties build a trusted, secure connection (or a LAN-style connection) to the company's internal network, so that data is transmitted encrypted and business systems can be reached. For operations staff it also links different data centres so that LAN traffic can flow between them.
VPN classification, by common enterprise use (five cases):
1. Remote-access VPN: a personal computer dials in to the corporate office network and uses LAN applications (domain controller, file server, OA system, ERP, HTTP services, internal chat). For operations staff: dialling from a personal computer into the company's IDC to maintain servers, databases and storage on the internal network, since such servers generally have no public IP.
2. VPN between internal networks: a branch office LAN connected to the head-office LAN, for example inter-store settlement at a supermarket chain.
3. VPN between an Internet company's multiple IDCs: designed by operations and architecture staff for management traffic and business traffic between data centres.
4. Extranet VPN: a VPN between a supplier's or partner's LAN and the company's own LAN.
5. Reaching websites abroad (a VPN application).
Common tunnelling protocols:
PPTP (Point-to-Point Tunneling Protocol), developed by Microsoft and 3Com. It authenticates with PAP or CHAP (MS-CHAP in practice) and encrypts with MPPE, creating a VPN across a TCP/IP data network so that IP traffic can be carried encrypted. The typical open-source implementation on Linux is pptpd. It suits client-to-office remote access and is not well suited to site-to-site use. Caveat: MS-CHAPv2, the authentication PPTP relies on in practice, is cryptographically broken, so PPTP should not be relied on to protect traffic today.
L2TP (Layer 2 Tunneling Protocol), developed by the IETF from Cisco's L2F (Layer 2 Forwarding) as the successor to PPTP; an industry-standard Internet tunnelling protocol. L2TP itself provides no confidentiality, which is why it is normally paired with IPsec.
IPsec (IP Security) is a protocol suite rather than a single protocol. In IPsec tunnel mode the whole process is encapsulation, routing and decapsulation: the original packet is hidden (encapsulated) inside a new packet whose new addressing and routing information carries it across the network. Combined with encryption, anyone eavesdropping on the network cannot see the original packet or its true source and destination. When the encapsulated packet arrives, the outer header is removed and the original header routes the packet to its final destination. IPsec is the usual choice for joining IDCs into one LAN.
SSL VPN: the SSL protocol (between the transport and application layers) provides data confidentiality, endpoint authentication and message integrity. SSL consists of several sub-protocols, chiefly the handshake protocol and the record protocol: the handshake protocol lets server and client authenticate each other and negotiate a cipher and keys before the first byte of application data is sent; during data transfer the record protocol encrypts and decrypts with the keys produced by the handshake. SSL is independent of the application, so any program can use it without caring about the details, and practically every web browser supports it. These last two points are what make SSL suitable for VPNs; the typical SSL VPN is OpenVPN.
Notes:
PPTP and L2TP both use PPP to encapsulate data and then add extra headers for transport across the Internet.
PPTP establishes a single tunnel between two endpoints; L2TP supports multiple tunnels between the same two endpoints.
PPTP requires the intervening network to be TCP/IP; L2TP is broader and only needs the tunnel medium to provide packet-oriented point-to-point connectivity, such as Frame Relay.
PPTP has no tunnel authentication; L2TP can authenticate the tunnel.
In practice L2TP is deployed together with IPsec (L2TP/IPsec), with IPsec supplying tunnel authentication and data encryption; PPTP relies on its own MPPE encryption.
Open-source VPN implementations:
PPTP VPN (biggest advantage: nothing to install on Windows, since the OS ships a dial-up client that supports PPTP out of the box; suited to remote employees dialling in to the office, point-to-point; many residential network devices do not pass PPTP, so it cannot always be reached);
SSL VPN (OpenVPN; covers the PPTP scenarios and also suits an always-on VPN between a head office and its branches for enterprise applications such as ERP, OA and instant messaging; a client must be installed);
IPsec VPN (Openswan; suits always-on or on-demand VPNs between a head office and branches, or between several IDCs; simple to deploy and use).
Recommendations for choosing a VPN solution by production scenario:
1. If the budget allows, choose a hardware product; firewalls, load balancers and similar appliances usually include a VPN function.
2. For an Internet company, where the operations architect is expected to add value, prefer open source: cheaper, more extensible, two VPN servers per IDC for high availability, and open to further development.
3. Among the open-source options, use OpenVPN for individual dial-in (powerful, stable, reliable), or PPTP if users should not have to install a separate client; for interconnecting several companies or several IDCs choose IPsec VPN or OpenVPN, either of which covers the usual enterprise needs.
OpenVPN (client/server architecture, the pioneer of open-source VPNs on Linux) offers good performance and a friendly GUI, and lets users authenticate with a private key, a third-party certificate or a username/password. It relies heavily on the OpenSSL library and the SSLv3/TLSv1 protocols, runs on Linux, the BSDs, macOS and Windows, is not a web-based VPN, and is not compatible with IPsec or other VPN packages. Being client/server software it needs its own OpenVPN client installed (the one point on which PPTP is more convenient).
SSL (Secure Sockets Layer) is a security protocol created to provide security and data integrity for network communication. SSL encrypts network communication at the transport layer and uses public-key cryptography to guarantee the confidentiality and reliability of communication between two applications, so that client/server traffic cannot be eavesdropped on by an attacker; it is the industry standard for confidential communication on the Internet.
TLS (Transport Layer Security) is SSL's successor. It uses cryptographic algorithms to provide endpoint authentication and confidential communication over the Internet; its foundation is the PKI (public key infrastructure).
How OpenVPN encrypts communication: it uses TLS with public-key (asymmetric, public key plus private key) cryptography. Server and client each hold a certificate issued by the same CA; they exchange certificates and verify each other's against that CA before deciding whether to set up the VPN connection. The TLS handshake then establishes the symmetric keys used for the data channel: the key material is exchanged under the peer's public key (or via Diffie-Hellman), so only the holder of the matching private key can recover it. The data-channel keys are renegotiated periodically (the reneg-sec directive, 3600 s by default), so by the time an eavesdropper could recover one key the two sides have already moved on to the next.
OpenVPN's authentication options: pre-shared key (simplest, only usable for point-to-point VPNs); PKI-based third-party certificates (most complete, but the PKI must be maintained); username/password (a server CA certificate is still needed so that the password exchange is encrypted); others such as LDAP or a unified authentication back end.
How OpenVPN communicates: over a single IP port (1194 by default, UDP by default, TCP also supported); the core technologies are the virtual network interface (tun/tap) and the SSL/TLS protocol.
Scenario: a user dials in remotely to the enterprise OpenVPN.
Notes on the figure above (figure not included here):
172.16.1.x is the LAN address range and 10.96.20.113 stands in for the public address; once the user connects to the VPN server, any machine on the LAN can be reached.
After the VPN service starts it has a virtual interface in 10.8.0.x; when a client dials in to the VPN server and reaches a LAN server, it does so from a 10.8.0.x address.
There are two ways to let the client and the LAN servers talk to each other:
Option 1: on LAN server 1, 2, ... either set 172.16.1.11 as the default gateway or add a network route for 10.8.0.0/24 via it; otherwise the client never sees the LAN servers' reply packets.
Option 2: do NAT on the VPN server, so that traffic from 10.8.0.x leaves it with source address 172.16.1.11.
Interconnecting enterprise IDCs (IPsec VPN):
Notes on the figure above (figure not included here):
If the VPN servers run OpenVPN, one end is the server and the other the client, and the client initiates the connection to the server;
If the VPN servers run IPsec, both ends are servers; with many IDCs avoid ring topologies and interconnect one-to-many;
If three IDCs do LDAP authentication, one IDC hosts the openvpn-server and the ldap-primary, the others are openvpn-clients with ldap-slaves; all inter-IDC traffic goes through the VPN tunnel, each IDC authenticates its own users, and a slave takes over for remote use only if the primary fails.
Note: OpenVPN and IPsec for IDC interconnection are mostly for management and application traffic; bulk data transfer without tight real-time requirements is a poor fit and belongs on a dedicated fibre line.
Notes on the figure above (figure not included here):
Use cases: interconnecting enterprises; data synchronisation and backup; reading/writing data at a remote site (for a single service clustered across IDCs, ideally only write remotely and keep remote reads to a minimum).
OpenVPN in practice (install the OpenVPN client on a physical PC, dial in to the VPN server from afar, and manage several servers on the LAN):
Windows client (10.96.20.252)
VPN server (VMware VM, bridged, eth0: 10.96.20.113, eth1: 172.16.1.11)
LAN server 1 (VMware VM, bridged, eth0: 172.16.1.12)
VPN server side:
[root@vpnserver ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root@vpnserver ~]# uname -rm
2.6.32-431.el6.x86_64 x86_64
[root@vpnserver ~]# yum grouplist
……
Installed Groups:
Additional Development
Base
Compatibility libraries
Debugging Tools
Desktop
Desktop Platform
Desktop Platform Development
Development tools
Dial-up Networking Support
Directory Client
E-mail server
Fonts
General Purpose Desktop
Graphical Administration Tools
Hardware monitoring utilities
Internet Browser
Legacy UNIX compatibility
Legacy X Window System compatibility
MySQL Database client
Network Infrastructure Server
Networking Tools
Performance Tools
Perl Support
……
[root@vpnserver ~]# service ntpd status
ntpd is stopped
[root@vpnserver ~]# ntpdate pool.ntp.org #(sync the clock now; certificate validity checks depend on a correct clock; a Windows host could use time.windows.com)
14 Jul 03:02:51 ntpdate[3187]: step time server 115.28.122.198 offset -61.726348 sec
[root@vpnserver ~]# date
Thu Jul 14 03:02:55 PDT 2016
[root@vpnserver ~]# crontab -e
#time sync
*/5 * * * * /usr/sbin/ntpdate pool.ntp.org &> /dev/null
[root@vpnserver ~]# service crond restart
Stopping crond: [ OK ]
Starting crond: [ OK ]
[root@vpnserver ~]# mkdir -pv /home/webgame/tools/openvpn #(a fixed directory for software to be installed; everyone should install from the designated directory)
mkdir: created directory `/home/webgame/tools'
mkdir: created directory `/home/webgame/tools/openvpn'
[root@vpnserver ~]# cd !$
cd /home/webgame/tools/openvpn
http://www.oberhumer.com/opensource/lzo/ (lzo download)
https://openvpn.net/index.php/download/community-downloads.html (latest release)
http://swupdate.openvpn.org/community/releases/ (older releases)
[root@vpnserver openvpn]# rz #(verify the downloaded tarballs against the published checksums or GPG signatures before building; 2.2.2 is also an old release, so use a current version in production)
[root@vpnserver openvpn]# ll
total 1476
-rw-r--r--. 1 root root 594855 Jul 14 03:48 lzo-2.09.tar.gz
-rw-r--r--. 1 root root 911158 Jul 14 03:58 openvpn-2.2.2.tar.gz
[root@vpnserver openvpn]# tar xf lzo-2.09.tar.gz
[root@vpnserver openvpn]# cd lzo-2.09
[root@vpnserver lzo-2.09]# ./configure
[root@vpnserver lzo-2.09]# make
[root@vpnserver lzo-2.09]# echo $?
0
[root@vpnserver lzo-2.09]# make install
……
[root@vpnserver lzo-2.09]# cd ../
[root@vpnserver openvpn]# rpm -qa openssl-devel
openssl-devel-1.0.1e-15.el6.x86_64
[root@vpnserver openvpn]# tar xf openvpn-2.2.2.tar.gz
[root@vpnserver openvpn]# cd openvpn-2.2.2
[root@vpnserver openvpn-2.2.2]# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
Note: to build 2.3.11 instead, install the openssl-devel, pam-devel and lzo-devel packages first and drop the --with-lzo-headers and --with-lzo-lib options; 2.3.11 no longer bundles easy-rsa, which must be downloaded separately from https://github.com/OpenVPN/easy-rsa/archive/master.zip
[root@vpnserver openvpn-2.2.2]# make && make install
……
[root@vpnserver openvpn-2.2.2]# cd ..
[root@vpnserver openvpn]# which openvpn
/usr/local/sbin/openvpn
[root@vpnserver openvpn]# cd openvpn-2.2.2/easy-rsa/2.0/ #(this directory holds only scripts; pkitool reads the vars file and generates certificates non-interactively)
[root@vpnserver 2.0]# ls
build-ca build-key build-key-server clean-all Makefile openssl-1.0.0.cnf revoke-full whichopensslcnf
build-dh build-key-pass build-req inherit-inter openssl-0.9.6.cnf pkitool sign-req
build-inter build-key-pkcs12 build-req-pass list-crl openssl-0.9.8.cnf README vars
[root@vpnserver 2.0]# cp vars vars.backup_20160714
[root@vpnserver 2.0]# vim vars #(the file differs between 2.0.9 (5 entries) and 2.2.2 (11 entries); the export lines at the end set the environment variables the scripts use. The same file also sets KEY_SIZE, which defaults to 1024 in this version and is why every key generated below is 1024-bit RSA; set it to 2048 before generating anything for production)
……
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="ShangHai"
export KEY_ORG="qikai"
export KEY_EMAIL="[email protected]"
export KEY_EMAIL=[email protected]
export KEY_CN=CN
export KEY_NAME=qikai
export KEY_OU=qikai
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
[root@vpnserver 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@vpnserver 2.0]# ./clean-all #(wipes all existing certificates and creates the files and directories needed to generate the CA certificate and keys)
[root@vpnserver 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [qikai]:
Organizational Unit Name (eg, section) [qikai]:
Common Name (eg, your name or your server's hostname) [CN]:qikai
Name [qikai]:
Email Address [[email protected]]:
[root@vpnserver 2.0]# ll keys/ #(.crt is the certificate; ca.key is the CA private key, the most sensitive file in the whole setup: whoever holds it can issue client certificates the server will trust, so in production keep it off the VPN server)
total 12
-rw-r--r--. 1 root root 1310 Jul 14 04:30 ca.crt
-rw-------. 1 root root 916 Jul 14 04:30 ca.key
-rw-r--r--. 1 root root 0 Jul 14 04:28 index.txt
-rw-r--r--. 1 root root 3 Jul 14 04:28 serial
[root@vpnserver 2.0]# ./build-key-server server #(generate the VPN server's key and certificate; unlike build-key, this script marks the certificate as a server certificate (nsCertType=server), which is what the client's ns-cert-type server line checks so that a stolen client certificate cannot be used to impersonate the server)
Generating a 1024 bit RSA private key
...........++++++
..............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [qikai]:
Organizational Unit Name (eg, section) [qikai]:
Common Name (eg, your name or your server's hostname) [server]:
Name [qikai]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:qikai
Using configuration from /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'ShangHai'
organizationName :PRINTABLE:'qikai'
organizationalUnitName:PRINTABLE:'qikai'
commonName :PRINTABLE:'server'
name :PRINTABLE:'qikai'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jul 13 06:15:27 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpnserver 2.0]# ll keys/ #(server.crt, server.key and server.csr were created)
total 40
-rw-r--r--. 1 root root 4000 Jul 14 23:15 01.pem
-rw-r--r--. 1 root root 1310 Jul 14 04:30 ca.crt
-rw-------. 1 root root 916 Jul 14 04:30 ca.key
-rw-r--r--. 1 root root 121 Jul 14 23:15 index.txt
-rw-r--r--. 1 root root 21 Jul 14 23:15 index.txt.attr
-rw-r--r--. 1 root root 0 Jul 14 04:28 index.txt.old
-rw-r--r--. 1 root root 3 Jul 14 23:15 serial
-rw-r--r--. 1 root root 3 Jul 14 04:28 serial.old
-rw-r--r--. 1 root root 4000 Jul 14 23:15 server.crt
-rw-r--r--. 1 root root 769 Jul 14 23:15 server.csr
-rw-------. 1 root root 916 Jul 14 23:15 server.key
[root@vpnserver 2.0]# ./build-key test #(generate a client key and certificate; a key made with build-key needs no password when dialling, whereas one made with build-key-pass prompts for its passphrase at every connection; every person in the company, i.e. every remote user, must have their own .crt/.key pair, because sharing one pair makes revocation of a single user impossible)
Generating a 1024 bit RSA private key
..............++++++
.............................++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [qikai]:
Organizational Unit Name (eg, section) [qikai]:
Common Name (eg, your name or your server's hostname) [test]:
Name [qikai]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:qikai
Using configuration from /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'ShangHai'
organizationName :PRINTABLE:'qikai'
organizationalUnitName:PRINTABLE:'qikai'
commonName :PRINTABLE:'test'
name :PRINTABLE:'qikai'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jul 13 06:22:10 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpnserver 2.0]# ll keys/
total 64
-rw-r--r--. 1 root root 4000 Jul 14 23:15 01.pem
-rw-r--r--. 1 root root 3872 Jul 14 23:22 02.pem
-rw-r--r--. 1 root root 1310 Jul 14 04:30 ca.crt
-rw-------. 1 root root 916 Jul 14 04:30 ca.key
-rw-r--r--. 1 root root 240 Jul 14 23:22 index.txt
-rw-r--r--. 1 root root 21 Jul 14 23:22 index.txt.attr
-rw-r--r--. 1 root root 21 Jul 14 23:15 index.txt.attr.old
-rw-r--r--. 1 root root 121 Jul 14 23:15 index.txt.old
-rw-r--r--. 1 root root 3 Jul 14 23:22 serial
-rw-r--r--. 1 root root 3 Jul 14 23:15 serial.old
-rw-r--r--. 1 root root 4000 Jul 14 23:15 server.crt
-rw-r--r--. 1 root root 769 Jul 14 23:15 server.csr
-rw-------. 1 root root 916 Jul 14 23:15 server.key
-rw-r--r--. 1 root root 3872 Jul 14 23:22 test.crt
-rw-r--r--. 1 root root 765 Jul 14 23:22 test.csr
-rw-------. 1 root root 916 Jul 14 23:22 test.key
[root@vpnserver 2.0]# ./build-key-pass ett #(generate a client key whose passphrase is required when dialling; the passphrase protects the key file if the laptop or the file is lost)
Generating a 1024 bit RSA private key
.............++++++
..++++++
writing new private key to 'ett.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [qikai]:
Organizational Unit Name (eg, section) [qikai]:
Common Name (eg, your name or your server's hostname) [ett]:
Name [qikai]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:qikai
Using configuration from /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'ShangHai'
organizationName :PRINTABLE:'qikai'
organizationalUnitName:PRINTABLE:'qikai'
commonName :PRINTABLE:'ett'
name :PRINTABLE:'qikai'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jul 13 06:28:05 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpnserver 2.0]# ll keys/
total 80
-rw-r--r--. 1 root root 4000 Jul 14 23:15 01.pem
-rw-r--r--. 1 root root 3872 Jul 14 23:22 02.pem
-rw-r--r--. 1 root root 3871 Jul 14 23:28 03.pem
-rw-r--r--. 1 root root 1310 Jul 14 04:30 ca.crt
-rw-------. 1 root root 916 Jul 14 04:30 ca.key
-rw-r--r--. 1 root root 3871 Jul 14 23:28 ett.crt
-rw-r--r--. 1 root root 765 Jul 14 23:28 ett.csr
-rw-------. 1 root root 1041 Jul 14 23:28 ett.key
-rw-r--r--. 1 root root 358 Jul 14 23:28 index.txt
-rw-r--r--. 1 root root 21 Jul 14 23:28 index.txt.attr
-rw-r--r--. 1 root root 21 Jul 14 23:22 index.txt.attr.old
-rw-r--r--. 1 root root 240 Jul 14 23:22 index.txt.old
-rw-r--r--. 1 root root 3 Jul 14 23:28 serial
-rw-r--r--. 1 root root 3 Jul 14 23:22 serial.old
-rw-r--r--. 1 root root 4000 Jul 14 23:15 server.crt
-rw-r--r--. 1 root root 769 Jul 14 23:15 server.csr
-rw-------. 1 root root 916 Jul 14 23:15 server.key
-rw-r--r--. 1 root root 3872 Jul 14 23:22 test.crt
-rw-r--r--. 1 root root 765 Jul 14 23:22 test.csr
-rw-------. 1 root root 916 Jul 14 23:22 test.key
[root@vpnserver 2.0]# ./build-dh #(generate the Diffie-Hellman parameter file used for the key exchange; like the keys it is 1024-bit here because of KEY_SIZE in vars)
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................................+……
[root@vpnserver 2.0]# ll keys/dh1024.pem
-rw-r--r--. 1 root root 245 Jul 14 23:32 keys/dh1024.pem
[root@vpnserver 2.0]# openvpn --genkey --secret keys/ta.key #(generate the tls-auth HMAC key, the "HMAC firewall": packets without a valid HMAC are dropped before any TLS processing, which protects against DoS and UDP port flooding. It only has an effect once server.conf and every client config reference it with tls-auth, which the configuration below does not yet do)
[root@vpnserver 2.0]# ll keys/ta.key
-rw-------. 1 root root 636 Jul 14 23:38 keys/ta.key
Note: #./make-crl vpncrl.pem (generate a certificate revocation list so that a lost certificate cannot be used by an unauthorised person to join the VPN; this script is not in the listing above, and in this easy-rsa version revoke-full produces keys/crl.pem, as shown further down)
[root@vpnserver 2.0]# mkdir -p /etc/openvpn
[root@vpnserver 2.0]# cp -ap /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys/ /etc/openvpn #(copying the whole keys/ directory also puts ca.key and every client key on the VPN server; in production copy only ca.crt, server.crt, server.key, dh1024.pem and ta.key, and keep the CA elsewhere)
[root@vpnserver 2.0]# cp /home/webgame/tools/openvpn/openvpn-2.2.2/sample-config-files/{server.conf,client.conf} /etc/openvpn
[root@vpnserver 2.0]# tree /etc/openvpn
/etc/openvpn
├── client.conf
├── keys
│ ├── 01.pem
│ ├── 02.pem
│ ├── 03.pem
│ ├── ca.crt
│ ├── ca.key
│ ├── dh1024.pem
│ ├── ett.crt
│ ├── ett.csr
│ ├── ett.key
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.attr.old
│ ├── index.txt.old
│ ├── serial
│ ├── serial.old
│ ├── server.crt
│ ├── server.csr
│ ├── server.key
│ ├── ta.key
│ ├── test.crt
│ ├── test.csr
│ └── test.key
└── server.conf
1 directory, 24 files
[root@vpnserver 2.0]# cd /etc/openvpn
[root@vpnserver openvpn]# egrep -v ";|#|^$" server.conf #(the sample server.conf with comments and blank lines stripped; the directives used in this article, including those set in the edited file further down, mean the following)
# local IP_ADDRESS: the address OpenVPN listens on at start-up, i.e. the public IP that clients connect to (like nginx's *:80)
# port 1194: 1194 by default; changed to 52115 below, which hides the service from casual scans but is not a security control by itself
# proto udp: UDP by default; changed to tcp below for stability on unreliable links, at the cost of TCP-over-TCP retransmission overhead, so keep udp where it works
# dev tun: routed mode (tun); tap (bridged) is the alternative
# ca ca.crt: the CA certificate; relative paths are resolved from the directory server.conf is in, otherwise use absolute paths
# server 10.8.0.0 255.255.255.0: the address pool the VPN server assigns to clients
# ifconfig-pool-persist ipp.txt: remembers which client got which address across restarts
# push "route 172.16.1.0 255.255.255.0": the server's internal subnet, pushed to clients as a route; add one push per VLAN if the internal network is segmented
# client-to-client: lets clients connected to the same server talk to each other
# duplicate-cn: allows several clients to connect with the same certificate (not recommended: it defeats per-user revocation)
# keepalive 10 120: ping every 10 s; treat the peer as disconnected after 120 s without a packet
# comp-lzo: enable compression
# persist-key: keep the already-read keys across restarts triggered by a timeout instead of re-reading them
# persist-tun: keep the tun/tap device open across such restarts
# status openvpn-status.log: status file listing connected clients
# log /var/log/openvpn.log: log file location
# verb 3: log verbosity
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
[root@vpnserver openvpn]# egrep -v ";|#|^$" client.conf
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
[root@vpnserver openvpn]# vim server.conf
-----------file start--------------
local 10.96.20.113
port 52115
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.1.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
-------------file end------------------
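The server.conf above works, but it leaves out several protections that the rest of this article prepares for (ta.key is generated and never used, the daemon keeps running as root, no cipher is pinned, and revoked certificates are not checked until the crl-verify step much later). The following shell script is an added example, not part of the original post: it reads a server.conf the way the egrep above does, reports those gaps, and writes a corrected version. It assumes OpenVPN 2.2.x directive names, that dh2048.pem was generated with KEY_SIZE=2048 in vars, and that crl.pem exists; the temporary directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): checker for the OpenVPN server.conf
# built in this article. Assumes OpenVPN 2.2.x directives; sample files are constructed.

# Effective directives of an OpenVPN config: comments and blank lines dropped.
effective_directives() {
  grep -Ev '^[[:space:]]*(;|#|$)' "$1"
}

# Print one finding per line for the config file $1; always returns 0.
check_server_conf() {
  conf="$1"
  has() { effective_directives "$conf" | grep -Eq "^$1([[:space:]]|$)"; }

  has tls-auth   || echo "missing tls-auth: ta.key is unused, so anyone can start a TLS handshake on the port"
  has user       || echo "missing user: the daemon keeps root privileges after start-up (use 'user nobody')"
  has group      || echo "missing group: use 'group nobody' together with 'user nobody'"
  has cipher     || echo "missing cipher: 2.2.x falls back to its default (BF-CBC); set AES-256-CBC explicitly"
  has crl-verify || echo "missing crl-verify: revoked client certificates are still accepted"
  effective_directives "$conf" | grep -Eq '^dh[[:space:]]+.*dh1024' \
    && echo "dh1024.pem: 1024-bit DH parameters are too weak; set KEY_SIZE=2048 in vars and rebuild"
  effective_directives "$conf" | grep -Eq '^client-to-client' \
    && echo "client-to-client: every VPN user can reach every other user; drop it unless required"
  effective_directives "$conf" | grep -Eq '^duplicate-cn' \
    && echo "duplicate-cn: a certificate shared by several users defeats per-user revocation"
  return 0
}

# Number of findings for config file $1 (0 means the checker is satisfied).
count_findings() {
  check_server_conf "$1" | awk 'END { print NR }'
}

# The server.conf from this article, reproduced as test input.
write_page_conf() {
  cat > "$1" <<'EOF'
local 10.96.20.113
port 52115
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.1.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
EOF
}

# The same configuration with the findings addressed. dh2048.pem and crl.pem are
# assumed to have been generated with easy-rsa as the article shows (assumption).
write_hardened_conf() {
  cat > "$1" <<'EOF'
local 10.96.20.113
port 52115
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
tls-auth keys/ta.key 0
cipher AES-256-CBC
auth SHA256
crl-verify keys/crl.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
EOF
}

# Stand-alone demonstration on the constructed files.
demo_dir=$(mktemp -d)
write_page_conf "$demo_dir/server.conf"
write_hardened_conf "$demo_dir/server.hardened.conf"
echo "findings for the article's server.conf:"
check_server_conf "$demo_dir/server.conf"
echo "findings for the hardened version: $(count_findings "$demo_dir/server.hardened.conf")"
```

`user nobody` and `group nobody` drop privileges after the tun device and key files have been opened, which is why `persist-key` and `persist-tun` must stay in the file; `tls-auth keys/ta.key 0` on the server requires the matching `tls-auth ta.key 1` in every client configuration, and the checker deliberately says nothing about the port or protocol choice, since neither is a security control.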
[root@vpnserver openvpn]# service iptables stop #(a lab shortcut; in production keep the firewall on and instead open port 52115/tcp and accept FORWARD traffic for tun0, in addition to the NAT rule shown later)
[root@vpnserver openvpn]# getenforce #(SELinux)
Permissive
[root@vpnserver openvpn]# sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
[root@vpnserver openvpn]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
……
[root@vpnserver openvpn]# echo "/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &" >> /etc/rc.local #(start at boot; once the init script below is registered with chkconfig, remove this line again so that the daemon is not started twice)
[root@vpnserver openvpn]# tail -1 /etc/rc.local
tail: inotify cannot be used, reverting to polling
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
[root@vpnserver openvpn]# openvpn --config /etc/openvpn/server.conf &
[1] 18159
[root@vpnserver openvpn]# netstat -tnulp | grep :52115
tcp 0 0 10.96.20.113:52115 0.0.0.0:* LISTEN 18159/openvpn
[root@vpnserver openvpn]# lsof -i :52115
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 18159 root 5u IPv4 111541 0t0 TCP 10.96.20.113:52115 (LISTEN)
[root@vpnserver openvpn]# tail -100 /var/log/openvpn.log
……
Fri Jul 15 01:04:02 2016 MULTI: TCP INIT maxclients=1024 maxevents=1028
Fri Jul 15 01:04:02 2016 Initialization Sequence Completed
[root@vpnserver openvpn]# ifconfig tun0 #(a new virtual interface tun0 appears locally with address 10.8.0.1)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@vpnserver openvpn]# cp /home/webgame/tools/openvpn/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn #(OpenVPN ships an init script; it needs the small edits below before it can be used)
[root@vpnserver openvpn]# vim /etc/init.d/openvpn #(on line 148 change *.conf to server.conf, or make sure server.conf is the only .conf file under /etc/openvpn; change line 154 to /usr/local/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn)
[root@vpnserver openvpn]# ll /etc/init.d/openvpn
-rwxr-xr-x. 1 root root 5481 Jul 15 01:11 /etc/init.d/openvpn
[root@vpnserver openvpn]# chkconfig --add openvpn
[root@vpnserver openvpn]# chkconfig --list openvpn
openvpn 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@vpnserver openvpn]# pkill openvpn
[root@vpnserver openvpn]# netstat -tnulp | grep :52115
[1]+ Done openvpn --config /etc/openvpn/server.conf
[root@vpnserver openvpn]# lsof -i :52115
[root@vpnserver openvpn]# service openvpn start
Starting openvpn: [ OK ]
[root@vpnserver openvpn]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]
Deploying the client on Windows:
Note: in testing, a Windows VM under VMware could connect to the VPN server but could not reach the LAN hosts; Windows on the physical machine worked normally and reached both the VPN server and the LAN hosts
Install openvpn-2.2.2-install.exe on the physical Windows machine;
Create a test/ directory under config/ in the client's installation directory;
Copy /etc/openvpn/keys/{ca.crt,test.crt,test.key} from the VPN server to the OpenVPN GUI installation directory on Windows, D:\Program Files (x86)\OpenVPN\config\test\ (move the .key file over an authenticated channel such as scp or sz over SSH, never by e-mail or chat);
[root@vpnserver openvpn]# egrep -v ";|#|^$" client.conf #(edit client.conf on the VPN server, copy it to config/test/ on Windows and rename it test.ovpn)
client
dev tun
proto tcp
remote 10.96.20.113 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
comp-lzo
verb 3
Open the OpenVPN GUI on Windows, right-click the tray icon and choose Connect; a green icon means success, yellow or red means a problem; right-click View Log to inspect it (the log on the VPN server can be checked as well). The VPN server assigned this client 10.8.0.6.
Test connectivity from Windows to the VPN server: ping 10.8.0.1.
In a Windows command prompt, with the VPN up, run >route print > ed.txt; then disconnect OpenVPN and run >route print > pre.txt, and compare the two files with Beyond Compare: the 172.16.1.0/24 route is the one pushed by the VPN server.
LAN server 1 side (172.16.1.12):
Three options:
1. Set the VPN server's LAN address as the default route (uncommon)
#route add default gw 172.16.1.11
2. Add a network route; this is the usual production approach, and every LAN host needs this route
#route add -net 10.8.0.0/24 gw 172.16.1.11
3. NAT on the VPN server
The OpenVPN port must be open and the FORWARD chain must accept the traffic
[root@vpnserver ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.1.11
[root@vpnserver ~]# iptables -t nat -L -n
……
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 0.0.0.0/0 to:172.16.1.11
……
[root@vpnserver ~]# vim /home/webgame/tools/openvpn/openvpn-2.2.2/sample-config-files/firewall.sh #(the source tree ships a sample firewall script)
Note: without one of the three options the client can connect to the VPN server, but LAN server 1's replies cannot find their way back, and pinging 172.16.1.12 from the client fails. With NAT the LAN hosts only ever see 172.16.1.11 as the source, so per-user auditing on the LAN side is lost; the routing options keep the client's 10.8.0.x address visible.
Capturing on LAN server 1 shows only ICMP echo requests and no ICMP echo replies
After applying any one of the three options, capture on LAN server 1 again while pinging from the client
Note: three ways to make the static route persistent (use >> for all three so that routes already present in the file are not overwritten):
1. #echo "any net 10.8.0.0/24 gw 172.16.1.11" >> /etc/sysconfig/static-routes
2. #echo "10.8.0.0/24 via 172.16.1.11" >> /etc/sysconfig/network-scripts/route-eth0
3. #echo "route add -net 10.8.0.0/24 gw 172.16.1.11" >> /etc/rc.local #(runs automatically at boot)
Adding user jowin with build-key-pass:
[root@vpnserver ~]# cd /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/
[root@vpnserver 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@vpnserver 2.0]# ./build-key-pass jowin
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Common Name (eg, your name or your server's hostname) [jowin]:
A challenge password []:123456
An optional company name []:qikai
[root@vpnserver 2.0]# ll keys/jowin*
-rw-r--r--. 1 root root 3877 Jul 20 00:27 keys/jowin.crt
-rw-r--r--. 1 root root 769 Jul 20 00:26 keys/jowin.csr
-rw-------. 1 root root 1041 Jul 20 00:26 keys/jowin.key
[root@vpnserver 2.0]# cp keys/{jowin.crt,jowin.key} /etc/openvpn/keys/ #(the server itself only needs ca.crt to validate clients; client keys kept under /etc/openvpn only widen their exposure)
[root@vpnserver 2.0]# sz keys/{jowin.crt,jowin.key,ca.crt} #(download to the client's config/ directory)
[root@vpnserver 2.0]# vim /etc/openvpn/client.conf #(change cert and key)
……
remote 10.96.20.113 52115
……
ca ca.crt
cert jowin.crt
key jowin.key
……
[root@vpnserver 2.0]# sz /etc/openvpn/client.conf #(download to the client's config/ directory)
Connect as jowin; a user created with build-key-pass must type the passphrase
[root@vpnserver 2.0]# cat /etc/openvpn/openvpn-status.log #(on the VPN server this file shows who is currently logged in; use it to confirm that a departed employee's certificate has been revoked, and to raise an alert if a revoked identity still shows up as connected)
OpenVPN CLIENT LIST
Updated,Wed Jul 20 00:49:43 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
jowin,10.96.20.252:2715,8562,6368,Wed Jul 20 00:47:43 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.10,jowin,10.96.20.252:2715,Wed Jul 20 00:47:44 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
Revoking a single certificate (user test as the example):
[root@vpnserver 2.0]# pwd
/home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0
[root@vpnserver 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@vpnserver 2.0]# vim openssl-1.0.0.cnf #(with OpenVPN 2.0.0 the last 6 lines of this file must be commented out; with 2.2.2 skip this step)
[root@vpnserver 2.0]# ./revoke-full test
Using configuration from /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Revoking Certificate 02.
Data Base Updated
Using configuration from /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
test.crt: C = CN, ST = SH, L = ShangHai, O = qikai, OU = qikai, CN = test, name = qikai, emailAddress = [email protected]
error 23 at 0 depth lookup:certificate revoked #(this "error" is the expected result: the script verifies test.crt against the new CRL and openssl now rejects it)
[root@vpnserver 2.0]# ll keys/crl.pem #(created by the revocation)
-rw-r--r--. 1 root root 548 Jul 20 00:56 keys/crl.pem
[root@vpnserver 2.0]# date
Wed Jul 20 00:57:32 PDT 2016
[root@vpnserver 2.0]# cat keys/index.txt #(a revoked certificate is marked R in this file, with the revocation time as the third field)
V 260713061527Z 01 unknown /C=CN/ST=SH/L=ShangHai/O=qikai/OU=qikai/CN=server/name=qikai/[email protected]
R 260713062210Z 160720075655Z 02 unknown /C=CN/ST=SH/L=ShangHai/O=qikai/OU=qikai/CN=test/name=qikai/[email protected]
V 260713062805Z 03 unknown /C=CN/ST=SH/L=ShangHai/O=qikai/OU=qikai/CN=ett/name=qikai/[email protected]
V 260718072655Z 04 unknown /C=CN/ST=SH/L=ShangHai/O=qikai/OU=qikai/CN=jowin/name=qikai/[email protected]
[root@vpnserver 2.0]# cp keys/crl.pem /etc/openvpn/keys/
[root@vpnserver 2.0]# vim /etc/openvpn/server.conf #(append crl-verify at the end of the file; commenting the line out again would switch revocation checking off for every certificate on the list, so to reinstate a single user issue that user a new certificate instead)
crl-verify /etc/openvpn/keys/crl.pem
[root@vpnserver 2.0]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]
Note: revoking several users follows the same steps; each ./revoke-full USERNAME regenerates crl.pem, which then replaces the earlier copy under /etc/openvpn/keys/
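The status file and index.txt together make the alert mentioned earlier possible: index.txt records which certificates are revoked, and the ROUTING TABLE section of openvpn-status.log records which common names are connected. The following shell script is an added example, not part of the original post: it reads both files and reports any connected client whose certificate is marked revoked. The sample index.txt and status log are constructed from the listings on this page, with one extra session for the revoked user test added so that the alert fires; the e-mail attribute of the DNs is left out.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check easy-rsa index.txt
# against openvpn-status.log and alert on revoked-but-connected clients.
# The two input files are constructed below from the listings in the article.

# Common names of revoked certificates (lines whose first tab-separated field is R).
revoked_cns() {
  awk 'BEGIN { FS = "\t" } $1 == "R" {
    n = split($NF, part, "/")
    for (i = 1; i <= n; i++) if (part[i] ~ /^CN=/) print substr(part[i], 4)
  }' "$1"
}

# "common_name virtual_address real_address" for every ROUTING TABLE entry.
connected_clients() {
  awk -F',' '
    /^ROUTING TABLE/ { in_rt = 1; next }
    /^GLOBAL STATS/  { in_rt = 0 }
    in_rt && NF == 4 && $1 != "Virtual Address" { print $2, $1, $3 }
  ' "$1"
}

# One ALERT line per connected client whose certificate is revoked.
# Arguments: path to index.txt, path to openvpn-status.log.
revoked_but_connected() {
  index="$1"
  connected_clients "$2" | while read -r cn vaddr raddr; do
    if revoked_cns "$index" | grep -qx "$cn"; then
      echo "ALERT: revoked certificate still connected: cn=$cn vpn_ip=$vaddr from=$raddr"
    fi
  done
}

# Constructed sample input, written into directory $1 (index.txt is tab-separated).
write_samples() {
  dn='/C=CN/ST=SH/L=ShangHai/O=qikai/OU=qikai'
  printf 'V\t260713061527Z\t\t01\tunknown\t%s/CN=server/name=qikai\n' "$dn" >  "$1/index.txt"
  printf 'R\t260713062210Z\t160720075655Z\t02\tunknown\t%s/CN=test/name=qikai\n' "$dn" >> "$1/index.txt"
  printf 'V\t260713062805Z\t\t03\tunknown\t%s/CN=ett/name=qikai\n' "$dn" >> "$1/index.txt"
  printf 'V\t260718072655Z\t\t04\tunknown\t%s/CN=jowin/name=qikai\n' "$dn" >> "$1/index.txt"
  cat > "$1/openvpn-status.log" <<'EOF'
OpenVPN CLIENT LIST
Updated,Wed Jul 20 00:49:43 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
jowin,10.96.20.252:2715,8562,6368,Wed Jul 20 00:47:43 2016
test,10.96.20.117:40123,1200,900,Wed Jul 20 00:48:10 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.10,jowin,10.96.20.252:2715,Wed Jul 20 00:47:44 2016
10.8.0.6,test,10.96.20.117:40123,Wed Jul 20 00:48:11 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Stand-alone demonstration; in production point the two paths at the live
# files (the easy-rsa keys/index.txt and /etc/openvpn/openvpn-status.log) and run from cron.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
revoked_but_connected "$demo_dir/index.txt" "$demo_dir/openvpn-status.log"
```

A revoked certificate stays connected until its existing session ends, because crl-verify is evaluated at the TLS handshake; an alert from this check is therefore the signal to kill that session (restart the service, or use the management interface) rather than a sign that the CRL is broken.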
Using OpenVPN as a client on Linux (10.96.20.117, in the same role as the Windows client):
Use cases: interconnecting several IDCs or enterprises; pushing resources from the company's internal SVN server to the IDC; cross-IDC data backup
# hostname vpnclient
# logout
Environment preparation: install lzo and openvpn-2.2.2 as on the VPN server
[root@vpnclient ~]# mkdir /etc/openvpn
[root@vpnclient ~]# cd /etc/openvpn
[root@vpnclient openvpn]# ll
total 0
[root@vpnclient openvpn]# scp 10.96.20.113:/etc/openvpn/keys/{ca.crt,jowin.crt,jowin.key} ./
[root@vpnclient openvpn]# scp 10.96.20.113:/etc/openvpn/client.conf ./ #(client.conf keeps its name)
[root@vpnclient openvpn]# vim client.conf #(change the key file paths)
ca /etc/openvpn/ca.crt
cert /etc/openvpn/jowin.crt
key /etc/openvpn/jowin.key
[root@vpnclient openvpn]# cp /home/webgame/tools/openvpn/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
[root@vpnclient openvpn]# service openvpn start #(jowin was created with build-key-pass, so the passphrase is required at every start)
Starting openvpn: Enter Private Key Password:
[ OK ]
[root@vpnclient openvpn]# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.532 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.547 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.373 ms
……
[root@vpnclient openvpn]# ping 172.16.1.12 #(LAN server 1 answers; capture on LAN server 1 at the same time)
PING 172.16.1.12 (172.16.1.12) 56(84) bytes of data.
64 bytes from 172.16.1.12: icmp_seq=1 ttl=63 time=0.565 ms
64 bytes from 172.16.1.12: icmp_seq=2 ttl=63 time=0.522 ms
64 bytes from 172.16.1.12: icmp_seq=3 ttl=63 time=0.821 ms
[root@vpnclient openvpn]# ssh 172.16.1.12 #(logs in to LAN server 1 successfully)
root@172.16.1.12's password:
Last login: Wed Jul 20 02:18:36 2016 from 172.16.1.11
#tcpdump -nnn -s 10000 | grep ICMP #(on LAN server 1)
Note: the VPN server is using NAT (option 3), which is why LAN server 1 sees the login and the echo requests coming from 172.16.1.11 rather than from the client's 10.8.0.x address
#tcpdump -nnn -i eth0 -s 10000 'port 52115 and src host 10.96.20.117' #(on the VPN server's public interface: the tunnel traffic arriving from the Linux client)
Reprinted from: https://blog.51cto.com/jowin/1828262