Setting up an OpenVPN server
# Starting point: SELinux is disabled and iptables is not running
[root@<host> ~]# getenforce
Disabled
[root@<host> ~]# /etc/init.d/iptables status
iptables: Firewall is not running.
# Install openssl and lzo; lzo compresses the tunnel traffic to speed up transfers
[root@<host> ~]# yum -y install openssl openssl-devel lzo
# Install openvpn and easy-rsa
[root@<host> ~]# yum -y install openvpn easy-rsa
[root@<host> ~]# cd /usr/share/easy-rsa/2.0/
[root@<host> 2.0]# ls
build-ca     build-key-pass    build-req-pass  openssl-0.9.6.cnf  revoke-full
build-dh     build-key-pkcs12  clean-all       openssl-0.9.8.cnf  sign-req
build-inter  build-key-server  inherit-inter   openssl-1.0.0.cnf  vars
build-key    build-req         list-crl        pkitool            whichopensslcnf
# Set the default certificate fields in vars
[root@<host> 2.0]# sed -i '/KEY_COUNTRY/s/US/CN/' vars
[root@<host> 2.0]# sed -i '/KEY_PROVINCE/s/CA/GuangDong/' vars
[root@<host> 2.0]# sed -i '/KEY_CITY/s/SanFrancisco/ShenZhen/' vars
[root@<host> 2.0]# sed -i '/KEY_ORG/s/Fort\-Funston/ComPany/' vars
[root@<host> 2.0]# sed -i '/KEY_EMAIL/s/me\@myhost\.mydomain/yfshare\@foxmail\.com/' vars
[root@<host> 2.0]# sed -i '/KEY_OU/s/MyOrganizationalUnit/Market/' vars
# Initialise the environment variables
[root@<host> 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
# Remove every certificate-related file from the keys directory
# The certificates and keys generated in the following steps all land in /usr/share/easy-rsa/2.0/keys
[root@<host> 2.0]# ./clean-all
# Generate the root certificate ca.crt and the root key ca.key
[root@<host> 2.0]# ./build-ca
Generating a 2048 bit RSA private key
.........................+++
.................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [ShenZhen]:
Organization Name (eg, company) [ComPany]:
Organizational Unit Name (eg, section) [Market]:
Common Name (eg, your name or your server's hostname) [ComPany CA]:OpenVPN
Name [EasyRSA]:
Email Address [yfshare@foxmail.com]:
# Generate the certificate and key for the server
[root@<host> 2.0]# ./build-key-server Server
Generating a 2048 bit RSA private key
...........................................................+++
......................................+++
writing new private key to 'Server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [ShenZhen]:
Organization Name (eg, company) [ComPany]:
Organizational Unit Name (eg, section) [Market]:
Common Name (eg, your name or your server's hostname) [Server]:
Name [EasyRSA]:
Email Address [yfshare@foxmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:openvpn_password
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GuangDong'
localityName          :PRINTABLE:'ShenZhen'
organizationName      :PRINTABLE:'ComPany'
organizationalUnitName:PRINTABLE:'Market'
commonName            :PRINTABLE:'Server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'yfshare@foxmail.com'
Certificate is to be certified until Mar  8 14:27:14 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Every VPN client that logs in needs its own certificate, and one certificate can serve only one connected client at a time; two are created below
# Generate the certificate and key for a client
[root@<host> 2.0]# ./build-key client1
Generating a 2048 bit RSA private key
......+++
................+++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [ShenZhen]:
Organization Name (eg, company) [ComPany]:
Organizational Unit Name (eg, section) [Market]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [EasyRSA]:
Email Address [yfshare@foxmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:openvpn_password
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GuangDong'
localityName          :PRINTABLE:'ShenZhen'
organizationName      :PRINTABLE:'ComPany'
organizationalUnitName:PRINTABLE:'Market'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'yfshare@foxmail.com'
Certificate is to be certified until Mar  9 19:37:20 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Create the Diffie-Hellman parameters; this produces dh2048.pem (it is slow, do not interrupt it)
[root@<host> 2.0]# ./build-dh
# Generate ta.key, the tls-auth key (defends against DDoS attacks, UDP floods and similar malicious traffic)
[root@<host> 2.0]# openvpn --genkey --secret keys/ta.key
# Check that the tun kernel module is available
[root@<host> ~]# modinfo tun
Note: checkpsw.sh is the script that checks a user's login; psw-file is the file that stores the user passwords.

Create the server-side configuration file
[root@<host> 2.0]# mkdir /etc/openvpn/keys -p
[root@<host> 2.0]# mkdir /etc/openvpn/logs -p
[root@<host> 2.0]# mkdir /etc/openvpn/etc -p
# Copy the OpenVPN certificates and keys we need into the keys directory just created
[root@<host> 2.0]# cp /usr/share/easy-rsa/2.0/keys/{ca.crt,Server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
# Copy the server configuration template server.conf to /etc/openvpn/
[root@<host> 2.0]# cp /usr/share/doc/openvpn-2.3.10/sample/sample-config-files/server.conf /etc/openvpn/
# Show the active settings in server.conf
[root@<host> 2.0]# grep -v ^# /etc/openvpn/server.conf |grep -v ^\; |grep -v ^$
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# Edit server.conf
# Switch to the TCP protocol
[root@<host> 2.0]# sed -i '/^\;proto/s/\;//' /etc/openvpn/server.conf
[root@<host> 2.0]# sed -i '/proto udp/s/proto udp/\;&/' /etc/openvpn/server.conf
# Prefix the file names with keys/, so the full path becomes /etc/openvpn/keys/ca.crt and so on
[root@<host> 2.0]# sed -i '/ca.crt/s/ca.crt/keys\/ca.crt/' /etc/openvpn/server.conf
[root@<host> 2.0]# sed -i '/server.crt/s/server.crt/keys\/Server.crt/' /etc/openvpn/server.conf
[root@<host> 2.0]# sed -i '/server.key/s/server.key/keys\/Server.key/' /etc/openvpn/server.conf
[root@<host> 2.0]# sed -i '/^dh /s/dh2048.pem/keys\/dh2048.pem/' /etc/openvpn/server.conf
[root@<host> 2.0]# sed -i '/tls-auth/s/ta.key/keys\/ta.key/' /etc/openvpn/server.conf
[root@<host> 2.0]# sed -i '/^status/s/openvpn-status/logs\/openvpn-status/' /etc/openvpn/server.conf
[root@<host> 2.0]# sed -i '/log-append/s/openvpn.log/logs\/openvpn.log/' /etc/openvpn/server.conf
# Default virtual network segment; just make sure it does not collide with the real LAN
[root@<host> 2.0]# sed -i '/^server/s/10.8.0.0/192.168.15.0/' /etc/openvpn/server.conf
# Persistent IP assignment on the OpenVPN side
[root@<host> 2.0]# grep ifconfig-pool-persist /etc/openvpn/server.conf
ifconfig-pool-persist ipp.txt
# Push routes from the VPN server to the clients
[root@<host> 2.0]# sed -i '/192.168.20.0/s/\;//' /etc/openvpn/server.conf
[root@<host> 2.0]# sed -i '/192.168.20.0/s/20/15/' /etc/openvpn/server.conf
# Push the default gateway and DNS from the VPN server to the clients
[root@<host> 2.0]# sed -i '/redirect-gateway/s/\;//' /etc/openvpn/server.conf
[root@<host> 2.0]# sed -i '/dhcp-option DNS/s/\;//' /etc/openvpn/server.conf
# Let clients reach each other, forwarded through the VPN server
[root@<host> 2.0]# sed -i '/client-to-client/s/\;//' /etc/openvpn/server.conf
# If all clients connect to the VPN with the same certificate and key, this option must be enabled; otherwise each certificate allows only one VPN connection
[root@<host> 2.0]# sed -i '/duplicate-cn/s/\;//' /etc/openvpn/server.conf
# Enable tls-auth in the server configuration
[root@<host> 2.0]# sed -i '/tls-auth/s/\;//' /etc/openvpn/server.conf
# Connection check: ping every 10 seconds, and if nothing comes back for 120 seconds, drop and reconnect
[root@<host> 2.0]# sed -i '/keepalive/s/115/120/' /etc/openvpn/server.conf
# User and group that OpenVPN runs as
[root@<host> 2.0]# sed -i '/nobody/s/\;//g' /etc/openvpn/server.conf
# Maximum number of clients
[root@<host> 2.0]# sed -i '/max-clients/s/\;//' /etc/openvpn/server.conf
# OpenVPN works in server mode, so many clients can connect dynamically at the same time
[root@<host> 2.0]# echo 'mode server' >> /etc/openvpn/server.conf
# Use TLS for the transport; this end is the server, the client side uses tls-client
[root@<host> 2.0]# echo 'tls-server' >> /etc/openvpn/server.conf
# The server configuration enables:  tls-auth ta.key 0
# The client configuration enables:  tls-auth ta.key 1
# OpenVPN's run log, by default /etc/openvpn/openvpn.log
[root@<host> 2.0]# sed -i '/^\;log-append/s/\;//' /etc/openvpn/server.conf
# verb 5 shows more debugging information
[root@<host> 2.0]# sed -i '/^verb/s/3/5/' /etc/openvpn/server.conf
# Enable IP forwarding (run sysctl -p afterwards so the change takes effect without a reboot)
[root@<host> 2.0]# sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
# Configure the firewall, and remember to save it. MASQUERADE is address masquerading, a special case of SNAT that picks the source address automatically.
# The source network of the MASQUERADE rule must be the VPN subnet set with "server" above.
iptables -I INPUT -p tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.15.0/24 -j MASQUERADE
service iptables save
[root@<host> openvpn]# /etc/init.d/openvpn start
Starting openvpn:                                          [  OK  ]
[root@<host> openvpn]# chkconfig openvpn on
# Revoke an OpenVPN client (the example below revokes the certificate of VPN client client1)
[root@<host> ~]# cd /usr/share/easy-rsa/2.0/
[root@<host> 2.0]# source vars
# Revoke client1's certificate
[root@<host> 2.0]# ./revoke-full client1
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Revoking Certificate 02.
Data Base Updated
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
client1.crt: C = CN, ST = GuangDong, L = ShenZhen, O = ComPany, OU = Market, CN = client1, name = EasyRSA, emailAddress = yfshare@foxmail.com
error 23 at 0 depth lookup:certificate revoked
# "error 23 ... certificate revoked" is the expected result: revoke-full verifies the certificate against the freshly written CRL to confirm it is now rejected
[root@<host> 2.0]# cp keys/crl.pem /etc/openvpn/keys/
[root@<host> 2.0]# echo 'crl-verify /etc/openvpn/keys/crl.pem' >>/etc/openvpn/server.conf
After the commands above complete, a crl.pem file is generated in the openvpn/easy-rsa/2.0/keys directory; it contains the list of revoked certificates. You can also look at openvpn/easy-rsa/2.0/keys/index.txt, where the revoked certificate's entry is marked with an R.
Copy crl.pem to /etc/openvpn, add the crl-verify line above to server.conf, and restart the OpenVPN service.
It takes effect once OpenVPN has restarted; the client can no longer connect.
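The index.txt check described above can be scripted, which is handy for confirming a revocation before restarting the server. The script below is an added example, not part of the original post or of easy-rsa: it reads the CA database, reports the status letter (V, R or E) of the newest entry for a given common name, and lists the serials that crl.pem must contain. The sample database it writes is constructed here from this page's DN values; the serials and the revocation timestamp are made up.

```sh
#!/bin/sh
# Added example (not the blog's code): read the easy-rsa CA database
# /usr/share/easy-rsa/2.0/keys/index.txt and answer "is this client revoked?".
# index.txt is OpenSSL's CA database; each line is tab-separated:
#   status  expiry         revocation-date  serial  file     subject
#   V       260308142714Z  (empty)          01      unknown  /C=CN/.../CN=Server/...
#   R       260309193720Z  160311120000Z    02      unknown  /C=CN/.../CN=client1/...
# Status letters: V = valid, R = revoked, E = expired.

TAB="$(printf '\t')"

# cert_status INDEX_FILE CN -> prints the status letter of the newest entry whose
# subject carries /CN=<CN>, or NONE if that CN was never issued a certificate.
cert_status() {
    index="$1"; cn="$2"; found=NONE
    while IFS= read -r line || [ -n "$line" ]; do
        status="${line%%$TAB*}"          # first column
        subject="${line##*$TAB}"         # last column
        case "$subject" in
            *"/CN=$cn/"*|*"/CN=$cn") found="$status" ;;
        esac
    done < "$index"
    echo "$found"
}

# revoked_serials INDEX_FILE -> prints the serial numbers that crl.pem must list.
# Compare with: openssl crl -in keys/crl.pem -noout -text | grep 'Serial Number'
revoked_serials() {
    awk -F "$TAB" '$1 == "R" { print $4 }' "$1"
}

# sample_index -> writes a constructed index.txt (DN values modelled on this page;
# serials and the revocation date are made up) and prints its path.
sample_index() {
    f="$(mktemp)"
    dn='/C=CN/ST=GuangDong/L=ShenZhen/O=ComPany/OU=Market'
    printf 'V\t260308142714Z\t\t01\tunknown\t%s/CN=Server/name=EasyRSA\n' "$dn" >> "$f"
    printf 'R\t260309193720Z\t160311120000Z\t02\tunknown\t%s/CN=client1/name=EasyRSA\n' "$dn" >> "$f"
    printf 'V\t260309194500Z\t\t03\tunknown\t%s/CN=client2/name=EasyRSA\n' "$dn" >> "$f"
    echo "$f"
}

# Stand-alone run: report on the sample database.
idx="$(sample_index)"
for cn in Server client1 client2; do
    echo "$cn: $(cert_status "$idx" "$cn")"
done
echo "serials that belong in crl.pem: $(revoked_serials "$idx" | tr '\n' ' ')"
rm -f "$idx"
```

Point cert_status at the real database (`cert_status /usr/share/easy-rsa/2.0/keys/index.txt client1`) after revoke-full; an R confirms the database side, and the serial from revoked_serials should then appear in the crl.pem that is copied to /etc/openvpn/keys.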
# Create the client configuration file
[root@<host> 2.0]# cp /usr/share/doc/openvpn-2.3.10/sample/sample-config-files/client.conf /etc/openvpn/client.ovpn
# Switch to the TCP protocol
[root@<host> 2.0]# sed -i '/^\;proto/s/\;//' /etc/openvpn/client.ovpn
[root@<host> 2.0]# sed -i '/proto udp/s/proto udp/\;&/' /etc/openvpn/client.ovpn
# Set the OpenVPN server's public IP and port: replace my-server-1 with the IP address
[root@<host> 2.0]# grep ^remote /etc/openvpn/client.ovpn
remote my-server-1 1194
[root@<host> 2.0]# cp keys/client1.crt /etc/openvpn/keys/
[root@<host> 2.0]# cp keys/client1.key /etc/openvpn/keys/
[root@<host> 2.0]# sed -i '/ca.crt/s/ca.crt/keys\/ca.crt/' /etc/openvpn/client.ovpn
# Point at client1's certificate and key
[root@<host> 2.0]# sed -i '/^key/s/client/keys\/client1/' /etc/openvpn/client.ovpn
[root@<host> 2.0]# sed -i '/^cert/s/client/keys\/client1/' /etc/openvpn/client.ovpn
# If the server uses ta.key to defend against DoS and similar attacks, every client must enable it too; if not, comment this line out
[root@<host> 2.0]# sed -i '/tls-auth/s/ta.key/keys\/ta.key/' /etc/openvpn/client.ovpn
# Require the server's certificate to be verified as a server certificate
[root@<host> 2.0]# echo 'ns-cert-type server' >> /etc/openvpn/client.ovpn
# Enable tls-auth (same condition as above: only if the server uses ta.key)
[root@<host> 2.0]# sed -i '/tls-auth/s/\;//' /etc/openvpn/client.ovpn
# Log verbosity, 0-9; the higher the level, the more detailed the log
[root@<host> 2.0]# grep -i verb /etc/openvpn/client.ovpn
Below is a login using the certificate:
Install the OpenVPN client and copy the following files out of the server
Note: if the Change Password feature is used, the password is written into the client1.key file in the keys directory, and it has to be entered at the next login.
Routes and DNS the client received from the VPN server
OpenVPN login with username and password (the authentication method is controlled by the server):
# User login verification script
[root@<host> 2.0]# echo 'auth-user-pass-verify /etc/openvpn/etc/checkpsw.sh via-env' >> /etc/openvpn/server.conf
# Authenticate with username and password only; without this line both a certificate and a username/password are required
[root@<host> 2.0]# echo 'client-cert-not-required' >> /etc/openvpn/server.conf
# Use the authenticated username as the client's common name
[root@<host> 2.0]# echo 'username-as-common-name' >> /etc/openvpn/server.conf
# If certificate and username/password are both required, the next two lines are not needed
[root@<host> 2.0]# sed -i '/^cert/s/cert/\;&/' /etc/openvpn/client.ovpn
[root@<host> 2.0]# sed -i '/^key/s/key/\;&/' /etc/openvpn/client.ovpn
# Prompt for username and password
[root@<host> 2.0]# echo 'auth-user-pass' >> /etc/openvpn/client.ovpn
[root@<host> 2.0]# chmod 755 /etc/openvpn/etc/checkpsw.sh
[root@<host> 2.0]# chmod 400 /etc/openvpn/etc/psw-file
[root@<host> 2.0]# chmod 744 /etc/openvpn/etc/checkpsw.sh
[root@<host> 2.0]# chown nobody:nobody /etc/openvpn/etc/psw-file
[root@<host> 2.0]# chown nobody:nobody /etc/openvpn/etc/checkpsw.sh
[root@<host> 2.0]# cat /etc/openvpn/etc/psw-file
yfshare	openvpn_123
jack	123456
Note: in psw-file, $1 is the username and $2 the password, separated by a <Tab>
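The page references checkpsw.sh without showing it. The script below is an added example of such a script, written for this page and not the one the blog used (nor an OpenVPN sample script): it implements the "via-env" contract (OpenVPN exports $username and $password, exit 0 allows, anything else denies) against the tab-separated psw-file format described above. The PSW_FILE and LOG_FILE paths and the log line format are assumptions; the sample psw-file it writes is constructed from the two entries shown above. It also denies an empty password outright, which is what the script receives when script-security is below 3, the error the page describes next.

```sh
#!/bin/sh
# Added example (not the blog's checkpsw.sh): auth-user-pass-verify script for
# OpenVPN's "via-env" mode. OpenVPN runs it with the client's credentials in the
# environment variables $username and $password (this needs "script-security 3")
# and treats exit 0 as "allow" and any other exit code as "deny".
# PSW_FILE uses the format from this page: one "username<TAB>password" per line.
PSW_FILE="${PSW_FILE:-/etc/openvpn/etc/psw-file}"           # assumed path
LOG_FILE="${LOG_FILE:-/etc/openvpn/logs/openvpn-password.log}"  # assumed path
TAB="$(printf '\t')"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %T')" "$*" >> "$LOG_FILE" 2>/dev/null || true
}

# verify_user FILE USER PASS -> 0 if USER/PASS matches a line of FILE, 1 otherwise.
verify_user() {
    file="$1"; user="$2"; pass="$3"
    # An empty password is what the script sees when script-security is below 3
    # (the error described on this page): deny it instead of matching an empty field.
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
        f_user="${line%%$TAB*}"
        f_pass="${line#*$TAB}"
        [ "$f_user" = "$user" ] || continue
        [ "$f_pass" = "$pass" ] && return 0
        return 1                                      # known user, wrong password
    done < "$file"
    return 1                                          # unknown user
}

# sample_psw_file -> writes a constructed psw-file with the two entries shown on
# this page and prints its path (for trying the script without touching /etc).
sample_psw_file() {
    f="$(mktemp)"
    printf 'yfshare\topenvpn_123\njack\t123456\n' > "$f"
    echo "$f"
}

# Entry point when OpenVPN calls the script: $username is set only in that case.
if [ -n "${username-}" ]; then
    if verify_user "$PSW_FILE" "$username" "${password-}"; then
        log "SUCCESS user=$username"
        exit 0
    fi
    log "FAILED user=$username"
    exit 1
fi
```

Because the script runs as the `user nobody` / `group nobody` configured above, the `chmod 400` and `chown nobody:nobody` on psw-file shown on the page are exactly what it needs: readable by the verifier, by nobody else. The passwords are still stored in cleartext, so that file's permissions are the whole of its protection.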
This error occurs because the OpenVPN server cannot read the entered password (the password field arrives empty); add the following line to server.conf to fix it
[root@<host> 2.0]# echo 'script-security 3' >> /etc/openvpn/server.conf
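The server.conf assembled so far trades authentication strength for convenience in several places: client-cert-not-required drops the certificate check, duplicate-cn lets one certificate be shared (so revoking it cuts off everyone using it), and via-env with script-security 3 passes the cleartext password through the script's environment (via-file needs only script-security 2). As an added example, not from the blog, here is a small shell lint that reads a server.conf, flags those directives and reports whether tls-auth and crl-verify are present. The two sample configurations it writes are constructed from this page's values, not real deployments.

```sh
#!/bin/sh
# Added example (not the blog's code): a lint for the /etc/openvpn/server.conf
# built on this page. Usage: audit_conf /etc/openvpn/server.conf
# Exit status of audit_conf = number of findings (0 = nothing flagged).

# active_directives FILE -> the effective directives: leading blanks stripped,
# comment lines ("#" or ";") and empty lines dropped.
active_directives() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' -e '/^$/d' "$1"
}

# audit_conf FILE -> prints "WARN <directive>: <reason>" per finding, returns the count.
audit_conf() {
    directives="$(active_directives "$1")"
    n=0
    has()  { printf '%s\n' "$directives" | grep -q "$1"; }
    warn() { echo "WARN $1: $2"; n=$((n + 1)); }

    has '^client-cert-not-required' &&
        warn client-cert-not-required "certificates are no longer checked, so a leaked password alone opens the tunnel"
    has '^duplicate-cn' &&
        warn duplicate-cn "one certificate shared by many clients cannot be revoked for just one of them"
    has '^auth-user-pass-verify.*via-env' &&
        warn auth-user-pass-verify "via-env exposes the cleartext password in the script's environment; via-file needs only script-security 2"
    has '^script-security 3' &&
        warn script-security "level 3 is needed only for via-env; 2 is enough for via-file"
    has '^tls-auth' ||
        warn tls-auth "missing: without the HMAC check every packet reaching port 1194 is handed to the TLS stack"
    has '^crl-verify' ||
        warn crl-verify "missing: certificates revoked with revoke-full are still accepted"
    return $n
}

# sample_conf weak|hardened -> writes a constructed server.conf (modelled on the
# one built on this page; not a real deployment) and prints its path.
sample_conf() {
    f="$(mktemp)"
    {
        printf '%s\n' 'port 1194' ';proto udp' 'proto tcp' 'dev tun' \
            'ca keys/ca.crt' 'cert keys/Server.crt' 'key keys/Server.key  # This file should be kept secret' \
            'dh keys/dh2048.pem' 'server 192.168.15.0 255.255.255.0' 'tls-auth keys/ta.key 0' \
            'user nobody' 'group nobody' ';client-to-client'
        if [ "$1" = weak ]; then
            printf '%s\n' 'duplicate-cn' 'auth-user-pass-verify /etc/openvpn/etc/checkpsw.sh via-env' \
                'client-cert-not-required' 'username-as-common-name' 'script-security 3'
        else
            printf '%s\n' 'crl-verify /etc/openvpn/keys/crl.pem'
        fi
    } > "$f"
    echo "$f"
}

# Stand-alone run: audit both samples.
for kind in weak hardened; do
    f="$(sample_conf "$kind")"
    echo "== $kind sample =="
    audit_conf "$f" && echo "no findings" || echo "$? finding(s)"
    rm -f "$f"
done
```

The "hardened" sample keeps certificate authentication (no client-cert-not-required, no duplicate-cn) together with tls-auth and crl-verify, which is the combination the rest of this page builds; the "weak" sample is the password-only variant from the username/password section.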
When client-cert-not-required is commented out, both a certificate and a username/password are required; if the certificate is missing, the client log reports the following error:
===========================================================================
Next, make OpenVPN reachable through a dynamic address
Note: with different configuration file names, several connections can be set up
Note: this has a drawback: from some networks, such as China Tietong, it cannot be reached
Reposted from: https://blog.51cto.com/yfshare/1758344