最近公司要求在内网部署一套open***使用,上网查了一下才发现open***版本已经升级到2.3.12了,其中最主要的改动是源码包里不再包含easy-rsa,如今部署open***要去github上面下载easy-rsa程序,并且easy-rsa也已经升级到了第三个版本(以往easy-rsa2居多),所以决定重新整理一下新版本的open***部署,以及easy-rsa3的使用。
部署open***:
一:yum源安装相关的包:
# yum -y install openssl.x86_64 pam-devel.x86_64
二:安装lzo包,lzo包需源码包编译安装,不然编译open***时会报"lzo missing"的错误:
# tar -zxvf lzo-2.03.tar.gz # cd lzo-2.03 # ./configure --prefix=/usr/local # make && make install
三:编译安装open***:
# tar -zxvf open***-2.3.12.tar.gz # cd open***-2.3.12 # ./configure --prefix=/opt/apps/open*** # make && make install
四:获取easy-rsa3应用:
创建etc目录,从https://github.com/Open×××/easy-rsa下载easy-rsa3程序包:
# mkdir /opt/apps/open***/etc && cd /opt/apps/open***/etc # unzip easy-rsa-master.zip # cd easy-rsa-master && mv ../easyrsa3 && cd ..
以上,就获取到了easyrsa3程序,easyrsa目录结构如下:
# tree easyrsa3/ easyrsa3/ ├── easyrsa ├── openssl-1.0.cnf ├── vars.example └── x509-types ├── ca ├── client ├── COMMON └── server
可以看到easy-rsa3中,少了2版本中的许多执行文件,只剩下easyrsa一个执行文件,使用这个文件,就可以创建各种所需的密钥文件。
五:创建服务端与客户端密钥:
服务端:(这里采用无密码方式创建相关文件,避免后期输入pam密码的各种麻烦)
# cp -rp easyrsa3 key_server # cd key_server ----var文件----------- # mv vars.example vars ----初始化pki目录------ # ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /opt/apps/open***/etc/key_server/pki ----以无密码方式,创建服务器ca文件----- # ./easyrsa build-ca nopass Note: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key ................................................................+++ ......................+++ writing new private key to '/opt/apps/open***/etc/key_server/pki/private/ca.key.xyvUlxOV9t' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]: CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /opt/apps/open***/etc/key_server/pki/ca.crt ----创建服务端key文件-------- # ./easyrsa gen-req cmhserver nopass Note: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key ...................................+++ ...................................................+++ writing new private key to '/opt/apps/open***/etc/key_server/pki/private/cmhserver.key.0S1X7d4NCP' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [cmhserver]: Keypair and certificate request completed. Your files are: req: /opt/apps/open***/etc/key_server/pki/reqs/cmhserver.req key: /opt/apps/open***/etc/key_server/pki/private/cmhserver.key ----注册服务端CN名,生产服务端crt文件------ # ./easyrsa sign server cmhserver Note: using Easy-RSA configuration from: ./vars You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject= commonName = cmhserver Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /opt/apps/open***/etc/key_server/openssl-1.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :PRINTABLE:'cmhserver' Certificate is to be certified until Oct 29 03:51:14 2026 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /opt/apps/open***/etc/key_server/pki/issued/cmhserver.crt ------dh.pem文件生产------- # ./easyrsa gen-dh Note: using Easy-RSA configuration from: ./vars Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time .................................................................................................................................................................+.................................................................................................................+................+..........................................................................................................................................+..........................................................................+.........+..............+..+..............................................................................................................................................................+...............................................................+.............................................+..................................................................................................................+..................................................+.................................................................................+..........+................................................................................................................+............................................................+..+...........+..................................................................+..............+..........................................................................+.+........+........................................................................................................................................................+..................++*++* DH parameters of size 2048 created at /opt/apps/open***/etc/key_server/pki/dh.pem
客户端:
# cd /opt/apps/open***/etc # cp -rp easyrsa3 key_client # cd key_client ----var文件----------- # mv vars.example vars ----初始化pki目录------ # ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /opt/apps/open***/etc/key_server/pki ----以无密码方式,创建客户端key文件----- # ./easyrsa gen-req cmhclient nopass Note: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key ...............+++ ..........................+++ writing new private key to '/opt/apps/open***/etc/key_client/pki/private/cmhclient.key.RM36zZRxnc' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [cmhclient]: Keypair and certificate request completed. Your files are: req: /opt/apps/open***/etc/key_client/pki/reqs/cmhclient.req key: /opt/apps/open***/etc/key_client/pki/private/cmhclient.key -----进入服务端key目录,关联客户端req,使之向服务端注册---- # cd ../key_server/ # ./easyrsa import-req /opt/apps/open***/etc/key_client/pki/reqs/cmhclient.req cmhclient Note: using Easy-RSA configuration from: ./vars The request has been successfully imported with a short name of: cmhclient You may now use this name to perform signing operations on this request. -----注册客户端CN名,生产客户端key文件------- # ./easyrsa sign client cmhclient Note: using Easy-RSA configuration from: ./vars You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 3650 days: subject= commonName = cmhclient Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /opt/apps/open***/etc/key_server/openssl-1.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :PRINTABLE:'cmhclient' Certificate is to be certified until Oct 29 03:54:56 2026 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /opt/apps/open***/etc/key_server/pki/issued/cmhclient.crt
六:服务端配置,指定相关ca、crt、key文件,打开服务器路由转发以及防火墙转发:
# cp /opt/src/open***-2.3.12/sample/sample-config-files/server.conf /opt/apps/open***/etc/ # grep -v "^#" server.conf | grep -v "^;" | grep -v "^$" local 192.168.52.135 port 1194 proto tcp dev tun ca /opt/apps/open***/etc/key_server/pki/ca.crt cert /opt/apps/open***/etc/key_server/pki/issued/cmhserver.crt key /opt/apps/open***/etc/key_server/pki/private/cmhserver.key dh /opt/apps/open***/etc/key_server/pki/dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-to-client keepalive 10 120 comp-lzo persist-key persist-tun status open***-status.log verb 3
打开服务器的ip路由转发功能,并生效;
# grep ipv4 /etc/sysctl.conf net.ipv4.ip_forward= 1 # sysctl -p net.ipv4.ip_forward= 1 # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -jMASQUERADE
七:开启服务以及客户端配置:
# /opt/apps/open***/sbin/open*** --daemon --config /opt/apps/open***/etc/server.conf
客户端下载如下文件,并应用,即可使用密钥使用×××:(各系统的客户端配置不一,故这里不赘述客户端配置)
/opt/apps/open***/etc/key_server/pki/ca.crt
/opt/apps/open***/etc/key_client/pki/private/cmhclient.key
/opt/apps/open***/etc/key_server/pki/issued/cmhclient.crt