部署open***和控制访问权限
说明:
客户端采用密钥登陆***服务端
安装部署:
软件下载地址:https://swupdate.open***.org/community/releases/
1、安装依赖包:
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
2、安装open***
cd /usr/local/src/ tar -zxf open***-2.3.8.tar.gz cd open***-2.3.8 ./configure --prefix=/opt/open*** make && make install cp -a sample/sample-config-files/server.conf /opt/open***/ #最好放在/opt/open***/下 cp -a distro/rpm/open***.init.d.rhel /etc/init.d/open*** #创建启动脚本 ln -s /opt/open***/sbin/open*** /usr/sbin/open*** #启动脚本中会用到,也可以不执行此命令,直接在启动脚本中修改 vi /etc/init.d/open*** #在85行,修改为:work=/opt/open*** cd /opt/open***/ && mv server.conf server.conf.bak vi server.conf #修改配置文件; ';'为注释 port 1194 proto udp dev tun ca keys/ca.crt cert keys/server.crt key keys/server.key dh keys/dh2048.pem tls-auth keys/ta.key 0 server 10.8.0.0 255.255.255.0 #默认就好 ifconfig-pool-persist ipp.txt #正在连接的用户会被写到这个文件里 push "route 10.10.0.0 255.255.0.0" #推送路由 push "dhcp-option DNS 8.8.8.8" keepalive 10 120 comp-lzo user nobody group nobody persist-key persist-tun status logs/open***-status.log log logs/open***.log log-append logs/open***.log verb 3
mkdir logs #创建日志目录 mkdir keys #创建key目录
3、安装easy-rsa,用来生成证书和密钥:
cd /usr/local/src/ tar -zxf easy-rsa-2.2.0_master.tar.gz cp -a easy-rsa-2.2.0_master/easy-rsa /opt/open***/ cd /opt/open***/easy-rsa/2.0/ mv vars vars.bak vi vars #修改配置文件 export EASY_RSA="`pwd`" export OPENSSL="openssl" export PKCS11TOOL="pkcs11-tool" export GREP="grep" export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` export KEY_DIR="$EASY_RSA/keys" echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR export PKCS11_MODULE_PATH="dummy" export PKCS11_PIN="dummy" export KEY_SIZE=2048 #修改为2048 export CA_EXPIRE=3650 export KEY_EXPIRE=3650 export KEY_COUNTRY="CN" #以下根据自己情况修改 export KEY_PROVINCE="ShangHai" export KEY_CITY="ShangHai" export KEY_ORG="jinzhuan" export KEY_EMAIL="[email protected]" export KEY_CN=jinzhuan export KEY_NAME=jinzhuan export KEY_OU=jinzhuan
ln -s openssl-1.0.0.cnf openssl.cnf source vars #全局变量 ##生成证书,以下命令全部一直回车 ./clean-all #清空所有证书(keys目录下) ./build-ca #生成服务器ca证书 ./build-key-server server #生成服务端证书 ./build-dh #生成DH验证文件(dh2048.pem) open*** --genkey --secret ta.key #降低DDoS风险 ./build-key client #生成客户端证书(随便命名)
4、启动服务
cd /opt/open***/easy-rsa/2.0/keys/ cp -a ca.crt ta.key server.crt dh2048.pem server.key /opt/open***/keys #拷贝证书到/opt/open***/keys目录下 /etc/init.d/open*** start chkconfig open*** on
5、设置外网访问:
vim /etc/sysctl.conf #将net.ipv4.ip_forward = 0 改为 1 sysctl -p 配置nat表将***网段IP转发到server内网:(很重要) iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE #注意接口(eth0)是内网的接口,其它选项不要修改 iptables -A INPUT -p TCP --dport 1194 -j ACCEPT #开启防火墙1194端口 service iptables restart #POSTROUTING需要保存并重启服务才能生效 chkconfig iptables on
6、windows客户端配置:
下载:open***-2.2.2-install.exe 下载地址:http://vdisk.weibo.com/s/z5vWLo13rACAe 点击安装,一直next,默认目录安装即可 一般会安装到 C:/Program Files/Open×××/ 目录下
创建client.o***文件: client dev tun proto udp remote 192.168.1.106 1194 #***服务端ip ca ca.crt cert client.crt key client.key tls-auth ta.key 1 comp-lzo persist-key persist-tun status open***-status.log
将client.o***文件放到C:/Program Files/Open×××/config目录下 从***服务端下载ca.crt,client.crt,client.key,ta.key证书 将ca.crt,client.crt,client.key,ta.key证书放到C:/Program Files/Open×××/config目录下 点击桌面open***图标即可
7、吊销客户端证书:
cd /opt/open***/easy-rsa/2.0/ source vars #全局变量 ./revoke-full client #会在keys目录下生成一个crl.pem文件 cp keys/crl.pem /opt/open***/keys/ #每次吊销一个客户端证书,都要重新拷贝覆盖crl.pem文件 vim /opt/open***/server.conf #在最后添加:crl-verify keys/crl.pem /etc/init.d/open*** restart
8、控制访问权限:
说明:有多个客户端用户,client用户可以访问所有的内网服务器,client1用户只能访问10.10.1.0网段的服务器
参考:http://backreference.org/2010/06/18/open***s-built-in-packet-filter/
方案:采用minimal_pf.so模块和包过滤
编译minimal_pf.so模块:
cd /usr/local/src/open***-2.3.8
vi minimal_pf.c #创建minimal_pf.c文件 /* minimal_pf.c * ultra-minimal Open××× plugin to enable internal packet filter */ #include#include #include "include/open***-plugin.h" /* dummy context, as we need no state */ struct plugin_context { int dummy; }; /* Initialization function */ OPEN×××_EXPORT open***_plugin_handle_t open***_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[]) { struct plugin_context *context; /* Allocate our context */ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context)); /* Which callbacks to intercept. */ *type_mask = OPEN×××_PLUGIN_MASK (OPEN×××_PLUGIN_ENABLE_PF); return (open***_plugin_handle_t) context; } /* Worker function */ OPEN×××_EXPORT int open***_plugin_func_v2 (open***_plugin_handle_t handle, const int type, const char *argv[], const char *envp[], void *per_client_context, struct open***_plugin_string_list **return_list) { if (type == OPEN×××_PLUGIN_ENABLE_PF) { return OPEN×××_PLUGIN_FUNC_SUCCESS; } else { /* should not happen! */ return OPEN×××_PLUGIN_FUNC_ERROR; } } /* Cleanup function */ OPEN×××_EXPORT void open***_plugin_close_v1 (open***_plugin_handle_t handle) { struct plugin_context *context = (struct plugin_context *) handle; free (context); }
编译步骤:
INCLUDE="-I/usr/local/src/open***-2.3.8/" CC_FLAGS="-O2 -Wall -g" NAME=minimal_pf gcc $CC_FLAGS -fPIC -c $INCLUDE $NAME.c && gcc $CC_FLAGS -fPIC -shared -Wl,-soname,$NAME.so -o $NAME.so $NAME.o -lc cp -a minimal_pf.so /opt/open***/lib/open***/plugins/
创建包过滤文件:
mkdir /opt/open***/ccd cd /opt/open***/ccd vi client1.pf #客户client1,只对10.10.1.0网段有权限 [CLIENTS ACCEPT] [SUBNETS DROP] +10.10.1.0/24 [END] vi client.pf #客户client,对所有内网服务器都有权限 [CLIENTS ACCEPT] [SUBNETS ACCEPT] [END]
包过滤文件补充:
包过滤文件格式:
[CLIENTS DROP|ACCEPT]
{+|-}common_name1
{+|-}common_name2
. . .
[SUBNETS DROP|ACCEPT]
{+|-}subnet1
{+|-}subnet2
. . .
[END]
过滤文件语法:
CLIENTS部分用于定义common name;
SUBNETS部分用于定义IP地址、IP网段;
DROP|ACCEPT用于设置默认规则,就是没有明确指明的common name,那么他们将会使用;
{+|-}用于设置是否允许,如果是“+”,那么表示允许,如果是“-”则表示不允许;
[END]表示策略文件的结束
cat client10.pf
[CLIENTS ACCEPT]
[SUBNETS ACCEPT]
-192.168.9.7
+192.168.9.0/24
[END]
创建客户端连接脚本:
cd /opt/open***
vi client-connect.sh
#!/bin/sh
# /etc/open***/client-connect.sh: sample client-connect script using pf rule files
# rules template file
template="/opt/open***/ccd/${common_name}.pf"
# create the file Open××× wants with the rules for this client
if [ -f "$template" ] && [ ! -z "$pf_file" ]; then
cp -- "$template" "$pf_file"
else
# if anything is not as expected, fail
exit 1
fi
chmod +x client-connect.sh #加执行权限
修改***配置文件:
vim /opt/open***/server.conf port 1194 proto udp dev tun ca keys/ca.crt cert keys/server.crt key keys/server.key dh keys/dh2048.pem tls-auth keys/ta.key 0 plugin /opt/open***/lib/open***/plugins/minimal_pf.so #添加 client-connect /opt/open***/client-connect.sh #添加 server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 10.10.0.0 255.255.0.0" push "dhcp-option DNS 8.8.8.8" client-config-dir /opt/open***/ccd #添加 client-to-client #添加 keepalive 10 120 comp-lzo user nobody group nobody persist-key persist-tun status logs/open***-status.log log logs/open***.log log-append logs/open***.log verb 3 script-security 3 #添加,脚本安全级别2及以上 ##补充: [root@localhost ~]# open*** --help | grep -A 5 script-security --script-security level: Where level can be: 0 -- strictly no calling of external programs 1 -- (default) only call built-ins such as ifconfig 2 -- allow calling of built-ins and scripts 3 -- allow password to be passed to scripts via env --shaper n : Restrict output to peer to n bytes per second.
重启服务:
/etc/init.d/open*** restart
9、添加***客户端账号:
cd /opt/open***/easy-rsa/2.0/ source vars ./build-key client2 cd /opt/open***/ccd/ vim client2.pf /etc/init.d/open*** restart #必须重启服务