http://732233048.blog.51cto.com/9323668/1713088
说明:
客户端采用密钥登录VPN服务端
安装部署:
软件下载地址:https://swupdate.openvpn.org/community/releases/
1、安装依赖包:
# Build dependencies for OpenVPN 2.3 and easy-rsa: TLS (openssl), LZO
# compression (lzo), PAM headers (used by the optional auth-pam plugin),
# plus the autotools helpers needed by ./configure.
yum install -y \
  openssl openssl-devel \
  lzo lzo-devel \
  pam pam-devel \
  automake pkgconfig
2、安装openvpn
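# Build OpenVPN 2.3.8 from source into /opt/openvpn and wire up the RHEL
# init script.  Assumes the tarball from swupdate.openvpn.org has already
# been saved under /usr/local/src.
cd /usr/local/src/ || exit 1
tar -zxf openvpn-2.3.8.tar.gz || exit 1
cd openvpn-2.3.8 || exit 1
./configure --prefix=/opt/openvpn || exit 1
make && make install || exit 1
# Keep the server config next to the install rather than under /etc.
cp -a sample/sample-config-files/server.conf /opt/openvpn/
# Init script shipped with the source tree.
cp -a distro/rpm/openvpn.init.d.rhel /etc/init.d/openvpn
# The init script calls a bare "openvpn": either expose it on PATH like
# this, or skip the link and edit the binary path inside the script.
ln -s /opt/openvpn/sbin/openvpn /usr/sbin/openvpn
# Around line 85 of the init script set: work=/opt/openvpn
vi /etc/init.d/openvpn
# Keep the sample as a reference and write a fresh server.conf.
cd /opt/openvpn/ || exit 1
mv server.conf server.conf.bak
# Edit the config; ';' (or '#') starts a comment.
vi server.conf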
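port 1194
proto udp
dev tun
# Paths are relative to the working directory the init script sets
# (work=/opt/openvpn).
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
# Extra HMAC on the TLS control channel; the server uses key direction 0,
# every client must use 1.
tls-auth keys/ta.key 0
server 10.8.0.0 255.255.255.0       # default tunnel pool is fine
ifconfig-pool-persist ipp.txt        # remembers client -> address assignments
push "route 10.10.0.0 255.255.0.0"   # route the internal network via the tunnel
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# Compression of tunnel traffic.  Compression of attacker-influenced
# plaintext has known information-leak issues (VORACLE); drop it if it is
# not needed.  Must match the client config.
comp-lzo
# Drop privileges after start-up; persist-key/persist-tun let the daemon
# survive SIGUSR1 restarts without re-reading keys as "nobody".
user nobody
group nobody
persist-key
persist-tun
status logs/openvpn-status.log
# "log" and "log-append" both name the same file; one directive is enough
# (log truncates at start-up, log-append keeps history across restarts).
log logs/openvpn.log
log-append logs/openvpn.log
verb 3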
# Run from /opt/openvpn: logs/ receives the status and log files and
# keys/ the certificate material referenced from server.conf.
mkdir logs keys
3、安装easy-rsa,用来生成证书和密钥:
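# Unpack easy-rsa 2 next to OpenVPN; it generates the CA, server and
# client certificates that server.conf points at.
cd /usr/local/src/ || exit 1
tar -zxf easy-rsa-2.2.0_master.tar.gz || exit 1
cp -a easy-rsa-2.2.0_master/easy-rsa /opt/openvpn/
cd /opt/openvpn/easy-rsa/2.0/ || exit 1
# Keep the shipped vars as a reference and write a fresh one.
mv vars vars.bak
vi vars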
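# easy-rsa 2.0 "vars": sourced into the shell before the ./build-* scripts.
# The KEY_* values become the default certificate subject fields.
export EASY_RSA="$(pwd)"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# whichopensslcnf picks the openssl-*.cnf matching the installed openssl.
KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"
export KEY_CONFIG
export KEY_DIR="$EASY_RSA/keys"
printf 'NOTE: If you run ./clean-all, I will be doing a rm -rf on %s\n' "$KEY_DIR"
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# 2048-bit RSA keys; build-dh names its output after this (dh2048.pem).
export KEY_SIZE=2048
# CA and issued certificates are valid for ten years.
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
# Default subject fields -- adjust to your organisation.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="ShangHai"
export KEY_CITY="ShangHai"
export KEY_ORG="jinzhuan"
export KEY_EMAIL="[email protected]"   # address masked in the source page; fill in
export KEY_CN=jinzhuan
export KEY_NAME=jinzhuan
export KEY_OU=jinzhuan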
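# Generate the PKI.  Accept the defaults at every prompt (they come from vars).
# easy-rsa needs an openssl.cnf; link the one matching the local openssl.
ln -s openssl-1.0.0.cnf openssl.cnf
source vars
# Wipes everything under KEY_DIR (keys/) -- only for a fresh PKI.
./clean-all
./build-ca                     # CA certificate and private key
# Server cert with the server extensions, which is what lets clients use
# "remote-cert-tls server" to tell the server apart from another client.
./build-key-server server
./build-dh                     # Diffie-Hellman parameters (dh2048.pem)
# Static key for tls-auth: packets without a valid HMAC are dropped before
# reaching the TLS stack, which limits DoS and scanning exposure.
openvpn --genkey --secret ta.key
./build-key client             # one client cert; the argument becomes its CN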
4、启动服务
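# Install the generated material where server.conf expects it and start.
cd /opt/openvpn/easy-rsa/2.0/keys/ || exit 1
# -a preserves ownership and mode of the copied files (server.key included).
cp -a ca.crt ta.key server.crt dh2048.pem server.key /opt/openvpn/keys || exit 1
/etc/init.d/openvpn start
chkconfig openvpn on   # start at boot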
5、设置外网访问:
# Enable IPv4 forwarding so tunnel traffic can be routed on to the LAN:
# change "net.ipv4.ip_forward = 0" to "net.ipv4.ip_forward = 1".
vim /etc/sysctl.conf
# Apply the file without a reboot.
sysctl -p
配置nat表,将VPN网段的IP转发到server内网:(很重要)
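# NAT the tunnel subnet (10.8.0.0/24 from server.conf) out of the LAN-facing
# interface.  eth0 is the internal interface here; change only that name.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# server.conf says "proto udp", so the listener must be opened for UDP;
# a TCP rule would leave the UDP port blocked.
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# "service iptables restart" reloads /etc/sysconfig/iptables, so rules added
# with -A are lost unless they are saved first.
service iptables save
service iptables restart
chkconfig iptables on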
6、windows客户端配置:
下载:openvpn-2.2.2-install.exe
下载地址:http://vdisk.weibo.com/s/z5vWLo13rACAe
点击安装,一直next,默认目录安装即可
一般会安装到 C:/Program Files/OpenVPN/ 目录下
创建client.ovpn文件:
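client
dev tun
proto udp
remote 192.168.1.106 1194   # VPN server address
ca ca.crt
cert client.crt
key client.key
# Key direction 1 pairs with "tls-auth keys/ta.key 0" on the server.
tls-auth ta.key 1
# Accept only a server whose certificate carries the server extensions
# (build-key-server sets them).  Without this, any client certificate from
# the same CA would be accepted as the server.
remote-cert-tls server
comp-lzo   # must match the server
persist-key
persist-tun
status openvpn-status.log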
将client.ovpn文件放到C:/Program Files/OpenVPN/config目录下
从VPN服务端下载ca.crt,client.crt,client.key,ta.key证书
将ca.crt,client.crt,client.key,ta.key证书放到C:/Program Files/OpenVPN/config目录下
点击桌面openvpn图标即可
7、吊销客户端证书:
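# Revoke a client certificate and publish the CRL to the running server.
cd /opt/openvpn/easy-rsa/2.0/ || exit 1
source vars
# Marks the cert revoked in the index and writes keys/crl.pem.  The script
# ends by verifying the cert, so "error 23 ... certificate revoked" is the
# expected output, not a failure.
./revoke-full client
# The server reads its own copy: re-copy after every revocation.
cp keys/crl.pem /opt/openvpn/keys/ || exit 1
# First time only: append "crl-verify keys/crl.pem" at the end of server.conf.
# The CRL itself has an expiry (default_crl_days in the easy-rsa openssl cnf);
# regenerate it before then or connections may start being rejected.
vim /opt/openvpn/server.conf
/etc/init.d/openvpn restart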
8、控制访问权限:
说明:有多个客户端用户,client用户可以访问所有的内网服务器,client1用户只能访问10.10.1.0网段的服务器
参考:http://backreference.org/2010/06/18/openvpns-built-in-packet-filter/
方案:采用minimal_pf.so模块和包过滤
编译minimal_pf.so模块:
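# The plugin is built against the headers in the unpacked source tree.
cd /usr/local/src/openvpn-2.3.8 || exit 1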
# Create minimal_pf.c with the plugin source that follows.
vi minimal_pf.c
/* minimal_pf.c
 * ultra-minimal OpenVPN plugin to enable internal packet filter */
#include <stdio.h>
#include <stdlib.h>
#include "include/openvpn-plugin.h"
/* dummy context, as we need no state */
struct plugin_context {
int dummy; /* never read: the plugin keeps no state, the struct only gives the handle something to point at */
};
/* Initialization function */
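OPENVPN_EXPORT openvpn_plugin_handle_t openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[]) {
  struct plugin_context *context;
  /* Allocate the (empty) context; argv/envp from the "plugin" config line
   * are not used. */
  context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
  /* Register for ENABLE_PF only: the core then turns on its internal packet
   * filter for each client and exports the pf file path to the
   * client-connect script. */
  *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ENABLE_PF);
  return (openvpn_plugin_handle_t) context;
}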
/* Worker function */
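OPENVPN_EXPORT int openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle,
                                           const int type,
                                           const char *argv[],
                                           const char *envp[],
                                           void *per_client_context,
                                           struct openvpn_plugin_string_list **return_list) {
  /* ENABLE_PF is the only callback registered in open_v1; answering SUCCESS
   * is what switches the packet filter on for the connecting client. */
  if (type == OPENVPN_PLUGIN_ENABLE_PF) {
    return OPENVPN_PLUGIN_FUNC_SUCCESS;
  }
  /* Not registered for anything else, so this should not happen. */
  return OPENVPN_PLUGIN_FUNC_ERROR;
}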
/* Cleanup function */
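OPENVPN_EXPORT void openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle) {
  /* Release the context allocated in open_v1; free(NULL) is a no-op, so a
   * failed allocation needs no special case here. */
  free ((struct plugin_context *) handle);
}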
编译步骤:
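# Build the plugin against the OpenVPN 2.3.8 source tree and install it
# under the lib directory of the configure-time prefix.
INCLUDE="-I/usr/local/src/openvpn-2.3.8/"
CC_FLAGS=(-O2 -Wall -g)   # array so the flags stay separate words when expanded
NAME=minimal_pf
gcc "${CC_FLAGS[@]}" -fPIC -c "$INCLUDE" "$NAME.c" \
  && gcc "${CC_FLAGS[@]}" -fPIC -shared -Wl,-soname,"$NAME.so" -o "$NAME.so" "$NAME.o" -lc
cp -a "$NAME.so" /opt/openvpn/lib/openvpn/plugins/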
创建包过滤文件:
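# Per-client packet-filter rule files live in the client-config-dir;
# client-connect.sh looks up ccd/<CN>.pf for each connecting client.
mkdir /opt/openvpn/ccd || exit 1
cd /opt/openvpn/ccd || exit 1
# client1: may reach only the 10.10.1.0/24 network.
vi client1.pf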
[CLIENTS ACCEPT]
[SUBNETS DROP]
+10.10.1.0/24
[END]
# client: unrestricted access to the internal network.
vi client.pf
[CLIENTS ACCEPT]
[SUBNETS ACCEPT]
[END]
包过滤文件补充:
包过滤文件格式:
[CLIENTS DROP|ACCEPT]
{+|-}common_name1
{+|-}common_name2
. . .
[SUBNETS DROP|ACCEPT]
{+|-}subnet1
{+|-}subnet2
. . .
[END]
过滤文件语法:
CLIENTS部分用于定义common name;
SUBNETS部分用于定义IP地址、IP网段;
DROP|ACCEPT用于设置默认规则:没有被明确列出的common name或子网,将使用该默认动作;
{+|-}用于设置是否允许,如果是“+”,那么表示允许,如果是“-”则表示不允许;
[END]表示策略文件的结束
# Example: allow the whole 192.168.9.0/24 except one host.  The -192.168.9.7
# entry is listed before the broader +subnet; the entries appear to be
# evaluated in order, so keep exclusions first -- confirm against the pf docs.
cat client10.pf
[CLIENTS ACCEPT]
[SUBNETS ACCEPT]
-192.168.9.7
+192.168.9.0/24
[END]
创建客户端连接脚本:
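cd /opt/openvpn || exit 1
# Hook the server runs on every client connect (client-connect in server.conf).
vi client-connect.sh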
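#!/bin/sh
# /opt/openvpn/client-connect.sh: client-connect hook that installs the
# per-client packet-filter rules.
#
# OpenVPN runs this with the client certificate's CN in $common_name and,
# because the minimal_pf plugin enabled the packet filter, the path of the
# rules file it wants to read in $pf_file.  A non-zero exit refuses the
# connection, so a client without a rules file is denied (fail closed).

# Defence in depth: the CN is issued by our own CA, but still accept only a
# plain file name so it can never select a file outside the ccd directory.
case "$common_name" in
  ''|*/*|.*) exit 1 ;;
esac

# rules template file
template="/opt/openvpn/ccd/${common_name}.pf"

# create the file OpenVPN wants with the rules for this client; if cp fails
# its status propagates and the connection is refused
if [ -f "$template" ] && [ -n "$pf_file" ]; then
  cp -- "$template" "$pf_file"
else
  # if anything is not as expected, fail
  exit 1
fi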
chmod +x client-connect.sh # OpenVPN executes the hook directly, so it must be executable
修改VPN配置文件:
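# Re-open the server config to add the plugin, hook and ccd directives.
vim /opt/openvpn/server.conf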
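port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
tls-auth keys/ta.key 0
# Added: enable the internal packet filter for every client.
plugin /opt/openvpn/lib/openvpn/plugins/minimal_pf.so
# Added: copies ccd/<CN>.pf into the pf file of the connecting client.
client-connect /opt/openvpn/client-connect.sh
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.0.0 255.255.0.0"
push "dhcp-option DNS 8.8.8.8"
# Added: directory holding the per-client .pf rule files.
client-config-dir /opt/openvpn/ccd
# Added: lets clients reach each other.  That traffic is switched inside
# OpenVPN and never passes the host's iptables, so only the [CLIENTS]
# section of the pf files restricts it.
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status logs/openvpn-status.log
log logs/openvpn.log
log-append logs/openvpn.log
verb 3
# Added: needed for client-connect to run a script.  Level 2 is enough here;
# level 3 would additionally pass passwords to scripts via the environment
# (see the --help output below), which this script does not need.
script-security 2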
##补充:
[root@localhost ~]# openvpn --help | grep -A 5 script-security
--script-security level: Where level can be:
0 -- strictly no calling of external programs
1 -- (default) only call built-ins such as ifconfig
2 -- allow calling of built-ins and scripts
3 -- allow password to be passed to scripts via env
--shaper n : Restrict output to peer to n bytes per second.
重启服务:
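# Restart so the new plugin, client-connect and ccd directives take effect.
/etc/init.d/openvpn restart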
9、添加VPN客户端账号:
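# Issue a certificate for a new client and give it a rule file.
cd /opt/openvpn/easy-rsa/2.0/ || exit 1
source vars
./build-key client2
cd /opt/openvpn/ccd/ || exit 1
# Rules for client2 (same format as client.pf / client1.pf).
vim client2.pf
# Restart as in the original procedure.  client-connect.sh reads ccd/<CN>.pf
# at connect time, so the restart may not be strictly required -- confirm
# before skipping it.
/etc/init.d/openvpn restart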