A VPN (virtual private network) is a tunnel that provides secure data transfer between enterprises, or between an individual and a company. OpenVPN is the leading open-source VPN on Linux: it offers good performance and a friendly GUI, and uses the OpenSSL library for its encryption and authentication. It supports both UDP and TCP, and provides two kinds of virtual network interface: Tun and Tap mode. Below is the detailed process for installing OpenVPN on CentOS 5.5; I hope it is useful. RPM packages are used (compiling from the tarball takes longer, and the configuration is the same either way).
1. Download the packages. Download the two rpm packages required for the install from http://rpm.pbone.net.
lzo-2.02-3.el5.kb.i386.rpm (compression tool)
openvpn-2.1-0.20.rc4.el5.kb.i386.rpm (the OpenVPN package)
2. Install.
[root@nagios ~]# rpm -ivh lzo-2.02-3.el5.kb.i386.rpm
Preparing...                ########################################### [100%]
   1:lzo                    ########################################### [100%]
[root@nagios ~]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm
Preparing...                ########################################### [100%]
   1:openvpn                ########################################### [100%]
3.1 Copy the OpenVPN configuration files into the /etc/openvpn/ directory.
[root@nagios ~]# cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/
[root@nagios ~]# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
3.2 Edit the variable definitions file in the /etc/openvpn/2.0 directory.
vim vars
export KEY_COUNTRY="CN"      # country
export KEY_PROVINCE="SHS"    # province
export KEY_CITY="SH"         # city
export KEY_ORG="VPN-TEST"    # company / organization
export KEY_EMAIL=""          # e-mail address
Use source to make vars take effect:
[root@nagios 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
Check the settings you just made; if the following lines now appear, everything is OK.
[root@nagios 2.0]# env | grep KEY
KEY_EXPIRE=3650
KEY_SIZE=1024
KEY_DIR=/etc/openvpn/2.0/keys
KEY_CITY=SH
KEY_PROVINCE=SHS
KEY_ORG=VPN-TEST
Run ./clean-all to clear every certificate-related value OpenVPN holds; you will find a keys directory has been created in this directory.
[root@nagios 2.0]# ./clean-all
[root@nagios 2.0]# ls
build-ca          build-key-server  list-crl           revoke-full
build-dh          build-req         Makefile           sign-req
build-inter       build-req-pass    openssl-0.9.6.cnf  vars
build-key         clean-all         openssl.cnf        whichopensslcnf
build-key-pass    inherit-inter     pkitool
build-key-pkcs12  keys              README
3.3 Create the CA certificate.
[root@nagios 2.0]# ./build-ca
Generating a 1024 bit RSA private key
...........++++++
....................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:                              # press Enter
State or Province Name (full name) [SHS]:                       # press Enter
Locality Name (eg, city) [SH]:                                  # press Enter
Organization Name (eg, company) [VPN-TEST]:                     # press Enter
Organizational Unit Name (eg, section) []: TEST                 # organizational unit name of your choice
Common Name (eg, your name or your server's hostname) [VPN-TEST CA]: server   # FQDN of the VPN server
Email Address [[email protected]]:
# The CA's crt and key files now exist:
[root@nagios 2.0]# ls keys/
ca.crt  ca.key  index.txt  serial
3.4 Generate the VPN server's certificate and private key file.
[root@nagios 2.0]# ./build-key-server server        # private key file name of your choice
Generating a 1024 bit RSA private key
...++++++
........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:                              # press Enter
State or Province Name (full name) [SHS]:                       # press Enter
Locality Name (eg, city) [SH]:                                  # press Enter
Organization Name (eg, company) [VPN-TEST]:                     # press Enter
Organizational Unit Name (eg, section) []:TEST                  # keep the same as the CA
Common Name (eg, your name or your server's hostname) [server]:server   # keep the same as the CA
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:david123                                # set a password
An optional company name []:                                    # press Enter
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SHS'
localityName          :PRINTABLE:'SH'
organizationName      :PRINTABLE:'VPN-TEST'
organizationalUnitName:PRINTABLE:'TEST'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 25 13:30:31 2021 GMT (3650 days)
Sign the certificate? [y/n]:y                                   # press y and Enter; the certificate is valid for 10 years
1 out of 1 certificate requests certified, commit? [y/n]y       # press y and Enter
Write out database with 1 new entries
Data Base Updated
The server key files have now been generated:
[root@nagios 2.0]# ls keys/
01.pem  ca.key     index.txt.attr  serial      server.crt  server.key
ca.crt  index.txt  index.txt.old   serial.old  server.csr
3.5 Generate the certificate and private key for the client that will dial in to OpenVPN.
[root@nagios 2.0]# ./build-key sfzhang              # FQDN of the VPN client host
Generating a 1024 bit RSA private key
...........++++++
....++++++
writing new private key to 'sfzhang.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:                              # press Enter
State or Province Name (full name) [SHS]:                       # press Enter
Locality Name (eg, city) [SH]:                                  # press Enter
Organization Name (eg, company) [VPN-TEST]:                     # press Enter
Organizational Unit Name (eg, section) []:TEST
Common Name (eg, your name or your server's hostname) [sfzhang]:sfzhang   # FQDN of the client host, sfzhang
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:david123                                # keep the same as the server side
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SHS'
localityName          :PRINTABLE:'SH'
organizationName      :PRINTABLE:'VPN-TEST'
organizationalUnitName:PRINTABLE:'TEST'
commonName            :PRINTABLE:'sfzhang'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 25 13:35:59 2021 GMT (3650 days)
Sign the certificate? [y/n]:y                                   # press y and Enter; the certificate is valid for 10 years
1 out of 1 certificate requests certified, commit? [y/n]y       # press y and Enter
Write out database with 1 new entries
Data Base Updated
View the client certificate files:
[root@nagios 2.0]# ls keys/
01.pem  index.txt           serial      server.key
02.pem  index.txt.attr      serial.old  sfzhang.crt
ca.crt  index.txt.attr.old  server.crt  sfzhang.csr
ca.key  index.txt.old       server.csr  sfzhang.key
Following the method above, you can generate files for as many clients as you need.
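Every build-key run above appends one line to keys/index.txt (the serial numbers 01 and 02 in the listing are the entries for server and sfzhang), and ./revoke-full later flips an entry's status to R. That file is therefore the CA's own record of which identities can still authenticate to the VPN, and it is worth auditing once more than a couple of clients exist. The script below is an added example, not part of the original post or of easy-rsa: it parses the OpenSSL CA index.txt format and sorts the issued certificates into active clients, revoked and expired. The sample index content, the extra client names (contractor, oldlaptop) and the e-mail address are constructed for the example.

```python
"""Audit the easy-rsa certificate database (keys/index.txt).

Every ./build-key* run appends a line to index.txt and ./revoke-full
flips that line's status to R, so the file is the CA's record of which
identities may still authenticate to the VPN. The sample index below is
constructed for this example."""
from datetime import datetime

# OpenSSL CA index.txt: tab-separated status, expiry, revocation date,
# serial, certificate filename, subject DN.
FIELDS = 6


def parse_time(stamp):
    """Decode an OpenSSL UTCTime stamp such as 211025133031Z (UTC, naive)."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ")


def parse_index(text):
    """Parse index.txt into a list of dicts, one per issued certificate."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != FIELDS:
            raise ValueError(f"malformed index.txt line: {raw!r}")
        status, expiry, revoked, serial, _filename, subject = fields
        dn = dict(part.split("=", 1) for part in subject.split("/") if "=" in part)
        entries.append({
            "status": status,                       # V valid, R revoked, E expired
            "expires": parse_time(expiry),
            # the revocation field may carry a reason: "120301080000Z,keyCompromise"
            "revoked": parse_time(revoked.split(",")[0]) if revoked else None,
            "serial": serial,
            "cn": dn.get("CN", ""),
            "ou": dn.get("OU", ""),
        })
    return entries


def audit(entries, now_iso, server_cn="server"):
    """Split issued certificates into active clients, revoked and expired.

    now_iso is a UTC date like '2015-06-01'. The server's own certificate
    is left out of the client list. A certificate past its expiry keeps
    status V in index.txt until `openssl ca -updatedb` is run, so expiry
    is checked against the date instead of trusting the status column."""
    now = datetime.fromisoformat(now_iso)
    report = {"active": [], "revoked": [], "expired": []}
    for e in entries:
        if e["status"] == "R" or e["revoked"] is not None:
            report["revoked"].append(e["cn"])
        elif e["expires"] <= now:
            report["expired"].append(e["cn"])
        elif e["cn"] != server_cn:
            report["active"].append(e["cn"])
    for key in report:
        report[key].sort()
    return report


# Constructed sample: serials 01/02 match the 01.pem/02.pem files in keys/
# above; the two extra rows show a revoked and a long-expired client.
SAMPLE_INDEX = (
    "V\t211025133031Z\t\t01\tunknown\t/C=CN/ST=SHS/L=SH/O=VPN-TEST/OU=TEST/CN=server/emailAddress=ca@example.com\n"
    "V\t211025133559Z\t\t02\tunknown\t/C=CN/ST=SHS/L=SH/O=VPN-TEST/OU=TEST/CN=sfzhang/emailAddress=ca@example.com\n"
    "R\t220301090000Z\t120301080000Z,keyCompromise\t03\tunknown\t/C=CN/ST=SHS/L=SH/O=VPN-TEST/OU=TEST/CN=contractor/emailAddress=ca@example.com\n"
    "V\t130101000000Z\t\t04\tunknown\t/C=CN/ST=SHS/L=SH/O=VPN-TEST/OU=TEST/CN=oldlaptop/emailAddress=ca@example.com\n"
)


def audit_sample(now_iso="2015-06-01"):
    return audit(parse_index(SAMPLE_INDEX), now_iso)


if __name__ == "__main__":
    for state, names in audit_sample().items():
        print(f"{state}: {', '.join(names) or '-'}")
```

Two points the report makes visible. First, revoking a client in index.txt is only half the job: revoke-full also regenerates crl.pem in the keys directory, and the server only rejects a revoked certificate if server.conf carries a crl-verify directive pointing at that CRL. Second, every line in this database was signed with ca.key, so that file belongs only on the CA machine; a client needs ca.crt plus its own certificate and key to connect.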
3.6 Create the Diffie-Hellman parameters and generate an HMAC key. An HMAC is a keyed hash-based message authentication code; it verifies the integrity and authenticity of message data.
[root@nagios 2.0]# ./build-dh
3.7 Copy ca.crt, ca.key and sfzhang.* from the keys directory into the OpenVPN GUI installation directory on the client sfzhang.
4. Create the server-side configuration file.
Copy ca.crt, server.crt, server.key and dh1024.pem from keys to /etc/openvpn:
[root@nagios 2.0]# cp keys/ca.crt /etc/openvpn/
[root@nagios 2.0]# cp keys/server.* /etc/openvpn/
[root@nagios 2.0]# cp keys/dh1024.pem /etc/openvpn/
Configure OpenVPN's main configuration file, /etc/openvpn/server.conf:
# IP address of the interface that listens for VPN client requests
local 192.168.1.200
# Port that listens for VPN client requests; the default is 1194 and can be changed
port 1194
# Protocol used to listen for VPN client requests
proto udp
# Device type, tap or tun: tap is a layer-2 device that supports link-layer protocols, tun is an IP-layer point-to-point device
dev tun
# Path to the trusted CA certificate
ca /etc/openvpn/ca.crt
# Path to the VPN server's certificate
cert /etc/openvpn/server.crt
# Path to the VPN server's private key (copied above together with server.crt)
key /etc/openvpn/server.key
# Path to the Diffie-Hellman parameters file
dh /etc/openvpn/dh1024.pem
# Private address range the VPN server assigns to VPN clients; must not be the same subnet the VPN clients sit on
server 172.16.0.0 255.255.255.0
# Once several VPN clients have dialled in, they may also talk to each other
client-to-client
# Ping every 10 seconds; if no packet arrives within 120 seconds, the client is considered disconnected
keepalive 10 120
# VPN clients are not on the same subnet as the internal network, so a route entry must be pushed
push "route 192.168.1.0 255.255.255.0"
# Enable compression of the tunnel traffic
comp-lzo
# Allow at most 20 clients at a time
max-clients 20
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
# HMAC key for tls-auth; ta.key must exist at this path first (created with: openvpn --genkey --secret /etc/openvpn/keys/ta.key)
tls-auth /etc/openvpn/keys/ta.key 0
# Log verbosity
verb 4
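The server.conf above is where most first-run failures come from: a directive pointing at a file that was never copied, one of ca/cert/key/dh left out, or a client pool that collides with the LAN route pushed to clients. The linter below is an added example, not part of the original post or of OpenVPN itself; it parses the directives the way OpenVPN reads them (whitespace-separated tokens, `#` comments, quoted push arguments) and reports those three classes of mistake. The sample configuration embedded in it follows the shape of the step-4 file but has two constructed slips injected (a mistyped cert path and no key directive), and the set of "copied" files stands in for the real /etc/openvpn so the check runs anywhere.

```python
"""Lint an OpenVPN server.conf before restarting the service.

Catches the mistakes that stop the daemon from starting or quietly weaken
the setup: a missing ca/cert/key/dh directive, a referenced file that does
not exist, and a client address pool that overlaps a LAN route pushed to
clients. The config text and the set of "copied" files below are
constructed for this example."""
import ipaddress
import os
import shlex

REQUIRED = ("ca", "cert", "key", "dh")  # a TLS-mode server needs all four
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "crl-verify")


def parse_directives(text):
    """Return (name, args) pairs in file order.

    Lines starting with '#' or ';' are comments; a '#' later on a line
    ends it early, and quoted arguments (push "route ...") stay whole."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def lint_server_conf(text, exists=os.path.exists):
    """Return a list of findings; an empty list means the file is clean."""
    findings = []
    directives = parse_directives(text)
    present = {name for name, _ in directives}
    for name in REQUIRED:
        if name not in present:
            findings.append(f"missing required directive: {name}")
    for name, args in directives:
        if name in FILE_DIRECTIVES and args and not exists(args[0]):
            findings.append(f"{name}: file not found {args[0]}")
    pool = None
    for name, args in directives:
        if name == "server" and len(args) >= 2:
            pool = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    if pool is not None:
        for name, args in directives:
            if name == "push" and args and args[0].startswith("route "):
                parts = args[0].split()
                if len(parts) >= 3:
                    lan = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
                    if pool.overlaps(lan):
                        findings.append(f"server pool {pool} overlaps pushed route {lan}")
    return findings


# Constructed sample: the shape of the step-4 server.conf with two common
# slips injected (mistyped cert path, no key directive).
SAMPLE_CONF = """\
local 192.168.1.200
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/erver.crt
dh /etc/openvpn/dh1024.pem
server 172.16.0.0 255.255.255.0
client-to-client
keepalive 10 120
push "route 192.168.1.0 255.255.255.0"
comp-lzo
max-clients 20
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
tls-auth /etc/openvpn/keys/ta.key 0
verb 4
"""

# Files step 4 copies into /etc/openvpn; a constructed stand-in for the
# real filesystem so the example runs anywhere.
COPIED_FILES = {
    "/etc/openvpn/ca.crt", "/etc/openvpn/server.crt",
    "/etc/openvpn/server.key", "/etc/openvpn/dh1024.pem",
}


def lint_sample():
    return lint_server_conf(SAMPLE_CONF, exists=COPIED_FILES.__contains__)


if __name__ == "__main__":
    for finding in lint_sample():
        print(finding)
```

On the sample the linter reports the mistyped cert path, the absent key directive and the tls-auth key that was never generated; fixing those three and supplying ta.key brings the finding list to empty. Run it with the default exists argument against the real file to check the live /etc/openvpn before `service openvpn restart`.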
5. Start the OpenVPN service.
[root@nagios openvpn]# service openvpn restart
正在关闭openvpn: [确定]
正在启动 openvpn: [确定]
Run ifconfig to inspect the network interfaces; if the configuration succeeded, the extra tun0 interface below appears, meaning OpenVPN is running in virtual network mode.
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.0.1  P-t-P:172.16.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:7360 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8339 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:975643 (952.7 KiB)  TX bytes:4564854 (4.3 MiB)
6. On the company's egress server, add a DNAT rule (or configure a port mapping on the router) so that requests whose destination address is IP (the company's public egress IP) on port 1194 (OpenVPN's port) are forwarded to the internal VPN server (192.168.1.200).
# replace IP with the public egress address
iptables -t nat -A PREROUTING -p udp -d IP --dport 1194 -j DNAT --to-destination 192.168.1.200:1194