linux 搭建 open***

==========================================
环境要求：

网络：
eth0 Link encap:Ethernet HWaddr 00:0C:29:67:3C:81
inet addr:192.168.180.80 Bcast:192.168.180.255 Mask:255.255.255.0

eth1 Link encap:Ethernet HWaddr 00:0C:29:67:3C:8B
inet addr:192.168.1.80 Bcast:192.168.1.255 Mask:255.255.255.0

系统环境：
[root@localhost ~]# cat /etc/redhat-release
CentOS release 5.8 (Final)
[root@localhost ~]# uname -r
2.6.18-308.el5
[root@localhost ~]# uname -m
x86_64

==========================================================================================
配置服务器时间同步：

yum -y install ntp ntpdate

[root@localhost cron]# /usr/sbin/ntpdate pool.ntp.org
24 Jan 16:52:46 ntpdate[2347]: step time server 85.199.214.100 offset -28916.598800 sec
[root@localhost cron]# date
2018年 01月 24日 星期三 16:52:49 CST

加入到定时任务：
[root@localhost cron]# echo '#time sync' >>/var/spool/cron/root
[root@localhost cron]# echo '/5 * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >>/var/spool/cron/root

==========================================================================================

安装 Open××× 相关依赖软件
建立Open××× 软件存放目录
操作过程：
[root@localhost ~]# mkdir -p /home/oldboy/tools/open***
[root@localhost ~]# cd /home/oldboy/tools/open***/

安装 lzo 压缩模块
操作命令：
[root@localhost lzo-2.02]# yum install gcc
[root@localhost lzo-2.02]# yum install glibc-headers gcc-c++
[root@localhost open***]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
[root@localhost lzo-2.02]# tar zxvf lzo-2.02.tar.gz
[root@localhost open***]# cd lzo-2.02
[root@localhost lzo-2.02]# ./configure
[root@localhost lzo-2.02]# make && make install

安装 open××× 软件
[root@localhost open***]# tar zxvf open***-2.0.9.tar.gz
[root@localhost open***-2.0.9]# tar zxvf open***-2.0.9.tar.gz
[root@localhost open***-2.0.9]# ./configure --with-lzo-headers=/usr/local/include --with-lzo=/usr/local/lib
[root@localhost open***-2.0.9]# make && make install
[root@localhost open***-2.0.9]# echo $?
注意：可执行文件安装路径：/usr/local/sbin/open***
[root@localhost open***]# ll /usr/local/sbin/open***
-rwxr-xr-x. 1 root root 1873246 1月 24 17:55 /usr/local/sbin/open***

配置open*** server 建立 CA 证书
初始化配置
[root@localhost open***-2.0.9]# cd easy-rsa/2.0/
[root@localhost 2.0]# tail -6 vars

Don't leave any of these fields blank.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"

[root@localhost 2.0]# cp vars vars.oldboy.2018

vi vars # 删除最后5行。

==========================================================================================
或
sed -i '$d' vars

sed -i '$d' vars

$ # 文件结尾，最后一行。

-i # 改变这个文件。

d # 删除。

==========================================================================================

[root@localhost 2.0]# sed -i '$d' vars # 执行 5 次
[root@localhost 2.0]# tail -1 vars

Don't leave any of these fields blank.

==========================================================================================

操作步骤：
[root@localhost 2.0]# cat >>vars<

by pengwangbo

export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="oldboy"
export KEY_EMAIL="[email protected]"
EOF

[root@localhost 2.0]# tail -7 vars

Don't leave any of these fields blank.

by pengwangbo

export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="oldboy"
export KEY_EMAIL="[email protected]"

快速操作命令：
cat >>vars<

by pengwangbo

export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="oldboy"
export KEY_EMAIL="[email protected]"
EOF

提示： 在下文建立证书时，会提示上面配置内容，这是直接回车就好了，不需要敲字符了。

==================================创建CA 证书====================
开始初始化 PKI
修改完 vars 文件后，执行source vars 使前面对 vars 的修改生效。
[root@localhost 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/oldboy/tools/open***/open***-2.0.9/easy-rsa/2.0/keys

然后根据提示执行：

./clean-all

./build-ca

操作步骤：
[root@localhost 2.0]# ./clean-all
[root@localhost 2.0]# ./build-ca
Generating a 1024 bit RSA private key
......................++++++
................................++++++
writing new private key to 'ca.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [oldboy]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [oldboy CA]:oldboy
Email Address [[email protected]]:
[root@localhost 2.0]# ls -l keys/
总计 12
-rw-r--r-- 1 root root 1168 01-26 12:22 ca.crt
-rw------- 1 root root 887 01-26 12:22 ca.key
-rw-r--r-- 1 root root 0 01-26 11:40 index.txt
-rw-r--r-- 1 root root 3 01-26 11:40 serial

==========================================================================================
[root@localhost 2.0]# cat keys/ca.crt
-----BEGIN CERTIFICATE-----
MIIDMTCCApqgAwIBAgIJAMTLuq59PduPMA0GCSqGSIb3DQEBBQUAMG8xCzAJBgNV
BAYTAkNOMQswCQYDVQQIEwJCSjEQMA4GA1UEBxMHQmVpamluZzEPMA0GA1UEChMG
b2xkYm95MQ8wDQYDVQQDEwZvbGRib3kxHzAdBgkqhkiG9w0BCQEWEDE4NTE1MDkz
MEBxcS5jb20wHhcNMTgwMTI2MDQyMjUwWhcNMjgwMTI0MDQyMjUwWjBvMQswCQYD
VQQGEwJDTjELMAkGA1UECBMCQkoxEDAOBgNVBAcTB0JlaWppbmcxDzANBgNVBAoT

=====================================================================================================
生成服务端证书和密钥key 文件：
[root@localhost 2.0]# cat build-ca
#!/bin/bash

#

Build a root certificate

#

export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --initca $*

[root@localhost 2.0]# cat build-key-pass
#!/bin/bash

Similar to build-key, but protect the private key

with a password.

export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --pass $*

===========================================================
创建服务器生成证书
[root@localhost 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.................++++++
...........++++++
writing new private key to 'server.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [oldboy]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:server
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /home/oldboy/tools/open***/open***-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'oldboy'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 24 04:30:23 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]# ls -l keys/
总计 40
-rw-r--r-- 1 root root 3799 01-26 12:31 01.pem
-rw-r--r-- 1 root root 1168 01-26 12:22 ca.crt
-rw------- 1 root root 887 01-26 12:22 ca.key
-rw-r--r-- 1 root root 99 01-26 12:31 index.txt
-rw-r--r-- 1 root root 21 01-26 12:31 index.txt.attr
-rw-r--r-- 1 root root 0 01-26 11:40 index.txt.old
-rw-r--r-- 1 root root 3 01-26 12:31 serial
-rw-r--r-- 1 root root 3 01-26 11:40 serial.old
-rw-r--r-- 1 root root 3799 01-26 12:31 server.crt
-rw-r--r-- 1 root root 725 01-26 12:30 server.csr
-rw------- 1 root root 887 01-26 12:30 server.key
[root@localhost 2.0]# ls -lrt keys/
总计 40
-rw-r--r-- 1 root root 3 01-26 11:40 serial.old
-rw-r--r-- 1 root root 0 01-26 11:40 index.txt.old
-rw------- 1 root root 887 01-26 12:22 ca.key
-rw-r--r-- 1 root root 1168 01-26 12:22 ca.crt
-rw------- 1 root root 887 01-26 12:30 server.key
-rw-r--r-- 1 root root 725 01-26 12:30 server.csr
-rw-r--r-- 1 root root 3799 01-26 12:31 server.crt
-rw-r--r-- 1 root root 3 01-26 12:31 serial
-rw-r--r-- 1 root root 21 01-26 12:31 index.txt.attr
-rw-r--r-- 1 root root 99 01-26 12:31 index.txt
-rw-r--r-- 1 root root 3799 01-26 12:31 01.pem

==========================================================================================
生成客户端证书和key 文件。
下面建立2份客户端证书，名称分别为oldboy 和 etiantian 操作过程如下：
[root@localhost 2.0]# ./build-key oldboy
Generating a 1024 bit RSA private key
.++++++
...............++++++
writing new private key to 'oldboy.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [oldboy]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [oldboy]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:oldboy
An optional company name []:
Using configuration from /home/oldboy/tools/open***/open***-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'oldboy'
commonName :PRINTABLE:'oldboy'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 24 04:35:48 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]# ls -lrt keys/
总计 64
-rw------- 1 root root 887 01-26 12:22 ca.key
-rw-r--r-- 1 root root 1168 01-26 12:22 ca.crt
-rw------- 1 root root 887 01-26 12:30 server.key
-rw-r--r-- 1 root root 725 01-26 12:30 server.csr
-rw-r--r-- 1 root root 3799 01-26 12:31 server.crt
-rw-r--r-- 1 root root 3 01-26 12:31 serial.old
-rw-r--r-- 1 root root 99 01-26 12:31 index.txt.old
-rw-r--r-- 1 root root 21 01-26 12:31 index.txt.attr.old
-rw-r--r-- 1 root root 3799 01-26 12:31 01.pem
-rw------- 1 root root 891 01-26 12:35 oldboy.key
-rw-r--r-- 1 root root 692 01-26 12:35 oldboy.csr
-rw-r--r-- 1 root root 3 01-26 12:36 serial
-rw-r--r-- 1 root root 3677 01-26 12:36 oldboy.crt
-rw-r--r-- 1 root root 21 01-26 12:36 index.txt.attr
-rw-r--r-- 1 root root 198 01-26 12:36 index.txt
-rw-r--r-- 1 root root 3677 01-26 12:36 02.pem

依次类推成其他客户端证书/key:不同的是本例使用 build-key-pass 命令与build-key的区别见下面的官方说明。
[root@localhost 2.0]# ./build-key-pass ett
Generating a 1024 bit RSA private key
.............++++++
..................++++++
writing new private key to 'ett.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [oldboy]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [ett]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:oldboy
An optional company name []:
Using configuration from /home/oldboy/tools/open***/open***-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'oldboy'
commonName :PRINTABLE:'ett'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 24 04:43:32 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]# ls -lrt keys/
总计 80
-rw------- 1 root root 887 01-26 12:22 ca.key
-rw-r--r-- 1 root root 1168 01-26 12:22 ca.crt
-rw------- 1 root root 887 01-26 12:30 server.key
-rw-r--r-- 1 root root 725 01-26 12:30 server.csr
-rw-r--r-- 1 root root 3799 01-26 12:31 server.crt
-rw-r--r-- 1 root root 3799 01-26 12:31 01.pem
-rw------- 1 root root 891 01-26 12:35 oldboy.key
-rw-r--r-- 1 root root 692 01-26 12:35 oldboy.csr
-rw-r--r-- 1 root root 3 01-26 12:36 serial.old
-rw-r--r-- 1 root root 3677 01-26 12:36 oldboy.crt
-rw-r--r-- 1 root root 198 01-26 12:36 index.txt.old
-rw-r--r-- 1 root root 21 01-26 12:36 index.txt.attr.old
-rw-r--r-- 1 root root 3677 01-26 12:36 02.pem
-rw------- 1 root root 951 01-26 12:43 ett.key
-rw-r--r-- 1 root root 688 01-26 12:43 ett.csr
-rw-r--r-- 1 root root 3 01-26 12:43 serial
-rw-r--r-- 1 root root 21 01-26 12:43 index.txt.attr
-rw-r--r-- 1 root root 294 01-26 12:43 index.txt
-rw-r--r-- 1 root root 3670 01-26 12:43 ett.crt
-rw-r--r-- 1 root root 3670 01-26 12:43 03.pem
[root@localhost 2.0]# ls -lrt keys/ett.*
-rw------- 1 root root 951 01-26 12:43 keys/ett.key
-rw-r--r-- 1 root root 688 01-26 12:43 keys/ett.csr
-rw-r--r-- 1 root root 3670 01-26 12:43 keys/ett.crt

==========================================================================================
生成传输进行密钥交换时用到的交换密钥协议文件
操作过程：
[root@localhost 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......+.....................+.......

大部分服务端的工作完成，接下来的操作就是把证书拷到指定的地点了

查看生成的证书
生成的证书目录及文件如下：
[root@localhost 2.0]# ls -lrt keys/
-rw-r--r-- 1 root root 245 01-26 12:47 dh1024.pem

配置服务端××× 配置文件server.conf
1）拷贝keys 及配置
把所有的keys和配置拷贝到/etc/open*** 目录下
操作命令：
[root@localhost 2.0]#mkdir -p /etc/open***
[root@localhost 2.0]# cp -a /home/oldboy/tools/open***/open***-2.0.9/easy-rsa/2.0/keys/ /etc/open***/
[root@localhost 2.0]# cp -a /home/oldboy/tools/open***/open***-2.0.9/sample-config-files/*.conf /etc/open***/
[root@localhost 2.0]# tree /etc/open***/
/etc/open***/
|-- client.conf
|-- keys
| |-- 01.pem
| |-- 02.pem
| |-- 03.pem
| |-- ca.crt
| |-- ca.key
| |-- dh1024.pem
| |-- ett.crt
| |-- ett.csr
| |-- ett.key
| |-- index.txt
| |-- index.txt.attr
| |-- index.txt.attr.old
| |-- index.txt.old
| |-- oldboy.crt
| |-- oldboy.csr
| |-- oldboy.key
| |-- serial
| |-- serial.old
| |-- server.crt
| |-- server.csr
| -- server.key
|-- server.conf
|-- static-home.conf
|-- static-office.conf
|-- tls-home.conf
-- tls-office.conf

1 directory, 27 files

[root@localhost open***]# cp server.conf server.conf.oldboy.2018

[root@localhost open***]# egrep -v "^#|^$|;" server.conf >oldboy-***.conf
[root@localhost open***]# cat oldboy-***.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
verb 3

==========================================================================================
server.conf 文件注释：

==========================================================================================
和默认样例配置相比，企业生产环境的配置改如下：
local
port 1194
push ""
client-to-client
log/var/log/open***.log

配置文件：
[root@localhost open***]# cat oldboy-***.conf
local 192.168.180.10
port 52115
proto tcp
dev tun
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/server.crt
key /etc/open***/keys/server.key
dh /etc/open***/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
verb 3
push "route 192.168.1.0 255.255.255.0"
client-to-client
log /var/log/open***.log

启动服务端的××× 服务：
a)取消服务器上防火墙iptables 对open*** (默认 1194 本例 52115)的拦截
b)开启内核转发功能
[root@localhost open***]# vi /etc/sysctl.conf
7 net.ipv4.ip_forward = 1

==========================================================================================
[root@localhost open***]# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1

==========================================================================================

[root@localhost open***]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

==========================================================================================
启动 ××× 服务
[root@localhost open***]# /usr/local/sbin/open*** --config /etc/open***/oldboy-***.conf & # 表示后台执行
[1] 2089

检查 ××× 服务端口
[root@localhost open***]# netstat -lnt | grep 52115
tcp 0 0 192.168.180.10:52115 0.0.0.0:* LISTEN
[root@localhost open***]# ps -ef | grep ***
root 2205 4747 0 16:29 pts/2 00:00:00 /usr/local/sbin/open*** --config /etc/open***/oldboy-***.conf
root 2235 4747 0 16:31 pts/2 00:00:00 grep ***

==========================================================================================
设置开机启动：
[root@localhost open***]# echo "startup open*** by oldboy at 20180123" >>/etc/rc.local
[root@localhost open***]# echo "/usr/local/sbin/open*** --config /etc/open***/oldboy-***.conf &" >>/etc/rc.local

==============================================================================
[root@localhost open***]# tail -2 /etc/rc.local
startup open*** by oldboy at 20180123
/usr/local/sbin/open*** --config /etc/open***/oldboy-***.conf &

配置常规 ××× 启动。
说明：如果前面把启动服务加入到/etc/rc.local，刚此步忽略。
[root@localhost open***]# cp /home/oldboy/tools/open***/open***-2.0.9/sample-scripts/open***.init /etc/init.d/open***
[root@localhost open***]# chmod 755 /etc/init.d/open***
[root@localhost open***]# chkconfig open*** on
[root@localhost open***]# chkconfig --list open***
open*** 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭

==========================================================================================

[root@localhost open***]# cp client.conf client.conf_bakup
[root@localhost open***]# egrep -v "^#|^;|^$" client.conf >c-oldboy.conf
[root@localhost open***]# cat c-oldboy.conf
client
dev tun
proto tcp
remote 192.168.180.10 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert oldboy.crt
key oldboy.key
comp-lzo
verb 3

认证文件，密钥。
[root@localhost open***]# sz -y c-oldboy.conf keys/ca.crt keys/oldboy.*

[root@localhost ~]# /sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -j SNAT --to-source 192.168.1.1

[root@localhost ~]# /sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.1.1

[root@localhost ~]# iptables -L -n nat
Bad argument nat'
Tryiptables -h' or 'iptables --help' for more information.
[root@localhost ~]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 0.0.0.0/0 to:192.168.1.1
SNAT all -- 10.8.0.0/24 0.0.0.0/0 to:192.168.1.1

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

客户端：安装，略