得过且过 posted on 2019-1-27 06:13:27

Setting up OpenVPN on CentOS 7

I. Making the certificates:


[*]Install easy-rsa:
yum -y install easy-rsa
[*]easy-rsa 2.* version:
a. Enter the directory:
cd /usr/share/easy-rsa/2.*/
  b. Make sure the following parameters in vars are correct: vim vars

export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_NAME="EasyRSA"
  c. Source the vars file and clear the key directory:

. ./vars
./clean-all
  d. Generate the CA certificate; enter ca for the Name field:

./build-ca
  e. Generate the server key and certificate; leave challenge password and optional company name empty, enter server for the Name field, and answer y to both y/n prompts:

./build-key-server server
./build-dh
  f. Generate the client key and certificate; leave challenge password and optional company name empty, enter client for the Name field, and answer y to both y/n prompts:

./build-key client
  g. Files needed by OpenVPN:

# server side
/usr/share/easy-rsa/2.*/keys/ca.crt
/usr/share/easy-rsa/2.*/keys/server.key
/usr/share/easy-rsa/2.*/keys/server.crt
/usr/share/easy-rsa/2.*/keys/dh.pem
# client side
/usr/share/easy-rsa/2.*/keys/ca.crt
/usr/share/easy-rsa/2.*/keys/client.crt
/usr/share/easy-rsa/2.*/keys/client.key
[*]easy-rsa 3.* version:
a. Create the directories:
mkdir /home/lee/{server,client}
  b. Copy the files:

cp -arf /usr/share/easy-rsa/3.*/* /home/lee/server
cp -arf /usr/share/easy-rsa/3.*/* /home/lee/client
  c. Enter the server directory:

cd /home/lee/server
  d. Initialise the PKI:

./easyrsa init-pki
  e. Create the root CA (enter the password 123456):

./easyrsa build-ca
  f. Create the server certificate request:

./easyrsa gen-req server nopass
  g. Sign the server certificate:

./easyrsa sign server server
  h. Create the DH parameters:

./easyrsa gen-dh
  i. Enter the client directory:

cd /home/lee/client
  j. Initialise the PKI:

./easyrsa init-pki
  k. Create the client certificate request:

./easyrsa gen-req client nopass
  l. Go back to the server directory:

cd /home/lee/server
  m. Import the client certificate request:

./easyrsa import-req ../client/pki/reqs/client.req client
  n. Sign the client certificate:

./easyrsa sign client client
  o. Files needed by OpenVPN:

# server side
/home/lee/server/pki/ca.crt
/home/lee/server/pki/private/server.key
/home/lee/server/pki/issued/server.crt
/home/lee/server/pki/dh.pem
# client side
/home/lee/server/pki/ca.crt
/home/lee/server/pki/issued/client.crt
/home/lee/client/pki/private/client.key
[*]If making the certificates seems like too much trouble, I have ready-made ones here (keys published in a public repository are known to everyone, so they are only suitable for testing):
a. Clone:
git clone https://github.com/dollarphper/easy-rsa.git
  b. Directory layout:
http://i2.运维网.com/images/blog/201802/11/6be84f3fa55b1dec9819aceb591efaa9.png
http://i2.运维网.com/images/blog/201802/11/39400b88f96bdd9c7febe8f2c2301f04.png

II. Server configuration:
[*]Install OpenVPN:
yum -y install openvpn
[*]Create the directories:
mkdir /etc/openvpn/{server,client}
[*]Copy the certificate files:
cp /path/to/ca.crt /etc/openvpn/server/ca.crt
cp /path/to/server.crt /etc/openvpn/server/server.crt
cp /path/to/server.key /etc/openvpn/server/server.key
cp /path/to/dh.pem /etc/openvpn/server/dh.pem
[*]Enter the OpenVPN directory:
cd /etc/openvpn/
[*]Edit the configuration file: vim server.conf
port 1337
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
server 100.100.100.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn
keepalive 10 30
comp-lzo
persist-key
client-to-client
persist-tun
daemon
log-append /var/log/openvpn/openvpn.log
verb 3
script-security 3
auth-user-pass-verify /etc/openvpn/checkpwd.sh via-env
username-as-common-name
[*]Create the log files:
mkdir -p /var/log/openvpn/
touch /var/log/openvpn/openvpn.log
touch /var/log/openvpn/passwd.log
[*]Create the password verification script: vim checkpwd.sh
#!/bin/sh
# Called by OpenVPN (auth-user-pass-verify ... via-env): the submitted
# credentials arrive in the environment variables username and password.
PASSFILE="/etc/openvpn/passwd"
LOG_FILE="/var/log/openvpn/passwd.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
    exit 1
fi
# Look up the first non-comment line whose first field is the username.
# The username is passed to awk with -v rather than spliced into the awk
# program text, so a crafted username cannot change the awk code.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u {print $2; exit}' "${PASSFILE}"`
if [ "${CORRECT_PASSWORD}" = "" ]; then
    # Note: the two failure lines below record the submitted password in clear text in the log.
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
    exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
exit 1
[*]Make the password verification script executable:
chmod a+x checkpwd.sh
[*]Create the username/password file (one "username password" pair per line): vim passwd
lee 123456
[*]Configure iptables (optional):
# the source range must be the VPN subnet from the server line above (100.100.100.0/24 in this config)
iptables -t nat -A POSTROUTING -s 100.100.100.0/24 -j SNAT --to-source x.x.x.x
iptables -A INPUT -p udp --dport 1337 -j ACCEPT
iptables-save
[*]Configure sysctl: vim /etc/sysctl.conf
# add
net.ipv4.ip_forward = 1
# reload
sysctl -p
[*]Configure SELinux:
yum -y install policycoreutils-python
semanage port -a -t openvpn_port_t -p udp 1337
[*]Start the OpenVPN server service:
systemctl start openvpn@server
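A hardened variant of the checkpwd.sh step above, added here as an example rather than taken from the original post. It stores salted SHA-256 hashes instead of clear-text passwords, passes the username to awk with -v instead of splicing it into the awk program, accepts the credentials either via-env or via-file, and logs only the username and the outcome, never the submitted password. The entry format, the helper names and the default paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the original author's checkpwd.sh. Credentials arrive from
# OpenVPN either in the environment (auth-user-pass-verify ... via-env, needs
# script-security 3) or as a two-line temp file passed as $1 (via-file, first
# line username, second line password, needs only script-security 2).
# Password file format (assumed for this example), one entry per line:
#   username:salt:sha256hex(salt + password)

PASSFILE="${PASSFILE:-/etc/openvpn/passwd}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn/passwd.log}"

# hash_password SALT PASSWORD: hex SHA-256 of "<salt><password>" via coreutils
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# make_entry USER PASSWORD: print a password-file line with a fresh 16-hex-char salt
make_entry() {
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

# log_result OUTCOME USER: one log line with the outcome and username only
log_result() {
    printf '%s: %s username="%s"\n' "$(date '+%Y-%m-%d %T')" "$1" "$2" >> "$LOG_FILE"
}

# check_credentials USER PASSWORD FILE: status 0 on success, 1 on any failure
check_credentials() {
    user=$1; pass=$2; file=$3
    # Reject usernames that could alter the file lookup or the log format.
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) log_result "rejected-username" "$user"; return 1 ;;
    esac
    if [ ! -r "$file" ]; then
        log_result "password-file-unreadable" "$user"; return 1
    fi
    # The username goes in through -v, so it is data, never awk program text.
    entry=$(awk -F: -v u="$user" '!/^[;#]/ && $1 == u { print $2 ":" $3; exit }' "$file")
    if [ -z "$entry" ]; then
        log_result "unknown-user" "$user"; return 1
    fi
    salt=${entry%%:*}; expected=${entry#*:}
    if [ "$(hash_password "$salt" "$pass")" = "$expected" ]; then
        log_result "ok" "$user"; return 0
    fi
    log_result "bad-password" "$user"; return 1
}

# Entry point when OpenVPN invokes the script; skipped when sourced for testing.
if [ -n "${username:-}" ] || [ -r "${1:-}" ]; then
    if [ -r "${1:-}" ]; then
        username=$(sed -n 1p "$1"); password=$(sed -n 2p "$1")
    fi
    check_credentials "$username" "$password" "$PASSFILE"
    exit $?
fi
```

To populate the file, run something like `make_entry lee 123456 >> /etc/openvpn/passwd` (constructed values) from a shell that has sourced the script; with `auth-user-pass-verify /etc/openvpn/checkpwd.sh via-file` the server configuration can then drop from `script-security 3` to `script-security 2`.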
III. Client (Linux):
[*]Install OpenVPN:
yum -y install openvpn
[*]Copy the files from the server to the client:
scp root@x.x.x.x:/path/to/{ca.crt,client.crt,client.key} /etc/openvpn/
[*]Create the file: vim /etc/openvpn/client.ovpn
client
dev tun
proto udp
remote x.x.x.x 1337
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
mute-replay-warnings
#ns-cert-type server
remote-cert-tls server
comp-lzo
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
[*]Enter the directory:
cd /etc/openvpn/
[*]Connect:
openvpn client.ovpn
[*]Enter the username and password:
http://i2.运维网.com/images/blog/201802/11/cf09b3734d5e7f8f0d781b3086e4030c.png
IV. Client (Windows):
[*]Download the installer:
a. Website: https://openvpn.net/index.php/open-source/downloads.html
b. Find the file and download it:
http://i2.运维网.com/images/blog/201801/14/a2329d88de74d4f202c0125d7c233b93.png
[*]Install it:
Omitted; tick every option.
[*]Copy the three files generated on the server into the config directory under the installation directory:
http://i2.运维网.com/images/blog/201801/14/cefe57fadb306aa54855f3fcc295162b.png
[*]Create a client.ovpn file in the config directory with the following content:
client
dev tun
proto udp
remote 120.77.59.227 1337
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
mute-replay-warnings
remote-cert-tls server
comp-lzo
ca ca.crt
cert client.crt
key client.key
[*]Start the program and connect to the VPN:
http://i2.运维网.com/images/blog/201801/14/d97fd2beddbbf8559bafad51c07fb819.png
http://i2.运维网.com/images/blog/201801/14/eec0f4dd9786107a3bf41c82132e6eab.png
V. Client (mobile):

client
dev tun
proto udp
remote 192.168.8.81 1337
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
mute-replay-warnings
ns-cert-type server
comp-lzo
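The server.conf and the three client configurations in this thread share a few settings worth flagging before deployment: comp-lzo (compression over the tunnel is deprecated and exposes it to the VORACLE attack), the mobile profile's ns-cert-type (deprecated and removed in OpenVPN 2.5, while the Linux profile already uses remote-cert-tls server), no tls-auth/tls-crypt key, duplicate-cn, and via-env with script-security 3. The lint below is an added example and not part of the original post; the directive names are OpenVPN's own, while the check list, function names and file paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): a small lint for server.conf and
# client .ovpn files. Run as: lint_ovpn.sh <file> <server|client>

# has_directive FILE NAME: true if an uncommented line starts with NAME
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# lint_ovpn_config FILE ROLE (server|client): prints one line per finding
lint_ovpn_config() {
    file=$1; role=$2
    if has_directive "$file" comp-lzo; then
        echo "$file: comp-lzo turns on compression, which is deprecated and exposes the tunnel to VORACLE"
    fi
    if has_directive "$file" ns-cert-type; then
        echo "$file: ns-cert-type is deprecated (removed in OpenVPN 2.5); use 'remote-cert-tls server'"
    fi
    if [ "$role" = client ] && ! has_directive "$file" remote-cert-tls; then
        echo "$file: no 'remote-cert-tls server', so any CA-signed certificate (a client's included) is accepted as the server"
    fi
    if ! has_directive "$file" tls-auth && ! has_directive "$file" tls-crypt; then
        echo "$file: no tls-auth/tls-crypt, so the control channel has no pre-shared-key protection"
    fi
    if [ "$role" = server ] && has_directive "$file" duplicate-cn; then
        echo "$file: duplicate-cn lets many clients connect with the same certificate"
    fi
    if [ "$role" = server ] && grep -Eq '^[[:space:]]*auth-user-pass-verify[[:space:]].*via-env' "$file"; then
        echo "$file: via-env needs script-security 3 and passes the password through the environment; via-file needs only script-security 2"
    fi
}

# count_findings FILE ROLE: number of findings, usable as a pass/fail gate
count_findings() {
    lint_ovpn_config "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: print the findings and exit non-zero if there are any.
if [ $# -eq 2 ]; then
    lint_ovpn_config "$1" "$2"
    [ "$(count_findings "$1" "$2")" -eq 0 ]
    exit $?
fi
```

Against the configurations as posted, the server file and the mobile profile each produce four findings and the Linux profile two; a profile that uses remote-cert-tls server and tls-crypt and drops comp-lzo produces none.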
