centos7.4+open***-2.4.6+easy-rsa-3.0安装部署
【生产环境物理机安装】open*2.4.6服务搭建,并可以正常运行服务器内网:172... open:10.8.0.0
http://i2.运维网.com/images/blog/201809/11/5e063c5aaf9f2e6420461ce0174b0e30.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=
第一步:先安装相关软件
yum install epel-release lsb_release -a
yum install -y opensslopenssl-devel lzo lzo-devel pam pam-devel automake pkgconfigmakecache
yum install -y open yum install -y easy-rsa
#启动open的用户 (如果已经存在就不需要再创建了)
groupadd open
useradd -g open -M -s /sbin/nologin open***
第二步:将配置文件导入指定目录
mkdir /etc/open***/ cp -R /usr/share/easy-rsa/ /etc/open***/
cp /usr/share/doc/open***-2.4.6/sample/sample-config-files/server.conf /etc/open***/
cp -r /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/open***/easy-rsa/3.0/vars
第三步:修改配置文件
vim /etc/open***/server.conf(配置文件如下:)
port 1194
proto udp
dev tun
ca /etc/open***/easy-rsa/3.0/pki/ca.crt
cert /etc/open***/easy-rsa/3.0/pki/issued/wwwserver.crt
key /etc/open***/easy-rsa/3.0/pki/private/wwwserver.key
dh /etc/open***/easy-rsa/3.0/pki/dh.pem
tls-auth /etc/open***/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0" #这是你将要访问的内网IP网段
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 50
user open***
group open***
persist-key
persist-tun
status open***-status.log
log-append open***.log
verb 3
mute 20
vim /etc/open***/easy-rsa/3.0/vars
修改第45、65、76、84-89、97、105、113、117、134、139、171、180、192行:
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "BEIJING"
set_var EASYRSA_REQ_CITY "BEIJING"
set_var EASYRSA_REQ_ORG "Open××× CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "邮箱.com"
set_var EASYRSA_REQ_OU "Open××× EASY CA"
set_var EASYRSA_KEY_SIZE 2048 set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7000
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "Open××× CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf" set_var EASYRSA_DIGEST "sha256"
cd /etc/open***/easy-rsa/3.0
生成ca证书
./easyrsa init-pki
./easyrsa build-ca
设置ca密码(输入两次):ca.com
http://i2.运维网.com/images/blog/201809/11/16697254e9d6fc4641adaf17855c02ab.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=
./easyrsa gen-dh
open*** --genkey --secret ta.key
cp -r ta.key /etc/open***/
创建服务端证书,生成请求,使用gen-req来生成req
./easyrsagen-req wwwserver
设置server密码(输入两次):openserver
http://i2.运维网.com/images/blog/201809/11/721f57e536b4dac279504a162215fcd6.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=
签发证书,签约服务端证书
./easyrsa sign-req server wwwserver
http://i2.运维网.com/images/blog/201809/11/e89215e77f772348f2bb93955d11468c.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=
生成windows客户端用户:
./easyrsa build-client-full www001
#注意:生成客户端用户的时候会提示设置密码
#可以直按回车密码为空、也可以设置输入密码(如设置密码,客户端连接时需输入密码)
http://i2.运维网.com/images/blog/201809/11/18d008d12b4899e1e7b580d85a8811e0.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=
查看客户端证书存放路径:
ls -l /etc/open***/easy-rsa/3.0/pki/issued/www001.crt
-rw-------. 1 root root 4517 Apr 16 00:30 /etc/open***/easy-rsa/3.0/pki/issued/www001.crt
ls -l /etc/open***/easy-rsa/3.0/pki/private/www001.key
-rw-------. 1 root root 1834 Apr 16 00:30 /etc/open***/easy-rsa/3.0/pki/private/www001.key
vim /etc/sysctl.conf
末尾加入
net.ipv4.ip_forward = 1
保存后执行:sysctl -p
http://i2.运维网.com/images/blog/201809/11/b2c1e13ee9632f3150c6d0a38e6e62b3.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=
防火墙配置:
systemctl start firewalld.service
firewall-cmd --state
firewall-cmd --zone=public --list-all
firewall-cmd --add-service=open*** --permanent
firewall-cmd --add-port=1194/ucp --permanent
firewall-cmd --add-port=22/tcp --permanent
firewall-cmd --add-source=10.8.0.0 --permanent
firewall-cmd --query-source=10.8.0.0 --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --query-masquerade --permanent
firewall-cmd --reload
启动open***
systemctl start open***@server
启动时输入服务端证书密码:openserver
第一次启动的时候可能会提示,重新执行systemctl start open*@server输入密码即可
http://i2.运维网.com/images/blog/201809/11/ffdb67d5f7807208148d49437dcac764.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=
http://i2.运维网.com/images/blog/201809/11/6524fe900e8bd1a164482d0387ac6270.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=
*客户端open版本为2.4.6(Open××× 2.4.6 x86_64)**
windows 64位官网下载就可以,也可以到网盘下载
链接:https://pan.baidu.com/s/14Q5g9oBqm-e8iPyQpEjnqw 密码:oat6
客户端需要的证书:www001.crt、www001.key、ca.crt、ta.key
存放到一个文件夹,然后将里边的文件夹拷贝到本地电脑
mkdir -p /etc/open***/client
cp -r /etc/open***/easy-rsa/3.0/pki/issued/www001.crt /etc/open***/client/
cp -r /etc/open***/easy-rsa/3.0/pki/private/www001.key /etc/open***/client/
cp -r /etc/open***/easy-rsa/3.0/pki/ca.crt /etc/open***/client/
cp -r /etc/open***/ta.key /etc/open***/client/
cp -r /usr/share/doc/open***-2.4.6/sample/sample-config-files/client.conf/etc/open***/client/www001.o***
客户端配置文件www001.o***(ip换为open***服务器外网ip)
client
dev tun
proto udp
resolv-retry infinite
nobind
remote***所在机器公网IP 1194
comp-lzo ca
ca.crt
cert www001.crt
key www001.key
tls-auth ta.key 1
keepalive 10 120
persist-key
persist-tun
verb 5
redirect-gateway
route-method exe
route-delay 2
status www001-status.log
log-append www001.log
安装Open××× 2.4.6 x86_64后,清空config文件夹,将www001.crt、www001.key、ca.crt、ta.key、www001.o***放入config中,
http://i2.运维网.com/images/blog/201809/11/6f8b3b6d9d80670cefb53894d10670f0.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=
完。。。
①如生成证书时输错密码了(如www002用户),报如下错误
http://i2.运维网.com/images/blog/201809/10/5f1f387a239f1380fda8dc8886aa1caa.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=
删除以下文件即可
rm -rf /etc/open/easy-rsa/3.0/pki/reqs/www002.req
rm -rf /etc/open/easy-rsa/3.0/pki/private/www002.key
②撤销证书(www001为例)
撤销命令revoke
cd /etc/open***/easy-rsa/3.0
./easyrsa revoke www001
生成CRL文件(撤销证书的列表)
./easyrsa gen-crl
http://i2.运维网.com/images/blog/201809/11/9e7213b31d4d11536688b83c30405e5d.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=
重启open***服务生效
systemctl stop open***@server
systemctl start open***@server
页:
[1]