CentOS下Open×××安装、配置
安装Open***的前提条件在安装Open***之前你必须确保你已经安装了C编译器(例如gcc)、OpenSSL、LZO(一种无损压缩算法)、PAM(一种可插入式的身份验证模块),安装方法就不用再说了。
https://s5.运维网.com/wyfs02/M02/06/97/wKiom1m6dM_CIRxrAABDkCQtnQI224.jpg-wh_500x0-wm_3-wmp_4-s_1814116045.jpg
安装Linux版Open***
接着,我们使用tar命令,将该压缩文件解压到当前目录,完整命令为:tar zxf open***-2.3.3.tar.gz
https://s3.运维网.com/wyfs02/M01/A5/47/wKioL1m6dIqClQbaAADoz4tYVHs401.jpg-wh_500x0-wm_3-wmp_4-s_81410537.jpg
#调用configure
./configure
#编译
make
#安装
make install
配置防火墙规则以及IP转发
https://s3.运维网.com/wyfs02/M01/06/97/wKiom1m6dJrwmD_VAADN2LIh1c0885.jpg-wh_500x0-wm_3-wmp_4-s_3016060043.jpg
echo “1”>/proc/sys/net/ipv4/ip_forward #IP转发
sysctl –p
Open***配置
下载并解压easy-rsa,接着,我们将上图中所标注的easy-rsa-release-2.x/easy-rsa文件夹复制到Open***的解压目录中,命令如下:
https://s2.运维网.com/wyfs02/M00/06/97/wKiom1m6dHjiS4XFAABhcvgfLco687.jpg-wh_500x0-wm_3-wmp_4-s_1835912286.jpg
然后,我们执行命令cd /usr/local/open***-2.3.4/easy-rsa/2.0从而进入Open***下的easy-rsa/2.0目录。
https://s5.运维网.com/wyfs02/M02/06/97/wKiom1m6dGnw58Y7AAB6J1iBeeM370.jpg-wh_500x0-wm_3-wmp_4-s_554082526.jpg
上面说了这么多,实际上就只是下载了easy-rsa 2.0,并将解压后的easy-rsa子目录复制到了Open***的主目录下。
使用easy-rsa生成CA证书
在生成证书之前,可以对2.0目录中的vars文件稍作修改。vars文件存储的是一些用户变量设置信息,每次生成证书都会使用到其中的某些变量。如下并选择性地对其进行修改(你可以不修改这些参数,但不要把这些参数留空)。
KEY_SIZE:表示密钥的长度,一般为1024或2048(长度越长,性能耗费越多)。
#下面是一些用户相关信息配置
KEY_COUNTRY:所在国家
KEY_PROVINCE:所在省
KEY_CITY:所在城市
KEY_ORG:所在组织
KEY_EMAIL:邮箱地址
KEY_OU:机构单位或部门名称
下面,我们就开始来生成证书了。保持当前目录为Open***根目录/easy-rsa/2.0。然后依次执行下列命令:
#初始化命令,用于设置后续命令所需的相关变量信息
. ./vars
#清除之前创建的所有证书和密钥
./clean-all
#生成CA证书和密钥
./build-ca
# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/open***-2.3.3/easy-rsa/2.0/keys
# ./clean-all
# ./build-ca #生成ca证书和秘钥
Generating a 2048 bit RSA private key
............................+++
....................................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :GD
Locality Name (eg, city) :SZ
Organization Name (eg, company) :softown
Organizational Unit Name (eg, section) :softown_admin
Common Name (eg, your name or your server's hostname) :Open***_CA
Name :
Email Address :admin@softown.cn
#
# ls keys/
ca.crtca.keyindex.txtserial
# pwd
/root/open***-2.3.3/easy-rsa/2.0
生成服务端证书
# ./build-key-server ***S
Generating a 2048 bit RSA private key
.....+++
...............+++
writing new private key to '***S.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :GD
Locality Name (eg, city) :SZ
Organization Name (eg, company) :softown
Organizational Unit Name (eg, section) :softown_admin
Common Name (eg, your name or your server's hostname) [***S]:***S
Name :
Email Address :admin@softown.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:server_pwd
An optional company name []:softown
Using configuration from /root/open***-2.3.3/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'SZ'
organizationName :PRINTABLE:'softown'
organizationalUnitName:T61STRING:'softown_admin'
commonName :PRINTABLE:'***S'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'admin@softown.cn'
Certificate is to be certified until Aug 29 08:00:20 2027 GMT (3650 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
生成客户端证书
# ./build-key user1
Generating a 2048 bit RSA private key
..+++
.....................................+++
writing new private key to 'user1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :GD
Locality Name (eg, city) :SZ
Organization Name (eg, company) :softown
Organizational Unit Name (eg, section) :softown_admin
Common Name (eg, your name or your server's hostname) :user1
Name :
Email Address :admin@softown.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:user1_pwd
An optional company name []:softown
Using configuration from /root/open***-2.3.3/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'SZ'
organizationName :PRINTABLE:'softown'
organizationalUnitName:T61STRING:'softown_admin'
commonName :PRINTABLE:'user1'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'admin@softown.cn'
Certificate is to be certified until Aug 29 08:02:05 2027 GMT (3650 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
生成迪菲·赫尔曼交换密钥
# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.......................................................................................................................................................................+........................................................................................................................................................................................................................+..........................................................................................................................................................................................................+..................................................................................................................................................+...............................................................+...........................................................................................................................................+...............................+.......................................................................................................+.............................................................................................................................................................................................+.....................................................................+....................................+.........................................+..........................................................................................................................................................................................................................................................................................................+..+.....................................................................................................+......................++*++*
生成TLS-auth密钥
# /usr/local/sbin/open*** --genkey --secret /root/open***-2.3.3/easy-rsa/2.0/keys/ta.key
https://s1.运维网.com/wyfs02/M00/06/97/wKiom1m6dFKzOKsQAACWMPlSlWI867.jpg-wh_500x0-wm_3-wmp_4-s_3392260862.jpg
编写配置文件
在这里,我们先在Open***主目录下创建一个config目录,并将其所需的证书和密钥文件拷贝到该目录中。
# mkdir /root/open***-2.3.3/config
# cp keys/ca.crt keys/ca.key keys/dh2048.pem keys/***S.crt keys/***S.keykeys/ta.key /root/open***-2.3.3/config
此外,我们还需要为服务器和每个客户端的config目录分别编写一个配置文件,服务器端的配置文件为server.conf,客户端的配置文件为client.conf。
这两个配置文件该如何编写呢?Open***已经在sample/sample-config-files子目录中为我们提供了相关的示例文件server.conf和client.conf,并且配置文件中的每个配置选项均有详细的英文说明(配置文件中"#"或";"开头的均为注释内容)。
服务端配置文件server.conf
local 172.18.1.132 #指定监听的本机IP
port 3889
proto udp
dev tun
ca /root/open***-2.3.3/config/ca.crt
cert /root/open***-2.3.3/config/***S.crt
key /root/open***-2.3.3/config/***S.key# This file should be kept secret
dh /root/open***-2.3.3/config/dh2048.pem
server 10.8.0.0 255.255.255.0 #隧道分配的网段和掩码
ifconfig-pool-persist /root/open***-2.3.3/config/ipp.txt
push "route 192.168.40.0 255.255.255.0" #推送服务器的内网网段
;client-config-dir /root/open***-2.3.3/config/ccd #指定客户端网络配置
route 192.168.20.0 255.255.255.0 #服务器添加客户端的内网网段
client-to-client #允许客户端与客户端相连接,默认情况下客户端只能与服务器相连接
duplicate-cn
keepalive 10 120
tls-auth /root/open***-2.3.3/config/ta.key 0 #开启TLS-auth防御***服务器端的参数值为0,客户端的为1
cipher AES-128-CBC # AES 加密方式
comp-lzo #开启***连接压缩,如果服务器端开启,客户端也必须开启
max-clients 100
user nobody
group nobody
persist-key
persist-tun
verb 3 #指定日志文件的记录详细级别,可选0-9,等级越高日志内容越详细
mute 20
客户端配置文件client.conf
client
dev tun
proto udp
remote 172.18.1.132 3889 #服务器地址以及端口
resolv-retry infinite #断线自动重新连接
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt#指定CA证书的文件路径
cert user1.crt #指定当前客户端的证书文件路径
key user1.key #指定当前客户端的私钥文件路径
ns-cert-type server #指定采用服务器校验方式
tls-auth ta.key 1#如果服务器设置了防御DoS等***的ta.key,则必须每个客户端开启
cipher AES-128-CBC #加密方式
comp-lzo#开启***连接压缩
verb 3 #指定日志文件的记录详细级别,可选0-9,等级越高日志内容越详细
mute 20
接着看下一篇:Open***路由模式
页:
[1]