码迷,mamicode.com
首页 > 其他好文 > 详细

如何开通open***

时间:2019-01-17 14:04:05      阅读:161      评论:0      收藏:0      [点我收藏+]

标签:ali   connected   syslog   har   iptable   res   conf   tcp   ted   

一.系统环境
服务端:CentOS 6.6 x86_64 使用repo:epel
客户端:CentOS 6.4 使用repo:epel,Windows
二.软件安装
服务端 yum install open*** easy-rsa
客户端 yum install open***
windows客户端 open***-install-2.3.5-I601-i686.zip,默认安装目录
三.服务端设置
密钥生成与制作
复制eay-rsa脚本到open***目录
cp -r /usr/share/easy-sra /etc/open***
修改密钥生成参数配置
vi /etc/open***/easy-rsa/2.0/vars

easy-rsa parameter settings

NOTE: If you installed from an RPM,

don‘t edit this file in place in

/usr/share/open***/easy-rsa --

instead, you should copy the whole

easy-rsa directory to another location

(such as /etc/open***) so that your

edits will not be wiped out by a future

Open××× package upgrade.

This variable should point to

the top level of the easy-rsa

tree.

export EASY_RSA="pwd"

#

This variable should point to

the requested executables

#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

This variable should point to

the openssl.cnf file included

with easy-rsa.

export KEY_CONFIG=$EASY_RSA/whichopensslcnf $EASY_RSA

Edit this variable to point to

your soon-to-be-created key

directory.

#

WARNING: clean-all will do

a rm -rf on this directory

so make sure you define

it correctly!

export KEY_DIR="$EASY_RSA/keys"

Issue rm -rf warning

echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

PKCS11 fixes

export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

Increase this to 2048 if you

are paranoid. This will slow

down TLS negotiation performance

as well as the one-time DH parms

generation process.

export KEY_SIZE=2048

In how many days should the root CA key expire?

export CA_EXPIRE=3650

In how many days should certificates expire?

export KEY_EXPIRE=3650

These are the default values for fields

which will be placed in the certificate.

Don‘t leave any of these fields blank.

export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="example.cn"
export KEY_EMAIL="admin@example.cn"
export KEY_OU="Tech"

X509 Subject Field

export KEY_NAME="RSA"

PKCS11 Smart Card

export PKCS11_MODULE_PATH="/usr/lib/changeme.so"

export PKCS11_PIN=1234

export PKCS11_PIN=1234

If you‘d like to sign all keys with the same Common Name, uncomment the KEY_CN export below

You will also need to make sure your Open××× server config has the duplicate-cn option set

export KEY_CN="CommonName"

#
export KEY_CN="example,Inc"
应用生效vars定义的参数
source /etc/open***/easy-rsa/2.0/vars
执行
bash /etc/open***/easy-rsa/2.0/clean-all #清理旧的密钥
bash /etc/open***/easy-rsa/2.0/build-ca #建立ca
为服务器生成密钥
bash /etc/open***/easy-rsa/2.0/build-key-server server #生成服务器密钥,名字server
为客户端生成密钥
bash /etc/open***/easy-rsa/2.0/build-key user01 #生成服务器密钥,名字user01
bash /etc/open***/easy-rsa/2.0/build-key user02 #生成服务器密钥,名字user02
建立 Diffie Hellman parameters
bash /etc/open***/easy-rsa/2.0/build-dh

在/etc/open***/easy-rsa/2.0/keys目录下会生成以下文件,注意妥善保存密钥文件,功能如表中所述
文件名 使用位置 用途 是否保密
ca.crt server + all clients Root CA certificate NO
ca.key key signing machine only Root CA key YES
dh{n}.pem server only Diffie Hellman parameters NO
server.crt server only Server Certificate NO
server.key server only Server Key YES
client1.crt client1 only Client1 Certificate NO
client1.key client1 only Client1 Key YES
client2.crt client2 only Client2 Certificate NO
client2.key client2 only Client2 Key YES
client3.crt client3 only Client3 Certificate NO
client3.key client3 only Client3 Key YES
拷贝文件
/etc/open***/easy-rsa/2.0/keys目录里面文件全部拷到 /etc/open***目录

然后启用open***服务
修改服务端配置文件
vim /etc/open***/server.conf
#################################################

Sample Open××× 2.0 config file for

multi-client server.

This file is for the server side

of a many-clients <-> one-server

Open××× configuration.

Open××× also supports

single-machine <-> single-machine

configurations (See the Examples page

on the web site for more info).

This config should work on Windows

or Linux/BSD systems. Remember on

Windows to quote pathnames and use

double backslashes, e.g.:

"C:\Program Files\Open×××\config\foo.key"

Comments are preceded with ‘#‘ or ‘;‘

#################################################

Which local IP address should Open×××

listen on? (optional)

local 0.0.0.0

Which TCP/UDP port should Open××× listen on?

If you want to run multiple Open××× instances

on the same machine, use a different port

number for each one. You will need to

open up this port on your firewall.

port 1194

TCP or UDP server?

proto tcp
;proto udp

"dev tun" will create a routed IP tunnel,

"dev tap" will create an ethernet tunnel.

Use "dev tap0" if you are ethernet bridging

and have precreated a tap0 virtual interface

and bridged it with your ethernet interface.

If you want to control access policies

over the ×××, you must create firewall

rules for the the TUN/TAP interface.

On non-Windows systems, you can give

an explicit unit number, such as tun0.

On Windows, use "dev-node" for this.

On most systems, the ××× will not function

unless you partially or fully disable

the firewall for the TUN/TAP interface.

dev tap
dev tun

Windows needs the TAP-Win32 adapter name

from the Network Connections panel if you

have more than one. On XP SP2 or higher,

you may need to selectively disable the

Windows firewall for the TAP adapter.

Non-Windows systems usually don‘t need this.

#dev-node ***

SSL/TLS root certificate (ca), certificate

(cert), and private key (key). Each client

and the server must have their own cert and

key file. The server and all clients will

use the same ca file.

#

See the "easy-rsa" directory for a series

of scripts for generating RSA certificates

and private keys. Remember to use

a unique Common Name for the server

and each of the client certificates.

#

Any X509 key management system can be used.

Open××× can also use a PKCS #12 formatted key file

(see "pkcs12" directive in man page).

ca ca.crt
cert server.crt
key server.key # This file should be kept secret

Diffie hellman parameters.

Generate your own with:

openssl dhparam -out dh1024.pem 1024

Substitute 2048 for 1024 if you are using

2048 bit keys.

;dh dh1024.pem
dh dh2048.pem

Configure server mode and supply a ××× subnet

for Open××× to draw client addresses from.

The server will take 10.8.0.1 for itself,

the rest will be made available to clients.

Each client will be able to reach the server

on 10.8.0.1. Comment this line out if you are

ethernet bridging. See the man page for more info.

;server 10.8.0.0 255.255.255.0
server 10.8.0.0 255.255.255.0

Maintain a record of client <-> virtual IP address

associations in this file. If Open××× goes down or

is restarted, reconnecting clients can be assigned

the same virtual IP address from the pool that was

previously assigned.

ifconfig-pool-persist ipp.txt

Configure server mode for ethernet bridging.

You must first use your OS‘s bridging capability

to bridge the TAP interface with the ethernet

NIC interface. Then you must manually set the

IP/netmask on the bridge interface, here we

assume 10.8.0.4/255.255.255.0. Finally we

must set aside an IP range in this subnet

(start=10.8.0.50 end=10.8.0.100) to allocate

to connecting clients. Leave this line commented

out unless you are ethernet bridging.

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

Configure server mode for ethernet bridging

using a DHCP-proxy, where clients talk

to the Open××× server-side DHCP server

to receive their IP address allocation

and DNS server addresses. You must first use

your OS‘s bridging capability to bridge the TAP

interface with the ethernet NIC interface.

Note: this mode only works on clients (such as

Windows), where the client-side TAP adapter is

bound to a DHCP client.

;server-bridge

Push routes to the client to allow it

to reach other private subnets behind

the server. Remember that these

private subnets will also need

to know to route the Open××× client

address pool (10.8.0.0/255.255.255.0)

back to the Open××× server.

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 10.0.2.0 255.255.255.0"
push "route 10.0.3.0 255.255.255.0"
push "route 10.0.4.0 255.255.255.0"

To assign specific IP addresses to specific

clients or if a connecting client has a private

subnet behind it that should also have ××× access,

use the subdirectory "ccd" for client-specific

configuration files (see man page for more info).

EXAMPLE: Suppose the client

having the certificate common name "Thelonious"

also has a small subnet behind his connecting

machine, such as 192.168.40.128/255.255.255.248.

First, uncomment out these lines:

;client-config-dir ccd
client-config-dir clients-conf
;route 192.168.40.128 255.255.255.248

Then create a file ccd/Thelonious with this line:

iroute 192.168.40.128 255.255.255.248

This will allow Thelonious‘ private subnet to

access the ×××. This example will only work

if you are routing, not bridging, i.e. you are

using "dev tun" and "server" directives.

EXAMPLE: Suppose you want to give

Thelonious a fixed ××× IP address of 10.9.0.1.

First uncomment out these lines:

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

Then add this line to ccd/Thelonious:

ifconfig-push 10.9.0.1 10.9.0.2

Suppose that you want to enable different

firewall access policies for different groups

of clients. There are two methods:

(1) Run multiple Open××× daemons, one for each

group, and firewall the TUN/TAP interface

for each group/daemon appropriately.

(2) (Advanced) Create a script to dynamically

modify the firewall in response to access

from different clients. See man

page for more info on learn-address script.

;learn-address ./script

If enabled, this directive will configure

all clients to redirect their default

network gateway through the ×××, causing

all IP traffic such as web browsing and

and DNS lookups to go through the ×××

(The Open××× server machine may need to NAT

or bridge the TUN/TAP interface to the internet

in order for this to work properly).

;push "redirect-gateway def1 bypass-dhcp"

Certain Windows-specific network settings

can be pushed to clients, such as DNS

or WINS server addresses. CAVEAT:

http://open***.net/faq.html#dhcpcaveats

The addresses below refer to the public

DNS servers provided by opendns.com.

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

Uncomment this directive to allow different

clients to be able to "see" each other.

By default, clients will only see the server.

To force clients to only see the server, you

will also need to appropriately firewall the

server‘s TUN/TAP interface.

;client-to-client

Uncomment this directive if multiple clients

might connect with the same certificate/key

files or common names. This is recommended

only for testing purposes. For production use,

each client should have its own certificate/key

pair.

#

IF YOU HAVE NOT GENERATED INDIVIDUAL

CERTIFICATE/KEY PAIRS FOR EACH CLIENT,

EACH HAVING ITS OWN UNIQUE "COMMON NAME",

UNCOMMENT THIS LINE OUT.

;duplicate-cn

The keepalive directive causes ping-like

messages to be sent back and forth over

the link so that each side knows when

the other side has gone down.

Ping every 10 seconds, assume that remote

peer is down if no ping received during

a 120 second time period.

keepalive 10 120

For extra security beyond that provided

by SSL/TLS, create an "HMAC firewall"

to help block DoS attacks and UDP port flooding.

#

Generate with:

open*** --genkey --secret ta.key

#

The server and each client must have

a copy of this key.

The second parameter should be ‘0‘

on the server and ‘1‘ on the clients.

;tls-auth ta.key 0 # This file is secret

Select a cryptographic cipher.

This config item must be copied to

the client config file as well.

;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

Enable compression on the ××× link.

If you enable it here, you must also

enable it in the client config file.

comp-lzo

The maximum number of concurrently connected

clients we want to allow.

;max-clients 100

It‘s a good idea to reduce the Open×××

daemon‘s privileges after initialization.

#

You can uncomment this out on

non-Windows systems.

user nobody
group nobody

The persist options will try to avoid

accessing certain resources on restart

that may no longer be accessible because

of the privilege downgrade.

persist-key
persist-tun

Output a short status file showing

current connections, truncated

and rewritten every minute.

status open***-status.log

By default, log messages will go to the syslog (or

on Windows, if running as a service, they will go to

the "\Program Files\Open×××\log" directory).

Use log or log-append to override this default.

"log" will truncate the log file on Open××× startup,

while "log-append" will append to it. Use one

or the other (but not both).

log open***.log
;log-append open***.log

Set the appropriate level of log

file verbosity.

#

0 is silent, except for fatal errors

4 is reasonable for general usage

5 and 6 can help to debug connection problems

9 is extremely verbose

verb 3

Silence repeating messages. At most 20

sequential messages of the same message

category will be output to the log.

;mute 20

chkconfig open*** on
service open*** start

用netstat –nl查看1194端口已经在listening状态
防火墙设置
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE

查看一下服务器的IP地址:ifconfig –a
看tun0是10.8.0.1 这是初始的IP地址

至此服务端配置完成
服务端 固定IP分配,每个客户端用固定的隧道IP
四.客户端配置
linux 客户端
复制且仅复制服务端的证书权威ca.crt、相对应的客户端证书user01.crt以及相对应的客户端私玥user01.key 到客户端/etc/open*** 目录
注意不要复制多余的文件避免泄密。
建立修改客户端配置文件
vim /etc/open***/client.conf
##############################################

Sample client-side Open××× 2.0 config file

for connecting to multi-client server.

This configuration can be used by multiple

clients, however each client should have

its own cert and key files.

On Windows, you might want to rename this

file so it has a .o*** extension

##############################################

Specify that we are a client and that we

will be pulling certain config file directives

from the server.

client

Use the same setting as you are using on

the server.

On most systems, the ××× will not function

unless you partially or fully disable

the firewall for the TUN/TAP interface.

;dev tap
dev tun

Windows needs the TAP-Win32 adapter name

from the Network Connections panel

if you have more than one. On XP SP2,

you may need to disable the firewall

for the TAP adapter.

;dev-node MyTap

Are we connecting to a TCP or

UDP server? Use the same setting as

on the server.

proto tcp
;proto udp

The hostname/IP and port of the server.

You can have multiple remote entries

to load balance between the servers.

remote 122.112.12.154 1194
;remote my-server-2 1194

Choose a random host from the remote

list for load-balancing. Otherwise

try hosts in the order specified.

;remote-random

Keep trying indefinitely to resolve the

host name of the Open××× server. Very useful

on machines which are not permanently connected

to the internet such as laptops.

resolv-retry infinite

Most clients don‘t need to bind to

a specific local port number.

nobind

Downgrade privileges after initialization (non-Windows only)

;user nobody
;group nobody

Try to preserve some state across restarts.

persist-key
persist-tun

If you are connecting through an

HTTP proxy to reach the actual Open×××

server, put the proxy server/IP and

port number here. See the man page

if your proxy server requires

authentication.

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

Wireless networks often produce a lot

of duplicate packets. Set this flag

to silence duplicate packet warnings.

;mute-replay-warnings

SSL/TLS parms.

See the server config file for more

description. It‘s best to use

a separate .crt/.key file pair

for each client. A single ca

file can be used for all clients.

ca ca.crt
cert user01.crt
key user01.key

Verify server certificate by checking

that the certicate has the nsCertType

field set to "server". This is an

important precaution to protect against

a potential attack discussed here:

http://open***.net/howto.html#mitm

#

To use this feature, you will need to generate

your server certificates with the nsCertType

field set to "server". The build-key-server

script in the easy-rsa folder will do this.

ns-cert-type server

If a tls-auth key is used on the server

then every client must also have the key.

;tls-auth ta.key 1

Select a cryptographic cipher.

If the cipher option is used on the server

then you must also specify it here.

;cipher x

Enable compression on the ××× link.

Don‘t enable this unless it is also

enabled in the server config file.

comp-lzo

Set log file verbosity.

verb 3

Silence repeating messages

;mute 20
需要修改的内容 指定服务端IP和端口,指定客户端使用的证书和私玥文件

chkconfig open*** on
service open*** start

查看一下客户端的IP地址:ifconfig –a
ping 10.8.0.1 这是服务端初始的隧道IP地址

至此linux客户端配置完成

windows 客户端
C:\Program Files (x86)\Open×××\config 64位windows
C:\Program Files\Open×××\config 32位windows

复制且仅复制服务端的证书权威ca.crt、相对应的客户端证书user01.crt以及相对应的客户端私玥user01.key 到客户端config目录
注意不要复制多余的文件避免泄密。
建立修改客户端配置文件文件名client.o***

需要修改的内容 指定服务端IP和端口,指定客户端使用的证书和私玥文件
remote server-ip 1194
ca ca.crt
cert user01.crt
key user01.key

然后 用管理员权限打开 桌面的 Open××× GUI
windows 客户端配置完成
windows客户端多配置
不同的用户连接不同的服务端,写多个名字不同的*.o***配置文件

如何开通open***

标签:ali   connected   syslog   har   iptable   res   conf   tcp   ted   

原文地址:http://blog.51cto.com/hzcto/2343728

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!