标签:连通 word art roo 影响 没有 环境 mamicode linu
openv_n2.1编译安装3.编译安装:
/usr/local/openv_n
tar xvf openv_n-2.1_rc21.tar.gz
cd openv_n-2.1_rc21
patch -p1 < ../openv_n-2.1_rc21_eurephia.patch
./configure && make && make install
cd easy-rsa/2.0/
vim vars ;
source ./vars #修改默认国家、组织、邮件等,可不修改
创建证书的命令基本上都是在easy-rsa的目录中:
/usr/local/openv_n/openv_n-2.1_rc21/easy-rsa/2.0
最主要的几个命令:
./clean-all
./build-ca --batch
./build-key-server --batch server
./build-dh
4.创建根证书
./build-ca --batch
参数:--batch 无交互操作直接生成证书
创建的证书文件和私钥文件存放位置:/usr/local/openv_n/openv_n-2.1_rc21/easy-rsa/2.0/keys
5.创建服务器证书
./build-key-server --batch server2
创建的证书文件和私钥文件存放位置:/usr/local/openv_n/openv_n-2.1_rc21/easy-rsa/2.0/keys
6.创建客户端证书和私钥
./build-key --batch client2
创建的证书文件和私钥文件存放位置:/usr/local/openv_n/openv_n-2.1_rc21/easy-rsa/2.0/keys
将多个服务器和客户端的文件放入到一个目录中,便于管理和便于写配置文件
如果不是安装多个v_n,建议目录创建成/etc/openv_n/要不然会报错,需要修改脚本
mkdir /etc/openv_n1/
cd /usr/local/openv_n/openv_n-2.1_rc21/easy-rsa/2.0/keys
mv ca.crt ca.key dh1024.pem server2.key server2.crt client2.* /etc/openv_n1/
cd /usr/local/openv_n/openv_n-2.1_rc21/sample-config-files
cp server.conf /etc/openv_n1/
修改配置文件/etc/openv_n1/server.conf
具体图片在下面总结中
6.设置成密钥+证书的验证方式
checkpsw.sh是一个调用的密码的一个脚本
psw_file中放入的是用户名密码:
zhangsan 123456
checkpsw.sh 配置文件
#!/bin/sh
PASSFILE="/etc/openv_n/psw_file"
LOG_FILE="/var/log/v_n2/openv_n_psw.log"
TIME_STAMP=date "+%F %T"
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=awk ‘!/^;/&&!/^#/&&$1=="‘${username}‘"{print $2;exit}‘ ${PASSFILE}
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
[root@v_n pswd]# vim checkpsw.sh
[root@v_n pswd]# cat checkpsw.sh
#!/bin/sh
PASSFILE="/etc/pswd/psw_file"
LOG_FILE="/var/log/v_n2/openv_n_psw.log"
TIME_STAMP=date "+%F %T"
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=awk ‘!/^;/&&!/^#/&&$1=="‘${username}‘"{print $2;exit}‘ ${PASSFILE}
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
二.总结:
vim vars ;
1.初始化
source ./vars #修改默认国家、组织、邮件等,可不修改
./clean-all
./build-ca #创建根证书,可以加上--batch免交互确认
./build-key-server server #创建服务器证书,可以加上--batch免交互确认
./build-key-server --batch server
./build-dh ##使用DH加密
创建证书的命令基本上都是在easy-rsa的目录中:
/usr/local/openv_n/openv_n-2.1_rc21/easy-rsa/2.0
创2建多个客户端证书
./build-key client ##创建客户端证书,可以加上--batch免交互确认或使用 ./build-key --batch client
./build-key client1 ##创建客户端证书,可以加上--batch免交互确认或使用 ./build-key --batch client
./build-key client2 ##创建客户端证书,可以加上--batch免交互确认或使用 ./build-key --batch client
./build-key client3 ##创建客户端证书,可以加上--batch免交互确认或使用 ./build-key --batch client
./build-key client4 ##创建客户端证书,可以加上--batch免交互确认或使用 ./build-key --batch client
cd keys
将多个服务器和客户端的文件放入到一个目录中,便于管理和便于写配置文件
mkdir /etc/openv_n1
cp ca.crt ca.key dh1024.pem server.key server.crt client* ../../../sample-config-files/server.conf /etc/openv_n
cp ../../../sample-scripts/openv_n.init /etc/init.d/openv_n
3.粘贴server端配置和client端配置文件
两个模式均测试成功,分别是tun路由模式和tap桥接模式
相对应的客户端也分别是相应的配置
后续做了几次改动,都不影响连通性
修改配置文件/etc/openv_n1/server.conf
tun路由模式的配置
tap桥接模式的配置
;local
local 192.168.8.128
port 1194
proto udp
dev tun
ca ca.crt
cert server2.crt
key server2.key
dh dh1024.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.8.0 255.255.255.0" ##向客户端推送内网网段
#push "route 10.9.0.0 255.255.255.0" ##推送v_n网段
push "dhcp-option DNS 114.114.114.114" #dhcp分配dns
push "dhcp-option DNS 8.8.8.8"
client-to-client ##允许Openv_n客户端之间通信
duplicate-cn
keepalive 10 120
comp-lzo
user nobody ##默认的程序用户,建议以低权限账户运行
group nobody
persist-key
persist-tun
status /var/log/v_n2/openv_n-status.log
log /var/log/v_n2/openv_n.log
verb 3
key-direction 0
mode server
tls-server
auth-user-pass-verify /etc/openv_n/checkpsw.sh via-env
username-as-common-name
script-security 3
启动v_n
/usr/local/sbin/openv_n --config /etc/openv_n/server.conf
开机启动需要写入开机文件中,觉得没有必要的嘛
vim /etc/rc.local
/usr/local/sbin/openv_n --config /usr/local/etc/server.conf > /dev/null 2>&1 &
4.开启转发,并关闭防火墙和 SELinux
客户端配置:
直接在D:\Program Files\Openv_n\config中新建一个文件命名为client2.ov_n
客户端配置
client
dev tun
proto tcp
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher BF-CBC
verb 3
remote 49.4.82.255 1194
ca ca.crt #根证书不用更换
cert client2.crt #客户端证书更换
key client2.key #客户端密钥更换
#tls-auth ta.key 1 #关闭了tls认证
comp-lzo
key-direction 1
auth-user-pass
cp ca.crt ca.key dh1024.pem server.key server.crt client* /etc/openv_n
客户端批量增加用户:
将服务器的这些文件
注销证书
cd /usr/local/openv_n/openv_n-2.1_rc21/easy-rsa/2.0
source ./vars
./revoke-full client3
搭建期间用到的测试明命令
route add -net 192.168.8.146 netmask 255.255.255.0 gw 10.168.10.4
route add -net 192.168.8.146 netmask 255.255.255.0 gw br0
route del -net 10.168.10.0/24 gw 192.168.8.146
route add -net 10.168.10.0/24 gw 192.168.8.128
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 tap0
tcpdump -nn icmp -i eth0
tcpdump -nn icmp -i br0
tcpdump -nn icmp -i tun0
iptables -t nat -A POSTROUTING -s 10.168.10.0/24 -o eth0 -j MASQUERADE
iptables -nL -t nat
标签:连通 word art roo 影响 没有 环境 mamicode linu
原文地址:https://blog.51cto.com/7794482/2491475
