标签:ali connected syslog har iptable res conf tcp ted
一.系统环境
服务端:CentOS 6.6 x86_64 使用repo:epel
客户端:CentOS 6.4 使用repo:epel,Windows
二.软件安装
服务端 yum install open*** easy-rsa
客户端 yum install open***
windows客户端 open***-install-2.3.5-I601-i686.zip,默认安装目录
三.服务端设置
密钥生成与制作
复制eay-rsa脚本到open***目录
cp -r /usr/share/easy-sra /etc/open***
修改密钥生成参数配置
vi /etc/open***/easy-rsa/2.0/vars
easy-rsa parameter settings
NOTE: If you installed from an RPM,
don‘t edit this file in place in
/usr/share/open***/easy-rsa --
instead, you should copy the whole
easy-rsa directory to another location
(such as /etc/open***) so that your
edits will not be wiped out by a future
Open××× package upgrade.
This variable should point to
the top level of the easy-rsa
tree.
export EASY_RSA="pwd
"
#
This variable should point to
the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
This variable should point to
the openssl.cnf file included
with easy-rsa.
export KEY_CONFIG=$EASY_RSA/whichopensslcnf $EASY_RSA
Edit this variable to point to
your soon-to-be-created key
directory.
#
WARNING: clean-all will do
a rm -rf on this directory
so make sure you define
it correctly!
export KEY_DIR="$EASY_RSA/keys"
Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
Increase this to 2048 if you
are paranoid. This will slow
down TLS negotiation performance
as well as the one-time DH parms
generation process.
export KEY_SIZE=2048
In how many days should the root CA key expire?
export CA_EXPIRE=3650
In how many days should certificates expire?
export KEY_EXPIRE=3650
These are the default values for fields
which will be placed in the certificate.
Don‘t leave any of these fields blank.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="example.cn"
export KEY_EMAIL="admin@example.cn"
export KEY_OU="Tech"
X509 Subject Field
export KEY_NAME="RSA"
PKCS11 Smart Card
export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
export PKCS11_PIN=1234
export PKCS11_PIN=1234
If you‘d like to sign all keys with the same Common Name, uncomment the KEY_CN export below
You will also need to make sure your Open××× server config has the duplicate-cn option set
export KEY_CN="CommonName"
#
export KEY_CN="example,Inc"
应用生效vars定义的参数
source /etc/open***/easy-rsa/2.0/vars
执行
bash /etc/open***/easy-rsa/2.0/clean-all #清理旧的密钥
bash /etc/open***/easy-rsa/2.0/build-ca #建立ca
为服务器生成密钥
bash /etc/open***/easy-rsa/2.0/build-key-server server #生成服务器密钥,名字server
为客户端生成密钥
bash /etc/open***/easy-rsa/2.0/build-key user01 #生成服务器密钥,名字user01
bash /etc/open***/easy-rsa/2.0/build-key user02 #生成服务器密钥,名字user02
建立 Diffie Hellman parameters
bash /etc/open***/easy-rsa/2.0/build-dh
在/etc/open***/easy-rsa/2.0/keys目录下会生成以下文件,注意妥善保存密钥文件,功能如表中所述
文件名 使用位置 用途 是否保密
ca.crt server + all clients Root CA certificate NO
ca.key key signing machine only Root CA key YES
dh{n}.pem server only Diffie Hellman parameters NO
server.crt server only Server Certificate NO
server.key server only Server Key YES
client1.crt client1 only Client1 Certificate NO
client1.key client1 only Client1 Key YES
client2.crt client2 only Client2 Certificate NO
client2.key client2 only Client2 Key YES
client3.crt client3 only Client3 Certificate NO
client3.key client3 only Client3 Key YES
拷贝文件
/etc/open***/easy-rsa/2.0/keys目录里面文件全部拷到 /etc/open***目录
然后启用open***服务
修改服务端配置文件
vim /etc/open***/server.conf
#################################################
Sample Open××× 2.0 config file for
multi-client server.
This file is for the server side
of a many-clients <-> one-server
Open××× configuration.
Open××× also supports
single-machine <-> single-machine
configurations (See the Examples page
on the web site for more info).
This config should work on Windows
or Linux/BSD systems. Remember on
Windows to quote pathnames and use
double backslashes, e.g.:
"C:\Program Files\Open×××\config\foo.key"
Comments are preceded with ‘#‘ or ‘;‘
#################################################
Which local IP address should Open×××
listen on? (optional)
local 0.0.0.0
Which TCP/UDP port should Open××× listen on?
If you want to run multiple Open××× instances
on the same machine, use a different port
number for each one. You will need to
open up this port on your firewall.
port 1194
TCP or UDP server?
proto tcp
;proto udp
"dev tun" will create a routed IP tunnel,
"dev tap" will create an ethernet tunnel.
Use "dev tap0" if you are ethernet bridging
and have precreated a tap0 virtual interface
and bridged it with your ethernet interface.
If you want to control access policies
over the ×××, you must create firewall
rules for the the TUN/TAP interface.
On non-Windows systems, you can give
an explicit unit number, such as tun0.
On Windows, use "dev-node" for this.
On most systems, the ××× will not function
unless you partially or fully disable
the firewall for the TUN/TAP interface.
dev tap
dev tun
Windows needs the TAP-Win32 adapter name
from the Network Connections panel if you
have more than one. On XP SP2 or higher,
you may need to selectively disable the
Windows firewall for the TAP adapter.
Non-Windows systems usually don‘t need this.
#dev-node ***
SSL/TLS root certificate (ca), certificate
(cert), and private key (key). Each client
and the server must have their own cert and
key file. The server and all clients will
use the same ca file.
#
See the "easy-rsa" directory for a series
of scripts for generating RSA certificates
and private keys. Remember to use
a unique Common Name for the server
and each of the client certificates.
#
Any X509 key management system can be used.
Open××× can also use a PKCS #12 formatted key file
(see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
Diffie hellman parameters.
Generate your own with:
openssl dhparam -out dh1024.pem 1024
Substitute 2048 for 1024 if you are using
2048 bit keys.
;dh dh1024.pem
dh dh2048.pem
Configure server mode and supply a ××× subnet
for Open××× to draw client addresses from.
The server will take 10.8.0.1 for itself,
the rest will be made available to clients.
Each client will be able to reach the server
on 10.8.0.1. Comment this line out if you are
ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0
server 10.8.0.0 255.255.255.0
Maintain a record of client <-> virtual IP address
associations in this file. If Open××× goes down or
is restarted, reconnecting clients can be assigned
the same virtual IP address from the pool that was
previously assigned.
ifconfig-pool-persist ipp.txt
Configure server mode for ethernet bridging.
You must first use your OS‘s bridging capability
to bridge the TAP interface with the ethernet
NIC interface. Then you must manually set the
IP/netmask on the bridge interface, here we
assume 10.8.0.4/255.255.255.0. Finally we
must set aside an IP range in this subnet
(start=10.8.0.50 end=10.8.0.100) to allocate
to connecting clients. Leave this line commented
out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
Configure server mode for ethernet bridging
using a DHCP-proxy, where clients talk
to the Open××× server-side DHCP server
to receive their IP address allocation
and DNS server addresses. You must first use
your OS‘s bridging capability to bridge the TAP
interface with the ethernet NIC interface.
Note: this mode only works on clients (such as
Windows), where the client-side TAP adapter is
bound to a DHCP client.
;server-bridge
Push routes to the client to allow it
to reach other private subnets behind
the server. Remember that these
private subnets will also need
to know to route the Open××× client
address pool (10.8.0.0/255.255.255.0)
back to the Open××× server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 10.0.2.0 255.255.255.0"
push "route 10.0.3.0 255.255.255.0"
push "route 10.0.4.0 255.255.255.0"
To assign specific IP addresses to specific
clients or if a connecting client has a private
subnet behind it that should also have ××× access,
use the subdirectory "ccd" for client-specific
configuration files (see man page for more info).
EXAMPLE: Suppose the client
having the certificate common name "Thelonious"
also has a small subnet behind his connecting
machine, such as 192.168.40.128/255.255.255.248.
First, uncomment out these lines:
;client-config-dir ccd
client-config-dir clients-conf
;route 192.168.40.128 255.255.255.248
Then create a file ccd/Thelonious with this line:
iroute 192.168.40.128 255.255.255.248
This will allow Thelonious‘ private subnet to
access the ×××. This example will only work
if you are routing, not bridging, i.e. you are
using "dev tun" and "server" directives.
EXAMPLE: Suppose you want to give
Thelonious a fixed ××× IP address of 10.9.0.1.
First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
Then add this line to ccd/Thelonious:
ifconfig-push 10.9.0.1 10.9.0.2
Suppose that you want to enable different
firewall access policies for different groups
of clients. There are two methods:
(1) Run multiple Open××× daemons, one for each
group, and firewall the TUN/TAP interface
for each group/daemon appropriately.
(2) (Advanced) Create a script to dynamically
modify the firewall in response to access
from different clients. See man
page for more info on learn-address script.
;learn-address ./script
If enabled, this directive will configure
all clients to redirect their default
network gateway through the ×××, causing
all IP traffic such as web browsing and
and DNS lookups to go through the ×××
(The Open××× server machine may need to NAT
or bridge the TUN/TAP interface to the internet
in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
Certain Windows-specific network settings
can be pushed to clients, such as DNS
or WINS server addresses. CAVEAT:
The addresses below refer to the public
DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
Uncomment this directive to allow different
clients to be able to "see" each other.
By default, clients will only see the server.
To force clients to only see the server, you
will also need to appropriately firewall the
server‘s TUN/TAP interface.
;client-to-client
Uncomment this directive if multiple clients
might connect with the same certificate/key
files or common names. This is recommended
only for testing purposes. For production use,
each client should have its own certificate/key
pair.
#
IF YOU HAVE NOT GENERATED INDIVIDUAL
CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
EACH HAVING ITS OWN UNIQUE "COMMON NAME",
UNCOMMENT THIS LINE OUT.
;duplicate-cn
The keepalive directive causes ping-like
messages to be sent back and forth over
the link so that each side knows when
the other side has gone down.
Ping every 10 seconds, assume that remote
peer is down if no ping received during
a 120 second time period.
keepalive 10 120
For extra security beyond that provided
by SSL/TLS, create an "HMAC firewall"
to help block DoS attacks and UDP port flooding.
#
Generate with:
open*** --genkey --secret ta.key
#
The server and each client must have
a copy of this key.
The second parameter should be ‘0‘
on the server and ‘1‘ on the clients.
;tls-auth ta.key 0 # This file is secret
Select a cryptographic cipher.
This config item must be copied to
the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
Enable compression on the ××× link.
If you enable it here, you must also
enable it in the client config file.
comp-lzo
The maximum number of concurrently connected
clients we want to allow.
;max-clients 100
It‘s a good idea to reduce the Open×××
daemon‘s privileges after initialization.
#
You can uncomment this out on
non-Windows systems.
user nobody
group nobody
The persist options will try to avoid
accessing certain resources on restart
that may no longer be accessible because
of the privilege downgrade.
persist-key
persist-tun
Output a short status file showing
current connections, truncated
and rewritten every minute.
status open***-status.log
By default, log messages will go to the syslog (or
on Windows, if running as a service, they will go to
the "\Program Files\Open×××\log" directory).
Use log or log-append to override this default.
"log" will truncate the log file on Open××× startup,
while "log-append" will append to it. Use one
or the other (but not both).
log open***.log
;log-append open***.log
Set the appropriate level of log
file verbosity.
#
0 is silent, except for fatal errors
4 is reasonable for general usage
5 and 6 can help to debug connection problems
9 is extremely verbose
verb 3
Silence repeating messages. At most 20
sequential messages of the same message
category will be output to the log.
;mute 20
chkconfig open*** on
service open*** start
用netstat –nl查看1194端口已经在listening状态
防火墙设置
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
查看一下服务器的IP地址:ifconfig –a
看tun0是10.8.0.1 这是初始的IP地址
至此服务端配置完成
服务端 固定IP分配,每个客户端用固定的隧道IP
四.客户端配置
linux 客户端
复制且仅复制服务端的证书权威ca.crt、相对应的客户端证书user01.crt以及相对应的客户端私玥user01.key 到客户端/etc/open*** 目录
注意不要复制多余的文件避免泄密。
建立修改客户端配置文件
vim /etc/open***/client.conf
##############################################
Sample client-side Open××× 2.0 config file
for connecting to multi-client server.
This configuration can be used by multiple
clients, however each client should have
its own cert and key files.
On Windows, you might want to rename this
file so it has a .o*** extension
##############################################
Specify that we are a client and that we
will be pulling certain config file directives
from the server.
client
Use the same setting as you are using on
the server.
On most systems, the ××× will not function
unless you partially or fully disable
the firewall for the TUN/TAP interface.
;dev tap
dev tun
Windows needs the TAP-Win32 adapter name
from the Network Connections panel
if you have more than one. On XP SP2,
you may need to disable the firewall
for the TAP adapter.
;dev-node MyTap
Are we connecting to a TCP or
UDP server? Use the same setting as
on the server.
proto tcp
;proto udp
The hostname/IP and port of the server.
You can have multiple remote entries
to load balance between the servers.
remote 122.112.12.154 1194
;remote my-server-2 1194
Choose a random host from the remote
list for load-balancing. Otherwise
try hosts in the order specified.
;remote-random
Keep trying indefinitely to resolve the
host name of the Open××× server. Very useful
on machines which are not permanently connected
to the internet such as laptops.
resolv-retry infinite
Most clients don‘t need to bind to
a specific local port number.
nobind
Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
Try to preserve some state across restarts.
persist-key
persist-tun
If you are connecting through an
HTTP proxy to reach the actual Open×××
server, put the proxy server/IP and
port number here. See the man page
if your proxy server requires
authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
Wireless networks often produce a lot
of duplicate packets. Set this flag
to silence duplicate packet warnings.
;mute-replay-warnings
SSL/TLS parms.
See the server config file for more
description. It‘s best to use
a separate .crt/.key file pair
for each client. A single ca
file can be used for all clients.
ca ca.crt
cert user01.crt
key user01.key
Verify server certificate by checking
that the certicate has the nsCertType
field set to "server". This is an
important precaution to protect against
a potential attack discussed here:
#
To use this feature, you will need to generate
your server certificates with the nsCertType
field set to "server". The build-key-server
script in the easy-rsa folder will do this.
ns-cert-type server
If a tls-auth key is used on the server
then every client must also have the key.
;tls-auth ta.key 1
Select a cryptographic cipher.
If the cipher option is used on the server
then you must also specify it here.
;cipher x
Enable compression on the ××× link.
Don‘t enable this unless it is also
enabled in the server config file.
comp-lzo
Set log file verbosity.
verb 3
Silence repeating messages
;mute 20
需要修改的内容 指定服务端IP和端口,指定客户端使用的证书和私玥文件
chkconfig open*** on
service open*** start
查看一下客户端的IP地址:ifconfig –a
ping 10.8.0.1 这是服务端初始的隧道IP地址
至此linux客户端配置完成
windows 客户端
C:\Program Files (x86)\Open×××\config 64位windows
C:\Program Files\Open×××\config 32位windows
复制且仅复制服务端的证书权威ca.crt、相对应的客户端证书user01.crt以及相对应的客户端私玥user01.key 到客户端config目录
注意不要复制多余的文件避免泄密。
建立修改客户端配置文件文件名client.o***
需要修改的内容 指定服务端IP和端口,指定客户端使用的证书和私玥文件
remote server-ip 1194
ca ca.crt
cert user01.crt
key user01.key
然后 用管理员权限打开 桌面的 Open××× GUI
windows 客户端配置完成
windows客户端多配置
不同的用户连接不同的服务端,写多个名字不同的*.o***配置文件
如何开通open***
标签:ali connected syslog har iptable res conf tcp ted
原文地址:http://blog.51cto.com/hzcto/2343728