Outline

I. Foreword

II. Overview

III. Environment preparation

IV. Lab topology

V. Detailed configuration walkthrough

VI. Summary

Note: the lab runs CentOS 5.5 x86_64 with OpenVPN 2.1; software download: http://yunpan.cn/QzT8fGsX8S75a


I. Foreword

In the previous post we pointed you at a number of articles on OpenVPN theory; if you want to read up first, go here: http://freeloda.blog.51cto.com/2033581/1354768. Starting with this post we move on to OpenVPN in practice. The hands-on series consists of the following posts:

  • OpenVPN in practice 1: VPN and gateway on different servers

  • OpenVPN in practice 2: VPN and gateway on the same server

  • OpenVPN in practice 3: multi-subnet VPN (point to multipoint)

  • OpenVPN in practice 4: common problems roundup

OK, let's get started on today's content.


II. Overview

1. OpenVPN is a software package for building encrypted virtual private network tunnels, originally written by James Yonan. The peers that form a VPN can authenticate each other with a pre-shared static key, with certificates, or with a username/password. It relies heavily on the OpenSSL library and on the SSLv3/TLSv1 protocols (that is the 2.1-era description used here; current releases negotiate TLS 1.2 or later).

2. OpenVPN runs on Linux, the BSDs, Mac OS X and Windows 2000/XP/7. It is not a web-based VPN, and it does not interoperate with IPsec or other VPN packages.

3. All OpenVPN traffic can be carried over a single IP port. Through the generic tun/tap driver it offers two kinds of virtual network interface: a layer-3 IP tunnel (tun) or a virtual layer-2 Ethernet (tap); the latter can carry any kind of Ethernet frame. Payload can be compressed with the LZO algorithm. IANA (Internet Assigned Numbers Authority) has assigned OpenVPN the official port 1194.

4. Because OpenVPN runs over ordinary transport protocols (TCP and UDP), it is a good alternative to IPsec and similar protocols, especially where an ISP (Internet service provider) filters particular VPN protocols.

5. OpenVPN works in two modes:

  • A routed mode (dev tun) that tunnels IP packets; this is what we use here for point-to-point, and the multi-client server mode configured below runs over it as well.

  • A bridged mode (dev tap) that tunnels Ethernet frames; it is used for point-to-multipoint setups where several branch offices must share one layer-2 broadcast domain.

Now let's walk through the point-to-point VPN.


III. Environment preparation

1. Time synchronization (certificate validity is checked against the local clock, so the server and the clients must keep accurate time or otherwise-valid certificates will be rejected)

[root@openvpn ~]# yum install -y ntp
[root@openvpn ~]# ntpdate 202.120.2.101
[root@openvpn ~]# hwclock -w

2. Install the EPEL yum repository (the release RPM is fetched over plain http here; import the EPEL GPG key and check the package with rpm -K before installing if you care where it came from)

[root@openvpn ~]# rpm -ivh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

3. Install the dependencies

[root@openvpn ~]# yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers


IV. Lab topology

(figure: OpenVPN1, topology diagram)

Note: the topology is simple, so I won't go into detail. In short: the OpenVPN server (192.168.18.248) sits on the LAN behind a separate gateway that holds the public address x.x.x.x; Windows clients on the internet connect to x.x.x.x:1194/udp, the gateway forwards that to the VPN server, and VPN clients get addresses from 10.8.0.0/24. (The VPN server is a dedicated machine here, not co-located with the gateway.)


V. Detailed configuration walkthrough

Note: the steps in brief:

  • Install the lzo and openvpn packages

  • Prepare for configuration: copy the relevant files

  • Initialize the PKI

  • Build the server key

  • Generate the client keys

  • Generate Diffie-Hellman parameters

  • Package the client files under keys/ and download them for the client machines

  • Copy ca.crt, server.crt, server.key and dh1024.pem from keys/ to /etc/openvpn

  • Edit the server configuration file /etc/openvpn/server.conf

  • Start the VPN server

  • Configure the Windows client

  • Set up port forwarding on the gateway server

  • Test the Windows client connecting to OpenVPN

  • Give the OpenVPN server (and its clients) access to the internet

  • Final test

Now let's work through the steps above.

1. Install the lzo and openvpn packages. The NOKEY warning for the lzo package below means its GPG signature could not be verified because the signing key (d164ce99) is not imported; for a hand-downloaded RPM that signature is the only assurance the package is genuine, so import the repository key first rather than ignoring the warning.

[root@openvpn src]# ls
epel-release-5-4.noarch.rpm  lzo-2.04-3.2.x86_64.rpm  openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm 
[root@openvpn src]# rpm -ivh lzo-2.04-3.2.x86_64.rpm  
warning: lzo-2.04-3.2.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID d164ce99 
Preparing...                ########################################### [100%] 
   1:lzo                    ########################################### [100%] 
[root@openvpn src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm  
Preparing...                ########################################### [100%] 
   1:openvpn                ########################################### [100%]

2. Prepare for configuration: copy the relevant files

[root@openvpn src]# cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/
[root@openvpn src]# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/ 
[root@openvpn src]# cd /etc/openvpn/ 
[root@openvpn openvpn]# ls 
2.0  server.conf

3. Initialize the PKI

[root@openvpn openvpn]# cd 2.0/
[root@openvpn 2.0]# ls 
build-ca     build-key-pass    build-req-pass  Makefile           README       whichopensslcnf 
build-dh     build-key-pkcs12  clean-all       openssl-0.9.6.cnf  revoke-full 
build-inter  build-key-server  inherit-inter   openssl.cnf        sign-req 
build-key    build-req         list-crl        pkitool            vars 
[root@openvpn 2.0]# vim vars
Change the following entries (they become the default DN fields of every certificate you issue):
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH" 
export KEY_CITY="SH" 
export KEY_ORG="openvpn" 
export KEY_EMAIL="admin@test.com"
Note that vars also sets KEY_SIZE=1024 and KEY_EXPIRE=3650. 1024-bit RSA, and the 1024-bit DH group that build-dh derives from the same variable, are too weak by today's standards: set KEY_SIZE=2048 before running build-ca, and consider a shorter lifetime than ten years for client certificates.
[root@openvpn 2.0]# env | grep KEY
[root@openvpn 2.0]# source ./vars  
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys 
[root@openvpn 2.0]# env | grep KEY 
KEY_EXPIRE=3650 
KEY_EMAIL=admin@test.com 
KEY_SIZE=1024 
KEY_DIR=/etc/openvpn/2.0/keys 
KEY_CITY=SH 
KEY_PROVINCE=SH 
KEY_ORG=openvpn 
KEY_CONFIG=/etc/openvpn/2.0/openssl.cnf 
KEY_COUNTRY=CN
clean-all (re)creates an empty keys/ directory and deletes any existing one, so run it only once, when first setting up the PKI:
[root@openvpn 2.0]# ./clean-all 
[root@openvpn 2.0]# ls 
build-ca     build-key-pass    build-req-pass  list-crl           pkitool      vars 
build-dh     build-key-pkcs12  clean-all       Makefile           README       whichopensslcnf 
build-inter  build-key-server  inherit-inter   openssl-0.9.6.cnf  revoke-full 
build-key    build-req         keys            openssl.cnf        sign-req
Generating a 1024 bit RSA private key 
...........................++++++ 
.............++++++ 
writing new private key to 'ca.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [CN]: 
State or Province Name (full name) [SH]: 
Locality Name (eg, city) [SH]: 
Organization Name (eg, company) [openvpn]: 
Organizational Unit Name (eg, section) []: 
Common Name (eg, your name or your server's hostname) [openvpn CA]: 
Email Address [admin@test.com]:

4. Build the server key (build-key-server issues the certificate with the nsCertType=server extension, which the client will later require with ns-cert-type server)

[root@openvpn 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key 
.........++++++ 
..++++++ 
writing new private key to 'server.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [CN]: 
State or Province Name (full name) [SH]: 
Locality Name (eg, city) [SH]: 
Organization Name (eg, company) [openvpn]: 
Organizational Unit Name (eg, section) []: 
Common Name (eg, your name or your server's hostname) [server]: 
Email Address [admin@test.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
Using configuration from /etc/openvpn/2.0/openssl.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName           :PRINTABLE:'CN' 
stateOrProvinceName   :PRINTABLE:'SH' 
localityName          :PRINTABLE:'SH' 
organizationName      :PRINTABLE:'openvpn' 
commonName            :PRINTABLE:'server' 
emailAddress          :IA5STRING:'admin@test.com' 
Certificate is to be certified until Jan 24 02:40:17 2024 GMT (3650 days) 
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated

5. Generate the client keys (I create three clients here, client1, client2 and client3; generate as many as you need, one per client machine, since a certificate shared between machines cannot be revoked individually). build-key writes the private key unencrypted; use build-key-pass instead if you want the client key protected by a passphrase on disk.

client1:

[root@openvpn 2.0]# ./build-key client1
Generating a 1024 bit RSA private key 
.....++++++ 
................................++++++ 
writing new private key to 'client1.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [CN]: 
State or Province Name (full name) [SH]: 
Locality Name (eg, city) [SH]: 
Organization Name (eg, company) [openvpn]: 
Organizational Unit Name (eg, section) []: 
Common Name (eg, your name or your server's hostname) [client1]: 
Email Address [admin@test.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
Using configuration from /etc/openvpn/2.0/openssl.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName           :PRINTABLE:'CN' 
stateOrProvinceName   :PRINTABLE:'SH' 
localityName          :PRINTABLE:'SH' 
organizationName      :PRINTABLE:'openvpn' 
commonName            :PRINTABLE:'client1' 
emailAddress          :IA5STRING:'admin@test.com' 
Certificate is to be certified until Jan 24 02:42:39 2024 GMT (3650 days) 
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated

client2:

[root@openvpn 2.0]# ./build-key client2
Generating a 1024 bit RSA private key 
..................................++++++ 
............................................++++++ 
writing new private key to 'client2.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [CN]: 
State or Province Name (full name) [SH]: 
Locality Name (eg, city) [SH]: 
Organization Name (eg, company) [openvpn]: 
Organizational Unit Name (eg, section) []: 
Common Name (eg, your name or your server's hostname) [client2]: 
Email Address [admin@test.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
Using configuration from /etc/openvpn/2.0/openssl.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName           :PRINTABLE:'CN' 
stateOrProvinceName   :PRINTABLE:'SH' 
localityName          :PRINTABLE:'SH' 
organizationName      :PRINTABLE:'openvpn' 
commonName            :PRINTABLE:'client2' 
emailAddress          :IA5STRING:'admin@test.com' 
Certificate is to be certified until Jan 24 02:43:16 2024 GMT (3650 days) 
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated

client3:

[root@openvpn 2.0]# ./build-key client3
Generating a 1024 bit RSA private key 
..............++++++ 
.++++++ 
writing new private key to 'client3.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [CN]: 
State or Province Name (full name) [SH]: 
Locality Name (eg, city) [SH]: 
Organization Name (eg, company) [openvpn]: 
Organizational Unit Name (eg, section) []: 
Common Name (eg, your name or your server's hostname) [client3]: 
Email Address [admin@test.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
Using configuration from /etc/openvpn/2.0/openssl.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName           :PRINTABLE:'CN' 
stateOrProvinceName   :PRINTABLE:'SH' 
localityName          :PRINTABLE:'SH' 
organizationName      :PRINTABLE:'openvpn' 
commonName            :PRINTABLE:'client3' 
emailAddress          :IA5STRING:'admin@test.com' 
Certificate is to be certified until Jan 24 02:43:58 2024 GMT (3650 days) 
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated

6. Generate Diffie-Hellman parameters (the size follows KEY_SIZE from vars; with the default you get the 1024-bit dh1024.pem used below)

[root@openvpn 2.0]# ./build-dh 
Generating DH parameters, 1024 bit long safe prime, generator 2 
This is going to take a long time 
.......................+..........+.............+ (several lines of progress dots trimmed) ...........+.............++*++*++*

7. Package the client files under keys/ and download them for the client machines. Caveat: the tarball below contains everything in keys/, including ca.key (the CA signing key, with which anyone can issue certificates your server will trust) and server.key. Those two files, the CSRs and the CA database (index.txt, serial, the 0N.pem copies) must stay on the server. Each client should receive only ca.crt plus its own clientN.crt and clientN.key, and no client should be able to read another client's key. Treat full.tar.gz as a server-side backup to be kept out of reach, not as the package you hand out.

[root@openvpn 2.0]# cd keys/
[root@openvpn keys]# ls 
01.pem  04.pem  client1.crt  client2.crt  client3.crt  dh1024.pem      index.txt.attr.old  serial.old  server.key 
02.pem  ca.crt  client1.csr  client2.csr  client3.csr  index.txt       index.txt.old       server.crt 
03.pem  ca.key  client1.key  client2.key  client3.key  index.txt.attr  serial              server.csr 
[root@openvpn keys]# tar zcvf full.tar.gz ./* 
./01.pem 
./02.pem 
./03.pem 
./04.pem 
./ca.crt 
./ca.key 
./client1.crt 
./client1.csr 
./client1.key 
./client2.crt 
./client2.csr 
./client2.key 
./client3.crt 
./client3.csr 
./client3.key 
./dh1024.pem 
./index.txt 
./index.txt.attr 
./index.txt.attr.old 
./index.txt.old 
./serial 
./serial.old 
./server.crt 
./server.csr 
./server.key 
[root@openvpn keys]# ls 
01.pem  04.pem  client1.crt  client2.crt  client3.crt  dh1024.pem   index.txt.attr      serial      server.csr 
02.pem  ca.crt  client1.csr  client2.csr  client3.csr  full.tar.gz  index.txt.attr.old  serial.old  server.key 
03.pem  ca.key  client1.key  client2.key  client3.key  index.txt    index.txt.old       server.crt
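As an added example (not from the original post), here is a small shell helper that produces what each client actually needs from keys/, instead of the all-in-one tarball above: ca.crt, the client's own certificate and key, and an openvpn.ovpn-style config written the way step 11 does it, with paths relative to the Windows config folder. It refuses to bundle the names ca or server, and a second function can be run over any archive before upload to catch a ca.key or server.key that slipped in. The keys directory, output directory and remote address are arguments; the file contents and the address 203.0.113.10 used when testing it are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): build a per-client bundle from an
# easy-rsa 2.0 keys/ directory. Each client receives ONLY ca.crt, its own
# certificate and private key, and a ready-made .ovpn; ca.key and server.key
# never leave the server. Paths (keys dir, output dir) are arguments, not fixed.

# bundle_client KEYS_DIR CLIENT OUT_DIR REMOTE_IP
#   Creates OUT_DIR/CLIENT.tar.gz and prints its path; returns 1 on any refusal.
bundle_client() {
    keys="$1"; client="$2"; out="$3"; remote="$4"

    # refuse names that would pull server-side material into a client bundle
    case "$client" in
        ''|ca|server|*/*) echo "refusing to bundle '$client'" >&2; return 1 ;;
    esac
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -s "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done

    stage=$(mktemp -d) || return 1
    mkdir -p "$stage/openvpn" "$out"
    cp "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key" "$stage/openvpn/"
    chmod 600 "$stage/openvpn/$client.key"     # the key is the client's identity

    # client config mirroring the post's openvpn.ovpn; paths are relative to the
    # Windows config\ folder, so each backslash must be doubled in the file
    cat >"$stage/$client.ovpn" <<EOF
client
dev tun
proto udp
remote $remote 1194
persist-key
persist-tun
ca openvpn\\\\ca.crt
cert openvpn\\\\$client.crt
key openvpn\\\\$client.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
EOF
    tar -C "$stage" -czf "$out/$client.tar.gz" "$client.ovpn" openvpn
    rm -rf "$stage"
    echo "$out/$client.tar.gz"
}

# bundle_has_secret TARBALL
#   True if a key that must stay on the server (ca.key, server.key) is inside.
#   Run it as a last check before anything leaves the box.
bundle_has_secret() {
    tar -tzf "$1" | grep -Eq '(^|/)(ca|server)\.key$'
}
```

Run it as `bundle_client /etc/openvpn/2.0/keys client1 /root/bundles x.x.x.x` for each client and hand out only the resulting client1.tar.gz; the Windows side then unpacks it into the OpenVPN config folder.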

8. Copy ca.crt, server.crt, server.key and dh1024.pem from keys/ to /etc/openvpn (the globs below also pick up ca.key and server.csr, which the running server does not need; keep ca.key only where you sign certificates, readable by root alone)

[root@openvpn keys]# cp ca.* server.* dh1024.pem /etc/openvpn/
[root@openvpn keys]# cd /etc/openvpn/ 
[root@openvpn openvpn]# ls 
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.crt  server.csr  server.key

9. Edit the server configuration file /etc/openvpn/server.conf

A few things to note about the minimal configuration written below. It has no user/group directives, so openvpn keeps running as root after it has opened the tun device; add user nobody and group nobody (persist-key and persist-tun are there precisely so that the process can still re-read keys and keep the tunnel across restarts after dropping privileges). client-to-client lets every VPN client reach every other one through the server, which is rarely wanted for individual remote users. The first pushed DNS server, 10.8.0.1, is the server's own tun address, where nothing listens in this setup, so clients fall through to 8.8.8.8; push only resolvers that exist. dh1024.pem is the 1024-bit group from step 6; rebuild it at 2048 bits when you raise KEY_SIZE.

[root@openvpn openvpn]# cp server.conf server.conf.bak
[root@openvpn openvpn]# >server.conf 
[root@openvpn openvpn]# vim server.conf
port 1194
proto udp 
dev tun 
ca ca.crt 
cert server.crt 
key server.key 
dh dh1024.pem 
server 10.8.0.0 255.255.255.0 
client-to-client 
keepalive 10 120 
comp-lzo 
persist-key 
persist-tun 
status openvpn-status.log 
verb 4 
push "dhcp-option DNS 10.8.0.1" 
push "dhcp-option DNS 8.8.8.8" 
push "dhcp-option DNS 8.8.4.4"
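As an added example (not from the original post), the shell script below audits a server.conf for five points a reviewer would raise about the configuration above: no user/group (the daemon stays root), a DH file whose name suggests a group under 2048 bits, no tls-auth, client-to-client, and comp-lzo. It also writes the post's configuration next to a hardened variant so the two can be compared. The hardened variant assumes a dh2048.pem built with KEY_SIZE=2048 and a ta.key generated with openvpn --genkey --secret ta.key and copied to every client (which then needs tls-auth ta.key 1); tls-auth adds an HMAC to the control channel so that unauthenticated UDP to port 1194 is dropped before the TLS handshake. The file names and directories are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN server.conf for
# the points a reviewer would raise about the configuration above, and show the
# post's config beside a hardened variant. All file paths are arguments.

# has_directive FILE NAME: true if an active (uncommented) line starts with NAME
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_server_conf FILE: prints one finding per line; always returns 0
audit_server_conf() {
    conf="$1"
    # privilege drop: without user/group the daemon keeps root for its lifetime;
    # persist-key/persist-tun exist precisely so that the drop survives restarts
    has_directive "$conf" user  || echo "no 'user' directive: daemon keeps running as root (add 'user nobody')"
    has_directive "$conf" group || echo "no 'group' directive (add 'group nobody')"
    # DH size: easy-rsa 2.0's default KEY_SIZE=1024 produces dh1024.pem
    dh=$(sed -nE 's/^[[:space:]]*dh[[:space:]]+([^[:space:]]+).*/\1/p' "$conf" | head -n 1)
    case "$dh" in
        '')            echo "no 'dh' directive" ;;
        *1024*|*512*)  echo "dh file '$dh' suggests <2048-bit parameters (set KEY_SIZE=2048, rerun build-dh)" ;;
    esac
    # tls-auth: HMAC on control-channel packets; unsigned UDP to 1194 is dropped before TLS
    has_directive "$conf" tls-auth || echo "no 'tls-auth': control channel accepts unauthenticated packets (openvpn --genkey --secret ta.key)"
    # client-to-client: the server relays traffic between VPN clients
    ! has_directive "$conf" client-to-client || echo "'client-to-client' set: every client can reach every other client"
    # compression of encrypted traffic is discouraged (VORACLE) and deprecated in later releases
    ! has_directive "$conf" comp-lzo || echo "'comp-lzo' set: compression over the tunnel is discouraged"
    return 0
}

# audit_count FILE: number of findings
audit_count() {
    audit_server_conf "$1" | grep -c . || true
}

# write_sample_confs DIR: constructed sample input. weak.conf is the post's
# server.conf (DNS push shortened to one line); hardened.conf adds user/group,
# tls-auth and a 2048-bit DH group and drops client-to-client and comp-lzo.
write_sample_confs() {
    mkdir -p "$1"
    cat >"$1/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 8.8.8.8"
EOF
    cat >"$1/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
push "dhcp-option DNS 8.8.8.8"
EOF
}
```

Run `audit_server_conf /etc/openvpn/server.conf` on the live file; the post's configuration produces six findings and the hardened variant none. The check is name-based (it looks at the dh file name, not at the parameters inside), so rename or inspect the file if you keep a non-standard name.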

10. Start the VPN server

[root@openvpn openvpn]# service openvpn start
Starting open***:                                          [  OK  ] 
[root@openvpn openvpn]# ifconfig  
eth0      Link encap:Ethernet  HWaddr 00:50:56:A6:19:E8
          inet addr:192.168.18.248  Bcast:192.168.18.255  Mask:255.255.255.0 
          inet6 addr: fe80::250:56ff:fea6:19e8/64 Scope:Link 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
          RX packets:107910 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:73200 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000  
          RX bytes:120827874 (115.2 MiB)  TX bytes:8877959 (8.4 MiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0 
          inet6 addr: ::1/128 Scope:Host 
          UP LOOPBACK RUNNING  MTU:16436  Metric:1 
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:34 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:0  
          RX bytes:3918 (3.8 KiB)  TX bytes:3918 (3.8 KiB)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255 
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1 
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:100  
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

11. Configure the Windows client

(1). Install the client (not demonstrated here; install it yourselves)

(figure: OpenVPN2)

(2). Put the client certificate files generated on the server into the config folder. Each client machine gets ca.crt and its own clientN.crt and clientN.key only; ca.key, the server's key and the other clients' keys do not belong there.

D:\Program Files\OpenVPN\config\openvpn

(figure: OpenVPN3)

(3). Create the client configuration file openvpn.ovpn

D:\Program Files\OpenVPN\config

(figure: OpenVPN4)

Contents of openvpn.ovpn (ns-cert-type server makes the client accept only a server certificate carrying nsCertType=server, which build-key-server sets; it stops the holder of a client certificate from impersonating the server. Later OpenVPN releases replace it with remote-cert-tls server):

client
dev tun 
proto udp 
remote x.x.x.x 1194 # public IP of the office gateway
persist-key 
persist-tun 
ca openvpn\\ca.crt 
cert openvpn\\client1.crt 
key openvpn\\client1.key 
ns-cert-type server 
comp-lzo 
verb 3 
redirect-gateway def1

12. Set up port forwarding on the gateway server

The DNAT rule forwards udp/1194 arriving at the public address to the VPN server; it is all that is needed as long as 192.168.18.248 sends its replies back through this gateway. The SNAT rule additionally rewrites every client's source address to the gateway's public IP with source port 1194, so the OpenVPN server (and its openvpn-status.log) sees all clients as coming from the gateway rather than from their real addresses, and concurrent clients compete for a single source port. Leave it out unless you have a specific reason for it. Note also that the filter table shown below runs with policy ACCEPT on every chain; in production, restrict FORWARD to udp/1194 toward 192.168.18.248 plus related/established traffic.

[root@gateway ~]# /sbin/iptables -t nat -A PREROUTING -p udp -d x.x.x.x --dport 1194 -j DNAT --to 192.168.18.248:1194    # x.x.x.x = the gateway's public IP
[root@gateway ~]# /sbin/iptables -t nat -A POSTROUTING -p udp -d 192.168.18.248 --dport 1194 -j SNAT --to x.x.x.x:1194   # x.x.x.x = the gateway's public IP
[root@gateway ~]# iptables -L
Chain INPUT (policy ACCEPT) 
target     prot opt source               destination      
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination      
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      
Chain AS0_WEBACCEPT (2 references)
target     prot opt source               destination      
ACCEPT     all  --  anywhere             anywhere         
[root@gateway ~]# iptables -L -t nat 
Chain PREROUTING (policy ACCEPT) 
target     prot opt source               destination      
DNAT       udp  --  anywhere             x.x.x.x             udp dpt:openvpn to:192.168.18.248:1194
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination      
SNAT       udp  --  anywhere             192.168.18.248      udp dpt:openvpn to:x.x.x.x:1194
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

13. Test the Windows client connecting to OpenVPN (two ways of connecting are shown)

(1).

(figure: OpenVPN5)

(figure: OpenVPN6)

(2).

(figure)

(figure: OpenVPN8)

(3). Test it

(figure: OpenVPN9)

Note: the VPN tunnel now pings, but clients still cannot reach the internet through it; next we set up the OpenVPN server to forward their traffic.

14. Give OpenVPN clients access to the internet through the server

(1). Enable IP forwarding

[root@openvpn openvpn]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@openvpn openvpn]# sysctl -p
net.ipv4.ip_forward = 1 
net.ipv4.conf.default.rp_filter = 1 
net.ipv4.conf.default.accept_source_route = 0 
kernel.sysrq = 0 
kernel.core_uses_pid = 1 
net.ipv4.tcp_syncookies = 1 
kernel.msgmnb = 65536 
kernel.msgmax = 65536 
kernel.shmmax = 68719476736 
kernel.shmall = 4294967296

(2). Configure NAT (source-NAT the 10.8.0.0/24 VPN range to the server's LAN address, so the LAN and the gateway see VPN traffic as coming from 192.168.18.248 and route replies back to it)

[root@openvpn openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.18.248
[root@openvpn openvpn]# iptables -t nat -L 
Chain PREROUTING (policy ACCEPT) 
target     prot opt source               destination      
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination      
SNAT       all  --  10.8.0.0/24          anywhere            to:192.168.18.248
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@openvpn openvpn]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ] 
[root@openvpn openvpn]# service iptables restart 
Flushing firewall rules:                                   [  OK  ] 
Setting chains to policy ACCEPT: nat                       [  OK  ] 
Unloading iptables modules:                                [  OK  ] 
Applying iptables firewall rules:                          [  OK  ] 
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ] 
[root@openvpn openvpn]# iptables -t nat -L 
Chain PREROUTING (policy ACCEPT) 
target     prot opt source               destination      
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination      
SNAT       all  --  10.8.0.0/24          anywhere            to:192.168.18.248
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

15. Final test

(figure: OpenVPN10)

Now we can reach the internet. That completes our simple point-to-point VPN!


VI. Summary

Above we walked through configuring a point-to-point VPN with the VPN server and the gateway on different machines. Some readers will ask: isn't it a waste to dedicate a whole server to the VPN, and how do you configure it when the gateway and the VPN are on the same server? That is what the next post demonstrates: a point-to-point VPN with VPN and gateway on one server. That's it for today; I hope you got something out of it ^_^