Outline

I. Preface

II. Overview

III. Lab topology

IV. Environment preparation

V. Detailed configuration walkthrough

VI. Summary

Note: the lab environment is CentOS 5.5 x86_64 with Open*** version 2.1. Software download: http://yunpan.cn/QzT8fGsX8S75a (access password e8e4).


I. Preface

In the previous post we explained how to set up a *** server inside the internal network, and I believe most readers now have a basic grasp of it. Some readers said, however: we have no spare server to dedicate to the *** role, only a single Linux gateway server. What then? Can the *** server be built on the gateway server itself? It certainly can, hehe. So how do we go about it? Let's do it together!


II. Overview

The key point of running a *** server on the gateway server is the firewall NAT mapping; the essential configuration is:

[root@gateway ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.18.0/255.255.255.0 -j SNAT --to-source 192.168.18.254

Note: eth0 is the public-facing interface and eth1 the internal interface. Let's look at the lab topology next; it makes this clearer!


III. Lab topology

(Figure: Open*** lab topology 2)

Explanation: this topology is a typical small and medium-sized enterprise LAN case. This post does not cover configuring NAT, Web, FTP and similar services, only the Open***-related steps. Questions and discussion are welcome, thanks.


IV. Environment preparation

1. Install the yum repository

[root@gateway ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Retrieving http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
warning: /var/tmp/rpm-xfer.qnxpWE: Header V3 DSA signature: NOKEY, key ID 217521f6   
Preparing...                ########################################### [100%]   
    package epel-release-5-4.noarch is already installed
[root@gateway ~]# yum list

2. Synchronize the server time

[root@gateway ~]# yum install -y ntp
[root@gateway ~]# ntpdate 210.72.145.44  
[root@gateway ~]# hwclock -w   
[root@gateway ~]# date   
[root@gateway ~]# hwclock

3. Install the required dependency packages

[root@gateway ~]# yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers


V. Detailed configuration walkthrough

Note: a brief outline of the configuration steps:

  • Install the lzo and open*** packages

  • Prepare for configuration: copy the relevant files

  • Initialize the PKI

  • Build the server key

  • Generate the client keys

  • Generate the Diffie-Hellman parameters

  • Package all files under keys and download them locally for the client machines to use.

  • Copy ca.crt server.crt server.key dh1024.pem from keys to /etc/open***

  • Edit the server configuration file /etc/open***/server.conf

  • Start the *** server

  • Configure the Windows client

  • Set up the port mapping on the gateway server

  • Test the Windows client connecting to Open***

  • Final test

OK, now let's work through the steps above.

1. Install the lzo and open*** packages

[root@gateway ~]# mkdir src  
[root@gateway ~]# cd src/   
[root@gateway src]# ls   
lzo-2.04-3.2.x86_64.rpm  open***-2.1-0.20.rc4.el5.kb.x86_64.rpm
[root@gateway src]# rpm -ivh lzo-2.04-3.2.x86_64.rpm   
warning: lzo-2.04-3.2.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID d164ce99   
Preparing...                ########################################### [100%]   
   1:lzo                    ########################################### [100%]   
[root@gateway src]# rpm -ivh open***-2.1-0.20.rc4.el5.kb.x86_64.rpm    
Preparing...                ########################################### [100%]   
   1:open***                ########################################### [100%]

2. Prepare for configuration: copy the relevant files

[root@gateway src]# cp -r /usr/share/open***/easy-rsa/2.0/ /etc/open***  
[root@gateway src]# cd /etc/open***   
[root@gateway open***]# ls   
2.0   
[root@gateway open***]# cp /usr/share/doc/open***-2.1/sample-config-files/server.conf /etc/open***/   
[root@gateway open***]# ls   
2.0  server.conf

3. Initialize the PKI

[root@gateway open***]# cd 2.0/  
[root@gateway 2.0]# ls   
build-ca     build-key         build-key-server  clean-all      Makefile           pkitool      sign-req   
build-dh     build-key-pass    build-req         inherit-inter  openssl-0.9.6.cnf  README       vars   
build-inter  build-key-pkcs12  build-req-pass    list-crl       openssl.cnf        revoke-full  whichopensslcnf   
[root@gateway 2.0]# vim vars
# change the following entries:
export KEY_COUNTRY="CN"  
export KEY_PROVINCE="SH"   
export KEY_CITY="SH"   
export KEY_ORG="open***"   
export KEY_EMAIL="admin@free.com"
[root@gateway 2.0]# env | grep KEY  
[root@gateway 2.0]# source ./vars    
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/open***/2.0/keys   
[root@gateway 2.0]# env | grep KEY   
KEY_EXPIRE=3650   
KEY_EMAIL=admin@free.com   
KEY_SIZE=1024   
KEY_DIR=/etc/open***/2.0/keys   
KEY_CITY=SH   
KEY_PROVINCE=SH   
KEY_ORG=open***   
KEY_CONFIG=/etc/open***/2.0/openssl.cnf   
KEY_COUNTRY=CN
[root@gateway 2.0]# ./clean-all   
[root@gateway 2.0]# ls   
build-ca     build-key-pass    build-req-pass  list-crl           pkitool      vars   
build-dh     build-key-pkcs12  clean-all       Makefile           README       whichopensslcnf   
build-inter  build-key-server  inherit-inter   openssl-0.9.6.cnf  revoke-full   
build-key    build-req         keys            openssl.cnf        sign-req   
[root@gateway 2.0]# ./build-ca    
Generating a 1024 bit RSA private key   
.++++++   
.......................................++++++   
writing new private key to 'ca.key'   
-----   
You are about to be asked to enter information that will be incorporated   
into your certificate request.   
What you are about to enter is what is called a Distinguished Name or a DN.   
There are quite a few fields but you can leave some blank   
For some fields there will be a default value,   
If you enter '.', the field will be left blank.   
-----   
Country Name (2 letter code) [CN]:   
State or Province Name (full name) [SH]:   
Locality Name (eg, city) [SH]:   
Organization Name (eg, company) [open***]:   
Organizational Unit Name (eg, section) []:   
Common Name (eg, your name or your server's hostname) [open*** CA]:   
Email Address [admin@free.com]:

4. Build the server key

[root@gateway 2.0]# ./build-key-server server  
Generating a 1024 bit RSA private key   
.................++++++   
.............++++++   
writing new private key to 'server.key'   
-----   
You are about to be asked to enter information that will be incorporated   
into your certificate request.   
What you are about to enter is what is called a Distinguished Name or a DN.   
There are quite a few fields but you can leave some blank   
For some fields there will be a default value,   
If you enter '.', the field will be left blank.   
-----   
Country Name (2 letter code) [CN]:   
State or Province Name (full name) [SH]:   
Locality Name (eg, city) [SH]:   
Organization Name (eg, company) [open***]:   
Organizational Unit Name (eg, section) []:   
Common Name (eg, your name or your server's hostname) [server]:   
Email Address [admin@free.com]:
Please enter the following 'extra' attributes  
to be sent with your certificate request   
A challenge password []:   
An optional company name []:   
Using configuration from /etc/open***/2.0/openssl.cnf   
Check that the request matches the signature   
Signature ok   
The Subject's Distinguished Name is as follows   
countryName           :PRINTABLE:'CN'   
stateOrProvinceName   :PRINTABLE:'SH'   
localityName          :PRINTABLE:'SH'   
organizationName      :PRINTABLE:'open***'   
commonName            :PRINTABLE:'server'   
emailAddress          :IA5STRING:'admin@free.com'   
Certificate is to be certified until May  2 03:41:08 2024 GMT (3650 days)   
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y   
Write out database with 1 new entries   
Data Base Updated

5. Generate the client keys (here I create three clients, client1, client2 and client3; generate as many as you need)

1). client1

[root@gateway 2.0]# ./build-key client1  
Generating a 1024 bit RSA private key   
......++++++   
...++++++   
writing new private key to 'client1.key'   
-----   
You are about to be asked to enter information that will be incorporated   
into your certificate request.   
What you are about to enter is what is called a Distinguished Name or a DN.   
There are quite a few fields but you can leave some blank   
For some fields there will be a default value,   
If you enter '.', the field will be left blank.   
-----   
Country Name (2 letter code) [CN]:   
State or Province Name (full name) [SH]:   
Locality Name (eg, city) [SH]:   
Organization Name (eg, company) [open***]:   
Organizational Unit Name (eg, section) []:   
Common Name (eg, your name or your server's hostname) [client1]:   
Email Address [admin@free.com]:
Please enter the following 'extra' attributes  
to be sent with your certificate request   
A challenge password []:   
An optional company name []:   
Using configuration from /etc/open***/2.0/openssl.cnf   
Check that the request matches the signature   
Signature ok   
The Subject's Distinguished Name is as follows   
countryName           :PRINTABLE:'CN'   
stateOrProvinceName   :PRINTABLE:'SH'   
localityName          :PRINTABLE:'SH'   
organizationName      :PRINTABLE:'open***'   
commonName            :PRINTABLE:'client1'   
emailAddress          :IA5STRING:'admin@free.com'   
Certificate is to be certified until May  2 03:46:17 2024 GMT (3650 days)   
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y   
Write out database with 1 new entries   
Data Base Updated

2). client2 and client3 are generated the same way, so I won't demonstrate them here; readers who are unsure can refer to the previous post.

6. Generate the Diffie-Hellman parameters

[root@gateway 2.0]# ./build-dh   
Generating DH parameters, 1024 bit long safe prime, generator 2   
This is going to take a long time   
................................................................++*++*++*

7. Package all files under keys and download them locally for the client machines to use.

[root@gateway 2.0]# cd keys/  
[root@gateway keys]# ls   
01.pem  ca.crt       client1.key  client3.crt  index.txt           serial      server.key   
02.pem  ca.key       client2.crt  client3.csr  index.txt.attr      serial.old   
03.pem  client1.crt  client2.csr  client3.key  index.txt.attr.old  server.crt   
04.pem  client1.csr  client2.key  dh1024.pem   index.txt.old       server.csr   
[root@gateway keys]# tar zcvf client.tar.gz ./*   
./01.pem   
./02.pem   
./03.pem   
./04.pem   
./ca.crt   
./ca.key   
./client1.crt   
./client1.csr   
./client1.key   
./client2.crt   
./client2.csr   
./client2.key   
./client3.crt   
./client3.csr   
./client3.key   
./dh1024.pem   
./index.txt   
./index.txt.attr   
./index.txt.attr.old   
./index.txt.old   
./serial   
./serial.old   
./server.crt   
./server.csr   
./server.key   
[root@gateway keys]# ls   
01.pem  04.pem  client1.crt  client2.crt  client3.crt  client.tar.gz  index.txt.attr      serial      server.csr   
02.pem  ca.crt  client1.csr  client2.csr  client3.csr  dh1024.pem     index.txt.attr.old  serial.old  server.key   
03.pem  ca.key  client1.key  client2.key  client3.key  index.txt      index.txt.old       server.crt
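Step 7 above packs everything under keys/ into one archive, including ca.key, server.key and every client's private key. The script below is an added example, not part of the original post: it builds one archive per client holding only ca.crt plus that client's own certificate and key, and it can check an existing bundle for CA or server material that should never leave the gateway. The keys/ directory, client name and output directory are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post). Per-client bundles from the
# easy-rsa keys/ directory: a client needs ca.crt, clientN.crt and clientN.key
# and nothing else. ca.key, server.key, the CSRs and the CA database
# (index.txt, serial, NN.pem) stay on the CA host.
set -eu

# Archive members that indicate private CA/server material was shipped.
PRIVATE_PATTERN='^(ca\.key|server\.key|server\.crt|server\.csr|.*\.csr|index\.txt.*|serial.*|[0-9]+\.pem)$'

# make_client_bundle KEY_DIR CLIENT OUT_DIR -> writes OUT_DIR/CLIENT.tar.gz
make_client_bundle() {
    key_dir=$1; client=$2; out_dir=$3
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -f "$key_dir/$f" ] || { echo "missing $key_dir/$f" >&2; return 1; }
    done
    mkdir -p "$out_dir"
    # -C keeps members as bare file names, matching the "ca test\\ca.crt" style
    # used in the Windows client config.
    tar czf "$out_dir/$client.tar.gz" -C "$key_dir" ca.crt "$client.crt" "$client.key"
    chmod 600 "$out_dir/$client.tar.gz"
}

# bundle_is_clean BUNDLE -> 0 if the archive carries no private CA/server files
bundle_is_clean() {
    # strip the ./ prefix that "tar zcvf client.tar.gz ./*" produces
    tar tzf "$1" | sed 's#^\./##' | grep -Eq "$PRIVATE_PATTERN" && return 1
    return 0
}
```

Run `bundle_is_clean client.tar.gz` against the archive from step 7 to see which files should have stayed on the gateway.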

8. Copy ca.crt server.crt server.key dh1024.pem from keys to /etc/open***

[root@gateway keys]# cp ca.* server.* dh1024.pem /etc/open***/  
[root@gateway keys]# cd /etc/open***/   
[root@gateway open***]# ls   
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.crt  server.csr  server.key

9. Edit the server configuration file /etc/open***/server.conf

[root@gateway open***]# cp server.conf server.conf.bak.2014.5.5  
[root@gateway open***]# ls   
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.conf.bak.2014.5.5  server.crt  server.csr  server.key   
[root@gateway open***]# vim server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem   
server 10.8.0.0 255.255.255.0   
client-to-client   
keepalive 10 120   
comp-lzo   
persist-key   
persist-tun   
status open***-status.log   
verb 4   
push "dhcp-option DNS 10.8.0.1"   
push "dhcp-option DNS 8.8.8.8"   
push "dhcp-option DNS 8.8.4.4"
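A hand-edited server.conf easily ends up with a directive listed twice, or pointing at a file that was never copied, and it is worth a check before starting the daemon. The function below is an added example, not from the original post: it reports duplicated directives (push, route and remote may legitimately repeat), confirms the files named by ca, cert, key and dh exist relative to the config directory, and flags a ca.key left next to server.conf, since the daemon only needs ca.crt. The config path is an assumption passed as an argument.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for an
# Open*** server.conf. Exit status 0 means clean; findings go to stdout.
set -u

# check_server_conf CONF_FILE
check_server_conf() {
    conf=$1; dir=$(dirname "$conf"); rc=0

    # 1. duplicated directives: first word of every non-comment line,
    #    ignoring directives that may appear more than once by design
    dups=$(grep -Ev '^[[:space:]]*(#|;|$)' "$conf" | awk '{print $1}' \
           | grep -Evx 'push|route|remote' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate directives: $(echo "$dups" | tr '\n' ' ')"; rc=1
    fi

    # 2. every PKI file the config references must exist; relative paths
    #    resolve against the directory holding server.conf
    for d in ca cert key dh; do
        f=$(awk -v d="$d" '$1==d {print $2; exit}' "$conf")
        [ -n "$f" ] || { echo "missing directive: $d"; rc=1; continue; }
        case $f in /*) p=$f ;; *) p=$dir/$f ;; esac
        [ -f "$p" ] || { echo "$d points to missing file: $p"; rc=1; }
    done

    # 3. the CA private key is not needed by the daemon and should not sit
    #    in its config directory
    [ -f "$dir/ca.key" ] && { echo "ca.key present in $dir; keep it on the CA only"; rc=1; }
    return $rc
}
```

Run it as `check_server_conf /etc/open***/server.conf` before `/etc/init.d/open*** start`.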

10. Start the *** server

[root@gateway open***]# /etc/init.d/open*** start  
正在启动 open***:                                         [确定]   
[root@gateway open***]# netstat -ntulp | grep 1194   
udp        0      0 0.0.0.0:1194                0.0.0.0:*                               19147/open***   
[root@gateway open***]# ifconfig   
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255   
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1   
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0   
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0   
          collisions:0 txqueuelen:100    
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

11. Configure the Windows client

(1). Install the client (not demonstrated here; install it yourselves)

(2). Put the client certificate files generated on the server into the config folder

D:\Program Files\Open***\config\test

(3). Create the client configuration file test.o***

D:\Program Files\Open***\config

Contents of test.o***:

client
dev tun
proto udp
remote x.x.x.x 1194 #public IP of the workplace
persist-key
persist-tun
ca test\\ca.crt
cert test\\client1.crt
key test\\client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1

12. Set up the port mapping on the gateway server (the key configuration) and enable IP forwarding.

[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE   
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.18.0/255.255.255.0 -j SNAT --to-source 192.168.18.254
[root@gateway keys]# iptables -L -t nat  
Chain PREROUTING (policy ACCEPT)   
target     prot opt source               destination        
Chain POSTROUTING (policy ACCEPT)  
target     prot opt source               destination        
MASQUERADE  all  --  localhost/24         anywhere           
SNAT       all  --  localhost/24         localhost/24        to:192.168.18.254
Chain OUTPUT (policy ACCEPT)  
target     prot opt source               destination        
[root@gateway keys]# vim /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux  
#   
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and   
# sysctl.conf(5) for more details.
# Controls IP packet forwarding  
net.ipv4.ip_forward = 1
[root@gateway keys]# sysctl -p  
net.ipv4.ip_forward = 1

13. Connect and test

1). Connect to the ***

Note: after a successful connection a small green icon appears. Now let's try a ping!

2). Test with ping

3). Now let's check where our IP appears to be located

Before the *** connection: (office)

After the *** connection: (server room)

OK, that completes the hands-on configuration of the *** server co-located with the gateway. Let's now summarize our lessons learned and the issues encountered.


VI. Summary

In everything above, the server generates the client certificates first and then distributes them to the clients, which connect to the server using those certificates. Sometimes, though, this distribution is cumbersome (and not secure). So we can consider another approach: client certificates are created only on the server side, and the client needs only the ca.crt file rather than its own client certificate; when logging in, a username and password are enough to log in to the Open*** server. How is this implemented? We will implement it in the next post.


OK, finally, I hope everyone got something out of this ^_^ ...