一、Open***简介

    Open*** 是一个基于 OpenSSL 库的应用层 *** 实现。和传统 *** 相比,它的优点是简单易用。

    Open***允许参与建立***的单点使用共享金钥,电子证书,或者用户名/密码来进行身份验证。它大量使用了OpenSSL加密库中的SSLv3/TLSv1 协议函式库。Open***能在Solaris、Linux、OpenBSD、FreeBSD、NetBSD、Mac OS X与Windows 2000/XP/Vista上运行,并包含了许多安全性的功能。它并不是一个基于Web的***软件,也不与IPsec及其他***软件包兼容。

    Open***2.0后引入了用户名/口令组合的身份验证方式,它可以省略客户端证书,但是仍有一份服务器证书需要被用作加密。 Open***所有的通信都基于一个单一的IP端口, 默认且推荐使用UDP协议通讯,同时TCP也被支持。Open***连接能通过大多数的代理服务器,并且能够在NAT的环境中很好地工作。服务端具有向客 户端“推送”某些网络配置信息的功能,这些信息包括:IP地址、路由设置等。Open***提供了两种虚拟网络接口:通用Tun/Tap驱动,通过它们, 可以建立三层IP隧道,或者虚拟二层以太网,后者可以传送任何类型的二层以太网络数据。传送的数据可通过LZO算法压缩。在选择协议时候,需要注意2个加密隧道之间的网络状况,如有高延迟或者丢包较多的情况下,请选择TCP协议作为底层协议,UDP协议由于存在无连接和重传机制,导致要隧道上层的协议进行重传,效率非常低下。

 

二、Open***的安装

 

Open***服务器

   内外地址:10.0.0.41

   外网地址:211.152.xx.xx

 

本地客户端

   网段:192.168.0.0

   本机IP:192.168.0.125

 

1、安装前的准备工作

   请关闭防火墙和selinux,简单的安装方法就是使用yum安装,首先我们应该先安装epel软件仓库。

# rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm

网络设置

1.开启服务器端路由转发功能

# vi /etc/sysctl.conf

---------------------

net.ipv4.ip_forward = 1

---------------------

# sysctl -p

 

设置nat转发:

注:保证***地址池可路由出外网

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

 

2、安装open***,他会自动解决依赖关系

# yum install open*** -y

3、安装好之后我们查看安装了哪些文件

[root@*** ~]# rpm -ql open***

/etc/open***

/etc/rc.d/init.d/open***

/usr/lib64/open***

/usr/lib64/open***/plugin

/usr/lib64/open***/plugin/lib

/usr/lib64/open***/plugin/lib/open***-auth-pam.so

/usr/lib64/open***/plugin/lib/open***-down-root.so

/usr/lib64/open***/plugins

/usr/lib64/open***/plugins/open***-plugin-auth-pam.so

/usr/lib64/open***/plugins/open***-plugin-down-root.so

/usr/sbin/open***

/usr/share/doc/open***-2.3.7

.....

/usr/share/doc/open***-2.3.7/sample/sample-windows

/usr/share/doc/open***-2.3.7/sample/sample-windows/sample.o***

/usr/share/man/man8/open***.8.gz

/usr/share/open***

/var/run/open***

 

三、Open***的配置

 首先把主要配置文件复制到/etc/open***

# cp /usr/share/doc/open***-2.3.7/sample/sample-config-files/server.conf /etc/open***/

 网上有很多是编译安装的***,也主要讲解了如何生成证书,我这里就不掩饰证书创建的过程了,因为我们安装的open***里面自带了测试的证书等等,如果想自建证书的话请看本篇附录

# vim /etc/open***/server.conf

注:可按照默认模板配置,本例为自定义配置文件:

--------------------------

# 设置监听IP,默认是监听所有IP

;local a.b.c.d

# 设置监听端口,必须要对应的在防火墙里面打开

port 1194

# 设置用TCP还是UDP协议?(用UDP会比较快些)

;proto tcp

proto tcp

# 设置创建tun的路由IP通道,还是创建tap的以太网通道

# 路由IP容易控制,所以推荐使用它;但如果如IPX等必须

# 使用第二层才能通过的通讯,则可以用tap方式,tap也

# 就是以太网桥接

;dev tap

dev tun

# Windows需要给网卡一个名称,这里设置,linux不需要

;dev-node MyTap

# 这里是重点,必须指定SSL/TLS root certificate (ca),

# certificate(cert), and private key (key)

# ca文件是服务端和客户端都必须使用的,但不需要ca.key

# 服务端和客户端指定各自的.crt和.key

# 请注意路径,可以使用以配置文件开始为根的相对路径,

# 也可以使用绝对路径

# 请小心存放.key密钥文件

ca /usr/share/doc/open***-2.3.7/sample/sample-keys/ca.crt

cert /usr/share/doc/open***-2.3.7/sample/sample-keys/server.crt

key /usr/share/doc/open***-2.3.7/sample/sample-keys/server.key

# This file should be kept secret

 

# 指定Diffie hellman parameters.

dh /usr/share/doc/open***-2.3.7/sample/sample-keys/dh2048.pem

 

# 配置***使用的网段,Open***会自动提供基于该网段的DHCP

# 服务,但不能和任何一方的局域网段重复,保证唯一

# 这里我选择默认

server 10.8.0.0 255.255.255.0

 

# 维持一个客户端和virtual IP的对应表,以方便客户端重新

# 连接可以获得同样的IP

ifconfig-pool-persist ipp.txt

 

# 配置为以太网桥模式,但需要使用系统的桥接功能

# 这里不需要使用

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

 

# 为客户端创建对应的路由,以另其通达公司网内部服务器

# 但记住,公司网内部服务器也需要有可用路由返回到客户端

# 这里主要填写open***所在局域网的网段,我的open***所在的局域网是10.0.0.0

# 如果你的open***所在的局域网是其他的网段,下面请填写其他网段

;push "route 192.168.20.0 255.255.255.0"

push "route 10.0.0.0 255.255.255.0"

 

# 为特定的客户端指定IP或指定路由,该路由通常是客户端后面的

# 内网网段,而不是服务端连接的网段

# ccd是/etc/open***下的目录,其中建有希望限制的客户端Common

# Name为文件名的文件,并通过下面的命令写入固定IP地址

# 例如Common Name为client1,则在/etc/open***/ccd/client1写有:

# ifconfig-push 10.9.0.1 10.9.0.2

;client-config-dir ccd

;route 192.168.40.128 255.255.255.248

 

# 为可以对不同的客户端设置防火墙等权限

# 可以让其自动运行对应脚本,可参考man

;learn-address ./script

 

# 若客户端希望所有的流量都通过***传输,则可以使用该语句

# 其会自动改变客户端的网关为***服务器,推荐关闭

# 一旦设置,请小心服务端的DHCP设置问题

# 如果需要抓取所以连接***客户端的流量信息,需要开启

;push "redirect-gateway def1 bypass-dhcp"   所有数据都通过***

 

# 用Open***的DHCP功能为客户端提供指定的DNS、WINS等

;push "dhcp-option DNS 10.8.0.1"

;push "dhcp-option WINS 10.8.0.1"

 

# 默认客户端之间是不能直接通讯的,除非把下面的语句注释掉

client-to-client

 

# 如果您希望有相同Common Name的客户端都可以登陆

# 也可以注释下面的语句,推荐每个客户端都使用不用的Common Name

# 常用于测试,开启的话,一个证书可以多个客户端连接

;duplicate-cn

 

# 设置服务端检测的间隔和超时时间

keepalive 10 120

 

# 下面是一些对安全性增强的措施

# For extra security beyond that provided

# by SSL/TLS, create an "HMAC firewall"

# to help block DoS attacks and UDP port flooding.

#

# Generate with:

# open*** --genkey --secret ta.key

#

# The server and each client must have

# a copy of this key.

# The second parameter should be 0

# on the server and 1 on the clients.

;tls-auth ta.key 0 # This file is secret

 

# Select a cryptographic cipher.

# This config item must be copied to

# the client config file as well.

;cipher BF-CBC # Blowfish (default)

;cipher AES-128-CBC # AES

;cipher DES-EDE3-CBC # Triple-DES

 

# 使用lzo压缩的通讯,服务端和客户端都必须配置

comp-lzo

 

# 设置最大用户数

;max-clients 100

 

# 让Open***以nobody用户和组来运行(安全)

;user nobody

;group nobody

 

# The persist options will try to avoid

# accessing certain resources on restart

# that may no longer be accessible because

# of the privilege downgrade.

persist-key

persist-tun

 

# 输出短日志,每分钟刷新一次,以显示当前的客户端

status /var/log/open***/open***-status.log

 

# 缺省日志会记录在系统日志中,但也可以导向到其他地方

# 建议调试的使用先不要设置,调试完成后再定义

# 只能使用其中的一个,log会每次启动前先清楚日志,log-append会对数据追加

;log /var/log/open***/open***.log

log-append /var/log/open***/open***.log

 

# 设置日志的级别

#

# 0 is silent, except for fatal errors

# 4 is reasonable for general usage

# 5 and 6 can help to debug connection problems

# 9 is extremely verbose

verb 3

 

# Silence repeating messages. At most 20

# sequential messages of the same message

# category will be output to the log.

;mute 20

--------------------------

四、Open***的启动

 

# service open*** start

[root@*** ~]# netstat -tlnp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   

tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2381/sshd           

tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1425/master         

tcp        0      0 0.0.0.0:1194                0.0.0.0:*                   LISTEN      12947/open*** 

 

五、客户端的安装

 

1.下载客户端,并默认安装:

http://***tech.googlecode.com/files/open***-2.1.1-gui-1.0.3-install-cn-64bit.zip

 

2.将服务端内ca.crt、client.crt、client.key、client.conf复制到客户端C:\Program Files (x86)\Open***\config下.

3.把client.conf改名为client.o***

内容如下:

-----------------------

# 定义是一个客户端

client

 

# 定义使用路由IP模式,与服务端一致

;dev tap

dev tun

 

# 定义Windows下使用的网卡名称,linux不需要

;dev-node MyTap

 

# 定义使用的协议,与服务端一致

;proto tcp

proto tcp

 

# 指定服务端地址和端口,可以用多行指定多台服务器

# 实现负载均衡(从上往下尝试)

remote 211.152.x.x 1194

;remote my-server-2 1194

 

# 若上面配置了多台服务器,让客户端随机连接

;remote-random

 

# 解析服务器域名

# Keep trying indefinitely to resolve the

# host name of the Open*** server. Very useful

# on machines which are not permanently connected

# to the internet such as laptops.

resolv-retry infinite

 

# 客户端不需要绑定端口

# Most clients do not need to bind to

# a specific local port number.

nobind

 

# 也是为了让Open***也nobody运行(安全)

# 注意:Windows不能设置

;user nobody

;group nobody

 

# Try to preserve some state across restarts.

persist-key

persist-tun

# 若客户端通过HTTP Proxy,在这里设置

# 要使用Proxy,不能使用UDP为***的通讯协议

;http-proxy-retry # retry on connection failures

;http-proxy [proxy server] [proxy port #]

# 无线网络有很多多余的头文件,设置忽略它

;mute-replay-warnings

# 重点,就是指定ca和客户端的证书

ca ca.crt

cert client.crt

key client.key

# 如果服务端打开了PAM认证模块,客户端需要另其有效

;auth-user-pass

# 一些安全措施

# Verify server certificate by checking

# that the certicate has the nsCertType

# field set to "server". This is an

# important precaution to protect against

# a potential attack discussed here:

# http://open***.net/howto.html#mitm

#

# To use this feature, you will need to generate

# your server certificates with the nsCertType

# field set to "server". The build-key-server

# script in the easy-rsa folder will do this.

;ns-cert-type server

 

# If a tls-auth key is used on the server

# then every client must also have the key.

;tls-auth ta.key 1

 

# Select a cryptographic cipher.

# If the cipher option is used on the server

# then you must also specify it here.

;cipher x

 

# 使用lzo压缩,与服务端一致

comp-lzo

 

# Set log file verbosity.

verb 3

# Silence repeating messages

;mute 20

-----------------------

5.连接:

在右下角的open***图标上右击,选择“Connect”,若能正常分配IP,则连接成功。

我获取的IP是10.8.0.6


附录

下载密钥制作工具easy_rsa 2:

         wget https://github.com/Open***/easy-rsa/archive/release/2.x.zip

解压easy_rsa并拷贝到/etc/open***:

         unzip 2.x.zip

         mv easy-rsa-release-2.x/ /etc/open***/

编辑easy-rsa的vars文件,设定相关变量信息:

         cd /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0

         vim vars

export KEY_COUNTRY="CN"

export KEY_PROVINCE="Shanghai"

export KEY_CITY="Shanghai"

export KEY_ORG="Comratings"

export KEY_EMAIL="ADMIN@Comratings.COM"

export KEY_OU="MyOpen***"

         编辑完之后,保存退出。

将刚才编辑的vars文件,执行如下命令:

         source vars 

         ./clean-all

         ./build-ca

创建服务器的证书和密钥:

       ./build-key-server Open***_Server

[root@cloud 2.0]# ./build-key-server Open***_Server

Generating a 2048 bit RSA private key

.................................+++

............+++

writing new private key to 'Open***_Server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [XIAOCUI]:

Organizational Unit Name (eg, section) [MyOpen***]:

Common Name (eg, your name or your server's hostname) [Open***_Server]:

Name [EasyRSA]:

Email Address [ADMIN@ XIAOCUI.COM]:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BEIJING'

localityName          :PRINTABLE:'BEIJING'

organizationName      :PRINTABLE:' XIAOCUI '

organizationalUnitName:PRINTABLE:'MyOpen***'

commonName            :T61STRING:'Open***_Server'

name                  :PRINTABLE:'EasyRSA'

emailAddress          :IA5STRING:'ADMIN@ XIAOCUI.COM'

Certificate is to be certified until May  2 07:49:13 2025 GMT (3650 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

创建客户端的证书和密钥:

       ./build-key client-user-test1

 

[root@cloud 2.0]# ./build-key client-user-test1

Generating a 2048 bit RSA private key

....................+++

...............................................................................+++

writing new private key to 'client-user-cuiyuanrong.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [XIAOCUI]:

Organizational Unit Name (eg, section) [MyOpen***]:

Common Name (eg, your name or your server's hostname) [client-user-test1]:

Name [EasyRSA]:

Email Address [ADMIN@XIAOCUI.COM]:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BEIJING'

localityName          :PRINTABLE:'BEIJING'

organizationName      :PRINTABLE:'XIAOCUI'

organizationalUnitName:PRINTABLE:'MyOpen***'

commonName            :PRINTABLE:'client-user-test1'

name                  :PRINTABLE:'EasyRSA'

emailAddress          :IA5STRING:'ADMIN@XIAOCUI.COM'

Certificate is to be certified until May  2 07:53:17 2025 GMT (3650 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

创建Diffie Hellman 参数:

       ./build-dh


参考网址:http://www.centoscn.com/image-text/config/2015/0717/5874.html

    http://www.centoscn.com/CentosServer/test/2014/1120/4153.html

    https://open***.net/