1. Lab topology

[Topology diagram: CentOS 6.5 OpenVPN lab (image not preserved)]


2. Lab objective

S1 is the OpenVPN server and C1, C2 are OpenVPN clients. The goal is to configure OpenVPN so that C1 and C2 can reach every host on the network segment where S1 sits.


3. Lab environment

GNS3 0.8.7, CentOS 6.5


4. Install and configure the OpenVPN server

4.1 Install lzo and openvpn on server S1

[root@S1 src]# rpm -ivh lzo-2.04-3.2.i386.rpm 
warning: lzo-2.04-3.2.i386.rpm: Header V3 DSA/SHA1 Signature, key ID d164ce99: NOKEY
Preparing...                ########################################### [100%]
        file /usr/lib/liblzo2.so.2.0.0 from install of lzo-2.04-3.2.i386 conflicts with file from package lzo-2.03-3.1.el6.i686
[root@S1 src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm 
error: Failed dependencies:
        libcrypto.so.6 is needed by openvpn-2.1-0.20.rc4.el5.kb.i386
        libssl.so.6 is needed by openvpn-2.1-0.20.rc4.el5.kb.i386
[root@S1 src]# yum -y install openssl098e
[root@S1 src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm 
Preparing...                ########################################### [100%]
   1:openvpn                ########################################### [100%]

[root@S1 src]# cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/
[root@S1 src]# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/


4.2 Initialize the PKI

[root@S1 src]# cd /etc/openvpn/2.0/
[root@S1 2.0]# vim vars 
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="SZ"
export KEY_ORG="***"
export KEY_EMAIL="test@163.com"

[root@S1 2.0]# source ./vars 
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
[root@S1 2.0]# ./clean-all 
[root@S1 2.0]# ./build-ca 
Generating a 1024 bit RSA private key
..................................................++++++
..............................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [***]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [*** CA]:server
Email Address [test@163.com]:
[root@S1 2.0]#


4.3 Generate the server key

[root@S1 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
......................................++++++
...........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [***]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]: 
Email Address [test@163.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:root123
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'***'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'test@163.com'
Certificate is to be certified until Sep 10 17:25:36 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


4.4 Generate the client keys

[root@S1 2.0]# ./build-key C1
Generating a 1024 bit RSA private key
.......................++++++
.....++++++
writing new private key to 'C1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [***]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [C1]:
Email Address [test@163.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:root123
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'***'
commonName            :PRINTABLE:'C1'
emailAddress          :IA5STRING:'test@163.com'
Certificate is to be certified until Sep 10 17:27:38 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@S1 2.0]#

[root@S1 2.0]# ./build-key C2
Generating a 1024 bit RSA private key
.......++++++
........++++++
writing new private key to 'C2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [***]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [C2]:
Email Address [test@163.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:root123
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'***'
commonName            :PRINTABLE:'C2'
emailAddress          :IA5STRING:'test@163.com'
Certificate is to be certified until Sep 10 17:28:16 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@S1 2.0]#


4.5 Generate the Diffie-Hellman parameters and stage the server-side configuration files

[root@S1 2.0]# ./build-dh 
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
......+...................+.............................................+................................................................+......................................+..................................................................................................................+............+....................................+......................+................+...................+..............................................++*++*++*
[root@S1 2.0]# cd keys/
[root@S1 keys]# cp ca.crt  server.crt  server.key  dh1024.pem  /etc/openvpn/


4.6 Edit the server configuration file

[root@S1 keys]# cd ../../
[root@S1 openvpn]# vim server.conf 
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 114.114.114.114"
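The server.conf above is a working baseline rather than a hardened one. As an added example (not part of the original post), the POSIX shell audit below checks a config of this shape for four things a reviewer would raise before exposing UDP/1194: no tls-auth or tls-crypt key on the control channel, no user/group privilege drop, the 1024-bit DH file that easy-rsa produced in 4.5, and comp-lzo; it also flags ns-cert-type, so the same function applies to the client.conf in 5.1. The directives it looks for are real OpenVPN options; the sample input is a constructed copy of the server.conf above.

```shell
# Added example (not from the original post): audit an OpenVPN server.conf like
# the one in 4.6. Prints "FINDING:<tag>" per issue; exit status = number of findings.

has_directive() {   # has_directive FILE NAME: true if an uncommented line starts with NAME
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

audit_openvpn_conf() {
    f=$1; n=0
    # No extra HMAC key on the control channel: any packet hitting UDP/1194 reaches
    # the TLS stack. tls-auth (all versions) or tls-crypt (2.4+) closes this.
    if ! has_directive "$f" tls-auth && ! has_directive "$f" tls-crypt; then
        echo "FINDING:no-tls-auth"; n=$((n+1))
    fi
    # Daemon keeps root after start-up unless 'user nobody' and 'group nobody' are set.
    if ! has_directive "$f" user || ! has_directive "$f" group; then
        echo "FINDING:runs-as-root"; n=$((n+1))
    fi
    # easy-rsa names the DH file after KEY_SIZE, so dh1024.pem means 1024-bit params.
    if grep -Eq '^[[:space:]]*dh[[:space:]]+[^[:space:]]*1024' "$f"; then
        echo "FINDING:dh-1024-bit"; n=$((n+1))
    fi
    # Link compression, and the ns-cert-type check that newer releases deprecate.
    has_directive "$f" comp-lzo     && { echo "FINDING:comp-lzo"; n=$((n+1)); }
    has_directive "$f" ns-cert-type && { echo "FINDING:ns-cert-type"; n=$((n+1)); }
    return $n
}

# Constructed copy of the server.conf written in section 4.6, used as sample input.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 114.114.114.114"
EOF
audit_openvpn_conf "$CONF" || echo "$? finding(s) in $CONF"
```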


4.7 Start OpenVPN

[root@S1 openvpn]# chkconfig openvpn on
[root@S1 openvpn]# service openvpn restart
Shutting down openvpn: [  OK  ]
Starting openvpn: [  OK  ]
[root@S1 openvpn]# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@S1 openvpn]# 


5. Install and configure the OpenVPN clients

5.1 Install the C1 client

[root@C1 src]# rpm -ivh lzo-2.04-3.2.i386.rpm 
warning: lzo-2.04-3.2.i386.rpm: Header V3 DSA/SHA1 Signature, key ID d164ce99: NOKEY
Preparing...                ########################################### [100%]
        file /usr/lib/liblzo2.so.2.0.0 from install of lzo-2.04-3.2.i386 conflicts with file from package lzo-2.03-3.1.el6.i686
[root@C1 src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm 
error: Failed dependencies:
        libcrypto.so.6 is needed by openvpn-2.1-0.20.rc4.el5.kb.i386
        libssl.so.6 is needed by openvpn-2.1-0.20.rc4.el5.kb.i386
[root@C1 src]# yum -y install openssl098e
[root@C1 src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm 
Preparing...                ########################################### [100%]
   1:openvpn                ########################################### [100%]
[root@C1 src]# 


Copy the client certificate and the other files generated on server S1 into the /etc/openvpn directory:

[root@C1 src]# cd /etc/openvpn/
[root@C1 openvpn]# ll
total 12
-rw-r--r--. 1 root root 3577 Sep 13 13:56 C1.crt
-rw-------. 1 root root  912 Sep 13 13:56 C1.key
-rw-r--r--. 1 root root 1119 Sep 13 13:56 ca.crt
[root@C1 openvpn]# vim client.conf
client 
dev tun 
proto udp 
remote 8.8.8.10 1194
persist-key 
persist-tun 
ca ca.crt 
cert C1.crt 
key C1.key 
ns-cert-type server 
comp-lzo 
verb 3 
redirect-gateway def1 
[root@C1 openvpn]# service openvpn restart
Shutting down openvpn: [  OK  ]
Starting openvpn: [  OK  ]
[root@C1 openvpn]# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.5  P-t-P:10.8.0.6  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@C1 openvpn]#

5.2 Install the C2 client

Copy the client certificate and the other files generated on server S1 into the C:\Program Files\OpenVPN\config directory, together with the client file from C:\Program Files\OpenVPN\sample-config.

Edit the contents of that client file as follows:

client 
dev tun 
proto udp 
remote 8.8.8.10 1194
persist-key 
persist-tun 
ca ca.crt 
cert C2.crt 
key C2.key 
ns-cert-type server 
comp-lzo 
verb 4 
redirect-gateway def1 


6. Fix the missing Internet access and the restriction to reaching only S1

At this point C1 and C2 have established a VPN tunnel to S1, but they cannot ping 8.8.8.20 or 8.8.8.30: they can reach neither the Internet nor any host other than S1. To fix this we enable IP forwarding on S1 and add an SNAT rule for the VPN subnet.

[root@S1 2.0]# vim /etc/rc.d/rc.local 

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.1.1.1
[root@S1 2.0]#

With this in place, C1 and C2 can reach the Internet as well as every host on the network where S1 sits.