目前最新的opevn是2.4版本,easy-rsa 是3.0版本,可以直接yum安装,但是配置会与easy-rsa的方式有点不同
、配置完后×××无法启动,提示 Failed to start Open××× Robust And Highly Flexible Tunneling Application On client
把/etc/open***/server.conf 中的 tls-auth ta.key 0 # This file is secret 并注释掉就好了
环境准备
关闭selinux
临时生效
[root@linux ~]# setenforce 0
setenforce: SELinux is disabled永久生效sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config
安装epel源
yum -y install epel-release安装open***和easy-rsa 3.0
安装open***
yum安装open***
yum -y install openssl openssl-devel lzo open*** easy-rsa
生成服务器密钥
在安装完easy-rsa后,可以看到目录结构如下
可以看到easy-rsa3中,少了2版本中的许多执行文件,只剩下easyrsa一个执行文件,使用这个文件,就可以创建各种所需的密钥文件。
服务端:(这里采用无密码方式创建相关文件,避免后期输入pam密码的各种麻烦)
cp -rp easyrsa3 keys
cd keys初始化pki目录
./easyrsa init-pki
以无密码方式,创建服务器ca文件
# ./easyrsa build-ca nopass
创建服务端key文件
# ./easyrsa gen-req cmhserver nopass
注册服务端CN名,生产服务端crt文件
# ./easyrsa sign server cmhserver
dh.pem文件生产
./easyrsa gen-dh
密钥生成完毕后,文件目录如下所示:
将生成的密钥文件复制到open***的安装目录
cp -rf keys/ /etc/open***/生成客户端密钥
cp -r /usr/share/easy-rsa/3.0.3 /etc/open***/key_client初始化pki目录
./easyrsa init-pki
以无密码方式,创建客户端key文件
./easyrsa gen-req cmhclient nopass
进入服务端key目录,关联客户端req,使之向服务端注册
# cd /etc/open***/keys
# ./easyrsa import-req /etc/open***/key_client/pki/reqs/cmhclient.req cmhclient
注册客户端CN名,生产客户端key文件
./easyrsa sign client cmhclient
完成客户端密钥后文件目录如下
在open***客户端中需要
ca.crt
cmhclient.crt
ca.key
这三个文件
创建***配置文件
vim /etc/open***/server.conf
;local a.b.c.d
port 1194
proto udp
dev tun
ca /etc/open***/keys/pki/ca.crt
cert /etc/open***/keys/pki/issued/cmhserver.crt
key /etc/open***/keys/pki/private/cmhserver.key # This file should be kept secret
dh /etc/open***/keys/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.99.0 255.255.255.0"
push "route 192.168.98.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
log-append open***.log
verb 3
cipher AES-256-CBC
;tls-auth ta.key 0防火墙配置
由于centos7用firewalld服务替代了iptables服务,所有先要安装iptables
yum install -y iptables-services
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables -F
iptables -L开启转发
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sysctl -p
或者
vim /proc/sys/net/ipv4/
ip_forward # 添加 net.ipv4.ip_forward = 1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens32 -j MASQUERADE #开启nat转发
iptables -I INPUT -p tcp --dport 1194 -m comment --comment "open***" -j ACCEPT #针对tcp端口
iptables -I INPUT -p udp --dport 1194 -m comment --comment "open***" -j ACCEPT #针对udp端口
service iptables save #保存iptables配置启动服务
systemctl start open***@server.service #启动服务
systemctl status open***@server.service #查看服务状态
systemctl enable open***@server.service #开机自启配置用户密码认证
修改server.conf配置文件,添加下面代码
script-security 3
auth-user-pass-verify /etc/open***/checkpsw.sh via-env
#client-cert-not-required #启用后,就关闭证书认证,只通过账号密码认证
username-as-common-name创建认证脚本,放到/etc/open***/ 目录
[root@localhost open***]# cat checkpsw.sh
#!/bin/sh
###########################################################
checkpsw.sh (C) 2004 Mathias Sundman <mathias@open***.se>
#This script will authenticate Open××× users against
#a plain text file. The passfile should simply contain
#one row per user with the username first followed by
#one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/open***/psw-file"
LOG_FILE="/var/log/open***-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1创建账号密码文件
#[root@localhost open***]# cat psw-file
test 123456添加权限控制
配置文件中添加client-config-dir /etc/open***/ccd
给每个账号创建配置文件echo "ifconfig-push 10.8.0.17 10.8.0.18" > ccd/zhangsan效果如下
[root@localhost open***]# ls ccd/
hxj lzh test zhangsan注意ip只能配套对应下表的地址集
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]添加iptables规则
以下为两个例子,基本涵盖所有需求,根据具体情况做修改
允许10.8.0.13访问192.168.99.101服务器,其他的全部拒绝
允许10.8.0.17访问192.168.98.0/24的所有ip,其他的全部拒绝
iptables -A FORWARD -i tun0 -s 10.8.0.13/32 -d 192.168.99.101 -j ACCEPT
iptables -A FORWARD -s 10.8.0.13/32 -j DROP
iptables -A FORWARD -i tun0 -s 10.8.0.17/32 -d 192.168.98.0/24 -j ACCEPT
iptables -A FORWARD -s 10.8.0.17/32 -j DROP
service iptables save最后附上windows客户端配置文件
client
dev tun
proto udp
remote 27.18.17.241 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cloud.crt
key cloud.key
comp-lzo
verb 3
auth-user-pass cloudpw.txt
转载于:https://blog.51cto.com/11555417/2045841
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
