open***安裝配置小結

1.         下載並安裝

cd /usr/local/src

wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz

wget http://open***.net/release/open***-2.1_rc22.tar.gz

tar zxvf lzo-2.04.tar.gz

cd lzo-2.04

./configure && make && make install

tar zxvf open***-2.1_rc22.tar.gz

cd open***-2.1_rc22

./configure && make && make install

whereis open***   查看安裝目錄

 

2.         服務器端設置：

cd /usr/local/src/open***-2.1_rc22/easy-rsa/2.0/

編輯所需的參數(能夠默認)

vi vars

export KEY_COUNTRY="CN"

export KEY_PROVINCE="SH"

export KEY_CITY="Shanghai"

export KEY_ORG="open***"

export KEY_EMAIL="tony@abc.com"

source ./vars

 

下面這個命令在第一次安裝時能夠運行，之後在添加客戶端時千萬別運行，這個命令會清除全部已經生成的

證書密鑰。

./clean-all

生成服務器端ca證書

./build-ca

生成服務器端密鑰證書, 後面這個server-name就是服務器名，能夠自定義。

./build-server-key shidc

一路Enter以後確認Y,證書生成。

生成 diffie hellman 參數

./build-dh

 

生成所需客戶端證書密鑰文件：

./build-key tony

 

3.         Open×××安全增強：

在Open×××的配置文件中，tls-auth指令能夠爲SSL/TLS協議的handshake數據包添加HMAC簽名，任何未通過簽名驗正的UDP包都會被丟棄，這就將SSL/TLS的安全提高了一個級別。它能夠爲Open×××的UDP提供防止DoS或端口洪泛***、避開對Open×××監聽端口的掃描及防止緩衝區溢出等安全特性。

 

開啓tls-auth功能須要用到一個預共享密鑰，此密鑰常常跟證書等文件一塊兒存放。此預共享密鑰可使用下面的命令生成：

/usr/local/src/open***-2.1_rc22/open*** --genkey --secret ta.key

 

然後在服務器端的配置文件中啓用以下指令：
tls-auth ta.key 0

 

客戶端的配置文件啓用以下指令：
tls-auth ta.key 1

 

4.         建立並編輯服務器端配置文件

mkdir –p /etc/open***/serverkeys

cp /usr/local/src/open***-2.1_rc22/sample-config-files/server.conf /etc/open***/

cd /usr/local/src/open***-2.1_rc22/easy-rsa/2.0/keys/

cp ca.crt dh1024.pem  shidc.crt  shidc.csr  shidc.key  /etc/open***/serverkeys

cp /usr/local/src/open***-2.1_rc22/ta.key /etc/open***/serverkeys

vi /etc/open***/server.conf 修改如下幾項

 

ca /etc/open***/serverkeys/ca.crt

cert /etc/open***/serverkeys/shidc.crt

key  /etc/open***/serverkeys/shidc.key

dh /etc/open***/serverkeys/dh1024.pem

tls-auth /etc/open***/serverkeys/ta.key 0

 

5.         修改完成以後,編輯啓動文件

vi /etc/init.d/open***

 

open***=""
open***_locations="/usr/sbin/open*** /usr/local/sbin/open***"
for location in $open***_locations
do
  if [ -f "$location" ]
  then
    open***=$location
  fi
done

lock="/var/lock/subsys/open***"

piddir="/var/run/open***"

work=/etc/open***

. /etc/rc.d/init.d/functions

. /etc/sysconfig/network

if [ ${NETWORKING} = "no" ]
then
  echo "Networking is down"
  exit 0
fi

if ! [ -f  $open*** ]
then
  echo "open*** binary not found"
  exit 0
fi

case "$1" in
  start)
        echo -n $"Starting open***: "

        /sbin/modprobe tun >/dev/null 2>&1

        # From a security perspective, I think it makes
        # sense to remove this, and have users who need
        # it explictly enable in their --up scripts or
        # firewall setups.

        #echo 1 > /proc/sys/net/ipv4/ip_forward

        # Run startup script, if defined
        if [ -f $work/open***-startup ]; then
            $work/open***-startup
        fi

        if [ ! -d  $piddir ]; then
            mkdir $piddir
        fi

        if [ -f $lock ]; then
            # we were not shut down correctly
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
              if [ -s $pidf ]; then
                kill `cat $pidf` >/dev/null 2>&1
              fi
              rm -f $pidf
            done
            rm -f $lock
            sleep 2
        fi

        rm -f $piddir/*.pid
        cd $work

        # Start every .conf in $work and run .sh if exists
        errors=0
        successes=0
        for c in `/bin/ls *.conf 2>/dev/null`; do
            bn=${c%%.conf}
            if [ -f "$bn.sh" ]; then
                . $bn.sh
            fi
            rm -f $piddir/$bn.pid
            $open*** --daemon --writepid $piddir/$bn.pid --config $c --cd $work
            if [ $? = 0 ]; then
                successes=1
            else
                errors=1
            fi
        done

        if [ $errors = 1 ]; then
            failure; echo
        else
            success; echo
        fi

        if [ $successes = 1 ]; then
            touch $lock
        fi
        ;;
  stop)
        echo -n $"Shutting down open***: "
        for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
          if [ -s $pidf ]; then
            kill `cat $pidf` >/dev/null 2>&1
          fi
          rm -f $pidf
        done

        # Run shutdown script, if defined
        if [ -f $work/open***-shutdown ]; then
            $work/open***-shutdown
        fi

        success; echo
        rm -f $lock
        ;;
  restart)
        $0 stop
        sleep 2
        $0 start
        ;;
  reload)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -HUP `cat $pidf` >/dev/null 2>&1
                fi
            done
        else
            echo "open***: service not started"
            exit 1
        fi
        ;;
  reopen)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -USR1 `cat $pidf` >/dev/null 2>&1
                fi
            done
        else
            echo "open***: service not started"
            exit 1
        fi
        ;;
  condrestart)
        if [ -f $lock ]; then
            $0 stop
            # avoid race
            sleep 2
            $0 start
        fi
        ;;
  status)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -USR2 `cat $pidf` >/dev/null 2>&1
                fi
            done
            echo "Status written to /var/log/messages"
        else
            echo "open***: service not started"
            exit 1
        fi
        ;;
  *)
        echo "Usage: open*** {start|stop|restart|condrestart|reload|reopen|status}"
        exit 1
        ;;
esac
exit 0

 

6.         啓動open***

/etc/init.d/open*** start

查看服務狀況

Netstat –tunlp查看默認的1194端口是否開啓

開啓路由轉發

sysctl -w net.ipv4.ip_forward=1

調整iptables策略,若是open*** server非網關,如需訪問內網服務器須要添加iptables SNAT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 172.16.0.0/24 -j SNAT --to-source 172.16.0.10

#172.16.0.10爲open*** server的內網口IP

 

7.         在window上安裝open***-2.1_rc15-install.exe

複製ca.crt  tony.crt  tony.key  ta.key到open***安裝目錄---config目錄

在config裏面編輯Open***客戶端配置文件

 

client
dev tun
proto udp
comp-lzo #對數據進行壓縮,注意Server和Client保持一致
#auth-user-pass   啓用pam-auth時使用
remote 192.168.255.193     1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca   ca.crt
cert  tony.crt
key  tony.key
ns-cert-type server
tls-auth  ta.key 1
verb 3
#log  c:\tun11-***.log

 

就能夠在客戶端進行撥號測試了

 

8.         啓用auth-pam模塊進行雙因素認證

yum –y install pam-devel

 

生成open***-auth-pam.so

cd /usr/local/src/open***-2.1_rc22/plugin/auth-pam/

make

 

mkdir /usr/lib/open***/

cp open***-auth-pam.so /usr/lib/open***/

 

vi /etc/open***/server.conf 在最後添加

plugin /usr/lib/open***/open***-auth-pam.so system-auth

 

從新加載

/etc/init.d/open*** reload

 

客戶端配置文件啓用auth-user-pass

就能夠用open***服務器系統用戶名密碼來進行驗證，同時再用證書驗證。