CentOS 7: installing OpenVPN with easy-rsa 3.0 - qq5ae5c6abb3882's blog

Category: Windows | posted 2 months ago (08-15)

OpenVPN introduction

VPN literally means "virtual private network": a tunnel that carries data securely between companies, or between an individual and a company. OpenVPN is the pioneer of open-source VPNs on Linux; it performs well, offers a friendly client GUI, and supports many platforms.

It makes heavy use of the SSLv3/TLSv1 protocol implementations in the OpenSSL library.

How it works

The technical core of OpenVPN is the virtual network interface; the SSL protocol implementation comes second. Since the SSL protocol is explained well elsewhere, this section concentrates on the virtual interface and how OpenVPN uses it.

A virtual network interface is a driver built with low-level network programming. Once installed, an extra network interface appears on the host and can be configured like any other. A service program can open the virtual interface from user space: when an application (such as IE) sends data to the virtual interface, the service program can read that data, and when the service program writes suitable data to the virtual interface, the application receives it. Virtual interfaces exist for most operating systems, which is one important reason OpenVPN runs on so many platforms.

In OpenVPN, when a user accesses a remote virtual address (one from the range assigned to the virtual interface, as opposed to a real address), the operating system's routing sends the packet (TUN mode) or frame (TAP mode) to the virtual interface. The service program reads it, processes it, and sends it over the public network through a socket. The remote service program receives the data from its socket, processes it, and writes it to its own virtual interface, where the application receives it. That completes a one-way transfer; the reverse direction works the same way.

Encryption

OpenVPN uses the OpenSSL library to encrypt both data and control traffic. Because it relies on OpenSSL's encryption and authentication functions, it can use any algorithm OpenSSL supports. It offers optional per-packet HMAC to strengthen the connection, and OpenSSL hardware acceleration can improve its performance.

OpenVPN deployment

Environment

    System version   Kernel version   OpenVPN version   easy-rsa version
    CentOS 7.3       5.0.5-1          openvpn-2.4.7     easy-rsa-3.0.3

    CentOS installed with the minimal install

    Two network interfaces

      eth0: 192.168.1.64 # simulates the public IP

      eth1: 172.16.1.10 # simulates the internal IP

    selinux, iptables, firewalld and NetworkManager turned off

Installation

OpenVPN and easy-rsa are installed with yum, which needs the EPEL repository (otherwise the packages are not found). I use Alibaba's EPEL mirror.

The Alibaba Cloud yum mirror site is: https://opsx.alibaba.com/mirror

Or just run this command, which downloads the EPEL repo file: wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

1. Install dependencies

    # "makecache" is a yum subcommand, not a package, so it is run on its own
    yum makecache
    yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig

2. Install OpenVPN

    yum install -y openvpn easy-rsa

3. Verify the installation

    [root@openvpn ~]# rpm -qa | grep openvpn
    openvpn-2.4.7-1.el7.x86_64
    [root@openvpn ~]# rpm -qa | grep easy
    easy-rsa-3.0.3-1.el7.noarch

Configuration

1. Copy easy-rsa

    cp -R /usr/share/easy-rsa/ /etc/openvpn/

2. Copy the vars file that easy-rsa reads its settings from

    cp -r /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/3.0.3/vars

3. Edit the copied vars file

    [root@openvpn ~]# cd /etc/openvpn/easy-rsa/3.0.3/
    [root@openvpn 3.0.3]# cp vars vars.example   # keep a backup
    [root@openvpn 3.0.3]# ls
    easyrsa  openssl-1.0.cnf  pki  vars  vars.example  x509-types
    [root@openvpn 3.0.3]# egrep '^set_var' vars   # uncomment the lines below
    set_var EASYRSA_REQ_COUNTRY "CN"
    set_var EASYRSA_REQ_PROVINCE    "California"
    set_var EASYRSA_REQ_CITY    "San Francisco"
    set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
    set_var EASYRSA_REQ_EMAIL   "me@example.net"
    set_var EASYRSA_REQ_OU      "My Organizational Unit"

4. Copy the default OpenVPN configuration file into the OpenVPN working directory

    cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn/

Server-side certificate generation and configuration

Generating the server certificates

1. Initialise: create a new pki directory structure

This step automatically creates a pki directory.

    [root@openvpn ~]# cd /etc/openvpn/easy-rsa/3.0.3/
    [root@openvpn 3.0.3]# ./easyrsa init-pki
    Note: using Easy-RSA configuration from: ./vars

    init-pki complete; you may now create a CA or requests.
    Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki

2. Generate the CA root certificate

The nopass argument creates the CA without a passphrase on its key.

Generates ca.crt

    [root@openvpn 3.0.3]# ./easyrsa build-ca nopass
    Note: using Easy-RSA configuration from: ./vars
    Generating a 2048 bit RSA private key
    ....................................................+++
    ...............+++
    writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key.eaRLZMVt5B'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]:    # just press Enter here; the values uncommented in vars above are filled in automatically

    CA creation complete and you may now import and sign cert requests.
    Your new CA certificate file for publishing is at:
    /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt

3. Generate the key pair and certificate request

Again with the nopass argument, so the key has no passphrase.

Generates server.req and server.key

    [root@openvpn 3.0.3]# ./easyrsa gen-req server nopass
    Note: using Easy-RSA configuration from: ./vars
    Generating a 2048 bit RSA private key
    ...................................................................+++
    ................+++
    writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/server.key.nW3aKUSpAO'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [server]:     # press Enter here
    Keypair and certificate request completed. Your files are:
    req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req
    key: /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key

4. Sign server.req with the CA root certificate to produce the server certificate

Generates server.crt

    [root@openvpn 3.0.3]# ./easyrsa sign server server
    Note: using Easy-RSA configuration from: ./vars
    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.

    Request subject, to be signed as a server certificate for 3650 days:

    subject=
        commonName                = server

    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes      # type yes here
    Using configuration from ./openssl-1.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'server'
    Certificate is to be certified until Apr 16 07:59:04 2029 GMT (3650 days)

    Write out database with 1 new entries
    Data Base Updated

    Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt

5. Create the Diffie-Hellman parameters

Generates dh.pem

    [root@openvpn 3.0.3]# ./easyrsa gen-dh
    Note: using Easy-RSA configuration from: ./vars
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    # lots of dots and plus signs scroll past here; wait until the line below appears
    DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem

6. Copy the generated server certificates into the working directory

    cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/server/
    cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem /etc/openvpn/server/
    # server.conf below never references ca.key; the server only needs ca.crt,
    # so the CA key can stay in pki/private/ instead of being copied here
    cp /etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key /etc/openvpn/server/
    cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key /etc/openvpn/server/
    cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt /etc/openvpn/server/

OpenVPN server configuration file

    [root@openvpn 3.0.3]# cd /etc/openvpn/
    [root@openvpn openvpn]# cat server.conf
    # Sample OpenVPN 2.0
    # the address clients connect to: the (simulated) public IP on eth0,
    # which must match the "remote" line in client.ovpn
    local 192.168.1.64
    port 1194
    proto tcp
    dev tun

    ca /etc/openvpn/server/ca.crt
    cert /etc/openvpn/server/server.crt
    key /etc/openvpn/server/server.key
    dh /etc/openvpn/server/dh.pem

    # the address range clients receive after they connect
    server 10.8.0.0 255.255.255.0
    # records which 10.8.0.x address each client was given
    ifconfig-pool-persist /etc/openvpn/ipp.txt

    # this must be the server's internal subnet, otherwise connected clients cannot reach the internal network
    push "route 172.16.1.0 255.255.255.0"
    keepalive 10 120
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    status /etc/openvpn/openvpn-status.log
    # only one of "log" / "log-append" is needed; log-append keeps earlier entries
    log-append /etc/openvpn/openvpn.log
    verb 3
    # explicit-exit-notify is only accepted with proto udp; with proto tcp
    # OpenVPN 2.4 refuses to start, so it is left disabled here
    #explicit-exit-notify 1
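An added check, not part of the original post: a small shell lint for a server.conf like the one above. It flags directives that appear more than once (only the last occurrence takes effect), log together with log-append, and explicit-exit-notify combined with proto tcp, which OpenVPN 2.4 rejects at startup because that option is UDP-only. The function name and the exit-status convention are my own.

```shell
#!/bin/sh
# lint_server_conf <file>: print one WARN line per problem found in an
# OpenVPN server.conf and return the number of problems (0 = clean).
# Added example, not from the original post; only the three checks below.
lint_server_conf() {
    conf=$1
    problems=0
    # Strip comments, leading blanks and empty lines so that each remaining
    # line starts with its directive name.
    clean=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. A directive given twice: OpenVPN keeps the last occurrence, so the
    #    first one (often the one that was edited) is silently ignored.
    dups=$(printf '%s\n' "$clean" | awk '{print $1}' | sort | uniq -d)
    for d in $dups; do
        echo "WARN: '$d' appears more than once; only the last one takes effect"
        problems=$((problems + 1))
    done

    # 2. log and log-append both set: they name the same log file and differ
    #    only in truncating vs appending, so keep exactly one of them.
    if printf '%s\n' "$clean" | grep -Eq '^log[[:space:]]' \
       && printf '%s\n' "$clean" | grep -Eq '^log-append[[:space:]]'; then
        echo "WARN: both 'log' and 'log-append' are set; keep one of them"
        problems=$((problems + 1))
    fi

    # 3. explicit-exit-notify is only valid for UDP; with proto tcp OpenVPN
    #    2.4 exits with an options error before the service comes up.
    if printf '%s\n' "$clean" | grep -Eq '^proto[[:space:]]+tcp' \
       && printf '%s\n' "$clean" | grep -Eq '^explicit-exit-notify'; then
        echo "WARN: 'explicit-exit-notify' requires 'proto udp'; remove it for tcp"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run directly: sh lint.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    lint_server_conf "$1"
fi
```

The exit status is the number of problems, so it can gate a deploy script before systemctl start openvpn@server.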

Starting and stopping OpenVPN

Start the OpenVPN service

    systemctl start openvpn@server

Stop the OpenVPN service

    systemctl stop openvpn@server

Enable the OpenVPN service at boot

    systemctl enable openvpn@server

Disable the OpenVPN service at boot

    systemctl disable openvpn@server

Client-side certificate generation and configuration

Generating the client certificate

1. Generate the client key pair and certificate request

Again with the nopass argument, so the key has no passphrase.

Generates client.req and client.key

    [root@openvpn openvpn]# cd /etc/openvpn/easy-rsa/3.0.3/
    [root@openvpn 3.0.3]# ./easyrsa gen-req client nopass
    Note: using Easy-RSA configuration from: ./vars
    Generating a 2048 bit RSA private key
    .................+++
    ..........................+++
    writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/client.key.rTBHS5Ra17'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [client]:

    Keypair and certificate request completed. Your files are:
    req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/client.req
    key: /etc/openvpn/easy-rsa/3.0.3/pki/private/client.key

2. Generate the client certificate

A moment ago the CA root certificate signed the request to produce the server certificate server.crt; now the CA signs the client request in the same way as for server.crt to obtain client.crt.

Generates client.crt

    [root@openvpn 3.0.3]# ./easyrsa sign client client
    Note: using Easy-RSA configuration from: ./vars
    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.

    Request subject, to be signed as a client certificate for 3650 days:

    subject=
        commonName                = client

    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes
    Using configuration from ./openssl-1.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'client'
    Certificate is to be certified until Apr 16 08:41:12 2029 GMT (3650 days)

    Write out database with 1 new entries
    Data Base Updated

    Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/client.crt

Client connection configuration

1. First download the client certificate and the CA certificate

The client certificate just generated and the CA certificate need to be downloaded.

Download them with the sz command.

If the sz/rz commands are not installed, install them with: yum install lrzsz -y

    sz /etc/openvpn/easy-rsa/3.0.3/pki/issued/client.crt
    sz /etc/openvpn/easy-rsa/3.0.3/pki/private/client.key
    sz /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt

2. Client configuration file

After downloading, create a folder named client on the desktop and put the three downloaded files in it.

In the client folder, create a file named client.ovpn with the following content:

    client
    proto tcp
    dev tun
    remote 192.168.1.64 1194
    resolv-retry infinite
    nobind
    ca ca.crt
    cert client.crt
    key client.key
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    verb 3

Note: it is recommended to name the client.ovpn file after the user, and names must not repeat, otherwise the client reports an error.
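As an added example (not part of the original post), the script below packages the three files the post downloads with sz into a single client profile with inline ca, cert and key sections, so only one file has to be copied to the client, and issues a new client certificate in easy-rsa batch mode instead of answering the CN prompt by hand. The PKI path, server address and port, and the cipher are the post's values; the function names are my own.

```shell
# Added example, not from the original post. Assumes the easy-rsa 3.0.3 tree
# the post uses and the server address/port from its client.ovpn.
PKI=${PKI:-/etc/openvpn/easy-rsa/3.0.3/pki}
SERVER_ADDR=${SERVER_ADDR:-192.168.1.64}
SERVER_PORT=${SERVER_PORT:-1194}

# pem_body <file>: print only the PEM block. easy-rsa's issued/*.crt files
# start with a human-readable dump of the certificate, which is dropped here.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}
# build_ovpn <ca.crt> <client.crt> <client.key>: print a profile equivalent
# to the post's client.ovpn with the three files embedded inline.
build_ovpn() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    cat <<EOF
client
proto tcp
dev tun
remote $SERVER_ADDR $SERVER_PORT
resolv-retry infinite
nobind
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
verb 3
<ca>
$(pem_body "$1")
</ca>
<cert>
$(pem_body "$2")
</cert>
<key>
$(pem_body "$3")
</key>
EOF
}

# issue_client <name>: gen-req + sign-req in easy-rsa batch mode (no CN
# prompt), then write <name>.ovpn, owner-only since it holds the private key.
issue_client() {
    name=$1
    ( cd "$PKI/.." && ./easyrsa --batch gen-req "$name" nopass \
        && ./easyrsa --batch sign-req client "$name" ) || return 1
    build_ovpn "$PKI/ca.crt" "$PKI/issued/$name.crt" "$PKI/private/$name.key" \
        > "$name.ovpn" && chmod 600 "$name.ovpn"
}
```

Running issue_client alice on the server produces alice.ovpn, which drops straight into the Windows client's config folder without the separate ca/cert/key files.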

3. Enable kernel forwarding on the server: edit /etc/sysctl.conf:

    net.ipv4.ip_forward = 1
    # apply it without a reboot: sysctl -p

4. Enable iptables NAT forwarding

    # adding "-s 10.8.0.0/24" would limit the rule to traffic from VPN clients
    iptables -t nat -A POSTROUTING -d 172.16.1.0/24 -j SNAT --to-source 172.16.1.10

5. Install the client software

Client download: click to download

After downloading, install it; it is simple, just click Next all the way through.

After installation, right-click the OpenVPN desktop icon, choose Properties, click Open File Location, then go up one level to the installation directory, where there is a folder named config. Copy the client folder created earlier into the config folder.

Finally run OpenVPN; a small computer-monitor icon appears in the bottom-right corner of the desktop. Right-click it and click Connect.

Lastly: revoking a certificate

    cd /etc/openvpn/easy-rsa/3.0.3/
    ./easyrsa revoke <name>      # <name> is the certificate name, e.g. client
    ./easyrsa gen-crl
    # gen-crl writes the list to pki/crl.pem; copy it to where server.conf will look for it
    cp pki/crl.pem /etc/openvpn/crl.pem

gen-crl generates the list of revoked certificates in the pki/crl.pem file.

Finally, add this line to server.conf:

    crl-verify /etc/openvpn/crl.pem

Special note: revoking a certificate does not delete its files immediately, so to create a certificate with the same name again you must delete the crt file, which is normally under the pki/issued folder.
