Lan2Lan based on Open***
LAN-to-LAN based on Open***
Overview
The first step in configuring Open*** 2.0 is to set up a PKI (public key infrastructure). The PKI consists of:
a certificate (also called the public key) and a private key for the server and for each client
a certificate and private key for a certificate authority (CA), used to sign each of the server and client certificates.
Contents:
1. Installation
1.1 Install lzo
1.2 Install Open***
2. Configure the PKI
2.1 Generate the master Certificate Authority (CA) certificate & private key
2.2 Generate the server certificate & private key
2.3 Generate the client certificate & private key
2.4 Generate Diffie-Hellman parameters
2.5 Key files
3. Configure Open***
3.1 Sample configuration files
3.2 Write the server configuration file
3.3 Write the client configuration file
3.4 Start and test the server
3.5 Start and test the client
3.6 Revoke a client certificate
4. Case study: LAN-to-LAN based on Open***
4.1 Network topology
4.2 Network parameters
4.3 Server configuration
4.4 Client configuration
4.5 Testing
5. Discussion: why go to the trouble of configuring open*** instead of using pptpd?
1. Installation
1.1 Install lzo (compression support)
- wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
- tar zxf lzo-2.03.tar.gz
- cd lzo-2.03
- ./configure --prefix=/usr/local/lzo
- make && make install
1.2 Install Open***
- wget --no-check-certificate https://open***.net/release/open***-2.0.9.tar.gz
- tar zxf open***-2.0.9.tar.gz
- cd open***-2.0.9/
- ./configure --prefix=/usr/local/open*** --with-lzo-headers=/usr/local/lzo/include/ --with-lzo-lib=/usr/local/lzo/lib/
- make && make install
2. Configure the PKI
- cp -r /root/open***-2.0.9/easy-rsa/ /usr/local/open***/
- ls /usr/local/open***/easy-rsa/
2.0 build-key build-req make-crl revoke-full
build-ca build-key-pass build-req-pass openssl.cnf sign-req
build-dh build-key-pkcs12 clean-all README vars
build-inter build-key-server list-crl revoke-crt Windows
// This directory holds many programs and scripts; the ones used below are:
vars script: creates the environment variables and sets the values that are needed
clean-all script: creates the files and directories needed to generate the CA certificate and key files
build-ca script: generates the CA certificate (interactive)
build-dh script: generates the Diffie-Hellman file (interactive)
build-key-server script: generates the server key (interactive)
build-key script: generates a client key (interactive)
pkitool script: uses the environment variables from vars directly and generates certificates without prompting (non-interactive)
2.1 Generate the master Certificate Authority (CA) certificate & private key
// Edit the vars file to set the environment variables; change the values in vars to suit your needs.
- cd /usr/local/open***/easy-rsa
- vim vars
export KEY_SIZE=1024 # key size in bits
export KEY_COUNTRY=CN # two-letter country code
export KEY_PROVINCE=BeiJing # province
export KEY_CITY=BeiJing # city
export KEY_ORG="test.com" # organization
export KEY_OU="test.com" # organizational unit
export KEY_EMAIL="[email protected]" # your e-mail address
// Once vars has been edited, the CA certificate and key files can be generated.
- source ./vars
// Initialize the keys directory: creates the files and directories needed to generate the CA certificate and key files
- ./clean-all
// Generate the root CA certificate, used to sign the server and client certificates
- ./build-ca
Generating a 1024 bit RSA private key
..................++++++
......................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [test.com]:
Organizational Unit Name (eg, section) []: # blank
Common Name (eg, your name or your server's hostname) []:CA # enter the host name, "CA"
Email Address [[email protected]]:
// In the sequence above, the defaults offered for most prompts are the values set in the vars file; the only parameter that must be entered explicitly is the Common Name, "CA" in this example.
// ca.crt and ca.key have now been generated
- ls keys/
ca.crt ca.key index.txt serial
2.2 Generate the server certificate & private key
// Generate the certificate used by the *** server
- ./build-key-server server
Generating a 1024 bit RSA private key
....++++++
....................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [test.com]:
Organizational Unit Name (eg, section) []: # blank
Common Name (eg, your name or your server's hostname) []:server # enter the host name, "server"
Email Address [[email protected]]:
#
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # blank
An optional company name []: # blank
Using configuration from /usr/local/open***/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BeiJing'
localityName :PRINTABLE:'BeiJing'
organizationName :PRINTABLE:'test.com'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 29 01:25:35 2022 GMT (3650 days)
Sign the certificate? [y/n]:y # note
#
1 out of 1 certificate requests certified, commit? [y/n]y # note
Write out database with 1 new entries
Data Base Updated
// server is the name you give the server's certificate; with the name server, the certificate files generated for the server are server.crt and server.key
// When asked for the Common Name, enter "server"; answer "y" to the other two questions
- ls keys/
01.pem ca.key index.txt.attr serial server.crt server.key
ca.crt index.txt index.txt.old serial.old server.csr
2.3 Generate the client certificate & private key
- ./build-key neta
Generating a 1024 bit RSA private key
.++++++
..............................................++++++
writing new private key to 'neta.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [test.com]:
Organizational Unit Name (eg, section) []: # blank
Common Name (eg, your name or your server's hostname) []:neta # note
Email Address [[email protected]]:
#
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # blank
An optional company name []: # blank
Using configuration from /usr/local/open***/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BeiJing'
localityName :PRINTABLE:'BeiJing'
organizationName :PRINTABLE:'test.com'
commonName :PRINTABLE:'neta'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 29 01:28:01 2022 GMT (3650 days)
Sign the certificate? [y/n]:y # note
#
1 out of 1 certificate requests certified, commit? [y/n]y # note
Write out database with 1 new entries
Data Base Updated
- ls keys/
01.pem ca.key neta.key index.txt.attr.old serial.old server.key
02.pem neta.crt index.txt index.txt.old server.crt
ca.crt neta.csr index.txt.attr serial server.csr
// Give each client a suitable Common Name, i.e. "neta", "netc", and so on; in short, assign every client a unique name.
// If you want to protect a client's private key with a passphrase, use the build-key-pass script instead of build-key.
2.4 Generate the Diffie-Hellman file
- ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..............
- ls keys/
01.pem ca.key neta.key index.txt.attr serial server.csr
02.pem neta.crt dh1024.pem index.txt.attr.old serial.old server.key
ca.crt neta.csr index.txt index.txt.old server.crt
2.5 Key files
The private keys and certificates generated in the keys directory are explained below:
File name    Needed by                      Description                 Secret
ca.crt       server and all clients         root CA certificate         no
ca.key       the machine that signs keys    root CA private key         yes
dh{n}.pem    server                         Diffie-Hellman parameters   no
server.crt   server                         server certificate          no
server.key   server                         server private key          yes
neta.crt     client neta                    neta's certificate          no
neta.key     client neta                    neta's private key          yes
3. Configure Open***
- useradd open*** -s /sbin/nologin
- passwd open***
- mkdir /usr/local/open***/etc
- cp open***-2.0.9/sample-config-files/server.conf /usr/local/open***/etc/
- chown -R open***.open*** /usr/local/open***/
3.1 Sample configuration files
Use the Open*** sample configuration files as the starting point for your own. They are in the sample-config-files directory of the Open*** source package; on Linux/BSD/Unix the sample files are server.conf and client.conf.
3.2 Write the server configuration file
// Edit server.conf with values like the following
- vim /usr/local/open***/etc/server.conf
// awk '! /^#|^$|^ |^;/' /usr/local/open***/etc/server.conf
local 192.168.57.71
port 1194
proto udp
dev tun
ca /usr/local/open***/easy-rsa/keys/ca.crt
cert /usr/local/open***/easy-rsa/keys/server.crt
key /usr/local/open***/easy-rsa/keys/server.key # This file should be kept secret
dh /usr/local/open***/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /usr/local/open***/logs/ipp.txt
keepalive 10 120
comp-lzo
user open***
group open***
persist-key
persist-tun
status /usr/local/open***/logs/open***-status.log
log /usr/local/open***/logs/open***.log
verb 5
3.3 Write the client configuration file
Sample client configuration files: client.conf on Linux/BSD/Unix and client.o*** on Windows; the client sample corresponds to the server sample.
- mkdir neta
- cp open***-2.0.9/sample-config-files/client.conf neta/
// Distribute to the client
- cp /usr/local/open***/easy-rsa/keys/ca.crt neta/
- cp /usr/local/open***/easy-rsa/keys/neta.crt neta/
- cp /usr/local/open***/easy-rsa/keys/neta.key neta/
- tar czf neta.tar.gz neta
- scp neta.tar.gz [email protected]:/home/dn/
3.4 Start and test the server
- /usr/local/open***/sbin/open*** --daemon --config /usr/local/open***/etc/server.conf
// Listening on UDP port 1194
- lsof -i :1194
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
open*** 16196 open*** 5u IPv4 5122558 UDP *:open***
// Log
- tail -n1 /usr/local/open***/logs/open***.log
Tue Oct 30 13:36:16 2012 us=798885 Initialization Sequence Completed
// Virtual IP
- ip add show tun0
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
3.5 Start and test the client
3.5.1 On Linux
// Install open*** (Ubuntu)
- apt-get install open***
// Unpack the keys and client.conf
- tar zxf neta.tar.gz -C /etc/open***/
// Edit client.conf with values like the following
- vim /etc/open***/neta/client.conf
// awk '! /^#|^$|^ |^;/' /etc/open***/neta/client.conf
client
dev tun
proto udp
remote 192.168.57.71 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/open***/neta/ca.crt
cert /etc/open***/neta/neta.crt
key /etc/open***/neta/neta.key
comp-lzo
verb 3
status /var/log/open***-status.log
log /var/log/open***.log
// As in the server configuration file, point the ca, cert and key directives at the files generated in the PKI section above; every client has its own crt/key, and only the ca file is shared between the server and all clients.
// The remote directive points at the server's hostname/IP address and port. Make sure the directives in the client and server configuration files are consistent:
// the main ones to check are dev (tun/tap) and proto (udp/tcp); comp-lzo and fragment (if used) must be present in both the client and server configuration files.
// Start open***
- open*** --daemon --config /etc/open***/neta/client.conf
// Log
- tail -n1 /var/log/open***.log
Wed Oct 31 10:06:46 2012 Initialization Sequence Completed
// Virtual IP
- ip add show tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.8.0.2 peer 10.8.0.1/32 scope global tun0
// ping test
- ping -c3 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.712 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=0.548 ms
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=0.598 ms
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.548/0.619/0.712/0.071 ms
3.5.2 On Windows
// Install open***
Run open***-2.0.9-install.exe on Windows
// Configure client.o***
Copy ca.crt, neta.crt and neta.key from the keys directory on the *** server into the config folder under your install directory, by default C:\Program Files\Open***\config
Then copy C:\Program Files\Open***\sample-config\client.o*** into the C:\Program Files\Open***\config directory
Edit client.o***
remote 192.168.57.71 1194
ca ca.crt
cert neta.crt
key neta.key
// Start open***
Run -> services.msc -> open***
// Virtual IP
// ping test
C:\Documents and Settings\zm>ping 10.8.0.1
Pinging 10.8.0.1 with 32 bytes of data:
Reply from 10.8.0.1: bytes=32 time=1ms TTL=64
Reply from 10.8.0.1: bytes=32 time=8ms TTL=64
Reply from 10.8.0.1: bytes=32 time=6ms TTL=64
Reply from 10.8.0.1: bytes=32 time=5ms TTL=64
Ping statistics for 10.8.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 8ms, Average = 5ms
3.6 Revoke a client certificate
Authentication between the Open*** server and *** clients is done mainly with certificates. When a user must be barred from connecting to the *** server, it is enough to revoke that user's Open*** client certificate.
// Enter the easy-rsa directory
- cd /usr/local/open***/easy-rsa/
// Load the global variables
- source vars
// Revoke the client certificate
- ./revoke-full netb
Using configuration from /usr/local/open***/easy-rsa/openssl.cnf
Revoking Certificate 03.
Data Base Updated
Using configuration from /usr/local/open***/easy-rsa/openssl.cnf
netb.crt: /C=CN/ST=BeiJing/O=test.com/CN=neta/[email protected]
error 23 at 0 depth lookup:certificate revoked
// After a successful revocation a crl.pem file is generated under keys/; open keys/index.txt and the revoked certificate's entry is now marked R
- tail -n1 keys/index.txt
R 221029013052Z 121101073207Z 03 unknown /C=CN/ST=BeiJing/O=test.com/CN=netb/[email protected]
// Add the crl-verify option on the server: edit server.conf and append the following:
crl-verify /usr/local/open***/easy-rsa/keys/crl.pem
// Restart the open*** server and the revocation takes effect
// open*** log
Thu Nov 1 15:52:46 2012 us=703814 192.168.4.157:1853 VERIFY OK: depth=1, /C=CN/ST=BeiJing/L=BeiJing/O=test.com/CN=CA/[email protected]
Thu Nov 1 15:52:46 2012 us=704003 192.168.4.157:1853 CRL CHECK FAILED: /C=CN/ST=BeiJing/O=test.com/CN=netb/[email protected] is REVOKED
Thu Nov 1 15:52:46 2012 us=704075 192.168.4.157:1853 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Thu Nov 1 15:52:46 2012 us=704087 192.168.4.157:1853 TLS Error: TLS object -> incoming plaintext read error
Thu Nov 1 15:52:46 2012 us=704095 192.168.4.157:1853 TLS Error: TLS handshake failed
Thu Nov 1 15:52:46 2012 us=704142 192.168.4.157:1853 SIGUSR1[soft,tls-error] received, client-instance restarting
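The PKI steps of section 2 and the revocation of 3.6 can be reproduced without easy-rsa. The block below is an added example (not the post's code): it builds a throwaway CA with plain openssl, signs a client certificate, and checks that certificate against ca.crt and crl.pem the way crl-verify makes the server do; the directory and client names (keys/, neta) follow the post, the minimal openssl config and the 2048-bit key size are assumptions of the example.

```shell
# Added example: throwaway PKI with plain openssl, mirroring easy-rsa's build-ca /
# build-key / revoke-full, then a chain + CRL check as crl-verify performs on connect.
set -e
WORK=$(mktemp -d) && cd "$WORK"
build_demo_pki() {
  mkdir keys && : > keys/index.txt && echo 01 > keys/serial   # what clean-all sets up
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = ./keys
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
policy = p
[ p ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
  # build-ca: self-signed root (2048-bit, not the post's 1024); build-key neta: CSR signed by it
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=CA -days 3650 \
    -config ca.cnf -keyout keys/ca.key -out keys/ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=neta -config ca.cnf \
    -keyout keys/neta.key -out keys/neta.csr 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -days 3650 -in keys/neta.csr \
    -out keys/neta.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -crldays 30 -out keys/crl.pem 2>/dev/null
}
# Prints OK, REVOKED or FAIL: chain check plus CRL lookup for one certificate
cert_status() {
  out=$(openssl verify -crl_check -CAfile keys/ca.crt -CRLfile keys/crl.pem "$1" 2>&1) \
    && { echo OK; return 0; }
  case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo FAIL ;; esac
}
# revoke-full equivalent: flag the entry R in index.txt and reissue crl.pem
revoke_client() {
  openssl ca -config ca.cnf -revoke "keys/$1.crt" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -crldays 30 -out keys/crl.pem 2>/dev/null
}
index_flag() { tail -n1 keys/index.txt | cut -f1; }   # V = valid, R = revoked
build_demo_pki; echo "fresh cert: $(cert_status keys/neta.crt) / $(index_flag)"
revoke_client neta; echo "after revoke-full: $(cert_status keys/neta.crt) / $(index_flag)"
```

Without the CRL the revoked certificate still verifies against ca.crt, which is exactly why the server needs crl-verify and a restart after each revocation.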
4. Case study: LAN-to-LAN based on Open***
Goal: use an Open*** server to connect two LANs across the Internet
4.1 Network topology:
4.2 Network parameters:
(Server room A) Server (GW1) network parameters:
eth0 192.168.57.71/24
eth1 10.0.100.71/24 (acts as the gateway of LAN1 in this example)
LAN1: 10.0.100.0/24
(Server room B) Client (GW2) network parameters:
eth0 192.168.4.35/24
eth1 10.0.2.35/24 (acts as the gateway of LAN2 in this example)
LAN2: 10.0.2.0/24
4.3 Server configuration:
// Modify the configuration file
- awk '! /^#|^$|^ |^;/' /usr/local/open***/etc/server.conf.l2l
local 192.168.57.71
port 1194
proto udp
dev tun
ca /usr/local/open***/easy-rsa/keys/ca.crt
cert /usr/local/open***/easy-rsa/keys/server.crt
key /usr/local/open***/easy-rsa/keys/server.key # This file should be kept secret
dh /usr/local/open***/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /usr/local/open***/logs/ipp.txt
push "route 10.0.100.0 255.255.255.0" # advertise the server-side LAN1 subnet to clients
client-config-dir /usr/local/open***/etc/ccd # read per-client configuration files from the ccd subdirectory; the peer's IP address can be specified there
route 10.0.2.0 255.255.255.0 # add a route on the server to the client-side LAN2 subnet
client-to-client # allow clients to reach each other
duplicate-cn # allow a client key to be reused by several connections
keepalive 10 120
comp-lzo
max-clients 100 # maximum number of concurrent connections
user open***
group open***
persist-key
persist-tun
status /usr/local/open***/logs/open***-status.log
log /usr/local/open***/logs/open***.log
verb 5
mute 20
// Configure ccd
- mkdir /usr/local/open***/etc/ccd
- vim /usr/local/open***/etc/ccd/neta
- chown -R open***.open*** .
// Enable forwarding
- sysctl -w net.ipv4.ip_forward=1
// Add an iptables rule
- iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
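Section 3.5 states that dev, proto, comp-lzo and fragment must agree on both ends, and section 4.3 relies on the ccd file to tell the server which client owns LAN2. As an added example (not the post's code), the two checks below lint a server/client pair for those directives and report any server-side route for a client LAN that no ccd file claims with an iroute line (iroute is the Open*** directive such a ccd file carries). The server.conf, client.conf and ccd/neta here are constructed fragments, with the client's dev deliberately set to tap so the first check has something to report.

```shell
# Added example: two consistency checks for the Lan2Lan configs of sections 4.3/4.4.
set -e
WORK=$(mktemp -d) && mkdir "$WORK/ccd"
# constructed fragments mirroring sections 4.3 and 4.4 (client dev changed to tap)
cat > "$WORK/server.conf" <<'EOF'
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.0.100.0 255.255.255.0"
client-config-dir ccd
route 10.0.2.0 255.255.255.0
comp-lzo
EOF
cat > "$WORK/client.conf" <<'EOF'
client
dev tap
proto udp
remote 192.168.57.71 1194
comp-lzo
EOF
printf 'iroute 10.0.2.0 255.255.255.0\n' > "$WORK/ccd/neta"   # assumed ccd/neta content
# value of a directive (first match, comments skipped): "set" if it has no argument
opt() { awk -v k="$2" '!/^[#;]/ && $1==k {print ($2==""?"set":$2); exit}' "$1"; }
# Prints one line per directive that differs between server and client configs
config_mismatches() {   # $1 = server.conf, $2 = client.conf
  for k in dev proto comp-lzo fragment; do
    s=$(opt "$1" "$k"); c=$(opt "$2" "$k")
    [ "${s:--}" = "${c:--}" ] || echo "$k: server=${s:--} client=${c:--}"
  done
}
# Prints every server "route" for which no ccd file carries a matching "iroute"
missing_iroutes() {   # $1 = server.conf, $2 = ccd dir
  awk '!/^[#;]/ && $1=="route" {print $2, $3}' "$1" | while read -r net mask; do
    grep -qsE "^[[:space:]]*iroute[[:space:]]+$net[[:space:]]+$mask" "$2"/* \
      || echo "route $net $mask: no iroute in $2"
  done
}
config_mismatches "$WORK/server.conf" "$WORK/client.conf"   # dev: server=tun client=tap
missing_iroutes "$WORK/server.conf" "$WORK/ccd"              # prints nothing: route is claimed
```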
4.4 Client configuration:
// Modify the configuration file
- awk '! /^#|^$|^ |^;/' /etc/open***/neta/client.conf
client
dev tun
proto udp
remote 192.168.57.71 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/open***/neta/ca.crt
cert /etc/open***/neta/neta.crt
key /etc/open***/neta/neta.key
comp-lzo
verb 3
status /var/log/open***-status.log
log /var/log/open***.log
mute 20
// Enable forwarding
- sysctl -w net.ipv4.ip_forward=1
// Add an iptables rule
- iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
// Virtual IP
- ip add show tun0
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.8.0.2 peer 10.8.0.1/32 scope global tun0
4.5 Testing
(Server room B) 10.0.2.36 -> (Server room A) 10.0.100.82
(Server room A) 10.0.100.61 -> (Server room B) 10.0.2.36
5. Discussion: why go to the trouble of configuring open*** instead of using pptpd?
When NAT meets PPTP
http://www.linuxidc.com/Linux/2012-08/67884.htm
NAT and GRE
http://blog.sina.com.cn/s/blog_5612993e0100mnjq.html