環境:CentOS Linux release 7.4.1708 (Core)
查看版本命令
[root@open***_server ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
由於被禁止某些關鍵詞 *** 請自行替換成
安裝階段
1. 添加源
//採用阿里雲yum源
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum makecache
2. 安裝open***
yum upgrade -y // 更新源
yum install epel-release -y //安裝epel庫
yum -y install open*** easy-rsa tree
http://www.cnblogs.com/airoot/p/7252987.html
生成open***必備文件
//由於yum安裝是 easy-rsa-3.0.3的版本
[root@open***_server ~]# cp -r /usr/share/easy-rsa/ /etc/open***/easy-rsa
[root@open***_server ~]# cd /etc/open***/easy-rsa/
[root@open***_server easy-rsa]# \rm 3 3.0
[root@open***_server easy-rsa]# cd 3.0.3/
[root@open***_server 3.0.3]# find / -type f -name "vars.example"|xargs -i cp {} . && mv vars.example vars
[root@open***_server 3.0.3]# tree
.
├── easyrsa
├── openssl-1.0.cnf
├── vars
└── x509-types
├── ca
├── client
├── COMMON
├── san
└── server
1 directory, 8 files
說明:
正常來說easy-rsa-3.0.3安裝完之後,vars.example文件在/usr/share/doc/easy-rsa-3.0.3/目錄
創建一個新的PKI和CA
[root@open***_server 3.0.3]# ./easyrsa init-pki // 創建空的pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open***/easy-rsa/3.0.3/pki
[root@open***_server 3.0.3]# ./easyrsa build-ca nopass // 創建新的CA,不使用密碼
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.....+++
.......+++
writing new private key to '/etc/open***/easy-rsa/3.0.3/pki/private/ca.key.6Ryg6BLitj'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: // 回車
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/open***/easy-rsa/3.0.3/pki/ca.crt
創建服務端證書
[root@open***_server 3.0.3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................+++
...........................................................................................................................................+++
writing new private key to '/etc/open***/easy-rsa/3.0.3/pki/private/server.key.kRVHzlQXCA'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: // 回車
Keypair and certificate request completed. Your files are:
req: /etc/open***/easy-rsa/3.0.3/pki/reqs/server.req
key: /etc/open***/easy-rsa/3.0.3/pki/private/server.key
簽約服務端證書
[root@open***_server 3.0.3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Dec 16 09:26:51 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/open***/easy-rsa/3.0.3/pki/issued/server.crt
創建Diffie-Hellman
[root@open***_server 3.0.3]# ./easyrsa gen-dh
...................................................................++*++*
DH parameters of size 2048 created at /etc/open***/easy-rsa/3.0.3/pki/dh.pem
到這裏服務端的證書就創建完了,然後創建客戶端的證書。
創建客戶端證書
複製文件
[root@open***_server 3.0.3]# cp -r /usr/share/easy-rsa/ /etc/open***/client/easy-rsa
[root@open***_server 3.0.3]# cd /etc/open***/client/easy-rsa/
[root@open***_server easy-rsa]# \rm 3 3.0
[root@open***_server easy-rsa]# cd 3.0.3/
[root@open***_server 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars[root@open***_server 3.0.3]# tree
.
├── easyrsa
├── openssl-1.0.cnf
├── vars
└── x509-types
├── ca
├── client
├── COMMON
├── san
└── server
1 directory, 8 files
生成證書
[root@open***_server 3.0.3]# pwd
/etc/open***/client/easy-rsa/3.0.3
[root@open***_server 3.0.3]# ./easyrsa init-pki # 創建新的pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open***/client/easy-rsa/3.0.3/pki
[root@open***_server 3.0.3]# ./easyrsa gen-req dalin nopass # 客戶證書名爲大林,木有密碼
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.....................................................................+++
...+++
writing new private key to '/etc/open***/client/easy-rsa/3.0.3/pki/private/dalin.key.CM1elrdSOe'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [dalin]: // 回車
Keypair and certificate request completed. Your files are:
req: /etc/open***/client/easy-rsa/3.0.3/pki/reqs/dalin.req
key: /etc/open***/client/easy-rsa/3.0.3/pki/private/dalin.key
最後簽約客戶端證書
[root@open***_server 3.0.3]# cd /etc/open***/easy-rsa/3.0.3/
[root@open***_server 3.0.3]# pwd
/etc/open***/easy-rsa/3.0.3
[root@open***_server 3.0.3]# ./easyrsa import-req /etc/open***/client/easy-rsa/3.0.3/pki/reqs/dalin.req dalin
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: dalin
You may now use this name to perform signing operations on this request.
[root@open***_server 3.0.3]# ./easyrsa sign client dalin
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = dalin
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'dalin'
Certificate is to be certified until Dec 16 09:40:38 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/open***/easy-rsa/3.0.3/pki/issued/dalin.crt
整理證書
現在所有的證書都已經生成完了,下面來整理一下。
服務端所需要的文件
[root@open***_server 3.0.3]# mkdir /etc/open***/certs
[root@open***_server 3.0.3]# cd /etc/open***/certs/
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/dh.pem .
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/ca.crt .
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/issued/server.crt .
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/private/server.key .
[root@open***_server certs]# ll
總用量 20
-rw------- 1 root root 1172 12月 19 17:51 ca.crt
-rw------- 1 root root 424 12月 19 17:51 dh.pem
-rw------- 1 root root 4552 12月 19 17:51 server.crt
-rw------- 1 root root 1708 12月 19 17:51 server.key
客戶端所需的文件
[root@open***_server certs]# mkdir /etc/open***/client/dalin/
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/ca.crt /etc/open***/client/dalin/
[root@open***_server certs]# cp /etc/open***/easy-rsa/3.0.3/pki/issued/dalin.crt /etc/open***/client/dalin/
[root@open***_server certs]# cp /etc/open***/client/easy-rsa/3.0.3/pki/private/dalin.key /etc/open***/client/dalin/
[root@open***_server certs]# ll /etc/open***/client/dalin/
總用量 16
-rw------- 1 root root 1172 12月 19 17:51 ca.crt
-rw------- 1 root root 4431 12月 19 17:51 dalin.crt
-rw------- 1 root root 1704 12月 19 17:52 dalin.key
服務器配置文件
vim /etc/open***/server.conf
local 192.168.1.113
port 1194
proto tcp
dev tun
ca /etc/open***/certs/ca.crt
cert /etc/open***/certs/server.crt
key /etc/open***/certs/server.key
dh /etc/open***/certs/dh.pem
ifconfig-pool-persist /etc/open***/ipp.txt
server 17.166.221.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 20 120
comp-lzo
#duplicate-cn
user open***
group open***
persist-key
persist-tun
status open***-status.log
log-append open***.log
verb 1
mute 20
啓動服務
systemctl start open***@server
配置iptables及轉發
[root@open***_server open***]# iptables -t nat -A POSTROUTING -s 17.166.221.0/24 -o ens34 -j MASQUERADE
注意,12.166的那個換成自己的客戶端hdcp我的eth0是內網網卡,eth1是外網網卡。這條策略是將所有的12.166.221.0網段的包轉發給eth0
iptables保存配置文件
[root@open***_server open***]# echo "1" >/proc/sys/net/ipv4/ip_forward # 打開路由轉發
// 會把規則保存到/etc/sysconfig/iptables # 開機加載
[root@open***_server open***]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 確定 ]
[root@open***_server ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 17.166.221.0/24 0.0.0.0/0
ping 不通解決方法 添加規則,允許tun0網卡進行FORWARD,兩條規則。
前提是看FORWARD鏈,如果發現這一個,就還需要添加FORWARD規則。
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
就需要添加如下兩條規則:
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -L -n
測試後發現客戶端連接不能上網
刪除nat規則
iptables -t nat -D POSTROUTING 1
iptables -t nat -A POSTROUTING -s 17.166.221.0/24 -j MASQUERADE
service iptables save # 保存
測試後可以客戶端可以上網,但是走的線路是內網線路上網。
重啓open***,然後ifconfig 看一下,會多一個tun0虛擬網卡
[root@open***_server open***]# systemctl restart open***@server
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 17.166.221.1 netmask 255.255.255.255 destination 17.166.221.2
inet6 fe80::d8:689a:a01d:8d71 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1 bytes 48 (48.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
客戶端配置
# Linux客戶端直接 上面的open×××安裝一遍,就可以用了
# client.o***
client #這個不能改
proto tcp #要與server.conf一致
dev tun #要與server.conf一致
remote 主機外網IP 12306
ca ca.crt
cert dalin.crt
key dalin.key #對應所下載的證書
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo
#user open***
#group open***
persist-key
persist-tun
status open***-status.log
log-append open***.log
verb 3
mute 20
# 測試Windows 可以連接
open*** --config client.o*** &