第1章 環境說明（注意：此環境已停用 firewalld、SELinux 設為 Permissive，主機自身的防護因此降低；正式環境建議保留 SELinux enforcing，並只開放第8章 iptables 規則所需的 1194/tcp。）:
[root@daya-03 system]# systemctl status firewalld.service
●firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
[root@daya-03 ~]# getenforce
Permissive
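# Enable IPv4 forwarding so the server can route traffic for VPN clients.
# The original appended "net.ipv4.ip_forword=1" (typo): the kernel ignores an
# unknown key, so forwarding was never actually switched on, and sysctl.conf is
# only read at boot/reload anyway — apply the setting now as well.
grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=1
cat /proc/sys/net/ipv4/ip_forward   # should print 1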
第2章 mysql建庫建表
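-- Database holding the VPN user table (utf8 kept to match the table below).
CREATE DATABASE IF NOT EXISTS open*** DEFAULT CHARSET utf8;

-- Account used by pam_mysql. Keep the password free of characters the PAM
-- option string cannot carry (spaces, quotes, '='): the same value is written
-- literally as passwd=... in /etc/pam.d/open***. Replace '123456' with a strong
-- password in both places.
-- CREATE USER + GRANT is used instead of "GRANT ... IDENTIFIED BY", which newer
-- MySQL releases no longer accept.
CREATE USER ***@'%' IDENTIFIED BY '123456';

CREATE TABLE IF NOT EXISTS open***.user (
  username char(32)  COLLATE utf8_unicode_ci NOT NULL,
  -- crypt(3)-format hash (crypt=1 in the PAM config); never store plaintext here.
  password char(128) COLLATE utf8_unicode_ci DEFAULT NULL,
  active   int(10)   NOT NULL DEFAULT 1,          -- pam_mysql filters on where=active=1
  creation timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (username)
) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

-- Least privilege: with sqllog=0 the module only reads this table, so SELECT on
-- it is enough (the original granted ALL on the whole database). '%' accepts the
-- login from any host — narrow it to the VPN server's address once known.
GRANT SELECT ON open***.user TO ***@'%';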
第3章 安裝依賴
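# pam/pam-devel: headers for building pam_mysql (chapter 4); cyrus-sasl: the
# saslauthd/testsaslauthd pair used in 3.1/4.1 to exercise the PAM service.
# pam_krb5 is kept from the original list, but nothing in this page uses it.
# NOTE: the original used an en-dash ("–y"), which yum treats as a package
# name rather than the -y flag.
# pam_mysql's ./configure also needs the MySQL client headers (mysql-devel /
# mariadb-devel) — add them here if they are not already installed.
yum install -y pam_krb5 pam pam-devel cyrus-sasl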
3.1啓動saslauthd服務
# Start saslauthd with the PAM mechanism. It is only used here so that
# testsaslauthd (4.1) can exercise /etc/pam.d/open*** end to end; the VPN
# daemon itself talks to PAM through its plugin, not through saslauthd.
# Started by hand like this it will not survive a reboot — use the distro's
# saslauthd service unit for a permanent setup.
saslauthd -a pam
3.2 配置pam配置文件
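# PAM service "open***" backed by pam_mysql (module built in chapter 4).
# The file carries the MySQL credentials in clear text, so it must not be
# world-readable: write it under a restrictive umask and lock it to root.
# The heredoc delimiter is quoted so nothing inside is shell-expanded.
( umask 077; cat >/etc/pam.d/open*** <<'EOF'
# "required" rather than "sufficient": a failed lookup cannot be skipped, and the
# stack fails closed if further modules are ever added after this line.
auth required /lib64/security/pam_mysql.so user=*** passwd=123456 host=10.211.55.8 db=open*** table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1
account required /lib64/security/pam_mysql.so user=*** passwd=123456 host=10.211.55.8 db=open*** table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1
#crypt(0) -- Used to decide to use MySQL's PASSWORD() function or crypt()
#0 = No encryption. Passwords in database in plaintext. NOT recommended!
#1 = Use crypt -- the "password" column must then hold crypt(3)-format hashes
#2 = Use MySQL PASSWORD() function
# user=/passwd= are the same credentials granted in chapter 2; change both together.
EOF
)
chown root:root /etc/pam.d/open***
chmod 600 /etc/pam.d/open***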
第4章 編譯安裝pam_mysql.so
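# Build pam_mysql from source.
# SECURITY: the tarball is pulled over plain HTTP from a third-party mirror with
# no signature or checksum verification, so an on-path attacker or a compromised
# mirror could hand us a trojaned PAM module that sees every VPN password.
# Prefer the project's own release archive and its published checksum/signature;
# at minimum record the hash and compare it against a trusted reference before
# running make install.
wget http://www.huzs.net/soft/vsftpd/pam_mysql-0.7RC1.tar.gz
sha256sum pam_mysql-0.7RC1.tar.gz   # compare against a trusted reference first
tar xf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1/ || exit 1
# --with-pam-mods-dir must match the module path used in /etc/pam.d/open***.
./configure --with-openssl --with-pam-mods-dir=/lib64/security/ || exit 1
make && make install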
4.1進行測試
# End-to-end check of the PAM service through saslauthd: "open***" is the
# service name (= /etc/pam.d/open***); user "test" must exist in the user
# table with active=1 and a crypt(3) hash of the password (crypt=1).
# The password is visible in shell history and `ps` while this runs —
# use a throwaway account for the test.
testsaslauthd -s open*** -u test -p 123456
第5章 編譯open***-auth-pam.so
5.1安裝open***
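# Install the packaged daemon. NOTE: the original used an en-dash ("–y"),
# which yum treats as a package name rather than the -y flag.
# The package may already ship an auth-pam plugin; check its file list before
# building one from the much older source tree in 5.2.
yum install -y open***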
5.2正確下載源碼包:http://swupdate.open***.org/community/releases/open***-2.0.9.tar.gz（注意：此連結為明文 HTTP，且 2.0.9 與 5.1 節以 yum 安裝的版本並不相同，這裡只拿它來編譯 auth-pam 外掛；下載後請核對官方公布的簽章或雜湊值，並確認編譯出的外掛能被已安裝的 open*** 載入。）
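# Build the auth-pam plugin from the 2.0.9 source tree.
# NOTE: the daemon installed by yum in 5.1 is very likely a different version
# than these sources; a plugin compiled against an older plugin API may fail to
# load or misbehave — confirm the daemon accepts it. Verify the tarball's
# signature/hash before building: the download link in 5.2 is plain HTTP.
tar xf open***-2.0.9.tar.gz
cd open***-2.0.9/plugin/auth-pam/ || exit 1
make || exit 1
cp open***-auth-pam.so /etc/open***/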
第6章 生成證書
6.1安裝easy-rsa
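# Fetch easy-rsa 3. "master.zip" is an unpinned, unsigned snapshot of the
# default branch: it can change under you and cannot be verified. Prefer a
# tagged release archive and check its published hash before use.
wget https://github.com/Open×××/easy-rsa/archive/master.zip
unzip master.zip
# The original had a stray space ("easy-rsa-master/ easyrsa3/"), which makes
# cd fail with "too many arguments".
cd easy-rsa-master/easyrsa3/ || exit 1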
6.2編輯vars文件內容
# vars holds the DN defaults easy-rsa reads ("using Easy-RSA configuration
# from: ./vars" in the output below) for the CA and the requests it signs.
# Start from the shipped example and edit only the fields that matter.
[root@daya-03 easyrsa3]# cp vars.example vars
[root@daya-03 easyrsa3]# cat vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "SH"
set_var EASYRSA_REQ_CITY "Hangzhou"
set_var EASYRSA_REQ_ORG "*******"
# NOTE(review): the address below is a redaction artifact from the page, not a real value.
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "Technology department"
6.3創建證書（注意：以下 CA 直接建立在 VPN 伺服器上；pki/private/ca.key 能簽發任意憑證，切勿複製到 /etc/open***/keys，build-ca 時輸入的密碼也要妥善保管。server 金鑰以 nopass 產生、沒有密碼保護，只能靠檔案權限限制讀取。）
[root@daya-03 easyrsa3]# ./easyrsa init-pki
[root@daya-03 easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: 輸入密碼
Re-Enter New CA Key Passphrase:確認密碼
Generating RSA private key, 2048 bit long modulus
....................................+++
.................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [ChangeMe]:***
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/easy-rsa-master/easyrsa3/pki/ca.crt
[root@daya-03 easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
........+++
..........................+++
writing new private key to '/root/easy-rsa-master/easyrsa3/pki/private/server.key.POy2Bx99ED'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: # 這裏直接回車
Keypair and certificate request completed. Your files are:
req: /root/easy-rsa-master/easyrsa3/pki/reqs/server.req
key: /root/easy-rsa-master/easyrsa3/pki/private/server.key
[root@daya-03 easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /root/easy-rsa-master/easyrsa3/pki/safessl-easyrsa.cnf
Enter pass phrase for /root/easy-rsa-master/easyrsa3/pki/private/ca.key: 上面輸入的密碼
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Feb 4 19:14:19 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /root/easy-rsa-master/easyrsa3/pki/issued/server.crt
6.4創建diffie-hellman
# Generate the Diffie-Hellman parameters referenced by "dh keys/dh.pem" in
# server.conf (written to pki/dh.pem). This step can take several minutes.
./easyrsa gen-dh
6.5將需要的證書拷貝到open***目錄下
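# Install only what the server needs, with explicit permissions.
# ca.key stays in the PKI directory: the server never needs the CA private key.
cd pki/ || exit 1
install -d -m 700 /etc/open***/keys
install -m 644 ca.crt             /etc/open***/keys/
install -m 644 issued/server.crt  /etc/open***/keys/
# server.key was generated with "nopass"; file permissions are its only protection.
install -m 600 private/server.key /etc/open***/keys/
install -m 644 dh.pem             /etc/open***/keys/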
第7章 配置open***
7.1創建服務端配置文件
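# Log directory for "log /var/log/open***/open***.log"; -p makes this re-runnable.
mkdir -p /var/log/open***
# server.conf lives in /etc/open***; its relative paths (keys/, ipp.txt, the
# status log) resolve from there.
cat /etc/open***/server.conf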
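# Listen on all addresses, TCP/1194 (client.conf and the chapter 8 iptables
# rule both assume tcp/1194).
local 0.0.0.0
port 1194
proto tcp
dev tun
# Paths are relative to /etc/open*** (where 6.5 installed the keys directory).
# ca.key is deliberately absent: the server never needs the CA private key.
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh.pem
# Control-channel HMAC (strongly recommended here, because clients present no
# certificate): packets without a valid HMAC are dropped before any TLS work.
# To enable: openvpn --genkey --secret keys/ta.key, copy ta.key to every
# client, then uncomment this line and "tls-auth ta.key 1" in client.conf.
;tls-auth keys/ta.key 0
# VPN pool 10.0.0.0/16; the chapter 8 NAT rule must cover exactly this range.
server 10.0.0.0 255.255.0.0
push "route 172.16.0.0 255.255.255.0"
push "route 10.0.0.0 255.0.0.0"
push "route 100.104.231.74 255.255.255.255"
# Full tunnel. The original pushed redirect-gateway twice; a single directive
# with bypass-dhcp is enough (it keeps the client's local DHCP reachable).
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.16.2.1"
push "dhcp-option DNS 223.5.5.5"
ifconfig-pool-persist ipp.txt
# Lets VPN clients reach each other directly, bypassing the host firewall for
# that traffic — remove it if clients only need the pushed internal networks.
client-to-client
keepalive 20 60
# Must match client.conf. AES-128-CBC is not an AEAD cipher; on releases that
# support it, prefer an AEAD cipher such as AES-256-GCM (change both sides).
cipher AES-128-CBC
max-clients 2048
# Drop root after the listener, keys, tun device and log files are open;
# persist-key/persist-tun keep them usable across restarts without root.
# The auth-pam plugin is meant to keep working after the drop — confirm with
# the installed version.
user nobody
group nobody
persist-key
persist-tun
# Username/password through PAM service "open***" (/etc/pam.d/open*** -> pam_mysql).
plugin /etc/open***/open***-auth-pam.so open***
# No client certificate is checked, so the PAM password is the only client
# authentication — which is why tls-auth above and strong passwords matter.
# The older equivalent "client-cert-not-required" was also present; it is
# deprecated (and removed in later releases), so only this form is kept.
verify-client-cert none
username-as-common-name
status open***-status.log
log /var/log/open***/open***.log
# "script-security 3" (passwords to scripts via the environment) was dropped:
# nothing here runs a script, and the PAM plugin is not governed by it.
# Re-add it (level 2 normally suffices) only if an up/down or auth script is added.
verb 3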
7.2創建客戶端配置文件
[root@daya-03 client]# cat client.conf
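client
dev tun
proto tcp
# Replace with the server's public address; host and port are separate words
# (the original ran them together).
remote ***服務端公網地址 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
# Verify the server certificate by its TLS server role (extended key usage),
# which easy-rsa 3 sets when signing with "sign server". The previous
# "ns-cert-type server" is deprecated and checks the nsCertType extension,
# which easy-rsa 3 does not emit by default — so it would reject this server.
remote-cert-tls server
# Control-channel HMAC. Keep commented until the server has
# "tls-auth keys/ta.key 0" and ta.key has been copied here, then enable it:
# without it anyone who can reach port 1194 can start a TLS handshake, since
# no client certificate is required.
;tls-auth ta.key 1
verb 3
# Must match the server's cipher.
cipher AES-128-CBC
# Prompt for the PAM username/password; auth-nocache stops the client from
# keeping the typed password in memory for reconnects (it will prompt again).
auth-user-pass
auth-nocache
# "script-security 3" was dropped: no script is configured on the client.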
第8章 配置iptables轉發
iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -t nat -A POSTROUTING -s #ifconfigtun0的網段地址 -j SNAT --to-source #本地內網地址