open***搭建


第1章 環境說明:

[root@daya-03 system]# systemctl status firewalld.service

firewalld.service - firewalld - dynamic firewall daemon

   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)

   Active: inactive (dead)

 

[root@daya-03 ~]# getenforce

Permissive

 

[root@daya-03 system]# echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
（追加到 /etc/sysctl.conf 後需執行 sysctl -p 才會生效，否則下一步 cat 到的值不會改變）

[root@daya-03 system]# cat /proc/sys/net/ipv4/ip_forward

第2章 mysql建庫建表

mysql> CREATE DATABASE IF NOT EXISTS open*** DEFAULT CHARSET utf8;

 

***用戶的密碼不可以設置特殊字符,不然pam-mysql的插件無法識別!

mysql> GRANT ALL PRIVILEGES ON open***.* TO ***@'%' IDENTIFIED BY '123456';

 

mysql> CREATE TABLE IF NOT EXISTS user (

    -> username char(32) COLLATE utf8_unicode_ci NOT NULL,

    -> password char(128) COLLATE utf8_unicode_ci DEFAULT NULL,

    -> active int(10) NOT NULL DEFAULT 1,

    -> creation timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,

    -> PRIMARY KEY (username)

-> ) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

第3章 安裝依賴

yum install pam_krb5 pam pam-devel cyrus-sasl -y

3.1啓動saslauthd服務

[root@daya-03 system]# saslauthd -a pam

3.2 配置pam配置文件

# Writes the PAM service file "open***" that both saslauthd (testsaslauthd -s open***)
# and the open***-auth-pam plugin (plugin ... open***-auth-pam.so open***) authenticate against.
# Both entries embed the MySQL account password in clear text, so keep the file owned by
# root and not world-readable if the host has other local users.
# crypt=1 means the password column must hold crypt(3) hashes (see the comment lines
# below for the 0/1/2 meanings); plaintext passwords in the table will not match.
cat >/etc/pam.d/open*** <<EOF

auth sufficient /lib64/security/pam_mysql.so user=*** passwd=123456 host=10.211.55.8 db=open*** table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1

account required /lib64/security/pam_mysql.so user=*** passwd=123456 host=10.211.55.8 db=open*** table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1 

#crypt(0) -- Used to decide to use MySQL's PASSWORD() function or crypt() 

#0 = No encryption. Passwords in database in plaintext. NOT recommended! 

#1 = Use crypt  

#2 = Use MySQL PASSWORD() function

EOF

第4章 編譯安裝pam_mysql.so

[root@daya-03 pam.d]# wget http://www.huzs.net/soft/vsftpd/pam_mysql-0.7RC1.tar.gz

[root@daya-03 ~]# tar xf pam_mysql-0.7RC1.tar.gz

[root@daya-03 ~]# cd pam_mysql-0.7RC1/

[root@daya-03 pam_mysql-0.7RC1]# ./configure --with-openssl --with-pam-mods-dir=/lib64/security/

[root@daya-03 pam_mysql-0.7RC1]# make && make install

4.1進行測試

testsaslauthd -u test -p 123456 -s open***

第5章 編譯open***-auth-pam.so

5.1安裝open***

yum install open*** -y

5.2正確下載源碼包:http://swupdate.open***.org/community/releases/open***-2.0.9.tar.gz

tar xf open***-2.0.9.tar.gz

cd open***-2.0.9/plugin/auth-pam/

make

cp open***-auth-pam.so /etc/open***/

第6章 生成證書

6.1安裝easy-rsa

[root@daya-03 ~]# wget https://github.com/Open×××/easy-rsa/archive/master.zip

[root@daya-03 ~]# unzip master.zip

[root@daya-03 ~]# cd easy-rsa-master/easyrsa3/

6.2編輯vars文件內容

[root@daya-03 easyrsa3]# cp vars.example vars

[root@daya-03 easyrsa3]# cat vars

set_var EASYRSA_REQ_COUNTRY     "CN"

set_var EASYRSA_REQ_PROVINCE    "SH"

set_var EASYRSA_REQ_CITY        "Hangzhou"

set_var EASYRSA_REQ_ORG         "*******"

set_var EASYRSA_REQ_EMAIL       "[email protected]"

set_var EASYRSA_REQ_OU          "Technology department"

6.3創建證書

[root@daya-03 easyrsa3]# ./easyrsa init-pki

[root@daya-03 easyrsa3]# ./easyrsa build-ca

 

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

 

Enter New CA Key Passphrase: 輸入密碼

Re-Enter New CA Key Passphrase:確認密碼

Generating RSA private key, 2048 bit long modulus

....................................+++

.................................................................+++

e is 65537 (0x10001)

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Common Name (eg: your user, host, or server name) [ChangeMe]:***

 

CA creation complete and you may now import and sign cert requests.

Your new CA certificate file for publishing is at:

/root/easy-rsa-master/easyrsa3/pki/ca.crt

 

[root@daya-03 easyrsa3]# ./easyrsa gen-req server nopass

 

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Generating a 2048 bit RSA private key

........+++

..........................+++

writing new private key to '/root/easy-rsa-master/easyrsa3/pki/private/server.key.POy2Bx99ED'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Common Name (eg: your user, host, or server name) [server]: #      這裏直接回車

 

Keypair and certificate request completed. Your files are:

req: /root/easy-rsa-master/easyrsa3/pki/reqs/server.req

key: /root/easy-rsa-master/easyrsa3/pki/private/server.key

 

[root@daya-03 easyrsa3]# ./easyrsa sign server server

 

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

 

 

You are about to sign the following certificate.

Please check over the details shown below for accuracy. Note that this request

has not been cryptographically verified. Please be sure it came from a trusted

source or that you have verified the request checksum with the sender.

 

Request subject, to be signed as a server certificate for 1080 days:

 

subject=

    commonName                = server

 

 

Type the word 'yes' to continue, or any other input to abort.

  Confirm request details: yes

Using configuration from /root/easy-rsa-master/easyrsa3/pki/safessl-easyrsa.cnf

Enter pass phrase for /root/easy-rsa-master/easyrsa3/pki/private/ca.key: 上面輸入的密碼

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

commonName            :ASN.1 12:'server'

Certificate is to be certified until Feb  4 19:14:19 2022 GMT (1080 days)

 

Write out database with 1 new entries

Data Base Updated

 

Certificate created at: /root/easy-rsa-master/easyrsa3/pki/issued/server.crt

6.4創建diffie-hellman

[root@daya-03 easyrsa3]# ./easyrsa gen-dh

6.5將需要的證書拷貝到open***目錄下

[root@daya-03 easyrsa3]# cd pki/

[root@daya-03 pki]# mkdir /etc/open***/keys

[root@daya-03 pki]# cp ca.crt /etc/open***/keys/

[root@daya-03 pki]# cp issued/server.crt /etc/open***/keys/

[root@daya-03 pki]# cp private/server.key /etc/open***/keys/

[root@daya-03 pki]# cp dh.pem /etc/open***/keys/

第7章 配置open***

7.1創建服務端配置文件

[root@daya-03 pki]# mkdir /var/log/open***

[root@daya-03 open***]# cat server.conf

local 0.0.0.0

port 1194

proto tcp

dev tun

ca keys/ca.crt

cert keys/server.crt

key keys/server.key

dh keys/dh.pem

server 10.0.0.0 255.255.0.0

push "route 172.16.0.0 255.255.255.0"

push "route 10.0.0.0 255.0.0.0"

push "route 100.104.231.74 255.255.255.255"

push "redirect-gateway def1"

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 172.16.2.1"

push "dhcp-option DNS 223.5.5.5"

ifconfig-pool-persist ipp.txt

client-to-client

keepalive 20 60

cipher AES-128-CBC

max-clients 2048

persist-key

persist-tun

plugin /etc/open***/open***-auth-pam.so open***

verify-client-cert none

username-as-common-name

status open***-status.log

log         /var/log/open***/open***.log

script-security 3

verb 3

client-cert-not-required

7.2創建客戶端配置文件

[root@daya-03 client]# cat client.conf

client

dev tun

proto tcp

remote <***服務端公網地址> 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

ns-cert-type server

;tls-auth ta.key 1

verb 3

cipher AES-128-CBC

auth-user-pass

script-security 3

第8章 配置iptables轉發

iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT

iptables -A INPUT -i tun0 -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -t nat -A POSTROUTING -s <ifconfig tun0 的網段地址> -j SNAT --to-source <本地內網地址>

 
