open***安装配置小结

1.         下载并安装

cd /usr/local/src

wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz

wget http://open***.net/release/open***-2.1_rc22.tar.gz

tar zxvf lzo-2.04.tar.gz

cd lzo-2.04

./configure && make && make install

tar zxvf open***-2.1_rc22.tar.gz

cd open***-2.1_rc22

./configure && make && make install

whereis open***   查看安装目录

 

2.         服务器端设置：

cd /usr/local/src/open***-2.1_rc22/easy-rsa/2.0/

编辑所需的参数(能够默认)

vi vars

export KEY_COUNTRY="CN"

export KEY_PROVINCE="SH"

export KEY_CITY="Shanghai"

export KEY_ORG="open***"

export KEY_EMAIL="tony@abc.com"

source ./vars

 

下面这个命令在第一次安装时能够运行，之后在添加客户端时千万别运行，这个命令会清除全部已经生成的

证书密钥。

./clean-all

生成服务器端ca证书

./build-ca

生成服务器端密钥证书, 后面这个server-name就是服务器名，能够自定义。

./build-server-key shidc

一路Enter以后确认Y,证书生成。

生成 diffie hellman 参数

./build-dh

 

生成所需客户端证书密钥文件：

./build-key tony

 

3.         Open×××安全增强：

在Open×××的配置文件中，tls-auth指令能够为SSL/TLS协议的handshake数据包添加HMAC签名，任何未通过签名验正的UDP包都会被丢弃，这就将SSL/TLS的安全提高了一个级别。它能够为Open×××的UDP提供防止DoS或端口洪泛***、避开对Open×××监听端口的扫描及防止缓冲区溢出等安全特性。

 

开启tls-auth功能须要用到一个预共享密钥，此密钥常常跟证书等文件一块儿存放。此预共享密钥可使用下面的命令生成：

/usr/local/src/open***-2.1_rc22/open*** --genkey --secret ta.key

 

然后在服务器端的配置文件中启用以下指令：
tls-auth ta.key 0

 

客户端的配置文件启用以下指令：
tls-auth ta.key 1

 

4.         建立并编辑服务器端配置文件

mkdir –p /etc/open***/serverkeys

cp /usr/local/src/open***-2.1_rc22/sample-config-files/server.conf /etc/open***/

cd /usr/local/src/open***-2.1_rc22/easy-rsa/2.0/keys/

cp ca.crt dh1024.pem  shidc.crt  shidc.csr  shidc.key  /etc/open***/serverkeys

cp /usr/local/src/open***-2.1_rc22/ta.key /etc/open***/serverkeys

vi /etc/open***/server.conf 修改如下几项

 

ca /etc/open***/serverkeys/ca.crt

cert /etc/open***/serverkeys/shidc.crt

key  /etc/open***/serverkeys/shidc.key

dh /etc/open***/serverkeys/dh1024.pem

tls-auth /etc/open***/serverkeys/ta.key 0

 

5.         修改完成以后,编辑启动文件

vi /etc/init.d/open***

 

open***=""
open***_locations="/usr/sbin/open*** /usr/local/sbin/open***"
for location in $open***_locations
do
  if [ -f "$location" ]
  then
    open***=$location
  fi
done

lock="/var/lock/subsys/open***"

piddir="/var/run/open***"

work=/etc/open***

. /etc/rc.d/init.d/functions

. /etc/sysconfig/network

if [ ${NETWORKING} = "no" ]
then
  echo "Networking is down"
  exit 0
fi

if ! [ -f  $open*** ]
then
  echo "open*** binary not found"
  exit 0
fi

case "$1" in
  start)
        echo -n $"Starting open***: "

        /sbin/modprobe tun >/dev/null 2>&1

        # From a security perspective, I think it makes
        # sense to remove this, and have users who need
        # it explictly enable in their --up scripts or
        # firewall setups.

        #echo 1 > /proc/sys/net/ipv4/ip_forward

        # Run startup script, if defined
        if [ -f $work/open***-startup ]; then
            $work/open***-startup
        fi

        if [ ! -d  $piddir ]; then
            mkdir $piddir
        fi

        if [ -f $lock ]; then
            # we were not shut down correctly
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
              if [ -s $pidf ]; then
                kill `cat $pidf` >/dev/null 2>&1
              fi
              rm -f $pidf
            done
            rm -f $lock
            sleep 2
        fi

        rm -f $piddir/*.pid
        cd $work

        # Start every .conf in $work and run .sh if exists
        errors=0
        successes=0
        for c in `/bin/ls *.conf 2>/dev/null`; do
            bn=${c%%.conf}
            if [ -f "$bn.sh" ]; then
                . $bn.sh
            fi
            rm -f $piddir/$bn.pid
            $open*** --daemon --writepid $piddir/$bn.pid --config $c --cd $work
            if [ $? = 0 ]; then
                successes=1
            else
                errors=1
            fi
        done

        if [ $errors = 1 ]; then
            failure; echo
        else
            success; echo
        fi

        if [ $successes = 1 ]; then
            touch $lock
        fi
        ;;
  stop)
        echo -n $"Shutting down open***: "
        for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
          if [ -s $pidf ]; then
            kill `cat $pidf` >/dev/null 2>&1
          fi
          rm -f $pidf
        done

        # Run shutdown script, if defined
        if [ -f $work/open***-shutdown ]; then
            $work/open***-shutdown
        fi

        success; echo
        rm -f $lock
        ;;
  restart)
        $0 stop
        sleep 2
        $0 start
        ;;
  reload)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -HUP `cat $pidf` >/dev/null 2>&1
                fi
            done
        else
            echo "open***: service not started"
            exit 1
        fi
        ;;
  reopen)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -USR1 `cat $pidf` >/dev/null 2>&1
                fi
            done
        else
            echo "open***: service not started"
            exit 1
        fi
        ;;
  condrestart)
        if [ -f $lock ]; then
            $0 stop
            # avoid race
            sleep 2
            $0 start
        fi
        ;;
  status)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2>/dev/null`; do
                if [ -s $pidf ]; then
                    kill -USR2 `cat $pidf` >/dev/null 2>&1
                fi
            done
            echo "Status written to /var/log/messages"
        else
            echo "open***: service not started"
            exit 1
        fi
        ;;
  *)
        echo "Usage: open*** {start|stop|restart|condrestart|reload|reopen|status}"
        exit 1
        ;;
esac
exit 0

 

6.         启动open***

/etc/init.d/open*** start

查看服务状况

Netstat –tunlp查看默认的1194端口是否开启

开启路由转发

sysctl -w net.ipv4.ip_forward=1

调整iptables策略,若是open*** server非网关,如需访问内网服务器须要添加iptables SNAT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 172.16.0.0/24 -j SNAT --to-source 172.16.0.10

#172.16.0.10为open*** server的内网口IP

 

7.         在window上安装open***-2.1_rc15-install.exe

复制ca.crt  tony.crt  tony.key  ta.key到open***安装目录---config目录

在config里面编辑Open***客户端配置文件

 

client
dev tun
proto udp
comp-lzo #对数据进行压缩,注意Server和Client保持一致
#auth-user-pass   启用pam-auth时使用
remote 192.168.255.193     1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca   ca.crt
cert  tony.crt
key  tony.key
ns-cert-type server
tls-auth  ta.key 1
verb 3
#log  c:\tun11-***.log

 

就能够在客户端进行拨号测试了

 

8.         启用auth-pam模块进行双因素认证

yum –y install pam-devel

 

生成open***-auth-pam.so

cd /usr/local/src/open***-2.1_rc22/plugin/auth-pam/

make

 

mkdir /usr/lib/open***/

cp open***-auth-pam.so /usr/lib/open***/

 

vi /etc/open***/server.conf 在最后添加

plugin /usr/lib/open***/open***-auth-pam.so system-auth

 

从新加载

/etc/init.d/open*** reload

 

客户端配置文件启用auth-user-pass

就能够用open***服务器系统用户名密码来进行验证，同时再用证书验证。