How to set up OpenVPN

1. System environment

Server: CentOS 6.6 x86_64, using the epel repo. Clients: CentOS 6.4, using the epel repo; Windows.

2. Software installation

Server: yum install openvpn easy-rsa
Client: yum install openvpn
Windows client: openvpn-install-2.3.5-I601-i686.zip, installed into the default directory.

3. Server setup

Key generation

Copy the easy-rsa scripts into the openvpn directory:

cp -r /usr/share/easy-rsa /etc/openvpn

Edit the key generation parameters:

vi /etc/openvpn/easy-rsa/2.0/vars

```sh
# easy-rsa parameter settings

# NOTE: If you installed from an RPM, don't edit this file in place in
# /usr/share/openvpn/easy-rsa -- instead, you should copy the whole
# easy-rsa directory to another location (such as /etc/openvpn) so that
# your edits will not be wiped out by a future OpenVPN package upgrade.

# This variable should point to the top level of the easy-rsa tree.
export EASY_RSA="`pwd`"

# This variable should point to the requested executables

# This variable should point to the openssl.cnf file included with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to your soon-to-be-created key directory.
#
# WARNING: clean-all will do a rm -rf on this directory
# so make sure you define it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"

# Increase this to 2048 if you are paranoid. This will slow down TLS
# negotiation performance as well as the one-time DH parms generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank.
export KEY_COUNTRY="CN"

# X509 Subject Field
export KEY_NAME="RSA"

# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234

# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below.
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set.
# export KEY_CN="CommonName"
```

The generated files are placed under /etc/openvpn/easy-rsa/2.0/keys; keep the key files safe. The role of each file is described in the table.

Then enable the openvpn service:

```
##############################################
# Sample OpenVPN 2.0 config file for
# multi-client server.
#
# This file is for the server side
# of a many-clients <-> one-server
# OpenVPN configuration.
#
# OpenVPN also supports
# single-machine <-> single-machine
# configurations (See the Examples page
# on the web site for more info).
#
# This config should work on Windows
# or Linux/BSD systems. Remember on
# Windows to quote pathnames and use
# double backslashes, e.g.:
# "C:\\Program Files\\OpenVPN\\config\\foo.key"
#
# Comments are preceded with '#' or ';'
##############################################

# Which local IP address should OpenVPN
# listen on? (optional)
local 0.0.0.0

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto tcp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
#dev-node ***

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
;dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients. See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
```

chkconfig openvpn on

Use netstat -nl to confirm that port 1194 is in the LISTEN state. Check the server's IP address with ifconfig -a. The server-side configuration is now complete.

Linux client

```
##############################################
# Sample client-side OpenVPN 2.0 config file
# for connecting to multi-client server.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
#
# On Windows, you might want to rename this
# file so it has a .ovpn extension
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 122.112.12.154 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody

# Try to preserve some state across restarts.
persist-key

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
```

chkconfig openvpn on

Check the client's IP address with ifconfig -a. The Linux client configuration is now complete.

Windows client

Copy the server's CA certificate ca.crt, the matching client certificate user01.crt and the matching client private key user01.key (these three files and nothing else) into the client's config directory. What has to be changed in the config: the server IP and port, and the certificate and private key files the client uses. Then open the OpenVPN GUI on the desktop with administrator privileges. The Windows client configuration is now complete. For one Windows client to connect to different servers as different users, write several *.ovpn config files with different names.

(Editor: 李大同)
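The two sample configs above repeat one rule in several places: dev, proto, cipher and comp-lzo must be set the same on both sides, a tls-auth key uses direction 0 on the server and 1 on the client, and the client should verify the server certificate type. The following script is added here (it is not part of the original post or of OpenVPN) and encodes those checks, running them over constructed excerpts of the two files; the remote-cert-tls directive it also accepts is the newer replacement for ns-cert-type.

```python
# Constructed excerpts of the server and client configs shown on this page.
SERVER_CONF = """\
port 1194
proto tcp
dev tap
;dh dh1024.pem
;server 10.8.0.0 255.255.255.0
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
comp-lzo
"""
CLIENT_CONF = """\
client
;dev tap
proto tcp
remote 122.112.12.154 1194
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
"""

def parse_conf(text):
    """Map each active directive to its argument list; '#' and ';' start a comment."""
    conf = {}
    for line in text.splitlines():
        toks = line.split()
        n = next((i for i, t in enumerate(toks) if t[0] in '#;'), len(toks))
        if n:
            conf[toks[0]] = toks[1:n]  # last occurrence wins, which suffices here
    return conf

def check_pair(server_text, client_text):
    """Return the inconsistencies the sample configs warn about; [] means the pair agrees."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    # dev, proto, cipher and comp-lzo must be set identically on both sides
    findings = [f'{d}: server={s.get(d)} client={c.get(d)}'
                for d in ('dev', 'proto', 'cipher', 'comp-lzo') if s.get(d) != c.get(d)]
    # tls-auth: both sides or neither, direction 0 on the server and 1 on the client
    if ('tls-auth' in s) != ('tls-auth' in c):
        findings.append('tls-auth enabled on only one side')
    elif 'tls-auth' in s and (s['tls-auth'][1:], c['tls-auth'][1:]) != (['0'], ['1']):
        findings.append('tls-auth direction must be 0 on the server and 1 on the client')
    # the client must check the server certificate type (ns-cert-type; remote-cert-tls in newer releases)
    if not c.keys() & {'ns-cert-type', 'remote-cert-tls'}:
        findings.append('client does not verify the server certificate type')
    # server mode needs an active server/server-bridge directive and DH parameters
    if not s.keys() & {'server', 'server-bridge'} or 'dh' not in s:
        findings.append('server lacks an active server/server-bridge directive or dh parameters')
    return findings
```

Run against the excerpts as shown, it reports the dev mismatch (the client has no active dev line) and the commented-out server and dh directives.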