OpenVPN in Practice 2: VPN and Gateway on the Same Server (51CTO Blog)

2019-01-03 13:17:02 | Author: 元蝶 | Tags: hands-on, gateway, server | Views: 2250

Outline

I. Preface

II. Overview

III. Lab topology

IV. Environment preparation

V. Detailed configuration walkthrough

VI. Summary

Note: the lab environment is CentOS 5.5 x86_64 and the software version is OpenVPN 2.1; software download: http://yunpan.cn/QzT8fGsX8S75a (access password e8e4).


I. Preface

In the previous post I showed how to build a VPN server inside the intranet, and I trust you have a rough idea of that by now. But some readers said they have no spare server to use as a VPN server, only a single Linux gateway server. What then? Can the VPN server be built on the gateway server itself? I can say that this is certainly possible, heh. So how do we build it? Let's do it together!


II. Overview

The key to building a VPN server on the gateway server is the firewall mapping; the essential configuration is:

[root@gateway ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.18.0/255.255.255.0 -j SNAT --to-source 192.168.18.254

Note: eth0 is the public-address interface and eth1 the internal-address interface. Let's look at the lab topology, which will make this clearer.


III. Lab topology

Note: this topology is a typical use case for a small or medium-sized enterprise LAN. This post does not cover configuring NAT, Web, FTP or other applications, only the OpenVPN-related steps; other questions are welcome in the comments, thanks.


IV. Environment preparation

1. Install the yum repository (EPEL)

[root@gateway ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Retrieving http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
warning: /var/tmp/rpm-xfer.qnxpWE: Header V3 DSA signature: NOKEY, key ID 217521f6   
Preparing...                ########################################### [100%]   
    package epel-release-5-4.noarch is already installed
[root@gateway ~]# yum list

2. Synchronize the server time

[root@gateway ~]# yum install -y ntp
[root@gateway ~]# ntpdate 210.72.145.44  
[root@gateway ~]# hwclock -w   
[root@gateway ~]# date   
[root@gateway ~]# hwclock

3. Install the required dependency packages

[root@gateway ~]# yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers


V. Detailed configuration walkthrough

Note: a brief outline of the configuration steps:

  • Install the lzo and openvpn packages

  • Prepare for configuration: copy the relevant files

  • Initialize the PKI

  • Build the server key

  • Generate the client keys

  • Generate the Diffie-Hellman parameters

  • Pack all the files under keys/ and download them locally for the client machines

  • Copy ca.crt, server.crt, server.key and dh1024.pem from keys/ to /etc/openvpn

  • Edit the server configuration file /etc/openvpn/server.conf

  • Start the VPN server

  • Configure the Windows client

  • Set up port mapping on the gateway server

  • Test the Windows client connecting to OpenVPN

  • Final tests

Now let's work through the steps above.

1. Install the lzo and openvpn packages

[root@gateway ~]# mkdir src  
[root@gateway ~]# cd src/   
[root@gateway src]# ls   
lzo-2.04-3.2.x86_64.rpm  openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm
[root@gateway src]# rpm -ivh lzo-2.04-3.2.x86_64.rpm
warning: lzo-2.04-3.2.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID d164ce99
Preparing...                ########################################### [100%]
   1:lzo                    ########################################### [100%]
[root@gateway src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm
Preparing...                ########################################### [100%]
   1:openvpn                ########################################### [100%]

2. Prepare for configuration: copy the relevant files

[root@gateway src]# cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn
[root@gateway src]# cd /etc/openvpn
[root@gateway openvpn]# ls
2.0
[root@gateway openvpn]# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
[root@gateway openvpn]# ls
2.0  server.conf

3. Initialize the PKI

[root@gateway open***]# cd 2.0/  
[root@gateway 2.0]# ls   
build-ca     build-key         build-key-server  clean-all      Makefile           pkitool      sign-req   
build-dh     build-key-pass    build-req         inherit-inter  openssl-0.9.6.cnf  README       vars   
build-inter  build-key-pkcs12  build-req-pass    list-crl       openssl.cnf        revoke-full  whichopensslcnf   
[root@gateway 2.0]# vim vars
# Edit the following entries:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="SH"
export KEY_ORG="openvpn"
export KEY_EMAIL="admin@free.com"
[root@gateway 2.0]# env | grep KEY
[root@gateway 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
[root@gateway 2.0]# env | grep KEY
KEY_EXPIRE=3650
KEY_EMAIL=admin@free.com
KEY_SIZE=1024
KEY_DIR=/etc/openvpn/2.0/keys
KEY_CITY=SH
KEY_PROVINCE=SH
KEY_ORG=openvpn
KEY_CONFIG=/etc/openvpn/2.0/openssl.cnf
KEY_COUNTRY=CN
[root@gateway 2.0]# ./clean-all   
[root@gateway 2.0]# ls   
build-ca     build-key-pass    build-req-pass  list-crl           pkitool      vars   
build-dh     build-key-pkcs12  clean-all       Makefile           README       whichopensslcnf   
build-inter  build-key-server  inherit-inter   openssl-0.9.6.cnf  revoke-full   
build-key    build-req         keys            openssl.cnf        sign-req   
[root@gateway 2.0]# ./build-ca    
Generating a 1024 bit RSA private key   
.++++++   
.......................................++++++   
writing new private key to ca.key   
-----   
You are about to be asked to enter information that will be incorporated   
into your certificate request.   
What you are about to enter is what is called a Distinguished Name or a DN.   
There are quite a few fields but you can leave some blank   
For some fields there will be a default value,   
If you enter ., the field will be left blank.   
-----   
Country Name (2 letter code) [CN]:   
State or Province Name (full name) [SH]:   
Locality Name (eg, city) [SH]:   
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your servers hostname) [openvpn CA]:
Email Address [admin@free.com]:

4. Build the server key

[root@gateway 2.0]# ./build-key-server server  
Generating a 1024 bit RSA private key   
.................++++++   
.............++++++   
writing new private key to server.key   
-----   
You are about to be asked to enter information that will be incorporated   
into your certificate request.   
What you are about to enter is what is called a Distinguished Name or a DN.   
There are quite a few fields but you can leave some blank   
For some fields there will be a default value,   
If you enter ., the field will be left blank.   
-----   
Country Name (2 letter code) [CN]:   
State or Province Name (full name) [SH]:   
Locality Name (eg, city) [SH]:   
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your servers hostname) [server]:
Email Address [admin@free.com]:
Please enter the following extra attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:CN
stateOrProvinceName   :PRINTABLE:SH
localityName          :PRINTABLE:SH
organizationName      :PRINTABLE:openvpn
commonName            :PRINTABLE:server   
emailAddress          :IA5STRING:admin@free.com   
Certificate is to be certified until May  2 03:41:08 2024 GMT (3650 days)   
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y   
Write out database with 1 new entries   
Data Base Updated

5. Generate the client keys (I set up three clients here, client1, client2 and client3; generate as many as you need)

1) client1

[root@gateway 2.0]# ./build-key client1  
Generating a 1024 bit RSA private key   
......++++++   
...++++++   
writing new private key to client1.key   
-----   
You are about to be asked to enter information that will be incorporated   
into your certificate request.   
What you are about to enter is what is called a Distinguished Name or a DN.   
There are quite a few fields but you can leave some blank   
For some fields there will be a default value,   
If you enter ., the field will be left blank.   
-----   
Country Name (2 letter code) [CN]:   
State or Province Name (full name) [SH]:   
Locality Name (eg, city) [SH]:   
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your servers hostname) [client1]:
Email Address [admin@free.com]:
Please enter the following extra attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:CN
stateOrProvinceName   :PRINTABLE:SH
localityName          :PRINTABLE:SH
organizationName      :PRINTABLE:openvpn
commonName            :PRINTABLE:client1   
emailAddress          :IA5STRING:admin@free.com   
Certificate is to be certified until May  2 03:46:17 2024 GMT (3650 days)   
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y   
Write out database with 1 new entries   
Data Base Updated

2) client2 and client3 are created the same way, so I will not show them here; readers who are unsure can refer to the previous post.

6. Generate the Diffie-Hellman parameters

[root@gateway 2.0]# ./build-dh   
Generating DH parameters, 1024 bit long safe prime, generator 2   
This is going to take a long time   
................................................................++*++*++*

7. Pack all the files under keys/ and download them locally for the client machines.

[root@gateway 2.0]# cd keys/  
[root@gateway keys]# ls   
01.pem  ca.crt       client1.key  client3.crt  index.txt           serial      server.key   
02.pem  ca.key       client2.crt  client3.csr  index.txt.attr      serial.old   
03.pem  client1.crt  client2.csr  client3.key  index.txt.attr.old  server.crt   
04.pem  client1.csr  client2.key  dh1024.pem   index.txt.old       server.csr   
[root@gateway keys]# tar zcvf client.tar.gz ./*   
./01.pem   
./02.pem   
./03.pem   
./04.pem   
./ca.crt   
./ca.key   
./client1.crt   
./client1.csr   
./client1.key   
./client2.crt   
./client2.csr   
./client2.key   
./client3.crt   
./client3.csr   
./client3.key   
./dh1024.pem   
./index.txt   
./index.txt.attr   
./index.txt.attr.old   
./index.txt.old   
./serial   
./serial.old   
./server.crt   
./server.csr   
./server.key   
[root@gateway keys]# ls   
01.pem  04.pem  client1.crt  client2.crt  client3.crt  client.tar.gz  index.txt.attr      serial      server.csr   
02.pem  ca.crt  client1.csr  client2.csr  client3.csr  dh1024.pem     index.txt.attr.old  serial.old  server.key   
03.pem  ca.key  client1.key  client2.key  client3.key  index.txt      index.txt.old       server.crt

8. Copy ca.crt, server.crt, server.key and dh1024.pem from keys/ to /etc/openvpn

[root@gateway keys]# cp ca.* server.* dh1024.pem /etc/openvpn/
[root@gateway keys]# cd /etc/openvpn/
[root@gateway openvpn]# ls
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.crt  server.csr  server.key

9. Edit the server configuration file /etc/openvpn/server.conf

[root@gateway openvpn]# cp server.conf server.conf.bak.2014.5.5
[root@gateway openvpn]# ls
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.conf.bak.2014.5.5  server.crt  server.csr  server.key
[root@gateway openvpn]# vim server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

10. Start the VPN server

[root@gateway openvpn]# /etc/init.d/openvpn start
正在启动 openvpn:                                         [确定]
[root@gateway openvpn]# netstat -ntulp | grep 1194
udp        0      0 0.0.0.0:1194                0.0.0.0:*                               19147/openvpn
[root@gateway openvpn]# ifconfig
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255   
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1   
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0   
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0   
          collisions:0 txqueuelen:100    
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

11. Configure the Windows client

(1) Install the client (not shown here; install it yourself)

(2) Put the client certificate files generated on the server into the config folder:

D:\Program Files\OpenVPN\config\test

(3) Create the client configuration file test.ovpn under

D:\Program Files\OpenVPN\config

Contents of test.ovpn:

client
dev tun
proto udp
remote x.x.x.x 1194 # the workplace's public IP
persist-key
persist-tun
ca test\\ca.crt
cert test\\client1.crt
key test\\client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
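The tarball of step 7 hands every client ca.key, server.key and the other clients' private keys as well. Added here, not code from the post, is a POSIX shell helper that builds the bundle one client actually needs from the step 7 keys/ directory, writes the step 11 client config for it, and audits any bundle before it is sent; the client name, keys directory and the server address 203.0.113.10 used in the test are constructed placeholders.

```shell
# Added helper, not from the original post: build the bundle one client needs
# from the easy-rsa keys/ directory and audit any bundle before it is sent.
# A client needs only ca.crt plus its own cert and key; ca.key, server.key,
# dh1024.pem, the CA database and other clients' keys stay on the server.
set -eu

win_sep='\\'   # separator as it must appear in a Windows .ovpn (test\\ca.crt)

# make_client_ovpn NAME SERVER_IP -> prints the client config: the post's
# test.ovpn, with the files placed under config\NAME\ instead of config\test\
make_client_ovpn() {
    printf '%s\n' client 'dev tun' 'proto udp' "remote $2 1194" \
        persist-key persist-tun "ca $1${win_sep}ca.crt" \
        "cert $1${win_sep}$1.crt" "key $1${win_sep}$1.key" \
        'ns-cert-type server' comp-lzo 'verb 3' 'redirect-gateway def1'
}

# audit_bundle TARBALL NAME -> returns 1 (listing the entries) if the archive
# carries anything beyond ca.crt and NAME's own cert/key
audit_bundle() {
    bad=$(tar -tzf "$1" | while IFS= read -r entry; do
        base=${entry##*/}
        case "$base" in
            ca.key|server.*|dh*.pem|index.txt*|serial*|*.csr) echo "$entry" ;;
            *.key) [ "$base" = "$2.key" ] || echo "$entry" ;;
        esac
    done)
    [ -z "$bad" ] || { printf 'refusing %s, it contains:\n%s\n' "$1" "$bad" >&2; return 1; }
}

# bundle_client NAME KEYS_DIR OUT_DIR SERVER_IP -> prints OUT_DIR/NAME.tar.gz
bundle_client() {
    name=$1 keys=$2 server=$4
    mkdir -p "$3"; out=$(cd "$3" && pwd)
    stage=$(mktemp -d); mkdir "$stage/$name"
    for f in ca.crt "$name.crt" "$name.key"; do
        cp "$keys/$f" "$stage/$name/"     # aborts (set -e) if a file is missing
    done
    chmod 600 "$stage/$name/$name.key"
    make_client_ovpn "$name" "$server" > "$stage/$name.ovpn"
    tar -C "$stage" -czf "$out/$name.tar.gz" "$name.ovpn" "$name"
    rm -rf "$stage"
    audit_bundle "$out/$name.tar.gz" "$name" && echo "$out/$name.tar.gz"
}
```

Running audit_bundle against the post's client.tar.gz from step 7 flags ca.key, server.key and the other clients' keys, which is exactly what a bundle should never contain.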

12. Set up port mapping on the gateway server (the key configuration) and enable IP forwarding.

[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE   
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.18.0/255.255.255.0 -j SNAT --to-source 192.168.18.254
[root@gateway keys]# iptables -L -t nat  
Chain PREROUTING (policy ACCEPT)   
target     prot opt source               destination        
Chain POSTROUTING (policy ACCEPT)  
target     prot opt source               destination        
MASQUERADE  all  --  localhost/24         anywhere           
SNAT       all  --  localhost/24         localhost/24        to:192.168.18.254
Chain OUTPUT (policy ACCEPT)  
target     prot opt source               destination        
[root@gateway keys]# vim /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux  
#   
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and   
# sysctl.conf(5) for more details.
# Controls IP packet forwarding  
net.ipv4.ip_forward = 1
[root@gateway keys]# sysctl -p  
net.ipv4.ip_forward = 1
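As an added example, not from the post: the step 12 rules and forwarding setting applied idempotently, so running the script at every boot never appends duplicate iptables entries. Interface and subnet values are the post's; the IPTABLES, SYSCTL_CONF and PROC_FORWARD overrides are assumptions added so the logic can be exercised without root.

```shell
# Added helper, not from the original post: apply the step 12 NAT rules and
# the forwarding setting idempotently, so running it at every boot never
# appends duplicate entries. Interfaces and subnets are the post's (eth0
# public, 10.8.0.0/24 VPN, 192.168.18.0/24 LAN); the variables are overridable.
set -eu

IPTABLES="${IPTABLES:-iptables}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"
PROC_FORWARD="${PROC_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
WAN_IF="${WAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-192.168.18.0/24}"
LAN_GW="${LAN_GW:-192.168.18.254}"

# One POSTROUTING rule spec per line, in insertion order. The post lists the
# catch-all MASQUERADE first, so it matches VPN->LAN packets and the SNAT rule
# is never reached; here the specific rule comes first and MASQUERADE is
# pinned to the public interface.
nat_rule_specs() {
    printf '%s\n' \
        "POSTROUTING -s $VPN_NET -d $LAN_NET -j SNAT --to-source $LAN_GW" \
        "POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
}

# ensure_nat_rule SPEC -> appends the rule only if `iptables -C` reports it absent
ensure_nat_rule() {
    # shellcheck disable=SC2086  # splitting SPEC into arguments is intended
    if "$IPTABLES" -t nat -C $1 2>/dev/null; then
        echo "present: $1"
    else
        "$IPTABLES" -t nat -A $1 && echo "added: $1"
    fi
}

apply_nat_rules() {
    nat_rule_specs | while IFS= read -r spec; do ensure_nat_rule "$spec"; done
}

# enable_forwarding -> ip_forward=1 now and in sysctl.conf, editing an existing
# net.ipv4.ip_forward line in place rather than appending a second copy
enable_forwarding() {
    if grep -q '^net\.ipv4\.ip_forward' "$SYSCTL_CONF" 2>/dev/null; then
        sed 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' "$SYSCTL_CONF" \
            > "$SYSCTL_CONF.tmp" && mv "$SYSCTL_CONF.tmp" "$SYSCTL_CONF"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$SYSCTL_CONF"
    fi
    if [ -w "$PROC_FORWARD" ]; then echo 1 > "$PROC_FORWARD"; fi
}
```

A second run prints "present:" for both rules instead of adding them again, which is the check the post's bare `iptables -A` lines lack.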

13. Connect and test

1) Connect the VPN

Note: once the connection succeeds, a small green icon appears. Now let's try a ping!

2) Test with ping

3) Now let's check where our IP is located

Before connecting the VPN: (office)

After connecting the VPN: (server room)

That completes the hands-on configuration of the VPN together with the gateway. Below is a summary of lessons learned and a roundup of issues.


VI. Summary

Everything above had the server generate the client certificates and then distribute them to the clients, which connect to the server with their certificate. Sometimes, though, this distribution is cumbersome (and not secure). So we can consider another approach: create the client certificates only on the server side, while the client needs only the ca.crt file and never receives its own client certificate; logging in to the OpenVPN server is then done with a username and password. How is this implemented? We will implement it in the next post.


Finally, I hope you have all gained something from this ^_^ ...

