所需软件:lzo-2.10.tar.gz open***-2.4.3.tar.gz
其他版本下载地址:
安装软件:yum install -y gcc gcc-c++ openssl-devel pam-devel
安装lzo:
tar xf lzo-2.10.tar.gzcd lzo-2.10./configure --prefix=/usr/localmake && make install
安装路径使用/usr/local而不是/usr/local/lzo是为了解决安装open***时候找不到 lzo_lib 的问题。
tar xf open***-2.4.3.tar.gzcd open***-2.4.3./configure --prefix=/usr/local/open***make && make install
编译访问控制模块 :
在当前安装目录中新建文件 minimal_pf.c
/* minimal_pf.c * ultra-minimal Open××× plugin to enable internal packet filter */#include#include #include "include/open***-plugin.h" /* dummy context, as we need no state */struct plugin_context { int dummy;}; /* Initialization function */OPEN×××_EXPORT open***_plugin_handle_t open***_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[]) { struct plugin_context *context; /* Allocate our context */ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context)); /* Which callbacks to intercept. */ *type_mask = OPEN×××_PLUGIN_MASK (OPEN×××_PLUGIN_ENABLE_PF); return (open***_plugin_handle_t) context;} /* Worker function */OPEN×××_EXPORT int open***_plugin_func_v2 (open***_plugin_handle_t handle, const int type, const char *argv[], const char *envp[], void *per_client_context, struct open***_plugin_string_list **return_list) { if (type == OPEN×××_PLUGIN_ENABLE_PF) { return OPEN×××_PLUGIN_FUNC_SUCCESS; } else { /* should not happen! */ return OPEN×××_PLUGIN_FUNC_ERROR; }} /* Cleanup function */OPEN×××_EXPORT void open***_plugin_close_v1 (open***_plugin_handle_t handle) { struct plugin_context *context = (struct plugin_context *) handle; free (context);}
其他版本的open***可能需要修改包含头文件(#include "include/open***-plugin.h"),2.1.4版本的open***-plugin.h是在根目录
编译:
CC_FLAGS="-O2 -Wall -g"NAME=minimal_pfgcc $CC_FLAGS -fPIC -c $NAME.c && gcc $CC_FLAGS -fPIC -shared -Wl,-soname,$NAME.so -o $NAME.so $NAME.o -lc
把编译产生的文件复制到open***文件夹中
cp -a minimal_pf.so /usr/local/open***/lib/open***/plugins/
新版本open***好像没有证书管理工具,可以从旧版本中复制过来,只是为了生成一套根证书而已,直接从其他服务器复制几个证书文件过来也可以用。
从旧版本open***-2.1.4.tar.gz中复制easy-rsa目录,使用2.0版本工具,修改vars文件中的变量(非必须),加载到当前Shell。
cp -a open***-2.4.3/easy-rsa /usr/local/open***/cd /usr/local/open***/easy-rsa/2.0/source vars
清理证书目录
./clean-all
生成CA证书,输入部分可以直接回车,[y/n]部分填y
./build-ca
生成服务器证书,server为任意名字,输入部分可以直接回车,[y/n]部分填y
./build-key-server server
生成Diffie Hellman文件,提高安全性
./build-dh
建立其他目录
cd /usr/local/open***/mkdir ccd conf logs pf
open***服务器配置:conf/server.conf
port 1194proto udpdev tunca /usr/local/open***/easy-rsa/2.0/keys/ca.crtcert /usr/local/open***/easy-rsa/2.0/keys/server.crtkey /usr/local/open***/easy-rsa/2.0/keys/server.keydh /usr/local/open***/easy-rsa/2.0/keys/dh1024.pemserver 10.8.0.0 255.255.255.0ifconfig-pool-persist /usr/local/open***/conf/ipp.txtpush "route 192.168.100.0 255.255.255.0"keepalive 10 120comp-lzopersist-keypersist-tunstatus /usr/local/open***/logs/open***-status.loglog /usr/local/open***/logs/open***.logverb 3auth-user-pass-verify /usr/local/open***/sbin/checkpsw.sh via-envplugin /usr/local/open***/lib/open***/plugins/minimal_pf.soclient-connect /usr/local/open***/sbin/client-connect.shclient-config-dir /usr/local/open***/ccdclient-to-clientclient-cert-not-requiredusername-as-common-namescript-security 3
密码认证脚本/usr/local/open***/sbin/checkpsw.sh:
#!/bin/bashPASSFILE="/usr/local/open***/conf/psw-file"LOG_FILE="/usr/local/open***/logs/open***-password.log"TIME_STAMP=`date "+%Y-%m-%d %T"`if [ ! -r "${PASSFILE}" ]; then echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE} exit 1fiCORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`if [ "${CORRECT_PASSWORD}" = "" ]; then echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE} exit 1fiif [ "${password}" = "${CORRECT_PASSWORD}" ]; then echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE} exit 0fiecho "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}exit 1 访问控制脚本 /usr/local/open***/sbin/client-connect.sh:
#!/bin/bashtemplate="/usr/local/open***/pf/${common_name}.pf" if [ -f "$template" ] && [ ! -z "$pf_file" ]; then cp -- "$template" "$pf_file"else exit 1fi 加可执行权限:
chmod +x sbin/checkpsw.sh sbin/client-connect.sh
增加用户名和密码文件:
cat /usr/local/open***/conf/psw-fileuser1 passd1user2 passd2
增加个人配置文件(用于根据用户分配路由等配置,非必须):
cat /usr/local/open***/ccd/user1push "route 192.168.101.0 255.255.255.0"
增加访问控制文件(必须),缺少访问控制文件则登录失败,防止权限出错:
cat /usr/local/open***/pf/user1[CLIENTS ACCEPT][SUBNETS ACCEPT]+192.168.100.0/28-0.0.0.0/0[END]
以上配置文件,+是允许,-是拒绝,ACCEPT也可以改为DROP,CLIENTS部分填写用户名,具体用法有待探讨。
开启IP转发和NAT,端口eth0和网段10.8.0.0/24根据实际配置调整:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf sysctp -piptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE/etc/init.d/iptables savechkconfig iptables on
启动open***服务:
/usr/local/open***/sbin/open*** --config /usr/local/open***/conf/server.conf --daemon
查看日志,出现 Initialization Sequence Completed 则启动成功:
tailf logs/open***.logThu Sep 28 14:06:30 2017 MULTI: multi_init called, r=256 v=256Thu Sep 28 14:06:30 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0Thu Sep 28 14:06:30 2017 ifconfig_pool_read(), in='ouzy,10.8.0.4', TODO: IPv6Thu Sep 28 14:06:30 2017 succeeded -> ifconfig_pool_set()Thu Sep 28 14:06:30 2017 ifconfig_pool_read(), in='gcc,10.8.0.8', TODO: IPv6Thu Sep 28 14:06:30 2017 succeeded -> ifconfig_pool_set()Thu Sep 28 14:06:30 2017 IFCONFIG POOL LISTThu Sep 28 14:06:30 2017 ouzy,10.8.0.4Thu Sep 28 14:06:30 2017 gcc,10.8.0.8Thu Sep 28 14:06:30 2017 Initialization Sequence Completed
Windows客户端从open***.net下载安装 open***-install-*.exe
下载页面:https://open***.net/index.php/open-source/downloads.html
把服务器的CA证书 /usr/local/open***/easy-rsa/2.0/keys/ca.crt 下载并复制到客户端的open***安装目录config下,再在config目录新建一个配置文件 client.o*** ,名字随意,后缀名要一致,把配置文件的x.x.x.x换成open***服务器IP:
setenv CLIENT_CERT 0clientdev tunproto udpremote x.x.x.x 1194resolv-retry infinitenobindpersist-keypersist-tunauth-user-passns-cert-type servercomp-lzoverb 3auth-nocachereneg-sec 0ca ca.crt
打开客户端连接,输入用户名密码即可。