Setting up OpenVPN (CentOS 7, easy-rsa 2.0)
1. Disable SELinux
[root@hxj ~]# setenforce 0
setenforce: SELinux is disabled
The message shows SELinux was already disabled on this host. `setenforce 0` lasts only until reboot; the persistent setting is SELINUX=disabled in /etc/selinux/config. Note that the CentOS 7 targeted policy already allows openvpn to run enforcing as long as its config and keys live under /etc/openvpn, so this step trades host hardening for convenience and can be skipped.
2. Install the EPEL repository
rpm -ivh http://mirrors.sohu.com/fedora-epel/7/x86_64/e/epel-release-7-9.noarch.rpm
The pinned 7-9 package may have been rotated out of the mirror; on CentOS 7 `yum -y install epel-release` pulls the current one from the base repo.
3. Install the packages with yum
yum -y install openssl openssl-devel lzo openvpn easy-rsa vim
The next step uses the easy-rsa 2.0 scripts under /usr/share/easy-rsa/2.0/. If that directory does not exist, EPEL gave you easy-rsa 3, whose workflow (`easyrsa init-pki`, `build-ca`, `build-server-full`, `build-client-full`, `gen-dh`) differs from the commands below.
4. Configuration
Edit vars
cd /usr/share/easy-rsa/2.0/
vim vars
# change the following
export KEY_COUNTRY="CN"
export KEY_PROVINCE="HuBei"
export KEY_CITY="WuHan"
export KEY_ORG="123"
export KEY_EMAIL="123@qq.com"
export KEY_OU="123"
Generate the CA, keys and DH parameters
source ./vars
./clean-all
./build-ca
./build-key-server cty_vpnserver
./build-dh
./build-key cloud
Accept the defaults with Enter; answer y when asked "yes or no" (signing the certificate and committing it to the CA database). `build-key` produces an unencrypted client key; `build-key-pass` would protect it with a passphrase. Note that `clean-all` wipes the keys/ directory, so do not re-run it once certificates have been issued.
Copy the generated certificates to the OpenVPN directory
cp -rf keys/ /etc/openvpn/
cd /etc/openvpn/
This copies the whole keys/ directory, which also contains ca.key (the CA's private key) and the client key cloud.key. The server only needs ca.crt, cty_vpnserver.crt, cty_vpnserver.key and dh2048.pem; ca.key should not live on the VPN server at all, because whoever reads it can issue client certificates for this VPN. Keep the server key readable by root only (chmod 600 keys/cty_vpnserver.key).
Edit server.conf
[root@localhost openvpn]# vim server.conf
;local a.b.c.d
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/cty_vpnserver.crt
key keys/cty_vpnserver.key  # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.99.0 255.255.255.0"
push "route 192.168.98.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
cipher AES-256-CBC
`dh keys/dh2048.pem` assumes KEY_SIZE=2048 in vars; older easy-rsa 2.0 builds default to 1024 and write dh1024.pem, so check `ls keys/dh*.pem`. The two `push "route ..."` lines hand the internal subnets to every client. `client-to-client` makes OpenVPN forward traffic between tunnel clients internally, so that traffic never reaches the kernel's FORWARD chain and cannot be filtered by the per-user iptables rules added later in this post; drop it unless clients really need to reach one another.
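The server.conf above authenticates clients with certificates only, lets two people log in under one identity (`duplicate-cn`), compresses the tunnel, and keeps the daemon running as root. The fragment below is an added hardening overlay for that file, written for this post rather than taken from it; the directives are standard OpenVPN 2.4 ones, and the file name ta.key is an assumption.

```conf
# Added hardening for the server.conf above (not part of the original post).
# Generate the control-channel HMAC key once and copy it to every client:
#   openvpn --genkey --secret /etc/openvpn/keys/ta.key

tls-auth keys/ta.key 0      # HMAC-sign every control packet; packets without a valid
                            # HMAC are dropped before any TLS processing. Clients use
                            # "tls-auth ta.key 1".
tls-version-min 1.2         # refuse TLS 1.0/1.1 handshakes
auth SHA256                 # data-channel HMAC (default is SHA1)
cipher AES-256-CBC          # as in the post
user nobody                 # drop root once the tunnel and keys are set up;
group nobody                # persist-key / persist-tun (already present) make this safe
;duplicate-cn               # with username-as-common-name (added below) every user already
                            # has a distinct CN; allowing duplicates lets two people share
                            # one login and defeats the per-address FORWARD rules
;comp-lzo                   # compression of attacker-influenced traffic enables
                            # VORACLE-style plaintext recovery; remove it from the
                            # client config as well so both ends agree
```

With `user nobody` the auth-user-pass-verify script later in the post also runs as nobody, which is why its password file must be readable by that user. On the client side add `remote-cert-tls server`, so that a client certificate issued by the same CA (any cloud.crt holder) cannot impersonate the server: build-key-server marks the server certificate with the server nsCertType/EKU and the client will refuse anything else.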
Firewall setup
yum install -y iptables-services
systemctl stop firewalld
systemctl disable firewalld   # otherwise firewalld returns at boot and overrides the saved iptables rules
systemctl enable iptables
systemctl start iptables
iptables -F
iptables -L
`iptables -F` flushes the rules but leaves the chain policies (ACCEPT by default on CentOS 7), so after this the host accepts everything until the rules below are added.
Enable IP forwarding
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1   # append this line at the end
sysctl -p
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT -p tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT   # tcp port
iptables -I INPUT -p udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT   # udp port
service iptables save
`-o eth0` must name the interface that actually carries traffic to 192.168.99.0/24 and 192.168.98.0/24 (`ip route get 192.168.99.1` prints it). server.conf uses `proto udp`, so only the udp rule is needed; the tcp rule opens a port nothing listens on. `service iptables save` writes the running rules to /etc/sysconfig/iptables, which the iptables service restores at boot.
Start the service
systemctl start openvpn@server.service
systemctl status openvpn@server.service
systemctl enable openvpn@server.service   # start at boot
The `@server` instance reads /etc/openvpn/server.conf; errors end up in /etc/openvpn/openvpn.log (the `log-append` file) and in `journalctl -u openvpn@server`.
Username/password authentication
Edit the server.conf file
[root@localhost openvpn]# tail -5 server.conf   # these 5 lines are appended at the end
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
#client-cert-not-required
username-as-common-name
client-config-dir /etc/openvpn/ccd
`via-env` hands the username and password to the script as environment variables, which is why `script-security 3` is required (level 2 does not export the password). `client-cert-not-required` stays commented out, so a client still needs a valid certificate and a valid password; removing the `#` would make the shared cloud.crt pointless and reduce security to the plaintext password file. `username-as-common-name` makes OpenVPN treat the login name, not the certificate CN, as the client identity, so the per-client files under client-config-dir are named after usernames (the ccd/test and ccd/zhangsan files below).
Create the authentication script
[root@localhost openvpn]# cat checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# username and password arrive in the environment (via-env). Read the username
# through ENVIRON instead of splicing it into the awk program text: the original
# used $1=="'${username}'", so a login name containing a double quote could
# rewrite the awk program. Lines starting with ; or # are comments.
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1==ENVIRON["username"]{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

# The supplied password is deliberately not written to the log: the original
# script logged it on every failed attempt, which leaves mistyped real
# passwords in cleartext in /var/log.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> ${LOG_FILE}
exit 1
[root@localhost openvpn]# chmod u+x checkpsw.sh
The exit status is the whole interface: 0 lets the client in, anything else rejects it. Passwords are compared against a plaintext file, so the file permissions below are what stand between a local user and every VPN credential.
Create the account file
[root@localhost openvpn]# cat psw-file
test 123456
[root@localhost openvpn]# chmod 400 psw-file
[root@localhost openvpn]# chown nobody.nobody psw-file
[root@localhost openvpn]# systemctl restart openvpn@server
`chown nobody` matters only if server.conf drops privileges with `user nobody`/`group nobody` (it does not as written above, so openvpn and the script run as root and can read the file regardless). `test 123456` is a placeholder; because both the file and the OpenVPN tunnel are the only things protecting the internal subnets, use long random passwords here.
Windows client configuration file
client
dev tun
proto udp
remote 27.18.17.241 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cloud.crt
key cloud.key
comp-lzo
verb 3
auth-user-pass cloudpw.txt
cloudpw.txt holds the username on the first line and the password on the second; it sits next to the client key, so protect the whole config directory as you would the key. `comp-lzo` must match the server setting (remove it on both ends or neither). Add `remote-cert-tls server` so the client only accepts a certificate built with build-key-server; without it, anyone holding cloud.crt and cloud.key can stand up a server that these clients will trust.
Access control
Give each account a fixed IP
Add to the server configuration file
client-config-dir /etc/openvpn/ccd
Create one file per account with that account's IP settings (with `username-as-common-name` the file name is the login name, not the certificate CN)
[root@localhost openvpn]# ls ccd/
test zhangsan
echo "ifconfig-push 10.8.0.17 10.8.0.18" > ccd/zhangsan
The first address is the client's tunnel IP, the second is its point-to-point peer on the server side. Because the iptables rules below match on these fixed source addresses, a client must not be able to pick its own address: the ccd file is the only thing binding a username to 10.8.0.17.
The IP pair may only be chosen from the address pairs in this table (last octet of 10.8.0.x). With OpenVPN's default `topology net30` every client is given a /30, so the client address must be the first usable host of a /30 block, its peer the second: [4k+1, 4k+2]. `topology subnet` in server.conf (and in the clients) removes this restriction and makes `ifconfig-push` take an address and netmask instead.
[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18] [ 21, 22] [ 25, 26] [ 29, 30]
[ 33, 34] [ 37, 38] [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58] [ 61, 62]
[ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78] [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94]
[ 97, 98] [101,102] [105,106] [109,110] [113,114] [117,118] [121,122] [125,126]
[129,130] [133,134] [137,138] [141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178] [181,182] [185,186] [189,190]
[193,194] [197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222]
[225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250] [253,254]
Add the iptables rules
iptables -A FORWARD -i tun0 -s 10.8.0.13/32 -d 192.168.99.101 -j ACCEPT
iptables -A FORWARD -s 10.8.0.13/32 -j DROP
iptables -A FORWARD -i tun0 -s 10.8.0.17/32 -d 192.168.98.0/24 -j ACCEPT
iptables -A FORWARD -s 10.8.0.17/32 -j DROP
service iptables save
Each client gets an ACCEPT for the hosts it may reach followed by a DROP for everything else from its address, so order matters and `-A` must not land behind an earlier catch-all ACCEPT in FORWARD (`iptables -L FORWARD -n --line-numbers` shows the order). Clients without a rule pair still fall through to the chain's ACCEPT policy; a `-P FORWARD DROP` policy plus explicit ACCEPTs is the deny-by-default version of this scheme. Return traffic is unaffected because the DROP matches on the client as source only.
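The ccd entry and the FORWARD rule pair above are written by hand per user, and nothing checks that the pushed address is a legal net30 pair. The script below is an added example written for this post (it is not the author's code): it keeps the username, fixed tunnel address and allowed destination in one small policy, validates the [4k+1, 4k+2] pairing, writes the ccd files and prints the matching iptables commands. The policy contents and the temporary ccd directory are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: derive each user's ccd entry and
# FORWARD rules from one policy, checking the net30 pairing first.

# Constructed policy: username, fixed tunnel IP, destination the user may reach.
# The usernames and addresses follow the ccd/ and iptables examples above.
POLICY='test 10.8.0.13 192.168.99.101/32
zhangsan 10.8.0.17 192.168.98.0/24'

# With the default "topology net30" every client owns a /30, so a pushed
# address must be the first usable host of such a block: last octet 4k+1,
# peer 4k+2 (exactly the pairs tabulated above). Prints the peer address,
# or fails if the IP cannot be pushed.
net30_peer() {
    ip=$1
    prefix=${ip%.*}
    last=${ip##*.}
    case $last in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$last" -ge 1 ] && [ "$last" -le 253 ] || return 1
    [ $((last % 4)) -eq 1 ] || return 1
    echo "$prefix.$((last + 1))"
}

# One ccd line for user $1 with tunnel IP $2: ifconfig-push <ip> <peer>
ccd_line() {
    peer=$(net30_peer "$2") || { echo "$1: $2 is not a valid net30 address" >&2; return 1; }
    echo "ifconfig-push $2 $peer"
}

# FORWARD rules for client IP $1: allow only destination $2 via tun0, then
# drop everything else that client sends through the tunnel.
forward_rules() {
    echo "iptables -A FORWARD -i tun0 -s $1/32 -d $2 -j ACCEPT"
    echo "iptables -A FORWARD -s $1/32 -j DROP"
}

# Write <ccd dir>/<user> for every policy line and print the iptables commands
# on stdout. $1 is the ccd directory; a temp dir by default so a dry run is
# harmless. Fails (and stops) on the first invalid address.
apply_policy() {
    ccd_dir=${1:-$(mktemp -d)}
    printf '%s\n' "$POLICY" | while read -r user ip dst; do
        [ -n "$user" ] || continue
        ccd_line "$user" "$ip" > "$ccd_dir/$user" || exit 1
        forward_rules "$ip" "$dst"
    done
}
```

On the server, `apply_policy /etc/openvpn/ccd | sh && service iptables save` (as root) applies the policy; running `apply_policy` without arguments only prints the rules and writes the ccd files to a temporary directory for review. Keeping the address in the policy rather than in two hand-edited places is what stops the ccd file and the FORWARD rules from silently drifting apart.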