Centos6.4下快速构建基于用户名密码验证的open***服务器

Centos6.4下快速构建基于用户名密码验证的open***服务器

       如今×××应用已经非常广泛了，之前就写过一篇关于PPTPD的博文。链接是http://cyr520.blog.51cto.com/714067/1161788。

         家里最近新换了一个宽带。居然没办法用拨上公司的Pptpd×××，一直拨号状态一直停留在正在验证用户名和密码这一步。百度谷歌了一大圈，也没解决这个问题。貌似是因为宽带运营商屏蔽GRE协议的原因。作为运维人员，不能及时的连上公司的内部网络是一件很让人不爽的事情。

         干脆再搞一套Open×××吧，据说Open×××非常强大，可以适应很复杂的网络环境，并且配置也非常灵活。

 

服务端系统环境：

         1、Centos6.4 x86_64

         2、单网卡

 

网络架构：

        

         环境说明：Open×××采用公司内网的一台单网卡服务器部署，通过路由器做端口映射到外网，客户端连上×××服务器需要实现能连上公司内部的其他服务器。

 

 

安装方法分两种，编译安装和使用YUM安装，因为本文讲的是快速构建，所以使用YUM来安装。

 

服务端 *** 作步骤：

添加EPEL仓库：

         yum install http://mirrors.zju.edu.cn/epel/6/i386/epel-release-6-8.noarch.rpm

检查TUN模块：

        modinfo tun

安装Open×××：

         yum install open*** openssl -y

下载密钥制作工具easy_rsa 2：

         wget https://github.com/Open×××/easy-rsa/archive/release/2.x.zip

解压easy_rsa并拷贝到/etc/open***：

         unzip 2.x.zip

         mv easy-rsa-release-2.x/ /etc/open***/

编辑easy-rsa的vars文件，设定相关变量信息：

         cd /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0

         vim vars

export KEY_COUNTRY="CN"

export KEY_PROVINCE="BEIJING"

export KEY_CITY="BEIJING"

export KEY_ORG="XIAOCUI"

export KEY_EMAIL="[email protected]"

export KEY_OU="MyOpen×××"

         编辑完之后，保存退出。

将刚才编辑的vars文件，执行如下命令：

         source vars 

         ./clean-all

         ./build-ca

创建服务器的证书和密钥：

       ./build-key-server Open×××_Server

[root@cloud 2.0]# ./build-key-server Open×××_Server

Generating a 2048 bit RSA private key

.................................+++

............+++

writing new private key to 'Open×××_Server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [XIAOCUI]:

Organizational Unit Name (eg, section) [MyOpen×××]:

Common Name (eg, your name or your server's hostname) [Open×××_Server]:

Name [EasyRSA]:

Email Address [ADMIN@ XIAOCUI.COM]:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BEIJING'

localityName          :PRINTABLE:'BEIJING'

organizationName      :PRINTABLE:' XIAOCUI '

organizationalUnitName:PRINTABLE:'MyOpen×××'

commonName            :T61STRING:'Open×××_Server'

name                  :PRINTABLE:'EasyRSA'

emailAddress          :IA5STRING:'ADMIN@ XIAOCUI.COM'

Certificate is to be certified until May  2 07:49:13 2025 GMT (3650 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

创建客户端的证书和密钥：

       ./build-key client-user-test1

 

[root@cloud 2.0]# ./build-key client-user-test1

Generating a 2048 bit RSA private key

....................+++

...............................................................................+++

writing new private key to 'client-user-cuiyuanrong.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [XIAOCUI]:

Organizational Unit Name (eg, section) [MyOpen×××]:

Common Name (eg, your name or your server's hostname) [client-user-test1]:

Name [EasyRSA]:

Email Address [[email protected]]:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BEIJING'

localityName          :PRINTABLE:'BEIJING'

organizationName      :PRINTABLE:'XIAOCUI'

organizationalUnitName:PRINTABLE:'MyOpen×××'

commonName            :PRINTABLE:'client-user-test1'

name                  :PRINTABLE:'EasyRSA'

emailAddress          :IA5STRING:'[email protected]'

Certificate is to be certified until May  2 07:53:17 2025 GMT (3650 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

创建Diffie Hellman 参数：

       ./build-dh

 

创建Open×××服务端配置文件：

         cd /etc/open***/

         vim server.conf

local 0.0.0.0

port 1194

proto tcp

dev tun

ca /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/keys/ca.crt

cert /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/keys/Open×××_Server.crt

key /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/keys/Open×××_Server.key

dh /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/keys/dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist /var/log/ipp.txt

push "route 10.0.0.0 255.255.255.0"

client-to-client

keepalive 10 120

comp-lzo

persist-key

persist-tun

status open***-status.log

log /var/log/open***.log

log-append /var/log/open***.log

verb 3

script-security 3 system

auth-user-pass-verify /etc/open***/checkpsw.sh via-env

client-cert-not-required

username-as-common-name

创建checkpsw.sh脚本：

         cd /etc/open***

         vim checkpsw.sh

#!/bin/sh

###########################################################

# checkpsw.sh (C) 2004 Mathias Sundman <mathias@open***.se>

#

# This script will authenticate Open××× users against

# a plain text file. The passfile should simply contain

# one row per user with the username first followed by

# one or more space(s) or tab(s) and then the password.

 

PASSFILE="/etc/open***/psw-file"

LOG_FILE="/var/log/open***/open***-password.log"

TIME_STAMP=`date "+%Y-%m-%d %T"`

 

###########################################################

 

if [ ! -r "${PASSFILE}" ]; then

  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}

  exit 1

fi

 

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&=="'${username}'"{print ;exit}' ${PASSFILE}`

 

if [ "${CORRECT_PASSWORD}" = "" ]; then

  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}

  exit 1

fi

 

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then

  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}

  exit 0

fi

 

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}

exit 1

         chmod +x checkpsw.sh

创建psw-file文件：

         cd /etc/open***

         echo "test1 test1" > psw-file

         chmod 400 psw-file

加入开机启动项：

         chkconfig open*** on

启动open***服务端：

         /etc/init.d/open*** start

打包客户端需要的证书和密钥：

         cd /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/keys/

         tar zcvf client_key.tar.gz ca.crt client-user-test1.*

 

防火墙策略

         cat /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Tue May  5 11:25:43 2015

*nat

:PREROUTING ACCEPT [74:10890]

:POSTROUTING ACCEPT [1:156]

:OUTPUT ACCEPT [1:156]

-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

COMMIT

# Completed on Tue May  5 11:25:43 2015

# Generated by iptables-save v1.4.7 on Tue May  5 11:25:43 2015

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [24:3392]

-A INPUT -i lo -j ACCEPT

-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -s 10.8.0.0/24 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT

-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT

-A INPUT -i tun+ -j ACCEPT

-A FORWARD -d 10.8.0.0/24 -j ACCEPT

-A FORWARD -i tun+ -j ACCEPT

-A INPUT -j DROP

COMMIT

# Completed on Tue May  5 11:25:43 2015

 

客户端已windows为例：

客户端 *** 作步骤：

下载windows客户端：

         http://open***.ustc.edu.cn/open***-install-2.3.6-I603-x86_64.exe

安装好客户端软件之后，把之前从服务端打包的客户端需要的证书解压到客户端安装目录下的config目录中。

并且创建客户端配置文件：

         client.o***

client

dev tun

proto tcp

remote 115.183.9.106 1194

nobind

user nobody

group nobody

persist-key

persist-tun

ca ca.crt

;cert client-user-test1.crt

;key client-user-test1.key

comp-lzo

verb 3

auth-user-pass

reneg-sec 360000

测试连接：

到此基于用户名密码的验证方式就部署好了，需要单独证书验证或证书和密码组合验证的，请参考网上其它教程，实际上只需要在客户端和服务端的两个配置文件稍微做下调整即可。

======================================================================================

下面是一些网友客户端链接时遇到的问题：

There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> Open××× -> Add a new TAP-Win32 virtual ethernet adapter.

这个问题是客户端没有安装TAP-Windows Adapter V9虚拟网卡。

Wed May 20 17:40:44 2015 TLS: Initial packet from [AF_INET]10.176.190.148:1194, sid=45a0da91 b5384f05

Wed May 20 17:40:44 2015 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=CN, ST=BEIJING, L=BEIJING, O=XIAOCUI, OU=MyOpen×××, CN=XIAOCUI CA, name=EasyRSA, [email protected]

Wed May 20 17:40:44 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Wed May 20 17:40:44 2015 TLS Error: TLS object -> incoming plaintext read error

Wed May 20 17:40:44 2015 TLS Error: TLS handshake failed

Wed May 20 17:40:44 2015 Fatal TLS error (check_tls_errors_co), restarting

Wed May 20 17:40:44 2015 SIGUSR1[soft,tls-error] received, process restarting

Wed May 20 17:40:44 2015 MANAGEMENT: >STATE:1432114844,RECONNECTING,tls-error,,

Wed May 20 17:40:44 2015 Restart pause, 5 second(s)

这个大概有两个问题存在：

1. 证书生成的有问题

2. 服务端和客户端时间不一致

Thu Feb 10 11:13:07 2015 us=3362 61.4.***.**:45771 TLS: Initial packet from 61.4.***.**:45771, sid=eec450eb 8673ceef

Thu Feb 10 11:13:10 2015 us=798063 61.4.***.**:45771 open***_execve: external program may not be called unless '--script-secur ity 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help t ext or man page for detailed info.

Thu Feb 10 11:13:10 2015 us=798127 61.4.***.**:45771 TLS Auth Error: user-pass-verify script failed to execute: /usr/bin/php - q /home/xiaohui/open***-manager/admin/open***-auth.php

Thu Feb 10 11:13:10 2015 us=798141 61.4.***.**:45771 TLS Auth Error: Auth Username/Password verification failed for peer

这个问题多半是试用用户名密码验证的时候回出现的问题，需要在服务端配置文件加如下参数：

script-security 3 system