Linux為企業(yè)搭建穩(wěn)固的SSL VPN服務(wù)

Linux為企業(yè)搭建穩(wěn)固的SSLVPN服務(wù)作者：佚名出處：論壇2013-05-1606:55一、OpenVPN是靠虛擬的TUN/TAP設(shè)備實(shí)現(xiàn)SSLVPN的，因此內(nèi)核必須支持TUN/TAP設(shè)備模塊，這個(gè)配置選項(xiàng)在2.6.x內(nèi)核中，位于DeviceDrivers->Networkdevicesupport菜單中，全稱(chēng)是UniversalTUN/TAPdevicedriversupport，通常在標(biāo)準(zhǔn)內(nèi)核中，會(huì)以模塊方式提供，在OpenVPN啟動(dòng)時(shí)，它會(huì)自動(dòng)加載此模塊，因此不需要手工加載此模塊。[root@dic1722.6.18-238.12.1.el5-i686]#pwd/usr/src/kernels/2.6.18-238.12.1.el5-i686[root@dic1722.6.18-238.12.1.el5-i686]#makemenuconfig#打開(kāi)內(nèi)核菜單DeviceDrivers>Networkdevicesupport><M>UniversalTUN/TAPdevicedriversupport#<M>即表示以模塊化加載到內(nèi)核中二、在安裝OpenVPN之前，還需要安裝一些支持包，包括OpenSSL開(kāi)發(fā)庫(kù)和LZO壓縮開(kāi)發(fā)庫(kù)1、可使用yum安裝OpenSSL開(kāi)發(fā)庫(kù)，但需要手工下載并安裝LZO開(kāi)發(fā)包。[root@dic172/]#yuminstallopenssl[root@dic172/]#yuminstallopenssl-devel2、可到/opensource/lzo/下載LZO[root@dic172src]#tarzxvflzo-2.03.tar.gz[root@dic172src]#cdlzo-2.03[root@dic172lzo-2.03]#./configure[root@dic172lzo-2.03]#make[root@dic172lzo-2.03]#makeinstall三、配置SSLVPN服務(wù)1、到/release/下載openvpn-2.0.9.tar.gz并安裝[root@dic172src]#tarzxvfopenvpn-2.0.9.tar.gz[root@dic172src]#cdopenvpn-2.0.9/[root@dic172openvpn-2.0.9]#./configure[root@dic172openvpn-2.0.9]#make[root@dic172openvpn-2.0.9]#makeinstall[root@dic172openvpn-2.0.9]#cp-psample-scripts/openvpn.init/etc/init.d/openvpn[root@dic172openvpn-2.0.9]#chkconfig--addopenvpn[root@dic172openvpn-2.0.9]#serviceopenvpnstatus#查看服務(wù)狀態(tài)openvpn:servicenotstarted[root@dic172openvpn-2.0.9]#chkconfig--level235openvpnon[root@dic172openvpn-2.0.9]#chkconfig--listopenvpnopenvpn0:off1:off2:on3:on4:on5:on6:off2、開(kāi)啟IP轉(zhuǎn)發(fā)功能[root@dic172openvpn-2.0.9]#vi/etc/.ipv4.ip_forward=1[root@dic172openvpn-2.0.9]#sysctl-p3、定義OpenVPN的配置目錄為/etc/openvpn，把服務(wù)器配置文件定義為/etc/openvpn/server.confOpenVPN是一個(gè)SSLVPN實(shí)現(xiàn)，因此，認(rèn)證中最重要的是服務(wù)器和客戶(hù)端的SSL證書(shū)管理，如果管理員之前沒(méi)有SSL證書(shū)發(fā)布機(jī)制，那么可以使用OpenVPN附帶的一組工具來(lái)完成所有的工作。在/usr/src/openvpn-2.0.9/中，有一個(gè)easy-rsa目錄，這下面就是一些一成和管理SSL證書(shū)的工具，以下為生成證書(shū)操作。[root@dic172openvpn-2.0.9]#mkdir-p/etc/openvpn[root@dic172openvpn-2.0.9]#cp-psample-config-files/server.conf/etc/openvpn/#將樣本配置文件復(fù)制到/etc/openvpn/，后面再做修改4、修改vars文件變量，設(shè)置國(guó)家代碼、省份、地市、機(jī)構(gòu)名單、單位名稱(chēng)郵件等[root@dic172openvpn-2.0.9]#cdeasy-rsa/[root@dic172easy-rsa]#grep-v"#"varsexportD=`pwd`exportKEY_CONFIG=$D/fexportKEY_DIR=$D/keysechoNOTE:whenyourun./clean-all,Iwillbedoingarm-rfon$KEY_DIRexportKEY_SIZE=1024exportKEY_COUNTRY=CNexportKEY_PROVINCE=GDexportKEY_CITY=SZexportKEY_ORG="DIC"exportKEY_EMAIL="tghfly222@126.com"[root@dic172easy-rsa]#sourcevarsNOTE:whenyourun./clean-all,Iwillbedoingarm-rfon/usr/src/openvpn-2.0.9/easy-rsa/keys#提示可使用./clean-all清除所有包括CA在內(nèi)的所有證書(shū)5、使用clean-all腳本清除包括CA在內(nèi)的所有證書(shū)，再創(chuàng)建CA證書(shū)。[root@dic172easy-rsa]#./clean-all#先清除證書(shū)，再創(chuàng)建證書(shū)[root@dic172easy-rsa]#./build-ca#創(chuàng)建CA證書(shū)Generatinga1024bitRSAprivatekey++++++++++++writingnewprivatekeyto'ca.key'Youareabouttobeaskedtoenterinformationthatwillbeoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.CountryName(2lettercode)[CN]:StateorProvinceName(fullname)[GD]:LocalityName(eg,city)[SZ]:OrganizationName(eg,company)[DIC]:OrganizationalUnitName(eg,section)[]:CommonName(eg,yournameoryourserver'shostname)[]:dic172#服務(wù)器主機(jī)名EmailAddress[tghfly222@126.com]:6、創(chuàng)建服務(wù)器密鑰。[root@dic172easy-rsa]#./build-key-serverserver#創(chuàng)建服務(wù)器端密鑰Generatinga1024bitRSAprivatekey++++++++++++writingnewprivatekeyto'server.key'Youareabouttobeaskedtoenterinformationthatwillbeoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.CountryName(2lettercode)[CN]:StateorProvinceName(fullname)[GD]:LocalityName(eg,city)[SZ]:OrganizationName(eg,company)[DIC]:OrganizationalUnitName(eg,section)[]:CommonName(eg,yournameoryourserver'shostname)[]:dic172#服務(wù)器主機(jī)名EmailAddress[tghfly222@126.com]:Pleaseenterthefollowing'extra'attributestobesentwithyourcertificaterequestAchallengepassword[]:dic172Anoptionalcompanyname[]:dic172Usingconfigurationfrom/usr/src/openvpn-2.0.9/easy-rsa/fCheckthattherequestmatchesthesignatureSignatureokTheSubject'sDistinguishedNameisasfollowscountryName:PRINTABLE:'CN'stateOrProvinceName:PRINTABLE:'GD'localityName:PRINTABLE:'SZ'organizationName:PRINTABLE:'DIC'commonName:PRINTABLE:'dic172'emailAddress:IA5STRING:'tghfly222@126.com'CertificateistobecertifieduntilJul1605:51:082021GMT(3650days)Signthecertificate?[y/n]:y1outof1certificaterequestscertified,commit?[y/n]yWriteoutdatabasewith1newentriesDataBaseUpdated[NextPage]7、創(chuàng)建客戶(hù)端密鑰，客戶(hù)端密鑰名可隨意命名。[root@dic172easy-rsa]#./build-keyclientGeneratinga1024bitRSAprivatekey++++++++++++writingnewprivatekeyto'client.key'Youareabouttobeaskedtoenterinformationthatwillbeoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.CountryName(2lettercode)[CN]:StateorProvinceName(fullname)[GD]:LocalityName(eg,city)[SZ]:OrganizationName(eg,company)[DIC]:OrganizationalUnitName(eg,section)[]:CommonName(eg,yournameoryourserver'shostname)[]:tgh#不同客戶(hù)端，命名絕不能一樣EmailAddress[tghfly222@126.com]:Pleaseenterthefollowing'extra'attributestobesentwithyourcertificaterequestAchallengepassword[]:dic172Anoptionalcompanyname[]:dic172Usingconfigurationfrom/usr/src/openvpn-2.0.9/easy-rsa/fCheckthattherequestmatchesthesignatureSignatureokTheSubject'sDistinguishedNameisasfollowscountryName:PRINTABLE:'CN'stateOrProvinceName:PRINTABLE:'GD'localityName:PRINTABLE:'SZ'organizationName:PRINTABLE:'DIC'commonName:PRINTABLE:'tgh'emailAddress:IA5STRING:'tghfly222@126.com'CertificateistobecertifieduntilJul1605:52:272021GMT(3650days)Signthecertificate?[y/n]:y1outof1certificaterequestscertified,commit?[y/n]yWriteoutdatabasewith1newentriesDataBaseUpdated8、創(chuàng)建dhDiffie-Hellman）密鑰算法文件[root@dic172easy-rsa]#./build-dhGeneratingDHparameters,1024bitlongsafeprime,generator2Thisisgoingtotakealongtime...++++++++++++++++..++++*++*++*9、生成tls-auth密鑰，tls-auth密鑰可以為點(diǎn)對(duì)點(diǎn)的VPN連接提供了進(jìn)一步的安全驗(yàn)證，如果選擇使用這一方式，服務(wù)器端和客戶(hù)端都必須擁有該密鑰文件。[root@dic172easy-rsa]#openvpn--genkey--secretkeys/ta.key[root@dic172easy-rsa]#cp-rpkeys//etc/openvpn/#將證書(shū)文件復(fù)制到/etc/openvpn/10、修改server.conf配置文件[root@dic172openvpn]#grep-v"#"server.conflocal72#服務(wù)器所使用的IPport1194#使用1194端口protoudp#使用UDP協(xié)議devtun#使用tun設(shè)備ca/etc/openvpn/keys/ca.crt#指定CA證書(shū)文件路徑cert/etc/openvpn/keys/server.crtdh/etc/openvpn/keys/dh1024.pemtls-auth/etc/openvpn/keys/ta.key0server#VPN客戶(hù)端撥入后，所獲得的IP地址池ifconfig-pool-persistipp.txtpush"dhcp-optionDNS33"#客戶(hù)端所獲得的DNSclient-to-clientkeepalive10120comp-lzopersist-keypersist-tunstatusopenvpn-status.logverb3mute20[root@dic17