
Pitfalls of OpenVPN

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Introduction to how OpenVPN works

The technical core of OpenVPN is the virtual network card; the second core piece is its implementation of the SSL protocol:

The virtual network card is a driver implemented with low-level network programming. After it is installed, the host has one more network card, which can be configured like any other. The service program can open the virtual network card from the application layer: if application software (such as IE) sends data to the virtual network card, the service program can read that data, and if the service program writes suitable data to the virtual network card, the application software receives it. Virtual network cards exist on many operating systems, which is a major reason OpenVPN is cross-platform.

In OpenVPN, when a user accesses a remote virtual address (one from the address range assigned to the virtual network card, distinct from the real address), the operating system's routing sends the packet (TUN mode) or frame (TAP mode) to the virtual network card. The service program reads it, processes it, and sends it out to the external network through a socket. The remote service program receives the data from the external network through its socket, processes it, and writes it to its own virtual network card, where the application software receives it. That completes a one-way transfer; the reverse direction works the same way.
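To make the TUN-mode data path above concrete, the following is an added example (not code from the original post or from OpenVPN): a user-space program that opens a Linux TUN device, parses the IPv4 header of each packet the kernel routes into it, and hands packets bound for the remote virtual subnet to a transport callback. The device name tun0, the 10.8.0.0/24 virtual subnet and the sample packets are assumptions, and unlike OpenVPN it performs no encryption.

```python
import fcntl
import ipaddress
import os
import struct

# Linux ioctl constants for creating a TUN device (values from linux/if_tun.h).
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001    # layer-3 device: we get raw IP packets (the page's TUN mode)
IFF_NO_PI = 0x1000  # no 4-byte packet-information prefix on each packet


def open_tun(name="tun0"):
    """Open the virtual NIC from user space; needs root or CAP_NET_ADMIN."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), IFF_TUN | IFF_NO_PI))
    return fd


def parse_ipv4(packet):
    """Return (src, dst, protocol) from an IPv4 header, or None if not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    proto, src, dst = struct.unpack_from("!9xB2x4s4s", packet)
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto


def sample_packet(src, dst, proto=17):
    """Constructed 20-byte IPv4 header with an empty payload (sample input only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def relay_once(tun_fd, send, virtual_net):
    """One hop of the page's data path: read the packet the OS routed into the
    virtual NIC and, if its destination is in the remote virtual subnet, hand it
    to `send` (the real-network transport). Returns the header or None if dropped.
    Unlike OpenVPN, nothing here encrypts the packet; it only shows the flow."""
    packet = os.read(tun_fd, 65535)
    hdr = parse_ipv4(packet)
    if hdr and ipaddress.IPv4Address(hdr[1]) in virtual_net:
        send(packet)
        return hdr
    return None
```

On a real host, `relay_once(open_tun(), lambda p: sock.sendto(p, peer), ipaddress.ip_network("10.8.0.0/24"))` in a loop is the forwarding half; the receiving half writes what arrives on the socket back with `os.write(tun_fd, data)`.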

Advantages and disadvantages of OpenVPN

Advantages: low cost; it is a cheap and effective way to build a VPN that can replace expensive leased lines, and it is more flexible than a physical leased line. For example, a company can adjust the number of VPN sites as its needs change.

Disadvantages: not easy to build; it is technically demanding, requiring a deep understanding of networking and security issues plus careful planning and configuration. The lack of quality-of-service (QoS) management on the Internet can lead to packet loss and other performance problems, and if there is a problem on the public network, the administrator of the private network cannot do anything about it. For this reason, many large companies buy a trusted VPN service to guarantee service quality.

The role of a VPN in accessing the public network with better speed (example: online game acceleration)

VPN categories

PPTP

Point-to-Point Tunneling Protocol (PPTP) is a point-to-point tunneling protocol developed by the PPTP Forum, whose members include Microsoft and 3Com. It is based on the PPP protocol used for dial-up, uses PAP or CHAP, or Microsoft's Point-to-Point Encryption (MPPE), and creates a VPN across TCP/IP data networks so that data can be transmitted securely from remote clients to dedicated enterprise servers. PPTP supports on-demand, multiprotocol virtual private networks over public networks such as the Internet. PPTP allows IP traffic to be encrypted and then encapsulated in IP headers for transmission across a corporate IP network or a public IP network such as the Internet.

L2TP

Layer 2 Tunneling Protocol (L2TP) is the successor to PPTP, developed by the IETF on the basis of L2F, Cisco's Layer 2 Forwarding protocol. It is an industry-standard Internet tunneling protocol that encapsulates Point-to-Point Protocol (PPP) frames for delivery over packet-oriented media. Both PPTP and L2TP encapsulate data with PPP and then add extra headers for transmission over the Internet. PPTP can establish only a single tunnel between two endpoints; L2TP supports multiple tunnels between two endpoints, so users can create different tunnels for different qualities of service. L2TP provides tunnel authentication, while PPTP does not. However, when L2TP or PPTP is used together with IPSec, IPSec provides the tunnel authentication, and the layer 2 protocol does not need to authenticate the tunnel itself. PPTP requires the Internet to be an IP network; L2TP only requires the tunnel medium to provide packet-oriented point-to-point connectivity, so L2TP can run over IP (using UDP), Frame Relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs) or ATM VCs.

IPSec

An IPSec tunnel is the whole process of encapsulation, routing and de-encapsulation. The tunnel hides (encapsulates) the original packet inside a new packet, which may carry new addressing and routing information so that it can be transmitted over the network. When tunneling is combined with data confidentiality, anyone eavesdropping on the network cannot obtain the original packet data (nor its original source and destination). When the encapsulated packet reaches the tunnel endpoint, the encapsulation is removed and the original packet header is used to route the packet to its final destination.

SSL VPN

The SSL protocol provides data privacy, endpoint authentication, message integrity and similar properties. It consists of several sub-protocols, the two main ones being the handshake protocol and the record protocol. The handshake protocol lets the server and client authenticate each other and negotiate an encryption algorithm and cipher key before the application protocol transmits its first byte of data. During data transmission, the record protocol encrypts and decrypts the exchanged data using the key produced by the handshake.

Deployment of OpenVPN

1. Disable SELinux

setenforce 0

2. Install the compilation environment

yum -y install gcc gcc-c++ make
yum -y install pam-devel.x86_64

3. Configure time synchronization on the VPN server

# install ntpdate
yum -y install ntp ntpdate
# synchronize the clock once
ntpdate cn.pool.ntp.org
# add a scheduled task that synchronizes the clock every day
crontab -e
00 12 * * * /usr/sbin/ntpdate cn.pool.ntp.org
# an earlier test failed to connect because the clock was wrong (certificate validity periods are checked against it)

4. Install the LZO compression module

# fetch the package
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
# extract and install
tar xf lzo-2.10.tar.gz
cd lzo-2.10
./configure
make && make install

5. Install the OpenVPN software

# install OpenSSL
yum -y install openssl*
# fetch the source package
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.6.tar.gz
# extract and install
tar xf openvpn-2.4.6.tar.gz
cd openvpn-2.4.6
./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
make && make install
# check the version: symlink the binary built in the source tree
ln -sv /home/openvpn-2.4.6/src/openvpn/openvpn /usr/bin/openvpn
openvpn --version

6. Configure the CA certificate

# download easy-rsa
wget http://build.openvpn.net/downloads/releases/easy-rsa-2.2.0_master.tar.gz
tar xf easy-rsa-2.2.0_master.tar.gz
cd easy-rsa-2.2.0_master
./configure
make && make install
# place it under /etc/openvpn
mkdir /etc/openvpn
cp -rf /home/easy-rsa /etc/openvpn/
# edit vars
vi /etc/openvpn/easy-rsa/vars

cd /etc/openvpn/easy-rsa
source vars    # run the script to set the environment variables needed when generating certificates
# generate the root certificate (CA certificate); the CA certificate must be deployed on both the server and the client
./build-ca     # press Enter all the way through
# view the result
[root@aliyun ~]# ll /etc/openvpn/keys/ca*
-rw-r--r-- 1 root root 1643 Dec 12 11:05 /etc/openvpn/keys/ca.crt
-rw------- 1 root root 1704 Dec 12 11:05 /etc/openvpn/keys/ca.key

Introduction to the easy-rsa tools

[root@aliyun easy-rsa]# ll

build-ca          # generate the CA certificate
build-dh          # generate the key-exchange (Diffie-Hellman) parameter file
build-key         # generate a client key pair without a password
build-key-pass    # generate a client key pair protected by a password
build-key-server  # generate the server key pair
clean-all         # initialize the configuration and clear all keys
pkitool           # the command that each certificate-generation script calls
revoke-full       # revoke a certificate
vars              # predefined basic certificate information

7. Generate the server certificate and key

./build-key-server jhrdc

# view the certificate
[root@aliyun ~]# ll /etc/openvpn/easy-rsa/keys/jhrdc.*
-rw-r--r-- 1 root root 5340 Dec 12 11:08 /etc/openvpn/easy-rsa/keys/jhrdc.crt   # server certificate
-rw-r--r-- 1 root root 1115 Dec 12 11:08 /etc/openvpn/easy-rsa/keys/jhrdc.csr   # server certificate request file
-rw------- 1 root root 1708 Dec 12 11:08 /etc/openvpn/easy-rsa/keys/jhrdc.key   # server private key

8. Generate the client certificates and keys. To generate several certificates, repeat this step (one certificate can only be used by one person)

./build-key test    # press Enter all the way through, as for the server

9. Generate a client key, ett, that requires password authentication

./build-key-pass ett
Generating a 2024 bit RSA private key
.+++
...+++
writing new private key to 'ett.key'
Enter PEM pass phrase:                 # enter the user's password (the VPN dial-in password)
Verifying - Enter PEM pass phrase:     # confirm the password
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [oldboy]:
Organizational Unit Name (eg, section) [oldboy]:
Common Name (eg, your name or your server's hostname) [ett]:
Name [oldboy]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 123456
An optional company name []: oldboy
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'oldboy'
organizationalUnitName:PRINTABLE:'oldboy'
commonName            :PRINTABLE:'ett'
name                  :PRINTABLE:'oldboy'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Oct 23 08:45:44 2028 GMT (3650 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated

# view the certificate
[root@aliyun ~]# ll /etc/openvpn/easy-rsa/keys/ett*
-rw-r--r-- 1 root root 5217 Dec 12 11:12 /etc/openvpn/easy-rsa/keys/ett.crt
-rw-r--r-- 1 root root 1110 Dec 12 11:12 /etc/openvpn/easy-rsa/keys/ett.csr
-rw------- 1 root root 1834 Dec 12 11:12 /etc/openvpn/easy-rsa/keys/ett.key

10. Generate the key-exchange (Diffie-Hellman) parameter file

./build-dh    # how long this takes depends on the environment; just wait

11. Prevent malicious connections (such as DoS and UDP port flooding) by generating an "HMAC firewall" key

openvpn --genkey --secret keys/ta.key
[root@aliyun ~]# ll /etc/openvpn/easy-rsa/keys/ta*
-rw------- 1 root root 636 Dec 12 11:20 /etc/openvpn/easy-rsa/keys/ta.key
# copy the certificates
cp -ap keys/ /etc/openvpn/
# copy the sample server and client configuration files into the /etc/openvpn/ directory
[root@aliyun ~]# cp openvpn-2.4.6/sample/sample-config-files/{client,server}.conf /etc/openvpn/
[root@aliyun openvpn]# ls
client.conf  easy-rsa  keys  server.conf

12. Back up the configuration files

cp client.conf client.conf.bak
cp server.conf server.conf.bak

# server configuration
[root@aliyun ~]# grep -vE ";|#|^$" /etc/openvpn/server.conf
port 52115
proto tcp                                # listening protocol; tcp is recommended when there are many concurrent connections
dev tun                                  # VPN server mode, tap or tun
ca /etc/openvpn/keys/ca.crt              # write absolute paths
cert /etc/openvpn/keys/jhrdc.crt
dh /etc/openvpn/keys/dh3048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.18.249.0 255.255.240.0"  # push an extra route to clients
client-to-client                         # allow the dialed-in clients to communicate with each other; many clients connect with one account
keepalive 10 120
cipher AES-256-CBC
persist-key                              # on a timeout or restart, keep the last private key instead of rereading it
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb keys

13. Start the service for debugging

# enable IP forwarding (takes effect after sysctl -p or a reboot)
sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#' /etc/sysctl.conf
# start the service
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
# check the VPN service port
netstat -lntup | grep vpn
# start at boot
echo "# startup openvpn" >> /etc/rc.local
echo "/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &" >> /etc/rc.local

14. Windows client configuration

Download the client: https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.1-I601.exe

Configure the client certificates

Download ca.crt, test.crt and test.key

The configuration file is as follows:

client
dev tun
proto tcp
remote IP 52115                            # replace IP with the server's public address
resolv-retry infinite
nobind
persist-key
persist-tun
ca D:\\OpenVPN\\config\\test\\ca.crt       # note that the Windows path format differs from Linux
cert D:\\OpenVPN\\config\\test\\test.crt
key D:\\OpenVPN\\config\\test\\test.key
ns-cert-type server
comp-lzo
verb 3
log D:\\OpenVPN\\config\\test\\openvpn.log
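As an added check (example code, not from the original post), the following Python script parses the two configurations the way the page's grep does and reports the mismatches and missing hardening that commonly bite: the ta.key generated in step 11 is never referenced by either file, comp-lzo appears only in the client, and ns-cert-type is deprecated in OpenVPN 2.4. The embedded configs are cut-down constructed copies of the server and client files above, with a made-up remote address.

```python
# Constructed samples: the page's server.conf and Windows client config,
# cut down to the directives the checks below look at (remote IP is made up).
SERVER_CONF = """\
port 52115
proto tcp
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC   # trailing comments like the page's are stripped
"""
CLIENT_CONF = """\
client
proto tcp
remote 203.0.113.10 52115
ns-cert-type server
comp-lzo
"""


def parse_conf(text):
    """Map directive -> argument list, dropping comments and blank lines
    (the same view the page's `grep -vE ";|#|^$"` gives)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf


def audit(server_text, client_text):
    """Return the findings for a server/client pair; an empty list means clean."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    findings = []
    # The ta.key from step 11 only protects the port if both sides reference it.
    for side, conf in (("server", s), ("client", c)):
        if "tls-auth" not in conf and "tls-crypt" not in conf:
            findings.append(f"{side}: no tls-auth/tls-crypt, ta.key is unused")
    # Transport and port must agree or the client never completes a handshake.
    if s.get("proto") != c.get("proto"):
        findings.append("proto differs between server and client")
    remote = c.get("remote", [])
    if s.get("port") and len(remote) > 1 and s["port"][0] != remote[1]:
        findings.append("client remote port does not match server port")
    # Compression has to be configured on both ends.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo is set on one side only")
    # ns-cert-type was deprecated in OpenVPN 2.4 in favour of remote-cert-tls.
    if "ns-cert-type" in c and "remote-cert-tls" not in c:
        findings.append("client: ns-cert-type is deprecated, use remote-cert-tls server")
    return findings
```

To audit the real files, pass `open("/etc/openvpn/server.conf").read()` and the client file's contents to `audit()` instead of the embedded samples.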

Import the configuration and click Connect to log in; the original post shows a screenshot of a successful connection at this point.

Reference https://idc.wanyunshuju.com/***/915.html
