2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report--
I. Reference examples of configuration files
1. Easy-*** configuration example
1) Easy-*** certificate authentication * server configuration:
[root@master open***]# grep -P -v "^(#|;|$)" server.conf
local 202.102.1.1
port 1194
proto udp
dev tap
ca ca.crt
cert *server.crt
key *server.key  # This file should be kept secret
dh dh2024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
2) Easy-*** certificate authentication * client configuration:
[root@slave2 open***]# grep -P -v "^(;|#|$)" client.conf
client
dev tap
proto udp
remote **.example.com 1194  # this FQDN must resolve to the IP of the server's external interface
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
1) Easy-*** username and password authentication * server configuration:
[root@master open***]# grep -P -v "^(;|#|$)" server.conf
auth-user-pass-verify /etc/open***/checkpsw.sh via-env  # via-env hands the credentials to the script as environment variables; on Open*** 2.1 and later this also requires "script-security 3" (via-file needs level 2)
client-cert-not-required  # do not require a client certificate; without this line every client must present one. Deprecated in Open*** 2.4 in favour of "verify-client-cert none" and removed in 2.5
username-as-common-name  # use the supplied username instead of the certificate CN for status output and client-config-dir lookups
local 202.102.1.1
port 1194
proto udp
dev tap
ca ca.crt
cert *server.crt
key *server.key  # This file should be kept secret
dh dh2024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
[root@master open***]# ll checkpsw.sh psw-file
-rwxr-x--- 1 nobody nobody 1191 Sep  1 09:57 checkpsw.sh
-r-------- 1 nobody nobody   37 Sep  1 09:59 psw-file
Note: both files must be owned by user and group nobody, and psw-file must have mode 400. The script is executed by the daemon after it has dropped to "user nobody", so that account needs read (and for the script, execute) access. The flip side is that any other process running as nobody can then read the password file, and can modify checkpsw.sh because its owner has write permission; on a host that runs other services as nobody, use a dedicated account for the daemon instead.
[root@master open***]# cat checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate Open*** users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/open***/psw-file"
LOG_FILE="/var/log/open***-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# Look up the password stored for $username (exported by Open*** in via-env mode).
# The username is handed to awk with -v instead of being spliced into the program
# text, so a username containing quotes cannot alter the awk program.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u {print $2; exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

# Note: as in the original script, the two failure branches write the submitted
# password to the log in clear text. Remove password=... from those echo lines
# on any real deployment.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
[root@master open***] # cat psw-file
Robin123
Marry123
# user name password
2) Easy-*** username and password authentication * client configuration:
[root@slave2 open***]# grep -P -v "^(#|;|$)" client.conf
client
auth-user-pass
dev tap
proto udp
remote **.example.com 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
comp-lzo
verb 3
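The psw-file above stores passwords in clear text, and checkpsw.sh logs the submitted password whenever a login fails. The following verifier is an added example (it is not code from the page, and not part of OpenVPN, which the page writes as Open***) showing how the same auth-user-pass-verify hook can be served with salted PBKDF2 hashes, a constant-time comparison, and a log that never contains the password. It supports both via-file and via-env. The path /etc/openvpn/psw-file, the record format username:iterations:salt:hash, the iteration count, and the username character whitelist are assumptions of this example.

```python
"""Hashed-password verifier for the auth-user-pass-verify hook (added example).

Usage in server.conf (paths assumed):
  script-security 2
  auth-user-pass-verify /etc/openvpn/checkpsw.py via-file
or
  script-security 3
  auth-user-pass-verify /etc/openvpn/checkpsw.py via-env
Exit status 0 accepts the login; anything else rejects it.
"""
import hashlib
import hmac
import os
import re
import sys
from base64 import b64decode, b64encode

PASSFILE = "/etc/openvpn/psw-file"   # assumed location; same role as psw-file on the page
ITERATIONS = 200_000                  # PBKDF2-HMAC-SHA256 work factor for new records
# Under username-as-common-name the username becomes the CN and hence a
# client-config-dir file name, so restrict it to a safe character set (assumed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")
DUMMY = (ITERATIONS, b"\x00" * 16, b"\x00" * 32)   # used for unknown users to equalise timing


def make_record(username: str, password: str, salt: bytes = b"") -> str:
    """Build one psw-file line: username:iterations:salt_b64:hash_b64."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username}:{ITERATIONS}:{b64encode(salt).decode()}:{b64encode(digest).decode()}"


def parse_records(text: str) -> dict:
    """Parse psw-file text; lines starting with '#' or ';' are comments, as in checkpsw.sh."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        user, iters, salt, digest = line.split(":", 3)
        records[user] = (int(iters), b64decode(salt), b64decode(digest))
    return records


def verify(username: str, password: str, records: dict) -> bool:
    """True only for a known user with the right password; always spends one PBKDF2."""
    if not USERNAME_RE.match(username):
        return False
    iters, salt, expected = records.get(username, DUMMY)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return username in records and hmac.compare_digest(actual, expected)


def credentials_from_openvpn(argv: list) -> tuple:
    """via-file: argv[1] names a temp file with the username on line 1 and the password on line 2.
    via-env: the daemon exports them as the environment variables username and password."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lines = fh.read().splitlines() + ["", ""]
        return lines[0], lines[1]
    return os.environ.get("username", ""), os.environ.get("password", "")


def main() -> int:
    username, password = credentials_from_openvpn(sys.argv)
    try:
        with open(PASSFILE, encoding="utf-8") as fh:
            records = parse_records(fh.read())
    except OSError as exc:
        print(f"checkpsw: cannot read {PASSFILE}: {exc}", file=sys.stderr)
        return 1
    ok = verify(username, password, records)
    # Log the outcome only; the password itself is never written anywhere.
    print(f"checkpsw: username={username!r} result={'accepted' if ok else 'rejected'}", file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Records are produced with make_record() and appended to the password file, which should stay readable only by the account the daemon drops to (user nobody in the configs above). An unknown username still costs one PBKDF2 computation so that user enumeration by response time is harder; the remaining difference between "known" and "unknown" is a dictionary lookup.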
2. Site-to-Site * configuration example
1) Site-to-site * server configuration file:
[root@master open***]# grep -P -v "^(;|#|$)" server.conf
local 202.102.1.1
port 1194
proto udp
dev tun
ca ca.crt
cert *server.crt
key *server.key  # This file should be kept secret
dh dh2024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"  # the LAN behind the server, pushed to clients
client-config-dir ccd
route 192.168.2.0 255.255.255.0  # the LAN behind the client: kernel route into the tunnel
client-to-client
keepalive 10 120
tls-auth ta.key 0  # This file is secret
cipher BF-CBC  # Blowfish was the historical default, but it is a 64-bit-block cipher (SWEET32 birthday attack on long-lived tunnels) and is no longer the default since Open*** 2.5; use AES-256-GCM
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
[root@master open***]# open*** --genkey --secret ta.key
[root@master open***]# mkdir /etc/open***/ccd/
[root@master open***]# echo "iroute 192.168.2.0 255.255.255.0" > /etc/open***/ccd/slave2.example.com
Note: the file name /etc/open***/ccd/slave2.example.com must be exactly the Common Name in the * client's certificate. The "route" line in server.conf tells the kernel to send 192.168.2.0/24 into the tunnel interface; the "iroute" line in the ccd file tells Open*** which client that network sits behind. Both are required for the server and the other clients to reach the remote site.
2) Site-to-site * client configuration file:
[root@slave2 open***]# grep -P -v "^(;|#|$)" client.conf
client
dev tun
proto udp
remote **.example.com 1194  # this FQDN must resolve to the IP of the server's external interface
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server  # checks the nsCertType extension of the server certificate; deprecated in Open*** 2.4 and removed in 2.5, use "remote-cert-tls server"
tls-auth ta.key 1
comp-lzo
verb 3
II. Description of configuration file parameters
# Lines beginning with # or ; are comments
local 202.102.1.1  # IP address to listen on; the default is to listen on all addresses
port 2194  # Open*** server listening port
;proto tcp
proto udp  # choose TCP or UDP transport; UDP is the usual choice
dev tun  # tun creates a routed IP tunnel (layer 3); tap creates an Ethernet tunnel (layer 2)
# routed IP is easier to control and is recommended; use tap only when layer-2 traffic
# (for example IPX, or anything that needs Ethernet bridging) is actually required
server 10.9.0.0 255.255.255.0  # the * address pool; Open*** hands out addresses from it
# like a DHCP server. It must not overlap the local network of either side,
# and the server takes the .1 address by default.
push "route 172.18.2.0 255.255.255.0"  # pushes a route so clients can reach the corporate internal servers;
# remember that those internal servers also need a route back to the client pool
ifconfig-pool-persist /usr/local/etc/ipp.txt  # keeps a client-to-virtual-IP table so that a
# reconnecting client gets the same address
push "dhcp-option DNS 172.18.2.23"  # use the DHCP-option mechanism of Open*** to push DNS, WINS, etc.
push "dhcp-option DNS 202.96.128.86"
# Key point: the SSL/TLS root certificate (ca), the certificate (cert)
# and the private key (key) must all be specified
# ca.crt is used by both the server and the client, but ca.key is never needed on either
# the server and the client each specify their own .crt and .key
# Mind the paths: they may be relative (resolved from the directory Open*** is started in,
# normally the configuration directory) or absolute
# Keep the .key files private
ca /usr/local/etc/keys/ca.crt
cert /usr/local/etc/keys/server.crt
key /usr/local/etc/keys/server.key
# Diffie-Hellman parameters
dh /usr/local/etc/keys/dh2024.pem
crl-verify /usr/local/etc/keys/***crl.pem  # certificate revocation list, used to revoke client certificates
# Extra hardening: HMAC-authenticate every control-channel packet
# Generate with:
#   open*** --genkey --secret ta.key
# The server and each client must have
# a copy of this key.
# The second parameter should be 0
# on the server and 1 on the clients.
tls-auth /usr/local/etc/keys/ta.key 0
# Liveness check: ping every 10 seconds; if the peer has not answered within 120 seconds it is considered down
keepalive 10 120
comp-lzo  # LZO compression; server and client must agree. Compressing plaintext next to attacker-controlled
# data enables compression-oracle attacks, so newer Open*** releases warn about it; leave it out unless needed
status /var/log/open***-status.log  # short status file rewritten every minute listing the current clients
# Log verbosity:
# 0 logs only error messages.
# 4 is reasonable for normal operation.
# 5 and 6 help when debugging connection problems.
# 9 is extreme and shows everything, down to packet headers (like tcpdump)
verb 4
mute 20  # suppress repeats: after 20 consecutive identical messages, further copies are not logged
# Run Open*** as user and group nobody after startup (privilege drop)
user nobody
group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
# i.e. keep the key material and the tun/tap device open across restarts
persist-key
persist-tun
Description of other parameters:
# Assign a fixed IP or a route to a specific client, usually the private network
# behind that client, not the network the server is attached to
# ccd is a directory under /etc/open***; it holds one file per client, named after the
# Common Name in that client's certificate, containing the settings to enforce.
# For example, if the Common Name is client1, write the fixed address into /etc/open***/ccd/client1:
#   ifconfig-push 10.9.0.1 10.9.0.2
client-config-dir /usr/local/etc/ccd
# To send all client traffic through the *, use this statement; it changes the
# client's default gateway to the * server. It is recommended to leave it off.
# If enabled, take care with the DNS/DHCP options pushed by the server
;push "redirect-gateway"
# To allow several clients with the same Common Name to be logged in at once,
# uncomment the following line. Each client should have its own Common Name;
# this option is mostly used for testing
;duplicate-cn
# Maximum number of concurrent clients
;max-clients 3
# Management interface: IP and port to listen on. Without a pw-file argument any
# local user who can reach the port can control the daemon; add one, or use a
# Unix socket with restricted permissions
management localhost 7505
# By default messages go to syslog, but they can be directed to a file instead.
# Do not set this while still debugging; define it once debugging is finished
;log /var/log/open***/open***.log
;log-append /var/log/open***/open***.log
# Ethernet bridge mode; requires the operating system's bridging support.
# Not needed in routed mode
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# log truncates the log file every time open*** restarts
log /var/log/open***.log
# log-append keeps the old contents and appends new messages to the end of the file
;log-append open***.log
# User and group open*** runs as
user nobody
group nobody
# Run script or shell command cmd to validate client
# virtual addresses or routes. Check manual for details.
;learn-address ./script
# Others that need to be PUSHed to the client
# Records the IP address each client obtained, similar to a dhcpd leases file,
# so that open*** does not "forget" a client's address after a restart
ifconfig-pool-persist ipp.txt
# DHCP-like address assignment in bridge mode; not used here because we run in routed mode
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Client side: pick a server at random from the remote list instead of trying them top to bottom
;remote-random
# Keep re-resolving the server name (when remote is given as a domain name).
# If the server address is dynamic and updated through DDNS, the client re-resolves
# it when it reconnects automatically, so no manual restart is needed
resolv-retry infinite
# Do not bind a local port for incoming packets; a client does not need one
# unless a one-to-one * requires it
nobind
# To connect to the server through an HTTP proxy, give the proxy's IP and port below.
# If the proxy requires authentication, use: http-proxy server port [authfile] [auth-method]
# where authfile is a two-line text file holding the username and the password;
# auth-method can be omitted (see the manual for details)
;http-proxy-retry  # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# The server certificate is built with the build-key-server script, which adds the nsCertType=server
# x509 v3 extension. This stops an attacker who holds a client certificate from the same CA, plus a
# DNS hack, from impersonating the server to other clients, because client certificates lack that extension.
# ns-cert-type was deprecated in Open*** 2.4 and removed in 2.5; use "remote-cert-tls server" instead
ns-cert-type server
a. dev tun defines a routed *.
b. Be careful with the certificate paths, and keep the .key files safe, especially ca.key
   (ca.key is not used by Open*** at runtime and can be stored offline, separately).
Note that in the default net30 topology each virtual tun interface is allocated a /30 pair of addresses, and only the one shown as inet addr is used for communication; "topology subnet" avoids this by giving each client a single address from the pool.
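Several of the directives annotated in this section (cipher BF-CBC, ns-cert-type, client-cert-not-required, comp-lzo, a password-less management port, auth-user-pass-verify without script-security, a missing tls-auth/tls-crypt or user/group) are the ones a reviewer looks for first in an OpenVPN server config (the page writes the daemon as Open***). The following checker is an added example, not code from the page or from the OpenVPN project: it parses a config with the same comment rules the page describes and reports those findings with the replacement to use. WEAK_CONF is a constructed copy of the username/password server.conf shown earlier with cipher BF-CBC and the management line from this section added; HARDENED_CONF is a constructed corrected version; file names in both are assumptions.

```python
"""Lint an OpenVPN server config for weak or deprecated directives (added example)."""
import re

# directive -> (why it is flagged, what to use instead); versions are OpenVPN releases
DEPRECATED = {
    "ns-cert-type": ("deprecated in 2.4, removed in 2.5", "remote-cert-tls server"),
    "client-cert-not-required": ("deprecated in 2.4, removed in 2.5", "verify-client-cert none"),
    "comp-lzo": ("compression exposes plaintext to compression-oracle attacks", "no compression"),
    "compress": ("compression exposes plaintext to compression-oracle attacks", "no compression"),
}
# 64-bit block ciphers: birthday attacks (SWEET32) become practical on long-lived tunnels
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}


def parse_config(text: str):
    """Yield (directive, args); '#' or ';' starts a comment at the start of a token."""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)[#;].*$", "", raw).strip()
        if line:
            name, *args = line.split()
            yield name, args


def lint(text: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    directives = list(parse_config(text))
    names = {name for name, _ in directives}
    script_level = max((int(a[0]) for n, a in directives if n == "script-security" and a), default=0)
    findings = []
    for name, args in directives:
        if name in DEPRECATED:
            why, fix = DEPRECATED[name]
            findings.append(f"{name}: {why}; use {fix}")
        elif name == "cipher" and args and args[0].upper() in SMALL_BLOCK_CIPHERS:
            findings.append(f"cipher {args[0]}: 64-bit block cipher; use AES-256-GCM")
        elif name == "auth-user-pass-verify" and len(args) == 2:
            needed = 3 if args[1] == "via-env" else 2   # via-env puts the password in the environment
            if script_level < needed:
                findings.append(f"auth-user-pass-verify {args[1]}: requires script-security {needed}")
        elif name == "management" and len(args) >= 2 and args[1] != "unix":
            if args[0] not in ("127.0.0.1", "localhost", "::1"):
                findings.append(f"management {args[0]}: listening beyond loopback")
            if len(args) < 3:
                findings.append("management: no pw-file, any local user can control the daemon")
        elif name == "duplicate-cn":
            findings.append("duplicate-cn: one leaked certificate can serve many clients at once")
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets")
    if not {"user", "group"} <= names:
        findings.append("no user/group: daemon keeps root after startup")
    return findings


# Constructed sample: the page's username/password server.conf plus BF-CBC and management
WEAK_CONF = """\
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
local 202.102.1.1
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
cipher BF-CBC
comp-lzo
management localhost 7505
user nobody
group nobody
persist-key
persist-tun
verb 3
"""

# Constructed corrected version of the same config
HARDENED_CONF = """\
script-security 2
auth-user-pass-verify /etc/openvpn/checkpsw.py via-file
verify-client-cert require
remote-cert-tls client
local 202.102.1.1
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-crypt tc.key
cipher AES-256-GCM
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
management 127.0.0.1 7505 /etc/openvpn/mgmt.pw
user nobody
group nobody
persist-key
persist-tun
verb 3
"""

if __name__ == "__main__":
    for finding in lint(WEAK_CONF):
        print("WEAK:", finding)
    print("hardened findings:", lint(HARDENED_CONF))
```

Running the script on WEAK_CONF lists the deprecated directives, the small-block cipher, the missing script-security level for via-env, the unprotected management port and the absent tls-auth/tls-crypt; HARDENED_CONF produces no findings. The checker is deliberately syntactic: it does not validate key sizes or certificate extensions, which need the files themselves.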
© 2024 shulou.com SLNews company. All rights reserved.