1月 222020
 

使用自签证书进行用户身份验证,使用Let’s Encrypt权威证书作为服务器证书

启用内核包转发

[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@ocserv ~]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@ocserv ~]#

开启防火墙端口及包转发特性

[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-masquerade
success
[root@ocserv ~]# firewall-cmd --reload
success
[root@ocserv ~]#

安装ocserv服务包及Let’s Encrypt工具包

[root@ocserv ~]# yum -y install ocserv certbot

使用certbot生成的服务器证书和密钥路径

/etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem
/etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem

修改ocserv服务端配置

[root@ocserv ~]# vi /etc/ocserv/ocserv.conf

修改认证类型为证书认证

auth = "certificate"

修改服务器证书配置

server-cert = /etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem
server-key = /etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem

修改用户端证书身份识别

#cert-user-oid = 0.9.2342.19200300.100.1.1
cert-user-oid = 2.5.4.3

启用压缩

compression = true
no-compress-limit = 256

设置客户端IPv4地址池

ipv4-network = 192.168.172.0
ipv4-netmask = 255.255.255.0

设置DNS

dns = 8.8.8.8
dns = 8.8.4.4

启动服务

[root@ocserv ~]# systemctl start ocserv

安装Apache服务器,为用户证书提供下载服务

[root@ocserv ~]# yum -y install httpd

修改Apache主配置文件并启动服务

[root@ocserv ~]# vi /etc/httpd/conf/httpd.conf

修改主机名

ServerName ocserv.bcoc.site

修改服务监听端口

#Listen 80
Listen 8080

检查配置并启动服务

[root@ocserv ~]# apachectl -t
Syntax OK
[root@ocserv ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@ocserv ~]# systemctl start httpd
[root@ocserv ~]#

查看监听

使用浏览器访问服务器端口确认证书状态

生成自签CA证书

[root@ocserv ~]# certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...
[root@ocserv ~]# cat << _EOF_ >ca.tmpl
> cn = "BCOC CA"
> organization = "BCOC"
> serial = 1
> expiration_days = -1
> ca
> signing_key
> cert_signing_key
> crl_signing_key
> _EOF_
[root@ocserv ~]# certtool --generate-self-signed --load-privkey ca-key.pem \
> --template ca.tmpl --outfile ca-cert.pem

生成自签用户证书

[root@ocserv ~]# certtool --generate-privkey --outfile user-key.pem
Generating a 2048 bit RSA private key...
[root@ocserv ~]# cat << _EOF_ >user.tmpl
> cn = "harveymei"
> unit = "standard"
> expiration_days = 365
> signing_key
> tls_www_client
> _EOF_
[root@ocserv ~]# certtool --generate-certificate --load-privkey user-key.pem \
> --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
> --template user.tmpl --outfile user-cert.pem

导出为PKCS12格式,为证书设置密钥(导入证书时需要输入)

[root@ocserv ~]# certtool --to-p12 --load-privkey user-key.pem \
> --pkcs-cipher 3des-pkcs12 \
> --load-certificate user-cert.pem \
> --outfile user.p12 --outder
Generating a PKCS #12 structure...
Loading private key list...
Loaded 1 private keys.
Enter a name for the key: harveymei
Enter password:
Confirm password:
[root@ocserv ~]# ls
ca-cert.pem ca.tmpl user-key.pem user.tmpl
ca-key.pem user-cert.pem user.p12
[root@ocserv ~]#

将用户证书复制到Web Server服务器根目录下以提供证书下载

[root@ocserv ~]# cp user.p12 /var/www/html/

使用自签CA证书覆盖ocserv初始CA证书

[root@ocserv ~]# cp ca-cert.pem /etc/pki/ocserv/cacerts/ca.crt
cp: overwrite ‘/etc/pki/ocserv/cacerts/ca.crt’? y

覆盖CA证书后重新启动ocserv服务

[root@ocserv ~]# systemctl restart ocserv

 

客户端新建连接并导入用户证书

客户端证书下载地址(客户端导入证书需输入密码)
http://ocserv.bcoc.site:8080/user.p12

Windows 10 系统下OpenConnect GUI的设置

1月 202020
 

基于CentOS7的安装配置命令

sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo << EOF
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
EOF

sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl mongodb-org
sudo systemctl start mongod pritunl
sudo systemctl enable mongod pritunl

修改oepnfile限制

sudo sh -c 'echo "* hard nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "* soft nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "root hard nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "root soft nofile 64000" >> /etc/security/limits.conf'

host1主机私网IP配置信息

# Private network: net5e1571b604398
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.25.96.3
NETMASK=255.255.240.0
MTU=1450

host2主机私网IP配置信息

# Private network: net5e1571b604398
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.25.96.4
NETMASK=255.255.240.0
MTU=1450

检查内网互通性


生成初始化密钥

[root@host1 ~]# pritunl setup-key
3c1cd1325ff34ae8ab1b1443c6706efb
[root@host1 ~]#

使用浏览器访问控制台并保存初始化密钥

按照提示生成初始登录信息

获取初始登录信息

[root@host1 ~]# sudo pritunl default-password
[undefined][2020-01-20 02:08:04,859][INFO] Getting default administrator password
Administrator default password:
username: "pritunl"
password: "DB2aRfaKxLmt"
[root@host1 ~]#

修改控制台用户名密码,确认服务器地址,控制台端口,证书(Let‘s Encrypt)配置信息

提示成功保存设置

添加服务器

设置服务器名称,确认监听端口,DNS服务器及内网网段

成功添加服务器,删除默认的0.0.0.0/0路由

确认删除该路由条目

添加路由,该路由条目经服务端推送给客户端(10.25.96.0/20),客户端无需手动指定

指定路由条目详情

添加路由条目成功

添加组织

设置组织名称

为组织添加用户

用户详情

将服务器附加到组织

确认附加信息

成功附加服务器到组织

启动服务器

服务器启动后的控制台状态

下载用户端配置文件

解压缩并查看用户端配置文件

 

使用Pritunl客户端导入用户端配置文件

导入配置文件

导入配置文件后的客户端界面信息

点击连接,成功获取VPN服务器端内网IP地址

查看本机IPv4路由表,显示已添加去往10.25.96.0/20网络的路由

验证,本机通过host1建立的Remote Access VPN访问内网IP为10.25.96.4的host2主机(PING)

C:\Users\harveymei>ping 10.25.96.4

正在 Ping 10.25.96.4 具有 32 字节的数据:
来自 10.25.96.4 的回复: 字节=32 时间=169ms TTL=63
来自 10.25.96.4 的回复: 字节=32 时间=174ms TTL=63
来自 10.25.96.4 的回复: 字节=32 时间=176ms TTL=63
来自 10.25.96.4 的回复: 字节=32 时间=165ms TTL=63

10.25.96.4 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 165ms,最长 = 176ms,平均 = 171ms

C:\Users\harveymei>
1月 012020
 

使用命令行手动申请通配符证书,并使用DNS验证方式,手动添加TXT记录

[root@certbot ~]# certbot certonly -d *.bcoc.site --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for bcoc.site

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.bcoc.site with the following value:

hQolCyWZvWXBRcO3X8ZlNys4_dHJuGBx_bly9WGguvk

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/bcoc.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/bcoc.site/privkey.pem
Your cert will expire on 2020-03-31. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[root@certbot ~]#

在Windows中查看证书信息