常用命令 – 第 27 页

生成CA公钥

sudo certtool --generate-privkey --outfile ca.key

编辑CA证书模板

cn = "Tuchine CA"
organization = "Tuchine.LTD"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

根据模板和公钥生成证书

certtool --generate-self-signed --load-privkey ca.key --template ../template/ca.tmpl --outfile ca.crt

生成服务器证书公钥

sudo certtool --generate-privkey --outfile server.key

编辑服务器证书模板

cn = "Tuchine.com" 
o = "Tuchine Ltd." 
email = [email protected]
dns_name = "www.tuchine.com"
country = US
state = "YongZhou"
expiration_days = 3650
signing_key 
encryption_key #only if the generated key is an RSA one 
tls_www_server 
ipsec_ike_key
time_stamping_key

根据用户模板、服务器证书公钥、CA证书、CA公钥生成服务器证书

certtool --generate-certificate --load-privkey server-key --load-ca-certificate ca.crt --load-ca-privkey ca.key --template ../template/server.tmpl --outfile server.crt

编辑用户证书模板

cn = user
o = "TuchineUsers"
email = "[email protected]"
dns_name = "www.Tuchine.com"
country = US
state = "YongZhou"
expiration_days = 365
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_client
ipsec_ike_key
time_stamping_key

生成用户公钥

certtool --generate-privkey --outfile user.key

根据用户模板、用户公钥、CA证书、CA公钥生成服务器证书

certtool --generate-certificate --load-privkey user.key --load-ca-certificate ca.crt --load-ca-privkey ca.key --template ../template/user.tmpl --outfile user.crt

用户证书转P12格式证书

certtool --to-p12 --load-privkey user.key -pkcs-cipher 3des-pkcs12 --load-certificate user.crt --outfile user.p12 --outder

用户证书一键脚本


#!/bin/sh
serial=`date +%s`
l='others'
certtool --generate-privkey --outfile ./clients/$l.key
sed -i "1ccn = ${l}" ./template/client.tmpl
sed -i "3cemail = ${l}@tuchine.com" ./template/client.tmpl
sed -i "7cserial = ${serial}" ./template/client.tmpl
certtool --generate-certificate --load-privkey ./clients/$l.key --load-ca-certificate ./ca/ca.crt --load-ca-privkey ./ca/ca.key --template ./template/client.tmpl --outfile ./clients/$l.crt
openssl pkcs12 -export -inkey ./clients/$l.key -in ./clients/$l.crt -name "Tuchine VPN Client Cert" -certfile ./ca/ca.crt -out ./clients/$l.p12
exit 0

注意：请保持你的服务器主机域名与这里证书的DNS域名是同一个，且你的客户端导入了服务器证书，否则点击连接会每次都提示不信任的服务器。

sudo vi /etc/netplan/00-installer-config.yaml # 设置ip地址，必须有个局域网IP，比如这里的eth1 network: ethernets: eth0: addresses: [192.168.1.2/24] dhcp4: no eth1: addresses: [10.6.11.1/24] dhcp4: no version: 2 sudo vi /etc/sysctl.conf #编辑net.ipv4.ip_forward=1 sysctl -p #使之转发生效 sudo iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT #开启防火墙规则，允许从 eth1到ppp0的转发 sudo iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE #如果你的pppoeconf设置成功了，应该会多一个ppp0的接口，这里执行nat转换 sudo apt-get install iptables-persistent # 安装此包来保存iptables 规则，否则每次重启都需要执行sudo iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE来开启上网. sudo iptables-save > /etc/iptables/rules.v4 #此命令用来保存规则，所以设置好规则一定要测试一下，避免保存后上不了网。

sudo apt install miniupnpd #编辑配置 sudp vi /etc/miniupnpd.conf ext_ifname=ppp0 listening_ip=10.6.11.1/24 enable_natpmp=yes enable_upnp=yes #开启服务 sudo systemctl enable miniupnpd.service sudo systemctl start miniupnpd.service