Steven
Sunday, 24 November 2013
Thursday, 10 November 2011
TL-WR1043ND + dd-wrt = the perfect tool for getting over the Great Firewall
Yesterday I had a sudden idea: set up a VPN server so that I can get onto facebook, twitter and so on while in mainland China.
After doing my homework online, I bought a TP-Link TL-WR1043ND at Wan Chai Computer Centre for $460. 3T3R, 300Mbps, Gigabit on LAN and WAN ports, NAS and so on; great value!
1. First install the hardware; simple.
2. Sign up for DDNS. I chose www.3322.org because it is a mainland-China DDNS.
3. Go to www.dd-wrt.com and download the flash image for the TL-WR1043ND.
4. It has to be flashed twice: first flash "factory-to-ddwrt.bin", then "tl-wr1043nd-webflash.bin".
5. Set up dd-wrt, including:
- DDNS
- SSID
- Wireless Security (WPA2 Personal)
- MAC filter
Under Services > VPN > VPN Server:
- PPTP Server = Enable
- Broadcast support = Enable
- Force MPPE Encryption = Enable
- DNS1 = 8.8.8.8
- DNS2 = 8.8.4.4
- Server IP = 192.168.1.1 (= router address)
- Client IP = 192.168.1.160-190 (this range must lie outside the router's DHCP pool)
- CHAP-Secrets = username <space> <asterisk> <space> password <space> <asterisk>
Good Luck!!!
Saturday, 2 October 2010
Make your own digital certificates (4): server digital certificate
Much the same as the personal digital certificate:
1. Run "cmd" as administrator.
2. In cmd, change to c:\Program Files\ssl\bin.
3. First make the key by typing the following command:
openssl genrsa -des3 -out server.key 1024
4. Remove the passphrase, because the Windows web server cannot use an encrypted key. Rename the original first, since the command reads server.key.org and writes the unencrypted key back to server.key:
ren server.key server.key.org
openssl rsa -in server.key.org -out server.key
5. Make a request:
openssl req -new -key server.key -out server.csr
6. Sign the request:
openssl ca -in server.csr -out server.crt
The last two files, server.key and server.crt, can then be used as the server's certificate.
Make your own digital certificates (3): personal digital certificate
Requirements for the personal digital certificate: usable as client, email, objsign and server.
File type: p12
1. Run "cmd" as administrator.
2. In cmd, change to c:\Program Files\ssl\bin.
3. First make the key by typing the following command:
openssl genrsa -des3 -out user.key 1024
4. Make the request:
openssl req -new -key user.key -out user.csr
5. Sign the request:
openssl ca -in user.csr -out user.crt
6. Convert to p12 format:
openssl pkcs12 -export -in user.crt -inkey user.key -out user.p12
The resulting "user.p12" is the digital certificate.
Make your own digital certificates (2): setting up the Certifying Authority
Once you have finished installing openssl in part one, congratulations! The hardest part is over!
Part two mainly sets up the Certifying Authority so that you can issue digital certificates yourself.
The process uses the Windows command processor, "cmd".
1. Run "cmd" as administrator.
2. In cmd, change to c:\Program Files\ssl\bin.
3. Type the following command:
openssl req -new -x509 -keyout ca-cert.key -out ca-cert.crt -days 3650
4. In c:\Program Files\ssl\bin there will now be two new files: ca-cert.key and ca-cert.crt
5. Copy ca-cert.key to c:\Program Files\ssl\CA\private
6. Copy ca-cert.crt to c:\Program Files\ssl\CA
7. Certifying Authority setup complete!
Make your own digital certificates (1): installing openssl 1.0.0a
I had long wanted to run a web server on my own computer over https, but it turns out a server digital certificate is very expensive, so I decided to make the server's digital certificate myself.
I chose openssl to make the certificates, for a simple reason: it is Open Source, costs nothing, and you can do whatever you like with it.
To be clear up front, I am using Windows 7 Home Premium 64-bit.
Prerequisite software:
1. 7-Zip www.7-zip.org
2. ActivePerl, choose the Windows (64-bit, x64) version www.activestate.com/activeperl
3. .Net Framework 4 msdn.microsoft.com/en-us/netframework/aa569263.aspx
4. Windows SDK go.microsoft.com/fwlink/?LinkID=191420
Actual installation:
1. First download the openssl source code from www.openssl.org/source/, choosing the latest version; I chose openssl-1.0.0a.tar.gz
2. Extract it.
3. From the Program menu, choose Microsoft Windows SDK v7.1 > Windows SDK 7.1 Command Prompt
4. Change to the directory where openssl was extracted
5. Type:
perl Configure VC-WIN64A --prefix=c:\progra~1 <enter>
ms\do_win64a <enter>
nmake -f ms\ntdll.mak <enter>
cd out32dll <enter>
..\ms\test <enter>
The last command runs the tests against the freshly compiled program; check that everything says "OK".
If everything is OK, you can install manually.
6. Manual installation is actually simple; copy the files (paths containing spaces must be quoted in cmd, otherwise md treats "c:\Program" and "Files\ssl" as two separate directories):
md "c:\Program Files\ssl"
md "c:\Program Files\ssl\bin"
md "c:\Program Files\ssl\lib"
md "c:\Program Files\ssl\include"
md "c:\Program Files\ssl\include\openssl"
copy /b inc32\openssl\* "c:\Program Files\ssl\include\openssl"
copy /b out32dll\ssleay32.lib "c:\Program Files\ssl\lib"
copy /b out32dll\libeay32.lib "c:\Program Files\ssl\lib"
copy /b out32dll\ssleay32.dll "c:\Program Files\ssl\bin"
copy /b out32dll\libeay32.dll "c:\Program Files\ssl\bin"
copy /b out32dll\openssl.exe "c:\Program Files\ssl\bin"
rem certifying authority data
md "c:\Program Files\ssl\CA"
md "c:\Program Files\ssl\CA\newcerts"
md "c:\Program Files\ssl\CA\private"
rem used to store user certificates
md "c:\Program Files\ssl\user"
7. Use notepad to create the following files:
c:\Program Files\ssl\CA\index.txt
Contents: empty
c:\Program Files\ssl\CA\index.txt.attr
Contents: unique_subject = no
c:\Program Files\ssl\CA\serial
Contents: 00
c:\Program Files\ssl\openssl.cnf
Contents:
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
dirstring_type = nobmp
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = HK
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_default = Your Name
commonName_max = 64
emailAddress = Email Address
emailAddress_default = Your Name @hotmail.com
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = "C:/Program Files/ssl/CA" # top dir
database = $dir/index.txt # index file.
new_certs_dir = $dir/newcerts # new certs dir
certificate = $dir/ca-cert.crt # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/private/ca-cert.key # CA private key
RANDFILE = $dir/private/.rand # random number file
x509_extensions = usr_cert # The extensions to add to the cert
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # md to use
policy = policy_any # default policy
email_in_dn = no # Don't add the email into cert DN
nameopt = ca_default # Subject name display option
certopt = ca_default # Certificate display option
copy_extensions = none # Don't copy extensions from request
unique_subject = no
[ policy_any ]
countryName = supplied
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
nsCertType = client, email, objsign, server
# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Certificate issued by Your Name"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
# This is the base URL for all others URL addresses
# if not supplied
nsBaseUrl = https://YourWebServer/ssl/
# This is the link where to download the latest Certificate
# Revocation List (CRL)
nsCaRevocationUrl = https://YourWebServer/ssl/crl.pem
# This is the link where to revoke the certificate
nsRevocationUrl = https://YourWebServer/ssl/revocation.html?
# This is the location where the certificate can be renewed
nsRenewalUrl = https://YourWebServer/ssl/renewal.html?
# This is the link where the CA policy can be found
nsCaPolicyUrl = https://YourWebServer/ssl/policy.html
# This is the link where we can get the issuer certificate
issuerAltName = URI:https://YourWebServer/ssl/ca-cert.crt
# This is the link where to get the latest CRL
crlDistributionPoints = URI:https://YourWebServer/ssl/crl.pem
8. Installation complete!
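The CA layout from part (1), the CA of part (2) and the server certificate of part (4), carried out end to end and then checked, as an added example that is not the blog's own script. It assumes a POSIX shell with openssl on PATH, uses a scratch directory in place of C:\Program Files\ssl, a cut-down openssl.cnf with the same sections, sha256 in place of the post's md5, and a serial file starting at 01 rather than 00.

```shell
# Added example (not the blog's own): rebuild the post's CA tree and sign a
# server certificate with it on a POSIX shell, then verify what came out.
set -e
build_and_verify() {
  dir=$(mktemp -d); ca="$dir/CA"; cfg="$dir/openssl.cnf"
  mkdir -p "$ca/newcerts" "$ca/private"
  : > "$ca/index.txt"                       # part (1) step 7: empty database
  echo "unique_subject = no" > "$ca/index.txt.attr"
  echo 01 > "$ca/serial"                    # the post starts at 00
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = CA:true
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca-cert.crt
serial = \$dir/serial
private_key = \$dir/private/ca-cert.key
default_days = 365
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
countryName = supplied
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
  # Part (2) step 3: self-signed CA (-nodes: no passphrase, so it runs unattended)
  openssl req -new -x509 -nodes -config "$cfg" -subj "/C=HK/CN=Test CA" \
    -keyout "$ca/private/ca-cert.key" -out "$ca/ca-cert.crt" -days 3650 2>/dev/null
  # Part (4) steps 3-6: server key, request, and CA signature
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -config "$cfg" -key "$dir/server.key" -subj "/C=HK/CN=localhost" \
    -out "$dir/server.csr"
  openssl ca -batch -config "$cfg" -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
  # The checks a deployer wants: leaf chains to the CA, leaf is not a CA, root is
  openssl verify -CAfile "$ca/ca-cert.crt" "$dir/server.crt" >/dev/null
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'CA:FALSE'
  openssl x509 -in "$ca/ca-cert.crt" -noout -text | grep -q 'CA:TRUE'
  echo "$dir"   # scratch directory holding ca-cert.crt, server.key, server.crt
}
```

On Windows the same openssl invocations work in cmd with the post's paths; the final verify and x509 checks are worth running after step 6 of part (4) before the certificate goes onto the web server.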
Friday, 1 October 2010