Because the new open*** release no longer ships the most important part, the certificate-building tool easy-rsa, you need to download easyrsa in advance (it is available on GitHub); its configuration is covered in step 3 below. This deployment uses easy-rsa 3, whose workflow is completely different from easy-rsa 2.0, so the easy-rsa 2.0 tutorials found elsewhere on the web do not apply here.
Before deploying open***, it is best to synchronise the server clock with ntpdate; otherwise the certificates are generated with wrong timestamps, which leads to "certificate error" type failures!
Basic environment
# Sync the server time
# crontab -e
Add an entry like the following:
*/20 * * * * /usr/sbin/ntpdate 1.cn.pool.ntp.org # runs every 20 minutes
# Disable SELinux
setenforce 0
sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config
# Install openssl and lzo; lzo compresses the tunnel traffic to speed up transfer.
yum -y install openssl openssl-devel lzo
# Install the EPEL repository
rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
sed -i 's/^mirrorlist=https/mirrorlist=http/' /etc/yum.repos.d/epel.repo
1. Install open***
yum -y install open*** easy-rsa
# Edit the basic information
cd /usr/share/easy-rsa/2.0/
chmod +x *
vim vars
[root@*** ~]# yum install -y openssl-devel
[root@*** ~]# wget https://swupdate.open***.org/community/releases/open***-2.3.11.tar.gz
[root@*** ~]# tar zxvf open***-2.3.11.tar.gz
[root@*** ~]# cd open***-2.3.11
[root@*** open***-2.3.4]# ./configure --prefix=/usr/local/open*** --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
[root@*** open***-2.3.4]# make && make install
[root@*** open***-2.3.4]# ln -s /usr/local/open***/sbin/open*** /usr/local/sbin/open***
[root@*** open***-2.3.4]# which open***
/usr/local/sbin/open*** # if you see this, open*** was installed successfully
3. Configure easyrsa on the server side
The open***-2.3.11 package does not include the tools for building certificates (CA certificate, server certificate, client certificates), so easy-rsa must be downloaded separately; the latest version is easy-rsa 3.
[root@*** ~]# wget https://github.com/Open***/easy-rsa/archive/master.zip
[root@*** ~]# unzip master.zip
[root@*** ~]# mv easy-rsa-master easy-rsa
[root@*** ~]# cp -R easy-rsa /usr/local/open***/
[root@*** ~]# cd /usr/local/open***/easy-rsa/easyrsa3/
[root@*** easyrsa3]# cp vars.example vars
[root@*** easyrsa3]# vim vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "qiangshCertificate"
set_var EASYRSA_REQ_EMAIL "503579266@qq.com"
set_var EASYRSA_REQ_OU "My Open***"
4. Create the server certificate and key
(1) Initialize
[root@*** easyrsa3]# ls
easyrsa openssl-1.0.cnf vars vars.example x509-types
[root@*** easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/open***/easy-rsa/easyrsa3/pki
(2) Create the root (CA) certificate
[root@*** easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..+++
..........................+++
writing new private key to '/usr/local/open***/easy-rsa/easyrsa3/pki/private/ca.key.SueAMWTlxi'
Enter PEM pass phrase: # enter a passphrase; it is used whenever this CA signs a certificate
Verifying - Enter PEM pass phrase: # enter the passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ylsh # enter a Common Name
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/open***/easy-rsa/easyrsa3/pki/ca.crt
(3) Create the server-side certificate
[root@*** easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
......................................+++
writing new private key to '/usr/local/open***/easy-rsa/easyrsa3/pki/private/server.key.YyWK7tSjws'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:ylsh-BJ # this Common Name must NOT be the same as the one used for the root certificate!!!
Keypair and certificate request completed. Your files are:
req: /usr/local/open***/easy-rsa/easyrsa3/pki/reqs/server.req
key: /usr/local/open***/easy-rsa/easyrsa3/pki/private/server.key
(4) Sign the server-side certificate
[root@*** easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = ylsh-BJ
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes # type yes to continue
Using configuration from /usr/local/open***/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/open***/easy-rsa/easyrsa3/pki/private/ca.key: # enter the passphrase chosen when creating the root certificate
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'ylsh-BJ'
Certificate is to be certified until Jun 11 04:01:47 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/open***/easy-rsa/easyrsa3/pki/issued/server.crt
(5) Create the Diffie-Hellman parameters (the command that lets the key exchange cross an untrusted network safely):
[root@*** easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
DH parameters of size 2048 created at /usr/local/open***/easy-rsa/easyrsa3/pki/dh.pem
5. Create the client certificate
(1) Create a client directory under root's home directory
[root@*** easyrsa3]# cd
[root@*** ~]# mkdir client
[root@*** ~]# cp -R /home/sources/easy-rsa/ client/
(2) Initialize
[root@*** ~]# cd client/easy-rsa/easyrsa3/
[root@*** easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
(3) Create the client key and certificate request
[root@*** easyrsa3]# ./easyrsa gen-req qiangsh
Generating a 2048 bit RSA private key
.......................+++
........................................................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key.LD7Wk6hmQq'
Enter PEM pass phrase: # enter a passphrase
Verifying - Enter PEM pass phrase: # enter the passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [qiangsh]:qiangsh # enter qiangsh
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req
key: /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key
(4) Import the resulting qiangsh.req and sign the certificate
[root@*** ~]# cd /usr/local/open***/easy-rsa/easyrsa3/
[root@*** easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req qiangsh # import the request
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: qiangsh
You may now use this name to perform signing operations on this request.
[root@*** easyrsa3]# ./easyrsa sign client qiangsh # sign the certificate
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = qiangsh
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes # type yes
Using configuration from /usr/local/share/doc/open***/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/doc/open***/easy-rsa/easyrsa3/pki/private/ca.key: # enter the passphrase chosen when creating the root certificate
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'qiangsh'
Certificate is to be certified until Jun 6 07:50:02 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/share/doc/open***/easy-rsa/easyrsa3/pki/issued/qiangsh.crt # signing succeeded
(5) Files generated on the server and client sides
Server side: the (/usr/local/share/doc/open***/easy-rsa/easyrsa3/pki/) directory
/usr/local/open***/easy-rsa/easyrsa3/pki/ca.crt
/usr/local/open***/easy-rsa/easyrsa3/pki/reqs/server.req
/usr/local/open***/easy-rsa/easyrsa3/pki/reqs/qiangsh.req
/usr/local/open***/easy-rsa/easyrsa3/pki/private/ca.key
/usr/local/open***/easy-rsa/easyrsa3/pki/private/server.key
/usr/local/open***/easy-rsa/easyrsa3/pki/issued/server.crt
/usr/local/open***/easy-rsa/easyrsa3/pki/issued/qiangsh.crt
/usr/local/open***/easy-rsa/easyrsa3/pki/dh.pem
Client side: (/root/client/easy-rsa)
/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key
/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req # this file was imported on the server side, so a copy exists there too
(6) Copy the server key, certificate and DH parameters into the open*** directory
[root@*** ~]# cp /usr/local/open***/easy-rsa/easyrsa3/pki/ca.crt /usr/local/open***/
[root@*** ~]# cp /usr/local/open***/easy-rsa/easyrsa3/pki/private/server.key /usr/local/open***/
[root@*** ~]# cp /usr/local/open***/easy-rsa/easyrsa3/pki/issued/server.crt /usr/local/open***/
[root@*** ~]# cp /usr/local/open***/easy-rsa/easyrsa3/pki/dh.pem /usr/local/open***/
(7) Copy the client key and certificates into the client directory
[root@*** ~]# cp /usr/local/open***/easy-rsa/easyrsa3/pki/ca.crt /root/client/
[root@*** ~]# cp /usr/local/open***/easy-rsa/easyrsa3/pki/issued/qiangsh.crt /root/client/
[root@*** ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key /root/client/
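Before the files copied in (6) and (7) are put into service, it is worth confirming that what easy-rsa produced is what the configuration expects. The script below is an added example (not from the original article and not part of easy-rsa): for a named certificate in the PKI directory created in step 4 it checks that it chains to ca.crt, that its CN differs from the CA's CN (the warning from step 4(3)), that it carries the extended key usage for its role, that the private key matches it, and that it is not about to expire; the function names and the 30-day window are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original article or of easy-rsa. Checks an easy-rsa 3
# PKI directory (layout created in step 4): $PKI/ca.crt, $PKI/issued/<name>.crt,
# $PKI/private/<name>.key. Function names and the 30-day expiry window are my choices.

# cert_cn FILE: print the CN of a certificate's subject (OpenSSL 1.0 and 1.1+ output formats)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_has_eku FILE ROLE: ROLE is "server" or "client"; looks for the extendedKeyUsage
# that "easyrsa sign server" / "easyrsa sign client" write into the certificate
cert_has_eku() {
    case $2 in
        server) pat='TLS Web Server Authentication' ;;
        client) pat='TLS Web Client Authentication' ;;
        *) return 1 ;;
    esac
    openssl x509 -in "$1" -noout -text | grep -q "$pat"
}

# check_issued PKI NAME ROLE: returns 0 only when every check passes
check_issued() {
    pki=$1; name=$2; role=$3
    ca="$pki/ca.crt"; crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    # 1. the certificate must be signed by our CA
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "$name: not signed by $ca"; return 1; }
    # 2. its CN must differ from the CA's CN (the warning in step 4(3))
    [ "$(cert_cn "$crt")" != "$(cert_cn "$ca")" ] \
        || { echo "$name: CN is identical to the CA CN"; return 1; }
    # 3. the EKU must match the role the certificate will play
    cert_has_eku "$crt" "$role" \
        || { echo "$name: missing $role EKU"; return 1; }
    # 4. the private key must belong to this certificate (skipped for passphrase-protected keys)
    if [ -f "$key" ] && ! grep -q ENCRYPTED "$key"; then
        [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = "$(openssl x509 -in "$crt" -noout -pubkey)" ] \
            || { echo "$name: private key does not match the certificate"; return 1; }
    fi
    # 5. it must not expire within the next 30 days (2592000 s)
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
        || { echo "$name: expires within 30 days"; return 1; }
    echo "$name: ok ($role, CN=$(cert_cn "$crt"))"
}

# Usage against the paths from this article:
#   check_issued /usr/local/open***/easy-rsa/easyrsa3/pki server  server
#   check_issued /usr/local/open***/easy-rsa/easyrsa3/pki qiangsh client
```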
(8) Write the server-side configuration file
When open*** is installed it ships with a sample server configuration file.
Copy this sample into the open*** directory and then edit it.
[root@*** ~]# cp /home/sources/open***-2.3.11/sample/sample-config-files/server.conf /usr/local/open***/
[root@*** ~]# vim /usr/local/open***/server.conf
local 192.168.1.100 # (your own VPS IP)
port 1194
proto udp
dev tun
ca /usr/local/open***/ca.crt
cert /usr/local/open***/server.crt
key /usr/local/open***/server.key
dh /usr/local/open***/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status open***-status.log
verb 3
(9) Enable IP forwarding in the kernel
[root@*** ~]# vim /etc/sysctl.conf
change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
[root@*** ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
(10) Masquerade the outgoing packets (eth0 is your VPS's external interface; without this rule clients cannot reach the Internet):
/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
III. Download the open*** client and configure it
1. Copy the client key and certificates out to Windows for later use
[root@*** ~]# cd ~/client/
[root@*** client]# ls
ca.crt easy-rsa qiangsh.crt qiangsh.key # the three files with extensions are the ones needed
2. Install the open***-gui tool
(1) Copy C:\Program Files\Open***\sample-config\client.o*** to C:\Program Files\Open***\config
(2) Put the three key and certificate files copied from Linux into D:\Program Files (x86)\Open***\config
(3) Edit C:\Program Files\Open***\config\client.o*** so that it reads:
client
dev tun
proto udp
remote 192.168.1.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt # the certificate files are needed here
cert qiangsh.crt
key qiangsh.key
comp-lzo
verb 3
IV. Start the service and test
1. Start the open*** service on the *** server
[root@*** ~]# /usr/local/sbin/open*** --config /usr/local/open***/server.conf &
[root@*** ~]# echo "/usr/local/sbin/open*** --config /usr/local/open***/server.conf &" >> /etc/rc.local # start at boot
2. In open***-gui, right-click the tray icon, choose Connect and enter the passphrase to connect
3. Check the *** status