IDC_Pro_Env_CentOS 5.4_OpenVPN
System environment: CentOS 5.4 | Document version: V1.0.2 | Compiled by: kevin
Updated: 2011-05-10 | Note: for operations use
1.1.1. Install openssl
1.1.2. Install LZO
1.1.3. Install OpenVPN
Change into the /usr/local/src directory
cd /usr/local/src
Download LZO and OpenVPN 2.1_rc15
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz
Note: these are plain-HTTP downloads that are then compiled and run as root. Check the tarballs against the checksums or GPG signatures each project publishes before building them.
1.1.1. Install openssl
yum install -y openssl openssl-devel
1.1.2. Install LZO
tar zxvf lzo-2.03.tar.gz
cd lzo-2.03
./configure
make
make install
1.1.3. Install OpenVPN
cd ..
tar zxvf openvpn-2.1_rc15.tar.gz
cd openvpn-2.1_rc15
./configure
make
make install
cd ..
cp -r /usr/local/src/openvpn-2.1_rc15/easy-rsa/ /etc/openvpn
Note: the source was unpacked under /usr/local/src (not /root), so easy-rsa is copied from there. If /etc/openvpn does not exist yet, this copy becomes /etc/openvpn itself, so the easy-rsa 2.0 scripts end up in /etc/openvpn/2.0/, the directory used in the next section.
2. Configuration
1.1.4. Initialize the PKI
cd /etc/openvpn/2.0/ # the PKI parameters can be set here as environment variables (or by editing the vars file)
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024 # 1024-bit RSA is below today's minimum; use 2048 (build-dh then writes dh2048.pem, adjust the server config accordingly)
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="dvdmaster"
export KEY_EMAIL="support@jrcz.com"
# Alternatively skip the exports above, put the same values in the vars file and source it. It must be sourced, not executed: "./vars" would set the variables only in a throwaway subshell.
source ./vars
1.1.5. Create the certificate authority (CA)
./clean-all
./build-ca
Note: after running this command, press Enter to accept the defaults until you reach the prompt Common Name (eg, your name or your server's hostname); there, type a short name such as server. clean-all wipes the keys directory, so never run it again on a CA that is already in use.
1.1.6. Build the server key
./build-key-server server
Note: press Enter through the prompts until Common Name (eg, your name or your server's hostname) and enter a short name such as server2. It must differ from the CA's Common Name; every certificate signed by this CA needs a distinct Common Name. Use build-key-server (not build-key) for the server: it marks the certificate as a server certificate, which is what the client's ns-cert-type server / remote-cert-tls server check verifies.
Generate client keys
./build-key client1
Note: press Enter through the prompts until Common Name (eg, your name or your server's hostname) and enter a short name such as eric. Again it must differ from every name used so far.
Build further client keys the same way
./build-key client2
./build-key client3
Generate the Diffie-Hellman parameters
./build-dh
Pack the files under keys for transfer to the client machine (WinSCP, scp or similar)
tar zcvf yskeys.tar.gz keys/
Note: this archive contains ca.key and server.key. Keep it on the server (better: pack only the per-client files, ca.crt plus the client's own .crt and .key) and move client material over an authenticated channel such as scp/WinSCP, never plain http or ftp. Anyone holding ca.key can sign certificates that this VPN will accept.
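The packaging step above and the file list in section 3 amount to one rule: each client receives ca.crt plus its own certificate and key, and nothing else. The following script is an added example (not part of the original guide, OpenVPN or easy-rsa) that builds such a per-client archive from the easy-rsa keys directory and refuses to include ca.key, server.key or any .csr. The function names and the NEVER_SHIP list are this example's own; demo() fabricates placeholder files with easy-rsa's file names to show the behaviour and does not generate real keys.

```python
"""Build one per-client OpenVPN bundle from easy-rsa's keys/ directory.
Added example for this guide, not part of OpenVPN or easy-rsa."""
import os
import tarfile
import tempfile

# Files that must never leave the CA/server host.
NEVER_SHIP = {"ca.key", "server.key", "index.txt", "serial"}


def client_bundle_members(key_dir, client):
    """(archive name, source path) pairs for one client: ca.crt plus its own cert and key,
    renamed to the fixed client.crt / client.key names the Windows GUI section uses."""
    wanted = {
        "ca.crt": os.path.join(key_dir, "ca.crt"),
        "client.crt": os.path.join(key_dir, client + ".crt"),
        "client.key": os.path.join(key_dir, client + ".key"),
    }
    for path in wanted.values():
        if os.path.basename(path) in NEVER_SHIP:  # e.g. client="server" or client="ca"
            raise ValueError("refusing to bundle %s" % path)
        if not os.path.isfile(path):
            raise FileNotFoundError(path)
    return sorted(wanted.items())


def write_client_bundle(key_dir, client, out_path):
    """Write out_path as a mode-0600 tar.gz and return the archive member names."""
    members = client_bundle_members(key_dir, client)
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w:gz") as tar:
        for arcname, path in members:
            tar.add(path, arcname=arcname)
    return [arcname for arcname, _ in members]


def bundle_is_clean(bundle_path):
    """Independent check on the finished archive: no CA/server secret and no .csr inside."""
    with tarfile.open(bundle_path, "r:gz") as tar:
        names = {os.path.basename(m.name) for m in tar.getmembers()}
    return not (names & NEVER_SHIP) and not any(n.endswith(".csr") for n in names)


def demo():
    """Constructed demo: a fake keys/ directory holding placeholder files with the names
    easy-rsa produces (no real keys); bundle client1, then try to bundle 'server'."""
    key_dir = tempfile.mkdtemp(prefix="easy-rsa-keys-")
    for name in ("ca.crt", "ca.key", "server.crt", "server.key", "dh1024.pem",
                 "client1.crt", "client1.key", "client1.csr", "client2.crt", "client2.key"):
        with open(os.path.join(key_dir, name), "w") as fh:
            fh.write("placeholder for %s\n" % name)
    out = os.path.join(key_dir, "client1-bundle.tar.gz")
    result = {
        "members": write_client_bundle(key_dir, "client1", out),
        "clean": bundle_is_clean(out),
        "mode": oct(os.stat(out).st_mode & 0o777),
    }
    try:
        write_client_bundle(key_dir, "server", out + ".bad")
        result["server_refused"] = False
    except ValueError:
        result["server_refused"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Run it on the CA host after build-key for each client; only the resulting tar.gz travels to that client, where it is unpacked into the OpenVPN config folder.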
Create the server configuration file
mkdir /etc/openvpn/2.0/conf
cp /usr/local/src/openvpn-2.1_rc15/sample-config-files/server.conf /etc/openvpn/2.0/conf/server.conf
Edit the server configuration file
vim /etc/openvpn/2.0/conf/server.conf
Clear its contents and replace them with the following. The key paths point at the KEY_DIR set in 1.1.4, /etc/openvpn/2.0/keys; the original text pointed at /etc/openvpn/keys, which does not exist with this layout.
# the server's own public IP
local 202.111.16.11
# the client's remote line must use this same port
port 1104
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key
dh /etc/openvpn/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "redirect-gateway"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option WINS 10.8.0.1"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 192.168.1.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
mssfix 1300
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log-append /etc/openvpn/openvpn-server.log
verb 3
Notes: the original listed persist-key twice; the second line should be persist-tun, as in the sample server.conf (both are needed so the daemon can restart the tunnel after dropping to nobody). With no cipher directive this OpenVPN version uses BF-CBC for the data channel (see "Data Channel Encrypt" in the client log in section 3); add cipher AES-256-CBC on both server and client for a modern cipher.
Start OpenVPN
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &
Watch the client connection log in the background:
#tail -f /etc/openvpn/openvpn-server.log
============================
That completes OpenVPN itself; next comes iptables
============================
Enable iptables
service iptables start
Enable IP forwarding on CentOS 5
echo 1 > /proc/sys/net/ipv4/ip_forward
# The line above (like sysctl -w) only changes the running kernel. To keep forwarding enabled after a reboot, set it in /etc/sysctl.conf and reload that file:
sed -i 's/^net.ipv4.ip_forward *= *0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
sysctl -p
Add the NAT rule (source-NAT the VPN clients to the server's public address)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 119.57.16.5
Note: replace 119.57.16.5 with your server's public IP and venet0 with the public-facing interface (venet0 is the OpenVZ container interface; on an ordinary CentOS host it is usually eth0). If the default CentOS 5 ruleset is active it rejects unknown input and forwarded traffic, so also allow the OpenVPN port and the tunnel interface (inserted at the top with -I, because the default chains end in REJECT), then save the rules so they survive a restart of the service:
iptables -I INPUT -p udp --dport 1104 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
service iptables save
Make OpenVPN start automatically after the server reboots
Run
vi /etc/rc.local
and append this line at the end:
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &
Or use the init script shipped with the source (it starts every /etc/openvpn/*.conf, so copy or symlink server.conf to /etc/openvpn/server.conf for it to be picked up):
#cp /usr/local/src/openvpn-2.1_rc15/sample-scripts/openvpn.init /etc/init.d/openvpn
#chkconfig --add openvpn
#chkconfig openvpn on
#service openvpn restart
==================================
3. Connecting a Windows XP client to the VPN server
Download openvpn-2.1_rc15-install.exe (this build bundles the OpenVPN GUI)
Official download address: http://openvpn.net/release/openvpn-2.1_rc15-install.exe
Install the OpenVPN GUI following the on-screen prompts
Configure the OpenVPN GUI
Copy the following files for this client (from the keys directory built in 1.1.6) into the config folder under your OpenVPN GUI installation path, \OpenVPN\config:
ca.crt
client1.crt ---> rename to client.crt
client1.key ---> rename to client.key
Note: the original list also shipped ca.key and client1.csr. Neither belongs on a client: the .csr is only an intermediate of the signing step, and ca.key is the CA's private key, with which anyone can issue certificates this VPN accepts. Each client gets only ca.crt plus its own certificate and key.
Edit client.ovpn
Copy client.ovpn from the sample-config folder under your OpenVPN GUI installation path, \OpenVPN\sample-config, into \OpenVPN\config and open it in Notepad.
Find remote my-server-1 1194
and replace my-server-1 with your server's IP and 1194 with the port set in server.conf (1104 above): remote 119.57.16.5 1104
Also uncomment the line ;ns-cert-type server (or add remote-cert-tls server) so the client only accepts a certificate issued with build-key-server. Without it the client prints the WARNING about no server certificate verification shown in the log below, and any holder of a client certificate from this CA could impersonate the server.
Double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI controls.
Client-side log:
Fri Nov 05 13:36:07 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Fri Nov 05 13:36:07 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Nov 05 13:36:07 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 05 13:36:07 2010 LZO compression initialized
Fri Nov 05 13:36:07 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 05 13:36:07 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Nov 05 13:36:07 2010 Local Options hash (VER=V4): '41690919'
Fri Nov 05 13:36:07 2010 Expected Remote Options hash (VER=V4): '530fdded'
Fri Nov 05 13:36:07 2010 UDPv4 link local: [undef]
Fri Nov 05 13:36:07 2010 UDPv4 link remote: 124.65.129.174:943
Fri Nov 05 13:36:07 2010 TLS: Initial packet from 124.65.129.174:943, sid=d5f33320 04d6c476
Fri Nov 05 13:36:07 2010 VERIFY OK: depth=1, /C=CN/ST=BeiJing/L=BeiJing/O=OpenVPN-TEST/CN=server/emailAddress=juren_lujianguo001@126.com
Fri Nov 05 13:36:07 2010 VERIFY OK: depth=0, /C=CN/ST=BeiJing/O=OpenVPN-TEST/CN=server2/emailAddress=juren_lujianguo001@126.com
Fri Nov 05 13:36:07 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
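Several of the problems in this guide's original files (persist-key listed twice, the client's remote port not matching the server's port line, key paths outside the easy-rsa KEY_DIR, and the "No server certificate verification method" WARNING in the log above, together with the BF-CBC data channel it reports) are all visible in the two config files before anything is started. The following script is an added example, not part of the original guide or of OpenVPN, that parses an OpenVPN 2.x server.conf / client.ovpn pair and reports such inconsistencies. The embedded SERVER_CONF and CLIENT_OVPN samples are constructed to mirror the guide's original configuration, and the function names are this example's own.

```python
"""Lint an OpenVPN 2.x server.conf / client.ovpn pair for the inconsistencies this
guide's original files had.  Added example, not part of OpenVPN or of the guide."""
import os
import re


def parse_ovpn(text):
    """Return [(directive, args)] for the active lines; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # the sample files ship disabled lines as ';...'
            continue
        line = re.split(r"\s+[#;]", line, maxsplit=1)[0]  # drop a trailing comment
        parts = line.replace('"', "").split()
        entries.append((parts[0], parts[1:]))
    return entries


def _args(cfg, name):
    """All argument lists of directive `name` (directives may repeat)."""
    return [a for d, a in cfg if d == name]


def lint_pair(server_text, client_text, key_dir):
    """Return human-readable findings; an empty list means the pair is consistent."""
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    out = []
    # The client's 'remote host [port]' must use the port the server binds (default 1194).
    sport = (_args(srv, "port") or [["1194"]])[0][0]
    for a in _args(cli, "remote"):
        rport = a[1] if len(a) > 1 else "1194"
        if rport != sport:
            out.append("port mismatch: client remote %s vs server port %s" % (rport, sport))
    # A repeated non-push directive is usually a typo (persist-key listed twice).
    counts = {}
    for d, _ in srv:
        if d != "push":
            counts[d] = counts.get(d, 0) + 1
    out += ["duplicate directive on server: %s" % d for d in sorted(counts) if counts[d] > 1]
    if "persist-key" in counts and "persist-tun" not in counts:
        out.append("server has persist-key but not persist-tun")
    # The daemon should not keep running as root once the tunnel is up.
    if not (_args(srv, "user") and _args(srv, "group")):
        out.append("server does not drop privileges (missing user/group)")
    # Every PKI file the server loads must live in easy-rsa's KEY_DIR.
    for d in ("ca", "cert", "key", "dh"):
        for a in _args(srv, d):
            if os.path.dirname(a[0]) != key_dir.rstrip("/"):
                out.append("%s path %s is outside KEY_DIR %s" % (d, a[0], key_dir))
    # Without one of these the client accepts any certificate signed by the CA as
    # the server, including another client's certificate.
    if not (_args(cli, "remote-cert-tls") or _args(cli, "ns-cert-type")):
        out.append("client has no server certificate verification (add ns-cert-type server)")
    # The CA private key is never a client file.
    if any(os.path.basename(a[0]) == "ca.key" for d in ("ca", "cert", "key") for a in _args(cli, d)):
        out.append("client references ca.key; the CA private key must stay on the CA")
    # With no 'cipher' line OpenVPN 2.x uses BF-CBC, a 64-bit block cipher.
    for side, cfg in (("server", srv), ("client", cli)):
        c = _args(cfg, "cipher")
        if not c or c[0][0].upper().startswith("BF"):
            out.append("%s uses the default/Blowfish cipher; set cipher AES-256-CBC on both sides" % side)
    return out


# Constructed samples mirroring the guide's original server.conf and client.ovpn edit.
SERVER_CONF = """\
port 1104
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway"
;push "redirect-gateway def1 bypass-dhcp"
comp-lzo
user nobody
group nobody
persist-key
persist-key
"""
CLIENT_OVPN = """\
client
remote 119.57.16.5 1194
ca ca.crt
cert client.crt
key client.key
;ns-cert-type server
comp-lzo
"""
KEY_DIR = "/etc/openvpn/2.0/keys"  # easy-rsa KEY_DIR from the PKI step

if __name__ == "__main__":
    for finding in lint_pair(SERVER_CONF, CLIENT_OVPN, KEY_DIR):
        print("-", finding)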
Reposted from: https://blog.51cto.com/255361/837699