Setting up OpenVPN is nothing new anymore.
Follow the steps and it works easily.
One thing worth pointing out: the LAN address of the NIC on the OpenVPN server should, as far as possible, not overlap with the LAN IP of the remote client machine.
My OpenVPN server has two NICs: the LAN side is 192.168.1.253, the WAN side is 219.X.X.X.
The machine at home reaches the Internet through NAT and its LAN IP is also 192.168.1.X; as a result, once the VPN was connected it could no longer reach the Internet.
The OpenVPN server log shows:
Sun Mar 23 15:23:53 2008 client/61.48.134.165:62764 MULTI: bad source address from client [192.168.1.109], packet dropped
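OpenVPN writes the line above when a packet arrives from a client with a source address the server has not associated with that client (its assigned tunnel address or an iroute), and it drops the packet. As an added example that is not part of the original post, here is a small shell script that pulls these drops out of a server log and summarises them per client, so the client whose LAN overlaps the server's can be identified from the server side. The log lines it reads are constructed for the example, in the format of the line above.

```shell
#!/bin/sh
# Added example: summarise "MULTI: bad source address" drops from an OpenVPN
# server log. Each such line is a packet the server refused to forward because
# its source address is not one the server knows for that client, which is what
# an overlapping client LAN looks like from the server side.

# Constructed sample log excerpt (addresses are made up for this example).
SAMPLE_LOG=$(cat <<'EOF'
Sun Mar 23 15:23:53 2008 client/61.48.134.165:62764 MULTI: bad source address from client [192.168.1.109], packet dropped
Sun Mar 23 15:23:54 2008 client/61.48.134.165:62764 MULTI: bad source address from client [192.168.1.109], packet dropped
Sun Mar 23 15:24:10 2008 client2/203.0.113.7:1194 MULTI: bad source address from client [192.168.1.20], packet dropped
Sun Mar 23 15:24:11 2008 client2/203.0.113.7:1194 MULTI: Learn: 10.8.0.6 -> client2/203.0.113.7:1194
EOF
)

# bad_source_report: reads log lines on stdin and prints one line per
# (client name, client real address, offending source address) with a count:
#   <cn> <real-addr> <bad-src> <count>
bad_source_report() {
    grep 'MULTI: bad source address from client' |
    sed -n 's/^.* \([^ ]*\)\/\([0-9.]*\):[0-9]* MULTI: bad source address from client \[\([0-9.]*\)].*$/\1 \2 \3/p' |
    LC_ALL=C sort | uniq -c |
    awk '{ print $2, $3, $4, $1 }'
}

# Stand-alone run: print the summary for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | bad_source_report
```

The report groups by the client's certificate name and real address, so a single client repeatedly sourcing packets from a 192.168.1.x address stands out immediately; on a live server it is run as `bad_source_report < /path/to/openvpn.log`.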
 
 
Hardening OpenVPN
Add a few lines to server.conf:
user nobody ;drop privileges, for safety
group nobody
chroot /var/tmp

Then test it:
[root@RH9 root]# ps aux | grep openvpn
nobody 24066 0.0 0.1 4012 1684 ? S 15:12 0:00 [ openvpn]
root 24069 0.0 0.0 3572 624 pts/2 S 15:45 0:00 grep openvpn

This shows that openvpn is running as the nobody user.
[root@RH9 root]# lsof -p 24066 | grep "/var/tmp"
openvpn 24066 nobody cwd DIR 8,1 4096 294337 /var/tmp
openvpn 24066 nobody rtd DIR 8,1 4096 294337 /var/tmp
Now even if someone has a remote exploit there is nothing to fear; if they do get in, they are welcome to look at whatever is in /var/tmp, heh.
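The following is an added example, not part of the original post: a shell lint that checks a server.conf for the privilege-dropping directives above (user, group, chroot) and also for persist-key and persist-tun, which OpenVPN needs alongside them so that a SIGUSR1 restart still works once the process has dropped root and entered the chroot and can no longer re-read its key files or re-open the tun device. The two configuration files it checks are constructed for the example.

```shell
#!/bin/sh
# Added example: lint an OpenVPN server.conf for privilege-dropping directives.
# Directives checked: user, group, chroot (run unprivileged inside a chroot) and
# persist-key, persist-tun (needed so restarts still work after privileges are
# dropped). An explicit "user root" / "group root" is flagged as well.

# check_hardening CONF
# Prints "missing: <directive ...>" and returns 1 if anything is absent;
# returns 0 silently when the configuration has all of them.
check_hardening() {
    conf="$1"
    missing=""
    for directive in user group chroot persist-key persist-tun; do
        # a directive only counts at the start of a non-comment line
        if ! grep -Eq "^[[:space:]]*$directive([[:space:]]|\$)" "$conf"; then
            missing="$missing $directive"
        fi
    done
    if grep -Eq '^[[:space:]]*(user|group)[[:space:]]+root([[:space:]]|$)' "$conf"; then
        missing="$missing runs-as-root"
    fi
    missing="${missing# }"
    if [ -n "$missing" ]; then
        echo "missing: $missing"
        return 1
    fi
    return 0
}

# Constructed configuration files for the example.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
# Weak: like the stock sample server.conf, user/group are commented out and there is no chroot.
cat > "$WORKDIR/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
;user nobody
;group nobody
EOF
# Hardened: the same file plus the three lines from the section above.
cat > "$WORKDIR/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
user nobody ;drop privileges
group nobody
chroot /var/tmp
EOF

# Stand-alone run: report on both files.
for f in "$WORKDIR/weak.conf" "$WORKDIR/hardened.conf"; do
    if check_hardening "$f"; then
        echo "$f: ok"
    fi
done
```

Run it against /usr/local/etc/server.conf before starting the daemon; the `ps` and `lsof` checks above then confirm at runtime what the lint confirmed in the file.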
 
This article comes from someone else's blog; it is only reposted here.

I. OpenVPN installation environment

Server side: Red Hat, kernel version 2.4.20-31.9, IP 70.8.7.6. The kernel must support the tun device, and the iptables module must be loadable.
Check whether tun is present:
Code:
root@a [/]# modinfo tun
filename:    /lib/modules/2.4.20-31.9/kernel/drivers/net/tun.o
description:
author:
license:     "GPL"
If the modinfo command is not available, look directly for a tun.o file in the kernel tree:
Code:
find -name tun.o
./lib/modules/2.4.20/kernel/drivers/net/tun.o
Check the iptables module by looking for the following file:
/etc/init.d/iptables
OpenVPN version installed: 2.0.5. There appears to be a newer version by now; it can be downloaded from http://openvpn.net.
Client side: Windows XP PRO SP2, OpenVPN GUI for Windows 1.0.3, available from openvpn.se.
Note: the version of OpenVPN GUI for Windows must match the version of the OpenVPN server.
For example, if the server runs OpenVPN 2.0.5, the OpenVPN GUI for Windows to download is openvpn-2.0.5-gui-1.0.3-install.exe.
All historical OpenVPN GUI releases: http://openvpn.se/files/install_packages/

II. OpenVPN server installation

http://www.xiaohui.com/dev/server/20070514-install-openvpn.htm
  1. Log in to the host with SecureCRT and go to the root directory. Code:
    cd /
  2. Download LZO and unpack it into lzo-2.02.
    URL: http://www.oberhumer.com/opensource/lzo/download/ Code:
    wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
  3. Download OpenVPN and unpack it into openvpn-2.0.5.
    URL: http://openvpn.net/download.html Code:
    wget http://openvpn.net/release/openvpn-2.0.5.tar.gz
  4. Install LZO. Code:
    cd /lzo-2.02
    ./configure
    make
    make check
    make install
  5. Install OpenVPN
    Code:
    cd /openvpn-2.0.5
    ./configure
    # or specify the directories explicitly (note: the command below belongs on one line; it is split over four lines here for readability)
    # ./configure --with-lzo-headers=/usr/local/include
    #  --with-lzo-lib=/usr/local/lib
    #  --with-ssl-headers=/usr/local/include/openssl
    #  --with-ssl-lib=/usr/local/lib
    make
    make install
    
  6. Generate the certificates and keys
    Initialise the PKI
    (if the export command is not available, setenv [name] [value] can be used instead)
    Code:
    cd /openvpn-2.0.5/easy-rsa
    export D=`pwd`
    export KEY_CONFIG=$D/openssl.cnf
    export KEY_DIR=$D/keys
    export KEY_SIZE=1024
    export KEY_COUNTRY=CN
    export KEY_PROVINCE=GD
    export KEY_CITY=SZ
    export KEY_ORG="dvdmaster"
    export KEY_EMAIL="support@cooldvd.com"
    Build:
    Code:
    ./clean-all
    ./build-ca
    Generating a 1024 bit RSA private key 
    ................++++++ 
    ........++++++ 
    writing new private key to 'ca.key' 
    ----- 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank. 
    ----- 
    Country Name (2 letter code) [CN]: 
    State or Province Name (full name) [GD]: 
    Locality Name (eg, city) [SZ]: 
    Organization Name (eg, company) [dvdmaster]: 
    Organizational Unit Name (eg, section) []:dvdmaster 
    Common Name (eg, your name or your server's hostname) []:server 
    Email Address [support@cooldvd.com]:
    # Build the server key. Code:
    ./build-key-server server 
    Generating a 1024 bit RSA private key 
    ......++++++ 
    ....................++++++ 
    writing new private key to 'server.key' 
    ----- 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank. 
    ----- 
    Country Name (2 letter code) [CN]: 
    State or Province Name (full name) [GD]: 
    Locality Name (eg, city) [SZ]: 
    Organization Name (eg, company) [dvdmaster]: 
    Organizational Unit Name (eg, section) []:dvdmaster 
    Common Name (eg, your name or your server's hostname) []:server 
    Email Address [support@cooldvd.com]:
    Please enter the following 'extra' attributes 
    to be sent with your certificate request 
    A challenge password []:abcd1234 
    An optional company name []:dvdmaster 
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature 
    Signature ok 
    The Subject's Distinguished Name is as follows 
    countryName           :PRINTABLE:'CN' 
    stateOrProvinceName   :PRINTABLE:'GD' 
    localityName          :PRINTABLE:'SZ' 
    organizationName      :PRINTABLE:'dvdmaster' 
    organizationalUnitName:PRINTABLE:'dvdmaster' 
    commonName            :PRINTABLE:'server' 
    emailAddress          :IA5STRING:'support@cooldvd.com'
    Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days) 
    Sign the certificate? [y/n]:y 
    1 out of 1 certificate requests certified, commit? [y/n]y 
    Write out database with 1 new entries 
    Data Base Updated 
    # Generate the client key
    Code:
    ./build-key client1 
    Generating a 1024 bit RSA private key 
    .....++++++ 
    ......++++++ 
    writing new private key to 'client1.key' 
    ----- 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank. 
    ----- 
    Country Name (2 letter code) [CN]: 
    State or Province Name (full name) [GD]: 
    Locality Name (eg, city) [SZ]: 
    Organization Name (eg, company) [dvdmaster]: 
    Organizational Unit Name (eg, section) []:dvdmaster 
    Common Name (eg, your name or your server's hostname) []:client1    # Important: the certificate generated for each client must have a different name.
    Email Address [support@cooldvd.com]:
    Please enter the following 'extra' attributes 
    to be sent with your certificate request 
    A challenge password []:abcd1234 
    An optional company name []:dvdmaster 
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature 
    Signature ok 
    The Subject's Distinguished Name is as follows 
    countryName           :PRINTABLE:'CN' 
    stateOrProvinceName   :PRINTABLE:'GD' 
    localityName          :PRINTABLE:'SZ' 
    organizationName      :PRINTABLE:'dvdmaster' 
    organizationalUnitName:PRINTABLE:'dvdmaster' 
    commonName            :PRINTABLE:'client1' 
    emailAddress          :IA5STRING:'support@cooldvd.com'
    Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days) 
    Sign the certificate? [y/n]:y 
    1 out of 1 certificate requests certified, commit? [y/n]y 
    Write out database with 1 new entries 
    Data Base Updated 
    Generate the other client certificates/keys the same way
    Code:
    ./build-key client2
    ./build-key client3
    Note: at the Common Name (eg, your name or your server's hostname) []: prompt, the name entered for each certificate must be different.
  7. Run build-dh. Code:
    ./build-dh
  8. Pack up all the files under keys and download them to the local machine
    Code:
    tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys
    cp mykeys.tar /home/dvdmastersys/public_html/mykeys.tar
    Move mykeys.tar into the web public directory (the absolute path varies from host to host), download it locally as http://www.a.com/mykeys.tar, then delete it from the server: Code:
    rm /home/dvdmastersys/public_html/mykeys.tar
    Any other way of getting the key files onto the local machine, such as ftp, works as well.
  9. Create the server configuration file
    Create it from the sample file:
    Code:
    cd $dir/sample-config-files/ # go to the sample-config-files subdirectory of the unpacked source tree
    cp server.conf /usr/local/etc  # copy the server configuration file to /usr/local/etc
    vi /usr/local/etc/server.conf
    The contents of the server.conf I created are given separately below.
  10. Create the client configuration file
    Code:
    cd $dir/sample-config-files/  # go to the sample-config-files subdirectory of the unpacked source tree
    cp client.conf /usr/local/etc  # copy the client configuration file to /usr/local/etc
    vi /usr/local/etc/client.conf
    The contents of the client.conf I created are given separately below.
  11. Start OpenVPN: openvpn [server config file]. Code:
    /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
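As an added example that is not part of the original post, the shell script below performs two checks worth running against the easy-rsa keys directory once steps 6 to 8 are done: it lists any Common Name that appears on more than one valid certificate in the CA database index.txt (the uniqueness the instructions above insist on), and it lists private-key files that are readable by group or others. The keys directory it checks is constructed for the example. Note that the same directory also holds ca.key, the CA's signing key, which is only needed on the machine that signs certificates.

```shell
#!/bin/sh
# Added example: sanity checks on an easy-rsa "keys" directory.
#   duplicate_cns INDEX      print CNs used by more than one valid (V) entry
#   loose_private_keys DIR   print *.key files readable by group or others

# duplicate_cns INDEX
# index.txt is the OpenSSL CA database: status (V/R/E), expiry, revocation
# date, serial, filename, subject DN. Only valid (V) entries are considered,
# so a revoked duplicate does not count.
duplicate_cns() {
    grep '^V' "$1" |
    sed -n 's/.*\/CN=\([^/]*\).*/\1/p' |
    LC_ALL=C sort | uniq -d
}

# loose_private_keys DIR
# Parses ls -l so it works with both GNU and BSD userland; a key is "loose"
# when any group/other permission bit is set (anything but "------").
loose_private_keys() {
    for f in "$1"/*.key; do
        [ -f "$f" ] || continue
        case "$(ls -ld "$f" | cut -c5-10)" in
            ------) ;;
            *) echo "$f" ;;
        esac
    done
}

# Constructed keys directory for the example (the key files are empty).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
# CA database: server, client1 issued twice (operator ran build-key client1
# twice), client2 revoked, client3 valid.
{
    printf 'V\t160319081531Z\t\t01\tunknown\t/C=CN/ST=GD/L=SZ/O=dvdmaster/OU=dvdmaster/CN=server/emailAddress=support@cooldvd.com\n'
    printf 'V\t160319082200Z\t\t02\tunknown\t/C=CN/ST=GD/L=SZ/O=dvdmaster/OU=dvdmaster/CN=client1/emailAddress=support@cooldvd.com\n'
    printf 'V\t160319082300Z\t\t03\tunknown\t/C=CN/ST=GD/L=SZ/O=dvdmaster/OU=dvdmaster/CN=client1/emailAddress=support@cooldvd.com\n'
    printf 'R\t160319082400Z\t080401000000Z\t04\tunknown\t/C=CN/ST=GD/L=SZ/O=dvdmaster/OU=dvdmaster/CN=client2/emailAddress=support@cooldvd.com\n'
    printf 'V\t160319082500Z\t\t05\tunknown\t/C=CN/ST=GD/L=SZ/O=dvdmaster/OU=dvdmaster/CN=client3/emailAddress=support@cooldvd.com\n'
} > "$WORKDIR/index.txt"
for k in ca.key server.key client1.key; do
    : > "$WORKDIR/$k"
done
chmod 600 "$WORKDIR/server.key" "$WORKDIR/client1.key"
chmod 644 "$WORKDIR/ca.key"    # deliberately too open for the example

# Stand-alone run.
echo "duplicate CNs:"
duplicate_cns "$WORKDIR/index.txt"
echo "private keys readable by others:"
loose_private_keys "$WORKDIR"
```

On a real server the calls are `duplicate_cns /openvpn-2.0.5/easy-rsa/keys/index.txt` and `loose_private_keys /openvpn-2.0.5/easy-rsa/keys`; a duplicate CN is worth fixing before the certificates are handed out, because the server identifies clients by that name.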

III. Installing the OpenVPN GUI for Windows client

  1. Install OpenVPN GUI for Windows, downloaded from http://openvpn.se. The current version is 1.0.3. Note: the OpenVPN GUI version must match the OpenVPN server version; see the note in section I, installation environment.
  2. Install openvpn gui following the on-screen instructions.
  3. Configure openvpn gui
    After installation, go to the config directory under the installation folder, download the client.conf file created in step 10 above from the server into this folder, and rename it client.ovpn.
    Also extract the following certificate files from the mykeys.tar packed in step 8 into this folder:
    Code:
    ca.crt
    ca.key
    client1.crt
    client1.csr
    client1.key
    Then double-click client.ovpn to start openvpn, or start the VPN from the OpenVPN GUI controls.
    If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI icon in the taskbar, choose edit config, paste the contents in and save, then right-click and choose connect.
    To use the VPN on a second machine, do the same configuration, replacing client1.crt, client1.csr and client1.key with the corresponding client2.xxx files, and change the matching key file names in client.ovpn.

IV. OpenVPN sample configuration files

  1. OpenVPN server: server.conf
    Code:
    local 70.8.7.6
    port 1194
    proto udp
    dev tun
    ca /openvpn-2.0.5/easy-rsa/keys/ca.crt
    cert /openvpn-2.0.5/easy-rsa/keys/server.crt
    key /openvpn-2.0.5/easy-rsa/keys/server.key  # This file should be kept secret
    dh /openvpn-2.0.5/easy-rsa/keys/dh1024.pem
    server 10.8.0.0 255.255.255.0
    client-to-client
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status /openvpn-2.0.5/easy-rsa/keys/openvpn-status.log
    verb 4
    push "dhcp-option DNS 10.8.0.1"
    push "dhcp-option DNS 70.88.98.10"  # name server address; how to find it is explained below
    push "dhcp-option DNS 70.88.99.11"  # name server address; how to find it is explained below
    Note: some domains are blocked by the GFW; to reach those sites, the DNS servers on the server should be pushed to the client. The DNS IPs in the example above, 70.88.98.10 and 70.88.99.11, can be found in /etc/resolv.conf: Code:
    vi /etc/resolv.conf
    nameserver   70.88.98.10
    nameserver   70.88.99.11
  2. OpenVPN client: client.ovpn
    Code:
    client
    dev tun
    proto udp
    remote 70.8.7.6 1194
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    redirect-gateway def1

V. Reaching the Internet through OpenVPN

  1. Enable routing. After the VPN connection succeeds, routing still has to be set up before the Internet can be reached through the VPN. Add it on the Linux host: Code:
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 70.8.7.6
    /etc/init.d/iptables save
    /etc/init.d/iptables restart
    The -o eth0 argument may differ from machine to machine; run ifconfig to find which interface carries the IP (70.8.7.6).
    IP forwarding also has to be switched on. Do not do it with echo 1 > /proc/sys/net/ipv4/ip_forward, since that setting does not survive a reboot. First check the current values:
    Code:
    sysctl -a | grep for
    # result:
    net.ipv4.conf.tun0.mc_forwarding = 0 
    net.ipv4.conf.tun0.forwarding = 1 
    net.ipv4.conf.eth0.mc_forwarding = 0 
    net.ipv4.conf.eth0.forwarding = 1 
    net.ipv4.conf.lo.mc_forwarding = 0 
    net.ipv4.conf.lo.forwarding = 1 
    net.ipv4.conf.default.mc_forwarding = 0 
    net.ipv4.conf.default.forwarding = 1 
    net.ipv4.conf.all.mc_forwarding = 0 
    net.ipv4.conf.all.forwarding = 1 
    net.ipv4.ip_forward = 1 
    If any of the values listed above is not 1 on your host, change it to 1, for example:
    Code:
    sysctl -w net.ipv4.ip_forward=1
    and likewise for the others.
  2. Enable a name server
    If you need to reach sites whose domains are blocked by the GFW, and your OpenVPN server itself is not blocked, run a name server on your host and push its DNS to the client. Dedicated hosts generally come with a private DNS server.
    Code:
    rpm -qa | grep bind
    /etc/init.d/named start
    In addition, server.conf must contain these three settings:
    Code:
    push "dhcp-option DNS 10.8.0.1"
    push "dhcp-option DNS 70.88.98.10"  # name server address
    push "dhcp-option DNS 70.88.99.11"  # name server address
    Once the client has connected, running ipconfig /all in cmd should produce output similar to this:
    Code:
    Ethernet adapter Local Area Connection 3: 
            Connection-specific DNS Suffix  . : 
            Description . . . . . . . . . . . : TAP-Win32 Adapter V8 
            Physical Address. . . . . . . . . : 00-FF-AA-B0-60-2B 
            Dhcp Enabled. . . . . . . . . . . : Yes 
            Autoconfiguration Enabled . . . . : Yes 
            IP Address. . . . . . . . . . . . : 10.8.0.6 
            Subnet Mask . . . . . . . . . . . : 255.255.255.252 
            Default Gateway . . . . . . . . . : 10.8.0.5 
            DHCP Server . . . . . . . . . . . : 10.8.0.5 
            DNS Servers . . . . . . . . . . . : 10.8.0.1 
                                                70.88.98.10 
                                                70.88.99.11 
            Lease Obtained. . . . . . . . . . : 2006年5月25日 5:13:52 
            Lease Expires . . . . . . . . . . : 2007年5月25日 5:13:52 
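An added example, not from the original post, on item 1 above: `sysctl -w` changes the running kernel but, like the echo into /proc, is forgotten at reboot; the persistent place for the setting is /etc/sysctl.conf, which Red Hat's init scripts apply at boot and which `sysctl -p` applies on demand. The script below sets a key in a sysctl.conf-style file idempotently (rewriting an existing line or appending one) and reads it back. It works on a constructed copy of the file; on a real host point it at /etc/sysctl.conf and run `sysctl -p` afterwards.

```shell
#!/bin/sh
# Added example: make a sysctl setting persistent by editing a sysctl.conf-style
# file instead of only changing the running kernel with sysctl -w.

# escape_key KEY: escape the dots in a sysctl key for use in a regular expression
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# sysctl_value CONF KEY: print the value configured for KEY (last line wins), or nothing
sysctl_value() {
    esc=$(escape_key "$2")
    sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# key_line_count CONF KEY: number of lines that set KEY (used to confirm idempotence)
key_line_count() {
    esc=$(escape_key "$2")
    grep -c "^[[:space:]]*$esc[[:space:]]*=" "$1"
}

# persist_sysctl CONF KEY VALUE: set "KEY = VALUE" in CONF, replacing an existing
# line for KEY or appending one, so repeated runs leave exactly one line.
persist_sysctl() {
    conf="$1"; key="$2"; value="$3"
    esc=$(escape_key "$key")
    if grep -q "^[[:space:]]*$esc[[:space:]]*=" "$conf"; then
        tmp=$(mktemp)
        sed "s/^[[:space:]]*$esc[[:space:]]*=.*/$key = $value/" "$conf" > "$tmp"
        cat "$tmp" > "$conf"   # write back in place to keep the file's owner and mode
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
}

# Constructed sysctl.conf fragment for the example; the real file is /etc/sysctl.conf.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
# Kernel sysctl configuration file (constructed example)
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
EOF

# Stand-alone run: turn forwarding on, twice, and add a key that was not there.
persist_sysctl "$CONF" net.ipv4.ip_forward 1
persist_sysctl "$CONF" net.ipv4.ip_forward 1   # second run must not add a line
persist_sysctl "$CONF" net.ipv4.conf.all.forwarding 1
echo "ip_forward is now: $(sysctl_value "$CONF" net.ipv4.ip_forward)"
echo "lines setting it:  $(key_line_count "$CONF" net.ipv4.ip_forward)"
# On a real host, apply the file to the running kernel with: sysctl -p
```

Writing the file back with `cat` rather than `mv` keeps the original inode, so the file's ownership and mode (and any hard links) are untouched; the same function can be used for the other forwarding keys listed in item 1.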

VI. Starting openvpn automatically after the OpenVPN server reboots

Run:
Code:
vi /etc/rc.local
Then add this line at the end:
Code:
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &

VII. Testing OpenVPN

Once logged in through the VPN you can test network applications such as MSN, QQ and IE, and also try visiting some sites blocked by the GFW, provided of course that your VPN server is located outside the country.

VIII. Important caution when using OpenVPN

It is not advisable to log in to PayPal or Google AdSense accounts over the VPN; doing so may get the account restricted or bring other risks.