服务器网卡设置
客户端xp系统网卡设置:客户端有外网IP 10.0.0.6,这个IP和***server的外网IP是互通的。
open***服务器的网络环境,***server要有内网eth0的ip:192.168.0.35,和外网eth1的ip:10.0.0.5。IDC机房的网段是192.168.0.0/24
[root@c2 network-scripts]# pwd
/etc/sysconfig/network-scripts
[root@c2 network-scripts]# cat ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.0.35
PREFIX=24
GATEWAY=192.168.0.1
DNS1=202.101.172.35
[root@c2 network-scripts]# cat ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=10.0.0.5
PREFIX=24
[root@c2 network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:7c:1f:5b brd ff:ff:ff:ff:ff:ff
inet 192.168.0.35/24 brd 192.168.0.255 scope global eth0
inet6 fe80::20c:29ff:fe7c:1f5b/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:7c:1f:65 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.5/24 brd 10.0.0.255 scope global eth1
inet6 fe80::20c:29ff:fe7c:1f65/64 scope link
valid_lft forever preferred_lft forever
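#!/usr/bin/env bash
# Install open*** and easy-rsa on an EL6 host from the EPEL and RPMForge
# repositories, plus the OpenSSL headers/compiler that easy-rsa builds need.
# Must run as root with outbound network access.
#
# Stop at the first failed step: without this, a failed repository install is
# ignored and the yum commands below run against a host that has no open***
# package available, so the failure only surfaces much later.
set -eo pipefail

# SECURITY: both release packages are fetched over plain HTTP and nothing here
# verifies their signatures, so the package content is trusted as delivered by
# the network path. Prefer an HTTPS mirror, import the repository's GPG key
# first and check the downloaded .rpm with `rpm -K` before installing it.
# NOTE: `rpm -ivh` fails when the package is already installed, which aborts a
# second run of this script under set -e.
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

# Refresh repository metadata so the newly added repositories are visible.
yum makecache
yum -y install open***
yum -y install easy-rsa

# Sync the clock before any certificate is generated: certificate validity
# periods are derived from the system time at signing.
ntpdate pool.ntp.org

yum -y install openssl openssl-devel gcc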
[root@c2 ~]# cp -R /usr/share/easy-rsa/ /etc/open***/
[root@c2 ~]# cd /etc/open***/easy-rsa/2.0
[root@c2 2.0]# chmod +x ./*
在server端配置***server并建立CA。初始化配置时,删除或者修改vars中的以下几行:
[root@c2 2.0]# pwd
/etc/open***/easy-rsa/2.0
[root@c2 2.0]# egrep -v "^$|^#" vars | tail -7 | head -5
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
修改方法可以使用vim,也可以使用sed,下面使用sed修改。修改前要先备份vars并检查,备份文件名要带上作者和日期:
[root@c2 2.0]# cp vars vars.zgp.20150202
[root@c2 2.0]# grep US vars
export KEY_COUNTRY="US"
[root@c2 2.0]# sed -i '/US/d' vars # 删除国家
[root@c2 2.0]# grep US vars
删除省份。CA的删除有点特殊:要删除以 CA" 结尾的行,而不是所有含有CA的行(下面可以看到 CA_EXPIRE 那一行同样含有CA):
[root@c2 2.0]# grep 'CA"' vars
export KEY_PROVINCE="CA"
[root@c2 2.0]# sed -i '/CA"/d' vars # 删除省份
[root@c2 2.0]# grep 'CA"' vars
[root@c2 2.0]# grep 'CA' vars
# In how many days should the root CA key expire?
export CA_EXPIRE=3650
删除城市,组织,邮箱其它三项
[root@c2 2.0]# grep SanFrancisco vars
export KEY_CITY="SanFrancisco"
[root@c2 2.0]# sed -i '/SanFrancisco/d' vars #删除城市
[root@c2 2.0]# grep Fort-Funston vars
export KEY_ORG="Fort-Funston"
[root@c2 2.0]# sed -i '/Fort-Funston/d' vars # 删除组织
[root@c2 2.0]# grep me@myhost.mydomain vars
export KEY_EMAIL="me@myhost.mydomain"
[root@c2 2.0]# sed -i '/me@myhost.mydomain/d' vars # 删除邮箱
[root@c2 2.0]# grep me@myhost.mydomain vars
删除后用EOF追加以下几行
[root@c2 2.0]# cat >> vars << EOF
> # by zgp 20150202
> export KEY_COUNTRY="CN"
> export KEY_PROVINCE="ZHEJIANG"
> export KEY_CITY="hangzhou"
> export KEY_ORG="zgp"
> export KEY_EMAIL="8888888@qq.com"
> EOF
使用source使vars文件生效
[root@c2 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/open***/easy-rsa/2.0/keys
这时keys目录下只有index.txt和serial两个文件
[root@c2 2.0]# ll keys/
total 4
-rw-r--r-- 1 root root 0 Jun 21 04:38 index.txt
-rw-r--r-- 1 root root 3 Jun 21 04:38 serial
下面开始生成key等文件,所有的都回车默认
[root@c2 2.0]# ./clean-all #清除所有相关证书
[root@c2 2.0]# ./build-ca # 生成CA证书,ca.crt、ca.key,下面是输出
Generating a 2048 bit RSA private key
............................+++
............................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ZHEJIANG]:
Locality Name (eg, city) [hangzhou]:
Organization Name (eg, company) [zgp]:
Name [EasyRSA]:
Email Address [8888888@qq.com]:
生成后检查下keys目录,生成了ca.crt和ca.key两个文件
[root@c2 2.0]# ll keys/
total 12
-rw-r--r-- 1 root root 1663 Jun 21 04:46 ca.crt
-rw------- 1 root root 1704 Jun 21 04:46 ca.key
-rw-r--r-- 1 root root 0 Jun 21 04:41 index.txt
-rw-r--r-- 1 root root 3 Jun 21 04:41 serial
创建完CA证书后,还要在服务端生成证书和密钥key文件,服务端和客户端都要有密钥进行通讯
创建CA之后,生成服务器端证书,输入:
[root@c2 2.0]# ./build-key-server server
Generating a 2048 bit RSA private key
...................................................................................................................................................................+++
...................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ZHEJIANG]:
Locality Name (eg, city) [hangzhou]:
Organization Name (eg, company) [zgp]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:IT
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [8888888@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:
Using configuration from /etc/open***/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'ZHEJIANG'
localityName :PRINTABLE:'hangzhou'
organizationName :PRINTABLE:'zgp'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'8888888@qq.com'
Certificate is to be certified until Jun 18 20:58:57 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
查看keys目录下生成的结果
[root@c2 2.0]# ll -rt keys/
total 48
-rw-r--r-- 1 root root 3 Jun 21 04:41 serial.old
-rw-r--r-- 1 root root 0 Jun 21 04:41 index.txt.old
-rw------- 1 root root 1704 Jun 21 04:46 ca.key
-rw-r--r-- 1 root root 1663 Jun 21 04:46 ca.crt
-rw------- 1 root root 1704 Jun 21 04:58 server.key
-rw-r--r-- 1 root root 1090 Jun 21 04:58 server.csr
-rw-r--r-- 1 root root 3 Jun 21 04:59 serial
-rw-r--r-- 1 root root 21 Jun 21 04:59 index.txt.attr
-rw-r--r-- 1 root root 120 Jun 21 04:59 index.txt
-rw-r--r-- 1 root root 5379 Jun 21 04:59 01.pem
-rw-r--r-- 1 root root 5379 Jun 21 04:59 server.crt
接下来生成客户端证书和key文件,同样都是默认回车。现在给zhgp和zhxy两个人各生成一份客户端证书和密钥:
第一种方法,使用./build-key接上名字zhgp
[root@c2 2.0]# ./build-key zhgp
Generating a 2048 bit RSA private key
..........................................................................+++
.............................................................................................+++
writing new private key to 'zhgp.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ZHEJIANG]:
Locality Name (eg, city) [hangzhou]:
Organization Name (eg, company) [zgp]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:IT
Common Name (eg, your name or your server's hostname) [zhgp]:
Name [EasyRSA]:
Email Address [8888888@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:
Using configuration from /etc/open***/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'ZHEJIANG'
localityName :PRINTABLE:'hangzhou'
organizationName :PRINTABLE:'zgp'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'zhgp'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'8888888@qq.com'
Certificate is to be certified until Jun 18 21:14:19 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
查看keys目录下生成的文件
[root@c2 2.0]# ll -rt keys/
total 80
-rw------- 1 root root 1704 Jun 21 04:46 ca.key
-rw-r--r-- 1 root root 1663 Jun 21 04:46 ca.crt
-rw------- 1 root root 1704 Jun 21 04:58 server.key
-rw-r--r-- 1 root root 1090 Jun 21 04:58 server.csr
-rw-r--r-- 1 root root 3 Jun 21 04:59 serial.old
-rw-r--r-- 1 root root 120 Jun 21 04:59 index.txt.old
-rw-r--r-- 1 root root 21 Jun 21 04:59 index.txt.attr.old
-rw-r--r-- 1 root root 5379 Jun 21 04:59 01.pem
-rw-r--r-- 1 root root 5379 Jun 21 04:59 server.crt
-rw------- 1 root root 1708 Jun 21 05:14 zhgp.key
-rw-r--r-- 1 root root 1086 Jun 21 05:14 zhgp.csr
-rw-r--r-- 1 root root 3 Jun 21 05:14 serial
-rw-r--r-- 1 root root 21 Jun 21 05:14 index.txt.attr
-rw-r--r-- 1 root root 238 Jun 21 05:14 index.txt
-rw-r--r-- 1 root root 5256 Jun 21 05:14 zhgp.crt
-rw-r--r-- 1 root root 5256 Jun 21 05:14 02.pem
第二种方法,使用./build-key-pass接上名字zhxy。用build-key-pass创建的客户端私钥带有口令保护(下面会提示输入PEM pass phrase),当客户端拨号的时候会要求输入这个密码:
[root@c2 2.0]# ./build-key-pass zhxy
Generating a 2048 bit RSA private key
............................................+++
..............................+++
writing new private key to 'zhxy.key'
Enter PEM pass phrase: #这里输入密码testtest,密码是密文的看不到
Verifying - Enter PEM pass phrase: #再次输入密码testtest
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ZHEJIANG]:
Locality Name (eg, city) [hangzhou]:
Organization Name (eg, company) [zgp]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:IT
Common Name (eg, your name or your server's hostname) [zhxy]:
Name [EasyRSA]:
Email Address [8888888@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:
Using configuration from /etc/open***/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'ZHEJIANG'
localityName :PRINTABLE:'hangzhou'
organizationName :PRINTABLE:'zgp'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'zhxy'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'8888888@qq.com'
Certificate is to be certified until Jun 18 21:32:19 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
再查看keys目录下的文件
[root@c2 2.0]# ll -rt keys/
total 104
-rw------- 1 root root 1704 Jun 21 04:46 ca.key
-rw-r--r-- 1 root root 1663 Jun 21 04:46 ca.crt
-rw------- 1 root root 1704 Jun 21 04:58 server.key
-rw-r--r-- 1 root root 1090 Jun 21 04:58 server.csr
-rw-r--r-- 1 root root 5379 Jun 21 04:59 01.pem
-rw-r--r-- 1 root root 5379 Jun 21 04:59 server.crt
-rw------- 1 root root 1708 Jun 21 05:14 zhgp.key
-rw-r--r-- 1 root root 1086 Jun 21 05:14 zhgp.csr
-rw-r--r-- 1 root root 3 Jun 21 05:14 serial.old
-rw-r--r-- 1 root root 238 Jun 21 05:14 index.txt.old
-rw-r--r-- 1 root root 21 Jun 21 05:14 index.txt.attr.old
-rw-r--r-- 1 root root 5256 Jun 21 05:14 zhgp.crt
-rw-r--r-- 1 root root 5256 Jun 21 05:14 02.pem
-rw------- 1 root root 1834 Jun 21 05:32 zhxy.key
-rw-r--r-- 1 root root 1086 Jun 21 05:32 zhxy.csr
-rw-r--r-- 1 root root 3 Jun 21 05:32 serial
-rw-r--r-- 1 root root 21 Jun 21 05:32 index.txt.attr
-rw-r--r-- 1 root root 356 Jun 21 05:32 index.txt
-rw-r--r-- 1 root root 5256 Jun 21 05:32 zhxy.crt
-rw-r--r-- 1 root root 5256 Jun 21 05:32 03.pem
最后生成Diffie-Hellman参数文件,用于建立连接时的密钥交换:
[root@c2 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................................................+.......+.........................................................................................................................................................................................................+.........+.........+.............................................................................................+.................................+......+............................................................................................................+....................................................................................++*++*
再查看keys目录下的文件,生成dh2048.pem
[root@c2 2.0]# ll -rt keys/
total 108
-rw------- 1 root root 1704 Jun 21 04:46 ca.key
-rw-r--r-- 1 root root 1663 Jun 21 04:46 ca.crt
-rw------- 1 root root 1704 Jun 21 04:58 server.key
-rw-r--r-- 1 root root 1090 Jun 21 04:58 server.csr
-rw-r--r-- 1 root root 5379 Jun 21 04:59 01.pem
-rw-r--r-- 1 root root 5379 Jun 21 04:59 server.crt
-rw------- 1 root root 1708 Jun 21 05:14 zhgp.key
-rw-r--r-- 1 root root 1086 Jun 21 05:14 zhgp.csr
-rw-r--r-- 1 root root 3 Jun 21 05:14 serial.old
-rw-r--r-- 1 root root 238 Jun 21 05:14 index.txt.old
-rw-r--r-- 1 root root 21 Jun 21 05:14 index.txt.attr.old
-rw-r--r-- 1 root root 5256 Jun 21 05:14 zhgp.crt
-rw-r--r-- 1 root root 5256 Jun 21 05:14 02.pem
-rw------- 1 root root 1834 Jun 21 05:32 zhxy.key
-rw-r--r-- 1 root root 1086 Jun 21 05:32 zhxy.csr
-rw-r--r-- 1 root root 3 Jun 21 05:32 serial
-rw-r--r-- 1 root root 21 Jun 21 05:32 index.txt.attr
-rw-r--r-- 1 root root 356 Jun 21 05:32 index.txt
-rw-r--r-- 1 root root 5256 Jun 21 05:32 zhxy.crt
-rw-r--r-- 1 root root 5256 Jun 21 05:32 03.pem
-rw-r--r-- 1 root root 424 Jun 21 05:38 dh2048.pem
到此证书和密钥的生成已经完成,接下来配置服务端。
把生成的keys目录拷贝到/etc/open***目录下面(注意这样会把CA私钥ca.key和客户端私钥一起拷到服务端;后面的server.conf实际只用到ca.crt、server.crt、server.key和dh2048.pem这四个文件):
[root@c2 keys]# pwd
/etc/open***/easy-rsa/2.0/keys
[root@c2 keys]# cp -a /etc/open***/easy-rsa/2.0/keys /etc/open***/
找到客户端和服务器样例的配置文件,拷贝到/etc/open***目录下面:
[root@c2 sample]# rpm -ql open*** | grep sample | head -1
/usr/share/doc/open***-2.3.11/sample
[root@c2 sample]# cp -a /usr/share/doc/open***-2.3.11/sample/sample-config-files/*.conf /etc/open***/
切换到/etc/open***目录下,备份server.conf,过滤出有用的server.conf
[root@c2 open***]# pwd
/etc/open***
[root@c2 open***]# cp server.conf server.conf.zgp.20150202
[root@c2 open***]# egrep -v "^$|^#|;" server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
verb 3
把过滤出的有效配置写到一个新文件里:
[root@c2 open***]# egrep -v "^$|^#|;" server.conf > /opt/zgp-***.conf
和默认的相比,一般要修改的配置
local 0.0.0.0
port 34535
push 'route 192.168.0.0 255.255.255.0'
client-to-client
log /var/log/openvn.log
完整的server.conf文件
[root@c2 open***]# egrep -v "^$|^#|;" server.conf
local 0.0.0.0
port 34535
proto udp
dev tun
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/server.crt
key /etc/open***/keys/server.key # This file should be kept secret
dh /etc/open***/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
verb 3
打开路由转发(把内核参数 net.ipv4.ip_forward 设为 1),
通过指定配置文件zgp-***.conf的方式来启动open***
[root@c2 open***]# /usr/sbin/open*** --config /opt/zgp-***.conf
检查端口和进程(注意下面ps输出里的进程是以 --cd /etc/open*** --config server.conf 启动的,即实际使用的是 /etc/open***/server.conf,而不是上面指定的 /opt/zgp-***.conf):
[root@c2 open***]# ps -ef | grep ***
root 5610 1 0 06:09 ? 00:00:00 /usr/sbin/open*** --daemon --writepid /var/run/open***/server.pid --cd /etc/open*** --config server.conf --script-security 2
root 5664 1748 0 06:17 pts/0 00:00:00 grep --color=auto ***
[root@c2 open***]# netstat -anptu | grep 34535
udp 0 0 0.0.0.0:34535 0.0.0.0:* 5610/open***
查看生成tun0的ip
[root@c2 open***]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:7c:1f:5b brd ff:ff:ff:ff:ff:ff
inet 192.168.0.35/24 brd 192.168.0.255 scope global eth0
inet6 fe80::20c:29ff:fe7c:1f5b/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:7c:1f:65 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.5/24 brd 10.0.0.255 scope global eth1
inet6 fe80::20c:29ff:fe7c:1f65/64 scope link
valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
未完,待续……
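#!/usr/bin/env bash
# Consolidated version of the steps above: install open***/easy-rsa, build the
# CA, the server certificate and one passphrase-protected client certificate,
# then stage the server configuration.
# Interactive: build-ca / build-key-server / build-key-pass prompt for the
# certificate fields (press Enter to accept the defaults taken from vars) and
# build-key-pass also prompts for the private-key passphrase.
# Must run as root with outbound network access.
#
# Abort at the first failed command so a later step never runs against missing
# packages or an incomplete keys directory. -u is deliberately not set because
# `source ./vars` runs third-party shell code that may read unset variables.
set -eo pipefail

readonly ovpn_dir=/etc/open***
readonly easy_rsa_dir=/etc/open***/easy-rsa/2.0
readonly backup_tag=zgp.20150202

# SECURITY: both release packages are fetched over plain HTTP and nothing here
# verifies their signatures. Prefer an HTTPS mirror, import the repository's
# GPG key first and check the downloaded .rpm with `rpm -K` before installing.
# NOTE: `rpm -ivh` fails when the package is already installed (aborts a rerun).
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
yum makecache
yum -y install open***
yum -y install easy-rsa
# Certificate validity periods come from the system clock, so sync it first.
ntpdate pool.ntp.org
yum -y install openssl openssl-devel gcc

cp -R /usr/share/easy-rsa/ "${ovpn_dir}/"
cd "${easy_rsa_dir}"
chmod +x ./*

# Replace the default DN fields in vars. Match the whole `export KEY_X=` line
# instead of a substring of its value: the original `/US/d`-style patterns
# delete any line that happens to contain that text (the vars file also has a
# CA_EXPIRE line, which is why the page had to special-case `CA"`). Keep a
# dated backup of vars first.
cp vars "vars.${backup_tag}"
sed -i -e '/^export KEY_COUNTRY=/d' \
       -e '/^export KEY_PROVINCE=/d' \
       -e '/^export KEY_CITY=/d' \
       -e '/^export KEY_ORG=/d' \
       -e '/^export KEY_EMAIL=/d' vars
cat >> vars << 'EOF'
#by zgp 20150202
export KEY_COUNTRY="CN"
export KEY_PROVINCE="ZHEJIANG"
export KEY_CITY="hangzhou"
export KEY_ORG="zgp"
export KEY_EMAIL="8888888@qq.com"
EOF

# vars exports the key directory and the DN defaults used by the scripts below.
source ./vars
./clean-all                 # wipes the keys directory; only safe on a fresh PKI
./build-ca                  # press Enter for the defaults
./build-key-server server   # press Enter for the defaults
./build-key-pass zhxy       # press Enter for the defaults; prompts for the key passphrase
./build-dh

# The server config references only ca.crt, server.crt, server.key and
# dh2048.pem, so copy just those. The CA private key (ca.key) and the client
# keys stay in the easy-rsa keys directory: the running server has no use for
# them, and a compromise of the server must not also yield the CA. Client
# material is handed out from the easy-rsa keys directory.
install -d -m 700 "${ovpn_dir}/keys"
cp -a keys/ca.crt keys/server.crt keys/server.key keys/dh2048.pem "${ovpn_dir}/keys/"

cp -a /usr/share/doc/open***-2.3.11/sample/sample-config-files/*.conf "${ovpn_dir}/"
cd "${ovpn_dir}"
cp server.conf "server.conf.${backup_tag}"
# Strip blank and comment lines into the config the server is started with.
egrep -v "^$|^#|;" server.conf > /opt/zgp-***.conf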
转载于:https://blog.51cto.com/zxygp/1790456