My lab environment
Host: Fedora 22, 108.108.108.71
In a VM: Win7 64-bit, 108.108.108.72
openvpn: version 2.3.8
1 The book "Building High-Availability Servers" (构建高可用服务器) says to compress the tunnel traffic with LZO to speed up transfers
1.1 Download the lzo package (the tarball below arrives over plain HTTP with no checksum or signature check, so compare it against a hash or signature published by the project before building; configure and make do not need root, only make install does)
$ wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz
$ tar xf lzo-2.09.tar.gz
$ cd lzo-2.09/
$ sudo ./configure --prefix=/usr
$ sudo make && sudo make install
2 Download the openvpn 2.3.8 source tarball. At first Baidu could not find it and I thought it was blocked, but it isn't ... if it is blocked for you, I'll just say (iqlink)
[liuliancao@liuliancao Downloads]$ wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.8.tar.xz
[liuliancao@liuliancao Downloads]$ tar xf openvpn-2.3.8.tar.xz
[liuliancao@liuliancao Downloads]$ cd openvpn-2.3.8/
[liuliancao@liuliancao openvpn-2.3.8]$ sudo ./configure --with-lzo-lib=/usr
configure: error: ssl is required but missing    # the openssl and openssl-devel packages are needed
[liuliancao@liuliancao openvpn-2.3.8]$ sudo yum -y install openssl openssl-devel
[liuliancao@liuliancao openvpn-2.3.8]$ sudo ./configure --with-lzo-lib=/usr
configure: error: libpam required but missing
[liuliancao@liuliancao openvpn-2.3.8]$ sudo yum -y install pam-devel
[liuliancao@liuliancao openvpn-2.3.8]$ sudo ./configure    # LZO support is already on by default
[liuliancao@liuliancao openvpn-2.3.8]$ sudo make && sudo make install
3 Preparing the openvpn certificates
3.1 Prepare the CA information and initialise the keys directory (the sed substitutions below are unanchored and replace the first match on every line of vars, so check the exported KEY_* values in vars afterwards)
sudo dnf -y install easy-rsa
sudo cp -R /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
sudo sed -i 's/US/CN/' /etc/openvpn/easy-rsa/2.0/vars
sudo sed -i 's/CA/GZ/' /etc/openvpn/easy-rsa/2.0/vars
sudo sed -i 's/SanFrancisco/GY/' /etc/openvpn/easy-rsa/2.0/vars
sudo sed -i 's/Fort-Funston/Liuliancao/' /etc/openvpn/easy-rsa/2.0/vars
sudo sed -i 's/me@myhost.mydomain/liuliancao@gmail.com/' /etc/openvpn/easy-rsa/2.0/vars
sudo sed -i 's/MyOrganizationalUnit/MT/' /etc/openvpn/easy-rsa/2.0/vars
# To save trouble, I switch to root
su -l root
cd /etc/openvpn/easy-rsa/2.0/
source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
./clean-all
# This creates the keys folder, containing an empty index.txt and a serial file whose content is 01
3.2 Generate a root CA certificate with easy-rsa's command; just press Enter at each prompt, since vars already set the values, though I missed the Name field (KEY_NAME); change it if you want
./build-ca
Generating a 2048 bit RSA private key
...................................+++
...............................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GZ]:
Locality Name (eg, city) [GY]:
Organization Name (eg, company) [Liuliancao]:
Organizational Unit Name (eg, section) [MT]:
Common Name (eg, your name or your server's hostname) [Liuliancao CA]:
Name [EasyRSA]:
Email Address [liuliancao@gmail.com]:
# ls keys
ca.crt  ca.key  index.txt  serial
# the first two are new; they are used to sign the server and client certificates
3.3 Generate the Diffie-Hellman file
./build-dh
ls keys
ca.crt  ca.key  dh2048.pem  index.txt  serial
3.4 Generate the server certificate and key
./build-key-server server
Generating a 2048 bit RSA private key
................................................+++
............................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GZ]:
Locality Name (eg, city) [GY]:
Organization Name (eg, company) [Liuliancao]:
Organizational Unit Name (eg, section) [MT]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [liuliancao@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:liuliancao
An optional company name []:liuliancao.com
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GZ'
localityName          :PRINTABLE:'GY'
organizationName      :PRINTABLE:'Liuliancao'
organizationalUnitName:PRINTABLE:'MT'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'liuliancao@gmail.com'
Certificate is to be certified until Oct 24 06:30:56 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
ls keys
01.pem  ca.key      index.txt       index.txt.old  serial.old  server.csr
ca.crt  dh2048.pem  index.txt.attr  serial         server.crt  server.key
3.5 Generate the client certificate files
./build-key foo
Generating a 2048 bit RSA private key
..+++
...................+++
writing new private key to 'foo.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GZ]:
Locality Name (eg, city) [GY]:
Organization Name (eg, company) [Liuliancao]:
Organizational Unit Name (eg, section) [MT]:
Common Name (eg, your name or your server's hostname) [foo]:
Name [EasyRSA]:
Email Address [liuliancao@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:liuliancao
An optional company name []:liuliancao.com
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GZ'
localityName          :PRINTABLE:'GY'
organizationName      :PRINTABLE:'Liuliancao'
organizationalUnitName:PRINTABLE:'MT'
commonName            :PRINTABLE:'foo'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'liuliancao@gmail.com'
Certificate is to be certified until Oct 24 06:35:37 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
ls keys
01.pem  ca.key      foo.csr    index.txt.attr      serial      server.csr
02.pem  dh2048.pem  foo.key    index.txt.attr.old  serial.old  server.key
ca.crt  foo.crt     index.txt  index.txt.old       server.crt
Generate another client user, lara, the same way
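As an added check, not part of the original post or of easy-rsa: the script below builds a throwaway CA plus one server and one client certificate with plain openssl (mirroring what build-ca, build-key-server and build-key produce, including the serverAuth extended key usage that easy-rsa 2.0's server section adds and build-key does not) and then verifies what you want to know before copying the files anywhere: both leaf certificates chain to ca.crt, only server.crt is marked for TLS server use, and the private keys are owner-readable only. The server-use check matters because the same CA signs server and client certificates here; it is exactly the property a client's `remote-cert-tls server` line enforces, and without it a client holding foo.key could present foo.crt as the server. The names ca, server and foo and the temp directory are lab assumptions; point verify_chain and is_server_cert at /etc/openvpn/easy-rsa/2.0/keys to test the real files. Requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): verify an easy-rsa style PKI
# before deploying it.  Requires the openssl CLI.

# Does $2 chain to the CA in $1?  The same check OpenVPN does at handshake time.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Is $1 usable as a TLS server certificate?  build-key-server adds
# extendedKeyUsage=serverAuth; build-key does not.  This is what a client's
# "remote-cert-tls server" directive enforces.
is_server_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Private keys must be readable by their owner only (mode 600).
key_mode_ok() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = "600" ]
}

# Build a throwaway lab PKI in a temp dir and print its path.  Assumed names:
# ca, server, foo (the client from the post); 2048-bit RSA like easy-rsa's
# KEY_SIZE=2048 default.
make_lab_pki() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        # CA: self-signed and marked CA:TRUE so "openssl verify" accepts it as an anchor
        openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
            -subj "/CN=Liuliancao CA" >/dev/null 2>&1
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
        openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca.ext \
            -out ca.crt >/dev/null 2>&1
        # server cert extensions: what build-key-server's [server] section produces
        printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
        # client cert extensions: what build-key produces (no serverAuth)
        printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > client.ext
        for name in server foo; do
            openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
                -out "$name.csr" -subj "/CN=$name" >/dev/null 2>&1
            if [ "$name" = server ]; then ext=server.ext; else ext=client.ext; fi
            openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
                -CAcreateserial -days 30 -extfile "$ext" -out "$name.crt" >/dev/null 2>&1
        done
        chmod 600 ./*.key
    ) || return 1
    echo "$d"
}

# One-line report per certificate, as you would run it before copying files out.
report() {   # $1=ca.crt $2=cert $3=key
    printf '%s: chain=%s server-eku=%s key-mode-600=%s\n' "$2" \
        "$(verify_chain "$1" "$2" && echo ok || echo FAIL)" \
        "$(is_server_cert "$2" && echo yes || echo no)" \
        "$(key_mode_ok "$3" && echo yes || echo NO)"
}

if command -v openssl >/dev/null 2>&1; then
    D=$(make_lab_pki)
    report "$D/ca.crt" "$D/server.crt" "$D/server.key"
    report "$D/ca.crt" "$D/foo.crt" "$D/foo.key"
fi
```

Run against the real directory as `verify_chain keys/ca.crt keys/foo.crt && is_server_cert keys/server.crt` after sourcing the file; foo.crt and lara.crt should chain but fail is_server_cert, and server.crt should pass both.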
3.6 Edit the config file /etc/server.conf
cp ~liuliancao/Downloads/openvpn-2.3.8/sample/sample-config-files/server.conf /etc/server.conf
# The book changes a few things:
# udp -> tcp
# absolute paths for the three crt, key and pem files
# verb 3 -> verb 5 for more debugging output
Since those absolute paths point into the easy-rsa keys directory, ca.key ends up sitting next to server.key on the VPN host. The server only needs ca.crt, server.crt, server.key and dh2048.pem, so keep ca.key (and the client keys) somewhere else.
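Added example, not the post's or the book's file: the server.conf the post ends up with, reconstructed from the Current Parameter Settings the daemon prints in 3.8 (proto tcp, absolute key paths, verb 5, the rest being the sample-config defaults), written beside a hardened variant, with a small audit function that flags the settings that same log shows as weak: ciphername = 'BF-CBC' and authname = 'SHA1' (the 2.3 defaults; Blowfish is a 64-bit block cipher), tls_auth_file = '[UNDEF]' (no HMAC gate on the control channel, so anyone who can reach TCP/1194 gets to talk TLS to the daemon), username/groupname = '[UNDEF]' (the daemon keeps root after initialisation) and crl_file = '[UNDEF]' (no way to revoke a lost foo.key). The /etc/openvpn/keys paths, ta.key and crl.pem are assumptions: ta.key comes from `openvpn --genkey --secret /etc/openvpn/keys/ta.key` and must also be given to every client, and crl.pem from easy-rsa's revoke-full. `cipher AES-256-CBC`, `auth SHA256`, `tls-version-min 1.2` and `remote-cert-tls client` are all accepted by 2.3.8. comp-lzo is kept only because the post's clients rely on it; later OpenVPN releases deprecate tunnel compression.

```shell
#!/bin/sh
# Added example (not from the original post): the post's effective server.conf
# beside a hardened one, plus an audit of the weak settings visible in the
# 3.8 startup log.  Paths under /etc/openvpn/keys are assumptions.

conf_has() {        # $1=file $2=directive -> 0 if an uncommented line sets it
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}
conf_value() {      # first argument of a directive, empty if absent
    awk -v d="$2" '$1==d {print $2; exit}' "$1"
}

# Describe each weak setting on stderr, echo the number found.
weak_setting_count() {
    f=$1; n=0
    conf_has "$f" tls-auth || { n=$((n+1)); echo "  - no tls-auth: control channel has no HMAC gate" >&2; }
    case "$(conf_value "$f" cipher)" in
        ''|BF-CBC) n=$((n+1)); echo "  - cipher is BF-CBC (the 2.3 default, 64-bit block)" >&2 ;;
    esac
    case "$(conf_value "$f" auth)" in
        ''|SHA1) n=$((n+1)); echo "  - auth is SHA1 (the 2.3 default)" >&2 ;;
    esac
    if ! conf_has "$f" user || ! conf_has "$f" group; then
        n=$((n+1)); echo "  - no user/group: daemon keeps root after init" >&2
    fi
    conf_has "$f" crl-verify || { n=$((n+1)); echo "  - no crl-verify: a lost client key cannot be revoked" >&2; }
    echo "$n"
}

# Write both configs into a temp dir and print its path.
write_sample_confs() {
    d=$(mktemp -d) || return 1
    # What the post runs: the sample server.conf with the book's three edits.
    cat > "$d/server-as-on-page.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 5
EOF
    # Hardened: same tunnel, with the gaps the log reveals closed.  Only the
    # server's own files live under /etc/openvpn/keys; ca.key stays off the box.
    cat > "$d/server-hardened.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
crl-verify /etc/openvpn/keys/crl.pem
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
user nobody
group nobody
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
    echo "$d"
}

D=$(write_sample_confs)
for c in server-as-on-page server-hardened; do
    echo "$c.conf:"
    echo "  weak settings: $(weak_setting_count "$D/$c.conf")"
done
```

`weak_setting_count /etc/server.conf` runs the same audit on the live file; the 3.8 log is the ground truth for what the daemon actually loaded, so re-check it after every change.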
3.7 Before starting the service, turn off the firewall and SELinux (something to study properly when I get the chance) and enable IP forwarding on the host. Writing to /proc only lasts until the next reboot; put net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/ to make it persistent. Opening 1194/tcp in firewalld is the alternative to switching the firewall off.
echo "1" > /proc/sys/net/ipv4/ip_forward
3.8 Start the openvpn service
/usr/local/sbin/openvpn --config /etc/server.conf
Tue Oct 27 14:52:15 2015 us=527991 Current Parameter Settings:
Tue Oct 27 14:52:15 2015 us=528061 config = '/etc/server.conf'
Tue Oct 27 14:52:15 2015 us=528076 mode = 1
Tue Oct 27 14:52:15 2015 us=528086 persist_config = DISABLED
Tue Oct 27 14:52:15 2015 us=528095 persist_mode = 1
Tue Oct 27 14:52:15 2015 us=528104 show_ciphers = DISABLED
Tue Oct 27 14:52:15 2015 us=528112 show_digests = DISABLED
Tue Oct 27 14:52:15 2015 us=528121 show_engines = DISABLED
Tue Oct 27 14:52:15 2015 us=528129 genkey = DISABLED
Tue Oct 27 14:52:15 2015 us=528138 key_pass_file = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528151 show_tls_ciphers = DISABLED
Tue Oct 27 14:52:15 2015 us=528168 Connection profiles [default]:
Tue Oct 27 14:52:15 2015 us=528183 proto = tcp-server
Tue Oct 27 14:52:15 2015 us=528199 local = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528209 local_port = 1194
Tue Oct 27 14:52:15 2015 us=528228 remote = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528243 remote_port = 1194
Tue Oct 27 14:52:15 2015 us=528256 remote_float = DISABLED
Tue Oct 27 14:52:15 2015 us=528269 bind_defined = DISABLED
Tue Oct 27 14:52:15 2015 us=528284 bind_local = ENABLED
Tue Oct 27 14:52:15 2015 us=528294 connect_retry_seconds = 5
Tue Oct 27 14:52:15 2015 us=528302 connect_timeout = 10
Tue Oct 27 14:52:15 2015 us=528310 connect_retry_max = 0
Tue Oct 27 14:52:15 2015 us=528319 socks_proxy_server = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528327 socks_proxy_port = 0
Tue Oct 27 14:52:15 2015 us=528335 socks_proxy_retry = DISABLED
Tue Oct 27 14:52:15 2015 us=528344 tun_mtu = 1500
Tue Oct 27 14:52:15 2015 us=528352 tun_mtu_defined = ENABLED
Tue Oct 27 14:52:15 2015 us=528360 link_mtu = 1500
Tue Oct 27 14:52:15 2015 us=528368 link_mtu_defined = DISABLED
Tue Oct 27 14:52:15 2015 us=528376 tun_mtu_extra = 0
Tue Oct 27 14:52:15 2015 us=528384 tun_mtu_extra_defined = DISABLED
Tue Oct 27 14:52:15 2015 us=528392 mtu_discover_type = -1
Tue Oct 27 14:52:15 2015 us=528401 fragment = 0
Tue Oct 27 14:52:15 2015 us=528409 mssfix = 1450
Tue Oct 27 14:52:15 2015 us=528416 explicit_exit_notification = 0
Tue Oct 27 14:52:15 2015 us=528425 Connection profiles END
Tue Oct 27 14:52:15 2015 us=528433 remote_random = DISABLED
Tue Oct 27 14:52:15 2015 us=528441 ipchange = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528449 dev = 'tun'
Tue Oct 27 14:52:15 2015 us=528457 dev_type = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528465 dev_node = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528473 lladdr = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528481 topology = 1
Tue Oct 27 14:52:15 2015 us=528489 tun_ipv6 = DISABLED
Tue Oct 27 14:52:15 2015 us=528497 ifconfig_local = '10.8.0.1'
Tue Oct 27 14:52:15 2015 us=528505 ifconfig_remote_netmask = '10.8.0.2'
Tue Oct 27 14:52:15 2015 us=528513 ifconfig_noexec = DISABLED
Tue Oct 27 14:52:15 2015 us=528521 ifconfig_nowarn = DISABLED
Tue Oct 27 14:52:15 2015 us=528529 ifconfig_ipv6_local = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528537 ifconfig_ipv6_netbits = 0
Tue Oct 27 14:52:15 2015 us=528545 ifconfig_ipv6_remote = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528553 shaper = 0
Tue Oct 27 14:52:15 2015 us=528562 mtu_test = 0
Tue Oct 27 14:52:15 2015 us=528570 mlock = DISABLED
Tue Oct 27 14:52:15 2015 us=528578 keepalive_ping = 10
Tue Oct 27 14:52:15 2015 us=528586 keepalive_timeout = 120
Tue Oct 27 14:52:15 2015 us=528594 inactivity_timeout = 0
Tue Oct 27 14:52:15 2015 us=528602 ping_send_timeout = 10
Tue Oct 27 14:52:15 2015 us=528610 ping_rec_timeout = 240
Tue Oct 27 14:52:15 2015 us=528618 ping_rec_timeout_action = 2
Tue Oct 27 14:52:15 2015 us=528626 ping_timer_remote = DISABLED
Tue Oct 27 14:52:15 2015 us=528634 remap_sigusr1 = 0
Tue Oct 27 14:52:15 2015 us=528642 persist_tun = ENABLED
Tue Oct 27 14:52:15 2015 us=528650 persist_local_ip = DISABLED
Tue Oct 27 14:52:15 2015 us=528658 persist_remote_ip = DISABLED
Tue Oct 27 14:52:15 2015 us=528666 persist_key = ENABLED
Tue Oct 27 14:52:15 2015 us=528674 passtos = DISABLED
Tue Oct 27 14:52:15 2015 us=528682 resolve_retry_seconds = 1000000000
Tue Oct 27 14:52:15 2015 us=528690 username = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528698 groupname = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528706 chroot_dir = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528714 cd_dir = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528722 writepid = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528730 up_script = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528738 down_script = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528746 down_pre = DISABLED
Tue Oct 27 14:52:15 2015 us=528754 up_restart = DISABLED
Tue Oct 27 14:52:15 2015 us=528762 up_delay = DISABLED
Tue Oct 27 14:52:15 2015 us=528770 daemon = DISABLED
Tue Oct 27 14:52:15 2015 us=528778 inetd = 0
Tue Oct 27 14:52:15 2015 us=528786 log = DISABLED
Tue Oct 27 14:52:15 2015 us=528794 suppress_timestamps = DISABLED
Tue Oct 27 14:52:15 2015 us=528802 nice = 0
Tue Oct 27 14:52:15 2015 us=528809 verbosity = 5
Tue Oct 27 14:52:15 2015 us=528817 mute = 0
Tue Oct 27 14:52:15 2015 us=528825 gremlin = 0
Tue Oct 27 14:52:15 2015 us=528833 status_file = 'openvpn-status.log'
Tue Oct 27 14:52:15 2015 us=528840 status_file_version = 1
Tue Oct 27 14:52:15 2015 us=528848 status_file_update_freq = 60
Tue Oct 27 14:52:15 2015 us=528856 occ = ENABLED
Tue Oct 27 14:52:15 2015 us=528864 rcvbuf = 65536
Tue Oct 27 14:52:15 2015 us=528872 sndbuf = 65536
Tue Oct 27 14:52:15 2015 us=528880 mark = 0
Tue Oct 27 14:52:15 2015 us=528888 sockflags = 0
Tue Oct 27 14:52:15 2015 us=528895 fast_io = DISABLED
Tue Oct 27 14:52:15 2015 us=528903 lzo = 7
Tue Oct 27 14:52:15 2015 us=528911 route_script = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528919 route_default_gateway = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=528927 route_default_metric = 0
Tue Oct 27 14:52:15 2015 us=528935 route_noexec = DISABLED
Tue Oct 27 14:52:15 2015 us=528943 route_delay = 0
Tue Oct 27 14:52:15 2015 us=528951 route_delay_window = 30
Tue Oct 27 14:52:15 2015 us=528959 route_delay_defined = DISABLED
Tue Oct 27 14:52:15 2015 us=528967 route_nopull = DISABLED
Tue Oct 27 14:52:15 2015 us=528975 route_gateway_via_dhcp = DISABLED
Tue Oct 27 14:52:15 2015 us=528983 max_routes = 100
Tue Oct 27 14:52:15 2015 us=528991 allow_pull_fqdn = DISABLED
Tue Oct 27 14:52:15 2015 us=528999 route 10.8.0.0/255.255.255.0/nil/nil
Tue Oct 27 14:52:15 2015 us=529007 management_addr = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529015 management_port = 0
Tue Oct 27 14:52:15 2015 us=529023 management_user_pass = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529031 management_log_history_cache = 250
Tue Oct 27 14:52:15 2015 us=529039 management_echo_buffer_size = 100
Tue Oct 27 14:52:15 2015 us=529047 management_write_peer_info_file = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529055 management_client_user = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529063 management_client_group = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529071 management_flags = 0
Tue Oct 27 14:52:15 2015 us=529079 shared_secret_file = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529087 key_direction = 0
Tue Oct 27 14:52:15 2015 us=529095 ciphername_defined = ENABLED
Tue Oct 27 14:52:15 2015 us=529103 ciphername = 'BF-CBC'
Tue Oct 27 14:52:15 2015 us=529111 authname_defined = ENABLED
Tue Oct 27 14:52:15 2015 us=529119 authname = 'SHA1'
Tue Oct 27 14:52:15 2015 us=529127 prng_hash = 'SHA1'
Tue Oct 27 14:52:15 2015 us=529135 prng_nonce_secret_len = 16
Tue Oct 27 14:52:15 2015 us=529143 keysize = 0
Tue Oct 27 14:52:15 2015 us=529151 engine = DISABLED
Tue Oct 27 14:52:15 2015 us=529159 replay = ENABLED
Tue Oct 27 14:52:15 2015 us=529167 mute_replay_warnings = DISABLED
Tue Oct 27 14:52:15 2015 us=529175 replay_window = 64
Tue Oct 27 14:52:15 2015 us=529183 replay_time = 15
Tue Oct 27 14:52:15 2015 us=529191 packet_id_file = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529199 use_iv = ENABLED
Tue Oct 27 14:52:15 2015 us=529207 test_crypto = DISABLED
Tue Oct 27 14:52:15 2015 us=529214 tls_server = ENABLED
Tue Oct 27 14:52:15 2015 us=529227 tls_client = DISABLED
Tue Oct 27 14:52:15 2015 us=529235 key_method = 2
Tue Oct 27 14:52:15 2015 us=529243 ca_file = '/etc/openvpn/easy-rsa/2.0/keys/ca.crt'
Tue Oct 27 14:52:15 2015 us=529251 ca_path = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529259 dh_file = '/etc/openvpn/easy-rsa/2.0/keys/dh2048.pem'
Tue Oct 27 14:52:15 2015 us=529267 cert_file = '/etc/openvpn/easy-rsa/2.0/keys/server.crt'
Tue Oct 27 14:52:15 2015 us=529276 priv_key_file = '/etc/openvpn/easy-rsa/2.0/keys/server.key'
Tue Oct 27 14:52:15 2015 us=529284 pkcs12_file = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529292 cipher_list = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529300 tls_verify = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529308 tls_export_cert = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529316 verify_x509_type = 0
Tue Oct 27 14:52:15 2015 us=529324 verify_x509_name = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529332 crl_file = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529339 ns_cert_type = 0
Tue Oct 27 14:52:15 2015 us=529347 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529355 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529363 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529370 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529378 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529386 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529394 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529401 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529409 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529417 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529425 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529433 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529441 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529448 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529456 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529464 remote_cert_ku[i] = 0
Tue Oct 27 14:52:15 2015 us=529472 remote_cert_eku = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529480 ssl_flags = 0
Tue Oct 27 14:52:15 2015 us=529497 tls_timeout = 2
Tue Oct 27 14:52:15 2015 us=529510 renegotiate_bytes = 0
Tue Oct 27 14:52:15 2015 us=529519 renegotiate_packets = 0
Tue Oct 27 14:52:15 2015 us=529527 renegotiate_seconds = 3600
Tue Oct 27 14:52:15 2015 us=529535 handshake_window = 60
Tue Oct 27 14:52:15 2015 us=529543 transition_window = 3600
Tue Oct 27 14:52:15 2015 us=529551 single_session = DISABLED
Tue Oct 27 14:52:15 2015 us=529563 push_peer_info = DISABLED
Tue Oct 27 14:52:15 2015 us=529573 tls_exit = DISABLED
Tue Oct 27 14:52:15 2015 us=529581 tls_auth_file = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529593 server_network = 10.8.0.0
Tue Oct 27 14:52:15 2015 us=529602 server_netmask = 255.255.255.0
Tue Oct 27 14:52:15 2015 us=529614 server_network_ipv6 = ::
Tue Oct 27 14:52:15 2015 us=529623 server_netbits_ipv6 = 0
Tue Oct 27 14:52:15 2015 us=529631 server_bridge_ip = 0.0.0.0
Tue Oct 27 14:52:15 2015 us=529639 server_bridge_netmask = 0.0.0.0
Tue Oct 27 14:52:15 2015 us=529648 server_bridge_pool_start = 0.0.0.0
Tue Oct 27 14:52:15 2015 us=529656 server_bridge_pool_end = 0.0.0.0
Tue Oct 27 14:52:15 2015 us=529665 push_entry = 'route 10.8.0.1'
Tue Oct 27 14:52:15 2015 us=529673 push_entry = 'topology net30'
Tue Oct 27 14:52:15 2015 us=529681 push_entry = 'ping 10'
Tue Oct 27 14:52:15 2015 us=529689 push_entry = 'ping-restart 120'
Tue Oct 27 14:52:15 2015 us=529697 ifconfig_pool_defined = ENABLED
Tue Oct 27 14:52:15 2015 us=529705 ifconfig_pool_start = 10.8.0.4
Tue Oct 27 14:52:15 2015 us=529713 ifconfig_pool_end = 10.8.0.251
Tue Oct 27 14:52:15 2015 us=529722 ifconfig_pool_netmask = 0.0.0.0
Tue Oct 27 14:52:15 2015 us=529730 ifconfig_pool_persist_filename = 'ipp.txt'
Tue Oct 27 14:52:15 2015 us=529738 ifconfig_pool_persist_refresh_freq = 600
Tue Oct 27 14:52:15 2015 us=529746 ifconfig_ipv6_pool_defined = DISABLED
Tue Oct 27 14:52:15 2015 us=529755 ifconfig_ipv6_pool_base = ::
Tue Oct 27 14:52:15 2015 us=529763 ifconfig_ipv6_pool_netbits = 0
Tue Oct 27 14:52:15 2015 us=529771 n_bcast_buf = 256
Tue Oct 27 14:52:15 2015 us=529779 tcp_queue_limit = 64
Tue Oct 27 14:52:15 2015 us=529787 real_hash_size = 256
Tue Oct 27 14:52:15 2015 us=529795 virtual_hash_size = 256
Tue Oct 27 14:52:15 2015 us=529803 client_connect_script = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529811 learn_address_script = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529819 client_disconnect_script = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529828 client_config_dir = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529836 ccd_exclusive = DISABLED
Tue Oct 27 14:52:15 2015 us=529843 tmp_dir = '/tmp'
Tue Oct 27 14:52:15 2015 us=529851 push_ifconfig_defined = DISABLED
Tue Oct 27 14:52:15 2015 us=529860 push_ifconfig_local = 0.0.0.0
Tue Oct 27 14:52:15 2015 us=529868 push_ifconfig_remote_netmask = 0.0.0.0
Tue Oct 27 14:52:15 2015 us=529876 push_ifconfig_ipv6_defined = DISABLED
Tue Oct 27 14:52:15 2015 us=529885 push_ifconfig_ipv6_local = ::/0
Tue Oct 27 14:52:15 2015 us=529893 push_ifconfig_ipv6_remote = ::
Tue Oct 27 14:52:15 2015 us=529901 enable_c2c = DISABLED
Tue Oct 27 14:52:15 2015 us=529909 duplicate_cn = DISABLED
Tue Oct 27 14:52:15 2015 us=529917 cf_max = 0
Tue Oct 27 14:52:15 2015 us=529925 cf_per = 0
Tue Oct 27 14:52:15 2015 us=529933 max_clients = 1024
Tue Oct 27 14:52:15 2015 us=529941 max_routes_per_client = 256
Tue Oct 27 14:52:15 2015 us=529949 auth_user_pass_verify_script = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529957 auth_user_pass_verify_script_via_file = DISABLED
Tue Oct 27 14:52:15 2015 us=529965 port_share_host = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=529973 port_share_port = 0
Tue Oct 27 14:52:15 2015 us=529981 client = DISABLED
Tue Oct 27 14:52:15 2015 us=529989 pull = DISABLED
Tue Oct 27 14:52:15 2015 us=529997 auth_user_pass_file = '[UNDEF]'
Tue Oct 27 14:52:15 2015 us=530006 OpenVPN 2.3.8 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 27 2015
Tue Oct 27 14:52:15 2015 us=530017 library versions: OpenSSL 1.0.1k-fips 8 Jan 2015, LZO 2.09
Tue Oct 27 14:52:15 2015 us=591771 Diffie-Hellman initialized with 2048 bit key
Tue Oct 27 14:52:15 2015 us=592728 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:3 ]
Tue Oct 27 14:52:15 2015 us=592762 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Oct 27 14:52:15 2015 us=592859 ROUTE_GATEWAY 108.108.108.1/255.255.255.0 IFACE=enp2s0 HWADDR=74:d4:35:94:7e:a1
Tue Oct 27 14:52:15 2015 us=593113 TUN/TAP device tun0 opened
Tue Oct 27 14:52:15 2015 us=593141 TUN/TAP TX queue length set to 100
Tue Oct 27 14:52:15 2015 us=593162 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Oct 27 14:52:15 2015 us=593194 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Tue Oct 27 14:52:15 2015 us=626688 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Tue Oct 27 14:52:15 2015 us=706994 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:143 ET:0 EL:3 AF:3/1 ]
Tue Oct 27 14:52:15 2015 us=707035 Listening for incoming TCP connection on [undef]
Tue Oct 27 14:52:15 2015 us=707057 TCPv4_SERVER link local (bound): [undef]
Tue Oct 27 14:52:15 2015 us=707065 TCPv4_SERVER link remote: [undef]
Tue Oct 27 14:52:15 2015 us=707074 MULTI: multi_init called, r=256 v=256
Tue Oct 27 14:52:15 2015 us=707099 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Oct 27 14:52:15 2015 us=707123 IFCONFIG POOL LIST
Tue Oct 27 14:52:15 2015 us=707143 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Oct 27 14:52:15 2015 us=707165 Initialization Sequence Completed
# Ctrl-Alt-T opens a new tab; TCP port 1194 is now listening
netstat -tunlp | grep 1194
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      22302/openvpn
lsof -i:1194
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
openvpn 22302 root    5u  IPv4 377638      0t0  TCP *:openvpn (LISTEN)
4 Client connection
4.1 Windows client connection
4.1.1 Download the Windows client yourself
You can get it here: https://openvpn.net/index.php/open-source/downloads.html
Install it normally; a notification will tell you that a network adapter has been installed
4.1.2 Copy the certificates from the server to the Windows user; this time I copy foo's, mainly foo.crt, foo.key and ca.crt. foo.key is the client's private key, so move it over an authenticated channel such as scp rather than mail or a shared folder, and give each client its own certificate (like foo and lara above) instead of sharing one
4.1.3 Edit the config file; the main changes are as follows
The book says:
change udp to tcp; change the remote line to your own server address and port; change ca, cert and key to the corresponding file names; comment out comp-lzo (I don't know why either)
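Added example, not the post's or the book's file: a foo.ovpn for the Windows client written from the three edits above (proto tcp, remote pointing at the Fedora host, the foo.* and ca.crt names from 4.1.2), next to the same file with the one line the book's list leaves out, `remote-cert-tls server` (in 2.3, `ns-cert-type server` does the same job for certificates made with easy-rsa 2.0). Without it the client accepts any certificate signed by the lab CA as the server, and every client certificate is signed by that same CA. The check function compares a client file against a server.conf and counts the mismatches that bite in practice: proto must agree, comp-lzo should be set on both ends or neither (OpenVPN's own sample server.conf says a client must enable it when the server does, which is why commenting it out on one side only is worth flagging), tls-auth must be present on both or neither, and the server-identity check must be there. The server address and port are the post's; the reduced server.conf is constructed for the comparison. If the server is later given a ta.key, the client needs `tls-auth ta.key 1` as well, and the check reports that too.

```shell
#!/bin/sh
# Added example (not from the original post): a client config for foo and a
# consistency check against the server config.  The host 108.108.108.71 and
# the foo.* / ca.crt names come from the post.

conf_has() {        # $1=file $2=directive -> 0 if an uncommented line sets it
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}
conf_value() {      # first argument of a directive, empty if absent
    awk -v d="$2" '$1==d {print $2; exit}' "$1"
}

# Echo the number of problems in client $1 versus server $2, describing each on stderr.
client_config_problems() {
    c=$1; s=$2; n=0
    if ! conf_has "$c" remote-cert-tls && ! conf_has "$c" ns-cert-type; then
        n=$((n+1)); echo "  - client does not check the server EKU: any cert from the CA passes as the server" >&2
    fi
    if [ "$(conf_value "$c" proto)" != "$(conf_value "$s" proto)" ]; then
        n=$((n+1)); echo "  - proto differs between client and server" >&2
    fi
    if conf_has "$c" comp-lzo; then cl=yes; else cl=no; fi
    if conf_has "$s" comp-lzo; then sl=yes; else sl=no; fi
    [ "$cl" = "$sl" ] || { n=$((n+1)); echo "  - comp-lzo on one side only (client=$cl server=$sl)" >&2; }
    if conf_has "$c" tls-auth; then ct=yes; else ct=no; fi
    if conf_has "$s" tls-auth; then st=yes; else st=no; fi
    [ "$ct" = "$st" ] || { n=$((n+1)); echo "  - tls-auth on one side only (client=$ct server=$st)" >&2; }
    echo "$n"
}

# Write the sample files into a temp dir and print its path.
write_sample_confs() {
    d=$(mktemp -d) || return 1
    # the post's server.conf, reduced to the directives the check reads (constructed)
    printf 'proto tcp\ncomp-lzo\n' > "$d/server.conf"
    # the client file as the book describes it: comp-lzo commented out, no EKU check
    cat > "$d/foo-as-in-book.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 108.108.108.71 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert foo.crt
key foo.key
;comp-lzo
verb 3
EOF
    # the same file with the server-identity check and comp-lzo matching the server
    cat > "$d/foo.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 108.108.108.71 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert foo.crt
key foo.key
remote-cert-tls server
comp-lzo
verb 3
EOF
    echo "$d"
}

D=$(write_sample_confs)
for c in foo-as-in-book foo; do
    echo "$c.ovpn: $(client_config_problems "$D/$c.ovpn" "$D/server.conf") problem(s)"
done
```

On the Windows side the three files named in the .ovpn (ca.crt, foo.crt, foo.key) go into the OpenVPN config directory next to foo.ovpn; run `client_config_problems foo.ovpn server.conf` whenever either side changes.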
Then open the OpenVPN GUI and the VPN is ready to use; you will see it connect
If it does not work, check the logs
Reprinted from: https://blog.51cto.com/qixue/1706839