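Installing Open*** on CentOS

1. Open*** installation environment

      Server-side environment:

   1. CentOS, kernel version: 2.6.18, IP 192.168.1.254 (virtual machine 6.5
   2. The kernel must support the tun device, and the iptables module must be loaded.
   3. Open*** version installed: 2.1.rc15 (currently the latest version; available for download from http://open***.net).

      Client-side environment:

   1. Windows XP SP2
   2. open***-2.0.9-gui-1.0.3-install.exe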
2. Open*** server installation procedure

   1. Log in to CentOS with PuTTY
   2. Download Open*** 2.1.rc15

    wget http://open***.net/release/open***-2.1_rc15.tar.gz
    lzo-2.03.tar.gz

   3. Install LZO and Open***

 

      tar zxvf lzo-2.03.tar.gz
      cd lzo-2.03
      ./configure
      make
      make install
      cd ..
      tar zxvf open***-2.1_rc15.tar.gz
      cd open***-2.1_rc15
      ./configure
      make
      make install
Copy the configuration files:
cp -rf /root/open***-2.1_rc15/ /etc/open***

Generate the certificates

Initialize the PKI

Edit /etc/open***/easy-rsa/2.0/vars
and add the following:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="CN"
export KEY_CITY="beijing"
export KEY_ORG="beijing"
export KEY_EMAIL=andlhz@gmail.com

Save the file.

 

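3. Create the certificate authority (CA)
cd /etc/open***/easy-rsa/2.0
# load the KEY_* values from vars into this shell (clean-all and build-ca need them)
source ./vars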
[root@server 2.0]# ./clean-all
[root@server 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.............++++++
........................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [test]:beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [test CA]:
Name []:
Email Address [andlhz@gmail.com]:

 

4. Create the server key

Run ./build-key-server server

[root@server 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.....++++++
...............................................................................................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [test]:beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [andlhz@gmail.com]:

 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/open***/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CN'
localityName          :PRINTABLE:'beijing'
organizationName      :PRINTABLE:'beijing'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'andlhz@gmail.com'
Certificate is to be certified until Aug 12 14:55:28 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server 2.0]#

 

5. Generate the client key

 

[root@server 2.0]# ./build-key test
Generating a 1024 bit RSA private key
.........................++++++
..................++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [test]:beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [test]:
Name []:
Email Address [andlhz@gmail.com]:

 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/open***/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CN'
localityName          :PRINTABLE:'beijing'
organizationName      :PRINTABLE:'beijing'
commonName            :PRINTABLE:'test'
emailAddress          :IA5STRING:'andlhz@gmail.com'
Certificate is to be certified until Aug 12 14:57:18 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server 2.0]#

 

 

Create the keys for the other clients in the same way:

 

./build-key test2
./build-key test3

 

Generate the Diffie-Hellman parameters

Run:

./build-dh

Package all the files under keys and download them to the local machine (via WinSCP, HTTP, FTP, and so on).
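
The keys directory also contains ca.key and server.key, which no client needs. An added example, not part of the original post: the script below packs only ca.crt and one client's certificate and key, and lists any other private key an archive would expose. The helper names and the placeholder files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. make_client_bundle and
# bundle_leaks are hypothetical helper names.

# Pack only what one client needs: the CA certificate plus its own certificate
# and key. ca.key (the CA signing key) and server.key stay on the server.
make_client_bundle() {
    keys_dir=$1; cn=$2; out=$3
    for f in ca.crt "$cn.crt" "$cn.key"; do
        if [ ! -f "$keys_dir/$f" ]; then
            echo "missing $keys_dir/$f" >&2
            return 1
        fi
    done
    # The archive holds a private key, so create it readable by its owner only.
    ( umask 077 && tar -C "$keys_dir" -czf "$out" ca.crt "$cn.crt" "$cn.key" )
}

# List every private key in archive $1 other than client $2's own key.
bundle_leaks() {
    tar -tzf "$1" | sed 's|^\./||' | grep '\.key$' | grep -v -F -x "$2.key" | sort
}

# Constructed sample: empty placeholder files named like the easy-rsa output.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/keys"
for f in ca.crt ca.key server.crt server.key test.crt test.key dh1024.pem; do
    : > "$demo_dir/keys/$f"
done

make_client_bundle "$demo_dir/keys" test "$demo_dir/test.tgz"
tar -C "$demo_dir/keys" -czf "$demo_dir/all.tgz" .
echo "per-client bundle exposes: $(bundle_leaks "$demo_dir/test.tgz" test | tr '\n' ' ')"
echo "whole keys directory exposes: $(bundle_leaks "$demo_dir/all.tgz" test | tr '\n' ' ')"
```
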

 

Create the server configuration file

cp /root/open***-2.1_rc15/sample-config-files/server.conf /etc/open***

port 1194
proto udp
dev tun

ca /etc/open***/easy-rsa/2.0/keys/ca.crt
cert /etc/open***/easy-rsa/2.0/keys/server.crt
key /etc/open***/easy-rsa/2.0/keys/server.key

dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
verb 3
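
An added example, not part of the original post, that checks a server.conf such as the one above for four hardening gaps: DH parameters under 2048 bits, no tls-auth, no user/group privilege drop, and compression enabled. The helper names are hypothetical and the sample file is constructed from the directives shown above.

```shell
#!/bin/sh
# Added example, not from the original post. audit_server_conf and has_directive
# are hypothetical helper names.

# True if directive $1 appears in the active (uncommented) lines held in $active.
has_directive() {
    printf '%s\n' "$active" | grep -q -E "^[[:space:]]*$1([[:space:]]|\$)"
}

# Print one finding per line; print nothing when no check fires.
audit_server_conf() {
    conf=$1
    # Ignore blank lines and lines commented out with '#' or ';'.
    active=$(grep -v -E '^[[:space:]]*([#;]|$)' "$conf" || true)
    # Assumption: the DH file keeps easy-rsa's dh<bits>.pem name, so the size
    # can be read from the file name.
    dh_bits=$(printf '%s\n' "$active" |
        sed -n 's/^[[:space:]]*dh[[:space:]].*dh\([0-9][0-9]*\)\.pem.*/\1/p' | head -n 1)
    if [ -n "$dh_bits" ] && [ "$dh_bits" -lt 2048 ]; then
        echo "dh: ${dh_bits}-bit parameters; set KEY_SIZE to 2048 or more and rebuild"
    fi
    has_directive tls-auth ||
        echo "tls-auth: not set; TLS handshake packets carry no HMAC signature"
    { has_directive user && has_directive group; } ||
        echo "user/group: not set; the daemon does not drop root after startup"
    if has_directive comp-lzo; then
        echo "comp-lzo: compression on; weigh it against compression side channels"
    fi
    return 0
}

# Constructed sample: directives from the server.conf above, plus two
# commented-out lines to show that comments are ignored.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
port 1194
proto udp
dev tun
dh dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
persist-key
;tls-auth ta.key 0
;user nobody
EOF
audit_server_conf "$sample"
```
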

 

 

 

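Client:

3.2 Client
# Download and install open*** (GUI version)
http://open***.se/files/install_packages/open***-2.0.9-gui-1.0.3-install.exe
# Set up the environment
Go to the "c:\Program Files\Open***\easy-rsa" directory
Save openssl.cnf.sample as openssl.cnf
Save vars.bat.sample as vars.bat
Edit vars.bat
set KEY_COUNTRY="CN"
set KEY_PROVINCE="CN"
set KEY_CITY="beijing"
set KEY_ORG="beijing"
set KEY_EMAIL="andlhz@gmail.com"
        (The contents must match the server's, especially the KEY_ORG entry.)
Install the CA files // done on the client
Go to the c:\Program Files\Open***\config directory
Download XXX.crt (the client certificate name) and ca.crt from the server into the local Open***\config directory
# Copy client.o*** from the sample directory:
Copy
c:\Program Files\Open***\config\sample-config\client.o***
into the c:\Program Files\Open***\config directory
# Configure the client
Bottom-right corner (Open*** GUI):
right-click --> Edit Config (leave anything not mentioned here unchanged)
        # the device type must match the server's "dev tun"
        dev tun
        ;dev tap
        remote 192.168.1.254 1194
        ca ca.crt
        cert test.crt
        key test.key
Double-click the open***-gui icon in the bottom-right corner of the desktop; a window pops up showing that it is connecting.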


Test: cmd --> ipconfig /all

Ping 10.8.0.1
To give a client a specific IP address instead of an automatically assigned one, do the following:

Go to /etc/open***/ccd,

vi client1 and write ifconfig-push 10.8.0.X 255.255.255.0

Bind the virtual IP