CentOS下Open×××安装、配置

安装Open***的前提条件

在安装Open***之前你必须确保你已经安装了C编译器(例如gcc)、OpenSSL、LZO(一种无损压缩算法)、PAM(一种可插入式的身份验证模块)，安装方法就不用再说了。

安装Linux版Open***

接着，我们使用tar命令，将该压缩文件解压到当前目录，完整命令为：tar zxf open***-2.3.3.tar.gz

#调用configure

./configure

#编译

make

#安装

make install

配置防火墙规则以及IP转发

echo “1”>/proc/sys/net/ipv4/ip_forward #IP转发

sysctl –p

Open***配置

下载并解压easy-rsa，接着，我们将上图中所标注的easy-rsa-release-2.x/easy-rsa文件夹复制到Open***的解压目录中，命令如下：

然后，我们执行命令cd /usr/local/open***-2.3.4/easy-rsa/2.0从而进入Open***下的easy-rsa/2.0目录。

上面说了这么多，实际上就只是下载了easy-rsa 2.0，并将解压后的easy-rsa子目录复制到了Open***的主目录下。

使用easy-rsa生成CA证书

在生成证书之前，可以对2.0目录中的vars文件稍作修改。vars文件存储的是一些用户变量设置信息，每次生成证书都会使用到其中的某些变量。如下并选择性地对其进行修改(你可以不修改这些参数，但不要把这些参数留空)。

KEY_SIZE：表示密钥的长度，一般为1024或2048(长度越长，性能耗费越多)。

 

#下面是一些用户相关信息配置

KEY_COUNTRY：所在国家

KEY_PROVINCE：所在省

KEY_CITY：所在城市

KEY_ORG：所在组织

KEY_EMAIL：邮箱地址

KEY_OU：机构单位或部门名称

 

下面，我们就开始来生成证书了。保持当前目录为Open***根目录/easy-rsa/2.0。然后依次执行下列命令：

#初始化命令，用于设置后续命令所需的相关变量信息

. ./vars

#清除之前创建的所有证书和密钥

./clean-all

#生成CA证书和密钥

./build-ca

[root@Open*** 2.0]# . ./vars 

NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/open***-2.3.3/easy-rsa/2.0/keys

[root@Open*** 2.0]# ./clean-all 

[root@Open*** 2.0]# ./build-ca #生成ca证书和秘钥

Generating a 2048 bit RSA private key

............................+++

....................................................................................+++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:CN

State or Province Name (full name) [CA]:GD

Locality Name (eg, city) [SanFrancisco]:SZ

Organization Name (eg, company) [Fort-Funston]:softown

Organizational Unit Name (eg, section) [MyOrganizationalUnit]:softown_admin

Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:Open***_CA

Name [EasyRSA]:

Email Address [me@myhost.mydomain]:admin@softown.cn

[root@Open*** 2.0]# 

[root@Open*** 2.0]# ls keys/

ca.crt  ca.key  index.txt  serial

[root@Open*** 2.0]# pwd

/root/open***-2.3.3/easy-rsa/2.0

生成服务端证书

[root@Open*** 2.0]# ./build-key-server ***S

Generating a 2048 bit RSA private key

.....+++

...............+++

writing new private key to '***S.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:CN

State or Province Name (full name) [CA]:GD

Locality Name (eg, city) [SanFrancisco]:SZ

Organization Name (eg, company) [Fort-Funston]:softown

Organizational Unit Name (eg, section) [MyOrganizationalUnit]:softown_admin

Common Name (eg, your name or your server's hostname) [***S]:***S

Name [EasyRSA]:

Email Address [me@myhost.mydomain]:admin@softown.cn

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:server_pwd  

An optional company name []:softown

Using configuration from /root/open***-2.3.3/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'GD'

localityName          :PRINTABLE:'SZ'

organizationName      :PRINTABLE:'softown'

organizationalUnitName:T61STRING:'softown_admin'

commonName            :PRINTABLE:'***S'

name                  :PRINTABLE:'EasyRSA'

emailAddress          :IA5STRING:'admin@softown.cn'

Certificate is to be certified until Aug 29 08:00:20 2027 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

生成客户端证书

[root@Open*** 2.0]# ./build-key user1

Generating a 2048 bit RSA private key

..+++

.....................................+++

writing new private key to 'user1.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:CN

State or Province Name (full name) [CA]:GD

Locality Name (eg, city) [SanFrancisco]:SZ

Organization Name (eg, company) [Fort-Funston]:softown

Organizational Unit Name (eg, section) [MyOrganizationalUnit]:softown_admin

Common Name (eg, your name or your server's hostname) [user1]:user1      

Name [EasyRSA]:

Email Address [me@myhost.mydomain]:admin@softown.cn

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:user1_pwd

An optional company name []:softown

Using configuration from /root/open***-2.3.3/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'GD'

localityName          :PRINTABLE:'SZ'

organizationName      :PRINTABLE:'softown'

organizationalUnitName:T61STRING:'softown_admin'

commonName            :PRINTABLE:'user1'

name                  :PRINTABLE:'EasyRSA'

emailAddress          :IA5STRING:'admin@softown.cn'

Certificate is to be certified until Aug 29 08:02:05 2027 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

生成迪菲·赫尔曼交换密钥

[root@Open*** 2.0]# ./build-dh 

Generating DH parameters, 2048 bit long safe prime, generator 2

This is going to take a long time

.......................................................................................................................................................................+........................................................................................................................................................................................................................+..........................................................................................................................................................................................................+..................................................................................................................................................+...............................................................+...........................................................................................................................................+...............................+.......................................................................................................+.............................................................................................................................................................................................+.....................................................................+....................................+.........................................+..........................................................................................................................................................................................................................................................................................................+..+.....................................................................................................+......................++*++*

生成TLS-auth密钥

[root@Open*** 2.0]# /usr/local/sbin/open*** --genkey --secret /root/open***-2.3.3/easy-rsa/2.0/keys/ta.key

编写配置文件

在这里，我们先在Open***主目录下创建一个config目录，并将其所需的证书和密钥文件拷贝到该目录中。

[root@Open*** 2.0]# mkdir /root/open***-2.3.3/config    

[root@Open*** 2.0]# cp keys/ca.crt keys/ca.key keys/dh2048.pem keys/***S.crt keys/***S.key  keys/ta.key /root/open***-2.3.3/config

此外，我们还需要为服务器和每个客户端的config目录分别编写一个配置文件，服务器端的配置文件为server.conf，客户端的配置文件为client.conf。

这两个配置文件该如何编写呢？Open***已经在sample/sample-config-files子目录中为我们提供了相关的示例文件server.conf和client.conf，并且配置文件中的每个配置选项均有详细的英文说明(配置文件中"#"或";"开头的均为注释内容)。

服务端配置文件server.conf

local 172.18.1.132 #指定监听的本机IP
port 3889
proto udp
dev tun
ca /root/open***-2.3.3/config/ca.crt
cert /root/open***-2.3.3/config/***S.crt
key /root/open***-2.3.3/config/***S.key  # This file should be kept secret
dh /root/open***-2.3.3/config/dh2048.pem
server 10.8.0.0 255.255.255.0 #隧道分配的网段和掩码
ifconfig-pool-persist /root/open***-2.3.3/config/ipp.txt
push "route 192.168.40.0 255.255.255.0" #推送服务器的内网网段
;client-config-dir /root/open***-2.3.3/config/ccd #指定客户端网络配置
route 192.168.20.0 255.255.255.0 #服务器添加客户端的内网网段
client-to-client #允许客户端与客户端相连接，默认情况下客户端只能与服务器相连接
duplicate-cn
keepalive 10 120
tls-auth /root/open***-2.3.3/config/ta.key 0 #开启TLS-auth防御***服务器端的参数值为0，客户端的为1
cipher AES-128-CBC   # AES 加密方式
comp-lzo #开启***连接压缩，如果服务器端开启，客户端也必须开启
max-clients 100
user nobody
group nobody
persist-key
persist-tun
verb 3 #指定日志文件的记录详细级别，可选0-9，等级越高日志内容越详细
mute 20

客户端配置文件client.conf

client
dev tun
proto udp
remote 172.18.1.132 3889 #服务器地址以及端口
resolv-retry infinite #断线自动重新连接
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt  #指定CA证书的文件路径
cert user1.crt #指定当前客户端的证书文件路径
key user1.key #指定当前客户端的私钥文件路径
ns-cert-type server #指定采用服务器校验方式
tls-auth ta.key 1  #如果服务器设置了防御DoS等***的ta.key，则必须每个客户端开启
cipher AES-128-CBC #加密方式
comp-lzo  #开启***连接压缩
verb 3 #指定日志文件的记录详细级别，可选0-9，等级越高日志内容越详细
mute 20

接着看下一篇：Open***路由模式

转载于:https://blog.51cto.com/linuxcgi/1965241