一.软件下载
lzo下载地址:http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
open***服务端下载:http://swupdate.open***.org/community/releases/open***-2.2.1.tar.gz
open***客户端下载:http://swupdate.open***.org/community/releases/open***-2.2.1-install.exe
如果这些包openssl openssl-devel automake pkgconfig iptables没有安装,就用yum安装
yum install -y openssl openssl-devel automake pkgconfig iptables
二.《安装open***所需的支持库lzo》,注意:我的源码包都是解压在家目录下
# tar -zxvf lzo-2.06.tar.gz
# cd lzo-2.06
# ./configure && make && make install -->这里,我安装了n多遍了,才这样写,你要是第一次装,需要分开执行
# echo '/usr/local/lib' >> /etc/ld.so.conf
# ldconfig
# cd
三.《安装open***服务端》
# tar -zxvf open***-2.2.1.tar.gz
# cd open***-2.2.1
# ./configure && make && make install
到这里,默认安装的/usr/local/sbin目录下,只有一个名为open***的可执行文件
四.开始做哪些密钥和证书
4.1 # cd /root/open***-2.2.1/easy-rsa/2.0/ -->到这里主要是编辑vars文件
# vim vars
主要修改下面的内容:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="beijing"
export KEY_ORG="OPEN×××"
export KEY_EMAIL="root@jun.com"
export KEY_EMAIL=root@jun.com
export KEY_CN=jun.com
export KEY_NAME=jun.com
export KEY_OU=jishubu
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
注意,这些内容可以根据自己的实际情况来进行更改,为了就是以后的创建证书的时候,不用交互式,直接采用默认就行了
4.2 生成ca证书
# cp openssl-1.0.0.cnf openssl.cnf
# source ./vars -->这一步就是让上面修改的vars生效,同时用到openssl.cnf文件
# ./clean-all -->这一步,生成一个keys目录
下面这一步就是生成ca,因为上面修改了vars,所以,一路回车就好了
# ./build-ca
如下:
Generating a 1024 bit RSA private key
.............................++++++
...........................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [OPEN×××]:
Organizational Unit Name (eg, section) [jishubu]:
Common Name (eg, your name or your server's hostname) [jun.com]:
Name [jun.com]:
Email Address [root@jun.com]:
4.3 生成服务器证书及私钥
# ./build-key-server server
内容如下:
Generating a 1024 bit RSA private key
.....................................++++++
...++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [OPEN×××]:
Organizational Unit Name (eg, section) [jishubu]:
Common Name (eg, your name or your server's hostname) [server]:
Name [jun.com]:
Email Address [root@jun.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:moyo
Using configuration from /root/open***-2.2.1/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'beijing'
organizationName :PRINTABLE:'OPEN×××'
organizationalUnitName:PRINTABLE:'jishubu'
commonName :PRINTABLE:'server'
name :PRINTABLE:'jun.com'
emailAddress :IA5STRING:'root@jun.com'
Certificate is to be certified until May 20 10:25:04 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4.4 生成客户端证书及私钥
./build-key client1
内容如下:
Generating a 1024 bit RSA private key
................................++++++
............................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [OPEN×××]:
Organizational Unit Name (eg, section) [jishubu]:
Common Name (eg, your name or your server's hostname) [client1]:wang@wang.com -->注意这里,一定要和sever不一样
Name [jun.com]:wang.com
Email Address [root@jun.com]:wang@wang.com -->这里也要与server的不一样,都可以乱写
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/open***-2.2.1/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'beijing'
organizationName :PRINTABLE:'OPEN×××'
organizationalUnitName:PRINTABLE:'jishubu'
commonName :T61STRING:'wang@wang.com'
name :PRINTABLE:'wang.com'
emailAddress :IA5STRING:'wang@wang.com'
Certificate is to be certified until May 20 10:27:24 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4.5 创建服务器所需的Diffie-Hellman
# ./build-dh
内容如下:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........................................................................................................................+........................................................................................................................................................................+...............................+..............+....................................................................+...................................................................+..............................................................+.............................................................................................+.................................................................+......................................................................+...+...+................................................+....+.............................+.......................................................................................+........................................+.........................+....................................................................................+............................................+.......................................+..................+................................+............+..++*++*++*
4.6 生成HMAC firewall验证码,目的就是防止doc***,它其实是一种加密的散列消息验证码,对数据的完整性和真实性进行同步检查
# /usr/local/sbin/open*** --genkey --secret keys/ta.key
五.开始配置了,这些才是最重要
5.1建立配置目录,并将证书和配置复制到相应的目录中去,打包client需要的证书
# mkdir /etc/open***/
# cd keys/
# cp {ca.crt,ca.key,dh1024.pem,server.crt,server.key,ta.key} /etc/open***/
# tar -zcvf client1.tar.gz ca.crt client1.crt client1.key client1.csr -->这些事客户端所需要的证书
# cp /root/open***-2.2.1/sample-config-files/server.conf /etc/open***/ -->这里cp的是配置文件
# cp /root/open***-2.2.1/sample-scripts/open***.init /etc/init.d/open*** -->这里cp的是启动脚本
//查看脚本可知,官方的init启动脚本就是读取/etc/open***配置目录的,如果安装路径不是默认的,需要手动修改这个脚本
5.2 服务器端的配置
# cd /etc/open***/
# vim server.conf
修改后的内容用下面的这个命令查看,如下:
# grep -v "^#" server.conf | grep -v "^;" | sed '/^$/d'
port 1194
proto udp
dev tap
ca ./ca.crt
cert ./server.crt
key ./server.key # This file should be kept secret
dh ./dh1024.pem
server 10.10.20.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.122.0 255.255.255.0" -->如果你用的是vmware,而且vmware是默认的,这句话的重要性是很大的
push "route 192.168.10.0 255.255.255.0" -->192.168.10.0是你的内网的网络地址
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/open***-status.log
log /var/log/open***.log
verb 4
push "dhcp-option DNS 10.10.20.1"
push "dhcp-option DNS 8.8.8.8" (我这里用的本机/etc/resolv.conf 中的)
push "dhcp-option DNS 8.8.4.4" (我这里用的本机/etc/resolv.conf 中的)
5.3 客户端的配置
下面的客户端的配置是要cp到client端的
这个client.conf的样例配置文件在/root/open***-2.2.1/sample-config-files/client.conf这里,下面是我修改后的配置文件;这里就不多说了;
# vim client.conf
client
dev tap
proto udp
remote 192.168.0.2 1194 -->这里的ip是你自己***服务器的ip(注,我配置***是为了在家里能够通过公司办公网络进行跳转,连接到公司机房的服务器,如果你***用的内网地址,那么你的配置要用网络出口的外网IP,并在那台机器上做DNAT转发到内网***服务器的1194端口上。)
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
script-security 3
route-method exe
route-delay 2
5.4 让open***服务器开就就自动启动
# chkconfig --add open***
# chkconfig open*** on
查看一下,看到如下,
# chkconfig --list open***
open*** 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
5.5 打开ip的转发功能
将/etc/sysctl.conf文件里的net.ipv4.ip_forward = 0修改成net.ipv4.ip_forward = 1
然后,在执行以下命令,让其修改的生效
# sysctl -p
5.6 启动open***服务
# service open*** start
# netstat -lnp | grep open*** 查看一下端口是否启动了
udp 0 0 0.0.0.0:1194 0.0.0.0:* 2040/open***
我目前,用下面的防火墙的方式,还没有实现,以后会继续努力,找到解决办法,
六. 防火墙规则设置(这几步很重要,需要按自己的实际情况来指定)
开放open***的服务端口
# iptables -I INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
启动NAT映射,实现共享上网
# iptables -A POSTROUTING -s 10.10.20.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.64.99 注意:这里的10.10.20.0网段是客户端的ip,eth0是***的外网网卡
七.windows的客户端
7.1 载与服务器对应的客户端版本安装
open***的下载地址:http://swupdate.open***.org/community/releases/open***-2.2.1-install.exe
7.2 将上面再服务器上打包的client1.tar.gz下载下来,并把里面的内容解压到open***-2.2.1-install.exe
在windows的安装目录的config目录里,然后,再把上面的client.conf也放到这个config目录里并重命名为client1.o***,这时,就算完成了
7.3 client.o***的内容和上面一样,如下:(这些都是我的实际配置文件,你可以根据自己的需求来配置这个文件)
client
dev tap
proto udp
remote 192.168.0.2 1194 -->这里的ip是你自己***服务器的ip
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
script-security 3
route-method exe
route-delay 2
7.3 启动客户端在托盘右键单击选择Connect即可。
八.添加新的客户端
# cd /root/open***-2.2.1/easy-rsa/2.0
# source ./vars
# ./build-key client2
Generating a 1024 bit RSA private key
...........................................................................++++++
........................................++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [OPEN×××]:
Organizational Unit Name (eg, section) [jishubu]:
Common Name (eg, your name or your server's hostname) [client2]:client2.com
Name [jun.com]:client2.com
Email Address [root@jun.com]:client2@client2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/open***-2.2.1/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'beijing'
organizationName :PRINTABLE:'OPEN×××'
organizationalUnitName:PRINTABLE:'jishubu'
commonName :PRINTABLE:'client2.com'
name :PRINTABLE:'client2.com'
emailAddress :IA5STRING:'client2@client2.com'
Certificate is to be certified until May 21 07:10:23 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
转载于:https://blog.51cto.com/tototo/895388
扫一扫
2537
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
