Server-side configuration
1. Download the required packages

#wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
#wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

2. Compile and install the packages
If the development packages were all selected when the system was installed, the build-tool installation below can be skipped.

#yum install rpm-build
#yum install autoconf.noarch
#yum install zlib-devel
#yum install pam-devel
#yum install openssl-devel

Build and install OpenVPN (lzo first, since the OpenVPN package depends on it):

#rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
#rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
#rpmbuild -tb openvpn-2.0.9.tar.gz
#rpm -Uvh /usr/src/redhat/RPMS/i386/openvpn-2.0.9-1.i386.rpm


3. Copy the configuration files

#cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
#cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
#cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/client.ovpn


4. Set the defaults used when generating the CA and certificates

#cd /etc/openvpn/easy-rsa/

Edit the vars file with vi and adjust the values as needed:

export KEY_COUNTRY=CN
export KEY_PROVINCE=Zhejiang
export KEY_CITY=Ningbo
export KEY_ORG="OpenVPN-UNNC"
export KEY_EMAIL="name@email.com"

The same file also sets the RSA key length, export KEY_SIZE=1024, which is why the transcripts below say "1024 bit". 1024-bit RSA is too short for a new deployment; set KEY_SIZE=2048 before going on. build-dh names its output after KEY_SIZE (dh2048.pem instead of dh1024.pem), so the dh line in server.conf has to match.

Save and exit, then run source vars so the settings take effect, and then ./clean-all. clean-all empties the keys directory, so run it only once, before build-ca.

5. Build the CA certificate
Accept the defaults taken from vars; only the Common Name needs typing, and it should not be reused by the server or any client.

[root@localhost easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.................++++++
..................................................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Zhejiang]:
Locality Name (eg, city) [Ningbo]:
Organization Name (eg, company) [OpenVPN-Server]:
Organizational Unit Name (eg, section) []:IS
Common Name (eg, your name or your server's hostname) []:OpenVPN
Email Address [name@email.com]:

Build the server key. The transcript below was captured on a different host, so its default DN values and its openssl.cnf path differ from the vars set above; accept your own defaults. The challenge password is a CSR attribute that OpenVPN never looks at and can be left blank.

./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [xiaohui.com]:
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:server
Email Address [your-email [at] xiaohui.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:xiaohui.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName            :PRINTABLE:'CN'
stateOrProvinceName    :PRINTABLE:'GD'
localityName           :PRINTABLE:'SZ'
organizationName       :PRINTABLE:'xiaohui.com'
organizationalUnitName :PRINTABLE:'xiaohui.com'
commonName             :PRINTABLE:'server'
emailAddress           :IA5STRING:'your-email [at] xiaohui.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6. Client certificates
With this configuration every VPN client that logs in needs its own certificate, and a certificate can serve only one connection at a time: if two machines are given the same certificate and both dial in, the server (which does not have duplicate-cn set) drops the earlier session as soon as the later one connects. So one certificate per client has to be created. Three are created below, named client1 to client3.
./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [buaa]:
Organizational Unit Name (eg, section) []:gait
Common Name (eg, your name or your server's hostname) []:client1   # important: every client's certificate must be given a different name
Email Address [support@cooldvd.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:gait
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName            :PRINTABLE:'CN'
stateOrProvinceName    :PRINTABLE:'GD'
localityName           :PRINTABLE:'SZ'
organizationName       :PRINTABLE:'dvdmaster'
organizationalUnitName :PRINTABLE:'dvdmaster'
commonName             :PRINTABLE:'client1'
emailAddress           :IA5STRING:'support@cooldvd.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The remaining client certificates/keys are generated the same way:
./build-key client2
./build-key client3
At the prompt Common Name (eg, your name or your server's hostname) []: each certificate must get a different name.

7. Run ./build-dh to generate the Diffie-Hellman parameters.

8. All generated certificates are in /etc/openvpn/easy-rsa/keys.
The server needs ca.crt, server.crt, server.key and dh1024.pem; copy them to /etc/openvpn/keys/ (the paths used in server.conf below). server.key is the server's secret and must stay readable by root only. Each client needs ca.crt plus its own client1-3.crt and client1-3.key; copy those to the Windows client. ca.key is only needed to sign further certificates and is not copied anywhere.
 
Create the server configuration file
mkdir -p /etc/openvpn/keys /etc/openvpn/ccd
cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/server.conf
Sample server configuration file (server.conf)
local 10.22.16.160                 # address the server listens on
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key   # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem    # dh2048.pem if KEY_SIZE was raised to 2048
server 10.8.0.0 255.255.255.0      # VPN subnet; the server itself takes 10.8.0.1
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 10 120
comp-lzo                           # must then also be set in every client config
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 4
push "dhcp-option DNS 10.9.0.1"
push "dhcp-option DNS 172.16.0.23"    # DNS servers handed to the client
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 202.103.24.68"
Two points to watch. status takes a file name and, optionally, an update interval in seconds; a shell redirection such as >/dev/null 2>&1 is not config syntax, OpenVPN reads every word after the directive as a parameter. And an extra route 10.8.0.0 255.255.255.0 line is redundant: server already installs that route through the tun device and a second one only produces a route-add warning. The sample file also carries ;user nobody and ;group nobody; uncommenting them makes the daemon drop root after the tunnel is up (persist-key and persist-tun are there so that a restart still works without those privileges).
Start OpenVPN
service openvpn restart

Client
1. Copy the server's /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf to /etc/openvpn/, edit it as described in step 4, then send it to the Windows client renamed client.ovpn.
2. Run openvpn-2.0.9-gui-1.0.3-install.exe and accept the defaults throughout.
3. Copy client.ovpn, ca.crt, client1.crt and client1.key into C:\Program Files\OpenVPN\config. (Each user gets a different certificate, i.e. a .crt and .key pair such as client2.crt and client2.key.)
4. Build the client configuration file from /root/openvpn-2.0.9/sample-config-files/client.conf (the same sample, in the unpacked source tree) and save it as C:\Program Files\OpenVPN\config\client.ovpn:
a) proto must match the server. The server above uses proto udp, so leave proto udp; switch both sides together if you want TCP.

b) change the remote line to
the VPN server's address (its public IP when connecting over the Internet) followed by the port, 1194
c) change the three ca/cert/key lines to
ca ca.crt
cert client1.crt
key client1.key
d) leave comp-lzo in place: the server config above sets comp-lzo, and in 2.0 compression has to be enabled on both ends or on neither.
Sample client file
# C:\Program Files\OpenVPN\config\client.ovpn
client

dev tun
proto udp

remote 10.22.16.160 1194   # the server's address and port

persist-key
persist-tun
ca ca.crt
cert client1.crt           # client2.crt / client2.key for the next user, and so on
key client1.key
ns-cert-type server        # accept only a certificate built with build-key-server, so another client's certificate cannot pose as the server
comp-lzo
verb 3

redirect-gateway def1      # send all of the client's traffic through the tunnel; needs ip_forward and the NAT rules below
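The server configuration above and the client file share several settings that OpenVPN 2.0 never negotiates: proto, dev, comp-lzo and the port. Getting one of them wrong on one side gives a client that connects, or appears to, but passes no traffic, and a shell redirection on the status line is a config error rather than a redirection. The script below is an added example written for this page, not part of OpenVPN: check_pair reads a server.conf and a client.ovpn, ignores comments, and prints one line per disagreement. The two files it writes into a temporary directory are constructed for the demo and reproduce the pitfalls mentioned above (proto tcp against a proto udp server, comp-lzo on one side only, redirection on the status line).

```shell
#!/bin/sh
# Added example (not OpenVPN code): lint a server.conf / client.ovpn pair for the
# settings that have to agree, and for a malformed "status" line.

# Strip "#" and ";" comments so directives can be matched by their first word.
uncomment() { sed -e 's/[#;].*$//' "$1"; }

# conf_get FILE DIRECTIVE: first argument of the directive, empty if absent.
conf_get() { uncomment "$1" | awk -v d="$2" '$1 == d { print $2; exit }'; }

# conf_has FILE DIRECTIVE: prints 1 if the directive is present uncommented.
conf_has() { uncomment "$1" | awk -v d="$2" '$1 == d { f = 1 } END { if (f) print 1 }'; }

# check_pair SERVER_CONF CLIENT_OVPN: one line per finding, returns 1 if any.
check_pair() {
    srv="$1"; cli="$2"; rc=0
    # Transport and device type are not negotiated; they must match literally.
    sproto=$(conf_get "$srv" proto); cproto=$(conf_get "$cli" proto)
    [ "${sproto:-udp}" = "${cproto:-udp}" ] || { echo "proto: server ${sproto:-udp}, client ${cproto:-udp}"; rc=1; }
    sdev=$(conf_get "$srv" dev); cdev=$(conf_get "$cli" dev)
    [ "$sdev" = "$cdev" ] || { echo "dev: server $sdev, client $cdev"; rc=1; }
    # Without "push comp-lzo", compression is on both ends or on neither.
    [ "$(conf_has "$srv" comp-lzo)" = "$(conf_has "$cli" comp-lzo)" ] || { echo "comp-lzo set on one side only"; rc=1; }
    # "remote HOST [PORT]" defaults to 1194, like the server's "port".
    sport=$(conf_get "$srv" port)
    cport=$(uncomment "$cli" | awk '$1 == "remote" { print ($3 == "" ? 1194 : $3); exit }')
    [ "${sport:-1194}" = "${cport:-1194}" ] || { echo "port: server ${sport:-1194}, client remote ${cport:-1194}"; rc=1; }
    # "status FILE [SECONDS]": every word after the directive is a parameter, so a
    # shell redirection on this line is a config error, not a redirection.
    if uncomment "$srv" | awk '$1 == "status" && (NF > 3 || $0 ~ /[<>]/) { bad = 1 } END { if (bad) exit 0; exit 1 }'; then
        echo "status: shell redirection or extra parameters on the status line"; rc=1
    fi
    return $rc
}

# Demo on constructed files that reproduce the pitfalls discussed above.
d=$(mktemp -d)
cat > "$d/server.conf" <<'EOF'
port 1194
proto udp
dev tun
comp-lzo
status /etc/openvpn/openvpn-status.log >/dev/null 2>&1
EOF
cat > "$d/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 10.22.16.160 1194
# comp-lzo
EOF
if check_pair "$d/server.conf" "$d/client.ovpn"; then echo "consistent"; else echo "fix the findings above"; fi
```

Run it as check_pair /etc/openvpn/server.conf client.ovpn on the server before handing a client file out; a clean run means the four shared settings agree and the status line is well formed.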
5. Server-side forwarding and autostart
a) Make sure nothing on the server or on the firewall in front of it blocks SSH (22/tcp) or OpenVPN (1194/udp).
b) Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
   vi /etc/sysctl.conf
and set net.ipv4.ip_forward = 1. After editing, make the change take effect immediately:
/sbin/sysctl -p
/sbin/sysctl -w net.ipv4.route.flush=1
c) Start OpenVPN at boot (either form works; the second names the runlevels explicitly):
chkconfig openvpn on
chkconfig --level 345 openvpn on
6. Configure iptables
Source-NAT the VPN subnet (10.8.0.0/24, the network given on the server line) and the LAN subnet 192.168.30.0/24 to the server's address 10.22.16.160:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 10.22.16.160
iptables -t nat -I POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source 10.22.16.160
service iptables save
service iptables status
Use service iptables save here rather than service iptables restart: a restart reloads /etc/sysconfig/iptables and throws away rules that were only inserted on the command line.
Alternatively, edit the file directly:
vi /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sun Jan 30 21:14:46 2011
*nat
:PREROUTING ACCEPT [19:1140]
:POSTROUTING ACCEPT [10:2388]
:OUTPUT ACCEPT [10:2388]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -j SNAT --to-source 10.22.16.160
-A POSTROUTING -s 192.168.30.0/255.255.255.0 -o eth0 -j SNAT --to-source 10.22.16.160
COMMIT
# Completed on Sun Jan 30 21:14:46 2011
# Generated by iptables-save v1.3.5 on Sun Jan 30 21:14:46 2011
*filter
:INPUT ACCEPT [646:166802]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [693:301118]
COMMIT
# Completed on Sun Jan 30 21:14:46 2011
and load it:
iptables-restore < /etc/sysconfig/iptables
This filter table accepts everything on INPUT and FORWARD; it leaves all access control to the firewall in front of the server (step 5a).
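The ruleset above NATs whatever subnets are typed in and forwards everything, so a typo or a second copy-and-paste widens it silently. The script below is an added example for this page, not something OpenVPN or the original author ships: gen_rules writes a complete iptables-restore file that only SNATs the VPN subnet on its way out of the egress interface, only forwards between tun+ and that interface (replies only in the other direction), and only admits SSH and 1194/udp from outside; valid_cidr rejects a malformed subnet before it reaches iptables. The server address 10.22.16.160 and the subnets 10.8.0.0/24 and 192.168.30.0/24 come from the page; the interface name eth0 and the use of 192.168.30.0/24 as the admin network for SSH are assumptions. apply_rules is meant to be run as root on the server and is not executed by the demo.

```shell
#!/bin/sh
# Added example (not OpenVPN code): generate a least-privilege iptables ruleset
# for the NAT/forwarding role the server plays in this setup.

# valid_cidr A.B.C.D/N: exit 0 only for a well-formed IPv4 prefix.
valid_cidr() {
    echo "$1" | awk -F'[./]' '
        NF != 5 || $5 !~ /^[0-9]+$/ || $5 > 32 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# gen_rules VPN_SUBNET EGRESS_IF EGRESS_IP [SSH_SOURCE]: print an iptables-restore file.
gen_rules() {
    vpn="$1"; ext="$2"; ip="$3"; ssh_src="${4:-0.0.0.0/0}"
    valid_cidr "$vpn" || { echo "bad VPN subnet: $vpn" >&2; return 1; }
    valid_cidr "$ssh_src" || { echo "bad SSH source: $ssh_src" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only tunnel clients leaving through the egress interface are source-NATed.
-A POSTROUTING -s $vpn -o $ext -j SNAT --to-source $ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management and the VPN service itself, from outside.
-A INPUT -i $ext -s $ssh_src -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $ext -p udp --dport 1194 -j ACCEPT
# Connected clients may talk to the server's own tunnel address.
-A INPUT -i tun+ -s $vpn -j ACCEPT
# Forward tunnel -> outside only; outside -> tunnel only for replies.
-A FORWARD -i tun+ -o $ext -s $vpn -j ACCEPT
-A FORWARD -i $ext -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# apply_rules: same arguments; run as root on the server. The persistent file is
# replaced only after the kernel has accepted the new ruleset.
apply_rules() {
    gen_rules "$@" > /etc/sysconfig/iptables.new || { rm -f /etc/sysconfig/iptables.new; return 1; }
    iptables-restore < /etc/sysconfig/iptables.new || return 1
    mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables
}

# Demo with the page's addresses (eth0 and the admin subnet are assumptions).
gen_rules 10.8.0.0/24 eth0 10.22.16.160 192.168.30.0/24
```

With this ruleset client-to-client traffic still works, because the client-to-client directive switches it inside OpenVPN without it ever passing through the FORWARD chain.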