[root@Open××× ~]# cd /tmp/
[root@Open××× tmp]# wget http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
[root@Open××× tmp]# rpm -ivh epel-release-5-4.noarch.rpm
2. yum install -y openssl openssl-devel lzo lzo-devel gcc gcc-c++ pam pam-devel automake pkgconfig libstdc++ open*** easy-rsa
3. wget http://www.rarsoft.com/rar/rarlinux-4.0.1.tar.gz
tar zxvf rarlinux-4.0.1.tar.gz
cd rar
make
4.
软件打包下载地址:
安装软件包:
wget http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
复制相关文件:
[root@Open××× tmp]# cp -r /usr/share/easy-rsa/2.0/ /etc/open***/
[root@Open××× tmp]# cp /usr/share/doc/open***-2.3.2/sample/sample-config-files/server.conf /etc/open***/
[root@Open××× tmp]# cd /etc/open***/
[root@Open××× open***]# ls
2.0 server.conf
[root@Open××× open***]#
初始化 PKI
[root@Open××× open***]# cd 2.0/
[root@Open××× 2.0]# ls
build-ca build-key-pkcs12 inherit-inter pkitool
build-dh build-key-server list-crl revoke-full
build-inter build-req openssl-0.9.6.cnf sign-req
build-key build-req-pass openssl-0.9.8.cnf vars
build-key-pass clean-all openssl-1.0.0.cnf whichopensslcnf
[root@Open××× 2.0]#
[root@Open××× 2.0]# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SC"
export KEY_CITY="CD"
export KEY_ORG="Open×××"
export KEY_EMAIL="admin@contos.com"
[root@Open××× 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/open***/2.0/keys
[root@Open××× 2.0]# env | grep KEY
[root@Open××× 2.0]# ./clean-all
[root@Open××× 2.0]# ls
build-ca build-key-server list-crl sign-req
build-dh build-req openssl-0.9.6.cnf vars
build-inter build-req-pass openssl-0.9.8.cnf whichopensslcnf
build-key clean-all openssl-1.0.0.cnf
build-key-pass inherit-inter pkitool
build-key-pkcs12 keys revoke-full
创建CA证书
[root@Open××× 2.0]# ./build-ca
Generating a 1024 bit RSA private key
...++++++
..............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SC]:
Locality Name (eg, city) [CD]:
创建服务器Key
[root@Open××× 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
...++++++
....................++++++
writing new private key to 'server.key'
Certificate is to be certified until Feb 8 06:54:03 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Open××× 2.0]#
创建客户端Key
[root@Open××× 2.0]# ./build-key client
Generating a 1024 bit RSA private key
....................++++++
..........++++++
writing new private key to 'client.key'
-----
Certificate is to be certified until Feb 8 06:55:13 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Open××× 2.0]#
生成 Diffie Hellman 参数
[root@Open××× 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
....................+.................+..................................................................................................................................................+........................................................................+.........+..........+......................................+....+...+...........................................+..................................................+................+...........................................+..................................................................+....................................................................................................................+.........................................+.....................................................................................+.......................+..........................................+............................................+..........+.........................+.........+......................................+..............................+..................................+............................+.........................................+..............................................................................................................+.....................................................................................................................................+..........+......................................+.....................................................................+...............................................................................................................+.....+........................................................................+........................+....................................................................................+................+.............+............+....++*++*++*
[root@Open××× 2.0]#
[root@Open××× 2.0]# ls
build-ca build-key-server list-crl sign-req
build-dh build-req openssl-0.9.6.cnf vars
build-inter build-req-pass openssl-0.9.8.cnf whichopensslcnf
build-key clean-all openssl-1.0.0.cnf
build-key-pass inherit-inter pkitool
build-key-pkcs12 keys revoke-full
[root@Open××× 2.0]# cd keys/
[root@Open××× keys]# ls
01.pem ca.key client.key index.txt.attr serial server.csr
02.pem client.crt dh1024.pem index.txt.attr.old serial.old server.key
ca.crt client.csr index.txt index.txt.old server.crt
将keys下的ca.crt server.crt server.key dh1024.pem拷贝到/etc/open***（注意：下面命令中的通配符 ca.* 会同时复制 CA 私钥 ca.key，见后面 ls 输出；而 server.conf 只引用 ca.crt，服务器运行并不需要 ca.key，建议只复制 ca.crt）
[root@Open××× keys]# cp ca.* server.* dh1024.pem /etc/open***/
[root@Open××× keys]#
[root@Open××× keys]# cd /etc/open***
[root@Open××× open***]# ls
2.0 ca.key server.conf server.csr
ca.crt dh1024.pem server.crt server.key
修改服务器配置文件/etc/open***/server.conf
[root@Open××× open***]# cp server.conf server.conf.bak
[root@Open××× open***]# vim server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 61.139.2.68"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
verb 4
启动Open×××
[root@Open××× open***]# service open*** start
Starting open***: [ OK ]
[root@Open××× open***]# chkconfig open*** on
安装一下客户端
将服务器上生成的客户机证书文件放到config文件夹下
新建客户端配置文件client.o***
client
dev tun
proto udp
remote x.x.x.x 1194
persist-key
persist-tun
ca config\\ca.crt
cert config\\client1.crt
key config\\client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
[root@Open××× keys]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@Open××× keys]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
[root@Open××× keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.27
[root@Open××× keys]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 anywhere to:192.168.0.27
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@Open××× keys]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@Open××× keys]#
转载于:https://blog.51cto.com/fshuanglan/1355129