Download the required software from http://down.51cto.com/data/868114; the bundle includes the server.conf, client.conf and client.ovpn files referred to in this article.
OpenVPN is more secure than PPTP, L2TP and IPsec, because it authenticates with three certificates and encrypts the entire communication link.
Note: this document draws on the help document at VPSYOU.com, with thanks.
The help document is here: http://www.vpsyou.com/centos5-5-install-openvpn/
During the actual installation and configuration, however, I found that this help document still contains a few small configuration mistakes. To make OpenVPN easy to uninstall I also placed the scattered program directories under one location, added firewall rules, and finally logged in successfully and got past the GFW. So I recorded the whole process for others to refer to.
Installation steps:
I. First check that the tun device on the VPS is usable. If it is not, contact support to have it enabled; otherwise OpenVPN cannot start.
Log in as root and run:
# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
If the output is as shown above, the tun device is usable; any other result means the device is not working and OpenVPN cannot be installed.
II. Download the required packages:
wget ftp://rpmfind.net/linux/epel/5/i386/pkcs11-helper-devel-1.07-2.el5.1.i386.rpm
wget ftp://rpmfind.net/linux/epel/5/i386/pkcs11-helper-1.07-2.el5.1.i386.rpm
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
wget http://swupdate.openvpn.net/community/releases/openvpn-2.1.4.tar.gz
III. Install the development packages the build needs with yum
yum install -y openssl openssl-devel automake pkgconfig iptables openssl098e-*
IV. Install the OpenVPN server
1. Install the pkcs11-helper RPM packages
rpm -ivh pkcs11-helper-1.07-2.el5.1.i386.rpm
rpm -ivh pkcs11-helper-devel-1.07-2.el5.1.i386.rpm
2. Install LZO
tar zxvf lzo-2.04.tar.gz
cd lzo-2.04/
./configure --prefix=/opt/lzo
make
make check
make install
cd ../
3. Install OpenVPN
tar zxvf openvpn-2.1.4.tar.gz
cd openvpn-2.1.4
./configure --prefix=/opt/openvpn --with-lzo-headers=/opt/lzo/include --with-lzo-lib=/opt/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
make
make install
Next come the certificate and key files. Three are needed: the CA, the server key and the client key.
4. Generate the certificates and keys
cp -r easy-rsa /opt/openvpn/
cd /opt/openvpn/easy-rsa/2.0/
vim export_new_var
Only the three lines to edit are shown below. There must be no space around the = in a shell assignment (export KEY_ORG= "..." would export an empty value and then fail on the quoted string), and $D must already be set to the easy-rsa directory earlier in the file:
export KEY_CONFIG=$D/openssl.cnf
export KEY_ORG="heyLinux.com"
export KEY_EMAIL="root@heyLinux.com"
source export_new_var
./clean-all
./build-ca
Generating a 1024 bit RSA private key
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [heyLinux.com]:
Organizational Unit Name (eg, section) []:heyLinux
Common Name (eg, your name or your server's hostname) [heyLinux.com CA]:heyLinux
Email Address [root@heyLinux.com]:
5. Build the server key
[root@centos 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
............................++++++
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [heyLinux.com]:
Organizational Unit Name (eg, section) []:heyLinux
Common Name (eg, your name or your server's hostname) [server]:heyLinux.com
Email Address [root@heyLinux.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:heyLinux.com
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'heyLinux.com'
organizationalUnitName:PRINTABLE:'heyLinux'
commonName :PRINTABLE:'heyLinux.com'
name :PRINTABLE:'heyLinux'
emailAddress :IA5STRING:'root@heyLinux.com'
Certificate is to be certified until Apr 12 08:21:52 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
6. Generate the client key
[root@centos 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
................................................................................
......................++++++
writing new private key to 'client1.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [heyLinux.com]:
Organizational Unit Name (eg, section) []:heyLinux
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [root@heyLinux.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:heyLinux.com
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'heyLinux.com'
organizationalUnitName:PRINTABLE:'heyLinux'
commonName :PRINTABLE:'client1'
name :PRINTABLE:'heyLinux'
emailAddress :IA5STRING:'root@heyLinux.com'
Certificate is to be certified until Apr 12 08:24:33 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
To generate more client keys, repeat the steps above with client1 changed to client2, client3, and so on.
All keys have now been generated. If you want to delete them and generate them again, run:
source export_new_var
./clean-all
7. Generate the Diffie-Hellman parameters
vi build-dh
Replace $OPENSSL with openssl in the script, then run it:
./build-dh
8. Pack up everything under keys and download it to your local machine
tar -cf keys.tar keys
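Before the keys.tar from step 8 is copied anywhere, it is worth checking the keys directory the way an operator should: every certificate must chain to ca.crt, only server.crt may carry the TLS server extended key usage (this is what a client's remote-cert-tls server check relies on to tell the real server apart from another client's certificate signed by the same CA), and the private keys must be readable by their owner only. The script below is an added example and is not part of the original post or of easy-rsa; to run offline it first builds a throwaway CA, server and client certificate with plain openssl (the names "demo CA", "server", "client1", the file demo.cnf and the temporary directory are all constructed here), mirroring what build-ca, build-key-server and build-key produce, and then audits that directory.

```shell
#!/bin/sh
# Added example (not part of the original post or of easy-rsa): audit an
# easy-rsa style keys/ directory. make_demo_pki builds a constructed PKI so
# the checks can be demonstrated without the real keys.

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_demo_cnf() {
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$1"
}

# Build a constructed demo PKI in directory $1 (CA, server, client1).
make_demo_pki() {
    mkdir -p "$1" || return 1
    (
        cd "$1" || exit 1
        write_demo_cnf demo.cnf
        # CA: self-signed with CA:TRUE, like build-ca
        openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
            -subj "/CN=demo CA" -keyout ca.key -out ca.csr >/dev/null 2>&1 || exit 1
        printf 'basicConstraints = CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' > ca.ext
        openssl x509 -req -in ca.csr -signkey ca.key -days 3650 \
            -extfile ca.ext -out ca.crt >/dev/null 2>&1 || exit 1
        # server: signed by the CA with the serverAuth EKU, like build-key-server
        openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
            -subj "/CN=server" -keyout server.key -out server.csr >/dev/null 2>&1 || exit 1
        printf 'extendedKeyUsage = serverAuth\n' > server.ext
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 3650 -extfile server.ext -out server.crt >/dev/null 2>&1 || exit 1
        # client: signed by the same CA, no server EKU, like build-key
        openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
            -subj "/CN=client1" -keyout client1.key -out client1.csr >/dev/null 2>&1 || exit 1
        openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 3650 -out client1.crt >/dev/null 2>&1 || exit 1
        chmod 600 ca.key server.key client1.key
    )
}

# Print "ok" if CERT ($2) chains to CA ($1), else "fail".
chain_ok() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Print "yes" if CERT carries the TLS server extended key usage, else "no".
has_server_eku() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q 'TLS Web Server Authentication'
    then echo yes; else echo no; fi
}

# Print "yes" if a private key is mode 0600 (owner read/write only), else "no".
key_perms_ok() {
    case $(ls -l "$1" 2>/dev/null | cut -c1-10) in
        -rw-------) echo yes ;;
        *) echo no ;;
    esac
}

# Run every check over a keys directory and print a report; 0 only if all pass.
audit_keys_dir() {
    d=$1 rc=0
    for c in server client1; do
        r=$(chain_ok "$d/ca.crt" "$d/$c.crt"); echo "$c.crt chains to ca.crt: $r"
        [ "$r" = ok ] || rc=1
    done
    r=$(has_server_eku "$d/server.crt"); echo "server.crt has serverAuth EKU: $r"
    [ "$r" = yes ] || rc=1
    r=$(has_server_eku "$d/client1.crt"); echo "client1.crt has serverAuth EKU: $r (must be no)"
    [ "$r" = no ] || rc=1
    for k in ca.key server.key client1.key; do
        r=$(key_perms_ok "$d/$k"); echo "$k is mode 0600: $r"
        [ "$r" = yes ] || rc=1
    done
    return $rc
}

# Stand-alone demo: build the constructed PKI in a temp dir and audit it.
run_demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" && audit_keys_dir "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

run_demo
```

To audit the real directory, call audit_keys_dir /opt/openvpn/easy-rsa/2.0/keys instead of run_demo. Note that a client only needs ca.crt, client1.crt and client1.key; ca.key and server.key should never be included in what is handed to a client.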
9. Create the server configuration file
vi /opt/openvpn/etc/server.conf
Contents (excerpt; the complete file is in the download bundle):
ca /opt/openvpn/easy-rsa/2.0/keys/ca.crt
cert /opt/openvpn/easy-rsa/2.0/keys/server.crt
key /opt/openvpn/easy-rsa/2.0/keys/server.key
dh /opt/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.10.20.0 255.255.255.0
status /opt/openvpn/easy-rsa/2.0/keys/openvpn-status.log
push "dhcp-option DNS 10.10.20.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
10. Create the client configuration file
vi /opt/openvpn/etc/client.conf
Contents (excerpt; the complete file is in the download bundle):
remote 204.74.215.57 1194 # replace with your own IP
ca /opt/openvpn/easy-rsa/2.0/keys/ca.crt
cert /opt/openvpn/easy-rsa/2.0/keys/client1.crt
key /opt/openvpn/easy-rsa/2.0/keys/client1.key
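The excerpts in steps 9 and 10 (and the client.ovpn created later for the Windows client) only show the lines that must be adapted, so it is easy to end up with a server that keeps running as root and a client that will accept any certificate signed by the CA as the server. The script below is an added example, not the post's own configuration: it audits an OpenVPN 2.1 server.conf or client.conf for the hardening directives tls-auth, user/group, persist-key/persist-tun on the server and remote-cert-tls server, tls-auth and nobind on the client. The four sample configs it writes are constructed for this demo (paths taken from the post, 204.74.215.57 is the post's placeholder address, and the file names server-bare.conf, server-hardened.conf, client-bare.conf and client-hardened.conf are invented here).

```shell
#!/bin/sh
# Added example (not part of the original post): audit OpenVPN 2.1 configs
# for missing hardening directives. Sample files below are constructed.

# Exit 0 if FILE ($1) contains directive NAME ($2), optionally with first
# argument VALUE ($3); blank lines and lines starting with # or ; are ignored.
has_directive() {
    awk -v n="$2" -v v="${3:-}" '
        { sub(/^[ \t]+/, "") }
        /^[#;]/ || /^$/ { next }
        $1 == n && (v == "" || $2 == v) { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Print one line per missing hardening directive; ROLE ($2) is server or client.
audit_openvpn_conf() {
    f=$1
    case $2 in
    server)
        has_directive "$f" tls-auth    || echo "tls-auth: add 'tls-auth ta.key 0' so packets without the HMAC are dropped before the TLS handshake"
        has_directive "$f" user        || echo "user: add 'user nobody' so the daemon drops root after startup"
        has_directive "$f" group       || echo "group: add 'group nobody'"
        has_directive "$f" persist-key || echo "persist-key: needed with user/group so keys stay usable across a restart after privileges are dropped"
        has_directive "$f" persist-tun || echo "persist-tun: keep the tun device open across restarts after privileges are dropped"
        ;;
    client)
        has_directive "$f" remote-cert-tls server || has_directive "$f" ns-cert-type server \
            || echo "remote-cert-tls server: without it any certificate signed by the CA, e.g. another client's, is accepted as the server"
        has_directive "$f" tls-auth || echo "tls-auth: add 'tls-auth ta.key 1' to match the server"
        has_directive "$f" nobind   || echo "nobind: do not bind a fixed local port on the client"
        ;;
    *) echo "usage: audit_openvpn_conf FILE server|client" >&2; return 2 ;;
    esac
}

# Number of findings for FILE and ROLE, as a plain integer.
missing_count() { audit_openvpn_conf "$1" "$2" | wc -l | tr -d ' '; }

# Write the four constructed sample files into directory $1.
write_samples() {
    d=$1; mkdir -p "$d" || return 1
    cat > "$d/server-bare.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /opt/openvpn/easy-rsa/2.0/keys/ca.crt
cert /opt/openvpn/easy-rsa/2.0/keys/server.crt
key /opt/openvpn/easy-rsa/2.0/keys/server.key
dh /opt/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.10.20.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
status /opt/openvpn/easy-rsa/2.0/keys/openvpn-status.log
comp-lzo
EOF
    { cat "$d/server-bare.conf"; cat <<'EOF'
tls-auth /opt/openvpn/easy-rsa/2.0/keys/ta.key 0
user nobody
group nobody
persist-key
persist-tun
EOF
    } > "$d/server-hardened.conf"
    cat > "$d/client-bare.conf" <<'EOF'
client
dev tun
proto udp
remote 204.74.215.57 1194 # replace with your own IP
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
EOF
    { cat "$d/client-bare.conf"; cat <<'EOF'
remote-cert-tls server
tls-auth ta.key 1
nobind
EOF
    } > "$d/client-hardened.conf"
}

# Stand-alone demo: audit the constructed samples and print the findings.
run_demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    for f in server-bare server-hardened; do
        echo "== $f.conf"; audit_openvpn_conf "$tmp/$f.conf" server
    done
    for f in client-bare client-hardened; do
        echo "== $f.conf"; audit_openvpn_conf "$tmp/$f.conf" client
    done
    rm -rf "$tmp"
}
run_demo
```

The ta.key referenced by tls-auth is a shared HMAC key generated once on the server with openvpn --genkey --secret ta.key and copied to every client together with the certificates; the same file is used with 0 on the server and 1 on the clients.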
11. Make OpenVPN start automatically when the server reboots
vi /etc/rc.local
Add:
/opt/openvpn/sbin/openvpn --config /opt/openvpn/etc/server.conf > /dev/null 2>&1 &
Start the OpenVPN server
/opt/openvpn/sbin/openvpn --config /opt/openvpn/etc/server.conf > /dev/null 2>&1 &
Check that the server is running
Run netstat -lnp
If you see 0.0.0.0:1194 in the output, the server has started successfully.
V. Firewall rules
1. Open the OpenVPN server port
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
2. Enable NAT so that clients can share the server's internet connection
iptables -I RH-Firewall-1-INPUT 12 -p UDP --dport 53 -j ACCEPT
(this lets clients resolve domain names once the VPN is up)
iptables -t nat -A POSTROUTING -s 10.10.20.0/255.255.255.0 -o eth0 -j MASQUERADE
3. Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
Note that neither these iptables rules nor the sysctl setting survive a reboot unless they are saved (service iptables save, and net.ipv4.ip_forward = 1 in /etc/sysctl.conf).
VI. Installing the OpenVPN GUI client for Windows
1. Download and install .NET Framework 3.5 SP1
The OpenVPN client requires .NET Framework 3.5 SP1 or later, so unfortunately it has to be installed first.
Download: http://www.microsoft.com/downloads/zh-cn/details.aspx?FamilyID=333325fd-ae52-4e35-b531-508d977d32a6&DisplayLang=zh-cn
2. Download and install the OpenVPN client
Download: http://swupdate.openvpn.net/downloads/openvpn-client.msi
3. Create the client configuration file
Go to the program directory C:\Program Files\OpenVPN Technologies\OpenVPN Client\etc\profile
and create the configuration file client.ovpn. Contents (excerpt; the complete file is in the download bundle):
remote 204.74.215.57 1194 # replace with your own IP
4. Put the certificate and key files into the client directory
Extract the keys.tar archive created earlier and move all the files in it to:
C:\Program Files\OpenVPN Technologies\OpenVPN Client\etc\profile
(The client only uses ca.crt, client1.crt and client1.key; ca.key and server.key should not be left on client machines.)
5. Start the OpenVPN client
Start the OpenVPN client software, click "add a connection profile", choose "import from local file", and import the client.ovpn file you just created.
As shown in the screenshot below:
A Client1 entry then appears in the interface; click it to log in.
Login successful
With that, the whole OpenVPN installation is complete. If you too are on a VPS abroad, go and enjoy getting past the GFW.
VII. Uninstalling OpenVPN
If you find OpenVPN too troublesome to use, or want to remove it for any other reason, run the following.
killall openvpn
rpm -e pkcs11-helper-devel pkcs11-helper
rm -rf /opt/lzo
rm -rf /opt/openvpn