linux 下open***配置
参考博客:http://blog.chinaunix.net/uid-26835604-id-3484906.html
一、 下载软件包
# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
# wget http://open***.net/release/open***-2.1_rc22.tar.gz
centos:
# yum install openssl-devel -y
Debian ,ubunu 平台 apt-get install libssl-dev
二、解压及安装
[root@bogon opt]# tar zxvf lzo-2.04.tar.gz
[root@bogon opt]# cd lzo-2.04
[root@bogon lzo-2.04]# ./configure
[root@bogon lzo-2.04]# make && make install
[root@bogon lzo-2.04]# cd ../
[root@bogon opt]# tar zxvf open***-2.1_rc22.tar.gz
[root@bogon opt]# cd open***-2.1_rc22
[root@bogon open***-2.1_rc22]# ./configure
[root@bogon open***-2.1_rc22]# make && make install
[root@bogon open***-2.1_rc22]# cd ../
三、服务器端设置:
1. 用easy-rsa生成服务器证书客户端证书
[root@bogon opt]# cp open***-2.1_rc22/easy-rsa/ -r /etc/open***
[root@bogon opt]# cd /etc/open***/2.0/
编辑vars文件
[root@bogon 2.0]# vim vars
[root@bogon 2.0]# cat vars | grep -v "^$" | grep -v "^#"
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
#echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR --可以注释掉
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BEIJING"
export KEY_ORG="LIANCHAO"
export KEY_EMAIL="15720182323@163.com"
export KEY_CN=changename
export KEY_NAME=changename
export KEY_OU=IT
export PKCS11_MODULE_PATH=changename
export PKCS11_PIN=1234
[root@bogon 2.0]# source vars
(NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/open***/2.0/keys 在vars中注释掉那句就不显示了)
下面这个命令在第一次安装时可以运行,以后在添加客户端时千万别运行,这个命令会清除所有已经生成的证书密钥。
[root@bogon 2.0]# ./clean-all
生成服务器端ca证书
[root@bogon 2.0]# ./build-ca -----生成服务器端ca证书
Generating a 1024 bit RSA private key
........++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [LIANCHAO]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) [changename]:server
Name [changename]:server
Email Address [15720182323@163.com]:
common name 和 name那输入,其他地方直接回车
执行完这个命令后可以看到keys下多了两个文件ca.crt、ca.key
生成服务器端密钥key, 后面这个server就是服务器名,可以自定义。
上面的序列中,大多数询问参数的默认值是在vars或vars.bat文件中设定的值。唯一一个需要明确输入的参数是Common Name,上面的例子中输入的是"server"。
[root@bogon 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.............++++++
.............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [LIANCHAO]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) [server]:server ----此处输入必须与最上边一致
Name [changename]:server
Email Address [15720182323@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/open***/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'LIANCHAO'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'server'
name :PRINTABLE:'server'
emailAddress :IA5STRING:'15720182323@163.com'
Certificate is to be certified until Mar 13 07:34:17 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
除了绿色标注的,其他地方直接回车就可。
执行完后,可以看到keys下多了三个文件server.crt、server.key、server.csr
生成客户端 key
[root@bogon 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
.......++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [LIANCHAO]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) [client1]:client1
Name [changename]:client1
Email Address [15720182323@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/open***/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'LIANCHAO'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'client1'
name :PRINTABLE:'client1'
emailAddress :IA5STRING:'15720182323@163.com'
Certificate is to be certified until Mar 13 07:38:51 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
以此类推建立其他的客户端key
[root@bogon 2.0]# ./build-key client2
[root@bogon 2.0]# ./build-key client3
注意在进入 Common Name (eg, your name or your server’s hostname) []: 的输入时, 每个证书输入的名字必须不同.
可以看到key下多了三个文件client1.crt、client1.csr、client1.key
5.生成Diffie Hellman参数
[root@bogon 2.0]# ./build-dh
6.将 keys 下的需要的文件打包下载到本地(可以通过winscp,http,ftp等等……)
这三个文件复制到C:\Program Files\open***\config文件夹下
[root@bogon keys]# tar zcvf client1.tar.gz ca.* client1.*
ca.crt
ca.key
client1.crt
client1.csr
client1.key
将生成的ca.crt,dh1024.pem,server.crt,server.key拷贝到 /etc/open***/目录下,这四个文件是×××服务端执行所须要的文件。
[root@bogon keys]# cp ca.crt /etc/open***/
[root@bogon keys]# cp dh1024.pem /etc/open***/
[root@bogon keys]# cp server.crt /etc/open***/
[root@bogon keys]# cp server.key /etc/open***/
把server.conf配置文件复制到/etc/open***/.
client.conf配置文件复制到/etc/open***/2.0/keys/
[root@bogon open***]# cd /opt/open***-2.1_rc22/sample-config-files/
[root@bogon sample-config-files]# cp server.conf /etc/open***/
[root@bogon sample-config-files]# cp client.conf /etc/open***/2.0/keys/
[root@bogon open***]# vim server.conf
[root@bogon open***]# cat server.conf | grep -v "^$" | grep -v "^#" | grep -v "^;"
local 192.168.1.250 //open***服务端网卡的IP
port 1194
proto udp //通过udp协议连接
dev tun
ca /etc/open***/ca.crt //ca证书存放位置
cert /etc/open***/server.crt //服务器证书存放位置
key /etc/open***/server.key //服务器密钥存放位置
# This file should be kept secret
dh /etc/open***/dh1024.pem //dh1024.pem存放位置
server 10.8.0.0 255.255.255.0 //虚拟局域网网段设置,请依据须要自行改动,不支持和拔号网卡位于同一网段
ifconfig-pool-persist ipp.txt //在open***重新启动时,再次连接的client将依旧被分配和曾经一样的IP地址
push "redirect-gateway def1 bypass-dhcp" //使client全部网络通信通过***
push "dhcp-option DNS 114.114.114.114" //DNS配置,依据实际情况配置
push "dhcp-option DNS 8.8.8.8" //DNS配置,依据实际情况配置
client-to-client //使客户端能相互訪问
keepalive 10 120
comp-lzo //同意数据压缩与client保持一致
persist-key //通过keepalive检測超时后,又一次启动×××,不又一次读取keys,保留第一次
使用的keys
persist-tun //通过keepalive检測超时后,又一次启动×××,一直保持tun或者tap设备是linkup的,否则网络连接会先linkdown然后linkup
status open***-status.log //定期把open***的一些状态信息写到文件里,以便自己敲代码计费或者进行其它操作
log-append open***.log
verb 3 //设置日志记录冗长级别
mute 20 //反复日志记录限额
[root@bogon open***]# vim 2.0/keys/client.conf
[root@bogon open***]# cat 2.0/keys/client.conf | grep -v "^$" | grep -v "^#" | grep -v "^;"
client //定义是一个客户端
dev tun //路由模式windows下必须设为tun,与服务端保持一致
proto udp //通过udp协议连接,与服务端保持一致
remote 192.168.1.250 1194 //指定服务端IP地址和port,能够用多行指定多台server,实现负载均衡
resolv-retry infinite //解析server域名
nobind //client不须要绑定port
persist-key
persist-tun
mute-replay-warnings //无线网络常常会产生非常多反复的数据包。将此标志设置为反复的数据包关闭警告
ca ca.crt //证书位置依据实际情况加入
cert client.crt //证书位置依据实际情况加入
key client.key //证书位置依据实际情况加入
ns-cert-type server
comp-lzo
verb 3
mute 20
四、打开服务器的路由功能
1.开启CentOS 5 的路由转发功能
# vim /etc/sysctl.conf
修改以下内容:
net.ipv4.ip_forward = 1
[root@bogon open***]# vim /etc/sysctl.conf
[root@bogon open***]# sysctl -p
net.ipv4.ip_forward = 1
五、添加iptables路由转发规则
# iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
[root@bogon open***]# iptables -t nat -F 清除防火墙
[root@bogon open***]# iptables -F
六、启动open***,并加入随机启动
vi /etc/rc.local
然后在最后面加入此行:
[root@bogon open***]# vim /etc/rc.local
/usr/local/sbin/open*** --config /etc/open***/server.conf &
七、Open××× GUI For Windows 客户端安装过程
1.下载 open***-2.1_rc15-install.exe(此版本集成 Open××× GUI)官方下载地址:http://open***.net/release/open***-2.1_rc15-install.exe
2.依屏幕指示安装Open××× GUI
3.配置 open*** gui将上面第6步打包的client1.tar.gz中的下列证书文件解压到 你的Open××× GUI安装路径Open×××config文件夹下
windows端可以通过pscp获得压缩包:
cmd进入dos命令:
pscp root@192.168.1.250:/etc/open***/2.0/keys/ C:\lian
这样压缩包就保存到c盘下的lian文件夹下了
解压后 放到c盘--program file(x86)--open***下的config文件夹下
4.修改client.o***把你的Open××× GUI安装路径Open×××sample-config下的client.o***文件复制到你的Open××× GUI安装路径Open×××config文件夹下,
用记事本打开client.o***
client
dev tun
proto udp
remote 192.168.1.250 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
mute 20
这个client.o***就是client.conf文件内容,只是把 cert 和 key后边的文件名,换成自己的文件名
.双击 client.o*** 即可启动 open***, 或者通过 Open××× GUI 的控制启动
转载于:https://blog.51cto.com/liruixin/1773285
6048
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
