

Environment:

server: CentOS 6.3, OpenVPN 2.3.2

client: Windows 7 64-bit, OpenVPN GUI 2.3.2

I. Server-side configuration:


1. Install the base libraries

Query the build dependencies with rpm and let yum install only the ones it reports as "not installed" (the second word of that rpm message is the package name):

[root@demo openvpn]# for i in $(rpm -q gcc gcc-c++ openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig | grep 'not installed' | awk '{print $2}')
  do
       yum -y install $i;
  done

Install the LZO compression library

Without it, OpenVPN's configure aborts with: configure: error: lzo enabled but missing

[root@demo openvpn]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
[root@demo openvpn]# tar zxvf lzo-2.06.tar.gz
[root@demo openvpn]# cd lzo-2.06
[root@demo lzo-2.06]# ./configure --prefix=/usr/local/
[root@demo lzo-2.06]# make && make install

2. Install OpenVPN 2.3.2

[root@demo openvpn]# wget -c http://swupdate.openvpn.org/community/releases/openvpn-2.3.2.tar.gz
[root@demo openvpn]# tar zxvf openvpn-2.3.2.tar.gz
[root@demo openvpn]# cd openvpn-2.3.2
[root@demo openvpn-2.3.2]# ./configure --prefix=/usr/local/openvpn
[root@demo openvpn-2.3.2]# make && make install

Both tarballs above arrive over plain HTTP with no integrity check. Before building something that will sit on the internet and terminate your tunnels, compare each archive against the signature or checksum the project publishes for that release; a tampered OpenVPN or LZO build compromises every connection that goes through this box.

3. Configure OpenVPN

Pull easy-rsa from GitHub: https://github.com/OpenVPN/easy-rsa

Once downloaded, create the directory /etc/openvpn and copy easy-rsa into it:

[root@demo openvpn]# mkdir /etc/openvpn
[root@demo openvpn]# cp -arp easy-rsa /etc/openvpn/

Have a look at what is in the 2.0 directory:

[root@demo openvpn]# ll /etc/openvpn/easy-rsa/easy-rsa/2.0/
total 112
-rw-r--r--. 1 root root   119 Jul  5 10:49 build-ca
-rw-r--r--. 1 root root   352 Jul  5 10:49 build-dh
-rw-r--r--. 1 root root   188 Jul  5 10:49 build-inter
-rw-r--r--. 1 root root   163 Jul  5 10:49 build-key
-rw-r--r--. 1 root root   157 Jul  5 10:49 build-key-pass
-rw-r--r--. 1 root root   249 Jul  5 10:49 build-key-pkcs12
-rw-r--r--. 1 root root   268 Jul  5 10:49 build-key-server
-rw-r--r--. 1 root root   213 Jul  5 10:49 build-req
-rw-r--r--. 1 root root   158 Jul  5 10:49 build-req-pass
-rw-r--r--. 1 root root   449 Jul  5 10:49 clean-all
-rw-r--r--. 1 root root  1471 Jul  5 10:49 inherit-inter
-rw-r--r--. 1 root root   302 Jul  5 10:49 list-crl
-rw-r--r--. 1 root root  7791 Jul  5 10:49 openssl-0.9.6.cnf
-rw-r--r--. 1 root root  8348 Jul  5 10:49 openssl-0.9.8.cnf
-rw-r--r--. 1 root root  8245 Jul  5 10:49 openssl-1.0.0.cnf
-rw-r--r--. 1 root root 12984 Jul  5 10:49 pkitool
-rw-r--r--. 1 root root   928 Jul  5 10:49 revoke-full
-rw-r--r--. 1 root root   178 Jul  5 10:49 sign-req
-rw-r--r--. 1 root root  2077 Jul  5 10:49 vars
-rw-r--r--. 1 root root   740 Jul  5 10:49 whichopensslcnf


Note: the scripts need the executable bit (the glob also sets it on the .cnf files, which is harmless but unnecessary):

[root@demo openvpn]# chmod +x /etc/openvpn/easy-rsa/easy-rsa/2.0/*
[root@demo openvpn]# ll /etc/openvpn/easy-rsa/easy-rsa/2.0/
total 112
-rwxr-xr-x. 1 root root   119 Jul  5 10:49 build-ca
-rwxr-xr-x. 1 root root   352 Jul  5 10:49 build-dh
-rwxr-xr-x. 1 root root   188 Jul  5 10:49 build-inter
-rwxr-xr-x. 1 root root   163 Jul  5 10:49 build-key
-rwxr-xr-x. 1 root root   157 Jul  5 10:49 build-key-pass
-rwxr-xr-x. 1 root root   249 Jul  5 10:49 build-key-pkcs12
-rwxr-xr-x. 1 root root   268 Jul  5 10:49 build-key-server
-rwxr-xr-x. 1 root root   213 Jul  5 10:49 build-req
-rwxr-xr-x. 1 root root   158 Jul  5 10:49 build-req-pass
-rwxr-xr-x. 1 root root   449 Jul  5 10:49 clean-all
-rwxr-xr-x. 1 root root  1471 Jul  5 10:49 inherit-inter
-rwxr-xr-x. 1 root root   302 Jul  5 10:49 list-crl
-rwxr-xr-x. 1 root root  7791 Jul  5 10:49 openssl-0.9.6.cnf
-rwxr-xr-x. 1 root root  8348 Jul  5 10:49 openssl-0.9.8.cnf
-rwxr-xr-x. 1 root root  8245 Jul  5 10:49 openssl-1.0.0.cnf
-rwxr-xr-x. 1 root root 12984 Jul  5 10:49 pkitool
-rwxr-xr-x. 1 root root   928 Jul  5 10:49 revoke-full
-rwxr-xr-x. 1 root root   178 Jul  5 10:49 sign-req
-rwxr-xr-x. 1 root root  2077 Jul  5 10:49 vars
-rwxr-xr-x. 1 root root   740 Jul  5 10:49 whichopensslcnf



4. Generate the CA certificate

Edit the vars file

[root@demo openvpn]# cd /etc/openvpn/easy-rsa/easy-rsa/2.0/
[root@demo 2.0]# vim vars
................
export KEY_COUNTRY="CN"
export KEY_PROVINCE="LN"
export KEY_CITY="ChengDu"
export KEY_ORG="xxxx"
export KEY_EMAIL="Woo@xx.com"
export KEY_OU="MyOpenVPN"
.................

Fill these in for your own organization. The same file also sets the key size and the certificate lifetimes (KEY_SIZE, CA_EXPIRE and KEY_EXPIRE): the 2048-bit keys and the 3650-day validity that show up in the output below come from those defaults, so change them here if ten-year certificates are longer than you want.

Save and exit when done.


Then:

[root@demo 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/easy-rsa/2.0/keys

If you run ./clean-all or ./build-ca before this step, you get these reminders instead:

[root@demo 2.0]# ./clean-all
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
[root@demo 2.0]# ./build-ca
 Please edit the vars script to reflect your configuration,
 then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
 previous certificates and keys, run "./clean-all".
 Finally, you can run this tool (pkitool) to build certificates/keys.

In other words: edit vars, run source ./vars, and only then run the scripts.

Back to where we were: after source ./vars, run ./clean-all.

This is only needed when a keys/ directory already exists and you want to regenerate everything from the edited vars. Be aware that it wipes the whole keys/ directory, CA key included, so every certificate the old CA issued stops being verifiable. On a first install it can be skipped.

[root@demo 2.0]# ./clean-all

Then run ./build-ca to create the CA certificate:

[root@demo 2.0]# ./build-ca
Generating a 2048 bit RSA private key
....+++
.............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [xxxx CA]:
Name [EasyRSA]:
Email Address [Woo@xx.com]:

Press Enter through the prompts (the defaults come from vars) or type whatever you prefer; that finishes the initialization of keys/.


Now look at what keys/ contains. ca.key (mode 0600) is the CA's private key: everything issued from here on is signed with it, and it should never leave this machine:

[root@demo 2.0]# ll keys/
total 12
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial



5. Generate the DH file

Next, generate the Diffie-Hellman parameters with ./build-dh (2048-bit; this takes a while):

[root@demo 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........+.............................................................................................................+..........................................................................................................++*++*
[root@demo 2.0]# !ll
ll keys/
total 16
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root  424 Oct 19 00:42 dh2048.pem
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial


6. Generate the server certificate

Run ./build-key-server [certificate name] to issue the server's certificate:

[root@demo 2.0]# ./build-key-server OpenVPN_Server
Generating a 2048 bit RSA private key
..+++
..+++
writing new private key to 'OpenVPN_Server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [OpenVPN_Server]:
Name [EasyRSA]:
Email Address [Woo@xx.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'LN'
localityName          :PRINTABLE:'ChengDu'
organizationName      :PRINTABLE:'xxxx'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :T61STRING:'OpenVPN_Server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'Woo@xx.com'
Certificate is to be certified until Oct 16 16:43:29 2023 GMT (3650 days)
Sign the certificate? [y/n]:y  (note: answer y here)
1 out of 1 certificate requests certified, commit? [y/n]y  (note: answer y here)
Write out database with 1 new entries
Data Base Updated


That is the server certificate done; keys/ has grown again:


[root@demo 2.0]# !ll
ll keys/
total 52
-rw-r--r--. 1 root root 5373 Oct 19 00:43 01.pem
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root  424 Oct 19 00:42 dh2048.pem
-rw-r--r--. 1 root root  125 Oct 19 00:43 index.txt
-rw-r--r--. 1 root root   21 Oct 19 00:43 index.txt.attr
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt.old
-rw-r--r--. 1 root root 5373 Oct 19 00:43 Open×××_Server.crt
-rw-r--r--. 1 root root 1066 Oct 19 00:43 Open×××_Server.csr
-rw-------. 1 root root 1704 Oct 19 00:43 Open×××_Server.key
-rw-r--r--. 1 root root    3 Oct 19 00:43 serial
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial.old


7. Generate the client certificate

Next, issue a client certificate for myself (these files get copied to the client later so it can authenticate to the server):

[root@demo 2.0]# ./build-key user-hy
Generating a 2048 bit RSA private key
...+++
....................................................................+++
writing new private key to 'user-hy.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [user-hy]:
Name [EasyRSA]:
Email Address [Woo@xx.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'LN'
localityName          :PRINTABLE:'ChengDu'
organizationName      :PRINTABLE:'xxxx'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :PRINTABLE:'user-hy'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'Woo@xx.com'
Certificate is to be certified until Oct 16 16:45:15 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Now bundle the CA certificate and the client's certificate and key for download to the client:

[root@demo 2.0]# cd keys/
[root@demo keys]# tar -zcvf keys.tar.gz user-hy.crt user-hy.key ca.crt
user-hy.crt
user-hy.key
ca.crt

Watch the file list here. A glob such as user-hy.* ca.* would also pack ca.key, and whoever holds the CA's private key can mint certificates the server accepts as any user (or as the server itself, which is what the ns-cert-type option below guards against). The client needs exactly three files: ca.crt to verify the server, and its own user-hy.crt and user-hy.key. The .csr is a leftover of the signing step and is not needed either.



8. Edit the server-side configuration file

Copy the sample server.conf into /etc/openvpn and edit it:

[root@demo openvpn]# cp -arp /home/openvpn/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
[root@demo openvpn]# vim /etc/openvpn/server.conf
....
....
# TCP or UDP server?
proto tcp
;proto udp
....
ca /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/OpenVPN_Server.crt
key /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/OpenVPN_Server.key  # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/dh2048.pem
....
....
server 10.8.0.0 255.255.255.0
# the subnet the VPN hands out to clients; any private range works, no need to change it
....
....
;push "route 192.168.20.0 255.255.255.0"
# pushes a route to the clients (only needed if the server fronts a LAN they should reach)
....
....
;push "redirect-gateway def1 bypass-dhcp"
# change it to:
push "redirect-gateway def1"
....
....
;client-to-client
# uncomment to let clients reach each other through OpenVPN. That traffic is switched
# inside the openvpn process and never passes through the kernel, so iptables cannot see
# or filter it; leave it commented unless clients really need to talk to each other
....
....
;duplicate-cn
# only needed if several clients connect with certificates that share a Common Name;
# without it a second connection with the same CN kicks the first one off. Issuing one
# certificate per user or device (as done for user-hy above) is the better answer: it keeps
# revocation possible per client and stops one leaked certificate from being shared around
....
....
comp-lzo
# compression; server and clients must match. Compressing tunnel traffic has since been
# shown to leak plaintext (the VORACLE attack on OpenVPN compression) and current OpenVPN
# guidance is to leave it off; if you remove it here, remove it on the client as well
....
....
user nobody
group nobody
# the unprivileged account openvpn drops to after start-up; keep the sample's persist-key
# and persist-tun enabled so it can survive a SIGUSR1 restart without root
....
....
;log  openvpn.log
;log-append openvpn.log
These two set the log file and whether it is truncated (log) or appended to (log-append) at start. Use one, not both; for a daemon log-append is the one you want. I set it to:
log-append /opt/openvpn/log/openvpn.log
(the directory has to exist before openvpn starts; it opens the log as root, before dropping privileges)
....
....



Since I installed openvpn under /usr/local/, make a symlink into sbin so it is easy to call later. Only root can start or stop it from there:

[root@demo openvpn]# ln -s /usr/local/openvpn/sbin/openvpn /sbin/openvpn
[root@demo openvpn]# openvpn --daemon --config /etc/openvpn/server.conf

Without --daemon it runs in the foreground of the shell, which is useful the first time: a wrong certificate path or a missing log directory then shows up right on the terminal.


II. Client configuration

The client uses OpenVPN GUI; its version should match the server's.

It can be downloaded from http://openvpn.se/development.html, but the 2.3.0 version is not there.

So I went through a proxy to the official site, openvpn.net, and fetched it from there.

Once downloaded and installed, configure it as follows:

1. Unpack the certificates downloaded from the server into the config folder

2. Copy client.ovpn from sample-config into the config folder and make the following changes:


;proto tcp

proto udp

改成

proto tcp

;proto udp


remote my-server-1 1194

Replace my-server-1 with the address of your OpenVPN server


ns-cert-type server

Enable this option. It makes the client refuse a peer whose certificate was not issued with build-key-server: every client certificate is signed by the same CA, so without this check any holder of a client certificate could pose as the server to other clients. (Newer OpenVPN releases deprecate ns-cert-type in favour of remote-cert-tls server, which checks the extendedKeyUsage extension that easy-rsa's server template also sets.)
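As an added example (not code from this post, from easy-rsa or from OpenVPN), the script below rebuilds the situation in miniature with plain openssl commands: a throwaway CA, a server certificate carrying the nsCertType and extendedKeyUsage markers that easy-rsa 2.0's server template sets, and a client certificate without them. cert_role shows exactly what the client's ns-cert-type server check distinguishes, and make_client_bundle together with bundle_leaks_ca_key shows the right and the wrong way to pack the files from step 7. The names (demo CA, OpenVPN_Server, user-hy) and the working directory are made up; the only requirement is the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not part of the original post or of easy-rsa/OpenVPN.
# Assumes: the openssl CLI is installed; all names and paths are constructed.

# Build the constructed demo PKI in directory $1.
make_demo_pki() {
    dir=$1
    # Self-signed CA (what build-ca produces in the post).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Extensions that easy-rsa 2.0's server template adds via build-key-server.
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$dir/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=OpenVPN_Server" \
        -keyout "$dir/OpenVPN_Server.key" -out "$dir/OpenVPN_Server.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/OpenVPN_Server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/OpenVPN_Server.crt" 2>/dev/null
    # Client certificate: same CA, no server extensions (what build-key produces).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user-hy" \
        -keyout "$dir/user-hy.key" -out "$dir/user-hy.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/user-hy.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/user-hy.crt" 2>/dev/null
}

# Print "yes" if certificate $2 chains to CA $1, else "no".
chains_to_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Print "server" if certificate $1 carries the markers the client checks
# (nsCertType=server, or the EKU that remote-cert-tls server looks at), else "client".
cert_role() {
    if openssl x509 -in "$1" -noout -text | grep -qE 'SSL Server|TLS Web Server Authentication'; then
        echo server
    else
        echo client
    fi
}

# Pack only what a client needs: its cert, its key and ca.crt. No ca.key, no csr.
# $1 = keys directory, $2 = client name; prints the archive path.
make_client_bundle() {
    (cd "$1" && tar -czf "$2-bundle.tar.gz" "$2.crt" "$2.key" ca.crt)
    echo "$1/$2-bundle.tar.gz"
}

# Print "yes" if archive $1 contains the CA private key, else "no".
bundle_leaks_ca_key() {
    if tar -tzf "$1" | grep -qx 'ca.key'; then echo yes; else echo no; fi
}

# Stand-alone run ("sh check-pki.sh run"): build the PKI in a temp dir and report.
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "server cert role:    $(cert_role "$d/OpenVPN_Server.crt")"
    echo "client cert role:    $(cert_role "$d/user-hy.crt")"
    echo "client chains to CA: $(chains_to_ca "$d/ca.crt" "$d/user-hy.crt")"
    b=$(make_client_bundle "$d" user-hy)
    echo "bundle leaks ca.key: $(bundle_leaks_ca_key "$b")"
fi
```

Running the same cert_role check against the real keys/ directory from step 6 and 7 is a quick way to confirm that the server certificate really was made with build-key-server and the client ones with build-key; if both come back "server", ns-cert-type server on the client protects nothing.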


ca ca.crt

cert client.crt

key client.key

The certificates were just unpacked into the config folder, so they sit next to this file; only the names need changing:

ca ca.crt

cert user-hy.crt

key user-hy.key


That is the client done; time to try the VPN.

Since my client runs on Windows, the Linux-specific tweaks are skipped here.

Try connecting now; it should come up.

At this point the VPN itself is up, but for the clients to reach the internet through it the server still has to forward and NAT their packets.


III. Letting OpenVPN clients reach the internet (iptables NAT, in brief)

1. Add the NAT rule:

The tunnel's packets are rewritten with iptables (yum install it if it is missing):

[root@demo ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source a.b.c.d

Run ifconfig first to check the state of your network devices.

a.b.c.d after --to-source is the server's public IP address.

venet0 is the public-facing interface. Use the kernel's device name here, not an ifconfig alias such as venet0:0: netfilter only knows the real device (the same name that appears as net.ipv4.conf.venet0 in the sysctl output below), so a rule written against an alias never matches and nothing gets translated.

This rule only rewrites source addresses; whether the packets are forwarded at all is decided by the FORWARD chain of the filter table, and the stock CentOS 6 ruleset ends that chain with a REJECT. If yours does, also add ACCEPT rules in FORWARD for traffic arriving on tun0 from 10.8.0.0/24 and for the ESTABLISHED,RELATED replies going back out to it, and an INPUT rule for tcp port 1194 so clients can reach the server in the first place.

Once it works, save the iptables rules and restart the service:

[root@demo ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@demo ~]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: nat mangle filte[ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]


2. Enable IP forwarding

First see which settings are involved:

[root@demo ~]# sysctl -a | grep for
kernel.sched_domain.cpu0.domain0.forkexec_idx = 0
kernel.sched_domain.cpu0.domain1.forkexec_idx = 0
kernel.sched_domain.cpu1.domain0.forkexec_idx = 0
kernel.sched_domain.cpu1.domain1.forkexec_idx = 0
kernel.sched_domain.cpu2.domain0.forkexec_idx = 0
kernel.sched_domain.cpu2.domain1.forkexec_idx = 0
kernel.sched_domain.cpu3.domain0.forkexec_idx = 0
kernel.sched_domain.cpu3.domain1.forkexec_idx = 0
kernel.sched_domain.cpu4.domain0.forkexec_idx = 0
kernel.sched_domain.cpu4.domain1.forkexec_idx = 0
kernel.sched_domain.cpu5.domain0.forkexec_idx = 0
kernel.sched_domain.cpu5.domain1.forkexec_idx = 0
kernel.sched_domain.cpu6.domain0.forkexec_idx = 0
kernel.sched_domain.cpu6.domain1.forkexec_idx = 0
kernel.sched_domain.cpu7.domain0.forkexec_idx = 0
kernel.sched_domain.cpu7.domain1.forkexec_idx = 0
kernel.shm_rmid_forced = 0
dev.cdrom.info = CD-ROM information, Id: cdrom.c 3.20 2003/12/17
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.force_igmp_version = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.venet0.forwarding = 0
net.ipv4.conf.venet0.mc_forwarding = 0
net.ipv4.conf.venet0.force_igmp_version = 0
net.ipv4.ip_forward = 0

The one that matters is net.ipv4.ip_forward: writing 1 to it turns on forwarding for every interface (the per-interface net.ipv4.conf.*.forwarding entries follow it), so the extra per-interface writes below are harmless but redundant. Set it:

[root@demo ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@demo ~]# sysctl -w net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.forwarding = 1
[root@demo ~]# sysctl -w net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.forwarding = 1
[root@demo ~]# sysctl -w net.ipv4.conf.lo.forwarding=1
net.ipv4.conf.lo.forwarding = 1
[root@demo ~]# sysctl -w net.ipv4.conf.venet0.forwarding=1
net.ipv4.conf.venet0.forwarding = 1

Check the values again afterwards. Note that sysctl -w only changes the running kernel: add net.ipv4.ip_forward = 1 to /etc/sysctl.conf as well (and load it with sysctl -p), otherwise forwarding is off again after the next reboot and the VPN comes up with no internet access behind it.


3. Configure DNS

Enable the following in server.conf:

push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

That is it. Two things to keep in mind: 10.8.0.1 is the server's own tunnel address, so listing it only helps if a resolver actually listens there (otherwise clients waste a timeout on it before falling back to 8.8.8.8); and once redirect-gateway is pushed, every DNS query a client makes goes to these servers through the tunnel, so pick resolvers you are willing to trust with that traffic.
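Before starting the server it is worth checking the finished server.conf against the points raised in the walk-through of step 8 and in this DNS step. The script below is an added example (not code from this post or from OpenVPN): a small lint that reads a server.conf, ignores commented lines (";" or "#"), and reports the optional directives that weaken the setup, the log/log-append mix-up, a missing privilege drop, and a redirect-gateway push with no DNS push to go with it. The two sample configurations it writes are constructed for the demo: one with the weak choices enabled, one with them fixed.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenVPN.
# Assumes the plain "directive args" line format of OpenVPN config files.

# Print the active directives of config $1 (comments and blank lines removed).
active_directives() {
    grep -vE '^[[:space:]]*([;#]|$)' "$1"
}

# Succeed if config $1 has an active directive matching regex $2.
has_directive() {
    active_directives "$1" | grep -qE "$2"
}

# Lint config $1: one finding per line, then a final "N findings" line.
lint_openvpn_conf() {
    conf=$1
    n=0
    if has_directive "$conf" '^duplicate-cn'; then
        echo "WARN duplicate-cn: clients may share one certificate; issue one cert per user/device instead"
        n=$((n + 1))
    fi
    if has_directive "$conf" '^client-to-client'; then
        echo "WARN client-to-client: inter-client traffic is switched inside openvpn and bypasses iptables"
        n=$((n + 1))
    fi
    if has_directive "$conf" '^comp-lzo'; then
        echo "WARN comp-lzo: compressing tunnel traffic can leak plaintext; leave it off"
        n=$((n + 1))
    fi
    if has_directive "$conf" '^log[[:space:]]' && has_directive "$conf" '^log-append[[:space:]]'; then
        echo "WARN log and log-append both set: keep only log-append"
        n=$((n + 1))
    fi
    if ! has_directive "$conf" '^user[[:space:]]' || ! has_directive "$conf" '^group[[:space:]]'; then
        echo "WARN no user/group: openvpn keeps running as root after start-up"
        n=$((n + 1))
    fi
    if has_directive "$conf" '^push "redirect-gateway' && ! has_directive "$conf" '^push "dhcp-option DNS'; then
        echo "WARN redirect-gateway without dhcp-option DNS: clients lose name resolution"
        n=$((n + 1))
    fi
    echo "$n findings"
}

# Constructed sample: the settings from the walk-through, with the two optional
# directives uncommented, both log directives set and no DNS push.
write_weak_conf() {
    cat > "$1" <<'EOF'
proto tcp
;proto udp
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
client-to-client
duplicate-cn
comp-lzo
user nobody
group nobody
log /opt/openvpn/log/openvpn.log
log-append /opt/openvpn/log/openvpn.log
EOF
}

# Constructed sample: the same config with every finding fixed.
write_hardened_conf() {
    cat > "$1" <<'EOF'
proto tcp
;proto udp
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
;client-to-client
;duplicate-cn
;comp-lzo
user nobody
group nobody
log-append /opt/openvpn/log/openvpn.log
EOF
}

# Stand-alone run ("sh lint-server-conf.sh run"): lint both samples.
if [ "${1:-}" = "run" ]; then
    w=$(mktemp); h=$(mktemp)
    write_weak_conf "$w"; write_hardened_conf "$h"
    echo "== weak =="; lint_openvpn_conf "$w"
    echo "== hardened =="; lint_openvpn_conf "$h"
    rm -f "$w" "$h"
fi
```

To check the real file, call lint_openvpn_conf /etc/openvpn/server.conf from the same shell; the weak sample produces five findings and the hardened one none.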


That completes the setup. Start the OpenVPN server (if it is already running, stop it first with killall openvpn and start it again):

[root@demo ~]# openvpn --daemon --config /etc/openvpn/server.conf