This write-up is a bit messy; I just threw it together to play with, and it tests fine. You had best get the server.conf and client.conf configuration files sorted out clearly before building, so that you generally won't run into errors.
open*** setup and security settings:
Environment: CentOS 5.5
1. Prepare the software:
# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
# wget http://open***.net/release/open***-2.1_rc22.tar.gz
2. Installation
Install lzo
tar xvzf lzo-2.04.tar.gz
cd lzo-2.04
./configure --prefix=/usr/local/lzo
make
make check
make test
make install
Install open***
tar xvzf open***-2.1_rc22.tar.gz
cd open***-2.1_rc22
ln -s /usr/local/lzo/include/* /usr/include/
ln -s /usr/local/lzo/lib/* /usr/lib/
./configure --prefix=/usr/local/open***
make && make install
cp -r /root/***/open***-2.1_rc22/easy-rsa/2.0 /etc/open***
cd /etc/open***
vim vars
export KEY_COUNTRY="CN" # China
export KEY_PROVINCE="JIANGSU" # province
export KEY_CITY="SUZHOU" # city
export KEY_ORG="***" # organization
export KEY_EMAIL="***@123.com" # email
Leave the rest at their defaults.
Save and exit.
Load the variables: source vars
Remove all existing keys (only run this right after installation): ./clean-all
Create the server-side CA certificate: ./build-ca
[root@longray open***]# ./build-ca
Generating a 1024 bit RSA private key
.++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [17U]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [17U CA]:server
Name []:
Email Address [newyue01@163.com]:
Create the server key and certificate: ./build-key-server server
[root@longray open***]# ./build-key-server server
Generating a 1024 bit RSA private key
..++++++
.........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [17U]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [newyue01@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:111111
Using configuration from /etc/open***/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'JS'
localityName :PRINTABLE:'SZ'
organizationName :PRINTABLE:'17U'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'newyue01@163.com'
Certificate is to be certified until Mar 27 17:09:33 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create the key and certificate files the client needs: ./build-key mark
[root@longray open***]# ./build-key mark
Generating a 1024 bit RSA private key
.++++++
......................................++++++
writing new private key to 'mark.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [17U]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [mark]:mark
Name []:
Email Address [newyue01@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:111111
Using configuration from /etc/open***/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'JS'
localityName :PRINTABLE:'SZ'
organizationName :PRINTABLE:'17U'
commonName :PRINTABLE:'mark'
emailAddress :IA5STRING:'newyue01@163.com'
Certificate is to be certified until Mar 27 17:12:17 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Then generate the Diffie-Hellman parameters: ./build-dh
Create and edit the server-side configuration file.
Contents:
local <public IP address>
port 11947
proto udp
dev tun
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/server.crt
key /etc/open***/keys/server.key # This file should be kept secret
dh /etc/open***/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /root/ipp.txt
client-config-dir ccd
route 10.8.0.0 255.255.255.252
client-to-client
keepalive 10 60
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 4
push "redirect-gateway"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
script-security 3
Pack up the keys directory and download it to your local machine.
Firewall settings:
1. Enable IP forwarding.
vim /etc/sysctl.conf
Change
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
# /sbin/sysctl -p
2. Set up NAT forwarding.
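Before the keys directory is packed up, the checks below verify the properties that the server config and the client's ns-cert-type server line rely on: every certificate chains to ca.crt, only server.crt carries nsCertType=server, and the private keys are owner-readable only. This is an added example, not code from the original post; it assumes openssl on the path and the file names used above (ca.crt, server.crt/key, mark.crt/key), and make_test_pki builds a constructed throw-away PKI purely so the checks can be exercised without easy-rsa.

```shell
#!/bin/sh
# check_keys_dir DIR SERVER_NAME CLIENT_NAME: returns 0 if the easy-rsa
# output is consistent with the server/client configs in this post.
check_keys_dir() {
  dir=$1; srv=$2; cli=$3; rc=0
  # 1. Both certificates must chain to ca.crt, or the TLS handshake fails.
  for name in "$srv" "$cli"; do
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 \
      || { echo "FAIL: $name.crt is not signed by ca.crt"; rc=1; }
  done
  # 2. The server cert needs nsCertType=server: that is what the client's
  #    'ns-cert-type server' line checks. build-key-server adds it; a cert
  #    made with plain build-key would be rejected by every client.
  openssl x509 -in "$dir/$srv.crt" -noout -text 2>/dev/null | grep -q 'SSL Server' \
    || { echo "FAIL: $srv.crt lacks nsCertType=server"; rc=1; }
  # 3. A client cert must not carry the server type, otherwise whoever holds
  #    it could pose as the VPN server to the other clients.
  openssl x509 -in "$dir/$cli.crt" -noout -text 2>/dev/null | grep -q 'SSL Server' \
    && { echo "FAIL: $cli.crt is marked as a server cert"; rc=1; }
  # 4. Private keys must be readable by their owner only before packaging.
  for k in "$srv" "$cli"; do
    mode=$(stat -c %a "$dir/$k.key" 2>/dev/null || echo missing)
    [ "$mode" = "600" ] || { echo "FAIL: $k.key mode is $mode, want 600"; rc=1; }
  done
  return $rc
}

# make_test_pki DIR: constructed throw-away PKI in the post's layout (CA,
# server cert with nsCertType=server, client "mark"), so check_keys_dir can be
# exercised without easy-rsa. Uses 2048-bit keys; the post's build scripts
# default to 1024-bit RSA, which is below current recommendations.
make_test_pki() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  printf 'nsCertType=server\n' > "$d/server.ext"
  for n in server mark; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
    # only the server CSR is signed with the nsCertType=server extension
    if [ "$n" = server ]; then ext="-extfile $d/server.ext"; else ext=""; fi
    openssl x509 -req -days 30 -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -out "$d/$n.crt" $ext >/dev/null 2>&1
    chmod 600 "$d/$n.key"
  done
}
```

Run check_keys_dir /etc/open***/keys server mark on the real directory; any FAIL line means the bundle would either be rejected during the handshake or leak a private key.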
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 202.131.78.234
service iptables save
service iptables restart
vim /etc/sysconfig/iptables and add the following two lines:
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 11947 -j ACCEPT
-A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
Save and restart: service iptables restart
After downloading client.conf to your local machine, rename it to client.o***
and change its contents to:
client
dev tun
proto udp
remote <public IP address> 11947
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert mark.crt
key mark.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
route-method exe
route-delay 2
After saving, click Connect to connect.
Reposted from: https://blog.51cto.com/newyue/530925