This is written a bit messily; I just threw it together on my own to play with, and it tested fine. It is best to get the server.conf and client.conf configuration files sorted out clearly before you build, so that nothing usually goes wrong.

OpenVPN setup and security settings:

Environment: CentOS 5.5

1. Prepare the software:

# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz

# wget http://openvpn.net/release/openvpn-2.1_rc22.tar.gz

2. Installation

Install lzo

 tar xvzf lzo-2.04.tar.gz

 cd lzo-2.04

 ./configure --prefix=/usr/local/lzo

 make

 make check

 make test

 make install

Install OpenVPN

tar xvzf openvpn-2.1_rc22.tar.gz

cd openvpn-2.1_rc22

ln -s /usr/local/lzo/include/* /usr/include/
ln -s /usr/local/lzo/lib/* /usr/lib/

./configure --prefix=/usr/local/openvpn

make && make install


cp -r /root/***/openvpn-2.1_rc22/easy-rsa/2.0 /etc/openvpn/openvpn

cd /etc/openvpn/openvpn

vim vars

export KEY_COUNTRY="CN"                 # China
export KEY_PROVINCE="JIANGSU"           # province
export KEY_CITY="SUZHOU"                # city
export KEY_ORG="***"                    # organization / unit
export KEY_EMAIL="***@123.com"          # email


Leave the rest at their defaults.

Save and exit.

Reload the variables: source vars

Clear all existing keys (run this only right after a fresh install): ./clean-all

Create the server-side CA certificate: ./build-ca

[root@longray openvpn]# ./build-ca
Generating a 1024 bit RSA private key
.++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [17U]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [17U CA]:server
Name []:
Email Address [newyue01@163.com]:


Create the server key and certificate: ./build-key-server server

[root@longray openvpn]# ./build-key-server server
Generating a 1024 bit RSA private key
..++++++
.........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [17U]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [newyue01@163.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:111111
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'JS'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'17U'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'newyue01@163.com'
Certificate is to be certified until Mar 27 17:09:33 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


#Create the key and certificate files the client needs: ./build-key mark

[root@longray openvpn]# ./build-key mark
Generating a 1024 bit RSA private key
.++++++
......................................++++++
writing new private key to 'mark.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [17U]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [mark]:mark
Name []:
Email Address [newyue01@163.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:111111
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'JS'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'17U'
commonName            :PRINTABLE:'mark'
emailAddress          :IA5STRING:'newyue01@163.com'
Certificate is to be certified until Mar 27 17:12:17 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


#Then generate the Diffie-Hellman parameters: ./build-dh


#Create and edit the server-side configuration file:
Its contents are as follows:

local <your public IP address>
port 11947
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /root/ipp.txt
client-config-dir ccd
route 10.8.0.0 255.255.255.252
client-to-client
keepalive 10 60
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
push "redirect-gateway"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
script-security 3


Pack up the keys directory and download it to your local machine.

Firewall settings:

1. Enable IP forwarding.
 vim /etc/sysctl.conf
Change
 net.ipv4.ip_forward = 0
to
 net.ipv4.ip_forward = 1

# /sbin/sysctl -p

2. Set up NAT forwarding.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 202.131.78.234

service iptables save

service iptables restart

vim /etc/sysconfig/iptables and add the following two lines:

-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 11947 -j ACCEPT
-A RH-Firewall-1-INPUT -i tun0 -j ACCEPT

Save and restart: service iptables restart
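The port, protocol, tunnel device and VPN subnet above appear twice, once in server.conf and once in the iptables rules, and they have to agree. As an added example (not code from the original post), this small shell helper reads a server.conf in the format shown above and prints the matching SNAT and INPUT rules from it; the external interface and public IP are passed in as parameters, and the defaults venet0 and 203.0.113.10 are assumed placeholders, not the post's values.

```shell
#!/bin/sh
# Added example, not code from the original post: derive the firewall rules
# that match an OpenVPN server.conf, so the port, protocol, tunnel device and
# VPN subnet in iptables cannot drift from what the daemon actually uses.
# Usage: ovpn_fw_rules <server.conf> [external-if] [public-ip]
# The interface and public IP defaults below are assumed placeholders.

# Convert a dotted netmask (255.255.255.0) to a prefix length (24).
mask_to_prefix() {
    echo "$1" | awk -F. '{
        n = 0
        for (i = 1; i <= 4; i++) {
            v = $i
            while (v > 0) { n += v % 2; v = int(v / 2) }
        }
        print n
    }'
}

# Print the NAT and INPUT rules implied by the config directives.
ovpn_fw_rules() {
    conf="$1"; ext_if="${2:-venet0}"; pub_ip="${3:-203.0.113.10}"
    port=$(awk '$1=="port"{print $2}' "$conf")
    proto=$(awk '$1=="proto"{print $2}' "$conf")
    net=$(awk '$1=="server"{print $2}' "$conf")
    mask=$(awk '$1=="server"{print $3}' "$conf")
    dev=$(awk '$1=="dev"{print $2}' "$conf")
    if [ -z "$port" ] || [ -z "$proto" ] || [ -z "$net" ] || [ -z "$mask" ]; then
        echo "server.conf is missing a port, proto or server directive" >&2
        return 1
    fi
    # "dev tun" yields tun0; an explicit "dev tun0" is used as given.
    case "$dev" in
        *[0-9]) ifname="$dev" ;;
        *)      ifname="${dev:-tun}0" ;;
    esac
    prefix=$(mask_to_prefix "$mask")
    echo "iptables -t nat -A POSTROUTING -s $net/$prefix -o $ext_if -j SNAT --to-source $pub_ip"
    echo "-A RH-Firewall-1-INPUT -p $proto -m state --state NEW -m $proto --dport $port -j ACCEPT"
    echo "-A RH-Firewall-1-INPUT -i $ifname -j ACCEPT"
}
```

Run it against the real server.conf and diff the output against /etc/sysconfig/iptables after every change to the port or subnet.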

After downloading client.conf to your local machine, rename it to client.ovpn

Edit its configuration to:

client
dev tun
proto udp
remote <your public IP address> 11947
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert mark.crt
key mark.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
route-method exe
route-delay 2

After saving, click Connect and the connection is established.