Time must be synchronized between the server and the client (certificate validity is checked against the clock).

1. Preparation before installing:

[root@data ~]# yum -y install openssl openssl-devel gcc

Download the packages: openvpn-2.2.0.tar.gz, the server-side package

lzo-2.06.tar.gz, the package for compressing tunnel traffic

openvpn-2.2.0-install.exe, the client installer

Download address for the bundle:

http://down.51cto.com/data/1019725

Note: since the OpenVPN official site has been blocked and can only be reached by getting over the wall, I have packaged everything up to make it easy for everyone to download.


2. Install the lzo package:

The lzo package compresses the tunnel traffic to speed up transfers. The steps are as follows:

[root@data ~]# tar zxvf lzo-2.06.tar.gz

[root@data ~]# cd lzo-2.06

[root@data lzo-2.06]# ./configure --prefix=/usr/ && make && make install


3. Install OpenVPN

[root@data ~]# tar zxvf openvpn-2.2.0.tar.gz

[root@data ~]# cd openvpn-2.2.0

[root@data openvpn-2.2.0]# ./configure --with-lzo-lib=/usr/ && make && make install

If the following error appears here: configure: error: libpam required but missing

On a 64-bit system simply run yum install pam-devel.x86_64

If your server is 32-bit:

yum install pam-devel.i686


4. OpenVPN server configuration

(1) Set up the CA details

[root@data ~]# cd openvpn-2.2.0/easy-rsa/2.0/

[root@data 2.0]# vim vars

export KEY_COUNTRY="CN"           # your country, two characters at most
export KEY_PROVINCE="SH"          # your province
export KEY_CITY="SHANGHAI"        # your city
export KEY_ORG="51CTO"            # your organization
export KEY_EMAIL="youyou@126.com" # your e-mail address
export KEY_OU="51CTO.com"         # your organizational unit (no space after the =, or the shell exports an empty value)

Next, enter the following command:

[root@data 2.0]# source vars  // after this command the following message is shown

NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.2.0/easy-rsa/2.0/keys

Then enter the commands below:

[root@data 2.0]# ./clean-all

[root@data 2.0]# ./build-ca  // just press Enter all the way through; this generates the root CA certificate


Generating a 1024 bit RSA private key
.........................................++++++
.......................................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [51CTO]:
Organizational Unit Name (eg, section) [51cto.com]:
Common Name (eg, your name or your server's hostname) [51CTO CA]:
Name []:
Email Address [youyou@126.com]:

You can see that ca.crt and ca.key have been generated.


Generate the Diffie-Hellman file for the server; it is needed later when configuring the OpenVPN server. The command is: ./build-dh

(2) Generate the server certificate and key with the following command:

[root@data 2.0]# ./build-key-server server

Generating a 1024 bit RSA private key
.......++++++
.................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [51CTO]:
Organizational Unit Name (eg, section) [51cto.com]:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [youyou@126.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:51cto.com
Using configuration from /root/soft/openvpn-2.2.0/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'SHANGHAI'
organizationName      :PRINTABLE:'51CTO'
organizationalUnitName:PRINTABLE:'51cto.com'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'youyou@126.com'
Certificate is to be certified until Nov 19 08:20:18 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries


Generate a certificate for the client; the certificate generated here is the one distributed to the client.

[root@data 2.0]# ./build-key steven.shi

After the process above finishes normally, the keys directory holds the generated certificate files, which you can list with the following command:

[root@data 2.0]# ll keys/

 

(3) Modify the OpenVPN configuration file /etc/server.conf

1) Copy the sample file into /etc and then make the changes on top of it:

[root@data 2.0]# cp /root/openvpn-2.2.0/sample-config-files/server.conf /etc/server.conf

2) Edit /etc/server.conf, paying attention to the following points:

First, change proto udp to proto tcp, i.e. the service starts on TCP port 1194.

Second, change the four lines starting with ca to the form shown below (remember to use absolute paths):

ca /root/openvpn-2.2.0/easy-rsa/2.0/keys/ca.crt

ca is followed by the root CA generated by build-ca; it is used to verify whether client certificates are valid.

cert /root/openvpn-2.2.0/easy-rsa/2.0/keys/server.crt

key /root/openvpn-2.2.0/easy-rsa/2.0/keys/server.key

The two lines above are the server's own certificate and key.

dh /root/openvpn-2.2.0/easy-rsa/2.0/keys/dh1024.pem

Third, change the server line to the following:

server 10.8.0.0 255.255.255.0  // the subnet the OpenVPN server assigns to the VPN network when it starts; make sure it does not conflict with IPs on the public network.

Fourth, change verb 3 to verb 5
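As an added example (not from the post), the shell script below applies the four edits just described to a constructed excerpt of the sample server.conf and then checks the result the way you would before starting the service: proto is tcp, the four certificate lines use absolute paths, the server line is the 10.8.0.0/24 subnet and verb is 5. It also includes a subnet-overlap test for the "do not conflict with existing IPs" point. The key directory is the post's /root/openvpn-2.2.0/easy-rsa/2.0/keys; the config excerpt is constructed for this example.

```shell
#!/bin/sh
# Added example: apply the four server.conf edits from this section and check them.
# Assumption: KEYS is the post's key directory; the sample excerpt is constructed.
KEYS=/root/openvpn-2.2.0/easy-rsa/2.0/keys

write_sample_conf() {   # $1 = path; constructed excerpt of sample-config-files/server.conf
cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
verb 3
EOF
}

apply_edits() {   # $1 = server.conf, rewritten in place (portable: no sed -i)
  sed -e 's/^proto udp$/proto tcp/' \
      -e "s|^ca .*|ca $KEYS/ca.crt|" \
      -e "s|^cert .*|cert $KEYS/server.crt|" \
      -e "s|^key .*|key $KEYS/server.key|" \
      -e "s|^dh .*|dh $KEYS/dh1024.pem|" \
      -e 's/^server .*/server 10.8.0.0 255.255.255.0/' \
      -e 's/^verb 3$/verb 5/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

check_conf() {   # $1 = server.conf; prints "ok" or the first problem found
  f="$1"
  grep -q '^proto tcp$' "$f" || { echo "proto is not tcp"; return 1; }
  for k in ca cert key dh; do
    v=$(awk -v k="$k" '$1==k {print $2}' "$f")
    case "$v" in
      /*) ;;   # absolute path, as the post requires
      *)  echo "$k must be an absolute path (got '$v')"; return 1 ;;
    esac
  done
  grep -q '^server 10\.8\.0\.0 255\.255\.255\.0$' "$f" || { echo "server line is wrong"; return 1; }
  grep -q '^verb 5$' "$f" || { echo "verb is not 5"; return 1; }
  echo ok
}

ip2int() {   # dotted quad -> integer
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# overlaps NET1 MASK1 NET2 MASK2: true when the two networks share any address,
# i.e. their network parts agree under the coarser of the two masks.
overlaps() {
  n1=$(ip2int "$1"); m1=$(ip2int "$2"); n2=$(ip2int "$3"); m2=$(ip2int "$4")
  m=$(( m1 & m2 ))
  [ $(( n1 & m )) -eq $(( n2 & m )) ]
}
```

Typical use: write_sample_conf /tmp/server.conf; apply_edits /tmp/server.conf; check_conf /tmp/server.conf prints ok; overlaps 10.8.0.0 255.255.255.0 192.168.1.0 255.255.255.0 is false for the post's 192.168.1.x test network, while overlaps 10.8.0.0 255.255.255.0 10.0.0.0 255.0.0.0 is true, which is the case to avoid.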

 

 

(4) Start OpenVPN

1. Turn off iptables and SELinux so they do not interfere with OpenVPN.

2. Enable the kernel's built-in IP forwarding with the following command:

[root@data keys]# echo "1" > /proc/sys/net/ipv4/ip_forward

3. Start OpenVPN with the following command:

[root@data keys]# /usr/local/sbin/openvpn --config /etc/server.conf

If you see Initialization Sequence Completed, the start-up succeeded.

Verify with lsof -i:1194:

[root@data keys]# lsof -i:1194
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
openvpn 20074 root    5u  IPv4  94836      0t0  TCP *:openvpn (LISTEN)


5. Client installation:

1. Run openvpn-2.2.0-install.exe, clicking Next all the way through. A shortcut appears on the desktop as shown in the figure.

The default installation path is C:\Program Files\OpenVPN

2. Copy the client certificate files generated on the server into the config directory,
i.e. copy ca.crt, steven.shi.crt and steven.shi.key into the config directory.

3. Copy client.conf from the sample-config-files folder of the unpacked openvpn-2.2.0 directory on the server into the local config directory and rename it steven.shi.ovpn
Note: use the same name as your certificate file.

Open steven.shi.ovpn in a text editor and change the following items:

1) change proto udp to proto tcp
2) change the remote line to the server's IP and port:
remote 192.168.1.101 1194
Note: this is only for testing, so an internal IP is used; in production the server has a public IP, so change it to the corresponding address.

3) change the three lines starting with ca to the following:
ca ca.crt
cert steven.shi.crt
key steven.shi.key
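As an added example (not from the post), this shell script produces steven.shi.ovpn from a constructed excerpt of the sample client.conf by applying the three edits listed above, then checks that the profile and the copied files form a consistent bundle: proto tcp and port 1194 to match the server configuration, the three referenced files present in the config directory, and the cert file named after the profile as the note requires. The server address 192.168.1.101 and the file names are the post's test values.

```shell
#!/bin/sh
# Added example: build the client profile and check the client bundle.
# Assumption: the client.conf excerpt is constructed; names and IP are the post's.
CLIENT=steven.shi
SERVER_IP=192.168.1.101

write_sample_client_conf() {   # $1 = path; constructed excerpt of sample-config-files/client.conf
cat > "$1" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
verb 3
EOF
}

make_profile() {   # $1 = sample client.conf, $2 = config dir; writes $2/$CLIENT.ovpn
  sed -e 's/^proto udp$/proto tcp/' \
      -e "s/^remote .*/remote $SERVER_IP 1194/" \
      -e "s/^cert .*/cert $CLIENT.crt/" \
      -e "s/^key .*/key $CLIENT.key/" "$1" > "$2/$CLIENT.ovpn"
}

check_bundle() {   # $1 = config dir, $2 = profile name; prints "ok" or the first problem
  dir="$1"; name="$2"; p="$dir/$name.ovpn"
  [ -f "$p" ] || { echo "missing profile $p"; return 1; }
  # must match what the server was configured with: proto tcp, port 1194
  grep -q '^proto tcp$' "$p" || { echo "proto must be tcp to match the server"; return 1; }
  set -- $(awk '$1=="remote" {print $2, $3}' "$p")
  [ $# -eq 2 ] || { echo "remote line needs host and port"; return 1; }
  [ "$2" = 1194 ] || { echo "remote port $2 does not match the server's 1194"; return 1; }
  # the three files copied from the server's keys/ directory must be present
  for k in ca cert key; do
    f=$(awk -v k="$k" '$1==k {print $2}' "$p")
    [ -n "$f" ] && [ -f "$dir/$f" ] || { echo "$k file '$f' not found in $dir"; return 1; }
  done
  # the note above: the profile name and the certificate name must agree
  [ "$(awk '$1=="cert" {print $2}' "$p")" = "$name.crt" ] \
    || { echo "cert name does not match profile $name"; return 1; }
  echo ok
}
```

Run check_bundle against the config directory after step 2; it names the first missing or mismatched item, which is the usual reason a fresh client fails to connect.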

4. Open the VPN client, right-click the icon in the bottom-right corner and choose connect.

5. After the connection succeeds, the icon turns green and a success message appears.

OK, at this point the configuration is complete.