Clocks must be synchronized.
1. Preparation before installation:
[root@data ~]# yum -y install openssl openssl-devel gcc
Download the packages:
openvpn-2.2.0.tar.gz: the server-side install package
lzo-2.06.tar.gz: the package that compresses tunnel traffic
openvpn-2.2.0-install.exe: the client installer
Bundled download address:
http://down.51cto.com/data/1019725
Note: since the OpenVPN official site has been blocked, it can only be downloaded over the wall, so I have already bundled the files to make downloading convenient for everyone.
2. Install the lzo package:
The lzo package compresses tunnel traffic to speed up transfers. The steps are:
[root@data ~]# tar zxvf lzo-2.06.tar.gz
[root@data ~]# cd lzo-2.06
[root@data lzo-2.06]# ./configure --prefix=/usr/ && make && make install
4. Install OpenVPN:
[root@data ~]# tar zxvf openvpn-2.2.0.tar.gz
[root@data ~]# cd openvpn-2.2.0
[root@data openvpn-2.2.0]# ./configure --with-lzo-lib=/usr/ && make && make install
If the following error appears here: configure: error: libpam required but missing
on a 64-bit system simply run: yum install pam-devel.x86_64
if your server is 32-bit:
yum install pam-devel.i686
5. OpenVPN server configuration
(1) Create the CA details
[root@data ~]# cd openvpn-2.2.0/easy-rsa/2.0/
[root@data 2.0]# vim vars
export KEY_COUNTRY="CN"            # your country, two-letter code
export KEY_PROVINCE="SH"           # your province
export KEY_CITY="SHANGHAI"         # your city
export KEY_ORG="51CTO"             # your organization
export KEY_EMAIL="youyou@126.com"  # your e-mail address
export KEY_OU="51CTO.com"          # your organizational unit
Next, enter the following command:
[root@data 2.0]# source vars    // after this command the following message is shown
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.2.0/easy-rsa/2.0/keys
Then enter the commands below:
[root@data 2.0]# ./clean-all
[root@data 2.0]# ./build-ca    // just press Enter at every prompt; this generates the root CA certificate
Generating a 1024 bit RSA private key
.........................................++++++
.......................................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [51CTO]:
Organizational Unit Name (eg, section) [51cto.com]:
Common Name (eg, your name or your server's hostname) [51CTO CA]:
Name []:
Email Address [youyou@126.com]:
You can see that ca.crt and ca.key have now been generated.
Generate the Diffie-Hellman file for the server; it is needed later when configuring the OpenVPN server. The command is: ./build-dh
(2) Generate the server certificate and key with the following command:
[root@data 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.......++++++
.................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [51CTO]:
Organizational Unit Name (eg, section) [51cto.com]:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [youyou@126.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:51cto.com
Using configuration from /root/soft/openvpn-2.2.0/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName:PRINTABLE:'CN'
stateOrProvinceName:PRINTABLE:'SH'
localityName:PRINTABLE:'SHANGHAI'
organizationName:PRINTABLE:'51CTO'
organizationalUnitName:PRINTABLE:'51cto.com'
commonName:PRINTABLE:'server'
emailAddress:IA5STRING:'youyou@126.com'
Certificate is to be certified until Nov 19 08:20:18 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Generate the client certificate; the certificate generated here is distributed to the client.
[root@data 2.0]# ./build-key steven.shi
After the steps above finish normally, the keys directory contains the generated certificate files, which can be listed with:
[root@data 2.0]# ll keys/
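The easy-rsa steps above leave ca.crt, server.crt/server.key and steven.shi.crt/steven.shi.key in keys/. Before those files go into server.conf and the client profile it is worth confirming that each certificate was issued by ca.crt, that it matches its private key, and that it is inside its validity window on the current clock, which is why the post opens with "clocks must be synchronized". The script below is an added example, not part of the original post or of OpenVPN/easy-rsa; it assumes only the openssl command-line tool, and for a stand-alone run it builds its own throw-away CA and certificates in a temporary directory (constructed data; the function names are mine).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check easy-rsa output before
# it goes into server.conf / the client profile. Assumes only the openssl CLI.
# Real files: /root/openvpn-2.2.0/easy-rsa/2.0/keys/{ca,server,steven.shi}.{crt,key}

# make_demo_keys DIR: constructed stand-in for build-ca / build-key-server /
# build-key: a self-signed CA plus "server" and "steven.shi" issued by it.
make_demo_keys() {
    dir=$1
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=51CTO CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    for name in server steven.shi; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 3650 -out "$dir/$name.crt" >/dev/null 2>&1 || return 1
    done
}

# signed_by_ca CA CRT: 0 if CRT was issued by CA and is currently valid. Only CA
# is trusted (the system store is ignored), which is what the "ca" line in
# server.conf and in the client profile mean.
signed_by_ca() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_matches_key CRT KEY: 0 if the public key inside CRT is the one in KEY.
# Both commands print the same PEM SubjectPublicKeyInfo, so a text compare works.
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    b=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# still_valid CRT [DAYS]: 0 if CRT does not expire within DAYS (default 30).
# Judged on the local clock, hence "clocks must be synchronized"; a not-yet-valid
# certificate is caught by signed_by_ca instead.
still_valid() {
    days=${2:-30}
    openssl x509 -noout -in "$1" -checkend $((days * 86400)) >/dev/null 2>&1
}

# check_keys DIR NAME: run the three checks on DIR/NAME.crt and DIR/NAME.key,
# print one line per problem and return the number of problems.
check_keys() {
    dir=$1; name=$2; bad=0
    signed_by_ca "$dir/ca.crt" "$dir/$name.crt" \
        || { echo "$name.crt: not issued by ca.crt (or outside its validity window)"; bad=$((bad + 1)); }
    cert_matches_key "$dir/$name.crt" "$dir/$name.key" \
        || { echo "$name.crt: public key differs from $name.key"; bad=$((bad + 1)); }
    still_valid "$dir/$name.crt" \
        || { echo "$name.crt: expires within 30 days (also check the clock)"; bad=$((bad + 1)); }
    [ "$bad" -eq 0 ] && echo "$name: OK"
    return "$bad"
}

# demo: build constructed keys in a temp dir; server and steven.shi must pass,
# a deliberately mismatched key and a wrong issuer must be rejected.
# Returns 0 on success, 3 if openssl is not installed, 1 otherwise.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing checked"; return 3; }
    d=$(mktemp -d) || return 1
    rc=0
    if make_demo_keys "$d"; then
        check_keys "$d" server || rc=1
        check_keys "$d" steven.shi || rc=1
        cert_matches_key "$d/server.crt" "$d/steven.shi.key" && { echo "mismatch not detected"; rc=1; }
        signed_by_ca "$d/steven.shi.crt" "$d/server.crt" && { echo "wrong issuer not detected"; rc=1; }
    else
        echo "could not generate demo keys"; rc=1
    fi
    rm -rf "$d"
    return "$rc"
}

demo
```

To check the real output of the post's commands, run check_keys against the keys directory, for example check_keys /root/openvpn-2.2.0/easy-rsa/2.0/keys server and check_keys /root/openvpn-2.2.0/easy-rsa/2.0/keys steven.shi; any non-zero return means the files should not be copied to the client yet.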
(3) Modify the OpenVPN configuration file /etc/server.conf
1) Copy the sample file to /etc and then edit that copy. The command is:
[root@data 2.0]# cp /root/openvpn-2.2.0/sample-config-files/server.conf /etc/server.conf
2) Edit /etc/server.conf, paying attention to the following points:
First, change proto udp to proto tcp, so that the service starts on TCP port 1194.
Second, change the four ca lines to the form shown below (remember to use absolute paths):
ca /root/openvpn-2.2.0/easy-rsa/2.0/keys/ca.crt
The file after ca is the root CA generated by build-ca; it is used to verify whether client certificates are legitimate.
cert /root/openvpn-2.2.0/easy-rsa/2.0/keys/server.crt
key /root/openvpn-2.2.0/easy-rsa/2.0/keys/server.key
The two lines above are the server's own certificate and related files.
dh /root/openvpn-2.2.0/easy-rsa/2.0/keys/dh1024.pem
Third, change the server line to:
server 10.8.0.0 255.255.255.0    // the subnet the OpenVPN server assigns to the VPN network when it starts; make sure it does not collide with public IP addresses
Fourth, change verb 3 to verb 5
3) Start OpenVPN
1. Stop iptables and SELinux to avoid unnecessary interference with OpenVPN
2. Enable the kernel's built-in IP forwarding with:
[root@data keys]# echo "1" > /proc/sys/net/ipv4/ip_forward
3. Start OpenVPN with:
[root@data keys]# /usr/local/sbin/openvpn --config /etc/server.conf
If you see Initialization Sequence Completed, the start-up succeeded.
Verify with lsof -i:1194
[root@data keys]# lsof -i:1194
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
openvpn 20074 root    5u  IPv4  94836      0t0  TCP *:openvpn (LISTEN)
6. Client installation:
1. Install openvpn-2.2.0-install.exe, clicking Next all the way through. A shortcut is created on the desktop, as shown in the figure.
The default install path is: C:\Program Files\OpenVPN
2. Copy the client certificate generated on the server into the config directory,
i.e. copy ca.crt, steven.shi.crt and steven.shi.key into the config directory.
3. Copy client.conf from the sample-config-files folder of the unpacked openvpn-2.2.0 directory on the server into the local config directory and rename it steven.shi.ovpn
Note: use the same name as your certificate files.
Open steven.shi.ovpn in a text editor and change the following items:
1) Change proto udp to proto tcp
2) Change the remote line to the server's IP and port:
remote 192.168.1.101 1194
Note: an internal IP is used here only for testing; in production the server has a public IP, so change it accordingly.
3) Change the three ca lines to:
ca ca.crt
cert steven.shi.crt
key steven.shi.key
4. Open the VPN client, right-click the icon in the lower right corner and choose Connect
5. After the connection succeeds, the icon turns green and a success message is shown.
OK, the configuration is now complete.
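The edits to /etc/server.conf (proto tcp, absolute ca/cert/key/dh paths, the server subnet, verb 5) and to steven.shi.ovpn (proto tcp, the remote line, ca/cert/key naming files next to the profile) are easy to get wrong, and OpenVPN only reports the mistake at start-up. The POSIX shell script below is an added example that is not part of the original post or of OpenVPN: it checks both files for exactly those points. The function names and the sample files it writes to a temporary directory are constructed for the demonstration; the real files are /etc/server.conf and steven.shi.ovpn in the client's config directory.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN: check the edits the
# post makes to /etc/server.conf and to the client's steven.shi.ovpn before
# starting the service. Only awk and coreutils are used.

# directive_value FILE NAME: print the argument(s) of the first active NAME line
# (comment lines start with # or ;, so their first word never matches NAME).
# CRLF line endings, common in profiles edited on Windows, are tolerated.
directive_value() {
    awk -v k="$2" '{ sub(/\r$/, "") } $1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# lint_server CONF: the four edits from the post, plus "the referenced files
# exist". Prints one line per problem and returns the number of problems.
lint_server() {
    conf=$1; bad=0
    [ "$(directive_value "$conf" proto)" = tcp ] || { echo "proto must be tcp"; bad=$((bad + 1)); }
    for k in ca cert key dh; do
        f=$(directive_value "$conf" "$k")
        case $f in
            /*) [ -r "$f" ] || { echo "$k: $f is not readable"; bad=$((bad + 1)); } ;;
            *)  echo "$k: '$f' is not an absolute path"; bad=$((bad + 1)) ;;
        esac
    done
    [ "$(directive_value "$conf" server)" = "10.8.0.0 255.255.255.0" ] \
        || { echo "server line should be 'server 10.8.0.0 255.255.255.0'"; bad=$((bad + 1)); }
    [ "$(directive_value "$conf" verb)" = 5 ] || { echo "verb should be 5"; bad=$((bad + 1)); }
    return "$bad"
}

# lint_client OVPN: proto tcp, a remote with host and numeric port, and
# ca/cert/key naming files that sit next to the profile (the post copies them
# into the client's config directory). Returns the number of problems.
lint_client() {
    ovpn=$1; dir=$(dirname "$ovpn"); bad=0
    [ "$(directive_value "$ovpn" proto)" = tcp ] || { echo "proto must be tcp"; bad=$((bad + 1)); }
    set -- $(directive_value "$ovpn" remote)
    { [ $# -eq 2 ] && [ "$2" -gt 0 ] 2>/dev/null; } \
        || { echo "remote must be '<server-ip> <port>'"; bad=$((bad + 1)); }
    for k in ca cert key; do
        f=$(directive_value "$ovpn" "$k")
        { [ -n "$f" ] && [ -r "$dir/$f" ]; } \
            || { echo "$k: '$f' not found next to the profile"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# demo: write constructed copies of an edited server.conf, of the un-edited
# sample (proto udp, relative paths, verb 3) and of an edited client profile
# with CRLF endings into a temp dir. Returns 0 if the edited files pass and
# the un-edited one is rejected.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/keys" "$d/config"
    for f in ca.crt server.crt server.key dh1024.pem; do : > "$d/keys/$f"; done
    for f in ca.crt steven.shi.crt steven.shi.key; do : > "$d/config/$f"; done
    cat > "$d/server.conf" <<EOF
# constructed: /etc/server.conf after the post's four edits
proto tcp
ca $d/keys/ca.crt
cert $d/keys/server.crt
key $d/keys/server.key
dh $d/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
verb 5
EOF
    cat > "$d/server-unedited.conf" <<'EOF'
proto udp
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
verb 3
EOF
    printf 'proto tcp\r\nremote 192.168.1.101 1194\r\nca ca.crt\r\ncert steven.shi.crt\r\nkey steven.shi.key\r\n' \
        > "$d/config/steven.shi.ovpn"
    rc=0
    lint_server "$d/server.conf" || rc=1
    lint_server "$d/server-unedited.conf" >/dev/null && rc=1    # must report problems
    lint_client "$d/config/steven.shi.ovpn" || rc=1
    rm -rf "$d"
    return "$rc"
}

demo
```

On the server, lint_server /etc/server.conf prints nothing and returns 0 once the four edits are in place; on a Linux machine holding a copy of the client's config directory, lint_client config/steven.shi.ovpn does the same for the profile.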
Reposted from: https://blog.51cto.com/7506939/1557671