Install EPEL

rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

Install OpenVPN (this post targets CentOS 5 with OpenVPN 2.3.2 from EPEL; CentOS 5 and EPEL 5 are end-of-life, so the paths and line numbers below match that release only)

yum --enablerepo=epel -y install openvpn bridge-utils


Copy the sample configuration file

cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn

Edit the configuration file (the numbers are line numbers in the 2.3.2 sample server.conf)

vi /etc/openvpn/server.conf

line 32:  port 443          (the default OpenVPN port is 1194; any free port works)

line 53:  dev tap0          (virtual NIC; bridging needs a tap device, a tun device cannot be enslaved to the bridge)


Certificate and PEM file locations

line 78:  ca /etc/openvpn/easy-rsa/keys/ca.crt

line 79:  cert /etc/openvpn/easy-rsa/keys/server.crt

line 80:  key /etc/openvpn/easy-rsa/keys/server.key

line 87:  dh /etc/openvpn/easy-rsa/keys/dh1024.pem   (1024-bit DH is too weak today; set KEY_SIZE=2048 in the easy-rsa vars file before running build-dh and point this line at dh2048.pem)

line 96:  #server 10.8.0.0 255.255.255.0            (comment out: server and server-bridge are mutually exclusive)

line 103: #ifconfig-pool-persist ipp.txt           (comment out: the address pool is managed by server-bridge)

Bridge server settings (the bridge's own IP address, subnet mask, and the address range handed out to VPN clients)

line 115: server-bridge 172.16.40.25 255.255.255.0 172.16.40.50 172.16.40.150

The first address is the one the bridge interface (br0) will carry, i.e. the server's LAN address. The pool 172.16.40.50 to 172.16.40.150 must lie inside that subnet and must not overlap with leases handed out by a DHCP server on the LAN.

line 138: push "route 172.16.40.0 255.255.255.0"   (VPN subnet; the directive must contain the route keyword, otherwise the client receives an option it cannot parse. In bridge mode the client already sits on 172.16.40.0/24, so this push is only needed for additional subnets behind the server)

Log file paths

line 275: status /var/log/openvpn-status.log

line 284: log /var/log/openvpn.log

line 285: log-append /var/log/openvpn.log

Use either log (truncates the file on every start) or log-append (keeps appending), not both.
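As an added example (not from the original post, and not the sample file shipped with OpenVPN), the following shell function prints a complete bridged server.conf assembled from the settings above, with the two hardening changes mentioned: 2048-bit DH parameters and a tls-auth key. The keys directory, the file names dh2048.pem and ta.key, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: assemble a complete
# bridged server.conf from the four server-bridge parameters.
# Assumptions: easy-rsa keys live in /etc/openvpn/easy-rsa/keys,
# KEY_SIZE=2048 was set before build-dh (so the file is dh2048.pem),
# and ta.key was created with: openvpn --genkey --secret ta.key

KEYS_DIR=${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}

# valid_ipv4 ADDR: 0 if ADDR is a dotted quad with every octet in 0-255
# (subshell body so the IFS change does not leak into the caller)
valid_ipv4() (
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    IFS=.
    set -- $1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
)

# check_bridge_args IP MASK POOL_START POOL_END: all four must be dotted quads
check_bridge_args() {
    [ $# -eq 4 ] || return 1
    for a in "$@"; do valid_ipv4 "$a" || return 1; done
}

# gen_server_conf IP MASK POOL_START POOL_END: print the config to stdout
gen_server_conf() {
    check_bridge_args "$@" || { echo "usage: gen_server_conf IP MASK POOL_START POOL_END" >&2; return 1; }
    cat <<EOF
port 443
proto udp
# bridging needs a tap device; a tun device cannot be enslaved to br0
dev tap0

ca $KEYS_DIR/ca.crt
cert $KEYS_DIR/server.crt
key $KEYS_DIR/server.key
dh $KEYS_DIR/dh2048.pem
# HMAC firewall: packets without a valid ta.key MAC are dropped before the TLS handshake
tls-auth $KEYS_DIR/ta.key 0

# bridge mode: server and ifconfig-pool-persist stay disabled
;server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
server-bridge $1 $2 $3 $4

keepalive 10 120
# drop root after the tap device and the key files have been opened
user nobody
group nobody
persist-key
persist-tun

status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
EOF
}

# gen_server_conf 172.16.40.25 255.255.255.0 172.16.40.50 172.16.40.150 > /etc/openvpn/server.conf
```

Because the generated file drops privileges to nobody, any auth-user-pass-verify script added later runs as nobody as well; its password file must then be readable by that user (and by nobody else).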


Install easy-rsa

yum install easy-rsa

Copy the easy-rsa 2.0 scripts into place

cp -R /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa

cd /etc/openvpn/easy-rsa

mkdir keys

Edit the vars script to set the defaults used when generating keys

vi vars

line 64: export KEY_COUNTRY="cn"

line 65: export KEY_PROVINCE="shanghai"

line 66: export KEY_CITY="shanghai"

line 67: export KEY_ORG="LDAP domain (has no effect here)"

line 68: export KEY_EMAIL="email address"

While in this file, also raise KEY_SIZE from its default of 1024 to 2048: it sets both the RSA key length of every certificate and the size of the DH parameters (the DH file is then named dh2048.pem, which server.conf must reference).


Load vars

[root@localhost easy-rsa]# source ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

[root@localhost easy-rsa]# ./clean-all

clean-all empties keys/ and creates the empty index.txt and the serial file that the signing steps below depend on.


Initialise the PKI

server.conf references ca.crt, server.crt and server.key, so before the DH step the CA must be created with ./build-ca (produces ca.crt and ca.key) and the server certificate with ./build-key-server server (produces server.crt and server.key); without them OpenVPN has nothing to load and will not start.

[root@localhost easy-rsa]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time

.............................+..........................+...........+...++*++*++*

(With KEY_SIZE=2048 in vars this produces dh2048.pem instead and takes considerably longer.)

Copy the bridge helper scripts and make them executable

[root@localhost easy-rsa]#

cp -R /usr/share/doc/openvpn-2.3.2/sample/sample-scripts/bridge-stop /etc/openvpn/

cp -R /usr/share/doc/openvpn-2.3.2/sample/sample-scripts/bridge-start /etc/openvpn/

[root@localhost openvpn]# chmod 755 /etc/openvpn/bridge-start

[root@localhost openvpn]# chmod 755 /etc/openvpn/bridge-stop

Edit the bridge-mode start script

vi /etc/openvpn/bridge-start

line 17: eth="eth0"

line 18: eth_ip="172.16.40.25"

line 19: eth_netmask="255.255.255.0"

line 20: eth_broadcast="172.16.40.255"

These must be the physical interface's current address, mask and broadcast: bridge-start creates tap0, enslaves eth0 and tap0 to br0, removes the address from eth0 and assigns it to br0. A typo here cuts the host off the network, so do this from the console rather than over SSH on eth0.
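The broadcast address and the pool boundaries are easy to mistype. As an added example (not part of the original post), the functions below derive the bridge-start variables from the interface address and check that the server-bridge pool actually lies inside that subnet, using only POSIX shell arithmetic. The addresses are the ones used in this post; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: compute the bridge-start
# variables from the interface address instead of typing them by hand, and
# check that the server-bridge pool lies inside that subnet.

# ip2int A.B.C.D -> 32-bit integer (subshell body so the IFS change stays local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast_of IP MASK -> directed broadcast address (ip | ~mask)
broadcast_of() {
    int2ip $(( $(ip2int "$1") | (4294967295 - $(ip2int "$2")) ))
}

# in_subnet ADDR IP MASK -> 0 when ADDR is in the same subnet as IP/MASK
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# bridge_vars ETH IP MASK POOL_START POOL_END: print the four lines for
# /etc/openvpn/bridge-start, or fail if the pool does not fit the subnet
bridge_vars() {
    for a in "$4" "$5"; do
        in_subnet "$a" "$2" "$3" || { echo "pool address $a is outside $2/$3" >&2; return 1; }
    done
    [ "$(ip2int "$4")" -le "$(ip2int "$5")" ] || { echo "pool start is after pool end" >&2; return 1; }
    printf 'eth="%s"\neth_ip="%s"\neth_netmask="%s"\neth_broadcast="%s"\n' \
        "$1" "$2" "$3" "$(broadcast_of "$2" "$3")"
}

# bridge_vars eth0 172.16.40.25 255.255.255.0 172.16.40.50 172.16.40.150
```

The last line, uncommented, prints exactly the four assignments shown above for this post's network, and refuses to print anything if a pool boundary such as 172.16.41.50 slipped in.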


Hook the bridge scripts into the init script so the bridge is up before OpenVPN starts and torn down after it stops

vi /etc/rc.d/init.d/openvpn

line 126:  /etc/openvpn/bridge-start      (in the start section, before the daemon is launched)

line 205:  /etc/openvpn/bridge-stop       (in the stop section, after the daemon has been stopped)

Start OpenVPN

/etc/init.d/openvpn start

Started successfully. If it does not start, /var/log/openvpn.log holds the reason.

To log in to the VPN with a username and password, add the following two lines to /etc/openvpn/server.conf:

auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env

script-security 3

The reasons:

auth-user-pass-verify enables the user/password verification script. With via-env the username and password are passed to the script in the environment variables username and password, and the script's exit status decides the login (0 accepts, anything else rejects).

script-security 3 is required for via-env (level 3 is what permits handing a password to a script through the environment) and removes the warning. The trailing "system" argument seen in older howtos selects a deprecated execution method and can be left off.

checkpsw.sh can be fetched from the network:

wget http://openvpn.se/files/other/checkpsw.sh

Read the script before installing it: it is executed by the OpenVPN process on every login attempt.

checkpsw.sh reads usernames and passwords from /etc/openvpn/psw-file by default.

One account per line in psw-file, username and password separated by a space:

username  password

The passwords are stored in clear text, so the file must be mode 0600 and owned by the user OpenVPN runs as. Clients still need a valid certificate in addition to the password (unless client-cert-not-required is set, which is not recommended); this is a second factor, not a replacement for the PKI.
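The via-env contract is simple enough to see in full. As an added example (my own script, not the checkpsw.sh from openvpn.se), the verifier below speaks the same protocol but stores salted SHA-256 hashes instead of clear-text passwords. The file format username:salt:hash, the script name verify-user.sh, the --openvpn flag and the helper names are all assumptions; a production setup should use the PAM plugin (openvpn-plugin-auth-pam) or a real key-derivation function rather than a single SHA-256 round.

```shell
#!/bin/sh
# Added example, not the checkpsw.sh from openvpn.se: a via-env
# auth-user-pass-verify script whose password file holds salted SHA-256
# hashes rather than clear text. File format (one user per line, my own):
#   username:salt:hex(sha256(salt || password))
# OpenVPN calls the script with $username and $password in the environment;
# exit 0 accepts the login, anything else rejects it. Install as
# /etc/openvpn/verify-user.sh and reference it from server.conf:
#   auth-user-pass-verify "/etc/openvpn/verify-user.sh --openvpn" via-env
#   script-security 3

PSW_FILE=${PSW_FILE:-/etc/openvpn/psw-file}

# sha256_hex STRING -> hex digest (coreutils sha256sum, or shasum on BSD/macOS)
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# hash_password SALT PASSWORD -> the value stored in the third field
hash_password() {
    sha256_hex "$1$2"
}

# add_user FILE USER PASSWORD: append an entry with a random 8-byte salt
add_user() {
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s:%s\n' "$2" "$salt" "$(hash_password "$salt" "$3")" >> "$1"
}

# verify_user FILE: compare $password against the stored hash for $username
verify_user() {
    # refuse names that could break the file format or smuggle awk syntax
    case $username in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # exact match on the first field only; a prefix match would let "al" hit "alice"
    line=$(awk -F: -v u="$username" '$1 == u { print; exit }' "$1")
    [ -n "$line" ] || return 1
    salt=${line#*:}; salt=${salt%%:*}
    stored=${line##*:}
    [ "$(hash_password "$salt" "$password")" = "$stored" ]
}

# Entry point used by OpenVPN; without the flag the file only defines functions
if [ "${1:-}" = "--openvpn" ]; then
    verify_user "$PSW_FILE"
    exit $?
fi
```

Create accounts with add_user /etc/openvpn/psw-file alice 'the password' as root, then make the file mode 0600 and owned by whatever user the daemon drops to, since via-env scripts run with the daemon's privileges.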

This completes the VPN server setup.

Generating a client certificate:

[root@linux211 easy-rsa]# cd /etc/openvpn/easy-rsa

[root@linux211 easy-rsa]# ./build-key test

Generating a 1024 bit RSA private key

.......................................++++++

......++++++

writing new private key to 'test.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [qq]:

State or Province Name (full name) [shanghai]:

Locality Name (eg, city) [shanghai]:

Organization Name (eg, company) [qq.net]:

Organizational Unit Name (eg, section) [changeme]:

Common Name (eg, your name or your server's hostname) [test]:     (must be unique per client; this is the name OpenVPN identifies the client by)

Name [changeme]:test            (the user this certificate is issued to)

Email Address [mail@host.domain]:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/open***/easy-rsa/openssl-0.9.8.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'qq'

stateOrProvinceName   :PRINTABLE:'shanghai'

localityName          :PRINTABLE:'shanghai'

organizationName      :PRINTABLE:'qq.net'

organizationalUnitName:PRINTABLE:'changeme'

commonName            :PRINTABLE:'test'

name                  :PRINTABLE:'test'

emailAddress          :IA5STRING:'mail@host.domain'

Certificate is to be certified until Mar  4 08:23:32 2024 GMT (3650 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@linux211 easy-rsa]# cd keys/

[root@linux211 keys]# ls

The client certificate and key (test.crt, test.key) are now present. Hand the client ca.crt, test.crt and test.key; ca.key stays on the server and is never distributed.
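The PKI steps are spread over two places on this page (the CA, server certificate and DH parameters earlier, the client certificate here). As an added example (not from the original post), the script below runs the whole easy-rsa 2.0 sequence in order and then checks, before the daemon is started, that every file the server and one client need exists and that no private key is readable by anyone but its owner. The easy-rsa directory, KEY_SIZE=2048, the OpenVPN 2.3 genkey syntax and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: the complete easy-rsa 2.0 PKI
# build that server.conf depends on, plus a check to run before starting
# the daemon. Assumes the easy-rsa copy in /etc/openvpn/easy-rsa,
# KEY_SIZE=2048 set in vars, and OpenVPN 2.3 (openvpn --genkey --secret).

EASY_RSA_DIR=${EASY_RSA_DIR:-/etc/openvpn/easy-rsa}

# build_pki CLIENT: interactive, answers the same DN prompts as in the post
build_pki() {
    cd "$EASY_RSA_DIR" || return 1
    . ./vars                     # exports KEY_DIR, KEY_SIZE, KEY_COUNTRY, ...
    ./clean-all                  # wipes keys/ and creates index.txt + serial
    ./build-ca                   # ca.crt + ca.key; ca.key never leaves this host
    ./build-key-server server    # server.crt/server.key with the server extension
    ./build-dh                   # dh2048.pem with KEY_SIZE=2048; slow
    ./build-key "$1"             # one client; rerun per user with a unique Common Name
    openvpn --genkey --secret "$KEY_DIR/ta.key"   # tls-auth key shared with clients
}

# group_other_perms FILE -> the six group/other permission characters from ls -l
group_other_perms() {
    ls -ld "$1" | cut -c5-10
}

# check_pki KEYSDIR CLIENT: 0 only if every file the server and one client need
# exists and is non-empty, and no private key is readable by group or others
check_pki() {
    dir=$1; client=$2; rc=0
    for f in ca.crt ca.key server.crt server.key dh2048.pem ta.key "$client.crt" "$client.key"; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; rc=1; }
    done
    for k in ca.key server.key ta.key "$client.key"; do
        if [ -e "$dir/$k" ] && [ "$(group_other_perms "$dir/$k")" != "------" ]; then
            echo "too permissive: $dir/$k (expected mode 0600)" >&2; rc=1
        fi
    done
    return $rc
}

# verify_chain KEYSDIR CLIENT: cryptographic check that both certificates were
# issued by ca.crt (needs openssl; separate from the file checks above)
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/$2.crt"
}

# build_pki test && check_pki /etc/openvpn/easy-rsa/keys test && verify_chain /etc/openvpn/easy-rsa/keys test
```

check_pki reports every problem it finds on stderr rather than stopping at the first one, so a single run tells you which files are missing and which keys need chmod 600.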



Common OpenVPN problems:

1. Sign the certificate? [y/n]:y

failed to update database

TXT_DB error number 2

The CA database already holds a valid certificate with the same subject, i.e. the same Common Name was used before. Either revoke the old certificate first (./revoke-full test) and re-run build-key, or allow duplicate subjects:

[root@linux211 easy-rsa]# cd keys/

[root@linux211 keys]# vi index.txt.attr

unique_subject = no   (change yes to no)

Save and re-run the certificate generation command. With unique_subject = no, two valid certificates with the same CN coexist, and the old one keeps authenticating until it is revoked.

2. unable to open '/etc/openvpn/easy-rsa/keys/index.txt' 23303:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/openvpn/easy-rsa/keys/index.txt','r')

23303:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:

This means /etc/openvpn/easy-rsa/keys has no index.txt / index.txt.attr, which happens when ./clean-all was never run after the keys directory was created.

Files in the keys directory:

index.txt is the CA database; it records every certificate issued (server and client alike) with its serial number, status and subject, and index.txt.attr holds the unique_subject setting.

Creating an empty index.txt (together with a serial file containing 01, which clean-all also creates) fixes the error.