安装epel源
rpm -ivh https://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
注意:该包应通过 HTTPS 获取,安装后确认 /etc/yum.repos.d 中 EPEL 源保持 gpgcheck=1 且已导入对应的 GPG 公钥,避免后续通过明文 HTTP 安装未经签名校验的软件包。
安装 OpenVPN
yum --enablerepo=epel -y install openvpn bridge-utils
拷贝配置文件
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn
修改配置文件
vi /etc/openvpn/server.conf
32 port 443 默认的 OpenVPN 端口是 1194,这里可以自己设置
53 dev tap0 虚拟网卡(桥接模式 server-bridge 需要使用 tap 设备)
证书以及pem文件位置
78 ca /etc/open***/easy-rsa/keys/ca.crt
79 cert /etc/openvpn/easy-rsa/keys/server.crt
80 key /etc/openvpn/easy-rsa/keys/server.key
87 dh /etc/openvpn/easy-rsa/keys/dh1024.pem
注意:server.key 是服务端私钥,权限应为 600 且属主为 root;1024 位 DH 参数强度已不足,建议在 easy-rsa 的 vars 中设置 KEY_SIZE=2048 后重新执行 ./build-dh,并把这里改为 dh2048.pem。
96 #server 10.8.0.0 255.255.255.0
103 #ifconfig-pool-persist ipp.txt
桥接服务器设置(ip地址,子网掩码,***客户端地址分配网段)
115 server-bridge 172.16.40.25 255.255.255.0 172.16.40.50 172.16.40.150
138 push "route 172.16.40.0 255.255.255.0" 推送给客户端的 VPN 网段路由(push 的参数必须带 route 关键字,否则客户端无法解析该选项)
日志存储路径
275 status /var/log/openvpn-status.log
284 log /var/log/openvpn.log
285 log-append /var/log/openvpn.log
安装easy-rsa
yum install easy-rsa
拷贝配置文件
cp -R /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
mkdir keys
修改vars脚本,添加生成密钥时的默认配置
vi vars
64 export KEY_COUNTRY="cn"
65 export KEY_PROVINCE="shanghai"
66 export KEY_CITY="shanghai"
67 export KEY_ORG="LDAP域(不影响)"
68 export KEY_EMAIL="email address"
同一文件中的 export KEY_SIZE 建议改为 2048:下文默认生成的是 1024 位 RSA 密钥和 1024 位 DH 参数,按现在的标准已不够安全(1024 位 DH 可被 Logjam 类攻击削弱)。改为 2048 后 ./build-dh 生成的文件名变为 dh2048.pem,server.conf 中的 dh 一行需相应修改。
加载vars
[root@localhost easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@localhost easy-rsa]# ./clean-all
初始化
[root@localhost easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.............................+..........................................................+.......................+...........................................................................................................................................................................+.............................................................................+....+.....................................................+....................+...........................................+................................................+...................................+..........................+............+...........+...++*++*++*
拷贝配置文件并更改脚本权限
[root@localhost easy-rsa]# cp -R /usr/share/doc/openvpn-2.3.2/sample/sample-scripts/bridge-stop /etc/openvpn/
[root@localhost easy-rsa]# cp -R /usr/share/doc/openvpn-2.3.2/sample/sample-scripts/bridge-start /etc/openvpn/
[root@localhost openvpn]# chmod 755 /etc/openvpn/bridge-start
[root@localhost openvpn]# chmod 755 /etc/openvpn/bridge-stop
修改桥接模式启动脚本
vi /etc/openvpn/bridge-start
17 eth="eth0"
18 eth_ip="172.16.40.25"
19 eth_netmask="255.255.255.0"
20 eth_broadcast="172.16.40.255"
vi /etc/rc.d/init.d/openvpn (在 start 和 stop 流程中分别加入桥接脚本的调用;注意直接改动软件包自带的 init 脚本,升级 openvpn 软件包时可能被覆盖)
126 /etc/openvpn/bridge-start
205 /etc/openvpn/bridge-stop
启动open***
/etc/init.d/openvpn start
启动成功。
登录 VPN 采用用户名和密码认证,需要修改 /etc/openvpn/server.conf 配置,添加如下两行:
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
script-security 3
注意:不要写成 script-security 3 system。第二个参数 system 表示通过 system() 经由 shell 执行脚本,该方式已被弃用,且参数会经过 shell 展开,存在命令注入风险;省略该参数即使用默认的 execve 方式。via-env 会把用户名和密码放进脚本进程的环境变量,因此 checkpsw.sh 必须为 root 所有、仅 root 可写(如 chmod 750),且不能放在其他用户可写的目录中。
原因如下:
auth-user-pass-verify:启用外部脚本校验用户名密码,via-env 表示通过环境变量 username/password 把凭据传给脚本;
script-security 3:允许 OpenVPN 调用外部脚本,并允许通过环境变量向脚本传递密码(via-env 方式至少需要级别 3),不加这行 OpenVPN 会拒绝执行脚本并报错。
checkpsw.sh 脚本可以通过网络获取:
wget http://openvpn.se/files/other/checkpsw.sh
注意:这是一段通过明文 HTTP 下载、之后以 OpenVPN 服务进程的权限(通常为 root)执行的脚本,下载后必须先逐行审阅其内容,再放到 /etc/openvpn/checkpsw.sh,并设置为 root 属主、仅 root 可写。
checkpsw.sh 默认从文件 /etc/openvpn/psw-file 中读取用户名和密码。
psw-file 中一行是一个账号,用户名和密码之间用空格隔开。密码以明文存储,因此该文件应设置为 root:root 且权限 600,并且不要使用与其他系统相同的密码:
username password
到此为止,VPN 服务端搭建完成。
客户端证书生成:
[root@linux211 easy-rsa]# cd /etc/openvpn/easy-rsa
[root@linux211 easy-rsa]# ./build-key test
Generating a 1024 bit RSA private key
.......................................++++++
......++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [qq]:
State or Province Name (full name) [shanghai]:
Locality Name (eg, city) [shanghai]:
Organization Name (eg, company) [qq.net]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [test]:
Name [changeme]:test #生成证书的用户名#
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/open***/easy-rsa/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'qq'
stateOrProvinceName :PRINTABLE:'shanghai'
localityName :PRINTABLE:'shanghai'
organizationName :PRINTABLE:'qq.net'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'test'
name :PRINTABLE:'test'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 4 08:23:32 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@linux211 easy-rsa]# cd keys/
[root@linux211 keys]# ls
可以看到用户证书已经生成
常见***问题处理:
第一:Sign the certificate?[y/n]:y
failed to update database
TXT_DB error number 2
只需要如下处理:
[root@linux211 easy-rsa]# cd keys/
[root@linux211 keys]# vi index.txt.attr
unique_subject = no #将yes改为no#
保存,重新执行生成证书的命令。
注意:这个报错说明 CA 数据库中已存在相同主题(同一 CN)的证书。把 unique_subject 改为 no 后,同一用户名可以签发多张证书,但旧证书仍然有效;更稳妥的做法是先用 ./revoke-full <name> 吊销旧证书,并在 server.conf 中配置 crl-verify 让服务端校验吊销列表,而不是放开重复主题的限制。
第二:unable to open '/etc/open***/easy-rsa/keys/index.txt'23303:error:02001002:systemlibrary:fopen:No such file or
directory:bss_file.c:352:fopen('/etc/open***/easy-rsa/keys/index.txt','r')
23303:error:20074002:BIOroutines:FILE_CTRL:system lib:bss_file.c:354:
说明 /etc/openvpn/easy-rsa/keys 目录下没有 index.txt 和 index.txt.attr。
keys 目录下文件说明:
index.txt 是 CA 的证书数据库,记录已签发的证书(包括客户端证书)
新建一个空的 index.txt 文件即可(也可以重新执行 ./clean-all 初始化该目录,但注意它会删除 keys 目录下已有的全部密钥和证书)。
转载于:https://blog.51cto.com/buertu/1362846