公司有时候的需要使用***连接办公,最近新购了mac之后的,不支持pptp ***,所以在公司搭建一个open***,之所以不使用网上大多数教程一的转发模式,1是因为效率不好,2是需要修改现有路由,网络上达不到联通。好了废话不多说了,开始安装已经部署过程吧。
1.安装open***-2.2.2-1 下载地址http://down.51cto.com/data/2368640
yum install -y iptables openssl lzo pam openssl-devel lzo-devel pam-devel
yum install pkcs11-helper pkcs11-helper-devel -y
rpm -ivh openvpn-2.2.2-1.x86_64.rpm
2.配置open***
cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/
ln -s openssl-1.0.0.cnf openssl.cnf
#修改vars文件
[root@cmdb openvpn]# grep -Ev "^$|#" /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/vars
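# easy-rsa 2.0 "vars" file, shown with blank and comment lines stripped.
# It is meant to be sourced (`source vars`) from the easy-rsa directory,
# never executed, so it only exports environment for the build-* scripts.
export EASY_RSA="$(pwd)"              # relies on the cwd being the easy-rsa dir
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# whichopensslcnf picks the openssl-*.cnf that matches the installed OpenSSL.
export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"
# Every key, including ca.key, is written here. ./clean-all wipes it, and the
# directory should be readable by root only once the CA key exists.
export KEY_DIR="$EASY_RSA/keys"
echo "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR"

# RSA modulus size for the CA, server and client keys; also the size of the
# dh<KEY_SIZE>.pem file that ./build-dh produces (dh4096.pem here).
export KEY_SIZE=4096
export CA_EXPIRE=3650                 # days the CA certificate is valid
export KEY_EXPIRE=3650                # days each issued certificate is valid

# X.509 subject fields used by build-ca / build-key-server / build-key.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SZ"
export KEY_CITY="shenzheng"
export KEY_ORG="localhost.com"
export KEY_EMAIL="youshumin@126.com"  # the stock file sets this twice; one copy is enough
# Prompt defaults for the build-* scripts; the real CN is given on the
# command line (e.g. ./build-key-server server).
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme

# PKCS#11 token settings; unused unless a hardware token is involved.
# The stock file first sets both to "dummy" and then overrides them, so
# only the final values are kept here.
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234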
[root@cmdb open***]#
配置认证信息
source /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/vars
./clean-all
./build-ca
./build-key-server server
./build-key youshumin
./build-dh
3.创建open***目录
mkdir /etc/openvpn/keys
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/keys
cp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/server.conf.default
cd /etc/open***
grep -Ev "#|^$|^;" server.conf.default > /etc/openvpn/server.conf
mkdir logs
mkdir scripts
cd scripts
cp /usr/share/doc/openvpn-2.2.2/sample-scripts/bridge-st* .
cd /etc/open***/scripts
修改 bridge-start和stop
grep -Ev "^$|#" /etc/openvpn/scripts/bridge-start
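# bridge-start (blank/comment lines stripped): create the tap device(s),
# enslave them and eth0 to bridge br0, then move this host's address from
# eth0 onto the bridge. Needs root. eth0 is stripped of its address part way
# through, so run it from the console: an SSH session over eth0 will drop.
br="br0"
tap="tap0"                      # space-separated list of tap devices to create
eth="eth0"
eth_ip="192.168.7.150"          # this host's IP, re-assigned to $br below
eth_netmask="255.255.248.0"
eth_broadcast="192.168.7.255"
gw="192.168.1.254"              # default gateway, re-added once $eth has no address

# $tap is left unquoted in these loops on purpose: it may list several devices.
for t in $tap; do
  openvpn --mktun --dev "$t"
done

brctl addbr "$br"
brctl addif "$br" "$eth"
for t in $tap; do
  brctl addif "$br" "$t"
done

# Bridge ports carry no address of their own; promiscuous mode is needed so
# frames addressed to the bridged clients are passed up to the bridge.
for t in $tap; do
  ifconfig "$t" 0.0.0.0 promisc up
done
ifconfig "$eth" 0.0.0.0 promisc up

ifconfig "$br" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast"
# Clearing $eth's address also dropped the default route; without restoring
# it the host keeps LAN access but loses its uplink.
route add default gw "$gw"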
添加停止桥接脚本
grep -Ev "^$|#" /etc/openvpn/scripts/bridge-stop
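# bridge-stop (blank/comment lines stripped): tear down bridge br0 and the
# tap device(s) created by bridge-start, then restart networking so eth0
# gets back the address the bridge was holding. Needs root.
br="br0"
tap="tap0"                      # must match the list in bridge-start

ifconfig "$br" down
brctl delbr "$br"

# Unquoted on purpose: $tap may list several devices.
for t in $tap; do
  openvpn --rmtun --dev "$t"
done

# After delbr, eth0 is still promiscuous and has no address, so the host is
# unreachable until the network service re-applies its configuration.
service network restart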
open***服务的配置
cd /etc/open***
[root@cmdb open***]# cat server.conf
port 65520
proto tcp
dev tap0
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/server.crt
dh /etc/open***/keys/dh4096.pem
key /etc/open***/keys/server.key
server-bridge 192.168.1.254 255.255.248.0 192.168.7.155 192.168.7.165
push "route 192.168.1.0 255.255.248.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.254"
client-to-client
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /etc/open***/logs/open***-status.log
log /etc/open***/logs/open***.log
verb 3
[root@cmdb open***]#
启动open***
sh /etc/openvpn/scripts/bridge-start
/etc/init.d/openvpn start
停止openvpn: /etc/init.d/openvpn stop
4.验证open***
[root@cmdb open***]# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:65520 0.0.0.0:* LISTEN 4285/open***
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1296/sshd
[root@cmdb open***]#
[root@cmdb open***]# pwd
/etc/open***
[root@cmdb open***]# tree
.
├── ipp.txt
├── keys
│ ├── 01.pem
│ ├── 02.pem
│ ├── ca.crt
│ ├── ca.key
│ ├── dh4096.pem
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.attr.old
│ ├── index.txt.old
│ ├── serial
│ ├── serial.old
│ ├── server.crt
│ ├── server.csr
│ ├── server.key
│ ├── youshumin.crt
│ ├── youshumin.csr
│ └── youshumin.key
├── logs
│ ├── open***.log
│ └── open***-status.log
├── scripts
│ ├── bridge-start
│ └── bridge-stop
├── server.conf
└── server.conf.default
将ca.crt以及建立的用户认证文件youshumin.crt和youshumin.key 保存到本地。
windows下载openvpn-client,将这3个文件放在config文件夹下C:\Program Files\OpenVPN\config
修改config.ovpn文件
client
dev tap
proto tcp
remote 192.168.7.20 65520
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert youshumin.crt
key youshumin.key
comp-lzo
verb 3
然后点击桌面的连接
到这里windows连接成功,下次给大家分享在家使用mac连接的方法
转载于:https://blog.51cto.com/youprince/2043858