open*** configuration on Linux

Reference blog: http://blog.chinaunix.net/uid-26835604-id-3484906.html

I. Download the packages

# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz

# wget http://open***.net/release/open***-2.1_rc22.tar.gz

CentOS:

# yum install openssl-devel -y

Debian and Ubuntu: apt-get install libssl-dev

II. Extract and install

[root@bogon opt]# tar zxvf lzo-2.04.tar.gz

[root@bogon opt]# cd lzo-2.04

[root@bogon lzo-2.04]# ./configure

[root@bogon lzo-2.04]# make && make install

[root@bogon lzo-2.04]# cd ../


[root@bogon opt]# tar zxvf open***-2.1_rc22.tar.gz

[root@bogon opt]# cd open***-2.1_rc22

[root@bogon open***-2.1_rc22]# ./configure

[root@bogon open***-2.1_rc22]# make && make install

[root@bogon open***-2.1_rc22]# cd ../

III. Server-side setup:

1. Generate the server and client certificates with easy-rsa

[root@bogon opt]# cp open***-2.1_rc22/easy-rsa/ -r /etc/open***

[root@bogon opt]# cd /etc/open***/2.0/

Edit the vars file

[root@bogon 2.0]# vim vars

[root@bogon 2.0]# cat vars | grep -v "^$" | grep -v "^#"

export EASY_RSA="`pwd`"

export OPENSSL="openssl"

export PKCS11TOOL="pkcs11-tool"

export GREP="grep"

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

export KEY_DIR="$EASY_RSA/keys"

#echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR --this line can be commented out

export PKCS11_MODULE_PATH="dummy"

export PKCS11_PIN="dummy"

export KEY_SIZE=1024

export CA_EXPIRE=3650

export KEY_EXPIRE=3650

export KEY_COUNTRY="CN"

export KEY_PROVINCE="BJ"

export KEY_CITY="BEIJING"

export KEY_ORG="LIANCHAO"

export KEY_EMAIL="15720182323@163.com"

export KEY_CN=changename

export KEY_NAME=changename

export KEY_OU=IT

export PKCS11_MODULE_PATH=changename

export PKCS11_PIN=1234

[root@bogon 2.0]# source vars

(The message "NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/open***/2.0/keys" stops appearing once that echo line is commented out in vars.)

The following command may be run during the first installation only. Never run it later when adding clients: it deletes every certificate and key that has already been generated.

[root@bogon 2.0]# ./clean-all


Generate the server-side CA certificate

[root@bogon 2.0]# ./build-ca -----generate the server-side CA certificate

Generating a 1024 bit RSA private key

........++++++

......++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [LIANCHAO]:

Organizational Unit Name (eg, section) [IT]:

Common Name (eg, your name or your server's hostname) [changename]:server

Name [changename]:server

Email Address [15720182323@163.com]:

Type a value at the Common Name and Name prompts; press Enter to accept the default everywhere else.

After this command completes, two new files appear under keys: ca.crt and ca.key.


Generate the server key. The trailing "server" is the server name and can be chosen freely.

In the prompt sequence, most of the requested parameters default to the values set in vars (or vars.bat). The only parameter that must be entered explicitly is the Common Name; in this example it is "server".

[root@bogon 2.0]# ./build-key-server server

Generating a 1024 bit RSA private key

.............++++++

.............++++++

writing new private key to 'server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [LIANCHAO]:

Organizational Unit Name (eg, section) [IT]:

Common Name (eg, your name or your server's hostname) [server]:server ----this entry must match the name given on the command line above

Name [changename]:server

Email Address [15720182323@163.com]:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/open***/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'BJ'

localityName :PRINTABLE:'BEIJING'

organizationName :PRINTABLE:'LIANCHAO'

organizationalUnitName:PRINTABLE:'IT'

commonName :PRINTABLE:'server'

name :PRINTABLE:'server'

emailAddress :IA5STRING:'15720182323@163.com'

Certificate is to be certified until Mar 13 07:34:17 2026 GMT (3650 days)

Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Apart from the entries highlighted above (in green in the original post), just press Enter at every other prompt.

Afterwards, three new files appear under keys: server.crt, server.key and server.csr.


Generate the client key

[root@bogon 2.0]# ./build-key client1

Generating a 1024 bit RSA private key

.......++++++

......++++++

writing new private key to 'client1.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [LIANCHAO]:

Organizational Unit Name (eg, section) [IT]:

Common Name (eg, your name or your server's hostname) [client1]:client1

Name [changename]:client1

Email Address [15720182323@163.com]:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/open***/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'BJ'

localityName :PRINTABLE:'BEIJING'

organizationName :PRINTABLE:'LIANCHAO'

organizationalUnitName:PRINTABLE:'IT'

commonName :PRINTABLE:'client1'

name :PRINTABLE:'client1'

emailAddress :IA5STRING:'15720182323@163.com'

Certificate is to be certified until Mar 13 07:38:51 2026 GMT (3650 days)

Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Create further client keys the same way

[root@bogon 2.0]# ./build-key client2

[root@bogon 2.0]# ./build-key client3

Note: at the Common Name (eg, your name or your server's hostname) []: prompt, the name entered for each certificate must be different.

Under keys, three new files appear: client1.crt, client1.csr and client1.key.
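A way to check that the rule above was followed, as an added example that is not part of the original post. easy-rsa records every certificate it issues in keys/index.txt, the openssl "ca" database: one tab-separated line per certificate with status (V valid, R revoked, E expired), expiry date, revocation date, serial, file name and subject DN. The script lists Common Names that appear on more than one valid certificate; the sample index lines are constructed from the DN fields shown in the post.

```shell
# list_duplicate_cns INDEX_FILE -> prints each CN carried by more than one valid cert
list_duplicate_cns() {
    awk -F'\t' '
        $1 == "V" {
            # field 6 is the subject DN, e.g. /C=CN/ST=BJ/O=LIANCHAO/OU=IT/CN=client1/name=client1
            n = split($6, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] ~ /^CN=/) seen[substr(part[i], 4)]++
        }
        END { for (cn in seen) if (seen[cn] > 1) print cn }
    ' "$1" | sort
}

# check_unique_cns INDEX_FILE -> returns 0 when every valid certificate has a distinct CN
check_unique_cns() {
    dups=$(list_duplicate_cns "$1")
    if [ -n "$dups" ]; then
        echo "duplicate Common Names among valid certificates:" >&2
        printf '  %s\n' $dups >&2
        return 1
    fi
    return 0
}

# Demonstration on a constructed index.txt (tabs written with printf). client1 was
# issued twice; client2 has one revoked (R) and one valid cert, which is not a duplicate.
demo=$(mktemp)
printf 'V\t260313073417Z\t\t01\tunknown\t/C=CN/ST=BJ/L=BEIJING/O=LIANCHAO/OU=IT/CN=server/name=server\n' > "$demo"
printf 'V\t260313073851Z\t\t02\tunknown\t/C=CN/ST=BJ/L=BEIJING/O=LIANCHAO/OU=IT/CN=client1/name=client1\n' >> "$demo"
printf 'V\t260313074500Z\t\t03\tunknown\t/C=CN/ST=BJ/L=BEIJING/O=LIANCHAO/OU=IT/CN=client1/name=client1\n' >> "$demo"
printf 'R\t260313075000Z\t160314080000Z\t04\tunknown\t/C=CN/ST=BJ/L=BEIJING/O=LIANCHAO/OU=IT/CN=client2/name=client2\n' >> "$demo"
printf 'V\t260313075500Z\t\t05\tunknown\t/C=CN/ST=BJ/L=BEIJING/O=LIANCHAO/OU=IT/CN=client2/name=client2\n' >> "$demo"
check_unique_cns "$demo" || echo "the constructed index fails the check, as intended"
rm -f "$demo"
```

Run it against the real keys/index.txt after each build-key; a non-zero exit means two valid certificates share a CN and one of them should be revoked.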


5. Generate the Diffie-Hellman parameters

[root@bogon 2.0]# ./build-dh


6. Pack the required files under keys and download them to the local machine (via winscp, http, ftp, etc.)

Copy these three files into the C:\Program Files\open***\config folder

[root@bogon keys]# tar zcvf client1.tar.gz ca.* client1.*

ca.crt

ca.key

client1.crt

client1.csr

client1.key
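The packing step above, as an added example that is not part of the original post. The wildcard pattern "ca.* client1.*" also picks up ca.key (the CA private key, which must stay on the CA machine: whoever holds it can issue certificates that the server and every client trust) and client1.csr, which the client does not need. The helper below assumes a keys directory and client name passed as arguments and archives only ca.crt, the client certificate and the client key; the demo keys directory is constructed with dummy contents.

```shell
# bundle_contains TARBALL NAME -> 0 if NAME is an entry of the archive
bundle_contains() {
    tar -tzf "$1" | grep -qx "$2"
}

# bundle_client KEYS_DIR CLIENT_NAME OUT_TARBALL
# Packs only ca.crt, <client>.crt and <client>.key into OUT_TARBALL.
# Returns 1 if a required file is missing or if ca.key ended up in the archive.
bundle_client() {
    keys_dir=$1
    client=$2
    out=$3
    for f in ca.crt "$client.crt" "$client.key"; do
        if [ ! -f "$keys_dir/$f" ]; then
            echo "missing $keys_dir/$f" >&2
            return 1
        fi
    done
    # umask 077 in a subshell: the archive carries a private key, so create it mode 0600.
    # -C gives flat entry names, which is what the Windows config folder expects.
    ( umask 077 && tar -czf "$out" -C "$keys_dir" ca.crt "$client.crt" "$client.key" ) || return 1
    # Defence in depth: never ship the CA private key, whatever the pattern matched.
    if bundle_contains "$out" ca.key; then
        echo "refusing to ship the CA private key" >&2
        rm -f "$out"
        return 1
    fi
    return 0
}

# Demonstration on a constructed keys directory with dummy file contents.
demo_dir=$(mktemp -d)
for f in ca.crt ca.key client1.crt client1.csr client1.key; do
    echo "dummy $f" > "$demo_dir/$f"
done
if bundle_client "$demo_dir" client1 "$demo_dir/client1.tar.gz"; then
    echo "packed:"
    tar -tzf "$demo_dir/client1.tar.gz"
fi
rm -rf "$demo_dir"
```

Usage on the server would be `bundle_client /etc/open***/2.0/keys client1 /root/client1.tar.gz`, repeated per client name; the resulting archive holds exactly the three files the client config references.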


Copy the generated ca.crt, dh1024.pem, server.crt and server.key to /etc/open***/; these four files are the ones the *** server needs at run time.

[root@bogon keys]# cp ca.crt /etc/open***/

[root@bogon keys]# cp dh1024.pem /etc/open***/

[root@bogon keys]# cp server.crt /etc/open***/

[root@bogon keys]# cp server.key /etc/open***/

Copy the server.conf configuration file to /etc/open***/,

and the client.conf configuration file to /etc/open***/2.0/keys/

[root@bogon open***]# cd /opt/open***-2.1_rc22/sample-config-files/

[root@bogon sample-config-files]# cp server.conf /etc/open***/

[root@bogon sample-config-files]# cp client.conf /etc/open***/2.0/keys/

[root@bogon open***]# vim server.conf

[root@bogon open***]# cat server.conf | grep -v "^$" | grep -v "^#" | grep -v "^;"

(The // annotations in the listings below are explanatory notes, not part of the file: in an open*** config, comments start with # or ;.)

local 192.168.1.250 //IP of the open*** server's network interface

port 1194

proto udp //connect over UDP

dev tun

ca /etc/open***/ca.crt //location of the CA certificate

cert /etc/open***/server.crt //location of the server certificate

key /etc/open***/server.key //location of the server private key

# This file should be kept secret

dh /etc/open***/dh1024.pem //location of dh1024.pem

server 10.8.0.0 255.255.255.0 //subnet of the virtual network; change it as needed. It must not be the same subnet as the dial-up interface

ifconfig-pool-persist ipp.txt //after an open*** restart, reconnecting clients are assigned the same IP address they had before

push "redirect-gateway def1 bypass-dhcp" //route all of the client's traffic through the ***

push "dhcp-option DNS 114.114.114.114" //DNS setting; adjust to your environment

push "dhcp-option DNS 8.8.8.8" //DNS setting; adjust to your environment

client-to-client //allow clients to reach each other

keepalive 10 120

comp-lzo //enable data compression; must match the client

persist-key //when a keepalive timeout restarts the ***, do not re-read the keys; keep the ones read the first time

persist-tun //when a keepalive timeout restarts the ***, keep the tun/tap device up; otherwise the link goes down and then comes back up

status open***-status.log //periodically write open*** status information to a file, e.g. for your own accounting scripts or other processing

log-append open***.log

verb 3 //log verbosity level

mute 20 //limit on repeated log messages


[root@bogon open***]# vim 2.0/keys/client.conf

[root@bogon open***]# cat 2.0/keys/client.conf | grep -v "^$" | grep -v "^#" | grep -v "^;"

client //this is a client

dev tun //routed mode; on Windows this must be tun, and it must match the server

proto udp //connect over UDP; must match the server

remote 192.168.1.250 1194 //server IP address and port; several remote lines can list several servers for load balancing

resolv-retry infinite //keep retrying to resolve the server hostname

nobind //the client does not need to bind to a port

persist-key

persist-tun

mute-replay-warnings //wireless networks often produce many duplicate packets; this flag silences the warnings about duplicate packets

ca ca.crt //certificate path; adjust to your setup

cert client.crt //certificate path; adjust to your setup

key client.key //key path; adjust to your setup

ns-cert-type server

comp-lzo

verb 3

mute 20
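A review pass over the server.conf and client.conf listings above, as an added example that is not code from the original post. It reads a real config file (comments starting with # or ;, as open*** itself parses them; the //-style notes in the post are not valid syntax) and flags the settings a defender would change: ns-cert-type, deprecated in favour of remote-cert-tls server; a dh file named for 1024-bit parameters, matching KEY_SIZE=1024 in vars; a server that keeps running as root because user/group are not set; comp-lzo compression; and a control channel without tls-auth or tls-crypt. The checks, messages and the constructed demo config are this example's own.

```shell
# strip_comments FILE -> the config text without #/; comments and blank lines
strip_comments() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1"
}

# has_option CONFIG_TEXT OPTION -> 0 if OPTION starts a line (followed by whitespace or end of line)
has_option() {
    printf '%s\n' "$1" | grep -qE "^[[:space:]]*$2([[:space:]]|\$)"
}

# lint_config FILE -> prints one WARN line per finding; the return value is the finding count
lint_config() {
    cfg=$(strip_comments "$1")
    n=0
    if has_option "$cfg" ns-cert-type; then
        echo "WARN: ns-cert-type is deprecated; use 'remote-cert-tls server' instead"
        n=$((n + 1))
    fi
    if printf '%s\n' "$cfg" | grep -q '^[[:space:]]*dh[[:space:]].*1024'; then
        echo "WARN: dh file name suggests 1024-bit parameters; regenerate with at least 2048 bits"
        n=$((n + 1))
    fi
    if has_option "$cfg" server && ! has_option "$cfg" user; then
        echo "WARN: server mode without 'user'/'group': the daemon keeps running as root after startup"
        n=$((n + 1))
    fi
    if has_option "$cfg" comp-lzo; then
        echo "WARN: comp-lzo enables compression over the tunnel, which is deprecated for security reasons"
        n=$((n + 1))
    fi
    if ! has_option "$cfg" tls-auth && ! has_option "$cfg" tls-crypt; then
        echo "WARN: no tls-auth/tls-crypt: control channel packets carry no HMAC before the TLS handshake"
        n=$((n + 1))
    fi
    return $n
}

# Demonstration on a constructed server.conf mirroring the post's listing.
demo=$(mktemp)
cat > "$demo" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/open***/ca.crt
cert /etc/open***/server.crt
key /etc/open***/server.key   # This file should be kept secret
dh /etc/open***/dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
verb 3
EOF
rc=0
lint_config "$demo" || rc=$?
echo "findings: $rc"
rm -f "$demo"
```

Run `lint_config /etc/open***/server.conf` and `lint_config client.conf` after editing; a return value of 0 means none of the listed weak settings is present.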

IV. Enable routing on the server

1. Enable IP forwarding on CentOS 5

# vim /etc/sysctl.conf

Change the following setting:

net.ipv4.ip_forward = 1

[root@bogon open***]# vim /etc/sysctl.conf

[root@bogon open***]# sysctl -p

net.ipv4.ip_forward = 1

V. Add the iptables forwarding (NAT) rule

# iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

[root@bogon open***]# iptables -t nat -F    flush the firewall rules

[root@bogon open***]# iptables -F

VI. Start open*** and make it start at boot

vi /etc/rc.local

Then append this line at the end:

[root@bogon open***]# vim /etc/rc.local

/usr/local/sbin/open*** --config /etc/open***/server.conf &



VII. Installing the Open*** GUI for Windows client

1. Download open***-2.1_rc15-install.exe (this build bundles the Open*** GUI). Official download: http://open***.net/release/open***-2.1_rc15-install.exe


2. Install the Open*** GUI following the on-screen instructions


3. Configure the open*** GUI: extract the certificate files from the client1.tar.gz packed in step 6 above into the Open***\config folder under your Open*** GUI installation path

On Windows the archive can be fetched with pscp:

Open a command prompt (cmd):

pscp root@192.168.1.250:/etc/open***/2.0/keys/client1.tar.gz C:\lian

The archive is then saved in the lian folder on the C: drive.

After extracting it, put the files in the config folder under C:\Program Files (x86)\open***



4. Edit client.o***: copy the client.o*** file from the Open***\sample-config folder under your Open*** GUI installation path into the Open***\config folder under the same path,

then open client.o*** in Notepad:


client

dev tun

proto udp

remote 192.168.1.250 1194

resolv-retry infinite

nobind

persist-key

persist-tun

mute-replay-warnings

ca ca.crt

cert client1.crt

key client1.key

ns-cert-type server

comp-lzo

verb 3

mute 20

This client.o*** has the same content as client.conf, except that the file names after cert and key are replaced with your own.


5. Double-click client.o*** to start open***, or start it from the Open*** GUI controls.