Notes on installing OpenVPN on Linux and the OpenVPN GUI on Windows

1. OpenVPN installation environment

    Server-side environment:

    # lsb_release -a
    LSB Version:    :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
    Distributor ID: CentOS
    Description:    CentOS release 5.7 (Final)
    Release:        5.7
    Codename:       Final
    # uname -a
    Linux localhost 2.6.18-274.el5 #1 SMP Fri Jul 22 04:43:29 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

    The kernel must support the tun device, and the iptables module must be loadable.
    Check whether the tun module is present:
    Code:

    # modinfo tun
filename:       /lib/modules/2.6.18-274.el5/kernel/drivers/net/tun.ko
alias:          char-major-10-200
license:        GPL
author:         (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
description:    Universal TUN/TAP device driver
srcversion:     17940217002AD4038411C8A
depends:       
vermagic:       2.6.18-274.el5 SMP mod_unload gcc-4.1
module_sig:    883f3504e294164ec40b13698f67516112fbd209b4eb89a65845ffc9c8882b8d87523fb596a3984b09f5774d4c2abbabfb3813b25c47ae78eca819942


    If the modinfo command is not available, look for the module file directly: on this 2.6 kernel it is tun.ko under /lib/modules/<kernel version>/kernel/drivers/net/ (the path shown in the modinfo output above); older 2.4 kernels ship it as tun.o.

    Check the iptables module by confirming that this file exists:
    /etc/init.d/iptables
    OpenSSL. If SSL/TLS connections are to be enabled, OpenSSL must be installed first; the certificate-based setup below is TLS mode, so it is required here. Installing OpenSSL is not covered in these notes (search for it if needed). On CentOS, yum does it:

    #yum install openssl
    #yum install openssl-devel

    The OpenVPN version installed here is 2.0.5. A newer version appears to be available by now; downloads are at http://openvpn.net.

    Client-side environment:
    Windows XP Pro SP2
    OpenVPN GUI for Windows 1.0.3, available from openvpn.se
    Note: the OpenVPN GUI for Windows version must match the OpenVPN server version.
    For example, if the server runs OpenVPN 2.0.5, the OpenVPN GUI for Windows package to download is openvpn-2.0.5-gui-1.0.3-install.exe
    All historical OpenVPN GUI versions: http://openvpn.se/files/install_packages/

2. OpenVPN server installation

    Download LZO and unpack it into lzo-2.02.

    Address: http://www.oberhumer.com/opensource/lzo/download/ Code:

    #wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz

    Download OpenVPN and unpack it into openvpn-2.0.5.

    Address: http://openvpn.net/download.html Code:

    #wget http://openvpn.net/release/openvpn-2.0.5.tar.gz

    Install LZO. Code:

    #cd /lzo-2.02
    #./configure
    #make
    #make check
    #make install

    Install OpenVPN

    The --with-lzo-* paths below match the LZO install above (/usr/local). The --with-ssl-* paths must point at wherever OpenSSL is actually installed: the yum packages put the headers under /usr/include and the libraries under /usr/lib (or /usr/lib64 on x86_64), so adjust them unless OpenSSL was built from source into /usr/local.

    Code:

    #cd /openvpn-2.0.5
    #./configure --with-lzo-headers=/usr/local/include  --with-lzo-lib=/usr/local/lib  --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib
    #make
    #make install

    Generate the certificates and keys

    Initialise the PKI

    (If the shell has no export command, setenv [name] [value] does the same job.)

    Note: KEY_SIZE=1024 below is what was used when these notes were written; 1024-bit RSA is no longer considered adequate, so set it to 2048 or higher for any new deployment.

    Code:

    #cd /openvpn-2.0.5/easy-rsa/2.0
    #vim vars
    export D=`pwd`
    export KEY_CONFIG=$D/openssl.cnf
    export KEY_DIR=$D/keys
    export KEY_SIZE=1024
    export KEY_COUNTRY=CN
    export KEY_PROVINCE=BEIJING
    export KEY_CITY=BEIJING
    export KEY_ORG="yijiaxin.com"
    export KEY_EMAIL="xuezm@yijiaxin.com"
   
    #source vars

    #./clean-all
    #./build-ca

    Generating a 1024 bit RSA private key
    ................++++++
    ........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BEIJING]:
    Locality Name (eg, city) [BEIJING]:
    Organization Name (eg, company) [yijiaxin.com]:
    Organizational Unit Name (eg, section) []:yijiaxin.com
    Common Name (eg, your name or your server's hostname) []:server
    Email Address [xuezm@yijiaxin.com]:

    # Build the server key. Code:

    #./build-key-server server

    Generating a 1024 bit RSA private key
    ......++++++
    ....................++++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BEIJING]:
    Locality Name (eg, city) [BEIJING]:
    Organization Name (eg, company) [yijiaxin.com]:
    Organizational Unit Name (eg, section) []:yijiaxin.com
    Common Name (eg, your name or your server's hostname) []:server
    Email Address [xuezm@yijiaxin.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:yijiaxin
    An optional company name []:yijiaxin.com
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'BEIJING'
    localityName          :PRINTABLE:'BEIJING'
    organizationName      :PRINTABLE:'yijiaxin.com'
    organizationalUnitName:PRINTABLE:'yijiaxin.com'
    commonName            :PRINTABLE:'server'
    emailAddress          :IA5STRING:'xuezm@yijiaxin.com'
    Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    # Generate the client key

    Code:

    #./build-key client1
    Generating a 1024 bit RSA private key
    .....++++++
    ......++++++
    writing new private key to 'client1.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BEIJING]:
    Locality Name (eg, city) [BEIJING]:
    Organization Name (eg, company) [yijiaxin.com]:
    Organizational Unit Name (eg, section) []:yijiaxin.com
    Common Name (eg, your name or your server's hostname) []:client1    # Important: every client certificate must be given a different name.
    Email Address [xuezm@yijiaxin.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:yijiaxin
    An optional company name []:yijiaxin.com
    Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'BEIJING'
    localityName          :PRINTABLE:'BEIJING'
    organizationName      :PRINTABLE:'yijiaxin.com'
    organizationalUnitName:PRINTABLE:'yijiaxin.com'
    commonName            :PRINTABLE:'client1'
    emailAddress          :IA5STRING:'xuezm@yijiaxin.com'
    Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    Generate the other client certificates/keys the same way

    Code:

    #./build-key client2
    #./build-key client3

    Note: at the Common Name (eg, your name or your server's hostname) []: prompt, each certificate must be given a different name. The server identifies clients by this name, and openssl ca refuses to sign a second certificate with a subject that is already in index.txt (the familiar "TXT_DB error number 2"). The challenge password asked for under 'extra' attributes is a CSR attribute that neither easy-rsa nor OpenVPN uses; it does not protect the key file.
    Generate the Diffie-Hellman parameters. Code:

    #./build-dh

    Pack up the keys directory and download it to your workstation. Keep in mind that this directory also holds ca.key, the CA's private key: whoever has it can issue certificates the server will accept, so it stays with the administrator and is never bundled into a client package.
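The easy-rsa steps above are interactive and hide what is actually being signed. The script below is an added example, not part of the original page or of easy-rsa: it builds the same PKI (CA, server certificate, client certificates, DH parameters) non-interactively with plain openssl, using the DN values from this page. It assumes openssl is on PATH and that the caller supplies the output directory; the function names are this example's own. It uses 2048-bit keys instead of the page's 1024, gives the server and client certificates the nsCertType/extendedKeyUsage extensions that the client's ns-cert-type server check depends on, refuses to issue a CN twice, and verifies the result the way the peers will at handshake time. build_dh can take minutes.

```shell
#!/bin/sh
# Added example (not from the original page): the easy-rsa steps above done
# non-interactively with plain openssl. Assumes openssl is on PATH; the
# output directory and DN prefix come from the caller.
set -eu

DAYS=3650
KEY_SIZE=2048   # the page's vars file uses 1024; that is too small today

# Build the CA. Its private key is created 0600 and must never leave this host.
build_ca() {
  dir=$1; subj=$2
  (umask 077; openssl genrsa -out "$dir/ca.key" $KEY_SIZE 2>/dev/null)
  openssl req -new -key "$dir/ca.key" -subj "$subj/CN=ca" \
    -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -days $DAYS -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  : > "$dir/issued.txt"   # one CN per line; stands in for easy-rsa's index.txt
}

# issue_cert DIR NAME ROLE SUBJ: sign a server or client certificate.
# ROLE selects the nsCertType/extendedKeyUsage extensions that the client's
# "ns-cert-type server" check relies on. A CN that was already issued is
# refused, which is the rule behind "every client needs a different name".
issue_cert() {
  dir=$1; name=$2; role=$3; subj=$4
  if grep -qx "$name" "$dir/issued.txt"; then
    echo "refusing: CN '$name' already issued" >&2
    return 1
  fi
  case $role in
    server) printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/$name.ext" ;;
    client) printf 'nsCertType=client\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/$name.ext" ;;
    *) echo "role must be server or client" >&2; return 1 ;;
  esac
  (umask 077; openssl genrsa -out "$dir/$name.key" $KEY_SIZE 2>/dev/null)
  openssl req -new -key "$dir/$name.key" -subj "$subj/CN=$name" \
    -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -days $DAYS -in "$dir/$name.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
  echo "$name" >> "$dir/issued.txt"
}

# verify_cert DIR NAME PURPOSE: chain check plus purpose check (sslserver or
# sslclient), i.e. what the peer does with the certificate at handshake time.
verify_cert() {
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# cert_cn DIR NAME: the Common Name actually written into the certificate.
cert_cn() {
  openssl x509 -in "$1/$2.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Diffie-Hellman parameters; this can take minutes.
build_dh() { openssl dhparam -out "$1/dh2048.pem" 2048 2>/dev/null; }

# Usage: sh build-pki.sh /path/to/keys
if [ $# -eq 1 ]; then
  out=$1; subj="/C=CN/ST=BEIJING/L=BEIJING/O=yijiaxin.com"
  mkdir -p "$out"
  build_ca "$out" "$subj"
  issue_cert "$out" server server "$subj"
  issue_cert "$out" client1 client "$subj"
  issue_cert "$out" client2 client "$subj"
  build_dh "$out"
  echo "issued: $(tr '\n' ' ' < "$out/issued.txt")"
fi
```

The purpose check is the useful part: a certificate issued with role client fails verify_cert ... sslserver, which is exactly what ns-cert-type server in client.conf enforces so that a stolen client certificate cannot be used to impersonate the server.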

    Create the server configuration file

    Start from the sample file:

    Code:

    #cd $dir/sample-config-files/   # the sample-config-files subdirectory of the unpacked source tree
    #cp server.conf /usr/local/etc  # copy the server config file to /usr/local/etc
    #vi /usr/local/etc/server.conf

    The server.conf I built (comments and blank lines stripped):
# cat server.conf  | grep -v ^$ | grep -v ^# | grep -v ^\;
local 192.168.11.27
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh /usr/local/etc/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 202.106.0.20"
     # ca.crt, server.crt, server.key and dh1024.pem must be copied from the keys directory into the same directory as server.conf. The ca, cert and key paths above are relative, and OpenVPN resolves them against the directory it is started from, so either start it from /usr/local/etc or use absolute paths as for dh. server.key should be readable by root only (chmod 600).

    Create the client configuration file

    Code:

    #cd $dir/sample-config-files/   # the sample-config-files subdirectory of the unpacked source tree
    #cp client.conf /usr/local/etc  # copy the client config file to /usr/local/etc (staging only; it is downloaded to the client later)
    #vi /usr/local/etc/client.conf
    client
        dev tun
        proto udp
        remote 192.168.11.27 1194
        persist-key
        persist-tun
        ca ca.crt
        cert client.crt
        key client.key
        ns-cert-type server
        comp-lzo
        verb 3
        redirect-gateway def1
    Note: ns-cert-type server makes the client accept only a certificate built with build-key-server (it carries the nsCertType=server extension), so a stolen client certificate cannot be used to impersonate the server. On OpenVPN 2.1 and later, remote-cert-tls server is the replacement for this directive.

  #cd /openvpn-2.0.5/easy-rsa/2.0/keys
  #cp ca.crt server.crt server.key dh1024.pem /usr/local/etc/   # copy the server's certificate files; ca.key stays in the keys directory
    Start OpenVPN: openvpn --config [server config file]. Run it from the config directory so the relative ca/cert/key paths resolve (or add a cd /usr/local/etc line to server.conf); --daemon is the proper way to background it. Code:

    cd /usr/local/etc
    /usr/local/sbin/openvpn --config /usr/local/etc/server.conf  &
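Most first-start failures with this layout are a file that was not copied next to server.conf, a relative path that does not resolve from the directory OpenVPN was started in, or a world-readable server.key. The pre-flight check below is an added example, not part of the original page or of OpenVPN: it reads the ca/cert/key/dh directives from a config file (honouring # and ; comments, including the inline one on the key line), resolves relative paths against the config's own directory as the note above requires, and checks that each file exists and that the private key is not group/world readable. It assumes a POSIX shell with sed and ls; the function names are this example's own, and the same function works for client.conf by passing ca cert key only.

```shell
#!/bin/sh
# Added pre-flight check for the OpenVPN config files built above (not part of
# the original page). Relative paths in the config are resolved against the
# directory the config file sits in, which matches starting openvpn from
# /usr/local/etc as described above.
set -eu

# conf_value FILE DIRECTIVE: first argument of a directive, ignoring # and ;
# comments (OpenVPN accepts inline comments such as "key server.key  # secret").
conf_value() {
  conf=$1; key=$2
  sed -n -e 's/[#;].*//' \
         -e "s/^[[:space:]]*$key[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\).*/\1/p" \
         "$conf" | head -n 1
}

# resolve_path CONF PATH: absolute paths as given, relative ones against the
# config file's directory.
resolve_path() {
  case $2 in
    /*) printf '%s\n' "$2" ;;
    *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
  esac
}

# go_perms FILE: the group/other permission columns of ls -l, e.g. "------".
go_perms() { ls -l "$1" | cut -c5-10; }

# check_conf FILE DIRECTIVE...: every directive must be present and point at an
# existing file; the private key must not be group/world readable.
# Returns 0 when clean, 1 otherwise; findings go to stderr.
check_conf() {
  conf=$1; shift; rc=0
  for d in "$@"; do
    v=$(conf_value "$conf" "$d")
    if [ -z "$v" ]; then
      echo "$conf: directive '$d' missing" >&2; rc=1; continue
    fi
    p=$(resolve_path "$conf" "$v")
    if [ ! -f "$p" ]; then
      echo "$conf: $d -> $p not found (copy it next to the config)" >&2; rc=1; continue
    fi
    if [ "$d" = key ] && [ "$(go_perms "$p")" != "------" ]; then
      echo "$conf: $p is readable by group/others; run chmod 600 $p" >&2; rc=1
    fi
  done
  return $rc
}

# Usage: sh check-openvpn-conf.sh /usr/local/etc/server.conf
#        sh check-openvpn-conf.sh /path/to/client.conf   (no dh directive)
if [ $# -eq 1 ]; then
  case $1 in
    *client*) check_conf "$1" ca cert key ;;
    *)        check_conf "$1" ca cert key dh ;;
  esac && echo "$1: ok"
fi
```

Run it from any directory: the checker resolves paths relative to the config file, so if it passes but OpenVPN still cannot find ca.crt, the daemon was started from somewhere other than /usr/local/etc.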

3. Installing the OpenVPN GUI for Windows client

    Install the OpenVPN GUI for Windows, downloaded from http://openvpn.se. The current version is 1.0.3. Note: the OpenVPN GUI version must match the OpenVPN server version; see the note in section 1, installation environment.
    Follow the on-screen instructions to install the OpenVPN GUI.
    Configure the OpenVPN GUI

    After installation, go to the config directory under the installation folder, download the client.conf file created above from the server into this folder, and rename it client.ovpn

    Also copy the following files from the server to the local machine, renaming them as shown:

    ca.crt
    client1.crt ----->client.crt
    client1.key ----->client.key

    Only these three are needed. Do not copy ca.key: it is the CA's private key, belongs on the administrator's machine only, and anyone holding it can issue certificates the server trusts. client1.csr is the signing request and serves no purpose on the client either. Move client.key over an authenticated channel (scp or a password-protected archive), not plain FTP or e-mail.

    Then double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI's controls.

    If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI icon in the taskbar, choose Edit Config, paste the contents in and save. Then right-click again and choose Connect.

    To use the VPN from a second machine, repeat the same configuration, substituting the corresponding client2.xxx files for client1.crt and client1.key, and change the matching cert/key file names in client.ovpn.