References:
(1) http://www.xiaohui.com/dev/server/20070514-install-openvpn.htm
(2) http://blog.sina.com.cn/s/blog_86fbdd650101a0ax.html
(3) http://www.ccpt.cc/cross-wall-by-openvpn-at-centos/
Environment:
server: CentOS 6.3, OpenVPN 2.3.2
client: Windows 7 64-bit, OpenVPN GUI 2.3.2
I. Server-side configuration
1. Install the base libraries
rpm -q prints "package X is not installed" for anything missing, so the loop below installs only those packages:
[root@demo openvpn]# for i in $(rpm -q gcc gcc-c++ openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig | grep 'not installed' | awk '{print $2}'); do yum -y install $i; done
Install the lzo compression library
Without it, configure fails with: configure: error: lzo enabled but missing
[root@demo openvpn]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
[root@demo openvpn]# tar zxvf lzo-2.06.tar.gz
[root@demo openvpn]# cd lzo-2.06
[root@demo openvpn]# ./configure --prefix=/usr/local/
[root@demo openvpn]# make && make install
2. Install OpenVPN 2.3.2
The release tarballs on swupdate.openvpn.org come with detached GPG signatures (.asc); verify the download against the project's signing key before building and installing it as root.
[root@demo openvpn]# wget -c http://swupdate.openvpn.org/community/releases/openvpn-2.3.2.tar.gz
[root@demo openvpn]# tar zxvf openvpn-2.3.2.tar.gz
[root@demo openvpn]# cd openvpn-2.3.2
[root@demo openvpn]# ./configure --prefix=/usr/local/openvpn
[root@demo openvpn]# make && make install
3. Configure OpenVPN
Pull easy-rsa from GitHub: https://github.com/OpenVPN/easy-rsa
After downloading it, create the directory /etc/openvpn,
copy easy-rsa into it (with cp), then go into that directory:
[root@demo openvpn]# mkdir /etc/openvpn
[root@demo openvpn]# cp -arp easy-rsa /etc/openvpn/
Let's see what is in there:
[root@demo openvpn]# ll /etc/openvpn/easy-rsa/easy-rsa/2.0/
total 112
-rw-r--r--. 1 root root   119 Jul  5 10:49 build-ca
-rw-r--r--. 1 root root   352 Jul  5 10:49 build-dh
-rw-r--r--. 1 root root   188 Jul  5 10:49 build-inter
-rw-r--r--. 1 root root   163 Jul  5 10:49 build-key
-rw-r--r--. 1 root root   157 Jul  5 10:49 build-key-pass
-rw-r--r--. 1 root root   249 Jul  5 10:49 build-key-pkcs12
-rw-r--r--. 1 root root   268 Jul  5 10:49 build-key-server
-rw-r--r--. 1 root root   213 Jul  5 10:49 build-req
-rw-r--r--. 1 root root   158 Jul  5 10:49 build-req-pass
-rw-r--r--. 1 root root   449 Jul  5 10:49 clean-all
-rw-r--r--. 1 root root  1471 Jul  5 10:49 inherit-inter
-rw-r--r--. 1 root root   302 Jul  5 10:49 list-crl
-rw-r--r--. 1 root root  7791 Jul  5 10:49 openssl-0.9.6.cnf
-rw-r--r--. 1 root root  8348 Jul  5 10:49 openssl-0.9.8.cnf
-rw-r--r--. 1 root root  8245 Jul  5 10:49 openssl-1.0.0.cnf
-rw-r--r--. 1 root root 12984 Jul  5 10:49 pkitool
-rw-r--r--. 1 root root   928 Jul  5 10:49 revoke-full
-rw-r--r--. 1 root root   178 Jul  5 10:49 sign-req
-rw-r--r--. 1 root root  2077 Jul  5 10:49 vars
-rw-r--r--. 1 root root   740 Jul  5 10:49 whichopensslcnf
Note: the scripts need the execute bit set:
[root@demo openvpn]# chmod +x /etc/openvpn/easy-rsa/easy-rsa/2.0/*
[root@demo openvpn]# ll /etc/openvpn/easy-rsa/easy-rsa/2.0/
total 112
-rwxr-xr-x. 1 root root   119 Jul  5 10:49 build-ca
-rwxr-xr-x. 1 root root   352 Jul  5 10:49 build-dh
-rwxr-xr-x. 1 root root   188 Jul  5 10:49 build-inter
-rwxr-xr-x. 1 root root   163 Jul  5 10:49 build-key
-rwxr-xr-x. 1 root root   157 Jul  5 10:49 build-key-pass
-rwxr-xr-x. 1 root root   249 Jul  5 10:49 build-key-pkcs12
-rwxr-xr-x. 1 root root   268 Jul  5 10:49 build-key-server
-rwxr-xr-x. 1 root root   213 Jul  5 10:49 build-req
-rwxr-xr-x. 1 root root   158 Jul  5 10:49 build-req-pass
-rwxr-xr-x. 1 root root   449 Jul  5 10:49 clean-all
-rwxr-xr-x. 1 root root  1471 Jul  5 10:49 inherit-inter
-rwxr-xr-x. 1 root root   302 Jul  5 10:49 list-crl
-rwxr-xr-x. 1 root root  7791 Jul  5 10:49 openssl-0.9.6.cnf
-rwxr-xr-x. 1 root root  8348 Jul  5 10:49 openssl-0.9.8.cnf
-rwxr-xr-x. 1 root root  8245 Jul  5 10:49 openssl-1.0.0.cnf
-rwxr-xr-x. 1 root root 12984 Jul  5 10:49 pkitool
-rwxr-xr-x. 1 root root   928 Jul  5 10:49 revoke-full
-rwxr-xr-x. 1 root root   178 Jul  5 10:49 sign-req
-rwxr-xr-x. 1 root root  2077 Jul  5 10:49 vars
-rwxr-xr-x. 1 root root   740 Jul  5 10:49 whichopensslcnf
4. Generate the CA certificate
Edit the vars file:
[root@demo openvpn]# cd /etc/openvpn/easy-rsa/easy-rsa/2.0/
[root@demo 2.0]# vim vars
................
export KEY_COUNTRY="CN"
export KEY_PROVINCE="LN"
export KEY_CITY="ChengDu"
export KEY_ORG="xxxx"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOpenVPN"
.................
Fill these in to suit your own situation.
Save and quit when done.
Then:
[root@demo 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/easy-rsa/2.0/keys
If ./clean-all or ./build-ca is run before this step, you get the following messages:
[root@demo openvpn]# ./clean-all
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
[root@demo openvpn]# ./build-ca
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
In short: edit vars, run source ./vars, and only then run the tools.
So, back to source ./vars; after it, run ./clean-all.
That step is for the case where a keys/ directory already exists and you want to regenerate everything from the edited vars; on a first install it can be skipped. It does an rm -rf on keys/, so never run it against a PKI that is already in use.
[root@demo 2.0]# ./clean-all
Then run ./build-ca to create the CA certificate:
[root@demo 2.0]# ./build-ca
Generating a 2048 bit RSA private key
....+++
.............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [xxxx CA]:
Name [EasyRSA]:
Email Address [[email protected]]:
Just press Enter through the prompts (or type in whatever you like), and the keys/ directory is initialized.
Let's see what keys/ contains now:
[root@demo 2.0]# ll keys/
total 12
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial
ca.key is the root of trust for every certificate this server will accept. It is created mode 0600; keep it that way, and once you are done issuing certificates keep it off the VPN host if you can.
5. Generate the DH file
Next, generate the Diffie-Hellman parameters with ./build-dh:
[root@demo 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........+.............................................................................................................+..........................................................................................................++*++*
[root@demo 2.0]# !ll
ll keys/
total 16
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root  424 Oct 19 00:42 dh2048.pem
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial
6. Generate the server certificate
Run ./build-key-server [certificate name] to issue the server's certificate. Use build-key-server rather than build-key here: it adds the server extensions (nsCertType=server, extendedKeyUsage=serverAuth) to the certificate, which is what the client's ns-cert-type server option checks so that a stolen client certificate cannot pose as the server.
[root@demo 2.0]# ./build-key-server OpenVPN_Server
Generating a 2048 bit RSA private key
..+++
..+++
writing new private key to 'OpenVPN_Server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [OpenVPN_Server]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'LN'
localityName          :PRINTABLE:'ChengDu'
organizationName      :PRINTABLE:'xxxx'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :T61STRING:'OpenVPN_Server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 16 16:43:29 2023 GMT (3650 days)
Sign the certificate? [y/n]:y          (note: answer y here)
1 out of 1 certificate requests certified, commit? [y/n]y          (note: answer y here)
Write out database with 1 new entries
Data Base Updated
That's the server certificate done; keys/ has grown again:
[root@demo 2.0]# !ll
ll keys/
total 52
-rw-r--r--. 1 root root 5373 Oct 19 00:43 01.pem
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root  424 Oct 19 00:42 dh2048.pem
-rw-r--r--. 1 root root  125 Oct 19 00:43 index.txt
-rw-r--r--. 1 root root   21 Oct 19 00:43 index.txt.attr
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt.old
-rw-r--r--. 1 root root 5373 Oct 19 00:43 OpenVPN_Server.crt
-rw-r--r--. 1 root root 1066 Oct 19 00:43 OpenVPN_Server.csr
-rw-------. 1 root root 1704 Oct 19 00:43 OpenVPN_Server.key
-rw-r--r--. 1 root root    3 Oct 19 00:43 serial
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial.old
7. Generate a client certificate
Next I issued a client certificate for myself (these files will be copied to the client later so it can authenticate to the server):
[root@demo 2.0]# ./build-key user-hy
Generating a 2048 bit RSA private key
...+++
....................................................................+++
writing new private key to 'user-hy.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [user-hy]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'LN'
localityName          :PRINTABLE:'ChengDu'
organizationName      :PRINTABLE:'xxxx'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :PRINTABLE:'user-hy'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 16 16:45:15 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Now pack the CA certificate and the client's certificate and key for download, so the client can use them to authenticate. Only ca.crt, user-hy.crt and user-hy.key belong in this bundle: ca.key is the CA signing key, and whoever holds it can issue certificates your server will trust, so it must never leave the server (a glob such as ca.* would sweep it in); the .csr is of no use to the client. Transfer the archive over an authenticated channel such as scp, since it carries the client's private key.
[root@demo 2.0]# cd keys/
[root@demo keys]# tar -zcvf keys.tar.gz ca.crt user-hy.crt user-hy.key
ca.crt
user-hy.crt
user-hy.key
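The PKI steps above, as an added check script (not part of the original post, and not easy-rsa's code): it builds a throwaway CA, server certificate and client certificate with plain openssl in a temporary directory, then verifies the three things worth confirming before a bundle leaves the server: that the certificates chain to ca.crt, that only the server certificate carries the server extensions the client's ns-cert-type server option checks, and that the client tarball contains no ca.key. The certificate names mirror the post; the extension files, the 10-day validity and the temporary directory are assumptions for the example. It runs as an unprivileged user and touches nothing outside the temp dir.

```shell
#!/bin/sh
# Added example, not from the original post or from easy-rsa: build a throwaway
# PKI with plain openssl in a temp dir and run the checks worth doing before a
# client bundle leaves the server:
#   1. every certificate chains to ca.crt;
#   2. the server certificate carries the server-only extensions that the
#      client's "ns-cert-type server" relies on, and the client cert does not;
#   3. the client tarball contains no ca.key.
# Names (OpenVPN_Server, user-hy) mirror the post; everything else is assumed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extensions easy-rsa's build-key-server puts on a server certificate.
printf '%s\n' 'basicConstraints=CA:FALSE' 'nsCertType=server' \
    'extendedKeyUsage=serverAuth' 'keyUsage=digitalSignature,keyEncipherment' > server_ext.cnf
# Extensions easy-rsa's build-key puts on a client certificate.
printf '%s\n' 'basicConstraints=CA:FALSE' 'nsCertType=client' \
    'extendedKeyUsage=clientAuth' 'keyUsage=digitalSignature' > client_ext.cnf
# Extensions for the CA itself (so "openssl verify" accepts it as an issuer).
printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=keyCertSign,cRLSign' > ca_ext.cnf

# Throwaway CA: 2048-bit RSA, self-signed, valid 10 days (stand-in for build-ca).
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo CA' -keyout ca.key -out ca.csr 2>/dev/null
openssl x509 -req -days 10 -in ca.csr -signkey ca.key -extfile ca_ext.cnf -out ca.crt 2>/dev/null

# issue_cert NAME EXTFILE: key, CSR and CA-signed certificate for NAME
# (stand-in for build-key-server / build-key).
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days 10 -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile "$2" -out "$1.crt" 2>/dev/null
}
issue_cert OpenVPN_Server server_ext.cnf
issue_cert user-hy client_ext.cnf

# chains_to_ca CERT: succeeds if CERT verifies against ca.crt.
chains_to_ca() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

# is_server_cert CERT: succeeds if CERT has nsCertType=server and the
# serverAuth EKU, which is what the client-side server check demands.
is_server_cert() {
    openssl x509 -in "$1" -noout -text > "$1.txt"
    grep -q 'SSL Server' "$1.txt" && grep -q 'TLS Web Server Authentication' "$1.txt"
}

# bundle_leaks_ca_key TARBALL: succeeds if ca.key is inside the bundle.
bundle_leaks_ca_key() { tar -tzf "$1" | grep -qx 'ca.key'; }

# The post's globbed tar line (which pulls in ca.key) beside an explicit file list.
tar -czf bad.tar.gz user-hy.* ca.*
tar -czf good.tar.gz ca.crt user-hy.crt user-hy.key

yn() { "$@" >/dev/null 2>&1 && echo yes || echo no; }
echo "server cert chains to CA:      $(yn chains_to_ca OpenVPN_Server.crt)"
echo "client cert chains to CA:      $(yn chains_to_ca user-hy.crt)"
echo "server cert is server-typed:   $(yn is_server_cert OpenVPN_Server.crt)"
echo "client cert is server-typed:   $(yn is_server_cert user-hy.crt)"
echo "globbed bundle leaks ca.key:   $(yn bundle_leaks_ca_key bad.tar.gz)"
echo "explicit bundle leaks ca.key:  $(yn bundle_leaks_ca_key good.tar.gz)"
```

The same three functions work against a real easy-rsa keys/ directory: point chains_to_ca and is_server_cert at the .crt files there, and bundle_leaks_ca_key at the keys.tar.gz you are about to copy to the client.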
8. Edit the server-side configuration file
Copy server.conf into /etc/openvpn and edit it:
[root@demo openvpn]# cp -arp /home/openvpn/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
[root@demo openvpn]# vim /etc/openvpn/server.conf
....
....
# TCP or UDP server?
proto tcp
;proto udp
....
ca /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/OpenVPN_Server.crt
key /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/OpenVPN_Server.key  # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/dh2048.pem
The cert and key names must match what build-key-server produced in step 6 (OpenVPN_Server.crt / .key); a typo here makes openvpn exit at start-up with a "Cannot load certificate file" error. Of the CA only ca.crt is read; ca.key sits in the same directory but the running server never needs it, so move it somewhere safer once you are done issuing certificates.
....
....
server 10.8.0.0 255.255.255.0
The subnet the VPN hands out to clients. Any private range works, so there is no need to change it.
....
....
;push "route 192.168.20.0 255.255.255.0"
Pushes a route to the clients; only needed if there is a LAN behind the server that clients should reach.
....
....
;push "redirect-gateway def1 bypass-dhcp"
Change it to:
push "redirect-gateway def1"
This routes all client traffic through the tunnel, which is why the NAT setup in section III is needed.
....
....
;client-to-client
Uncomment to let clients reach each other through the server's forwarding. Leave it commented unless you need it: it widens what one compromised client can reach.
....
....
;duplicate-cn
Only needed if several clients connect with certificates that share one Common Name; without it, a second connection with the same CN replaces the first. Keep it commented and issue one certificate per client, so a lost or compromised client can be revoked on its own.
....
....
comp-lzo
Compression; the server and client settings must match.
....
....
user nobody
group nobody
The account openvpn switches to after start-up; uncomment both so it does not keep running as root.
....
....
;log         openvpn.log
;log-append  openvpn.log
These set the log file and whether it is truncated or appended to on each start; use one or the other. I changed it to:
log-append /opt/openvpn/log/openvpn.log
(the /opt/openvpn/log directory has to exist before openvpn is started.)
....
....
Since I installed openvpn under /usr/local/, make a symlink into sbin so it is on the path for later use (ordinary users still cannot start or stop it):
[root@demo openvpn]# ln -s /usr/local/openvpn/sbin/openvpn /sbin/openvpn
[root@demo openvpn]# openvpn --daemon --config /etc/openvpn/server.conf
Without --daemon it runs in the foreground of the shell, which is useful for a first start because certificate-path or log-directory errors are printed straight to the terminal.
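A pre-flight lint for server.conf, added here as an example (not the post's code and not OpenVPN's): it reads a config with awk and flags the problems from the section above that otherwise show up only at start-up, or never: a ca/cert/key/dh path that does not exist (the OpenVPN_Serve.crt typo), ca.key left in the directory the ca directive points at, log and log-append both active, and no user/group privilege drop. The two configs and the empty key files are constructed in a temp dir; the "live" directory holding only the runtime files is an assumption about how one would lay things out.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight lint for server.conf
# that catches mistakes which otherwise only surface at start-up (or never):
# a ca/cert/key/dh path that does not exist (the post's OpenVPN_Serve.crt typo),
# the CA signing key sitting in the directory the "ca" directive points at,
# both "log" and "log-append" active, and no privilege drop. The configs and
# files below are constructed in a temp dir; all paths are assumptions.
set -eu
WORK=$(mktemp -d)
mkdir -p "$WORK/easy-rsa/keys" "$WORK/live"
for f in ca.crt ca.key OpenVPN_Server.crt OpenVPN_Server.key dh2048.pem; do
    : > "$WORK/easy-rsa/keys/$f"
done
for f in ca.crt OpenVPN_Server.crt OpenVPN_Server.key dh2048.pem; do
    cp "$WORK/easy-rsa/keys/$f" "$WORK/live/"        # runtime copies, no ca.key
done

# The post's configuration, reduced to the directives that matter here.
cat > "$WORK/server.conf" <<EOF
port 1194
proto tcp
ca   $WORK/easy-rsa/keys/ca.crt
cert $WORK/easy-rsa/keys/OpenVPN_Serve.crt
key  $WORK/easy-rsa/keys/OpenVPN_Serve.key
dh   $WORK/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
;user nobody
;group nobody
log $WORK/openvpn.log
log-append $WORK/openvpn.log
EOF

# The same configuration with the problems fixed.
cat > "$WORK/server.fixed.conf" <<EOF
port 1194
proto tcp
ca   $WORK/live/ca.crt
cert $WORK/live/OpenVPN_Server.crt
key  $WORK/live/OpenVPN_Server.key
dh   $WORK/live/dh2048.pem
server 10.8.0.0 255.255.255.0
user nobody
group nobody
log-append $WORK/openvpn.log
EOF

# conf_value CONF DIRECTIVE: first argument of an active DIRECTIVE line.
# Lines starting with ';' or '#' never match because their first word differs.
conf_value() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }
# conf_has CONF DIRECTIVE: succeeds if DIRECTIVE is active (not commented out).
conf_has() { awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"; }

# missing_files CONF: prints each of ca/cert/key/dh whose path is absent.
missing_files() {
    for d in ca cert key dh; do
        p=$(conf_value "$1" "$d")
        [ -n "$p" ] && [ -f "$p" ] || echo "$d"
    done
}
# ca_key_exposed CONF: succeeds if ca.key lives beside the ca.crt openvpn reads.
# The signing key belongs offline; the VPN host only needs ca.crt.
ca_key_exposed() { [ -f "$(dirname "$(conf_value "$1" ca)")/ca.key" ]; }
# duplicate_log CONF: succeeds if both log and log-append are active.
duplicate_log() { conf_has "$1" log && conf_has "$1" log-append; }
# drops_privileges CONF: succeeds if user and group are set and not root.
drops_privileges() {
    u=$(conf_value "$1" user); g=$(conf_value "$1" group)
    [ -n "$u" ] && [ "$u" != root ] && [ -n "$g" ] && [ "$g" != root ]
}

lint() {
    echo "== $1"
    echo "missing files:      $(missing_files "$1" | tr '\n' ' ')"
    echo "ca.key exposed:     $(ca_key_exposed "$1" && echo yes || echo no)"
    echo "log + log-append:   $(duplicate_log "$1" && echo yes || echo no)"
    echo "drops privileges:   $(drops_privileges "$1" && echo yes || echo no)"
}
lint "$WORK/server.conf"
lint "$WORK/server.fixed.conf"
```

To lint a real file, call lint /etc/openvpn/server.conf; the checks only read the config and stat the paths it names, so they are safe to run on a live host before restarting the daemon.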
II. Client configuration
The client uses OpenVPN GUI; its version should match the server's (2.3.x).
It can be downloaded from http://openvpn.se/development.html, but there is no 2.3.0 build there.
So I had to go through a proxy and download it from the official site instead: openvpn.net
After downloading and installing it, configure as follows:
1. Extract the certificates downloaded from the server into the config folder.
2. Copy client.ovpn from sample-config into the config folder and make these changes:
;proto tcp
proto udp
becomes
proto tcp
;proto udp
remote my-server-1 1194
Replace my-server-1 with the address of your OpenVPN server (and 1194 with the port, if you changed it).
ns-cert-type server
Uncomment this option. It makes the client accept only a certificate carrying the server extension, which is why the server certificate had to be issued with build-key-server: without it, anyone holding another client certificate from the same CA could impersonate the server.
ca ca.crt
cert client.crt
key client.key
The certificates were just extracted into the config folder, so they already sit next to the .ovpn file; only the names need changing:
ca ca.crt
cert user-hy.crt
key user-hy.key
That's the edit done; ready to start the VPN journey.
Since I set up the client on Windows, the Linux-specific changes are skipped.
Now try connecting; it should go through.
So far the VPN is set up, but for clients to reach the internet through it, NAT still has to be configured.
Make the server forward the packets:
III. Reaching the public internet through OpenVPN (this is just iptables NAT, described briefly)
1. Add the NAT rule:
This uses iptables for the address translation; if it isn't installed, a yum install will do.
[root@demo ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source a.b.c.d
Run ifconfig first to check the state of your network interfaces.
a.b.c.d after --to-source is the server's public IP address.
venet0 is the public-facing interface. Netfilter matches -o against the kernel's device name, so give it venet0 (the device sysctl lists further down), not the ifconfig alias label venet0:0, which never matches anything. On a stock CentOS 6 firewall the FORWARD chain ends in a REJECT rule, so the SNAT rule alone is not enough: FORWARD must also accept traffic between tun0 and venet0, and INPUT must accept the port the server listens on (1194/tcp here).
Once set, save the iptables rules and restart the service:
[root@demo ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@demo ~]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: nat mangle filte[ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
2. Enable IP forwarding
First look at which settings are involved:
[root@demo ~]# sysctl -a | grep for
kernel.sched_domain.cpu0.domain0.forkexec_idx = 0
kernel.sched_domain.cpu0.domain1.forkexec_idx = 0
kernel.sched_domain.cpu1.domain0.forkexec_idx = 0
kernel.sched_domain.cpu1.domain1.forkexec_idx = 0
kernel.sched_domain.cpu2.domain0.forkexec_idx = 0
kernel.sched_domain.cpu2.domain1.forkexec_idx = 0
kernel.sched_domain.cpu3.domain0.forkexec_idx = 0
kernel.sched_domain.cpu3.domain1.forkexec_idx = 0
kernel.sched_domain.cpu4.domain0.forkexec_idx = 0
kernel.sched_domain.cpu4.domain1.forkexec_idx = 0
kernel.sched_domain.cpu5.domain0.forkexec_idx = 0
kernel.sched_domain.cpu5.domain1.forkexec_idx = 0
kernel.sched_domain.cpu6.domain0.forkexec_idx = 0
kernel.sched_domain.cpu6.domain1.forkexec_idx = 0
kernel.sched_domain.cpu7.domain0.forkexec_idx = 0
kernel.sched_domain.cpu7.domain1.forkexec_idx = 0
kernel.shm_rmid_forced = 0
dev.cdrom.info = CD-ROM information, Id: cdrom.c 3.20 2003/12/17
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.force_igmp_version = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.venet0.forwarding = 0
net.ipv4.conf.venet0.mc_forwarding = 0
net.ipv4.conf.venet0.force_igmp_version = 0
net.ipv4.ip_forward = 0
Set the ones that concern IP forwarding to 1. net.ipv4.ip_forward is the global switch (net.ipv4.conf.all.forwarding is the same knob seen from the other side); the rest are per interface. sysctl -w is not persistent: also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf (CentOS 6 ships it as 0) and load it with sysctl -p, or the VPN stops forwarding after the next reboot.
Now change them:
[root@demo ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@demo ~]# sysctl -w net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.forwarding = 1
[root@demo ~]# sysctl -w net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.forwarding = 1
[root@demo ~]# sysctl -w net.ipv4.conf.lo.forwarding=1
net.ipv4.conf.lo.forwarding = 1
[root@demo ~]# sysctl -w net.ipv4.conf.venet0.forwarding=1
net.ipv4.conf.venet0.forwarding = 1
Check again after changing them so nothing is missed.
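The firewall and sysctl steps above, as an added lint (example code, not from the post): it checks an iptables-save style dump and a sysctl.conf fragment for what a working gateway needs beyond the single SNAT line: the -o naming a device rather than an alias label, FORWARD accepting tun0 traffic in both directions before its REJECT, INPUT accepting 1194/tcp, and ip_forward=1 persisted. Both rulesets are constructed here; the "before" one mirrors a stock CentOS 6 ruleset with the post's SNAT line added, and 198.51.100.7 is a documentation address standing in for a.b.c.d.

```shell
#!/bin/sh
# Added example, not from the original post: lint an iptables-save dump and a
# sysctl.conf fragment for what the post's single SNAT line leaves out on a
# stock CentOS 6 host. Both rulesets below are constructed; 198.51.100.7 is a
# documentation address standing in for the server's public IP.
set -eu

# Constructed: stock CentOS 6 rules after the post's SNAT line and
# "service iptables save". FORWARD still ends in REJECT and -o names an alias.
BEFORE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j SNAT --to-source 198.51.100.7
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed: the same host with the rules a working VPN gateway needs.
AFTER='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 198.51.100.7
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i tun0 -o venet0 -j ACCEPT
-A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

SYSCTL_BEFORE='net.ipv4.ip_forward = 0'   # what CentOS 6 ships in /etc/sysctl.conf
SYSCTL_AFTER='net.ipv4.ip_forward = 1'

# has_snat SUBNET RULES: a POSTROUTING SNAT/MASQUERADE rule for SUBNET exists.
has_snat() {
    printf '%s\n' "$2" | grep -qE -- "^-A POSTROUTING .*-s $1 .*-j (SNAT|MASQUERADE)"
}
# snat_out_is_device RULES: the -o of that rule is a device name, not an
# ifconfig alias label such as venet0:0 (netfilter matches on device names).
snat_out_is_device() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING / { for (i = 1; i <= NF; i++) if ($i == "-o") dev = $(i+1) }
        END { exit !(dev != "" && dev !~ /:/) }'
}
# forward_allows_tun RULES: FORWARD accepts tun0 traffic in both directions
# before any REJECT/DROP rule in that chain.
forward_allows_tun() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / {
            if ($0 ~ /-j (REJECT|DROP)/ && !(in_ok && out_ok)) bad = 1
            if ($0 ~ /-i tun0/ && $0 ~ /-j ACCEPT/) in_ok = 1
            if (($0 ~ /-o tun0/ || $0 ~ /RELATED,ESTABLISHED/) && $0 ~ /-j ACCEPT/) out_ok = 1
        }
        END { exit !(in_ok && out_ok && !bad) }'
}
# input_allows_port PORT PROTO RULES: INPUT accepts PORT/PROTO before its REJECT.
input_allows_port() {
    printf '%s\n' "$3" | awk -v port="$1" -v proto="$2" '
        /^-A INPUT / {
            if ($0 ~ /-j (REJECT|DROP)/ && !ok) bad = 1
            if ($0 ~ ("-p " proto) && $0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/) ok = 1
        }
        END { exit !(ok && !bad) }'
}
# forwarding_persisted SYSCTL_TEXT: ip_forward=1 will survive a reboot.
forwarding_persisted() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

yn() { "$@" && echo yes || echo no; }
report() {   # report LABEL RULES SYSCTL_TEXT
    echo "== $1"
    echo "SNAT for 10.8.0.0/24:          $(yn has_snat 10.8.0.0/24 "$2")"
    echo "SNAT -o is a real device:      $(yn snat_out_is_device "$2")"
    echo "FORWARD passes tun0 traffic:   $(yn forward_allows_tun "$2")"
    echo "INPUT accepts 1194/tcp:        $(yn input_allows_port 1194 tcp "$2")"
    echo "ip_forward persisted:          $(yn forwarding_persisted "$3")"
}
report "after the post's steps" "$BEFORE" "$SYSCTL_BEFORE"
report "with the missing rules" "$AFTER" "$SYSCTL_AFTER"
```

On the real host, feed it the live state: report live "$(iptables-save)" "$(cat /etc/sysctl.conf)". The two FORWARD rules and the INPUT rule in the "after" set are exactly what has to be added before service iptables save for the post's SNAT line to carry traffic on a default CentOS 6 firewall.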
3. Configure DNS
Uncomment the following in server.conf:
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
10.8.0.1 is the server's own tunnel address, so that line only helps if a resolver is listening there; otherwise keep just the public resolvers. The Windows client applies these as the TAP adapter's DNS servers. That's it.
That completes everything; start the OpenVPN server (if it is already running, stop it first with killall openvpn, since the config changes need a restart):
[root@demo ~]# openvpn --daemon --config /etc/openvpn/server.conf