CentOS 6.3: building OpenVPN 2.3.2 from source

References:

(1) http://www.xiaohui.com/dev/server/20070514-install-openvpn.htm

(2) http://blog.sina.com.cn/s/blog_86fbdd650101a0ax.html

(3) http://www.ccpt.cc/cross-wall-by-openvpn-at-centos/


Environment:

server: CentOS 6.3, OpenVPN 2.3.2

client: Windows 7 64-bit, OpenVPN GUI 2.3.2

I. Server-side configuration


1. Install the base libraries

Install whatever is missing from the build toolchain and the OpenSSL, LZO and PAM headers. rpm -q prints "package X is not installed" for anything absent, and field 2 of that line is the package name, so the loop feeds exactly the missing packages to yum:

[root@demo openvpn]# for i in $(rpm -q gcc gcc-c++ openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig | grep 'not installed' | awk '{print $2}')
  do
       yum -y install $i;
  done

Install the LZO compression library

Without it, configure later aborts with: configure: error: lzo enabled but missing

[root@demo openvpn]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
[root@demo openvpn]# tar zxvf lzo-2.06.tar.gz
[root@demo openvpn]# cd lzo-2.06
[root@demo openvpn]# ./configure --prefix=/usr/local/
[root@demo openvpn]# make && make install

2. Install OpenVPN 2.3.2

[root@demo openvpn]# wget -c http://swupdate.openvpn.org/community/releases/openvpn-2.3.2.tar.gz
[root@demo openvpn]# tar zxvf openvpn-2.3.2.tar.gz
[root@demo openvpn]# cd openvpn-2.3.2
[root@demo openvpn]# ./configure --prefix=/usr/local/openvpn
[root@demo openvpn]# make && make install

3. Configure OpenVPN

Pull a copy of easy-rsa from GitHub: https://github.com/OpenVPN/easy-rsa

Once it is downloaded, create the directory /etc/openvpn,

copy easy-rsa into it (cp), and then go into that folder:

[root@demo openvpn]# mkdir /etc/openvpn
[root@demo openvpn]# cp -arp easy-rsa /etc/openvpn/

Have a look at what is in there (the checkout keeps the 2.x scripts under easy-rsa/easy-rsa/2.0/, which is why that directory name appears twice in every path below):

[root@demo openvpn]# ll /etc/openvpn/easy-rsa/easy-rsa/2.0/
total 112
-rw-r--r--. 1 root root   119 Jul  5 10:49 build-ca
-rw-r--r--. 1 root root   352 Jul  5 10:49 build-dh
-rw-r--r--. 1 root root   188 Jul  5 10:49 build-inter
-rw-r--r--. 1 root root   163 Jul  5 10:49 build-key
-rw-r--r--. 1 root root   157 Jul  5 10:49 build-key-pass
-rw-r--r--. 1 root root   249 Jul  5 10:49 build-key-pkcs12
-rw-r--r--. 1 root root   268 Jul  5 10:49 build-key-server
-rw-r--r--. 1 root root   213 Jul  5 10:49 build-req
-rw-r--r--. 1 root root   158 Jul  5 10:49 build-req-pass
-rw-r--r--. 1 root root   449 Jul  5 10:49 clean-all
-rw-r--r--. 1 root root  1471 Jul  5 10:49 inherit-inter
-rw-r--r--. 1 root root   302 Jul  5 10:49 list-crl
-rw-r--r--. 1 root root  7791 Jul  5 10:49 openssl-0.9.6.cnf
-rw-r--r--. 1 root root  8348 Jul  5 10:49 openssl-0.9.8.cnf
-rw-r--r--. 1 root root  8245 Jul  5 10:49 openssl-1.0.0.cnf
-rw-r--r--. 1 root root 12984 Jul  5 10:49 pkitool
-rw-r--r--. 1 root root   928 Jul  5 10:49 revoke-full
-rw-r--r--. 1 root root   178 Jul  5 10:49 sign-req
-rw-r--r--. 1 root root  2077 Jul  5 10:49 vars
-rw-r--r--. 1 root root   740 Jul  5 10:49 whichopensslcnf


Note: the scripts need the executable bit set:

[root@demo openvpn]# chmod +x /etc/openvpn/easy-rsa/easy-rsa/2.0/*
[root@demo openvpn]# ll /etc/openvpn/easy-rsa/easy-rsa/2.0/
total 112
-rwxr-xr-x. 1 root root   119 Jul  5 10:49 build-ca
-rwxr-xr-x. 1 root root   352 Jul  5 10:49 build-dh
-rwxr-xr-x. 1 root root   188 Jul  5 10:49 build-inter
-rwxr-xr-x. 1 root root   163 Jul  5 10:49 build-key
-rwxr-xr-x. 1 root root   157 Jul  5 10:49 build-key-pass
-rwxr-xr-x. 1 root root   249 Jul  5 10:49 build-key-pkcs12
-rwxr-xr-x. 1 root root   268 Jul  5 10:49 build-key-server
-rwxr-xr-x. 1 root root   213 Jul  5 10:49 build-req
-rwxr-xr-x. 1 root root   158 Jul  5 10:49 build-req-pass
-rwxr-xr-x. 1 root root   449 Jul  5 10:49 clean-all
-rwxr-xr-x. 1 root root  1471 Jul  5 10:49 inherit-inter
-rwxr-xr-x. 1 root root   302 Jul  5 10:49 list-crl
-rwxr-xr-x. 1 root root  7791 Jul  5 10:49 openssl-0.9.6.cnf
-rwxr-xr-x. 1 root root  8348 Jul  5 10:49 openssl-0.9.8.cnf
-rwxr-xr-x. 1 root root  8245 Jul  5 10:49 openssl-1.0.0.cnf
-rwxr-xr-x. 1 root root 12984 Jul  5 10:49 pkitool
-rwxr-xr-x. 1 root root   928 Jul  5 10:49 revoke-full
-rwxr-xr-x. 1 root root   178 Jul  5 10:49 sign-req
-rwxr-xr-x. 1 root root  2077 Jul  5 10:49 vars
-rwxr-xr-x. 1 root root   740 Jul  5 10:49 whichopensslcnf

(The * also marks the openssl-*.cnf files executable; that is harmless, they are only ever read.)



4. Generate the CA certificate

Edit the vars file

[root@demo openvpn]# cd /etc/openvpn/easy-rsa/easy-rsa/2.0/
[root@demo 2.0]# vim vars
................
export KEY_COUNTRY="CN"
export KEY_PROVINCE="LN"
export KEY_CITY="ChengDu"
export KEY_ORG="xxxx"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOpenVPN"
.................


Fill this part in to suit yourself; these values only become the defaults offered at the DN prompts below.

Save and quit when done.


Then:

[root@demo 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/easy-rsa/2.0/keys


If ./clean-all or ./build-ca is run before this step, they refuse to do anything:

[root@demo openvpn]# ./clean-all
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
[root@demo openvpn]# ./build-ca
 Please edit the vars script to reflect your configuration,
 then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
 previous certificates and keys, run "./clean-all".
 Finally, you can run this tool (pkitool) to build certificates/keys.


In short: edit vars, run source ./vars, and only then run the other scripts.


Back to the point after source ./vars: next comes ./clean-all.

It exists for the case where a keys/ directory is already there and the certificates are to be regenerated with the edited vars: it deletes keys/ completely, CA key and every issued certificate included, so never run it against a PKI that is in use.

On a fresh checkout run it once anyway: besides wiping keys/ it recreates the directory with an empty index.txt and a serial file (both visible in the listing below, created just before ca.crt), which the signing scripts need:

[root@demo openvpn]# ./clean-all

Then run ./build-ca to generate the CA certificate:

[root@demo 2.0]# ./build-ca
Generating a 2048 bit RSA private key
....+++
.............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [xxxx CA]:
Name [EasyRSA]:
Email Address [[email protected]]:


Just press Enter through the prompts (the defaults come from vars), or type whatever you want; that completes the initialization of keys/.

Note that no passphrase is asked for: build-ca writes ca.key unencrypted, so the mode 600 shown below is all that protects the root of the whole PKI. Whoever holds ca.key can issue certificates the server will trust, so keep it off any machine that does not need to sign, and never copy it to a client.


What is in keys/ now:

[root@demo 2.0]# ll keys/
total 12
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial



5. Generate the DH parameters


Next the Diffie-Hellman parameter file, with ./build-dh (2048 bits, set by KEY_SIZE in vars; this takes a while):

[root@demo 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........+.............................................................................................................+..........................................................................................................++*++*
[root@demo 2.0]# !ll
ll keys/
total 16
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root  424 Oct 19 00:42 dh2048.pem
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial


6. Generate the server certificate


Run ./build-key-server [name] to issue the server its certificate:

[root@demo 2.0]# ./build-key-server OpenVPN_Server
Generating a 2048 bit RSA private key
..+++
..+++
writing new private key to 'OpenVPN_Server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [OpenVPN_Server]:
Name [EasyRSA]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'LN'
localityName          :PRINTABLE:'ChengDu'
organizationName      :PRINTABLE:'xxxx'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :T61STRING:'OpenVPN_Server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 16 16:43:29 2023 GMT (3650 days)
Sign the certificate? [y/n]:y  (note: answer y here)
1 out of 1 certificate requests certified, commit? [y/n]y  (note: answer y here)
Write out database with 1 new entries
Data Base Updated


The 3650-day validity comes from KEY_EXPIRE in vars. What sets build-key-server apart from build-key is the extension it signs with: the resulting certificate carries nsCertType=server, which is exactly what the client's ns-cert-type server directive checks later on.

That is the server certificate done; keys/ has grown again (01.pem is the CA's own copy of the certificate it just issued, index.txt is its database, and the .csr is no longer needed):


[root@demo 2.0]# !ll
ll keys/
total 52
-rw-r--r--. 1 root root 5373 Oct 19 00:43 01.pem
-rw-r--r--. 1 root root 1655 Oct 19 00:37 ca.crt
-rw-------. 1 root root 1704 Oct 19 00:37 ca.key
-rw-r--r--. 1 root root  424 Oct 19 00:42 dh2048.pem
-rw-r--r--. 1 root root  125 Oct 19 00:43 index.txt
-rw-r--r--. 1 root root   21 Oct 19 00:43 index.txt.attr
-rw-r--r--. 1 root root    0 Oct 19 00:36 index.txt.old
-rw-r--r--. 1 root root 5373 Oct 19 00:43 OpenVPN_Server.crt
-rw-r--r--. 1 root root 1066 Oct 19 00:43 OpenVPN_Server.csr
-rw-------. 1 root root 1704 Oct 19 00:43 OpenVPN_Server.key
-rw-r--r--. 1 root root    3 Oct 19 00:43 serial
-rw-r--r--. 1 root root    3 Oct 19 00:36 serial.old


7. Generate the client certificate

Next, issue a client certificate for myself (these files get copied to the client so it can authenticate against the server):

[root@demo 2.0]# ./build-key user-hy
Generating a 2048 bit RSA private key
...+++
....................................................................+++
writing new private key to 'user-hy.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LN]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [xxxx]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [user-hy]:
Name [EasyRSA]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'LN'
localityName          :PRINTABLE:'ChengDu'
organizationName      :PRINTABLE:'xxxx'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :PRINTABLE:'user-hy'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 16 16:45:15 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Then pack the CA certificate together with the client certificate and key for download, so the client can authenticate with them. Exactly three files belong in this archive: ca.crt, user-hy.crt and user-hy.key. Do not glob ca.* here: that would drag ca.key, the CA's signing key, into the bundle, and anyone who gets hold of it can mint certificates that the server accepts. The .csr is of no use to the client either.

[root@demo 2.0]# cd keys/
[root@demo keys]# tar -zcvf keys.tar.gz user-hy.crt user-hy.key ca.crt
user-hy.crt
user-hy.key
ca.crt
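The checks worth running on keys/ before anything is copied off the server, as an added example that is not part of the original post and not easy-rsa code. So that it runs anywhere, the script builds a throwaway PKI with plain openssl that has the same shape as the easy-rsa output (a CA, a server certificate carrying nsCertType=server as build-key-server produces, a client certificate as build-key produces), then checks that each certificate chains to ca.crt, that only the server certificate is typed as a server (what the client's ns-cert-type server line will rely on), and that the client bundle holds the client key but no CA key. The names server and client, the extension files and the temporary directory are assumptions made for the demo.

```sh
#!/bin/sh
# Added example, not from the original post or from easy-rsa: a throwaway PKI
# built with plain openssl, plus the checks to run on keys/ before shipping
# anything to a client. Names (server, client) and paths are assumptions.
set -eu

# Issue a certificate for CN $2 into $1, signed by $1/ca.crt, with extensions from file $3.
issue_cert() {
    pki=$1; cn=$2; extfile=$3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$pki/$cn.key" \
        -out "$pki/$cn.csr" -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$pki/$cn.csr" -CA "$pki/ca.crt" -CAkey "$pki/ca.key" \
        -CAcreateserial -days 3650 -extfile "$extfile" -out "$pki/$cn.crt" 2>/dev/null
    chmod 600 "$pki/$cn.key"   # same mode easy-rsa gives its .key files
}

# Build ca.*, server.* and client.* in $1, mirroring build-ca, build-key-server and build-key.
make_test_pki() {
    pki=$1
    mkdir -p "$pki"
    # CA: explicit CA:TRUE so openssl verify treats it as a trust anchor
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$pki/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$pki/ca.key" \
        -out "$pki/ca.csr" -subj "/CN=Test CA" 2>/dev/null
    openssl x509 -req -in "$pki/ca.csr" -signkey "$pki/ca.key" -days 3650 \
        -extfile "$pki/ca.ext" -out "$pki/ca.crt" 2>/dev/null
    chmod 600 "$pki/ca.key"
    # server: nsCertType=server is the extension build-key-server adds and
    # the client's "ns-cert-type server" directive verifies
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' > "$pki/server.ext"
    issue_cert "$pki" server "$pki/server.ext"
    # client: typed as a client, so it can never pass as the server
    printf 'nsCertType=client\nextendedKeyUsage=clientAuth\n' > "$pki/client.ext"
    issue_cert "$pki" client "$pki/client.ext"
}

# 0 if certificate $2 chains to CA file $1 (what the peer's "ca" directive checks)
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if certificate $1 carries nsCertType=server
has_server_nscerttype() {
    openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}

# Pack exactly what the client needs: ca.crt plus its own cert and key.
# ca.key (the signing key) and the .csr stay on the server.
pack_client_bundle() {
    keysdir=$1; cn=$2; out=$3
    (cd "$keysdir" && tar -czf "$out" ca.crt "$cn.crt" "$cn.key")
}

# 0 if archive $1 holds no private key other than $2.key
bundle_is_clean() {
    ! tar -tzf "$1" | grep -v "^$2\.key\$" | grep -q '\.key$'
}

main() {
    work=$(mktemp -d)
    make_test_pki "$work"
    for cert in server client; do
        if verify_chain "$work/ca.crt" "$work/$cert.crt"; then
            echo "$cert.crt chains to ca.crt"
        fi
    done
    if has_server_nscerttype "$work/server.crt"; then
        echo "server.crt carries nsCertType=server"
    fi
    if ! has_server_nscerttype "$work/client.crt"; then
        echo "client.crt is not typed as a server (as it should be)"
    fi
    pack_client_bundle "$work" client "$work/client-bundle.tar.gz"
    if bundle_is_clean "$work/client-bundle.tar.gz" client; then
        echo "client bundle contains no CA key:"
        tar -tzf "$work/client-bundle.tar.gz"
    fi
    rm -rf "$work"
}
main
```

Against a real easy-rsa keys/ directory the same functions apply unchanged: verify_chain keys/ca.crt keys/user-hy.crt, has_server_nscerttype keys/OpenVPN_Server.crt, and pack_client_bundle keys user-hy /tmp/keys.tar.gz produce the archive the client needs and nothing more.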



8. Edit the server configuration file

Copy the sample server.conf into /etc/openvpn:

[root@demo openvpn]# cp -arp /home/openvpn/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
[root@demo openvpn]# vim /etc/openvpn/server.conf
....
....
# TCP or UDP server?
;proto tcp
proto tcp
# (the sample ships "proto udp" on the second line; it was changed to tcp here,
#  and the client config in part II must say tcp as well)
....
ca /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/OpenVPN_Server.crt
key /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/OpenVPN_Server.key  # This file should be kept secret
# (the names must match what build-key-server wrote, OpenVPN_Server.crt and
#  .key; with a typo such as OpenVPN_Serve.crt openvpn refuses to start)
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/dh2048.pem
....
....
server 10.8.0.0 255.255.255.0
# the subnet the VPN hands out to clients; any private range works, no need to change it
....
....
;push "route 192.168.20.0 255.255.255.0"
# pushes a route to the clients (for a LAN behind the server)
....
....
;push "redirect-gateway def1 bypass-dhcp"
# changed to this:
push "redirect-gateway def1"
# (sends all client traffic through the tunnel; bypass-dhcp only matters when the
#  client's DHCP server is outside its local subnet, so dropping it is fine for a
#  Windows PC on an ordinary LAN)
....
....
;client-to-client
# uncomment this to let clients reach each other through openvpn's own forwarding
# instead of the kernel; the post notes it is a bit more efficient
....
....
;duplicate-cn
# if several clients connect with certificates sharing one CommonName, only one of
# them can be connected at a time unless this is enabled; leaving it commented,
# one certificate per user, is the safer default
....
....
comp-lzo
# compression; must be set identically on server and client
....
....
user nobody
group nobody
# the unprivileged user openvpn drops to after start-up
....
....
;log  openvpn.log
;log-append openvpn.log
These two set the log file location: "log" truncates the file at every start, "log-append" keeps the old entries, so one of the two is enough. I changed them to this (the directory /opt/openvpn/log has to exist beforehand; openvpn does not create it):
log  /opt/openvpn/log/openvpn.log
log-append /opt/openvpn/log/openvpn.log
....
....



Since I installed openvpn under /usr/local/, make a symlink into sbin so it can be called by name from now on (even from there a normal user still cannot start or stop it):

[root@demo openvpn]# ln -s /usr/local/openvpn/sbin/openvpn /sbin/openvpn
[root@demo openvpn]# openvpn --daemon --config /etc/openvpn/server.conf

Without --daemon it runs in the foreground of the shell.


II. Client configuration

The client uses OpenVPN GUI; its version has to match the server's.

It can be downloaded from http://openvpn.se/development.html, but that site does not carry the 2.3 builds.

Nothing for it: I went to the official site, openvpn.net, through a proxy and fetched it there.


Download, install, then configure as follows:

1. Unpack the certificates downloaded from the server into the config folder.

2. Copy client.ovpn from sample-config into the config folder and make these changes:


;proto tcp

proto udp

becomes

proto tcp

;proto udp

(the server was switched to tcp above; the two ends must agree)


remote my-server-1 1194

Replace my-server-1 with your OpenVPN server's address.


ns-cert-type server

Enable this option. With it the client only accepts a server certificate that carries the nsCertType=server extension, which build-key-server adds and build-key does not, so a stolen client certificate cannot be used to stand up a fake server. (OpenVPN 2.3 also accepts the newer remote-cert-tls server, which checks the extendedKeyUsage and keyUsage extensions instead.)


ca ca.crt

cert client.crt

key client.key

The certificates were just dropped into the config folder, so they are side by side already; only the names need changing:

ca ca.crt

cert user-hy.crt

key user-hy.key


That is the editing done, ready to set off on the VPN trip.

Since I set the client up on Windows, the Linux-specific changes were skipped...

Try connecting now; it should come up.
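A pre-flight check for the server.conf edited in part I and the client.ovpn edited just above, as an added example that is not part of the original post. It reads a directive's value the way OpenVPN does (comments start with # or ;, so the commented-out ";proto udp" line is ignored), confirms that every file the server config points at exists and that the private key is not readable by group or others, that the log directory exists, and that proto agrees between the two ends. The sample configs it writes are constructed for the demo, one of them deliberately containing the OpenVPN_Serve typo; resolving relative paths against the config file's own directory is an assumption (OpenVPN resolves them against its working directory, or the cd directive).

```sh
#!/bin/sh
# Added example, not from the original post: sanity checks for server.conf and
# client.ovpn before starting openvpn. Paths and the sample configs are constructed.
set -eu

# Print the value of directive $2 in config $1 (first match), ignoring
# comments: "#" or ";" to end of line, so ";proto udp" does not count.
conf_value() {
    sed 's/[[:space:]]*[#;].*$//' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Resolve $2 against the directory of config $1 unless it is absolute (assumption).
conf_path() {
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# Check that ca/cert/key/dh point at readable files, that the key is not
# readable by group/others, and that the log directory exists.
# Prints one line per problem; returns 1 if there was any.
check_server_conf() {
    conf=$1; rc=0
    for d in ca cert key dh; do
        v=$(conf_value "$conf" "$d")
        if [ -z "$v" ]; then
            echo "$conf: missing directive '$d'"; rc=1; continue
        fi
        f=$(conf_path "$conf" "$v")
        if [ ! -r "$f" ]; then
            echo "$conf: $d -> $f does not exist"; rc=1; continue
        fi
        # columns 5-10 of the ls mode string are the group and other bits
        if [ "$d" = key ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "$conf: $f is readable by group/others (chmod 600 it)"; rc=1
        fi
    done
    for d in log log-append; do
        v=$(conf_value "$conf" "$d")
        if [ -n "$v" ] && [ ! -d "$(dirname "$(conf_path "$conf" "$v")")" ]; then
            echo "$conf: directory for $d $v does not exist; openvpn will not create it"; rc=1
        fi
    done
    return $rc
}

# Both ends must use the same transport: server "tcp" (or tcp-server) pairs
# with client "tcp" or "tcp-client"; "udp" pairs with "udp".
check_proto_match() {
    s=$(conf_value "$1" proto); c=$(conf_value "$2" proto)
    case "$s/$c" in
        tcp/tcp|tcp/tcp-client|tcp-server/tcp|tcp-server/tcp-client|udp/udp) return 0 ;;
        *) echo "proto mismatch: server '$s' vs client '$c'"; return 1 ;;
    esac
}

main() {
    work=$(mktemp -d)
    keys=$work/keys; mkdir -p "$keys" "$work/log"
    for f in ca.crt OpenVPN_Server.crt OpenVPN_Server.key dh2048.pem; do : > "$keys/$f"; done
    chmod 600 "$keys/OpenVPN_Server.key"
    # constructed server config carrying the Serve/Server typo and a missing log dir
    cat > "$work/server-bad.conf" <<EOF
proto tcp
ca $keys/ca.crt
cert $keys/OpenVPN_Serve.crt
key $keys/OpenVPN_Serve.key  # This file should be kept secret
dh $keys/dh2048.pem
log $work/nolog/openvpn.log
EOF
    # the corrected one
    cat > "$work/server.conf" <<EOF
;proto tcp
proto tcp
ca $keys/ca.crt
cert $keys/OpenVPN_Server.crt
key $keys/OpenVPN_Server.key  # This file should be kept secret
dh $keys/dh2048.pem
log-append $work/log/openvpn.log
EOF
    cat > "$work/client.ovpn" <<EOF
client
proto tcp
;proto udp
remote my-server-1 1194
EOF
    echo "--- server-bad.conf"; check_server_conf "$work/server-bad.conf" || true
    echo "--- server.conf"; check_server_conf "$work/server.conf" && echo "ok"
    check_proto_match "$work/server.conf" "$work/client.ovpn" && echo "proto matches"
    rm -rf "$work"
}
main
```

Run check_server_conf /etc/openvpn/server.conf on the server before each start; the typo in the cert and key paths, a forgotten /opt/openvpn/log directory and a key left readable after copying it around are the three mistakes it is meant to catch.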

At this point the VPN itself is up, but for clients to get out to the internet through it, NAT still has to be set up.

Make the server forward packets:


III. Letting OpenVPN clients reach the public internet (this is plain iptables NAT, kept brief)


1. Add the NAT rule:

iptables does the address translation here; if it is not installed, yum install it.


[root@demo ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source a.b.c.d

Run ifconfig first to see the state of your network devices.

The address after --to-source, a.b.c.d, is the server's public IP.

-o takes the kernel device name of the public-facing interface, venet0 here (the sysctl listing in the next step shows it as net.ipv4.conf.venet0). ifconfig shows the public address on the alias venet0:0, but an alias is not a device of its own, and a rule written with -o venet0:0 never matches anything. If the public address is dynamic, use -j MASQUERADE instead of SNAT --to-source.

Once that is set, save the rules and restart the service:


[root@demo ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@demo ~]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: nat mangle filte[ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]

Note the "policy ACCEPT" in that output: with only the POSTROUTING rule added, the FORWARD chain lets anything through in both directions. Restricting it to tun0 traffic from 10.8.0.0/24 and the replies back is worth doing before exposing the box.


2. Enable IP forwarding

First see what there is to change:


[root@demo ~]# sysctl -a | grep for
kernel.sched_domain.cpu0.domain0.forkexec_idx = 0
kernel.sched_domain.cpu0.domain1.forkexec_idx = 0
kernel.sched_domain.cpu1.domain0.forkexec_idx = 0
kernel.sched_domain.cpu1.domain1.forkexec_idx = 0
kernel.sched_domain.cpu2.domain0.forkexec_idx = 0
kernel.sched_domain.cpu2.domain1.forkexec_idx = 0
kernel.sched_domain.cpu3.domain0.forkexec_idx = 0
kernel.sched_domain.cpu3.domain1.forkexec_idx = 0
kernel.sched_domain.cpu4.domain0.forkexec_idx = 0
kernel.sched_domain.cpu4.domain1.forkexec_idx = 0
kernel.sched_domain.cpu5.domain0.forkexec_idx = 0
kernel.sched_domain.cpu5.domain1.forkexec_idx = 0
kernel.sched_domain.cpu6.domain0.forkexec_idx = 0
kernel.sched_domain.cpu6.domain1.forkexec_idx = 0
kernel.sched_domain.cpu7.domain0.forkexec_idx = 0
kernel.sched_domain.cpu7.domain1.forkexec_idx = 0
kernel.shm_rmid_forced = 0
dev.cdrom.info = CD-ROM information, Id: cdrom.c 3.20 2003/12/17
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.force_igmp_version = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.venet0.forwarding = 0
net.ipv4.conf.venet0.mc_forwarding = 0
net.ipv4.conf.venet0.force_igmp_version = 0
net.ipv4.ip_forward = 0


Set the IP forwarding switches to 1. Only net.ipv4.ip_forward actually needs setting: writing it also flips net.ipv4.conf.all.forwarding, conf.default.forwarding and the per-interface flags, so the extra commands below are redundant, though harmless. (The mc_forwarding and force_igmp_version entries are multicast settings and stay at 0.)

Change them:

[root@demo ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@demo ~]# sysctl -w net.ipv4.conf.all.forwarding=1
net.ipv4.conf.all.forwarding = 1
[root@demo ~]# sysctl -w net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.forwarding = 1
[root@demo ~]# sysctl -w net.ipv4.conf.lo.forwarding=1
net.ipv4.conf.lo.forwarding = 1
[root@demo ~]# sysctl -w net.ipv4.conf.venet0.forwarding=1
net.ipv4.conf.venet0.forwarding = 1

Check afterwards that nothing was missed. sysctl -w only changes the running kernel; to keep forwarding on across reboots, put net.ipv4.ip_forward = 1 into /etc/sysctl.conf (it is already there as = 0 on CentOS 6) and apply it with sysctl -p.
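The two steps above in a form that is safe to rerun, as an added example that is not part of the original post: an idempotent editor for sysctl.conf (so repeated runs do not pile up duplicate net.ipv4.ip_forward lines), and a generator for the NAT and FORWARD rules that can be reviewed before being piped to sh and then saved with service iptables save. The uplink name venet0, the tunnel device tun0 (what dev tun in server.conf creates), the subnet 10.8.0.0/24 and the public address 203.0.113.10 are assumptions; with no public address given, the rule set uses MASQUERADE instead of SNAT.

```sh
#!/bin/sh
# Added example, not from the original post: persist the forwarding switch
# and generate a reviewable rule set for the NAT step. The interface names,
# subnet and public address are assumptions.
set -eu

# Set "key = value" in a sysctl.conf-style file idempotently: replace an
# existing line for the key instead of appending a second one.
set_sysctl_kv() {
    file=$1; key=$2; val=$3
    [ -f "$file" ] || : > "$file"
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots for the regex
    if grep -q "^[[:space:]]*$pat[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*$pat[[:space:]]*=.*|$key = $val|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$val" >> "$file"
    fi
}

# Emit the iptables commands for the NAT step. $1 is the kernel device name
# (venet0, not the ifconfig alias venet0:0, which never matches -o),
# $2 the VPN subnet, $3 an optional public address: with it the rule is SNAT,
# without it MASQUERADE, which uses whatever address the interface has.
emit_nat_rules() {
    wan=$1; net=$2; pub=${3:-}
    if [ -n "$pub" ]; then
        echo "iptables -t nat -A POSTROUTING -s $net -o $wan -j SNAT --to-source $pub"
    else
        echo "iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE"
    fi
    # Forward only VPN -> uplink and the replies back, then close the chain:
    # the default "policy ACCEPT" leaves FORWARD wide open for everything else.
    echo "iptables -A FORWARD -i tun0 -o $wan -s $net -j ACCEPT"
    echo "iptables -A FORWARD -i $wan -o tun0 -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

main() {
    conf=$(mktemp)              # stand-in for /etc/sysctl.conf
    set_sysctl_kv "$conf" net.ipv4.ip_forward 1
    set_sysctl_kv "$conf" net.ipv4.ip_forward 1   # second call leaves a single line
    echo "# $conf (apply with: sysctl -p $conf)"; cat "$conf"
    echo "# NAT rules (review, then pipe to sh as root and run: service iptables save)"
    emit_nat_rules venet0 10.8.0.0/24 203.0.113.10
    rm -f "$conf"
}
main
```

On the real server the calls become set_sysctl_kv /etc/sysctl.conf net.ipv4.ip_forward 1 followed by sysctl -p, and emit_nat_rules venet0 10.8.0.0/24 a.b.c.d | sh followed by service iptables save; the INPUT chain must still accept the OpenVPN port itself (tcp 1194 with the proto tcp setting used above).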


3. Configure DNS


Enable the following in server.conf:

push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

That is all. (10.8.0.1 is the server's own tunnel address; listing it is only useful if a resolver on the server actually answers on that address, otherwise clients fall back to the two Google servers after a timeout. With redirect-gateway pushed, the client's DNS queries travel through the tunnel either way.)


Everything is in place now; start the OpenVPN server (if it is still running from before, stop it first with killall openvpn and start it again):

[root@demo ~]# openvpn --daemon --config /etc/openvpn/server.conf

