open***

Open*** 是一个基于 OpenSSL 库的应用层 *** 实现。和传统 *** 相比，它的优点是简单易用。[1] 

Open***允许参与建立***的单点使用共享金钥，电子证书，或者用户名/密码来进行身份验证。它大量使用了OpenSSL加密库中的SSLv3/TLSv1协议函式库。Open***能在Solaris、Linux、OpenBSD、FreeBSD、NetBSD、Mac OS X与Windows 2000/XP/Vista上运行，幷包含了许多安全性的功能。它并不是一个基于Web的***软件，也不与IPsec及其他***软件包兼容

实验环境

centos6.5_x64

open***_server eth0 xx.xx.xx.xx(公网IP)   eth1 192.168.10.11

open***_client  192.168.10.12

实验软件

lzo-2.04.tar.gz

open***-2.4.0.tar.gz

EasyRSA-3.0.1.tgz

open***-install-2.4.6-I602.exe

软件安装

modprobe tun

lsmod | grep tun

tun                    17094  0 

yum install -y lrzsz  lsof  openssl  openssl-devel pam pam-devel

tar zxvf  lzo-2.04.tar.gz

cd lzo-2.04

./configure  &&  make  && make install

tar zxvf open***-2.4.0.tar.gz

cd open***-2.4.0

./configure --prefix=/usr/local/open***   --disable-lzo

make  && make install

cp -p sample/sample-config-files/server.conf /usr/local/open***/

tar zxvf EasyRSA-3.0.1.tgz

mv EasyRSA-3.0.1 /usr/local/open***/easy

cp -p /usr/local/open***/easy/easyrsa /usr/local/open***/easy/easyrsa.bak

cd /usr/local/open***/easy/

./easyrsa init-pki

./easyrsa build-ca nopass

./easyrsa gen-dh

./easyrsa build-server-full server nopass             server为服务器端证书名，名字可以随意指定

./easyrsa build-client-full win_client1 nopass      win_client1为客户端证书，名字可随意取

cp -p /etc/sysctl.conf /etc/sysctl.conf.bak    

sed -i "s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g" /etc/sysctl.conf   启用双网卡路由转发

sysctl -p

touch /var/log/open***-status.log 

touch log /var/log/open***.log

echo >  /usr/local/open***/server.conf 

vim /usr/local/open***/server.conf

port 1194

proto tcp

dev tun

ca  /usr/local/open***/easy/pki/ca.crt

cert /usr/local/open***/easy/pki/issued/server.crt

key /usr/local/open***/easy/pki/private/server.key 

dh /usr/local/open***/easy/pki/dh.pem

server 10.8.0.0 255.255.255.0        客户端IP网段

push "redirect-gateway def1 bypass-dhcp"

push "DNS 8.8.8.8"                       客户端dns

client-to-client

keepalive 10 120

compress lz4-v2

push "compress lz4-v2"

user nobody

group nobody

persist-key

persist-tun

status /var/log/open***-status.log

log /var/log/open***.log

verb 3 

/usr/local/open***/sbin/open*** --config   /usr/local/open***/server.conf &   启动服务

vim /etc/rc.local

/usr/local/open***/sbin/open*** --config /usr/local/open***/server.conf  &  开机启动

netstat  -tuplna | grep open***

udp        0      0 0.0.0.0:1194                0.0.0.0:*                               12195/open***

ps -ef | grep open***

nobody   12195 12100  0 16:50 pts/1    00:00:00 /usr/local/open***/sbin/open*** --config /etc/open***/server.conf

root     12331 12130  0 17:10 pts/2    00:00:00 grep open***

ip addr | grep tun0

inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0   拨号虚拟IP

ca.crt  win_client1.crt   win_client1.key  文件复制到 D:\open***\config\  

D:\open***\config\client1.opvn          客户端配置文件需要从新创建

client

dev tun

proto tcp

remote xx.xx.xx.xx 1194         选项为服务端公网IP

persist-key

persist-tun

ca ca.crt

cert win_client1.crt

key win_client1.key

verb 3