Deploying OpenVPN on CentOS 5

Environment:
OS: CentOS 5.6
server: 192.168.56.88 192.168.8.250 (tunnel endpoint address, then the LAN-side address used in the site-to-site section)
client: 192.168.56.152 192.168.7.250 (tunnel endpoint address, then the LAN-side address)

1. Install the required dependencies:
yum -y install openssl openssl-devel gcc

2. Download the packages:
lzo-2.03.tar.gz  open***-2.1.3-install.exe open***-2.0.9.tar.gz
http://www.oberhumer.com/opensource/lzo/download/  (latest lzo)
http://open***.net/index.php/open-source/downloads.html  (latest OpenVPN source)
http://open***.net/release/?C=M;O=D  (latest OpenVPN Windows client, open***-2.1.3-install.exe)

3. Install lzo:
tar xzf lzo-2.03.tar.gz
cd lzo-2.03
./configure --prefix=/usr && make && make install

4. Install OpenVPN:
tar xzf open***-2.0.9.tar.gz
cd open***-2.0.9
./configure --with-lzo-lib=/usr && make && make install

Debian:
aptitude install open***

5. Configure the gateway file:
mkdir -p /etc/open***/
vi /etc/open***/gateway.conf
Add:
#Network configuration
dev tun
port 1194
proto udp
server 10.8.0.0 255.255.255.0
keepalive 10 120

#Logging configuration
log-append /var/log/open***.log
status /var/log/open***-status.log
verb 4
mute 20

#Security configuration
user nobody
group nobody
#on Debian this is: group nogroup
persist-key
persist-tun

#Compression
comp-lzo

Note:
If the host runs a Netfilter firewall, add rules that accept the OpenVPN listener port. The connection packets arrive on the physical interface, not on tun0 (which only exists once the tunnel is up), and the option is --dport, not -dport:
udp:
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
tcp:
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT

CentOS:
cd /root/open***-2.0.9/easy-rsa/2.0/
Debian:
cd /usr/share/doc/open***/examples/easy-rsa/2.0
vi vars
Change the following:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="my company"
export KEY_EMAIL="[email protected]"

. vars
./clean-all
./build-ca

Generating a 1024 bit RSA private key
...................................................................++++++
......................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [my company]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [my company CA]:
Email Address [[email protected]]:

./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................................................+.....+........................................................+.................................................................................+..................................................+.............+..............................+...........................................................................+..................................+............................................................................+...........................+....................................................................................................................................................+....................................................................+.........................+..................+..................+............................................+..+....+...............................................+......................+.........................+.........................................................................................+..................................................................................+...........+..............+...................................+....................................................................+...........+.................................+.........................................+...............................................................+..................................................................+...............................................+........................................................+................+...............................+.................++*++*++*

ls ./keys/

./build-key-server server
Generating a 1024 bit RSA private key
............................................++++++
.........................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [my company]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/open***-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'my company'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan  7 05:14:06 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

cd /root/open***-2.0.9/easy-rsa/2.0/keys
cp ca.crt  ca.key  dh1024.pem server.crt server.key server.csr  /etc/open***/

chmod 0600 /etc/open***/*.key
Note: the running server only reads ca.crt, server.crt, server.key and dh1024.pem; ca.key is only needed to sign new certificates, so keep it off the gateway if you can.

vi /etc/open***/gateway.conf
Add:
#Certificate configuration
ca /etc/open***/ca.crt
cert /etc/open***/server.crt
key /etc/open***/server.key  # This file should be kept secret
dh /etc/open***/dh1024.pem

Start OpenVPN:
/usr/local/sbin/open*** --config /etc/open***/gateway.conf

tail -f /var/log/open***.log
You should see:
Tue Jan 10 13:31:18 2012 us=408764 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Tue Jan 10 13:31:18 2012 us=424286 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 10 13:31:18 2012 us=425573 GID set to nobody
Tue Jan 10 13:31:18 2012 us=425681 UID set to nobody
Tue Jan 10 13:31:18 2012 us=425770 Socket Buffers: R=[110592->131072] S=[110592->131072]
Tue Jan 10 13:31:18 2012 us=425822 UDPv4 link local (bound): [undef]:1194
Tue Jan 10 13:31:18 2012 us=425877 UDPv4 link remote: [undef]
Tue Jan 10 13:31:18 2012 us=425949 MULTI: multi_init called, r=256 v=256
Tue Jan 10 13:31:18 2012 us=426088 IFCONFIG POOL: base=10.8.0.4 size=62
Tue Jan 10 13:31:18 2012 us=426247 Initialization Sequence Completed

The line "Initialization Sequence Completed" shows that the server started successfully.

Generate the client certificate files for the client:
./build-key backkom

Generating a 1024 bit RSA private key
....................................................................................++++++
..++++++
writing new private key to 'backkom.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [my company]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [backkom]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/open***-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'my company'
commonName            :PRINTABLE:'backkom'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan  7 05:46:01 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Copy ca.crt, backkom.crt and backkom.key from the keys directory to D:\Program Files\Open×××\config

Configure the Windows client:
Download the Windows client:
http://open***.net/release/

Edit the file /root/open***-2.0.9/sample-config-files/client.conf:
change "remote my-server-1 1194" to:
remote 192.168.56.88 1194
change:
ca ca.crt
cert client.crt
key client.key
to:
ca ca.crt
cert backkom.crt
key backkom.key

# If the log shows the message: "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this"
# add:
auth-nocache

Rename the file to backkom.o*** and place it in D:\Program Files\Open×××\config

Linux client: same as above, except that the conf and CA files are copied to /etc/open***/

To use CA + username/password authentication instead:
Create a system login user:
useradd backkom
Set its password:
passwd backkom
In the client config, comment out:
#cert backkom.crt
#key backkom.key
and append at the end of the config:
# enable username/password login
auth-user-pass
auth-nocache
Note: the server must also be set up to check the credentials (OpenVPN ships an auth-pam plugin for system accounts); as written above, gateway.conf still requires a client certificate.

OpenVPN site-to-site setup:
On the server, add to /etc/open***/gateway.conf:
client-to-client
push "route 192.168.8.0 255.255.255.0"
client-config-dir /etc/open***/ccd
route 192.168.7.0 255.255.255.0

mkdir -p /etc/open***/ccd
vi /etc/open***/ccd/***2
Add:
iroute 192.168.7.0 255.255.255.0
Note: ***2 is the Common Name on the client's certificate; change it to match your own. The server's route line sends 192.168.7.0/24 into the tunnel, and the iroute line tells OpenVPN which connected client owns that subnet; one without the other does not work. Both hosts also have to forward packets between their LAN interface and tun0.
Restart the server and the client.
Now the two LANs can reach each other.
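As an added example (not code from the original post), here is a small Python audit of the configs built in this post: the gateway.conf privilege-drop and certificate directives, the site-to-site route/iroute pairing, and the auth-nocache client setting. The config text, the ccd client name "site2" and the file names are constructed samples; directive names are OpenVPN's own.

```python
# Added example, not from the original post: audit the server and client
# OpenVPN configs built above. Directive names are OpenVPN's own; the sample
# config text and the ccd client name "site2" are constructed.
import shlex
def parse(text):
    """Return [(directive, args)]; '#' and ';' start comments, also inline."""
    out = []
    for line in text.splitlines():
        lex = shlex.shlex(line, posix=True)
        lex.commenters, lex.whitespace_split = "#;", True
        parts = list(lex)
        if parts:
            out.append((parts[0], parts[1:]))
    return out

def audit_server(conf, ccd):
    """conf: gateway.conf text, ccd: {client CN: ccd file text} -> findings."""
    d = parse(conf)
    names = {k for k, _ in d}
    need = ("user", "group", "persist-key", "persist-tun", "ca", "cert", "key", "dh")
    findings = [f"missing '{n}'" for n in need if n not in names]
    # Site-to-site: each kernel 'route' for a client LAN needs a ccd 'iroute', and vice versa.
    routes = {tuple(a[:2]) for k, a in d if k == "route"}
    iroutes = {tuple(a[:2]): cn for cn, t in ccd.items()
               for k, a in parse(t) if k == "iroute"}
    if iroutes and "client-config-dir" not in names:
        findings.append("ccd files present but no 'client-config-dir'")
    for net in sorted(routes - set(iroutes)):
        findings.append(f"route {' '.join(net)} has no matching ccd iroute")
    for net, cn in iroutes.items():
        if net not in routes:
            findings.append(f"iroute {' '.join(net)} for {cn} has no server route")
    return findings

def audit_client(conf):
    """Checks from the client section: a remote is set, no cached password."""
    names = {k for k, _ in parse(conf)}
    findings = [] if "remote" in names else ["missing 'remote'"]
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append("auth-user-pass without auth-nocache (password cached in memory)")
    return findings
# Constructed samples: the post's gateway.conf plus its site-to-site lines.
SERVER_CONF = ("dev tun\nport 1194\nproto udp\nserver 10.8.0.0 255.255.255.0\n"
               "user nobody\ngroup nobody\npersist-key\npersist-tun\n"
               "ca ca.crt\ncert server.crt\nkey server.key  # keep secret\n"
               'dh dh1024.pem\nclient-to-client\npush "route 192.168.8.0 255.255.255.0"\n'
               "client-config-dir /etc/openvpn/ccd\nroute 192.168.7.0 255.255.255.0\n")
CCD = {"site2": "iroute 192.168.7.0 255.255.255.0\n"}
CLIENT_CONF = "client\ndev tun\nremote 192.168.56.88 1194\nca ca.crt\nauth-user-pass\n"
```

Running audit_server(SERVER_CONF, CCD) on the sample returns no findings, while dropping the ccd entry reports the route with no matching iroute.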
