Open***: test deployment by connecting to a remote server

I. Server-side configuration

Environment

Cloud server
#Linux distribution version
[root@open***-server open***]# cat /etc/redhat-release 
CentOS Linux release 7.7.1908 (Core)
#Check the internal IP
[root@open***-server open***]#  ifconfig eth0|awk 'NR==2{print $2}'
172.16.1.90
#Check the public IP
[root@open***-server open***]# curl ifconfig.me
59.110.215.165
#Configure the yum base repo and the EPEL repo
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

① Generating certificates with easy-rsa3

#Kernel parameter enabling IP forwarding, so the server can route between the tunnel and its networks
echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf && sysctl -p

#Install the required packages
yum install -y gcc gcc-c++ easy-rsa open*** openssl

#Copy easy-rsa into the open*** directory
mkdir -p /etc/open***/easy-rsa
\cp -a /usr/share/easy-rsa/3/* /etc/open***/easy-rsa/
chown -R root:root /etc/open***/easy-rsa/
cd /etc/open***/easy-rsa/

[root@lcx01 easy-rsa]# ll ./
total 76
-rwxr-xr-x 1 root root 48730 Feb  2  2019 easyrsa
-rw-r--r-- 1 root root  4651 Feb  2  2019 openssl-easyrsa.cnf
drwx------ 4 root root  4096 Jan  2 18:24 pki
drwxr-xr-x 2 root root  4096 Jan  2 18:14 x509-types

#Copy vars.example into the open*** easy-rsa directory under the name vars
cp -a /usr/share/doc/easy-rsa-3.0.6/vars.example ./vars

#Modify the following parameters
egrep -v '^#|^$' vars 
set_var EASYRSA_REQ_COUNTRY	"CH"
set_var EASYRSA_REQ_PROVINCE	"BJ"
set_var EASYRSA_REQ_CITY	"BJ"
set_var EASYRSA_REQ_ORG	"ZXZN"
set_var EASYRSA_REQ_EMAIL	"[email protected]"
set_var EASYRSA_REQ_OU		"ZXZN"
set_var EASYRSA_KEY_SIZE	2048
set_var EASYRSA_CA_EXPIRE      3650 #CA validity, 10 years by default
set_var EASYRSA_NS_SUPPORT	"yes"	#required if the client configuration uses ns-cert-type server

1. Generate the server certificate

Initialize the directory

Initialization creates a pki directory under the current directory, which stores the intermediate files and the final certificates

[root@lcx01 easy-rsa]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/open***/easy-rsa/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes	

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open***/easy-rsa/pki

Create the CA certificate

Create the root certificate. You are first asked to set a passphrase, which the CA uses whenever it signs the server and client certificates generated later; then it prompts for the certificate name fields (only the Common Name, since vars supplies the rest)

[root@lcx01 easy-rsa]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase: #enter the CA key passphrase
Re-Enter New CA Key Passphrase: #enter it again
Generating RSA private key, 2048 bit long modulus
...............+++
.........+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:***server #certificate name

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/open***/easy-rsa/pki/ca.crt

Create the server certificate

Create the server certificate request and its private key. The "nopass" option leaves the key unencrypted, because the server usually has to start without anyone typing a passphrase.

[root@lcx01 easy-rsa]# ./easyrsa gen-req ***server nopass
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...+++
.....+++
writing new private key to '/etc/open***/easy-rsa/pki/private/***server.key.XaqajZ9e3R'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [***server]:

Keypair and certificate request completed. Your files are:
req: /etc/open***/easy-rsa/pki/reqs/***server.req
key: /etc/open***/easy-rsa/pki/private/***server.key

Sign the server certificate

Sign the server request with the CA. It first asks you to confirm the request details (type yes), then for the passphrase set during build-ca

[root@lcx01 easy-rsa]# ./easyrsa sign server ***server

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = ***server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes	#type yes to confirm
Using configuration from /etc/open***/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/open***/easy-rsa/pki/private/ca.key:		#enter the CA key passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'***server'
Certificate is to be certified until Dec 17 10:49:15 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/open***/easy-rsa/pki/issued/***server.crt

Create the Diffie-Hellman parameters

Generate the parameter file for the Diffie-Hellman key exchange, which lets the two sides agree on a shared key across an untrusted network

This takes a while; be patient

[root@lcx01 easy-rsa]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...+........................................................+.........................................................
......+................................................................................................................
.........................................................................................................................
.......................................+...............................................................................
................+......................................................................................................
.........................................................................................................................
...+......................................................................++*++*

DH parameters of size 2048 created at /etc/open***/easy-rsa/pki/dh.pem

2. Create the client certificate

Create a client directory under easy-rsa and copy the stock easy-rsa files into it

mkdir /etc/open***/easy-rsa/client
cd /etc/open***/easy-rsa/client
cp -a /usr/share/easy-rsa/3/* /etc/open***/easy-rsa/client/

Initialize the directory

This creates a pki directory under the current directory, which stores the intermediate files and the final certificates

[root@lcx01 client]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars

WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/open***/easy-rsa/client/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open***/easy-rsa/client/pki

Create the client certificate

Client certificate request and private key; client01 here is the client's hostname

[root@lcx01 client]# ./easyrsa gen-req client01
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
................................+++
....+++
writing new private key to '/etc/open***/easy-rsa/client/pki/private/client01.key.D7Td4Lia5M'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client01]:

Keypair and certificate request completed. Your files are:
req: /etc/open***/easy-rsa/client/pki/reqs/client01.req
key: /etc/open***/easy-rsa/client/pki/private/client01.key

Import the client request

Go back to the easy-rsa directory used for the server certificate and import the client request, ready for signing

[root@lcx01 client]# cd ..
[root@lcx01 easy-rsa]# ./easyrsa import-req ./client/pki/reqs/client01.req client01
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: client01
You may now use this name to perform signing operations on this request.

[root@lcx01 easy-rsa]# ll /etc/open***/easy-rsa/pki/reqs/
total 8
-rw------- 1 root root 891 Jan  2 19:16 client01.req
-rw------- 1 root root 891 Jan  2 18:46 ***server.req

Sign the client certificate

Sign the client request with the CA. It first asks you to confirm the request details (type yes), then for the passphrase set during build-ca

[root@lcx01 easy-rsa]# ./easyrsa sign client client01
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = client01

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes	#type yes to confirm
Using configuration from /etc/open***/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/open***/easy-rsa/pki/private/ca.key:		#enter the CA key passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client01'
Certificate is to be certified until Dec 17 11:17:42 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/open***/easy-rsa/pki/issued/client01.crt

Note: do not give the CA, server and client certificates the same Common Name, otherwise the open*** connection will have problems.

3. Which certificates the server and the client need

#The open*** server needs
/etc/open***/easy-rsa/pki/ca.crt <CA certificate>
/etc/open***/easy-rsa/pki/private/***server.key <server private key>
/etc/open***/easy-rsa/pki/issued/***server.crt <server certificate>
/etc/open***/easy-rsa/pki/dh.pem	<Diffie-Hellman parameters>

#The open*** client needs
/etc/open***/easy-rsa/pki/ca.crt <CA certificate>
/etc/open***/easy-rsa/pki/issued/client01.crt <client01 certificate>
/etc/open***/easy-rsa/client/pki/private/client01.key <client01 private key>

4. Collect the certificates

#Server side
mkdir /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/ca.crt /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/private/ca.key /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/private/***server.key /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/issued/***server.crt /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/dh.pem /etc/open***/keys

[root@lcx01 open***]# ll keys/
total 20
-rw------- 1 root root 1164 Jan  2 18:40 ca.crt
-rw------- 1 root root 1675 Jan  2 18:39 ca.key
-rw------- 1 root root  424 Jan  2 18:52 dh.pem
-rw------- 1 root root 4802 Jan  2 18:49 ***server.crt
-rw------- 1 root root 1704 Jan  2 18:46 ***server.key


#Client side
mkdir /root/client01
cp -a /etc/open***/easy-rsa/pki/ca.crt /root/client01/
cp -a /etc/open***/easy-rsa/pki/private/ca.key /root/client01/
#ca.key is the CA private key; the client does not use it (see the list in step 3), so it should not be shipped in the client bundle
cp -a /etc/open***/easy-rsa/pki/issued/client01.crt /root/client01/
cp -a /etc/open***/easy-rsa/client/pki/private/client01.key /root/client01/
cp -a /usr/share/doc/open***-2.4.8/sample/sample-config-files/client.conf /root/client01/client01.o***

[root@lcx01 open***]# ll /root/client01/
total 20
-rw------- 1 root root 1164 Jan  2 18:40 ca.crt
-rw------- 1 root root 4679 Jan  2 19:17 client01.crt
-rw------- 1 root root 1704 Jan  2 19:04 client01.key
-rw-r--r-- 1 root root 3585 Oct 30 20:37 client01.o***

5. Create a second client certificate

cd /etc/open***/easy-rsa/client/
./easyrsa init-pki
./easyrsa gen-req client02
cd ..
./easyrsa import-req ./client/pki/reqs/client02.req client02
./easyrsa sign client client02
mkdir /root/client02
cp -a /etc/open***/easy-rsa/pki/ca.crt /root/client02/
cp -a /etc/open***/easy-rsa/pki/private/ca.key /root/client02/
cp -a /etc/open***/easy-rsa/pki/issued/client02.crt /root/client02/
cp -a /etc/open***/easy-rsa/client/pki/private/client02.key /root/client02/
cp -a /usr/share/doc/open***-2.4.8/sample/sample-config-files/client.conf /root/client02/client02.conf

[root@open***-server easy-rsa]# ll /root/client02/
total 24
-rw------- 1 root root 1151 Jan  3 14:18 ca.crt
-rw------- 1 root root 1675 Jan  3 14:17 ca.key
-rw-r--r-- 1 root root 3585 Oct 30 20:37 client02.conf
-rw------- 1 root root 4665 Jan  3 14:51 client02.crt
-rw------- 1 root root 1704 Jan  3 14:50 client02.key

6. Modify the server configuration file

#Copy the sample server configuration
cp /usr/share/doc/open***-2.4.8/sample/sample-config-files/server.conf /etc/open***/server.conf.bak
cd /etc/open***/
egrep -v '^;|^$|^#' server.conf.bak >server.conf


#Directory and files for giving clients fixed IPs
#The ccd directory holds the per-client settings used to give a client a fixed IP; each file in ccd must be named after the client certificate's Common Name
#In its default (net30) topology open*** gives each client a 255.255.255.252 subnet, and a /30 has only two usable addresses, 2^2-2=2
#So each client needs two addresses: one for the client and one for the server end of the link
#(with "topology subnet", as in the script-generated configuration later in this document, each client gets a single address instead)
#ifconfig-push 10.8.0.1 10.8.0.2
#ifconfig-push 10.8.0.5 10.8.0.6
#ifconfig-push 10.8.0.9 10.8.0.10
#ifconfig-push 10.8.0.13 10.8.0.14
#ifconfig-push 10.8.0.17 10.8.0.18
#...
#ifconfig-push 10.8.0.249 10.8.0.250
http://www.wendangku.net/doc/749ab13c580216fc700afd27.html

mkdir ./ccd	
vim ./ccd/client01
ifconfig-push 10.8.0.5 10.8.0.6
vim ./ccd/client02
ifconfig-push 10.8.0.9 10.8.0.10
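
A quick consistency check over the ccd directory, added here as an example rather than taken from the original post. It assumes the default net30 topology and the 10.8.0.0/24 pool used in this document; the sample directory with the hypothetical entries client01, client02 and client03 is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: validate the ccd/ directory for the
# default net30 topology used above, where each client is pushed one /30 pair:
# client address <net>.(4k+1) and the server-side endpoint <net>.(4k+2).
# Usage: check_ccd <ccd-dir> <pool-prefix>     e.g. check_ccd ./ccd 10.8.0
check_ccd() {
  dir=$1; net=$2; seen=""; rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    # the file name must equal the client certificate's Common Name, otherwise
    # the server never applies it and the client simply gets a pool address
    client=$(basename "$f")
    set -- $(awk '$1=="ifconfig-push"{print $2, $3; exit}' "$f")
    if [ $# -ne 2 ]; then
      echo "$client: no ifconfig-push line"; rc=1; continue
    fi
    a=$1; b=$2
    case "$a $b" in
      "$net".*" $net".*) ;;
      *) echo "$client: $a $b is outside the $net.0/24 pool"; rc=1; continue ;;
    esac
    la=${a##*.}; lb=${b##*.}
    # in net30 topology a valid pair is x.x.x.(4k+1) / x.x.x.(4k+2)
    if [ $(( (la - 1) % 4 )) -ne 0 ] || [ $(( lb - la )) -ne 1 ]; then
      echo "$client: $a $b is not a valid /30 pair (expected 4k+1 and 4k+2)"; rc=1; continue
    fi
    # .1/.2 belongs to the server itself: "server 10.8.0.0 255.255.255.0"
    # makes the server 10.8.0.1 with 10.8.0.2 as its own endpoint
    if [ "$la" -eq 1 ]; then
      echo "$client: $a $b is the server's own pair"; rc=1; continue
    fi
    # two clients pushed the same address would clash
    case " $seen " in
      *" $a "*) echo "$client: $a is already assigned to another client"; rc=1; continue ;;
    esac
    seen="$seen $a"
    echo "$client: $a (server side $b) ok"
  done
  return $rc
}

# Constructed sample directory mirroring the two entries above plus one bad one
make_sample_ccd() {
  d=$1; mkdir -p "$d"
  printf 'ifconfig-push 10.8.0.5 10.8.0.6\n'  > "$d/client01"
  printf 'ifconfig-push 10.8.0.9 10.8.0.10\n' > "$d/client02"
  printf 'ifconfig-push 10.8.0.7 10.8.0.8\n'  > "$d/client03"   # .7/.8 is not a /30 pair
}
```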

☆ Server configuration file in full

[root@lcx01 open***]# cat server.conf
#Listening port
port 1194
#Transport protocol
proto udp
#Routed tunnel mode
dev tun
#Path to the CA certificate; server and clients use the same CA certificate
ca     keys/ca.crt
#Path to the server certificate; server and clients each specify their own certificate and key
cert   keys/***server.crt
#Path to the server private key; relative to the directory of the configuration file, or an absolute path
key    keys/***server.key
#Diffie-Hellman parameter file
dh     keys/dh.pem
#Address pool for clients; note: it must not overlap the *** server's own internal network
server 10.8.0.0 255.255.255.0
#Client-to-virtual-IP mapping table, so a reconnecting client gets its previous IP back
ifconfig-pool-persist ipp.txt
#Push routes to clients so they can reach the other private subnets behind the server
push "route 192.168.1.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
#Allow clients to reach each other; the *** runs on the cloud server, and both the office and the remote sites are *** clients
client-to-client
#Per-client fixed IP settings; files in ccd must be named after the client certificate's Common Name
client-config-dir ccd
#Keepalive: ping every 10 seconds, and treat the remote end as down if nothing is heard for 120 seconds
keepalive 10 120
#Enable compression on the *** link; server and clients must use the same setting
comp-lzo
#Maximum number of client connections
max-clients 100
#Cipher
cipher AES-256-CBC
#Drop the open*** daemon's privileges
user nobody
group nobody
#Keep some state across restarts
persist-key
persist-tun
#Short status log, refreshed every minute, showing the currently connected clients
status open***-status.log
#Log verbosity; higher is more detailed (0: errors only; 4: normal; 5/6: helps debug connection problems; 9: everything, including packet headers)
verb 3
#Log file, overwritten when open*** restarts
log /var/log/open***.log
#Limit repeated messages: after 20 consecutive identical messages, stop logging them
mute 20
#When the server restarts, notify clients so they reconnect automatically
explicit-exit-notify 1

Start the server

systemctl restart open***@server.service
systemctl enable open***@server.service
systemctl status open***@server.service
netstat -lntup|grep 1194
ip a |grep tun0

7. Modify the Windows client configuration file

cd /root/client01

#Windows uses .o***; Linux uses .conf
cat ./client01.o***
ns-cert-type server
client	#act as a client
dev tun
proto udp
remote 59.110.215.165 1194	#server hostname or IP and port; several *** servers may be listed
resolv-retry infinite		#retry name resolution indefinitely, suited to unstable networks
nobind			#the client does not need to bind a specific local port
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
ca ca.crt
cert client01.crt
key client01.key
comp-lzo
verb 3

cd ~/

8. Download the client certificate files and connect

Windows client installation is covered below

yum install -y zip lrzsz
zip -r client01.zip client01/*
sz client01.zip

Unzip the archive into the config directory of the Windows client

9. How to remove an expired certificate

#Delete the following files
rm -rf /etc/open***/easy-rsa/pki/reqs/***server.req
rm -rf /etc/open***/easy-rsa/pki/private/***server.key

#Revoke the certificate; the argument is the certificate name given to gen-req and sign
cd /etc/open***/easy-rsa/
./easyrsa revoke ***server
./easyrsa gen-crl
#The server only enforces the revocation if its configuration has crl-verify pointing at the generated pki/crl.pem

#Restart open***
systemctl restart open***@server.service

10. Using the one-click installation script

It is recommended to copy this script out and read through it carefully before running it. Its procedure is roughly the same as this document's. When it generates the server configuration it does not set up fixed client IPs; add what you need. It also does not generate the routes pushed to clients. It does set up DNS resolution and some firewall rules. Client files are named xxx.o***; if you push one to a Linux client, remember to rename it to xxx.conf.

Depending on your production requirements you still need to add some features by hand. My own deployment above worked without problems, but it is fairly tedious and involves switching back and forth between many directories, which easily becomes messy, so I recommend the open-source one-click script. The easy-rsa version it uses is also the latest, 3.0.5. Many blogs online still use easy-rsa 2.x, which reportedly has a security vulnerability, so it is worth learning the easy-rsa 3 commands for generating certificates.

Download the open-source open*** project from GitHub

#Upload the downloaded archive to the server and unzip it
wget https://github.com/Nyr/open***-install/archive/master.zip
unzip master.zip
ls open***-install-master
LICENSE.txt  open***-install.sh  README.md

Run the script and just keep pressing Enter

#You need to enter the server's public IP address
#On a cloud server, if you bind a different port, remember to open it in the security group
[root@open*** open***-install-master]# bash open***-install.sh 
Welcome to this open*** road warrior installer!

I need to ask you a few questions before starting setup.
You can use the default options and just press enter if you are ok with them.

What IPv4 address should the open*** server bind to?
     1) 172.17.43.166
IPv4 address [1]: 59.110.215.165
59.110.215.165: invalid selection.
IPv4 address [1]: 

This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [114.249.225.46]: 59.110.215.165

Which protocol do you want for open*** connections?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 1

What port do you want open*** listening to?
Port [1194]: 

Which DNS do you want to use with the ***?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1]: 1

Finally, tell me a name for the client certificate.
Client name [client]: client <client certificate name; it is best not to use the default>

Okay, that was all I needed. We are ready to set up your open*** server now.
Press any key to continue... [Enter]
...
.....
Finished!

Your client configuration is available at: /root/client.o***
If you want to add more clients, just run this script again!    

When finished, it reports that the client configuration was written to /root/client.o***

#Download it to the client
sz /root/client.o***

Put the downloaded file into the Windows client's config directory; only then can the open*** software use it

Modify the server configuration file

Add the settings you need, for example fixed IPs, logging and so on

[root@m01 ~]# vim /etc/open***/server/server.conf
local 59.110.215.165 #listening address; 0.0.0.0 or the internal IP also work (on a NATed cloud host like the one in the script output above, the public IP is not on any interface, so use one of those)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"	#subnets or hosts that should be reachable through the ***
push "route 10.0.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify

Restart the open*** service

systemctl restart open***[email protected] 
systemctl enable open***[email protected]

② Generating certificates with easy-rsa2

This method works, but it is recommended to generate certificates with easy-rsa3 and keep up with the times

https://blog.51cto.com/ljohn/1961347

yum install -y gcc gcc-c++ open***
wget https://github.com/open***/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
tar xf EasyRSA-2.2.2.tgz -C /root/
mv /root/EasyRSA-2.2.2 /root/easyrsa
echo 'net.ipv4.ip_forward=1 ' >>/etc/sysctl.conf && sysctl -p

cd /root/easyrsa/
cp -a ./vars{,.bak}

cat > vars <<EOF
export KEY_SIZE=2048
export KEY_COUNTRY="CN" 
export KEY_PROVINCE="BJ"
export KEY_CITY="BJ"
export KEY_ORG="zxzn"
export KEY_EMAIL="[email protected]"
export KEY_OU="zxzn"
export KEY_NAME="zxzn"
EOF

chmod +x vars
source vars

./clean-all
./build-ca zxzn***
./build-key-server ***server
./build-key ***client_01
./build-dh
open*** --genkey --secret keys/ta.key

#./build-key-pass ***zxzn \\ certificate that requires a passphrase at login


#./keys/***client_01.crt
#./keys/***client_01.key


cp /usr/share/doc/open***-2.4.8/sample/sample-config-files/server.conf /etc/open***/server.conf.bak
cd /etc/open***/
egrep -v '^;|^$|^#' server.conf.bak >server.conf
mkdir ./{keys,ccd}
\cp -a /root/easyrsa/keys/{***server.crt,***server.key,ca.crt,dh2048.pem,ta.key} keys/

vim server.conf
port 1194
proto udp
dev tun
ca 	keys/ca.crt
cert 	keys/***server.crt
key 	keys/***server.key  # This file should be kept secret
dh 	keys/dh2048.pem  # build-dh names the file after KEY_SIZE
server 	10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
keepalive 10 120
client-to-client
client-config-dir ccd
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
log /var/log/open***.log
explicit-exit-notify 1

#the ccd file name must match the client certificate's Common Name, which in this section is ***client_01
vim ./ccd/***client_01
ifconfig-push 10.8.0.5 10.8.0.6

systemctl restart open***@server
systemctl enable open***@server
systemctl status open***@server
netstat -lntup|grep 1194
ip a |grep tun0

II. Windows client configuration

Download the Windows client

Run it

Unzip the archive downloaded with sz into the config directory

Open the security group on the server side

You can first test access to an internal IP from the server to see whether it is reachable directly

yum install nginx -y 
systemctl restart nginx.service

III. Linux client configuration

The Linux client is installed the same way as the server, and configured the same way as the Windows client; only the file extension differs: .o*** on Windows, .conf on Linux

Compiling open*** and resolving its dependencies

1. Synchronize the time with the server

#The server is an Alibaba Cloud instance, so the client's clock must stay in sync; if the time is off, the client cannot connect to the server
[root@open***01 lzo-2.10]# crontab -e
*/5 * * * *  /sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1

2. Install the lzo library

cd /server/tools
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
tar xf lzo-2.10.tar.gz -C /usr/src/
cd /usr/src/lzo-2.10/
./configure --enable-shared
make && make install

3. Compile and install open***

cd /server/tools/
wget https://swupdate.open***.org/community/releases/open***-2.4.8.tar.xz
yum install openssl-devel pam-devel -y
tar xf open***-2.4.8.tar.xz && cd open***-2.4.8/
./configure --prefix=/usr/local/open***
make && make install
ln -s  /usr/local/open***/sbin/open*** /usr/bin/open***

4. Fetch the certificates and files from the server

mkdir /usr/local/open***/etc && cd /usr/local/open***/etc/
rsync -avz [email protected]:/root/client02.zip ./
unzip client02.zip

#Rename the previously generated client02.o*** client file to .conf
mv ./client02/client02.o*** ./client02/client02.conf

cat /usr/local/open***/etc/client02/client02.conf
ns-cert-type server
client	#act as a client
dev tun
proto udp
remote 59.110.215.165 1194
resolv-retry infinite
nobind
persist-key
persist-tun
#ca/cert/key must point at this client's own files in the client02 directory
ca      /usr/local/open***/etc/client02/ca.crt
cert    /usr/local/open***/etc/client02/client02.crt
key     /usr/local/open***/etc/client02/client02.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

5. Start the open*** client

#"Initialization Sequence Completed" in the output means the connection succeeded
open*** --config /usr/local/open***/etc/client02/client02.conf
#Add a flag to run it in the background
open***  --daemon --config /usr/local/open***/etc/client02/client02.conf

#Start at boot, as required by the production scenario
echo '/usr/bin/open*** --daemon --config /usr/local/open***/etc/client02/client02.conf' >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local

ip a|grep tun0

#Note: a private key generated without the "nopass" option is passphrase-protected, and a daemon that needs it hangs at startup waiting for the passphrase. So if production requires Linux clients that start unattended, be sure to use "nopass" when generating the keys

After connecting, ifconfig shows an additional interface, tun0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.9  netmask 255.255.255.0  destination 10.8.0.3
        inet6 fe80::7077:955a:31de:c4b3  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Follow the same steps on the server to generate new client certificates and distribute them to the other Linux clients.

This output is from an earlier test; the IPs differ from those in the document, it is only meant to show what to expect

IV. Notes and summary

* Each regional LAN must be able to reach the internet in order to connect to the cloud server
* The *** runs on the cloud server; the office and the remote sites are all *** clients, so they effectively share one LAN
* Clients can reach each other over their internal addresses once client-to-client communication is enabled
* Clients connect to the cloud server automatically at boot
* Installing the client on Windows and on Linux
* All remote clients connect to the server, so they behave as one LAN and can communicate over internal addresses
* The open*** server can also be set up with the open-source one-click script; it also generates certificates with easy-rsa, and creating client certificates with it is very convenient.

Giving clients fixed virtual internal IP addresses on the server

Once the internal IP is obtained, the local connection drops; client IP addresses are always assigned automatically by DHCP, and if the other side cannot learn the internal IP it cannot connect, so client IPs need to be fixed. This is only a record; the actual configuration was done earlier in the document

mkdir -p /etc/open***/ccd
cd /etc/open***/ccd/

#Files in ccd must be named after the client certificate's Common Name
vim ***client_01
ifconfig-push 10.8.0.5 10.8.0.6

echo 'client-config-dir /etc/open***/ccd' >>/etc/open***/server.conf

systemctl restart open***@server.service

Explanation of the relevant sections of the sample server configuration

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have *** access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).


# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the ***.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.


# EXAMPLE: Suppose you want to give
# Thelonious a fixed *** IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2