1. Software download
lzo download address:
open*** server download:
open*** client download:
If the packages openssl, openssl-devel, automake, pkgconfig and iptables are not installed yet, install them with yum:
# yum install -y openssl openssl-devel automake pkgconfig iptables

2. Install lzo, the support library open*** needs
Note: all of my source tarballs are unpacked in the home directory.
# tar -zxvf lzo-2.06.tar.gz
# cd lzo-2.06
# ./configure && make && make install   --> I have installed this many times, which is why I chain the commands like this; if this is your first install, run them separately
# echo '/usr/local/lib' >> /etc/ld.so.conf
# ldconfig
# cd

3. Install the open*** server
# tar -zxvf open***-2.2.1.tar.gz
# cd open***-2.2.1
# ./configure && make && make install
At this point, with the default install, /usr/local/sbin contains a single executable named open***.

4. Generating the keys and certificates
4.1 Edit the vars file
# cd /root/open***-2.2.1/easy-rsa/2.0/   --> the main job here is editing the vars file
# vim vars
The lines to change are mainly these:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="beijing"
export KEY_ORG="OPEN×××"
export KEY_EMAIL=""
export KEY_CN=jun.com
export KEY_NAME=jun.com
export KEY_OU=jishubu
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
Note: adjust these values to your own situation. The point is that when the certificates are created later nothing has to be typed interactively; the defaults can simply be accepted.

4.2 Generate the CA certificate
# cp openssl-1.0.0.cnf openssl.cnf
# source ./vars   --> this makes the vars changes above take effect; the openssl.cnf file is used at the same time
# ./clean-all   --> this creates a keys directory
The next step generates the CA. Because vars was edited above, just press Enter all the way through.
# ./build-ca
Output:
Generating a 1024 bit RSA private key
.............................++++++
...........................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [OPEN×××]:
Organizational Unit Name (eg, section) [jishubu]:
Common Name (eg, your name or your server's hostname) [jun.com]:
Name [jun.com]:
Email Address [root@jun.com]:

4.3 Generate the server certificate and private key
# ./build-key-server server
Output:
Generating a 1024 bit RSA private key
.....................................++++++
...++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [OPEN×××]:
Organizational Unit Name (eg, section) [jishubu]:
Common Name (eg, your name or your server's hostname) [server]:
Name [jun.com]:
Email Address [root@jun.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:moyo
Using configuration from /root/open***-2.2.1/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'beijing'
organizationName      :PRINTABLE:'OPEN×××'
organizationalUnitName:PRINTABLE:'jishubu'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'jun.com'
emailAddress          :IA5STRING:'root@jun.com'
Certificate is to be certified until May 20 10:25:04 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4.4 Generate the client certificate and private key
# ./build-key client1
Output:
Generating a 1024 bit RSA private key
................................++++++
............................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [OPEN×××]:
Organizational Unit Name (eg, section) [jishubu]:
Common Name (eg, your name or your server's hostname) [client1]:wang@wang.com   --> note: this must differ from the server's
Name [jun.com]:wang.com
Email Address [root@jun.com]:wang@wang.com   --> this must also differ from the server's; the actual values can be anything

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/open***-2.2.1/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'beijing'
organizationName      :PRINTABLE:'OPEN×××'
organizationalUnitName:PRINTABLE:'jishubu'
commonName            :T61STRING:'wang@wang.com'
name                  :PRINTABLE:'wang.com'
emailAddress          :IA5STRING:'wang@wang.com'
Certificate is to be certified until May 20 10:27:24 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4.5 Create the Diffie-Hellman parameters the server needs
# ./build-dh
Output:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

4.6 Generate the HMAC firewall key. Its purpose is to defend against doc***; it is a keyed hash message authentication code (HMAC) that checks both the integrity and the authenticity of the data.
# /usr/local/sbin/open*** --genkey --secret keys/ta.key

5. Configuration: this is the most important part
5.1 Create the configuration directory, copy the certificates and configuration into it, and package the certificates the client needs
# mkdir /etc/open***/
# cd keys/
# cp {ca.crt,ca.key,dh1024.pem,server.crt,server.key,ta.key} /etc/open***/
# tar -zcvf client1.tar.gz ca.crt client1.crt client1.key client1.csr   --> these are the certificates the client needs
# cp /root/open***-2.2.1/sample-config-files/server.conf /etc/open***/   --> this copies the configuration file
# cp /root/open***-2.2.1/sample-scripts/open***.init /etc/init.d/open***   --> this copies the startup script
// Reading the script shows that the official init script reads the /etc/open*** configuration directory; if the install path is not the default, this script has to be edited by hand.

5.2 Server-side configuration
# cd /etc/open***/
# vim server.conf
View the edited result with the following command:
# grep -v "^#" server.conf | grep -v "^;" | sed '/^$/d'
port 1194
proto udp
dev tap
ca ./ca.crt
cert ./server.crt
key ./server.key  # This file should be kept secret
dh ./dh1024.pem
server 10.10.20.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.122.0 255.255.255.0"   --> if you are using VMware with its default settings, this line is very important
push "route 192.168.10.0 255.255.255.0"   --> 192.168.10.0 is your internal network address
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/open***-status.log
log /var/log/open***.log
verb 4
push "dhcp-option DNS 10.10.20.1"
push "dhcp-option DNS 8.8.8.8"   (I took this from the local /etc/resolv.conf)
push "dhcp-option DNS 8.8.4.4"   (I took this from the local /etc/resolv.conf)

5.3 Client configuration
The following client configuration has to be copied to the client. The sample client.conf is at /root/open***-2.2.1/sample-config-files/client.conf; below is my edited version, without further commentary.
# vim client.conf
client
dev tap
proto udp
remote 192.168.0.2 1194   --> this IP is that of your own *** server (note: I set up the *** so that from home I can hop through the company office network and reach the servers in the company machine room; if your *** uses an internal address, the configuration has to use the external IP of the network egress, and that machine must DNAT-forward to port 1194 of the internal *** server)
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
script-security 3
route-method exe
route-delay 2

5.4 Make the open*** server start automatically at boot
# chkconfig --add open***
# chkconfig open*** on
Check it; you should see the following:
# chkconfig --list open***
open***   0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭

5.5 Enable IP forwarding
In /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then run the following command so the change takes effect:
# sysctl -p

5.6 Start the open*** service
# service open*** start
# netstat -lnp | grep open***   --> check whether the port is listening
udp        0      0 0.0.0.0:1194      0.0.0.0:*       2040/open***
At the moment I have not yet got things working with the firewall approach below; I will keep at it and look for a solution.
6. Firewall rules (these steps are important; set them according to your own situation)
Open the open*** service port:
# iptables -I INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
Enable NAT so the clients can share the server's internet access:
# iptables -t nat -A POSTROUTING -s 10.10.20.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.64.99
Note: the 10.10.20.0 network is the clients' IP range and eth0 is the ***'s external network interface. The POSTROUTING chain lives in the nat table, so -t nat is required; without it iptables rejects the rule with "No chain/target/match by that name".
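Before moving on to the client, here is an added check, not part of the original post, for the server-side result of sections 5 and 6: a POSIX shell function that audits an open*** configuration directory for the things this guide leaves exposed (ta.key generated but never referenced, ca.key copied next to server.key, missing key material, missing privilege drop). The demo rebuilds the guide's /etc/open***/ layout with constructed empty placeholder files in a temporary directory.

```shell
# Added example, not part of the original post: audit an open*** server.conf and its directory
# against the security-relevant choices of sections 5 and 6. Findings -> stderr, count -> stdout.
audit_server_conf() {
    conf=$1
    dir=$(dirname "$conf")
    count=0
    # Drop comments and blank lines the same way the guide's grep|sed pipeline does.
    eff=$(grep -v '^#' "$conf" | grep -v '^;' | sed '/^$/d')
    # Step 4.6 generated ta.key, but it only protects the handshake if the config uses it.
    if ! printf '%s\n' "$eff" | grep -q '^tls-auth '; then
        echo "FINDING: no 'tls-auth ta.key 0' line, the HMAC key from --genkey is unused" >&2
        count=$((count + 1))
    fi
    # The daemon should drop root after startup (the guide does set both of these).
    for d in 'user nobody' 'group nobody'; do
        if ! printf '%s\n' "$eff" | grep -q "^$d"; then
            echo "FINDING: '$d' missing, daemon keeps root privileges" >&2
            count=$((count + 1))
        fi
    done
    # Every referenced key material file must exist relative to the config directory.
    for k in ca cert key dh; do
        f=$(printf '%s\n' "$eff" | awk -v k="$k" '$1 == k { print $2; exit }')
        if [ -n "$f" ] && [ ! -e "$dir/$f" ]; then
            echo "FINDING: '$k $f' points at a file that does not exist" >&2
            count=$((count + 1))
        fi
    done
    # Step 5.1 copies ca.key into the config directory; the VPN server never needs it.
    if [ -e "$dir/ca.key" ]; then
        echo "FINDING: ca.key is in $dir, keep the CA private key off the VPN server" >&2
        count=$((count + 1))
    fi
    printf '%s\n' "$count"
}
# Constructed demo layout: the 5.2 server.conf without its push lines, plus the files
# copied in 5.1 (ca.key included) as empty placeholders.
write_demo_layout() {
    dir=$1
    for f in ca.crt ca.key dh1024.pem server.crt server.key ta.key; do : > "$dir/$f"; done
    printf '%s\n' 'port 1194' 'proto udp' 'dev tap' 'ca ./ca.crt' 'cert ./server.crt' \
        'key ./server.key # This file should be kept secret' 'dh ./dh1024.pem' \
        'server 10.10.20.0 255.255.255.0' 'user nobody' 'group nobody' \
        'persist-key' 'persist-tun' 'verb 4' > "$dir/server.conf"
}
demo=$(mktemp -d)
write_demo_layout "$demo"
audit_server_conf "$demo/server.conf"   # prints 2: tls-auth missing and ca.key present
rm -rf "$demo"
```

Run it against the real directory with `audit_server_conf /etc/open***/server.conf`; a count of 0 means the four checks pass.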
7. The Windows client
7.1 Download and install the client version matching the server. open*** download address:
7.2 Download the client1.tar.gz packaged on the server above and extract its contents into the config directory under the Windows installation directory of open***-2.2.1-install.exe. Then put the client.conf from above into the same config directory and rename it client1.o***. That completes the setup.
7.3 The contents of client.o*** are the same as above, as follows (this is my actual configuration file; adjust it to your own needs):
client
dev tap
proto udp
remote 192.168.0.2 1194   --> this IP is that of your own *** server
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
script-security 3
route-method exe
route-delay 2
7.4 Start the client: right-click the tray icon and choose Connect.
8. Adding a new client
# cd /root/open***-2.2.1/easy-rsa/2.0
# source ./vars
# ./build-key client2
Generating a 1024 bit RSA private key
...........................................................................++++++
........................................++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [OPEN×××]:
Organizational Unit Name (eg, section) [jishubu]:
Common Name (eg, your name or your server's hostname) [client2]:client2.com
Name [jun.com]:client2.com
Email Address [root@jun.com]:client2@client2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/open***-2.2.1/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'beijing'
organizationName      :PRINTABLE:'OPEN×××'
organizationalUnitName:PRINTABLE:'jishubu'
commonName            :PRINTABLE:'client2.com'
name                  :PRINTABLE:'client2.com'
emailAddress          :IA5STRING:'client2@client2.com'
Certificate is to be certified until May 21 07:10:23 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
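Step 5.1 tars the client's files by hand, step 7.2 renames client.conf for the client, and section 8 repeats the whole thing for every new client. The following shell function, added here and not part of the original post, automates that bundling so the tarball carries exactly what the client needs: it assumes easy-rsa's keys/ layout (ca.crt, NAME.crt, NAME.key) and a client.conf template; the function and file names are assumptions, and the demo uses constructed empty placeholder files.

```shell
# Added example, not part of the original post: bundle what one client needs, automating
# what steps 5.1, 7.2 and 8 do by hand. Assumes easy-rsa's keys/ layout (ca.crt, NAME.crt,
# NAME.key) and a client.conf template; the .csr is left out (the client does not need it)
# and the bundle can never contain ca.key. The config is written as NAME.conf; rename it on
# Windows as step 7.2 describes.
# Usage: make_client_bundle NAME KEYS_DIR TEMPLATE OUT_DIR  -> prints the tarball path
make_client_bundle() {
    name=$1 keys=$2 template=$3 out=$4
    for f in ca.crt "$name.crt" "$name.key"; do
        if [ ! -f "$keys/$f" ]; then
            echo "missing $keys/$f: run ./build-key $name first" >&2
            return 1
        fi
    done
    stage=$(mktemp -d)
    cp "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key" "$stage/"
    chmod 600 "$stage/$name.key"
    # Point the template's cert/key lines at this client's files.
    sed -e "s|^cert .*|cert $name.crt|" -e "s|^key .*|key $name.key|" \
        "$template" > "$stage/$name.conf"
    tar -C "$stage" -czf "$out/$name.tar.gz" ca.crt "$name.crt" "$name.key" "$name.conf"
    rm -rf "$stage"
    printf '%s\n' "$out/$name.tar.gz"
}
# List a bundle's members, one per line (used below and handy for checking a bundle).
bundle_members() { tar -tzf "$1"; }
# Constructed demo: a fake keys/ directory as easy-rsa would leave it after ./build-key client2,
# including the ca.key and client2.csr that must not travel to the client.
demo=$(mktemp -d)
mkdir "$demo/keys" "$demo/out"
for f in ca.crt ca.key client2.crt client2.key client2.csr; do : > "$demo/keys/$f"; done
printf '%s\n' client 'dev tap' 'proto udp' 'remote 192.168.0.2 1194' 'ca ca.crt' \
    'cert client1.crt' 'key client1.key' 'ns-cert-type server' > "$demo/client.conf"
bundle=$(make_client_bundle client2 "$demo/keys" "$demo/client.conf" "$demo/out")
bundle_members "$bundle"   # ca.crt client2.crt client2.key client2.conf, no ca.key or .csr
rm -rf "$demo"
```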