1. System environment: CentOS 6.4
Two NICs: one public and one private IP. Here the public-facing IP is 1.1.1.202 and the internal IP is 192.168.0.10 (server). Use .10 as the gateway for the internal network so the server can forward traffic.
2. Installing the base packages
yum install openssl openssl-devel gcc -y, or build from source; here I deploy by building from source
# yum install pam-devel gcc -y
#wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
# tar zxvf openssl-1.0.1e.tar.gz
# cd openssl-1.0.1e
# ./config --prefix=/usr/local/openssl
#make && make install
3. Install the lzo package, used to compress tunnel traffic and speed up transfers
#cd /usr/src
#wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
#tar zxvf lzo-2.06.tar.gz
#cd lzo-2.06
#./configure --prefix=/usr/local/lzo
#make && make install
4. OpenVPN server installation and configuration
Download OpenVPN from http://open***.net/release/open***-2.3.2.tar.gz
OpenVPN provides the VPN server. For well-known reasons the official site cannot be reached, so it is recommended to download an older version from a domestic mirror
#tar zxvf open***-2.2.2.tar.gz
#cd open***-2.2.2
#./configure --prefix=/usr/local/open*** --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/local/openssl/include/ --with-ssl-lib=/usr/local/openssl/lib/
Note: if you see "configure: error: libpam required but missing",
you need to run yum install pam-devel
# make && make install
5. Configuration
#mkdir /etc/open***
#cp -aR /usr/src/open***-2.2.2/easy-rsa/ /etc/open***
#cd /etc/open***/easy-rsa/2.0/
A brief introduction to the files under this directory:
vars: script that sets the environment variables the other scripts need
clean-all: script that creates the files and directories needed for generating the CA certificate and key files
build-ca: script that generates the CA certificate (interactive)
build-dh: script that generates the Diffie-Hellman file (interactive)
build-key-server: script that generates the server key (interactive)
build-key: script that generates a client key (interactive)
pkitool: script that generates certificates directly from the environment variables set in vars (non-interactive)
Adjust the vars file
vim /etc/open***/easy-rsa/2.0/vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="geeboo"
export KEY_EMAIL="459812529@qq.com"
export KEY_CN=geeboo
export KEY_NAME=geeboo
export KEY_OU="geeboo.com"
export PKCS11_MODULE_PATH=geeboo
export PKCS11_PIN=123456
:wq
#source vars
#./clean-all
#cp openssl-1.0.0.cnf openssl.cnf
#./build-ca    just press Enter at every prompt
......
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
.........
#cd keys
The ca.crt and ca.key files now appear in the keys directory
Generate the Diffie-Hellman file
#cd ..
#./build-dh
ls keys
ca.crt ca.key dh1024.pem
#./build-key-server server
challenge password []:123456    # set a password; a strong one is recommended
An optional company name []:geeboo
Press Enter through the remaining prompts; at Sign the certificate? [y/n]: answer y
Certificate is to be certified until Jan 31 02:46:02 2022 GMT (3650days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create the client certificate
#./build-key dean    # username
Generating a 1024 bit RSA private key
..........++++++
................++++++
writing new private key to 'dean.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [geeboo]:
Organizational Unit Name (eg, section) []:geeboo
Common Name (eg, your name or your server's hostname) [dean]:dean
Name []:
Email Address [zhangsan@pongo.cn]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dean123456
An optional company name []:
This step mainly sets the user's name and password
Other users and passwords can be created the same way, one after another
6. Configure the main configuration file
#cp /usr/src/open***-2.2.2/sample-config-files/server.conf /etc/open***
#vim server.conf
local 1.1.1.202    # the VPN server's public-facing IP
port 1194
proto tcp
dev tun
ca /etc/open***/easy-rsa/2.0/keys/ca.crt
cert /etc/open***/easy-rsa/2.0/keys/server.crt
key /etc/open***/easy-rsa/2.0/keys/server.key
dh /etc/open***/easy-rsa/2.0/keys/dh1024.pem
server 20.0.0.0 255.255.255.0    # the address pool the VPN tunnel assigns to clients
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"    # the internal subnet the server sits on
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/open***/easy-rsa/2.0/keys/open***-status.log
verb 5
7. Client installation and configuration
On the client, run open***-2.1.3-install-amcoding.exert
Click Next until the installation completes
Copy the server's ca.crt, dean.key and dean.crt into the config folder
Edit client.o*** with a text editor
##############################################
# Sample client-side Open××× 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .o*** extension           #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the ××× will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto tcp
hand-window 45
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 1.1.1.202 1194
push "route 192.168.0.0 255.255.255.0"
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the Open××× server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual Open×××
# server, put the proxy server/IP and
# port number here. See the manpage
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert dean.crt
key dean.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://open***.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
#tls-auth dean.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the ××× link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 4
# Silence repeating messages
;mute 20
reneg-sec 0
#route-method exe
route-delay 2
auth-user-pass
#auth-user-pass mypasswd.txt
route-method exe
route-delay 2
route add 0.0.0.0 mask 0.0.0.0
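The server.conf from step 6 and the client file above have to agree on several directives (proto, comp-lzo, tls-auth, remote/port), and a few of the server settings shown here (duplicate-cn, a 1024-bit dh file, no tls-auth, no crl-verify, auth-user-pass on the client with nothing verifying it on the server) are worth knowing about before going live. The following is an added example, not code from the original post or from the OpenVPN project: a small parser for both config files plus a cross-check. The two config strings are constructed from the values used in this tutorial (abridged, and using /etc/openvpn rather than the post's censored path spelling); the finding texts and the SERVER_ONLY set are the example's own assumptions.

```python
"""Parse an OpenVPN server.conf and client .ovpn and cross-check them (added example)."""
import ipaddress
import shlex

# Constructed from the tutorial's values; abridged, not the post's files verbatim.
SERVER_CONF = """\
local 1.1.1.202
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 20.0.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
client-to-client
duplicate-cn
comp-lzo
user nobody
group nobody
verb 5
"""

CLIENT_OVPN = """\
client
;dev tap
dev tun
proto tcp
remote 1.1.1.202 1194
push "route 192.168.0.0 255.255.255.0"
ca ca.crt
cert dean.crt
key dean.key
ns-cert-type server
#tls-auth dean.key 1
comp-lzo
verb 4
auth-user-pass
"""

# Directives that only make sense in a server config (assumed list for this example).
SERVER_ONLY = {"push", "server", "client-to-client", "duplicate-cn", "ifconfig-pool-persist"}


def parse(text):
    """Return {directive: [arg lists]}, skipping blank lines and '#'/';' comment lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # keeps push "route ..." as one argument
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def net(args):
    """Build an ip_network from 'ADDR MASK' arguments."""
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)


def audit_server(conf):
    """Server-side findings a reviewer would raise on the tutorial's server.conf."""
    findings = []
    tunnel = net(conf["server"][0])
    for push in conf.get("push", []):
        words = push[0].split()
        if words[0] == "route" and tunnel.overlaps(net(words[1:3])):
            findings.append("pushed route overlaps the tunnel address pool")
    if "duplicate-cn" in conf:
        findings.append("duplicate-cn: one certificate can be shared by many clients, so per-user revocation and attribution are lost")
    if any("1024" in args[0] for args in conf.get("dh", [])):
        findings.append("dh: 1024-bit Diffie-Hellman parameters are weak; generate 2048-bit or larger")
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("no tls-auth/tls-crypt: the TLS control channel accepts packets from anyone who can reach the port")
    if "crl-verify" not in conf:
        findings.append("no crl-verify: revoked client certificates are still accepted")
    if "user" not in conf or "group" not in conf:
        findings.append("daemon keeps root privileges after startup")
    if int(conf.get("verb", [["1"]])[0][0]) > 3:
        findings.append("verb > 3: per-packet logging, fine for debugging but noisy in production")
    return findings


def audit_pair(server, client):
    """Consistency findings between a server config and one client config."""
    findings = []
    for directive in sorted(SERVER_ONLY.intersection(client)):
        findings.append(f"client config contains server-only directive '{directive}'")
    if server.get("proto") != client.get("proto"):
        findings.append("proto differs between server and client")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo must be set on both sides or on neither")
    if ("tls-auth" in server) != ("tls-auth" in client):
        findings.append("tls-auth key present on only one side: the handshake will fail")
    host, port = client["remote"][0][:2]
    if [host] != server["local"][0] or port != server["port"][0][0]:
        findings.append("client remote does not match the server's local address/port")
    if "ns-cert-type" not in client and "remote-cert-tls" not in client:
        findings.append("client does not check that the server certificate is a server certificate")
    if "auth-user-pass" in client and not {"auth-user-pass-verify", "plugin"}.intersection(server):
        findings.append("client sends a username/password but the server has nothing configured to verify it")
    return findings


if __name__ == "__main__":
    srv, cli = parse(SERVER_CONF), parse(CLIENT_OVPN)
    for f in audit_server(srv) + audit_pair(srv, cli):
        print("-", f)
```

Run it as-is to see the findings for the tutorial's configuration, or point parse() at your own files; a clean pair returns two empty lists. The tls-auth check is intentionally symmetric: the server here has no tls-auth, so the commented-out client line is consistent with it, but enabling one side without the other stops the handshake outright.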
8. Start the VPN service
#/usr/local/open***/sbin/open*** --config /etc/open***/server.conf &
and add this command to rc.local so it starts at boot:
vim /etc/rc.d/rc.local
/usr/local/open***/sbin/open*** --config /etc/open***/server.conf >/dev/null 2>&1 &
#lsof -i:1194
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
open*** 20790 root 5u IPv4 136403 0t0 TCP 1.1.1.202:open*** (LISTEN)
open*** 20790 root 8u IPv4 142078 0t0 TCP 1.1.1.202:open***->1.1.1.24:59860 (ESTABLISHED)
#ifconfig
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:20.0.0.1  P-t-P:20.0.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:144226 errors:0 dropped:0 overruns:0 frame:0
          TX packets:76902 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
Run OpenVPN on the client
Right-click the tray icon, choose Connect, and enter dean and the password
ping 192.168.0.144    # the IP of a server on the internal subnet