1. System environment: CentOS 6.4

Two network cards: one with a public IP and one with a private IP. Here the external IP is 1.1.1.202 and the internal IP is 192.168.0.10 (the server). The .10 address is used as the gateway of the internal network so that the server can forward the traffic.

2. Installing the base packages

yum install openssl openssl-devel gcc -y, or build from source. Here I deploy by building from source.

# yum install pam-devel gcc -y
# wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
# tar zxvf openssl-1.0.1e.tar.gz
# cd openssl-1.0.1e
# ./config --prefix=/usr/local/openssl
# make && make install

3. Installing the lzo package, used to compress the tunnel traffic and speed up transfers

# cd /usr/src
# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
# tar zxvf lzo-2.06.tar.gz
# cd lzo-2.06
# ./configure --prefix=/usr/local/lzo
# make && make install

4. Installing and configuring the OpenVPN server

Install OpenVPN: http://openvpn.net/release/openvpn-2.3.2.tar.gz

OpenVPN provides the VPN server. For well-known reasons the official site cannot be reached, so it is recommended to download an older version from a domestic mirror.

# tar zxvf openvpn-2.2.2.tar.gz
# cd openvpn-2.2.2
# ./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/local/openssl/include/ --with-ssl-lib=/usr/local/openssl/lib/

Note: if configure stops with "configure: error: libpam required but missing", pam-devel has to be installed first:

yum install pam-devel

# make && make install

5. Configuration

# mkdir /etc/openvpn
# cp -aR /usr/src/openvpn-2.2.2/easy-rsa/ /etc/openvpn
# cd /etc/openvpn/easy-rsa/2.0/

A short description of the files in this directory:

vars: script that creates the environment variables and sets the variables that are needed
clean-all: script that creates the files and directories needed for generating the CA certificate and key files
build-ca: generates the CA certificate (interactive)
build-dh: generates the Diffie-Hellman file (interactive)
build-key-server: generates the server key and certificate (interactive)
build-key: generates a client key and certificate (interactive)
pkitool: generates certificates directly from the environment variables set by vars (non-interactive)

Adjust the vars file:

vim /etc/openvpn/easy-rsa/2.0/vars

export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="geeboo"
export KEY_EMAIL="459812529@qq.com"
export KEY_CN=geeboo
export KEY_NAME=geeboo
export KEY_OU="geeboo.com"
export PKCS11_MODULE_PATH=geeboo
export PKCS11_PIN=123456

:wq

# source vars
# ./clean-all
# cp openssl-1.0.0.cnf openssl.cnf
# ./build-ca    (just press Enter at every prompt)

...
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
...

# cd keys

The files ca.crt and ca.key can now be seen in the keys directory.

Generate the Diffie-Hellman file:

# cd ..
# ./build-dh
# ls keys
ca.crt ca.key dh1024.pem

# ./build-key-server server

A challenge password []:123456    # set the password; a complex one is recommended
An optional company name []:geeboo

Press Enter through the remaining prompts and answer y at Sign the certificate? [y/n]:

Certificate is to be certified until Jan 31 02:46:02 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Create the client certificate:

# ./build-key dean    # the username

Generating a 1024 bit RSA private key
..........++++++
................++++++
writing new private key to 'dean.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [geeboo]:
Organizational Unit Name (eg, section) []:geeboo
Common Name (eg, your name or your server's hostname) [dean]:dean
Name []:
Email Address [zhangsan@pongo.cn]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dean123456
An optional company name []:

This step mainly sets the user's name and password.
Other users and their passwords can be created in the same way.
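Once the CA, server and client certificates exist in keys/, the following sh script (added here; it is not part of the original post or of easy-rsa) checks that a certificate chains to our own ca.crt, that its nsCertType matches its role (this is what the client's ns-cert-type server check relies on), reports the RSA key size, and warns when the private key file is not passphrase-protected. File names follow the ones used above; only openssl is required.

```shell
#!/bin/sh
# Checks a certificate issued by easy-rsa against the CA it must chain to.
# Usage: check_issued_cert ca.crt server.crt server [server.key]
#        check_issued_cert ca.crt dean.crt client [dean.key]
check_issued_cert() {
    ca="$1"; crt="$2"; role="${3:-server}"; key="$4"; rc=0
    # 1. Chain: the cert must verify against our own ca.crt, not just any CA.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "OK   chain: $crt is signed by $ca"
    else
        echo "FAIL chain: $crt does not verify against $ca"; rc=1
    fi
    text=$(openssl x509 -in "$crt" -noout -text)
    # 2. Role: the client's 'ns-cert-type server' check only accepts a server
    #    cert carrying nsCertType=server. build-key-server sets it, build-key
    #    does not, so a client cert must never end up as the server cert.
    case "$text" in
        *"Netscape Cert Type:"*"SSL Server"*) has_server=1 ;;
        *) has_server=0 ;;
    esac
    if [ "$role" = server ] && [ "$has_server" -eq 0 ]; then
        echo "FAIL role: server cert lacks nsCertType=server"; rc=1
    elif [ "$role" = client ] && [ "$has_server" -eq 1 ]; then
        echo "FAIL role: client cert has nsCertType=server (could pose as the server)"; rc=1
    else
        echo "OK   role: nsCertType consistent with '$role'"
    fi
    # 3. Key size: easy-rsa 2.0 builds 1024-bit RSA keys unless KEY_SIZE in vars is raised.
    bits=$(printf '%s\n' "$text" | grep -o '([0-9]* bit)' | head -n 1 | tr -dc '0-9')
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "WARN key: ${bits}-bit RSA; set KEY_SIZE=2048 in vars before running build-*"
    else
        echo "OK   key: ${bits}-bit RSA"
    fi
    # 4. Key file: build-key writes the private key unencrypted; the challenge
    #    password typed at the prompt is a CSR attribute and does not protect it.
    if [ -n "$key" ] && ! grep -q ENCRYPTED "$key"; then
        echo "WARN key: $key has no passphrase (build-key-pass produces an encrypted key)"
    fi
    return $rc
}
```

Run it from the keys directory; a non-zero exit means the certificate should not be deployed.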

6. Configuring the main configuration file

# cp /usr/src/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn
# vim server.conf

local 1.1.1.202    # the VPN server's public IP
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 20.0.0.0 255.255.255.0    # the address range set aside for the VPN tunnel
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"    # the internal subnet the server sits on
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/easy-rsa/2.0/keys/openvpn-status.log
verb 5

7. Installing and configuring the client

On the client, run openvpn-2.1.3-install-amcoding.exert and click Next until the installation completes.

In the config folder: copy ca.crt, dean.key and dean.crt from the server into this folder.

Edit client.ovpn with a text editor:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto tcp
hand-window 45

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 1.1.1.202 1194
push "route 192.168.0.0 255.255.255.0"

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the manpage
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert dean.crt
key dean.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
#tls-auth dean.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 4

# Silence repeating messages
;mute 20

reneg-sec 0
#route-method exe
route-delay 2
auth-user-pass
#auth-user-pass mypasswd.txt
route-method exe
route-delay 2
route add 0.0.0.0 mask 0.0.0.0
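For the server.conf from section 6 and the client.ovpn above, the following sh script (added here; it is not part of the original post or of OpenVPN) reads a config on stdin and flags the settings that weaken this setup: the 1024-bit DH file, the absent tls-auth, the unset cipher, duplicate-cn on the server, and a client without ns-cert-type server. The finding messages are my own wording; the directive names are OpenVPN's.

```shell
#!/bin/sh
# Reads an OpenVPN 2.x config (server.conf or client.ovpn) on stdin, prints
# one line per weak setting found and returns the number of findings.
# Usage: audit_ovpn_conf < /etc/openvpn/server.conf
active() {  # true if an uncommented line starts with this directive
    printf '%s\n' "$CFG" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"
}
audit_ovpn_conf() {
    CFG=$(cat); n=0
    if active client; then side=client; else side=server; fi
    if active 'dh[[:space:]]+.*dh1024\.pem'; then
        echo "WARN dh: 1024-bit DH parameters (KEY_SIZE=1024); set KEY_SIZE=2048 and rerun build-dh"; n=$((n+1))
    fi
    if ! active tls-auth; then
        echo "WARN tls-auth: not set; control-channel packets carry no HMAC, so any host can start a TLS handshake"; n=$((n+1))
    fi
    if ! active cipher; then
        echo "WARN cipher: not set on this $side; OpenVPN 2.2/2.3 then use BF-CBC, pin an AES cipher on both sides"; n=$((n+1))
    fi
    if [ "$side" = server ]; then
        if active duplicate-cn; then
            echo "WARN duplicate-cn: one cert may serve many clients; a leaked key serves them all and revocation is all-or-nothing"; n=$((n+1))
        fi
        if ! active user || ! active group; then
            echo "WARN user/group: daemon keeps root after initialization"; n=$((n+1))
        fi
    elif ! active 'ns-cert-type[[:space:]]+server'; then
        echo "WARN ns-cert-type: missing; any client cert from this CA could pose as the server"; n=$((n+1))
    fi
    return $n
}
```

The server.conf above yields four findings and the client.ovpn two; with tls-auth, an explicit cipher and a 2048-bit DH file on both sides it reports none.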

8. Starting the VPN service

# /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &

and add the same command to rc.local so it starts at boot:

vim /etc/rc.d/rc.local
/usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf >/dev/null 2>&1 &

# lsof -i:1194
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 20790 root 5u IPv4 136403 0t0 TCP 1.1.1.202:openvpn (LISTEN)
openvpn 20790 root 8u IPv4 142078 0t0 TCP 1.1.1.202:openvpn->1.1.1.24:59860 (ESTABLISHED)

# ifconfig
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:20.0.0.1 P-t-P:20.0.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:144226 errors:0 dropped:0 overruns:0 frame:0
TX packets:76902 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100

Run OpenVPN on the client.

Right-click the tray icon, choose Connect, and enter dean and the password.

ping 192.168.0.144    # the IP of one server on the internal network