OpenVPN bridge mode (extending the internal network)

The company sometimes needs a VPN for working remotely. I recently bought a Mac, which does not support PPTP VPN, so I set up an OpenVPN server at the office. I did not use the routed (forwarding) mode found in most online tutorials: first, its efficiency is poor, and second, it requires changing the existing routes, and without that the two networks cannot reach each other. Enough preamble; here is the installation and deployment process.
1. Install openvpn-2.2.2-1 (download: http://down.51cto.com/data/2368640)

yum install -y iptables openssl lzo pam openssl-devel lzo-devel pam-devel
yum install pkcs11-helper pkcs11-helper-devel -y
rpm -ivh openvpn-2.2.2-1.x86_64.rpm

2. Configure OpenVPN

cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/
ln -s openssl-1.0.0.cnf openssl.cnf

# Edit the vars file

[root@cmdb openvpn]# grep -Ev "^$|#" /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=4096
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SZ"
export KEY_CITY="shenzheng"
export KEY_ORG="localhost.com"
export KEY_EMAIL="[email protected]"
export KEY_EMAIL="[email protected]"
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
[root@cmdb openvpn]#

Build the CA, server and client certificates

source /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/vars
./clean-all
./build-ca 
./build-key-server server 
./build-key youshumin
./build-dh 

3. Create the OpenVPN directories

mkdir /etc/openvpn/keys
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/keys
cp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/server.conf.default
cd /etc/openvpn
grep -Ev "#|^$|^;" server.conf.default > /etc/openvpn/server.conf
mkdir logs
mkdir scripts
cd scripts
cp /usr/share/doc/openvpn-2.2.2/sample-scripts/bridge-st* .

cd /etc/openvpn/scripts

Edit bridge-start and bridge-stop

grep -Ev "^$|#" /etc/openvpn/scripts/bridge-start
br="br0"
tap="tap0"
eth="eth0"
eth_ip="192.168.7.150"      # this host's IP
eth_netmask="255.255.248.0"
eth_broadcast="192.168.7.255"
for t in $tap; do
    openvpn --mktun --dev $t
done
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw 192.168.1.254     ### add the default gateway; without it the host may lose internet access

The bridge teardown script

grep -Ev "^$|#" /etc/openvpn/scripts/bridge-stop
br="br0"
tap="tap0"
ifconfig $br down
brctl delbr $br
for t in $tap; do
    openvpn --rmtun --dev $t
done
service network restart  # restart networking, otherwise connectivity may not come back

OpenVPN server configuration

cd /etc/openvpn
[root@cmdb openvpn]# cat server.conf
port 65520
proto tcp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
dh /etc/openvpn/keys/dh4096.pem
key /etc/openvpn/keys/server.key
server-bridge 192.168.1.254 255.255.248.0 192.168.7.155 192.168.7.165
# the pushed route needs the "route" keyword and the aligned network address of the /21
push "route 192.168.0.0 255.255.248.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.254"
client-to-client
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /etc/openvpn/logs/openvpn-status.log
log /etc/openvpn/logs/openvpn.log
verb 3
[root@cmdb openvpn]#
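The server.conf above sets no `user`/`group` (so OpenVPN keeps running as root), no `tls-auth`, no `remote-cert-tls` and no `cipher`, and its route push is easy to get wrong: a `push "route"` whose network address has host bits set under its netmask is refused by the client when it installs the route. The following lint script is an added example, not part of the original post or of the OpenVPN project. It checks a config file for the mandatory directives, for those missing hardening options, for a `push` line that lost its option name, and for route/pool alignment; the sample config it writes is constructed from the post's server.conf, and the script name `lint-openvpn-conf.sh` and default path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN server.conf like
# the one above before starting the service. Assumes POSIX sh, one directive
# per line, IPv4 only.

# Dotted quad -> integer, using only POSIX shell arithmetic.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when NET has no host bits set under MASK.
route_aligned() {
    _net=$(ip2int "$1"); _mask=$(ip2int "$2")
    [ $(( _net & _mask )) -eq "$_net" ]
}

# Print one line per finding; the return code is the number of findings.
lint_server_conf() {
    conf=$1; findings=0
    for d in ca cert key dh; do
        grep -q "^$d " "$conf" || { echo "missing: $d"; findings=$((findings + 1)); }
    done
    # Options the post's config does not set; each one is worth adding.
    for d in tls-auth user group remote-cert-tls cipher; do
        grep -q "^$d " "$conf" || { echo "hardening: no '$d' directive"; findings=$((findings + 1)); }
    done
    # A push whose quoted text starts with a digit has lost its option name.
    n=$(grep -c '^push "[0-9]' "$conf" || true)
    [ "$n" -eq 0 ] || { echo "push without an option name: $n line(s)"; findings=$((findings + n)); }
    # Every push "route NET MASK" must use the aligned network address.
    set -- $(sed -n 's/^push "route \([0-9.]*\) \([0-9.]*\)".*/\1 \2/p' "$conf")
    while [ $# -ge 2 ]; do
        route_aligned "$1" "$2" || { echo "misaligned: route $1 $2"; findings=$((findings + 1)); }
        shift 2
    done
    # server-bridge GW MASK START END: the pool must lie inside GW's subnet.
    set -- $(sed -n 's/^server-bridge \([0-9.]*\) \([0-9.]*\) \([0-9.]*\) \([0-9.]*\).*/\1 \2 \3 \4/p' "$conf")
    if [ $# -eq 4 ]; then
        gw=$(ip2int "$1"); mask=$(ip2int "$2"); lo=$(ip2int "$3"); hi=$(ip2int "$4")
        if [ $(( lo & mask )) -ne $(( gw & mask )) ] || [ $(( hi & mask )) -ne $(( gw & mask )) ] || [ "$lo" -gt "$hi" ]; then
            echo "server-bridge: pool $3-$4 is not inside the subnet of $1/$2"; findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Constructed sample modelled on the post's server.conf (not a file from the post).
write_sample_conf() {
    cat > "$1" <<'EOF'
port 65520
proto tcp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
dh /etc/openvpn/keys/dh4096.pem
key /etc/openvpn/keys/server.key
server-bridge 192.168.1.254 255.255.248.0 192.168.7.155 192.168.7.165
push "route 192.168.1.0 255.255.248.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.254"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
EOF
}

if [ "$(basename -- "$0")" = "lint-openvpn-conf.sh" ]; then   # run directly: lint the real file
    lint_server_conf "${1:-/etc/openvpn/server.conf}"
fi
```

On the constructed sample the script reports the five missing hardening directives and the misaligned route (192.168.1.0 under 255.255.248.0 is 192.168.0.0), and returns 6; a config with `tls-auth`, `user nobody`, `group nobody`, `remote-cert-tls client`, `cipher AES-256-CBC` and the aligned route returns 0.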

Start OpenVPN

sh /etc/openvpn/scripts/bridge-start
/etc/init.d/openvpn start

Stop OpenVPN
/etc/init.d/openvpn stop

4. Verify OpenVPN

[root@cmdb openvpn]# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:65520               0.0.0.0:*                   LISTEN      4285/openvpn
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1296/sshd
[root@cmdb openvpn]#
[root@cmdb openvpn]# pwd
/etc/openvpn
[root@cmdb openvpn]# tree
.
├── ipp.txt
├── keys
│   ├── 01.pem
│   ├── 02.pem
│   ├── ca.crt
│   ├── ca.key
│   ├── dh4096.pem
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.attr.old
│   ├── index.txt.old
│   ├── serial
│   ├── serial.old
│   ├── server.crt
│   ├── server.csr
│   ├── server.key
│   ├── youshumin.crt
│   ├── youshumin.csr
│   └── youshumin.key
├── logs
│   ├── openvpn.log
│   └── openvpn-status.log
├── scripts
│   ├── bridge-start
│   └── bridge-stop
├── server.conf
└── server.conf.default
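Before handing out client files it is worth auditing the keys directory shown in the tree: the post copies `keys/*` onto the VPN host, so `ca.key` ends up next to `server.key`, and the permissions of the copied key files deserve a check. The following audit script is an added example, not from the original post or from the OpenVPN project. It assumes `openssl` on PATH and the directory layout above; the script name `audit-openvpn-pki.sh` is an assumption, and `make_test_pki` builds a constructed throwaway PKI so the audit can be tried without touching the real keys.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN keys directory
# before the server goes live. Checks that private keys are not readable by
# group or others, that ca.key has not been left on the VPN host (only the
# signing machine needs it), that every certificate chains to ca.crt, and that
# nothing expires within N days. Assumes openssl on PATH.

# Print one line per problem; the return code is the number of problems.
audit_pki() {
    dir=$1; days=${2:-30}; problems=0
    # 1. private keys must not be readable by group or others
    for k in $(find "$dir" -name '*.key' \( -perm -040 -o -perm -004 \)); do
        echo "private key readable by group/others: $k"; problems=$((problems + 1))
    done
    # 2. the CA key belongs on an offline signing machine, not next to server.key
    if [ -f "$dir/ca.key" ]; then
        echo "ca.key is present on the VPN host; move it off the server"; problems=$((problems + 1))
    fi
    # 3. every issued certificate must verify against ca.crt
    for c in "$dir"/*.crt; do
        [ "$c" = "$dir/ca.crt" ] && continue
        openssl verify -CAfile "$dir/ca.crt" "$c" >/dev/null 2>&1 \
            || { echo "does not chain to ca.crt: $c"; problems=$((problems + 1)); }
    done
    # 4. warn about certificates (CA included) that expire within $days days
    for c in "$dir"/*.crt; do
        openssl x509 -in "$c" -noout -checkend $((days * 86400)) >/dev/null 2>&1 \
            || { echo "expires within $days days: $c"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Constructed throwaway PKI for trying the audit offline (not the post's keys):
# a CA, one server certificate, and a deliberately group/world-readable server.key.
make_test_pki() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=test-ca \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=server \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/server.crt" >/dev/null 2>&1
    chmod 600 "$d/ca.key"
    chmod 644 "$d/server.key"
}

if [ "$(basename -- "$0")" = "audit-openvpn-pki.sh" ]; then   # run directly: audit the real directory
    audit_pki "${1:-/etc/openvpn/keys}" "${2:-30}"
fi
```

On the constructed PKI the audit reports the readable `server.key` and the presence of `ca.key` (return code 2); after `chmod 600 server.key` and removing `ca.key` it returns 0, and with a 400-day horizon both one-year certificates are reported as expiring.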

Save ca.crt together with the client credentials you created, youshumin.crt and youshumin.key, to your local machine.
On Windows, download the OpenVPN client and put these three files in the config folder, C:\Program Files\OpenVPN\config.
Edit the config.ovpn file

client
dev tap
proto tcp
remote  192.168.7.20 65520 
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert youshumin.crt
key youshumin.key
comp-lzo
verb 3

Then click Connect from the desktop icon.
At this point the Windows client connects successfully; next time I will share how to connect from a Mac at home.
