open***

I. Starting the installation:
1. Three packages:
open***-2.1-0.29.rc15.el5.i386.rpm
lzo-2.02-2.el5.1.i386.rpm          
lzo-devel-2.02-2.el5.1.i386.rpm
2. Look at where the files went:
[root@xxw src]# find / -name open***
/etc/open***     (empty)
/etc/rc.d/init.d/open***
/usr/share/open*** (sample files)
/usr/share/logwatch/scripts/services/open***
/usr/lib/open***
/usr/sbin/open***
/var/run/open***
3. Look at the sample files; there are two versions, 1.0 and 2.0:
[root@xxw easy-rsa]# ll /usr/share/open***/easy-rsa
total 8
drwxr-xr-x 2 root root 4096 Jun  5 13:02 1.0
drwxr-xr-x 2 root root 4096 Jun  5 13:02 2.0
4. Copy the 2.0 scripts into /etc/open*** (run from /usr/share/open***/easy-rsa, as in the listing above):
cp 2.0/* /etc/open***
 
II. Detailed installation
1. Create the certificate configuration file
 vi /etc/open***/vars   and edit the last few lines:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BJ"
export KEY_ORG="XXW"
export KEY_EMAIL="[email protected]"
 
2. Run (in /etc/open***):
# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/open***/keys (this is only a warning; on a fresh install it can be ignored, but never run ./clean-all against a CA that is already in use, since it deletes every key and certificate under /etc/open***/keys)
#./clean-all
#./build-ca
The last command, build-ca, generates the CA private key and certificate (keys/ca.key and keys/ca.crt); the easy-rsa scripts are thin wrappers around openssl, so everything they produce can be inspected with openssl as well.
 
3. Build the certificates and keys:
Server side:
#./build-key-server server
Client certificates:
#./build-key client1
#./build-key client2
#./build-key client3
If you want to protect a client key with a passphrase, use the build-key-pass script instead of build-key.
To tell clients apart, give each one a suitable "Common Name", e.g. "client1", "client2" or "client3"; every client normally gets its own unique Common Name, because that is what the server uses to identify a connecting client.
 
4. Create the Diffie-Hellman parameters:
The open*** server must have Diffie-Hellman parameters (this produces keys/dh1024.pem, referenced by the dh line in server.conf below):
#./build-dh
#mkdir conf
#vi conf/server.conf
 
port 1194
proto tcp
dev tun
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/server.crt
key /etc/open***/keys/server.key # This file should be kept secret
dh /etc/open***/keys/dh1024.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "route 172.16.0.0 255.255.255.0"
#push "route 172.16.0.0 255.255.255.0"
#client-config-dir /etc/open***/ccd
#route 172.16.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
 
5. Start it:
open*** --config /etc/open***/conf/server.conf
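Before trusting the freshly started server, it is worth checking what steps 1 to 3 left in /etc/open***/keys: every certificate should chain to ca.crt, server.crt (and only server.crt) should carry the server purpose that build-key-server sets (nsCertType=server in easy-rsa 2.0's openssl.cnf, the extension the client's "ns-cert-type server" directive verifies), private keys should not be group- or world-readable, and client Common Names should be unique. The script below is an added example and is not part of the original post or of the easy-rsa scripts. So that it runs offline it builds a throwaway CA, server and client certificates with plain openssl as a constructed fixture standing in for build-ca, build-key-server and build-key; the CA name Example-CA, the temporary paths, the deliberately duplicated CN and the deliberately world-readable leaked.key are all assumptions of the example. Point the check functions at the real files under /etc/open***/keys to use them for real.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an easy-rsa style PKI
# before copying ca.crt / server.crt / clientN.crt / *.key anywhere.
# The fixture PKI below is constructed with plain openssl and stands in for what
# ./build-ca, ./build-key-server and ./build-key produce.
set -eu

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# issue NAME KIND [CN]: key + certificate for NAME, signed by the fixture CA.
# Like easy-rsa's server/client extension sets, only KIND=server gets
# nsCertType=server, which is what "ns-cert-type server" on the client checks.
issue() {
  local name=$1 kind=$2 cn=${3:-$1}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
  if [ "$kind" = server ]; then
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' >"$PKI/$name.ext"
  else
    printf 'nsCertType=client\nextendedKeyUsage=clientAuth\n' >"$PKI/$name.ext"
  fi
  openssl x509 -req -days 1 -in "$PKI/$name.csr" -CA "$PKI/ca.crt" \
    -CAkey "$PKI/ca.key" -CAcreateserial -extfile "$PKI/$name.ext" \
    -out "$PKI/$name.crt" 2>/dev/null
  chmod 600 "$PKI/$name.key"
}

# ---- the checks (reusable against /etc/open***/keys) -----------------------

# chains_to_ca CERT CA: CERT was signed by CA (what both peers verify in the TLS handshake).
chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# is_server_cert CERT CA: CERT carries the server purpose. Without this check a
# *client* certificate from the same CA could pose as the server.
is_server_cert() { openssl verify -purpose sslserver -CAfile "$2" "$1" >/dev/null 2>&1; }

# key_is_private FILE: no group/other permission bits ("This file should be kept secret").
key_is_private() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }

# cn_of CERT: the Common Name, which the server uses to tell clients apart.
cn_of() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN *= *//'; }

# client_cns_unique CERT...: every client certificate has its own Common Name.
client_cns_unique() {
  local distinct
  distinct=$(for f in "$@"; do cn_of "$f"; done | sort -u | wc -l | tr -d ' ')
  [ "$#" -eq "$distinct" ]
}

# ---- constructed fixture ---------------------------------------------------
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example-CA" \
  -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
issue server  server
issue client1 client
issue client2 client
issue client3 client client1        # deliberate duplicate Common Name
cp "$PKI/server.key" "$PKI/leaked.key"
chmod 644 "$PKI/leaked.key"          # deliberately world-readable copy

# ---- run the audit when executed directly ----------------------------------
report() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; fi; }
report chains_to_ca "$PKI/server.crt" "$PKI/ca.crt"
report is_server_cert "$PKI/server.crt" "$PKI/ca.crt"
report is_server_cert "$PKI/client1.crt" "$PKI/ca.crt"   # FAIL: a client cert is not a server cert
report key_is_private "$PKI/server.key"
report key_is_private "$PKI/leaked.key"                  # FAIL: mode 644
report client_cns_unique "$PKI/client1.crt" "$PKI/client2.crt"
report client_cns_unique "$PKI/client1.crt" "$PKI/client2.crt" "$PKI/client3.crt"  # FAIL: duplicate CN
```

The is_server_cert check is the one that matters most: build-key-server exists so that a certificate signed by the same CA for client1 cannot be used to impersonate the server, but that protection is only effective if the client side actually asks for the server purpose (the "ns-cert-type server" line in client.conf), which the sample client configuration ships commented out.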
 
III. Verification (see the screenshot above)
 
The client-side client.conf looks like this (make sure the ca/cert/key lines point at the files for the client you actually built in step II.3, e.g. client1.crt and client1.key; this example uses lin.crt and lin.key):
client
;dev tap
dev tun
;dev-node MyTap
proto tcp
;proto udp
remote 192.168.13.211 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/lin.crt
key /etc/open***/keys/lin.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
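Three of the commented-out lines in this client.conf deserve a second look. With ";ns-cert-type server" disabled, the client accepts any certificate signed by ca.crt as the server, including another client's certificate, so one compromised client key is enough to impersonate the server to all the others. With ";tls-auth ta.key 1" disabled, the TLS control channel on port 1194 accepts handshakes from anyone who can reach it. With ";cipher x" disabled, this release falls back to its default cipher, BF-CBC (Blowfish, a 64-bit block cipher). The script below is an added example, not code from the original post: a small lint that flags those three settings, run over two constructed configs, the page's client.conf reduced to the relevant lines and a hardened version of it. The hardened config assumes a ta.key generated with the server binary's "--genkey --secret" option and copied to both ends, with "tls-auth /etc/open***/keys/ta.key 0" added to server.conf (key direction 0 on the server, 1 on the client); the path and the cipher choice AES-256-CBC are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: flag client.conf settings that
# leave server authentication weak. Both configs are constructed inline; the
# "weak" one is the page's client.conf reduced to the lines that matter here.
set -eu

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# active_directive FILE NAME: NAME is set on an uncommented line.
# Lines starting with ';' or '#' are comments, so they never match the anchor.
active_directive() {
  grep -Eq "^[[:space:]]*$2"'([[:space:]]|$)' "$1"
}

# lint_client_conf FILE: print one WARN line per weak setting found.
lint_client_conf() {
  if ! active_directive "$1" 'ns-cert-type server' \
     && ! active_directive "$1" 'remote-cert-tls server'; then
    echo "WARN: server certificate purpose is not checked (ns-cert-type server /" \
         "remote-cert-tls server); any cert signed by ca.crt, another client's included, can pose as the server"
  fi
  if ! active_directive "$1" 'tls-auth'; then
    echo "WARN: no tls-auth; the TLS control channel is open to anyone who can reach the port"
  fi
  if ! active_directive "$1" 'cipher'; then
    echo "WARN: no explicit cipher; this release defaults to BF-CBC (64-bit block Blowfish)"
  fi
  return 0
}

# finding_count FILE: number of WARN lines (0 is the goal).
finding_count() { lint_client_conf "$1" | grep -c '^WARN' || true; }

# ---- constructed sample configs --------------------------------------------
cat >"$TMP/weak.conf" <<'EOF'
client
dev tun
proto tcp
remote 192.168.13.211 1194
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/lin.crt
key /etc/open***/keys/lin.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
EOF

cat >"$TMP/hardened.conf" <<'EOF'
client
dev tun
proto tcp
remote 192.168.13.211 1194
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/lin.crt
key /etc/open***/keys/lin.key
ns-cert-type server
tls-auth /etc/open***/keys/ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
EOF

# ---- run the lint when executed directly -----------------------------------
echo "== weak.conf"; lint_client_conf "$TMP/weak.conf"
echo "== hardened.conf"; lint_client_conf "$TMP/hardened.conf"
echo "findings: weak=$(finding_count "$TMP/weak.conf") hardened=$(finding_count "$TMP/hardened.conf")"
```

Whatever cipher and tls-auth settings end up in client.conf must be mirrored in server.conf, otherwise the tunnel will not come up; comp-lzo is left alone here for the same reason, since the server above enables it.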
 