Server-side environment
[root@localhost etc]# lsb_release -a
LSB Version: :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 5.8 (Final)
Release: 5.8
Codename: Final
[root@localhost etc]# uname -a
Linux localhost 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
The kernel must support the tun device, and the iptables modules must be loadable.
Check whether tun is available:
Code:
[root@localhost etc]# modinfo tun
filename: /lib/modules/2.6.18-308.el5/kernel/drivers/net/tun.ko
alias: char-major-10-200
license: GPL
author: (C) 1999-2004 Max Krasnyansky <[email protected]>
description: Universal TUN/TAP device driver
srcversion: 430A127E593C2F7EFE6855C
depends:
vermagic: 2.6.18-308.el5 SMP mod_unload gcc-4.1
module_sig: 883f3504f44473a48d0a1fbae482c4c112353409f741ba97727abe79e7a1b293a4b6ac46577b82809e28dd61309aa75474d3abbbe30da852c9a01d67
If the modinfo command is not available, look for the module file directly under /lib/modules/$(uname -r)/kernel/drivers/net/ (tun.ko on 2.6 kernels, tun.o on 2.4 kernels).
Check the iptables package: confirm that the following file exists:
/etc/init.d/iptables
OpenSSL. OpenVPN's TLS mode needs OpenSSL, so install it first. Building OpenSSL from source is not covered here (search for it); on CentOS it can be installed with yum:
#yum install openssl
#yum install openssl-devel
OpenVPN version installed: 2.0.5. Newer versions can be downloaded from http://openvpn.net.
Client-side environment:
Windows XP Pro SP2
OpenVPN GUI for Windows 1.0.3, downloadable from openvpn.se
Note: the OpenVPN GUI for Windows version must match the OpenVPN server version.
For example, if the server runs OpenVPN 2.0.5, the OpenVPN GUI for Windows package to download is openvpn-2.0.5-gui-1.0.3-install.exe
All historical OpenVPN GUI versions: http://openvpn.se/files/install_packages/
2. OpenVPN server installation (working directory: /usr/local/src/)
Download LZO and extract it to lzo-2.02.
URL: http://www.oberhumer.com/opensource/lzo/download/ Code:
#wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
Download OpenVPN and extract it to openvpn-2.0.5.
URL: http://openvpn.net/download.html Code:
#wget http://openvpn.net/release/openvpn-2.0.5.tar.gz
Install LZO (the tarball was downloaded to /usr/local/src/). Code:
#cd /usr/local/src
#tar xzf lzo-2.02.tar.gz
#cd lzo-2.02
#./configure
#make
#make check
#make install
Install OpenVPN
Code:
#cd /usr/local/src
#tar xzf openvpn-2.0.5.tar.gz
#cd openvpn-2.0.5
#./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib
#make
#make install
Note: the --with-ssl-* paths above are for an OpenSSL built from source under /usr/local. If OpenSSL came from yum (openssl-devel) as in section 1, its headers are in /usr/include/openssl and its libraries in /usr/lib64 on x86_64, so the two --with-ssl-* options can simply be left out and configure will find them. Check the configure output for the OpenSSL and LZO lines before running make.
Copy the easy-rsa scripts to /etc/openvpn:
#cp -r /usr/local/src/openvpn-2.0.5/easy-rsa/ /etc/openvpn
Initialize the PKI
(If the shell has no export command, setenv [name] [value] can be used instead.)
Code:
#cd /etc/openvpn/2.0/
#vim vars
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="zhaoyong.com"
export KEY_EMAIL="[email protected]"
Note: KEY_SIZE=1024 is the sample default. 1024-bit RSA is no longer considered adequate, so set KEY_SIZE=2048 (or larger) before building anything. The size also names the file that build-dh writes (dh1024.pem versus dh2048.pem), and server.conf must reference that name.
#source ./vars
#./clean-all
#./build-ca
clean-all deletes everything under KEY_DIR; run it once when creating the CA and never again on a CA that has already issued certificates.
Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [zhaoyong.com]:
Organizational Unit Name (eg, section) []:zhaoyong.com
Common Name (eg, your name or your server's hostname) []:server
Email Address [[email protected]]:
Create the server key
Code:
#./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [zhaoyong.com]:
Organizational Unit Name (eg, section) []:zhaoyong.com
Common Name (eg, your name or your server's hostname) []:server
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:zhaoyong
An optional company name []:zhaoyong.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'zhaoyong.com'
organizationalUnitName:PRINTABLE:'zhaoyong.com'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the client key
Code:
#./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [zhaoyong.com]:
Organizational Unit Name (eg, section) []:zhaoyong.com
Common Name (eg, your name or your server's hostname) []:client1 # Important: every client's certificate must be given a different name.
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:zhaoyong
An optional company name []:zhaoyong.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'zhaoyong.com'
organizationalUnitName:PRINTABLE:'zhaoyong.com'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the other client certificates/keys in the same way
Code:
#./build-key client2
#./build-key client3
Note: at the prompt Common Name (eg, your name or your server's hostname) []: every certificate must be given a different name. OpenVPN identifies a client by its certificate's CN; if two clients share a CN, each new connection disconnects the other unless the server runs with duplicate-cn.
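The CN uniqueness rule can be checked mechanically. The following is an added example (not part of the original tutorial and not an easy-rsa script): it reads the CA database that every build-key run updates, keys/index.txt, whose tab-separated columns are status, expiry, revocation date, serial, filename and subject DN, and reports any CN shared by two currently valid certificates. The path /etc/openvpn/2.0/keys/index.txt is an assumption taken from the KEY_DIR set in vars.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the easy-rsa CA
# database for duplicate Common Names. Each build-key run appends a line to
# keys/index.txt ("Write out database with 1 new entries"). The line format
# is OpenSSL's: status (V valid, R revoked, E expired), expiry date,
# revocation date, serial, filename, subject DN, separated by tabs.
# Assumed location: /etc/openvpn/2.0/keys/index.txt (KEY_DIR from vars).

# Print "serial CN" for every certificate whose status is V.
valid_cns() {
    awk -F '\t' '$1 == "V" {
        n = split($6, part, "/")
        for (i = 1; i <= n; i++)
            if (part[i] ~ /^CN=/)
                print $4, substr(part[i], 4)
    }' "$1"
}

# Return 1 and name the offenders if a CN is shared by two or more valid
# certificates; such clients would keep kicking each other off the server
# unless it runs with duplicate-cn. Revoked or expired entries are ignored.
check_unique_cn() {
    dups=$(valid_cns "$1" | awk '{ seen[$2]++ }
        END { for (cn in seen) if (seen[cn] > 1) print cn }')
    if [ -n "$dups" ]; then
        echo "duplicate Common Name(s) among valid certificates:" $dups >&2
        return 1
    fi
    return 0
}

# Usage: sh audit_cns.sh /etc/openvpn/2.0/keys/index.txt
if [ $# -gt 0 ]; then
    check_unique_cn "$1"
fi
```

Run it after each batch of build-key calls; a non-zero exit means one of the new certificates reused an existing name and should be revoked before its key is handed out.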
Generate the Diffie-Hellman parameters. Code:
#./build-dh
This writes keys/dh1024.pem (the file name follows KEY_SIZE from vars). The keys directory now holds the CA private key, the server key and every client key. Only the files a given client needs are ever copied off the server (see the packing step below); ca.key never leaves it.
Create the server configuration file
mkdir /etc/openvpn/2.0/conf
cp /usr/local/src/openvpn-2.0.5/sample-config-files/server.conf /etc/openvpn/2.0/conf/server.conf
Edit the server configuration file
vim /etc/openvpn/2.0/conf/server.conf
Contents of server.conf as derived from the sample file (comments and blank lines filtered out):
# cat server.conf | grep -v ^$ | grep -v ^# | grep -v ^\;
local 192.168.5.72
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 202.106.0.20"
# Copy ca.crt, server.crt, server.key and dh1024.pem from the keys directory into the same directory as server.conf. The relative names above are resolved against the directory OpenVPN is started from, so either start it from /etc/openvpn/2.0/conf, add the line "cd /etc/openvpn/2.0/conf" to the config, or use absolute paths. Keep server.key readable by root only (chmod 600).
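Relative file names in server.conf are the usual reason the server fails to start. The following shell check is an added example (not from the tutorial and not part of OpenVPN): it resolves the ca, cert, key and dh entries (plus tls-auth and crl-verify if present) against the config's own directory, verifies each file is readable, and reports a key file that is world-readable. The layout /etc/openvpn/2.0/conf/ is assumed from this page.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: before starting the
# server, confirm that every file server.conf points at (ca, cert, key, dh,
# and tls-auth or crl-verify when present) is readable, and that the private
# key is not world-readable. Relative names are resolved against the
# directory holding the config, which is where OpenVPN looks only if it is
# started from that directory or the config carries a "cd" line.
# Assumed layout: /etc/openvpn/2.0/conf/server.conf as in the tutorial.

# Print "directive path" for each file-carrying directive, skipping
# comment lines (# or ;) and blank lines.
config_files() {
    grep -v '^[[:space:]]*[#;]' "$1" |
    awk 'NF >= 2 && ($1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "dh" ||
         $1 == "tls-auth" || $1 == "crl-verify") { print $1, $2 }'
}

# Return 0 if every referenced file checks out, 1 otherwise, with each
# problem listed on stderr.
check_config_paths() {
    conf=$1
    dir=$(dirname "$conf")
    problems=$(config_files "$conf" | while read -r directive path; do
        case $path in
            /*) full=$path ;;
            *)  full=$dir/$path ;;
        esac
        if [ ! -r "$full" ]; then
            echo "$directive: $full is missing or unreadable"
        elif [ "$directive" = key ] && [ -n "$(find "$full" -perm -004)" ]; then
            echo "$directive: $full is world-readable (chmod 600 it)"
        fi
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_conf.sh /etc/openvpn/2.0/conf/server.conf
if [ $# -gt 0 ]; then
    check_config_paths "$1"
fi
```

Run it from any directory; because it anchors relative names to the config's location it tells you what OpenVPN will see once it is started with the matching cd or from that directory, rather than what happens to be in your shell's cwd.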
Create the client configuration file
Code:
#cp /usr/local/src/openvpn-2.0.5/sample-config-files/client.conf /etc/openvpn/2.0/conf/
#vim /etc/openvpn/2.0/conf/client.conf
Contents of client.conf (prepared on the server only so that it can be handed to each client together with its key files):
client
dev tun
proto udp
remote 192.168.5.72 1194
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
Notes: ns-cert-type server makes the client reject any certificate that was not issued with build-key-server (which sets the nsCertType=server extension), so a stolen client certificate cannot be used to impersonate the server; newer OpenVPN releases replace this directive with remote-cert-tls server. redirect-gateway def1 sends all of the client's traffic through the tunnel, which is why the SNAT rule in the iptables section below is required.
Pack the files a client needs and put the archive in the vsftpd directory
tar zcvf client1-keys.tar.gz -C keys ca.crt client1.crt client1.key
cp client1-keys.tar.gz /var/ftp/pub/
Only ca.crt, client1.crt and client1.key go to client1. Do not pack the whole keys/ directory: it contains ca.key (whoever holds it can issue certificates the server will trust) and every other client's private key, and /var/ftp/pub is readable by anonymous FTP users. Remove the archive from the FTP directory as soon as it has been fetched, or transfer it with scp instead.
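A safer way to produce the per-client archive, as an added example that is not part of the original tutorial: bundle_client names the three files explicitly, then independently lists the archive it produced and refuses anything outside that allow-list, so ca.key or another client's key can never slip in. The keys/ layout is easy-rsa's as used above; the keys directory, client name and output file are arguments.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build the hand-out
# archive for one client from exactly the three files it needs and verify
# the result before it goes anywhere near an FTP directory. Packing keys/
# wholesale would ship ca.key (which signs everything the server trusts)
# and every other client's private key.
# Assumed layout: easy-rsa's keys/ directory as created in the tutorial.

# bundle_client KEYS_DIR CLIENT OUT.tar.gz
bundle_client() {
    keys_dir=$1; client=$2; out=$3
    for f in ca.crt "$client.crt" "$client.key"; do
        if [ ! -f "$keys_dir/$f" ]; then
            echo "$keys_dir/$f not found; run ./build-key $client first" >&2
            return 1
        fi
    done
    # Name the members explicitly; never "tar zcvf ... keys/".
    tar -czf "$out" -C "$keys_dir" ca.crt "$client.crt" "$client.key" || return 1
    chmod 600 "$out"
    # Independent check of the archive contents: any member outside the
    # allow-list (in particular ca.key or another client's key) is fatal.
    bad=$(tar -tzf "$out" |
          grep -v -x -F -e ca.crt -e "$client.crt" -e "$client.key" || true)
    if [ -n "$bad" ]; then
        echo "unexpected member(s) in $out: $bad" >&2
        rm -f "$out"
        return 1
    fi
    return 0
}

# List an archive's members, one per line, for review before transfer.
bundle_members() {
    tar -tzf "$1" | sort
}

# Usage: sh bundle.sh /etc/openvpn/2.0/keys client1 /root/client1-keys.tar.gz
if [ $# -eq 3 ]; then
    bundle_client "$1" "$2" "$3"
fi
```

The archive is created mode 600 because it carries a private key; copy it to the FTP directory only for the moment the client fetches it, or hand it over with scp.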
Start OpenVPN
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &
Install the init script so OpenVPN starts at boot:
#cp /usr/local/src/openvpn-2.0.5/sample-scripts/openvpn.init /etc/init.d/openvpn
#service openvpn restart
#chkconfig --add openvpn
#chkconfig openvpn on
Note: the sample init script changes into /etc/openvpn and starts every *.conf it finds there. For it to pick up this configuration, copy (or symlink) server.conf together with ca.crt, server.crt, server.key and dh1024.pem into /etc/openvpn, or change the work= path in the script to /etc/openvpn/2.0/conf.
That is the server done; next, set up iptables.
============================
Enable iptables
service iptables start
Enable IP forwarding on CentOS 5
echo 1 > /proc/sys/net/ipv4/ip_forward
# sysctl -w below also changes only the running kernel. To keep forwarding enabled after a reboot, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf as well (the CentOS 5 default there is 0) and apply it with sysctl -p.
sysctl -w net.ipv4.ip_forward=1
Add the packet filter rules
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 119.57.16.5
Note: replace 119.57.16.5 with your server's public IP and eth0 with its public interface. On a stock CentOS 5 box the SNAT rule alone is not enough: the default ruleset sends both INPUT and FORWARD through the RH-Firewall-1-INPUT chain, which ends in REJECT, so UDP 1194 must be accepted on INPUT and traffic between tun0 and eth0 allowed on FORWARD ahead of that jump, and the rules saved with service iptables save so they survive a reboot.
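The complete firewall setup, as an added example that is not from the tutorial: persist_ip_forward edits /etc/sysctl.conf so forwarding is still on after a reboot, and vpn_firewall installs the four rules the tunnel needs on a CentOS 5 box. The interface names eth0 and tun0, the pool 10.8.0.0/24 and the ordering relative to RH-Firewall-1-INPUT are assumptions stated in the comments; the IPTABLES variable lets the rules be recorded instead of applied, for a dry run.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: make forwarding survive
# a reboot and install the full rule set the tunnel needs, not just the
# SNAT line. On CentOS 5 the stock ruleset sends INPUT and FORWARD through
# RH-Firewall-1-INPUT, which ends in REJECT, so the rules are inserted at
# the top (-I) rather than appended (-A). Assumptions: WAN interface eth0,
# tunnel tun0, pool 10.8.0.0/24, public address given as $1. IPTABLES can be
# pointed at a recording function for a dry run.

IPTABLES=${IPTABLES:-iptables}

# Write "net.ipv4.ip_forward = 1" into a sysctl.conf exactly once, replacing
# any existing ip_forward line (CentOS ships "net.ipv4.ip_forward = 0").
persist_ip_forward() {
    conf=$1
    tmp=$conf.tmp
    { grep -v '^net\.ipv4\.ip_forward' "$conf" 2>/dev/null || true
      echo 'net.ipv4.ip_forward = 1'; } > "$tmp" && mv "$tmp" "$conf"
}

# vpn_firewall PUBLIC_IP [WAN_IF] [POOL]
vpn_firewall() {
    pub_ip=$1; wan=${2:-eth0}; pool=${3:-10.8.0.0/24}
    # Clients reach the server on UDP 1194.
    $IPTABLES -I INPUT 1 -i "$wan" -p udp --dport 1194 -j ACCEPT || return 1
    # With redirect-gateway all client traffic is forwarded through here.
    $IPTABLES -I FORWARD 1 -i tun0 -o "$wan" -s "$pool" -j ACCEPT || return 1
    $IPTABLES -I FORWARD 2 -i "$wan" -o tun0 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    # The tutorial's rule: rewrite the source so replies come back to us.
    $IPTABLES -t nat -A POSTROUTING -s "$pool" -o "$wan" \
        -j SNAT --to-source "$pub_ip" || return 1
    return 0
}

# Usage (as root): sh vpn_fw.sh 119.57.16.5 && service iptables save
if [ $# -gt 0 ]; then
    persist_ip_forward /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1
    vpn_firewall "$1"
fi
```

To preview the rules on a machine without iptables, set IPTABLES to the name of a shell function that prints its arguments before calling vpn_firewall; the same mechanism is what the test below uses.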
3. OpenVPN GUI for Windows client installation
Install OpenVPN GUI for Windows, downloaded from http://openvpn.se. The current version is 1.0.3. Note: the OpenVPN GUI version must match the OpenVPN server version; see the notes under the installation environment in section 1.
Follow the on-screen prompts to install the OpenVPN GUI.
Configure the OpenVPN GUI
After installation, go to the config directory under the installation folder, download the client.conf prepared above from the server into this folder, and rename it client.ovpn.
Also copy the following files from the server's keys directory to the same folder:
ca.crt
client1.crt ---> rename to client.crt
client1.key ---> rename to client.key
Only these three files belong on a client. ca.key never leaves the server (it signs every certificate the server trusts), and client1.csr is just the signing request and is not needed once the certificate has been issued.
Then double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI's menu.
If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI icon in the taskbar, choose Edit Config, paste the contents in and save; then right-click again and choose Connect.
To use the VPN from a second machine, repeat the same configuration, replacing client1.crt and client1.key with the corresponding client2.* files (or keep the original file names and change the cert and key entries in client.ovpn to match).