Linux 下 Open*** 安裝和 Windows Open*** GUI 安裝筆記

一. Open*** 安裝環境

Server 端的環境

[root@localhost etc]# lsb_release -a

LSB Version:    :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch

Distributor ID: CentOS

Description:    CentOS release 5.8 (Final)

Release:        5.8

Codename:       Final

[root@localhost etc]# uname -a

Linux localhost 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux

kernel 需要支持 tun 設備, 需要加載 iptables 模塊.
檢查 tun 是否安裝:
代碼:

[root@localhost etc]# modinfo tun

filename:       /lib/modules/2.6.18-308.el5/kernel/drivers/net/tun.ko

alias:          char-major-10-200

license:        GPL

author:         (C) 1999-2004 Max Krasnyansky <[email protected]>

description:    Universal TUN/TAP device driver

srcversion:     430A127E593C2F7EFE6855C

depends:        

vermagic:       2.6.18-308.el5 SMP mod_unload gcc-4.1

module_sig:     883f3504f44473a48d0a1fbae482c4c112353409f741ba97727abe79e7a1b293a4b6ac46577b82809e28dd61309aa75474d3abbbe30da852c9a01d67

如果沒有 modinfo 命令, 直接找一下, 看看 kernel 裏是否有 tun.o 文件:
代碼:


檢查iptables 模塊, 查看是否有下列文件:
/etc/init.d/iptables
OpenSSL。如果需要啓用 SSL 連接，則需要先安裝 OpenSSL。安裝　OpenSSL 的方法在這裏不做介紹，具體可以用 Google 搜索。CentOS 下可以用 yum install:

#yum install openssl
#yum install openssl-devel

安裝的 Open*** 的版本: 2.0.5. 更新的版本. 可以在http://open***.net 上下載. 

Client 端的環境:
Windows XP PRO SP2
Open*** GUI For windows 1.0.3 , 可在 open***.se 下載
注意: Open*** GUI for windows 的版本要和 Open*** Server 的版本配套.
例如, 服務器裝的是 Open*** 2.0.5, 那麼下載的 Open*** GUI fow windows 應該是: open***-2.0.5-gui-1.0.3-install.exe
Open*** GUI的所有歷史版本: http://open***.se/files/install_packages/ 

二. Open*** 服務端安裝過程    /usr/local/src/

下載 LZO，解壓到lzo-2.02.

地址: http://www.oberhumer.com/opensource/lzo/download/ 代碼:

#wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz

下載 Open***, 解壓到open***-2.0.5

地址: http://open***.net/download.html 代碼:

#wget http://open***.net/release/open***-2.0.5.tar.gz

安裝 LZO 代碼:

#cd /lzo-2.02 
#./configure 
#make 
#make check 
#make install 

安裝 Open***

代碼:

#cd /open***-2.0.5
#./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib 
#make 
#make install 

cp /usr/local/src/open***-2.0.5/easy-rsa/ -r /etc/open***

生成證書Key

初始化 PKI

(如果沒有 export 命令也可以用 setenv [name] [value] 命令)

代碼:

#cd /etc/open***/2.0/
#vim vars
export D=`pwd` 
export KEY_CONFIG=$D/openssl.cnf 
export KEY_DIR=$D/keys 
export KEY_SIZE=1024 
export KEY_COUNTRY=CN 
export KEY_PROVINCE=BJ 
export KEY_CITY=BJ
export KEY_ORG="zhaoyong.com" 
export KEY_EMAIL="[email protected]" 

#source vars

#./clean-all 
#./build-ca 

Generating a 1024 bit RSA private key 
................++++++ 
........++++++ 
writing new private key to 'ca.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [CN]: 
State or Province Name (full name) [BJ]: 
Locality Name (eg, city) [BJ]: 
Organization Name (eg, company) [zhaoyong.com]: 
Organizational Unit Name (eg, section) []:zhaoyong.com 
Common Name (eg, your name or your server's hostname) []:server 
Email Address [[email protected]]: 

# 建立 server key 代碼: 代碼:

#./build-key-server server 

Generating a 1024 bit RSA private key 
......++++++ 
....................++++++ 
writing new private key to 'server.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [CN]: 
State or Province Name (full name) [BJ]: 
Locality Name (eg, city) [BJ]: 
Organization Name (eg, company) [zhaoyong.com]: 
Organizational Unit Name (eg, section) []:zhaoyong.com 
Common Name (eg, your name or your server's hostname) []:server 
Email Address [[email protected]]: 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []:zhaoyong
An optional company name []:zhaoyong.com
Using configuration from /open***-2.0.5/easy-rsa/openssl.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName :PRINTABLE:'CN' 
stateOrProvinceName :PRINTABLE:'BJ' 
localityName :PRINTABLE:'BJ' 
organizationName :PRINTABLE:'zhaoyong.com' 
organizationalUnitName:PRINTABLE:'zhaoyong.com' 
commonName :PRINTABLE:'server' 
emailAddress :IA5STRING:'[email protected]' 
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 

#生成客戶端 key

代碼:

#./build-key client1 
Generating a 1024 bit RSA private key 
.....++++++ 
......++++++ 
writing new private key to 'client1.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [CN]: 
State or Province Name (full name) [BJ]: 
Locality Name (eg, city) [BJ]: 
Organization Name (eg, company) [zhaoyong.com]: 
Organizational Unit Name (eg, section) []:zhaoyong.com 
Common Name (eg, your name or your server's hostname) []:client1 #重要: 每個不同的 client 生成的證書, 名字必須不同. 
Email Address [[email protected]]: 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []:zhaoyong 
An optional company name []:zhaoyong.com 
Using configuration from /open***-2.0.5/easy-rsa/openssl.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName :PRINTABLE:'CN' 
stateOrProvinceName :PRINTABLE:'BJ' 
localityName :PRINTABLE:'BJ' 
organizationName :PRINTABLE:'zhaoyong.com' 
organizationalUnitName:PRINTABLE:'zhaoyong.com' 
commonName :PRINTABLE:'client1' 
emailAddress :IA5STRING:'[email protected]' 
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 

依次類推生成其他客戶端證書/key

代碼:

#./build-key client2 
#./build-key client3 

注意在進入 Common Name (eg, your name or your server's hostname) []: 的輸入時, 每個證書輸入的名字必須不同.
生成 Diffie Hellman 參數 。代碼:

#./build-dh 

將 keys 下的所有文件打包下載到本地

創建服務端配置文件

mkdir /etc/open***/2.0/conf

 cp /usr/local/src/open***-2.0.5/sample-config-files/server.conf /etc/open***/2.0/conf/server.conf

編輯服務器配置文件

vim /etc/open***/2.0/conf/server.conf

從樣例文件創建:

server.conf 的內容
# cat server.conf | grep -v ^$ | grep -v ^# | grep -v ^\;
local 192.168.5.72
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh /usr/local/etc/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
verb 4
push "dhcp-option DNS 202.106.0.20" 

#需要將ca.crt、server.crt、server.key、dh1024.pem從keys目錄下拷貝到server.conf的同目錄

創建客戶端配置文件
代碼:

cp /usr/local/src/open***-2.0.5/sample-config-files/client.conf /etc/open***/2.0/conf/

 #cp客戶端配置文件

#vim  /etc/open***/2.0/conf/client.conf 
client
dev tun
proto udp
remote 192.168.5.72 1194
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1 

將keys下的文件打包放到vsftpd目錄下

tar zcvf yskeys.tar.gz keys/

cp yskeys.tar.gz /var/ftp/pub/

啓動Open***

/usr/local/sbin/open*** --config /etc/open***/2.0/conf/server.conf &

#cp /usr/local/src/open***-2.0.5/sample-scripts/open***.init /etc/init.d/open***

#service open*** restart

#chkconfig -add open***

#chkconfig open*** on

至此，接下來該設置iptables了

============================

啓用iptables

service iptables start

開啓CentOS 5 的路由轉發功能

echo 1 > /proc/sys/net/ipv4/ip_forward

#爲了使CentOS重啓後仍然開啓路由轉發功能我們需要再執行下列命令

sysctl -w net.ipv4.ip_forward=1

添加包過濾規則

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 119.57.16.5

備註：119.57.16.5 換成你服務器的公網ip

三. Open*** GUI For Windows 客戶端安裝過程

安裝 Open*** GUI For Windows, 到 http://open***.se 下載. 目前的版本是 1.0.3. 注意: Open*** GUI 的版本要和 Open*** Server 的版本配套. 詳見第一節一. 安裝環境中的說明.
依屏幕指示安裝open*** gui.
配置 open*** gui

安裝結束後, 進入安裝文件夾下的 config 目錄, 然後將上面的 client.conf 文件從 server 上下載到此文件夾, 並更名爲 client.o***

同時, 將server服務器上的如下密鑰拷貝到本地

ca.crt 
ca.key 

client1.crt--->改名client.crt

client1.csr--->改名client.csr

client1.key--->改名client.key

然後雙擊 client.o*** 即可啓動 open***, 或者通過 Open*** GUI 的控制啓動 ***.

如果雙擊 client.o*** 沒有反應, 則在任務欄點 Open*** GUI 的小圖標右鍵, 選擇 edit config, 將內容複製過去再保存. 然後再點右鍵中的 connect即可.

如果需要第二臺機器上使用 *** , 進行同樣的配置, 只需要將 client1.crt, client1.csr, client1.key 換成對應的 client2.xxx 即可, 然後將 client.o*** 中的對應key文件值改掉.