The system clocks must be synchronized.
1. Preparation before installation:
[root@data ~]# yum -y install openssl openssl-devel gcc
Download the following packages:
openvpn-2.2.0.tar.gz          server installation package
lzo-2.06.tar.gz               package for compressing tunnel traffic
openvpn-2.2.0-install.exe     client installation package
Bundled download address:
http://down.51cto.com/data/1019725
Note: since the OpenVPN official site has been blocked, it can only be downloaded by getting over the wall, so I have bundled the packages to make downloading easier for everyone.
2. Install the lzo package:
The lzo package compresses the tunnel traffic to speed up transmission. The steps are as follows:
[root@data ~]# tar zxvf lzo-2.06.tar.gz
[root@data ~]# cd lzo-2.06
[root@data lzo-2.06]# ./configure --prefix=/usr/ && make && make install
4. Install OpenVPN:
[root@data ~]# tar zxvf openvpn-2.2.0.tar.gz
[root@data ~]# cd openvpn-2.2.0
[root@data openvpn-2.2.0]# ./configure --with-lzo-lib=/usr/ && make && make install
If the following error appears here: configure: error: libpam required but missing
on a 64-bit system simply run yum install pam-devel.x86_64
and if your server is 32-bit run
yum install pam-devel.i686
5. OpenVPN server configuration
(1) Set up the CA details
[root@data ~]# cd openvpn-2.2.0/easy-rsa/2.0/
[root@data 2.0]# vim vars
export KEY_COUNTRY="CN"                 // your country, two-letter code
export KEY_PROVINCE="SH"                // your province
export KEY_CITY="SHANGHAI"              // your city
export KEY_ORG="51CTO"                  // your organization
export KEY_EMAIL="[email protected]"    // your e-mail address
export KEY_OU="51CTO.com"               // your organizational unit
Next enter the following command:
[root@data 2.0]# source vars            // after this command the following message is shown
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.2.0/easy-rsa/2.0/keys
Then enter the following commands:
[root@data 2.0]# ./clean-all
[root@data 2.0]# ./build-ca             // just press Enter at every prompt; this generates the root CA certificate
Generating a 1024 bit RSA private key
.........................................++++++
.......................................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [51CTO]:
Organizational Unit Name (eg, section) [51cto.com]:
Common Name (eg, your name or your server's hostname) [51CTO CA]:
Name []:
Email Address [[email protected]]:
You can see that ca.crt and ca.key have been generated.
Generate the Diffie-Hellman file for the server; it is needed later when configuring the OpenVPN server. The command is:
[root@data 2.0]# ./build-dh
(2) Generate the server certificate and key with the following command:
[root@data 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.......++++++
.................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [51CTO]:
Organizational Unit Name (eg, section) [51cto.com]:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:51cto.com
Using configuration from /root/soft/openvpn-2.2.0/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'SHANGHAI'
organizationName      :PRINTABLE:'51CTO'
organizationalUnitName:PRINTABLE:'51cto.com'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Nov 19 08:20:18 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Generate a certificate for the client; the certificate generated here is the one to be distributed to the client for its use.
[root@data 2.0]# ./build-key steven.shi
Once the above has finished normally, the keys directory contains the generated certificate files, which can be listed with the following command:
[root@data 2.0]# ll keys/
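Before these files are wired into server.conf or handed to a client it is worth confirming that what easy-rsa wrote to keys/ is consistent. The shell script below is an added check and is not part of the original tutorial, of OpenVPN or of easy-rsa; it assumes the file names used above (ca.crt, server.crt/server.key and <client>.crt/<client>.key) and an installed openssl command line. It verifies that each certificate chains to ca.crt, that each private key really belongs to its certificate (same RSA modulus), and prints the expiry dates so that an expired or wrongly dated certificate is noticed before the first connection fails.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity-check the PKI
# material in the easy-rsa keys/ directory. Assumes the file names used
# in the tutorial and that the openssl CLI is available.

# check_pair KEYSDIR NAME: verify NAME.crt chains to KEYSDIR/ca.crt and that
# NAME.key is the private key belonging to NAME.crt. Returns 0 on success,
# 1 on any mismatch, printing the reason to stderr.
check_pair() {
    dir="$1"; name="$2"
    crt="$dir/$name.crt"; key="$dir/$name.key"

    [ -r "$crt" ] && [ -r "$key" ] \
        || { echo "missing $crt or $key" >&2; return 1; }

    # Chain check: the CA in ca.crt must have signed this certificate.
    # The ": OK" text is checked rather than the exit status because old
    # openssl releases exit 0 even when verification fails.
    openssl verify -CAfile "$dir/ca.crt" "$crt" 2>/dev/null | grep -q ': OK$' \
        || { echo "$crt does not verify against ca.crt" >&2; return 1; }

    # Key/cert match: the modulus embedded in the certificate must equal
    # the modulus of the private key. Compare digests of both.
    m_crt=$(openssl x509 -noout -modulus -in "$crt" | openssl md5)
    m_key=$(openssl rsa  -noout -modulus -in "$key" 2>/dev/null | openssl md5)
    [ "$m_crt" = "$m_key" ] \
        || { echo "$key does not match $crt" >&2; return 1; }

    echo "$name: certificate chains to ca.crt and matches its private key"
    return 0
}

# check_keys KEYSDIR CLIENT...: check the server pair and every client pair
# named on the command line, then report the CA and server expiry dates.
# Returns 0 only if every pair passed.
check_keys() {
    dir="$1"; shift
    rc=0
    check_pair "$dir" server || rc=1
    for c in "$@"; do
        check_pair "$dir" "$c" || rc=1
    done
    for f in "$dir"/ca.crt "$dir"/server.crt; do
        printf '%s expires: ' "$f"
        openssl x509 -noout -enddate -in "$f" 2>/dev/null | cut -d= -f2
    done
    return $rc
}

# Usage on the server built above (client name as passed to ./build-key):
#   check_keys /root/openvpn-2.2.0/easy-rsa/2.0/keys steven.shi
```

Run it once after ./build-key for each client; a non-zero exit means a certificate or key should not be distributed as-is.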
(3) Modify the OpenVPN configuration file /etc/server.conf
1) Copy the sample file into the /etc directory and then make the changes on top of it, with the following command:
[root@data 2.0]# cp /root/openvpn-2.2.0/sample-config-files/server.conf /etc/server.conf
2) Edit /etc/server.conf, paying attention to the following key points:
First, change proto udp to proto tcp, so that the service starts on TCP port 1194.
Second, change the four ca-related lines to the form shown below (remember to write absolute paths):
ca /root/openvpn-2.2.0/easy-rsa/2.0/keys/ca.crt
The file after ca is the root CA certificate generated by build-ca; it is used to verify whether a client's certificate is valid.
cert /root/openvpn-2.2.0/easy-rsa/2.0/keys/server.crt
key /root/openvpn-2.2.0/easy-rsa/2.0/keys/server.key
The two lines above are the server's own certificate and key.
dh /root/openvpn-2.2.0/easy-rsa/2.0/keys/dh1024.pem
Third, change the server line to the following:
server 10.8.0.0 255.255.255.0    // the subnet the OpenVPN server assigns to the VPN network when it starts; make sure it does not conflict with IP addresses on the public network.
Fourth, change verb 3 to verb 5.
3) Start OpenVPN
1. Stop iptables and SELinux so that they do not cause unnecessary interference with OpenVPN.
2. Enable the IP forwarding built into the system, with the following command:
[root@data keys]# echo "1" > /proc/sys/net/ipv4/ip_forward
3. Start OpenVPN with the following command:
[root@data keys]# /usr/local/sbin/openvpn --config /etc/server.conf
If you see Initialization Sequence Completed, the start-up succeeded.
Verify with lsof -i:1194:
[root@data keys]# lsof -i:1194
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
openvpn 20074 root    5u  IPv4  94836      0t0  TCP *:openvpn (LISTEN)
6. Client installation:
1. Install openvpn-2.2.0-install.exe, clicking Next all the way through. A shortcut is created on the desktop, as shown in the figure.
The default installation path is C:\Program Files\OpenVPN
2. Copy the client certificate files generated on the server into the config directory,
i.e. copy ca.crt, steven.shi.crt and steven.shi.key into the config directory.
3. Copy client.conf from the sample-config-files folder of the unpacked openvpn-2.2.0 directory on the server into the local config directory and rename it to steven.shi.ovpn
Note: use the same name as your certificate files.
Open steven.shi.ovpn in a text editor and change the following items:
1) change proto udp to proto tcp
2) change the remote line to the server's IP and port:
remote 192.168.1.101 1194
Note: this is only for testing, so an internal IP is used; in production the server has a public IP, so change it to the corresponding IP.
3) change the three ca-related lines to the following:
ca ca.crt
cert steven.shi.crt
key steven.shi.key
4. Open the VPN client, right-click the icon in the bottom-right corner and choose Connect.
5. Once the connection succeeds, the icon turns green and reports success.
OK, at this point the configuration is fully complete.