OpenVPN is an application-layer VPN implementation built on the OpenSSL library. Compared with traditional VPNs, its advantage is that it is simple to use.[1]
OpenVPN lets the peers that establish the VPN authenticate each other with a pre-shared key, certificates, or a username/password. It makes heavy use of the SSLv3/TLSv1 protocol library in OpenSSL. OpenVPN runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Windows 2000/XP/Vista, and includes many security features. It is not a web-based VPN, and it is not compatible with IPsec or other VPN packages.
Lab environment
centos6.5_x64
openvpn_server  eth0 xx.xx.xx.xx (public IP)  eth1 192.168.10.11
openvpn_client  192.168.10.12
Software used
lzo-2.04.tar.gz
openvpn-2.4.0.tar.gz
EasyRSA-3.0.1.tgz
openvpn-install-2.4.6-I602.exe (Windows client)
Software installation
modprobe tun
lsmod | grep tun
tun 17094 0
yum install -y lrzsz lsof openssl openssl-devel pam pam-devel
tar zxvf lzo-2.04.tar.gz
cd lzo-2.04
./configure && make && make install    # LZO is built here but never used: OpenVPN is configured below with --disable-lzo and the config uses the built-in lz4-v2 compressor
tar zxvf openvpn-2.4.0.tar.gz
cd openvpn-2.4.0
./configure --prefix=/usr/local/openvpn --disable-lzo
make && make install
cp -p sample/sample-config-files/server.conf /usr/local/openvpn/
tar zxvf EasyRSA-3.0.1.tgz
mv EasyRSA-3.0.1 /usr/local/openvpn/easy
cp -p /usr/local/openvpn/easy/easyrsa /usr/local/openvpn/easy/easyrsa.bak
cd /usr/local/openvpn/easy/
./easyrsa init-pki
./easyrsa build-ca nopass    # nopass leaves the CA key unencrypted; protect this directory, it can issue certificates for anyone
./easyrsa gen-dh
./easyrsa build-server-full server nopass          # "server" is the server certificate name; any name may be used
./easyrsa build-client-full win_client1 nopass     # "win_client1" is the client certificate name; any name may be used
cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
sed -i "s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g" /etc/sysctl.conf    # enable IP forwarding between the two NICs
sysctl -p
touch /var/log/openvpn-status.log
touch /var/log/openvpn.log
echo > /usr/local/openvpn/server.conf    # empty the copied sample and write the config below
vim /usr/local/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/easy/pki/ca.crt
cert /usr/local/openvpn/easy/pki/issued/server.crt
key /usr/local/openvpn/easy/pki/private/server.key
dh /usr/local/openvpn/easy/pki/dh.pem
server 10.8.0.0 255.255.255.0    # address pool handed to clients
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"    # client DNS; a bare push "DNS ..." is not a valid pushed option and is ignored by the client
client-to-client
keepalive 10 120
compress lz4-v2
push "compress lz4-v2"
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
Two things the sample server.conf ships with that this config drops: a control-channel HMAC key (tls-auth, or tls-crypt in 2.4; generate one with openvpn --genkey --secret /usr/local/openvpn/easy/ta.key and reference the same file on both sides, so that unauthenticated hosts cannot even start a TLS handshake against the daemon) and an explicit cipher and digest (cipher AES-256-GCM, auth SHA256; without them 2.4 falls back to BF-CBC/SHA1 when the peer cannot negotiate). Note also that compress lz4-v2 exposes tunnelled TLS/HTTP traffic to compression-oracle attacks (VORACLE); leave it out unless you need it, and prefer proto udp to avoid stacking TCP over TCP.
/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/server.conf &    # start the service (or use --daemon instead of backgrounding with &)
vim /etc/rc.local
/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/server.conf &    # start at boot
netstat -tuplna | grep openvpn
tcp        0      0 0.0.0.0:1194    0.0.0.0:*    LISTEN    12195/openvpn    # with proto tcp the socket is a TCP listener; a udp line means the daemon picked up a different config
ps -ef | grep openvpn
nobody   12195 12100  0 16:50 pts/1    00:00:00 /usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/server.conf    # runs as nobody after dropping privileges
root     12331 12130  0 17:10 pts/2    00:00:00 grep openvpn
ip addr | grep tun0
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0    # the server's virtual tunnel address
Copy ca.crt, win_client1.crt and win_client1.key to D:\openvpn\config\ on the Windows client.
D:\openvpn\config\client1.ovpn: the client config file has to be created from scratch (the extension must be .ovpn, which is what the OpenVPN GUI looks for).
client
dev tun
proto tcp
remote xx.xx.xx.xx 1194    # the server's public IP
persist-key
persist-tun
ca ca.crt
cert win_client1.crt
key win_client1.key
verb 3
This client config should also carry remote-cert-tls server, so the client only accepts a server certificate issued with the serverAuth purpose that build-server-full sets; without it, anyone holding a win_client* certificate from the same CA can pose as the server. Whatever tls-auth/tls-crypt, cipher and auth settings the server uses must be mirrored here as well.
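To make the gaps in the two configs above concrete, here is a small linter that reads OpenVPN 2.4 config text and flags the settings discussed on this page: the malformed push "DNS ..." line, the missing control-channel HMAC, compression, the implicit cipher and digest, TCP transport, and a client without remote-cert-tls server. It is an added example, not code from OpenVPN, EasyRSA or the original page; the configs it checks are constructed copies trimmed to the directives the rules inspect, and the ta.key paths in the hardened copies are assumed (the key would be made with openvpn --genkey --secret ta.key, the 2.4 syntax).

```python
"""Lint OpenVPN 2.4 server.conf / client .ovpn text for the weak or broken settings
discussed on this page. Added example, not part of OpenVPN or EasyRSA."""
import shlex

# Constructed copies of the page's configs, trimmed to the directives the rules inspect.
PAGE_SERVER_CONF = """
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/easy/pki/ca.crt
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "DNS 8.8.8.8"
compress lz4-v2
push "compress lz4-v2"
user nobody
group nobody
"""

PAGE_CLIENT_CONF = """
client
dev tun
proto tcp
remote xx.xx.xx.xx 1194
ca ca.crt
cert win_client1.crt
key win_client1.key
"""

# Hardened counterparts. The ta.key paths are assumed; the file comes from
# `openvpn --genkey --secret ta.key` (OpenVPN 2.4 syntax) and is shared by both sides.
HARDENED_SERVER_CONF = """
port 1194
proto udp
dev tun
ca /usr/local/openvpn/easy/pki/ca.crt
tls-crypt /usr/local/openvpn/easy/ta.key
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
user nobody
group nobody
"""

HARDENED_CLIENT_CONF = """
client
dev tun
proto udp
remote xx.xx.xx.xx 1194
remote-cert-tls server
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
ca ca.crt
cert win_client1.crt
key win_client1.key
"""


def parse_config(text):
    """Split config text into (directive, args) pairs; a quoted push payload stays one arg."""
    parsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        tokens = shlex.split(line)
        parsed.append((tokens[0], tokens[1:]))
    return parsed


def lint_openvpn(text, role):
    """Return [(code, message)] for a "server" or "client" config; empty means clean."""
    opts = parse_config(text)
    names = {d for d, _ in opts}
    pushed = [shlex.split(a[0]) for d, a in opts if d == "push" and a]
    proto = next((a[0] for d, a in opts if d == "proto" and a), "udp")
    findings = []
    if any(p and p[0] == "DNS" for p in pushed):
        findings.append(("push-dns-syntax",
                         'push "DNS ..." is not a pushable option; use push "dhcp-option DNS <ip>"'))
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append(("no-control-channel-hmac",
                         "no tls-auth/tls-crypt: any host can open a TLS handshake against the daemon"))
    if names & {"compress", "comp-lzo"} or any(p and p[0] == "compress" for p in pushed):
        findings.append(("compression",
                         "compression enabled: exposes tunnelled TLS/HTTP to VORACLE-style oracles"))
    if "cipher" not in names:
        findings.append(("no-cipher", "no explicit cipher: 2.4 falls back to BF-CBC without NCP"))
    if "auth" not in names:
        findings.append(("no-auth-digest", "no auth directive: HMAC digest defaults to SHA1"))
    if proto.startswith("tcp"):
        findings.append(("proto-tcp", "TCP transport stacks TCP over TCP; prefer udp"))
    if role == "client" and ("remote-cert-tls", ["server"]) not in opts:
        findings.append(("no-remote-cert-tls",
                         "client does not require the serverAuth EKU: any cert from the CA can impersonate the server"))
    return findings


def finding_codes(text, role):
    return {code for code, _ in lint_openvpn(text, role)}


if __name__ == "__main__":
    for label, text, role in [("page server", PAGE_SERVER_CONF, "server"),
                              ("page client", PAGE_CLIENT_CONF, "client"),
                              ("hardened server", HARDENED_SERVER_CONF, "server"),
                              ("hardened client", HARDENED_CLIENT_CONF, "client")]:
        print(label, lint_openvpn(text, role) or "clean")
```

Run it against the real files (open(path).read() in place of the constructed strings) before the first client connects; the page's server config trips six rules and the client five, while the hardened pair comes back clean.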