Open***: test deployment by connecting to a remote server

I. Server-side configuration

Environment

Cloud server
# Linux release
[root@open***-server open***]# cat /etc/redhat-release 
CentOS Linux release 7.7.1908 (Core)
# Internal (private) IP
[root@open***-server open***]#  ifconfig eth0|awk 'NR==2{print $2}'
172.16.1.90
# Public IP
[root@open***-server open***]# curl ifconfig.me
59.110.215.165
# Configure the yum base repo and the EPEL repo
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

① Generating certificates with easy-rsa 3

# Enable IPv4 forwarding in the kernel so the server can route client traffic
echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf && sysctl -p

# Install the required packages
yum install gcc gcc-c++ easy-rsa -y open*** openssl

# Copy easy-rsa into the open*** directory
mkdir -p /etc/open***/easy-rsa
\cp -a /usr/share/easy-rsa/3/* /etc/open***/easy-rsa/
chown -R root:root /etc/open***/easy-rsa/
cd /etc/open***/easy-rsa/

[root@lcx01 easy-rsa]# ll ./
total 76
-rwxr-xr-x 1 root root 48730 Feb  2  2019 easyrsa
-rw-r--r-- 1 root root  4651 Feb  2  2019 openssl-easyrsa.cnf
drwx------ 4 root root  4096 Jan  2 18:24 pki
drwxr-xr-x 2 root root  4096 Jan  2 18:14 x509-types

# Copy vars.example into the easy-rsa directory as vars
cp -a /usr/share/doc/easy-rsa-3.0.6/vars.example ./vars

# Set the following parameters
egrep -v '^#|^$' vars 
set_var EASYRSA_REQ_COUNTRY	"CH"
set_var EASYRSA_REQ_PROVINCE	"BJ"
set_var EASYRSA_REQ_CITY	"BJ"
set_var EASYRSA_REQ_ORG	"ZXZN"
set_var EASYRSA_REQ_EMAIL	"[email protected]"
set_var EASYRSA_REQ_OU		"ZXZN"
set_var EASYRSA_KEY_SIZE	2048
set_var EASYRSA_CA_EXPIRE      3650 # CA validity in days (10 years by default)
set_var EASYRSA_NS_SUPPORT	"yes"	# must be enabled if the client config uses ns-cert-type server

1. Generate the server certificate

Initialize the directory

Initialization creates a pki directory under the current directory; it stores the intermediate files and the certificates that are eventually generated.

[root@lcx01 easy-rsa]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/open***/easy-rsa/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes	

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open***/easy-rsa/pki

Create the CA certificate

Create the root certificate. You are first prompted for a passphrase, which the CA uses whenever it signs the server and client certificates generated later, and then for the Common Name (the other DN fields come from vars).

[root@lcx01 easy-rsa]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase: # enter the CA key passphrase
Re-Enter New CA Key Passphrase: # enter it again
Generating RSA private key, 2048 bit long modulus
...............+++
.........+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:***server # certificate name

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/open***/easy-rsa/pki/ca.crt

Create the server certificate

Create the server certificate request and private key. The "nopass" argument leaves the key unencrypted, since the server normally has to start without anyone typing a passphrase.

[root@lcx01 easy-rsa]# ./easyrsa gen-req ***server nopass
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...+++
.....+++
writing new private key to '/etc/open***/easy-rsa/pki/private/***server.key.XaqajZ9e3R'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [***server]:

Keypair and certificate request completed. Your files are:
req: /etc/open***/easy-rsa/pki/reqs/***server.req
key: /etc/open***/easy-rsa/pki/private/***server.key

Sign the server certificate

Sign the server certificate: first confirm the details shown by typing yes, then enter the passphrase set during build-ca.

[root@lcx01 easy-rsa]# ./easyrsa sign server ***server

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = ***server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes	# type yes to confirm
Using configuration from /etc/open***/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/open***/easy-rsa/pki/private/ca.key:		# enter the CA passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'***server'
Certificate is to be certified until Dec 17 10:49:15 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/open***/easy-rsa/pki/issued/***server.crt

Create the Diffie-Hellman parameters

Generate the Diffie-Hellman parameter file used for the key exchange when the tunnel is established; it lets the two sides agree on a shared key securely across an untrusted network.

This takes a while; be patient.

[root@lcx01 easy-rsa]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...+........................................................+.........................................................
......+................................................................................................................
.........................................................................................................................
.......................................+...............................................................................
................+......................................................................................................
.........................................................................................................................
...+......................................................................++*++*

DH parameters of size 2048 created at /etc/open***/easy-rsa/pki/dh.pem

2. Create the client certificate

Create a client directory under easy-rsa and copy the stock easy-rsa tree into it.

mkdir /etc/open***/easy-rsa/client
cd /etc/open***/easy-rsa/client
cp -a /usr/share/easy-rsa/3/* /etc/open***/easy-rsa/client/

Initialize the directory

This creates a pki directory under the current directory for the intermediate files and the certificates that are eventually generated.

[root@lcx01 client]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars

WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/open***/easy-rsa/client/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open***/easy-rsa/client/pki

Create the client certificate

Generate the client certificate request and private key; client01 here is the client's host name.

[root@lcx01 client]# ./easyrsa gen-req client01
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
................................+++
....+++
writing new private key to '/etc/open***/easy-rsa/client/pki/private/client01.key.D7Td4Lia5M'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client01]:

Keypair and certificate request completed. Your files are:
req: /etc/open***/easy-rsa/client/pki/reqs/client01.req
key: /etc/open***/easy-rsa/client/pki/private/client01.key

Import the client certificate request

Go back to the easy-rsa directory used for the server certificate and import the client request, ready for signing.

[root@lcx01 client]# cd ..
[root@lcx01 easy-rsa]# ./easyrsa import-req ./client/pki/reqs/client01.req client01
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: client01
You may now use this name to perform signing operations on this request.

[root@lcx01 easy-rsa]# ll /etc/open***/easy-rsa/pki/reqs/
total 8
-rw------- 1 root root 891 Jan  2 19:16 client01.req
-rw------- 1 root root 891 Jan  2 18:46 ***server.req

Sign the client certificate

Sign the client certificate: first confirm the details shown by typing yes, then enter the passphrase set during build-ca.

[root@lcx01 easy-rsa]# ./easyrsa sign client client01
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = client01

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes	# type yes to confirm
Using configuration from /etc/open***/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/open***/easy-rsa/pki/private/ca.key:		# enter the CA passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client01'
Certificate is to be certified until Dec 17 11:17:42 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/open***/easy-rsa/pki/issued/client01.crt

Note: the Common Name of the CA, the server and the client should not be identical, otherwise the open*** connection will run into problems.

3. Server-side and client-side certificate summary

# The open*** server needs:
/etc/open***/easy-rsa/pki/ca.crt <CA certificate>
/etc/open***/easy-rsa/pki/private/***server.key <server private key>
/etc/open***/easy-rsa/pki/issued/***server.crt <server certificate>
/etc/open***/easy-rsa/pki/dh.pem	<Diffie-Hellman parameters>

# The open*** client needs:
/etc/open***/easy-rsa/pki/ca.crt <CA certificate>
/etc/open***/easy-rsa/pki/issued/client01.crt <client01 certificate>
/etc/open***/easy-rsa/client/pki/private/client01.key <client01 private key>

4. Collect the certificates

# Server side
mkdir /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/ca.crt /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/private/ca.key /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/private/***server.key /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/issued/***server.crt /etc/open***/keys
cp -a /etc/open***/easy-rsa/pki/dh.pem /etc/open***/keys

[root@lcx01 open***]# ll keys/
total 20
-rw------- 1 root root 1164 Jan  2 18:40 ca.crt
-rw------- 1 root root 1675 Jan  2 18:39 ca.key
-rw------- 1 root root  424 Jan  2 18:52 dh.pem
-rw------- 1 root root 4802 Jan  2 18:49 ***server.crt
-rw------- 1 root root 1704 Jan  2 18:46 ***server.key


# Client side
mkdir /root/client01
cp -a /etc/open***/easy-rsa/pki/ca.crt /root/client01/
cp -a /etc/open***/easy-rsa/pki/private/ca.key /root/client01/
cp -a /etc/open***/easy-rsa/pki/issued/client01.crt /root/client01/
cp -a /etc/open***/easy-rsa/client/pki/private/client01.key /root/client01/
cp -a /usr/share/doc/open***-2.4.8/sample/sample-config-files/client.conf /root/client01/client01.o***

[root@lcx01 open***]# ll /root/client01/
total 20
-rw------- 1 root root 1164 Jan  2 18:40 ca.crt
-rw------- 1 root root 4679 Jan  2 19:17 client01.crt
-rw------- 1 root root 1704 Jan  2 19:04 client01.key
-rw-r--r-- 1 root root 3585 Oct 30 20:37 client01.o***
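Before starting the service it is worth checking that each directory assembled above holds exactly what its role needs and that private keys are not readable by other users. The shell function below is an added example, not part of the original post: it takes the directory, the certificate name (***server or client01 above) and the role, and it also flags a ca.key copied alongside, because neither server.conf nor the client config references the CA's private key, which only the signing host needs.

```shell
# Added example (not from the original post): sanity-check a key directory before
# starting open***. DIR is the directory, NAME the certificate name, ROLE is
# "server" or "client". File names follow the page (ca.crt, NAME.crt, NAME.key, dh.pem).
check_keys_dir() {
    dir=$1; name=$2; role=$3; rc=0
    # Public material: must exist and be readable.
    for f in ca.crt "$name.crt"; do
        [ -r "$dir/$f" ] || { echo "missing: $dir/$f" >&2; rc=1; }
    done
    # Only the server needs the Diffie-Hellman parameters.
    if [ "$role" = server ]; then
        [ -r "$dir/dh.pem" ] || { echo "missing: $dir/dh.pem" >&2; rc=1; }
    fi
    # Private key: must exist and must not be readable by group or others.
    if [ ! -f "$dir/$name.key" ]; then
        echo "missing: $dir/$name.key" >&2; rc=1
    elif [ -n "$(find "$dir/$name.key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "too permissive: $dir/$name.key (expected 0600)" >&2; rc=1
    fi
    # The CA private key is only used for signing; neither server.conf nor the
    # client config references it, so it should stay on the signing host.
    if [ -e "$dir/ca.key" ]; then
        echo "warning: $dir/ca.key present; keep the CA key on the signing host only" >&2
        rc=1
    fi
    return $rc
}

# Usage on the server (names from the page):
#   check_keys_dir /etc/open***/keys '***server' server && systemctl restart open***@server.service
```

The function returns non-zero on any finding, so it can gate the service restart in a deployment script.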

5. Create a second client certificate

cd /etc/open***/easy-rsa/client/
./easyrsa init-pki
./easyrsa gen-req client02
cd ..
./easyrsa import-req ./client/pki/reqs/client02.req client02
./easyrsa sign client client02
mkdir /root/client02
cp -a /etc/open***/easy-rsa/pki/ca.crt /root/client02/
cp -a /etc/open***/easy-rsa/pki/private/ca.key /root/client02/
cp -a /etc/open***/easy-rsa/pki/issued/client02.crt /root/client02/
cp -a /etc/open***/easy-rsa/client/pki/private/client02.key /root/client02/
cp -a /usr/share/doc/open***-2.4.8/sample/sample-config-files/client.conf /root/client02/client02.conf

[root@open***-server easy-rsa]# ll /root/client02/
total 24
-rw------- 1 root root 1151 Jan  3 14:18 ca.crt
-rw------- 1 root root 1675 Jan  3 14:17 ca.key
-rw-r--r-- 1 root root 3585 Oct 30 20:37 client02.conf
-rw------- 1 root root 4665 Jan  3 14:51 client02.crt
-rw------- 1 root root 1704 Jan  3 14:50 client02.key

6. Edit the server configuration file

# Make a copy of the sample server configuration and strip comments and blank lines
cp /usr/share/doc/open***-2.4.8/sample/sample-config-files/server.conf /etc/open***/server.conf.bak
cd /etc/open***/
egrep -v '^;|^$|^#' server.conf.bak >server.conf


# Directory and files for fixed client IPs
# The ccd directory holds per-client settings; each file in it must be named after the client's certificate name
# open*** (in its default net30 topology) gives each client a 255.255.255.252 subnet, which has only two usable addresses (2^2-2=2)
# so each entry sets two IPs: one for the client and one for the server end of the link
#ifconfig-push 10.8.0.1 10.8.0.2
#ifconfig-push 10.8.0.5 10.8.0.6
#ifconfig-push 10.8.0.9 10.8.0.10
#ifconfig-push 10.8.0.13 10.8.0.14
#ifconfig-push 10.8.0.17 10.8.0.18
#...
#ifconfig-push 10.8.0.249 10.8.0.250
http://www.wendangku.net/doc/749ab13c580216fc700afd27.html

mkdir ./ccd
vim ./ccd/client01
ifconfig-push 10.8.0.5 10.8.0.6
vim ./ccd/client02
ifconfig-push 10.8.0.9 10.8.0.10
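The /30 arithmetic above can be automated rather than typed by hand. The shell functions below are an added example, not from the original post: they assume the 10.8.0.0/24 pool used in server.conf and the page's convention that each ccd file is named after the client certificate's Common Name; the client names passed in are constructed.

```shell
# Added example (not from the original post): allocate net30 (/30) address pairs
# for client-config-dir files. Assumes the 10.8.0.0/24 pool from server.conf.

# Print the n-th client pair in a /24 pool (n = 1, 2, ...). In the default net30
# topology every client occupies a /30 block; the first block (.1/.2) belongs to
# the server's own tun interface, so client 1 gets .5/.6, client 2 gets .9/.10 ...
# With "server 10.8.0.0 255.255.255.0" the pool runs .4 to .251, i.e. 62 clients.
net30_pair() {
    prefix=$1   # first three octets, e.g. 10.8.0
    n=$2        # client index, 1..62
    if [ "$n" -lt 1 ] || [ "$n" -gt 62 ]; then
        echo "client index $n out of range (1-62)" >&2
        return 1
    fi
    echo "ifconfig-push $prefix.$((4 * n + 1)) $prefix.$((4 * n + 2))"
}

# Validate a hand-written pair: same /24, client octet = 4k+1, server octet = client+1,
# i.e. the two usable addresses of one /30 block.
check_pair() {
    client=$1; server=$2
    c_last=${client##*.}; s_last=${server##*.}
    [ "${client%.*}" = "${server%.*}" ] || return 1
    [ $((c_last % 4)) -eq 1 ] || return 1
    [ "$s_last" -eq $((c_last + 1)) ] || return 1
}

# Write one ccd file per client name, in the order given; file names must match the CNs.
write_ccd() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    i=1
    for name in "$@"; do
        net30_pair 10.8.0 "$i" > "$dir/$name" || return 1
        i=$((i + 1))
    done
}

# Usage on the server (constructed client names):
#   write_ccd /etc/open***/ccd client01 client02 && cat /etc/open***/ccd/client02
```

check_pair is the check to run over an existing ccd directory after editing by hand: a pair that is not the usable half of a /30 block will not work in net30 topology.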

☆ Server configuration file in detail

[root@lcx01 open***]# cat server.conf
# Listening port
port 1194
# Transport protocol
proto udp
# Routed tunnel mode
dev tun
# CA certificate path; server and clients use the same CA certificate
ca     keys/ca.crt
# Server certificate path; server and clients each specify their own certificate and key
cert   keys/***server.crt
# Server private key path; relative to the directory of the config file, or absolute
key    keys/***server.key
# Diffie-Hellman parameters for the key exchange
dh     keys/dh.pem
# Address pool handed out to clients; note: it must not overlap the *** server's internal network
server 10.8.0.0 255.255.255.0
# Client-to-virtual-IP table, so a reconnecting client keeps its previous IP
ifconfig-pool-persist ipp.txt
# Push routes to clients so they can reach the other private subnets behind the server
push "route 192.168.1.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
# Allow clients to reach each other; the *** runs on the cloud server and both the office and the remote sites are *** clients
client-to-client
# Fixed client IPs; each file in the ccd directory must be named after the client's certificate name
client-config-dir ccd
# Keepalive: ping every 10 seconds; if no reply arrives within 120 seconds the remote is considered down
keepalive 10 120
# Enable compression on the *** link; server and clients must use the same setting
comp-lzo
# Maximum number of concurrent clients
max-clients 100
# Cipher
cipher AES-256-CBC
# Drop the open*** daemon's privileges after startup
user nobody
group nobody
# Keep the key and the tun device across restarts (the daemon cannot re-read them after dropping privileges)
persist-key
persist-tun
# Short status log, refreshed every minute, listing the current clients
status open***-status.log
# Log verbosity; higher values are more detailed (0: errors only; 4: normal; 5/6: helps debug connection problems; 9: everything, including packet headers)
verb 3
# Log file; overwritten when open*** restarts
log /var/log/open***.log
# After 20 consecutive messages of the same category, stop logging them
mute 20
# Tell clients when the server restarts so they reconnect automatically
explicit-exit-notify 1
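A reviewer of the configuration above would check a handful of settings before exposing port 1194 to the internet. The shell lint below is an added example, not from the original post: it reads a server.conf and reports a missing tls-crypt/tls-auth, enabled compression, a missing crl-verify (without it the CRL generated in section 9 is never consulted), a daemon that keeps root, and a non-AES cipher. The directive names are open***'s own; the config file path is whatever the caller passes in.

```shell
# Added example (not from the original post): lint a server.conf for settings a
# reviewer would flag. Prints one line per finding and returns the number of findings.

conf_has() {
    # true when directive $2 starts an uncommented line of file $1
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

lint_server_conf() {
    conf=$1; n=0
    # Without tls-crypt/tls-auth every UDP packet reaches the TLS stack unauthenticated.
    if ! conf_has "$conf" tls-crypt && ! conf_has "$conf" tls-auth; then
        echo "no tls-crypt/tls-auth: control channel packets are not authenticated before the TLS handshake; add 'tls-crypt tc.key'"
        n=$((n + 1))
    fi
    # open*** does not recommend compressing encrypted traffic.
    if grep -Eq '^[[:space:]]*(comp-lzo|compress[[:space:]]+lz)' "$conf"; then
        echo "compression enabled: not recommended on encrypted links; remove comp-lzo/compress"
        n=$((n + 1))
    fi
    # Revoked certificates are only rejected if the server reads the CRL.
    if ! conf_has "$conf" crl-verify; then
        echo "no crl-verify: certificates revoked with 'easyrsa revoke' are still accepted; add 'crl-verify crl.pem'"
        n=$((n + 1))
    fi
    # The daemon should not keep root once the tun device and keys are open.
    if ! conf_has "$conf" user || ! conf_has "$conf" group; then
        echo "daemon keeps root after startup: add 'user nobody' and 'group nobody'"
        n=$((n + 1))
    fi
    # Require an explicit AES data-channel cipher.
    if ! grep -Eq '^[[:space:]]*cipher[[:space:]]+AES-' "$conf"; then
        echo "cipher missing or not AES: set 'cipher AES-256-GCM' or 'cipher AES-256-CBC'"
        n=$((n + 1))
    fi
    return $n
}

# Usage: lint_server_conf /etc/open***/server.conf; echo "findings: $?"
```

Run against the file shown above it reports three findings (no tls-crypt, comp-lzo, no crl-verify); the one-click script's config later on this page already carries tls-crypt and crl-verify.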

Start the server

systemctl restart open***@server.service
systemctl enable open***@server.service
systemctl status open***@server.service
netstat -lntup|grep 1194
ip a |grep tun0

7. Edit the Windows client configuration file

cd /root/client01

# Windows uses .o***; Linux uses .conf
cat ./client01.o***
ns-cert-type server
client	# act as a client
dev tun
proto udp
remote 59.110.215.165 1194	# server (host name or IP) and port; several *** servers can be listed
resolv-retry infinite		# keep retrying name resolution, useful on unreliable networks
nobind			# the client does not need to bind a specific local port
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
ca ca.crt
cert client01.crt
key client01.key
comp-lzo
verb 3

cd ~/

8. Download the client certificate files and connect

Installing the Windows client is covered below.

yum install -y zip lrzsz
zip -r client01.zip client01/*
sz client01.zip

Extract into the config directory

9. How to remove an expired certificate

# Delete the following files
rm -rf /etc/open***/easy-rsa/pki/reqs/***server.req
rm -rf /etc/open***/easy-rsa/pki/private/***server.key

# Revoke the certificate (by its issued name) and regenerate the CRL
cd /etc/open***/easy-rsa/
./easyrsa revoke ***server
./easyrsa gen-crl
# gen-crl writes pki/crl.pem; the server only rejects revoked certificates if server.conf points at that file with crl-verify

# Restart open***
systemctl restart open***@server.service

10. One-click install script

Before running this script, copy it out and read through it carefully. Its flow is roughly the same as this document. When it generates the server configuration it does not set up fixed client IPs; add that if you need it. It does not generate pushed routes to clients either, but it does configure DNS resolution and some firewall rules. Client files are named xxx.o***; if you push one to a Linux client, remember to rename it to xxx.conf.

You still need to add some features by hand according to your production requirements. My own deployment worked, but it was tedious and involved jumping between many directories, which easily gets messy, so I recommend the open-source one-click script. The easy-rsa version it uses is also the latest, 3.0.5. Many blogs online use easy-rsa 2.x, which is said to have security vulnerabilities, so it is worth learning the easy-rsa 3 certificate commands.

Download the open-source open*** project from GitHub

# Download the archive onto the server and unpack it
wget https://github.com/Nyr/open***-install/archive/master.zip
unzip master.zip
ls open***-install-master
LICENSE.txt  open***-install.sh  README.md

Run the script and press Enter through the prompts

# You need to enter the server's public IP address
# On a cloud server, if you bind a different port remember to open it in the security group
[root@open*** open***-install-master]# bash open***-install.sh 
Welcome to this open*** road warrior installer!

I need to ask you a few questions before starting setup.
You can use the default options and just press enter if you are ok with them.

What IPv4 address should the open*** server bind to?
     1) 172.17.43.166
IPv4 address [1]: 59.110.215.165
59.110.215.165: invalid selection.
IPv4 address [1]: 

This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [114.249.225.46]: 59.110.215.165

Which protocol do you want for open*** connections?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 1

What port do you want open*** listening to?
Port [1194]: 

Which DNS do you want to use with the ***?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1]: 1

Finally, tell me a name for the client certificate.
Client name [client]: client <client certificate name; better not to use the default>

Okay, that was all I needed. We are ready to set up your open*** server now.
Press any key to continue... [Enter]
...
.....
Finished!

Your client configuration is available at: /root/client.o***
If you want to add more clients, just run this script again!    

When finished, it reports that the client configuration was written to /root/client.o***

# Download to the client
sz /root/client.o***

Put the downloaded file in the Windows client's config directory before the open*** software can use it

Edit the server configuration file

Add the parameters you need, such as fixed IPs, logging and so on

[root@m01 ~]# vim /etc/open***/server/server.conf
local 59.110.215.165 # listen address; 0.0.0.0 or the internal IP also work
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"	# subnets or hosts reachable through the ***
push "route 10.0.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify

Restart the open*** service

systemctl restart open***-server@server.service
systemctl enable open***-server@server.service

② Generating certificates with easy-rsa 2

This method works, but generating certificates with easy-rsa 3 is recommended; keep up with the times.

https://blog.51cto.com/ljohn/1961347

yum install -y gcc gcc-c++ open***
wget https://github.com/open***/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
tar xf EasyRSA-2.2.2.tgz -C /root/
mv /root/EasyRSA-2.2.2 /root/easyrsa
echo 'net.ipv4.ip_forward=1 ' >>/etc/sysctl.conf && sysctl -p

cd /root/easyrsa/
cp -a ./vars{,.bak}

cat > vars <<EOF
export KEY_SIZE=2048
export KEY_COUNTRY="CN" 
export KEY_PROVINCE="BJ"
export KEY_CITY="BJ"
export KEY_ORG="zxzn"
export KEY_EMAIL="[email protected]"
export KEY_OU="zxzn"
export KEY_NAME="zxzn"
EOF

chmod +x vars
source vars

./clean-all
./build-ca zxzn***
./build-key-server ***server
./build-key ***client_01
./build-dh
open*** --genkey --secret keys/ta.key

#./build-key-pass ***zxzn   # a client certificate whose key requires a passphrase to log in


#./keys/***client_01.crt
#./keys/***client_01.key


cp /usr/share/doc/open***-2.4.8/sample/sample-config-files/server.conf /etc/open***/server.conf.bak
cd /etc/open***/
egrep -v '^;|^$|^#' server.conf.bak >server.conf
mkdir ./{keys,ccd}
\cp -a /root/easyrsa/keys/{***server.crt,***server.key,ca.crt,dh2048.pem,ta.key} keys/

vim server.conf
port 1194
proto udp
dev tun
ca 	keys/ca.crt
cert 	keys/***server.crt
key 	keys/***server.key  # This file should be kept secret
dh 	keys/dh2048.pem  # easy-rsa 2 build-dh names the file after KEY_SIZE
server 	10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
keepalive 10 120
client-to-client
client-config-dir ccd
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
log /var/log/open***.log
explicit-exit-notify 1

mkdir ./ccd	
vim ./ccd/client01
ifconfig-push 10.8.0.5 10.8.0.6

systemctl restart open***@server
systemctl enable open***@server
systemctl status open***@server
netstat -lntup|grep 1194
ip a |grep tun0

II. Windows client configuration

Download the Windows client

Run it

Extract the archive downloaded with sz into the config directory

Open the server's security group

You can test access to an internal IP from the server to check whether it is directly reachable

yum install nginx -y 
systemctl restart nginx.service

III. Linux client configuration

The Linux client is installed the same way as the server and configured the same way as the Windows client; the only difference is the file extension: .o*** on Windows, .conf on Linux.

Compile open*** and resolve its dependencies

1. Synchronize the time with the server

# The server is on Alibaba Cloud, so the client's clock must be in sync; if the clocks differ, the client cannot connect to the server
[root@open***01 lzo-2.10]# crontab -e
# sync the clock every 5 minutes
*/5 * * * *  /sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1

2. Install the lzo library

cd /server/tools
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
tar xf lzo-2.10.tar.gz -C /usr/src/
cd /usr/src/lzo-2.10/
./configure --enable-shared
make && make install

3. Compile and install open***

cd /server/tools/
wget https://swupdate.open***.org/community/releases/open***-2.4.8.tar.xz
yum install openssl-devel pam-devel -y
tar xf open***-2.4.8.tar.xz && cd open***-2.4.8/
./configure --prefix=/usr/local/open***
make && make install
ln -s  /usr/local/open***/sbin/open*** /usr/bin/open***

4. Fetch the certificates and files from the server

mkdir /usr/local/open***/etc && cd /usr/local/open***/etc/
rsync -avz [email protected]:/root/client02.zip ./
unzip client02.zip

# Rename the client02.o*** client file generated earlier to .conf
mv ./client02/client02.o*** ./client02/client02.conf

cat /usr/local/open***/etc/client02/client02.conf
ns-cert-type server
client	# act as a client
dev tun
proto udp
remote 59.110.215.165 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# absolute paths to the files unpacked above
ca      /usr/local/open***/etc/client02/ca.crt
cert    /usr/local/open***/etc/client02/client02.crt
key     /usr/local/open***/etc/client02/client02.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

5. Start the open*** client

# "Initialization Sequence Completed" in the output means the connection succeeded
open*** --config /usr/local/open***/etc/client02/client02.conf
# Add --daemon to run in the background
open***  --daemon --config /usr/local/open***/etc/client02/client02.conf

# Start at boot, as production requires
echo '/usr/bin/open*** --daemon --config /usr/local/open***/etc/client02/client02.conf' >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local

ip a|grep tun0

# Note: if the server certificate's private key was created without the "nopass" argument (i.e. encrypted), running in the background hangs here waiting for a passphrase. So if production requires Linux clients, be sure to use "nopass" when creating the server certificate.

ifconfig now shows an extra interface, tun0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.9  netmask 255.255.255.0  destination 10.8.0.3
        inet6 fe80::7077:955a:31de:c4b3  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Follow the same steps to generate new client certificates on the server and distribute them to other Linux clients.

This output is from an earlier test; the IPs differ from those in this document and are shown only to illustrate the meaning.

IV. Notes and summary

* The local networks at each site must be able to reach the internet before they can connect to the cloud server
* The *** runs on the cloud server; the company office and the remote sites are all *** clients, so they end up on what is effectively one LAN
* Clients can talk to each other over their internal addresses once client-to-client communication is enabled
* Clients connect to the cloud server automatically at boot
* Installing the client on Windows and on Linux
* All remote clients connect to the server and are then effectively on one LAN, where they can reach each other over internal addresses
* The open*** server can also be set up with the open-source one-click script; it also uses easy-rsa to generate the certificates, and generating client certificates with it is very convenient.

Configuring fixed virtual internal IP addresses for clients on the server

After a client obtains an internal IP the local connection drops; the client's address is always assigned automatically by DHCP, and if you cannot find out the client's internal IP you cannot connect to it, so configure fixed client IPs. This is only a record; the actual configuration is already done above.

mkdir -p /etc/open***/ccd
cd /etc/open***/ccd/

# File names in ccd must match the client certificate names
vim ***client_01
ifconfig-push 10.8.0.5 10.8.0.6

echo 'client-config-dir /etc/open***/ccd' >>/etc/open***/server.conf

systemctl restart open***@server.service

Explanation of the relevant sections of the sample server configuration file

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have *** access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the ***.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed *** IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2