OpenVPN is an application-layer VPN implementation built on the OpenSSL library. Compared with traditional VPNs, its advantage is that it is simple and easy to use.[1]
OpenVPN lets the endpoints participating in a VPN authenticate with a pre-shared key, digital certificates, or a username/password. It makes heavy use of the SSLv3/TLSv1 protocol library in OpenSSL. OpenVPN runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Windows 2000/XP/Vista, and includes many security features. It is not a web-based VPN, and it is not compatible with IPsec or other VPN packages.
Lab environment
centos6.5_x64
openvpn_server eth0 xx.xx.xx.xx (public IP) eth1 192.168.20.11
openvpn_client 192.168.10.12
Lab software
lzo-2.04.tar.gz
openvpn-2.4.0.tar.gz
EasyRSA-3.0.1.tgz
openvpn-install-2.4.6-I602.exe
Software installation
modprobe tun
lsmod | grep tun
tun 17094 0
yum install -y lrzsz lsof openssl openssl-devel pam pam-devel
tar zxvf lzo-2.04.tar.gz
cd lzo-2.04
./configure && make && make install
tar zxvf openvpn-2.4.0.tar.gz
cd openvpn-2.4.0
./configure --prefix=/usr/local/openvpn --disable-lzo
make && make install
cp -pv sample/sample-config-files/server.conf /usr/local/openvpn/
echo > /usr/local/openvpn/server.conf
touch /var/log/openvpn.log
ln -s /usr/local/openvpn/sbin/openvpn /usr/bin/
ll /usr/bin/openvpn
/usr/bin/openvpn -> /usr/local/openvpn/sbin/openvpn
tar zxvf EasyRSA-3.0.1.tgz
mv EasyRSA-3.0.1 /usr/local/openvpn/easy
cp -pv /usr/local/openvpn/easy/easyrsa /usr/local/openvpn/easy/easyrsa.bak
cd /usr/local/openvpn/easy/
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa build-server-full server nopass      # "server" is the server certificate name; any name works
./easyrsa build-client-full winclient nopass   # "winclient" is the client certificate name; any name works
cat > /usr/local/openvpn/server.conf << EOF
> port 1194   # the port can be changed
> proto tcp
> dev tun
> ca /usr/local/openvpn/easy/pki/ca.crt
> cert /usr/local/openvpn/easy/pki/issued/server.crt
> key /usr/local/openvpn/easy/pki/private/server.key
> dh /usr/local/openvpn/easy/pki/dh.pem
> server 10.8.0.0 255.255.255.0
> push "route 192.168.30.0 255.255.255.0"   # the server's internal subnet
> push "dhcp-option DNS 8.8.8.8"
> push "dhcp-option DNS 8.8.4.4"
> client-to-client
> keepalive 10 120
> compress lz4-v2
> push "compress lz4-v2"
> user nobody
> group nobody
> max-clients 90000   # maximum number of client connections allowed
> reneg-sec 0
> persist-key
> persist-tun
> log /var/log/openvpn.log
> verb 5
> EOF
cp -pv /etc/sysctl.conf /etc/sysctl.conf.bak
sed -i "s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g" /etc/sysctl.conf   # enable routing between the two NICs
sysctl -p
openvpn --daemon --config /usr/local/openvpn/server.conf &   # start the service
cp -pv /etc/rc.d/rc.local /etc/rc.d/rc.local.bak
echo "openvpn --daemon --config /usr/local/openvpn/server.conf & " >> /etc/rc.d/rc.local   # start the service on reboot
cat /etc/rc.d/rc.local | grep openvpn
openvpn --daemon --config /usr/local/openvpn/server.conf &
pkill openvpn   # kill the process
netstat -tuplna | grep openvpn
udp 0 0 0.0.0.0:1194 0.0.0.0:* 12195/openvpn
ps -ef | grep openvpn
nobody 12195 12100 0 16:50 pts/1 00:00:00 /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf
root 12331 12130 0 17:10 pts/2 00:00:00 grep openvpn
cat /etc/services | grep 1194
openvpn 1194/tcp # OpenVPN
openvpn 1194/udp # OpenVPN
sed -i 's/1194/1994/g' /etc/services   # run this command if you change the port
ip addr | grep tun0
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0   # virtual IP of the tunnel
Copy ca.crt, winclient.crt and winclient.key to D:\openvpn\config\
D:\openvpn\config\client.ovpn: the client configuration file has to be created from scratch
client
dev tun
proto tcp
reneg-sec 0
remote xx.xx.xx.xx 1194   # public IP of the server
persist-key
persist-tun
ca ca.crt
cert winclient.crt
key winclient.key
keepalive 10 120
verb 5
When the connection succeeds, the small computer icon turns green.
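As an added check, not part of the original post: a small shell lint for OpenVPN config files that catches the kinds of mistakes this walkthrough is prone to (a misspelled option such as keeplive, a cert/key path that does not match the files actually copied, and DNS pushed without dhcp-option). The option list, file names and the sample fragment below are constructed for this example; the script accepts any config path.

```shell
#!/bin/sh
# Lint an OpenVPN config for the mistakes in the post: a typo'd option name,
# ca/cert/key/dh files that do not exist beside the config, and DNS pushed
# without "dhcp-option". Sample files below are constructed, not the post's.
KNOWN_OPTS="client server dev proto port remote ca cert key dh push client-to-client"
KNOWN_OPTS="$KNOWN_OPTS keepalive compress user group max-clients reneg-sec persist-key persist-tun log verb"
# Print one line per problem; always exit 0 so callers can count the lines.
lint_ovpn_config() {
  conf=$1; dir=$(dirname "$conf")
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*|';'*) continue ;; esac     # skip blanks and comments
    opt=${line%% *}                                     # option name
    arg=${line#"$opt"}; arg=${arg# }                    # its arguments
    case " $KNOWN_OPTS " in
      *" $opt "*) ;;
      *) echo "unknown option '$opt' (typo?)" ;;
    esac
    case "$opt" in
      ca|cert|key|dh)                                   # relative paths resolve beside the config
        case "$arg" in /*) f=$arg ;; *) f="$dir/$arg" ;; esac
        [ -f "$f" ] || echo "$opt refers to missing file '$arg'" ;;
      push)
        case "$arg" in '"DNS '*)
          echo 'push "DNS ..." is not valid; use push "dhcp-option DNS ..."' ;;
        esac ;;
    esac
  done < "$conf"
  return 0
}
# Number of problems found (0 for a clean config).
count_lint_issues() { lint_ovpn_config "$1" | wc -l | tr -d ' '; }
# Constructed fragment collecting the post's defects, placed beside the files
# the post actually copied (ca.crt, winclient.crt, winclient.key).
SAMPLE_DIR=$(mktemp -d)
: > "$SAMPLE_DIR/ca.crt"; : > "$SAMPLE_DIR/winclient.crt"; : > "$SAMPLE_DIR/winclient.key"
cat > "$SAMPLE_DIR/broken.conf" << 'EOF'
remote xx.xx.xx.xx 1194
ca ca.crt
cert client.crt
key client.key
keeplive 10 120
push "DNS 8.8.8.8"
EOF
# The same fragment with the four fixes applied.
sed -e 's/^cert .*/cert winclient.crt/' -e 's/^key .*/key winclient.key/' \
    -e 's/^keeplive /keepalive /' -e 's/^push "DNS /push "dhcp-option DNS /' \
    "$SAMPLE_DIR/broken.conf" > "$SAMPLE_DIR/fixed.conf"
lint_ovpn_config "$SAMPLE_DIR/broken.conf"   # reports 4 problems
lint_ovpn_config "$SAMPLE_DIR/fixed.conf"    # reports nothing
```

Run it against the server.conf and client.ovpn from this walkthrough before starting the daemon; a non-empty report means OpenVPN will refuse the file or the client will fail to find its certificate.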