I. Creating the certificates:

  1. Install easy-rsa:
    yum  -y  install  easy-rsa
  2. With easy-rsa 2.*:
    a. Enter the directory:
    cd  /usr/share/easy-rsa/2.*/

    b. Make sure the following parameters in vars are correct: vim vars

    export KEY_SIZE=2048
    export CA_EXPIRE=3650
    export KEY_EXPIRE=3650
    export KEY_NAME="EasyRSA"

    c. Load the vars file and clear out any old keys:

    .  ./vars
    ./clean-all

    d. Build the CA certificate; at the Name [EasyRSA] prompt enter ca:

    ./build-ca

    e. Build the server key and certificate; leave challenge password and optional company name blank, enter server at the Name [EasyRSA] prompt, and answer y to both y/n prompts:

    ./build-key-server  server
    ./build-dh

    f. Build the client key and certificate; leave challenge password and optional company name blank, enter client at the Name [EasyRSA] prompt, and answer y to both y/n prompts:

    ./build-key  client

    g. Files OpenVPN needs (build-dh names the file after KEY_SIZE, so with KEY_SIZE=2048 it is dh2048.pem):

    #server side
    /usr/share/easy-rsa/2.*/keys/ca.crt
    /usr/share/easy-rsa/2.*/keys/server.key
    /usr/share/easy-rsa/2.*/keys/server.crt
    /usr/share/easy-rsa/2.*/keys/dh2048.pem
    #client side
    /usr/share/easy-rsa/2.*/keys/ca.crt
    /usr/share/easy-rsa/2.*/keys/client.crt
    /usr/share/easy-rsa/2.*/keys/client.key
  3. With easy-rsa 3.*:
    a. Create the directories:
    mkdir  /home/lee/{server,client}

    b. Copy the files:

    cp  -arf  /usr/share/easy-rsa/3.*/*  /home/lee/server
    cp  -arf  /usr/share/easy-rsa/3.*/*  /home/lee/client

    c. Enter the server directory:

    cd  /home/lee/server

    d. Initialise the PKI:

    ./easyrsa  init-pki

    e. Create the root CA (enter the password 123456 when prompted):

    ./easyrsa  build-ca

    f. Create the server certificate request:

    ./easyrsa  gen-req  server  nopass

    g. Sign the server certificate:

    ./easyrsa  sign-req  server  server

    h. Create the DH parameters:

    ./easyrsa  gen-dh

    i. Enter the client directory:

    cd  /home/lee/client

    j. Initialise the PKI:

    ./easyrsa  init-pki

    k. Create the client certificate request:

    ./easyrsa  gen-req  client  nopass

    l. Go back to the server directory:

    cd  /home/lee/server

    m. Import the client certificate request:

    ./easyrsa  import-req  ../client/pki/reqs/client.req  client

    n. Sign the client certificate:

    ./easyrsa  sign-req  client  client

    o. Files OpenVPN needs:

    #server side
    /home/lee/server/pki/ca.crt
    /home/lee/server/pki/private/server.key
    /home/lee/server/pki/issued/server.crt
    /home/lee/server/pki/dh.pem
    #client side
    /home/lee/server/pki/ca.crt
    /home/lee/server/pki/issued/client.crt
    /home/lee/client/pki/private/client.key
  4. If making the certificates seems like too much trouble, I have ready-made ones here:
    a. Clone:
    git  clone  https://github.com/dollarphper/easy-rsa.git
    (Keys published in a public repository are public too: they are usable for a lab, not for a server that carries real traffic.)

    b. Directory structure:
    (screenshots)

II. Server configuration:

  5. Install OpenVPN:
    yum  -y  install  openvpn
  6. Create the directories:
    mkdir  /etc/openvpn/{server,client}
  7. Copy the certificate files:
    cp  /path/to/ca.crt  /etc/openvpn/server/ca.crt
    cp  /path/to/server.crt  /etc/openvpn/server/server.crt
    cp  /path/to/server.key  /etc/openvpn/server/server.key
    cp  /path/to/dh.pem  /etc/openvpn/server/dh.pem
  8. Enter the OpenVPN directory:
    cd  /etc/openvpn/
  9. Edit the configuration file: vim server.conf
    port  1337
    proto  udp
    dev  tun
    ca  /etc/openvpn/server/ca.crt
    cert  /etc/openvpn/server/server.crt
    key  /etc/openvpn/server/server.key
    dh  /etc/openvpn/server/dh.pem
    server 100.100.100.0  255.255.255.0
    push  "redirect-gateway def1"
    push  "dhcp-option DNS 8.8.8.8"
    push  "dhcp-option DNS 114.114.114.114"
    push  "dhcp-option DNS 8.8.4.4"
    duplicate-cn
    keepalive  10  30
    comp-lzo
    persist-key
    client-to-client
    persist-tun
    daemon
    log-append   /var/log/openvpn/openvpn.log
    verb  3
    script-security  3
    auth-user-pass-verify  /etc/openvpn/checkpwd.sh via-env
    username-as-common-name
  10. Create the log files:
    mkdir  -p  /var/log/openvpn/
    touch  /var/log/openvpn/openvpn.log
    touch  /var/log/openvpn/passwd.log
  11. Create the password verification script: vim checkpwd.sh
    #!/bin/sh
    # OpenVPN runs this for "auth-user-pass-verify ... via-env": the client's
    # credentials arrive in the environment variables $username and $password
    # (which is why server.conf needs script-security 3).
    # PASSFILE holds one "username password" pair per line, in plaintext,
    # so keep it readable by root only (chmod 600).
    PASSFILE="/etc/openvpn/passwd"
    LOG_FILE="/var/log/openvpn/passwd.log"
    TIME_STAMP=$(date "+%Y-%m-%d %T")
    if [ ! -r "${PASSFILE}" ]; then
        echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
        exit 1
    fi
    # Hand the username to awk with -v instead of splicing it into the program
    # text, so a username containing quotes cannot alter the lookup.
    # Lines starting with ';' or '#' are comments.
    CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u {print $2; exit}' "${PASSFILE}")
    if [ -z "${CORRECT_PASSWORD}" ]; then
        echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
        exit 1
    fi
    # Only the username and the outcome are logged, never the submitted password.
    if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
        echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
        exit 0
    fi
    echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
    exit 1
  12. Make the verification script executable:
    chmod  a+x  checkpwd.sh
  13. Create the username/password file: vim passwd
    lee  123456
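The plaintext passwd file is the weak point of this setup: anyone who can read it has every user's VPN password. The following is an added example, not the blog's checkpwd.sh, of the same via-env hook written in Python: it stores salted PBKDF2-HMAC-SHA256 entries instead of plaintext, compares in constant time, and logs only the username and outcome. The file paths are assumptions chosen to match the layout used above.

```python
#!/usr/bin/env python3
# Added example of an OpenVPN "auth-user-pass-verify <script> via-env" hook
# (not the blog's checkpwd.sh). OpenVPN exports the client's credentials as the
# environment variables "username" and "password"; this hook checks them against
# salted PBKDF2-HMAC-SHA256 entries instead of plaintext and never logs the
# password. The paths are assumptions matching the layout used in the article.
import hashlib, hmac, os, secrets, sys, time

PASSFILE = "/etc/openvpn/passwd"        # one "user iterations salt_hex hash_hex" per line
LOG_FILE = "/var/log/openvpn/passwd.log"
ITERATIONS = 200_000                    # PBKDF2 work factor for new entries

def make_entry(username, password, iterations=ITERATIONS):
    """Build the password-file line for a user (run once per user, offline)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username} {iterations} {salt.hex()} {digest.hex()}"

def verify(username, password, lines):
    """True only if the user has an entry and the password matches it."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[0][:1] in (";", "#") or parts[0] != username:
            continue                    # comment, malformed line, or another user
        _, iterations, salt_hex, stored_hex = parts
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), stored_hex)   # constant-time compare
    return False

def log(message):
    with open(LOG_FILE, "a") as fh:
        fh.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')}: {message}\n")

def main():
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    client = os.environ.get("untrusted_ip", "?")   # set by OpenVPN for auth scripts
    try:
        with open(PASSFILE) as fh:
            ok = verify(username, password, fh)
    except OSError as exc:
        log(f"Could not read {PASSFILE}: {exc}")
        sys.exit(1)
    log(f"{'Successful' if ok else 'Failed'} authentication: username={username!r} from {client}")
    sys.exit(0 if ok else 1)            # 0 = accept the client, 1 = reject

if __name__ == "__main__":
    main()
```

To enrol a user, append the line returned by make_entry() to the password file; the script itself is referenced from server.conf in place of checkpwd.sh.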
  14. Configure iptables (optional):
    # -s must match the VPN subnet set by the "server" directive (100.100.100.0/24 above)
    iptables  -t  nat  -A  POSTROUTING  -s  100.100.100.0/24  -j  SNAT  --to-source  x.x.x.x
    iptables  -A  INPUT  -p  udp  --dport  1337  -j  ACCEPT
    # persist the rules so iptables-services restores them at boot
    iptables-save  >  /etc/sysconfig/iptables
  15. Configure sysctl: vim /etc/sysctl.conf
    #add
    net.ipv4.ip_forward = 1
    #reload
    sysctl  -p
  16. Configure SELinux:
    yum -y install policycoreutils-python
    semanage  port  -a  -t  openvpn_port_t  -p  udp  1337
  17. Start the OpenVPN server service:
    systemctl  start  openvpn@server

III. Client (Linux):

  18. Install OpenVPN:
    yum  -y  install  openvpn
  19. Copy the files from the server to the client:
    scp  root@x.x.x.x:/path/to/{ca.crt,client.crt,client.key}  /etc/openvpn/
  20. Create the file: vim /etc/openvpn/client.ovpn
    client
    dev tun
    proto udp
    remote  x.x.x.x  1337
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    auth-user-pass
    mute-replay-warnings
    #ns-cert-type server
    remote-cert-tls  server
    comp-lzo
    ca  /etc/openvpn/ca.crt
    cert  /etc/openvpn/client.crt
    key  /etc/openvpn/client.key
  21. Enter the directory:
    cd  /etc/openvpn/
  22. Connect:
    openvpn  client.ovpn
  23. Enter the username and password:
    (screenshot)

IV. Client (Windows):

  24. Download the installer:
    a. Website: https://openvpn.net/index.php/open-source/downloads.html
    b. Find the file and download it:
    (screenshot)
  25. Install it:
    Details omitted; tick every component.
  26. Copy the three files generated on the server into the config directory under the installation directory:
    (screenshot)
  27. Create a client.ovpn file in the config directory with the following content:
    client
    dev tun
    proto udp
    remote 120.77.59.227 1337
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    auth-user-pass
    mute-replay-warnings
    remote-cert-tls server
    comp-lzo
    ca ca.crt
    cert client.crt
    key client.key
  28. Start the program and connect to the VPN:
    (screenshots)

V. Client (mobile):

    client
    dev tun
    proto udp
    remote 192.168.8.81 1337
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    auth-user-pass
    mute-replay-warnings
    # ns-cert-type was removed in OpenVPN 2.5; remote-cert-tls performs the same server check
    remote-cert-tls server
    comp-lzo
    <ca>
    (contents of ca.crt)
    </ca>
    <cert>
    (contents of client.crt)
    </cert>
    <key>
    (contents of client.key)
    </key>