一. Open××× installation environment
Server-side environment:
1. CentOS, kernel version 2.6.18, IP 192.168.1.254 (virtual machine 6.5)
2. The kernel must support the tun device, and the iptables module must be loaded.
3. Open××× version installed: 2.1.rc15 (the latest version at the time; it can be downloaded from http://open***.net).
Client-side environment:
1. Windows XP SP2
2. open***-2.0.9-gui-1.0.3-install.exe
二. Open××× server-side installation
1. Log in to CentOS with putty.
2. Download Open××× 2.1.rc15 and lzo-2.03.tar.gz:
wget http://open***.net/release/open***-2.1_rc15.tar.gz
lzo-2.03.tar.gz
3. Install LZO and Open×××:
tar zxvf lzo-2.03.tar.gz
cd lzo-2.03
./configure
make
make install
cd ..
tar zxvf open***-2.1_rc15.tar.gz
cd open***-2.1_rc15
./configure
make
make install
Copy the configuration files:
cp -rf /root/open***-2.1_rc15/ /etc/open***
Generate the certificates
Initialize the PKI
Edit /etc/open***/easy-rsa/2.0/vars and add the following:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="CN"
export KEY_CITY="beijing"
export KEY_ORG="beijing"
export KEY_EMAIL="[email protected]"
Save the file.
三. Create the certificate authority (CA)
cd /etc/open***/easy-rsa/2.0
[root@server 2.0]# ./clean-all
[root@server 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.............++++++
........................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [ beijing ]:
Organization Name (eg, company) [test]: beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [test CA]:
Name []:
Email Address [[email protected]]:
四. Build the server key
Run:
[root@server 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.....++++++
...............................................................................................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [ beijing ]:
Organization Name (eg, company) [test]: beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/open***/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'CN'
localityName :PRINTABLE:' beijing '
organizationName :PRINTABLE:' beijing '
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 12 14:55:28 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server 2.0]#
五. Generate the client keys
[root@server 2.0]# ./build-key test
Generating a 1024 bit RSA private key
.........................++++++
..................++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [ beijing ]:
Organization Name (eg, company) [test]: beijing
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [test]:
Name []:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/open***/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'CN'
localityName :PRINTABLE:' beijing '
organizationName :PRINTABLE:' beijing '
commonName :PRINTABLE:'test'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 12 14:57:18 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server 2.0]#
Build the other client keys the same way:
./build-key test2
./build-key test3
Generate the Diffie-Hellman parameters
Run:
./build-dh
Pack up all the files under keys and download them to the local machine (via winscp, http, ftp, etc.)
Create the server configuration file:
cp /root/open***-2.1_rc15/sample-config-files/server.conf /etc/open***
port 1194
proto udp
dev tun
ca /etc/open***/easy-rsa/2.0/keys/ca.crt
cert /etc/open***/easy-rsa/2.0/keys/server.crt
key /etc/open***/easy-rsa/2.0/keys/server.key
# build-dh writes dh1024.pem into the keys directory, so point at it like the other files
dh /etc/open***/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
verb 3
Client side:
# Download and install open*** (GUI version)
http://open***.se/files/install_packages/open***-2.0.9-gui-1.0.3-install.exe
# Set up the environment
Go to the "c:\Program Files\Open×××\easy-rsa" directory
Save openssl.cnf.sample as openssl.cnf
Save vars.bat.sample as vars.bat
Edit vars.bat:
set KEY_COUNTRY="CN"
set KEY_PROVINCE="CN"
set KEY_CITY="beijing"
set KEY_ORG="beijing"
set KEY_EMAIL="[email protected]"
(The contents must be identical to those on the server, especially the KEY_ORG entry.)
Install the CA file // done on the client
Go to the c:\Program Files\Open×××\config directory
Download XXX.crt (the client certificate name) and ca.crt from the server into the local Open××× config directory (the client configuration below also references the client key, test.key, so it must be copied along with them).
# Copy client.o*** from the sample directory:
Copy c:\Program Files\Open×××\config\sample-config\client.o*** to the c:\Program Files\Open×××\config directory
# Configure the client
Right-click the Open××× GUI icon in the lower-right corner --> Edit Config (leave anything not mentioned here as it is)
# the device type must match the server's "dev tun"; a tap client cannot talk to a tun server
dev tun
;dev tap
remote 192.168.1.254 1194
ca ca.crt
cert test.crt
key test.key
Double-click the open***-gui icon in the lower-right corner of the desktop; a window pops up showing that it is connecting.
Test: cmd --> ipconfig /all
ping 10.8.0.1
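Most failed first connections with this setup come from the server.conf and the client file disagreeing on dev, proto or port. The following POSIX shell check is an added example, not part of the original guide or of Open×××; it embeds constructed copies of the two configurations (with the tap/tun mismatch from the client file) and reports every directive on which they disagree.

```shell
# Constructed sample configs mirroring the guide's server.conf and client file
# (sample data for this example, not the page's own files).
SERVER_CONF='port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0'

# Client side with "dev tap" while the server uses "dev tun".
CLIENT_CONF='client
dev tap
remote 192.168.1.254 1194
ca ca.crt
cert test.crt
key test.key'

# First value of a directive read from stdin, e.g. "dev" -> "tun"; empty if absent.
conf_get() {
  awk -v k="$1" '$1 == k { print $2; exit }'
}

# Compare the directives a client and server must agree on (dev, proto, port).
# Prints one line per mismatch; returns 0 when they agree, 1 otherwise.
check_pair() {
  s_conf=$1; c_conf=$2; rc=0
  s_dev=$(printf '%s\n' "$s_conf" | conf_get dev)
  c_dev=$(printf '%s\n' "$c_conf" | conf_get dev)
  [ "$s_dev" = "$c_dev" ] || { echo "dev mismatch: server=$s_dev client=$c_dev"; rc=1; }

  # Open××× defaults to UDP on either side when proto is not given.
  s_proto=$(printf '%s\n' "$s_conf" | conf_get proto); s_proto=${s_proto:-udp}
  c_proto=$(printf '%s\n' "$c_conf" | conf_get proto); c_proto=${c_proto:-udp}
  [ "$s_proto" = "$c_proto" ] || { echo "proto mismatch: server=$s_proto client=$c_proto"; rc=1; }

  # The server listens on "port N"; the client names the port as the 3rd field of "remote",
  # so a stray extra word on the remote line (e.g. "remote remote host 1194") shows up here.
  s_port=$(printf '%s\n' "$s_conf" | conf_get port); s_port=${s_port:-1194}
  c_port=$(printf '%s\n' "$c_conf" | awk '$1 == "remote" { print $3; exit }'); c_port=${c_port:-1194}
  [ "$s_port" = "$c_port" ] || { echo "port mismatch: server=$s_port client=$c_port"; rc=1; }
  return $rc
}

# Number of mismatches reported for a pair (0 when the configs agree).
mismatch_count() {
  check_pair "$1" "$2" | awk 'END { print NR }'
}

if check_pair "$SERVER_CONF" "$CLIENT_CONF"; then
  echo "server and client configs agree"
else
  echo "fix the client config before connecting"
fi
```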
To give a client a fixed IP address instead of an automatically assigned one:
go to /etc/open***/ccd (server.conf must contain client-config-dir ccd for this directory to be read),
vi client1 (the file name must be the client certificate's Common Name) and write ifconfig-push 10.8.0.X 255.255.255.0
to bind the virtual IP. (With the default net30 topology of a tun server the second argument of ifconfig-push is the peer address of the client's /30 pair rather than a netmask; the netmask form shown assumes topology subnet.)