Server端安装配置
一、安装
1、下载及相关依赖包安装
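# Fetch the sources and the pkcs11-helper RPMs.
# Plain HTTP/FTP gives no integrity: compare every download against the checksum or
# signature the upstream project publishes before building, and prefer a release that
# still receives security fixes.
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
wget http://swupdate.open***.org/community/releases/open***-2.2.1.tar.gz
wget ftp://rpmfind.net/linux/epel/5/x86_64/pkcs11-helper-1.07-2.el5.1.x86_64.rpm
wget ftp://rpmfind.net/linux/epel/5/x86_64/pkcs11-helper-devel-1.07-2.el5.1.x86_64.rpm
# Build tooling needed by the ./configure steps below.
yum -y install automake pkgconfig
# Check the RPM signatures before installing (needs the EPEL signing key imported with
# rpm --import); abort on a bad or missing signature rather than installing blindly.
rpm -K pkcs11-helper-1.07-2.el5.1.x86_64.rpm pkcs11-helper-devel-1.07-2.el5.1.x86_64.rpm || exit 1
rpm -ivh pkcs11-helper-1.07-2.el5.1.x86_64.rpm
rpm -ivh pkcs11-helper-devel-1.07-2.el5.1.x86_64.rpm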
2、安装open***
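# Build LZO first (open*** is configured against it below).
tar -zxvf lzo-2.06.tar.gz
# Stop here if the directory is missing; otherwise ./configure would run in the wrong tree.
cd lzo-2.06 || exit 1
./configure && make check && make && make install
cd ..
# Build open*** against the freshly installed LZO and the system OpenSSL.
tar -zxvf open***-2.2.1.tar.gz
cd open***-2.2.1 || exit 1
# NOTE(review): --with-ssl-lib=/usr/lib is the 32-bit library path; the RPMs above are
# x86_64, and on such hosts the OpenSSL libraries normally live under /usr/lib64 — confirm
# which one holds libssl before running configure.
./configure --prefix=/usr/local/open*** --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
make && make install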
二、配置
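# Install easy-rsa next to the open*** tree and replace its vars file.
cp -R easy-rsa /usr/local/open***/
cd /usr/local/open***/easy-rsa/2.0 || exit 1
# Keep the stock vars for reference; a new one is written below.
mv -f vars vars.bak
# Define the easy-rsa variables. The quoted delimiter keeps `pwd` and $EASY_RSA literal
# in the file so they expand when vars is sourced, not when it is written.
cat << 'EOF' > vars
##########################################################################
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="/usr/local/open***/keys"
echo NOTE: If you run clean-all, I will be doing a rm-rf on $KEY_DIR
# RSA key size for the CA, server and client keys and for build-dh.
# 1024-bit RSA is below current minimums: set 2048. build-dh then writes dh2048.pem,
# so the "dh" line in server.conf must be changed to match at the same time.
export KEY_SIZE=1024
# Lifetimes in days (10 years). There is no revocation list in this recipe, so a lost
# client key stays valid until the CA is rebuilt — keep that in mind when choosing these.
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Beijing"
export KEY_CITY="Zhaowei"
export KEY_ORG="IDC"
# NOTE(review): the two lines below are garbled in this copy (the address was obfuscated by
# the page); the second one is not even a valid identifier and makes "source ./vars" print
# an error. Set KEY_EMAIL to the admin contact and remove the stray line.
export KEY_EMAIL="[email protected]"
export [email protected]
export KEY_CN=IDC
export KEY_NAME=IDC
export KEY_OU=IDC
# Only used when signing with a PKCS#11 token; placeholders otherwise.
# (The earlier "dummy" assignments were overridden by these and have been dropped.)
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
##########################################################################
EOF
# vars is sourced, never executed, so it needs no exec bit.
chmod 644 /usr/local/open***/easy-rsa/2.0/vars
source ./vars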
##########################################################################
#注意:如果提示类似 "... file could be found"(即找不到 openssl.cnf):
# 用 openssl version 查看 openssl 版本
# 检查 whichopensslcnf 脚本中是否有该版本的匹配分支,若有,请检查匹配命令
# 我的版本是 OpenSSL 1.0.0-fips 29 Mar 2010,脚本匹配版本号时未考虑后面带 "-" 的情况,
# 修改脚本后正常。
##########################################################################
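# Generate the CA, server and client certificates (run after "source ./vars").
# A space is required before "#": "./clean-all#..." is a single (nonexistent) command name.
./clean-all            # wipes $KEY_DIR — run only once, at initial setup
./build-ca             # CA certificate and ca.key; ca.key must never leave this host
./build-key-server server   # server certificate and key
./build-key sjhlidc    # client certificate and key (CN = sjhlidc, also the ccd file name)
# Shared HMAC key for tls-auth; it is a secret like the private keys.
/usr/local/open***/sbin/open*** --genkey --secret /usr/local/open***/keys/ta.key
chmod 600 /usr/local/open***/keys/ta.key
# Diffie-Hellman parameters; required on the server side. The output file name follows
# KEY_SIZE (dh1024.pem here) and must match the "dh" line in server.conf.
./build-dh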
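# Create server.conf. The original wrote "sever.conf" but later starts open*** with
# "server.conf"; the name is fixed here so the two agree.
cd /usr/local/open***/ || exit 1
# The status/log directives below point into log/, which open*** does not create itself.
mkdir -p /usr/local/open***/log
cat << 'EOF' > /usr/local/open***/server.conf
;外网地址
local 192.168.59.21
port 11194
proto udp
dev tun
ca /usr/local/open***/keys/ca.crt
cert /usr/local/open***/keys/server.crt
key /usr/local/open***/keys/server.key
# file name follows KEY_SIZE in easy-rsa vars; with KEY_SIZE=2048 this becomes dh2048.pem
dh /usr/local/open***/keys/dh1024.pem
# tls-auth HMAC: server uses direction 0, every client uses direction 1
tls-auth /usr/local/open***/keys/ta.key 0
;tun 网段
server 10.88.0.0 255.255.255.0
ifconfig-pool-persist /usr/local/open***/ipp.txt
client-config-dir /usr/local/open***/ccd
;用于添加server端路由,可多个
route 10.0.1.0 255.255.255.0
;用于添加各客户端路由,可多个
push "route 10.0.0.0 255.255.255.0"
max-clients 10
# lets VPN clients reach each other directly; remove if clients should only reach the LANs
client-to-client
keepalive 10 120
# BF-CBC is a 64-bit-block cipher; prefer AES (e.g. AES-128-CBC). The value must be
# identical in the client config, so change both ends together.
cipher BF-CBC
;cipher AES-128-CBC
# compression of encrypted traffic can leak plaintext; keep it only if bandwidth requires
comp-lzo
status /usr/local/open***/log/status.log
log /usr/local/open***/log/log.log
# persist-key/persist-tun exist to allow dropping privileges after start; consider adding
# "user nobody" / "group nobody" — the ipp.txt and log files must then be writable by
# that account.
persist-key
persist-tun
verb 3
mute 20
EOF
# The config holds no secrets but also needs no exec bit.
chmod 644 /usr/local/open***/server.conf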
tar –zcvf keys.tar.gz keys
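# Per-client settings; the file name must equal the client certificate CN (sjhlidc).
mkdir -p /usr/local/open***/ccd/
# The original "cat <" lost its redirection; the heredoc must be written to the ccd file.
cat << 'EOF' > /usr/local/open***/ccd/sjhlidc
;固定客户端tun网段IP
ifconfig-push 10.88.0.5 10.88.0.6
;客户端自动添加路由时,需要忽略的本端内网路由条目
# iroute tells the server that 10.0.1.0/24 sits behind this client; it pairs with the
# "route 10.0.1.0 255.255.255.0" line in server.conf
iroute 10.0.1.0 255.255.255.0
EOF
# Plain config file, no exec bit needed.
chmod 644 /usr/local/open***/ccd/sjhlidc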
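# Enable IPv4 forwarding persistently so the server routes between tun and the LAN.
# The original sed only matched the exact text "= 0" and wrote "forward= 1"; this handles
# any existing value and adds the key when it is absent.
if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
  sed -i 's/^net.ipv4.ip_forward *=.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
fi
sysctl -p
ln -s /usr/local/open***/sbin/open*** /usr/bin/open***
# NAT the tun subnet to this host's LAN address so the LAN can answer VPN traffic.
# Add this on one end only (server or client). If the FORWARD chain policy is DROP,
# matching ACCEPT rules for the tun/LAN traffic are needed as well.
iptables -t nat -A POSTROUTING -s 10.88.0.0/24 -j SNAT --to 10.0.0.21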
启动
open*** --config server.conf 2>&1 &
Client端安装配置:
一、安装及修改内核参数 同server端
二、配置
复制server端打包的keys.tar.gz(只应包含 ca.crt、客户端证书/密钥 和 ta.key,切勿把 ca.key、server.key 带到client),通过 scp 等可认证的通道传输,并解压到client的 /usr/local/open***/ 下
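# Create the client config (file name = client CN, sjhlidc).
cd /usr/local/open***/ || exit 1
cat << 'EOF' > /usr/local/open***/sjhlidc.conf
client
dev tun
proto udp
remote 192.168.59.21 11194
ca /usr/local/open***/keys/ca.crt
cert /usr/local/open***/keys/sjhlidc.crt
key /usr/local/open***/keys/sjhlidc.key
# direction 1 pairs with the server's "tls-auth ... 0"
tls-auth /usr/local/open***/keys/ta.key 1
# require the peer certificate to be a server certificate, so another client's cert
# issued by the same CA cannot impersonate the server
ns-cert-type server
# must match the server's cipher exactly; move both ends off BF-CBC together
cipher BF-CBC
comp-lzo
persist-key
persist-tun
verb 3
EOF
# The client private key and HMAC key are secrets; keep them readable by root only.
chmod 600 /usr/local/open***/keys/sjhlidc.key /usr/local/open***/keys/ta.key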
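# Start the client. The original referenced "shidc.conf", which does not exist — the file
# created above is sjhlidc.conf. Let open*** daemonize instead of nohup + "&".
cd /usr/local/open***/ || exit 1
sbin/open*** --config ./sjhlidc.conf --daemon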
三、server、client端连接内网内服务器需要设置网关
例如:
client端内网:
route add -net 10.0.0.0/24 gw 10.0.1.22
server端内网:
route add -net 10.0.1.0/24 gw 10.0.0.21