一、安装环境
所用系统:RedHat AS4U3,详情如下:
- [root@as4u3 ~]# uname -a
- Linux as4u3 2.6.9-34.ELsmp #1 SMP Fri Feb 24 16:54:53 EST 2006 i686 i686 i386 GNU/Linux
二、软件包
1、lzo-2.03.tar.gz,用于 OpenVPN 的数据压缩(对应配置文件中的 comp-lzo 指令)
下载页面:http://www.oberhumer.com/opensource/lzo/download/
2、openvpn-2.0.9.tar.gz(本文以该版本为例;这是一个很旧的版本,实际部署请使用官方当前维护的版本)
下载页面:http://openvpn.net/index.php/downloads.html
下载地址:http://openvpn.net/release/openvpn-2.0.9.tar.gz
下载后应先核对官方发布的校验和/签名,再解压编译。
三、OpenVPN 服务器端安装和配置
1、安装lzo
- tar -zxvf lzo-2.03.tar.gz
- cd lzo-2.03
- ./configure --prefix=/usr/local/lzo
- make
- make check
- make test
- make install
2、安装 OpenVPN
- tar -zxvf openvpn-2.0.9.tar.gz
- cd openvpn-2.0.9
- ./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib   # 链接系统自带的 OpenSSL,请确认系统的 openssl 包已打过安全更新
- make
- make install
3、生成证书和Key
- [root@as4u3 open***-2.0.9]# cd easy-rsa/
- [root@as4u3 easy-rsa]# vi vars
- export D=`pwd`
- export KEY_CONFIG=$D/openssl.cnf
- export KEY_DIR=$D/keys
- echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
- export KEY_SIZE=1024   # 注意:1024 位 RSA 已不满足当前安全要求,实际部署建议改为 2048;该值同时决定 build-dh 生成的 DH 参数位数。下文示例输出仍按 1024 位显示
- export KEY_COUNTRY=CN
- export KEY_PROVINCE=BJ
- export KEY_CITY=BJ
- export KEY_ORG="test"
- export KEY_EMAIL="[email protected]"
- [root@as4u3 easy-rsa]# . vars
- NOTE: when you run ./clean-all, I will be doing a rm -rf on /home/open***-2.0.9/easy-rsa/keys
- [root@as4u3 easy-rsa]# ./clean-all   # 仅在首次建立 CA 时执行:该命令会对 $KEY_DIR 做 rm -rf,会销毁已有的 CA 私钥和全部已签发证书
- [root@as4u3 easy-rsa]# ./build-ca
- Generating a 1024 bit RSA private key
- ............................................++++++
- .................++++++
- writing new private key to 'ca.key'
- -----
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [CN]:
- State or Province Name (full name) [BJ]:
- Locality Name (eg, city) [BJ]:
- Organization Name (eg, company) [test]:
- Organizational Unit Name (eg, section) []:test
- Common Name (eg, your name or your server's hostname) []:server   # 这里是 CA 证书的 CN,建议用与服务器证书不同的名字(如 OpenVPN-CA),避免与下面签发的 server 证书混淆
- Email Address [[email protected]]:
# 建立服务器证书和 key(必须用 build-key-server 而不是 build-key:它签发时会加入 server 类型扩展,供客户端用 ns-cert-type server 校验服务端身份)
- [root@as4u3 easy-rsa]# ./build-key-server server
- Generating a 1024 bit RSA private key
- ................++++++
- ..........................................................++++++
- writing new private key to 'server.key'
- -----
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [CN]:
- State or Province Name (full name) [BJ]:
- Locality Name (eg, city) [BJ]:
- Organization Name (eg, company) [test]:
- Organizational Unit Name (eg, section) []:test
- Common Name (eg, your name or your server's hostname) []:server
- Email Address [[email protected]]:
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:123456   # 这只是 CSR 的附加属性,不会给私钥加密;生成的 server.key 是明文私钥,部署时必须严格限制文件权限
- An optional company name []:test
- Using configuration from /home/open***-2.0.9/easy-rsa/openssl.cnf
- Check that the request matches the signature
- Signature ok
- The Subject's Distinguished Name is as follows
- countryName :PRINTABLE:'CN'
- stateOrProvinceName :PRINTABLE:'BJ'
- localityName :PRINTABLE:'BJ'
- organizationName :PRINTABLE:'test'
- organizationalUnitName:PRINTABLE:'test'
- commonName :PRINTABLE:'server'
- emailAddress :IA5STRING:'[email protected]'
- Certificate is to be certified until Aug 23 13:32:35 2018 GMT (3650 days)
- Sign the certificate? [y/n]:y
- 1 out of 1 certificate requests certified, commit? [y/n]y
- Write out database with 1 new entries
- Data Base Updated
# 生成客户端证书和 key(每个客户端单独一套,不要多台客户端共用同一张证书,否则无法单独吊销)
- [root@as4u3 easy-rsa]# ./build-key client1
- Generating a 1024 bit RSA private key
- ........................................++++++
- ..................................++++++
- writing new private key to 'client1.key'
- -----
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [CN]:
- State or Province Name (full name) [BJ]:
- Locality Name (eg, city) [BJ]:
- Organization Name (eg, company) [test]:
- Organizational Unit Name (eg, section) []:test
- Common Name (eg, your name or your server's hostname) []:client1   # 重要:每个客户端证书的 CN 必须不同(原因见下文说明)
- Email Address [[email protected]]:
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:123456   # 同上,这不是私钥口令,client1.key 为明文;如需带口令保护的客户端私钥,可改用 ./build-key-pass 生成
- An optional company name []:test
- Using configuration from /home/open***-2.0.9/easy-rsa/openssl.cnf
- Check that the request matches the signature
- Signature ok
- The Subject's Distinguished Name is as follows
- countryName :PRINTABLE:'CN'
- stateOrProvinceName :PRINTABLE:'BJ'
- localityName :PRINTABLE:'BJ'
- organizationName :PRINTABLE:'test'
- organizationalUnitName:PRINTABLE:'test'
- commonName :PRINTABLE:'client1'
- emailAddress :IA5STRING:'[email protected]'
- Certificate is to be certified until Aug 23 13:36:55 2018 GMT (3650 days)
- Sign the certificate? [y/n]:y
- 1 out of 1 certificate requests certified, commit? [y/n]y
- Write out database with 1 new entries
- Data Base Updated
依次类推生成其他客户端证书/key,每个客户端一套,不要共用:
./build-key client2
./build-key client3
注意:在 Common Name (eg, your name or your server's hostname) []: 处,每个证书输入的名字必须不同——默认情况下 CA 的索引不允许重复的 Subject;而且服务端默认不允许相同 CN 的多个连接并存,后连上的会把先前同 CN 的连接挤掉(除非配置 duplicate-cn)。当某个客户端退出或其 key 疑似泄露时,用 ./revoke-full <name> 吊销并生成 CRL,再在 server.conf 中用 crl-verify 指向该 CRL 文件。
- [root@as4u3 easy-rsa]# ./build-dh   # DH 参数位数取自 vars 中的 KEY_SIZE,输出文件名为 dh<KEY_SIZE>.pem
- Generating DH parameters, 1024 bit long safe prime, generator 2   # 1024 位 DH 同样偏弱,实际部署建议 2048 位(文件名变为 dh2048.pem,server.conf 的 dh 指令需同步修改)
- This is going to take a long time
- .....................+................................................+........................+..........................+...............+.........................+......................................................................................+......................+..+.......................................................+...............+...................................................................................................+................................+.......+..................+...............................................................................+................+.........+...........................+.....+.................................+............................................................................+...............+..........++*++*++*
4、创建服务端配置文件
- mkdir /usr/local/openvpn/etc
- cd openvpn-2.0.9/sample-config-files/   # 进入源代码解压目录下的 sample-config-files 子目录
- cp server.conf /usr/local/openvpn/etc   # 把服务端样例配置拷到 /usr/local/openvpn/etc
- vi /usr/local/openvpn/etc/server.conf
编辑后的 server.conf 文件内容如下(以样例文件为基础):
- port 1194
- proto tcp   # 样例默认是 udp;tcp 便于穿越某些网络但开销更大,客户端必须与此一致
- dev tun
- ca /usr/local/openvpn/etc/keys/ca.crt
- cert /usr/local/openvpn/etc/keys/server.crt
- key /usr/local/openvpn/etc/keys/server.key   # 服务端私钥,必须保密,文件权限 600
- dh /usr/local/openvpn/etc/keys/dh1024.pem   # 若生成时 KEY_SIZE 改为 2048,这里改为 dh2048.pem
- server 10.8.0.0 255.255.255.0   # 样例文件自带的指令,启用 server 模式并定义 VPN 网段,按需修改;缺少它客户端无法获得地址
- ifconfig-pool-persist /usr/local/openvpn/etc/ipp.txt   # 使用绝对路径,避免依赖启动时的当前目录
- client-to-client   # 允许客户端之间互访;若客户端彼此无需通信,去掉此行以缩小攻击面
- keepalive 10 120
- comp-lzo
- user nobody
- group nobody   # 初始化完成后降权运行;配合下面的 persist-key/persist-tun,重连时不再需要 root 权限
- persist-key
- persist-tun
- status /usr/local/openvpn/etc/keys/openvpn-status.log   # 状态日志建议改放到 /var/log 下,不要和私钥放在同一目录
- verb 4   # 调试级别,稳定后可降到 3
# 建议:启用 tls-auth 作为 HMAC 防火墙,可在 TLS 握手前丢弃不持有 ta.key 的数据包:
#   openvpn --genkey --secret /usr/local/openvpn/etc/keys/ta.key
#   服务端加 tls-auth /usr/local/openvpn/etc/keys/ta.key 0,客户端加 tls-auth ta.key 1,并把 ta.key 安全地分发给每个客户端
5、部署server端key文件
目录可以自行选择,只要和 server.conf 中的配置一致即可;本例把证书和 key 放在 /usr/local/openvpn/etc/keys 目录。注意只拷贝服务端需要的 4 个文件:ca.key(CA 私钥)不要放到 VPN 服务器上,应离线保存,仅在签发/吊销证书时使用。
- mkdir -m 700 /usr/local/openvpn/etc/keys   # 上文并未创建此目录,不先建目录 cp 会失败;同时限制目录权限
- cd openvpn-2.0.9/easy-rsa/keys   # 进入源代码解压目录下的 easy-rsa/keys 子目录
- cp ca.crt /usr/local/openvpn/etc/keys/ca.crt
- cp server.crt /usr/local/openvpn/etc/keys/server.crt
- cp server.key /usr/local/openvpn/etc/keys/server.key
- cp dh1024.pem /usr/local/openvpn/etc/keys/dh1024.pem
- chmod 600 /usr/local/openvpn/etc/keys/server.key   # 私钥只允许 root 读取;OpenVPN 以 root 启动并读入私钥后再降权到 nobody
6、启动open*** server
- /usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf
首次启动建议先去掉 --daemon 在前台运行,直接观察日志确认证书加载和握手正常;同时在防火墙上只放行 1194/tcp。
四、OpenVPN 客户端安装配置
1、安装
安装过程同上
2、生成证书和key
ca 使用上面生成的 ca.crt,拷贝到 client.conf 中 ca 指定的位置
cert 使用上面生成的 client1.crt,拷贝到 client.conf 中 cert 指定的位置
key 使用上面生成的 client1.key,拷贝到 client.conf 中 key 指定的位置
注意:客户端只需要自己的 client1.crt/client1.key 和 ca.crt;不要把 ca.key、server.key 或其他客户端的 key 拷给它。key 文件应通过 scp 等安全方式传输,不要用邮件或明文方式分发。
3、创建客户端配置文件
- mkdir /usr/local/openvpn/etc
- cd openvpn-2.0.9/sample-config-files/   # 进入源代码解压目录下的 sample-config-files 子目录
- cp client.conf /usr/local/openvpn/etc   # 把客户端样例配置拷到 /usr/local/openvpn/etc
- vi /usr/local/openvpn/etc/client.conf
编辑后的 client.conf 文件内容如下:
- client
- dev tun
- proto tcp   # 必须与服务端一致
- remote 192.168.8.109 1194   # 服务端地址和端口
- resolv-retry infinite
- nobind
- persist-key
- persist-tun
- ca /usr/local/openvpn/etc/keys/ca.crt
- cert /usr/local/openvpn/etc/keys/client1.crt
- key /usr/local/openvpn/etc/keys/client1.key
- ns-cert-type server   # 建议加上(样例文件中默认是注释掉的):要求对端证书必须是 build-key-server 签发的带 server 扩展的证书;否则任何持有本 CA 签发客户端证书的人都能冒充服务端
- comp-lzo   # 与服务端一致
- verb 4
4、部署client端key文件
目录可以自行选择,只要和 client.conf 中的配置一致即可;本例把证书和 key 放在 /usr/local/openvpn/etc/keys 目录。
- mkdir -m 700 /usr/local/openvpn/etc/keys   # 先建目录并限制权限
- cd openvpn-2.0.9/easy-rsa/keys   # 这些文件来自 CA 所在机器的 easy-rsa/keys 目录,需先安全地拷贝到客户端
- cp ca.crt /usr/local/openvpn/etc/keys/ca.crt
- cp client1.crt /usr/local/openvpn/etc/keys/client1.crt
- cp client1.key /usr/local/openvpn/etc/keys/client1.key
- chmod 600 /usr/local/openvpn/etc/keys/client1.key   # 客户端私钥同样只允许 root 读取
5、启动 OpenVPN client
- /usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/client.conf