1、網絡拓撲
2、環境介紹
全部服務器系統均是centos6.5,內核:2.6.32-431.el6.x86_64
***client:一張網卡eth0:192.168.3.202,gw:192.168.3.201,僅主機vmnet1
***server:兩張網卡eth0:192.168.3.201,僅主機vmnet1
eth1:192.168.18.201,僅主機vmnet2
lanserver:一張網卡eth0:192.168.18.203,gw:192.168.18.201,僅主機vmnet2
此時(隧道建立前)***client(192.168.3.202) ping不通lanserver(192.168.18.203)
3、***server端配置
3.1.1、基礎環境配置
[root@***server ~]#wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
[root@***server ~]#sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
[root@***server ~]# sysctl -p ##開啓內核轉發
[root@***server ~]#crontab -e ##制定計劃任務校訂時間
#time sync by yyc at 201712#
*/1 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1
[root@***server ~]#/etc/init.d/iptables stop ##測試完成前關掉防火牆;測試完成後應重新啓用,並只放行服務端監聽的1195/tcp
[root@***server ~]#yum install -y lrzsz openssl* ##安裝基礎依賴包
3.1.2、編譯安裝lzo、open***
[root@***server ~]# mkdir -p /server/tools
[root@***server ~]# cd /server/tools/
[root@***server tools]# rz lzo-2.09.tar.gz open***-2.2.2.tar.gz
[root@***server tools]# tar zxvf lzo-2.09.tar.gz
[root@***server tools]# cd lzo-2.09
[root@***server lzo-2.09]# ./configure &&make &&make install
[root@***server lzo-2.09]# mkdir /application
[root@***server lzo-2.09]# cd ..
[root@***server tools]# tar zxvf open***-2.2.2.tar.gz -C /application/
[root@***server tools]# cd /application/open***-2.2.2
[root@***server open***-2.2.2]# ./configure --with-lzo-lib=/usr/local/lib --with-lzo-headers=/usr/local/include &&make &&make install
[root@***server open***-2.2.2]# ln -s /application/open***-2.2.2/ /application/open***
3.1.3、生成CA證書
[root@***server open***-2.2.2]# cd /application/open***-2.2.2/easy-rsa/2.0
[root@***server 2.0]# cp vars vars.bak
[root@***server 2.0]# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BJ"
export KEY_ORG="Andy"
export KEY_EMAIL="123456@qq.com"
export KEY_EMAIL=123456@qq.com
export KEY_CN=Andy
export KEY_NAME=Andy
export KEY_OU=Andy
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
[root@***server 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /application/open***-2.2.2/easy-rsa/2.0/keys
[root@***server 2.0]# ./clean-all
[root@***server 2.0]# ls
build-ca build-key build-key-server clean-all list-crl openssl-0.9.8.cnf README vars
build-dh build-key-pass build-req inherit-inter Makefile openssl-1.0.0.cnf revoke-full whichopensslcnf
build-inter build-key-pkcs12 build-req-pas keys openssl-0.9.6.cnf pkitool sign-req
[root@***server 2.0]# ll keys/
總用量 4
-rw-r--r-- 1 root root 0 4月 16 15:05 index.txt
-rw-r--r-- 1 root root 3 4月 16 15:05 serial
[root@***server 2.0]# ./build-ca ##一路回車
Generating a 1024 bit RSA private key
.................................++++++
.......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [Andy]:
Organizational Unit Name (eg, section) [Andy]:
Common Name (eg, your name or your server's hostname) [Andy]:
Name [Andy]:
Email Address [123456@qq.com]:
3.1.4、生成服務端證書和祕鑰
[root@***server 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
..++++++
......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [Andy]:
Organizational Unit Name (eg, section) [Andy]:
Common Name (eg, your name or your server's hostname) [server]:
Name [Andy]:
Email Address [123456@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Andy
Using configuration from /application/open***-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'Andy'
organizationalUnitName:PRINTABLE:'Andy'
commonName :PRINTABLE:'server'
name :PRINTABLE:'Andy'
emailAddress :IA5STRING:'123456@qq.com'
Certificate is to be certified until Apr 13 07:12:32 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
3.1.5、生成客戶端證書和祕鑰
使用build-key生成一個無密碼保護的客戶端密鑰test,此帳號連線時無需輸入密碼;因爲test.key私鑰未加密,任何能讀取該文件的人都能以此客戶端身份接入,所以須嚴格限制文件權限(見後文客戶端啓動時的"group or others accessible"警告)
[root@***server 2.0]# ./build-key test
Generating a 1024 bit RSA private key
...++++++
...........++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [Andy]:
Organizational Unit Name (eg, section) [Andy]:
Common Name (eg, your name or your server's hostname) [test]:
Name [Andy]:
Email Address [123456@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Andy
Using configuration from /application/open***-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'Andy'
organizationalUnitName:PRINTABLE:'Andy'
commonName :PRINTABLE:'test'
name :PRINTABLE:'Andy'
emailAddress :IA5STRING:'123456@qq.com'
Certificate is to be certified until Apr 13 07:16:39 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
生成一個須要密碼驗證的客戶端密鑰Andy,密碼爲123456(此密碼用於加密Andy.key私鑰文件);生產環境此密碼須要設置得較複雜
[root@***server 2.0]# ./build-key-pass Andy
Generating a 1024 bit RSA private key
..++++++
...............++++++
writing new private key to 'Andy.key'
Enter PEM pass phrase:123456
Verifying - Enter PEM pass phrase:123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [Andy]:
Organizational Unit Name (eg, section) [Andy]:
Common Name (eg, your name or your server's hostname) [Andy]:
Name [Andy]:
Email Address [123456@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Andy
Using configuration from /application/open***-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'Andy'
organizationalUnitName:PRINTABLE:'Andy'
commonName :PRINTABLE:'Andy'
name :PRINTABLE:'Andy'
emailAddress :IA5STRING:'123456@qq.com'
Certificate is to be certified until Apr 13 07:21:29 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
3.1.6、生成Diffie-Hellman參數文件(用於密鑰交換)
[root@***server 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................+.......................+...................+...................................................+..........++*++*++*
[root@***server 2.0]# ll keys/dh1024.pem
-rw-r--r-- 1 root root 245 4月 16 15:23 keys/dh1024.pem
3.1.7、生成防***key文件(ta.key;該文件須在服務端和客戶端配置中以tls-auth引用,僅生成而不引用則不起作用)
[root@***server 2.0]# open*** --genkey --secret keys/ta.key
[root@***server 2.0]# ll keys/ta.key
-rw------- 1 root root 636 4月 16 15:26 keys/ta.key
3.2、編輯服務端配置文件(注意:下方server.conf未列出服務端私鑰,須補上 key /etc/open***/keys/server.key,與cert配對使用)
[root@***server 2.0]# mkdir -p /etc/open***
[root@***server 2.0]# cd /etc/open***/
[root@***server open***]# cp -ap /application/open***/easy-rsa/2.0/keys .
[root@***server open***]# ll
總用量 4
drwx------ 2 root root 4096 4月 16 15:26 keys
[root@***server open***]# cp /application/open***/sample-config-files/server.conf server.bak
[root@***server open***]# ll
總用量 16
drwx------ 2 root root 4096 4月 16 15:26 keys
-rw-r--r-- 1 root root 10288 4月 16 15:38 server.bak
[root@***server open***]# egrep -v '#|;|^$' server.bak >server.conf
[root@***server open***]# ll
總用量 20
drwx------ 2 root root 4096 4月 16 15:26 keys
-rw-r--r-- 1 root root 10288 4月 16 15:38 server.bak
-rw-r--r-- 1 root root 211 4月 16 15:39 server.conf
[root@***server open***]# vim server.conf
local 192.168.3.201
port 1195
proto tcp
dev tun
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/server.crt
dh /etc/open***/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.18.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
log /var/log/open***.log
duplicate-cn
client-to-client
verb 3
3.3、啓動服務端
3.3.1 啓動服務端
[root@***server open***]# /usr/local/sbin/open*** --config /etc/open***/server.conf &
[1] 28429
[root@***server open***]# ps -ef|grep open***
root 28429 3086 2 16:30 pts/0 00:00:00 /usr/local/sbin/open*** --config /etc/open***/server.conf
root 28487 3086 0 16:30 pts/0 00:00:00 grep open***
3.3.2、將Open×××加入開機自啓動
方法一:將啓動命令加入到/etc/rc.local
echo "/usr/local/sbin/open*** --config /etc/open***/server.conf >/dev/null &" >>/etc/rc.local
方法二:利用sample-scripts下面的腳本
cp /application/open***/sample-scripts/open***.init /etc/init.d/open***
chkconfig open*** on
chkconfig --list open***
open*** 0:off 1:off 2:on 3:on 4:on 5:on 6:off
4、linux客戶端安裝與配置
4.1、基礎環境配置
linux客戶端軟件的安裝與服務端軟件安裝過程同樣,也是須要先安裝lzo,而後源碼編譯open***2.2.2;以下命令應在***client上執行
[root@***client ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
[root@***server ~]#sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
[root@***server ~]# sysctl -p ##開啓內核轉發
[root@***server ~]#crontab -e ##制定計劃任務校訂時間
#time sync by yyc at 201712#
*/1 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1
[root@***server ~]#/etc/init.d/iptables stop ##測試完成前關掉防火牆
[root@***server ~]#yum install -y lrzsz openssl* ##安裝基礎依賴包
4.2、編譯安裝lzo、open***
[root@***client ~]# mkdir -p /server/tools
[root@***client ~]# cd /server/tools/
[root@***client tools]# rz lzo-2.09.tar.gz open***-2.2.2.tar.gz
[root@***client tools]# tar zxvf lzo-2.09.tar.gz
[root@***client tools]# cd lzo-2.09
[root@***client lzo-2.09]# ./configure &&make &&make install
[root@***client lzo-2.09]# cd ..
[root@***client tools]# mkdir /application
[root@***client tools]# tar zxvf open***-2.2.2.tar.gz -C /application/
[root@***client tools]# cd /application/open***-2.2.2/
[root@***client open***-2.2.2]# ./configure --with-lzo-lib=/usr/local/lib --with-lzo-headers=/usr/local/include&& make &&make install
[root@***client open***-2.2.2]# ln -s /application/open***-2.2.2 /application/open***
[root@***client open***-2.2.2]# cd ..
[root@***client application]# ll
總用量 12
lrwxrwxrwx 1 root root 26 4月 16 17:10 open*** -> /application/open***-2.2.2
drwxrwxr-x 17 oldboy oldboy 12288 4月 16 17:09 open***-2.2.2
4.3、編輯客戶端配置文件
新建配置文件目錄/etc/open***
[root@***client application]# mkdir /etc/open***
[root@***client application]# cd /etc/open***/
[root@***client open***]# rz ca.crt server.conf test.crt test.key
[root@***client open***]# mv server.conf client.conf
[root@***client open***]# vim client.conf
[root@***client open***]# cat client.conf
client
dev tun
proto tcp
remote 192.168.3.201 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
comp-lzo
verb 3
4.4、遠程拔入***
[root@***client open***]# /usr/local/sbin/open*** --config /etc/open***/client.conf &
[1] 1071
[root@***client open***]# Mon Apr 16 17:28:14 2018 Open××× 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Apr 16 2018
Mon Apr 16 17:28:14 2018 NOTE: Open××× 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 16 17:28:14 2018 WARNING: file 'test.key' is group or others accessible
Mon Apr 16 17:28:14 2018 LZO compression initialized
Mon Apr 16 17:28:14 2018 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
若是帶密碼認證的用戶,以Andy爲例,將Andy.crt,Andy.key,Andy.o***上傳至/etc/open***,Andy.o***的內容以下(注意:下方範例中的cert/key文件名sunny.*與remote地址須改爲實際生成的Andy.crt、Andy.key以及服務端實際地址):
client
dev tun
proto tcp
remote 192.168.3.204 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert sunny.crt
key sunny.key
ns-cert-type server
comp-lzo
verb 3
在/etc/open***下新建密碼文件pass.txt(其中明文保存私鑰密碼,所以必須限制爲僅root可讀)
[root@***client open***]# vim pass.txt
[root@***client open***]# cat pass.txt
123456
[root@***client open***]# chmod 400 pass.txt
啓動客戶端
[root@***client open***]#open*** --config /etc/open***/sunny.o*** --askpass /etc/open***/pass.txt &
echo "open*** --config /etc/open***/sunny.o*** --askpass /etc/open***/pass.txt >/dev/null &" >>/etc/rc.local #開機自啓
5、測試連通性
在***client端ping
在lanserver端抓包顯示
參考:
https://open***.net/index.php/open-source/documentation.html
https://blog.51cto.com/francis198/1830639