Linux OpenVPN deployment

OpenVPN provides two types of virtual network interface, TUN and TAP. tun creates an IP tunnel and tap creates an Ethernet bridge; these two modes are also called routed mode and bridged mode. A TAP device is equivalent to an Ethernet device and handles layer 2 data such as Ethernet frames. A TUN device emulates a network-layer device and handles layer 3 data such as IP packets.

Reference: http://blog.csdn.net/guoliquan1/article/details/4851332

1. Server

Compiling and installing the LZO library:

Go to http://www.oberhumer.com/opensource/lzo/download/ and download the lzo-2.04.tar.gz source package, or fetch it with:

wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz

Install the lzo library:

tar -zxvf lzo-2.04.tar.gz
cd lzo-2.04
./configure --prefix=/usr/local/lzo
make && make install

2. OpenVPN configuration

Install OpenVPN. Run configure once, pointing it at the LZO library and headers installed above, and only then build and install:

tar -zxvf openvpn-2.1_rc4.tar.gz
cd openvpn-2.1_rc4
./configure --prefix=/usr/local/openvpn --with-lzo-lib=/usr/local/lzo/lib --with-lzo-headers=/usr/local/lzo/include/
make && make install
cp -r easy-rsa/ /etc/openvpn
cd /etc/openvpn
cp /usr/src/openvpn-2.1_rc4/sample-config-files/server.conf .
cd /etc/openvpn/2.0

Set the variables:

vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BeiJing"
export KEY_CITY="BeiJing"
export KEY_ORG="QSC"
export KEY_EMAIL="xiajie@ndtech.com.cn"

Check the environment variables (look first: nothing is set yet):

[root@localhost 2.0]# env | grep KEY

Load the environment file:

[root@localhost 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys

(Note: this means that running ./clean-all deletes /etc/openvpn/2.0/keys with rm -rf.)

Query the environment variables again after loading:

[root@localhost 2.0]# env | grep KEY

Initialise the PKI:

./clean-all
# creates the keys directory
#### Careful: once clean-all runs, it deletes every certificate under keys.

[root@localhost 2.0]# ./build-ca
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [PIP]:
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) [server CA]:server  (note: you must enter server here)
Name []:
Email Address [mis@pearlinpalm.com]:

[root@localhost 2.0]# ls keys/  (you can see that two files, ca.crt and ca.key, were generated under keys)

Generate the server key

Create the server certificate and key:

[root@localhost 2.0]# ./build-key-server server
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [PIP]:
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [mis@pearlinpalm.com]:
A challenge password []:
An optional company name []:
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Check the generated files server.crt, server.csr and server.key:

[root@localhost 2.0]# ls keys/

Generate the client key:

[root@localhost 2.0]# ./build-key client1
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [PIP]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:client1
Name []:
Email Address [jie.xia@qianshengcai.com]:
A challenge password []:
An optional company name []:
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

The options above must be kept consistent with the server's.

Check the generated files client1.crt, client1.key and client1.csr:

[root@localhost 2.0]# ls keys/

Create the Diffie-Hellman parameters

Diffie-Hellman parameters strengthen security and are mandatory in OpenVPN:

[root@localhost 2.0]# ./build-dh
…….+……………………+………………………………………….++*++*++*

Create the server certificates and configuration file

# copy ca.crt, server.crt, server.key and dh1024.pem from keys to /etc/openvpn
[root@localhost 2.0]# cd keys/
[root@localhost keys]# cp ca.crt server.crt server.key dh1024.pem /etc/openvpn/

Edit the server configuration file: delete all of its contents and paste in the following:

local x.x.x.x
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 0.0.0.0 0.0.0.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

Partial explanation

Editing the configuration file:

local x.x.x.x
# public address of the server
port 11940
;dev tap
dev tun
# network interface
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# put the key files in /etc/openvpn/, at the same level as server.conf, so no path needs to be configured
server 10.8.0.0 255.255.255.0
# fixed IP assignment
client-config-dir /etc/openvpn/ccd
# the format is: ifconfig-push 10.8.0.100 10.8.0.101
client-to-client
user nobody
group nobody

Start the service:

[root@localhost openvpn]# service openvpn restart

After the service starts, ifconfig shows a new interface, tun0:

[root@localhost openvpn]# ifconfig
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2804 (2.7 KiB) TX bytes:18332 (17.9 KiB)

Add firewall forwarding:

# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth1 -j MASQUERADE
# view the NAT rules
iptables -t nat -nL
# save the rules
/etc/init.d/iptables save
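The subnet in the `server` directive of server.conf and the `-s` source of the MASQUERADE rule have to describe the same network (this page uses 172.16.0.0/24 in one place and 10.8.0.0/24 in the other), and the privilege-drop and persist directives should not be lost when the file is rewritten. The script below is an added example, not from the original post or from OpenVPN; it checks both against a server.conf and an iptables command line, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: cross-check server.conf against the NAT rule added above.
# The `server` directive and the MASQUERADE source must describe the same
# subnet, otherwise client traffic leaves the box without being masqueraded.
# Function names are hypothetical, not OpenVPN or iptables tools.

# mask2prefix NETMASK: dotted netmask -> prefix length (255.255.255.0 -> 24)
mask2prefix() {
  n=0; done_ones=0
  for o in $(printf '%s' "$1" | tr . ' '); do
    case $o in
      255) b=8;; 254) b=7;; 252) b=6;; 248) b=5;; 240) b=4;;
      224) b=3;; 192) b=2;; 128) b=1;; 0) b=0;;
      *) echo "invalid netmask octet: $o" >&2; return 1;;
    esac
    # once a partial octet is seen, every later octet must be 0
    [ "$done_ones" = 1 ] && [ "$b" != 0 ] && { echo "non-contiguous mask $1" >&2; return 1; }
    [ "$b" != 8 ] && done_ones=1
    n=$((n + b))
  done
  echo "$n"
}

# vpn_subnet CONF: print "net/prefix" from the `server` line, e.g. 10.8.0.0/24
vpn_subnet() {
  set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
  [ $# -eq 2 ] || { echo "no server directive found" >&2; return 1; }
  p=$(mask2prefix "$2") || return 1
  echo "$1/$p"
}

# nat_matches CONF RULE: 0 when the rule's -s argument equals the VPN subnet
nat_matches() {
  want=$(vpn_subnet "$1") || return 1
  have=$(printf '%s' "$2" | sed -n 's/.*-s \([^ ]*\).*/\1/p')
  [ "$have" = "$want" ] ||
    { echo "MISMATCH: NAT source '$have' but server subnet is $want"; return 1; }
  echo "OK: NAT source matches $want"
}

# missing_hardening CONF: report the privilege-drop/persist directives that are absent
missing_hardening() {
  rc=0
  for d in "user nobody" "group nobody" persist-key persist-tun; do
    grep -q "^$d\$" "$1" || { echo "missing: $d"; rc=1; }
  done
  return $rc
}
```

Run it as `nat_matches /etc/openvpn/server.conf "$(grep MASQUERADE /etc/sysconfig/iptables)"` after sourcing the file, or call the functions from your own deployment script.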

Client section:

Download ca.crt, ca.key, client1.crt, client1.csr and client1.key from /etc/openvpn/2.0/keys/ on the server into C:\Program Files\OpenVPN\config (the client configuration below only references ca.crt, client1.crt and client1.key; the CA private key is not needed on the client).

client
dev tun
proto udp
remote x.x.x.x
# server address
resolv-retry infinite
nobind
#user nobody
#group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# key files
comp-lzo
verb 3
redirect-gateway def1
