open*** provides two types of virtual network interface: TUN and TAP. tun is used to create IP tunnels and tap to create Ethernet bridges; these two modes are also called routed mode and bridged mode. A TAP device is equivalent to an Ethernet device and operates on layer-2 packets such as Ethernet frames. A TUN device emulates a network-layer device and operates on layer-3 packets such as IP packets.
Reference: http://blog.csdn.net/guoliquan1/article/details/4851332
1. Compiling and installing the lzo library:
Go to http://www.oberhumer.com/opensource/lzo/download/ and download the lzo-2.04.tar.gz source package,
or use the command:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
Install the lzo library:
tar -zxvf lzo-2.04.tar.gz
cd lzo-2.04
./configure --prefix=/usr/local/lzo && make && make install
2. open*** configuration
Install open***:
tar -zxvf open***-2.1_rc4.tar.gz
cd open***-2.1_rc4
./configure --prefix=/usr/local/open*** --with-lzo-lib=/usr/local/lzo/lib --with-lzo-headers=/usr/local/lzo/include/
make && make install
cp easy-rsa/ /etc/open*** -r
cd /etc/open***
cp /usr/src/open***-2.1_rc4/sample-config-files/server.conf .
cd /etc/open***/2.0
Set the variables:
vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BeiJing"
export KEY_CITY="BeiJing"
export KEY_ORG="QSC"
export KEY_EMAIL="xiajie@ndtech.com.cn"
Check the environment variables
[root@localhost 2.0]# env |grep KEY (check first: nothing is set yet)
Load the environment file
[root@localhost 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/open***/2.0/keys
(Note: ./clean-all runs rm -rf on /etc/open***/2.0/keys, so it removes any keys already there)
Check the environment variables again after loading
[root@localhost 2.0]# env |grep KEY
Initialise the PKI
./clean-all
# creates the keys directory
#### Careful: once clean-all is run, it deletes every certificate under keys.
[root@localhost 2.0]# ./build-ca
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [PIP]:
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) [server CA]:server (be sure to enter server here)
Name []:
Email Address [mis@pearlinpalm.com]:
[root@localhost 2.0]# ls keys/ (two files, ca.crt and ca.key, have now been generated under keys)
Generate the server key
Create the server certificate and key
[root@localhost 2.0]# ./build-key-server server
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [PIP]:
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [mis@pearlinpalm.com]:
A challenge password []:
An optional company name []:
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Check the generated server.crt, server.csr and server.key
[root@localhost 2.0]# ls keys/
Generate the client key
[root@localhost 2.0]# ./build-key client1
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [PIP]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [client1]:client1
Name []:
Email Address [jie.xia@qianshengcai.com]:
A challenge password []:
An optional company name []:
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
The options above must match those used for the server.
Check the generated client1.crt, client1.key and client1.csr
[root@localhost 2.0]# ls keys/
Create the Diffie-Hellman parameters
Diffie-Hellman is used to strengthen security and is mandatory in Open×××:
[root@localhost 2.0]# ./build-dh
…….+……………………+………………………………………….++*++*++*
Create the server-side certificates and configuration file
# copy ca.crt, server.crt, server.key and dh1024.pem from keys to /etc/open***
[root@localhost 2.0]# cd keys/
[root@localhost keys]# cp ca.crt server.crt server.key dh1024.pem /etc/open***/
Edit the server configuration file: delete all of its contents and paste in the following
local x.x.x.x
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 0.0.0.0 0.0.0.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
log open***.log
verb 3
Explanation of some directives
Edit the configuration file
local x.x.x.x
# the server's public (external) address
port 11940
;dev tap
dev tun
# network interface type
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# keep the key files in /etc/open***/, alongside server.conf, so no paths need to be configured
server 10.8.0.0 255.255.255.0
# assign fixed IPs to clients
client-config-dir /etc/open***/ccd
# each client file has the form: ifconfig-push 10.8.0.100 10.8.0.101
client-to-client
user nobody
group nobody
Start the service
[root@localhost open***]# service open*** restart
After the service starts, ifconfig shows a new interface, tun0
[root@localhost open***]# ifconfig
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2804 (2.7 KiB) TX bytes:18332 (17.9 KiB)
Add firewall forwarding
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth1 -j MASQUERADE
# view the NAT rules
iptables -t nat -nL
# save the rules
/etc/init.d/iptables save
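A small audit for the two pieces above, written as an added example for this page (not code from the original post or from open***): it parses a server.conf in the format shown, reads the client pool from the `server` directive, and checks that the `-s` source of the MASQUERADE rule covers exactly that pool, since a mismatch means client traffic is never NATed; the finding codes and the trimmed sample config are my own constructions.

```python
import ipaddress
import shlex

# Constructed sample: the server.conf from the post (trimmed) and its MASQUERADE rule.
SERVER_CONF = """\
;dev tap
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
comp-lzo
user nobody
group nobody
"""
NAT_RULE = "iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth1 -j MASQUERADE"

def parse_conf(text):
    """Map each directive to the list of argument lists it appears with."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":    # OpenVPN comment markers
            continue
        parts = shlex.split(line)          # keeps quoted push "..." arguments together
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def tunnel_network(conf):
    """Client pool from 'server <network> <netmask>'."""
    net, mask = conf["server"][0]
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)

def audit(conf_text, nat_rule):
    """Return (code, message) findings; the codes are this example's own labels."""
    conf = parse_conf(conf_text)
    vpn_net = tunnel_network(conf)
    findings = []
    args = nat_rule.split()
    nat_src = args[args.index("-s") + 1] if "-s" in args else None
    nat_net = ipaddress.ip_network(nat_src, strict=False) if nat_src else None
    if nat_net != vpn_net:   # clients would get no NAT, or a foreign range would
        findings.append(("nat-mismatch", f"MASQUERADE -s {nat_net} != tunnel {vpn_net}"))
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append(("no-tls-auth", "no HMAC key protecting the control channel"))
    if "comp-lzo" in conf:
        findings.append(("comp-lzo", "compression inside the tunnel (deprecated since 2.4)"))
    return findings
```

Running `audit` on the second server.conf variant of this post (pool 10.8.0.0/24) against the rule above reports `nat-mismatch`, which is exactly the case where clients connect but cannot reach the Internet.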
Client part:
Download ca.crt, ca.key, client1.crt, client1.csr and client1.key from /etc/open***/2.0/keys/ on the server into C:\Program Files\Open×××\config. Of these, the client only actually uses ca.crt, client1.crt and client1.key; ca.key is the CA's private key, which should stay on the signing machine, and client1.csr is just the signing request.
client
dev tun
proto udp
remote x.x.x.x
# server address
resolv-retry infinite
nobind
#user nobody
#group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# key files
comp-lzo
verb 3
redirect-gateway def1