Notes on installing OpenVPN on Linux and the OpenVPN GUI on Windows

1. OpenVPN installation environment

Server-side environment:
[root@localhost etc]# lsb_release -a
LSB Version:    :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 5.8 (Final)
Release:        5.8
Codename:       Final
[root@localhost etc]# uname -a
Linux localhost 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux


The kernel must support the tun device, and the iptables modules must be loaded.
Check whether tun is present:
Code:

[root@localhost etc]# modinfo tun
filename:       /lib/modules/2.6.18-308.el5/kernel/drivers/net/tun.ko
alias:          char-major-10-200
license:        GPL
author:         (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
description:    Universal TUN/TAP device driver
srcversion:     430A127E593C2F7EFE6855C
depends:        
vermagic:       2.6.18-308.el5 SMP mod_unload gcc-4.1
module_sig:     883f3504f44473a48d0a1fbae482c4c112353409f741ba97727abe79e7a1b293a4b6ac46577b82809e28dd61309aa75474d3abbbe30da852c9a01d67



If the modinfo command is not available, search directly to see whether the kernel tree contains a tun.o file:
Code:


Check the iptables module by looking for the following file:
/etc/init.d/iptables
OpenSSL: if SSL connections are to be enabled, OpenSSL must be installed first. Installing OpenSSL is not covered here (search Google for details). On CentOS it can be installed with yum:

#yum install openssl
#yum install openssl-devel

OpenVPN version installed: 2.0.5 (a more recent version); it can be downloaded from http://openvpn.net.

Client-side environment:
Windows XP PRO SP2
OpenVPN GUI for Windows 1.0.3, downloadable from openvpn.se
Note: the OpenVPN GUI for Windows version must match the OpenVPN server version.
For example, if the server runs OpenVPN 2.0.5, the OpenVPN GUI for Windows package to download is: openvpn-2.0.5-gui-1.0.3-install.exe
All historical versions of the OpenVPN GUI: http://openvpn.se/files/install_packages/

2. OpenVPN server installation process (working directory: /usr/local/src/)

Download LZO and extract it to lzo-2.02.

URL: http://www.oberhumer.com/opensource/lzo/download/
Code:

#wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz

Download OpenVPN and extract it to openvpn-2.0.5

URL: http://openvpn.net/download.html
Code:

#wget http://openvpn.net/release/openvpn-2.0.5.tar.gz

Install LZO. Code:

#cd /lzo-2.02 
#./configure 
#make 
#make check 
#make install 

Install OpenVPN

代码:

#cd /openvpn-2.0.5
#./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib 
#make 
#make install 


cp /usr/local/src/openvpn-2.0.5/easy-rsa/ -r /etc/openvpn

Generate the certificates and keys

Initialize the PKI

(If the export command is not available, setenv [name] [value] can be used instead)

代码:

# cd /etc/openvpn/2.0/
#vim vars
export D=`pwd` 
export KEY_CONFIG=$D/openssl.cnf 
export KEY_DIR=$D/keys 
export KEY_SIZE=1024 
export KEY_COUNTRY=CN 
export KEY_PROVINCE=BJ 
export KEY_CITY=BJ
export KEY_ORG="zhaoyong.com" 
export KEY_EMAIL="zhaoyong012@qq.com" 

#source vars

#./clean-all 
#./build-ca 

Generating a 1024 bit RSA private key 
................++++++ 
........++++++ 
writing new private key to 'ca.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [CN]: 
State or Province Name (full name) [BJ]: 
Locality Name (eg, city) [BJ]: 
Organization Name (eg, company) [zhaoyong.com]: 
Organizational Unit Name (eg, section) []:zhaoyong.com 
Common Name (eg, your name or your server's hostname) []:server 
Email Address [zhaoyong012@qq.com]: 

# Create the server key. Code:

#./build-key-server server 

Generating a 1024 bit RSA private key 
......++++++ 
....................++++++ 
writing new private key to 'server.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [CN]: 
State or Province Name (full name) [BJ]: 
Locality Name (eg, city) [BJ]: 
Organization Name (eg, company) [zhaoyong.com]: 
Organizational Unit Name (eg, section) []:zhaoyong.com 
Common Name (eg, your name or your server's hostname) []:server 
Email Address [zhaoyong012@qq.com]: 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []:zhaoyong
An optional company name []:zhaoyong.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName :PRINTABLE:'CN' 
stateOrProvinceName :PRINTABLE:'BJ' 
localityName :PRINTABLE:'BJ' 
organizationName :PRINTABLE:'zhaoyong.com' 
organizationalUnitName:PRINTABLE:'zhaoyong.com' 
commonName :PRINTABLE:'server' 
emailAddress :IA5STRING:'zhaoyong012@qq.com' 
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 

# Generate the client key

Code:

#./build-key client1 
Generating a 1024 bit RSA private key 
.....++++++ 
......++++++ 
writing new private key to 'client1.key' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [CN]: 
State or Province Name (full name) [BJ]: 
Locality Name (eg, city) [BJ]: 
Organization Name (eg, company) [zhaoyong.com]: 
Organizational Unit Name (eg, section) []:zhaoyong.com 
Common Name (eg, your name or your server's hostname) []:client1 # Important: every client certificate must be generated with a different name.
Email Address [zhaoyong012@qq.com]: 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []:zhaoyong 
An optional company name []:zhaoyong.com 
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName :PRINTABLE:'CN' 
stateOrProvinceName :PRINTABLE:'BJ' 
localityName :PRINTABLE:'BJ' 
organizationName :PRINTABLE:'zhaoyong.com' 
organizationalUnitName:PRINTABLE:'zhaoyong.com' 
commonName :PRINTABLE:'client1' 
emailAddress :IA5STRING:'zhaoyong012@qq.com' 
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 

Generate the remaining client certificates/keys in the same way

Code:

#./build-key client2 
#./build-key client3 

Note: at the Common Name (eg, your name or your server's hostname) []: prompt, each certificate must be given a different name.
Generate the Diffie-Hellman parameters. Code:

#./build-dh 

Package all files under keys and download them to the local machine
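As an added example (not part of the original notes), the following Python script reads the CA database that easy-rsa keeps at keys/index.txt (the file the "Write out database" / "Data Base Updated" messages above update) and lists each issued certificate with its Common Name and expiry, flagging Common Names that have more than one live certificate. The sample index.txt lines are constructed to mirror the DNs issued above.

```python
import datetime
from collections import Counter

# Constructed sample of easy-rsa's keys/index.txt (the OpenSSL CA database): one
# tab-separated line per certificate: status (V valid / R revoked / E expired),
# expiry (UTCTime YYMMDDHHMMSSZ), revocation date (empty unless revoked), serial,
# certificate filename, subject DN.
DN = "/C=CN/ST=BJ/L=BJ/O=zhaoyong.com/OU=zhaoyong.com/CN={}/emailAddress=zhaoyong012@qq.com"
SAMPLE_INDEX = "\n".join([
    "V\t160319081531Z\t\t01\tunknown\t" + DN.format("server"),
    "V\t160319082200Z\t\t02\tunknown\t" + DN.format("client1"),
    "R\t160319083000Z\t120401120000Z\t03\tunknown\t" + DN.format("client2"),
    "V\t160319083500Z\t\t04\tunknown\t" + DN.format("client2"),  # reissued after revocation
    "V\t160319084000Z\t\t05\tunknown\t" + DN.format("client1"),  # second live cert, same CN
])

def parse_time(s):
    """Parse the UTCTime form used in index.txt (two-digit year, 'Z' suffix)."""
    return datetime.datetime.strptime(s, "%y%m%d%H%M%SZ")

def parse_index(text):
    """Parse index.txt into dicts; the subject DN is split on '/' into its RDNs."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        rdns = dict(part.split("=", 1) for part in subject.split("/") if part)
        entries.append({"status": status, "expiry": parse_time(expiry),
                        "revoked": parse_time(revoked) if revoked else None,
                        "serial": serial, "cn": rdns.get("CN", "")})
    return entries

def duplicate_cns(entries):
    """CNs with more than one valid certificate. A revoked entry followed by a
    reissue is normal; two live certificates for one CN are two clients the
    server sees under the same name."""
    counts = Counter(e["cn"] for e in entries if e["status"] == "V")
    return sorted(cn for cn, n in counts.items() if n > 1)

def usable(entries, now):
    """Serials the server still accepts at `now`: valid, unrevoked, unexpired."""
    return [e["serial"] for e in entries
            if e["status"] == "V" and e["revoked"] is None and e["expiry"] > now]
```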

Create the server configuration file
mkdir /etc/openvpn/2.0/conf
cp /usr/local/src/openvpn-2.0.5/sample-config-files/server.conf /etc/openvpn/2.0/conf/server.conf
Edit the server configuration file
vim /etc/openvpn/2.0/conf/server.conf
Created from the sample file:

Contents of server.conf (blank lines and comments stripped)
# cat server.conf | grep -v ^$ | grep -v ^# | grep -v ^\;
local 192.168.5.72
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh /usr/local/etc/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 202.106.0.20" 
# ca.crt, server.crt, server.key and dh1024.pem must be copied from the keys directory into the same directory as server.conf

Create the client configuration file
Code:

cp /usr/local/src/openvpn-2.0.5/sample-config-files/client.conf /etc/openvpn/2.0/conf/
# copy the client configuration file

#vim /etc/openvpn/2.0/conf/client.conf
client
dev tun
proto udp
remote 192.168.5.72 1194
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1 
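Added example, not from the original notes: a small Python checker for the server.conf and client.conf above. It strips comments the way the grep -v pipeline does, then verifies that every file named by ca/cert/key/dh exists next to the config, that key files are not readable by group or others, and that no ca.key has been placed beside a client config (the client verifies the server with ca.crt alone). The directory it checks is constructed with tempfile.

```python
import os
import tempfile

# File-valued directives; a relative name resolves against OpenVPN's working directory
FILE_DIRECTIVES = {"ca", "cert", "key", "dh", "tls-auth"}
SECRET_DIRECTIVES = {"key", "tls-auth"}  # private material: owner-only access

CLIENT_CONF = """client
ca ca.crt
cert client.crt
key client.key  # This file should be kept secret
"""  # constructed, abridged from the client.conf above

def parse_config(text):
    """(directive, args) pairs, dropping blank lines and '#'/';' comments."""
    out = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].split(";", 1)[0].strip()
        if body:
            name, *args = body.split()
            out.append((name, args))
    return out

def check_config(path):
    """Missing files, secrets readable by others, and a CA key beside a client config."""
    conf_dir = os.path.dirname(os.path.abspath(path))
    with open(path) as f:
        directives = parse_config(f.read())
    problems = []
    for name, args in directives:
        if name in FILE_DIRECTIVES and args:
            target = args[0] if os.path.isabs(args[0]) else os.path.join(conf_dir, args[0])
            if not os.path.isfile(target):
                problems.append(f"{name}: {args[0]} not found in {conf_dir}")
            elif name in SECRET_DIRECTIVES and os.stat(target).st_mode & 0o077:
                problems.append(f"{name}: {args[0]} is readable by group/others")
    if ("client", []) in directives and os.path.exists(os.path.join(conf_dir, "ca.key")):
        problems.append("ca.key present in a client config directory")
    return problems

def demo():
    # Throwaway dir: client.crt missing; client.key and a stray ca.key left world-readable
    d = tempfile.mkdtemp()
    for fn, content in {"client.conf": CLIENT_CONF, "ca.crt": "x",
                        "client.key": "x", "ca.key": "x"}.items():
        with open(os.path.join(d, fn), "w") as f:
            f.write(content)
        os.chmod(os.path.join(d, fn), 0o644)
    return check_config(os.path.join(d, "client.conf"))
```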

Package the files under keys and place them in the vsftpd directory
tar zcvf yskeys.tar.gz keys/
cp yskeys.tar.gz /var/ftp/pub/

Start OpenVPN
/usr/local/sbin/openvpn --config /etc/openvpn/2.0/conf/server.conf &

#cp /usr/local/src/openvpn-2.0.5/sample-scripts/openvpn.init /etc/init.d/openvpn
#service openvpn restart
#chkconfig --add openvpn
#chkconfig openvpn on
That completes the OpenVPN setup; next, configure iptables
============================
Enable iptables
service iptables start
Enable IP forwarding on CentOS 5
echo 1 > /proc/sys/net/ipv4/ip_forward
# Apply it through sysctl as well. sysctl -w alone does not survive a reboot; to keep forwarding enabled after a restart the key must also be set in /etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=1
sed -i 's/^net.ipv4.ip_forward *=.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
Add the NAT rule (SNAT for the VPN subnet)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 119.57.16.5
Note: replace 119.57.16.5 with your server's public IP

3. Installing the OpenVPN GUI for Windows client

Install the OpenVPN GUI for Windows, downloaded from http://openvpn.se. The current version is 1.0.3. Note: the OpenVPN GUI version must match the OpenVPN server version; see the note in section 1, installation environment.
Install the OpenVPN GUI following the on-screen instructions.
Configure the OpenVPN GUI

After installation, go to the config directory under the installation folder, download the client.conf file above from the server into this folder, and rename it client.ovpn

At the same time, copy the following key files from the server to the local machine:

ca.crt
ca.key
client1.crt ---> rename to client.crt
client1.csr ---> rename to client.csr
client1.key ---> rename to client.key
Then double-click client.ovpn to start OpenVPN, or start the VPN through the OpenVPN GUI controls. If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI icon in the taskbar, choose Edit Config, paste the contents in and save, then right-click again and choose Connect. To use the VPN on a second machine, do the same configuration, replacing client1.crt, client1.csr and client1.key with the corresponding client2.xxx files and changing the matching key file entries in client.ovpn.