一,开始安装过程:

1,三个包

open***-2.1-0.29.rc15.el5.i386.rpm

lzo-2.02-2.el5.1.i386.rpm          

lzo-devel-2.02-2.el5.1.i386.rpm

2,查看一下文件分布:

[root@xxw src]# find / -name open***

/etc/open***     (空的)

/etc/rc.d/init.d/open***

/usr/share/open*** (示例文件)

/usr/share/logwatch/scripts/services/open***

/usr/lib/open***

/usr/sbin/open***

/var/run/open***

3,查看示例文件,有1.0和2.0两个版本

[root@xxw easy-rsa]# ll /usr/share/open***/easy-rsa

total 8

drwxr-xr-x 2 root root 4096 Jun  5 13:02 1.0

drwxr-xr-x 2 root root 4096 Jun  5 13:02 2.0

4,复制2.0的到/etc/open***中

cp 2.0/* /etc/open***
二,详细安装

1,创建证书配置文件

 vi /etc/open***/vars,把最后几行改成自己的信息(并建议把该文件里默认的 export KEY_SIZE=1024 改为 2048,否则后面 build-ca/build-key/build-dh 生成的 RSA 密钥和 DH 参数都只有 1024 位,按现在的标准已经不安全):

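# Identity fields that easy-rsa bakes into every certificate it issues
# (CA, server and clients). Edit these to match your organisation.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BJ"
export KEY_ORG="XXW"
export KEY_EMAIL="[email protected]"
# easy-rsa 2.0's vars file defaults to 1024-bit RSA keys and DH parameters;
# 1024-bit is below current minimums. Exporting it here, after the default,
# overrides it so build-ca/build-key*/build-dh all produce 2048-bit material.
# build-dh will then write keys/dh2048.pem, and the server config's "dh" line
# must point at that file instead of dh1024.pem.
export KEY_SIZE=2048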
2,在 /etc/open*** 目录下执行(vars 必须用 . 或 source 载入到当前 shell,不能直接 ./vars,否则后面的脚本读不到这些变量):

# . ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/open***/keys (这是 vars 的正常提示,但不要忽视它:clean-all 会清空 keys 目录,包括 CA 私钥和已签发的所有证书,只在首次初始化时执行一次;在已经使用中的服务器上重新执行会让所有客户端证书作废)

#./clean-all

#./build-ca

最后的 build-ca 命令会调用 openssl 生成 CA 的私钥和证书(keys/ca.key、keys/ca.crt)。ca.key 是整个 VPN 的信任根,只用于签发证书,必须严格保护(权限 600,最好离线保存),绝不能分发给客户端;客户端只需要 ca.crt。
3,建立认证书和密钥:

服务端的:

#./build-key-server server

建立客户端证书:

#./build-key client1

#./build-key client2

#./build-key client3

如果希望客户端私钥有口令保护(设备或密钥文件丢失时不能直接被使用),请改用 build-key-pass 脚本生成客户端证书;无论哪种方式,私钥文件 (*.key) 都应设置 600 权限,并且只通过安全渠道分发给对应的客户端。

为了区分每个客户端,必须用合适的名称填写 "Common Name",比如 "client1"、"client2"、"client3"。每个客户端都应有唯一的 Common Name 和自己的证书,不要多台设备共用一张证书:服务端靠 Common Name 识别客户端,共用证书后也无法单独吊销某一台设备。
4,创建 Diffie-Hellman 参数:

open*** 服务端必须生成 Diffie-Hellman 参数(build-dh 的输出文件名取决于 vars 中的 KEY_SIZE:1024 时为 keys/dh1024.pem,2048 时为 keys/dh2048.pem,server.conf 里的 dh 一行必须与之对应):

#./build-dh

#mkdir conf

#vi conf/server.conf
# Server-side configuration. It is started by hand with --config (section 5),
# so the relative paths below (ipp.txt, the status log) resolve against the
# shell's working directory at launch, not against /etc/open***/conf;
# absolute paths are safer.
port 1194
# TCP was chosen here (the daemon's default is UDP). It passes more firewalls
# but performs poorly on lossy links; it is not a security difference.
proto tcp
dev tun
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/server.crt
key /etc/open***/keys/server.key # This file should be kept secret
# dh1024.pem is what build-dh writes when vars leaves KEY_SIZE at its 1024
# default. 1024-bit DH is considered too weak today; set KEY_SIZE=2048 in vars
# before running build-dh and reference keys/dh2048.pem here instead.
dh /etc/open***/keys/dh1024.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "route 172.16.0.0 255.255.255.0"
#client-config-dir /etc/open***/ccd
#route 172.16.0.0 255.255.255.0
# Lets every connected client reach every other client through the server,
# bypassing the host firewall. Remove it unless clients really must talk to
# each other.
client-to-client
keepalive 10 120
# Compression must match the client side. Compressing attacker-influenced
# plaintext together with secrets can leak those secrets (VORACLE-style
# attacks); omit comp-lzo on both sides if that threat applies.
comp-lzo
# Drop root privileges once the tunnel is up; persist-key / persist-tun are
# what allow restarts to keep working after the drop.
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
# Not set here, so built-in defaults apply: no explicit "cipher" (the 2.1
# default is Blowfish-CBC, a 64-bit-block cipher) and no "tls-auth" HMAC on
# the control channel. A hardened setup adds "cipher AES-256-CBC" and
# "tls-auth ta.key 0" (key generated with "open*** --genkey --secret ta.key")
# here, together with "cipher AES-256-CBC" / "tls-auth ta.key 1" on every
# client. Both sides must be changed at the same time or clients stop connecting.
5,启动(下面的命令在前台运行,调试时方便看输出;正式使用时加 --daemon 或改用 /etc/rc.d/init.d/open*** 启动脚本。注意该启动脚本一般只加载 /etc/open***/*.conf,放在 conf/ 子目录里的配置不会被它自动读取,需要改放到 /etc/open***/server.conf):

open*** --config /etc/open***/conf/server.conf
三,验证(上图)

客户端的 client.conf 配置文件内容如下(ca.crt 与服务端是同一个文件;cert/key 必须指向用 ./build-key <名称> 为该客户端生成的证书和私钥——下面的 lin.crt/lin.key 对应 ./build-key lin。另外示例里 ns-cert-type server 被注释掉了,这会让客户端把任何由本 CA 签发的证书都当作服务端,建议打开):
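# Client-side configuration. File names must match what easy-rsa produced on
# the server: ca.crt is the same CA certificate the server uses, and
# lin.crt / lin.key are the pair written by "./build-key lin" for this client.
client
;dev tap
dev tun
;dev-node MyTap
# Must match the server's "proto tcp".
proto tcp
;proto udp
remote 192.168.13.211 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
# Drop root after the tunnel is up (same pattern as the server config).
user nobody
group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca /etc/open***/keys/ca.crt
cert /etc/open***/keys/lin.crt
key /etc/open***/keys/lin.key
# Enabled (it was commented out in the original). Without it the client
# accepts ANY certificate signed by ca.crt as the server, so anyone holding a
# client certificate from this CA could impersonate the server and intercept
# the tunnel. The server certificate was issued with build-key-server, which
# marks it nsCertType=server, so this check passes for the real server and
# rejects client certificates.
ns-cert-type server
# Leave commented until the server enables "tls-auth ta.key 0" with the same
# ta.key; the key has to be copied to the client out-of-band.
;tls-auth ta.key 1
# No cipher is set, so the daemon's default applies (Blowfish-CBC in 2.1, a
# 64-bit-block cipher). "cipher AES-256-CBC" is preferable but requires the
# identical line on the server; change both sides together.
;cipher x
# Must match the server. Compression can leak secrets mixed with
# attacker-controlled data (VORACLE-style); drop it on both sides if relevant.
comp-lzo
verb 3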