Server: 192.168.2.188/24
Client: 192.168.2.199/24
Virtual IP range: 22.22.22.x/24
Server configuration:
mkdir -p /opt/{openvpn,source}
mkdir -p /opt/openvpn/{ccd,conf,log}
cd /opt/source/
tar zxvf lzo-2.03.tar.gz
cd lzo-2.03
./configure
make
make install
tar -zxvf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure
make
make install
cd /opt/source/openvpn-2.0.9
cp -r easy-rsa /opt/openvpn
cd /opt/openvpn/easy-rsa
Edit /opt/openvpn/easy-rsa/vars and replace the relevant values with your own.
Note: do not get KEY_DIR wrong. The certificate initialisation step below runs rm -rf on that directory, so a wrong value deletes the wrong files.
vi /opt/openvpn/easy-rsa/vars
------------------------------------------------ config ------------------------------------------------
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="Chinatree"
export KEY_EMAIL="vip@chinatree.com"
------------------------------------------------ config ------------------------------------------------
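Added example, not part of the original post: a small guard for the KEY_DIR warning above. easy-rsa's ./clean-all does rm -rf on whatever KEY_DIR vars exported, so this checks that the value is a non-empty absolute path strictly below the easy-rsa directory before clean-all is allowed to run. The function names safe_key_dir and guarded_clean_all are my own; the paths are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post). Guards the "rm -rf $KEY_DIR"
# that easy-rsa's ./clean-all performs, so a mistyped KEY_DIR in vars cannot
# wipe the wrong directory. Function names are my own; the paths are the
# ones used in this post.

# safe_key_dir DIR ROOT
# Succeeds only if DIR is a non-empty absolute path, contains no ".."
# component, and lies strictly below ROOT (the easy-rsa directory).
safe_key_dir() {
    dir=$1
    root=$2
    [ -n "$dir" ] || return 1           # unset or empty KEY_DIR
    case $dir in
        /*) ;;                          # must be absolute
        *) return 1 ;;
    esac
    case $dir in
        */../*|*/..) return 1 ;;        # no parent-directory traversal
    esac
    case $dir in
        "$root"/?*) return 0 ;;         # strictly below ROOT, e.g. ROOT/keys
    esac
    return 1
}

# guarded_clean_all EASYRSA_DIR
# Sources vars from EASYRSA_DIR (what "source vars" does in this post), checks
# the resulting KEY_DIR, and only then runs ./clean-all. The body runs in a
# subshell so the caller's working directory and environment stay untouched.
guarded_clean_all() (
    easyrsa=$1
    cd "$easyrsa" || return 1
    . ./vars || return 1
    if safe_key_dir "$KEY_DIR" "$easyrsa"; then
        printf 'KEY_DIR=%s is below %s, running ./clean-all\n' "$KEY_DIR" "$easyrsa"
        ./clean-all
    else
        printf 'refusing ./clean-all: KEY_DIR=%s is not strictly below %s\n' \
            "$KEY_DIR" "$easyrsa" >&2
        return 1
    fi
)

# Dry demonstration on the paths from this post (touches no files):
safe_key_dir /opt/openvpn/easy-rsa/keys /opt/openvpn/easy-rsa && echo "accepted: /opt/openvpn/easy-rsa/keys"
safe_key_dir /opt/openvpn/easy-rsa /opt/openvpn/easy-rsa || echo "rejected: KEY_DIR equal to the easy-rsa dir"
safe_key_dir / /opt/openvpn/easy-rsa || echo "rejected: /"
```

Use guarded_clean_all /opt/openvpn/easy-rsa in place of the bare source vars; ./clean-all sequence. KEY_DIR values equal to the easy-rsa directory itself, to /, to a relative path, or containing .. are all refused.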
source vars
./clean-all
./build-ca
------------------------------------------------ config ------------------------------------------------
Generating a 1024 bit RSA private key
....++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [Chinatree]:
Organizational Unit Name (eg, section) []:Chinatree
Common Name (eg, your name or your server's hostname) []:server
Email Address [vip@chinatree.com]:
------------------------------------------------ config ------------------------------------------------
./build-dh
./build-key-server server
------------------------------------------------ config ------------------------------------------------
Generating a 1024 bit RSA private key
.................++++++
........................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [Chinatree]:
Organizational Unit Name (eg, section) []:Chinatree
Common Name (eg, your name or your server's hostname) []:server
Email Address [vip@chinatree.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /opt/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'SZ'
organizationName :PRINTABLE:'Chinatree'
organizationalUnitName:PRINTABLE:'Chinatree'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'vip@chinatree.com'
Certificate is to be certified until Jul 17 03:02:31 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
------------------------------------------------ config ------------------------------------------------
./build-key client1
------------------------------------------------ config ------------------------------------------------
Generating a 1024 bit RSA private key
..........++++++
.....++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [Chinatree]:
Organizational Unit Name (eg, section) []:Chinatree
Common Name (eg, your name or your server's hostname) []:client1
Email Address [vip@chinatree.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /opt/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'SZ'
organizationName :PRINTABLE:'Chinatree'
organizationalUnitName:PRINTABLE:'Chinatree'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'vip@chinatree.com'
Certificate is to be certified until Jul 17 03:05:32 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
------------------------------------------------ config ------------------------------------------------
openvpn --genkey --secret keys/ta.key
chmod 755 /opt/openvpn/easy-rsa/make-crl
./make-crl vpncrl.pem
------------------------------------------------ config ------------------------------------------------
Using configuration from /opt/openvpn/easy-rsa/openssl.cnf
------------------------------------------------ config ------------------------------------------------
Add the server configuration file:
vi /opt/openvpn/conf/server.conf
------------------------------------------------ config ------------------------------------------------
local 192.168.2.188
port 9999
proto tcp-server
dev tap
management 192.168.2.188 9898
ca /opt/openvpn/easy-rsa/keys/ca.crt
cert /opt/openvpn/easy-rsa/keys/server.crt
key /opt/openvpn/easy-rsa/keys/server.key
#crl-verify /opt/openvpn/easy-rsa/keys/vpncrl.pem
dh /opt/openvpn/easy-rsa/keys/dh1024.pem
server 22.22.22.0 255.255.255.0
ifconfig-pool-persist /opt/openvpn/conf/ipp.txt
client-config-dir /opt/openvpn/ccd
push "route 22.22.22.0 255.255.255.0"
client-to-client
keepalive 10 120
tls-auth /opt/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /opt/openvpn/log/openvpn-status.log
log /opt/openvpn/log/openvpn.log
verb 3
------------------------------------------------ config ------------------------------------------------
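Added example, not from the original post: a small audit script for the server.conf above. It flags the settings a reviewer would question in this config: crl-verify left commented out (so the CRL produced with make-crl is never consulted and a revoked client1.crt still connects), the management interface bound to the LAN address 192.168.2.188 with no password file, and no cipher directive (OpenVPN 2.0.x then uses its default BF-CBC). The two sample files are constructed inline: the first is the post's server.conf, the second a hardened variant; the password-file path /opt/openvpn/conf/mgmt.pw and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Audits an OpenVPN 2.0.x server
# config for the weak spots visible in the server.conf above. Function names
# and the mgmt.pw path are my own assumptions.

# has_directive FILE NAME: true if NAME appears as an active (uncommented)
# directive. OpenVPN treats lines starting with '#' or ';' as comments.
has_directive() {
    grep -qE "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_openvpn_conf FILE: print one finding per line, nothing if clean.
audit_openvpn_conf() {
    f=$1
    has_directive "$f" crl-verify ||
        echo "crl-verify not active: certificates revoked with make-crl are still accepted"
    has_directive "$f" tls-auth ||
        echo "no tls-auth: the TLS handshake is reachable by anyone who can hit the port"
    { has_directive "$f" user && has_directive "$f" group; } ||
        echo "no user/group: the daemon keeps root privileges after startup"
    has_directive "$f" cipher ||
        echo "no cipher directive: OpenVPN 2.0.x falls back to its default BF-CBC"
    # management ADDRESS PORT [pw-file]: should be loopback-only and password-protected
    mgmt=$(grep -E '^[[:space:]]*management[[:space:]]' "$f" | head -n 1)
    if [ -n "$mgmt" ]; then
        set -- $mgmt
        [ "$2" = 127.0.0.1 ] ||
            echo "management interface bound to $2:$3, reachable from the LAN outside the VPN"
        [ -n "$4" ] ||
            echo "management interface on $2:$3 has no password file: anyone reaching it can kill sessions"
    fi
}

# count_findings FILE: number of findings, printed as a plain integer.
count_findings() {
    audit_openvpn_conf "$1" | grep -c . || true
}

# Two constructed sample files: the post's server.conf (weak) and a hardened variant.
WEAK_CONF=${TMPDIR:-/tmp}/openvpn-audit-weak.$$
HARD_CONF=${TMPDIR:-/tmp}/openvpn-audit-hard.$$
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

cat >"$WEAK_CONF" <<'EOF'
local 192.168.2.188
port 9999
proto tcp-server
dev tap
management 192.168.2.188 9898
ca /opt/openvpn/easy-rsa/keys/ca.crt
cert /opt/openvpn/easy-rsa/keys/server.crt
key /opt/openvpn/easy-rsa/keys/server.key
#crl-verify /opt/openvpn/easy-rsa/keys/vpncrl.pem
dh /opt/openvpn/easy-rsa/keys/dh1024.pem
server 22.22.22.0 255.255.255.0
tls-auth /opt/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
user nobody
group nobody
EOF

# Hardened: CRL enforced, management on loopback with a password file, explicit cipher.
cat >"$HARD_CONF" <<'EOF'
local 192.168.2.188
port 9999
proto tcp-server
dev tap
management 127.0.0.1 9898 /opt/openvpn/conf/mgmt.pw
ca /opt/openvpn/easy-rsa/keys/ca.crt
cert /opt/openvpn/easy-rsa/keys/server.crt
key /opt/openvpn/easy-rsa/keys/server.key
crl-verify /opt/openvpn/easy-rsa/keys/vpncrl.pem
dh /opt/openvpn/easy-rsa/keys/dh1024.pem
server 22.22.22.0 255.255.255.0
tls-auth /opt/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
EOF

echo "== weak =="; audit_openvpn_conf "$WEAK_CONF"
echo "== hardened =="; audit_openvpn_conf "$HARD_CONF"
```

Run it against the real file with audit_openvpn_conf /opt/openvpn/conf/server.conf; the post's config produces four findings, the hardened variant none.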
Add outbound NAT mapping: enable IP forwarding
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
or
echo 1 > /proc/sys/net/ipv4/ip_forward
or
sysctl -w net.ipv4.ip_forward=1
Add an iptables rule for address translation
iptables -t nat -A POSTROUTING -s 22.22.22.0/24 -o eth0 -j MASQUERADE
Assign a fixed IP to the client
vi /opt/openvpn/ccd/client1
------------------------------------------------ config ------------------------------------------------
ifconfig-push 22.22.22.22 255.255.255.0
------------------------------------------------ config ------------------------------------------------
Client configuration:
mkdir -p /opt/{openvpn,source}
mkdir -p /opt/openvpn/{ccd,conf,keys,log}
cd /opt/source/
tar zxvf lzo-2.03.tar.gz
cd lzo-2.03
./configure
make
make install
tar -zxvf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure
make
make install
cd /opt/openvpn/
------------------------------------------------ config ------------------------------------------------
On the server, copy the following files to the client
cd /opt/openvpn/easy-rsa/keys
scp ca.crt ta.key client1.crt client1.key 192.168.2.199:/opt/openvpn/keys
------------------------------------------------ config ------------------------------------------------
Add the client configuration file:
vi /opt/openvpn/conf/client.conf
------------------------------------------------ config ------------------------------------------------
client
proto tcp-client
dev tap
remote 192.168.2.188 9999
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /opt/openvpn/keys/ca.crt
cert /opt/openvpn/keys/client1.crt
key /opt/openvpn/keys/client1.key
tls-auth /opt/openvpn/keys/ta.key 1
comp-lzo
log /opt/openvpn/log/openvpn.log
verb 4
------------------------------------------------ config ------------------------------------------------
Start the server:
/usr/local/sbin/openvpn --config /opt/openvpn/conf/server.conf &
------------------------------------------------ config ------------------------------------------------
tap0 Link encap:Ethernet HWaddr 3A:25:6D:E9:DC:DC
inet addr:22.22.22.1 Bcast:22.22.22.255 Mask:255.255.255.0
inet6 addr: fe80::3825:6dff:fee9:dcdc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:82 errors:0 dropped:0 overruns:0 frame:0
TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:23976 (23.4 KiB) TX bytes:6876 (6.7 KiB)
------------------------------------------------ config ------------------------------------------------
route -n
------------------------------------------------ config ------------------------------------------------
22.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
------------------------------------------------ config ------------------------------------------------
Start the client:
/usr/local/sbin/openvpn --config /opt/openvpn/conf/client.conf &
------------------------------------------------ config ------------------------------------------------
tap0 Link encap:Ethernet HWaddr 3E:9E:D5:FF:1F:7F
inet addr:22.22.22.22 Bcast:22.22.22.255 Mask:255.255.255.0
inet6 addr: fe80::3c9e:d5ff:feff:1f7f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:7974 (7.7 KiB)
------------------------------------------------ config ------------------------------------------------
route -n
------------------------------------------------ config ------------------------------------------------
22.22.22.0 22.22.22.1 255.255.255.0 UG 0 0 0 tap0
22.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
------------------------------------------------ config ------------------------------------------------
This shows the configuration works. To manage the clients that have connected to OpenVPN, connect to the management interface (192.168.2.188 port 9898, as set in server.conf) and issue status:
------------------------------------------------ config ------------------------------------------------
Trying 192.168.2.188...
Connected to icap1 (192.168.2.188).
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
status
OpenVPN CLIENT LIST
Updated,Thu Jul 19 12:01:14 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.2.199:47654,13440,7086,Thu Jul 19 11:58:27 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
3e:9e:d5:ff:1f:7f,client1,192.168.2.199:47654,Thu Jul 19 11:58:29 2012
GLOBAL STATS
Max bcast/mcast queue length,1
END
------------------------------------------------ config ------------------------------------------------
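Added example, not from the original post: parsing the management interface's status output shown above with awk, to list the connected clients and flag any whose real address is outside the expected LAN prefix. The sample is the post's status output plus one constructed second client (client2 from 10.0.0.5) so the filter has something to catch; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the "status" output of
# the OpenVPN management interface shown above. The sample below is the post's
# own status output plus one constructed extra client (client2) so the
# out-of-LAN filter has something to catch. Function names are mine.

# list_clients: read status output on stdin, print "CN real-address connected-since"
# for each row of the CLIENT LIST section (the header and "Updated" rows are skipped).
list_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { in_list = 1; next }
        /^ROUTING TABLE/       { in_list = 0 }
        in_list && NF == 5 && $1 != "Common Name" { print $1, $2, $5 }
    '
}

# clients_outside PREFIX: clients whose real address does not start with PREFIX
# (e.g. "192.168.2." for the LAN in this post). Anything else deserves a look.
clients_outside() {
    list_clients | awk -v p="$1" 'index($2, p) != 1 { print $1, $2 }'
}

# Constructed sample: the post's status output with client2 added.
STATUS_SAMPLE=$(cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jul 19 12:01:14 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.2.199:47654,13440,7086,Thu Jul 19 11:58:27 2012
client2,10.0.0.5:51022,2048,1024,Thu Jul 19 12:00:41 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
3e:9e:d5:ff:1f:7f,client1,192.168.2.199:47654,Thu Jul 19 11:58:29 2012
GLOBAL STATS
Max bcast/mcast queue length,1
END
EOF
)

echo "connected clients:"
printf '%s\n' "$STATUS_SAMPLE" | list_clients
echo "clients not from 192.168.2.0/24:"
printf '%s\n' "$STATUS_SAMPLE" | clients_outside 192.168.2.
```

The same functions work on the status file the server writes via the status directive (/opt/openvpn/log/openvpn-status.log in this setup), since it uses the same CLIENT LIST layout.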
Errors seen while connecting, and their fixes:
Problem no. 1
us=7339 TLS Error: TLS object -> incoming plaintext read error
us=7347 TLS Error: TLS handshake failed
Cause and fix:
The client's and server's clocks do not match, which causes the error; synchronise them with ntpdate.
References:
http://carywu.blog.51cto.com/13185/34880/
http://www.unxmail.com/read.php?145