Install Open*** on Ubuntu 12.04.4 Server
A UDP 1194 port mapping must be created on the external firewall.
Open*** version: 2.2.1-8ubuntu1.2
On Open*** Server:
1. aptitude update
aptitude -y install open*** lzop
2. cp -r /usr/share/doc/open***/examples/easy-rsa/2.0/* /etc/open***/easy-rsa/
cp /usr/share/doc/open***/examples/sample-config-files/server.conf.gz /etc/open***
gzip -d server.conf.gz
3. vi /etc/open***/easy-rsa/vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="SH"
export KEY_ORG="GKY"
export KEY_EMAIL="me@gkytech.com"
export KEY_EMAIL=me@gkytech.com
export KEY_CN=CN
export KEY_NAME=GKY
export KEY_OU=GKY
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
4. cd /etc/open***/easy-rsa/
source vars
./clean-all
./build-ca
./build-key-server server # you specify the server name
./build-dh
cd keys/
cp server.crt server.key ca.crt dh1024.pem /etc/open***/
5. build client certificates:
cd /etc/open***/easy-rsa/
source vars
./build-key client1
6. vi /etc/open***/server.conf
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
max-clients 60 # (255/4-4)=60
user nobody
group nogroup
cipher none # disable encryption
log open***.log
verb 4
push "ip-win32 dynamic 0 3600" # changes the DHCP lease time for Windows clients; 3600 is the lease time in seconds
service open*** start
netstat -ltunp | grep 1194
Assign a fixed IP to a client:
mkdir /etc/open***/ccd
vi /etc/open***/server.conf
client-config-dir ccd
route 10.8.0.4 255.255.255.252
vi /etc/open***/ccd/client1 # this file name must match the client name used with build-key
ifconfig-push 10.8.0.5 10.8.0.6
service open*** restart
Notes: the client subnet must start at 0, 4, 8, 12, ... and use netmask 255.255.255.252.
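The 0,4,8,12 rule above comes from the net30 topology, the default for the Open*** 2.2 server on this page: each client gets an aligned /30, with the client address at base+1 and the server endpoint at base+2. The script below is an added example, not part of the original post; it assumes the page's "server 10.8.0.0 255.255.255.0" pool, generates the route/ifconfig-push pair for the n-th client, and checks a hand-written pair against those rules.

```python
# Added example (not from the original post). Assumes the net30 topology and
# the page's 10.8.0.0/24 pool, whose first /30 belongs to the server itself.
import ipaddress

POOL = ipaddress.ip_network("10.8.0.0/24")

def net30_block(n):
    """Return the n-th client /30 (n=1 is the first block after the server's own)."""
    base = int(POOL.network_address) + 4 * n
    return ipaddress.ip_network(f"{ipaddress.ip_address(base)}/30")

def ccd_lines(n):
    """Lines for client n: the server.conf route and the ccd ifconfig-push."""
    blk = net30_block(n)
    client, endpoint = list(blk.hosts())  # base+1 (client), base+2 (server endpoint)
    route = f"route {blk.network_address} {blk.netmask}"
    push = f"ifconfig-push {client} {endpoint}"
    return route, push

def validate_ifconfig_push(client_ip, endpoint_ip):
    """Check a hand-written ifconfig-push pair against the net30 rules.
    Returns (ok, reason); on success the reason is the matching route line."""
    c = ipaddress.ip_address(client_ip)
    e = ipaddress.ip_address(endpoint_ip)
    if c not in POOL or e not in POOL:
        return False, "address outside the server pool"
    base = int(c) & ~3  # aligned /30 boundary: 0, 4, 8, 12, ...
    if base == int(POOL.network_address):
        return False, "first /30 is reserved for the server (10.8.0.1/10.8.0.2)"
    if int(c) != base + 1 or int(e) != base + 2:
        return False, "client must be base+1 and endpoint base+2 of an aligned /30"
    return True, f"route {ipaddress.ip_address(base)} 255.255.255.252"

if __name__ == "__main__":
    print(*ccd_lines(1), sep="\n")
    print(validate_ifconfig_push("10.8.0.6", "10.8.0.7"))
```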
On Ubuntu 12.04 Client:
1. aptitude update
aptitude -y install open*** lzop
2. cp /usr/share/doc/open***/examples/sample-config-files/client.conf /etc/open***/
copy the files below from the *** server to the client's /etc/open***
/etc/open***/ca.crt
/etc/open***/easy-rsa/keys/client1.crt
/etc/open***/easy-rsa/keys/client1.key
3. vi /etc/open***/client.conf
client
remote 192.168.1.29 1194 # public open*** server ip
user nobody
group nogroup
ca ca.crt
cert client1.crt
key client1.key
cipher none # disable encryption
verb 4
service open*** start
netstat -rn
On Windows 8.1 64bit:
1. Download open***-install-2.3.4-I602-x86_64.exe from http://swupdate.open***.org/community/releases/
Install it with "run as administrator", all with default settings
2. copy the files below from the *** server to the client's C:\Program Files\Open***\config
/etc/open***/ca.crt
/etc/open***/easy-rsa/keys/win8.crt
/etc/open***/easy-rsa/keys/win8.key
copy C:\Program Files\Open***\sample-config\client.o*** to C:\Program Files\Open***\config\win8.o***
edit C:\Program Files\Open***\config\win8.o***
client
remote 192.168.1.29 1194 # public open*** server ip
ca ca.crt
cert win8.crt
key win8.key
cipher none # disable encryption
verb 4
3. run Open*** GUI with "run as administrator"
or
*** setup, route all traffic through the *** server:
on client:
vi /etc/open***/client.conf
redirect-gateway def1
# the two lines below are for non-win32 platforms only
up /etc/open***/update-resolv-conf
down /etc/open***/update-resolv-conf
service open*** restart or reboot
on open*** server:
vi /etc/open***/server.conf
push "redirect-gateway local bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
vi /etc/rc.local
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service open*** restart
References:
Case 1: server and client are on the same network (no other router in between, same broadcast domain)
Add push "redirect-gateway local def1 bypass-dhcp bypass-dns" to the server configuration file.
In this case, without the local keyword the client cannot ping the server.
Case 2: server and client are not on the same network (another router in between, different broadcast domains)
Add push "redirect-gateway def1 bypass-dhcp bypass-dns" to the server configuration file.
Below is the official Open*** documentation:
--redirect-gateway flags...
(Experimental) Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the ***.
This option performs three steps:
(1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.
(2) Delete the default gateway route.
(3) Set the new default gateway to be the *** endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
When the tunnel is torn down, all of the above steps are reversed so that the original default route is restored.
Option flags:
local -- Add the local flag if both Open*** servers are directly connected via a common subnet, such as with wireless. The local flag will cause step 1 above to be omitted.
def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
bypass-dhcp -- Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
bypass-dns -- Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
Using the def1 flag is highly recommended.
Setting up username/password login:
Create a user on the Open*** server:
useradd -M -s /bin/false username
passwd username
vi /etc/open***/server.conf
# add below two lines for username/password login
client-cert-not-required
plugin /usr/lib/open***/open***-plugin-auth-pam.so login
service open*** restart
Linux User:
vi /etc/open***/client.conf
# add below line to use username/password login
auth-user-pass
auth-nocache
ca ca.crt
# cert client1.crt
# key client1.key
service open*** restart
Windows User:
edit C:\Program Files\Open***\config\win8.o***
auth-user-pass
auth-nocache
ca ca.crt
# cert win8.crt
# key win8.key
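Two settings on this page weaken the tunnel from a defender's point of view: "cipher none" in the server and client configs sends all traffic in the clear, and "client-cert-not-required" in the username/password section drops the client certificate so that a password alone opens the tunnel. The review script below is an added example, not part of the original post; it parses a server.conf (the sample is constructed from the directives shown on this page) and reports those settings together with a 1024-bit dh file (judged from the file name, which is a heuristic) and a missing tls-auth.

```python
# Added example (not from the original post): review an Open*** server.conf
# for the weak settings used on this page. SAMPLE_SERVER_CONF is constructed
# from the page's directives; the dh bit-size check only reads the file name.
import re

SAMPLE_SERVER_CONF = """\
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
max-clients 60
user nobody
group nogroup
cipher none # disable encryption
client-cert-not-required
plugin /usr/lib/open***/open***-plugin-auth-pam.so login
"""

def parse_conf(text):
    """Yield (directive, args) for active lines; '#' and ';' start comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        yield parts[0], parts[1:]

def review_server_conf(text):
    """Return a list of findings, one per weak setting; empty means nothing flagged."""
    seen = {}
    for directive, args in parse_conf(text):
        seen.setdefault(directive, []).append(args)
    findings = []
    if ["none"] in seen.get("cipher", []):
        findings.append("cipher none: tunnel traffic is unencrypted; set a real cipher such as AES-256-CBC on server and clients")
    if "client-cert-not-required" in seen:
        findings.append("client-cert-not-required: a password alone opens the tunnel; keep client certificates and use auth-user-pass on top")
    for args in seen.get("dh", []):
        bits = re.search(r"(\d+)", args[0]) if args else None
        if bits and int(bits.group(1)) < 2048:
            findings.append(f"dh {args[0]}: {bits.group(1)}-bit DH parameters (by file name); generate 2048-bit or larger")
    if "tls-auth" not in seen:
        findings.append("no tls-auth: control channel is not HMAC-protected; add tls-auth ta.key 0 (1 on clients)")
    return findings

if __name__ == "__main__":
    for finding in review_server_conf(SAMPLE_SERVER_CONF):
        print("-", finding)
```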