[Experience sharing] Install OpenVPN on Ubuntu 12.04.4 Server
Posted 2018-10-19 07:39:25
  A UDP 1194 port mapping to this host is needed on the external firewall.
  OpenVPN version: 2.2.1-8ubuntu1.2 (the Ubuntu 12.04 package)
  On the OpenVPN server:
  1. aptitude update
  aptitude -y install openvpn lzop
  2. mkdir -p /etc/openvpn/easy-rsa   # the target directory does not exist yet
  cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
  cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
  gzip -d /etc/openvpn/server.conf.gz
  3. vi /etc/openvpn/easy-rsa/vars
  export KEY_COUNTRY="CN"
  export KEY_PROVINCE="SH"
  export KEY_CITY="SH"
  export KEY_ORG="GKY"
  export KEY_EMAIL="me@gkytech.com"
  export KEY_CN=CN
  export KEY_NAME=GKY
  export KEY_OU=GKY
  export PKCS11_MODULE_PATH=changeme
  export PKCS11_PIN=1234
  These values only fill in the certificate subject; the two PKCS11 lines are the file's defaults and are unused unless keys live on a token. easy-rsa 2.0 also defaults to KEY_SIZE=1024, which is why step 4 produces dh1024.pem; 1024-bit RSA and DH are below current recommendations, so raise KEY_SIZE to 2048 here (and reference dh2048.pem in server.conf) if your clients allow it.
  4. cd /etc/openvpn/easy-rsa/
  source vars
  ./clean-all      # wipes keys/, so run it only once, before build-ca
  ./build-ca
  ./build-key-server server  # "server" is both the Common Name and the file name of the server cert/key
  ./build-dh
  cd keys/
  cp server.crt server.key ca.crt dh1024.pem /etc/openvpn/
  ca.key stays in /etc/openvpn/easy-rsa/keys/ and is never copied anywhere: whoever holds it can issue certificates the server trusts.
  5. Build client certificates (one per client; the name you give here is reused for the ccd file below and for the Windows client, e.g. ./build-key win8):
  cd /etc/openvpn/easy-rsa/
  source vars
  ./build-key client1
  6. vi /etc/openvpn/server.conf
  ca ca.crt
  cert server.crt
  key server.key
  dh dh1024.pem
  server 10.8.0.0 255.255.255.0
  ;ifconfig-pool-persist ipp.txt
  max-clients 60  # the default net30 topology spends one /30 of the /24 per client, which is where the author's (255/4-4)=60 comes from
  user nobody
  group nogroup
  cipher none # disables data-channel encryption: tunnel payload crosses the network in cleartext and only the TLS control channel is protected. Remove the line (the built-in default is BF-CBC, a 64-bit block cipher, weak but not nothing) or set e.g. cipher AES-256-CBC unless cleartext is really what you want
  log  openvpn.log
  verb 4
  push "ip-win32 dynamic 0 3600" # sets the DHCP lease time Windows clients see on the TAP adapter; 3600 is the lease in seconds
  service openvpn start
  netstat -ltunp | grep 1194
  Give a client a fixed IP:
  mkdir /etc/openvpn/ccd
  vi /etc/openvpn/server.conf
  client-config-dir ccd
  route 10.8.0.4 255.255.255.252
  vi /etc/openvpn/ccd/client1  # the file name must match the Common Name used with build-key; the address is therefore bound to that certificate
  ifconfig-push 10.8.0.5 10.8.0.6
  service openvpn restart
  Note: in the default net30 topology each client occupies a /30 (mask 255.255.255.252) whose network address is a multiple of 4 (0, 4, 8, 12, ...); the client takes the second address of the block and the server-side endpoint the third, so 10.8.0.4/30 gives the pair 10.8.0.5 10.8.0.6, and the 10.8.0.0/30 block belongs to the server itself.
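  The net30 rule above is easy to get wrong by hand, so here is an added helper (not code from the original post) that computes the valid ifconfig-push pair for the n-th client and validates an existing ccd line before the server is restarted. It assumes the 10.8.0.0/24 subnet from server.conf and that the first /30 is the server's own; both are assumptions taken from the post's configuration, not checked against a live server.

```python
"""Added example (not code from the original post): compute and check the
ifconfig-push pairs that OpenVPN's default 'net30' topology expects, so a
ccd/<client> file never hands out an address the server will refuse.

Assumptions not stated on the page: the VPN subnet is 10.8.0.0/24 (the
'server 10.8.0.0 255.255.255.0' line) and the first /30 is the server's own.
"""
import ipaddress

VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # from 'server 10.8.0.0 255.255.255.0'
NET_BASE = int(VPN_NET.network_address)
NET_LAST = int(VPN_NET.broadcast_address)


def net30_pair(index):
    """Return (client_ip, server_endpoint) for the index-th client /30 block.

    net30 carves the /24 into /30 blocks at offsets 0, 4, 8, 12, ...; block 0
    is taken by the server (10.8.0.1/10.8.0.2), so clients start at block 1.
    The client gets the 2nd address of its block and the server-side endpoint
    the 3rd: block 1 -> ('10.8.0.5', '10.8.0.6'), exactly the post's example.
    """
    if index < 1:
        raise ValueError("block 0 is reserved for the server")
    base = NET_BASE + 4 * index
    if base + 3 > NET_LAST:
        raise ValueError("block %d does not fit in %s" % (index, VPN_NET))
    return str(ipaddress.ip_address(base + 1)), str(ipaddress.ip_address(base + 2))


def validate_ifconfig_push(line):
    """Check one 'ifconfig-push <client> <endpoint>' line against the net30 rules.

    Returns (ok, reason) so a deploy script can refuse a bad ccd file up front
    instead of discovering the problem when the client connects.
    """
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return False, "expected 'ifconfig-push <client> <endpoint>'"
    try:
        client = int(ipaddress.ip_address(parts[1]))
        endpoint = int(ipaddress.ip_address(parts[2]))
    except ValueError as exc:
        return False, "bad address: %s" % exc
    if not (NET_BASE <= client <= NET_LAST and NET_BASE <= endpoint <= NET_LAST):
        return False, "addresses must lie inside %s" % VPN_NET
    offset = client - NET_BASE
    if offset % 4 != 1:
        return False, "%s is not the 2nd address of a /30 block (.1, .5, .9, ...)" % parts[1]
    if endpoint != client + 1:
        return False, "endpoint must be %s" % ipaddress.ip_address(client + 1)
    if offset < 4:
        return False, "%s/30 is the server's own block" % VPN_NET.network_address
    return True, "ok"


def ccd_file(client_name, index):
    """Return the contents of ccd/<client_name> (the name must equal the cert CN)."""
    client, endpoint = net30_pair(index)
    return "# %s: net30 block %d of %s\nifconfig-push %s %s\n" % (
        client_name, index, VPN_NET, client, endpoint)


if __name__ == "__main__":
    print(ccd_file("client1", 1), end="")
    for sample in ("ifconfig-push 10.8.0.5 10.8.0.6",   # the post's pair: valid
                   "ifconfig-push 10.8.0.7 10.8.0.8",   # straddles two /30s: refused
                   "ifconfig-push 10.8.0.1 10.8.0.2"):  # server's block: refused
        print(sample, "->", validate_ifconfig_push(sample))
```

  Run it on the server before `service openvpn restart`; a pair that fails validate_ifconfig_push is exactly the "must use 0, 4, 8, 12 ... with mask 252" mistake the note warns about.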
  On an Ubuntu 12.04 client:
  1. aptitude update
  aptitude -y install openvpn lzop
  2. cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
  Copy these files from the VPN server into /etc/openvpn on the client (with scp or similar; client1.key is the client's private key, so keep it mode 600 and never send it in the clear):
  /etc/openvpn/ca.crt
  /etc/openvpn/easy-rsa/keys/client1.crt
  /etc/openvpn/easy-rsa/keys/client1.key
  3. vi /etc/openvpn/client.conf
  client
  remote 192.168.1.29 1194 # public IP of the OpenVPN server
  user nobody
  group nogroup
  ca ca.crt
  cert client1.crt
  key client1.key
  cipher none # must match the server; it disables encryption on this side too
  verb 4
  service openvpn start
  netstat -rn   # a 10.8.0.0/24 route via the tun interface confirms the tunnel is up
  On Windows 8.1 64-bit:
  1. Download openvpn-install-2.3.4-I602-x86_64.exe from http://swupdate.openvpn.org/community/releases/
  Install it with "run as administrator", all with default settings.
  2. Copy these files from the VPN server to C:\Program Files\OpenVPN\config on the client (win8.crt and win8.key come from ./build-key win8 in step 5; the .key file is the client's secret):
  /etc/openvpn/ca.crt
  /etc/openvpn/easy-rsa/keys/win8.crt
  /etc/openvpn/easy-rsa/keys/win8.key
  copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config\win8.ovpn
  edit C:\Program Files\OpenVPN\config\win8.ovpn
  client
  remote 192.168.1.29 1194 # public IP of the OpenVPN server
  ca ca.crt
  cert win8.crt
  key win8.key
  cipher none # must match the server; disables encryption
  verb 4
  3. Run OpenVPN GUI with "run as administrator" (this version needs admin rights to add routes to the TAP adapter) and connect the win8 profile.
  VPN setting: send all traffic through the VPN server.
  On the client:
  vi /etc/openvpn/client.conf
  redirect-gateway def1
  # the next two lines are for non-win32 platforms only
  up /etc/openvpn/update-resolv-conf
  down /etc/openvpn/update-resolv-conf
  (With OpenVPN 2.1 and later these user scripts only run if the config also permits them with script-security 2.)
  service openvpn restart, or reboot
  On the OpenVPN server:
  vi /etc/openvpn/server.conf
  push "redirect-gateway local bypass-dhcp"   # see the reference below: 'local' is only correct when client and server share a subnet, and def1 is the recommended form
  push "dhcp-option DNS 223.5.5.5"
  vi /etc/sysctl.conf
  net.ipv4.ip_forward = 1
  sysctl -p
  vi /etc/rc.local
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE   # NAT the tunnel subnet out of eth0 at boot; run it once by hand now as well
  service openvpn restart
  ip_forward=1 makes the host route between all of its interfaces, not only for the tunnel, so restrict what may be forwarded with FORWARD rules if the server has more than one network behind it.
  Reference:
  Case 1: server and client are on the same network (no other router in between, same broadcast domain).
  Add to the server config: push "redirect-gateway local def1 bypass-dhcp bypass-dns"
  In this case, if the local keyword is missing, the client cannot ping the server.
  Case 2: server and client are on different networks (another router in between, different broadcast domains).
  Add to the server config: push "redirect-gateway def1 bypass-dhcp bypass-dns"
  Below is the official OpenVPN description (from the man page):
  --redirect-gateway flags...
  (Experimental) Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN.
  This option performs three steps:
  (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.
  (2) Delete the default gateway route.
  (3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
  When the tunnel is torn down, all of the above steps are reversed so that the original default route is restored.
  Option flags:
  local -- Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. The local flag will cause step 1 above to be omitted.
  def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
  bypass-dhcp -- Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
  bypass-dns -- Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).
  Using the def1 flag is highly recommended.
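  To make the three steps and the case 1 / case 2 split concrete, here is an added example (not from the post and not from the OpenVPN manual): a toy longest-prefix-match routing table on which the redirect-gateway steps are replayed. The addresses are constructed sample data, not captured routes: the LAN gateway 192.168.1.1, the post's server address 192.168.1.29 for the same-subnet case, 203.0.113.10 for the remote-network case, and 10.8.0.6 as the tunnel's server-side endpoint (the second ifconfig address in the net30 pair above).

```python
"""Added example (not from the original post nor the OpenVPN manual): a toy
longest-prefix-match routing table that replays the three --redirect-gateway
steps quoted above, to show why 'def1' overrides the default route without
deleting it and why the 'local' flag matters when the server is on the same
subnet (the case 1 / case 2 split above).

Constructed sample data, not captured routes: the client's LAN gateway is
192.168.1.1, the VPN server is 192.168.1.29 (the post's 'remote' address) or
203.0.113.10 for the remote-network case, and the tunnel's server-side
endpoint is 10.8.0.6 (the second --ifconfig argument in the net30 pair above).
"""
import ipaddress

LAN_GW = "192.168.1.1"
VPN_GW = "10.8.0.6"
ON_LINK = "on-link"  # directly connected, no gateway

# Client's table before OpenVPN touches it: default via the LAN router,
# the LAN itself, and the tun interface's /30 once the tunnel is up.
BASE_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), LAN_GW),
    (ipaddress.ip_network("192.168.1.0/24"), ON_LINK),
    (ipaddress.ip_network("10.8.0.4/30"), ON_LINK),
]


def lookup(table, dst):
    """Longest-prefix match: return the gateway of the most specific route
    covering dst, or None if nothing matches (no default route at all)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gateway)
    return None if best is None else best[1]


def redirect_gateway(table, flags, remote, vpn_gw):
    """Apply --redirect-gateway with the given flags to a copy of table.

    Follows the manual's steps: (1) a host route for --remote via the old
    default gateway, skipped with 'local'; (2) delete 0.0.0.0/0, skipped with
    'def1'; (3) make vpn_gw the default, as 0.0.0.0/1 + 128.0.0.0/1 with
    'def1' (more specific than /0, so they win without removing it) or as a
    plain 0.0.0.0/0 otherwise.
    """
    table = list(table)
    defaults = [gw for prefix, gw in table if prefix.prefixlen == 0]
    old_gw = defaults[0] if defaults else None
    if "local" not in flags and old_gw is not None:                  # step 1
        table.append((ipaddress.ip_network(remote + "/32"), old_gw))
    if "def1" in flags:                                               # step 3, def1 form
        table.append((ipaddress.ip_network("0.0.0.0/1"), vpn_gw))
        table.append((ipaddress.ip_network("128.0.0.0/1"), vpn_gw))
    else:                                                             # steps 2 and 3
        table = [r for r in table if r[0].prefixlen != 0]
        table.append((ipaddress.ip_network("0.0.0.0/0"), vpn_gw))
    return table


def where_to(table, dsts):
    """Map each destination to the gateway lookup() picks, for quick comparison."""
    return {dst: lookup(table, dst) for dst in dsts}


if __name__ == "__main__":
    probes = ("8.8.8.8", "203.0.113.10", "192.168.1.29", "192.168.1.50")
    # Case 2: server on another network. Step 1's host route keeps the tunnel's
    # own packets off the tunnel; everything else now goes to VPN_GW.
    print("remote net, def1 :", where_to(redirect_gateway(BASE_TABLE, {"def1"}, "203.0.113.10", VPN_GW), probes))
    # Case 1 without 'local': the /32 host route sends server-bound packets to
    # the LAN router instead of straight onto the shared subnet.
    print("same net, def1   :", where_to(redirect_gateway(BASE_TABLE, {"def1"}, "192.168.1.29", VPN_GW), probes))
    # Case 1 with 'local': step 1 is skipped and the on-link /24 still wins.
    print("same net, local  :", where_to(redirect_gateway(BASE_TABLE, {"local", "def1"}, "192.168.1.29", VPN_GW), probes))
```

  The def1 table keeps the original 0.0.0.0/0 via 192.168.1.1 underneath the two /1 routes, which is why a crashed client that never ran its "down" phase still has a usable default route; without def1 the original default is gone until it is restored by hand.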
  Use username and password login:
  Create the user on the OpenVPN server (a system account with no home directory and no shell, usable only through PAM):
  useradd -M -s /bin/false username
  passwd username
  vi /etc/openvpn/server.conf
  # add the next two lines for username/password login
  client-cert-not-required
  plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
  service openvpn restart
  client-cert-not-required means the server no longer asks clients for a certificate at all: anyone who obtains the username and password can connect, so the account's password strength is the whole authentication. Leaving that line out keeps the certificate check and adds the password on top of it.
  Linux user:
  vi /etc/openvpn/client.conf
  # add the next lines to use username/password login; auth-nocache stops the client from keeping the password in memory for reconnects
  auth-user-pass
  auth-nocache
  ca ca.crt
  # cert client1.crt
  # key client1.key
  service openvpn restart
  Windows user:
  edit C:\Program Files\OpenVPN\config\win8.ovpn
  auth-user-pass
  auth-nocache
  ca ca.crt
  # cert win8.crt
  # key win8.key
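  Between step 6 (cipher none, dh1024.pem, no tls-auth) and the username/password section (client-cert-not-required), the server.conf this post ends up with has several settings a reviewer would flag. The following is an added example, not part of the original post: a small audit that reads a config in the post's format, reports those settings, and writes a hardened copy. The sample config is constructed from the post's own directives; the replacement values (AES-256-CBC, auth SHA256, dh2048.pem, tls-auth ta.key) are this example's suggestions, not something the post configures, and the comment handling mirrors the post's inline "# ..." notes.

```python
"""Added example (not part of the original post): audit a server.conf built
from step 6 and from the username/password section for the settings a
reviewer would question, and emit a hardened copy. The sample config is
constructed from the post's own directives; the replacements (AES-256-CBC,
auth SHA256, dh2048.pem, tls-auth ta.key) are this example's suggestions,
not something the post configures.
"""
import re

# Constructed from the post's server.conf plus the two username/password lines.
SAMPLE_SERVER_CONF = """\
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
max-clients 60
user nobody
group nogroup
cipher none
log openvpn.log
verb 4
push "ip-win32 dynamic 0 3600"
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
"""


def parse(text):
    """Yield (directive, argument-string) per line; '#' and ';' start comments
    (assumed to behave like the post's own inline '# ...' notes)."""
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            parts = line.split(None, 1)
            yield parts[0], parts[1] if len(parts) > 1 else ""


def audit(text):
    """Return (severity, message) findings for the weak settings in text."""
    opts = {}
    for directive, args in parse(text):
        opts.setdefault(directive, []).append(args)
    findings = []
    if opts.get("cipher", [""])[0].lower() == "none":
        findings.append(("HIGH", "cipher none: data channel is sent in cleartext; "
                                 "only the TLS control channel is protected"))
    dh = opts.get("dh", [""])[0]
    bits = re.search(r"(\d+)", dh)
    if bits and int(bits.group(1)) < 2048:
        findings.append(("MEDIUM", "dh %s: %s-bit DH parameters, 2048 is the floor" % (dh, bits.group(1))))
    if "client-cert-not-required" in opts:
        findings.append(("HIGH", "client-cert-not-required: no client certificate is checked, "
                                 "so any account the PAM 'login' service accepts can connect"))
    if "tls-auth" not in opts:
        findings.append(("MEDIUM", "no tls-auth: control-channel packets are not HMAC-checked "
                                   "before the TLS handshake, so the port talks to anyone"))
    if "user" not in opts or "group" not in opts:
        findings.append(("LOW", "no user/group: the daemon keeps root after initialisation"))
    return findings


def harden(text):
    """Rewrite the weak lines and append tls-auth; explanations go on their own
    comment lines so the result stays valid whatever a parser does with trailing '#'."""
    out = []
    for raw in text.splitlines():
        directive = raw.split(None, 1)[0] if raw.strip() else ""
        bits = re.search(r"(\d+)", raw) if directive == "dh" else None
        if directive == "cipher" and raw.split()[1:2] == ["none"]:
            out += ["# was: cipher none", "cipher AES-256-CBC", "auth SHA256"]
        elif directive == "dh" and bits and int(bits.group(1)) < 2048:
            out += ["# was: " + raw + " (set KEY_SIZE=2048 in easy-rsa vars, rerun ./build-dh)",
                    "dh dh2048.pem"]
        elif directive == "client-cert-not-required":
            out += ["# removed: client-cert-not-required (certificate AND password are now required)"]
        else:
            out.append(raw)
    if "tls-auth" not in dict(parse(text)):
        out += ["# generate once: openvpn --genkey --secret ta.key; clients use 'tls-auth ta.key 1'",
                "tls-auth ta.key 0"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SERVER_CONF):
        print(severity, message)
    print(harden(SAMPLE_SERVER_CONF))
```

  The clients have to follow the hardened server: the same cipher and auth lines, tls-auth ta.key 1 with a copy of ta.key, and, a suggestion of this example rather than the post's, remote-cert-tls server so that a stolen client certificate cannot be used to impersonate the server to other clients.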


Post URL: https://www.yunweiku.com/thread-623351-1-1.html