[Experience sharing] 1. Installing OpenVPN on CentOS 6.5
Posted 2019-1-27 07:08:47
  1. Lab topology

  2. Objective
  S1 is the OpenVPN server; C1 and C2 are OpenVPN clients. By configuring OpenVPN, C1 and C2 can reach every host on the network segment that S1 sits in.
  3. Environment
  GNS3 0.8.7, CentOS 6.5

  4. Install and configure the OpenVPN server
  4.1. Install lzo and openvpn on server S1
  [root@S1 src]# rpm -ivh lzo-2.04-3.2.i386.rpm
  warning: lzo-2.04-3.2.i386.rpm: Header V3 DSA/SHA1 Signature, key ID d164ce99: NOKEY
  Preparing...                ########################################### [100%]
  file /usr/lib/liblzo2.so.2.0.0 from install of lzo-2.04-3.2.i386 conflicts with file from package lzo-2.03-3.1.el6.i686
  [root@S1 src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm
  error: Failed dependencies:
          libcrypto.so.6 is needed by openvpn-2.1-0.20.rc4.el5.kb.i386
          libssl.so.6 is needed by openvpn-2.1-0.20.rc4.el5.kb.i386
  [root@S1 src]# yum -y install openssl098e
  [root@S1 src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm
  Preparing...                ########################################### [100%]
  1:openvpn                ########################################### [100%]
  [root@S1 src]# cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/
  [root@S1 src]# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
  4.2. Initialize the PKI
  [root@S1 src]# cd /etc/openvpn/2.0/
  [root@S1 2.0]# vim vars
  export KEY_COUNTRY="CN"
  export KEY_PROVINCE="GD"
  export KEY_CITY="SZ"
  export KEY_ORG="***"
  export KEY_EMAIL="test@163.com"
  [root@S1 2.0]# source ./vars
  NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
  [root@S1 2.0]# ./clean-all
  [root@S1 2.0]# ./build-ca
  Generating a 1024 bit RSA private key
  ..................................................++++++
  ..............................................++++++
  writing new private key to 'ca.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [CN]:
  State or Province Name (full name) [GD]:
  Locality Name (eg, city) [SZ]:
  Organization Name (eg, company) [***]:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) [*** CA]:server
  Email Address [test@163.com]:
  [root@S1 2.0]#
  4.3. Generate the server key
  [root@S1 2.0]# ./build-key-server server
  Generating a 1024 bit RSA private key
  ......................................++++++
  ...........++++++
  writing new private key to 'server.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [CN]:
  State or Province Name (full name) [GD]:
  Locality Name (eg, city) [SZ]:
  Organization Name (eg, company) [***]:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) [server]:
  Email Address [test@163.com]:
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:root123
  An optional company name []:
  Using configuration from /etc/openvpn/2.0/openssl.cnf
  Check that the request matches the signature
  Signature ok
  The Subject's Distinguished Name is as follows
  countryName           :PRINTABLE:'CN'
  stateOrProvinceName   :PRINTABLE:'GD'
  localityName          :PRINTABLE:'SZ'
  organizationName      :PRINTABLE:'***'
  commonName            :PRINTABLE:'server'
  emailAddress          :IA5STRING:'test@163.com'
  Certificate is to be certified until Sep 10 17:25:36 2025 GMT (3650 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  4.4. Generate the client keys
  [root@S1 2.0]# ./build-key C1
  Generating a 1024 bit RSA private key
  .......................++++++
  .....++++++
  writing new private key to 'C1.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [CN]:
  State or Province Name (full name) [GD]:
  Locality Name (eg, city) [SZ]:
  Organization Name (eg, company) [***]:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) [C1]:
  Email Address [test@163.com]:
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:root123
  An optional company name []:
  Using configuration from /etc/openvpn/2.0/openssl.cnf
  Check that the request matches the signature
  Signature ok
  The Subject's Distinguished Name is as follows
  countryName           :PRINTABLE:'CN'
  stateOrProvinceName   :PRINTABLE:'GD'
  localityName          :PRINTABLE:'SZ'
  organizationName      :PRINTABLE:'***'
  commonName            :PRINTABLE:'C1'
  emailAddress          :IA5STRING:'test@163.com'
  Certificate is to be certified until Sep 10 17:27:38 2025 GMT (3650 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  [root@S1 2.0]#
  [root@S1 2.0]# ./build-key C2
  Generating a 1024 bit RSA private key
  .......++++++
  ........++++++
  writing new private key to 'C2.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [CN]:
  State or Province Name (full name) [GD]:
  Locality Name (eg, city) [SZ]:
  Organization Name (eg, company) [***]:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) [C2]:
  Email Address [test@163.com]:
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:root123
  An optional company name []:
  Using configuration from /etc/openvpn/2.0/openssl.cnf
  Check that the request matches the signature
  Signature ok
  The Subject's Distinguished Name is as follows
  countryName           :PRINTABLE:'CN'
  stateOrProvinceName   :PRINTABLE:'GD'
  localityName          :PRINTABLE:'SZ'
  organizationName      :PRINTABLE:'***'
  commonName            :PRINTABLE:'C2'
  emailAddress          :IA5STRING:'test@163.com'
  Certificate is to be certified until Sep 10 17:28:16 2025 GMT (3650 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  [root@S1 2.0]#
  4.5. Generate the Diffie-Hellman parameters and create the server configuration file
  [root@S1 2.0]# ./build-dh
  Generating DH parameters, 1024 bit long safe prime, generator 2
  This is going to take a long time
  ......+...................+.............................................+................................................................+......................................+..................................................................................................................+............+....................................+......................+................+...................+..............................................++*++*++*
  [root@S1 2.0]# cd keys/
  [root@S1 keys]# cp ca.crt  server.crt  server.key  dh1024.pem  /etc/openvpn/
  4.6. Edit the server configuration file
  [root@S1 keys]# cd ../../
  [root@S1 openvpn]# vim server.conf
  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert server.crt
  key server.key
  dh dh1024.pem
  server 10.8.0.0 255.255.255.0
  client-to-client
  keepalive 10 120
  comp-lzo
  persist-key
  persist-tun
  status openvpn-status.log
  verb 4
  push "dhcp-option DNS 114.114.114.114"
  4.7. Start OpenVPN
  [root@S1 openvpn]# chkconfig openvpn on
  [root@S1 openvpn]# service openvpn restart
  Shutting down openvpn: [  OK  ]
  Starting openvpn: [  OK  ]
  [root@S1 openvpn]# ifconfig tun0
  tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
  inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
  UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:100
  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
  [root@S1 openvpn]#
  5. Install and configure the OpenVPN clients
  5.1. Client C1 installation
  [root@C1 src]# rpm -ivh lzo-2.04-3.2.i386.rpm
  warning: lzo-2.04-3.2.i386.rpm: Header V3 DSA/SHA1 Signature, key ID d164ce99: NOKEY
  Preparing...                ########################################### [100%]
  file /usr/lib/liblzo2.so.2.0.0 from install of lzo-2.04-3.2.i386 conflicts with file from package lzo-2.03-3.1.el6.i686
  [root@C1 src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm
  error: Failed dependencies:
          libcrypto.so.6 is needed by openvpn-2.1-0.20.rc4.el5.kb.i386
          libssl.so.6 is needed by openvpn-2.1-0.20.rc4.el5.kb.i386
  [root@C1 src]# yum -y install openssl098e
  [root@C1 src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm
  Preparing...                ########################################### [100%]
  1:openvpn                ########################################### [100%]
  [root@C1 src]#
  Copy the client certificate and the other files generated on server S1 into the /etc/openvpn directory.
  [root@C1 src]# cd /etc/openvpn/
  [root@C1 openvpn]# ll
  total 12
  -rw-r--r--. 1 root root 3577 Sep 13 13:56 C1.crt
  -rw-------. 1 root root  912 Sep 13 13:56 C1.key
  -rw-r--r--. 1 root root 1119 Sep 13 13:56 ca.crt
  [root@C1 openvpn]# vim client.conf
  client
  dev tun
  proto udp
  remote 8.8.8.10 1194
  persist-key
  persist-tun
  ca ca.crt
  cert C1.crt
  key C1.key
  ns-cert-type server
  comp-lzo
  verb 3
  redirect-gateway def1
  [root@C1 openvpn]# service openvpn restart
  Shutting down openvpn: [  OK  ]
  Starting openvpn: [  OK  ]
  [root@S1 openvpn]# ifconfig tun0
  tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:10.8.0.5  P-t-P:10.8.0.6  Mask:255.255.255.255
            UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
  [root@S1 openvpn]#

  5.2. Client C2 installation
  Copy the client certificate and the other files generated on server S1 into the C:\Program Files\OpenVPN\config directory, and copy the client sample config from C:\Program Files\OpenVPN\sample-config there as well.
  Edit the client file as follows:

  client
  dev tun
  proto udp
  remote 8.8.8.10 1194
  persist-key
  persist-tun
  ca ca.crt
  cert C2.crt
  key C2.key
  ns-cert-type server
  comp-lzo
  verb 4
  redirect-gateway def1
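  Several settings in the server.conf of 4.6 and the two client configs above were normal for OpenVPN 2.1 but are weak by current standards: comp-lzo turns on tunnel compression, which is what the VORACLE compression-oracle attack relies on; ns-cert-type is deprecated in favour of remote-cert-tls server; dh1024.pem is a 1024-bit DH group; there is no tls-auth or tls-crypt key, so any host can start a TLS handshake with the server; and with no cipher directive OpenVPN 2.1 falls back to BF-CBC, a 64-bit block cipher (SWEET32). The script below is an added example, not from the original post: a small audit that greps a config file for those five points. The server and client configs it writes are constructed, abbreviated copies of the ones on this page; hardened.conf is a constructed client config with the fixes applied (the tls-crypt key file ta.key is assumed to exist on a real system). It needs only a POSIX shell and grep.

```shell
#!/bin/sh
# Added example (not from the original post): audit OpenVPN 2.x config files
# for settings that are weak by current standards.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed, abbreviated copy of the server.conf shown in section 4.6
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
EOF

# Constructed, abbreviated copy of the client.conf from section 5.1
cat > "$WORK/client.conf" <<'EOF'
client
dev tun
proto udp
remote 8.8.8.10 1194
ca ca.crt
cert C1.crt
key C1.key
ns-cert-type server
comp-lzo
verb 3
EOF

# Constructed client config with the findings fixed (ta.key is assumed to exist)
cat > "$WORK/hardened.conf" <<'EOF'
client
dev tun
proto udp
remote 8.8.8.10 1194
ca ca.crt
cert C1.crt
key C1.key
remote-cert-tls server
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
verb 3
EOF

# has_directive <file> <directive>: true if an uncommented line starts with <directive>
has_directive() { grep -qE "^[[:space:]]*$2([[:space:]]|$)" "$1"; }

# audit_conf <file>: prints one finding per line; prints nothing for a clean file
audit_conf() {
  f=$1
  has_directive "$f" comp-lzo && echo "comp-lzo: tunnel compression enables VORACLE-style attacks; remove it"
  has_directive "$f" ns-cert-type && echo "ns-cert-type: deprecated; use 'remote-cert-tls server' instead"
  grep -qE '^[[:space:]]*dh[[:space:]]+.*1024' "$f" && echo "dh: 1024-bit DH parameters are too small; generate 2048-bit or larger"
  has_directive "$f" tls-auth || has_directive "$f" tls-crypt || echo "no tls-auth/tls-crypt: any host can start a TLS handshake with the server"
  has_directive "$f" cipher || echo "no cipher directive: OpenVPN 2.1 defaults to BF-CBC (64-bit blocks, SWEET32)"
  return 0
}

# count_findings <file>: number of findings, handy for scripting
count_findings() { audit_conf "$1" | wc -l | tr -d ' '; }

for c in server.conf client.conf hardened.conf; do
  echo "== $c: $(count_findings "$WORK/$c") finding(s)"
  audit_conf "$WORK/$c"
done
```

  On this page's configs the audit reports four findings for server.conf, four for client.conf and none for hardened.conf. The matching server-side changes are the same directives on the server plus dh dh2048.pem generated with a larger key size.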

  6. Fixing "no Internet access" and "only S1 reachable"
  At this point C1 and C2 have established the VPN with S1, but they cannot ping 8.8.8.20 or 8.8.8.30: they can reach neither the Internet nor any host other than S1. To fix this we need to enable IP forwarding on S1 and add the routing rule shown below.
  [root@S1 2.0]# vim /etc/rc.d/rc.local
  #!/bin/sh
  #
  # This script will be executed *after* all the other init scripts.
  # You can put your own initialization stuff in here if you don't
  # want to do the full Sys V style init stuff.
  touch /var/lock/subsys/local
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.1.1.1
  [root@S1 2.0]#
  With this, C1 and C2 can not only reach the Internet but also every host on S1's network.
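  Two things about the rc.local approach are worth knowing before relying on it: the rules it adds are not managed by the iptables service, so a later service iptables restart drops the SNAT rule while ip_forward stays on, and SNAT to 10.1.1.1 makes every VPN client look like S1 to hosts on the LAN, so LAN-side logs cannot tell C1 from C2. The script below is an added example, not from the original post: a check that reads the two pieces of state section 6 changes (the ip_forward flag and the iptables rule set) and reports what is missing. It runs here against two constructed samples; on a real S1 the inputs would be cat /proc/sys/net/ipv4/ip_forward and iptables-save redirected to files. The FORWARD-chain check reflects the stock CentOS 6 firewall, whose filter rules end the FORWARD chain with a REJECT.

```shell
#!/bin/sh
# Added example (not from the original post): check whether S1 is in a state
# to forward and NAT the VPN clients' traffic, from constructed sample state.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

VPN_NET='10.8.0.0/24'   # the 'server' subnet from server.conf

# Constructed sample 1: the state after the rc.local above has run
printf '1\n' > "$WORK/fwd_ok.txt"
cat > "$WORK/rules_ok.txt" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.1.1.1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
COMMIT
EOF

# Constructed sample 2: rc.local did not run and the stock CentOS 6 filter rules are loaded
printf '0\n' > "$WORK/fwd_bad.txt"
cat > "$WORK/rules_bad.txt" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# check_forwarding <ip_forward file> <iptables-save file>
# prints one line per problem found, or "ok" when the host can forward and NAT VPN_NET
check_forwarding() {
  fwd=$1; rules=$2; problems=0
  if [ "$(cat "$fwd")" != 1 ]; then
    echo "ip_forward is 0: packets from the clients are not forwarded at all"
    problems=$((problems + 1))
  fi
  if ! grep -qE "^-A POSTROUTING -s ${VPN_NET} .*-j (SNAT|MASQUERADE)" "$rules"; then
    echo "no SNAT/MASQUERADE rule for ${VPN_NET}: LAN hosts have no return route to the clients"
    problems=$((problems + 1))
  fi
  if grep -qE '^-A FORWARD .*-j REJECT' "$rules" && ! grep -qE "^-A FORWARD -s ${VPN_NET} .*-j ACCEPT" "$rules"; then
    echo "FORWARD chain rejects and has no ACCEPT for ${VPN_NET}: forwarded packets are dropped"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ] && echo ok
  return 0
}

echo "sample 1:"; check_forwarding "$WORK/fwd_ok.txt"  "$WORK/rules_ok.txt"    # ok
echo "sample 2:"; check_forwarding "$WORK/fwd_bad.txt" "$WORK/rules_bad.txt"   # three problems
```

  The second sample is the symptom described at the start of section 6 with one extra cause added, the stock FORWARD REJECT rule; if that rule is present on S1, an -A FORWARD -s 10.8.0.0/24 -j ACCEPT inserted before it is needed in addition to the SNAT line, and putting both into /etc/sysconfig/iptables rather than rc.local keeps them across a firewall restart.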




Thread URL: https://www.yunweiku.com/thread-667992-1-1.html