OpenVPN 是一个基于 OpenSSL 库的应用层 VPN 实现。和传统 VPN 相比,它的优点是简单易用。[1]
OpenVPN 允许参与建立 VPN 的单点使用共享密钥、电子证书,或者用户名/密码来进行身份验证。它大量使用了 OpenSSL 加密库中的 SSLv3/TLSv1 协议函数库。OpenVPN 能在 Solaris、Linux、OpenBSD、FreeBSD、NetBSD、Mac OS X 与 Windows 2000/XP/Vista 上运行,并包含了许多安全性的功能。它并不是一个基于 Web 的 VPN 软件,也不与 IPsec 及其他 VPN 软件包兼容。
实验环境
centos6.5_x64
openvpn_server eth0 xx.xx.xx.xx(公网IP) eth1 192.168.10.11
openvpn_client eth0 192.168.10.12
实验软件
openssl lzo openvpn easy-rsa
软件安装
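# Install OpenVPN, the LZO compression library, easy-rsa (the 2.x scripts are used
# below) and PAM. The original page masks "vpn" as "***"; the package names are
# restored here. Globs are quoted so yum, not the shell, expands them (an unquoted
# "lzo*" would match files in the current directory first).
yum install -y openssl 'lzo*' openvpn 'easy-rsa*' pam pam-devel
# Keep a pristine copy of the easy-rsa defaults before editing them. The page
# listed this command twice, once with the space after "cp" lost; one copy is enough.
cp -p -- /usr/share/easy-rsa/2.0/vars /usr/share/easy-rsa/2.0/vars.bak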
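# Edit the easy-rsa defaults that build-ca / build-key-server / build-key use for
# the certificate subject. The lines below are the values to set in
# /usr/share/easy-rsa/2.0/vars (the page's trailing note: "this is the edited
# configuration"). That note must not stay on the export line itself: bash
# would try to export a second, non-ASCII variable name and fail.
vim /usr/share/easy-rsa/2.0/vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Beijing"
export KEY_CITY="Beijing"
export KEY_ORG="MyOrganization"
# The address is redacted on the source page; put a real contact here.
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"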
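# The easy-rsa 2.x scripts and "source vars" use relative paths, so they must be
# run from the easy-rsa directory; the page omits the cd.
cd /usr/share/easy-rsa/2.0 || exit 1
source vars
# clean-all wipes keys/ entirely -- run it only when starting a fresh PKI.
./clean-all
./build-ca                    # CA private key + certificate
./build-key-server server     # server certificate, CN "server"
./build-key client            # one client certificate, CN "client"
# build-dh writes keys/dh<size>.pem; the page's later copy names dh2048.pem, so
# that is the file server.conf must reference (not dh1024.pem).
./build-dh
# Static HMAC key for tls-auth. The server needs it in server.conf (direction 0)
# and the client needs the same file (direction 1); generating it alone does nothing.
openvpn --genkey --secret keys/ta.key
mkdir -p /etc/openvpn/keys
# Copy with explicit names (the page's brace expansion had lost its spaces).
cp -- keys/ca.crt keys/server.crt keys/server.key keys/dh2048.pem keys/ta.key /etc/openvpn/keys/
# Private material should not be world-readable; OpenVPN reads these as root
# before dropping to "user nobody" (persist-key).
chmod 600 /etc/openvpn/keys/server.key /etc/openvpn/keys/ta.key
cp -- /usr/share/doc/openvpn-2.3.12/sample/sample-config-files/server.conf /etc/openvpn/
touch /etc/openvpn/openvpn-status.log /etc/openvpn/openvpn.log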
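cp -p -- /etc/sysctl.conf /etc/sysctl.conf.bak
# Enable IPv4 forwarding so traffic can move between tun0 and eth0/eth1 (the
# page's note: "open dual-NIC routing/forwarding"). Anchored and with the dots
# escaped; the substitution is silently a no-op if the line is absent or spaced
# differently, so the live value is checked afterwards.
sed -i 's/^net\.ipv4\.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
sysctl -p
sysctl net.ipv4.ip_forward
# Forwarding alone does not give clients a path to 192.168.10.0/24: hosts there
# need a route back to 10.8.0.0/24, or the server needs NAT on eth1. Neither is
# shown on this page, nor is opening udp/1194 in the host firewall.
vim /etc/openvpn/server.conf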
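port 1194
proto udp
dev tun
# Paths must match where the files were actually copied (/etc/openvpn/keys/)
# and the DH file build-dh produced (dh2048.pem). The page's values pointed at
# /etc/openvpn/*.crt and dh1024.pem, which do not exist after the steps above,
# so the server would fail to start.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
# ta.key was generated and copied but never referenced. Without this line the
# HMAC protection on the control channel is not in effect. 0 = server side;
# clients use the same key with direction 1.
tls-auth /etc/openvpn/keys/ta.key 0
# Virtual subnet handed to clients; the server takes 10.8.0.1.
server 10.8.0.0 255.255.255.0
keepalive 10 120
# Compressing VPN payload next to attacker-influenced plaintext can leak
# information; newer OpenVPN releases discourage comp-lzo. Keep it only if the
# clients require it, and match the client setting.
comp-lzo
user nobody
group nobody
persist-key
persist-tun
# Absolute path, matching the file created with touch. It was created as root;
# if the daemon cannot update it after dropping to nobody, adjust ownership.
status /etc/openvpn/openvpn-status.log
# The page created openvpn.log but its config never wrote to it.
log-append /etc/openvpn/openvpn.log
verb 3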
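# Start the server. The page runs /usr/local/openvpn/sbin/openvpn with a trailing
# "&"; that path suggests a source build, whereas the yum install above puts the
# binary on PATH. --daemon detaches properly instead of relying on "&".
openvpn --daemon --config /etc/openvpn/server.conf
# Verify: listening socket, the process running as the dropped-privilege user,
# and the tun address. Expected output (PIDs will differ):
netstat -tuplna | grep openvpn
#   udp  0  0 0.0.0.0:1194  0.0.0.0:*  12195/openvpn
# The bracket trick keeps the grep process itself out of the listing.
ps -ef | grep '[o]penvpn'
#   nobody  12195  12100  0 16:50 pts/1  00:00:00 openvpn --config /etc/openvpn/server.conf
ip addr | grep tun0
#   inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0   (server's virtual IP)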