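Note: before installing open***, first confirm that the tun device is available on your VPS (on many OpenVZ VPSes you have to contact support to have it enabled); otherwise open*** cannot start.
Run as root: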
[root@s9 ~]# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
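Only this output is correct. If you see
cat: /dev/net/tun: No such file or directory
or
cat: /dev/net/tun: Permission denied
then the TUN device is not working and Open××× cannot be installed.
Step 1: Download the required packages:
Official downloads: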
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
wget http://swupdate.open***.net/community/releases/open***-2.1.4.tar.gz
Step 2: Install the required development packages with yum
yum install -y openssl openssl-devel automake pkgconfig iptables
yum install gcc* -y
yum groupinstall "Development tools" -y
Step 3: Install the Open××× server
1. Install LZO
tar zxvf lzo-2.04.tar.gz
cd lzo-2.04/
./configure
make
make check
make install
cd ../
2. Install Open×××
tar zxvf open***-2.1.4.tar.gz
cd open***-2.1.4
./configure --with-lzo-headers=/usr/local/include \
    --with-lzo-lib=/usr/local/lib \
    --with-ssl-headers=/usr/include/openssl \
    --with-ssl-lib=/usr/lib
# Alternative configure line, for installing under /opt:
# ./configure --prefix=/opt/open*** --with-lzo-headers=/opt/lzo/include --with-lzo-lib=/opt/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
make
make install
cd ../
3. Generate the certificates and keys (cd open***-2.1.4)
mkdir /etc/open***
cp -r easy-rsa /etc/open***/
cd /etc/open***/easy-rsa/2.0/
cp openssl-0.9.6.cnf openssl.cnf
vim vars
Change the following parameters in vars:
export KEY_COUNTRY=CN              # country; CN is fine
export KEY_PROVINCE=ZJ             # province
export KEY_CITY=HZ                 # city
export KEY_ORG="yy***.net"         # organization
export KEY_EMAIL="***@yy***.net"   # e-mail
Note: if there is no export command, edit vars directly; change the settings above as prompted.
Then run:
source vars
./clean-all
./build-ca
Follow the prompts. Our example settings:
[root@test 2.0]# ./build-ca
Generating a 1024 bit RSA private key
............................++++++
..........................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
(from this step through step 6, the Common Name is different each time)
Country Name (2 letter code) [CN]:CN #country; CN is fine
State or Province Name (full name) [ZJ]:ZJ #province
Locality Name (eg, city) [HZ]:HZ #city
Organization Name (eg, company) [yy***.net]:yy***.net #company
Organizational Unit Name (eg, section) []:yy*** #organization
Common Name (eg, your name or your server's hostname) [yy***.net CA]:yy***.net
Name []:yy***
Email Address [***@yy***.net]:***@yy***.net #e-mail
5. Create the server key:
./build-key-server server
Follow the prompts. Our example settings:
[root@test 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.......++++++
............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [ZJ]:ZJ
Locality Name (eg, city) [HZ]:HZ
Organization Name (eg, company) [yy***.net]:yy***.net
Organizational Unit Name (eg, section) []:yy***
Common Name (eg, your name or your server's hostname) [server]:yy***
Name []:yy***
Email Address [***@yy***.net]:***@yy***.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:yy***
Using configuration from /etc/open***/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'ZJ'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'yy***.net'
organizationalUnitName:PRINTABLE:'yy***'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'yy***'
emailAddress          :IA5STRING:'***@yy***.net'
Certificate is to be certified until Dec 8 11:37:33 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
6. Generate the client key
./build-key client1 # client1 can be renamed, but it must match the steps below
Follow the prompts. Our example settings:
[root@test 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
.....................++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [ZJ]:ZJ
Locality Name (eg, city) [HZ]:HZ
Organization Name (eg, company) [yy***.net]:yy***.net
Organizational Unit Name (eg, section) []:yy***
Common Name (eg, your name or your server's hostname) [client1]:client1
Name []:yy***
Email Address [***@yy***.net]:***@yy***.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:yy***
Using configuration from /etc/open***/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'ZJ'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'yy***.net'
organizationalUnitName:PRINTABLE:'yy***'
commonName            :T61STRING:'client1'
name                  :PRINTABLE:'yy***'
emailAddress          :IA5STRING:'***@yy***.net'
Certificate is to be certified until Aug 9 15:21:18 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Repeat the steps above to generate further client certificates/keys, but note that client1 has to be different each time, including at the prompt shown above, Common Name (eg, your name or your server's hostname) [client1]: where client1 can be client2, client3, and so on.
7. Generate the Diffie-Hellman parameters. First edit build-dh (vi build-dh) and change $OPENSSL to openssl, then run
./build-dh
8. Pack all the files under keys and download them to your local machine (ssh secure shell client)
tar -cf keys.tar keys
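You can move the archive into your web directory and download it, or download it to your local machine over FTP (WinSCP).
9. Create the server configuration file: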
vim /usr/local/etc/server.conf
Contents:
local 10.10.10.10
port 1194
proto udp
dev tun
ca /etc/open***/easy-rsa/2.0/keys/ca.crt
cert /etc/open***/easy-rsa/2.0/keys/server.crt
key /etc/open***/easy-rsa/2.0/keys/server.key
dh /etc/open***/easy-rsa/2.0/keys/dh1024.pem
server 192.168.100.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /etc/open***/easy-rsa/2.0/keys/open***-status.log
verb 4
push "dhcp-option DNS 202.140.96.51 "
push "dhcp-option DNS 202.85.146.104 "
10. Create the client configuration file
vim /usr/local/etc/client1.conf
Contents:
client
dev tun
proto udp
remote 10.10.10.10 1194
persist-key
persist-tun
ca ca.crt
cert sige.liu.crt
key sige.liu.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
route-method exe
route-delay 2
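An added example, not part of the original post: a shell function that audits a config like the server.conf and client1.conf above for settings that have aged badly (1024-bit DH parameters, comp-lzo, ns-cert-type) or are absent (tls-auth, cipher, user/group). The names audit_conf and sample_server_conf and the severity labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: flag weak or missing
# directives in a config such as the server.conf and client1.conf above.

# audit_conf [FILE]: print one "LEVEL directive: reason" line per finding;
# reads standard input when no file is given.
audit_conf() {
    awk '
    { sub(/[#;].*/, "") }    # drop comments
    NF == 0 { next }         # skip blank lines
    { seen[$1] = 1 }
    $1 == "dh" {
        # easy-rsa names the file dh<bits>.pem; the name is only a hint
        n = $2; sub(/^.*dh/, "", n); sub(/\.pem$/, "", n)
        if (n ~ /^[0-9]+$/ && n + 0 < 2048)
            print "HIGH dh: " n "-bit DH parameters, use 2048 bits or more"
    }
    $1 == "comp-lzo" { print "MED comp-lzo: VPN compression allows VORACLE-style oracle attacks" }
    $1 == "client-to-client" { print "INFO client-to-client: traffic between clients bypasses the server iptables rules" }
    $1 == "ns-cert-type" { print "LOW ns-cert-type: deprecated, remote-cert-tls is the replacement" }
    END {
        if (!("tls-auth" in seen) && !("tls-crypt" in seen))
            print "MED tls-auth: no tls-auth/tls-crypt key on the control channel"
        if (!("cipher" in seen))
            print "MED cipher: not set, the default in the 2.1 series is BF-CBC (64-bit block)"
        if (("server" in seen) && !("user" in seen))
            print "MED user: no user/group, the daemon keeps root after startup"
    }' "$@"
}

# Constructed sample: directives taken from the server.conf shown above.
sample_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
dh /etc/open***/easy-rsa/2.0/keys/dh1024.pem
server 192.168.100.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
EOF
}

sample_server_conf | audit_conf
```

Run against a real file with audit_conf /usr/local/etc/server.conf; the 1024-bit DH finding comes from the KEY_SIZE that easy-rsa used, which is also the size of the RSA keys in the transcripts above.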
11. Start Open***: open*** [server config file]. Run:
/usr/local/sbin/open*** --config /usr/local/etc/server.conf
12. Make the Open××× server start open*** automatically after a reboot. Edit:
vim /etc/rc.local
Add:
/usr/local/sbin/open*** --config /usr/local/etc/server.conf > /dev/null 2>&1 &
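Step 4: Configure Open××× for access to the Internet
1. Enable routing
Once the ××× connection succeeds, routing still has to be set up before the Internet can be reached through the ×××. Add the route on the VPS:
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 10.10.10.10 # replace with your own IP
/etc/init.d/iptables save
/etc/init.d/iptables restart
The -o parameter may differ from server to server: on an OpenVZ VPS it is usually venet0, while on a Xen VPS it is eth0; run ifconfig to check. Also find out your own IP and put it in place of the last IP address (10.10.10.10) in the command above. IP forwarding must be turned on as well. Do not use echo 1 > /proc/sys/net/ipv4/ip_forward, which has no effect after a reboot. Run: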
sysctl -w net.ipv4.ip_forward=1
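sysctl -w changes only the running kernel value; the setting survives a reboot only if it is also written to /etc/sysctl.conf. The following check is an added example, not part of the original post, that compares the running value with the persisted one; the function names, the state names and the use of /etc/sysctl.conf alone (no /etc/sysctl.d) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Defaults are the standard Linux
# paths; both can be overridden, which the constructed demo below relies on.

# persisted_forward FILE: print 1 if the last net.ipv4.ip_forward assignment
# in a sysctl.conf-style file is 1 (later lines win), otherwise print 0.
persisted_forward() {
    awk -F= '
    { sub(/[#;].*/, ""); gsub(/[ \t]/, "") }   # drop comments and blanks
    $1 == "net.ipv4.ip_forward" || $1 == "net/ipv4/ip_forward" { v = $2 }
    END { r = (v == "1") ? 1 : 0; print r }
    ' "$1"
}

# forward_state [RUNTIME_FILE] [CONF_FILE]: compare the running kernel value
# with the persisted one and name the resulting state.
forward_state() {
    now=$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")
    boot=$(persisted_forward "${2:-/etc/sysctl.conf}")
    case "$now$boot" in
        11) echo "ok" ;;
        10) echo "lost-on-reboot" ;;
        01) echo "off-until-reboot" ;;
        *)  echo "off" ;;
    esac
}

# Constructed demo: forwarding enabled with sysctl -w only, nothing persisted.
demo_dir=$(mktemp -d)
echo 1 > "$demo_dir/ip_forward"
printf '# constructed sysctl.conf\nnet.ipv4.ip_forward = 0\n' > "$demo_dir/sysctl.conf"
forward_state "$demo_dir/ip_forward" "$demo_dir/sysctl.conf"
rm -rf "$demo_dir"
```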
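Step 5: Install the Open××× GUI for Windows client
Download the Open××× GUI for Windows client from the official site and install it on your own machine, following the prompts. Then go to the C:\Program Files\Open×××\config directory and use an editor to create a new file named client1.o*** with the following contents, which must match the client1.conf file on the server:
client
dev tun
proto udp
remote 10.10.10.10 1194 # replace with the public IP of your own ×××; the port is 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt # the certificate this client uses
key client1.key # the key this client uses
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
route-method exe
route-delay 2
This is simply the client1.conf file from above! Next, unpack the keys.tar you downloaded and put all of its contents into the C:\Program Files\Open×××\config directory.
Finally, run the Open××× client software on the WinXP PC, click to add a connection configuration, choose to import a local file, and select the client.o*** file you just saved.
If there are several ××× clients, add a configuration file for each:
On the server: vim /usr/local/etc/client2.conf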
client
dev tun
proto udp
remote 10.10.10.10 1194 # replace with the public IP of your own ×××; the port is 1194
persist-key
persist-tun
ca ca.crt
cert client2.crt # the certificate this client uses
key client2.key # the key this client uses (the certificate and key must not be in use by another user)
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
route-method exe
route-delay 2
On the client:
Go to the C:\Program Files\Open×××\config directory and use an editor to create a new file named client2.o*** with the following contents, which must match the client2.conf file on the server:
client
dev tun
proto udp
remote 10.10.10.10 1194
persist-key
persist-tun
ca ca.crt
cert client2.crt
key client2.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
route-method exe
route-delay 2
Reposted from: https://blog.皇冠云.com/6046781/1156827