Linux系统安装配置OpenV*N教程
来自: http://my.oschina.net/foundation00523wuxi/blog/616105
OpenV*N在安全性上比PPTP,L2TP和IPsec都高,因为它通过三个证书的安全验证,实现了整个通信链路的完整加密。
安装步骤:
一、首先检查VPS上的tun设备是否可用,如果不可用需要联系客服打开,否则OpenV*N无法启用。
通过root用户登陆,执行
代码如下:
1 2 | #cat /dev/net/tun cat: /dev/net/tun: File descriptor in bad state |
如果现实结果如上所示,则表示tun设备可用,其它则表示设备异常,无法安装OpenV*N。
二、下载安装所需软件包:
代码如下:
1 2 3 4 | wget ftp://rpmfind.net/linux/epel/5/i386/pkcs11-helper-devel-1.07-2.el5.1.i386.rpm wget ftp://rpmfind.net/linux/epel/5/i386/pkcs11-helper-1.07-2.el5.1.i386.rpm wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz wget http://swupdate.openV*N.net/community/releases/openV*N-2.1.4.tar.gz |
三、使用yum安装程序所需开发包
代码如下:
1 | yum install -y openssl openssl-devel automake pkgconfig iptables |
四、安装OpenV*N服务端
1.安装pkcs11-helper RPM包
代码如下:
1 2 | rpm -ivh pkcs11-helper-1.07-2.el5.1.i386.rpm rpm -ivh pkcs11-helper-devel-1.07-2.el5.1.i386.rpm |
2.安装 LZO
代码如下:
1 2 3 4 5 6 7 | tar zxvf lzo-2.04.tar.gz cd lzo-2.04/ ./configure –prefix=/opt/lzo make make check make install cd ../ |
3.安装 OpenV*N
代码如下:
1 2 3 4 5 | tar zxvf openV*N-2.1.4.tar.gz cd openV*N-2.1.4 ./configure –prefix=/opt/openV*N –with-lzo-headers=/opt/lzo/include –with-lzo-lib=/opt/lzo/lib –with-ssl-headers=/usr/include/openssl –with-ssl-lib=/usr/lib make make install |
然后,下面就开始key证书文件的创建,总共需要创建三个,即ca,server key,client key。
4.生成证书Key
代码如下:
cp -r easy-rsa /opt/openV*N/
cd /opt/openV*N/easy-rsa/2.0/
vim export_new_var
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN #国家
export KEY_PROVINCE=BJ #省份
export KEY_CITY=BJ #城市
export KEY_ORG=”btschina.com” #组织
export KEY_EMAIL=”root@btschina.com” #邮箱
source export_new_var
./clean-all
./build-ca
Generating a 1024 bit RSA private key
..++++++...........++++++
writing new private key to 'ca.key'
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [btschina.com]:
Organizational Unit Name (eg, section) []:btschina
Common Name (eg, your name or your server's hostname) [btschina.com CA]:btschina
.com
Name []:btschina
Email Address [root@btschina.com]:
5.建立 server key
代码如下:
[root@centos 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key............................++++++..........++++++
writing new private key to 'server.key'
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [btschina.com]:
Organizational Unit Name (eg, section) []:btschina
Common Name (eg, your name or your server's hostname) [server]:btschina.com
Name []:btschina
Email Address [root@btschina.com]:</p> <p>Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:btschina.com
Using configuration from /etc/openV*N/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName RINTABLE:'CN'
stateOrProvinceName RINTABLE:'BJ'
localityName RINTABLE:'BJ'
organizationName RINTABLE:'btschina.com'
organizationalUnitName:PRINTABLE:'btschina'
commonName RINTABLE:'btschina.com'
name RINTABLE:'btschina'
emailAddress :IA5STRING:'root@btschina.com'
Certificate is to be certified until Apr 12 08:21:52 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
6.生成客户端 key
代码如下:
[root@centos 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
.........................................................................................++++++......................++++++
writing new private key to 'client1.key'
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [btschina.com]:
Organizational Unit Name (eg, section) []:btschina
Common Name (eg, your name or your server's hostname) [client1]:
Name []:btschina
Email Address [root@btschina.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:btschina.com
Using configuration from /etc/openV*N/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName RINTABLE:'CN'
stateOrProvinceName RINTABLE:'BJ'
localityName RINTABLE:'BJ'
organizationName RINTABLE:'btschina.com'
organizationalUnitName:PRINTABLE:'btschina'
commonName RINTABLE:'client1′
name RINTABLE:'btschina'
emailAddress :IA5STRING:'root@btschina.com'
Certificate is to be certified until Apr 12 08:24:33 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
如果想生成多个client key的话,重复以上步骤,修改client1为client2,client3......即可。
至此,所有的key都已经生成完毕,如果你想删除这些key,重新生成的话,执行以下命令。
代码如下:
source var
./clean-all
7.生成 Diffie Hellman 参数
代码如下:
./build-dh
8.将 keys 下的所有文件打包下载到本地
代码如下:
tar -cf keys.tar keys
9.创建服务端配置文件
代码如下:
vi /opt/openV*N/etc/server.conf
内容如下:
port 1194
proto udp
dev tun
ca /opt/openV*N/easy-rsa/2.0/keys/ca.crt
cert /opt/openV*N/easy-rsa/2.0/keys/server.crt
key /opt/openV*N/easy-rsa/2.0/keys/server.key
dh /opt/openV*N/easy-rsa/2.0/keys/dh1024.pem
server 10.10.20.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /opt/openV*N/easy-rsa/2.0/keys/openV*N-status.log
verb 4
push “dhcp-option DNS 10.10.20.1″
push “dhcp-option DNS 8.8.8.8″
push “dhcp-option DNS 8.8.4.4″
10.创建客户端配置文件
代码如下:
vi /opt/openV*N/etc/client.conf
内容如下
client
dev tun
proto udp
remote 204.74.215.57 1194 #请换成自己ip
persist-key
persist-tun
ca /opt/openV*N/easy-rsa/2.0/keys/ca.crt
cert /opt/openV*N/easy-rsa/2.0/keys/client1.crt
key /opt/openV*N/easy-rsa/2.0/keys/client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
route-method exe
route-delay 2
12.设置 OpenV*N 服务器 reboot后自动启动 openV*N
代码如下:
vi /etc/rc.local
加入:
代码如下:
/opt/openV*N/sbin/openV*N –config /opt/openV*N/etc/server.conf > /dev/null 2>&1 &
运行OpenV*N服务端
代码如下:
/opt/openV*N/sbin/openV*N –config /opt/openV*N/etc/server.conf > /dev/null 2>&1 &
检查服务端是否启动
执行
代码如下:
netstat -lnp
如果看到有 0.0.0.0:1194 则证明服务端已经成功启动。
五、防火墙规则设置
1.开放OpenV*N服务器端口
代码如下:
iptables -A INPUT -p udp -m state –state NEW -m udp –dport 1194 -j ACCEPT
2.启用NAT映射,实现共享上网
代码如下:
iptables -t nat -A POSTROUTING -s 10.10.20.0/255.255.255.0 -o eth0 -j MASQUERADE
3.开启数据转发
代码如下:
sysctl -w net.ipv4.ip_forward=1
六、OpenV*N GUI for Windows 客户端安装
1.下载并安装 .NET Framwork 3.5 SP1
由于OpenV*N客户端需要 .NET Framwork 3.5 SP1 以上的支持,所以很遗憾,我们不得不先安装它。
下载地址:http://www.microsoft.com/downloads/zh-cn/details.aspx?FamilyID=333325fd-ae52-4e35-b531-508d977d32a6&DisplayLang=zh-cn
2.下载并安装OpenV*N客户端
下载地址:http://swupdate.openV*N.net/downloads/openV*N-client.msi
3.创建客户端配置文件
进入程序目录,C:/Program Files/OpenV*N Technologies/OpenV*N Client/etc/profile
创建配置文件client.oV*N,内容如下:
client
dev tun
proto udp
remote 204.74.215.57 1194 #请换成自己ip
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
route-method exe
route-delay 2
4.将所需的证书等文件放入客户端目录
将之前压缩的keys.tar压缩文件解压,并将目录下的所有文件移动到目录:
C:/Program Files/OpenV*N Technologies/OpenV*N Client/etc/profile
至此,整个OpenV*N的安装过程就已经完成了,如果你也是国外的VPS主机的话,那就开始体验翻过GFW的快乐吧。
七、卸载OpenV*N
如果你觉得OpenV*N用起来太过于麻烦或其它原因想卸载OpenV*N,那么,请执行以下操作。
代码如下:
killall openV*N
rpm -e pkcs11-helper-1.07-2.el5.1.i386.rpm
rpm -e pkcs11-helper-devel-1.07-2.el5.1.i386.rpm
rm -rf /opt/lzo
rm -rf /opt/openV*N