关于Open***的有关介绍及为何使用Open***在此就不做赘述了，下面直接记录Centos7.2系统下部署Open***环境的操作过程：

1) 先将本机的yum换成阿里云的yum源

[root@test-vm04 ~]#wget -O /etc/yum.repos.d/CentOS-Base.repo

[root@test-vm04 ~]# yum clean all

[root@test-vm04 ~]# yum makecache

如果是centos5，则更换如下：

wget -O /etc/yum.repos.d/CentOS-Base.repo

如果时centos6，则更换如下：

wget -O /etc/yum.repos.d/CentOS-Base.repo

2）安装依赖的软件包

[root@test-vm04 ~]# yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel

[root@test-vm04 ~]# wget

[root@test-vm04 ~]# rpm -ivh epel-release-latest-7.noarch.rpm[root@test-vm04 ~]# yum install -y pkcs11-helper pkcs11-helper-devel

确认已经安装完成：

[root@test-vm04 ~]# rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-develpam-devel-1.1.8-18.el7.x86_64pkcs11-helper-devel-1.11-3.el7.x86_64pam-1.1.8-18.el7.x86_64pkcs11-helper-1.11-3.el7.x86_64lzo-devel-2.06-8.el7.x86_64openssl-1.0.2k-8.el7.x86_64lzo-2.06-8.el7.x86_64openssl-devel-1.0.2k-8.el7.x86_64

3) 安装Open***服务

下载open***的源码包[root@test-vm04 ~]# wget

使用rpmbuild将源码包编译成rpm包来进行安装

[root@test-vm04 ~]# rpmbuild -tb open***-2.2.2.tar.gz

执行上面这条命令以后就会正常开始编译了，编译完成以后会在 /root/rpmbuild/RPMS/x86_64 目录下生成 open***-2.2.2-1.x86_64.rpm 安装包。

[root@test-vm04 ~]# ls /root/rpmbuild/RPMS/x86_64/open***-2.2.2-1.x86_64.rpm

执行rpm -ivh open***-2.2.2-1.x86_64.rpm 以rpm包的方式安装：

[root@test-vm04 ~]# rpm -ivh /root/rpmbuild/RPMS/x86_64/open***-2.2.2-1.x86_64.rpmPreparing... ################################# [100%]Updating / installing...1:open***-2.2.2-1 ################################# [100%]Restarting open*** (via systemctl): [ OK ]

4）配置Open***服务（服务端）

初始化PKI[root@test-vm04 ~]# cd /usr/share/doc/open***-2.2.2/easy-rsa/2.0

进入到 /usr/share/doc/open***-2.2.2/easy-rsa/2.0 目录下，找到 vars 证书环境文件，修改以下几行 export 定义的参数值

[root@test-vm04 2.0]# vim vars......export KEY_COUNTRY="CN" //所在的国家export KEY_PROVINCE="BJ" //所在的省份export KEY_CITY="BEIJING" //所在的城市export KEY_ORG="HUANQIU" //所在的组织export KEY_EMAIL="wangshibo@huanqiu.cn" //邮件地址

上述参数的值可以自定义设置，对配置无影响。

生成服务端的证书

清除并删除keys目录下的所有key[root@test-vm04 2.0]# ln -s openssl-1.0.0.cnf openssl.cnf[root@test-vm04 2.0]# ll openssl*-rwxr-xr-x. 1 root root 7768 Oct 21 2010 openssl-0.9.6.cnf-rwxr-xr-x. 1 root root 8325 Nov 24 2011 openssl-0.9.8.cnf-rwxr-xr-x. 1 root root 8222 Nov 24 2011 openssl-1.0.0.cnflrwxrwxrwx. 1 root root 17 Sep 21 05:19 openssl.cnf -> openssl-1.0.0.cnf

[root@test-vm04 2.0]# source ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/open***-2.2.2/easy-rsa/2.0/keys[root@test-vm04 2.0]# ./clean-all

生成CA证书，刚刚上面已经在vars文件中配置了默认参数值，多次回车完成就可以：

[root@test-vm04 2.0]# ./build-ca

Generating a 1024 bit RSA private key

.....++++++

...................................++++++

writing new private key to 'ca.key'

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:Locality Name (eg, city) [BEIJING]:Organization Name (eg, company) [HUANQIU]:Organizational Unit Name (eg, section) [changeme]:Common Name (eg, your name or your server's hostname) [changeme]:Name [changeme]:Email Address [mail@host.domain]:

生成服务器证书

如下huanqiu***是自定义的名字，一直回车，到最后会有两次交互，输入y确认，完成后会在keys目录下保存了huanqiu***.key、huanqiu***.csrl和huanqiu***.crt 三个文件。

[root@test-vm04 2.0]# ./build-key-server huanqiu***

Generating a 1024 bit RSA private key

........................................++++++

......++++++

writing new private key to 'huanqiu***.key'

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:Locality Name (eg, city) [BEIJING]:Organization Name (eg, company) [HUANQIU]:Organizational Unit Name (eg, section) [changeme]:Common Name (eg, your name or your server's hostname) [huanqiu***]:Name [changeme]:Email Address [mail@host.domain]:

Please enter the following 'extra' attributes

to be sent with your certificate requestA challenge password []:An optional company name []:Using configuration from /usr/share/doc/open***-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName :PRINTABLE:'CN'stateOrProvinceName :PRINTABLE:'BJ'localityName :PRINTABLE:'BEIJING'organizationName :PRINTABLE:'HUANQIU'organizationalUnitName:PRINTABLE:'changeme'commonName :PRINTABLE:'huanqiu***'name :PRINTABLE:'changeme'emailAddress :IA5STRING:'mail@host.domain'Certificate is to be certified until Sep 19 09:52:18 2027 GMT (3650 days)Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entriesData Base Updated

[root@test-vm04 2.0]# ls keys/

01.pem 02.pem 03.pem ca.crt ca.key huanqiu***.crt huanqiu***.csr huanqiu***.key index.txt index.txt.attr index.txt.attr.old index.txt.old serial serial.old

创建***登陆用户的秘钥与证书

如下，创建用户名为kevin的秘钥和证书，一直回车，到最后会有两次确认，只要按y确认即可。完成后，在keys目录下生成1024位RSA服务器密钥kevin.key、kevin.crt和kevin.csr 三个文件。

[root@test-vm04 2.0]# ./build-key kevin

Generating a 1024 bit RSA private key

...................++++++

.........++++++

writing new private key to 'kevin.key'

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:Locality Name (eg, city) [BEIJING]:Organization Name (eg, company) [HUANQIU]:Organizational Unit Name (eg, section) [changeme]:Common Name (eg, your name or your server's hostname) [kevin]:Name [changeme]:Email Address [mail@host.domain]:

Please enter the following 'extra' attributes

to be sent with your certificate requestA challenge password []:An optional company name []:Using configuration from /usr/share/doc/open***-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName :PRINTABLE:'CN'stateOrProvinceName :PRINTABLE:'BJ'localityName :PRINTABLE:'BEIJING'organizationName :PRINTABLE:'HUANQIU'organizationalUnitName:PRINTABLE:'changeme'commonName :PRINTABLE:'kevin'name :PRINTABLE:'changeme'emailAddress :IA5STRING:'mail@host.domain'Certificate is to be certified until Sep 19 10:00:46 2027 GMT (3650 days)Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]

CERTIFICATION CANCELED

[root@test-vm04 2.0]# ls keys/

01.pem ca.crt ca.key huanqiu***.crt huanqiu***.csr huanqiu***.key index.txt index.txt.attr index.txt.old kevin.crt kevin.csr kevin.key serial serial.old

---

如果创建用户证书时报错，可以将keys整个目录删除，然后从source ./vars这一步开始重新操作（慎重，否则之前在keys目录里的用户数据就会都删除）

生成Diffie Hellman参数

[root@test-vm04 2.0]# ./build-dhGenerating DH parameters, 1024 bit long safe prime, generator 2This is going to take a long time.....+..............+..+..............................................................................+...................................................................................................+............................+................+............+..+...................+..............+........................................................................+............................................+.......................................................................................................................................+.....................................................+............+.......................+.......................................+............................................................................................................................................++++++*

执行了./build-dh后，会在 keys 目录下生成 dh 参数文件 dh1024.pem。该文件客户端验证的时候会用到

[root@test-vm04 2.0]# ls keys01.pem ca.crt ca.key dh1024.pem huanqiu***.crt huanqiu***.csr huanqiu***.key index.txt index.txt.attr index.txt.old kevin.crt kevin.csr kevin.key serial serial.old

将/usr/share/doc/open**-2.2.2/easy-rsa/2.0/keys 目录下的所有文件复制到 /etc/open***下：

[root@test-vm04 2.0]# cp -a /usr/share/doc/open***-2.2.2/easy-rsa/2.0/keys/ /etc/open***/

复制open***服务端配置文件 server.conf 到 /etc/open*** / 目录下：

[root@test-vm04 2.0]# cp -a /usr/share/doc/open***-2.2.2/sample-config-files/server.conf /etc/open***/

server.conf文件的配置

[root@test-vm04 2.0]# egrep -v "^$|^#|^;" /etc/open***/server.conflocal 111.94.149.74 //监听地址(内网或外网地址)，最好填写open***服务器的公网IP地址（使用"curl ifconfig.me"命令查看）。或者这一行直接注释掉！(我在线上配置的就是注释这行)port 1194proto udpdev tunca ca.crt //CA证书路径cert huanqiu***.crt //此处crt以及下一行的key，请填写生成服务器端证书时用户自定义的名称key huanqiu***.keydh dh1024.pem //秘钥交换协议文件push "redirect-gateway def1 bypass-dhcp" ＃取消“；”注释，这样可以让客户端的所有的流量都必须经过***转发。server 10.8.0.0 255.255.255.0 //给***客户机分配的地址池。最好别和open***部署机的内网ip在一个网段内push "dhcp-option DNS 114.114.114.114"　　＃选择了114和谷歌的8.8.8.8client-to-client ＃取消“；”注释，设置客戶端之间是不能直接通讯的ifconfig-pool-persist ipp.txtpush "route 10.0.0.0 255.0.0.0"keepalive 10 120comp-lzouser nobodygroup nobodypersist-keypersist-tunstatus open***-status.loglog open***.logverb 3

5）设置iptables

先设置转发[root@test-vm04 2.0]# vim /etc/sysctl.confnet.ipv4.ip_forward = 1[root@test-vm04 2.0]# sysctl -p //使内核参数生效

添加iptables规则,确保服务器可以转发数据包到外网：

[root@test-vm04 2.0]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE[root@test-vm04 2.0]# service iptables save[root@test-vm04 2.0]# iptables -t nat -LChain PREROUTING (policy ACCEPT)target prot opt source destination

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination MASQUERADE all -- localhost/24 anywhere

6）启动Open×××

[root@test-vm04 2.0]# /etc/init.d/open start

Starting open (via systemctl): [ OK ]

[root@test-vm04 2.0]# lsof -i:1194

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEopen*** 8547 nobody 5u IPv4 53264 0t0 UDP localhost:open***

如果1194端口启动不起来，可以通过查看/etc/open***/open***.log日志进行原因排查

后续给同事开***账号，只需要下面几步（比如给zhangqiang同事开***）

[root@test-vm04 2.0]# pwd/usr/share/doc/open**-2.2.2/easy-rsa/2.0

[root@test-vm04 2.0]# ./build-key zhangqiang

[root@test-vm04 2.0]# cp -a /usr/share/doc/open***-2.2.2/easy-rsa/2.0/keys/zhangqiang. /etc/open***/[root@test-vm04 2.0]# /etc/init.d/open*** restart[root@test-vm04 2.0]# lsof -i:1194

然后编写zhangqiang用户的config.o***客户端配置文件：

[root@test-vm04 2.0]# vim /tmp/config.o***clientdev tunproto udpremote 111.94.149.74 1194 //注意这里的111.94.149.74是open***服务器端的外围ip。resolv-retry infinitenobindmute-replay-warningsca ca.crtcert zhangqiang.crtkey zhangqiang.keycomp-lzo

然后将ca.crt、config.o***、zhangqiang.crt、zhangqiang.csr、zhangqiang.key这五个文件放到zhagnqiang用户下

[root@test-vm04 2.0]# mkdir /tmp/zhangqiang[root@test-vm04 2.0]# cd keys/[root@test-vm04 keys]# cp ca.crt /tmp/config.o*** zhangqiang.crt zhangqiang.csr zhangqiang.key /tmp/zhangqiang[root@test-vm04 keys]# cd /tmp && tar -zvcf zhangqiang.tar.gz zhangqiang

然后将/opt/zhangqiang.tar.gz文件拷贝给用户zhangqiang，让他在客户机上进行open***的连接。

-----------------------------------------open***使用说明----------------------------------------

一、windows用户

1. 需要向管理员申请open***的配置及秘钥文件(总共包括5个文件：ca.crt证书、config.o***客户端配置文件、用户.crt、用户.csr、用户.key)。(其中，config.o***客户端文件是直接配置好拷贝给客户机的，这个文件在服务器端是不存在的，需要自己编写)
2. 软件安装包见文末

3. 如果你的电脑没有安装过TAP，安装过程中会有下面的提示，选择安装。

4. 鼠标右键点击软件安装包以管理员方式运行，一直点next 或者agree即可

接着下一步,同意直到安装完成.

5. 安装完成后你的桌面会出现下面的图标，出现这个说明安装成功了。

6. 然后打开我的电脑，进到open***安装目录即 C:\Program Files\Open***\config 这个文件夹下，然后拿出管理员给你的配置文件,放到这个目录下，如下

7. 回到桌面，右键open***的图标，选择以管理员身份运行

8. 这时候电脑右下角会出现open***的程序

9. 鼠标右键，选择connect

10. 程序图标变成绿色，就说明open***连接成功了