公司需求:需要在日本服务器搭建一个open***,然后通过×××代理的方式访问国外站点.
服务器ip:
[root@li493-137 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr F2:3C:91:AE:0A:55
inet addr:57.17.20.30 Bcast:57.17.20.255 Mask:255.255.255.0
inet6 addr: 2400:8900::f03c:91ff:feae:a55/64 Scope:Global
inet6 addr: fe80::f03c:91ff:feae:a55/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4620022758 errors:0 dropped:0 overruns:0 frame:0
TX packets:3853593707 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2417829468272 (2.1 TiB) TX bytes:1308999444228 (1.1 TiB)
Interrupt:44
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:113 errors:0 dropped:0 overruns:0 frame:0
TX packets:113 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7926 (7.7 KiB) TX bytes:7926 (7.7 KiB)
[root@li493-137 ~]# yum -y install gcc*
[root@li493-137 ~]# mkdir -p /home/jc/tools/open***
[root@li493-137 ~]# cd /home/jc/tools/open***/
[root@li493-137 open***]# yum install lrzsz -y
[root@li493-137 open***]# rz -y
rz waiting to receive.
开始 zmodem 传输。 按 Ctrl+C 取消。
100% 585 KB 585 KB/s 00:00:01 0 Errors
100% 653 KB 653 KB/s 00:00:01 0 Errors
[root@li493-137 open***]# ll
total 1252
-rw-r--r-- 1 root root 599387 Aug 21 2011 lzo-2.02.tar.gz
-rw-r--r-- 1 root root 669076 Aug 20 2011 open***-2.0.9.tar.gz
#安装lzo(注意:上面通过 rz 上传的两个 tar.gz 没有做任何校验;正式环境应先核对官方发布的签名或 sha 摘要,再以 root 执行 make install)
[root@li493-137 open***]# tar -zxf lzo-2.02.tar.gz
[root@li493-137 open***]# cd lzo-2.02
[root@li493-137 lzo-2.02]# ./configure && make && make install
#安装open***
[root@li493-137 lzo-2.02]# cd ../
[root@li493-137 open***]# tar -zxf open***-2.0.9.tar.gz
[root@li493-137 open***]# cd open***-2.0.9
[root@li493-137 open***-2.0.9]# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib && make && make install
[root@li493-137 open***-2.0.9]# ll /usr/local/sbin/open***
-rwxr-xr-x 1 root root 1862822 Dec 4 02:27 /usr/local/sbin/open***
#配置open*** server-建立CA证书。注意:easy-rsa 2.0 的 vars 里 KEY_SIZE 默认是 1024,所以下文生成的 CA、server、客户端私钥以及 dh1024.pem 都是 1024 位,按现在的标准已偏弱;正式部署应在 source vars 之前把 vars 中的 KEY_SIZE 改为 2048 或更大。同样,open***-2.0.9 是很老的版本,生产环境应使用当前发行版。
[root@li493-137 open***-2.0.9]# cd easy-rsa/2.0/
[root@li493-137 2.0]# vi vars #←(shift+g到结尾删除结尾最后5行,如下:)
删除如下5行:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
然后添加,如下行:
#by JC 408822635
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="jc"
export KEY_EMAIL="408822635@qq.com"
删除,并添加完之后,保存退出,执行以下命令,生效:
[root@li493-137 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/jc/tools/open***/open***-2.0.9/easy-rsa/2.0/keys
根据上面的提示(./clean-all 会 rm -rf 整个 keys 目录,首次初始化 CA 时这正是我们要的),执行:
[root@li493-137 2.0]# ./clean-all #清除 keys 目录下所有证书相关文件;只在初始化 CA 时执行一次,之后再执行会把已签发的证书和 CA 私钥一并删掉
[root@li493-137 2.0]# ./build-ca #生成CA证书
Generating a 1024 bit RSA private key
...........++++++
........................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:(直接回车)
State or Province Name (full name) [BJ]: (直接回车)
Locality Name (eg, city) [Beijing]: (直接回车)
Organization Name (eg, company) [jc]: (直接回车)
Organizational Unit Name (eg, section) []:jc (直接jc)
Common Name (eg, your name or your server's hostname) [jc CA]: (直接回车)
Email Address [408822635@qq.com]: (直接回车)
[root@li493-137 2.0]# ll keys/ #查看生成后的证书
total 28
-rw-r--r-- 1 root root 1200 Jun 27 16:40 ca.crt
-rw------- 1 root root 887 Jun 27 16:40 ca.key
-rw-r--r-- 1 root root 0 Jun 27 16:39 index.txt
-rw-r--r-- 1 root root 3 Jun 27 16:39 serial
#生成服务器端证书和密钥key文件。注意:下面提示的 A challenge password 只是写入 CSR 的一个可选属性,open*** 不会使用它,也不会用它给私钥加密;直接回车留空即可,不要在这里填真实密码——教程里出现的 jc123456 之类只是示例。
[root@li493-137 2.0]# cd /home/jc/tools/open***/open***-2.0.9/easy-rsa/2.0/
[root@li493-137 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.................++++++
..........................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: (直接回车)
State or Province Name (full name) [BJ]: (直接回车)
Locality Name (eg, city) [Beijing]: (直接回车)
Organization Name (eg, company) [jc]: (直接回车)
Organizational Unit Name (eg, section) []:jc (输入jc,然后回车)
Common Name (eg, your name or your server's hostname) [server]: (直接回车)
Email Address [408822635@qq.com]: (直接回车)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:jc123456 (输入密码jc123456,然后回车)
An optional company name []:jc (输入用户名jc,然后回车)
Using configuration from /home/jc/tools/open***/open***-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'jc'
organizationalUnitName:PRINTABLE:'jc'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'408822635@qq.com'
Certificate is to be certified until Jun 25 08:46:51 2022 GMT (3650 days)
Sign the certificate? [y/n]:y (输入y)
1 out of 1 certificate requests certified, commit? [y/n]y (输入y)
Write out database with 1 new entries
Data Base Updated
#生成客户端证书和key文件:
生成client证书和key文件。若要建立多个客户端证书,重复如下步骤即可,只需把客户端名称(下面的 jack、dream)换成别的名字,每个客户端各用一份独立的证书和私钥。
在open***中,这种配置方法是每一个登陆的×××客户端需要有一个证书,默认情况下每个证书在同一时刻只能供一个客户端连接(如果有两个机器安装相同证书,同时拨服务器,都能拨上,但是只有第一个拨上的才能连通网络)。所以此种需要建立许多份证书的情况(建立一份证书多人登陆的情况在后文中讲,即 server.conf 里的 duplicate-cn。但要注意:一旦允许证书共用,任何一份泄露的证书就能被任意多人同时使用,而本文没有配置 CRL(crl-verify),泄露后无法吊销,所以仍建议一人一证)。
下面建立2份,名称分别为jack 和 dream
[root@li493-137 2.0]# cd /home/jc/tools/open***/
[root@li493-137 open***]# cd open***-2.0.9
[root@li493-137 open***-2.0.9]# cd easy-rsa/2.0/
[root@li493-137 2.0]# ./build-key jack
Generating a 1024 bit RSA private key
..++++++
.........................................++++++
writing new private key to 'jack.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [jc]:
Organizational Unit Name (eg, section) []:jack
Common Name (eg, your name or your server's hostname) [jack]:
Email Address [408822635@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:jack123456
An optional company name []:jack
Using configuration from /home/jc/tools/open***/open***-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'jc'
organizationalUnitName:PRINTABLE:'jack'
commonName :PRINTABLE:'jack'
emailAddress :IA5STRING:'408822635@qq.com'
Certificate is to be certified until Dec 2 02:47:51 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@li493-137 2.0]# ./build-key dream
Generating a 1024 bit RSA private key
..............................................++++++
..++++++
writing new private key to 'dream.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [jc]:
Organizational Unit Name (eg, section) []:dream
Common Name (eg, your name or your server's hostname) [dream]:
Email Address [408822635@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dream123456
An optional company name []:dream
Using configuration from /home/jc/tools/open***/open***-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'jc'
organizationalUnitName:PRINTABLE:'dream'
commonName :PRINTABLE:'dream'
emailAddress :IA5STRING:'408822635@qq.com'
Certificate is to be certified until Dec 2 02:48:43 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#生成generate diffie hellman parameters(生成传输进行密钥交换时用到的交换密钥协议文件)
[root@li493-137 2.0]# cd /home/jc/tools/open***/open***-2.0.9/easy-rsa/2.0/
[root@li493-137 2.0]# ./build-dh
[root@li493-137 2.0]# pwd
/home/jc/tools/open***/open***-2.0.9/easy-rsa/2.0
[root@li493-137 2.0]# ll keys/
total 84
-rw-r--r-- 1 root root 3826 Dec 4 02:45 01.pem
-rw-r--r-- 1 root root 3705 Dec 4 02:47 02.pem
-rw-r--r-- 1 root root 3711 Dec 4 02:48 03.pem
-rw-r--r-- 1 root root 1200 Dec 4 02:38 ca.crt
-rw------- 1 root root 912 Dec 4 02:38 ca.key
-rw-r--r-- 1 root root 245 Dec 4 02:49 dh1024.pem
-rw-r--r-- 1 root root 3711 Dec 4 02:48 dream.crt
-rw-r--r-- 1 root root 745 Dec 4 02:48 dream.csr
-rw------- 1 root root 916 Dec 4 02:48 dream.key
-rw-r--r-- 1 root root 305 Dec 4 02:48 index.txt
-rw-r--r-- 1 root root 21 Dec 4 02:48 index.txt.attr
-rw-r--r-- 1 root root 21 Dec 4 02:47 index.txt.attr.old
-rw-r--r-- 1 root root 202 Dec 4 02:47 index.txt.old
-rw-r--r-- 1 root root 3705 Dec 4 02:47 jack.crt
-rw-r--r-- 1 root root 737 Dec 4 02:47 jack.csr
-rw------- 1 root root 916 Dec 4 02:47 jack.key
-rw-r--r-- 1 root root 3 Dec 4 02:48 serial
-rw-r--r-- 1 root root 3 Dec 4 02:47 serial.old
-rw-r--r-- 1 root root 3826 Dec 4 02:45 server.crt
-rw-r--r-- 1 root root 733 Dec 4 02:45 server.csr
-rw------- 1 root root 916 Dec 4 02:45 server.key
#为防止恶意***(如DOS、UDP port flooding),我们生成一个"HMAC firewall"(tls-auth 密钥)。注意:只生成文件是没有用的,必须在 server.conf 里加上 tls-auth ta.key 0,并把同一份 ta.key 通过安全渠道发给客户端、在 client.conf 里加 tls-auth ta.key 1,否则 open*** 根本不会用到它。
[root@li493-137 2.0]# open*** --genkey --secret keys/ta.key
#配置服务器端×××配置文件server.conf。注意:下面的 cp keys/* 会把 CA 私钥 ca.key、客户端私钥 jack.key/dream.key 以及 csr、index.txt 等全部复制到服务器上。服务器运行只需要 ca.crt、server.crt、server.key、dh1024.pem 和 ta.key;ca.key 应离线保存(谁拿到它就能签发任意可登录的客户端证书),客户端私钥应通过安全渠道交给客户端后从服务器上删除。
[root@li493-137 2.0]# mkdir -p /etc/open***
[root@li493-137 2.0]# cd /home/jc/tools/open***/open***-2.0.9/easy-rsa/2.0/
[root@li493-137 2.0]# /bin/cp keys/* /etc/open***/
[root@li493-137 2.0]# cd /home/jc/tools/open***/open***-2.0.9/sample-config-files/
[root@li493-137 sample-config-files]# /bin/cp server.conf client.conf /etc/open***/
[root@li493-137 sample-config-files]# cd /etc/open***/
[root@li493-137 open***]# ls -l
total 104
-rw-r--r-- 1 root root 3826 Dec 4 02:59 01.pem
-rw-r--r-- 1 root root 3705 Dec 4 02:59 02.pem
-rw-r--r-- 1 root root 3711 Dec 4 02:59 03.pem
-rw-r--r-- 1 root root 1200 Dec 4 02:59 ca.crt
-rw------- 1 root root 912 Dec 4 02:59 ca.key
-rw-r--r-- 1 root root 3427 Dec 4 02:59 client.conf
-rw-r--r-- 1 root root 245 Dec 4 02:59 dh1024.pem
-rw-r--r-- 1 root root 3711 Dec 4 02:59 dream.crt
-rw-r--r-- 1 root root 745 Dec 4 02:59 dream.csr
-rw------- 1 root root 916 Dec 4 02:59 dream.key
-rw-r--r-- 1 root root 305 Dec 4 02:59 index.txt
-rw-r--r-- 1 root root 21 Dec 4 02:59 index.txt.attr
-rw-r--r-- 1 root root 21 Dec 4 02:59 index.txt.attr.old
-rw-r--r-- 1 root root 202 Dec 4 02:59 index.txt.old
-rw-r--r-- 1 root root 3705 Dec 4 02:59 jack.crt
-rw-r--r-- 1 root root 737 Dec 4 02:59 jack.csr
-rw------- 1 root root 916 Dec 4 02:59 jack.key
-rw-r--r-- 1 root root 3 Dec 4 02:59 serial
-rw-r--r-- 1 root root 3 Dec 4 02:59 serial.old
-rw-r--r-- 1 root root 9970 Dec 4 02:59 server.conf
-rw-r--r-- 1 root root 3826 Dec 4 02:59 server.crt
-rw-r--r-- 1 root root 733 Dec 4 02:59 server.csr
-rw------- 1 root root 916 Dec 4 02:59 server.key
-rw------- 1 root root 636 Dec 4 02:59 ta.key
[root@li493-137 open***]# /bin/cp server.conf server.conf.jc.$(date +%F)
[root@li493-137 open***]# vi server.conf #把原先配置文件清空
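# OpenVPN server configuration (/etc/open***/server.conf).
# Bind to the public address; the UDP port must match the iptables INPUT rule
# and the client config. 52117 is the port the firewall rule opens and the
# port netstat shows the daemon listening on.
local 57.17.20.30
port 52117
proto udp
dev tun
# Trust anchor and server identity. Only these files (plus dh and ta.key) need
# to live on the server; ca.key and the client .key files do not belong here.
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# HMAC firewall key generated with "open*** --genkey --secret keys/ta.key".
# Without this directive the key is never used; clients need "tls-auth ta.key 1".
tls-auth ta.key 0
server 10.9.0.0 255.255.255.0
push "route 10.9.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
# Lets VPN clients talk to each other directly; drop it if they only need internet access.
client-to-client
# Allows several clients to share one certificate. One leaked certificate then
# grants unlimited concurrent access and there is no crl-verify here to revoke
# it; prefer one certificate per client and remove this directive when you can.
duplicate-cn
keepalive 10 120
comp-lzo
# Drop root privileges after startup. persist-key/persist-tun keep the key
# material and the tun device across restarts, which is required once the
# process no longer runs as root.
user nobody
group nobody
persist-key
persist-tun
# Both files live in /var/log/open***/; the directory must exist before starting.
status /var/log/open***/open***-status.log
log /var/log/open***/open***.log
verb 3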
备注57.17.20.30是外网Ip,10.9.0.0网段是我随便指定的,就是在拨号成功,open***会自动分配以10.9.0.0网段一个ip地址给本机客户端.
[root@li493-137 open***]# dos2unix server.conf
[root@li493-137 open***]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#' /etc/sysctl.conf
[root@li493-137 open***]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
#注意:iptables -F 只清空 filter 表的规则(nat 表不受影响),且不会改变各链的默认策略;如果当前默认策略是 DROP,远程执行会立刻断掉 SSH。清空之后,除下面那一条放行 open*** 端口的规则外,本机对所有入站流量都是默认 ACCEPT 的;正式环境应补上 lo、ESTABLISHED/RELATED 和 SSH 的放行规则后,再把 INPUT 默认策略改为 DROP。
[root@li493-137 open***]# iptables -X
[root@li493-137 open***]# iptables -F
[root@li493-137 open***]# iptables -Z
[root@li493-137 open***]# iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j SNAT --to-source 57.17.20.30
[root@li493-137 open***]# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 52117 -j ACCEPT
[root@li493-137 open***]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
#先确保日志目录存在(server.conf 里 log/status 都指向 /var/log/open***/,open*** 不会自动创建该目录,不存在时启动会失败);用 --daemon 让 open*** 自己转入后台,而不是用 & 挂在当前 shell 下(终端断开收到 SIGHUP 时可能随之退出)。另外该进程此时是以 root 身份运行的,建议在 server.conf 里加 user nobody / group nobody 降权,正式环境再写成 init 脚本。
[root@li493-137 open***]# mkdir -p /var/log/open***
[root@li493-137 open***]# /usr/local/sbin/open*** --config /etc/open***/server.conf --daemon
[root@li493-137 open***]# netstat -lntup|grep open***
udp 0 0 57.17.20.30:52117 0.0.0.0:* 12126/open***
转载于:https://blog.51cto.com/jiechao2012/1081455