How to set up OpenVPN
admin 2023-01-31 11:45:01

## 1. System environment

Server: CentOS 6.6 x86_64, using the epel repo
Client: CentOS 6.4, using the epel repo; Windows

## 2. Software installation

Server:

```bash
yum install openvpn easy-rsa
```

Linux client:

```bash
yum install openvpn
```

Windows client: openvpn-install-2.3.5-I601-i686.zip, installed into the default directory.

## 3. Server setup

### Generating and building the keys

Copy the easy-rsa scripts into the openvpn directory:

```bash
cp -r /usr/share/easy-rsa /etc/openvpn
```

Edit the key-generation parameters:

```bash
vi /etc/openvpn/easy-rsa/2.0/vars
```

```bash
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
# export OPENSSL="openssl"
# export PKCS11TOOL="pkcs11-tool"
# export GREP="grep"

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="example.cn"
export KEY_EMAIL="[email protected]"
export KEY_OU="Tech"

# X509 Subject Field
export KEY_NAME="RSA"

# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234

# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# export KEY_CN="CommonName"
# export KEY_CN="example,Inc"
```

Apply the parameters defined in vars (vars derives EASY_RSA from `pwd`, so run it from the easy-rsa directory):

```bash
cd /etc/openvpn/easy-rsa/2.0
source /etc/openvpn/easy-rsa/2.0/vars
```

Run:

```bash
bash /etc/openvpn/easy-rsa/2.0/clean-all   # remove any old keys
bash /etc/openvpn/easy-rsa/2.0/build-ca    # build the CA
```

Generate the server key:

```bash
bash /etc/openvpn/easy-rsa/2.0/build-key-server server   # server key, named "server"
```

Generate the client keys:

```bash
bash /etc/openvpn/easy-rsa/2.0/build-key user01   # client key, named "user01"
bash /etc/openvpn/easy-rsa/2.0/build-key user02   # client key, named "user02"
```

Build the Diffie-Hellman parameters:

```bash
bash /etc/openvpn/easy-rsa/2.0/build-dh
```

The following files are generated in /etc/openvpn/easy-rsa/2.0/keys. Keep the key files safe; their purposes are listed in the table.

| File | Used on | Purpose | Secret |
|---|---|---|---|
| ca.crt | server + all clients | Root CA certificate | NO |
| ca.key | key signing machine only | Root CA key | YES |
| dh{n}.pem | server only | Diffie Hellman parameters | NO |
| server.crt | server only | Server Certificate | NO |
| server.key | server only | Server Key | YES |
| client1.crt | client1 only | Client1 Certificate | NO |
| client1.key | client1 only | Client1 Key | YES |
| client2.crt | client2 only | Client2 Certificate | NO |
| client2.key | client2 only | Client2 Key | YES |
| client3.crt | client3 only | Client3 Certificate | NO |
| client3.key | client3 only | Client3 Key | YES |

Copying the files: copy all of the files in the /etc/openvpn/easy-rsa/2.0/keys directory to the /etc/openvpn directory.
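The "used on" column of the table is stricter than the copy step that follows it: ca.key belongs only on the signing machine. The following added example, which is not part of the original post, copies just the four files the server needs and writes the server's private key with mode 0600; the two directory paths are parameters, and the demonstration uses constructed placeholder files in a scratch directory.

```sh
#!/bin/sh
# Added example (not from the original post): stage only the files the server
# needs, following the "used on" column of the table above. ca.key stays on
# the signing machine, and the server's private key is written mode 0600.

# stage_server_files KEYS_DIR DEST_DIR (e.g. /etc/openvpn/easy-rsa/2.0/keys /etc/openvpn)
stage_server_files() {
    keys_dir=$1; dest_dir=$2
    # The "server only" and "server + all clients" rows of the table.
    for f in ca.crt dh2048.pem server.crt server.key; do
        [ -s "$keys_dir/$f" ] || { echo "missing or empty: $keys_dir/$f" >&2; return 1; }
    done
    mkdir -p "$dest_dir" || return 1
    # Refuse a destination that already holds material the server must not have.
    for f in ca.key user01.key user02.key; do
        if [ -e "$dest_dir/$f" ]; then
            echo "refusing: $dest_dir/$f is present" >&2
            return 1
        fi
    done
    cp "$keys_dir/ca.crt" "$keys_dir/dh2048.pem" "$keys_dir/server.crt" "$dest_dir/" || return 1
    # umask 077 makes the private key unreadable to others from the moment it is created.
    rm -f "$dest_dir/server.key"
    (umask 077 && cp "$keys_dir/server.key" "$dest_dir/server.key") || return 1
}

# key_mode FILE -> octal permission bits (GNU stat, with a BSD stat fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demonstration in a scratch directory with constructed placeholder files
# standing in for the real output of easy-rsa.
demo=$(mktemp -d)
mkdir -p "$demo/keys"
for f in ca.crt ca.key dh2048.pem server.crt server.key user01.crt user01.key user02.crt user02.key; do
    echo "placeholder $f" > "$demo/keys/$f"
done
stage_server_files "$demo/keys" "$demo/etc-openvpn" && ls "$demo/etc-openvpn"
```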
Then enable the OpenVPN service. Edit the server configuration file:

```bash
vim /etc/openvpn/server.conf
```

```
#################################################
# Sample OpenVPN 2.0 config file for
# multi-client server.
#
# This file is for the server side
# of a many-clients <-> one-server
# OpenVPN configuration.
#
# OpenVPN also supports
# single-machine <-> single-machine
# configurations (See the Examples page
# on the web site for more info).
#
# This config should work on Windows
# or Linux/BSD systems.  Remember on
# Windows to quote pathnames and use
# double backslashes, e.g.:
# "C:\\Program Files\\OpenVPN\\config\\foo.key"
#
# Comments are preceded with '#' or ';'
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
local 0.0.0.0

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto tcp
;proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
#dev-node vpn

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
;dh dh1024.pem
dh dh2048.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 10.0.2.0 255.255.255.0"
push "route 10.0.3.0 255.255.255.0"
push "route 10.0.4.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
client-config-dir clients-conf
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
```

Enable and start the service:

```bash
chkconfig openvpn on
service openvpn start
```

Run `netstat -nl` and confirm that port 1194 is in the LISTEN state.

Firewall setting:

```bash
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
```

Check the server's IP addresses with `ifconfig -a`: tun0 is 10.8.0.1, the initial tunnel IP address.

At this point the server-side configuration is complete.

On the server side, IP assignment is fixed: each client uses a fixed tunnel IP (through the client-config-dir clients-conf directive above).

## 4. Client configuration

### Linux client

Copy the CA certificate ca.crt, the matching client certificate user01.crt and the matching client private key user01.key, and only those three files, to the client's /etc/openvpn directory. Do not copy any extra files, to avoid leaking key material.

Create or edit the client configuration file:

```bash
vim /etc/openvpn/client.conf
```

```
##############################################
# Sample client-side OpenVPN 2.0 config file
# for connecting to multi-client server.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
#
# On Windows, you might want to rename this
# file so it has a .ovpn extension
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 122.112.12.154 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.
```
client.conf, continued:

```
# Otherwise try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert user01.crt
key user01.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
```

What needs changing: the server IP address and port, and the certificate and private key files the client uses.

```bash
chkconfig openvpn on
service openvpn start
```

Check the client's IP address with `ifconfig -a`, then `ping 10.8.0.1` (the server's initial tunnel IP address).

At this point the Linux client configuration is complete.

### Windows client

Configuration directory:

- `C:\Program Files (x86)\OpenVPN\config` on 64-bit Windows
- `C:\Program Files\OpenVPN\config` on 32-bit Windows

Copy the CA certificate ca.crt, the matching client certificate user01.crt and the matching client private key user01.key, and only those three files, into the client's config directory. Do not copy any extra files, to avoid leaking key material.

Create or edit the client configuration file, named client.ovpn. What needs changing: the server IP address and port, and the certificate and private key files the client uses:

```
remote server-ip 1194
ca ca.crt
cert user01.crt
key user01.key
```

Then open the OpenVPN GUI on the desktop with administrator privileges.

The Windows client configuration is complete.

For a Windows client with multiple configurations (different users connecting to different servers), write several *.ovpn configuration files with different names.
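The server section above enables `client-config-dir clients-conf` so that every client keeps a fixed tunnel IP, and the sample comments show the `ifconfig-push` line such a file needs. The following added example, which is not part of the original post, writes those per-client files for the two client certificates built above; the scratch directory, the client ordering and the note about the dynamic pool are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): generate the per-client files under
# client-config-dir clients-conf that give each client a fixed tunnel IP. With
# "server 10.8.0.0 255.255.255.0" and OpenVPN 2.3's default net30 topology each
# client owns a /30, so the usable endpoint pairs are .5/.6, .9/.10, ... .253/.254
# (.1/.2 belong to the server). Keep these fixed pairs outside the dynamic pool
# (restrict it with ifconfig-pool) so a pool assignment cannot hand out the same /30.

# ccd_pair N -> "local remote" endpoints for the N-th client (1..63).
ccd_pair() {
    n=$1; lo=$(( n * 4 + 1 ))
    if [ "$n" -lt 1 ] || [ "$lo" -gt 253 ]; then
        echo "client index $n outside the /24 net30 range 1..63" >&2
        return 1
    fi
    echo "10.8.0.$lo 10.8.0.$(( lo + 1 ))"
}

# ccd_write DIR CN... -> one file per CN, in order: user01 gets .5/.6, user02 .9/.10, ...
ccd_write() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    i=0
    for cn in "$@"; do
        # The file name must equal the certificate Common Name; reject names that
        # could escape the directory or hide as dotfiles.
        case $cn in ''|*/*|.*) echo "bad common name: '$cn'" >&2; return 1 ;; esac
        i=$(( i + 1 ))
        pair=$(ccd_pair "$i") || return 1
        printf 'ifconfig-push %s\n' "$pair" > "$dir/$cn"
    done
}

# Demonstration in a scratch directory for the two client certificates built above.
demo_ccd=$(mktemp -d)/clients-conf
ccd_write "$demo_ccd" user01 user02
for f in "$demo_ccd"/*; do echo "$f: $(cat "$f")"; done
```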
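Several directives in the two configuration files above (proto, cipher, comp-lzo, tls-auth, the port the client dials) must agree on both sides of the tunnel, and the client's `ns-cert-type server` line is the server-identity check the sample comments recommend. The following added example, which is not part of the original post, extracts the active directives from a server.conf and a client.conf and reports every mismatch; the two files it checks are constructed copies of the settings shown on this page, and the hardening notes it prints are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): cross-check the directives the
# sample configs say must match on both sides of the tunnel. The two configs
# below are constructed from the settings shown on this page.

# active FILE NAME -> value of the uncommented directive NAME ("on" if it takes none).
active() {
    awk -v name="$2" '
        /^[ \t]*[#;]/ { next }                       # commented-out line
        { sub(/[ \t]*#.*$/, "") }                    # strip trailing comment
        $1 == name { v = $0; sub(/^[^ \t]+[ \t]*/, "", v); if (v == "") v = "on"; print v; exit }
    ' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF -> prints findings, returns the number of mismatches.
check_pair() {
    srv=$1; cli=$2; bad=0
    for d in proto cipher comp-lzo tls-auth; do
        s=$(active "$srv" "$d"); c=$(active "$cli" "$d")
        [ "$d" = tls-auth ] && { s=${s%% *}; c=${c%% *}; }   # same key file; 0/1 differs by design
        [ "$s" = "$c" ] || { echo "MISMATCH $d: server='$s' client='$c'"; bad=$(( bad + 1 )); }
    done
    port=$(active "$srv" port); rport=$(active "$cli" remote); rport=${rport##* }
    [ "$port" = "$rport" ] || { echo "MISMATCH port: server=$port client=$rport"; bad=$(( bad + 1 )); }
    [ -n "$(active "$cli" ns-cert-type)" ] || { echo "WARN: client lacks ns-cert-type server"; bad=$(( bad + 1 )); }
    # Hints the sample config comments themselves give.
    [ -z "$(active "$srv" cipher)" ] && echo "NOTE: cipher unset, OpenVPN 2.3 falls back to BF-CBC"
    [ -z "$(active "$srv" tls-auth)" ] && echo "NOTE: tls-auth (the HMAC firewall) is not enabled"
    [ -n "$(active "$srv" duplicate-cn)" ] && echo "WARN: duplicate-cn is for testing only"
    return "$bad"
}

tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
port 1194
proto tcp
;proto udp
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
comp-lzo
EOF
cat > "$tmp/client.conf" <<'EOF'
client
proto tcp
remote 122.112.12.154 1194
ns-cert-type server
comp-lzo
EOF
check_pair "$tmp/server.conf" "$tmp/client.conf"
```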