Alibaba Cloud + OpenWRT + OpenVPN to build a remote operation and maintenance platform

OpenVPN networking steps
1. OpenVPN setup on Ubuntu 16.04
(1) Server firewall configuration
Open port 1194 (TCP, matching the proto setting in the client configurations below).
(2) easy-rsa installation
sudo apt-get -y install easy-rsa
(3) OpenVPN installation and configuration
sudo apt-get -y install openvpn libssl-dev openssl
The detailed configuration lives in /etc/openvpn/server.conf on the cloud server (compare it against the original server.conf; a backup of the original is kept in the same directory).
(4) Making and revoking certificates
Making
1. sudo mkdir /etc/openvpn/easy-rsa/

2. Copy the provided keys package into /etc/openvpn/easy-rsa/

3. source vars

4. Execute the instructions inside vars.txt

5. Under /etc/openvpn/easy-rsa/ execute ./build-key user1 (user1 is the user name)
(press Enter through the prompts; answer y to the last two questions to sign and commit the certificate)

6. user1.crt and user1.key are generated under keys/

7. After placing these two files in the client configuration, check the server log to confirm the user is online:
cat /etc/openvpn/openvpn.log

SENT CONTROL [user1]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Revocation
1. cd /etc/openvpn/easy-rsa/

2. source vars

3. Execute the instructions inside vars.txt

4. ./revoke-full nnn (nnn is the client certificate name)

5. Add this line to the server configuration file server.conf:
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

6. /etc/init.d/openvpn restart
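The log check in step 7 and the crl-verify rejections that follow a revocation can both be read out of the server log with a short script. This is an added example, not part of the original post: the sample log is constructed, the timestamp and peer-address prefix is assumed from a verb 3 server log, the VERIFY ERROR subject format is assumed, and the PUSH_REPLY lines mirror the one quoted above.

```shell
#!/bin/sh
# Added example: summarise an OpenVPN server log (constructed sample below).
#  - pushed_addresses: certificate names that completed session setup and the
#    tunnel address each was pushed (the 'ifconfig' value inside PUSH_REPLY)
#  - revoked_attempts: certificate names refused because they are on the CRL
# A PUSH_REPLY proves a session was set up, not that it is still up; the file
# named by the 'status' option lists the sessions that are current.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Mon Feb 22 10:00:01 2021 user1/203.0.113.5:51234 SENT CONTROL [user1]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Mon Feb 22 10:02:40 2021 vpncsy/198.51.100.20:40010 SENT CONTROL [vpncsy]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.13 10.8.0.14' (status=1)
Mon Feb 22 10:05:12 2021 203.0.113.9:40022 VERIFY ERROR: depth=0, error=certificate revoked: C=CN, O=ops, CN=user2, emailAddress=ops@example.com
Mon Feb 22 10:06:00 2021 user1/203.0.113.5:51234 SENT CONTROL [user1]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
EOF

# pushed_addresses LOG -> one "name tunnel_ip" line per client, repeats folded
pushed_addresses() {
    sed -n 's|.*SENT CONTROL \[\([^]]*\)]: .*PUSH_REPLY.*ifconfig \([0-9.]*\) [0-9.]*.*|\1 \2|p' "$1" | sort -u
}

# revoked_attempts LOG -> common names refused by crl-verify (subject format assumed)
revoked_attempts() {
    sed -n 's|.*VERIFY ERROR: .*error=certificate revoked: .*CN=\([^,]*\).*|\1|p' "$1" | sort -u
}

report() {
    echo "== clients that completed session setup (name tunnel_ip) =="
    pushed_addresses "$1"
    echo "== connection attempts refused: certificate revoked =="
    revoked_attempts "$1"
}

report "$SAMPLE_LOG"   # on the server: report /etc/openvpn/openvpn.log
```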

Certificates are produced in the following classes:
1. One certificate shared by multiple devices (gateway equipment) and one certificate per user (operation and maintenance personnel);
gateway equipment uses the vpncsy certificate, while personnel certificates are made individually as described above.

2. Gateway devices can be given a dynamic or a fixed IP address according to user needs; the
default is a dynamic IP.

Static IP setting method
Add to server.conf:
client-config-dir /etc/openvpn/ccd

Enter the /etc/openvpn/ccd directory and edit the file whose name matches the certificate (its common name)

Add the line ifconfig-push 10.8.0.13 10.8.0.14 to it, then
restart the VPN server

3. One certificate per user for operation and maintenance personnel can be made at any time and revoked at any time;
refer to the certificate making and revocation steps above
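The static IP method above amounts to writing one ccd file per fixed-IP client with a valid net30 address pair. The helper below is an added example, not from the original post: it derives the pair from a slot number so two devices cannot be handed the same /30 by accident. The ccd path and client names are assumptions.

```shell
#!/bin/sh
# Added example: pin a client to a fixed tunnel address through client-config-dir.
# With 'topology net30' (seen in the PUSH_REPLY above) every client owns one /30 of
# 10.8.0.0/24: slot n covers 10.8.0.(4n) .. 10.8.0.(4n+3). The post's
# 'ifconfig-push 10.8.0.13 10.8.0.14' is slot 3 with the client on 4n+1 and its
# peer on 4n+2; the dynamic pool in the log above hands them out the other way
# round (.6 local, .5 peer). Slot 0 (10.8.0.1/.2) is the server's own pair.

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"   # must equal client-config-dir in server.conf

# net30_pair SLOT -> "client_ip peer_ip"; fails for slots outside 1..63
net30_pair() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 63 ] || return 1
    echo "10.8.0.$(($1 * 4 + 1)) 10.8.0.$(($1 * 4 + 2))"
}

# write_ccd NAME SLOT -> writes $CCD_DIR/NAME and prints its path.
# NAME must be the certificate's common name, because that is how the server
# selects the file; a certificate shared by all gateways therefore cannot carry
# per-device fixed addresses, a fixed-IP device needs its own certificate.
write_ccd() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) echo "bad client name" >&2; return 1 ;; esac
    pair=$(net30_pair "$2") || { echo "bad slot: $2" >&2; return 1; }
    mkdir -p "$CCD_DIR"
    # refuse to give the same /30 to a second client
    if grep -lxs "ifconfig-push $pair" "$CCD_DIR"/* 2>/dev/null | grep -qv "^$CCD_DIR/$1\$"; then
        echo "slot $2 already assigned in $CCD_DIR" >&2; return 1
    fi
    printf 'ifconfig-push %s\n' "$pair" >"$CCD_DIR/$1"
    echo "$CCD_DIR/$1"
}
# afterwards restart the server as in the post: /etc/init.d/openvpn restart
```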
2. Building the firmware based on OpenWrt
(1) Firmware compilation steps
1. In make menuconfig, enable Network -> VPN -> openvpn-openssl
2. Enable LuCI -> Applications -> luci-app-openvpn
3. Modify the files/openvpn files:

config openvpn 'custom_config'
option config '/etc/openvpn/my-vpn.conf'
option dev 'tun'
option nobind '1'
option client '1'
option port '1194'
option remote 'server_ip'
option proto 'tcp'
option keepalive '10 120'
option compress 'lzo'
option status '/tmp/openvpn-status.log'
option persist_key '1'
option persist_tun '1'
option verb '3'
option user 'nobody'
option group 'nogroup'
option ca '/lib/uci/upload/cbid.openvpn.custom_config.ca'
option dh '/lib/uci/upload/cbid.openvpn.custom_config.dh'
option cert '/lib/uci/upload/cbid.openvpn.custom_config.cert'
option key '/lib/uci/upload/cbid.openvpn.custom_config.key'

config openvpn 'sample_server'
option port '1194'
option dev 'tun'
option remote 'server_ip'
option keepalive '10 120'
option compress 'lzo'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option group 'nogroup'
option status '/tmp/openvpn-status.log'
option verb '3'
option proto 'tcp'
option client '1'
option dev_type 'tun'
option ca '/lib/uci/upload/cbid.openvpn.sample_server.ca'
option dh '/lib/uci/upload/cbid.openvpn.sample_server.dh'
option enabled '1'
option cert '/lib/uci/upload/cbid.openvpn.sample_server.cert'
option key '/lib/uci/upload/cbid.openvpn.sample_server.key'

4. Add the following to the install section of the openvpn package Makefile so the built-in certificates land where the UCI config above expects them:

	$(INSTALL_DATA) \
	    files/openvpn.options \
	    $(1)/usr/share/openvpn/openvpn.options
	mkdir -p $(1)/lib/uci/upload
	$(INSTALL_DATA) \
	    files/cert/ca.crt \
	    $(1)/lib/uci/upload/cbid.openvpn.sample_server.ca
	$(INSTALL_DATA) \
	    files/cert/dh2048.pem \
	    $(1)/lib/uci/upload/cbid.openvpn.sample_server.dh
	$(INSTALL_DATA) \
	    files/cert/vpncsy.crt \
	    $(1)/lib/uci/upload/cbid.openvpn.sample_server.cert
	$(INSTALL_DATA) \
	    files/cert/vpncsy.key \
	    $(1)/lib/uci/upload/cbid.openvpn.sample_server.key

	$(INSTALL_CONF) files/openvpn.config \
	    $(1)/etc/config/openvpn

(2) Intranet mapping and firewall configuration
Add (maps port 8888 on the tunnel interface to the web service at 192.168.1.41:8000):
iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.1.41:8000

Delete:
iptables -t nat -D PREROUTING -i tun0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.1.41:8000
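Adding the rule above twice leaves two copies in the nat table, and the delete then has to be run twice. The helper below is an added example, not from the original post: it builds the same rule spec once, checks with -C before adding, and validates the port and destination first. The IPTABLES variable is an assumption so the helper can be dry-run with echo.

```shell
#!/bin/sh
# Added example: manage the tun0 -> intranet DNAT mapping from the post without
# stacking duplicate rules. Matching on '-i tun0' keeps the intranet service
# reachable only through the tunnel; nothing is opened on the WAN side.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run

# valid_port N -> succeeds when N is a decimal port number 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_dest HOST:PORT -> succeeds for a dotted-quad IPv4 host and a valid port
valid_dest() {
    host=${1%:*}; port=${1##*:}
    [ "$host" != "$1" ] && valid_port "$port" || return 1
    echo "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# dnat_spec VPN_PORT HOST:PORT -> the nat rule spec shared by check, add and delete
dnat_spec() {
    valid_port "$1" && valid_dest "$2" || return 1
    echo "PREROUTING -i tun0 -p tcp -m tcp --dport $1 -j DNAT --to-destination $2"
}

# port_map add|del VPN_PORT HOST:PORT
port_map() {
    spec=$(dnat_spec "$2" "$3") || { echo "bad port or destination: $2 $3" >&2; return 1; }
    case "$1" in
        # -C tests for the exact rule first, so repeated 'add' calls do not pile up copies
        add) $IPTABLES -t nat -C $spec 2>/dev/null || $IPTABLES -t nat -A $spec ;;
        del) $IPTABLES -t nat -D $spec ;;
        *)   echo "usage: port_map add|del vpn_port host:port" >&2; return 1 ;;
    esac
}
# On the gateway (as root):  port_map add 8888 192.168.1.41:8000
```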

3. Networking of the Windows client
Copy the certificate to the specified location and modify the .ovpn file.

4. Networking of the OpenWrt client
1. Device with a dynamic IP
Use the vpncsy certificate to obtain a dynamic IP
2. Device with a fixed IP address
Refer to the static IP setting method above

Origin blog.51cto.com/13300270/2607700