
Detailed OpenVPN installation and configuration on Windows Server 2008 R2

2025-02-21 Update. From: SLTechnology News & Howtos (shulou), Servers section


Shulou (Shulou.com) 06/02 report

VPN literally translates as "virtual private channel": a tunnel for secure data transmission between enterprise sites, or between an individual and a company. OpenVPN is undoubtedly the vanguard of open-source VPN software on Linux, offering good performance and a user-friendly GUI.

Its control channel relies heavily on the SSLv3/TLSv1 implementation in the OpenSSL cryptographic library.

OpenVPN currently runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Microsoft Windows, as well as Android and iOS, and includes many security features. It is not web-based software, and it is not compatible with IPsec or other VPN packages.

OpenVPN download: http://openvpn.ustc.edu.cn/

Server installation

Installing to drive C: is recommended; all paths below assume the default location C:\Program Files\OpenVPN.

Initialization, before any certificate is generated:

(1) Edit the following lines in C:\Program Files\OpenVPN\easy-rsa\vars.bat.sample (the init-config step below copies this sample to vars.bat, so editing the sample means your values survive a later init-config):

set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=FortFunston
set KEY_EMAIL=mail@domain.com

Change these to match your own organization, for example:

set HOME=C:\Program Files\OpenVPN\easy-rsa
set KEY_COUNTRY=CN            (country)
set KEY_PROVINCE=GuangDong    (province)
set KEY_CITY=ShenZhen         (city)
set KEY_ORG=oovc.com          (organization)
set KEY_EMAIL=admin@oovc.com  (e-mail address)

The parenthesized notes are explanations only; do not type them into the file, since a batch file has no "#" comment syntax and the text would become part of the value. These values become the subject fields of every certificate the CA issues. The same file also sets KEY_SIZE; build-dh names its output after it (dh<KEY_SIZE>.pem), and 2048 is the minimum you should use today.

Open a command prompt:

Start > Run... > type cmd and press Enter,

or Start > Programs > Accessories > Command Prompt.

Change to the C:\Program Files\OpenVPN\easy-rsa directory:

The commands are as follows:

(1) cd "C:\Program Files\OpenVPN\easy-rsa"

init-config

vars

clean-all

This completes the initialization. Later, when you generate further certificates from a new command prompt, you only need to change to the easy-rsa directory and run vars again; do not repeat init-config (it overwrites vars.bat with the sample) or clean-all (it empties the keys directory, destroying your CA).

(2) Now generate the certificates:

Generate the root (CA) certificate and key:

build-ca

Generate the Diffie-Hellman parameters:

build-dh

Generate the server certificate and key:

build-key-server server

Generate client certificates and keys:

build-key client

build-key client1      (repeat with a new name for each additional VPN client)

The generated files are placed in C:\Program Files\OpenVPN\easy-rsa\keys. build-dh writes dh<KEY_SIZE>.pem, so with the default KEY_SIZE in vars.bat the file is dh1024.pem (dh2048.pem if you raised KEY_SIZE to 2048). Give every client its own certificate with a unique common name: by default OpenVPN allows one concurrent session per common name, and revocation (below) works per certificate.

Next, configure the server and the clients:

(3) Copy the generated ca.crt, dh1024.pem (or whatever build-dh produced), server.crt and server.key to C:\Program Files\OpenVPN\KEY on the server. These four files are all the server needs to run. Leave ca.key in easy-rsa\keys on the CA machine: the server does not need it, and anyone holding it can issue certificates your VPN will trust.

(4) ca.crt, client.crt and client.key are the files a VPN client needs. Copy them to C:\Program Files\OpenVPN\KEY on the client over a trusted channel; client.key is that client's private key and must not be shared between clients.

(5) Create server.ovpn in the C:\Program Files\OpenVPN\config directory.

Server-side example (server.ovpn):

local 192.168.3.1    # address the VPN server listens on
port 443             # listening port; change as needed, but keep 443 if clients will connect through an HTTP proxy
proto tcp-server     # carry the tunnel over TCP
dev tap              # tap is used on both ends here; tun also works on Windows via the TAP adapter, but server and client must match
server 192.168.0.0 255.255.255.0   # virtual VPN subnet; change as needed, but it must not overlap the subnet of the server's physical (dial-up) adapter
push "route 0.0.0.0 0.0.0.0"       # meant to send client Internet traffic through the VPN server; redundant with the redirect-gateway push below, which does this properly
keepalive 20 180
ca "C:\\Program Files\\OpenVPN\\KEY\\ca.crt"          # CA certificate; adjust the path to your installation
cert "C:\\Program Files\\OpenVPN\\KEY\\server.crt"    # server certificate; adjust the path
key "C:\\Program Files\\OpenVPN\\KEY\\server.key"     # server private key; adjust the path and keep the file readable only by the service account
dh "C:\\Program Files\\OpenVPN\\KEY\\dh1024.pem"      # Diffie-Hellman parameters; use the dh<KEY_SIZE>.pem file build-dh produced
push "redirect-gateway def1"
push "dhcp-option DNS 219.141.140.10"   # DNS server pushed to clients; adjust to your environment
mode server          # already implied by the server directive above; harmless
tls-server           # likewise implied by server
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"   # status file location; adjust the path
comp-lzo             # compression; no longer recommended, because compressing attacker-influenced traffic leaks plaintext (VORACLE)
verb 4

(6) Client settings: after installing OpenVPN on the client, copy the three files ca.crt, client.crt and client.key into C:\Program Files\OpenVPN\KEY. They are generated on the server (CA) side, so you have to obtain them from whoever runs the server you connect to.

Then write a client.ovpn configuration file, save it in C:\Program Files\OpenVPN\config, and the client can connect. As written, the client only checks that the server's certificate chains to ca.crt; any other certificate this CA issued, including another client's, would also pass. Adding remote-cert-tls server to the client closes that gap, since build-key-server marks server certificates with the extensions it checks.

Client example (client.ovpn):

client
dev tap                  # must match the server's dev setting (the author uses tap on Windows and tun on Linux)
proto tcp-client
remote 192.168.3.1 443   # domain name or IP address and port of the VPN server
resolv-retry infinite
nobind
# http-proxy 192.168.1.1 80   # uncomment and enter your proxy server address and port if you connect through an HTTP proxy
mute-replay-warnings
ca "C:\\Program Files\\OpenVPN\\KEY\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\KEY\\client.crt"   # change to this client's own certificate
key "C:\\Program Files\\OpenVPN\\KEY\\client.key"    # change to this client's own private key
comp-lzo                 # must match the server; see the note in server.ovpn
verb 4
status openvpn-status.log
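The two configurations above work, but a reviewer would flag several weak settings in them. The following Python script is an added example, not code from this page or from the OpenVPN project: it tokenizes .ovpn files the way OpenVPN does (quoted Windows paths, "#" and ";" comments), runs constructed, abridged copies of the page's server.ovpn and client.ovpn through a few checks, and shows an assumed hardened client that passes them. The checks are comp-lzo compression, a missing tls-auth/tls-crypt key (ta.key is an assumed file name), a server without crl-verify, a client without remote-cert-tls server, and the redundant default-route push.

```python
"""Lint OpenVPN .ovpn files for weak or missing security directives.

Added example; not code from the original page or from the OpenVPN
project. SERVER_OVPN and CLIENT_OVPN are constructed, abridged copies of
the page's server.ovpn and client.ovpn; HARDENED_CLIENT is an assumed
corrected client, and 'ta.key' an assumed tls-auth key file name.
"""
import re
from typing import List, Tuple

Directive = Tuple[int, str, List[str]]

# A token is "double quoted", 'single quoted' or a bare word. Quoting is
# what keeps Windows paths containing spaces together in OpenVPN configs.
_TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')

SERVER_OVPN = r"""
port 443
proto tcp-server
dev tap
server 192.168.0.0 255.255.255.0
push "route 0.0.0.0 0.0.0.0"
ca "C:\\Program Files\\OpenVPN\\KEY\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\KEY\\server.crt"
key "C:\\Program Files\\OpenVPN\\KEY\\server.key"
dh "C:\\Program Files\\OpenVPN\\KEY\\dh1024.pem"
push "redirect-gateway def1"
comp-lzo
"""

CLIENT_OVPN = r"""
client
dev tap
proto tcp-client
remote 192.168.3.1 443   # VPN server
ca "C:\\Program Files\\OpenVPN\\KEY\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\KEY\\client.crt"
key "C:\\Program Files\\OpenVPN\\KEY\\client.key"
comp-lzo
"""

# Assumed hardened client: no compression, the peer must present the server
# role that build-key-server sets, and a shared tls-auth key (generated with
# 'openvpn --genkey --secret ta.key' and copied to every peer) gates the
# control channel before any TLS processing happens.
HARDENED_CLIENT = r"""
client
dev tap
proto tcp-client
remote 192.168.3.1 443
ca "C:\\Program Files\\OpenVPN\\KEY\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\KEY\\client.crt"
key "C:\\Program Files\\OpenVPN\\KEY\\client.key"
remote-cert-tls server
tls-auth "C:\\Program Files\\OpenVPN\\KEY\\ta.key" 1
"""


def parse_ovpn(text: str) -> List[Directive]:
    """Return (line_no, directive, args); '#'/';' after whitespace start a comment."""
    out: List[Directive] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        # Only a comment marker preceded by whitespace counts, so a '#'
        # inside a quoted path is kept.
        line = re.split(r"\s[#;]", line, maxsplit=1)[0]
        toks = [a or b or c for a, b, c in _TOKEN.findall(line)]
        if toks:
            out.append((n, toks[0].lower(), toks[1:]))
    return out


def lint(text: str, role: str) -> List[str]:
    """Return findings for a 'server' or 'client' config; empty means clean."""
    cfg = parse_ovpn(text)
    names = {d for _, d, _ in cfg}
    pushes = {" ".join(a) for _, d, a in cfg if d == "push"}
    algos = [a[0] for _, d, a in cfg if d == "compress" and a]
    out: List[str] = []
    if "comp-lzo" in names or any(x not in ("stub", "stub-v2") for x in algos):
        out.append("compression enabled: attacker-influenced plaintext leaks "
                   "through compression side channels (VORACLE); remove it")
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        out.append("no tls-auth/tls-crypt: the TLS control channel accepts "
                   "packets from any unauthenticated source")
    if role == "server":
        if "crl-verify" not in names:
            out.append("no crl-verify: certificates revoked with revoke-full "
                       "are still accepted")
        if "route 0.0.0.0 0.0.0.0" in pushes and any(
                p.startswith("redirect-gateway") for p in pushes):
            out.append('push "route 0.0.0.0 0.0.0.0" is redundant with '
                       'push "redirect-gateway def1"')
    elif not names & {"remote-cert-tls", "ns-cert-type"}:
        out.append("no remote-cert-tls server: any certificate this CA issued, "
                   "including another client's, can impersonate the server")
    return out
```

Calling lint(SERVER_OVPN, "server") reports four findings and lint(CLIENT_OVPN, "client") three; lint(HARDENED_CLIENT, "client") reports none. The same treatment applies to the server side: drop comp-lzo, add tls-auth ta.key 0 (the server uses key direction 0, clients 1) and crl-verify once a CRL exists.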

(7) Other settings:

Once the client connects successfully, the VPN server's virtual IP is 192.168.0.1 and the client's is 192.168.0.2.

ping 192.168.0.1   (the two ends should now be able to ping each other)

Then enable "Internet Connection Sharing" on the VPN server so that clients can reach the Internet through it.

After that, clients connect normally with their certificates.

Revoking a certificate:

Open a command prompt in the easy-rsa directory under the OpenVPN installation directory (run vars first, as above) and use the revoke-full command to revoke a certificate.

The certificate to revoke (for example a departed colleague's client1.crt) must be present in easy-rsa\keys, which it is if it was generated on this machine. Then run:

revoke-full client1

client1 is the name the certificate was built with. The command marks the certificate as revoked in the CA database and writes a crl.pem file in the keys directory; that file is the certificate revocation list. revoke-full finishes by verifying the revoked certificate against the new CRL, so the closing "error 23 at 0 depth lookup:certificate revoked" message is the expected sign of success.

To revoke another certificate, run

revoke-full client2

which regenerates crl.pem in the keys directory, replacing the old one while still listing every previously revoked certificate.

Copy crl.pem into the config directory, add the following line to server.ovpn, and restart the OpenVPN service:

crl-verify crl.pem

Note: to revoke further certificates later, run revoke-full client3 (and so on), copy the new crl.pem over the copy in the config directory, and restart the OpenVPN service. Two caveats a practitioner should know: the CRL carries an expiry date (default_crl_days in easy-rsa's openssl configuration, 30 days by default), and once it expires OpenVPN rejects every connection until a fresh CRL is generated (another revoke-full run, or openssl ca -gencrl with the easy-rsa configuration); and revocation is only checked at TLS handshake time, so an already-connected revoked client keeps its session until the next renegotiation or the restart.
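Because crl-verify is evaluated only during a TLS handshake, a client whose certificate was just revoked keeps its current session until renegotiation (reneg-sec, 3600 seconds by default) or the service restart the steps above call for. The status file written by the server's status directive is the quickest way to confirm the revoked client is actually gone. The following Python script is an added example, not code from this page or from OpenVPN: it parses the default status format (status-version 1) over a constructed sample log and lists revoked common names that are still connected.

```python
"""Find revoked OpenVPN clients that are still connected.

Added example, not part of the original page. Parses the status file
written by the 'status' directive (status-version 1 format) and
intersects the connected common names with a set of revoked ones.
"""
from typing import Dict, List, Set

# Constructed sample of an openvpn-status.log in the default (version 1)
# format. With 'dev tap', the routing table's Virtual Address column holds
# the client's MAC address rather than an IP.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Wed Jun  2 10:15:02 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.7:51234,13580,9211,Wed Jun  2 09:58:40 2010
client2,198.51.100.22:40022,4021,6650,Wed Jun  2 10:03:12 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:4c:3a:91:02,client1,203.0.113.7:51234,Wed Jun  2 10:14:55 2010
00:ff:7d:10:e6:5b,client2,198.51.100.22:40022,Wed Jun  2 10:14:58 2010
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text: str) -> Dict[str, object]:
    """Parse a version-1 status file into its update time, clients and routes."""
    updated = ""
    clients: List[Dict[str, object]] = []
    routes: List[Dict[str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "END":
            continue
        if line in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS"):
            section = line          # section headers switch the parser state
            continue
        fields = line.split(",")    # no field in this format contains a comma
        if section == "OpenVPN CLIENT LIST":
            if fields[0] == "Updated":
                updated = fields[1]
            elif fields[0] != "Common Name" and len(fields) == 5:
                clients.append({
                    "cn": fields[0],
                    "real_address": fields[1],
                    "bytes_received": int(fields[2]),
                    "bytes_sent": int(fields[3]),
                    "connected_since": fields[4],
                })
        elif section == "ROUTING TABLE":
            if fields[0] != "Virtual Address" and len(fields) == 4:
                routes.append({
                    "virtual_address": fields[0],
                    "cn": fields[1],
                    "real_address": fields[2],
                    "last_ref": fields[3],
                })
    return {"updated": updated, "clients": clients, "routes": routes}


def revoked_but_connected(status_text: str, revoked: Set[str]) -> List[str]:
    """Common names present in the client list whose certificates are revoked.

    A non-empty result means the CRL has not taken effect for those sessions
    yet: either the service was not restarted or no renegotiation has happened.
    """
    status = parse_status(status_text)
    connected = {str(c["cn"]) for c in status["clients"]}  # type: ignore[index]
    return sorted(connected & revoked)


if __name__ == "__main__":
    # After 'revoke-full client1', client1 should disappear from the status
    # file once the service restarts; here it is still listed.
    print(revoked_but_connected(SAMPLE_STATUS, {"client1"}))
```

Point the script at the real file (C:\Program Files\OpenVPN\log\openvpn-status.log in the server configuration above) and at the names you passed to revoke-full; an empty list after the restart confirms the revoked sessions are gone.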
