mss的openvirtual** 带证书登录安装方法

sk***

使用jfcai编制的tun.o文件,在宝乙2.66,一键安装包1.05下直接安装.
-------------------------
网络结构:
路由:192.168.1.1
MSS1:192.168.1.100
-------------------------
1.将tun.o放在了/opt/lib/modules/下运行
mkdir /dev/net
chown root:root /dev/net
mknod /dev/net/tun c 10 200
chown root:root /dev/net/tun


2.用ipkg 直接装openvirtual**:
ipkg install openvirtual**

3.我是在/opt/etc/下建了virtual**目录,将证书文件ca.crt,server.key,server.crt,dh1024.pem上传

到virtual**目录下,并用运行以下命令修改文件权限.(略证书的生成方法....)
chmod 600 server.key
修改好后目录下的文件如下:
-rwxr--r-- 1 root root  1245 2009-04-17 10:52 ca.crt
-rwxr--r-- 1 root root   245 2009-04-17 10:52 dh1024.pem
-rwxr--r-- 1 root root  3647 2009-04-17 10:52 server.crt
-rw------- 1 root root   887 2009-04-17 10:52 server.key

4.在/opt/etc/virtual**/下建立服务器配置文件server.conf:
# Tunnel options
script-security 2
mode server
proto tcp-server
port xx #服务端口
dev tap0
keepalive 20 120
push "route-gateway 192.168.1.100"
push "redirect-gateway def1"
daemon
verb 3
comp-lzo
log /opt/etc/virtual**/openvirtual**.log
# Openvirtual** server mode options
client-to-client
duplicate-cn
max-clients 5
# TLS Mode Options
tls-server
ca /opt/etc/virtual**/ca.crt
dh /opt/etc/virtual**/dh1024.pem
cert /opt/etc/virtual**/server.crt
key /opt/etc/virtual**/server.key

5.客户端配置文件client.ovirtual**
pull
tls-client
dev tap
ca ca.crt
cert client.crt
key client.key
proto tcp-client
remote XXX.XXX.XXX.XXX xx  #路由的WAN IP
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
float

6.在/opt/etc/virtual**/下建立bridge-start启动文件:
#!/bin/sh
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.100"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
ifconfig $eth down
for t in $tap; do
    /opt/sbin/openvirtual** --mktun --dev $t
done
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw 192.168.1.1

7.在/opt/etc/virtual**/下建立bridge-stop停止文件:
#!/bin/sh
####################################
# Tear Down Ethernet bridge on Linux
####################################
# Define Bridge Interface
killall openvirtual**
br="br0"
# Define list of TAP interfaces to be bridged together
tap="tap0"
ifconfig $br down
brctl delbr $br
for t in $tap; do
    /opt/sbin/openvirtual** --rmtun --dev $t
done
eth="eth0"
eth_ip="192.168.1.100"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
ifconfig $eth down
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw 192.168.1.1

8.设置bridge-start,bridge-stop文件权限:
chmod 755 bridge*

注:最终/opt/etc/virtual**/下的文件结构如下
-rwxr-xr-x 1 root root   905 2009-04-20 21:14 bridge-start
-rwxr-xr-x 1 root root   546 2009-04-20 21:15 bridge-stop
-rwxr--r-- 1 root root  1245 2009-04-17 10:52 ca.crt
-rwxr--r-- 1 root root   245 2009-04-17 10:52 dh1024.pem
-rwxr--r-- 1 root root   429 2009-04-20 22:04 server.conf
-rwxr--r-- 1 root root  3647 2009-04-17 10:52 server.crt
-rw------- 1 root root   887 2009-04-17 10:52 server.key

9.编辑开机启动openvirtual**,
vi /opt/etc/init.d/S99local
在最后添加:
echo 1 > /proc/sys/net/ipv4/ip_forward
insmod /opt/lib/modules/tun.o
/opt/etc/virtual**/bridge-start
sleep 5
/opt/sbin/openvirtual**  --cd /opt/etc/virtual** --config server.conf --daemon

10.在路由上打开端口8088转发到MSS1上就可以了.

11.MSS1的系统时间必须在证书的有效期内,如证书有效期是2009-4-1至2019-4-1的,MSS的系统时

间必须在2009-4-1至2019-4-1间.MSS的系统时间可用date命令查看,如不正确可用date命令修改格

式如下:
date 040201012009  #(月日时分年)（完整书写）
注:
1.MSS重启后会出现桥接
br0       Link encap:Ethernet  HWaddr 00:xx:xx:xx:xx:xx  
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:485341 errors:0 dropped:0 overruns:0 frame:0
          TX packets:423362 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:379441829 (361.8 MiB)  TX bytes:148264332 (141.3 MiB)

eth0      Link encap:Ethernet  HWaddr 00:xx:xx:xx:xx:xx  
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:485449 errors:0 dropped:0 overruns:0 frame:0
          TX packets:424921 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:388186802 (370.2 MiB)  TX bytes:148371210 (141.4 MiB)
          Interrupt:4 Base address:0x1000

lo        Link encapocal Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:72 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6165 (6.0 kiB)  TX bytes:6165 (6.0 kiB)

tap0      Link encap:Ethernet  HWaddr 00:FF:xx:xx:xx:xx  
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2208 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 iB)  TX bytes:290169 (283.3 kiB)

2.客户端链接后,default gw 为192.168.1.100 ,可以访问192.168.1.0/24内网的机器,可以通过

MSS访问INTERNET.

收藏 分享 评分

sk***

tun.o

risef***

请问如何在mss上建ca 及自签名证书？

yiny***

楼主能否改造下mss的风扇，现在的风扇不停转，很烦人

shellc***

1# skiy


楼主大作，支持一下，并问下，现在这个教程还可用不？？

yumi***

不错。mark一下

wee***

好主意！收藏了