http://blog.chinaunix.net/u/7667/showart_30753.html
This article describes a simple way to build a bridged VPN with OpenVPN. The server runs Debian GNU/Linux sarge, brought up to date with apt-get dist-upgrade, kernel 2.4.27-1-686 (not recompiled), with OpenVPN 1.6.0+2.beta14-1 (installed with apt-get install openvpn). Client 1 runs Debian GNU/Linux sid, kernel 2.6.8-1-k7 (not recompiled), with OpenVPN 1.99+2.beta17-1 (installed with apt-get install openvpn). Client 2 runs Windows 2000 Advanced Server SP4, with OpenVPN 1.6 installed in C:\Program Files\OpenVPN (openvpn-1.6.0-install.exe, downloaded from http://openvpn.sourceforge.net/ (http://umn.dl.sourceforge.net/sourceforge/openvpn/openvpn-1.6.0-install.exe) and installed directly).
1 Network topology:
| 
|       br0(eth1) |------|eth0          tap0,ip:192.168.0.101|------| 
|----------------|server|----------------------------------|client| 
|   ip:192.168.0.3|------|ip:1.2.3.4         eth0,ip:5.6.7.8|------| 
| 
|intranet 
|192.168.0.0/24 
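While OpenVPN on the server is stopped, the server talks to the intranet through eth1, whose IP address is 192.168.0.3/24.
Once OpenVPN on the server has been started, the server talks to the intranet through br0, whose IP address is 192.168.0.3/24.
The client's IP address is 5.6.7.8; once the VPN is up, the client talks to the intranet through tap0 using 192.168.0.101/24.
2 Software installation
The server and client 1 additionally need bridge-utils and liblzo1, which can be installed with apt-get.
Client 2 needs no other special software.
3 Setting up the VPN
3.1 On the server, run openvpn --genkey --secret static.key to generate the key used to establish the VPN.
static.key is the file that holds the key. Copy it to /etc/openvpn/ on the server and on client 1,
and to the config directory under the OpenVPN installation directory on client 2.
3.2 Copy the following files to /etc/openvpn/. On startup, /etc/init.d/openvpn reads the *.conf files in that directory.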
====================server's bridge-up==================== 
#!/bin/bash 
################################## 
# Set up Ethernet bridge on Linux# 
################################## 
# Define Bridge Interface 
br="br0" 
# Define list of TAP interfaces to be bridged together 
tap="tap0" 
# Define physical ethernet interface to be bridged 
# with TAP interface(s) above. 
eth="eth1" 
eth_ip="192.168.0.3" 
eth_netmask="255.255.255.0" 
eth_broadcast="192.168.0.255" 
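# Create the persistent TAP device(s) before OpenVPN is started
for t in $tap; do
    openvpn --mktun --dev $t
    echo "add tun $t"
done
# Create the bridge, then attach the physical interface and the TAP device(s)
brctl addbr $br
echo "add bridge $br"
brctl addif $br $eth
echo "add $eth to bridge $br"
for t in $tap; do
    brctl addif $br $t
    echo "add $t to bridge $br"
done
# Bridge members carry no IP address of their own and run in promiscuous mode
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
    echo "set $t promisc mode"
done
ifconfig $eth 0.0.0.0 promisc up
echo "set $eth promisc mode"
# The bridge takes the address that eth1 used before
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
echo "config $br with ip $eth_ip netmask $eth_netmask broadcast $eth_broadcast"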
======================end of bridge-up======================== 
====================server's bridge-down====================== 
#!/bin/bash 
#################################### 
# Tear Down Ethernet bridge on Linux 
#################################### 
# Define Bridge Interface 
br="br0" 
# Define list of TAP interfaces to be bridged together 
tap="tap0" 
ifconfig $br down 
echo "bridge $br down" 
brctl delbr $br 
echo "delete bridge $br" 
# Remove the persistent TAP device(s)
for t in $tap; do
    openvpn --rmtun --dev $t
    echo "delete tun $t"
done
======================end of bridge-down======================== 
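====================server's openvpn.conf=======================
# Linux VPN server config file
# Local and remote port used by openvpn
port 1194
# TAP device created by bridge-up
dev tap0
# Static Key encryption mode (non-TLS), shared secret file static.key
secret static.key
log-append /var/log/openvpn.log
fragment 1400
# Ping remote once every 10 seconds
ping 10
# Restart if 35 seconds pass without reception of remote ping
ping-restart 35
# Run the --ping-restart timer only if we have a remote address
ping-timer-rem
# Keep the tap device and the key across SIGUSR1 or --ping-restart
persist-tun
persist-key
# LZO compression, without adaptive mode
comp-lzo
comp-noadapt
# Drop privileges after initialization
user nobody
group nogroup
verb 4
====================end of openvpn.conf========================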
====================client 1's bridge-up======================== 
#!/bin/bash 
################################# 
# Set up Ethernet bridge on Linux 
################################# 
# Define Bridge Interface 
br="br0" 
# Define list of TAP interfaces to be bridged together 
tap="tap0" 
# Client 1 uses 192.168.0.101/24 to communicate with the intranet
eth_ip="192.168.0.101"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
# Create the persistent TAP device(s) before OpenVPN is started
for t in $tap; do
    openvpn --mktun --dev $t
    echo "add tun $t"
done
brctl addbr $br
echo "add bridge $br"
for t in $tap; do
    brctl addif $br $t
    echo "add $t to bridge $br"
done
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
    echo "set $t promisc mode"
done
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
echo "config $br with ip $eth_ip netmask $eth_netmask broadcast $eth_broadcast"
======================end of bridge-up========================== 
====================client 1's bridge-down====================== 
#!/bin/bash 
##################################### 
# Tear Down Ethernet bridge on Linux# 
##################################### 
# Define Bridge Interface 
br="br0" 
# Define list of TAP interfaces to be bridged together 
tap="tap0" 
ifconfig $br down 
echo "bridge $br down" 
brctl delbr $br 
echo "delete bridge $br" 
# Remove the persistent TAP device(s)
for t in $tap; do
    openvpn --rmtun --dev $t
    echo "delete tun $t"
done
======================end of bridge-down======================== 
====================client 1's openvpn.conf=====================
# Linux VPN client config file
# This file should be put into /etc/openvpn/
# Local and remote port used by openvpn
# You can specify the local port with the "lport" option and the remote port with "rport"
# By default, Debian's openvpn uses port 5000
port 1194
# Tap device used by openvpn
dev tap0
# Enable Static Key encryption mode (non-TLS). Use shared secret file static.key
# This file is generated with "openvpn --genkey --secret static.key"
secret static.key
# Append log to /var/log/openvpn.log; if this file does not exist, it will be
# created.
log-append /var/log/openvpn.log
# VPN server's address
remote 1.2.3.4
fragment 1400
# Ping remote once every 10 seconds over TCP/UDP port
ping 10
# Restart if 35 seconds pass without reception of remote ping
ping-restart 35
# Run the --ping-exit/--ping-restart timer only if we have a remote address
# Only the client has a remote address
ping-timer-rem
# Keep tun/tap device open across SIGUSR1 or --ping-restart
persist-tun
# Don't re-read key files across SIGUSR1 or --ping-restart
persist-key
# Use fast LZO compression -- may add up to 1 byte per packet for uncompressible
# data.
comp-lzo
# Don't use adaptive compression when --comp-lzo is specified
comp-noadapt
# Set UID to nobody after initialization
user nobody
# Set GID to nogroup after initialization
group nogroup
# Set output verbosity to 4
# 4 means "show parameters"
verb 4
====================end of openvpn.conf========================
====================client 2's openvpn.ovpn=====================
# Windows VPN client config file
# This file should be put into C:\Program Files\OpenVPN\config
# if you installed OpenVPN in C:\Program Files\OpenVPN
port 1194
dev tap
secret static.key
# Client 2 uses 192.168.0.101/24 to communicate with the intranet
ifconfig 192.168.0.101 255.255.255.0
log-append /var/log/openvpn.log
remote 1.2.3.4
fragment 1400
tap-sleep 1
ifconfig-nowarn
ip-win32 dynamic
ping 10
comp-lzo
comp-noadapt
verb 4
====================end of openvpn.ovpn========================
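In static-key mode nothing is pushed from the server, so port, device type, fragment and comp-lzo have to be kept identical by hand in every config above, and static.key is the only credential protecting the link. The following pre-flight check is an added example, not part of the original article: the function names opt, ovpn_compare and key_is_private are made up here, and the sample files are constructed from the link options shown in the configs above.

```shell
#!/bin/sh
# Added example, not part of the original article; function names are made up.

# Print the argument of option $2 in config $1: "on" if the option takes no
# argument, "off" if it is absent. Comment lines never match.
opt() {
    awk -v k="$2" '$1 == k { print ($2 == "" ? "on" : $2); f = 1; exit }
                   END { if (!f) print "off" }' "$1"
}

# Compare the settings both peers of a static-key link must agree on.
# Prints one line per mismatch; the exit status is the number of mismatches.
ovpn_compare() {
    bad=0
    for k in port dev secret fragment comp-lzo; do
        a=$(opt "$1" "$k"); b=$(opt "$2" "$k")
        case $k in
            dev)    a=${a%%[0-9]*}; b=${b%%[0-9]*} ;;  # tap0 and tap: same type
            secret) [ "$a" = off ] || a=on; [ "$b" = off ] || b=on ;;  # names may differ
        esac
        if [ "$a" != "$b" ]; then
            echo "MISMATCH $k: $1=$a $2=$b"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Succeed only if key file $1 exists and grants nothing to group or others.
key_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample data: the link options of the article's server and
# Windows client configs, plus a client that forgot "fragment" and "comp-lzo".
tmp=$(mktemp -d)
printf '%s\n' 'port 1194' 'dev tap0' 'secret static.key' 'fragment 1400' \
    'comp-lzo' > "$tmp/server.conf"
printf '%s\n' '#Windows client' 'port 1194' 'dev tap' 'secret static.key' \
    'remote 1.2.3.4' 'fragment 1400' 'comp-lzo' > "$tmp/client2.ovpn"
printf '%s\n' 'port 1194' 'dev tap0' 'secret static.key' \
    'remote 1.2.3.4' > "$tmp/broken.conf"
: > "$tmp/static.key"; chmod 644 "$tmp/static.key"

ovpn_compare "$tmp/server.conf" "$tmp/client2.ovpn" && echo "client2: consistent"
ovpn_compare "$tmp/server.conf" "$tmp/broken.conf" || echo "broken: $? mismatch(es)"
key_is_private "$tmp/static.key" || echo "static.key is readable by group/others"
```

On a real host, point ovpn_compare at /etc/openvpn/openvpn.conf and a copy of the peer's config, and run chmod 600 on static.key if key_is_private fails.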
3.3 Starting the VPN
Start the VPN server first, then the VPN client.
3.3.1 To start the VPN server, run /etc/openvpn/bridge-up and then /etc/init.d/openvpn start.
Running /etc/init.d/openvpn start first will fail.
3.3.2 To start the VPN client, run /etc/openvpn/bridge-up and then /etc/init.d/openvpn start.
3.3.3 When the VPN client is Windows, run net start openvpnservice.
3.4 Shutting down the VPN
Shut down the VPN client first, then the VPN server.
3.4.1 To shut down the VPN client, run /etc/init.d/openvpn stop and then /etc/openvpn/bridge-down.
3.4.2 When the VPN client is Windows, run net stop openvpnservice.
3.4.3 To shut down the VPN server, run /etc/init.d/openvpn stop and then /etc/openvpn/bridge-down.
4 References
4.1 The OpenVPN home page http://openvpn.sourceforge.net/
4.2 Ethernet Bridging http://openvpn.sourceforge.net/bridge.html
4.3 Implementing OpenVPN http://fedoranews.org/contributors/florin_andrei/openvpn/
4.4 Quickly building an enterprise VPN with OpenVPN + Linux http://www.linuxaid.com.cn/articles/1/0/1052518204.shtml
Feel free to get in touch with me. Contact: @xinhuanet.com
Reposted from: https://blog.51cto.com/axlrose/1292961