Server-side configuration
Install the OpenVPN software
opkg update
opkg install openvpn openvpn-easy-rsa   # easy-rsa is optional; I do the easy-rsa steps on a PC instead
[important]The steps below are performed on Windows, so download and install the Windows version of OpenVPN first. If you intend to run easy-rsa on the router itself, see sources ① and ④ in the references at the end of the article.[/important]
Generate the CA and the certificates
Edit OpenVPN\easy-rsa\vars.bat.sample with your own information:
set KEY_COUNTRY=CN
set KEY_PROVINCE=Guangdong
set KEY_CITY=Guangzhou
set KEY_ORG=7forz
set KEY_EMAIL=7f@7forz.com
set KEY_CN=7forz
set KEY_NAME=7forz
set KEY_OU=7forz
set PKCS11_MODULE_PATH=7forz.com
set PKCS11_PIN=1234
Open cmd, change into OpenVPN\easy-rsa, and run the following commands:
init-config
vars
clean-all
build-ca (creates the root certificate)
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Guangzhou]:
Organization Name (eg, company) [7forz]:
Organizational Unit Name (eg, section) [7forz]:
Common Name (eg, your name or your server’s hostname) [7forz]:
Name [7forz]:
Email Address [7f@7forz.com]:
build-dh
build-key-server server (creates the server certificate; "server" is the machine name)
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Guangzhou]:
Organization Name (eg, company) [7forz]:
Organizational Unit Name (eg, section) [7forz]:
Common Name (eg, your name or your server’s hostname) [7forz]:
Name [7forz]:
Email Address [7f@7forz.com]:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:
build-key client1 (creates a client certificate; client1 is the user name, and you can create client2, client3 and so on afterwards)
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Guangzhou]:
Organization Name (eg, company) [7forz]:
Organizational Unit Name (eg, section) [7forz]:
Common Name (eg, your name or your server’s hostname) [7forz]:
Name [7forz]:
Email Address [7f@7forz.com]:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:
If the error
failed to update database
TXT_DB error number 2
appears, it seems to be caused by an identical Common Name. Either change the Common Name while generating, or open keys\index.txt, clear its contents, and run the build-key client1 command again.
Then copy ca.crt, server.* and dh*.pem to the router's /etc/openvpn directory,
and put ca.crt and client*.* into the OpenVPN\config directory on your PC.
Modify the router's network configuration
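Clearing keys\index.txt discards the CA's record of every certificate it has issued, so it is better to find the clash first. The following is an added example, not part of the original post: it scans easy-rsa's index.txt for subjects that already hold a valid certificate, which is what triggers the TXT_DB error. The sample database and the subject() helper are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check easy-rsa's keys/index.txt
# for duplicate subjects before running build-key again. OpenSSL's CA database
# refuses to issue a second valid certificate with the same subject DN, which
# is the "TXT_DB error number 2" above; in this tutorial every field comes
# from vars.bat, so two certificates collide unless their Common Name differs.
# index.txt is tab-separated: status, expiry, revocation, serial, file, subject.

# Print "<count>\t<subject>" for every valid (V) subject that appears more
# than once. Returns 0 when no duplicates exist, 1 otherwise.
find_duplicate_subjects() {
    awk -F'\t' '
        { sub(/\r$/, "") }            # tolerate CRLF written by Windows tools
        $1 == "V" { seen[$6]++ }      # only valid entries take part in the clash
        END {
            dup = 0
            for (s in seen)
                if (seen[s] > 1) { printf "%d\t%s\n", seen[s], s; dup = 1 }
            exit dup
        }' "$1"
}

# Constructed sample database: the server certificate and client1 were both
# issued with the vars.bat defaults, so their subject DN is identical.
subject() {
    printf '/C=CN/ST=Guangdong/L=Guangzhou/O=7forz/OU=7forz/CN=%s/name=7forz/emailAddress=7f@7forz.com' "$1"
}
SAMPLE_INDEX="$(mktemp)"
{
    printf 'V\t280101000000Z\t\t01\tunknown\t%s\n' "$(subject 7forz)"
    printf 'V\t280101000000Z\t\t02\tunknown\t%s\n' "$(subject 7forz)"
    printf 'V\t280101000000Z\t\t03\tunknown\t%s\n' "$(subject client2)"
} > "$SAMPLE_INDEX"

if find_duplicate_subjects "$SAMPLE_INDEX"; then
    echo "index.txt is clean; build-key can proceed"
else
    echo "duplicate subject(s) listed above: give the next certificate a unique Common Name"
fi
```

Run it against the real keys\index.txt (the awk program works unchanged in Git Bash or on the router's busybox awk) before deciding whether a Common Name needs changing.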
1.Create the VPN interface
Log in to the router with PuTTY and run:
uci set network.vpn=interface
uci set network.vpn.ifname=tun0
uci set network.vpn.proto=none
uci commit network; /etc/init.d/network reload
2.Allow OpenVPN tunnel negotiation
uci add firewall rule
uci set firewall.@rule[-1].name=Allow-Inbound-OpenVPN
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].family=ipv6
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=1194
3.Allow OpenVPN tunnel utilization
uci add firewall zone
uci set firewall.@zone[-1].name=vpn
uci set firewall.@zone[-1].input=ACCEPT
uci set firewall.@zone[-1].forward=REJECT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].network=vpn
4.Allow the client to access the OpenVPN server's LAN via the VPN (optional)
uci add firewall forwarding
uci set firewall.@forwarding[-1].src=vpn
uci set firewall.@forwarding[-1].dest=lan
5.Allow the client to access the OpenVPN server's WAN via the VPN (optional)
uci add firewall forwarding
uci set firewall.@forwarding[-1].src=vpn
uci set firewall.@forwarding[-1].dest=wan
6.Finally, commit the changes
uci commit firewall; /etc/init.d/firewall reload
Note that Step 4 and 5 overrule the REJECT in Step 3. You may want only Step 4, or only Step 5, or maybe both. That is,
Step 3 will allow the VPN client(s) to access the OpenVPN server itself
Step 4 will allow the VPN client(s) to access networks via the OpenVPN server’s LAN interfaces
Step 5 will allow the VPN client(s) to access networks via the OpenVPN server’s WAN interfaces
Modify the OpenVPN parameters
1.Clear the default OpenVPN configuration file /etc/config/openvpn, then run:
echo > /etc/config/openvpn
uci set openvpn.myvpn=openvpn
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.dev=tun
uci set openvpn.myvpn.persist_tun=1
uci set openvpn.myvpn.persist_key=1
uci set openvpn.myvpn.proto=udp6   ## ipv6
uci set openvpn.myvpn.comp_lzo=yes
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.log=/tmp/openvpn.log
uci set openvpn.myvpn.status=/tmp/openvpn-status.log
uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt
uci set openvpn.myvpn.cert=`ls /etc/openvpn/server*.crt`   ## NB: these are back-quotes
uci set openvpn.myvpn.key=`ls /etc/openvpn/server*.key`   ## NB: these are back-quotes
2.To that, add the server-specific parameters.
uci set openvpn.myvpn.server='10.8.0.0 255.255.255.0'   ## NB: these are single quotes
uci set openvpn.myvpn.port=1194
uci set openvpn.myvpn.ifconfig_pool_persist=/tmp/openvpn-ipp.txt
uci set openvpn.myvpn.keepalive='10 120'   ## NB: these are single quotes
uci set openvpn.myvpn.dh=`ls /etc/openvpn/dh*.pem`   ## NB: these are back-quotes
uci add_list openvpn.myvpn.push='dhcp-option DNS 114.114.114.114'
uci add_list openvpn.myvpn.push='route-gateway 10.8.0.1'
3.And finally, the tricky bit (read the note below before running this command):
uci add_list openvpn.myvpn.push='redirect-gateway def1' ## NB: these are single quotes
[notice]
If the OpenVPN client and server are on the same subnet, then you must add the local flag. Use instead: uci add_list openvpn.myvpn.push='redirect-gateway def1 local'
If your OpenVPN client is not meant to route all its traffic via the server (and should therefore keep using its existing default gateway), then you should not use the redirect-gateway option at all.
[/notice]
4.Commit the configuration, enable and start the OpenVPN daemon:
uci commit openvpn; /etc/init.d/openvpn enable
Client-side configuration
Create a new file with a text editor, paste in the following and adjust it:
client
dev tun
proto udp6
remote [your router's IPv6 address] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
Save it as client1.ovpn, import it into your OpenVPN client, and you can start testing.
Some reference sources:
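Instead of shipping ca.crt, client1.crt and client1.key alongside the .ovpn, the profile can carry them inline. The following is an added example, not code from the original post: make_inline_ovpn (a name chosen here) writes the same client configuration as above with the three files embedded, assuming the files produced by build-key sit in the current directory; the placeholder certificate files at the end are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): build one self-contained .ovpn
# that embeds ca.crt, <name>.crt and <name>.key inline, so the client imports
# a single file instead of four.
# Assumption: the files produced by build-key are in the current directory.

# easy-rsa's .crt files start with a human-readable dump; keep only the PEM
# block so the profile carries nothing but the certificate itself.
pem() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# Usage: make_inline_ovpn <client-name> <router-ipv6-address> > client1.ovpn
# Returns 1 (writing nothing) if any of the three input files is missing.
make_inline_ovpn() {
    name="$1"
    server="$2"
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp6
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
<ca>
$(pem ca.crt)
</ca>
<cert>
$(pem "$name.crt")
</cert>
<key>
$(pem "$name.key")
</key>
EOF
}

# Constructed placeholder files so this runs offline; real ones come from build-key.
WORK="$(mktemp -d)"
cd "$WORK" || exit 1
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER' '-----END CERTIFICATE-----' > ca.crt
printf '%s\n' 'Certificate:' '    Data: (text dump)' '-----BEGIN CERTIFICATE-----' 'CLIENT-PLACEHOLDER' '-----END CERTIFICATE-----' > client1.crt
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' '-----END PRIVATE KEY-----' > client1.key
make_inline_ovpn client1 2001:db8::1 > client1.ovpn && chmod 600 client1.ovpn
```

The resulting file contains the client's private key, so it is written with mode 600 and should be transferred to the client machine over a protected channel.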