openvpn

1. 服务端 openwrt安装配置openvpn

引用

1.1. 安装

opkg update
opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn

1.2. 证书及密钥生成

1.2.1. easy-rsa var变量设置

/etc/easy-rsa/vars末尾添加以下内容并设置全局变量，直接执行以下命令：

VARS="/etc/easy-rsa/vars"

echo ""                                          >> $VARS
echo "set_var EASYRSA_REQ_COUNTRY \"CN\""        >> $VARS
echo "set_var EASYRSA_REQ_PROVINCE \"Beijing\""  >> $VARS
echo "set_var EASYRSA_REQ_CITY \"Haidian\""      >> $VARS
echo "set_var EASYRSA_REQ_ORG \"IT\""            >> $VARS
echo "set_var EASYRSA_REQ_EMAIL \"IT\""          >> $VARS
echo "set_var EASYRSA_REQ_OU \"IT\""             >> $VARS
echo ""                                          >> $VARS
echo "set_var EASYRSA_KEY_SIZE 2048"             >> $VARS

cat $VARS
source $VARS

执行完 source $VARS后，会出现以下打印：

root@OpenWrt:~# source $VARS
You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details.
root@OpenWrt:~# 

设置EasyRAS变量，输入以下命令：

export EASYRSA_PKI="/etc/easy-rsa/pki"
export EASYRSA_REQ_CN="ovpnca"
export EASYRSA_BATCH="1"

1.2.2. 初始化pki目录

cd /etc/easy-rsa
easyrsa init-pki

1.2.3. 生成Diffie-Hellman pem并打印

cd /etc/easy-rsa
# 此步骤耗时可能会比较长，请耐心等待。
easyrsa gen-dh
cat /etc/easy-rsa/pki/dh.pem

1.2.4. 生成ca证书及秘钥

cd /etc/easy-rsa
easyrsa build-ca nopass
cat /etc/easy-rsa/pki/ca.crt

1.2.5. 生成Server证书及密钥并打印

cd /etc/easy-rsa
easyrsa build-server-full server nopass
cat /etc/easy-rsa/pki/private/server.key

1.2.6. 生成tls密钥并打印

输入以下命令：

cd /etc/easy-rsa
# 这里执行完成会有一个警告 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
openvpn --genkey --secret ${EASYRSA_PKI}/tc.pem
cat /etc/easy-rsa/pki/tc.pem

1.3. OpenVPN Server配置

Server防火墙默认配置修改

规则全部改为ACCEPT，输入以下命令查看防火墙当前默认配置：

uci show firewall | grep defaults 

会有如下打印：

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'  

我们需要将firewall.@defaults[0].forward='REJECT'改为firewall.@defaults[0].forward='ACCEPT'

输入以下命令：

uci set firewall.@defaults[0].forward='ACCEPT'  

同理修改LAN口和WAN口的配置，输入以下命令查看防火墙当前默认配置：

uci show firewall | grep zone  

会有如下打印：

firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1' 

将firewall.@zone[1].input='REJECT'改为firewall.@zone[1].input='ACCEPT'；

将firewall.@zone[1].forward='REJECT'改为firewall.@zone[1].forward='ACCEPT'。

输入以下命令：

uci set firewall.@zone[1].input='ACCEPT'
uci set firewall.@zone[1].forward='ACCEPT'

执行以下命令更新防火墙配置：

uci commit firewall
/etc/init.d/firewall restart  

VPN端口协议及防火墙配置

定义VPN服务端传输协议及端口，输入以下命令：

OVPN_PORT="11194"
# 我这里使用tcp，我也不知道为啥udp就是不通
OVPN_PROTO="tcp"

防火墙内添加tun+设备接口，输入以下命令：

uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.device="tun+"
uci add_list firewall.lan.device="tun+"
uci -q delete firewall.ovpn

根据传输协议及端口对防火墙进行配置，执行以下命令：

uci set firewall.ovpn="rule"
uci set firewall.ovpn.name="Allow-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.dest_port="${OVPN_PORT}"
uci set firewall.ovpn.proto="${OVPN_PROTO}"
uci set firewall.ovpn.target="ACCEPT"

更新防火墙配置并查看配置参数，执行以下命令

uci commit firewall
/etc/init.d/firewall restart

uci show firewall.ovpn

# 内核转发开启了则可以转发内网ip（如本地192.168.1.2 访问192.168.5.5 两个网关都在一台机器上），1为开启
cat /proc/sys/net/ipv4/ip_forward

其他非Openvrt可能在这里

[root@Web01 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf    #确保openvpn开启了ip转发
[root@Web01~]# sysctl -p
net.ipv4.ip_forward = 1

接口创建及信息完善
创建一个名为ovpn_server的vpn接口，输入以下命令：

export EASYRSA_PKI="/etc/easy-rsa/pki"

uci set openvpn.ovpn_server="openvpn"
uci set openvpn.ovpn_server.enabled="1"
uci set openvpn.ovpn_server.dev="tun"
uci set openvpn.ovpn_server.port="11194"
# 一般使用udp，这里我使用tcp,不知为啥udp不通
uci set openvpn.ovpn_server.proto="tcp"
uci set openvpn.ovpn_server.comp_lzo="no"
uci set openvpn.ovpn_server.log="/tmp/openvpn.log"
uci set openvpn.ovpn_server.status="/tmp/openvpn.status"
uci set openvpn.ovpn_server.verb="3"
uci set openvpn.ovpn_server.mute="5"
uci set openvpn.ovpn_server.keepalive="10 60"
uci set openvpn.ovpn_server.persist_key="1"
uci set openvpn.ovpn_server.persist_tun="1"
uci set openvpn.ovpn_server.user="nobody"
uci set openvpn.ovpn_server.group="nogroup"
uci set openvpn.ovpn_server.ca="${EASYRSA_PKI}/ca.crt"
uci set openvpn.ovpn_server.cert="${EASYRSA_PKI}/issued/server.crt"
uci set openvpn.ovpn_server.dh="${EASYRSA_PKI}/dh.pem"
uci set openvpn.ovpn_server.key="${EASYRSA_PKI}/private/server.key"
uci set openvpn.ovpn_server.mode="server"
uci set openvpn.ovpn_server.server="192.168.0.0 255.255.255.0"
uci set openvpn.ovpn_server.tls_server="1"
uci set openvpn.ovpn_server.topology="subnet"
uci set openvpn.ovpn_server.route_gateway="dhcp"
uci set openvpn.ovpn_server.client_to_client="1"
uci commit openvpn

uci add_list openvpn.ovpn_server.push="comp-lzo no"
uci add_list openvpn.ovpn_server.push="persist-key"
uci add_list openvpn.ovpn_server.push="persist-tun"
uci add_list openvpn.ovpn_server.push="user nobody"
uci add_list openvpn.ovpn_server.push="user nogroup"
uci add_list openvpn.ovpn_server.push="topology subnet"
uci add_list openvpn.ovpn_server.push="route-gateway dhcp"
uci add_list openvpn.ovpn_server.push="redirect-gateway def1"
uci add_list openvpn.ovpn_server.push="192.168.0.0 255.255.255.0"
uci add_list openvpn.ovpn_server.push="dhcp-option DNS 9.9.9.9"
uci add_list openvpn.ovpn_server.push="dhcp-option DNS 1.1.1.1"
uci commit openvpn

VPN服务使能
查看ovpn_server和防火墙配置，输入以下命令：

uci show openvpn.ovpn_server
uci show firewall.ovpn

使能ovpn_server服务器以及启动此服务，输入以下命令：

/etc/init.d/openvpn enable
/etc/init.d/openvpn start

Server侧状态及log确认
查看ovpn_server启动状态，输入以下命令：

pgrep -f -a openvpn

有类似以下打印说明服务已启动：

root@OpenWrt:/# pgrep -f -a openvpn
2812 /usr/sbin/openvpn --syslog openvpn(ovpn_server) --status /var/run/openvpn.ovpn_server.status --cd /var/etc --config openvpn-ovpn_server.conf --up /usr/libexec/openvpn-hotplug up ovpn_server --down /usr/libexec/openvpn-hotplug down ovpn_server --script-security 2
root@OpenWrt:/# 

查看Server vpn log及状态log，输入以下命令：

cat /tmp/openvpn.log 
cat /tmp/openvpn.status

有类似以下打印说明成功：

root@OpenWrt:/# 
root@OpenWrt:/# cat /tmp/openvpn.log 
2023-08-08 01:57:40 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-08-08 01:57:40 OpenVPN 2.5.7 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2023-08-08 01:57:40 library versions: OpenSSL 1.1.1u  30 May 2023, LZO 2.10
2023-08-08 01:57:40 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-08-08 01:57:40 Diffie-Hellman initialized with 2048 bit key
2023-08-08 01:57:40 TUN/TAP device tun0 opened
2023-08-08 01:57:40 /sbin/ip link set dev tun0 up mtu 1500
2023-08-08 01:57:40 /sbin/ip link set dev tun0 up
2023-08-08 01:57:40 /sbin/ip addr add dev tun0 192.168.0.1/24
2023-08-08 01:57:40 /usr/libexec/openvpn-hotplug up ovpn_server tun0 1500 1622 192.168.0.1 255.255.255.0 init
2023-08-08 01:57:40 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-08-08 01:57:40 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-08-08 01:57:40 UDPv4 link local (bound): [AF_INET][undef]:1193
2023-08-08 01:57:40 UDPv4 link remote: [AF_UNSPEC]
2023-08-08 01:57:40 GID set to nogroup
2023-08-08 01:57:40 UID set to nobody
2023-08-08 01:57:40 MULTI: multi_init called, r=256 v=256
2023-08-08 01:57:40 IFCONFIG POOL IPv4: base=192.168.0.2 size=253
2023-08-08 01:57:40 Initialization Sequence Completed
root@OpenWrt:/# 
root@OpenWrt:/# cat /tmp/openvpn.status 
OpenVPN CLIENT LIST
Updated,2023-08-08 02:00:42
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
root@OpenWrt:/# 
root@OpenWrt:/# 

执行ifconfig命令后，能够看到显示的信息中有tun0接口，如下：

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.0.1  P-t-P:192.168.0.1  Mask:255.255.255.0
          inet6 addr: fe80::5c0:4e74:d46b:8601/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:304 (304.0 B)

下面看着修改，我在主路由上也没有执行这个操作

LAN侧默认网关修改
由于OpenWrt LAN侧默认网关为192.168.1.1，通过Luci界面将其修改为其它网段，这儿修改为192.168.12.1。
修改原因是OpenVPN建立隧道后，在每个私有网络中，确保私有网络内的主机具有对方私有网络的IP地址和子网掩码，以便它们可以相互通信。

2. 客户端配置

首先需要在服务端生成客户端的秘钥

easyrsa gen-req client nopass
easyrsa sign client client

执行完成了之后才有pki/private/client.key、pki/issued/client.crt这两个文件

2.1. Windows Client配置

引用

2.1.1. 下载安装软件

略…

2.1.2. 配置

• 从服务端安装目录上获取配置文件并存入client端config目录
  获取pki/ca.crt、pki/private/client.key、pki/issued/client.crt

再创建client.ovpn，写入如下内容

auth-nocache
client
comp-lzo no
dev tun
mute 10
nobind

persist-key
persist-tun

# 协议这里保持服务端统一
proto tcp
remote lqingyu.com 11194                                      
remote-cert-tls server
resolv-retry infinite
script-security 1

verb 3

# 此处和从服务器下载的文件名保持一致
ca ca.crt
cert client.crt
key client.key

#comp-lzo