OpenVPN
Reference:
http://wiki.openwrt.org/doc/howto/vpn.openvpn
Part 1. Flash the firmware
Select the following in the build configuration (menuconfig):
│ -> Network │
│ -> VPN
Part 2. Generate the certificates
1. If running Attitude Adjustment (specifically, version 2.2.2-2 of the Easy-RSA package), then you must 'tweak' the PKI configuration to prevent problems later on (this step 'comments out' the relevant code):
sed -i '/KEY_CN/ s:^export:# &:' /etc/easy-rsa/vars ## do not set the KEY_CN environment variable
2. Establish the shell variables, and start with a clean slate (you may get warnings about ./clean-all, which you can ignore):
source /etc/easy-rsa/vars
clean-all
3. Create the Certification Authority, Server, and Client certificates:
pkitool --initca ## equivalent to the 'build-ca' script
pkitool --server my-server ## equivalent to the 'build-key-server' script
pkitool my-client ## equivalent to the 'build-key' script
4. Finally, create the Diffie Hellman parameters (left until last because it can take a long time):
build-dh ## this script will 'take a long time'
If an error occurs, run unset KEY_CN and then start again from step 1.
Testing and troubleshooting:
Run
ls $KEY_DIR
There should be index.txt and serial, the Diffie-Hellman files, and three pairs of .crt/.key files (plus some other files).
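The following is an added check, not part of the OpenWrt wiki page or of this post: a POSIX shell function that inspects the Easy-RSA key directory ($KEY_DIR) for the layout the steps above should have produced (index.txt, serial, ca.crt and ca.key, the dh*.pem parameters, and a private key beside every issued certificate) and warns when a private key is readable by other users. The function name check_pki_dir and its optional second argument verify are my own; with verify it additionally runs openssl verify against ca.crt, which is only meaningful on real certificates.

```shell
# Added example: sanity-check an Easy-RSA 2.x key directory (the $KEY_DIR the
# tutorial refers to).  Usage: check_pki_dir /etc/easy-rsa/keys [verify]
# Prints each problem found and returns 0 only when nothing is missing.
check_pki_dir() {
    dir="$1"
    mode="$2"
    rc=0

    # The CA database and CA key pair written by `pkitool --initca`.
    for f in index.txt serial ca.crt ca.key; do
        [ -s "$dir/$f" ] || { echo "missing: $f"; rc=1; }
    done

    # `build-dh` writes dh<bits>.pem, e.g. dh1024.pem or dh2048.pem.
    ls "$dir"/dh*.pem >/dev/null 2>&1 || { echo "missing: dh*.pem (run build-dh)"; rc=1; }

    # Every issued certificate (my-server.crt, my-client.crt, ...) needs its key.
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue              # the glob matched nothing
        base="${crt%.crt}"
        [ "$base" = "$dir/ca" ] && continue    # the CA was checked above
        key="$base.key"
        if [ ! -s "$key" ]; then
            echo "missing: ${key##*/}"; rc=1
            continue
        fi
        # Keys are secrets: anything looser than owner-only access earns a warning
        # (GNU stat first, BSD stat as fallback; unknown mode is not a failure).
        perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null || true)
        case "$perm" in
            ""|600|400) ;;
            *) echo "warning: ${key##*/} has mode $perm, expected 600" ;;
        esac
        # Optional: confirm the certificate really chains to this CA.
        if [ "$mode" = "verify" ]; then
            openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 \
                || { echo "does not verify against ca.crt: ${crt##*/}"; rc=1; }
        fi
    done
    return $rc
}
```

Run it as `check_pki_dir "$KEY_DIR"` right after `build-dh`; a non-zero exit before the files are copied to /etc/openvpn saves a round of "No such file or directory" errors later in the OpenVPN configuration step.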
Part 3. Distribute the certificates
1. On the server, copy the server certificate to where OpenVPN needs it to be ($KEY_DIR is a variable set by source /etc/easy-rsa/vars):
cd $KEY_DIR
mkdir -p /etc/openvpn
cp ca.crt my-server.* dh*.pem /etc/openvpn/ ## the server files (note: dh*.pem is required)
2. Next, you'll need to copy the client certificate from the server to the client (e.g. via a USB stick, or using the scp utility).
3. On the client, copy the CA certificate and the client certificate and key to where OpenVPN needs them to be, for example:
cp ca.crt my-client.* /etc/openvpn/ ## the client files (note: dh*.pem is not used)
Part 4. Configure the network
Part 4(1). On the server
1. Create the VPN interface (note that the tun0 device does not yet exist):
uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci commit network; /etc/init.d/network reload
2. Allow OpenVPN tunnel negotiation (i.e. accept inbound traffic and thereby allow a tunnel to be created):
uci add firewall rule
uci set firewall.@rule[-1].name=Allow-OpenVPN-Inbound
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src=*
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=1194
3. Allow OpenVPN tunnel utilization (i.e. allow a tunnel to be used):
uci add firewall zone
uci set firewall.@zone[-1].name=vpn
uci set firewall.@zone[-1].input=ACCEPT
uci set firewall.@zone[-1].forward=ACCEPT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].network=vpn0
4. Finally, commit the changes:
uci commit firewall; /etc/init.d/firewall reload
Testing and troubleshooting:
Execute:
uci show network | grep ifname
to see the interface of each network (e.g. 3gwan network via usb0 interface). Execute:
uci show firewall | grep zone | grep -E "(net|name)"
to see the networks of each zone (e.g. wan/3gwan networks in wan zone).
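As an added check (my own, not from the OpenWrt wiki page or this post), the following shell function audits the output of `uci show firewall` for the rule that opens the OpenVPN listener. The rule created in step 2 uses src=* which, in the OpenWrt firewall, matches every zone, so the listener is reachable from the LAN as well as the WAN; the audit flags that and suggests src=wan, flags a proto other than udp, and flags a dest= option (which would turn the input rule into a forwarding rule). The sample output at the bottom is constructed to match the steps above; the function names are assumptions.

```shell
# Added example: audit the firewall rule that opens the OpenVPN listener.
# Usage: uci show firewall | audit_openvpn_firewall
# Prints one line per finding and a final "findings: N" line.
audit_openvpn_firewall() {
    awk -F'=' -v q="'" '
    {
        key = $1; val = $2
        gsub(q, "", val)                  # uci show wraps values in single quotes
        n = split(key, p, ".")            # firewall.@rule[1].src -> p[2]="@rule[1]", p[3]="src"
        if (n < 3) next                   # section type lines such as firewall.@rule[1]=rule
        opt[p[2], p[3]] = val
        if (!(p[2] in seen)) { seen[p[2]] = 1; order[++count] = p[2] }
    }
    END {
        findings = 0; opened = 0
        for (i = 1; i <= count; i++) {
            s = order[i]
            if (opt[s, "dest_port"] != "1194" || opt[s, "target"] != "ACCEPT") continue
            opened = 1
            # src="*" (or no src at all) accepts the port from every zone, LAN included.
            src = opt[s, "src"]
            if (src == "") src = "unset"
            if (src == "*" || src == "unset") {
                print s ": src is " src "; use src=wan so that only the WAN zone reaches the listener"
                findings++
            }
            # The tutorial runs OpenVPN over UDP only; opening anything else is unneeded.
            if (opt[s, "proto"] != "udp") {
                print s ": proto is " opt[s, "proto"] "; only udp/1194 is needed"
                findings++
            }
            # A dest= option makes this a forwarding rule rather than an input rule
            # for the router itself.
            if (opt[s, "dest"] != "") {
                print s ": dest=" opt[s, "dest"] " makes this a forwarding rule, not an input rule"
                findings++
            }
        }
        if (!opened) { print "no ACCEPT rule for dest_port 1194 found"; findings++ }
        print "findings: " findings
    }'
}

# Constructed sample of `uci show firewall` after the steps above (default
# lan/wan zones plus the vpn zone and the Allow-OpenVPN-Inbound rule).
sample_uci_show_firewall() {
cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='vpn0'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-OpenVPN-Inbound'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].src='*'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='1194'
EOF
}
```

On the sample the audit reports one finding, the wildcard src; after `uci set firewall.@rule[-1].src=wan` it reports none. The vpn zone itself is left as the tutorial sets it.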
Part 4(2). On the client
1. Create the VPN interface (note that the tun0 device does not yet exist):
uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci commit network; /etc/init.d/network reload
2. Allow OpenVPN tunnel utilization (i.e. allow a tunnel to be used) (optional on the client):
uci add firewall zone
uci set firewall.@zone[-1].name=vpn
uci set firewall.@zone[-1].input=ACCEPT
uci set firewall.@zone[-1].forward=ACCEPT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].network=vpn0
3. Finally, commit the changes:
uci commit firewall; /etc/init.d/firewall reload
Part 5. Configure OpenVPN
1. Clear the existing OpenVPN configuration, and create a new configuration called (in this case) 'myvpn' (NB: this step is the same for the OpenWrt OpenVPN client as well). Ensure that, in particular, the last three lines (the ca, cert, and key options) do not produce an error (such as "No such file or directory"):
echo > /etc/config/openvpn ## Clear the existing configuration
uci set openvpn.myvpn=openvpn ## This tunnel is called 'myvpn'
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.dev=tun ## This is the basic tunnel configuration
uci set openvpn.myvpn.proto=udp
uci set openvpn.myvpn.log=/tmp/openvpn.log ## These options produce a useful log file
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt ## These options are required for tunnel negotiation
uci set openvpn.myvpn.cert=`ls /etc/openvpn/my-*.crt` ## NB: these are back-quotes
uci set openvpn.myvpn.key=`ls /etc/openvpn/my-*.key` ## NB: these are back-quotes
2. To that, add the server-specific options. Ensure that, in particular, the last line (the dh option) does not produce an error:
uci set openvpn.myvpn.server='10.8.0.0 255.255.255.0' ## NB: these are single quotes
uci set openvpn.myvpn.port=1194
uci set openvpn.myvpn.keepalive='10 120' ## NB: these are single quotes
uci set openvpn.myvpn.dh=`ls /etc/openvpn/dh*.pem` ## NB: these are back-quotes
3. And finally, the tricky server-specific option (this will be changed later):
uci set openvpn.myvpn.push='' ## NB: these are single quotes
4. Commit the configuration, and enable OpenVPN:
uci commit openvpn; /etc/init.d/openvpn enable
Testing & troubleshooting the configuration
Now you can start the OpenVPN server and check the listener.
1. Start OpenVPN, and confirm that there is an OpenVPN daemon and a TUN:
/etc/init.d/openvpn start; sleep 3
ps -w | grep openvpn
ifconfig | grep tun0
2. If the OpenVPN server is working OK, then you would expect there to be a result from (this is only for a server):
netstat -an | grep 1194
If things go wrong (now or later), then for troubleshooting:
1. A good place to start is the log file:
cat /tmp/openvpn.log
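Reading /tmp/openvpn.log by eye works, but the same few messages come up every time. The following is an added example (mine, not from the wiki page or this post) that classifies a verb 3 log into the failure modes the steps above can produce: a ca/cert/key/dh path that does not load, no reply from the peer (typically the udp/1194 rule or a wrong remote address), a certificate rejected at verification, a port already bound, or a missing tun device. The message texts matched are real OpenVPN log strings; the sample log at the bottom is constructed, and 198.51.100.10 stands in for the server's public address.

```shell
# Added example: classify an OpenVPN log (/tmp/openvpn.log with verb 3).
# Usage: triage_openvpn_log < /tmp/openvpn.log
# Prints one line per recognised condition, or quotes the last line otherwise.
triage_openvpn_log() {
    awk '
    /Initialization Sequence Completed/                       { up = 1 }
    /Options error:|Cannot load (certificate|private key|CA)/ { badfile = $0 }
    /TLS key negotiation failed to occur within/              { noreply = 1 }
    /VERIFY ERROR/                                            { verify = $0 }
    /Socket bind failed/                                      { bind = $0 }
    /Cannot open TUN\/TAP dev/                                { tun = 1 }
    { last = $0 }
    END {
        hits = 0
        if (up)      { print "OK: tunnel negotiated (Initialization Sequence Completed)"; hits++ }
        if (badfile) { print "CONFIG: a ca/cert/key/dh path in the uci config does not load: " badfile; hits++ }
        if (noreply) { print "NO-REPLY: no TLS handshake from the peer; check that the server is running, the remote address, and the udp/1194 firewall rule"; hits++ }
        if (verify)  { print "VERIFY: the peer certificate was rejected; check that it was signed by the same ca.crt and that the clocks are right: " verify; hits++ }
        if (bind)    { print "BIND: the listener port is already in use: " bind; hits++ }
        if (tun)     { print "TUN: /dev/net/tun is missing; the tun kernel module (package kmod-tun) is not loaded"; hits++ }
        if (!hits)   print "UNKNOWN: last line was: " last
    }'
}

# Constructed sample: a client whose packets never reach the server
# (198.51.100.10 is a placeholder for the public address).
sample_failed_client_log() {
cat <<'EOF'
Sat Jan  4 12:00:01 2014 OpenVPN 2.3.2 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Sat Jan  4 12:00:01 2014 UDPv4 link local: [undef]
Sat Jan  4 12:00:01 2014 UDPv4 link remote: [AF_INET]198.51.100.10:1194
Sat Jan  4 12:01:01 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan  4 12:01:01 2014 TLS Error: TLS handshake failed
Sat Jan  4 12:01:01 2014 SIGUSR1[soft,tls-error] received, process restarting
EOF
}
```

The NO-REPLY case is the one to check first after the firewall steps in Part 4: the client sees nothing at all from the server, which is what a missing or mis-scoped udp/1194 rule looks like from the client side.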
Part 5(1). On the client
First confirm that the server's public address is reachable:
ping -c 4 XXX.XXX.XXX.XXX ## the public IP of the OpenVPN server
1. Clear the existing configuration and create the basic tunnel (the same as on the server):
echo > /etc/config/openvpn ## Clear the existing configuration
uci set openvpn.myvpn=openvpn ## This tunnel is called 'myvpn'
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.dev=tun ## This is the basic tunnel configuration
uci set openvpn.myvpn.proto=udp
uci set openvpn.myvpn.log=/tmp/openvpn.log ## These options produce a useful log file
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt ## These options are required for tunnel negotiation
uci set openvpn.myvpn.cert=`ls /etc/openvpn/my-*.crt` ## NB: these are back-quotes
uci set openvpn.myvpn.key=`ls /etc/openvpn/my-*.key` ## NB: these are back-quotes
2. To that, add the client-specific parameters (this is different from above):
uci set openvpn.myvpn.client=1
uci set openvpn.myvpn.remote_cert_tls=server
3. The client also has a tricky bit (read above before you execute this command):
uci set openvpn.myvpn.remote='XXX.XXX.XXX.XXX 1194' ## NB: these are single quotes; XXX.XXX.XXX.XXX is the public IP of the OpenVPN server
4. Commit the configuration, and enable OpenVPN (as for a server, above):
uci commit openvpn; /etc/init.d/openvpn enable
Testing & troubleshooting your configuration
That's it for the client! Now you can start the OpenVPN client and check the tunnel.
1. Before starting the tunnel, you should (again) be able to ping the server from the client:
ping -c 4 $(uci -P/var/state get openvpn.myvpn.remote | awk '{print $1;}')
2. Start OpenVPN, and confirm that there is an OpenVPN daemon and a TUN:
/etc/init.d/openvpn start; sleep 3
ps | grep openvpn
ifconfig | grep tun0
Testing the tunnel:
1. The tunnel should have made a change to the client's route table (so you can access the tunnel end-point, which should be 10.8.0.1):
cat /tmp/openvpn.log | grep 'route add'
...
route
2. You should be able to ping the tunnel end-point (i.e. the OpenVPN server):
traceroute 10.8.0.1
3. You should still be able to ping hosts on the Internet via your default gateway:
traceroute 8.8.8.8
4. You should be able to ping hosts on the Internet via the tunnel:
route add -net 8.8.4.4 netmask 255.255.255.255 gateway 10.8.0.5
route
...
traceroute 8.8.4.4
Before you do this, you should know whether your network is Scenario 1 (client and server in different subnets), or Scenario 2 (client and server in the same subnet).
In Scenario 1, the client and server are in different subnets:
1. On the OpenVPN server, execute the following
uci set openvpn.myvpn.push='redirect-gateway def1' ## NB: these are single quotes
uci commit openvpn; /etc/init.d/openvpn restart
2. On the OpenVPN client, execute the following:
/etc/init.d/openvpn restart
traceroute 8.8.8.8
Alternatively, in Scenario 2, the client and server are in the same subnet (useful for creating/testing an OpenVPN tunnel at home):
1. On the OpenVPN server, execute the following:
uci set openvpn.myvpn.push='redirect-gateway def1 local' ## NB: these are single quotes
uci commit openvpn; /etc/init.d/openvpn restart
2. On the OpenVPN client, execute the following:
/etc/init.d/openvpn restart
traceroute 8.8.8.8
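`traceroute 8.8.8.8` shows whether the first hop is now the tunnel, but it does not show why. The following is an added example (mine, not from the wiki page or this post) that reads `route -n` on the client and reports whether the pushed `redirect-gateway def1` is in effect. def1 does not replace the default route: OpenVPN adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel peer (10.8.0.5 in the net30 layout this tutorial produces), which win by being more specific, plus a /32 route to the VPN server via the original gateway so the tunnel's own packets are not sent into the tunnel. The route table at the bottom is constructed; 198.51.100.10 and 192.168.1.1 are placeholders for the server's public address and the client's original gateway.

```shell
# Added example: report whether redirect-gateway def1 is active.
# Usage: route -n | vpn_route_status
vpn_route_status() {
    awk '
    NR <= 2 { next }                                                       # "Kernel IP routing table" + column header
    $1 == "0.0.0.0"   && $3 == "0.0.0.0"                   { gw = $2; iface = $8 }   # original default route
    $1 == "0.0.0.0"   && $3 == "128.0.0.0" && $8 == "tun0" { lo = 1 }               # 0.0.0.0/1 via the tunnel
    $1 == "128.0.0.0" && $3 == "128.0.0.0" && $8 == "tun0" { hi = 1 }               # 128.0.0.0/1 via the tunnel
    $3 == "255.255.255.255" && $8 != "tun0"                { host[$1] = $2 }        # candidate server bypass routes
    END {
        if (lo && hi) {
            printf "redirect-gateway active: Internet traffic leaves via tun0"
            # The /32 to the VPN server must still point at the original gateway.
            for (h in host) if (host[h] == gw)
                printf "; server %s bypasses the tunnel via %s on %s", h, gw, iface
            print ""
        } else if (gw != "") {
            print "redirect-gateway not applied: default route still via " gw " on " iface
        } else {
            print "no default route found"
        }
    }'
}

# Constructed sample of `route -n` on the client after Scenario 1 above.
sample_route_n() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.2
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
198.51.100.10   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0.2
EOF
}
```

If the two /1 routes are missing after the restart, the push never reached the client; check the server's push option and the client's log rather than the client's own configuration.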
Supplement
Reference network topology: (the topology diagram is not reproduced in the text)
(Phenomenon 1)
Puzzle: when the PC connects to OpenWrt-wifi over wireless, the results are:
C:\Users\tingpan>ping 172.16.1.1
正在 Ping 172.16.1.1 具有 32 字节的数据:
来自 172.16.1.1 的回复: 字节=32 时间=10ms TTL=64
来自 172.16.1.1 的回复: 字节=32 时间=12ms TTL=64
172.16.1.1 的 Ping 统计信息:
数据包: 已发送 = 2,已接收 = 2,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 10ms,最长 = 12ms,平均 = 11ms
Control-C
^C
C:\Users\tingpan>ping 172.16.1.1
正在 Ping 172.16.1.1 具有 32 字节的数据:
来自 172.16.1.1 的回复: 字节=32 时间=2ms TTL=63
来自 172.16.1.1 的回复: 字节=32 时间=2ms TTL=63
来自 172.16.1.1 的回复: 字节=32 时间=3ms TTL=63
来自 172.16.1.1 的回复: 字节=32 时间=4ms TTL=63
172.16.1.1 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 2ms,最长 = 4ms,平均 = 2ms
C:\Users\tingpan>ping 172.16.1.12
正在 Ping 172.16.1.12 具有 32 字节的数据:
来自 172.16.1.12 的回复: 字节=32 时间=3ms TTL=63
来自 172.16.1.12 的回复: 字节=32 时间=6ms TTL=63
来自 172.16.1.12 的回复: 字节=32 时间=4ms TTL=63
来自 172.16.1.12 的回复: 字节=32 时间=10ms TTL=63
172.16.1.12 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 3ms,最长 = 10ms,平均 = 5ms
C:\Users\tingpan>ping 192.168.1.11
正在 Ping 192.168.1.11 具有 32 字节的数据:
来自 192.168.1.11 的回复: 字节=32 时间=3ms TTL=64
来自 192.168.1.11 的回复: 字节=32 时间=7ms TTL=64
来自 192.168.1.11 的回复: 字节=32 时间=3ms TTL=64
来自 192.168.1.11 的回复: 字节=32 时间=833ms TTL=64
192.168.1.11 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 3ms,最长 = 833ms,平均 = 211ms
(Phenomenon 2)
But when connected to SensCom_Vsystem, instead:
C:\Users\tingpan>ping 192.168.1.11
正在 Ping 192.168.1.11 具有 32 字节的数据:
请求超时。
来自 172.16.1.1 的回复: 无法访问目标网。
请求超时。
来自 172.16.1.1 的回复: 无法访问目标网。
192.168.1.11 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 2,丢失 = 2 (50% 丢失),
If the client is removed, phenomenon 1 can no longer be reproduced.