当前位置:   article > 正文

OpenWrt -- OpenVPN配置Server&Client(TUN模式)_r2s 当服务器

r2s 当服务器

一、前言

目标是两台设备能通过OpenVPN TUN模式建立连接。
准备如下:

  1. 设备
    友善R2S两台,一台做服务器,一台做客户端。
    一台小米R1C,当作网关。
  2. 固件
    采用openwrt-22.03版本,下载地址:https://downloads.openwrt.org/releases/22.03.5/targets/
    也可以根据实际情况自行编译。
  3. 网络拓扑
    小米R1C作为网关,用于配置端口转发。
    网关下挂OpenVPN Server端,即Server端WAN口连接网关LAN口。
    网关WAN口和Client端在同一网段,或者在不同网段,且保证Client端能够ping通服务端WAN口IP地址。
  4. 注意事项
    三台设备要重新刷机,保持系统为默认、干净状态。

二、安装相应组件包

Server端和Client端分别安装对应组件,执行以下命令:

opkg update
opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn
  • 1
  • 2

三、证书及密钥生成

证书及密钥只需要在Server侧生成即可。

  1. easy-rsa var变量设置

    /etc/easy-rsa/vars末尾添加以下内容并设置全局变量,直接执行以下命令:

    VARS="/etc/easy-rsa/vars"
    
    echo ""                                          >> $VARS
    echo "set_var EASYRSA_REQ_COUNTRY \"CN\""        >> $VARS
    echo "set_var EASYRSA_REQ_PROVINCE \"Beijing\""  >> $VARS
    echo "set_var EASYRSA_REQ_CITY \"Haidian\""      >> $VARS
    echo "set_var EASYRSA_REQ_ORG \"IT\""            >> $VARS
    echo "set_var EASYRSA_REQ_EMAIL \"IT\""          >> $VARS
    echo "set_var EASYRSA_REQ_OU \"IT\""             >> $VARS
    echo ""                                          >> $VARS
    echo "set_var EASYRSA_KEY_SIZE 2048"             >> $VARS
    
    cat $VARS
    
    source $VARS
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15

    执行完 source $VARS后,会出现以下打印:

    root@OpenWrt:~# source $VARS
    You appear to be sourcing an Easy-RSA 'vars' file.
    This is no longer necessary and is disallowed. See the section called
    'How to use this file' near the top comments for more details.
    root@OpenWrt:~# 
    
    • 1
    • 2
    • 3
    • 4
    • 5

    设置EasyRAS变量,输入以下命令:

    export EASYRSA_PKI="/etc/easy-rsa/pki"
    export EASYRSA_REQ_CN="ovpnca"
    export EASYRSA_BATCH="1"
    
    • 1
    • 2
    • 3
  2. 初始化pki目录
    输入以下命令:

    cd /etc/easy-rsa
    easyrsa init-pki
    
    • 1
    • 2
  3. 生成Diffie-Hellman pem并打印
    输入以下命令:

    cd /etc/easy-rsa
    easyrsa gen-dh
    cat /etc/easy-rsa/pki/dh.pem
    
    • 1
    • 2
    • 3

    此步骤耗时可能会比较长,请耐心等待。

  4. 生成ca证书及密钥并打印
    输入以下命令:

    cd /etc/easy-rsa
    easyrsa build-ca nopass
    cat /etc/easy-rsa/pki/ca.crt
    
    • 1
    • 2
    • 3
  5. 生成Server证书及密钥并打印
    输入以下命令:

    cd /etc/easy-rsa
    easyrsa build-server-full server nopass
    cat /etc/easy-rsa/pki/private/server.key
    
    • 1
    • 2
    • 3
  6. 生成Client证书及密钥并打印

    输入以下命令:

    cd /etc/easy-rsa
    easyrsa build-client-full client nopass
    cat /etc/easy-rsa/pki/private/client.key
    
    • 1
    • 2
    • 3
  7. 生成tls密钥并打印

    输入以下命令:

    cd /etc/easy-rsa
    openvpn --genkey --secret ${EASYRSA_PKI}/tc.pem
    cat /etc/easy-rsa/pki/tc.pem
    
    • 1
    • 2
    • 3

四、OpenVPN Server配置

以下操作都在第一台R2S路由器上面执行,我们称这台路由器为Server端。

  1. Server防火墙默认配置修改

    规则全部改为ACCEPT,输入以下命令查看防火墙当前默认配置:

    uci show firewall | grep defaults 
    
    • 1

    会有如下打印:

    firewall.@defaults[0]=defaults
    firewall.@defaults[0].syn_flood='1'
    firewall.@defaults[0].input='ACCEPT'
    firewall.@defaults[0].output='ACCEPT'
    firewall.@defaults[0].forward='REJECT'  
    
    • 1
    • 2
    • 3
    • 4
    • 5

    我们需要将firewall.@defaults[0].forward='REJECT'改为firewall.@defaults[0].forward='ACCEPT'

    输入以下命令:

    uci set firewall.@defaults[0].forward='ACCEPT'  
    
    • 1

    同理修改LAN口和WAN口的配置,输入以下命令查看防火墙当前默认配置:

    uci show firewall | grep zone  
    
    • 1

    会有如下打印:

    firewall.@zone[0]=zone
    firewall.@zone[0].name='lan'
    firewall.@zone[0].network='lan'
    firewall.@zone[0].input='ACCEPT'
    firewall.@zone[0].output='ACCEPT'
    firewall.@zone[0].forward='ACCEPT'
    firewall.@zone[1]=zone
    firewall.@zone[1].name='wan'
    firewall.@zone[1].network='wan' 'wan6'
    firewall.@zone[1].input='REJECT'
    firewall.@zone[1].output='ACCEPT'
    firewall.@zone[1].forward='REJECT'
    firewall.@zone[1].masq='1'
    firewall.@zone[1].mtu_fix='1' 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14

    firewall.@zone[1].input='REJECT'改为firewall.@zone[1].input='ACCEPT'

    firewall.@zone[1].forward='REJECT'改为firewall.@zone[1].forward='ACCEPT'

    输入以下命令:

    uci set firewall.@zone[1].input='ACCEPT'
    uci set firewall.@zone[1].forward='ACCEPT'
    
    • 1
    • 2

    执行以下命令更新防火墙配置:

    uci commit firewall
    /etc/init.d/firewall restart  
    
    • 1
    • 2
  2. VPN端口协议及防火墙配置

    定义VPN服务端传输协议及端口,输入以下命令:

    OVPN_PORT="11194"
    OVPN_PROTO="udp"
    
    • 1
    • 2

    防火墙内添加tun+设备接口,输入以下命令:

    uci rename firewall.@zone[0]="lan"
    uci rename firewall.@zone[1]="wan"
    uci del_list firewall.lan.device="tun+"
    uci add_list firewall.lan.device="tun+"
    uci -q delete firewall.ovpn
    
    • 1
    • 2
    • 3
    • 4
    • 5

    根据传输协议及端口对防火墙进行配置,执行以下命令:

    uci set firewall.ovpn="rule"
    uci set firewall.ovpn.name="Allow-OpenVPN"
    uci set firewall.ovpn.src="wan"
    uci set firewall.ovpn.dest_port="${OVPN_PORT}"
    uci set firewall.ovpn.proto="${OVPN_PROTO}"
    uci set firewall.ovpn.target="ACCEPT"
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6

    更新防火墙配置并查看配置参数,执行以下命令

    uci commit firewall
    /etc/init.d/firewall restart
    
    uci show firewall.ovpn
    cat /proc/sys/net/ipv4/ip_forward
    
    • 1
    • 2
    • 3
    • 4
    • 5
  3. 接口创建及信息完善
    创建一个名为ovpn_server的vpn接口,输入以下命令:

    export EASYRSA_PKI="/etc/easy-rsa/pki"
    
    uci set openvpn.ovpn_server="openvpn"
    uci set openvpn.ovpn_server.enabled="1"
    uci set openvpn.ovpn_server.dev="tun"
    uci set openvpn.ovpn_server.port="11194"
    uci set openvpn.ovpn_server.proto="udp"
    uci set openvpn.ovpn_server.comp_lzo="no"
    uci set openvpn.ovpn_server.log="/tmp/openvpn.log"
    uci set openvpn.ovpn_server.status="/tmp/openvpn.status"
    uci set openvpn.ovpn_server.verb="3"
    uci set openvpn.ovpn_server.mute="5"
    uci set openvpn.ovpn_server.keepalive="10 60"
    uci set openvpn.ovpn_server.persist_key="1"
    uci set openvpn.ovpn_server.persist_tun="1"
    uci set openvpn.ovpn_server.user="nobody"
    uci set openvpn.ovpn_server.group="nogroup"
    uci set openvpn.ovpn_server.ca="${EASYRSA_PKI}/ca.crt"
    uci set openvpn.ovpn_server.cert="${EASYRSA_PKI}/issued/server.crt"
    uci set openvpn.ovpn_server.dh="${EASYRSA_PKI}/dh.pem"
    uci set openvpn.ovpn_server.key="${EASYRSA_PKI}/private/server.key"
    uci set openvpn.ovpn_server.mode="server"
    uci set openvpn.ovpn_server.server="192.168.0.0 255.255.255.0"
    uci set openvpn.ovpn_server.tls_server="1"
    uci set openvpn.ovpn_server.topology="subnet"
    uci set openvpn.ovpn_server.route_gateway="dhcp"
    uci set openvpn.ovpn_server.client_to_client="1"
    uci commit openvpn
    
    uci add_list openvpn.ovpn_server.push="comp-lzo no"
    uci add_list openvpn.ovpn_server.push="persist-key"
    uci add_list openvpn.ovpn_server.push="persist-tun"
    uci add_list openvpn.ovpn_server.push="user nobody"
    uci add_list openvpn.ovpn_server.push="user nogroup"
    uci add_list openvpn.ovpn_server.push="topology subnet"
    uci add_list openvpn.ovpn_server.push="route-gateway dhcp"
    uci add_list openvpn.ovpn_server.push="redirect-gateway def1"
    uci add_list openvpn.ovpn_server.push="192.168.0.0 255.255.255.0"
    uci add_list openvpn.ovpn_server.push="dhcp-option DNS 9.9.9.9"
    uci add_list openvpn.ovpn_server.push="dhcp-option DNS 1.1.1.1"
    uci commit openvpn
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
  4. VPN服务使能
    查看ovpn_server和防火墙配置,输入以下命令:

    uci show openvpn.ovpn_server
    uci show firewall.ovpn
    
    • 1
    • 2

    使能ovpn_server服务器以及启动此服务,输入以下命令:

    /etc/init.d/openvpn enable
    /etc/init.d/openvpn start
    
    • 1
    • 2
  5. Server侧状态及log确认
    查看ovpn_server启动状态,输入以下命令:

    pgrep -f -a openvpn
    
    • 1

    有类似以下打印说明服务已启动:

    root@OpenWrt:/# pgrep -f -a openvpn
    2812 /usr/sbin/openvpn --syslog openvpn(ovpn_server) --status /var/run/openvpn.ovpn_server.status --cd /var/etc --config openvpn-ovpn_server.conf --up /usr/libexec/openvpn-hotplug up ovpn_server --down /usr/libexec/openvpn-hotplug down ovpn_server --script-security 2
    root@OpenWrt:/# 
    
    • 1
    • 2
    • 3

    查看Server vpn log及状态log,输入以下命令:

    cat /tmp/openvpn.log 
    cat /tmp/openvpn.status
    
    • 1
    • 2

    有类似以下打印说明成功:

    root@OpenWrt:/# 
    root@OpenWrt:/# cat /tmp/openvpn.log 
    2023-08-08 01:57:40 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
    2023-08-08 01:57:40 OpenVPN 2.5.7 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
    2023-08-08 01:57:40 library versions: OpenSSL 1.1.1u  30 May 2023, LZO 2.10
    2023-08-08 01:57:40 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    2023-08-08 01:57:40 Diffie-Hellman initialized with 2048 bit key
    2023-08-08 01:57:40 TUN/TAP device tun0 opened
    2023-08-08 01:57:40 /sbin/ip link set dev tun0 up mtu 1500
    2023-08-08 01:57:40 /sbin/ip link set dev tun0 up
    2023-08-08 01:57:40 /sbin/ip addr add dev tun0 192.168.0.1/24
    2023-08-08 01:57:40 /usr/libexec/openvpn-hotplug up ovpn_server tun0 1500 1622 192.168.0.1 255.255.255.0 init
    2023-08-08 01:57:40 Could not determine IPv4/IPv6 protocol. Using AF_INET
    2023-08-08 01:57:40 Socket Buffers: R=[212992->212992] S=[212992->212992]
    2023-08-08 01:57:40 UDPv4 link local (bound): [AF_INET][undef]:1193
    2023-08-08 01:57:40 UDPv4 link remote: [AF_UNSPEC]
    2023-08-08 01:57:40 GID set to nogroup
    2023-08-08 01:57:40 UID set to nobody
    2023-08-08 01:57:40 MULTI: multi_init called, r=256 v=256
    2023-08-08 01:57:40 IFCONFIG POOL IPv4: base=192.168.0.2 size=253
    2023-08-08 01:57:40 Initialization Sequence Completed
    root@OpenWrt:/# 
    root@OpenWrt:/# cat /tmp/openvpn.status 
    OpenVPN CLIENT LIST
    Updated,2023-08-08 02:00:42
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    GLOBAL STATS
    Max bcast/mcast queue length,0
    END
    root@OpenWrt:/# 
    root@OpenWrt:/# 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33

    执行ifconfig命令后,能够看到显示的信息中有tun0接口,如下:

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:192.168.0.1  P-t-P:192.168.0.1  Mask:255.255.255.0
              inet6 addr: fe80::5c0:4e74:d46b:8601/64 Scope:Link
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500 
              RX bytes:0 (0.0 B)  TX bytes:304 (304.0 B)
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
  6. LAN侧默认网关修改
    由于OpenWrt LAN侧默认网关为192.168.1.1,通过Luci界面将其修改为其它网段,这儿修改为192.168.12.1
    修改原因是OpenVPN建立隧道后,在每个私有网络中,确保私有网络内的主机具有对方私有网络的IP地址和子网掩码,以便它们可以相互通信。

五、OpenVPN Client配置

以下操作都在第二台R2S路由器上面执行,我们称这台路由器为Client端。

  1. 配置文件设置
    创建/root/vpn并且在此文件夹下创建client.conf文件,输入以下命令:
    mkdir -p /root/vpn
    vi /root/vpn/client.conf
    
    • 1
    • 2
    client.conf里面输入以下信息:
    auth-nocache                                                    
    client                                                          
    comp-lzo no                                                     
    dev tun                                                         
    mute 10                                                         
    nobind                                                          
                                                                    
    persist-key                                                     
    persist-tun                                                     
                                                                    
    proto udp                                                       
    remote 192.168.2.200 11194                                      
                                                                    
    remote-cert-tls server                                          
    resolv-retry infinite                                           
    script-security 1                                               
                                                                    
    verb 3                  
    log-append /tmp/openvpn.log
    status /tmp/openvpn.status
    
    <key>
    # Insert here the client's generated private key from:
    # cat /etc/easy-rsa/pki/private/client.key
    </key>
    <cert>
    # Insert here the client's generated certificate from:
    # cat /etc/easy-rsa/pki/issued/client.crt
    </cert>
    <ca>
    # Place here the server's generated certificate from:
    # cat /etc/easy-rsa/pki/ca.crt
    </ca>
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    其中,remote 192.168.2.200 11194192.168.2.200表示网关的IP地址,即网关WAN口地址。将Server生成的证书密钥按照要求填写到配置文件最后的key/cert/ca中。
  2. Client防火墙默认配置修改
    Client侧的修改方式同Server侧一样,输入以下命令即可:
    uci set firewall.@defaults[0].forward='ACCEPT'
    uci set firewall.@zone[1].input='ACCEPT'
    uci set firewall.@zone[1].forward='ACCEPT'
    
    • 1
    • 2
    • 3
    执行以下命令更新防火墙配置:
    uci commit firewall
    /etc/init.d/firewall restart
    
    • 1
    • 2
  3. 配置文件修改及服务使能
    打开openvpn配置文件,输入以下命令:
    vi /etc/config/openvpn
    
    • 1
    修改config openvpn custom_config里面的配置:
    option enabled 0改为option enabled 1
    option config /etc/openvpn/my-vpn.conf改为option config /etc/openvpn/my-vpn.conf
    修改后的配置文件如下:
    package openvpn
    
    #################################################
    # Sample to include a custom config file.       #
    #################################################
    
    config openvpn custom_config
    
            # Set to 1 to enable this instance:
            option enabled 1
    
            # Credentials to login
            #option username 'login'
            #option password 'password'
    
            # Password for client certificate
            #option cert_password 'cert_password'
    
            # Include OpenVPN configuration
            option config /root/vpn/client.conf   
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    输入以下命令启动客户端vpn服务:
    /etc/init.d/openvpn enable
    /etc/init.d/openvpn start
    
    • 1
    • 2
  4. Client侧状态及log确认
    同Server侧一样,查看方式为:
    pgrep -f -a openvpn
    cat /tmp/openvpn.log 
    cat /tmp/openvpn.status
    
    • 1
    • 2
    • 3

六、网关配置

  1. 网络拓扑
    小米R1C网关WAN侧地址192.168.2.200
    小米R1C网关LAN侧地址192.168.50.1
    友善R2S Server侧WAN口接小米R1C网关LAN口,R2S Server WAN口地址为192.168.50.201
    友善R2S Client侧WAN口和小米R1C网关WAN口为同一网段,R2S Client WAN口地址为192.168.2.116

  2. 网关防火墙配置
    浏览器输入192.168.50.1登录网关,选择【网络】->【防火墙】打开防火墙配置,如下图:
    在这里插入图片描述
    防火墙具体配置见下图画红框的部分:

    [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-2v3JYLm5-1692177001052)(C:\Users\xuyanbin\AppData\Roaming\Typora\typora-user-images\image-20230816170351323.png)]
    注意上图中【WAN => 】侧的编辑里面的一个配置项【MSS clamping】也要勾选,配置完后检测网关的防火墙设置是否和上图一样,如果一样,点击【保存并应用】。

  3. 网关端口转发配置

    在上一步骤网关防火墙配置的基础上,点击选择【网络】->【防火墙】->【Port Forwards】-> 【添加】配置端口转发,如下图:

    [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-KkWFuByr-1692177001054)(C:\Users\xuyanbin\AppData\Roaming\Typora\typora-user-images\image-20230816170426335.png)]
    弹出配置界面,按以下配置:

    [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-YHqMeRUr-1692177001054)(C:\Users\xuyanbin\AppData\Roaming\Typora\typora-user-images\image-20230816170434820.png)]

    说明:
    名称填写vpn_tun
    External port填写外部端口即Client侧的端口11194
    Internal adress填写内部Server WAN侧的IP地址,192.168.50.201
    Internal port填写内部Server侧的端口11194
    配置完成后点击【保存】返回到上一层页面,确认配置无误后,点击【保存并应用】,如下图:
    [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-riM9ZiKU-1692177001055)(C:\Users\xuyanbin\AppData\Roaming\Typora\typora-user-images\image-20230816170524798.png)]
    此配置的含义是将外部11194端口的数据,通过网关转发到内部192.168.50.201设备上的11194端口上。

七、测试

先重启服务端再重启客户端。
Client侧输入ifconfig tun0,如果tun0有IP显示,则说明VPN隧道建立成功,如下所示:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.0.2  P-t-P:192.168.0.2  Mask:255.255.255.0
          inet6 addr: fe80::762a:9b34:4ee9:edb7/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:176649 (172.5 KiB)
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8

如果关闭网关的端口转发或者关掉Server侧的OpenVPN服务,Client侧执行ifconfig命令则不会有tun0设备。

八、参考

https://github.com/OpenVPN/openvpn/
https://openwrt.org/docs/guide-user/services/vpn/openvpn/start

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/Gausst松鼠会/article/detail/182670
推荐阅读
相关标签
  

闽ICP备14008679号