
How do I deploy an OpenVPN server on OpenWRT?

How can I deploy an OpenVPN server on the router at company headquarters so that the regional branch offices can connect to the company over VPN? The router runs OpenWRT.


There isn't much material on OpenVPN. I saw this forum post that explains how to set up OpenVPN:

A Hong Kong user's collection of common OpenWRT applications

In particular the section: PPTP and OpenVPN setup (thanks to gl5900as)

The OP also says: "If there's any material you can't find (for example the blocked OpenVPN or GoAgent), you're welcome to reply to this thread and I'll do my best to help~" You can reply there and ask him for material. Thanks.


I happened to try out OpenVPN on OpenWRT a while ago, so let me share a few notes here. OpenWRT has two OpenVPN server packages, openvpn-openssl and openvpn-polarssl; the configuration method is the same for both.

The following uses openvpn-polarssl as the example (these are notes I wrote earlier so I wouldn't forget; they are for reference, and parts need adjusting to your actual network):

1.1. OpenVPN - Polarssl

    opkg update
    opkg install openvpn-polarssl

1.1.1. Configure the CA files

1) On the OpenVPN server, install the Easy-RSA package:

    opkg update; opkg install openvpn-easy-rsa

2) If running Attitude Adjustment (specifically, version 2.2.2-2 of the Easy-RSA package), you must tweak the PKI configuration to prevent problems later on (this step comments out the relevant line):

    ## do not set the KEY_CN environment variable
    sed -i '/KEY_CN/ s:^export:# :' /etc/easy-rsa/vars

3) Establish the shell variables and start with a clean slate (you may get warnings from clean-all, which you can ignore):

    source /etc/easy-rsa/vars
    clean-all

    ## define the key information
    export KEY_SIZE=2048
    export KEY_COUNTRY=CN
    export KEY_PROVINCE=Canton
    export KEY_CITY=city_name
    export KEY_ORG=org_name
    export KEY_EMAIL=email_address

4) Create the Certification Authority, server, and client certificates:

    pkitool --initca             ## equivalent to the build-ca script
    pkitool --server my-server   ## equivalent to the build-key-server script
    pkitool my-client            ## equivalent to the build-key script
    pkitool my-client-1
    pkitool my-client-2
    ...

5) Finally, create the Diffie-Hellman parameters (left until last because it can take a long time):

    build-dh   ## this script will take a long time

6) Create the OpenVPN static key:

    openvpn --genkey --secret keys/ta.key

1.1.2. Configure the OpenVPN server

File: /etc/config/network

    config interface lan
        option ifname "wlan0 tun0"   ## change: append tun0 to the existing ifname value

File: /etc/config/openvpn

    config openvpn servername
        option enabled 1
        option port 1194
        option proto tcp
        option dev tun
        option ca /etc/openvpn/ca.crt
        option cert /etc/openvpn/server.crt
        option key /etc/openvpn/server.key
        option dh /etc/openvpn/dh2048.pem
        option server "172.16.1.0 255.255.255.0"
        list push "redirect-gateway def1"
        list push "dhcp-option DNS 192.168.1.1"
        option tls_auth "/etc/openvpn/ta.key 0"
        option tls_server 1
        option comp_lzo yes
        option max_clients 10
        option persist_key 1
        option persist_tun 1
        option status /tmp/openvpn-status.log
        option log /tmp/openvpn.log
        option verb 4
        option mute 20

Command:

    iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE

File: /etc/firewall.user

Add:

    iptables -A forwarding_rule -s 172.16.1.0/24 -j ACCEPT

File: /etc/config/firewall

    # Add rule for openvpn access
    config rule
        option enabled 1
        option target ACCEPT
        option src wan
        option name Allow-WAN-OpenVPN-Input
        option family ipv4
        option proto tcp
        option dest_port 1194

Then:

    /etc/init.d/openvpn enable
    reboot   ## or: /etc/init.d/network restart; /etc/init.d/firewall restart; /etc/init.d/openvpn start

Install an OpenVPN client on the endpoints at each regional office and dial in; that's all there is to it.
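As an added example (not from the post, and not OpenWrt's own tooling), a small Python checker for the pieces above: it parses the /etc/config/openvpn and /etc/config/firewall snippets and reports when the server subnet does not match the subnet the MASQUERADE and forwarding rules allow, when a PKI or tls_auth option is missing, or when no WAN rule admits the server's port and protocol. The names parse_uci and check_deployment are mine, and the sample configs are constructed to mirror the post's values.

```python
import ipaddress
# Added example (not from the post): parse the UCI snippets from the post and check that
# the OpenVPN server section, the WAN firewall rule and the NAT/forwarding subnet agree.
def parse_uci(text):
    """Minimal UCI parser: 'option' lines only, quotes stripped; 'list' and '#' lines are ignored."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) > 1 and parts[0] == "config":
            name = parts[2].strip("'\"") if len(parts) > 2 else ""
            sections.append({"type": parts[1], "name": name, "option": {}})
        elif len(parts) > 1 and parts[0] == "option" and sections:
            sections[-1]["option"][parts[1]] = parts[2].strip("'\"") if len(parts) > 2 else ""
    return sections

def check_deployment(openvpn_uci, firewall_uci, nat_cidr):
    """Return findings; an empty list means server, firewall rule and NAT subnet agree."""
    findings = []
    rules = [s["option"] for s in parse_uci(firewall_uci) if s["type"] == "rule"]
    for srv in (s for s in parse_uci(openvpn_uci) if s["type"] == "openvpn"):
        o, name = srv["option"], srv["name"]
        for req in ("ca", "cert", "key", "dh", "tls_auth"):  # PKI files + control-channel HMAC key
            if req not in o:
                findings.append(f"{name}: missing option {req}")
        try:  # 'server' is "<network> <netmask>"; it must be the subnet NAT and forwarding allow
            vpn_net = ipaddress.IPv4Network("/".join(o.get("server", "").split()))
            if vpn_net != ipaddress.IPv4Network(nat_cidr):
                findings.append(f"{name}: server subnet {vpn_net} differs from NAT subnet {nat_cidr}")
        except ValueError:
            findings.append(f"{name}: unparsable server option")
        port, proto = o.get("port", "1194"), o.get("proto", "udp")  # OpenVPN's own defaults
        if not any(r.get("src") == "wan" and r.get("target") == "ACCEPT" and r.get("proto") == proto
                   and r.get("dest_port") == port for r in rules):
            findings.append(f"{name}: no WAN ACCEPT rule for {proto}/{port}")
    return findings
# Constructed samples mirroring the post's /etc/config/openvpn and /etc/config/firewall.
SERVER_UCI = """config openvpn servername
option port 1194
option proto tcp
option ca /etc/openvpn/ca.crt
option cert /etc/openvpn/server.crt
option key /etc/openvpn/server.key
option server "172.16.1.0 255.255.255.0"
option tls_auth "/etc/openvpn/ta.key 0"
option dh /etc/openvpn/dh2048.pem"""
FIREWALL_UCI = """config rule
option target ACCEPT
option src wan
option proto tcp
option dest_port 1194"""
```

Run check_deployment(SERVER_UCI, FIREWALL_UCI, "172.16.1.0/24") against your own files to confirm the three pieces line up before enabling the service.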

