一、密码设置

# Set the root password before anything else; do this before SSH/LuCI is
# reachable from untrusted networks.
passwd

二、PPPOE

1、编辑网卡配置文件

# Open the UCI network config (the file edited in step 2 below).
vi /etc/config/network

2、编辑各个物理端口的协议

# LAN side: eth1-eth3 are bridged into br-lan.
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth1'
    list ports 'eth2'
    list ports 'eth3'
        
# WAN side: PPPoE on eth0. The ISP credentials are stored in cleartext in
# this file, so keep it root-only and redact it before sharing backups or logs.
config interface 'wan'
	option device 'eth0'
	option proto 'pppoe'
	option username '运营商提供的账号'
	option password '运营商提供的密码'
	option ipv6 'auto'

# NOTE(review): 'ipv6 auto' on the pppoe interface already requests IPv6 over
# the PPP session; a dhcpv6 interface bound directly to eth0 may be redundant
# on a PPPoE uplink — confirm with the ISP setup before keeping both.
config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

3、重启网络。此时 eth0 为 wan 口,eth1~eth3 为 lan 口(桥接为 br-lan)

# Apply the new network config; the WAN/LAN links go down briefly while it reloads.
service network restart

三、DHCP

1、进入DHCP配置文件

# Open the UCI DHCP/dnsmasq config.
vi /etc/config/dhcp

2、设置MAC/IP绑定

# Static lease: always hand this MAC the given IP. 'dns 1' additionally
# publishes the name via dnsmasq (per the OpenWrt dhcp docs — confirm on
# your release). A MAC binding is a convenience, not an access control:
# MAC addresses are trivially spoofed, so do not base firewall trust on it.
config host
	option name '绑定名称'
	option dns '1'
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip 'xxx.xxx.xxx.xxx'

四、端口转发

1、进入firewall配置文件

# Open the UCI firewall config.
vi /etc/config/firewall

2、设置端口转发

# DNAT port forward: wan:src_dport -> dest_ip:dest_port in the lan zone.
# This exposes an internal service to the Internet. No 'proto' is given, so
# the firewall's default protocol set applies — set 'option proto' explicitly
# (e.g. 'tcp') and, when the remote peer is known, restrict with 'option src_ip'.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name '转发名'
	option src 'wan'
	option src_dport '外网端口号'
	option dest_ip '内网IP'
	option dest_port '内网端口'

五、时区设置

1、进入system配置文件

# Open the UCI system config (hostname, timezone, logging).
vi /etc/config/system

2、设置时区

# Timezone is set by 'zonename' (tz database name) plus the matching POSIX
# 'timezone' string; the other options are unrelated to the timezone and are
# shown only as context of the section.
# Security: 'ttylogin 0' lets the serial console open a root shell without a
# password — set it to '1' if the console port is physically reachable.
config system
        option hostname 'OpenWrt'
        option ttylogin '0'
        option log_size '64'
        option urandom_seed '0'
        option zonename 'Asia/Shanghai'
        option timezone 'CST-8'
        option log_proto 'udp'
        option conloglevel '8'
        option cronloglevel '5'

六、语言设置

1、安装中文语言包

# Refresh the package lists, then install the Simplified Chinese LuCI translation.
opkg update
opkg install luci-i18n-base-zh-cn

七、DDNS

# Install the dnspod DDNS provider script, then edit the DDNS config below.
opkg install ddns-scripts-dnspod
vi /etc/config/ddns
# DDNS update via dnspod.cn. The address is read from the 'wan' interface
# ('ip_source network' + 'ip_network wan') rather than from an external lookup.
# Security: the credentials are stored in cleartext here; if the provider
# offers an API token scoped to this zone, use that instead of the account
# password, and keep this file root-only.
config service 'dnspod'
	option service_name 'dnspod.cn'
	option use_ipv6 '0'
	option enabled '1'
	option lookup_host '域名'
	option domain '解析域名'
	option username '账号'
	option password '密码'
	option ip_source 'network'
	option ip_network 'wan'
	option interface 'wan'
	option use_syslog '2'
	option check_unit 'minutes'
	option force_unit 'minutes'
	option retry_unit 'seconds'
	option retry_count '3'
	option retry_interval '10'

八、OPENVPN

1、准备工作

安装所需软件包。

设定VPN服务器配置的一些参数。

# Install OpenVPN (OpenSSL build) and EasyRSA.
opkg update
opkg install openvpn-openssl openvpn-easy-rsa

# Server parameters. OVPN_POOL can be any subnet except the local LAN's.
OVPN_DIR="/etc/openvpn"
OVPN_PKI="/etc/easy-rsa/pki"
OVPN_PORT="1194"
OVPN_PROTO="udp"
OVPN_POOL="192.168.8.0 255.255.255.0"
# DNS pushed to clients: the .1 of the VPN subnet ("192.168.8.0 <mask>" -> "192.168.8.1").
OVPN_DNS="${OVPN_POOL%.* *}.1"
# Search domain pushed to clients, taken from the local dnsmasq config.
OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"

# Default server address: the current WAN IP. Only useful with a static IP.
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
OVPN_SERV="${NET_ADDR}"

# With a dynamic IP (e.g. PPPoE) point clients at a DDNS name instead.
# If DDNS runs on this router its lookup_host is used automatically;
# if DDNS lives elsewhere, set OVPN_SERV by hand.
NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
if [ -n "${NET_FQDN}" ]; then
  OVPN_SERV="${NET_FQDN}"
fi

2、证书体系建立

使用 EasyRSA 管理 PKI 体系.

# EasyRSA environment: PKI location, CA common name, non-interactive mode,
# and a 10-year certificate lifetime (default 825 days) so client certs
# last as long as the CA.
export EASYRSA_PKI="${OVPN_PKI}"
export EASYRSA_REQ_CN="ovpnca"
export EASYRSA_BATCH="1"
export EASYRSA_CERT_EXPIRE="3650"

# WARNING: init-pki empties ${OVPN_PKI}; every previously issued cert is lost.
easyrsa init-pki

# CA. 'nopass' leaves ca.key unencrypted on the router: anyone who can read
# ${OVPN_PKI}/private/ca.key can mint VPN clients. Keep the PKI out of shared
# backups, or keep the CA on a separate machine for a stricter setup.
easyrsa build-ca nopass

# Diffie-Hellman parameters (can take a while on small routers).
easyrsa gen-dh

# Server cert/key and the tls-crypt-v2 server key.
easyrsa build-server-full server nopass
openvpn --genkey tls-crypt-v2-server "${EASYRSA_PKI}/private/server.pem"

# First client cert/key and its tls-crypt-v2 client key, derived from the server key.
easyrsa build-client-full client nopass
openvpn --tls-crypt-v2 "${EASYRSA_PKI}/private/server.pem" \
  --genkey tls-crypt-v2-client "${EASYRSA_PKI}/private/client.pem"

3、防火墙设置

将 VPN 网络视为私有网络。将 VPN 接口 tun+ 分配给防火墙 LAN 区域的涵盖设备,以最小化防火墙设置。允许从 WAN 区域访问 VPN 服务器。注意:这样做意味着 VPN 客户端获得与局域网主机相同的信任级别;如需最小权限,可改为单独创建 vpn 区域并显式配置转发规则。

# Firewall: name the first two zones lan/wan (assumes the default zone order),
# put the tunnel devices into the lan zone, and open the OpenVPN port from wan.
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"

# tun+ in the lan zone means VPN clients get exactly the policy of LAN hosts.
# For least privilege use a dedicated 'vpn' zone with explicit forwardings.
# del_list before add_list keeps re-runs from duplicating the entry.
uci del_list firewall.lan.device="tun+"
uci add_list firewall.lan.device="tun+"

# Inbound rule: accept ${OVPN_PROTO}/${OVPN_PORT} from wan. The section is
# removed first so this block is safe to re-run.
uci -q delete firewall.ovpn
uci set firewall.ovpn="rule"
uci set firewall.ovpn.name="Allow-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.proto="${OVPN_PROTO}"
uci set firewall.ovpn.dest_port="${OVPN_PORT}"
uci set firewall.ovpn.target="ACCEPT"

uci commit firewall
/etc/init.d/firewall restart

4、VPN服务设置

配置VPN服务,生成客户端文件。

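# Generate the server config (<id>.conf) and one client profile (<id>.ovpn)
# for every certificate in ${OVPN_PKI}/issued. Relies on OVPN_DIR, OVPN_PKI,
# OVPN_PORT, OVPN_PROTO, OVPN_POOL, OVPN_DNS, OVPN_DOMAIN and OVPN_SERV
# from step 1.
#
# Changes vs the original recipe: iterate the issued/*.crt glob instead of
# parsing `ls`, quote every path, skip certificates with neither server nor
# client purpose (before, such a cert fell through the case and its key
# material was appended to the previous iteration's config file), and
# require the client purpose on the server side.

# The profiles embed private keys and the tls-crypt-v2 key: umask go= makes
# every file written below mode 0600.
umask go=
OVPN_DH="$(cat "${OVPN_PKI}/dh.pem")"
OVPN_CA="$(openssl x509 -in "${OVPN_PKI}/ca.crt")"
for OVPN_CRT in "${OVPN_PKI}"/issued/*.crt
do
  # An unmatched glob stays literal: nothing has been issued yet.
  [ -f "${OVPN_CRT}" ] || continue
  OVPN_ID="${OVPN_CRT##*/}"
  OVPN_ID="${OVPN_ID%.crt}"
  OVPN_TC="$(cat "${OVPN_PKI}/private/${OVPN_ID}.pem")"
  OVPN_KEY="$(cat "${OVPN_PKI}/private/${OVPN_ID}.key")"
  OVPN_CERT="$(openssl x509 -in "${OVPN_CRT}")"
  # The certificate purpose decides whether this is the server or a client.
  OVPN_EKU="$(printf '%s\n' "${OVPN_CERT}" | openssl x509 -noout -purpose)"
  case "${OVPN_EKU}" in
  (*"SSL server : Yes"*)
    OVPN_CONF="${OVPN_DIR}/${OVPN_ID}.conf"
    # remote-cert-tls client: only certificates carrying the client purpose
    # (what build-client-full issues, and what the client branch below keys
    # on) may connect, so a leaked server cert cannot be replayed as a client.
    cat << EOF > "${OVPN_CONF}"
user nobody
group nogroup
dev tun
port ${OVPN_PORT}
proto ${OVPN_PROTO}
server ${OVPN_POOL}
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
remote-cert-tls client
push "dhcp-option DNS ${OVPN_DNS}"
push "dhcp-option DOMAIN ${OVPN_DOMAIN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
${OVPN_DH}
</dh>
EOF
    ;;
  (*"SSL client : Yes"*)
    OVPN_CONF="${OVPN_DIR}/${OVPN_ID}.ovpn"
    cat << EOF > "${OVPN_CONF}"
user nobody
group nogroup
dev tun
nobind
client
remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO}
auth-nocache
remote-cert-tls server
EOF
    ;;
  (*)
    echo "skipping ${OVPN_ID}: certificate has neither server nor client purpose" >&2
    continue
    ;;
  esac
  # Common tail: tls-crypt-v2 key, private key, certificate and CA, all inline.
  cat << EOF >> "${OVPN_CONF}"
<tls-crypt-v2>
${OVPN_TC}
</tls-crypt-v2>
<key>
${OVPN_KEY}
</key>
<cert>
${OVPN_CERT}
</cert>
<ca>
${OVPN_CA}
</ca>
EOF
done
/etc/init.d/openvpn restart
# Each .ovpn contains that client's private key: transfer it over a secure
# channel and delete the copy on the router afterwards.
ls "${OVPN_DIR}"/*.ovpn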

5、多客户端,替换【】括起来的文件名生成多个配置文件

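# Add one more client, then re-run step 4 to regenerate the profiles.
# The name is set once in OVPN_CLIENT instead of being edited in two places.
OVPN_CLIENT="【Client】"
OVPN_PKI="/etc/easy-rsa/pki"
OVPN_DIR="/etc/openvpn"
OVPN_PORT="1194"
OVPN_PROTO="udp"
OVPN_POOL="192.168.8.0 255.255.255.0"
# Step 4 also needs OVPN_DNS/OVPN_DOMAIN and a fallback OVPN_SERV; without
# them (fresh shell) the regenerated profiles would push empty values.
OVPN_DNS="${OVPN_POOL%.* *}.1"
OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
OVPN_SERV="${NET_ADDR}"
NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
if [ -n "${NET_FQDN}" ]
then OVPN_SERV="${NET_FQDN}"
fi
export EASYRSA_PKI="${OVPN_PKI}"
# Same EasyRSA settings as step 2: non-interactive, and the same lifetime —
# without EASYRSA_CERT_EXPIRE the extra client gets the 825-day default.
export EASYRSA_BATCH="1"
export EASYRSA_CERT_EXPIRE="3650"
# Issue the cert first; only generate the tls-crypt-v2 client key if that
# succeeded, otherwise a failed reissue (e.g. name already exists) would
# overwrite the existing client's key and break its profile.
easyrsa build-client-full "${OVPN_CLIENT}" nopass \
&& openvpn --tls-crypt-v2 "${EASYRSA_PKI}/private/server.pem" \
   --genkey tls-crypt-v2-client "${EASYRSA_PKI}/private/${OVPN_CLIENT}.pem"
# Now repeat step 4 to (re)generate the .ovpn files.
/etc/init.d/openvpn restart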

6、将客户端配置文件*.ovpn导入到OpenVPN客户端

7、如需吊销证书可使用以下程序

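# Revoke one client certificate and make the server enforce the CRL.
OVPN_REVOKE="client"             # name of the client to revoke
VPN_PKI="/etc/easy-rsa/pki"
VPN_CONF="/etc/openvpn/server.conf"
export EASYRSA_PKI="${VPN_PKI}"  # same PKI as steps 2/5, not easyrsa's cwd default

easyrsa revoke "${OVPN_REVOKE}"

# (Re)generate the CRL. The CRL itself has a validity period
# (EASYRSA_CRL_DAYS, 180 days unless changed); once it expires OpenVPN
# rejects every client, so re-run gen-crl and this block before then.
easyrsa gen-crl

# Replace any previous inline CRL instead of appending another copy, so the
# block can be re-run for each revocation without stacking duplicate options.
sed -i '/^<crl-verify>$/,/^<\/crl-verify>$/d' "${VPN_CONF}"
VPN_CRL="$(cat "${VPN_PKI}/crl.pem")"
cat << EOF >> "${VPN_CONF}"
<crl-verify>
${VPN_CRL}
</crl-verify>
EOF

/etc/init.d/openvpn restart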