Setting up an IPv6 OpenVPN server on OpenWrt

Server-side configuration

Install the OpenVPN software

opkg update
opkg install openvpn openvpn-easy-rsa  # easy-rsa is not strictly required; I do the easy-rsa steps on a PC instead

[important]The following steps are done on Windows; download and install the Windows version of OpenVPN first. If you intend to run easy-rsa on the router itself, see the reference sources at the end of this post for the corresponding steps.[/important]

Generate the CA and the certificates

Edit OpenVPN\easy-rsa\vars.bat.sample with your own information:

set KEY_COUNTRY=CN
set KEY_PROVINCE=Guangdong
set KEY_CITY=Guangzhou
set KEY_ORG=7forz
set KEY_EMAIL=7f@7forz.com
set KEY_CN=7forz
set KEY_NAME=7forz
set KEY_OU=7forz
set PKCS11_MODULE_PATH=7forz.com
set PKCS11_PIN=1234

Open cmd, change into OpenVPN\easy-rsa, and run the following commands:

init-config

vars

clean-all

build-ca (creates the root certificate)
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Guangzhou]:
Organization Name (eg, company) [7forz]:
Organizational Unit Name (eg, section) [7forz]:
Common Name (eg, your name or your server's hostname) [7forz]:
Name [7forz]:
Email Address [7f@7forz.com]:

build-dh

build-key-server server (creates the server certificate; server is the machine name)
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Guangzhou]:
Organization Name (eg, company) [7forz]:
Organizational Unit Name (eg, section) [7forz]:
Common Name (eg, your name or your server's hostname) [7forz]:
Name [7forz]:
Email Address [7f@7forz.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:

build-key client1 (creates a client certificate; client1 is the user name, and you can create client2, client3 and so on later)
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Guangzhou]:
Organization Name (eg, company) [7forz]:
Organizational Unit Name (eg, section) [7forz]:
Common Name (eg, your name or your server's hostname) [7forz]:
Name [7forz]:
Email Address [7f@7forz.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:

If you get the error
failed to update database
TXT_DB error number 2
it seems to be caused by using the same Common Name twice. Either change the Common Name when generating the certificate, or open keys\index.txt, clear its contents, and run the build-key client1 command again.

Then copy ca.crt, server.* and dh*.pem to the /etc/openvpn directory on the router.

And put ca.crt and client*.* into the OpenVPN\config directory on your PC.

Modify the router's network configuration

1.Create the VPN interface

Log in to the router with PuTTY and run:

uci set network.vpn=interface
uci set network.vpn.ifname=tun0
uci set network.vpn.proto=none

uci commit network; /etc/init.d/network reload

2.Allow OpenVPN tunnel negotiation

uci add firewall rule
uci set firewall.@rule[-1].name=Allow-Inbound-OpenVPN
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].family=ipv6
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=1194

3.Allow OpenVPN tunnel utilization

uci add firewall zone
uci set firewall.@zone[-1].name=vpn
uci set firewall.@zone[-1].input=ACCEPT
uci set firewall.@zone[-1].forward=REJECT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].network=vpn

4.Allow the client to access the OpenVPN server's LAN via the VPN (optional)

uci add firewall forwarding
uci set firewall.@forwarding[-1].src=vpn
uci set firewall.@forwarding[-1].dest=lan

5.Allow the client to access the OpenVPN server's WAN via the VPN (optional)

uci add firewall forwarding
uci set firewall.@forwarding[-1].src=vpn
uci set firewall.@forwarding[-1].dest=wan

6.Finally, commit the changes

uci commit firewall; /etc/init.d/firewall reload

Note that Steps 4 and 5 overrule the REJECT in Step 3. You may want only Step 4, or only Step 5, or maybe both. That is,

Step 3 will allow the VPN client(s) to access the OpenVPN server itself
Step 4 will allow the VPN client(s) to access networks via the OpenVPN server's LAN interfaces
Step 5 will allow the VPN client(s) to access networks via the OpenVPN server's WAN interfaces
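As an added example (not code from the original post or from the OpenWrt project), the following Python script parses a constructed `uci show firewall` listing containing the zone from Step 3 and the forwarding from Step 4, and reports what a VPN client can reach. It follows the fw3 chain layout, in which a zone's forward policy only covers traffic between networks of the same zone, so it also answers for the case of another VPN client as the destination.

```python
"""Added example (not from the original post): model what the guide's
firewall zone and forwarding sections let a VPN client reach.  The uci
lines are constructed from the page's commands (steps 3 and 4, not 5)."""
import re

UCI_SHOW_FIREWALL = """\
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='vpn'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='lan'
"""

LINE_RE = re.compile(r"^firewall\.@(\w+)\[(\d+)\](?:\.(\w+))?=(.*)$")

def parse_uci(text):
    """Group 'uci show firewall' lines into {section_type: [options...]}."""
    sections = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, idx, opt, val = m.groups()
        entry = sections.setdefault(kind, {}).setdefault(int(idx), {})
        if opt:
            entry[opt] = val.strip("'")
    return {k: [v[i] for i in sorted(v)] for k, v in sections.items()}

def vpn_client_can_reach(cfg, dest):
    """dest is 'self' (the router), 'vpn' (another client) or a zone name.
    Mirrors fw3's chains: the zone's input policy governs traffic to the
    router, its forward policy only traffic between networks of the same
    zone, and traffic into another zone needs an explicit forwarding."""
    zone = next(z for z in cfg.get("zone", []) if z.get("name") == "vpn")
    if dest == "self":
        return zone.get("input") == "ACCEPT"
    if dest == "vpn":
        return zone.get("forward") == "ACCEPT"
    return any(f.get("src") == "vpn" and f.get("dest") == dest
               for f in cfg.get("forwarding", []))

def reachability(text=UCI_SHOW_FIREWALL):
    cfg = parse_uci(text)
    return {d: vpn_client_can_reach(cfg, d) for d in ("self", "vpn", "lan", "wan")}

for dest, allowed in reachability().items():
    print(f"vpn -> {dest}: {'ACCEPT' if allowed else 'REJECT'}")
```

Appending the Step 5 forwarding to the listing flips the `wan` verdict to ACCEPT, which is a quick way to confirm that only the forwardings you intended are present.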

Modify the OpenVPN parameters

1.Clear the default OpenVPN configuration file /etc/config/openvpn, then run the following commands:

echo > /etc/config/openvpn

uci set openvpn.myvpn=openvpn
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.dev=tun
uci set openvpn.myvpn.persist_tun=1
uci set openvpn.myvpn.persist_key=1
uci set openvpn.myvpn.proto=udp6      ##  ipv6
uci set openvpn.myvpn.comp_lzo=yes

uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.log=/tmp/openvpn.log
uci set openvpn.myvpn.status=/tmp/openvpn-status.log

uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt
uci set openvpn.myvpn.cert=`ls /etc/openvpn/server*.crt`      ## NB: these are back-quotes
uci set openvpn.myvpn.key=`ls /etc/openvpn/server*.key`     ## NB: these are back-quotes

2.To that, add the server-specific parameters.

uci set openvpn.myvpn.server='10.8.0.0 255.255.255.0' ## NB: these are single quotes
uci set openvpn.myvpn.port=1194
uci set openvpn.myvpn.ifconfig_pool_persist=/tmp/openvpn-ipp.txt
uci set openvpn.myvpn.keepalive='10 120' ## NB: these are single quotes

uci set openvpn.myvpn.dh=`ls /etc/openvpn/dh*.pem` ## NB: these are back-quotes

uci add_list openvpn.myvpn.push='dhcp-option DNS 114.114.114.114'
uci add_list openvpn.myvpn.push='route-gateway 10.8.0.1'

3.And finally, the tricky bit (read the notice below before running this command):

uci add_list openvpn.myvpn.push='redirect-gateway def1' ## NB: these are single quotes

[notice]

If the OpenVPN client and server are on the same subnet, then you must add the local flag. Use instead: uci add_list openvpn.myvpn.push='redirect-gateway def1 local'

If your OpenVPN client is not to route all its traffic via the server (and therefore continue to use its existing default gateway), then you should not use the redirect-gateway option at all.

[/notice]

4.Commit the configuration, enable and start the OpenVPN daemon:

uci commit openvpn; /etc/init.d/openvpn enable; /etc/init.d/openvpn start
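As an added example (not code from the original post or from OpenWrt's init script), the following Python script turns the uci openvpn section built in steps 1 to 3 into the option lines the OpenVPN daemon reads, so the whole server configuration can be reviewed at once, and then applies the same-subnet caveat from the notice to a given client address. The `uci show openvpn` listing is constructed from the page's commands; the rendering rules (underscore to hyphen, `1` booleans as bare flags, each push item quoted on its own line) are assumed here.

```python
"""Added example (not from the original post): render the guide's uci
openvpn section as the option lines the OpenVPN daemon reads ('_' to '-',
'1' booleans as bare flags, each push item quoted on its own line), then
check the notice's same-subnet caveat for redirect-gateway."""
import ipaddress, shlex

# Constructed 'uci show openvpn' output matching the page's commands.
UCI_OPENVPN = """\
openvpn.myvpn=openvpn
openvpn.myvpn.enabled='1'
openvpn.myvpn.dev='tun'
openvpn.myvpn.persist_tun='1'
openvpn.myvpn.proto='udp6'
openvpn.myvpn.server='10.8.0.0 255.255.255.0'
openvpn.myvpn.port='1194'
openvpn.myvpn.keepalive='10 120'
openvpn.myvpn.push='dhcp-option DNS 114.114.114.114' 'route-gateway 10.8.0.1' 'redirect-gateway def1'
"""
BOOL_OPTIONS = {"persist_tun", "persist_key"}  # written without a value

def render_conf(uci_text, section="myvpn"):
    """Return the OpenVPN config lines for one uci openvpn section."""
    lines = []
    for raw in uci_text.splitlines():
        key, _, value = raw.partition("=")
        parts = key.split(".")
        if len(parts) != 3 or parts[1] != section or parts[2] == "enabled":
            continue
        name = parts[2].replace("_", "-")
        values = shlex.split(value)  # splits uci's 'a' 'b' list syntax
        if parts[2] in BOOL_OPTIONS:
            lines.append(name)
        elif name == "push":
            lines.extend(f'push "{v}"' for v in values)
        else:
            lines.extend(f"{name} {v}" for v in values)
    return lines

def redirect_gateway_warning(conf_lines, client_cidr, server_cidr):
    """Per the notice: a client on the server's own subnet needs
    'redirect-gateway def1 local'.  Returns a message or None."""
    same_subnet = (ipaddress.ip_network(client_cidr, strict=False)
                   == ipaddress.ip_network(server_cidr, strict=False))
    for line in conf_lines:
        if not line.startswith('push "redirect-gateway'):
            continue
        pushed = line[len('push "'):-1]
        if same_subnet and "local" not in pushed.split():
            return f"same subnet: push '{pushed} local' instead of '{pushed}'"
    return None
```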

Client-side configuration

Create a new file in a text editor, then paste and edit the following:

client
dev tun
proto udp6
remote [your router's IPv6 address] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo

Save it as client1.ovpn, import it into your OpenVPN client, and you can start testing.

Some reference sources:

  1. http://huxos.me/2013/01/13/openwrt-openvpn/
  2. http://www.cnitblog.com/lizhenbao/archive/2006/10/24/18356.html
  3. http://logicmd.net/2010/12/setup-ipv6-openvpn/
  4. http://wiki.openwrt.org/doc/howto/vpn.openvpn
