Differences

This shows you the differences between two versions of the page.

zh:docs:guide-user:services:vpn:openvpn:basic [2019/07/26 11:56] – created hgao
zh:docs:guide-user:services:vpn:openvpn:basic [2022/10/27 18:36] – [Troubleshooting] OpenWrt 22.03 update vgaetera
Line 6: Line 6:
 ===== 简介 ===== ===== 简介 =====
   * 如何在OpenWrt上配置运行[[wp>OpenVPN|OpenVPN]]服务器.   * 如何在OpenWrt上配置运行[[wp>OpenVPN|OpenVPN]]服务器.
-  * It helps generate OpenVPN client profiles easy to export/import between devices+  * 生成易于在不同的客户端设备间导入导出的OpenVPN客户端配置文件(profiles)
-  * Follow [[client|OpenVPN client]] for client setup and [[extra|OpenVPN extras]] for additional tuning.+  * 客户端的设置参考[[docs:guide-user:services:vpn:openvpn:client|OpenVPN client]],更多OpenVPN的高级特性的调整参考[[docs:guide-user:services:vpn:openvpn:extras|OpenVPN extras]].
  
 ===== 目标 ===== ===== 目标 =====
-  * Encrypt your internet connection to enforce security and privacy. +  * 使用加密的网络连接模式来增强安全性和私密性 
-    * Prevent data leak and traffic spoofing on the client side. +    * 避免在客户端发生的数据泄露(Data leak)和流量欺骗(Traffic spoofing) 
-  * Bypass regional restrictions using commercial providers. +  * 绕过地区性限制 
-    * Escape client side content filters and internet censorship. +    * 摆脱针对客户端侧的内容审查和过滤 
-  * Access your LAN services remotely without port forwarding.+  * 在访问局域网内服务的同时,避免通过端口映射将指定端口提供的服务直接暴露向公共网络
  
 ===== 指导 ===== ===== 指导 =====
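Review bot: the translated bullet 绕过地区性限制 in the 目标 list drops "using commercial providers" from the English line it replaces, so the goal no longer says how the bypass is meant to be achieved; restore the qualifier or confirm it was left out on purpose. The two rewritten links in the 简介 list now point at docs:guide-user:services:vpn:openvpn:client and docs:guide-user:services:vpn:openvpn:extras instead of the relative client and extra, which takes readers of the zh page out of the zh namespace; if no zh version of those pages exists, say so next to the links.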
Line 35: Line 35:
 </code> </code>
  
-==== 2. PKI ==== +==== 2. PKI(公钥基础设施) ==== 
-Use [[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]] to manage the PKI+使用[[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]]来处理[[docs:guide-user:services:vpn:openvpn:extras#pki|PKI]]相关的事务。如果需要,可以给私钥加上密码保护.
-Utilize private key password protection if required.+
  
 <code bash> <code bash>
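Review bot: the replacement PKI sentence mixes punctuation, closing its first clause with "。" and its last with an ASCII "."; use the full-width form throughout. The sentence also tells the reader that private keys can be password-protected if required but, like the English it replaces, does not say which step of the code block that applies to.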
Line 58: Line 57:
 easyrsa --batch build-ca nopass easyrsa --batch build-ca nopass
  
-# Generate a keypair and sign locally for vpnserver+# Generate a key pair and sign locally for vpnserver
 easyrsa --batch build-server-full vpnserver nopass easyrsa --batch build-server-full vpnserver nopass
  
-# Generate a keypair and sign locally for vpnclient+# Generate a key pair and sign locally for vpnclient
 easyrsa --batch build-client-full vpnclient nopass easyrsa --batch build-client-full vpnclient nopass
 </code> </code>
- +==== 3. VPN服务器的配置 ==== 
-See also: [[extra#pki|PKI]] +安装并配置VPN服务器.
- +
-==== 3. Basic server ==== +
-Install and configure VPN server.+
  
 <code bash> <code bash>
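Review bot: all three easyrsa calls in this hunk (build-ca, build-server-full, build-client-full) keep nopass, which is what leaves the generated keys unencrypted, while the PKI paragraph above says private keys can be password-protected if required; the change only turns "keypair" into "key pair" in the comments, so the reader is never told that nopass is the switch involved. A short comment at build-ca and build-client-full would close that gap. The new heading ==== 3. VPN服务器的配置 ==== also follows </code> directly because the blank line was removed together with the See also line; restore it to match the other sections.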
Line 127: Line 123:
 </code> </code>
  
-See also: [[extra#instance_management|Instance management]], [[extra#dual-stack_gateway|Dual-stack gateway]]+See also: [[docs:guide-user:services:vpn:openvpn:extras#instance_management|Instance management]], [[docs:guide-user:services:vpn:openvpn:extras#dual-stack_gateway|Dual-stack gateway]]
  
-==== 4. Client profiles ==== +==== 4. 客户端的配置文件(profiles==== 
-Set up [[docs:guide-user:services:ddns:client|DDNS client]] if required. +为VPN客户端生成配置文件(profiles)。 如果需要,也可以设置 [[docs:guide-user:services:ddns:client|DDNS client]]。 
-Generate VPN client profiles.+
  
 <code bash> <code bash>
-# Fetch IP address+# Fetch WAN IP address
 source /lib/functions/network.sh source /lib/functions/network.sh
 network_find_wan NET_IF network_find_wan NET_IF
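Review bot: the new section heading reads ==== 4. 客户端的配置文件(profiles==== with no closing ")" and no space before the trailing ====, so the title is left with an unbalanced bracket; it should end with (profiles) ====. The See also line at the top of the hunk was repointed to the absolute extras links but left in English, unlike the prose around it.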
Line 187: Line 182:
 Extract client profiles from the archive and import them to your clients. Extract client profiles from the archive and import them to your clients.
  
-See also: [[extra#client_fixes|Client fixes]], [[extra#recommended_clients|Recommended clients]] +See also: [[docs:guide-user:services:vpn:openvpn:extras#client_fixes|Client fixes]], [[docs:guide-user:services:vpn:openvpn:extras#recommended_clients|Recommended clients]] 
- +===== 测试 ===== 
-===== Testing ===== +建立VPN连接。检查客户端的流量全部经过VPN服务器的网关。
-Establish VPN connection. +
-Verify your client traffic is routed via VPN gateway.+
  
 <code bash> <code bash>
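Review bot: "Extract client profiles from the archive and import them to your clients." stays in English as the unchanged first line of this hunk while the 测试 paragraph just below it was translated, so the page switches language in the middle of the procedure; translate it in the same pass. The ===== 测试 ===== heading also lost the blank line that separated it from the See also line.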
Line 198: Line 191:
 </code> </code>
  
-Check your client public IP addresses. +检查客户端的公网IP地址:  * [[https://ipleak.net/]] 
-  * [[https://ipleak.net/]] + 
-Make sure there is no DNS leak on the client side. +确保在客户端一侧没有DNS leak。  * [[https://dnsleaktest.com/]] 
-  * [[https://dnsleaktest.com/]] + 
-Delegate a public IPv6 prefix to VPN6 network to use IPv6 by default. +Delegate a public IPv6 prefix to the IPv6 VPN network to use IPv6 by default.  * [[https://ipv6-test.com/]]
-  * [[https://ipv6-test.com/]]+
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
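Review bot: the third check, "Delegate a public IPv6 prefix to the IPv6 VPN network to use IPv6 by default.", was reworded but not translated, and "DNS leak" in the check above it is left in English without a Chinese gloss, whereas the 目标 list glosses the same kind of term as 数据泄露(Data leak); make the three checks consistent. The ===== Troubleshooting ===== heading is likewise still in English.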
Line 209: Line 201:
  
 <code bash> <code bash>
-# Restart the services, then try to reconnect+# Restart services
 service log restart; service openvpn restart; sleep 10 service log restart; service openvpn restart; sleep 10
  
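Review bot: shortening the comment to "# Restart services" removes "then try to reconnect", which was the only hint that the reader should retry the VPN connection after the restart, and it leaves the trailing sleep 10 without an explanation. Keep that part of the comment, for example "# Restart services, then try to reconnect".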
Line 217: Line 209:
 # Runtime configuration # Runtime configuration
 pgrep -f -a openvpn pgrep -f -a openvpn
-ip addr show; ip route showip rule show; iptables-save +ip address show; ip route show table all 
-ip -6 addr show; ip -6 route show; ip -6 rule show; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
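Review bot: replacing iptables-save and ip6tables-save with nft list ruleset ties these diagnostics to the nftables-based firewall of the "OpenWrt 22.03 update" named in the revision summary, and the page gives no hint for readers on a release that still uses iptables; a short comment naming the release would help. The explicit ip -6 addr show and ip -6 route show calls are also gone, so please confirm that ip address show and ip route show table all still print the IPv6 addresses and routes on the ip build shipped with OpenWrt.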
Line 224: Line 216:
 head -n -0 /etc/openvpn/*.conf head -n -0 /etc/openvpn/*.conf
 </code> </code>
- 
-{{tag>How-to VPN OpenVPN EasyRSA}} 
  
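Review bot: the {{tag>How-to VPN OpenVPN EasyRSA}} line is deleted at the end of the page and the revision summary, which only mentions the Troubleshooting update, does not explain it. If the removal is intentional, say so in the summary; otherwise restore the line so the page keeps its tags.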
  • Last modified: 2023/09/09 10:57
  • by vgaetera