Differences

This shows you the differences between two versions of the page.

zh:docs:guide-user:services:vpn:openvpn:basic [2019/07/26 12:06] – [3. Basic server] hgao
zh:docs:guide-user:services:vpn:openvpn:basic [2022/10/27 18:36] – [Troubleshooting] OpenWrt 22.03 update vgaetera
Line 7: Line 7:
   * 如何在OpenWrt上配置运行[[wp>OpenVPN|OpenVPN]]服务器.   * 如何在OpenWrt上配置运行[[wp>OpenVPN|OpenVPN]]服务器.
   * 生成易于在不同的客户端设备间导入导出的OpenVPN客户端配置文件(profiles).   * 生成易于在不同的客户端设备间导入导出的OpenVPN客户端配置文件(profiles).
-  * 客户端的设置参考[[client|OpenVPN client]],更多OpenVPN的高级特性的调整参考[[extra|OpenVPN extras]].+  * 客户端的设置参考[[docs:guide-user:services:vpn:openvpn:client|OpenVPN client]],更多OpenVPN的高级特性的调整参考[[docs:guide-user:services:vpn:openvpn:extras|OpenVPN extras]].
  
 ===== 目标 ===== ===== 目标 =====
-  * Encrypt your internet connection to enforce security and privacy. +  * 使用加密的网络连接模式来增强安全性和私密性 
-    * Prevent data leak and traffic spoofing on the client side. +    * 避免在客户端发生的数据泄露(Data leak)和流量欺骗(Traffic spoofing) 
-  * Bypass regional restrictions using commercial providers. +  * 绕过地区性限制 
-    * Escape client side content filters and internet censorship. +    * 摆脱针对客户端侧的内容审查和过滤 
-  * Access your LAN services remotely without port forwarding.+  * 在访问局域网内服务的同时,避免通过端口映射将指定端口提供的服务直接暴露向公共网络
  
 ===== 指导 ===== ===== 指导 =====
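Review bot: The third translated goal, "绕过地区性限制", drops the qualifier "using commercial providers" from the English bullet it replaces, so the Chinese page no longer says that this goal relies on a third-party provider rather than on the server this guide sets up. Suggest carrying the qualifier over. The last bullet goes the other way and adds an explanation about not exposing the forwarded port to the public network that the English line did not state; that reads well, but the two language versions now differ in content and it is worth deciding which one is the reference.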
Line 36: Line 36:
  
 ==== 2. PKI(公钥基础设施) ==== ==== 2. PKI(公钥基础设施) ====
-使用[[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]]来处理PKI相关的事务。如果需要,可以给私钥加上密码保护.+使用[[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]]来处理[[docs:guide-user:services:vpn:openvpn:extras#pki|PKI]]相关的事务。如果需要,可以给私钥加上密码保护.
  
 <code bash> <code bash>
Line 57: Line 57:
 easyrsa --batch build-ca nopass easyrsa --batch build-ca nopass
  
-# Generate a keypair and sign locally for vpnserver+# Generate a key pair and sign locally for vpnserver
 easyrsa --batch build-server-full vpnserver nopass easyrsa --batch build-server-full vpnserver nopass
  
-# Generate a keypair and sign locally for vpnclient+# Generate a key pair and sign locally for vpnclient
 easyrsa --batch build-client-full vpnclient nopass easyrsa --batch build-client-full vpnclient nopass
 </code> </code>
- 
-See also: [[extra#pki|PKI]] 
- 
 ==== 3. VPN服务器的配置 ==== ==== 3. VPN服务器的配置 ====
 安装并配置VPN服务器. 安装并配置VPN服务器.
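Review bot: All three commands in the context lines, including "easyrsa --batch build-ca nopass", still pass "nopass", while the section intro says the private key can be passphrase-protected if needed, and this hunk only touches the comment wording and removes the "See also" line. Since the code block is being edited anyway, suggest one comment line stating that "nopass" leaves the CA, server and client private keys unencrypted on the device, and which of the three keys the optional passphrase is meant for. Separately, the removal takes both blank lines with it, so "</code>" now sits directly against the "==== 3." heading; keeping one blank line would match the other sections.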
Line 126: Line 123:
 </code> </code>
  
-See also: [[extra#instance_management|Instance management]], [[extra#dual-stack_gateway|Dual-stack gateway]]+See also: [[docs:guide-user:services:vpn:openvpn:extras#instance_management|Instance management]], [[docs:guide-user:services:vpn:openvpn:extras#dual-stack_gateway|Dual-stack gateway]]
  
-==== 4. Client profiles ==== +==== 4. 客户端的配置文件(profiles==== 
-Set up [[docs:guide-user:services:ddns:client|DDNS client]] if required. +为VPN客户端生成配置文件(profiles)。 如果需要,也可以设置 [[docs:guide-user:services:ddns:client|DDNS client]]。 
-Generate VPN client profiles.+
  
 <code bash> <code bash>
-# Fetch IP address+# Fetch WAN IP address
 source /lib/functions/network.sh source /lib/functions/network.sh
 network_find_wan NET_IF network_find_wan NET_IF
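Review bot: The new heading line "==== 4. 客户端的配置文件(profiles==== " is missing the closing ")" and the space before the closing "====", so the heading markup is malformed compared with "==== 2. PKI(公钥基础设施) ====" earlier on the page. Suggest "==== 4. 客户端的配置文件(profiles) ====". The reordered intro now mentions profile generation before DDNS, which is fine, but the DDNS setup has to happen before the script fetches the address, so it may be clearer to keep the original order.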
Line 186: Line 182:
 Extract client profiles from the archive and import them to your clients. Extract client profiles from the archive and import them to your clients.
  
-See also: [[extra#client_fixes|Client fixes]], [[extra#recommended_clients|Recommended clients]] +See also: [[docs:guide-user:services:vpn:openvpn:extras#client_fixes|Client fixes]], [[docs:guide-user:services:vpn:openvpn:extras#recommended_clients|Recommended clients]]
 ===== 测试 ===== ===== 测试 =====
 建立VPN连接。检查客户端的流量全部经过VPN服务器的网关。 建立VPN连接。检查客户端的流量全部经过VPN服务器的网关。
Line 196: Line 191:
 </code> </code>
  
-Check your client public IP addresses. +检查客户端的公网IP地址:  * [[https://ipleak.net/]] 
-  * [[https://ipleak.net/]] + 
-Make sure there is no DNS leak on the client side. +确保在客户端一侧没有DNS leak。  * [[https://dnsleaktest.com/]] 
-  * [[https://dnsleaktest.com/]] + 
-Delegate a public IPv6 prefix to VPN6 network to use IPv6 by default. +Delegate a public IPv6 prefix to the IPv6 VPN network to use IPv6 by default.  * [[https://ipv6-test.com/]]
-  * [[https://ipv6-test.com/]]+
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
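Review bot: The third check, "Delegate a public IPv6 prefix to the IPv6 VPN network to use IPv6 by default.", is reworded but left in English while the two checks above it are translated in the same hunk. Suggest translating it as well. "DNS leak" is also left as a bare English term in "确保在客户端一侧没有DNS leak。"; the Line 7 hunk glosses similar terms in the form "数据泄露(Data leak)", and using the same pattern here would keep the page consistent.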
Line 207: Line 201:
  
 <code bash> <code bash>
-# Restart the services, then try to reconnect+# Restart services
 service log restart; service openvpn restart; sleep 10 service log restart; service openvpn restart; sleep 10
  
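Review bot: The shortened comment "# Restart services" drops "then try to reconnect", but the command line still ends in "sleep 10", which now has no stated purpose. A reader following the block will not know that a connection attempt is expected at this point. Suggest keeping the reconnect instruction in the comment, or adding a second comment line for it.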
Line 215: Line 209:
 # Runtime configuration # Runtime configuration
 pgrep -f -a openvpn pgrep -f -a openvpn
-ip addr show; ip route showip rule show; iptables-save +ip address show; ip route show table all 
-ip -6 addr show; ip -6 route show; ip -6 rule show; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
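Review bot: Replacing "iptables-save" and "ip6tables-save" with "nft list ruleset" matches the "OpenWrt 22.03 update" summary, but the block gives no version note, so readers on releases that still use iptables lose the only command here that dumps their firewall rules. Suggest a comment stating that "nft list ruleset" applies to 22.03 and later. The hunk also removes "ip -6 addr show" and "ip -6 route show"; please confirm that "ip address show" and "ip route show table all" print the IPv6 addresses and routes on the ip implementation shipped with the target release, since only the rule listing keeps an explicit "-6" variant.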
Line 222: Line 216:
 head -n -0 /etc/openvpn/*.conf head -n -0 /etc/openvpn/*.conf
 </code> </code>
- 
-{{tag>How-to VPN OpenVPN EasyRSA}} 
  
  • Last modified: 2023/09/09 10:57
  • by vgaetera