Differences

This shows you the differences between two versions of the page.

zh:docs:guide-user:services:vpn:openvpn:basic [2019/08/18 05:04] – links updated vgaetera
zh:docs:guide-user:services:vpn:openvpn:basic [2022/10/27 18:36] – [Troubleshooting] OpenWrt 22.03 update vgaetera
Line 7: Line 7:
   * 如何在OpenWrt上配置运行[[wp>OpenVPN|OpenVPN]]服务器.   * 如何在OpenWrt上配置运行[[wp>OpenVPN|OpenVPN]]服务器.
   * 生成易于在不同的客户端设备间导入导出的OpenVPN客户端配置文件(profiles).   * 生成易于在不同的客户端设备间导入导出的OpenVPN客户端配置文件(profiles).
-  * 客户端的设置参考[[docs:guide-user:services:vpn:openvpn:client|OpenVPN client]],更多OpenVPN的高级特性的调整参考[[docs:guide-user:services:vpn:openvpn:extra|OpenVPN extras]].+  * 客户端的设置参考[[docs:guide-user:services:vpn:openvpn:client|OpenVPN client]],更多OpenVPN的高级特性的调整参考[[docs:guide-user:services:vpn:openvpn:extras|OpenVPN extras]].
  
 ===== 目标 ===== ===== 目标 =====
-  * Encrypt your internet connection to enforce security and privacy. +  * 使用加密的网络连接模式来增强安全性和私密性 
-    * Prevent data leak and traffic spoofing on the client side. +    * 避免在客户端发生的数据泄露(Data leak)和流量欺骗(Traffic spoofing) 
-  * Bypass regional restrictions using commercial providers. +  * 绕过地区性限制 
-    * Escape client side content filters and internet censorship. +    * 摆脱针对客户端侧的内容审查和过滤 
-  * Access your LAN services remotely without port forwarding.+  * 在访问局域网内服务的同时,避免通过端口映射将指定端口提供的服务直接暴露向公共网络
  
 ===== 指导 ===== ===== 指导 =====
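Review bot: The translated goal 绕过地区性限制 drops the "using commercial providers" qualifier that the English line it replaces carried, so the Chinese text no longer says how the restriction is bypassed; restore the qualifier or confirm the omission is intended. The five new bullets also end without the full stop that the two unchanged Chinese bullets above them use.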
Line 36: Line 36:
  
 ==== 2. PKI(公钥基础设施) ==== ==== 2. PKI(公钥基础设施) ====
-使用[[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]]来处理[[docs:guide-user:services:vpn:openvpn:extra#pki|PKI]]相关的事务。如果需要,可以给私钥加上密码保护.+使用[[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]]来处理[[docs:guide-user:services:vpn:openvpn:extras#pki|PKI]]相关的事务。如果需要,可以给私钥加上密码保护.
  
 <code bash> <code bash>
Line 57: Line 57:
 easyrsa --batch build-ca nopass easyrsa --batch build-ca nopass
  
-# Generate a keypair and sign locally for vpnserver+# Generate a key pair and sign locally for vpnserver
 easyrsa --batch build-server-full vpnserver nopass easyrsa --batch build-server-full vpnserver nopass
  
-# Generate a keypair and sign locally for vpnclient+# Generate a key pair and sign locally for vpnclient
 easyrsa --batch build-client-full vpnclient nopass easyrsa --batch build-client-full vpnclient nopass
 </code> </code>
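Review bot: The build-ca, build-server-full and build-client-full lines all keep nopass, so the CA, server and client private keys are written unencrypted, while the section text above says a passphrase can be added if required. Since the comments are being edited anyway, add a comment line stating that removing nopass protects the key with a passphrase, so the reader can see where that choice is made.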
Line 123: Line 123:
 </code> </code>
  
-See also: [[docs:guide-user:services:vpn:openvpn:extra#instance_management|Instance management]], [[docs:guide-user:services:vpn:openvpn:extra#dual-stack_gateway|Dual-stack gateway]]+See also: [[docs:guide-user:services:vpn:openvpn:extras#instance_management|Instance management]], [[docs:guide-user:services:vpn:openvpn:extras#dual-stack_gateway|Dual-stack gateway]]
  
 ==== 4. 客户端的配置文件(profiles) ==== ==== 4. 客户端的配置文件(profiles) ====
Line 129: Line 129:
  
 <code bash> <code bash>
-# Fetch IP address+# Fetch WAN IP address
 source /lib/functions/network.sh source /lib/functions/network.sh
 network_find_wan NET_IF network_find_wan NET_IF
Line 182: Line 182:
 Extract client profiles from the archive and import them to your clients. Extract client profiles from the archive and import them to your clients.
  
-See also: [[docs:guide-user:services:vpn:openvpn:extra#client_fixes|Client fixes]], [[docs:guide-user:services:vpn:openvpn:extra#recommended_clients|Recommended clients]]+See also: [[docs:guide-user:services:vpn:openvpn:extras#client_fixes|Client fixes]], [[docs:guide-user:services:vpn:openvpn:extras#recommended_clients|Recommended clients]]
 ===== 测试 ===== ===== 测试 =====
 建立VPN连接。检查客户端的流量全部经过VPN服务器的网关。 建立VPN连接。检查客户端的流量全部经过VPN服务器的网关。
Line 195: Line 195:
 确保在客户端一侧没有DNS leak。  * [[https://dnsleaktest.com/]] 确保在客户端一侧没有DNS leak。  * [[https://dnsleaktest.com/]]
  
-Delegate a public IPv6 prefix to VPN6 network to use IPv6 by default.  * [[https://ipv6-test.com/]]+Delegate a public IPv6 prefix to the IPv6 VPN network to use IPv6 by default.  * [[https://ipv6-test.com/]]
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
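Review bot: The reworded IPv6 sentence is still English on the zh page, directly below the translated DNS leak line; translate it while it is being touched. The "* [[https://ipv6-test.com/]]" item also sits on the same line as the sentence, so check that it renders as a list item rather than inline text.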
Line 201: Line 201:
  
 <code bash> <code bash>
-# Restart the services, then try to reconnect+# Restart services
 service log restart; service openvpn restart; sleep 10 service log restart; service openvpn restart; sleep 10
  
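Review bot: The new comment "Restart services" drops "then try to reconnect", which leaves the sleep 10 on the following line without a stated purpose. Keep the reconnect instruction in the comment so the reader knows to retry the client connection during that pause.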
Line 209: Line 209:
 # Runtime configuration # Runtime configuration
 pgrep -f -a openvpn pgrep -f -a openvpn
-ip addr show; ip route showip rule show; iptables-save +ip address show; ip route show table all 
-ip -6 addr show; ip -6 route show; ip -6 rule show; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
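Review bot: Replacing iptables-save and ip6tables-save with nft list ruleset on the last changed line ties this troubleshooting block to releases that ship nftables, and the edit summary says this is an OpenWrt 22.03 update. State that version requirement in a comment, or keep the iptables commands as an alternative for older releases, so readers on earlier firmware can still dump their firewall rules.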
  • Last modified: 2023/09/09 10:57
  • by vgaetera