Differences

This shows you the differences between two versions of the page.

zh:docs:guide-user:services:vpn:openvpn:server [2022/05/26 13:27] – created yodo
zh:docs:guide-user:services:vpn:openvpn:server [2022/05/27 05:36] – [OpenVPN 服务器] yodo
Line 2: Line 2:
  
 ====== OpenVPN 服务器 ====== ====== OpenVPN 服务器 ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>zh:meta:infobox:howto_links#CLI命令技能&noheader&nofooter&noeditbutton}}
  
 ===== 简介 ===== ===== 简介 =====
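Review bot: the infobox include now targets `zh:meta:infobox:howto_links#CLI命令技能`, which only resolves if the zh infobox page has a heading with exactly that text; the include plugin matches the section by heading, so verify the heading on the target page (the English page used `#cli_skills`) or the box renders empty.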
Line 9: Line 9:
  
 ===== 目标 ===== ===== 目标 =====
-{{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}+{{section>zh:docs:guide-user:services:vpn:wireguard:server#目标&noheader&nofooter&noeditbutton}}
  
 ===== 实现过程(命令、配置) ===== ===== 实现过程(命令、配置) =====
 +以下流程的实操环境为 OpenWrt **21.02**.
  
-The instructions below have been tested with OpenWrt **21.02**+如果你想在 **更早版本的OpenWrt** 上搭建OpenVPN服务器,为避免tls-crypt错误,请参照之前版本说明。 
- +例如:[[https://forum.openwrt.org/t/problem-setting-up-openvpn-server/109953/5|forum post]]
-If you wish to install OpenVPN server on a **previous version of OpenWrt**, please refer to an older revision of this article, to avoid tls-crypt generation errors. +
-eg.[[https://forum.openwrt.org/t/problem-setting-up-openvpn-server/109953/5|forum post]]+
 ==== 1. 准备工作 ==== ==== 1. 准备工作 ====
-Install the required packages. +安装所需软件包。 
-Specify the VPN server configuration parameters.+ 
 +设定VPN服务器配置的一些参数。
  
 <code bash> <code bash>
-Install packages+安装软件包
 opkg update opkg update
 opkg install openvpn-openssl openvpn-easy-rsa opkg install openvpn-openssl openvpn-easy-rsa
  
-Configuration parameters  # OVPN_POOL config any network are OK except your local network+配置参数  # OVPN_POOL 除了本地网段意外,可以是任何网段。
 OVPN_DIR="/etc/openvpn" OVPN_DIR="/etc/openvpn"
 OVPN_PKI="/etc/easy-rsa/pki" OVPN_PKI="/etc/easy-rsa/pki"
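Review bot: in the OVPN_POOL comment, `除了本地网段意外` should read `除了本地网段以外` (意外 means "accident"). That line and the `安装软件包` / `配置参数` lines are shell comments inside the code block, yet none of them shows a leading `#` in this view; confirm the stored text keeps `# ` in front of each, otherwise the block fails when pasted. Also, `请参照之前版本说明` drops the reference to this article's own history that "an older revision of this article" carried; `请参照本文的旧版本` keeps it.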
Line 35: Line 35:
 OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)" OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
  
-Fetch WAN IP address+获取WAN IP地址作为OVPN_SERV服务器地址
 . /lib/functions/network.sh . /lib/functions/network.sh
 network_flush_cache network_flush_cache
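Review bot: the comment `获取WAN IP地址作为OVPN_SERV服务器地址` presents the WAN address as the final value, but the DDNS lines in the next hunk overwrite OVPN_SERV whenever a lookup host is configured; wording it as the default (`默认以WAN IP作为OVPN_SERV`) avoids the reader thinking the later assignment is a mistake.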
Line 42: Line 42:
 OVPN_SERV="${NET_ADDR}" OVPN_SERV="${NET_ADDR}"
  
-Fetch FQDN from DDNS client+对于非固定ip(例如PPPoE拨号上网)建议通过DDNS将动态IP地址映射到固定的域名 
 +# 如果在openwrt部署DDNS,从DDNS获取FQDN,作为OVPN_SERV服务器地址 
 +# 如果DDNS未部署在openwrt上,需自行设定OVPN_SERV
 NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)" NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
 if [ -n "${NET_FQDN}" ] if [ -n "${NET_FQDN}" ]
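Review bot: the first added line `对于非固定ip(例如PPPoE拨号上网)建议通过DDNS...` shows no `#` while the two lines after it do; all three are comments and the script aborts on the first one if it is not prefixed. The second comment says OVPN_SERV must be set by hand when DDNS does not run on OpenWrt but gives no place to do it: the `if [ -n "${NET_FQDN}" ]` branch assigns only when a lookup host exists, so state that the manual value goes after the `fi` (or replaces the WAN-IP default above).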
Line 48: Line 50:
 fi fi
 </code> </code>
- 
 ==== 2. 证书体系建立 ==== ==== 2. 证书体系建立 ====
-Use [[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]] to manage the PKI. +使用 [[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]] 管理 PKI 体系
-Utilize private key password protection if necessary.+如有必要,可使用私钥密码保护。
  
 <code bash> <code bash>
-Configuration parameters+配置参数
 export EASYRSA_PKI="${OVPN_PKI}" export EASYRSA_PKI="${OVPN_PKI}"
 export EASYRSA_REQ_CN="ovpnca" export EASYRSA_REQ_CN="ovpnca"
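Review bot: `使用 [[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]] 管理 PKI 体系` drops the sentence-ending punctuation the source had while the next line ends with a full-width `。`; end both lines with `。` for consistency.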
Line 60: Line 61:
 export EASYRSA_CERT_EXPIRE="3650" # Increases the client cert expiry from the default of 825 days to match the CA expiry export EASYRSA_CERT_EXPIRE="3650" # Increases the client cert expiry from the default of 825 days to match the CA expiry
  
-Remove and re-initialize PKI directory+清空,并初始化 PKI 目录
 easyrsa init-pki easyrsa init-pki
  
-Generate DH parameters+生成 DH 参数
 easyrsa gen-dh easyrsa gen-dh
  
-Create a new CA+新建 CA
 easyrsa build-ca nopass easyrsa build-ca nopass
  
-Generate server keys and certificate+生成服务器秘钥和证书
 easyrsa build-server-full server nopass easyrsa build-server-full server nopass
 openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem
  
-Generate client keys and certificate+生成客户端秘钥和证书
 easyrsa build-client-full client nopass easyrsa build-client-full client nopass
 openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \ openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \
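Review bot: `秘钥` in `生成服务器秘钥和证书` and `生成客户端秘钥和证书` is a misspelling of `密钥` (key); fix both. The `EASYRSA_CERT_EXPIRE` comment (`# Increases the client cert expiry from the default of 825 days to match the CA expiry`) is still English in the translated revision; translate it like the other comments in this block, e.g. `# 将客户端证书有效期从默认的825天延长至与CA证书一致`.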
Line 80: Line 81:
  
 ==== 3. 防火墙设置 ==== ==== 3. 防火墙设置 ====
-Consider VPN network as private. +将 VPN 网络视为私有网络。 
-Assign VPN interface to LAN zone to minimize firewall setup. +将 VPN 接口 tun+ 分配给防火墙 LAN 区域的涵盖设备,以最小化防火墙设置。 
-Allow access to VPN server from WAN zone. +允许从 WAN 区域访问 VPN 服务器。
 <code bash> <code bash>
-Configure firewall+配置防火墙
 uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[0]="lan"
 uci rename firewall.@zone[1]="wan" uci rename firewall.@zone[1]="wan"
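Review bot: `将 VPN 接口 tun+ 分配给防火墙 LAN 区域的涵盖设备` names the device pattern `tun+` and adds `涵盖设备`, neither of which the source sentence had; keep `tun+` only if the firewall commands later in this block (outside this hunk) use it as the zone device, and prefer the plainer `将 VPN 接口(tun+)加入防火墙 LAN 区域的设备列表`. `以最小化防火墙设置` is a literal rendering; `以尽量减少防火墙配置` reads naturally.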
Line 102: Line 102:
  
 ==== 4. VPN 服务设置 ==== ==== 4. VPN 服务设置 ====
-Configure VPN service and generate client profiles.+配置VPN服务,生成客户端文件。
  
 <code bash> <code bash>
-Configure VPN service and generate client profiles+配置VPN服务,生成客户端文件
 umask go= umask go=
 OVPN_DH="$(cat ${OVPN_PKI}/dh.pem)" OVPN_DH="$(cat ${OVPN_PKI}/dh.pem)"
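Review bot: `生成客户端文件` for "generate client profiles" is vague, and the later section uses `客户端配置文件` for the same artifact; use that wording here in both the prose line and the block comment. The block comment `配置VPN服务,生成客户端文件` also appears without a leading `#` in this view; apply the same check as in part 1.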
Line 173: Line 173:
 </code> </code>
  
-Perform OpenWrt [[docs:guide-user:troubleshooting:backup_restore|backup]]. +通过openwrt luci后台的备份下载包含配置文件的压缩包 [[docs:guide-user:troubleshooting:backup_restore|backup]] 
-Extract client profiles from the archive and import them to your clients.+解压提取客户端配置文件,导入客户端。
  
-For an additional .ovpn after completing the above+在完成以上操作后,如需生成更多客户端配置文件 .ovpn : 
-  - Run this [[docs:guide-user:services:vpn:openvpn:extras#multi-client]] script+  - 通过运行此 [[docs:guide-user:services:vpn:openvpn:extras#multi-client]] 脚本快速生成
-  - Now make a script consisting of the "Configuration parametersof Part 1 above and all of Part above and run itNote that the "remote" line may be missing in the new ovpn (use the original as a reference for that).+  - 需要修改脚本,确保脚本内有:上文第1条的"配置参数"部分,上文第4条的全部,方可运行脚本 
 +  - 注意:新生成的ovpn配置文件的 "remote" 这一行可能不正确,请确认指向设置的服务器地址.
 ===== 测试 ===== ===== 测试 =====
-{{section>docs:guide-user:services:vpn:wireguard:server#testing&noheader&nofooter&noeditbutton}}+{{section>zh:docs:guide-user:services:vpn:wireguard:server#测试&noheader&nofooter&noeditbutton}}
  
 ===== 故障排除 ===== ===== 故障排除 =====
-Collect and analyze the following information.+通过以下步骤,获取、分析日志.
  
 <code bash> <code bash>
-Restart services+重启日志、openvpn服务
 /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10 /etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10
  
-Log and status+获取日志和openvpn状态
 logread -e openvpn; netstat -l -n -p | grep -e openvpn logread -e openvpn; netstat -l -n -p | grep -e openvpn
  
-Runtime configuration+各项运行中的配置参数(openvpn运行配置、网络信息、防火墙配置)
 pgrep -f -a openvpn pgrep -f -a openvpn
 ip address show; ip route show table all ip address show; ip route show table all
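Review bot: the three-item list under `在完成以上操作后,如需生成更多客户端配置文件` reads as sequential steps, but the source offered two alternatives: run the multi-client script, or assemble your own script from the part-1 `配置参数` block plus all of part 4. Item 2 `需要修改脚本,确保脚本内有...方可运行脚本` implies the extras script must be edited; reword it as the alternative (`或者:自行编写一个脚本,包含上文第1条的"配置参数"部分和第4条的全部内容,然后运行`). Item 3 changes the source's meaning: "the remote line may be missing" became `可能不正确`; keep "missing" (`新生成的ovpn文件可能缺少 "remote" 这一行,请参照原始文件补上`). The link text `backup` is still English, and the block mixes `。` with half-width `.` and `,`; both need a pass.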
Line 198: Line 199:
 ip -6 rule show; ip6tables-save -c ip -6 rule show; ip6tables-save -c
  
-Persistent configuration+配置文件情况
 uci show network; uci show firewall; uci show openvpn uci show network; uci show firewall; uci show openvpn
 head -v -n -0 /etc/openvpn/*.conf head -v -n -0 /etc/openvpn/*.conf
 </code> </code>
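Review bot: `配置文件情况` for "Persistent configuration" loses the contrast with `各项运行中的配置参数` drawn a few lines above; `持久化配置(配置文件)` keeps the runtime-versus-persistent distinction the source relies on when comparing the two outputs.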
  
Last modified: 2022/10/27 18:35 by vgaetera