Differences
This shows you the differences between two versions of the page.
| zh:docs:guide-user:services:vpn:openvpn:server [2022/05/27 03:09] – [故障排除] yodo | zh:docs:guide-user:services:vpn:openvpn:server [2022/05/27 05:36] – [OpenVPN 服务器] yodo | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| ====== OpenVPN 服务器 ====== | ====== OpenVPN 服务器 ====== | ||
| - | {{section> | + | {{section> |
| ===== 简介 ===== | ===== 简介 ===== | ||
| Line 9: | Line 9: | ||
| ===== 目标 ===== | ===== 目标 ===== | ||
| - | {{section> | + | {{section> |
| ===== 实现过程(命令、配置) ===== | ===== 实现过程(命令、配置) ===== | ||
| + | 以下流程的实操环境为 OpenWrt **21.02**. | ||
| - | The instructions below have been tested with OpenWrt | + | 如果你想在 |
| - | + | 例如:[[https:// | |
| - | If you wish to install | + | |
| - | eg.[[https:// | + | |
| ==== 1. 准备工作 ==== | ==== 1. 准备工作 ==== | ||
| - | Install the required packages. | + | 安装所需软件包。 |
| - | Specify the VPN server configuration parameters. | + | |
| + | 设定VPN服务器配置的一些参数。 | ||
| <code bash> | <code bash> | ||
| - | # Install packages | + | # 安装软件包 |
| opkg update | opkg update | ||
| opkg install openvpn-openssl openvpn-easy-rsa | opkg install openvpn-openssl openvpn-easy-rsa | ||
| - | # Configuration parameters | + | # 配置参数 |
| OVPN_DIR="/ | OVPN_DIR="/ | ||
| OVPN_PKI="/ | OVPN_PKI="/ | ||
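Review bot: punctuation is inconsistent inside this hunk: the new line "以下流程的实操环境为 OpenWrt **21.02**." ends with an ASCII full stop, while the other new sentences in the same hunk ("安装所需软件包。", "设定VPN服务器配置的一些参数。") use the full-width "。". Use "。" throughout so the translated page reads uniformly.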
| Line 35: | Line 35: | ||
| OVPN_DOMAIN=" | OVPN_DOMAIN=" | ||
| - | # Fetch WAN IP address | + | # 获取WAN IP地址作为OVPN_SERV服务器地址 |
| . / | . / | ||
| network_flush_cache | network_flush_cache | ||
| Line 42: | Line 42: | ||
| OVPN_SERV=" | OVPN_SERV=" | ||
| - | # Fetch FQDN from DDNS client | + | # 对于非固定ip(例如PPPoE拨号上网)建议通过DDNS将动态IP地址映射到固定的域名 |
| + | # 如果在openwrt部署DDNS,从DDNS获取FQDN,作为OVPN_SERV服务器地址 | ||
| + | # 如果DDNS未部署在openwrt上,需自行设定OVPN_SERV | ||
| NET_FQDN=" | NET_FQDN=" | ||
| if [ -n " | if [ -n " | ||
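Review bot: the added comment "如果DDNS未部署在openwrt上,需自行设定OVPN_SERV" tells the reader to set OVPN_SERV by hand but not where. A value assigned before the `if [ -n "…" ] … fi` block that follows risks being replaced by whatever that block assigns, so the comment should say that the manual assignment belongs after `fi`. Also, write "OpenWrt" rather than "openwrt" in these two comment lines, matching the spelling used earlier in the page.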
| Line 48: | Line 50: | ||
| fi | fi | ||
| </ | </ | ||
| - | |||
| ==== 2. 证书体系建立 ==== | ==== 2. 证书体系建立 ==== | ||
| - | Use [[https:// | + | 使用 |
| - | Utilize private key password protection if necessary. | + | 如有必要,可使用私钥密码保护。 |
| <code bash> | <code bash> | ||
| - | # Configuration parameters | + | # 配置参数 |
| export EASYRSA_PKI=" | export EASYRSA_PKI=" | ||
| export EASYRSA_REQ_CN=" | export EASYRSA_REQ_CN=" | ||
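Review bot: the new sentence "如有必要,可使用私钥密码保护。" should tell the reader how to do it, since every easyrsa command in the following section passes `nopass`; one clause such as "omit `nopass` from the relevant easyrsa command" would do. The sentence also uses an ASCII comma where the rest of the translation uses "，".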
| Line 60: | Line 61: | ||
| export EASYRSA_CERT_EXPIRE=" | export EASYRSA_CERT_EXPIRE=" | ||
| - | # Remove and re-initialize | + | # 清空,并初始化 |
| easyrsa init-pki | easyrsa init-pki | ||
| - | # Generate | + | # 生成 |
| easyrsa gen-dh | easyrsa gen-dh | ||
| - | # Create a new CA | + | # 新建 |
| easyrsa build-ca nopass | easyrsa build-ca nopass | ||
| - | # Generate server keys and certificate | + | # 生成服务器秘钥和证书 |
| easyrsa build-server-full server nopass | easyrsa build-server-full server nopass | ||
| openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/ | openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/ | ||
| - | # Generate client keys and certificate | + | # 生成客户端秘钥和证书 |
| easyrsa build-client-full client nopass | easyrsa build-client-full client nopass | ||
| openvpn --tls-crypt-v2 ${EASYRSA_PKI}/ | openvpn --tls-crypt-v2 ${EASYRSA_PKI}/ | ||
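Review bot: the two new comments "# 生成服务器秘钥和证书" and "# 生成客户端秘钥和证书" misspell 密钥 as 秘钥; the correct term for a key in this context is 密钥. The comment "# 清空,并初始化" on `easyrsa init-pki` should also keep the original's warning sense, i.e. state explicitly that any existing PKI under EASYRSA_PKI is removed before re-initialization, since the original English read "Remove and re-initialize".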
| Line 80: | Line 81: | ||
| ==== 3. 防火墙设置 ==== | ==== 3. 防火墙设置 ==== | ||
| - | Consider | + | 将 VPN 网络视为私有网络。 |
| - | Assign | + | 将 VPN 接口 tun+ 分配给防火墙 |
| - | Allow access to VPN server from WAN zone. | + | 允许从 WAN 区域访问 |
| <code bash> | <code bash> | ||
| - | # Configure firewall | + | # 配置防火墙 |
| uci rename firewall.@zone[0]=" | uci rename firewall.@zone[0]=" | ||
| uci rename firewall.@zone[1]=" | uci rename firewall.@zone[1]=" | ||
| Line 102: | Line 102: | ||
| ==== 4. VPN 服务设置 ==== | ==== 4. VPN 服务设置 ==== | ||
| - | Configure | + | 配置VPN服务,生成客户端文件。 |
| <code bash> | <code bash> | ||
| - | # Configure | + | # 配置VPN服务,生成客户端文件 |
| umask go= | umask go= | ||
| OVPN_DH=" | OVPN_DH=" | ||
| Line 173: | Line 173: | ||
| </ | </ | ||
| - | Perform OpenWrt | + | 通过openwrt luci后台的备份下载包含配置文件的压缩包 |
| - | Extract client profiles from the archive and import them to your clients. | + | 解压提取客户端配置文件,导入客户端。 |
| - | For an additional | + | 在完成以上操作后,如需生成更多客户端配置文件 |
| - | - Run this [[docs: | + | - 通过运行此 |
| - | - Now make a script consisting of the "Configuration parameters" | + | - 需要修改脚本,确保脚本内有:上文第1条的"配置参数"部分,上文第4条的全部,方可运行脚本. |
| + | - 注意:新生成的ovpn配置文件的 | ||
| ===== 测试 ===== | ===== 测试 ===== | ||
| - | {{section> | + | {{section> |
| ===== 故障排除 ===== | ===== 故障排除 ===== | ||
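Review bot: in the new list after the profile-generation section, "通过openwrt luci后台的备份下载包含配置文件的压缩包" should use the project names as written elsewhere on the page, "OpenWrt" and "LuCI", and the item "需要修改脚本,确保脚本内有:上文第1条的"配置参数"部分,上文第4条的全部,方可运行脚本." mixes ASCII ",", ":" and "." with the full-width punctuation used in neighbouring sentences; normalize to "，", "：" and "。". The last added item "注意:新生成的ovpn配置文件的" is cut off in this diff view, so its point cannot be checked here.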