Differences

This shows you the differences between two versions of the page.

Old revision: zh:docs:guide-user:services:vpn:openvpn:server [2022/05/27 03:09] – [故障排除] yodo
New revision: zh:docs:guide-user:services:vpn:openvpn:server [2022/05/27 05:36] – [OpenVPN 服务器] yodo
Line 2: Line 2:
  
 ====== OpenVPN 服务器 ====== ====== OpenVPN 服务器 ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>zh:meta:infobox:howto_links#CLI命令技能&noheader&nofooter&noeditbutton}}
  
 ===== 简介 ===== ===== 简介 =====
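Review bot: the include target in the `+` line changes both namespace and anchor, from `meta:infobox:howto_links#cli_skills` to `zh:meta:infobox:howto_links#CLI命令技能`; DokuWiki resolves a section include against the heading text of the target page, so this renders empty if the zh infobox page does not exist yet or its heading is not literally `CLI命令技能`. Confirm the zh page and heading exist (or keep the English include until they do) so the CLI-skills prerequisite box does not silently disappear.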
Line 9: Line 9:
  
 ===== 目标 ===== ===== 目标 =====
-{{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}+{{section>zh:docs:guide-user:services:vpn:wireguard:server#目标&noheader&nofooter&noeditbutton}}
  
 ===== 实现过程(命令、配置) ===== ===== 实现过程(命令、配置) =====
 +以下流程的实操环境为 OpenWrt **21.02**.
  
-The instructions below have been tested with OpenWrt **21.02**+如果你想在 **更早版本的OpenWrt** 上搭建OpenVPN服务器,为避免tls-crypt错误,请参照之前版本说明。 
- +例如:[[https://forum.openwrt.org/t/problem-setting-up-openvpn-server/109953/5|forum post]]
-If you wish to install OpenVPN server on a **previous version of OpenWrt**, please refer to an older revision of this article, to avoid tls-crypt generation errors. +
-eg.[[https://forum.openwrt.org/t/problem-setting-up-openvpn-server/109953/5|forum post]]+
 ==== 1. 准备工作 ==== ==== 1. 准备工作 ====
-Install the required packages. +安装所需软件包。 
-Specify the VPN server configuration parameters.+ 
 +设定VPN服务器配置的一些参数。
  
 <code bash> <code bash>
-Install packages+安装软件包
 opkg update opkg update
 opkg install openvpn-openssl openvpn-easy-rsa opkg install openvpn-openssl openvpn-easy-rsa
  
-Configuration parameters  # OVPN_POOL config any network are OK except your local network+配置参数  # OVPN_POOL 除了本地网段意外,可以是任何网段。
 OVPN_DIR="/etc/openvpn" OVPN_DIR="/etc/openvpn"
 OVPN_PKI="/etc/easy-rsa/pki" OVPN_PKI="/etc/easy-rsa/pki"
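Review bot: the OVPN_POOL comment in the `+` line `配置参数  # OVPN_POOL 除了本地网段意外,可以是任何网段。` has a typo (`意外` should be `以外`) and states the constraint too weakly: the pool must not overlap the router's LAN subnet or any subnet the remote clients sit on, otherwise routes collide and traffic is misdirected without any error. Suggest `除了本地网段以及客户端所在网段以外,可以是任何私有网段`. The moved version note (`以下流程的实操环境为 OpenWrt **21.02**.`) and the earlier-version warning about tls-crypt read fine; the link text `forum post` is left in English and could be translated for consistency with the rest of the paragraph.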
Line 35: Line 35:
 OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)" OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
  
-Fetch WAN IP address+获取WAN IP地址作为OVPN_SERV服务器地址
 . /lib/functions/network.sh . /lib/functions/network.sh
 network_flush_cache network_flush_cache
Line 42: Line 42:
 OVPN_SERV="${NET_ADDR}" OVPN_SERV="${NET_ADDR}"
  
-Fetch FQDN from DDNS client+对于非固定ip(例如PPPoE拨号上网)建议通过DDNS将动态IP地址映射到固定的域名 
 +# 如果在openwrt部署DDNS,从DDNS获取FQDN,作为OVPN_SERV服务器地址 
 +# 如果DDNS未部署在openwrt上,需自行设定OVPN_SERV
 NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)" NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
 if [ -n "${NET_FQDN}" ] if [ -n "${NET_FQDN}" ]
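Review bot: the expanded DDNS comment (`# 如果DDNS未部署在openwrt上,需自行设定OVPN_SERV`) is a useful addition but should say why it matters: `OVPN_SERV` is the address written into the `remote` line of every generated client profile, so a wrong, private or stale value means no client can connect. Also worth adding that `uci -q get ddns.@service[0].lookup_host` reads only the first configured DDNS service; a router with several DDNS entries needs the right index, or `OVPN_SERV` set by hand.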
Line 48: Line 50:
 fi fi
 </code> </code>
- 
 ==== 2. 证书体系建立 ==== ==== 2. 证书体系建立 ====
-Use [[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]] to manage the PKI. +使用 [[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]] 管理 PKI 体系
-Utilize private key password protection if necessary.+如有必要,可使用私钥密码保护。
  
 <code bash> <code bash>
-Configuration parameters+配置参数
 export EASYRSA_PKI="${OVPN_PKI}" export EASYRSA_PKI="${OVPN_PKI}"
 export EASYRSA_REQ_CN="ovpnca" export EASYRSA_REQ_CN="ovpnca"
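Review bot: `如有必要,可使用私钥密码保护。` tells the reader to protect private keys but not where: every command in this step passes `nopass`, so the note should say to drop `nopass` from `easyrsa build-ca` at minimum (the CA key is the one whose compromise lets an attacker mint arbitrary client certificates) and optionally from the client builds. Minor: `使用 [[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]] 管理 PKI 体系` is missing its terminal `。`.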
Line 60: Line 61:
 export EASYRSA_CERT_EXPIRE="3650" # Increases the client cert expiry from the default of 825 days to match the CA expiry export EASYRSA_CERT_EXPIRE="3650" # Increases the client cert expiry from the default of 825 days to match the CA expiry
  
-Remove and re-initialize PKI directory+清空,并初始化 PKI 目录
 easyrsa init-pki easyrsa init-pki
  
-Generate DH parameters+生成 DH 参数
 easyrsa gen-dh easyrsa gen-dh
  
-Create a new CA+新建 CA
 easyrsa build-ca nopass easyrsa build-ca nopass
  
-Generate server keys and certificate+生成服务器秘钥和证书
 easyrsa build-server-full server nopass easyrsa build-server-full server nopass
 openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem
  
-Generate client keys and certificate+生成客户端秘钥和证书
 easyrsa build-client-full client nopass easyrsa build-client-full client nopass
 openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \ openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \
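Review bot: `秘钥` in `生成服务器秘钥和证书` and `生成客户端秘钥和证书` should be `密钥`, the standard term for a cryptographic key. The inline comment on `EASYRSA_CERT_EXPIRE` is still English in an otherwise translated block; translate it for consistency. The `openvpn --genkey tls-crypt-v2-server` and `openvpn --tls-crypt-v2` lines are exactly what the earlier-version warning in step 1 refers to (older OpenVPN builds lack them), so that warning and these commands need to stay in sync if either is edited later.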
Line 80: Line 81:
  
 ==== 3. 防火墙设置 ==== ==== 3. 防火墙设置 ====
-Consider VPN network as private. +将 VPN 网络视为私有网络。 
-Assign VPN interface to LAN zone to minimize firewall setup. +将 VPN 接口 tun+ 分配给防火墙 LAN 区域的涵盖设备,以最小化防火墙设置。 
-Allow access to VPN server from WAN zone. +允许从 WAN 区域访问 VPN 服务器。
 <code bash> <code bash>
-Configure firewall+配置防火墙
 uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[0]="lan"
 uci rename firewall.@zone[1]="wan" uci rename firewall.@zone[1]="wan"
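Review bot: `将 VPN 接口 tun+ 分配给防火墙 LAN 区域的涵盖设备` names `tun+`, which the English line does not; that is fine as long as it matches the device pattern used by the uci commands of this step, so verify it does. Since putting the tunnel device in the lan zone gives every connected VPN client the same privileges as a wired LAN host (access to router services and forwarding to wan), consider saying so explicitly next to `将 VPN 网络视为私有网络。` so readers understand this is a trust decision rather than only a way to keep the firewall configuration short.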
Line 102: Line 102:
  
 ==== 4. VPN 服务设置 ==== ==== 4. VPN 服务设置 ====
-Configure VPN service and generate client profiles.+配置VPN服务,生成客户端文件。
  
 <code bash> <code bash>
-Configure VPN service and generate client profiles+配置VPN服务,生成客户端文件
 umask go= umask go=
 OVPN_DH="$(cat ${OVPN_PKI}/dh.pem)" OVPN_DH="$(cat ${OVPN_PKI}/dh.pem)"
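Review bot: `客户端文件` in `配置VPN服务,生成客户端文件` loses the meaning of `client profiles`; the last hunk of this revision uses `客户端配置文件`, so use that term here too, in both the prose line and the code comment. Because `umask go=` is what keeps the generated `.ovpn` files, which embed each client's private key, readable by root only, a short comment on that line would help readers who copy the commands piecemeal.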
Line 173: Line 173:
 </code> </code>
  
-Perform OpenWrt [[docs:guide-user:troubleshooting:backup_restore|backup]]. +通过openwrt luci后台的备份下载包含配置文件的压缩包 [[docs:guide-user:troubleshooting:backup_restore|backup]] 
-Extract client profiles from the archive and import them to your clients.+解压提取客户端配置文件,导入客户端。
  
-For an additional .ovpn after completing the above+在完成以上操作后,如需生成更多客户端配置文件 .ovpn : 
-  - Run this [[docs:guide-user:services:vpn:openvpn:extras#multi-client]] script+  - 通过运行此 [[docs:guide-user:services:vpn:openvpn:extras#multi-client]] 脚本快速生成
-  - Now make a script consisting of the "Configuration parametersof Part 1 above and all of Part above and run itNote that the "remote" line may be missing in the new ovpn (use the original as a reference for that).+  - 需要修改脚本,确保脚本内有:上文第1条的"配置参数"部分,上文第4条的全部,方可运行脚本 
 +  - 注意:新生成的ovpn配置文件的 "remote" 这一行可能不正确,请确认指向设置的服务器地址.
 ===== 测试 ===== ===== 测试 =====
-{{section>docs:guide-user:services:vpn:wireguard:server#testing&noheader&nofooter&noeditbutton}}+{{section>zh:docs:guide-user:services:vpn:wireguard:server#测试&noheader&nofooter&noeditbutton}}
  
 ===== 故障排除 ===== ===== 故障排除 =====
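Review bot: the last list item changes the meaning of the English: the original says the `remote` line may be missing from the newly generated ovpn, whereas `可能不正确` says it may be wrong; keep `可能缺失` so readers know to add the line rather than just check it. The second item (`需要修改脚本,确保脚本内有...`) also drifts: the English describes writing a new script from the step 1 configuration parameters plus all of step 4, as an alternative to the multi-client script, not modifying that script. Also, `[[docs:guide-user:troubleshooting:backup_restore|backup]]` and the extras link still point at the English `docs:` namespace while the includes in this revision were switched to `zh:`; confirm that is intentional.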
  • Last modified: 2022/10/27 18:35
  • by vgaetera