OpenWrt VTun Client
OpenWrt VTun Client
参考 https://marquistj13.github.io/MyBlog/2018/12/openwrt-openvpn-client-setup/
# 安装软件包
opkg update
opkg install openvpn-openssl luci-app-openvpn openssl-util
# 服务自启动
/etc/init.d/openvpn enable
# 创建虚拟通道接口
# a new network interface for tun: uci set network.vtun=interface uci set network.vtun.proto='none' #dhcp #none uci set network.vtun.ifname='tun0' uci commit network && service network restart
# 设置防火墙规则
# a new firewall zone (for VPN): uci add firewall zone uci set firewall.@zone[-1].name='vpn' uci set firewall.@zone[-1].input='REJECT' uci set firewall.@zone[-1].output='ACCEPT' uci set firewall.@zone[-1].forward='REJECT' uci set firewall.@zone[-1].masq='1' uci set firewall.@zone[-1].mtu_fix='1' uci add_list firewall.@zone[-1].network='vtun' # enable forwarding from LAN to VPN: uci add firewall forwarding uci set firewall.@forwarding[-1].src='lan' uci set firewall.@forwarding[-1].dest='vpn' uci commit firewall && service firewall restart
# 上传客户端证书和根证书到指定目录
ls -alh /etc/openvpn/ drwxr-xr-x 1 root root 0 Dec 3 13:24 . drwxr-xr-x 1 root root 0 Dec 2 06:46 .. -rw-r--r-- 1 root root 1.2K Dec 2 13:22 ca.crt -rw-r--r-- 1 root root 4.4K Dec 2 13:22 client.crt -rw-r--r-- 1 root root 1.7K Dec 2 13:22 client.key -rw-r--r-- 1 root root 636 Dec 2 13:21 ta.key
# OpenWrt中客户端配置
############################################## # Sample client-side OpenVPN 2.0 uci config # # for connecting to multi-client server. # ############################################## config openvpn vtun_client # Set to 1 to enable this instance: option enabled 1 # Specify that we are a client and that we # will be pulling certain config file directives # from the server. option client 1 # Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. # option dev tap option dev tun # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. # option proto udp option proto tcp # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. # list remote "my_server_2 1194" list remote "10.0.0.228 1194" # Choose a random host from the remote # list for load_balancing. Otherwise # try hosts in the order specified. # option remote_random 1 # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. option resolv_retry infinite # Most clients don't need to bind to # a specific local port number. option nobind 1 # Try to preserve some state across restarts. option persist_key 1 option persist_tun 1 option user nobody # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. # retry on connection failures: # option http_proxy_retry 1 # specify http proxy address and port: # option http_proxy "192.168.1.100 8080" # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. # option mute_replay_warnings 1 # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. option ca /etc/openvpn/ca.crt option cert /etc/openvpn/client.crt option key /etc/openvpn/client.key # Verify server certificate by checking # that the certicate has the nsCertType # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the nsCertType # field set to "server". The build_key_server # script in the easy_rsa folder will do this. option remote_cert_tls 'server' # option ns_cert_type server # If a tls_auth key is used on the server # then every client must also have the key. option tls_auth "/etc/openvpn/ta.key 1" # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. option cipher AES-256-CBC #option ncp-ciphers AES-256-GCM # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. # LZ4 requires OpenVPN 2.4+ on server and client # option compress lz4 # LZO is compatible with most OpenVPN versions option compress lzo # Set log file verbosity. option verb 3 # Silence repeating messages # option mute 20
# 去掉注释后的内容
config openvpn 'vtun_client' option enabled '1' option client '1' option dev 'tun' option proto 'tcp' list remote '10.0.0.228 1194' option resolv_retry 'infinite' option nobind '1' option persist_key '1' option persist_tun '1' option user 'nobody' option ca '/etc/openvpn/ca.crt' option cert '/etc/openvpn/client.crt' option key '/etc/openvpn/client.key' option remote_cert_tls 'server' option tls_auth "/etc/openvpn/ta.key 1" option cipher 'AES-256-CBC' option compress 'lzo' option verb '3'
# 查看进程运行时的输出日志
service openvpn restart ps | grep [o]penvpn; echo && logread -e openvpn
# 输出的日志内容
6857 root 1208 S sh -c /etc/init.d/openvpn start vtun_client
6858 root 1324 R {openvpn} /bin/sh /etc/rc.common /etc/init.d/openvpn start vtun_client
17134 root 3428 S /usr/sbin/openvpn --syslog openvpn(vtun_client) --status /var/run/openvpn.vtun_client.status --cd /var/etc --config openvpn-vtun_client.conf
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: OpenVPN 2.4.0 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.0.228:1194
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: Attempting to establish TCP connection with [AF_INET]10.0.0.228:1194 [nonblock]
Tue Dec 8 05:13:31 2020 daemon.notice openvpn(vtun_client)[17134]: TCP connection established with [AF_INET]10.0.0.228:1194
Tue Dec 8 05:13:31 2020 daemon.notice openvpn(vtun_client)[17134]: TCP_CLIENT link local: (not bound)
Tue Dec 8 05:13:31 2020 daemon.notice openvpn(vtun_client)[17134]: TCP_CLIENT link remote: [AF_INET]10.0.0.228:1194
Tue Dec 8 05:13:31 2020 daemon.notice openvpn(vtun_client)[17134]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Dec 8 05:13:32 2020 daemon.notice openvpn(vtun_client)[17134]: TLS: Initial packet from [AF_INET]10.0.0.228:1194, sid=5253fc94 4bdcef8c
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: VERIFY OK: depth=1, CN=openvpn-ditel
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: Validating certificate key usage
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: ++ Certificate has key usage 00a0, expects 00a0
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: VERIFY KU OK
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: Validating certificate extended key usage
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: VERIFY EKU OK
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: VERIFY OK: depth=0, CN=openvpn-server1
============= End
