OpenWrt VTun Client
OpenWrt VTun Client
参考 https://marquistj13.github.io/MyBlog/2018/12/openwrt-openvpn-client-setup/
# 安装软件包
# Refresh the package lists, then install the OpenSSL build of OpenVPN,
# its LuCI page, and the openssl CLI (useful for inspecting the certs/keys).
opkg update
opkg install openvpn-openssl luci-app-openvpn openssl-util
# 服务自启动
# Enable the openvpn init script at boot so the instance configured below
# (vtun_client) is started automatically.
/etc/init.d/openvpn enable
# 创建虚拟通道接口
# a new network interface for tun:
# proto 'none' means netifd does not configure an address on tun0; OpenVPN
# presumably sets it up itself (the client config pulls directives from the
# server). The interface mainly exists so the firewall zone can reference it
# by the name 'vtun'.
uci set network.vtun=interface
uci set network.vtun.proto='none'   # alternatives: dhcp / none
uci set network.vtun.ifname='tun0'
# commit and restart networking so netifd (and the firewall) know the interface
uci commit network && service network restart
# 设置防火墙规则
# a new firewall zone (for VPN):
# '@zone[-1]' addresses the section just created by 'uci add', so the order of
# these commands matters.
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
# input REJECT: nothing arriving from the tunnel may reach the router itself
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
# forward REJECT: no traffic crosses out of this zone unless a forwarding
# rule allows it; together with the lan->vpn rule below the tunnel side
# cannot initiate connections into the LAN
uci set firewall.@zone[-1].forward='REJECT'
# masq: LAN clients are NATed behind the tunnel address
uci set firewall.@zone[-1].masq='1'
# mtu_fix: clamp TCP MSS to the tunnel MTU
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='vtun'
# enable forwarding from LAN to VPN (one direction only):
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'
uci commit firewall && service firewall restart
# 上传客户端证书和根证书到指定目录
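# List the uploaded PKI material. Output as observed on the router:
ls -alh /etc/openvpn/
# drwxr-xr-x 1 root root    0 Dec 3 13:24 .
# drwxr-xr-x 1 root root    0 Dec 2 06:46 ..
# -rw-r--r-- 1 root root 1.2K Dec 2 13:22 ca.crt
# -rw-r--r-- 1 root root 4.4K Dec 2 13:22 client.crt
# -rw-r--r-- 1 root root 1.7K Dec 2 13:22 client.key
# -rw-r--r-- 1 root root  636 Dec 2 13:21 ta.key
#
# client.key (the client's private key) and ta.key (the shared tls-auth HMAC
# key) are world-readable (0644) in that listing. The daemon is started as root
# and the log later shows the UID/GID downgrade to 'nobody' is delayed, and
# persist_key is set, so the keys should still be usable when restricted to
# root only — confirm with a restart and logread after changing them.
chmod 600 /etc/openvpn/client.key /etc/openvpn/ta.key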
# OpenWrt中客户端配置
##############################################
# Sample client-side OpenVPN 2.0 uci config  #
# for connecting to multi-client server.     #
##############################################
config openvpn vtun_client
	# Set to 1 to enable this instance:
	option enabled 1
	# Specify that we are a client and that we
	# will be pulling certain config file directives
	# from the server.
	option client 1
	# Use the same setting as you are using on
	# the server.
	# On most systems, the VPN will not function
	# unless you partially or fully disable
	# the firewall for the TUN/TAP interface
	# (handled here by the 'vpn' firewall zone
	# created above).
	# option dev tap
	option dev tun
	# Are we connecting to a TCP or
	# UDP server? Use the same setting as
	# on the server.
	# option proto udp
	option proto tcp
	# The hostname/IP and port of the server.
	# You can have multiple remote entries
	# to load balance between the servers.
	# list remote "my_server_2 1194"
	list remote "10.0.0.228 1194"
	# Choose a random host from the remote
	# list for load_balancing. Otherwise
	# try hosts in the order specified.
	# option remote_random 1
	# Keep trying indefinitely to resolve the
	# host name of the OpenVPN server. Very useful
	# on machines which are not permanently connected
	# to the internet such as laptops.
	option resolv_retry infinite
	# Most clients don't need to bind to
	# a specific local port number.
	option nobind 1
	# Try to preserve some state across restarts.
	# persist_key/persist_tun are what let the
	# process keep working after it has dropped
	# to the unprivileged user below.
	option persist_key 1
	option persist_tun 1
	# Drop root privileges once the tunnel is up
	# (the log shows this downgrade is delayed
	# until after --client/--pull have finished).
	option user nobody
	# If you are connecting through an
	# HTTP proxy to reach the actual OpenVPN
	# server, put the proxy server/IP and
	# port number here. See the man page
	# if your proxy server requires
	# authentication.
	# retry on connection failures:
	# option http_proxy_retry 1
	# specify http proxy address and port:
	# option http_proxy "192.168.1.100 8080"
	# Wireless networks often produce a lot
	# of duplicate packets. Set this flag
	# to silence duplicate packet warnings.
	# option mute_replay_warnings 1
	# SSL/TLS parms.
	# See the server config file for more
	# description. It's best to use
	# a separate .crt/.key file pair
	# for each client. A single ca
	# file can be used for all clients.
	# client.key is a private key: keep it
	# readable by root only on disk.
	option ca /etc/openvpn/ca.crt
	option cert /etc/openvpn/client.crt
	option key /etc/openvpn/client.key
	# Verify the server certificate's purpose so
	# another client's certificate (signed by the
	# same CA) cannot impersonate the server. This
	# is an important precaution to protect against
	# the attack discussed here:
	# http://openvpn.net/howto.html#mitm
	#
	# remote_cert_tls 'server' checks the X.509
	# keyUsage / extendedKeyUsage fields (the log
	# below shows "VERIFY KU OK" / "VERIFY EKU OK");
	# the older ns_cert_type option checks the
	# legacy nsCertType field instead. Either way the
	# server certificate must have been issued with
	# the server purpose (easy-rsa's build_key_server
	# script does this).
	option remote_cert_tls 'server'
	# option ns_cert_type server
	# If a tls_auth key is used on the server
	# then every client must also have the key.
	# The trailing 1 is the key direction for the
	# client side; the server uses 0.
	option tls_auth "/etc/openvpn/ta.key 1"
	# Control-channel HMAC defaults to SHA1 (see
	# logread output); 'option auth SHA256' would
	# upgrade it but must match the server.
	# Select a cryptographic cipher.
	# If the cipher option is used on the server
	# then you must also specify it here.
	# AES-256-CBC is a non-AEAD cipher. This build
	# logs [AEAD] support, so negotiating
	# AES-256-GCM via ncp-ciphers is possible if the
	# server allows it — verify against the server.
	option cipher AES-256-CBC
	#option ncp-ciphers AES-256-GCM
	# Enable compression on the VPN link.
	# Don't enable this unless it is also
	# enabled in the server config file.
	# Note: compressing data before encryption lets
	# an observer infer plaintext from packet sizes
	# (compression-oracle class attacks); prefer
	# disabling it on both ends when the server permits.
	# LZ4 requires OpenVPN 2.4+ on server and client
	# option compress lz4
	# LZO is compatible with most OpenVPN versions
	option compress lzo
	# Set log file verbosity.
	option verb 3
	# Silence repeating messages
	# option mute 20
# 去掉注释后的内容
# Same instance as above with the sample comments stripped.
config openvpn 'vtun_client'
	option enabled '1'
	# client: pull routes/options pushed by the server
	option client '1'
	option dev 'tun'
	option proto 'tcp'
	list remote '10.0.0.228 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	# persist_key/persist_tun keep state so restarts work after the privilege drop
	option persist_key '1'
	option persist_tun '1'
	# run as an unprivileged user once the tunnel is up
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	# private key: keep it root-only on disk
	option key '/etc/openvpn/client.key'
	# reject a peer whose certificate lacks the server KU/EKU purpose
	# (prevents another client cert from posing as the server)
	option remote_cert_tls 'server'
	# HMAC on the control channel; '1' is the client key direction
	option tls_auth "/etc/openvpn/ta.key 1"
	# non-AEAD cipher; must match the server
	option cipher 'AES-256-CBC'
	# only because the server uses it; compression over an encrypted link
	# leaks plaintext information (compression-oracle attacks)
	option compress 'lzo'
	option verb '3'
# 查看进程运行时的输出日志
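# Restart the instance, then confirm the daemon is running and show its
# syslog lines.
service openvpn restart
# '[o]penvpn' matches "openvpn" without matching grep's own command line.
# It is quoted so the shell does not expand it as a glob against a file
# named 'openvpn' in the current directory (which would silently turn the
# pattern into plain 'openvpn' and re-include the grep process).
ps | grep '[o]penvpn'
echo
# logread -e filters the syslog ring buffer by regex; the instance logs via --syslog.
logread -e openvpn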
# 输出的日志内容
6857 root 1208 S sh -c /etc/init.d/openvpn start vtun_client
6858 root 1324 R {openvpn} /bin/sh /etc/rc.common /etc/init.d/openvpn start vtun_client
17134 root 3428 S /usr/sbin/openvpn --syslog openvpn(vtun_client) --status /var/run/openvpn.vtun_client.status --cd /var/etc --config openvpn-vtun_client.conf

Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: OpenVPN 2.4.0 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.0.228:1194
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Tue Dec 8 05:13:30 2020 daemon.notice openvpn(vtun_client)[17134]: Attempting to establish TCP connection with [AF_INET]10.0.0.228:1194 [nonblock]
Tue Dec 8 05:13:31 2020 daemon.notice openvpn(vtun_client)[17134]: TCP connection established with [AF_INET]10.0.0.228:1194
Tue Dec 8 05:13:31 2020 daemon.notice openvpn(vtun_client)[17134]: TCP_CLIENT link local: (not bound)
Tue Dec 8 05:13:31 2020 daemon.notice openvpn(vtun_client)[17134]: TCP_CLIENT link remote: [AF_INET]10.0.0.228:1194
Tue Dec 8 05:13:31 2020 daemon.notice openvpn(vtun_client)[17134]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Dec 8 05:13:32 2020 daemon.notice openvpn(vtun_client)[17134]: TLS: Initial packet from [AF_INET]10.0.0.228:1194, sid=5253fc94 4bdcef8c
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: VERIFY OK: depth=1, CN=openvpn-ditel
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: Validating certificate key usage
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: ++ Certificate has key usage 00a0, expects 00a0
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: VERIFY KU OK
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: Validating certificate extended key usage
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: VERIFY EKU OK
Tue Dec 8 05:13:35 2020 daemon.notice openvpn(vtun_client)[17134]: VERIFY OK: depth=0, CN=openvpn-server1
============= End