Using OpenVPN to connect back to the OpenWrt router at home and reach both the home LAN and the internet through it...
Lately I've been thinking about getting a dual-line or "premium network" connection, but when I'm out I can't enjoy it, which would be a waste. So I thought about connecting back to the router at home over OpenVPN to get online, which also lets me reach the devices at home... My upstream bandwidth was just upgraded, so it's a good time to try.
First, install the packages on the WRT1900AC router running OpenWrt:

opkg update
opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn
Then edit /etc/easy-rsa/vars and change the following (the x values are placeholders for your own details):

# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="xx"
export KEY_PROVINCE="xx"
export KEY_CITY="xxxx"
export KEY_ORG="XXxxxx"
export KEY_EMAIL="xxxxxx@gmail.com"
export KEY_OU="XXxxxxxx"

# X509 Subject Field
export KEY_NAME="EasyRSA"

The comment in the file understates it: 1024-bit RSA keys and DH parameters are below what current guidance allows, and later easy-rsa releases default to 2048. If you set KEY_SIZE=2048, build-dh writes dh2048.pem and the dh path used further down changes to match. The rest of this page keeps the 1024 file names as they were generated here.
Next, generate the certificates and the Diffie-Hellman parameters. These are the easy-rsa 2 scripts; if one of them stops with "Please source the vars script first", run ". /etc/easy-rsa/vars" and retry.

Empty the keys directory under /etc/easy-rsa/ by hand, or run clean-all (which wipes the whole directory, CA included, so only do this on a fresh setup).

Build the CA certificate:
build-ca

Generate the DH parameters:
build-dh

Server certificate:
build-key-server server

Client certificate:
build-key coffeecat

The names after the last two commands (server, coffeecat) are yours to choose. The client name becomes the certificate's Common Name, which is how the server's log and status file identify that client.
Copy the server's files into the OpenVPN directory:

cd /etc/easy-rsa/keys/
cp ca.crt dh1024.pem server.key server.crt /etc/openvpn/

The server never needs ca.key; leave it in /etc/easy-rsa/keys (or better, off the router entirely), so that a compromise of the VPN service does not also hand over the ability to issue new client certificates.

Copy these to the client, over a channel you trust, since coffeecat.key is the client's private key:

ca.crt coffeecat.key coffeecat.crt

dh1024.pem is only used by the server and is not needed on the client.
Now the important part, configuring the OpenVPN server and client:

Router (server) side:

Edit /etc/config/openvpn:

Note: 172.24.1.1 is the router's LAN IP, and 172.24.1.100-172.24.1.105 is the pool handed out to VPN clients; it must not overlap the range the router's LAN DHCP server hands out. OpenWrt's default /etc/config/dhcp uses start 100 and limit 150 (that is, .100 through .249), so with the pool shown here you have to move either the DHCP range or the pool.

config openvpn 'cert_verify'
	option port '1194'
	option proto 'tcp'
	option dev 'tap0'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server_bridge '172.24.1.1 255.255.255.0 172.24.1.100 172.24.1.105'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option client_to_client 1
	list push 'redirect-gateway def1 local'
	option keepalive '10 120'
	option comp_lzo 'yes'
	option status '/tmp/openvpn-status.log'
	option verb '3'
	option enabled '1'

A few caveats on this block. The 'local' flag on redirect-gateway is meant for clients that sit on the same subnet as the server: it tells the client not to add a host route for the server's address via its original gateway, and a remote client needs exactly that route once its default route points into the tunnel, so for the roaming use case push 'redirect-gateway def1' without 'local'. Nothing here uses tls-auth, so the port will complete a TLS handshake with anyone who finds it; generating a key with "openvpn --genkey --secret /etc/openvpn/ta.key", adding option tls_auth '/etc/openvpn/ta.key 0' here and "tls-auth ta.key 1" on the client makes the server drop packets that lack the HMAC before any handshake work is done. Finally, recent OpenVPN releases deprecate comp_lzo, because compressing attacker-influenced and secret data together inside the tunnel leaks information; drop it unless you really need the bandwidth on old endpoints.
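To make the checks above repeatable, here is a small audit script. It is an added example and not part of the original post or of OpenWrt: it parses the UCI syntax used by /etc/config/openvpn and /etc/config/dhcp and flags a client pool that overlaps or falls outside the LAN, DH parameters under 2048 bits, a missing tls_auth/tls_crypt key, and 'local' on a pushed redirect-gateway. The config texts embedded in it are constructed to mirror the values on this page and OpenWrt's default DHCP range; FIXED_CFG is one way the block could look with all four findings addressed.

```python
"""Audit an OpenWrt tap-bridge OpenVPN config against the LAN DHCP settings.

Added example (not from the original post): it parses the UCI syntax of
/etc/config/openvpn and /etc/config/dhcp and flags the things that break or
weaken a server_bridge setup. The two config texts are constructed to mirror
the post's values and OpenWrt's default DHCP range (start 100, limit 150).
"""
import ipaddress
import re
import shlex

OPENVPN_CFG = """\
config openvpn 'cert_verify'
        option port '1194'
        option proto 'tcp'
        option dev 'tap0'
        option dh '/etc/openvpn/dh1024.pem'
        option server_bridge '172.24.1.1 255.255.255.0 172.24.1.100 172.24.1.105'
        list push 'redirect-gateway def1 local'
        option enabled '1'
"""

# Same server with the findings addressed: pool moved below the DHCP
# range, 2048-bit DH, a tls-auth key, and no 'local' on redirect-gateway.
FIXED_CFG = """\
config openvpn 'cert_verify'
        option port '1194'
        option proto 'tcp'
        option dev 'tap0'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/ta.key 0'
        option server_bridge '172.24.1.1 255.255.255.0 172.24.1.10 172.24.1.15'
        list push 'redirect-gateway def1'
        option enabled '1'
"""

# OpenWrt default /etc/config/dhcp lan section: leases .100 through .249
DHCP_CFG = """\
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
"""

MIN_DH_BITS = 2048


def parse_uci(text):
    """Return {section_name: {key: value or [values], '_type': type}} for a UCI file."""
    sections, cur = {}, None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        kind, rest = parts[0], parts[1:]
        if kind == "config":
            # 'config <type> [<name>]'; anonymous sections get a synthetic name
            name = rest[1] if len(rest) > 1 else "@%s[%d]" % (rest[0], len(sections))
            cur = sections.setdefault(name, {"_type": rest[0]})
        elif kind == "option" and cur is not None:
            cur[rest[0]] = rest[1] if len(rest) > 1 else ""
        elif kind == "list" and cur is not None:
            cur.setdefault(rest[0], []).append(rest[1] if len(rest) > 1 else "")
    return sections


def check_bridge(vpn, dhcp):
    """Findings for one server_bridge section against one dhcp section."""
    findings = []
    gw, mask, first, last = vpn["server_bridge"].split()
    lan = ipaddress.ip_network("%s/%s" % (gw, mask), strict=False)
    pool_lo, pool_hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    # dnsmasq on OpenWrt leases <network>+start for <limit> consecutive addresses
    dhcp_lo = int(lan.network_address) + int(dhcp.get("start", 100))
    dhcp_hi = dhcp_lo + int(dhcp.get("limit", 150)) - 1
    lo, hi = max(pool_lo, dhcp_lo), min(pool_hi, dhcp_hi)
    if lo <= hi:
        findings.append("client pool overlaps the LAN DHCP range at %s-%s"
                        % (ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    if not (ipaddress.ip_address(first) in lan and ipaddress.ip_address(last) in lan):
        findings.append("client pool lies outside the LAN subnet %s" % lan)
    m = re.search(r"dh(\d+)\.pem$", vpn.get("dh", ""))
    if m and int(m.group(1)) < MIN_DH_BITS:
        findings.append("DH parameters are only %s bits; regenerate with KEY_SIZE=%d"
                        % (m.group(1), MIN_DH_BITS))
    if "tls_auth" not in vpn and "tls_crypt" not in vpn:
        findings.append("no tls_auth/tls_crypt key: the port completes TLS handshakes with anyone")
    for pushed in vpn.get("push", []):
        if pushed.startswith("redirect-gateway") and "local" in pushed.split():
            findings.append("'redirect-gateway ... local' omits the host route to the server; "
                            "drop 'local' for clients that are not on the home LAN")
    return findings


def audit(openvpn_text, dhcp_text, lan_section="lan"):
    """Run check_bridge on every enabled server_bridge instance in the config."""
    dhcp = parse_uci(dhcp_text)[lan_section]
    findings = []
    for name, sec in parse_uci(openvpn_text).items():
        if sec["_type"] == "openvpn" and sec.get("enabled") == "1" and "server_bridge" in sec:
            findings += ["%s: %s" % (name, f) for f in check_bridge(sec, dhcp)]
    return findings


if __name__ == "__main__":
    for cfg in (OPENVPN_CFG, FIXED_CFG):
        print("\n".join(audit(cfg, DHCP_CFG) or ["no findings"]))
```

On the router you would feed it the real files, for example with audit(open('/etc/config/openvpn').read(), open('/etc/config/dhcp').read()); the DHCP arithmetic follows OpenWrt's dnsmasq convention, where start is an offset from the LAN network address and limit is the number of leases.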
Then start OpenVPN from LuCI or from the command line (and run /etc/init.d/openvpn enable so it comes back after a reboot):

/etc/init.d/openvpn start

If ps shows an openvpn process, it is up.
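A running process only tells you the daemon started; the status file named in the config tells you who is actually connected. The following is an added example, not code from the original post or from OpenVPN: it parses the default version-1 layout of the status file that option status makes the server rewrite about once a minute, and reports a client connecting from a source network you did not expect, or a client whose tap adapter is sourcing frames for more than one MAC address (meaning something behind it is being bridged into your LAN). The log text and the allowed source network are constructed for the example.

```python
"""Summarise an OpenVPN status file for a tap-bridge server.

Added example (not from the original post). With option status set, the
server rewrites /tmp/openvpn-status.log in the default version-1 layout.
parse_status() reads that layout and review() flags two things worth a look
on a home bridge: a client connecting from an unexpected source network, and
a client sourcing frames for more than one MAC address. The log text and the
allowed network are constructed.
"""
import ipaddress

STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Sat Aug  8 22:10:04 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
coffeecat,203.0.113.77:51022,184220,2039114,Sat Aug  8 21:40:13 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
08:00:27:4e:66:a1,coffeecat,203.0.113.77:51022,Sat Aug  8 22:10:01 2015
08:00:27:9b:12:33,coffeecat,203.0.113.77:51022,Sat Aug  8 22:09:58 2015
GLOBAL STATS
Max bcast/mcast queue length,1
END
"""

SECTIONS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS")


def parse_status(text):
    """Return {common_name: {...}} from a version-1 status file."""
    clients, section = {}, None
    for line in text.splitlines():
        if line in SECTIONS:
            section = line
            continue
        if not line or line == "END":
            continue
        fields = line.split(",")
        if section == "OpenVPN CLIENT LIST":
            if fields[0] in ("Updated", "Common Name"):
                continue  # timestamp line and column header
            cn, real, rx, tx, since = fields
            clients[cn] = {"real_address": real, "bytes_received": int(rx),
                           "bytes_sent": int(tx), "connected_since": since, "macs": []}
        elif section == "ROUTING TABLE":
            if fields[0] == "Virtual Address":
                continue
            vaddr, cn, real, _last = fields
            # in tap mode the virtual address is the MAC the server learned
            clients.setdefault(cn, {"real_address": real, "macs": []})["macs"].append(vaddr)
    return clients


def source_ip(real_address):
    """Strip the port from 'a.b.c.d:port' or '[v6addr]:port'."""
    host = real_address.rsplit(":", 1)[0]
    return ipaddress.ip_address(host.strip("[]"))


def review(text, allowed_sources):
    """Findings for clients outside allowed_sources or bridging several MACs."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for cn, c in parse_status(text).items():
        ip = source_ip(c["real_address"])
        if not any(ip in n for n in nets):
            findings.append("%s: connected from %s, outside the expected source networks" % (cn, ip))
        if len(c["macs"]) > 1:
            findings.append("%s: %d MAC addresses behind one tunnel (%s)"
                            % (cn, len(c["macs"]), ", ".join(c["macs"])))
    return findings


if __name__ == "__main__":
    for cn, c in parse_status(STATUS_LOG).items():
        print(cn, c["real_address"], c["bytes_received"], c["bytes_sent"], c["macs"])
    print("\n".join(review(STATUS_LOG, ["198.51.100.0/24"]) or ["no findings"]))
```

On the router itself, review(open('/tmp/openvpn-status.log').read(), [...]) with the networks you usually connect from does the same job; a single Windows client should normally appear with exactly one MAC, that of its TAP adapter.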
Windows 7 OpenVPN client configuration:

C:\Program Files\OpenVPN\config\client.ovpn

client
dev tap
proto tcp
# the router's DDNS name or IP, and the port
remote xxxxxxxxxxxxx 1194
resolv-retry infinite
nobind
persist-tun
persist-key
float
ca ca.crt
cert coffeecat.crt
key coffeecat.key
mute-replay-warnings
comp-lzo
verb 4
## the next two lines are for Win7
route-method exe
route-delay 2

One line worth adding: remote-cert-tls server (or ns-cert-type server on old 2.3 clients). build-key-server marks the server certificate as a server, and without this option the client will accept any certificate signed by your CA as the server, including another client's coffeecat-style certificate.
Finally, add custom firewall rules on the router:

First put tap0 on the LAN side, then add these to the custom rules (/etc/firewall.user):

iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

Two notes. With proto tcp on the server the UDP rule is never matched; it is harmless, but it opens a port nothing is listening on, so keeping only the TCP rule limits the exposed surface to what is actually served. And "on the LAN side" has to mean the bridge, not just the firewall zone: for server_bridge to work, tap0 must be a member of br-lan (check with brctl show), and putting it in the lan firewall zone does not do that by itself. The usual ways are listing tap0 in the lan interface's ifname in /etc/config/network, or an up script run by OpenVPN that executes brctl addif br-lan $dev (which requires script_security 2 in the server config).
On Win7 you also have to set the interface metric, otherwise traffic may not take the VPN route; once it is set, the VPN route shows the lowest metric:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.24.1.1   172.24.1.100      50
          0.0.0.0          0.0.0.0       172.24.0.1   172.24.0.150     281

Note that this is a full second default route over the tap adapter (172.24.1.100) competing on metric with the physical one; with a pushed 'redirect-gateway def1' you would normally expect two half routes (0.0.0.0/1 and 128.0.0.0/1) via 172.24.1.1 instead, which win over any default route without touching metrics.
References:
1. http://blog.ltns.info/linux/connect_two_home_networks_using_openvpn_and_openwrt/
2. http://huxos.me/blog/openwrt-openvpn/