Using OpenVPN to connect back to the OpenWrt router at home for LAN and internet access
I have been thinking about getting a dual-line or premium network connection lately, but when I am out and about I cannot use it, which would be a waste. So the idea is to connect back to the home router over OpenVPN to get online, and to reach the devices at home as well. My upstream bandwidth at home was just upgraded, so this is a good time to try it.
First, install the packages on the WRT1900AC router running OpenWrt:
opkg update
opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn
Then edit /etc/easy-rsa/vars and change the following parts:
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# In how many days should the root CA key expire?
export CA_EXPIRE=3650
# In how many days should certificates expire?
export KEY_EXPIRE=3650
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="xx"
export KEY_PROVINCE="xx"
export KEY_CITY="xxxx"
export KEY_ORG="XXxxxx"
export KEY_EMAIL="xxxxxx@gmail.com"
export KEY_OU="XXxxxxxx"
# X509 Subject Field
export KEY_NAME="EasyRSA"
Next, generate the certificates and the Diffie-Hellman key:
Manually empty the keys directory under /etc/easy-rsa/ or run clean-all
Generate the CA certificate:
build-ca
Generate the DH key:
build-dh
Server certificate:
build-key-server server
Client certificate:
build-key coffeecat
The names at the end of the last two commands can be changed.
Copy to the server directory:
cd /etc/easy-rsa/keys/
cp ca.crt ca.key dh1024.pem server.key server.crt /etc/openvpn/
Copy to the client:
ca.crt dh1024.pem coffeecat.key coffeecat.crt
Then comes the most important part, configuring the OpenVPN server and client:
Router (server) side:
Edit /etc/config/openvpn:
Note: 172.24.1.1 is the router's LAN IP, and 172.24.1.100-172.24.1.105 is the IP range handed out to VPN clients; it must not overlap with the range the router's LAN DHCP hands out.
config openvpn 'cert_verify'
option port '1194'
option proto 'tcp'
option dev 'tap0'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh1024.pem'
option server_bridge '172.24.1.1 255.255.255.0 172.24.1.100 172.24.1.105'
option ifconfig_pool_persist '/tmp/ipp.txt'
option client_to_client 1
list push 'redirect-gateway def1 local'
option keepalive '10 120'
option comp_lzo 'yes'
option status '/tmp/openvpn-status.log'
option verb '3'
option enabled '1'
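As an added check (not from the original post or from the OpenWrt project), the following Python script parses the server_bridge line from the config above together with an assumed /etc/config/dhcp 'lan' section and reports whether the VPN client pool overlaps the LAN DHCP range, which is exactly the condition the note above says must be avoided. The LAN mask and the dhcp start/limit values are assumptions; the pool is the one from the config.

```python
import ipaddress
import re

# Constructed sample input: the server_bridge line from the router config in
# this post, plus an assumed /etc/config/dhcp 'lan' section using OpenWrt's
# default start/limit (100/150), which hands out 172.24.1.100-172.24.1.249.
OPENVPN_CFG = """
config openvpn 'cert_verify'
option dev 'tap0'
option server_bridge '172.24.1.1 255.255.255.0 172.24.1.100 172.24.1.105'
"""
DHCP_CFG_DEFAULT = """
config dhcp 'lan'
option start '100'
option limit '150'
"""
# Assumed corrected section: DHCP hands out .150-.199, clear of the VPN pool.
DHCP_CFG_FIXED = """
config dhcp 'lan'
option start '150'
option limit '50'
"""

def uci_options(text):
    """Flatten a single-section UCI snippet into {option: value}."""
    return dict(re.findall(r"^\s*option\s+(\w+)\s+'([^']*)'", text, re.M))

def check_bridge_pool(openvpn_cfg, dhcp_cfg, lan_ip="172.24.1.1", lan_mask="255.255.255.0"):
    """Return a list of problems with server_bridge versus the LAN and DHCP
    settings; an empty list means the VPN pool is consistent with the LAN."""
    ovpn, dhcp = uci_options(openvpn_cfg), uci_options(dhcp_cfg)
    gw, mask, pool_lo, pool_hi = ovpn["server_bridge"].split()
    lan = ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)
    lo, hi = ipaddress.ip_address(pool_lo), ipaddress.ip_address(pool_hi)
    problems = []
    if not ovpn.get("dev", "").startswith("tap"):
        problems.append("server_bridge requires a tap device")
    bridge_net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    if ipaddress.ip_address(gw) != ipaddress.ip_address(lan_ip) or bridge_net != lan:
        problems.append("bridge gateway/netmask do not match the LAN interface")
    if lo > hi or lo not in lan or hi not in lan:
        problems.append(f"VPN pool {lo}-{hi} is not inside {lan}")
    # OpenWrt DHCP: 'start' is an offset from the network address, 'limit' a count.
    d_lo = lan.network_address + int(dhcp["start"])
    d_hi = d_lo + int(dhcp["limit"]) - 1
    if lo <= d_hi and hi >= d_lo:
        problems.append(f"VPN pool {lo}-{hi} overlaps DHCP range {d_lo}-{d_hi}")
    return problems

if __name__ == "__main__":
    for name, cfg in (("default dhcp", DHCP_CFG_DEFAULT), ("fixed dhcp", DHCP_CFG_FIXED)):
        print(name, check_bridge_pool(OPENVPN_CFG, cfg) or "OK")
```

With OpenWrt's default DHCP settings the pool from this post collides with the DHCP range, so either the pool or the dhcp 'start'/'limit' values have to be moved, as the note says.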
Then start OpenVPN from LuCI or the command line:
/etc/init.d/openvpn start
If ps shows the process, it is running.
Windows 7 OpenVPN client configuration:
C:\Program Files\OpenVPN\config\client.ovpn
client
dev tap
proto tcp
remote xxxxxxxxxxxxx 1194 # the router's DDNS name or IP, and the port
resolv-retry infinite
nobind
persist-tun
persist-key
float
ca ca.crt
cert coffeecat.crt
key coffeecat.key
mute-replay-warnings
comp-lzo
verb 4
## the next two lines are for Win7
route-method exe
route-delay 2
Finally, add custom iptables rules on the router:
First put tap0 into the lan zone, then add the following to the custom rules:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
Also, on Win7 you need to set the interface metric, otherwise traffic may not take the VPN route; once it is set, you can see that the VPN route has the lowest metric:
IPv4 路由表
===========================================================================
活动路由:
网络目标 网络掩码 网关 接口 跃点数
0.0.0.0 0.0.0.0 172.24.1.1 172.24.1.100 50
0.0.0.0 0.0.0.0 172.24.0.1 172.24.0.150 281
References:
1.http://blog.ltns.info/linux/connect_two_home_networks_using_openvpn_and_openwrt/
2.http://huxos.me/blog/openwrt-openvpn/