Deploy OpenVPN on OpenWRT
6月 28th, 2019,由 frank撰写
目录
My VPS(Bandwagon) include OpenVPN script, but only support Centos6.x that version not good for docker (my blog deploy by docker Blog顺利完成搬家之Bandwagonhost VPS), so need to do by other scripts. OpenWRT config OpenVPN client has some different, so summary the info to the article for review.
But due to GFW, OpenVPN couldn’t establish at last, reset happened between server and client, but the setup should workable.
Deploy OpenVPN at Server
Don’t know why couldn’t find OpenVPN pacakage by yum, even if have epel source
[root@frank ~]# rpm -qa |grep epel
epel-release-7-11.noarch
[root@frank ~]# yum install openvpn
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.usc.edu
* extras: repos.lax.quadranet.com
* updates: mirror.fileplanet.com
No package openvpn available.
Error: Nothing to doLocalinstall the OpenVPN
[root@frank ~]# wget http://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/o/openvpn-2.4.7-1.el7.x86_64.rpm
[root@frank ~]# wget http://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/p/pkcs11-helper-1.11-3.el7.x86_64.rpm
[root@frank ~]# yum localinstall openvpn-2.4.7-1.el7.x86_64.rpm pkcs11-helper-1.11-3.el7.x86_64.rpm Deployment OpenVPN on Server by script
[root@frank ~]# wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O centos7-vpn.sh
[root@frank ~]# chmod +x centos7-vpn.sh
[root@frank ~]# ./centos7-vpn.shclient key in “/etc/openvpn/easy-rsa/pki/private/” -> frank.key
client ca in “/etc/openvpn/easy-rsa/pki/issued/” -> frank.crt
ca in “/etc/openvpn/easy-rsa/pki/” -> ca.crt
replace ftp server by “python -m SimpleHTTPServer” then download files, much useful and flexible.
Follow server config:
[root@frank pki]# more /etc/openvpn/server.conf
port 2356
proto tcp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
#tls-auth tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_kCSCwDZmauEde1nV.crt
key server_kCSCwDZmauEde1nV.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3Deploy OpenVPN at OpenWRT
Easy to install OpenVPN and UI, so ignore at here.
Config OpenVPN config at UI:
At sometimes, configuration maybe different between UI and real config file, so you need to check the real config that was stored in “/etc/config/openvpn”, as follow:
config openvpn 'frank'
option dev 'tun'
option nobind '1'
option verb '3'
option client '1'
list remote 'x.x.x.x 1194'
option route_delay '2'
option tls_client '1'
option auth_nocache '1'
option ca '/etc/openvpn/ca.crt'
option compress 'lzo'
option cert '/etc/openvpn/frank.crt'
option key '/etc/openvpn/frank.key'
option enabled '1'
option proto 'tcp-client'Config Tun0 port and assign firewall-zone
Open port in Firewall
Troubleshooting
OpenWRT/Client
root@OpenWrt:/etc/openvpn# logread -f
Fri Jun 28 22:38:46 2019 daemon.notice openvpn(frank)[13654]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:2356
Fri Jun 28 22:38:46 2019 daemon.notice openvpn(frank)[13654]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri Jun 28 22:38:46 2019 daemon.notice openvpn(frank)[13654]: Attempting to establish TCP connection with [AF_INET]x.x.x.x:2356 [nonblock]
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: TCP connection established with [AF_INET]x.x.x.x:2356
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: TCP_CLIENT link local: (not bound)
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: TCP_CLIENT link remote: [AF_INET]x.x.x.x:2356
Fri Jun 28 22:38:48 2019 daemon.err openvpn(frank)[13654]: Connection reset, restarting [-1]
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: SIGUSR1[soft,connection-reset] received, process restarting
Centos/Server
[root@frank pki]# /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Fri Jun 28 09:31:04 2019 TCP connection established with [AF_INET]x.x.x.x:51462
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 TLS: Initial packet from [AF_INET]x.x.x.x:51462, sid=5952b83e a3cc50aa
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 write TCPv4_SERVER: Connection reset by peer (code=104)
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 Connection reset, restarting [0]
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Jun 28 09:33:45 2019 TCP connection established with [AF_INET]x.x.x.x:51464
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 TLS: Initial packet from [AF_INET]x.x.x.x:51464, sid=975baa3b 745118ed
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 write TCPv4_SERVER: Connection reset by peer (code=104)
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 Connection reset, restarting [0]
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 SIGUSR1[soft,connection-reset] received, client-instance restarting