Deploy OpenVPN on OpenWRT

六月 28th, 2019,由 frank撰写

My VPS(Bandwagon) include OpenVPN script, but only support Centos6.x that version not good for docker (my blog deploy by docker Blog顺利完成搬家之Bandwagonhost VPS), so need to do by other scripts. OpenWRT config OpenVPN client has some different, so summary the info to the article for review.

But due to GFW, OpenVPN couldn’t establish at last, reset happened between server and client, but the setup should workable.

Deploy OpenVPN at Server

Don’t know why couldn’t find OpenVPN pacakage by yum, even if have epel source

[root@frank ~]# rpm -qa |grep epel
epel-release-7-11.noarch
[root@frank ~]# yum install openvpn
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.usc.edu
 * extras: repos.lax.quadranet.com
 * updates: mirror.fileplanet.com
No package openvpn available.
Error: Nothing to do

Localinstall the OpenVPN

[root@frank ~]# wget http://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/o/openvpn-2.4.7-1.el7.x86_64.rpm
[root@frank ~]# wget http://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/p/pkcs11-helper-1.11-3.el7.x86_64.rpm
[root@frank ~]# yum localinstall openvpn-2.4.7-1.el7.x86_64.rpm pkcs11-helper-1.11-3.el7.x86_64.rpm

Deployment OpenVPN on Server by script

[root@frank ~]# wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O centos7-vpn.sh
[root@frank ~]# chmod +x centos7-vpn.sh 
[root@frank ~]# ./centos7-vpn.sh

client key in “/etc/openvpn/easy-rsa/pki/private/” -> frank.key

client ca in “/etc/openvpn/easy-rsa/pki/issued/” -> frank.crt

ca in “/etc/openvpn/easy-rsa/pki/” -> ca.crt

replace ftp server by “python -m SimpleHTTPServer” then download files, much useful and flexible.

Follow server config:

[root@frank pki]# more /etc/openvpn/server.conf 
port 2356
proto tcp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
#tls-auth tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_kCSCwDZmauEde1nV.crt
key server_kCSCwDZmauEde1nV.key 
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3

Deploy OpenVPN at OpenWRT

Easy to install OpenVPN and UI, so ignore at here. 

Config OpenVPN config at UI:

At sometimes, configuration maybe different between UI and real config file, so you need to check the real config that was stored in “/etc/config/openvpn”, as follow:

config openvpn 'frank'
        option dev 'tun'
        option nobind '1'
        option verb '3'
        option client '1'
        list remote 'x.x.x.x 1194'
        option route_delay '2'
        option tls_client '1'
        option auth_nocache '1'
        option ca '/etc/openvpn/ca.crt'
        option compress 'lzo'
        option cert '/etc/openvpn/frank.crt'
        option key '/etc/openvpn/frank.key'
        option enabled '1'
        option proto 'tcp-client'

Config Tun0 port and assign firewall-zone

Open port in Firewall

Troubleshooting

OpenWRT/Client

root@OpenWrt:/etc/openvpn# logread -f

Fri Jun 28 22:38:46 2019 daemon.notice openvpn(frank)[13654]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:2356
Fri Jun 28 22:38:46 2019 daemon.notice openvpn(frank)[13654]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri Jun 28 22:38:46 2019 daemon.notice openvpn(frank)[13654]: Attempting to establish TCP connection with [AF_INET]x.x.x.x:2356 [nonblock]
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: TCP connection established with [AF_INET]x.x.x.x:2356
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: TCP_CLIENT link local: (not bound)
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: TCP_CLIENT link remote: [AF_INET]x.x.x.x:2356
Fri Jun 28 22:38:48 2019 daemon.err openvpn(frank)[13654]: Connection reset, restarting [-1]
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: SIGUSR1[soft,connection-reset] received, process restarting

Centos/Server

[root@frank pki]# /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Fri Jun 28 09:31:04 2019 TCP connection established with [AF_INET]x.x.x.x:51462
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 TLS: Initial packet from [AF_INET]x.x.x.x:51462, sid=5952b83e a3cc50aa
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 write TCPv4_SERVER: Connection reset by peer (code=104)
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 Connection reset, restarting [0]
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Jun 28 09:33:45 2019 TCP connection established with [AF_INET]x.x.x.x:51464
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 TLS: Initial packet from [AF_INET]x.x.x.x:51464, sid=975baa3b 745118ed
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 write TCPv4_SERVER: Connection reset by peer (code=104)
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 Connection reset, restarting [0]
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 SIGUSR1[soft,connection-reset] received, client-instance restarting
0
Linux, Uncategorized, 学习笔记, 常用资料, 网络技术
你可以留言,或者trackback 从你的网站
«
»

留言哦

返回顶端