Deploy OpenVPN on OpenWRT
My VPS (Bandwagon) ships with an OpenVPN script, but it only supports CentOS 6.x, which is not a good fit for Docker (my blog is deployed with Docker, see Blog顺利完成搬家之Bandwagonhost VPS), so I had to use a different script. Configuring the OpenVPN client on OpenWRT is somewhat different, so I summarise the steps in this article for later review.
Because of the GFW, the OpenVPN tunnel could not be established in the end: the connection is reset between server and client. The setup itself should still be workable.
Deploy OpenVPN at Server
Not sure why the OpenVPN package could not be found by yum, even though the EPEL repository is enabled:
[root@frank ~]# rpm -qa |grep epel
epel-release-7-11.noarch
[root@frank ~]# yum install openvpn
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.usc.edu
 * extras: repos.lax.quadranet.com
 * updates: mirror.fileplanet.com
No package openvpn available.
Error: Nothing to do
Install OpenVPN locally from the RPMs
[root@frank ~]# wget http://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/o/openvpn-2.4.7-1.el7.x86_64.rpm
[root@frank ~]# wget http://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/p/pkcs11-helper-1.11-3.el7.x86_64.rpm
[root@frank ~]# yum localinstall openvpn-2.4.7-1.el7.x86_64.rpm pkcs11-helper-1.11-3.el7.x86_64.rpm
Deploy OpenVPN on the server with a script
[root@frank ~]# wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O centos7-vpn.sh
[root@frank ~]# chmod +x centos7-vpn.sh
[root@frank ~]# ./centos7-vpn.sh
After the script finishes, the files needed by the client are:
client key in “/etc/openvpn/easy-rsa/pki/private/” -> frank.key
client cert in “/etc/openvpn/easy-rsa/pki/issued/” -> frank.crt
CA cert in “/etc/openvpn/easy-rsa/pki/” -> ca.crt
Instead of an FTP server, I used “python -m SimpleHTTPServer” to download the files; much more useful and flexible.
The resulting server config:
[root@frank pki]# more /etc/openvpn/server.conf
port 2356
proto tcp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
#tls-auth tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_kCSCwDZmauEde1nV.crt
key server_kCSCwDZmauEde1nV.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3
Deploy OpenVPN at OpenWRT
OpenVPN and its LuCI UI are easy to install, so that step is skipped here.
Configure OpenVPN in the UI:
Sometimes the configuration differs between the UI and the real config file, so check the real config stored in “/etc/config/openvpn”, as follows:
config openvpn 'frank'
	option dev 'tun'
	option nobind '1'
	option verb '3'
	option client '1'
	list remote 'x.x.x.x 1194'
	option route_delay '2'
	option tls_client '1'
	option auth_nocache '1'
	option ca '/etc/openvpn/ca.crt'
	option compress 'lzo'
	option cert '/etc/openvpn/frank.crt'
	option key '/etc/openvpn/frank.key'
	option enabled '1'
	option proto 'tcp-client'
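The server.conf above and this UCI section are easy to get out of sync (the server listens on 2356 with no compression directive, while the stored client section points at port 1194 and enables LZO), and such mismatches look much like the resets in the troubleshooting logs. As an added example that is not part of the original post, a small Python checker that parses both formats and reports those mismatches; the sample configs inside are constructed to mirror the shapes shown here.

```python
import re
# Constructed samples mirroring the post's server.conf and UCI section.
SERVER_CONF = """port 2356
proto tcp
#tls-auth tls-crypt.key 0
"""
UCI_CONF = """config openvpn 'frank'
    list remote 'x.x.x.x 1194'
    option compress 'lzo'
    option proto 'tcp-client'
"""

def parse_server_conf(text):
    """Active server.conf directives -> {name: [values]} (push repeats)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            key, _, val = line.partition(' ')
            conf.setdefault(key, []).append(val.strip())
    return conf

def parse_uci_openvpn(text, section):
    """Options of one 'config openvpn <section>' block -> {name: [values]}."""
    opts, inside = {}, False
    for line in text.splitlines():
        head = re.match(r"\s*config\s+openvpn\s+'([^']+)'", line)
        kv = re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)
        if head:
            inside = head.group(1) == section
        elif inside and kv:
            opts.setdefault(kv.group(1), []).append(kv.group(2))
    return opts

def check_client_against_server(server, client):
    """Return mismatches that make the tunnel fail before or after TLS."""
    problems = []
    sport = server.get('port', ['1194'])[0]
    for remote in client.get('remote', []):
        rport = (remote.split() + ['1194'])[1]  # 'host [port]' form
        if rport != sport:
            problems.append(f"remote port {rport} != server port {sport}")
    sproto = server.get('proto', ['udp'])[0]
    cproto = client.get('proto', ['udp'])[0]
    if sproto.startswith('tcp') != cproto.startswith('tcp'):
        problems.append(f"proto mismatch: client {cproto}, server {sproto}")
    if 'compress' in client and not (server.keys() & {'compress', 'comp-lzo'}):
        problems.append("client compresses but server has no compress directive")
    for s_key, c_key in (('tls-crypt', 'tls_crypt'), ('tls-auth', 'tls_auth')):
        if (s_key in server) != (c_key in client):
            problems.append(f"{s_key} must be set on both sides or neither")
    return problems
```

Run it against the real files (/etc/openvpn/server.conf and /etc/config/openvpn) before blaming the network; an empty list means the two sides at least agree on port, transport, compression and TLS wrapping.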
Configure the tun0 interface and assign a firewall zone
Open the port in the firewall
Troubleshooting
OpenWRT/Client
root@OpenWrt:/etc/openvpn# logread -f
Fri Jun 28 22:38:46 2019 daemon.notice openvpn(frank)[13654]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:2356
Fri Jun 28 22:38:46 2019 daemon.notice openvpn(frank)[13654]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri Jun 28 22:38:46 2019 daemon.notice openvpn(frank)[13654]: Attempting to establish TCP connection with [AF_INET]x.x.x.x:2356 [nonblock]
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: TCP connection established with [AF_INET]x.x.x.x:2356
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: TCP_CLIENT link local: (not bound)
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: TCP_CLIENT link remote: [AF_INET]x.x.x.x:2356
Fri Jun 28 22:38:48 2019 daemon.err openvpn(frank)[13654]: Connection reset, restarting [-1]
Fri Jun 28 22:38:48 2019 daemon.notice openvpn(frank)[13654]: SIGUSR1[soft,connection-reset] received, process restarting
Centos/Server
[root@frank pki]# /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Fri Jun 28 09:31:04 2019 TCP connection established with [AF_INET]x.x.x.x:51462
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 TLS: Initial packet from [AF_INET]x.x.x.x:51462, sid=5952b83e a3cc50aa
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 write TCPv4_SERVER: Connection reset by peer (code=104)
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 Connection reset, restarting [0]
Fri Jun 28 09:31:05 2019 x.x.x.x:51462 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Jun 28 09:33:45 2019 TCP connection established with [AF_INET]x.x.x.x:51464
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 TLS: Initial packet from [AF_INET]x.x.x.x:51464, sid=975baa3b 745118ed
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 write TCPv4_SERVER: Connection reset by peer (code=104)
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 Connection reset, restarting [0]
Fri Jun 28 09:33:46 2019 x.x.x.x:51464 SIGUSR1[soft,connection-reset] received, client-instance restarting
This article is from Frank's Blog