The EdgeRouter-X (ER-X below) is a compact 5-port gigabit router that UBNT released some years ago; in China it is nicknamed the "weak-current cabinet wonder" (the go-to router for a home patch cabinet).
This post records how to set up the OpenVPN server on it and how to configure the client connection file.
The method follows the guide in the official help center.
Server configuration
- Connect to the ER-X over SSH. You can log into the web UI and open the CLI from the top right corner, or use a tool such as PuTTY or Xshell;
Make sure the clock is correct
    show date
    Sun Mar 17 09:24:29 CST 2024
Log in as root
    sudo su
Generate a Diffie-Hellman (DH) parameter file and place it in the /config/auth directory (this step is slow; you can also generate it quickly on Windows with another tool and then copy it into /config/auth with WinSCP or similar, see here for the method. After installing that tool, two commands generate the server and client key files respectively: openvpn-generate init and openvpn-generate client).
    openssl dhparam -out /config/auth/dh.pem -2 2048
Change to the /usr/lib/ssl/misc directory
    cd /usr/lib/ssl/misc
Generate the root certificate (replace <secret> with the password you want), and replace the location and organization fields with your own details.
    ./CA.pl -newca
    PEM Passphrase: <secret>
    Country Name: CN
    State Or Province Name: HuNan
    Locality Name: Changsha
    Organization Name: itvro
    Organizational Unit Name: Support
    Common Name: root
    Email Address: support@abcde.com
Copy the newly created certificate and key to the /config/auth directory
    cp demoCA/cacert.pem /config/auth
    cp demoCA/private/cakey.pem /config/auth
Generate the server certificate
    ./CA.pl -newreq
    Country Name: CN
    State Or Province Name: HuNan
    Locality Name: Changsha
    Organization Name: itvro
    Organizational Unit Name: Support
    Common Name: server
    Email Address: support@abcde.com
Sign the server certificate
    ./CA.pl -sign
    Certificate Details:
        Validity
            Not Before: Mar 17 09:44:29 CST 2024
            Not After : Mar 17 09:44:29 CST 2025
        Subject:
            countryName             = CN
            stateOrProvinceName     = HuNan
            localityName            = Changsha
            organizationName        = itvro
            organizationalUnitName  = Support
            commonName              = server
            emailAddress            = support@abcde.com
    Certificate is to be certified until Mar 17 09:44:29 CST 2025 (365 days)
    Sign the certificate? [y/n]: y
    1 out of 1 certificate requests certified, commit? [y/n] y
Move the server certificate and key files to the /config/auth directory and rename them
    mv newcert.pem /config/auth/server.pem
    mv newkey.pem /config/auth/server.key
Generate, sign and move the certificate and key files for the first OpenVPN client
    ./CA.pl -newreq
    Common Name: client1
    ./CA.pl -sign
    Certificate Details:
        Validity
            Not Before: Mar 17 09:47:22 CST 2024
            Not After : Mar 17 09:47:22 CST 2025
        Subject:
            countryName             = CN
            stateOrProvinceName     = HuNan
            localityName            = Changsha
            organizationName        = itvro
            organizationalUnitName  = Support
            commonName              = client1
            emailAddress            = support@abcde.com
    Certificate is to be certified until Mar 17 09:47:22 CST 2025 (365 days)
    Sign the certificate? [y/n]: y
    1 out of 1 certificate requests certified, commit? [y/n] y
    mv newcert.pem /config/auth/client1.pem
    mv newkey.pem /config/auth/client1.key
Repeat the process for the second OpenVPN client, for example:
    ./CA.pl -newreq
    Common Name: client2
    ./CA.pl -sign
    mv newcert.pem /config/auth/client2.pem
    mv newkey.pem /config/auth/client2.key
Add read permission on the client key files for non-root users
    chmod 644 /config/auth/client1.key
    chmod 644 /config/auth/client2.key
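Before binding these files to vtun0 it is worth checking that they fit together. The script below is an added example, not part of the original post or of the UBNT guide: it verifies that each certificate chains to cacert.pem, matches the private key beside it and has not expired, and that the server key is not world-readable. It assumes the file names used above and unencrypted keys, and builds a throwaway CA in a temporary directory only to exercise the checks.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks on the files
# generated above before they are bound to vtun0. Assumes the file names used in
# this post (cacert.pem, server.pem/.key, client1.pem/.key) and an unencrypted
# key; pass -passin to "openssl pkey" if CA.pl encrypted the key.

# check_auth DIR SERVER CLIENT  -> status 0 when every check passes
check_auth() {
    dir=$1; srv=$2; cli=$3; rc=0
    for n in "$srv" "$cli"; do
        # 1. the certificate must be signed by the CA that vtun0 will trust
        openssl verify -CAfile "$dir/cacert.pem" "$dir/$n.pem" >/dev/null 2>&1 \
            || { echo "FAIL: $n.pem is not signed by cacert.pem"; rc=1; }
        # 2. the certificate's public key must match the private key next to it
        c=$(openssl x509 -in "$dir/$n.pem" -noout -pubkey 2>/dev/null) || c=""
        k=$(openssl pkey -in "$dir/$n.key" -pubout 2>/dev/null) || k=""
        [ -n "$c" ] && [ "$c" = "$k" ] \
            || { echo "FAIL: $n.key does not match $n.pem"; rc=1; }
        # 3. the certificate must not have expired (CA.pl signs for 365 days)
        openssl x509 -in "$dir/$n.pem" -noout -checkend 0 >/dev/null 2>&1 \
            || { echo "FAIL: $n.pem has expired"; rc=1; }
    done
    # 4. the server key never leaves the router, so it should not be world-readable
    #    (the client keys are opened with chmod 644 above only to copy them off)
    if [ -n "$(find "$dir/$srv.key" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $srv.key is readable by other users"; rc=1
    fi
    return $rc
}

# make_sample_auth DIR: builds a throwaway CA plus server/client1 pairs so the
# checks can be exercised offline (constructed sample, not the router's files)
make_sample_auth() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=root" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1
    for n in server client1; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
        openssl x509 -req -days 30 -in "$d/$n.csr" -CA "$d/cacert.pem" \
            -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/$n.pem" >/dev/null 2>&1
    done
    chmod 600 "$d/server.key"; chmod 644 "$d/client1.key"
}

tmp=$(mktemp -d)
make_sample_auth "$tmp"
check_auth "$tmp" server client1 && echo "all checks passed"
rm -rf "$tmp"
```

On the router itself, run `check_auth /config/auth server client1` after the mv and chmod steps above; any FAIL line names the file to regenerate.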
Enter configuration mode
    configure
Add a firewall rule for OpenVPN traffic to the WAN_LOCAL firewall policy
    set firewall name WAN_LOCAL rule 30 action accept
    set firewall name WAN_LOCAL rule 30 description openvpn
    set firewall name WAN_LOCAL rule 30 destination port 1194
    set firewall name WAN_LOCAL rule 30 protocol udp
Configure the OpenVPN virtual tunnel interface
    set interfaces openvpn vtun0 mode server
    set interfaces openvpn vtun0 server subnet 10.8.0.0/24
    set interfaces openvpn vtun0 server push-route 192.168.10.0/24
    set interfaces openvpn vtun0 server name-server 192.168.10.1
Link the server certificate/key and the DH parameters to the virtual tunnel interface
    set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
    set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
    set interfaces openvpn vtun0 tls key-file /config/auth/server.key
    set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem
Add the virtual tunnel interface to the list of interfaces the DNS forwarder listens on
    set service dns forwarding listen-on vtun0
Commit the changes and save the configuration
    commit ; save
Client configuration
Open the OpenVPN config folder
    C:\Program Files\OpenVPN\config\
- Create a new folder (optional) and an OpenVPN configuration file (erx.ovpn)
- Transfer the certificate and client key files from the EdgeRouter's /config/auth directory to the OpenVPN client; only cacert.pem, client1.key and client1.pem are needed
Add the following to the erx.ovpn configuration file (replace <server> with the EdgeRouter's external IP address or hostname)
    client
    dev tun
    proto udp
    remote <server> 1194
    float
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    verb 3
    ca cacert.pem
    cert client1.pem
    key client1.key
To send all traffic over the VPN connection, append the following line to the erx.ovpn configuration file
    redirect-gateway def1
- The client configuration is done; you can now use OpenVPN to connect to the server.