I wrote a version of this before, based on 380.x. It worked at first, but when I came back to it recently it no longer did. So I upgraded the home router to 384.9 and reconfigured it.
The topology is basically unchanged; I added the requirement that the two homes be able to reach each other, so I turned NAT off.
This time I simplified things and made a GitHub repo, https://github.com/sskaje/merlin-pbr, with the jffs configuration scripts. It is still dnsmasq + ipset, but the openvpn-event script can also maintain the route list by hand and send it through the OpenVPN interface automatically.
sskaje's blog, study & research on technology
The RT-AC68U connects via PPPoE, but the assigned IP is 100.64.204.111, which looks like a public IP but is actually Carrier-grade NAT.
Now I need to connect the RT-AC68U to an EdgeRouter on the public Internet with an OpenVPN site-to-site link, and implement policy-based routing on the RT-AC68U side.
All devices behind the RT-AC68U must be able to reach the EdgeRouter's LAN, and selected Internet destinations must be reached through the VPS as needed.
This experiment references the following articles:
Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite
EdgeRouter OpenVPN Connectivity Monitor
Analysis of EdgeRouter policy routing implementation
EdgeRouter Policy Based Routing Using DNSMASQ IPSET
Continue reading “OpenVPN Site-to-Site VPN between Asus Merlin And Ubnt EdgeRouter”
VPN protocols are censored and blocked in China.
I’ve set up a PPTP client and a site-to-site OpenVPN connection on my EdgeRouter Lite.
PPTP is insecure and easier to censor, so I’ve removed the PPTP client from my router.
OpenVPN is better than PPTP: not only more secure, but also much more stable. Traffic is occasionally lost, though, and a reset works in most cases.
reset openvpn interface vtun0
But I cannot get SSH access from everywhere at any time, so I had to write a monitor script that runs ‘reset’ when necessary.
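An added example, not the script from this post: a POSIX sh monitor of the kind described, meant to be run from cron on the EdgeRouter. It pings the peer through vtun0 and, only after several consecutive failed rounds, runs the reset command above through the EdgeOS operational-command wrapper. The peer address 10.99.99.2 (from the site-to-site example further down), the wrapper path /opt/vyatta/bin/vyatta-op-cmd-wrapper and the state-file path are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumed: the EdgeOS op-mode
# wrapper path, the peer address from the site-to-site example, and that
# cron runs this script every minute with "run" as its argument.
PEER="${PEER:-10.99.99.2}"          # far end of the tunnel (assumed)
IFACE="${IFACE:-vtun0}"
PROBES="${PROBES:-5}"               # pings per round
MAX_FAILS="${MAX_FAILS:-3}"         # consecutive failed rounds before a reset
OPCMD="${OPCMD:-/opt/vyatta/bin/vyatta-op-cmd-wrapper}"   # assumed path
STATE="${STATE:-/tmp/ovpn-monitor-$IFACE.fails}"

# Count ICMP replies from the peer, sent out through the tunnel interface.
# "|| true" keeps grep's exit status 1 (no matches) from aborting under set -e.
probe_peer() {
    ping -I "$IFACE" -c "$PROBES" -W 2 "$PEER" 2>/dev/null | grep -c 'bytes from' || true
}

# Pure decision logic, kept separate so it can be tested without a tunnel:
# prints "<new consecutive failure count> <action>", where action is
# ok (peer answered), wait (failed, but below threshold) or reset.
decide_action() {
    replies=$1; fails=$2; max=$3
    if [ "$replies" -gt 0 ]; then
        echo "0 ok"
    elif [ $((fails + 1)) -ge "$max" ]; then
        echo "0 reset"          # counter restarts after the reset
    else
        echo "$((fails + 1)) wait"
    fi
}

run_monitor() {
    replies=$(probe_peer)
    fails=$(cat "$STATE" 2>/dev/null || echo 0)
    set -- $(decide_action "${replies:-0}" "${fails:-0}" "$MAX_FAILS")
    echo "$1" > "$STATE"
    case "$2" in
        wait)  logger -t ovpn-monitor "no reply from $PEER via $IFACE ($1/$MAX_FAILS)" ;;
        reset) logger -t ovpn-monitor "no reply from $PEER via $IFACE, resetting tunnel"
               "$OPCMD" reset openvpn interface "$IFACE" ;;
    esac
}

# Only act when invoked as "ovpn-monitor.sh run", e.g. from cron:
# * * * * * /config/scripts/ovpn-monitor.sh run
if [ "${1:-}" = run ]; then
    run_monitor
fi
```

The failure counter stops a single lost probe round from bouncing the tunnel; the reset is also logged via syslog so repeated resets show up when the far end, not the link, is the problem.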
Reference: https://help.ubnt.com/hc/en-us/articles/204949694-EdgeMAX-OpenVPN-Site-to-Site
The difference is that one end here is Ubuntu Linux and the other is an EdgeRouter Lite.
The goal is likewise to have the EdgeRouter connect to a remote VPN in order to XXXX.
For the PPTP approach see: EdgeOS PPTP VPN client configuration
Ubuntu Linux, 10.99.99.2
EdgeRouter Lite, 10.99.99.1
SSH into the Ubnt EdgeRouter Lite
Generate the shared secret key file
generate vpn openvpn-key /config/auth/secret
Run these commands to create the VPN (replace 服务器公网地址 with the server's public address)
configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 remote-host 服务器公网地址
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun0 local-address 10.99.99.1
set interfaces openvpn vtun0 remote-address 10.99.99.2
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 openvpn-option --float
set interfaces openvpn vtun0 openvpn-option "--ping 10"
set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
set interfaces openvpn vtun0 openvpn-option --ping-timer-rem
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
commit
save
exit
Run these commands to enable NAT
configure
set service nat rule 5020 outbound-interface vtun0
set service nat rule 5020 type masquerade
commit
save
exit
If you need to restart the tunnel
reset openvpn interface vtun0
Install openvpn on the Ubuntu side
apt-get install openvpn
Copy the EdgeRouter's /config/auth/secret to /etc/openvpn/er-site2site-static.key
Edit /etc/openvpn/server.conf
dev tun
ifconfig 10.99.99.2 10.99.99.1
secret /etc/openvpn/er-site2site-static.key
lport 1194
rport 1194
user nobody
group nogroup
comp-lzo
ping 10
ping-restart 20
ping-timer-rem
persist-tun
persist-key
verb 3
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
Start openvpn
/etc/init.d/openvpn start
Ping Linux from the EdgeRouter
ping 10.99.99.2
Ping the EdgeRouter from Linux
ping 10.99.99.1
If there are still problems, check the logs.
See the next article: How to configure device routes (interface-route) on UBNT EdgeOS
OpenVPN ships with a set of CA scripts that are a mess; using them never felt particularly easy. The new version does consolidate the files, though. GitHub: https://github.com/OpenVPN/easy-rsa
Easy-RSA 3.0 was released today.
Setup is fairly simple: put the files listed below in the same directory, or download the official release and just rename vars.example to vars.
In the old version you had to edit the vars file and then source it; the new version can take --vars=/path/to/vars or be driven entirely by command-line arguments.
The vars file needs to be configured; see the comments in the file. Here is a reference version.
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "SSKAJE CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "sskaje@gmail.com"
set_var EASYRSA_REQ_OU "SSKAJE EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "SSKAJE CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"
Continue reading “Easy-RSA 3 HowTo”