Openvpn | @sskaje

OpenVPN Site-to-Site VPN between Asus Merlin And Ubnt EdgeRouter

By @sskaje
Link: https://sskaje.me/2017/10/openvpn-site-to-site-vpn-asus-merlin-ubnt-edgerouter/

前言

Network Topology

RT-AC68U 使用PPPoE拨号上网，但是分配的IP是100.64.204.111, 看着像公网IP实际却是Carrier-grade NAT.

现在需要将RT-AC68U与一台在公网的EdgeRouter使用OpenVPN Site-to-Site连接起来，并在RT-AC68U端实现policy-based routing。
需要让RT-AC68U下的所有设备能访问EdgeRouter LAN的网络，并根据需求透过VPS访问指定互联网。

本实验参考下列文章：
Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite
EdgeRouter OpenVPN Connectivity Monitor
EdgeRouter 策略路由实现分析
 EdgeRouter Policy Based Routing Using DNSMASQ IPSET

Continue reading “OpenVPN Site-to-Site VPN between Asus Merlin And Ubnt EdgeRouter” »

OpenVPN Site-to-Site VPN between Asus Merlin And Ubnt EdgeRouter by @sskaje: https://sskaje.me/2017/10/openvpn-site-to-site-vpn-asus-merlin-ubnt-edgerouter/

Incoming search terms:

EdgeRouter OpenVPN Connectivity Monitor

By @sskaje
Link: https://sskaje.me/2016/08/edgerouter-openvpn-connectivity-monitor/

VPN protocols are censored and blocked in China.

I’ve set up an PPTP client and a Site-to-site OpenVPN connection on my EdgeRouter Lite.

PPTP is insecure and is easier to censor, so I’ve removed PPTP client from my router.

OpenVPN is better than PPTP, not only secured, but also much more stable. But traffics are occasionally lost, reset works at most cases.

reset openvpn interface vtun0

1	reset openvpn interface vtun0

But I cannot get ssh access anywhere anytime, so I have to write an script monitor and run ‘reset’ if necessary.

You are not authorised to read all content in this post.

Please login…

EdgeRouter OpenVPN Connectivity Monitor by @sskaje: https://sskaje.me/2016/08/edgerouter-openvpn-connectivity-monitor/

Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite

By @sskaje
Link: https://sskaje.me/2016/02/set-openvpn-site-to-site-ubnt-edgerouter-lite/

参考：https://help.ubnt.com/hc/en-us/articles/204949694-EdgeMAX-OpenVPN-Site-to-Site
不同的是，我一端是Ubuntu Linux，另一端是EdgeRouter Lite。

实现的目的也是让EdgeRouter连上远程vpn实现XXXX。
PPTP的方案参考：EdgeOS PPTP VPN客户端配置

环境

Ubuntu Linux, 10.99.99.2
EdgeRouter Lite, 10.99.99.1

配置EdgeRouter Lite

SSH到Ubnt EdgeRouter Lite
生成共享密钥文件

generate vpn openvpn-key /config/auth/secret

1	generate vpn openvpn-key /config/auth/secret

执行命令创建VPN

configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 remote-host 服务器公网地址
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun0 local-address 10.99.99.1 
set interfaces openvpn vtun0 remote-address 10.99.99.2
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 openvpn-option --float
set interfaces openvpn vtun0 openvpn-option "--ping 10"
set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
set interfaces openvpn vtun0 openvpn-option --ping-timer-rem
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
commit
save
exit

configure

set interfaces openvpn vtun0

set interfaces openvpn vtun0 mode site-to-site

set interfaces openvpn vtun0 remote-host 服务器公网地址

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

set interfaces openvpn vtun0 local-address 10.99.99.1

set interfaces openvpn vtun0 remote-address 10.99.99.2

set interfaces openvpn vtun0 local-port 1194

set interfaces openvpn vtun0 remote-port 1194

set interfaces openvpn vtun0 openvpn-option --comp-lzo

set interfaces openvpn vtun0 openvpn-option --float

set interfaces openvpn vtun0 openvpn-option "--ping 10"

set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"

set interfaces openvpn vtun0 openvpn-option --ping-timer-rem

set interfaces openvpn vtun0 openvpn-option --persist-tun

set interfaces openvpn vtun0 openvpn-option --persist-key

set interfaces openvpn vtun0 openvpn-option "--user nobody"

set interfaces openvpn vtun0 openvpn-option "--group nogroup"

commit

save

exit

执行命令启用NAT

configure
set service nat rule 5020 outbound-interface vtun0
set service nat rule 5020 type masquerade
commit
save
exit

configure

set service nat rule 5020 outbound-interface vtun0

set service nat rule 5020 type masquerade

commit

save

exit

如果需要重启tunnel

reset openvpn interface vtun0

1	reset openvpn interface vtun0

配置Linux

安装openvpn

apt-get install openvpn

1	apt-get install openvpn

把EdgeRouter的 /config/auth/secret 复制到 /etc/openvpn/er-site2site-static.key

编辑 /etc/openvpn/server.conf

dev tun
ifconfig 10.99.99.2 10.99.99.1 
secret /etc/openvpn/er-site2site-static.key
lport 1194
rport 1194
user nobody
group nogroup
comp-lzo
ping 10
ping-restart 20
ping-timer-rem
persist-tun
persist-key
verb 3
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log

dev tun

ifconfig 10.99.99.2 10.99.99.1

secret /etc/openvpn/er-site2site-static.key

lport 1194

rport 1194

user nobody

group nogroup

comp-lzo

ping 10

ping-restart 20

ping-timer-rem

persist-tun

persist-key

verb 3

status /var/log/openvpn/openvpn-status.log

log-append /var/log/openvpn/openvpn.log

启动openvpn

/etc/init.d/openvpn start

1	/etc/init.d/openvpn start

测试

在EdgeRouter ping Linux

ping 10.99.99.2

1	ping 10.99.99.2

在Linux ping EdgeRouter

ping 10.99.99.1

1	ping 10.99.99.1

如果还有问题，可以看日志

配置路由

参考下一篇文章 UBNT EdgeOS 配置设备路由(interface-route)的方法

Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite by @sskaje: https://sskaje.me/2016/02/set-openvpn-site-to-site-ubnt-edgerouter-lite/

Incoming search terms:

Easy-RSA 3 HowTo

By @sskaje
Link: https://sskaje.me/2015/09/easy-rsa-3-howto/

OpenVPN 自带了一套CA相关的脚本，乱七八糟的，用起来并没觉得有多easy，不过新版把文件整合了，github: https://github.com/OpenVPN/easy-rsa
Easy-RSA 3.0 今天刚Release。

配置

配置起来比较简单，把下列文件放在同一个目录里即可，或者下载官方的release，直接改名 vars.example 为 vars。

easyrsa
openssl-1.0.cnf
vars
x509-types

以前的版本，需要修改vars文件，然后 source 加载一下，新版本可以用 –vars=/path/to/vars 或者完全靠命令行参数传参。
vars文件需要配置，可以看文件注释，给一个参考的版本。

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "Beijing"
set_var EASYRSA_REQ_CITY        "Beijing"
set_var EASYRSA_REQ_ORG         "SSKAJE CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "sskaje@gmail.com"
set_var EASYRSA_REQ_OU          "SSKAJE EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "SSKAJE CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST          "sha256"

set_var EASYRSA "$PWD"

set_var EASYRSA_PKI "$EASYRSA/pki"

set_var EASYRSA_DN "cn_only"

set_var EASYRSA_REQ_COUNTRY "CN"

set_var EASYRSA_REQ_PROVINCE "Beijing"

set_var EASYRSA_REQ_CITY "Beijing"

set_var EASYRSA_REQ_ORG "SSKAJE CERTIFICATE AUTHORITY"

set_var EASYRSA_REQ_EMAIL "sskaje@gmail.com"

set_var EASYRSA_REQ_OU "SSKAJE EASY CA"

set_var EASYRSA_KEY_SIZE 2048

set_var EASYRSA_ALGO rsa

set_var EASYRSA_CA_EXPIRE 7500

set_var EASYRSA_CERT_EXPIRE 365

set_var EASYRSA_NS_SUPPORT "no"

set_var EASYRSA_NS_COMMENT "SSKAJE CERTIFICATE AUTHORITY"

set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"

set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"

set_var EASYRSA_DIGEST "sha256"

Continue reading “Easy-RSA 3 HowTo” »

Easy-RSA 3 HowTo by @sskaje: https://sskaje.me/2015/09/easy-rsa-3-howto/