dd-wrt open vpn 設定範例
1 主點的DD-WRT 設定 (主要提供OPEN VPN STATIC KEY SITE TO SITE 用)
先在dd-wrt 下把port 1 2 3 4 設為 vlan 2 3 4 5
在DHCP 選項中 設定各VLAN DHCP
# dnsmasq "additional options" for the main site: one DHCP pool per VLAN.
# Each pool hands out .100-.149 of its /24 with a 1440-minute (24 h) lease;
# the router itself is .254 on every VLAN (addressed in the startup script).
# NOTE(review): dnsmasq's interface= restricts which interfaces it serves;
# confirm DD-WRT still lists br0 so the main LAN keeps getting leases.
interface=vlan2
dhcp-range=192.168.226.100,192.168.226.149,255.255.255.0,1440m
interface=vlan3
dhcp-range=192.168.227.100,192.168.227.149,255.255.255.0,1440m
interface=vlan4
dhcp-range=192.168.228.100,192.168.228.149,255.255.255.0,1440m
interface=vlan5
dhcp-range=192.168.229.100,192.168.229.149,255.255.255.0,1440m
防火牆
# DD-WRT firewall script for the main site.  It runs after DD-WRT has built
# its own chains, so rules are *inserted* at fixed positions (2 and 3 in
# INPUT, head of FORWARD) rather than appended behind the default drop.
#
# Security notes (review):
#  - Every FORWARD rule below is an unconditional ACCEPT in both directions:
#    each remote site gets full, stateless access to the LAN bridge (br0),
#    and the two remote sites can reach each other through this router.
#    That is the intent of a site-to-site link; anything tighter (per-subnet,
#    per-port, reply-only) has to be added here.
#  - The UDP listeners are opened on every interface, not only the WAN.

# ICMP from either tunnel may reach the router itself (diagnostic pings).
for tun in tun0 tun1; do
  iptables --insert INPUT 3 --in-interface "$tun" --protocol icmp --jump ACCEPT
done

# OpenVPN listeners: udp/2000 serves Client1 (tun0), udp/1999 serves Client2 (tun1).
for port in 2000 1999; do
  iptables --insert INPUT 2 --protocol udp --dport "$port" --jump ACCEPT
done

# Routed traffic between the LAN bridge and each tunnel, plus transit
# between the two tunnels (Client1 <-> Client2 through this router).
for pair in "br0 tun0" "tun0 br0" "br0 tun1" "tun1 br0" "tun0 tun1" "tun1 tun0"; do
  set -- $pair
  iptables --insert FORWARD --in-interface "$1" --out-interface "$2" --jump ACCEPT
done
啟動中設定
#!/bin/ash
# DD-WRT startup script, main site (part 1): bring up the four VLAN
# interfaces that the dnsmasq DHCP pools are bound to.  Busybox ash only:
# no arrays, no [[ ]].
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# vlanN is addressed 192.168.(224+N).254/24 -- the router is .254 of each pool.
n=2
for addr in 192.168.226.254 192.168.227.254 192.168.228.254 192.168.229.254; do
  ifconfig "vlan$n" "$addr" netmask 255.255.255.0
  n=$((n + 1))
done

# Addresses first, then link-up, as in the original ordering.
for n in 2 3 4 5; do
  ifconfig "vlan$n" up
done
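# DD-WRT startup script, main site (part 2): write the two site-to-site
# OpenVPN configs and the static key into /tmp (the only writable place on
# DD-WRT; everything here is recreated from this script on every boot).
#
# Security notes (review):
#  - Both tunnels use the SAME static key, so either remote site can decrypt
#    or impersonate the other site's tunnel.  Generate one key per peer
#    (openvpn --genkey --secret <file>) and point each config at its own.
#  - Static-key mode has no forward secrecy; no cipher/auth is pinned, so
#    both ends fall back to OpenVPN's defaults -- set them explicitly on
#    both sides.  comp-lzo (compression over the VPN) is discouraged today.
#  - The key is embedded in the startup script (nvram): anyone who can read
#    the router config reads the key.
cd /tmp || exit 1

# -f: a re-run of the script must not fail because the link already exists.
ln -sf /usr/sbin/openvpn /tmp/myvpn

# write_p2p_conf FILE PORT DEV
#   Writes one point-to-point (static key) OpenVPN config.  The two configs
#   differ only in listening port and tun device.  The leading/trailing
#   blank lines are kept from the original file layout.
write_p2p_conf() {
  cat > "$1" <<EOF

proto udp
port $2
dev $3
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon

EOF
}
write_p2p_conf Server-Client1.conf 2000 tun0
write_p2p_conf Server-Client2.conf 1999 tun1

# The key is created under umask 077 and then chmod'ed, so it is owner-only
# even when the file survived from a previous boot (OpenVPN warns when a key
# file is group/world readable).  Replace the X placeholder with the real key.
(
  umask 077
  cat > /tmp/static.key <<'EOF'

-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----

EOF
)
chmod 600 /tmp/static.key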
# DD-WRT startup script, main site (part 3): persistent tun devices, static
# routes to the two remote sites, then start both OpenVPN daemons.
#
#   tun0 = link to Client1 (site A in the follow-up post): 10.0.1.1 here, peer 10.0.1.2
#   tun1 = link to Client2 (site B):                        10.0.2.1 here, peer 10.0.2.2
#
# The devices are created up front with --mktun and addressed here; the
# configs carry no ifconfig line and rely on the addresses set below.
for dev in tun0 tun1; do
  /tmp/myvpn --mktun --dev "$dev"
done
ifconfig tun0 10.0.1.1 netmask 255.255.255.0 promisc up
ifconfig tun1 10.0.2.1 netmask 255.255.255.0 promisc up

# Each remote site's whole /21 is routed through its tunnel peer:
#   192.168.216.0/21 (.216-.223) via Client1, 192.168.232.0/21 (.232-.239) via Client2.
route add -net 192.168.216.0 netmask 255.255.248.0 gw 10.0.1.2
route add -net 192.168.232.0 netmask 255.255.248.0 gw 10.0.2.2

# Let the interfaces settle, then start the daemons.  The configs live in
# /tmp, which is still the cwd from the previous section.
sleep 5
for conf in Server-Client1.conf Server-Client2.conf; do
  /tmp/myvpn --config "$conf"
done
Re: dd-wrt open vpn 設定範例
2.1 A 點的 DD-WRT 設定（主要提供 OpenVPN static key site-to-site 用，並提供 CA 憑證撥入與 static key 撥入）
UDP 800：供 XP 以 OpenVPN GUI 搭配 CA 憑證撥入使用
UDP 900：供 XP 以 OpenVPN GUI 搭配 static key 撥入使用
UDP 2000：與主點之間的 site-to-site 連線使用
先在dd-wrt 下把port 1 2 3 4 設為 vlan 2 3 4 5
在DHCP 選項中 設定各VLAN DHCP
# dnsmasq "additional options" for site A: one DHCP pool per VLAN.
# Each pool hands out .100-.149 of its /24 with a 1440-minute (24 h) lease;
# the router itself is .254 on every VLAN (addressed in the startup script).
# NOTE(review): dnsmasq's interface= restricts which interfaces it serves;
# confirm DD-WRT still lists br0 so the main LAN (and the bridged VPN taps)
# keep getting leases.
interface=vlan2
dhcp-range=192.168.218.100,192.168.218.149,255.255.255.0,1440m
interface=vlan3
dhcp-range=192.168.219.100,192.168.219.149,255.255.255.0,1440m
interface=vlan4
dhcp-range=192.168.220.100,192.168.220.149,255.255.255.0,1440m
interface=vlan5
dhcp-range=192.168.221.100,192.168.221.149,255.255.255.0,1440m
防火牆設定
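# DD-WRT firewall script for site A.
#
# BUG FIX: the two road-warrior listeners (udp/800 = TLS/CA server,
# udp/900 = static-key server) were inserted without a target ("-j ACCEPT").
# A rule with no target only counts matching packets and lets them fall
# through to the rest of the chain, so those ports were never actually
# opened.  ACCEPT is added below; insertion order is otherwise unchanged.
#
# Security notes (review):
#  - udp/800 and udp/900 are exposed on every interface including the WAN;
#    that is the point for dial-in clients, but nothing here restricts or
#    rate-limits the source.
#  - FORWARD between br0 and tun0 is an unconditional ACCEPT both ways, i.e.
#    the main site gets full, stateless access to this LAN and vice versa.
#  - The road-warrior servers use tap devices bridged into br0 (see the
#    startup script), so their clients land directly on the LAN segment and
#    are not necessarily filtered by these FORWARD rules at all (bridged
#    frames only traverse iptables when bridge-nf is enabled).
for port in 800 900; do
  iptables -I INPUT 2 -p udp --dport "$port" -j ACCEPT
done

# ICMP from the site-to-site tunnel may reach the router itself.
iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT

# Site-to-site link with the main site: listener plus routed traffic.
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT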
啟動中設定
#!/bin/ash
# DD-WRT startup script, site A (part 1): bring up the four VLAN interfaces
# that the dnsmasq DHCP pools are bound to.  Busybox ash only.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# vlanN is addressed 192.168.(216+N).254/24 -- the router is .254 of each pool.
n=2
for addr in 192.168.218.254 192.168.219.254 192.168.220.254 192.168.221.254; do
  ifconfig "vlan$n" "$addr" netmask 255.255.255.0
  n=$((n + 1))
done

# Addresses first, then link-up, as in the original ordering.
for n in 2 3 4 5; do
  ifconfig "vlan$n" up
done
# DD-WRT startup script, site A (part 2): work from /tmp (the writable
# filesystem), alias the openvpn binary, and build two *bridged* tap devices
# for the road-warrior servers:
#   tap0 -> static-key server on udp/900
#   tap1 -> TLS/CA server on udp/800
#
# Security note (review): both taps are added to br0, so every dial-in
# client is placed directly on the LAN segment; anything a LAN host can
# reach, a VPN client can reach, with no routing hop to filter on.
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
for tap in tap0 tap1; do
  openvpn --mktun --dev "$tap"
  brctl addif br0 "$tap"
  ifconfig "$tap" 0.0.0.0 promisc up
done
# TLS (CA-based) road-warrior server on udp/800, bridged via tap1.
# The file content is written verbatim (blank first/last lines included, as
# in the original); the inline "# ..." text is OpenVPN config commentary.
#
# Security notes (review):
#  - duplicate-cn lets several clients share one certificate, which removes
#    per-client accountability and makes revoking a single user impossible.
#  - No crl-verify, so revoked certificates are still accepted; no tls-auth
#    HMAC, so the listener answers any unauthenticated handshake; no cipher
#    pinned, so the default applies.  dh1024.pem is 1024-bit DH.
#  - No ifconfig-pool/server-bridge here: clients presumably obtain their
#    address via DHCP across the bridge -- verify against the client side.
cat > openvpn.conf <<'EOF'

# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 800 # TCP/UDP port number
dev tap1 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression
# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name
# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key

EOF
# Site-to-site client config: this router dials the main site on udp/2000
# over tun0 using the shared static key.  "主點的ip" is a placeholder for the
# main site's public IP and must be replaced.  Blank first/last lines are
# kept from the original file layout.
#
# Security note (review): no cipher/auth is pinned and comp-lzo is enabled;
# both should be set explicitly to match the main site's config.
cat > Client1-Server.conf <<'EOF'

remote 主點的ip
proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon

EOF
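# DD-WRT startup script, site A (part 4): write the key material.  The
# static key goes to /tmp/static.key; the TLS files go to the cwd (/tmp).
# All contents are placeholders -- paste the real PEM/key blocks in.
#
# FIX: the static key was written world-readable (only server.key had a
# chmod).  Private material is now created under umask 077 and chmod'ed
# afterwards, so it is owner-only even when the file survived from a
# previous boot (OpenVPN warns when a key file is group/world readable).
#
# Security notes (review):
#  - The static key is shared between the site-to-site tunnel (tun0) and the
#    udp/900 road-warrior server: a laptop that loses its copy also
#    compromises the site-to-site link.  Use a separate key per purpose.
#  - Keys are embedded in the startup script (nvram); anyone who can read
#    the router config reads them.
#  - dh1024.pem: 1024-bit DH is below current recommendations; generate
#    2048-bit parameters when the CA material is next rotated.
# Blank first/last lines are kept from the original file layout.
(
  umask 077
  cat > /tmp/static.key <<'EOF'

-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----

EOF
  cat > server.key <<'EOF'

-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PRIVATE KEY-----

EOF
)
chmod 600 /tmp/static.key server.key

# Public material: CA certificate, server certificate, DH parameters.
cat > ca.crt <<'EOF'

-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----

EOF
cat > server.crt <<'EOF'

-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----

EOF
cat > dh1024.pem <<'EOF'

-----BEGIN DH PARAMETERS-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END DH PARAMETERS-----

EOF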
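# DD-WRT startup script, site A (part 5): tun0 for the site-to-site link,
# routes toward the main site, then the three OpenVPN instances.
#
# FIX: the symlink /tmp/myvpn is created earlier in this script; re-running
# "ln -s" here always failed with "File exists".  It is now only created
# when missing, which keeps this section usable on its own.
#
# Security notes (review):
#  - The udp/900 static-key instance uses --cipher BF-CBC (Blowfish, 64-bit
#    block) and comp-lzo; prefer an AES cipher and disable compression on
#    both ends.  It shares /tmp/static.key with the site-to-site tunnel.
#  - A static-key instance serves a single peer at a time and has no
#    forward secrecy.

# tun0: 10.0.1.2 here, main site is 10.0.1.1 (addressed here; the config
# carries no ifconfig line).
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.1.2 netmask 255.255.255.0 promisc up

# Main site (192.168.224.0/21) and site B (192.168.232.0/21, transiting
# through the main site's router) are both reached via the tunnel peer.
route add -net 192.168.224.0 netmask 255.255.248.0 gw 10.0.1.1
route add -net 192.168.232.0 netmask 255.255.248.0 gw 10.0.1.1

[ -e /tmp/myvpn ] || ln -s /usr/sbin/openvpn /tmp/myvpn

# 1) TLS/CA road-warrior server on udp/800 (tap1, bridged).
/tmp/myvpn --config openvpn.conf

# 2) Site-to-site client toward the main site on udp/2000 (tun0).
sleep 5
/tmp/myvpn --config Client1-Server.conf

# 3) Static-key road-warrior server on udp/900 (tap0, bridged).
sleep 5
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 900 --cipher BF-CBC --proto udp --keepalive 10 60 --verb 3 --daemon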
另外 B 點的設定也比照上述 A 點即可（改用 B 點自己的網段，並對應主點上的 port 1999 / tun1）。