文章介绍:iKuai 软路由启动 OpenVPN 服务端,VyOS 配置 OpenVPN 客户端拨号,实现简单组网,采用账号密码加证书认证方式实现。
一、VyOS
1.1、VyOS镜像
1.2、VyOS安装
1.3、VyOS基础
二、iKuai配置OpenVPN
2.1、启动OpenVPN服务端
2.2、创建OpenVPN用户
三、VyOS配置OpenVPN
3.1、配置CA证书
set pki ca ikuai-ca certificate '这里填iKuai服务端OpenVPN的CA证书内容'
set pki ca ikuai-ca certificate 'MIIDQTCCAimgAwIBAgIJAL/NkJg9nDkXMA0GCSqGSIb3DQEBCwUAMDcxCzAJBgNVBAYTAkNOMQ4wDAYDVQQKDAVpS3VhaTEYMBYGA1UEAwwPaUt1YWkgRGV2aWNlIENBMB4XDTE4MDUzMTE2MDAyMVoXDTI4MDUyODE2MDAyMVowNzELMAkGA1UEBhMCQ04xDjAMBgNVBAoMBWlLdWFpMRgwFgYDVQQDDA9pS3VhaSBEZXZpY2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLpabpg/2uN8XTQ7oGMx2QsQqUmwAzlzY+HuJHgOu7LAEuVblJOyB+B4xXhECt98IHELbopapJDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCmH9fPE+mdBvR+0AwMyPbiqCfnl8d
zELMAkGA1UEBhMCQ04xDjAMBgNVBAoMBWlLdWFpMRgwFgYDVQQDDA9pS3VhaSBEZXZpY2UgQ0EwggEiMA0GCSq
GDxyZWEp8dRj6UF99Op2N3vdz0RHitudqieEDgS+u6Lckq8XoLKp91cfNmP348xa2qbL1O4OZ0KIVRXOBYYzL1To6ZB7YtYYbL8xxRHytYp3mtninRgVIhqoQ2zx40R6FYKQ9uCsjVXspgnDUNEDmqkozjBz39BmXWXwAClW+SUNsJprHnhw8oc0ebuF
zELMAkGA1UEBhMCQ04xDjAMBgNVBAoMBWlLdWFpMRgwFgYDVQQDDA9pS3VhaSBEZXZpY2UgQ0EwggEiMA0GCSq
Uo1kcOTZwmhQJxJexRGcLmkdC5/X7Rp7vQQMknO3gqhER58r0MP1arqTGqljWMsSbRtiHJTwL8Lh83xSTJauOTADNcYQz
zELMAkGA1UEBhMCQ04xDjAMBgNVBAoMBWlLdWFpMRgwFgYDVQQDDA9pS3VhaSBEZXZpY2UgQ0EwggEiMA0GCSq
64PmPhBRHFnsqTT/rVJ0AwHEekXFZa5L'
3.2、OpenVPN接口配置
set interfaces openvpn vtun56789 authentication password '账号'
set interfaces openvpn vtun56789 authentication username '密码'
set interfaces openvpn vtun56789 description 'iKuai-OpenVPN'
set interfaces openvpn vtun56789 mode 'client'
set interfaces openvpn vtun56789 openvpn-option '--nobind'
set interfaces openvpn vtun56789 openvpn-option '--script-security 2'
set interfaces openvpn vtun56789 openvpn-option '--allow-compression yes'
set interfaces openvpn vtun56789 openvpn-option '--auth-nocache'
set interfaces openvpn vtun56789 openvpn-option '--cipher AES-256-GCM'
set interfaces openvpn vtun56789 openvpn-option '--tun-mtu 1400'
set interfaces openvpn vtun56789 openvpn-option '--mssfix 1300'
set interfaces openvpn vtun56789 persistent-tunnel
set interfaces openvpn vtun56789 protocol 'udp'
set interfaces openvpn vtun56789 remote-host '拨号地址'
set interfaces openvpn vtun56789 remote-port '56789'
set interfaces openvpn vtun56789 tls ca-certificate 'ikuai-ca'
set interfaces openvpn vtun56789 use-lzo-compression
set interfaces openvpn vtun56789 authentication password '账号':配置客户端用于身份认证的密码set interfaces openvpn vtun56789 authentication username '密码':配置客户端用于身份认证的用户名set interfaces openvpn vtun56789 description 'iKuai-OpenVPN':为接口添加描述,标识其对应目标服务端地址set interfaces openvpn vtun56789 mode 'client':定义接口工作模式为OpenVPN客户端set interfaces openvpn vtun56789 openvpn-option '--nobind':禁用客户端绑定固定本地端口,由系统自动分配临时端口set interfaces openvpn vtun56789 openvpn-option '--script-security 2':设置脚本安全级别为2,允许执行内置脚本及用户脚本(无外部程序调用权限)set interfaces openvpn vtun56789 openvpn-option '--allow-compression yes':允许对传输数据进行双向压缩set interfaces openvpn vtun56789 openvpn-option '--auth-nocache':禁用认证信息(用户名/密码)缓存,重连时需重新提交set interfaces openvpn vtun56789 openvpn-option '--cipher AES-256-GCM':指定客户端与服务端数据通道的加密算法为AES-256-GCMset interfaces openvpn vtun56789 openvpn-option '--tun-mtu 1400':设置客户端TUN设备的MTU为1400字节set interfaces openvpn vtun56789 openvpn-option '--mssfix 1300':限制TCP最大分段大小为1300字节,避免数据包分片set interfaces openvpn vtun56789 persistent-tunnel:启用隧道持久化,空闲时不主动断开VPN连接set interfaces openvpn vtun56789 protocol 'udp':使用UDP协议与OpenVPN服务端通信set interfaces openvpn vtun56789 remote-host '拨号地址':指定目标OpenVPN服务端的域名/IP地址set interfaces openvpn vtun56789 remote-port '56789':指定目标OpenVPN服务端的监听端口set interfaces openvpn vtun56789 tls ca-certificate 'ikuai-ca':指定用于验证服务端证书的根CA证书set interfaces openvpn vtun56789 use-lzo-compression:启用LZO数据压缩功能,优化VPN数据传输效率
四、连接状态查询
