#1 2008-12-04 17:32:10

hsyah
dd-wrt open vpn 設定範例

1    主點的DD-WRT 設定  (主要提供OPEN VPN STATIC KEY SITE TO SITE 用)

    先在dd-wrt 下把port 1 2 3 4 設為 vlan 2 3 4 5

    在DHCP 選項中 設定各VLAN DHCP

# dnsmasq "additional options" for the hub site: one DHCP pool per VLAN
# (vlan2..vlan5 are LAN ports 1..4), addresses .100-.149 of each /24,
# 24h (1440m) leases. The router itself uses .254 in the startup script.
interface=vlan2
dhcp-range=192.168.226.100,192.168.226.149,255.255.255.0,1440m
interface=vlan3
dhcp-range=192.168.227.100,192.168.227.149,255.255.255.0,1440m
interface=vlan4
dhcp-range=192.168.228.100,192.168.228.149,255.255.255.0,1440m
interface=vlan5
dhcp-range=192.168.229.100,192.168.229.149,255.255.255.0,1440m


防火牆
# Hub firewall: ICMP in from both tunnels, one UDP listener per peer,
# LAN<->tunnel forwarding for each peer, and tunnel<->tunnel forwarding so
# the two remote sites can reach each other through the hub.
# Every rule is inserted (-I) at a fixed chain position, so the order of
# the calls below is significant and is kept exactly as in the original.

# ICMP from the tunnel interfaces, each inserted at position 3 of INPUT
# (tun0 first, then tun1 in front of it).
for tun_if in tun0 tun1; do
  iptables -I INPUT 3 -i "$tun_if" -p icmp -j ACCEPT
done

# open_peer PORT TUN_IF -- accept the peer's UDP listener on INPUT (not
# limited to any ingress interface) and let the LAN bridge and the peer's
# tunnel forward to each other.
open_peer() {
  iptables -I INPUT 2 -p udp --dport "$1" -j ACCEPT
  iptables -I FORWARD -i br0 -o "$2" -j ACCEPT
  iptables -I FORWARD -i "$2" -o br0 -j ACCEPT
}

# Client1 on tun0 / UDP 2000, then Client2 on tun1 / UDP 1999
open_peer 2000 tun0
open_peer 1999 tun1

# Allow Forwarding packets between Client1 and Client2
iptables -I FORWARD -i tun0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o tun0 -j ACCEPT


啟動中設定

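#!/bin/ash
# DD-WRT startup script for the hub site: brings up the four VLAN gateways,
# writes the two static-key site-to-site OpenVPN configs and the shared key
# into /tmp, creates tun0/tun1 plus the routes to the two remote sites, and
# finally starts both OpenVPN instances.
#
# Site plan (must agree with the firewall rules and the peers' configs):
#   tun0 / UDP 2000 / 10.0.1.1 <-> Client1 10.0.1.2, remote LAN 192.168.216.0/21
#   tun1 / UDP 1999 / 10.0.2.1 <-> Client2 10.0.2.2, remote LAN 192.168.232.0/21
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# up_vlan IFACE ADDR -- one /24 per VLAN; .254 is the router, the dnsmasq
# options hand out .100-.149 on the same interface.
up_vlan() {
  ifconfig "$1" "$2" netmask 255.255.255.0 up
}
up_vlan vlan2 192.168.226.254
up_vlan vlan3 192.168.227.254
up_vlan vlan4 192.168.228.254
up_vlan vlan5 192.168.229.254

# Everything below is written relative to /tmp; stop if it is not reachable.
cd /tmp || exit 1
# /tmp/myvpn is the same binary under another name (presumably so these
# daemons are told apart from any openvpn the GUI starts -- not verified
# here). -f keeps the script re-runnable instead of failing on the link.
ln -sf /usr/sbin/openvpn /tmp/myvpn

# write_p2p_conf PORT DEV FILE -- static-key point-to-point config.
# No cipher/auth line is given, so the installed build's defaults apply;
# comp-lzo is kept for interoperability with the peers, although compressing
# a tunnel is discouraged by current OpenVPN releases.
write_p2p_conf() {
  cat > "$3" <<EOF
proto udp
port $1
dev $2
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
EOF
}
# Config for Site-to-Site Server-Client1
write_p2p_conf 2000 tun0 Server-Client1.conf
# Config for Site-to-Site Server-Client2
write_p2p_conf 1999 tun1 Server-Client2.conf

# Pre-shared key used by BOTH tunnels: a peer that has it can also speak to
# the other tunnel's listener, so separate keys per peer would be preferable.
# Quoted heredoc: the key text is copied verbatim, nothing is expanded.
# The key is embedded in this startup script, so whoever can read the
# router's saved configuration presumably holds it; rotate it if that
# configuration is ever exported or shared.
cat > /tmp/static.key <<'EOF'
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
EOF
# openvpn warns about a group/world-readable secret; the original never
# restricted the file.
chmod 600 /tmp/static.key

# Create interfaces (promisc is kept from the original; it is not needed
# for a tun device to carry routed traffic)
/tmp/myvpn --mktun --dev tun0
/tmp/myvpn --mktun --dev tun1
ifconfig tun0 10.0.1.1 netmask 255.255.255.0 promisc up
ifconfig tun1 10.0.2.1 netmask 255.255.255.0 promisc up

# Routes to the other two sites (each a /21 that covers that site's four
# VLAN /24s) via the far end of the matching tunnel.
route add -net 192.168.216.0 netmask 255.255.248.0 gw 10.0.1.2
route add -net 192.168.232.0 netmask 255.255.248.0 gw 10.0.2.2

# Initiate the tunnel (the 5 s pause comes from the original; it presumably
# lets the interfaces settle before the daemons bind to them)
sleep 5
/tmp/myvpn --config Server-Client1.conf
/tmp/myvpn --config Server-Client2.conf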





#2 2008-12-04 17:35:12

hsyah
Re: dd-wrt open vpn 設定範例

2  1    A點的DD-WRT 設定  (主要提供OPEN VPN STATIC KEY SITE TO SITE 用 , 及提供CA 撥入 , STATIC KEY撥入)

UDP 800  為XP 使用OPEN VPN GUI 配合CA 設定撥入用
UDP 900  為XP 使用OPEN VPN GUI 配合static key  設定撥入用
UDP 2000 則為和主點SITE TO SITE 用


   先在dd-wrt 下把port 1 2 3 4 設為 vlan 2 3 4 5

    在DHCP 選項中 設定各VLAN DHCP

# dnsmasq "additional options" for site A: one DHCP pool per VLAN
# (vlan2..vlan5 are LAN ports 1..4), addresses .100-.149 of each /24,
# 24h (1440m) leases. The router itself uses .254 in the startup script.
interface=vlan2
dhcp-range=192.168.218.100,192.168.218.149,255.255.255.0,1440m
interface=vlan3
dhcp-range=192.168.219.100,192.168.219.149,255.255.255.0,1440m
interface=vlan4
dhcp-range=192.168.220.100,192.168.220.149,255.255.255.0,1440m
interface=vlan5
dhcp-range=192.168.221.100,192.168.221.149,255.255.255.0,1440m


防火牆設定

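# Site A firewall: the two dial-in listeners (UDP 800 = TLS/CA clients,
# UDP 900 = static-key clients), ICMP from the site-to-site tunnel, the hub
# listener on UDP 2000, and LAN<->tun0 forwarding. tap0/tap1 are bridged
# into br0 by the startup script, so their traffic is bridged rather than
# forwarded and needs no FORWARD rule here.
# -I inserts at a fixed chain position, so keep this order.

# A rule without a target (-j) only counts matching packets and accepts
# nothing, so the 800/900 rules need -j ACCEPT to actually open the ports.
iptables -I INPUT 2 -p udp --dport 800 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 900 -j ACCEPT
iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
# Open firewall holes for the site-to-site tunnel to the hub
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT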


啟動中設定

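#!/bin/ash
# DD-WRT startup script for site A: four VLAN gateways, two tap devices
# bridged into the LAN for dial-in clients (tap1 = TLS/CA clients on UDP 800,
# tap0 = static-key clients on UDP 900), and the static-key site-to-site
# tunnel to the hub (tun0, UDP 2000, 10.0.1.2 <-> 10.0.1.1).
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# up_vlan IFACE ADDR -- one /24 per VLAN; .254 is the router, the dnsmasq
# options hand out .100-.149 on the same interface.
up_vlan() {
  ifconfig "$1" "$2" netmask 255.255.255.0 up
}
up_vlan vlan2 192.168.218.254
up_vlan vlan3 192.168.219.254
up_vlan vlan4 192.168.220.254
up_vlan vlan5 192.168.221.254

# Move to writable directory and create scripts; stop if /tmp is unusable.
cd /tmp || exit 1
# /tmp/myvpn is the same binary under another name; the original also
# created this link a second time further down, which only produced an
# error. -f keeps the script re-runnable.
ln -sf /usr/sbin/openvpn /tmp/myvpn

# bridge_tap DEV -- create a tap device and add it to the LAN bridge br0.
# Dial-in clients thus appear directly on the LAN segment (no FORWARD rules
# are needed for them), which also means that anyone holding the static key
# or any certificate signed by ca.crt is a full layer-2 member of the LAN.
# The original called plain "openvpn" for these two; it is the same binary.
bridge_tap() {
  /tmp/myvpn --mktun --dev "$1"
  brctl addif br0 "$1"
  ifconfig "$1" 0.0.0.0 promisc up
}
bridge_tap tap0
bridge_tap tap1

# TLS server for the OpenVPN-GUI clients (UDP 800, bridged tap1). The
# directives are kept as in the original so existing clients keep working;
# points a reviewer would raise:
#  - dh1024.pem: a 1024-bit DH group is below current minimums; generate a
#    2048-bit or larger group and point "dh" at it when clients are redeployed.
#  - duplicate-cn lets several clients share one certificate, so a leaked
#    certificate cannot be tied to one user, and revoking it cuts off all of them.
#  - no tls-auth and no crl-verify: the listener answers any handshake and
#    revoked client certificates are never checked.
#  - no server-bridge/pool: clients presumably get their address from the LAN
#    DHCP over the bridge -- confirm against the client configs.
cat > openvpn.conf <<'EOF'
# Tunnel options
mode server       # Set OpenVPN major mode
proto udp         # Setup the protocol (server)
port 800          # TCP/UDP port number
dev tap1          # TUN/TAP virtual network device
keepalive 15 60   # Simplify the expression of --ping
daemon            # Become a daemon after all initialization
verb 3            # Set output verbosity to n
comp-lzo          # Use fast LZO compression

# OpenVPN server mode options
client-to-client  # tells OpenVPN to internally route client-to-client traffic
duplicate-cn      # Allow multiple clients with the same common name

# TLS Mode Options
tls-server        # Enable TLS and assume server role during TLS handshake
ca ca.crt         # Certificate authority (CA) file
dh dh1024.pem     # File containing Diffie Hellman parameters
cert server.crt   # Local peer's signed certificate
key server.key    # Local peer's private key
EOF

# Config for Site-to-Site Client1-Server. "remote" is the hub's address;
# the placeholder text is kept from the original. No cipher/auth line is
# given, so the installed build's defaults apply.
cat > Client1-Server.conf <<'EOF'
remote 主點的ip
proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
EOF

# Key material. Quoted heredocs copy the PEM text verbatim. All of it is
# embedded in this startup script, so whoever can read the router's saved
# configuration presumably holds the private key and the static key too.
# Config for Static Key (shared by the hub tunnel and the tap0 listener)
cat > /tmp/static.key <<'EOF'
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
EOF
# openvpn warns about a group/world-readable secret; the original only
# protected server.key.
chmod 600 /tmp/static.key

cat > ca.crt <<'EOF'
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
EOF
cat > server.key <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PRIVATE KEY-----
EOF
chmod 600 server.key
cat > server.crt <<'EOF'
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
EOF
cat > dh1024.pem <<'EOF'
-----BEGIN DH PARAMETERS-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END DH PARAMETERS-----
EOF

# Create the site-to-site interface (promisc kept from the original)
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.1.2 netmask 255.255.255.0 promisc up

# Routes: the hub's /21 and site B's /21 both go through the hub (10.0.1.1)
route add -net 192.168.224.0 netmask 255.255.248.0 gw 10.0.1.1
route add -net 192.168.232.0 netmask 255.255.248.0 gw 10.0.1.1

# Start the TLS dial-in server
/tmp/myvpn --config openvpn.conf

# Initiate the tunnel to the hub (the 5 s pauses come from the original)
sleep 5
/tmp/myvpn --config Client1-Server.conf

sleep 5

# Static-key dial-in listener on UDP 900 / bridged tap0. A static-key tunnel
# is point-to-point, so presumably only one client can use it at a time.
# BF-CBC is a 64-bit block cipher and is kept only because the matching
# clients are configured for it; move both ends to AES when you can.
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 900 --cipher BF-CBC --proto udp --keepalive 10 60 --verb 3 --daemon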


另外 B 點也可以比照上述方式設定即可


最後修改: hsyah (2008-12-04 17:37:04)

