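OPENVPN: Problem setting up a VPN with IPv6 support on Linux
I'm having trouble setting up a VPN on an OrangePi (a tiny computer of the same kind as the Raspberry Pi).
My project is to configure a VPN with IPv6 on it. So I found a project on GitHub that offers to create this automatically:
https://github.com/xl-tech/OpenVPN-easy-setup (by xl-tech)
Before testing it on my OrangePi, I tried running this script in a VM running Ubuntu 16.04 LTS 64Bits, and it worked fine. But when I moved on to my OrangePi, it did not work. After going through the error messages shown (related, I guess, to the iptables firewall not being set up), I can't find what is actually preventing it from working…
I still have a lot to learn; I have been stuck for hours and I can't find why this doesn't work.
My OrangePi is running Ubuntu 14.04.5 LTS (GNU/Linux 3.4.39 armv7l). Can you point me in the right direction? :(
Here is what the script returns on my OrangePi: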
root@OrangePI:~/OpenVPN-easy-setup# bash openvpnsetup.sh
TUN/TAP is enabled
IPv4 forwarding is already enabled
NAME="Ubuntu"
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package netfilter-persistent
Firewall stopped and disabled on system startup
awk: line 0: regular expression compile failed (missing operand)
[ ]+|
Select server IP to listen on (only used for IPv4):
1) Internal IP - 192.168.1.11 25.33.106.84 2620:9b::1921:6a54 (in case you are behind NAT)
2) External IP - 90.51.33.97
2
Select server PORT to listen on:
1) tcp 443 (recommended)
2) udp 1194 (default)
3) Enter manually (proto (lowercase!) port)
2
Select server cipher:
1) AES-256-GCM (default for OpenVPN 2.4.x, not supported by Ubuntu Server 16.x)
2) AES-256-CBC
3) AES-128-CBC (default for OpenVPN 2.3.x)
4) BF-CBC (insecure)
2
Enable IPv6? (ensure that your machine have IPv6 support):
1) Yes
2) No
1
Check your selection
Server will listen on 90.51.33.97
Server will listen on udp 1194
Server will use AES-256-CBC cipher
IPv6 - 1 (1 is enabled, 0 is disabled)
Press enter to continue...
NAME="Ubuntu" Using CA Common Name: Fort-Funston CA Generating a 2048 bit RSA private key ....................................+++ ...+++ writing new private key to 'ca.key' ----- Generating a 2048 bit RSA private key ............+++ ....+++ writing new private key to 'server-cert.key' ----- Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'CA' localityName :PRINTABLE:'SanFrancisco' organizationName :PRINTABLE:'Fort-Funston' organizationalUnitName:PRINTABLE:'MyVPN' commonName :PRINTABLE:'server-cert' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'my@vpn.net' Certificate is to be certified until Sep 21 10:09:07 2023 GMT (1825 days) Write out database with 1 new entries Data Base Updated Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time .........+..................................+................................................................................................+..........................................................................................................................................................................................................................................+.................................+....................................................................................................................................................+....+..................................................................................................................................................................................................+.................................................+.........................................+............................................................................................................................................................................
...............................................................................................+.................................................................................................+................................................................................................+...........................................................................................................................................+....+....................................................................................+...........................................................................................................................................................................++*++* Generating a 2048 bit RSA private key ...........+++ ..+++ writing new private key to 'revoked.key' ----- Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'CA' localityName :PRINTABLE:'SanFrancisco' organizationName :PRINTABLE:'Fort-Funston' organizationalUnitName:PRINTABLE:'MyVPN' commonName :PRINTABLE:'revoked' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'my@vpn.net' Certificate is to be certified until Sep 21 10:17:42 2023 GMT (1825 days) Write out database with 1 new entries Data Base Updated Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Revoking Certificate 01. 
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
revoked.crt: C = US, ST = CA, L = SanFrancisco, O = Fort-Funston, OU = MyVPN, CN = revoked, name = EasyRSA, emailAddress = my@vpn.net
error 23 at 0 depth lookup:certificate revoked
Error 23 indicates that revoke is successful
IPv6 forwarding is already enabled
OpenVPN 2.3.2 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
NAME="Ubuntu"
openvpnsetup.sh: line 360: systemctl: command not found
openvpnsetup.sh: line 360: systemctl: command not found
openvpnsetup.sh: line 361: systemctl: command not found
openvpnsetup.sh: line 361: systemctl: command not found
openvpnsetup.sh: line 362: systemctl: command not found
Setup is complete. Happy VPNing!
Use /etc/openvpn/newclient.sh to generate client config
So:
root@OrangePI:~/OpenVPN-easy-setup# /etc/openvpn/newclient.sh try
Script to generate unified config for Windows App
sage: newclient.sh <common-name>
Generating a 2048 bit RSA private key
.......................................+++
...............................................................................................................................+++
writing new private key to 'try.key'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyVPN'
commonName :PRINTABLE:'try'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'my@vpn.net'
Certificate is to be certified until Sep 21 10:56:28 2023 GMT (1825 days)
Write out database with 1 new entries
Data Base Updated
OpenVPN 2.3.2 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
COMPLETE! Copy the new unified config from here: /etc/openvpn/bundles/try.ovpn
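
You are getting error messages because the script cannot find the systemctl command: openvpnsetup.sh: line 360: systemctl: command not found
The missing command is used to control the cutting-edge (sometimes bleeding-edge) systemd init subsystem. According to this old Ubuntu wiki page, the earliest possible Ubuntu version in which systemd was introduced is 14.10, or more likely 15.04. The 14.04.5 you are running is older than either of those. Before systemd, I think Ubuntu used upstart as its init subsystem.
The transition from one type of init subsystem to another is a fairly big change: it affects how system startup and shutdown are carried out, and how system services are defined and controlled. With systemd, the systemctl command is the general-purpose tool for most service management tasks. You should now read lines #360, #361 and #362 of the openvpnsetup.sh script, figure out what the systemctl commands on those lines are trying to do, and replace them with the corresponding commands that work with the upstart init subsystem. Most likely you will also have to look for any files placed in /etc/systemd/system and replace them with upstart-style service definitions. From your GitHub link, those lines are: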
systemctl enable netfilter-persistent & systemctl start netfilter-persistent
systemctl enable openvpn@server & systemctl start openvpn@server
systemctl restart netfilter-persistent
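That is, enable the netfilter-persistent and OpenVPN server services so that they start automatically at boot and start them immediately, then restart the netfilter-persistent service once more, probably to make sure that any changes the OpenVPN startup may have made to the firewall rules are immediately saved persistently.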
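
The replacement the answer describes, as an added example that is not part of the original answer or of openvpnsetup.sh: a dry-run planner that prints, for each systemctl call on lines 360-362, the command to use on a pre-systemd release. It assumes both services ship SysV-style init scripts driven by service and update-rc.d, that the packaged /etc/init.d/openvpn accepts a VPN name after the action, and it takes the firewall service name as a parameter because netfilter-persistent could not be installed on the asker's system.

```shell
#!/bin/sh
# Added example (not from openvpnsetup.sh): map the script's systemctl calls
# to commands that exist on a pre-systemd Ubuntu such as 14.04.

# Print "systemd" when systemd is the running init, otherwise "legacy"
# (upstart or SysV; both are driven through service/update-rc.d here).
detect_init() {
    if command -v systemctl >/dev/null 2>&1 && [ -d /run/systemd/system ]; then
        echo systemd
    else
        echo legacy
    fi
}

# plan_cmd INIT ACTION UNIT: print the command that performs ACTION on UNIT.
# A templated unit such as openvpn@server becomes service "openvpn" with the
# instance name "server" passed to the init script (assumption: the packaged
# /etc/init.d/openvpn accepts a VPN name after the action).
plan_cmd() {
    init=$1; action=$2; unit=$3
    svc=${unit%%@*}
    inst=
    case $unit in *@*) inst=${unit#*@} ;; esac
    case "$init:$action" in
        systemd:enable|systemd:start|systemd:restart)
            echo "systemctl $action $unit" ;;
        legacy:enable)
            echo "update-rc.d $svc defaults" ;;
        legacy:start|legacy:restart)
            echo "service $svc $action${inst:+ $inst}" ;;
        *)
            echo "unsupported: $init $action" >&2; return 2 ;;
    esac
}

# plan_setup INIT FIREWALL_UNIT: the sequence of lines 360-362, one per line.
plan_setup() {
    for step in "enable $2" "start $2" "enable openvpn@server" \
                "start openvpn@server" "restart $2"; do
        plan_cmd "$1" ${step% *} "${step#* }" || return 2
    done
}

# Dry run by default: review the printed plan before running it as root.
# plan_setup "$(detect_init)" <firewall-service-name>
```

The firewall service name on 14.04 has to be confirmed on the machine itself (for example with apt-cache search), since the page only shows that netfilter-persistent is not available there.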