OpenVPN on OpenWrt
I have a step-by-step guide for OpenVPN on an OpenWRT 10.03 router (wl500gpv2):
Required packages
opkg install openvpn_2.1.1-1_brcm-2.4.ipk kmod-tun_2.4.37.9-1_brcm-2.4.ipk libopenssl_0.9.8m-3_brcm-2.4.ipk liblzo_2.03-3_brcm-2.4.ipk openssl-util_0.9.8m-3_brcm-2.4.ipk ntpd_4.2.6-4_brcm-2.4.ipk
Generating the certificates
# 0)
mkdir -p /etc/ssl/certs/demoCA/newcerts /etc/ssl/certs/demoCA/private /etc/ssl/private; touch /etc/ssl/certs/demoCA/index.txt; echo "01" >> /etc/ssl/certs/demoCA/serial; cd /etc/ssl/certs

# 1)
# cakey.pem: CA's private key - needed by key signing machine only, purpose: Root CA key, keep it in SECRET!!
# cacert.pem: CA's cert - needed by server + all clients, purpose: Root CA certificate, not secret
# common name: "vpnserver" - in every other case just hit enter
time openssl req -nodes -new -x509 -days 3650 -keyout /etc/ssl/certs/demoCA/private/cakey.pem -out demoCA/cacert.pem

# 2)
# server.key: needed by server only, purpose: Server Key, keep it in SECRET!!
# server.csr: [???]
# common name: "vpnserver" - in every other case just hit enter
time openssl req -nodes -new -keyout /etc/ssl/private/server.key -out server.csr
# password not advised - only if you're paranoid..

# 3)
# server.crt: needed by server only, purpose: Server Certificate, not secret
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
time openssl ca -cert demoCA/cacert.pem -keyfile /etc/ssl/certs/demoCA/private/cakey.pem -out server.crt -in server.csr -days 3650

# 4)
# shared.key: [???]
time openvpn --genkey --secret shared.key

# 5)
# dh.pem: Diffie-Hellman file for secure SSL/TLS negotiation, identical on the server and all clients
time openssl dhparam -out dh.pem 1024

# 6)
# give a common name! it will be the user name
# client1.key: needed at client1 only, purpose: Client1 Key, keep it in SECRET!
# client1.csr: [???]
# client1.crt: needed at client1 only, purpose: Client1 Certificate, not secret
# Give the client's key file a password for better security.
time openssl req -nodes -new -keyout /etc/ssl/private/client1.key -out client1.csr
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
time openssl ca -out client1.crt -in client1.csr
Copying the certificates
# on the router
mkdir -p /etc/ssl/certs/client1; cp demoCA/cacert.pem client1.crt /etc/ssl/private/client1.key shared.key dh.pem client1; tar -cvf /root/client1.tar client1; rm -fr /etc/ssl/certs/client1

# on the pc [with a normal user]
mkdir ~/.cert/; rm ~/.cert/*; cd ~/.cert/; scp root@192.168.1.1:/root/client1.tar ~/.cert/; tar -xvf ~/.cert/client1.tar; mv ~/.cert/client1/* .; rm -fr client1; chmod 600 ~/.cert/*
# if you're using e.g.: Fedora/SELinux, then
restorecon -Rv ~/.cert*
OpenVPN server configuration
mkdir /etc/openvpn; vim /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca /etc/ssl/certs/demoCA/cacert.pem
cert /etc/ssl/certs/server.crt
key /etc/ssl/private/server.key
dh /etc/ssl/certs/dh.pem
tls-auth /etc/ssl/certs/shared.key 0
server 192.168.80.0 255.255.255.0
push "redirect-gateway"
comp-lzo
keepalive 10 120
status /tmp/openvpn.status
Firewall on the OpenWrt router
vim /etc/firewall.user

iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
Reboot
sync; sync; sync
reboot
Start and check
openvpn --daemon --config /etc/openvpn/server.conf

root@OpenWrt:/etc/ssl/certs# ps aux | fgrep -i openvpn
  941 root      2876 S    openvpn --daemon --config /etc/openvpn/server.conf
root@OpenWrt:/etc/ssl/certs# netstat -tulpn | fgrep -i 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           941/openvpn
root@OpenWrt:/etc/ssl#
Client configuration
yum install openvpn
vim /etc/openvpn/client.conf

client
dev tun
proto udp
remote 192.168.1.1 1194
nobind
ca /home/USERNAME/.cert/cacert.pem
cert /home/USERNAME/.cert/client1.crt
key /home/USERNAME/.cert/client1.key
dh /home/USERNAME/.cert/dh.pem
tls-auth /home/USERNAME/.cert/shared.key 1
comp-lzo
Go!
openvpn /etc/openvpn/client.conf
But after I try it, the client gives an error: (when I'm using the VPN, I can't ping google.com from the client.. just the router)
Sat Jul 9 13:14:19 2011 OpenVPN 2.1.1 i686-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 5 2010
Sat Jul 9 13:14:19 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jul 9 13:14:19 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Jul 9 13:14:19 2011 Control Channel Authentication: using '/home/USERNAME/.cert/shared.key' as a OpenVPN static key file
Sat Jul 9 13:14:19 2011 LZO compression initialized
Sat Jul 9 13:14:19 2011 UDPv4 link local: [undef]
Sat Jul 9 13:14:19 2011 UDPv4 link remote: 192.168.1.1:1194
Sat Jul 9 13:14:19 2011 [vpnserver] Peer Connection Initiated with 192.168.1.1:1194
Sat Jul 9 13:14:21 2011 TUN/TAP device tun0 opened
Sat Jul 9 13:14:21 2011 /sbin/ip link set dev tun0 up mtu 1500
Sat Jul 9 13:14:21 2011 /sbin/ip addr add dev tun0 local 192.168.80.6 peer 192.168.80.5
Sat Jul 9 13:14:21 2011 OpenVPN ROUTE: omitted no-op route: 192.168.1.1/255.255.255.255 -> 192.168.1.1
Sat Jul 9 13:14:21 2011 WARNING: potential route subnet conflict between local LAN [192.168.80.0/255.255.255.0] and remote VPN [192.168.80.1/255.255.255.255]
Sat Jul 9 13:14:21 2011 Initialization Sequence Completed
^CSat Jul 9 13:16:10 2011 event_wait : Interrupted system call (code=4)
RTNETLINK answers: No such process
Sat Jul 9 13:16:10 2011 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul 9 13:16:10 2011 /sbin/ip addr del dev tun0 local 192.168.80.6 peer 192.168.80.5
Sat Jul 9 13:16:10 2011 SIGINT[hard,] received, process exiting
The question is: what am I doing wrong? Why doesn't it work? Did I give a wrong subnet? How can I give a good one? (e.g. is the "server" line in the "OpenVPN server configuration" wrong?)
Topology:
ISP -> OPENWRT ROUTER (gives out 192.168.1.0/24) -> MYPC (dhcp, not a static ip)
Thanks for any help/tips. I have been googling for several hours and asked many experts, but no luck. My aim is to OpenVPN from my PC to this openwrt router to have a secure "tunnel" (from an internet cafe, or from the topology mentioned, etc.). "MYPC" is running Fedora 14
UPDATE question:
Could someone explain what these files are?:
server.csr: [???]
shared.key: [???]
client1.csr: [???]
:D
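A consistency and hardening check for the server/client configuration pair in the post, as an added example that is not part of the original question. It embeds the two config files above as constructed input and reports what a reviewer would flag before calling the setup done: tls-auth key directions must be complementary (0 on the server, 1 on the client), proto/dev/port must agree on both ends, and the client must verify something about the server's certificate, which is exactly what the client log line "WARNING: No server certificate verification method has been enabled" is about. `ns-cert-type server` and `remote-cert-tls server` are real OpenVPN directives; the linter logic and the `lint_pair` / `parse_conf` function names are this example's own.

```python
"""Lint an OpenVPN server/client config pair (added example, not the post's code)."""
import shlex

# The two config files from the post, embedded here as constructed input.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/ssl/certs/demoCA/cacert.pem
cert /etc/ssl/certs/server.crt
key /etc/ssl/private/server.key
dh /etc/ssl/certs/dh.pem
tls-auth /etc/ssl/certs/shared.key 0
server 192.168.80.0 255.255.255.0
push "redirect-gateway"
comp-lzo
keepalive 10 120
status /tmp/openvpn.status
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 192.168.1.1 1194
nobind
ca /home/USERNAME/.cert/cacert.pem
cert /home/USERNAME/.cert/client1.crt
key /home/USERNAME/.cert/client1.key
dh /home/USERNAME/.cert/dh.pem
tls-auth /home/USERNAME/.cert/shared.key 1
comp-lzo
"""

# Any of these on the client means the server certificate is checked for more
# than "signed by our CA" (all are real OpenVPN directives).
SERVER_VERIFY_DIRECTIVES = ("ns-cert-type", "remote-cert-tls", "remote-cert-eku",
                            "verify-x509-name", "tls-remote", "tls-verify")


def parse_conf(text):
    """Return {directive: [[args...], ...]}; a directive may repeat (e.g. push)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # '#' and ';' start comments
        if not line:
            continue
        parts = shlex.split(line)  # handles the quoted push "redirect-gateway"
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first(conf, key, default=None):
    """Arguments of the first occurrence of a directive, or default."""
    vals = conf.get(key)
    return vals[0] if vals else default


def lint_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    findings = []

    # proto and dev must be identical on both ends or the tunnel never comes up
    for key in ("proto", "dev"):
        if first(s, key) != first(c, key):
            findings.append(f"{key} differs: server={first(s, key)} client={first(c, key)}")

    # the client's 'remote <host> <port>' must target the server's listening port
    sport = first(s, "port", ["1194"])[0]
    remote = first(c, "remote")
    if remote is None:
        findings.append("client has no 'remote' directive")
    else:
        cport = remote[1] if len(remote) > 1 else "1194"
        if cport != sport:
            findings.append(f"port mismatch: server listens on {sport}, client uses {cport}")

    # tls-auth: both sides or neither, with key directions 0 and 1
    sta, cta = first(s, "tls-auth"), first(c, "tls-auth")
    if (sta is None) != (cta is None):
        findings.append("tls-auth on one side only; the other side's packets are dropped")
    elif sta is not None:
        sdir = sta[1] if len(sta) > 1 else None
        cdir = cta[1] if len(cta) > 1 else None
        if {sdir, cdir} != {"0", "1"}:
            findings.append(f"tls-auth directions must be 0/1, got server={sdir} client={cdir}")

    # the client log's MITM warning: without one of these, any certificate the CA
    # issued (another client's, for instance) is accepted as "the server"
    if not any(d in c for d in SERVER_VERIFY_DIRECTIVES):
        findings.append("client enables no server-cert verification method; add "
                        "'ns-cert-type server' or 'remote-cert-tls server'")
    return findings


if __name__ == "__main__":
    for finding in lint_pair(SERVER_CONF, CLIENT_CONF):
        print("-", finding)
```

Run against the post's own files the only finding is the missing server-certificate check. One caveat before adding the directive: `ns-cert-type server` requires the server certificate to carry the nsCertType=server extension, and `remote-cert-tls server` requires the serverAuth extended key usage; the plain `openssl ca` run in the post adds neither unless openssl.cnf's extension section is set up for it, so the server certificate may need to be re-issued with the extension first.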
I solved the problem:
When I OpenVPN'd from the client to the server, the SSH connection to the router was killed, and the OpenVPN server was killed too, because I used:
openvpn --daemon --config /etc/openvpn/server.conf
and not:
nohup openvpn --daemon --config /etc/openvpn/server.conf >/dev/null &
:) Problem solved. Now it works perfectly.. :D headshot :D LOL.
Sat Jul 9 13:14:21 2011 WARNING: potential route subnet conflict between local LAN [192.168.80.0/255.255.255.0] and remote VPN [192.168.80.1/255.255.255.255]
For some reason it appears your configuration is sharing IP address space. Your VPN is picking addresses from the 192.168.80.x address space, while your local LAN is picking addresses from the 192.168.80.x address space. If that happens, then when traffic from the VPN is routed to your MyPC it won't know which router to get address resolution from, and everything breaks. Also, you'll need to use iptables in the router. It should be built in, but it needs a rule telling it to redirect all traffic from MyPC over the VPN. Here's a good article that should help.