OpenWrt/LEDE配置OpenVPN Server

安装openvpn
不再赘述

准备证书文件
主要有以下文件:
(服务端)
ca.crt
dh2048.pem
server.crt
server.key
(客户端)
ca.crt
client01.key
dp-client.key

配置服务端
1. 修改 /etc/config/openvpn, 修改如下

config openvpn sample_server

    # Set to  to enable this instance:
    option enabled 

    # Which local IP address should OpenVPN
    # listen on? (optional)
    option local 0.0.0.0

    # Which TCP/UDP port should OpenVPN listen on?
    # If you want to run multiple OpenVPN instances
    # on the same machine, use a different port
    # number for each one.  You will need to
    # open up this port on your firewall.
    option port 

    # TCP or UDP server?
#    option proto tcp
    option proto udp

    # "dev tun" will create a routed IP tunnel,
    # "dev tap" will create an ethernet tunnel.
    # Use "dev tap0" if you are ethernet bridging
    # and have precreated a tap0 virtual interface
    # and bridged it with your ethernet interface.
    # If you want to control access policies
    # over the VPN, you must create firewall
    # rules for the the TUN/TAP interface.
    # On non-Windows systems, you can give
    # an explicit unit number, such as tun0.
    # On Windows, use "dev-node" for this.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
#    option dev tap
    option dev tun

    # SSL/TLS root certificate (ca), certificate
    # (cert), and private key (key).  Each client
    # and the server must have their own cert and
    # key file.  The server and all clients will
    # use the same ca file.
    #
    # See the "easy-rsa" directory for a series
    # of scripts for generating RSA certificates
    # and private keys.  Remember to use
    # a unique Common Name for the server
    # and each of the client certificates.
    #
    # Any X509 key management system can be used.
    # OpenVPN can also use a PKCS # formatted key file
    # (see "pkcs12" directive in man page).
    option ca /etc/openvpn/ca.crt
    option cert /etc/openvpn/server.crt
    # This file should be kept secret:
    option key /etc/openvpn/server.key

    # Diffie hellman parameters.
    # Generate your own with:
    #   openssl dhparam -out dh1024.pem
    # Substitute   if you are using
    #  bit keys.
    option dh /etc/openvpn/dh2048.pem

    # Configure server mode and supply a VPN subnet
    # for OpenVPN to draw client addresses from.
    # The server will take 10.8.0.1 for itself,
    # the rest will be made available to clients.
    # Each client will be able to reach the server
    # on 10.8.0.1. Comment this line out if you are
    # ethernet bridging. See the man page for more info.
    option server "10.8.0.0 255.255.255.0"

    # Maintain a record of client <-> virtual IP address
    # associations in this file.  If OpenVPN goes down or
    # is restarted, reconnecting clients can be assigned
    # the same virtual IP address from the pool that was
    # previously assigned.
    option ifconfig_pool_persist /tmp/ipp.txt

    # Configure server mode for ethernet bridging.
    # You must first use your OS's bridging capability
    # to bridge the TAP interface with the ethernet
    # NIC interface.  Then you must manually set the
    # IP/netmask on the bridge interface, here we
    # assume 10.8.0.4/255.255.255.0.  Finally we
    # must set aside an IP range in this subnet
    # (start=10.8.0.50 end=10.8.0.100) to allocate
    # to connecting clients.  Leave this line commented
    # out unless you are ethernet bridging.
#    option server_bridge "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100"

    # Push routes to the client to allow it
    # to reach other private subnets behind
    # the server.  Remember that these
    # private subnets will also need
    # to know to route the OpenVPN client
    # address pool (10.8.0.0/255.255.255.0)
    # back to the OpenVPN server. 注意, 这边需要根据服务端所在的内网网段来修改, 如果有多个, 则需要添加多行
    list push "route 192.168.11.0 255.255.255.0"
#    list push "route 192.168.20.0 255.255.255.0"

    # To assign specific IP addresses to specific
    # clients or if a connecting client has a private
    # subnet behind it that should also have VPN access,
    # use the subdirectory "ccd" for client-specific
    # configuration files (see man page for more info).

    # EXAMPLE: Suppose the client
    # having the certificate common name "Thelonious"
    # also has a small subnet behind his connecting
    # machine, such as 192.168.40.128/255.255.255.248.
    # First, uncomment out these lines:
#    option client_config_dir /etc/openvpn/ccd
#    list route "192.168.40.128 255.255.255.248"
    # Then create a file ccd/Thelonious with this line:
    #   iroute 192.168.40.128 255.255.255.248
    # This will allow Thelonious' private subnet to
    # access the VPN.  This example will only work
    # if you are routing, not bridging, i.e. you are
    # using "dev tun" and "server" directives.

    # EXAMPLE: Suppose you want to give
    # Thelonious a fixed VPN IP address of 10.9.0.1.
    # First uncomment out these lines:
#    option client_config_dir /etc/openvpn/ccd
#    list route "10.9.0.0 255.255.255.252"
#    list route "192.168.100.0 255.255.255.0"
    # Then add this line to ccd/Thelonious:
    #   ifconfig-push "10.9.0.1 10.9.0.2"

    # Suppose that you want to enable different
    # firewall access policies for different groups
    # of clients.  There are two methods:
    # () Run multiple OpenVPN daemons, one for each
    #     group, and firewall the TUN/TAP interface
    #     for each group/daemon appropriately.
    # () (Advanced) Create a script to dynamically
    #     modify the firewall in response to access
    #     from different clients.  See man
    #     page for more info on learn-address script.
#    option learn_address /etc/openvpn/script

    # If enabled, this directive will configure
    # all clients to redirect their default
    # network gateway through the VPN, causing
    # all IP traffic such as web browsing and
    # and DNS lookups to go through the VPN
    # (The OpenVPN server machine may need to NAT
    # the TUN/TAP interface to the internet in
    # order for this to work properly).
    # CAVEAT: May break client's network config if
    # client's local DHCP server packets get routed
    # through the tunnel.  Solution: make sure
    # client's local DHCP server is reachable via
    # a more specific route than the default route
    # of 0.0.0.0/0.0.0.0.
#    list push "redirect-gateway"

    # Certain Windows-specific network settings
    # can be pushed to clients, such as DNS
    # or WINS server addresses.  CAVEAT:
    # http://openvpn.net/faq.html#dhcpcaveats
#    list push "dhcp-option DNS 10.8.0.1"
#    list push "dhcp-option WINS 10.8.0.1"

    # Uncomment this directive to allow different
    # clients to be able to "see" each other.
    # By default, clients will only see the server.
    # To force clients to only see the server, you
    # will also need to appropriately firewall the
    # server's TUN/TAP interface.
#    option client_to_client 

    # Uncomment this directive if multiple clients
    # might connect with the same certificate/key
    # files or common names.  This is recommended
    # only for testing purposes.  For production use,
    # each client should have its own certificate/key
    # pair.
    #
    # IF YOU HAVE NOT GENERATED INDIVIDUAL
    # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
    # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
    # UNCOMMENT THIS LINE OUT.
#    option duplicate_cn 

    # The keepalive directive causes ping-like
    # messages to be sent back and forth over
    # the link so that each side knows when
    # the other side has gone down.
    # Ping every  seconds, assume that remote
    # peer is down if no ping received during
    # a  second time period.
    option keepalive "10 120"

    # For extra security beyond that provided
    # by SSL/TLS, create an "HMAC firewall"
    # to help block DoS attacks and UDP port flooding.
    #
    # Generate with:
    #   openvpn --genkey --secret ta.key
    #
    # The server and each client must have
    # a copy of this key.
    # The second parameter should be '
    # on the server and ' on the clients.
    # This file is secret:
#    option tls_auth "/etc/openvpn/ta.key 0"

    # Select a cryptographic cipher.
    # This config item must be copied to
    # the client config file as well.
    # Blowfish (default):
    option cipher BF-CBC
    # AES:
#    option cipher AES--CBC
    # Triple-DES:
#    option cipher DES-EDE3-CBC

    # Enable compression on the VPN link.
    # If you enable it here, you must also
    # enable it in the client config file.
    # LZ4 requires OpenVPN 2.4+ client and server
#    option compress lz4
    # LZO is compatible with most OpenVPN versions
    # (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
    option compress lzo

    # The maximum number of concurrently connected
    # clients we want to allow.
#    option max_clients 

    # The persist options will try to avoid
    # accessing certain resources on restart
    # that may no longer be accessible because
    # of the privilege downgrade.
    option persist_key
    option persist_tun
    option user nobody

    # Output a short status file showing
    # current connections, truncated
    # and rewritten every minute.
    option status /tmp/openvpn-status.log

    # By default, log messages will go to the syslog (or
    # on Windows, if running as a service, they will go to
    # the "\Program Files\OpenVPN\log" directory).
    # Use log or log-append to override this default.
    # "log" will truncate the log file on OpenVPN startup,
    # while "log-append" will append to it.  Use one
    # or the other (but not both).
    option log         /tmp/openvpn.log
#    option log_append  /tmp/openvpn.log

    # Set the appropriate level of log
    # file verbosity.
    #
    #  is silent, except for fatal errors
    #  is reasonable for general usage
    #  and  can help to debug connection problems
    #  is extremely verbose
    option verb 

    # Silence repeating messages.  At most
    # sequential messages of the same message
    # category will be output to the log.
#    option mute 

2. 通过界面 Network-> Interfaces-> Add New interface:
　　Name of new interface: vpn0,
　　Protocol: Unmanaged
　　Cover the following interface: 勾选 Ethernet Adapter: "tun0"
　　Submit,
　　然后再点击Edit进入, 在Advanced Settings里, 勾选 Bring up on boot, Save & Apply
　　在 Firewall Settings中, 点选 unspecified -or- create输入vpn, Save & Apply

3. 通过界面 Network->Firewall->General Settings->General Settings
　　Input: accept
　　Output: accept
　　Forward: reject
　　Masquerading: 勾选
　　Covered networks: 依然只选vpn0
　　Inter-Zone Forwarding-> Allow forward to destination zones: 如果要openvpn客户端能访问lan, 则勾选lan, 如果要openvpn客户端能访问wan, 则勾选wan
　　Inter-Zone Forwarding-> Allow forward from source zones: 如果要openvpn客户端能访问lan, 则勾选lan, 不勾选wan
　　Save & Apply

注意: 这一步与官网的配置说明 (https://wiki.openwrt.org/doc/howto/vpn.openvpn) 不同, 经测试, 仅配置vpn_forwarding_lan_in, vpn_forwarding_lan_out 这些规则, 而不配置Inter-Zone Forwarding是无效的

配置客户端
这是客户端的配置

client
dev tun
proto udp
remote
resolv-retry infinite
nobind
persist-key
persist-tun
ca      s02/ca.crt
cert    s02/dp-client.crt
key     s02/client01.key
remote-cert-tls server
comp-lzo
verb