搞起来挺费劲的,记录一下
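# Install packages
# Refresh the package lists first and only run the install when that
# succeeded; a stale or unreachable feed would otherwise leave the box
# half-configured while the rest of the notes assume both packages exist.
#   openvpn-openssl  - the OpenVPN daemon (OpenSSL build)
#   openvpn-easy-rsa - the easyrsa CLI used below to manage the PKI
opkg update && opkg install openvpn-openssl openvpn-easy-rsa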
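#server-conf
#server
# Builds a fresh PKI, issues the server certificate and writes a
# self-contained /etc/openvpn/server.conf. Meant to be pasted into a root
# shell on the router (no 'exit' is used, so a failure does not close the
# session; check each easyrsa step's output).
# Configuration parameters
OVPN_DIR="/etc/openvpn"
OVPN_PKI="/etc/easy-rsa/pki"
OVPN_PORT="1194"
OVPN_PROTO="tcp"
OVPN_POOL="10.8.0.0 255.255.255.0"
# First address of the pool (10.8.0.1): strip ".<last octet> <netmask>" and append ".1"
OVPN_DNS="${OVPN_POOL%.* *}.1"
# Local search domain as configured in dnsmasq; may be empty when none is set
OVPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
# Certificate CN of the server; also the base name of the config file
OVPN_ID="server"
# easy-rsa parameters
export EASYRSA_PKI="${OVPN_PKI}"
export EASYRSA_REQ_CN="ovpnca"
export EASYRSA_BATCH="1"
# Remove and re-initialize the PKI directory.
# NOTE: this discards any existing CA, so every client profile issued before
# stops working and has to be generated again with the adduser snippet.
easyrsa init-pki
# Generate DH parameters
easyrsa gen-dh
# Create a new CA. 'nopass' stores the CA private key unencrypted under
# ${OVPN_PKI}/private, so anyone with root on this router can issue
# client certificates; keep that in mind when deciding who gets root here.
easyrsa --batch build-ca nopass
# Generate a key pair and sign locally for a server (10-year validity)
EASYRSA_CERT_EXPIRE=3650 easyrsa build-server-full "${OVPN_ID}" nopass
# Initial (empty) CRL; the deluser snippet regenerates it on every revocation
EASYRSA_CRL_DAYS=3650 easyrsa gen-crl
# crl-verify is consulted while the daemon already runs as nobody:nogroup,
# so the published copy of the CRL must be readable by that user
cp "${OVPN_PKI}/crl.pem" "${OVPN_DIR}"
chown nobody:nogroup "${OVPN_DIR}/crl.pem"
# Generate TLS PSK (the tls-crypt key shared by the server and every client)
openvpn --genkey --secret "${OVPN_PKI}/tc.pem"
# Material to embed in the config file
OVPN_DH="$(cat "${OVPN_PKI}/dh.pem")"
# Drop the leading '#' comment lines of tc.pem and re-flow the key body
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" "${OVPN_PKI}/tc.pem")"
# 'openssl x509' prints only the PEM block, without easy-rsa's text header
OVPN_CA="$(openssl x509 -in "${OVPN_PKI}/ca.crt")"
NL=$'\n'
OVPN_KEY="$(cat "${OVPN_PKI}/private/${OVPN_ID}.key")"
OVPN_CERT="$(openssl x509 -in "${OVPN_PKI}/issued/${OVPN_ID}.crt")"
# Only push a search domain when dnsmasq actually has one configured;
# otherwise the config would contain a 'dhcp-option DOMAIN' with no value.
OVPN_PUSH_DOMAIN=""
[ -n "${OVPN_DOMAIN}" ] && OVPN_PUSH_DOMAIN="push \"dhcp-option DOMAIN ${OVPN_DOMAIN}\"${NL}"
# Server side of the config. 'client-to-client' lets VPN clients reach each
# other directly; remove it if clients should only reach the router/LAN.
# 'redirect-gateway def1' sends all client traffic through the tunnel, which
# is why the forwarding rule in the vpnnat section is needed.
OVPN_CONF_SERVER="\
user nobody
group nogroup
dev tun
port ${OVPN_PORT}
proto ${OVPN_PROTO}
server ${OVPN_POOL}
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
crl-verify crl.pem
push \"dhcp-option DNS ${OVPN_DNS}\"
${OVPN_PUSH_DOMAIN}push \"redirect-gateway def1\"
push \"persist-tun\"
push \"persist-key\"
<dh>${NL}${OVPN_DH}${NL}</dh>"
OVPN_CONF_COMMON="\
<tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt>
<key>${NL}${OVPN_KEY}${NL}</key>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<ca>${NL}${OVPN_CA}${NL}</ca>"
# The config embeds the server private key and the tls-crypt secret, so it
# must never be world-readable: create it with a 077 umask (mode 0600).
# OpenVPN parses the file before dropping to nobody, so root-only is enough.
# The umask is changed in a subshell so the interactive session keeps its own.
(umask 077 && cat << EOF > "${OVPN_DIR}/${OVPN_ID}.conf"
${OVPN_CONF_SERVER}
${OVPN_CONF_COMMON}
EOF
)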
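#adduser
#client
# Usage: sh adduser.sh <client-name>
# Issues a client certificate named <client-name> from the CA created by the
# server snippet and writes a self-contained profile to
# /etc/openvpn/<client-name>.ovpn.
# Configuration parameters (must match the server snippet)
OVPN_DIR="/etc/openvpn"
OVPN_PKI="/etc/easy-rsa/pki"
OVPN_PORT="1194"
OVPN_PROTO="tcp"
# Public address the clients connect to; replace the placeholder before use
OVPN_SERV="xxxip"
# Client name = certificate CN = base name of the generated profile.
# Abort with a usage message when it is missing instead of issuing a
# certificate with an empty name.
OVPN_ID="${1:?usage: $0 <client-name>}"
# The name is used as a path component under the PKI and in ${OVPN_DIR};
# restrict it to a plain charset so it cannot escape those directories.
case "${OVPN_ID}" in
  *[!A-Za-z0-9_.-]*) printf 'invalid client name: %s\n' "${OVPN_ID}" >&2; exit 1 ;;
esac
# easy-rsa parameters
export EASYRSA_PKI="${OVPN_PKI}"
export EASYRSA_REQ_CN="ovpnca"
export EASYRSA_BATCH="1"
# Generate a key pair and sign locally for a client (10-year validity).
# Stop here if easy-rsa fails (for example because the name already exists)
# so no profile is written from stale or missing files.
EASYRSA_CERT_EXPIRE=3650 easyrsa build-client-full "${OVPN_ID}" nopass || exit 1
# Material to embed in the profile
# Drop the leading '#' comment lines of tc.pem and re-flow the key body
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" "${OVPN_PKI}/tc.pem")"
OVPN_CA="$(openssl x509 -in "${OVPN_PKI}/ca.crt")"
NL=$'\n'
OVPN_KEY="$(cat "${OVPN_PKI}/private/${OVPN_ID}.key")"
OVPN_CERT="$(openssl x509 -in "${OVPN_PKI}/issued/${OVPN_ID}.crt")"
# Client side of the profile. 'remote-cert-tls server' makes the client
# accept only a certificate issued for server use, so another client's
# certificate from the same CA cannot impersonate the server.
# 'auth-nocache' keeps credentials out of the client's memory between uses.
OVPN_CONF_CLIENT="\
dev tun
nobind
client
remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO}
auth-nocache
remote-cert-tls server"
OVPN_CONF_COMMON="\
<tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt>
<key>${NL}${OVPN_KEY}${NL}</key>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<ca>${NL}${OVPN_CA}${NL}</ca>"
# The profile holds the client's private key and the shared tls-crypt secret,
# i.e. everything needed to join the VPN: create it mode 0600 and hand it to
# the client over a trusted channel only.
(umask 077 && cat << EOF > "${OVPN_DIR}/${OVPN_ID}.ovpn"
${OVPN_CONF_CLIENT}
${OVPN_CONF_COMMON}
EOF
)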
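#deluser
#client
# Usage: sh deluser.sh <client-name>
# Revokes the client certificate, publishes a fresh CRL for the running
# server and removes the client's key material from the router.
# Configuration parameters (must match the server snippet)
OVPN_DIR="/etc/openvpn"
OVPN_PKI="/etc/easy-rsa/pki"
# Refuse an empty name: with OVPN_ID unset the rm commands below would
# target "<pki>/issued/.crt" and friends, and easyrsa would be asked to
# revoke an empty name.
OVPN_ID="${1:?usage: $0 <client-name>}"
# Same charset restriction as in adduser: the name is a path component
case "${OVPN_ID}" in
  *[!A-Za-z0-9_.-]*) printf 'invalid client name: %s\n' "${OVPN_ID}" >&2; exit 1 ;;
esac
export EASYRSA_PKI="${OVPN_PKI}"
export EASYRSA_REQ_CN="ovpnca"
export EASYRSA_BATCH="1"
# Revoke first; if that fails (unknown name, already revoked) leave the CRL
# and the files untouched rather than publishing a CRL that did not change.
easyrsa --batch revoke "${OVPN_ID}" || exit 1
EASYRSA_CRL_DAYS=3650 easyrsa gen-crl || exit 1
# Publish the updated CRL where the server's 'crl-verify crl.pem' reads it.
# cp as root overwrites the old copy in place; chown is needed because the
# server reads the CRL after dropping privileges to nobody:nogroup.
cp "${OVPN_PKI}/crl.pem" "${OVPN_DIR}/crl.pem"
chown nobody:nogroup "${OVPN_DIR}/crl.pem"
# Remove the client's files from the PKI. These are plain files, so -r is
# not needed; -f keeps this quiet when easy-rsa already moved one of them.
rm -f -- "${OVPN_PKI}/issued/${OVPN_ID}.crt" \
         "${OVPN_PKI}/private/${OVPN_ID}.key" \
         "${OVPN_PKI}/reqs/${OVPN_ID}.req"
# The profile written by adduser also contains this client's private key
# and the tls-crypt secret; do not leave it behind after revocation.
rm -f -- "${OVPN_DIR}/${OVPN_ID}.ovpn"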
#vpnnat
# Allow forwarding of traffic that arrives from the VPN pool (the 'server'
# line of the server config, 10.8.0.0 255.255.255.0, written in CIDR form).
# This is a runtime rule only: it is lost on reboot or firewall reload and
# has to be re-applied, or replaced by a persistent firewall zone for the
# tun interface in the OpenWrt firewall config.
# Despite the section name no NAT/masquerade is added here -- only forwarding
# is permitted, so return traffic depends on the LAN/WAN side routing the
# pool back to the router.
OVPN_NET="10.8.0.0/24"
iptables -I FORWARD -s "${OVPN_NET}" -j ACCEPT