電訊茶室 - Powered by Discuz! Board

標題: OPENVPN 用 certificate 設定分享 : DD-WRT server,DD-WRT client, Windows, Android [打印本頁]

作者: tomlee0101 時間: 2012-12-26 23:31 標題: OPENVPN 用 certificate 設定分享 : DD-WRT server,DD-WRT client, Windows, Android

本帖最後由 tomlee0101 於 2013-1-5 15:51 編輯

爬了無數文章和做了無數試驗,成功研究到將DD-WRT client router, Android client, Windows client連到DD-WRT server router做破網翻墻,設定和大家分享..

PPTP非常容易設定,但在大陸用PPTP破網翻墻,非常容易被官方 block,好快無用,可能已經無用..

現在用OpenVPN (用cert), 除了可以支援 Multi-clients同時連線 ,亦不容易被反破網反翻墻,因為可以設定用其他不會被官方 block 的 Port number

Create OpenVPN certiciates and keys
http://openvpn.net/index.php/ope ... tion/howto.html#pki
1. cd to \Program Files\OpenVPN\easy-rsa
2. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files):
   init-config
3. Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.
4. On Windows:
   vars
   clean-all
   build-ca
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command.
The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA".
5. Generate certificate & key for server
On Windows:
   build-key-server server
   As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

   build-key client1
   build-key client2
   build-key client3
   Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.
6. Generate Diffie Hellman parameters
On Windows:
   build-dh
7. Now we will find our newly-generated keys and certificates in the keys subdirectory.
   ca.crt
   ca.key
   dh{n}.pem
   server.crt
   server.key
   client1.crt
   client1.key
   client2.crt
   client2.key
   client3.crt
   client3.key

Remark :
If you want to implement TLS  authentication, which may be helpful (not proved/tested yet) to resolve the issue "Great Firewall 升咗呢，全面封殺 OpenVPN"
http://www.telecom-cafe.com/forum/viewthread.php?tid=5150
https://forums.openvpn.net/topic11688.html
https://www.facebook.com/notes/% ... 7/10150993099683078

Click on "Start > Programs ->OpenVPN ->Utility-> Generate a static OpenVPN key"
Note: this will create a c:\Program Files\OpenVPN\config\static.key file, you will can rename it as ta.key which is to be used in the later configuration steps.

Both server(DD-WRT) and clients ( Windows/Android/DD-WRT) need to do the corresponding configuration with this ta.key file to make connection.

作者: tomlee0101 時間: 2012-12-26 23:32

本帖最後由 tomlee0101 於 2013-1-4 10:50 編輯

Configure DD-WRT as OPENVPN server  ( e.g. Hong Kong Side as OpenVPN server  that you can freely surf )

Tested with DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

1. IMPORTANT : Need to synchronize the DD-WRT router's clock by proper configuration at Setup > BasicSetup > Time Settings
2. GUI > Service > VPN
3. Enable OpenVPN Daemon >
OpenVPN = "Enable" ; Startup Type = "Wan Up"
Config via - GUI
Server mode - Router(Tun) or Bridge (TAP) , I used Router(Tun)
Network - 192.168.60.0
Netmask - 255.255.255.0
port - 1194 or 用其他不會被官方 block 的 Port number
Tunnel Protocol - TCP or UDP, I used TCP
Encryption Cipher - Blowfish CBC
Hash Algorithm - SHA1
Advanced Options - Enable
Use LZO Compression - Enable
Redirect default Gateway - Enable
Allow Client to Client - Enable
Allow duplicate cn - Enable
Additional Config - push "dhcp-option DNS <Your DNS server IP>"
                           push "dhcp-option DNS 8.8.8.8"

CA Cert = ca.crt
Certificate Revoke List = blank
Public Server Cert = server.crt
Private Server Key = server.key
DH PEM = dh1024/2048.pem

4. GUI > Administration > Commands

iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT

iptables -I FORWARD 1 --source 192.168.60.0/24 -j ACCEPT

# These next two lines may or may not be necessary.
# Thus, we include them so that this works for more people:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

>>Save Firewall

Attention : 1194 is Port number, must match with OPENVPN server config

5. Reboot router and see status at Status > OpenVPN
If VPN server is up properly, GUI>Status > OpenVPN, State will show message "Server: CONNECTED: Local Address:Remote Address 192.168.60.1".

Remark :
1) If your server's IP from ISP is dynamic, you can use DDNS to resolve. See other articles for DDNS setup in DD-WRT.
2) dd-wrt.v24-18946_NEWD_openvpn__jffs_small.bin (07-Apr-2012) tested to be fail in OpenVPN. Even after successful connection with OpenVPN server, the client's request could not be routed to WAN/internet.
3) dd-wrt.v24-17990_NEWD_openvpn_jffs_small.bin (08-Dec-2011) tested to be fail in OpenVPN. Even after successful connection with OpenVPN server, the client's request could not be routed to WAN/internet.
4) Therefore, dd-wrt.v24-17084_NEWD_openvpn_jffs_small.bin (17-May-2011) is the most-updated firmware that tested to be fully working in OpenVPN and general AP/Router functions for me .
5) Remark 2), 3) and 4) were tested/verified again on 27-28/Nov 2012 on the same router.
6) If TLS authentication is to be implemented, populate the content of ta.key(generated in step #1 remark) to the field "TLS Auth Key "
Begin from "-----BEGIN OpenVPN Static key V1-----" to "-----END OpenVPN Static key V1-----" inclusive.

作者: tomlee0101 時間: 2012-12-26 23:32

本帖最後由 tomlee0101 於 2014-5-22 16:57 編輯

Configure DD-WRT as OPENVPN client ( e.g. China side router as openvpn client where you need to 破網翻墻 )

成功 Tested with DD-WRT OPENVPN client with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko connection with DD-WRT  OPENVPN server with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

This is OpenVPN site-to-site connection, router-to-router connection.

IMPORTANT :

- Need to synchronize the DD-WRT OpenVPN client router's clock to the same time zone of OpenVPN server by proper configuration at Setup > BasicSetup > Time Settings

- Need to use different subnets for DD-WRT client router and DD-WRT server router
e.g. If DD-WRT server router uses 192.168.10.x,  then DD-WRT client router can use 192.168.20.x

1. Services > VPN
Start OpenVPN Client - Enable
Server IP/Name                      - <OpenVPN server URL name or IP address>
Port                                  - OpenVPN connection port number, default 1194, must match with OpenVPN server config, or 用其他不會被官方 block 的 Port number
Tunnel Protocol                      - UDP or TCP, I used TCP, must match with OpenVPN server config
Tunnel Device                         - TUN or TAP, I used TUN, must match with OpenVPN server config
Encryption Cipher                   - Blowfish CBC, must match with OpenVPN server config
Hash Algorithm                      - SHA1, must match with  OpenVPN server config
nsCerttype verification             - Checked, must match with  OpenVPN server config
Advanced Options                      - Enable
Use LZO Compression                   - Enable
Enable NAT                            - Enable
Local IP Address                      - Leave blank
TUN MTU Setting                      - Leave blank
MSS-Fix/Fragment across the tunnel    - Leave blank
TLS Cipher                            - OFF
TLS Auth Key                         - Leave blank
CA Cert                               - ca.crt
Public Client Cert                   - client1.crt
Public Client Key                   - client1.key

If TLS authentication is implemented on DD-WRT OpenVPN server, populate the content of ta.key(generated in step #1 remark) to the field "TLS Auth Key ".
Begin from "-----BEGIN OpenVPN Static key V1-----" to "-----END OpenVPN Static key V1-----" inclusive.

2. Setup > Basic Setup
Network Setup > Local DNS    8.8.8.8                                     <= Optional, use 8.8.8.8 in case the connected client cannot retrieve properly DNS, otherwise, use default value 0.0.0.0
Network Address Server Setting(DHCP) > Use DNSMasq for DNS uncheck box    <= Important, for proper DNS lookup

3. Make sure clock is properly synchronized
either by proper configuration at Setup > BasicSetup > Time Settings
or set the time manually at Administration > Commands
      date MMDDHHMMYYYY

3. Reboot DD-WRT OpenVPN client router and test
- Make sure clock is properly synchronized
- At Status > OpenVPN, it should show DD-WRT openVPN client router's connection virtual IP address, e.g. 192.168.60.2
- Use a PC to connect to DD-WRT openVPN client router, the PC should be able to ping the DD-WRT OpenVPN server's virtual IP address, e.g. 192.168.60.1

After the DD-WRT OpenVPN client router (China side) has successfully called/connected to the DD-WRT OpenVPN server router (Hong Kong side),  for any PC, Android, i-phone (China side) connected to DD-WRT openVPN client router (China side) via LAN port or WIFI afterwards, the traffic will be routed to DD-WRT OpenVPN server router (Hong Kong side) as gateway to access the internet. The PC, Android, i-phone (China side) does NOT need to install any software or do any special configuration. The DD-WRT OpenVPN client router (China side) will handle the 破網翻墻 job for the PC, Android, i-phone (China side) connected.

作者: tomlee0101 時間: 2012-12-26 23:33

本帖最後由 tomlee0101 於 2013-1-4 08:54 編輯

Configure Windows OPENVPN client configuration (e.g. China side PC as openvpn client where you need to 破網翻墻)

成功 Tested with Windows OPENVPN client connection with DD-WRT OpenVPN server with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

IMPORTANT : Need to synchronize the Windows workstation to the same time zone of  OpenVPN server

1) Edit  c:\program files\OpenVPN\config\client.ovpn

      remote <OpenVPN server IP> 1194  ( or 用其他不會被官方 block 的 Port number, must match with OPENVPN server config)
      client
      dev tun0
      proto tcp-client
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca ca.crt
      cert client1.crt
      key client1.key
      ns-cert-type server
      comp-lzo

2) Copy ca.crt, client1.crt and client1.key to c:\program files\OpenVPN\config\

If TLS authentication is implemented on DD-WRT OpenVPN server, copy the file ta.key(generated in step #1 remark) to the  c:\program files\OpenVPN\config\ and add the statement

tls-auth ta.key 1

to the file c:\program files\OpenVPN\config\client.ovpn

作者: tomlee0101 時間: 2012-12-26 23:33

本帖最後由 tomlee0101 於 2013-1-4 08:56 編輯

Configure Android client ( e.g. China side Android client where you need to 破網翻墻 )

成功Tested with CM 7.2 內置openvpn client connection with DD-WRT OPENVPN server with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

IMPORTANT : Need to synchronize the Android's clock to the same time zone of the OpenVPN server.

1) you have to merge three files into a .p12 file for certification.
Use a terminal on Linux or command window on Windows to merge these files. Just type "openssl pkcs12 -export -in client1.crt -inkey client1.key -certfile ca.crt -out client1.p12"

2) copy the file client1.p12 to sdcard in your phone, put client1.p12 in root folder

3) install certification on Android. Settings>>Location&security>>Install from SD card
Select client1.p12 and it will prompt for name (e.g. give it VPNDDWRT)

4) setup your Openvpn. Settings>>Wireless&networks>>VPN settings>>Add VPN>>Add OpenVPN VPN

5) VPN name: as you wish
Set VPN server : IP of your OpenVPN server, without port.
User authentication: No
Set CA certificate: your ca installed in step3. (i.e. VPNDDWRT)
Set user certificate: your ca installed in step3. (i.e. VPNDDWRT)
DNS search domains: For me, leave it blank. For some situation you can use 8.8.8.8, google's free server.

Then tap "menu" and go to "Advanced".
Server port: this is the port you specified in your openvpn server, must match with server setup or 用其他不會被官方 block 的 Port number
Protocol to use: tcp or udp, I used tcp, this is the protocol you set in your openvpn server, must match with server setup
Device to use: tun or tap, I used tun, must match with server setup
LZO compression: Yes, must match with server setup
Redirect gateway: Yes
Remote Sets Addresses: Yes
Cipher algorithm:default
Size of cipher key:default

If TLS authentication is implemented on DD-WRT OpenVPN server, copy the file ta.key ( generated in step #1 remark) to root directory of SD card and do the corresponding configuration
TLS-Auth: <- Check this box
TA key file location: /mnt/sdcard/ta.key
Tls-Auth key direction:1(Client default)

作者: lcs9000 時間: 2012-12-27 14:54

請問可否於大陸的一邊 router 後加一隻 dd-wrt router 行 site to site openvpn 呢？

作者: lttliang 時間: 2012-12-27 15:05

請問可否於大陸的一邊 router 後加一隻 dd-wrt router 行 site to site openvpn 呢？
lcs9000 發表於 2012-12-27 14:54

完全可行，我就是这样，不过我用的是tomato

作者: lcs9000 時間: 2012-12-27 15:57

本帖最後由 lcs9000 於 2012-12-27 18:28 編輯

是否如上設定後把 dd-wrt router 接到大陸的 router 後就已經可以？

作者: 角色 時間: 2012-12-27 19:22

回復 1# tomlee0101

谢谢CHing的无私地奉献！其实我以前用DD-WRT都只能回用static key，而CHing你能把DD-WRT的OpenVPN发挥的淋漓尽致！

作者: tomlee0101 時間: 2012-12-28 00:53

本帖最後由 tomlee0101 於 2012-12-28 08:32 編輯

回復 tomlee0101

谢谢CHing的无私地奉献！其实我以前用DD-WRT都只能回用static key，而CHing你能把DD-WR ...
角色發表於 2012-12-27 19:22

Hope my sharing can really help those working in China..

I do not have Iphone. Hope someone can share the experience/skill of using OpenVPN client on Iphone later as well.

作者: tomlee0101 時間: 2012-12-28 00:57

本帖最後由 tomlee0101 於 2012-12-28 08:35 編輯

回復 8# lcs9000

大陸的一邊 router 後加一隻 dd-wrt router, remember the router and 後加的一隻 DD-WRT router should use different LAN segments.

e.g. if router uses LAN segment 192.168.1.x then 後加的一隻 DD-WRT router cannot use LAN segment 192.168.1.x. The 後加的一隻 DD-WRT router should use LAN segment e.g. 192.168.2.x.

作者: 亞星 時間: 2012-12-28 09:04

回復 5# tomlee0101
師兄, 如果在無 root 機情況下應該如何設定 OPENVPN for android 呢?

作者: tomlee0101 時間: 2012-12-28 21:46

本帖最後由 tomlee0101 於 2012-12-29 11:06 編輯

回復 12# 亞星

Factory Android does not provide built-in OpenVPN client and therefore you need to install third-party OpenVPN client.

If you do not root the phone, many such third-party OpenVPN client cannot work or even cannot be installed.

It appears to me that many users reported functionality and stability problem for these third-party client and therefore I did not even care to try it out at all.

作者: lcs9000 時間: 2013-1-3 15:57

回復 2# tomlee0101
師兄你個 DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko 0向邊度 download? TPLink 1043nd 用唔用到?

作者: tomlee0101 時間: 2013-1-3 18:41

本帖最後由 tomlee0101 於 2013-1-3 19:02 編輯

回復 14# lcs9000

Follows :
www.dd-wrt.com
>Router database
>Other downloads
>Others
>eko
>V24_TNG
>svn17084

Select the firmware file with 'openvpn' as a part of filename and fits with your router's hardware

All my dd-wrt routers are broadcom chipset based and therefore can safely use the appropriate EKO versions.

TP-link 1043nd uses AR9132 chipset and I am also asking/finding if EKO versions can be used on non-broadcom chipset based router.

作者: tomlee0101 時間: 2013-1-3 19:04

本帖最後由 tomlee0101 於 2013-1-3 19:06 編輯

Some OpenVPN users reported "Great Firewall 全面封殺 OpenVPN ?!"

http://www.telecom-cafe.com/foru ... o=lastpost#lastpost

歡迎光臨電訊茶室 (http://telecom-cafe.com/forum/)