[Tutorial] OpenVPN setup with certificates: DD-WRT server, DD-WRT client, Windows, Android

This post was last edited by tomleehk on 2013-1-4 10:44

After crawling through countless articles and running countless experiments, I managed to get a DD-WRT client router, an Android client and a Windows client connected to a DD-WRT server router to circumvent the firewall. Sharing the setup with everyone..

PPTP is very easy to set up, but using PPTP from the mainland to circumvent the firewall is very easily blocked by the authorities; it quickly becomes useless, and may already be useless..

Now, using OpenVPN (with certs), besides supporting multiple clients connecting at the same time, it is also not easy to block, because it can be configured to use another port number that the authorities do not block.

Create OpenVPN certificates and keys
http://openvpn.net/index.php/ope ... tion/howto.html#pki
1. cd to \Program Files\OpenVPN\easy-rsa
2. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files):
     init-config
3. Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.
4. On Windows:
     vars
     clean-all
     build-ca
   The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command.
   The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA".
5. Generate certificate & key for server
   On Windows:
     build-key-server server
     As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

     build-key client1
     build-key client2
     build-key client3
     Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.
6. Generate Diffie Hellman parameters
   On Windows:
     build-dh
7. Now we will find our newly-generated keys and certificates in the keys subdirectory.
     ca.crt
     ca.key
     dh{n}.pem
     server.crt
     server.key
     client1.crt
     client1.key
     client2.crt
     client2.key
     client3.crt
     client3.key

Remark :
If you want to implement TLS  authentication, which may be helpful (not proved/tested yet) to resolve the issue
"Has the Great Firewall been upgraded to block OpenVPN completely?!"
http://www.hkepc.com/forum/viewthread.php?tid=1899354
https://forums.openvpn.net/topic11688.html
https://www.facebook.com/notes/% ... 7/10150993099683078

Click on "Start > Programs -> OpenVPN -> Utility -> Generate a static OpenVPN key"
Note: this will create the file c:\Program Files\OpenVPN\config\key.txt; you can rename it to ta.key, which is used in the later configuration steps.

Both server(DD-WRT) and clients ( Windows/Android/DD-WRT) need to do the corresponding configuration with this ta.key file to make connection.
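The easy-rsa steps above, done with plain openssl so that the result can be inspected before it is pasted into DD-WRT. This is an added example, not part of the thread and not easy-rsa itself: the Common Names follow the post (OpenVPN-CA, server, client1..client3), while the directory layout, the server.ext/client.ext extension files, the ten-year validity and the function names are this script's own assumptions. Besides building the files of step 7, it performs the three checks a practitioner wants before deploying: that every certificate chains to ca.crt when evaluated at a chosen clock time (the reason the posts insist on clock synchronisation), that server.crt carries the server markers the client's "ns-cert-type server" check relies on, and that no two clients share a Common Name.

```shell
#!/bin/sh
# Added example, not from the thread: the easy-rsa steps above done with plain
# openssl, plus the checks a peer performs on the result. Common Names follow
# the post (OpenVPN-CA, server, client1..client3); the directory layout, the
# .ext files and the 10-year validity are assumptions of this script.
set -eu

# Key + CSR for Common Name $1, signed by the CA with the extensions in file $2.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 3650 -sha256 -extfile "$2" -out "$1.crt" 2>/dev/null
    rm -f "$1.csr"
}

# Steps 4, 5 and 7: build CA, server and client material under directory $1.
build_pki() {
    mkdir -p "$1"
    (
        cd "$1"
        # Step 4 (build-ca): a self-signed CA with Common Name "OpenVPN-CA".
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=OpenVPN-CA" -keyout ca.key -out ca.crt 2>/dev/null
        # Step 5 (build-key-server): easy-rsa marks the server certificate as
        # a server. The same markers are added here so that a client's
        # "ns-cert-type server" (or remote-cert-tls server) check can tell a
        # server certificate from a client one.
        printf '%s\n' 'nsCertType = server' 'extendedKeyUsage = serverAuth' \
            'keyUsage = digitalSignature, keyEncipherment' > server.ext
        issue_cert server server.ext
        # Step 5 (build-key): one client certificate per unique Common Name.
        printf '%s\n' 'nsCertType = client' 'extendedKeyUsage = clientAuth' \
            'keyUsage = digitalSignature' > client.ext
        for cn in client1 client2 client3; do issue_cert "$cn" client.ext; done
        # Step 6 (build-dh) is slow and not needed for the checks below:
        #   openssl dhparam -out dh2048.pem 2048
    )
}

# Verify server.crt and every client*.crt in $1 against ca.crt, evaluated at
# clock time $2 (epoch seconds) instead of "now". This is the check each peer
# makes during the TLS handshake: with a router clock that is far off it fails
# with "certificate is not yet valid" or "certificate has expired", which is
# why the posts put clock synchronisation first.
verify_chain() {
    for crt in "$1"/server.crt "$1"/client*.crt; do
        openssl verify -CAfile "$1/ca.crt" -attime "$2" "$crt" 2>/dev/null \
            | grep -q ': OK$' || return 1
    done
}

# True when certificate $1 carries the server markers "ns-cert-type server" needs.
is_server_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# True when no two client certificates in $1 share a Common Name
# (the post's "always use a unique common name for each client").
client_cns_unique() {
    dups=$(for crt in "$1"/client*.crt; do
               openssl x509 -in "$crt" -noout -subject
           done | sort | uniq -d)
    [ -z "$dups" ]
}

# Stand-alone use: sh pki.sh run  -> builds ./pki and reports the checks.
if [ "${1:-}" = "run" ]; then
    build_pki ./pki
    verify_chain ./pki "$(date +%s)" && echo "chain verifies at the current time"
    is_server_cert ./pki/server.crt && echo "server.crt carries the server markers"
    client_cns_unique ./pki && echo "client Common Names are unique"
fi
```

`verify_chain` takes the evaluation time as a parameter on purpose: calling it with the epoch of a date before the certificates were issued reproduces exactly what a router with an unsynchronised clock sees, and it fails although the files are correct.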

This post was last edited by tomleehk on 2013-6-21 22:43

Configure DD-WRT as OpenVPN server (e.g. the Hong Kong side as the OpenVPN server, where you can surf freely)

Tested with DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

link : dd-wrt  webpage -> Other downloads -> others -> eko -> V24_TNG -> svn_17084 -> dd-wrt.v24-17084_NEWD_openvpn_jffs_small.bin (17-May-2011)

1. IMPORTANT : Need to synchronize the DD-WRT router's clock by proper configuration at Setup > BasicSetup > Time Settings
2. GUI > Service > VPN
3. Enable OpenVPN Daemon >
   OpenVPN = "Enable" ; Startup Type = "Wan Up"
   Config via - GUI
   Server mode - Router(Tun) or Bridge (TAP) , I used Router(Tun)
   Network - 192.168.60.0
   Netmask - 255.255.255.0
   port    - 1194, or another port number that the authorities do not block
   Tunnel Protocol - TCP or UDP, I used TCP
   Encryption Cipher - Blowfish CBC
   Hash Algorithm - SHA1
   Advanced Options - Enable
   Use LZO Compression - Enable
   Redirect default Gateway - Enable
   Allow Client to Client - Enable
   Allow duplicate cn - Enable
   TLS Cipher - Disable
   Additional Config - push "dhcp-option DNS <Your DNS server IP>"
                       push "dhcp-option DNS 8.8.8.8"


   CA Cert = ca.crt
   Certificate Revoke List = blank
   Public Server Cert = server.crt
   Private Server Key = server.key
   DH PEM = dh1024.pem or dh2048.pem
  
4. GUI > Administration > Commands

   iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
   iptables -I INPUT -p udp --dport 1194 -j ACCEPT

   iptables -I FORWARD 1 --source 192.168.60.0/24 -j ACCEPT

   # These next two lines may or may not be necessary.
   # Thus, we include them so that this works for more people:
   iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
   iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

   >>Save Firewall

Attention: 1194 is the port number; it must match the OpenVPN server config


5. Reboot router and see status at Status > OpenVPN
   If the VPN server is up properly, the State at GUI > Status > OpenVPN will show the message "Server: CONNECTED:Local Address:Remote Address 192.168.60.1".


Remark :
1) If your server's IP from ISP is dynamic, you can use DDNS to resolve. See other articles for DDNS setup in DD-WRT.
2) dd-wrt.v24-18946_NEWD_openvpn__jffs_small.bin (07-Apr-2012) was tested and fails with OpenVPN. Even after a successful connection with the OpenVPN server, the client's requests could not be routed to the WAN/internet.
3) dd-wrt.v24-17990_NEWD_openvpn_jffs_small.bin (08-Dec-2011) was tested and fails with OpenVPN. Even after a successful connection with the OpenVPN server, the client's requests could not be routed to the WAN/internet.
4) Therefore, dd-wrt.v24-17084_NEWD_openvpn_jffs_small.bin (17-May-2011) is the most up-to-date firmware that I have tested to be fully working for OpenVPN and the general AP/router functions.
5) Remark 2), 3) and 4) were tested/verified again on 27-28/Nov 2012 on the same router.
6) If TLS authentication is to be implemented, populate the field "TLS Auth Key" with the content of ta.key (generated in the remark of step #1),
from "-----BEGIN OpenVPN Static key V1-----" to "-----END OpenVPN Static key V1-----" inclusive.


This post was last edited by tomleehk on 2014-5-22 16:52

Configure DD-WRT as OpenVPN client (e.g. the China-side router as the OpenVPN client, where you need to circumvent the firewall)

Successfully tested: DD-WRT OpenVPN client with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko connecting to a DD-WRT OpenVPN server with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

link : dd-wrt  webpage -> Other downloads -> others -> eko -> V24_TNG -> svn_17084 -> dd-wrt.v24-17084_NEWD_openvpn_jffs_small.bin (17-May-2011)

This is an OpenVPN site-to-site, router-to-router connection.

IMPORTANT :

- Need to synchronize the DD-WRT OpenVPN client router's clock to the same time zone as the OpenVPN server by proper configuration at Setup > BasicSetup > Time Settings

- Need to use different subnets for DD-WRT client router and DD-WRT server router
e.g. If DD-WRT server router uses 192.168.10.x,  then DD-WRT client router can use 192.168.20.x

1. Services > VPN
   Start OpenVPN Client - Enable
   Server IP/Name                         - <OpenVPN server URL name or IP address>
   Port                                   - OpenVPN connection port number, default 1194; must match the OpenVPN server config, or use another port number that the authorities do not block
   Tunnel Protocol                        - UDP or TCP, I used TCP, must match with OpenVPN server config
   Tunnel Device                          - TUN or TAP, I used TUN, must match with OpenVPN server config
   Encryption Cipher                      - Blowfish CBC, must match with OpenVPN server config
   Hash Algorithm                         - SHA1, must match with  OpenVPN server config
   nsCertType verification                - Checked, must match with  OpenVPN server config
   Advanced Options                       - Enable
   Use LZO Compression                    - Enable
   Enable NAT                             - Enable
   Local IP Address                       - Leave blank
   TUN MTU Setting                        - Leave blank
   MSS-Fix/Fragment across the tunnel     - Leave blank
   TLS Cipher                             - OFF
   TLS Auth Key                           - Leave blank
   CA Cert                                - ca.crt
   Public Client Cert                     - client1.crt
   Public Client Key                      - client1.key

If TLS authentication is implemented on the DD-WRT OpenVPN server, populate the field "TLS Auth Key" with the content of ta.key (generated in the remark of step #1),
from "-----BEGIN OpenVPN Static key V1-----" to "-----END OpenVPN Static key V1-----" inclusive.

2. Setup > Basic Setup
   Network Setup > Local DNS                                     8.8.8.8       <= Optional: use 8.8.8.8 in case the connected client cannot retrieve DNS properly; otherwise use the default value 0.0.0.0
   Network Address Server Setting (DHCP) > Use DNSMasq for DNS   uncheck box   <= Important, for proper DNS lookup

3. Make sure clock is properly synchronized
   either by proper configuration at Setup > BasicSetup > Time Settings
   or set the time manually at Administration > Commands
        date MMDDHHMMYYYY

4. Reboot DD-WRT OpenVPN client router and test
   - Make sure clock is properly synchronized
   - At Status > OpenVPN, it should show DD-WRT openVPN client router's connection virtual IP address, e.g. 192.168.60.2
   - Use a PC to connect to DD-WRT openVPN client router, the PC should be able to ping the DD-WRT OpenVPN server's virtual IP address, e.g. 192.168.60.1

After the DD-WRT OpenVPN client router (China side) has successfully connected to the DD-WRT OpenVPN server router (Hong Kong side), the traffic of any PC, Android or iPhone (China side) that afterwards connects to the DD-WRT OpenVPN client router (China side) via a LAN port or WiFi will be routed to the DD-WRT OpenVPN server router (Hong Kong side) as the gateway to access the internet. The PC, Android or iPhone (China side) does NOT need to install any software or do any special configuration. The DD-WRT OpenVPN client router (China side) handles the firewall-circumvention job for the PC, Android or iPhone (China side) connected to it.


This post was last edited by tomleehk on 2013-4-28 00:41

Configure the Windows OpenVPN client (e.g. a China-side PC as the OpenVPN client, where you need to circumvent the firewall)

Successfully tested: Windows OpenVPN client connecting to a DD-WRT OpenVPN server with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

IMPORTANT: Need to synchronize the Windows workstation's clock to the same time zone as the OpenVPN server

1) Edit  c:\program files\OpenVPN\config\client.ovpn

         remote <OpenVPN server IP> 1194  (or another port number that the authorities do not block; must match the OpenVPN server config)
         client
         dev tun0
         proto tcp-client                              
         resolv-retry infinite
         nobind
         persist-key
         persist-tun
         ca ca.crt
         cert client1.crt
         key client1.key
         ns-cert-type server
         comp-lzo

2) Copy ca.crt, client1.crt and client1.key to c:\program files\OpenVPN\config\

If TLS authentication is implemented on the DD-WRT OpenVPN server, copy the file ta.key (generated in the remark of step #1) to c:\program files\OpenVPN\config\ and

add the statement

tls-auth   ta.key   1

to the file c:\program files\OpenVPN\config\client.ovpn
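The server post, the DD-WRT client post and this Windows post all repeat that port, protocol, device, cipher, hash, LZO and TLS-auth "must match with OpenVPN server config"; a mismatch in any of them is the usual reason a tunnel comes up but passes no traffic, or never comes up at all. The script below is an added example, not from the thread: it reads an OpenVPN server config and a client .ovpn and reports every disagreement. The `server.conf` it constructs is this script's assumption of what DD-WRT writes from the GUI values in the server post (port 1194, TCP, TUN, Blowfish CBC, SHA1, LZO, TLS auth with key direction 0); `client.ovpn` is the client.ovpn from this post with the tls-auth line, and 203.0.113.10 is a documentation address standing in for the real server. The checker only tests that the two sides agree with each other; BF-CBC and ns-cert-type are settings of the OpenVPN 2.3 era this thread was written in, and OpenVPN 2.5 and later no longer accept BF-CBC without explicit opt-in and have replaced ns-cert-type with remote-cert-tls.

```shell
#!/bin/sh
# Added example, not from the thread: checks that a client .ovpn agrees with the
# OpenVPN server config on every setting the posts say "must match". The two
# sample files are constructed here (see write_samples); the server side is an
# assumption of what DD-WRT writes from the GUI values in the server post.
set -eu

# Field $3 (default: the 2nd) of the first line in file $1 whose first word is $2.
opt() { awk -v k="$2" -v n="${3:-2}" '$1 == k { print $n; exit }' "$1"; }
# True when file $1 contains a line whose first word is $2.
has() { awk -v k="$2" '$1 == k { f = 1 } END { exit f ? 0 : 1 }' "$1"; }
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Compare server config $1 with client config $2: print one line per mismatch
# and return 1 if there was any. Missing cipher/auth lines fall back to the
# OpenVPN 2.3 defaults (BF-CBC, SHA1) that the thread relies on.
check_match() {
    s=$1; c=$2; bad=0
    # Port: the server's "port" must equal the port on the client's "remote" line.
    sp=$(opt "$s" port); cp=$(opt "$c" remote 3)
    [ "${sp:-1194}" = "${cp:-1194}" ] ||
        { echo "port: server ${sp:-1194}, client ${cp:-1194}"; bad=1; }
    # Protocol: tcp-server pairs only with tcp-client (or tcp), udp with udp.
    sproto=$(lc "$(opt "$s" proto)"); cproto=$(lc "$(opt "$c" proto)")
    case "${sproto:-udp}/${cproto:-udp}" in
        tcp-server/tcp-client|tcp-server/tcp|udp/udp) ;;
        *) echo "proto: server ${sproto:-udp}, client ${cproto:-udp}"; bad=1 ;;
    esac
    # Device type: tun against tap; the unit number (tun0) is irrelevant.
    sdev=$(opt "$s" dev); cdev=$(opt "$c" dev)
    [ "${sdev%%[0-9]*}" = "${cdev%%[0-9]*}" ] ||
        { echo "dev: server $sdev, client $cdev"; bad=1; }
    # Data cipher and HMAC digest must be identical on both sides.
    for k in cipher auth; do
        case $k in cipher) d=bf-cbc ;; *) d=sha1 ;; esac
        sv=$(lc "$(opt "$s" "$k")"); cv=$(lc "$(opt "$c" "$k")")
        [ "${sv:-$d}" = "${cv:-$d}" ] ||
            { echo "$k: server ${sv:-$d}, client ${cv:-$d}"; bad=1; }
    done
    # comp-lzo on one side only breaks traffic over an otherwise connected tunnel.
    if has "$s" comp-lzo; then
        has "$c" comp-lzo || { echo "comp-lzo: server only"; bad=1; }
    elif has "$c" comp-lzo; then
        echo "comp-lzo: client only"; bad=1
    fi
    # tls-auth: both sides or neither, with opposite key directions (0 and 1).
    if has "$s" tls-auth; then
        if ! has "$c" tls-auth; then
            echo "tls-auth: server only"; bad=1
        elif [ "$(opt "$s" tls-auth 3)" = "$(opt "$c" tls-auth 3)" ]; then
            echo "tls-auth: same key direction on both sides"; bad=1
        fi
    elif has "$c" tls-auth; then
        echo "tls-auth: client only"; bad=1
    fi
    return $bad
}

# Constructed samples: server.conf as DD-WRT would write it from the GUI values
# in the server post (assumed), client.ovpn from the Windows post; 203.0.113.10
# is a documentation address standing in for the real server.
write_samples() {
    mkdir -p "$1"
    printf '%s\n' 'port 1194' 'proto tcp-server' 'dev tun0' 'cipher BF-CBC' \
        'auth SHA1' 'comp-lzo' 'tls-auth ta.key 0' > "$1/server.conf"
    printf '%s\n' 'remote 203.0.113.10 1194' 'client' 'dev tun0' \
        'proto tcp-client' 'resolv-retry infinite' 'nobind' 'persist-key' \
        'persist-tun' 'ca ca.crt' 'cert client1.crt' 'key client1.key' \
        'ns-cert-type server' 'comp-lzo' 'tls-auth ta.key 1' > "$1/client.ovpn"
}

# Stand-alone use: sh ovpncheck.sh run  -> writes ./samples and compares them.
if [ "${1:-}" = "run" ]; then
    write_samples ./samples
    check_match ./samples/server.conf ./samples/client.ovpn &&
        echo "client.ovpn matches server.conf"
fi
```

The same check applies to the DD-WRT client router post: its GUI fields map one-to-one onto the client-side options compared here, so a mismatch list from this script is the list of fields to correct on that page.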


This post was last edited by tomleehk on 2013-1-4 00:45

Configure the Android client (e.g. a China-side Android client where you need to circumvent the firewall)

Successfully tested with the OpenVPN client built into CM 7.2 connecting to a DD-WRT OpenVPN server with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

IMPORTANT : Need to synchronize the Android's clock to the same time zone of the OpenVPN server.

1) You have to merge the three files into a .p12 file for the certificate.
Use a terminal on Linux or a command window on Windows to merge these files. Just type "openssl pkcs12 -export -in client1.crt -inkey client1.key -certfile ca.crt -out client1.p12"

2) Copy the file client1.p12 to the SD card in your phone; put client1.p12 in the root folder.

3) Install the certificate on Android: Settings >> Location & security >> Install from SD card
Select client1.p12 and it will prompt for name (e.g. give it VPNDDWRT)

4) Set up your OpenVPN: Settings >> Wireless & networks >> VPN settings >> Add VPN >> Add OpenVPN VPN

5) VPN name: as you wish
Set VPN server : IP of your OpenVPN server, without port.
User authentication: No
Set CA certificate: your CA installed in step 3 (i.e. VPNDDWRT)
Set user certificate: your CA installed in step 3 (i.e. VPNDDWRT)
DNS search domains: For me, leave it blank. In some situations you can use 8.8.8.8, Google's free server.

Then tap "menu" and go to "Advanced".
Server port: this is the port you specified in your OpenVPN server; must match the server setup, or another port number that the authorities do not block
Protocol to use: tcp or udp, I used tcp, this is the protocol you set in your openvpn server, must match with server setup
Device to use: tun or tap, I used tun, must match with server setup
LZO compression: Yes, must match with server setup
Redirect gateway: Yes
Remote Sets Addresses: Yes
Cipher algorithm:default
Size of cipher key:default

If TLS authentication is implemented on the DD-WRT OpenVPN server, copy the file ta.key (generated in the remark of step #1) to the root directory of the SD card and do the corresponding configuration:
TLS-Auth: <- Check this box
TA key file location: /mnt/sdcard/ta.key
TLS-Auth key direction: 1 (Client default)


These past two days I've been looking into whether Android can connect to a Linksys RV042 VPN. According to Linksys, its VPN is based on OpenSSL VPN.

This tutorial seems quite useful, thanks


I got it working on OpenWrt; using it with Android.


Bro, you're amazing!
But I haven't flashed DD-WRT.... so this probably doesn't apply to me....


This post was last edited by cwchan3618 on 2012-4-2 12:01

On DD-WRT (build 18777), under Services -> VPN I only set dns1 = router private IP, server IP = router private IP, client IP = any IP outside the DHCP range, and configured chap-secrets; then on Android I went to Settings -> Wireless & networks -> VPN settings -> Basic VPN -> Add VPN -> Add "PPTP" VPN, configured it, and the Android phone connected. It connected without manually generating any cert, but it drops very quickly, which is probably the well-known Android problem and may not be unrelated to the cert. I'd like to ask the OP: did you look into generating certs because of the disconnections, or because your DD-WRT is too old to have the VPN settings in the GUI?

Windows 7 as a client also connects without needing to generate a certificate.


Bro.. when I run build-key it says "unable to write random state"; what does that mean?
