技术 ⏱ 5 min

树莓派折腾之:为树莓派安装VPN支持

#树莓派#raspberry#openvpn#vpn

文章更新

  1. 20160705-初次成文
  2. 20160712-继续完善,OPENVPN版本2.3.11
  3. 20160722-完善格式,修改了几个脚本

为什么会有这个文章

主要是因为之前在树莓派上安装了samba服务,但是外网服务访问,所以网上看到的解决办法是要给π安装一个vpn,先拨号进到VPN里,就可以正常访问了。虽然我还没有放弃继续尝试外网访问树莓派的samba服务,但是先学习下如何安装OPENVPN吧。

下载OpenVPN

推荐从OPENVPN的官方网站下载。

cd $HOME
wget http://build.openvpn.net/downloads/releases/latest/openvpn-latest-stable.tar.gz
gzip -dc openvpn-latest-stable.tar.gz | tar xvf -

这里,国内的小伙伴会遇到一个很恶心的问题,就是wget下载失败,多亏了功夫网呗。还好wget以及curl都可以使用代理。

curl -x http://127.0.0.1:1080 github.com
wget -e "http_proxy=127.0.0.1:1080" github.com

至于,如何让树莓派自己可以科学上网,大家可以看我的另外一篇文章,《搬瓦工自动配置shadowsocks翻墙》。

解压缩之后,可以看到OPENVPN解压缩到了openvpn-2.3.11目录,顺便也就知道了OP的版本号。

还有一些工作需要做,执行下列命令升级系统,添加必备组件,以便进行后面的OP编译和安装。

sudo apt-get update
sudo apt-get install --only-upgrade openssl -y
sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev chkconfig -y

编译和安装

sudo mkdir /etc/openvpn/
cd $HOME/openvpn-2.3.11/ #注意你的OPENVPN的版本号,这里会稍有不同
sudo ./configure --prefix=/usr
sudo make
sudo make install

加入自动启动,应该在 etc/init.d/ 下创建一个openvpn的服务脚本,我这里直接给出我写好的

sudo wget https://raw.githubusercontent.com/tinyvane/randomfiles/master/etcinitdopenvpn.sh -O /etc/init.d/openvpn
sudo chmod +x /etc/init.d/openvpn #加入可执行权限
sudo update-rc.d openvpn defaults #加入自动启动

通过下面的命令,检查是否设置都正确

chkconfig --list | grep openvpn

结果应该像下面这样

openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off

使用easyras3创建密钥和证书

mkdir $HOME/clientside
cd $HOME/clientside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki #生成了pki目录
./easyrsa gen-req client1 nopass #默认名字,回车即可,生成两个文件client1.req和client1.key

客户端的证书和密钥生成完毕,下面继续生成服务器端的

mkdir $HOME/serverside
cd $HOME/serverside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki #生成pki目录
./easyrsa build-ca #生成证书,这个必须输入一个密码,后面的选项回车即可,生成ca.crt证书文件
./easyrsa gen-req server nopass #生成私钥,server.req和server.key两个文件。
./easyrsa sign-req server server #输入密码,生成服务器证书文件server.crt
openssl dhparam -out dh2048.pem 2048 #时间特别长,可以喝杯咖啡等一会
openvpn --genkey --secret ta.key
./easyrsa import-req $HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client1.req client1
./easyrsa sign-req client client1

下面我写了两个bash脚本,用来合并上面的证书和密钥内容,这样

Copy certs and keys to correct directory,

Later we will merge them with the config file

cp $HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt $HOME/serverside/ cp $HOME/serverside/easy-rsa/easyrsa3/pki/issued/server.crt $HOME/serverside/ cp $HOME/serverside/easy-rsa/easyrsa3/dh2048.pem $HOME/serverside/ cp $HOME/serverside/easy-rsa/easyrsa3/pki/private/server.key $HOME/serverside/ cp $HOME/serverside/easy-rsa/easyrsa3/ta.key $HOME/serverside/ cp $HOME/serverside/easy-rsa/easyrsa3/pki/issued/client1.crt $HOME/clientside/ cp $HOME/serverside/easy-rsa/easyrsa3/ta.key $HOME/clientside/ cp $HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt $HOME/clientside/ cp $HOME/clientside/easy-rsa/easyrsa3/pki/private/client1.key $HOME/clientside/

Client Script

vim $HOME/clientside/raspberrypi.ovpn

client dev tun proto udp remote change_this_to_server_address 34557 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client1.crt key client1.key tls-auth ta.key 1 remote-cert-tls server cipher AES-256-CBC comp-lzo verb 3

Now merge certs and keys into client script, so we only have one file to handle

cd $HOME/clientside/ wget https://raw.githubusercontent.com/tinyvane/randomfiles/master/merge.sh -O merge.sh sudo chmod +x merge.sh sudo ./merge.sh sudo chown $USER $HOME/clientside/raspberrypi.ovpn

Now transfer client script raspberrypi.ovpn

in $HOME/clientside/ to your client PC

Due to permissions, I had to transfer it to C:\

Then in windows, copy the file

to C:\Program Files (x86)\OpenVPN\config

经过上面的处理,树莓派上的$HOME/clientside/目录下,会多了一个raspberrypi.ovpn文件,这个文件,要在之后,从树莓派上,复制到你本机电脑上OPENVPN的客户端下。

先不用着急,继续在树莓派上处理OPENVPN的服务器端脚本。

Server Script

vim $HOME/serverside/server.conf

port 34557 proto udp dev tun ca ca.crt cert server.crt key server.key tls-auth ta.key 0 dh dh2048.pem server 10.8.0.0 255.255.255.0 cipher AES-256-CBC comp-lzo persist-key persist-tun user nobody group nogroup status openvpn-status.log verb 3 push “redirect-gateway def1” push “dhcp-option DNS 202.106.46.151” push “dhcp-option DNS 202.106.195.68” keepalive 5 30

Now merge certs and keys into server script, so we only have one file to handle

cd $HOME/serverside/ wget https://raw.githubusercontent.com/tinyvane/randomfiles/master/merge_server.sh -O merge_server.sh sudo chmod +x merge_server.sh sudo ./merge_server.sh

经过上面的处理,在 下得到了一个新的文件 server.conf,将这个文件复制到 /etc/openvpn/

sudo cp $HOME/serverside/server.conf /etc/openvpn/

编辑文件 /etc/sysctl.conf

sudo vim /etc/sysctl.conf

找到下面这行,取消注释,允许数据转发。

net.ipv4.ip_forward=1

保存,退出。

让配置生效

sysctl -p

Make file for firewall setting

sudo vim /usr/local/bin/firewall.sh

添加下面内容

#!/bin/bash
iptables -t filter -F
iptables -t nat -F
iptables -A INPUT -p udp --dport 1194 -j ACCEPT #允许接收目的端口为1194的包;1194就是server.conf中配置的端口
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE

#源地址转换:将vpn子网的ip替换为pi的本地ip,这句话我没有加,也能成功,不过还在深入学习防火墙的作用。
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.111



# Make firewall script executable, run it and check

sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables --list

得到类似下面的结果:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.10.0/24      anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


# add new text line into file /etc/rc.local
# before ‘exit 0′ to ensure the firewall rules are run at reboot or power up.
sudo vim /etc/rc.local

/usr/local/bin/firewall.sh 

重启树莓派

sudo reboot

记得在服务器上把server.conf中的端口号加入UDP转发到树莓派上,否则也是无法顺利连接上去的。

# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP



## VPN 客户端 

MAC下我使用的是TUNNELVPN,把之前文章里讨论的 raspberrypi.ovpn 文件,在运行VPN客户端之后,拖拽到右上角的图标上,然后就配置好了,点连接即可。

## 参考文章

1. [树莓派搭建Openvpn](http://blog.csdn.net/wxlguitar/article/details/51175872)
2. [Install latest openvpn and easyrsa3](https://www.raspberrypi.org/forums/viewtopic.php?t=89216&p=626393)
3. [利用 Privoxy 让命令行下的 wgetcurl 等命令实现自动代理](https://fengqi.me/unix/328.html)