我在 OrangePi 上设置 VPN 时遇到问题(这是一台与 Raspberry Pi 相同的微型计算机)
我的项目是在他身上配置一个ipv6的VPN。所以,我在 github 上找到了一个项目,它建议自动创建这个:
在我的 OrangePi 上进行测试之前,我尝试在运行于 的 VM 上启动此脚本Ubuntu 16.04 LTS 64Bits,并且运行良好。但是,当我在 OrangePi 上运行时,它不起作用。
浏览显示的错误消息后(我猜与 iptables 防火墙未设置有关),我找不到阻止其真正工作的原因......
我还有很多东西要学,我已经阻止了几个小时了,我找不到为什么这不起作用..
我的 OrangePi 运行在Ubuntu 14.04.5 LTS(GNU/Linux 3.4.39 armv7l).
你能引导我走上正确的道路吗? :(
这是此脚本在我的 OrangePi 上的返回结果:
root@OrangePI:~/OpenVPN-easy-setup# bash openvpnsetup.sh
TUN/TAP is enabled
IPv4 forwarding is already enabled
NAME="Ubuntu"
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package netfilter-persistent
Firewall stopped and disabled on system startup
awk: line 0: regular expression compile failed (missing operand)
[ ]+|
Select server IP to listen on (only used for IPv4):
1) Internal IP - 192.168.1.11 25.33.106.84 2620:9b::1921:6a54 (in case you are behind NAT)
2) External IP - 90.51.33.97
2
Select server PORT to listen on:
1) tcp 443 (recommended)
2) udp 1194 (default)
3) Enter manually (proto (lowercase!) port)
2
Select server cipher:
1) AES-256-GCM (default for OpenVPN 2.4.x, not supported by Ubuntu Server 16.x)
2) AES-256-CBC
3) AES-128-CBC (default for OpenVPN 2.3.x)
4) BF-CBC (insecure)
2
Enable IPv6? (ensure that your machine have IPv6 support):
1) Yes
2) No
1
Check your selection
Server will listen on 90.51.33.97
Server will listen on udp 1194
Server will use AES-256-CBC cipher
IPv6 - 1 (1 is enabled, 0 is disabled)
Press enter to continue...
NAME="Ubuntu"
Using CA Common Name: Fort-Funston CA
Generating a 2048 bit RSA private key
....................................+++
...+++
writing new private key to 'ca.key'
-----
Generating a 2048 bit RSA private key
............+++
....+++
writing new private key to 'server-cert.key'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyVPN'
commonName :PRINTABLE:'server-cert'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Sep 21 10:09:07 2023 GMT (1825 days)
Write out database with 1 new entries
Data Base Updated
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........+..................................+................................................................................................+..........................................................................................................................................................................................................................................+.................................+....................................................................................................................................................+....+..................................................................................................................................................................................................+.................................................+.........................................+...........................................................................................................................................................................................................................................................................+.................................................................................................+................................................................................................+...........................................................................................................................................+....+....................................................................................+...........................................................................................................................................................................++*++*
Generating a 2048 bit RSA private key
...........+++
..+++
writing new private key to 'revoked.key'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyVPN'
commonName :PRINTABLE:'revoked'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Sep 21 10:17:42 2023 GMT (1825 days)
Write out database with 1 new entries
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Revoking Certificate 01.
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
revoked.crt: C = US, ST = CA, L = SanFrancisco, O = Fort-Funston, OU = MyVPN, CN = revoked, name = EasyRSA, emailAddress = [email protected]
error 23 at 0 depth lookup:certificate revoked
Error 23 indicates that revoke is successful
IPv6 forwarding is already enabled
OpenVPN 2.3.2 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
NAME="Ubuntu"
openvpnsetup.sh: line 360: systemctl: command not found
openvpnsetup.sh: line 360: systemctl: command not found
openvpnsetup.sh: line 361: systemctl: command not found
openvpnsetup.sh: line 361: systemctl: command not found
openvpnsetup.sh: line 362: systemctl: command not found
Setup is complete. Happy VPNing!
Use /etc/openvpn/newclient.sh to generate client config
所以:
root@OrangePI:~/OpenVPN-easy-setup# /etc/openvpn/newclient.sh try
Script to generate unified config for Windows App
sage: newclient.sh <common-name>
Generating a 2048 bit RSA private key
.......................................+++
...............................................................................................................................+++
writing new private key to 'try.key'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyVPN'
commonName :PRINTABLE:'try'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Sep 21 10:56:28 2023 GMT (1825 days)
Write out database with 1 new entries
Data Base Updated
OpenVPN 2.3.2 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
COMPLETE! Copy the new unified config from here: /etc/openvpn/bundles/try.ovpn
答案1
由于脚本找不到命令,您收到错误消息systemctl:
openvpnsetup.sh: line 360: systemctl: command not found
缺少的命令用于控制systemd尖端(有时是前沿)init子系统。
根据这个旧的 Ubuntu 维基页面,Ubuntu 中引入的最早可能版本systemd是 14.10 或更可能是 15.04。您正在运行 14.04.5,即较老的比其中任何一个。之前systemd,我认为Ubuntu曾经用作upstart它的init子系统。
从一种类型的子系统到另一种类型的转换init是一个相当大的变化:它会影响系统启动和关闭的执行方式以及系统服务的定义和控制方式。通过systemd,该systemctl命令是大多数服务管理任务的通用工具。
您现在应该阅读脚本中的第 #360、#361 和 #362 行openvpnsetup.sh,找出systemctl这些行上的命令试图执行的操作,并将它们替换为适用于 init 子系统的相应命令upstart。很可能您还必须查找放入 的任何文件/etc/systemd/system,并将它们替换为upstart-style 服务定义。
从你的 github 链接来看,这些行是:
systemctl enable netfilter-persistent & systemctl start netfilter-persistent
systemctl enable openvpn@server & systemctl start openvpn@server
systemctl restart netfilter-persistent
即启用netfilter-persistentopenVPN 服务器服务在启动时自动启动并立即启动它们,然后netfilter-persistent再次重新启动该服务,可能是为了确保 OpenVPN 启动时对防火墙规则所做的任何更改立即永久存储。