我有 OpenWRT 10.03 路由器上的 OpenVPN 分步指南：(wl500gpv2)

需要的包

opkg install openvpn_2.1.1-1_brcm-2.4.ipk kmod-tun_2.4.37.9-1_brcm-2.4.ipk libopenssl_0.9.8m-3_brcm-2.4.ipk liblzo_2.03-3_brcm-2.4.ipk openssl-util_0.9.8m-3_brcm-2.4.ipk ntpd_4.2.6-4_brcm-2.4.ipk

生成证书

# 0)
mkdir -p /etc/ssl/certs/demoCA/newcerts /etc/ssl/certs/demoCA/private /etc/ssl/private; touch /etc/ssl/certs/demoCA/index.txt; echo "01" >> /etc/ssl/certs/demoCA/serial; cd /etc/ssl/certs

# 1)
# cakey.pem: CA's private key - needed by key signing machine only, purpose: Root CA key, keep it in SECRET!!
# cacert.pem: CA's cert - needed by server + all clients, purpose: Root CA certificate, not secret
# common name: "vpnserver" - in every other case just hit enter
time openssl req -nodes -new -x509 -days 3650 -keyout /etc/ssl/certs/demoCA/private/cakey.pem -out demoCA/cacert.pem

# 2)
# server.key: needed by server only, purpose: Server Key, keep it in SECRET!!
# server.csr: [???]
# common name: "vpnserver" - in every other case just hit enter
time openssl req -nodes -new -keyout /etc/ssl/private/server.key -out server.csr # password not advised - only if you're paranoic..

# 3)
# server.crt: needed by server only, purpose: Server Certificate, not secret
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
time openssl ca -cert demoCA/cacert.pem -keyfile /etc/ssl/certs/demoCA/private/cakey.pem -out server.crt -in server.csr -days 3650

# 4)
# shared.key: [???]
time openvpn --genkey --secret shared.key

# 5)
# dh.pem: Diffie-Hellman file for secure SSL/TLS negotiation, identical on the server and all clients
time openssl dhparam -out dh.pem 1024

# 6)
# give a common name! it will be the user name
# client1.key: needed at client1 only, purpose: Client1 Key, keep it in SECRET!
# client1.csr: [???]
# client1.crt: needed at client1 only, purpose: Client1 Certificate, not secret
# Give the client's key file a password for better security.
time openssl req -nodes -new -keyout /etc/ssl/private/client1.key -out client1.csr
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
time openssl ca -out client1.crt -in client1.csr

复制证书

# on the router
mkdir -p /etc/ssl/certs/client1; cp demoCA/cacert.pem client1.crt /etc/ssl/private/client1.key shared.key dh.pem client1; tar -cvf /root/client1.tar client1; rm -fr /etc/ssl/certs/client1

# on the pc [with a normal user]
mkdir ~/.cert/; rm ~/.cert/*; cd ~/.cert/; scp [email protected]:/root/client1.tar ~/.cert/; tar -xvf ~/.cert/client1.tar; mv ~/.cert/client1/* .; rm -fr client1; chmod 600 ~/.cert/*

# if you're using e.g.: Fedora/SELinux, then
restorecon -Rv ~/.cert*

OpenVPN 服务器配置

mkdir /etc/openvpn; vim /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca /etc/ssl/certs/demoCA/cacert.pem
cert /etc/ssl/certs/server.crt
key /etc/ssl/private/server.key
dh /etc/ssl/certs/dh.pem
tls-auth /etc/ssl/certs/shared.key 0
server 192.168.80.0 255.255.255.0
push "redirect-gateway"
comp-lzo
keepalive 10 120
status /tmp/openvpn.status

OpenWrt 路由器上的防火墙

vim /etc/firewall.user

iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

重启

sync; sync; sync
reboot

启动并检查

openvpn --daemon --config /etc/openvpn/server.conf

root@OpenWrt:/etc/ssl/certs# ps aux | fgrep -i openvpn
941 root      2876 S    openvpn --daemon --config /etc/openvpn/server.conf 
root@OpenWrt:/etc/ssl/certs# netstat -tulpn | fgrep -i 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           941/openvpn
root@OpenWrt:/etc/ssl# 

客户端配置

yum install openvpn
vim /etc/openvpn/client.conf

client
dev tun
proto udp
remote 192.168.1.1 1194
nobind
ca /home/USERNAME/.cert/cacert.pem
cert /home/USERNAME/.cert/client1.crt
key /home/USERNAME/.cert/client1.key
dh /home/USERNAME/.cert/dh.pem
tls-auth /home/USERNAME/.cert/shared.key 1
comp-lzo

去！

openvpn /etc/openvpn/client.conf

---

但是在我尝试之后，客户端给出了一个错误：（当我使用VPN时，我无法从客户端ping google.com..只是路由器）

Sat Jul  9 13:14:19 2011 OpenVPN 2.1.1 i686-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan  5 2010
Sat Jul  9 13:14:19 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Jul  9 13:14:19 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Jul  9 13:14:19 2011 Control Channel Authentication: using '/home/USERNAME/.cert/shared.key' as a OpenVPN static key file
Sat Jul  9 13:14:19 2011 LZO compression initialized
Sat Jul  9 13:14:19 2011 UDPv4 link local: [undef]
Sat Jul  9 13:14:19 2011 UDPv4 link remote: 192.168.1.1:1194
Sat Jul  9 13:14:19 2011 [vpnserver] Peer Connection Initiated with 192.168.1.1:1194
Sat Jul  9 13:14:21 2011 TUN/TAP device tun0 opened
Sat Jul  9 13:14:21 2011 /sbin/ip link set dev tun0 up mtu 1500
Sat Jul  9 13:14:21 2011 /sbin/ip addr add dev tun0 local 192.168.80.6 peer 192.168.80.5
Sat Jul  9 13:14:21 2011 OpenVPN ROUTE: omitted no-op route: 192.168.1.1/255.255.255.255 -> 192.168.1.1

Sat Jul  9 13:14:21 2011 WARNING: potential route subnet conflict between local LAN [192.168.80.0/255.255.255.0] and remote VPN [192.168.80.1/255.255.255.255]

Sat Jul  9 13:14:21 2011 Initialization Sequence Completed
^CSat Jul  9 13:16:10 2011 event_wait : Interrupted system call (code=4)
RTNETLINK answers: No such process
Sat Jul  9 13:16:10 2011 ERROR: Linux route delete command failed: external program exited with error status: 2
Sat Jul  9 13:16:10 2011 /sbin/ip addr del dev tun0 local 192.168.80.6 peer 192.168.80.5
Sat Jul  9 13:16:10 2011 SIGINT[hard,] received, process exiting

问题是，我做错了什么？为什么不起作用？我是否给出了错误的子网？怎样才能给予好的人呢？ （例如：“openvpn 服务器配置”中的“服务器”行错误？）

---

拓扑：

ISP -> OPENWRT ROUTER（提供 192.168.1.0/24） -> MYPC（dhcp，不是静态 ip）

感谢您的帮助/尖端。我已经在谷歌上搜索了几个小时并询问了许多专家，但没有运气。我的目的是从我的 PC openvpn 到这个 openwrt 路由器，以获得一个安全的“通道”（来自网吧，或来自提到的拓扑等）。 “MYPC”正在运行 Fedora 14

更新问：
有人可以解释一下这些文件是什么吗？：

服务器.csr：[？？？]

共享密钥：[???]

client1.csr：[？？？]