Introduction

How to do the forwarding on a generic Linux box instead of using OpenVPN on OpenWrt.
eth0 is the WAN side and eth1 the LAN side.
The approach for running a DHCP server on eth1 is included as well.
Configuration

The installation image is debian-12.7.0-netinstall.iso; the approach and commands are as follows.

OpenVPN part
```sh
su -                      # become root (login shell) for the initial setup
apt install sudo
sudoedit /etc/sudoers     # give the regular user sudo rights
exit
```
```sh
sudo apt install openvpn openssh-server
ssh-keygen                # the original had "sshkey-gen", which is not a command
```
- /etc/systemd/system/openvpn-client.service:

```ini
[Unit]
Description=OpenVPN client service
After=network.target
# restart rate limit; the original placed it under [Service], where systemd still
# honours it for compatibility, but since systemd 230 it belongs in [Unit]
StartLimitBurst=3

[Service]
Type=simple
# router.ovpn holds the client config and key material; keep it root-only (see chmod/chown below)
ExecStart=/usr/sbin/openvpn --config /home/kt/router.ovpn
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target
```
- /etc/nftables.conf (path assumed: the file nftables.service loads on Debian; the page does not name it):

```
flush ruleset

# NAT: traffic leaving towards the LAN (eth1) is source-NATed to the router's
# address, so hosts on the VPN side reach LAN hosts as 172.27.60.1
table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oif "eth1" masquerade
    }
}

# Note: none of these chains declares a policy, so each defaults to accept.
# The rules only spell out the intended traffic; nothing else is blocked.
table inet filter {
    chain input {
        type filter hook input priority filter;
        iif "eth1" accept
    }

    chain forward {
        type filter hook forward priority filter;
        # 10.0.0.0/24 is presumably the network on the far side of the VPN (the page does not say)
        ip saddr 10.0.0.0/24 ip daddr 172.27.60.0/24 accept
        ip saddr 172.27.60.0/24 ip daddr 10.0.0.0/24 accept
    }

    chain output {
        type filter hook output priority filter;
        oif "eth1" accept
    }
}
```
- /etc/network/interfaces (path assumed: Debian's ifupdown config; the page does not name it):

```
allow-hotplug eth1
iface eth1 inet static
    address 172.27.60.1
    netmask 255.255.255.0
    # the original also had "gateway 172.27.60.1", which is this interface's own
    # address; the default route belongs to the WAN side (eth0), so it is left out here
    # gateway 172.27.60.1
    # only meaningful if a resolver runs on this box, and only applied when the
    # resolvconf package is installed
    dns-nameservers 127.0.0.1
```
```sh
# enable forwarding; assumes net.ipv4.ip_forward=1 was set in /etc/sysctl.conf
# (that edit is not shown on the page) - without it nothing is routed between eth1 and the tunnel
sudo sysctl -p

# the .ovpn carries the client key: root-only
sudo chmod 700 router.ovpn
sudo chown root:root router.ovpn

sudo systemctl enable --now ssh            # Debian's unit for openssh-server (the original had "opensshd", which does not exist)
sudo systemctl enable --now openvpn-client.service
sudo systemctl enable --now nftables       # loads /etc/nftables.conf at boot
sudo reboot

# after the reboot: confirm the ruleset is actually loaded
sudo nft list ruleset
```
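The ruleset above declares no chain policy, so everything it does not list is accepted anyway. As an added example that is not part of the original post, the following POSIX shell script writes a default-drop variant with the same NAT and LAN-to-VPN forwarding intent, and includes a check that can be run against any ruleset file (or saved `nft list ruleset` output) to confirm that the input and forward chains drop by default. It assumes the tunnel interface is called tun0 (OpenVPN's default for `dev tun`; the page never names it) and that the remote VPN network is 10.0.0.0/24 as in the page's rules.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: eth0 = WAN,
# eth1 = LAN (172.27.60.0/24), remote VPN network 10.0.0.0/24, and the
# OpenVPN tunnel interface is named tun0 (not stated on the page).

# Write a default-drop ruleset to the file named in $1 (e.g. /etc/nftables.conf).
# NAT and the LAN<->VPN forwarding are the same as on the page; everything
# else is now dropped instead of silently accepted.
write_hardened_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif "eth1" masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may talk to the router itself (SSH, DHCP, a local resolver)
        iif "eth1" accept
        # VPN peers may ping the router, nothing more
        iif "tun0" icmp type echo-request accept
        # WAN (eth0): no unsolicited inbound; the OpenVPN client connects
        # outbound, so its replies match the established,related rule above
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "eth1" oif "tun0" ip saddr 172.27.60.0/24 ip daddr 10.0.0.0/24 accept
        iif "tun0" oif "eth1" ip saddr 10.0.0.0/24 ip daddr 172.27.60.0/24 accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
EOF
}

# Return 0 only when both the input and forward base chains carry "policy drop"
# on their hook line (the layout used by nftables.conf and by "nft list ruleset").
ruleset_has_default_drop() {
    grep -Eq 'hook[[:space:]]+input[[:space:]]+priority[^;]*;[[:space:]]*policy[[:space:]]+drop' "$1" &&
    grep -Eq 'hook[[:space:]]+forward[[:space:]]+priority[^;]*;[[:space:]]*policy[[:space:]]+drop' "$1"
}

# Parse-only check with nft itself when it is installed; nothing is loaded.
ruleset_syntax_ok() {
    command -v nft >/dev/null 2>&1 || return 0
    nft -c -f "$1"
}

# Post-reboot state of the live router (informational; nft needs root).
router_status() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] \
        && echo "ip_forward: on" || echo "ip_forward: OFF (check /etc/sysctl.conf)"
    ip link show tun0 >/dev/null 2>&1 \
        && echo "tun0: up" || echo "tun0: missing (OpenVPN not connected)"
    live=$(mktemp)
    if nft list ruleset > "$live" 2>/dev/null; then
        ruleset_has_default_drop "$live" \
            && echo "ruleset: default drop" || echo "ruleset: permissive (no policy drop)"
    fi
    rm -f "$live"
}

# Usage: sh router-fw.sh write /etc/nftables.conf   |   sh router-fw.sh status
case "${1:-}" in
    write)  write_hardened_ruleset "$2" && ruleset_syntax_ok "$2" ;;
    status) router_status ;;
esac
```

Run `write` to a scratch path first and load it with `nft -f` only after the `-c` check passes; `status` after the reboot replaces eyeballing `nft list ruleset`, and the permissive ruleset from the page will be reported as such because its chains carry no `policy drop`.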
DHCP part
```sh
sudo apt install isc-dhcp-server
```
- /etc/dhcp/dhcpd.conf (path assumed: isc-dhcp-server's config on Debian; the page does not name it):

```
subnet 172.27.60.0 netmask 255.255.255.0 {
    range 172.27.60.2 172.27.60.254;
    option routers 172.27.60.1;
    option subnet-mask 255.255.255.0;
    # the original handed out 127.0.0.1, which makes every client query itself;
    # point clients at the router instead (assumes a resolver runs there, which
    # this page does not set up) or at an upstream resolver
    option domain-name-servers 172.27.60.1;
}
```
- /etc/default/isc-dhcp-server (this is where the interface dhcpd serves, eth1 here, is selected; the page shows no contents for it)

```sh
sudo systemctl enable --now isc-dhcp-server
```
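A router address inside the pool, a router outside the subnet, or a loopback DNS server (as in the page's original `option domain-name-servers 127.0.0.1`) are mistakes that dhcpd's own syntax check (`dhcpd -t -cf /etc/dhcp/dhcpd.conf`) does not catch. The following POSIX shell script, an added example and not part of the original post, pulls the subnet, range, routers and DNS values out of a dhcpd.conf subnet block and checks them for consistency before the server is restarted. It assumes one subnet block per file and looks only at the first DNS server listed.

```shell
#!/bin/sh
# Added example, not from the original post: consistency check for a dhcpd.conf
# subnet block. Assumes one subnet block per file and checks the first DNS
# server listed. Pure sh + awk, so it runs where dhcpd is not installed.

# Dotted quad -> integer (empty or malformed input yields 0, which fails the checks).
ip2int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# Is address $1 inside network $2 with netmask $3 ?
in_subnet() {
    ip_i=$(ip2int "$1"); net_i=$(ip2int "$2"); mask_i=$(ip2int "$3")
    block=$((4294967296 - mask_i))          # addresses per network block
    [ $((ip_i / block)) -eq $((net_i / block)) ]
}

# Check file $1; prints each problem found and returns non-zero if there was any.
dhcp_subnet_check() {
    f=$1; rc=0
    net=$(awk  '$1=="subnet" { print $2; exit }' "$f")
    mask=$(awk '$1=="subnet" { print $4; exit }' "$f")
    lo=$(awk   '$1=="range"  { print $2; exit }' "$f")
    hi=$(awk   '$1=="range"  { sub(/;$/, "", $3); print $3; exit }' "$f")
    gw=$(awk   '$1=="option" && $2=="routers"             { sub(/[;,]$/, "", $3); print $3; exit }' "$f")
    dns=$(awk  '$1=="option" && $2=="domain-name-servers" { sub(/[;,]$/, "", $3); print $3; exit }' "$f")

    # pool boundaries and the router must all lie inside the declared subnet
    for a in "$lo" "$hi" "$gw"; do
        in_subnet "$a" "$net" "$mask" || { echo "not inside $net/$mask: '$a'"; rc=1; }
    done
    [ "$(ip2int "$lo")" -le "$(ip2int "$hi")" ] || { echo "range is reversed: $lo $hi"; rc=1; }
    # a router address inside the pool can be leased to a client and collide
    if [ "$(ip2int "$gw")" -ge "$(ip2int "$lo")" ] && [ "$(ip2int "$gw")" -le "$(ip2int "$hi")" ]; then
        echo "routers $gw lies inside the pool $lo-$hi"; rc=1
    fi
    # loopback is only valid from the server's own point of view, never for clients
    case "$dns" in
        127.*|"") echo "domain-name-servers '$dns': clients would query loopback or nothing"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh dhcp-check.sh /etc/dhcp/dhcpd.conf && sudo systemctl restart isc-dhcp-server
if [ $# -gt 0 ]; then
    dhcp_subnet_check "$1"
fi
```

On Debian the server also needs the interface it should serve listed in /etc/default/isc-dhcp-server as `INTERFACESv4="eth1"`; the page names that file but shows no contents for it, and dhcpd refuses to start when no interface is configured there.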