How do I deploy an OpenVPN server on OpenWRT?

How do I deploy an OpenVPN server on the router at company headquarters so that the regional branch offices can connect to the company over VPN? The router runs OpenWRT.
I happened to try OpenVPN on OpenWRT a while ago, so I'll go over it briefly here. OpenWRT ships two OpenVPN server packages, openvpn-openssl and openvpn-polarssl; the configuration is the same for both.


1.1. OpenVPN - Polarssl
opkg update
opkg install openvpn-polarssl

1.1.1. Config CA files
1) On the OpenVPN Server, install the Easy-RSA package:
opkg update; opkg install openvpn-easy-rsa
2) If running Attitude Adjustment (specifically, version 2.2.2-2 of the Easy-RSA package), then you must 'tweak' the PKI configuration to prevent problems later on (this step 'comments-out' the relevant code):
## do not set the KEY_CN environment variable
sed -i '/KEY_CN/ s:^export:# &:' /etc/easy-rsa/vars
3) Establish the shell variables, and start with a clean slate (you may get warnings about ./clean-all, which you can ignore):
source /etc/easy-rsa/vars
## override the key size and certificate subject defaults set by vars
export KEY_SIZE=2048
export KEY_PROVINCE=Canton
export KEY_CITY=city_name
export KEY_ORG=org_name
export KEY_EMAIL=email_address
4) Create the Certification Authority, Server, and Client certificates:
pkitool --initca ## equivalent to the 'build-ca' script
pkitool --server my-server ## equivalent to the 'build-key-server' script
pkitool my-client ## equivalent to the 'build-key' script
pkitool my-client-1
pkitool my-client-2
5) Finally, create the Diffie-Hellman parameters (left until last because it can take a long time):
build-dh ## this script will 'take a long time'; writes keys/dh2048.pem for KEY_SIZE=2048
6) Create the OpenVPN static key for tls-auth (an HMAC key that lets the server drop control-channel packets from anyone who does not hold it, before the TLS handshake even starts):
openvpn --genkey --secret "$KEY_DIR/ta.key" ## KEY_DIR comes from vars (/etc/easy-rsa/keys)
1.1.2. Config OpenVPN Server
# /etc/config/network: append tun0 to the LAN interface so VPN clients land in the
# lan firewall zone. A tun device cannot be a bridge port, so this only works when
# 'lan' is not of type 'bridge'; otherwise give tun0 its own interface and add that
# interface to the lan zone instead.
config interface 'lan'
	option ifname 'wlan0 tun0'    # changed: tun0 added to the existing ifname

# /etc/config/openvpn
# The files below must first be copied from /etc/easy-rsa/keys/: ca.crt,
# my-server.crt -> server.crt, my-server.key -> server.key (mode 600), dh2048.pem, ta.key.
config openvpn servername
	option enabled 1
	option port 1194
	option proto tcp
	option dev tun
	option ca /etc/openvpn/ca.crt
	option cert /etc/openvpn/server.crt
	option key /etc/openvpn/server.key
	option dh /etc/openvpn/dh2048.pem
	# VPN address pool as "network netmask"; fill in your own subnet
	option server ""
	# send all client traffic through the tunnel
	list push "redirect-gateway def1"
	# append the DNS server address the clients should use
	list push "dhcp-option DNS"
	# direction 0 on the server means every client must use key-direction 1
	option tls_auth "/etc/openvpn/ta.key 0"
	option tls_server 1
	# compression is deprecated in OpenVPN (VORACLE-style attacks); drop it unless required
	option comp_lzo yes
	option max_clients 10
	option persist_key 1
	option persist_tun 1
	option status /tmp/openvpn-status.log
	option log /tmp/openvpn.log
	option verb 4
	option mute 20

# Custom iptables rules (put them in /etc/firewall.user so they survive a firewall restart).
# The argument to -s is the VPN subnet, the same network given to "option server" above.
iptables -t nat -A POSTROUTING -s -j MASQUERADE
# added: let traffic from the VPN subnet be forwarded
iptables -A forwarding_rule -s -j ACCEPT

# /etc/config/firewall: accept incoming OpenVPN connections from the WAN side
# (proto and dest_port must match the openvpn section: tcp, 1194)
config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'wan'
	option name 'Allow-WAN-OpenVPN-Input'
	option family 'ipv4'
	option proto 'tcp'
	option dest_port '1194'

/etc/init.d/openvpn enable
reboot
# or, without rebooting:
# /etc/init.d/network restart; /etc/init.d/firewall restart; /etc/init.d/openvpn start

The endpoints in each region then just install the OpenVPN client and dial in.
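The answer stops at "install the client and dial in", and it also never shows how the Easy-RSA output gets into /etc/openvpn under the names the UCI section uses. The POSIX sh helpers below are an added example, not code from the original answer or from OpenWRT: install_server_pki copies and renames the server files, and gen_client_ovpn builds a single-file client profile for a branch office with the CA, client certificate, client key and ta.key inlined, matching the server settings above (tcp/1194, tls_auth direction 0, comp_lzo). They assume the Easy-RSA 2 layout used above (keys in /etc/easy-rsa/keys, server built as my-server, clients as my-client-N); vpn.example.com is a hypothetical hostname, and the demo at the bottom runs on constructed placeholder PEM files, not real keys.

```shell
#!/bin/sh
# Added helper script (not from the original answer). Assumes the Easy-RSA 2
# layout the answer uses: keys in /etc/easy-rsa/keys, server built as
# "my-server", clients as "my-client-N". The demo uses constructed PEM stubs.
set -eu

# Print only the PEM block of a file: Easy-RSA .crt files start with a text
# dump of the certificate, which is noise inside an inline <cert> block.
pem_block() {
    sed -n '/-----BEGIN/,/-----END/p' "$1"
}

# install_server_pki SRC_DIR DST_DIR SERVER_NAME
# Copies the files the UCI openvpn section references, renaming
# my-server.crt/.key to server.crt/.key, and locks down the secrets.
install_server_pki() {
    src=$1; dst=$2; srv=$3
    mkdir -p "$dst"
    cp "$src/ca.crt" "$dst/ca.crt"
    cp "$src/$srv.crt" "$dst/server.crt"
    cp "$src/$srv.key" "$dst/server.key"
    cp "$src/dh2048.pem" "$dst/dh2048.pem"
    cp "$src/ta.key" "$dst/ta.key"
    chmod 600 "$dst/server.key" "$dst/ta.key"
}

# gen_client_ovpn CLIENT_NAME SERVER_HOST PORT PROTO KEY_DIR  > client.ovpn
# Fails (exit 1) if any of the four files it needs is missing.
gen_client_ovpn() {
    name=$1; host=$2; port=$3; proto=$4; dir=$5
    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key" "$dir/ta.key"; do
        [ -r "$f" ] || { echo "gen_client_ovpn: missing $f" >&2; return 1; }
    done
    # The server section says "proto tcp"; say tcp-client explicitly here.
    case "$proto" in
        tcp) cproto=tcp-client ;;
        *)   cproto=$proto ;;
    esac
    cat <<EOF
client
dev tun
proto $cproto
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a peer whose certificate carries the serverAuth EKU that
# "pkitool --server" sets, so a stolen client cert cannot pose as the server
remote-cert-tls server
# server uses tls_auth direction 0, so the client must use direction 1
key-direction 1
# must match "option comp_lzo yes" on the server
comp-lzo
verb 3
<ca>
$(pem_block "$dir/ca.crt")
</ca>
<cert>
$(pem_block "$dir/$name.crt")
</cert>
<key>
$(pem_block "$dir/$name.key")
</key>
<tls-auth>
$(pem_block "$dir/ta.key")
</tls-auth>
EOF
}

# make_sample_pki DIR SERVER_NAME CLIENT_NAME: constructed stand-in for
# /etc/easy-rsa/keys (placeholder PEM bodies, not real keys) so the demo runs offline.
make_sample_pki() {
    dir=$1; srv=$2; cli=$3
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SAMPLE-CA' '-----END CERTIFICATE-----' > "$dir/ca.crt"
    for n in "$srv" "$cli"; do
        printf '%s\n' 'Certificate:' '    Data: (text dump as Easy-RSA writes it)' \
            '-----BEGIN CERTIFICATE-----' "SAMPLE-$n-CERT" '-----END CERTIFICATE-----' > "$dir/$n.crt"
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' "SAMPLE-$n-KEY" '-----END PRIVATE KEY-----' > "$dir/$n.key"
    done
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'SAMPLE-DH' '-----END DH PARAMETERS-----' > "$dir/dh2048.pem"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' 'SAMPLE-TA' '-----END OpenVPN Static key V1-----' > "$dir/ta.key"
}

# Demo on the constructed PKI. On the router the calls would be
#   install_server_pki /etc/easy-rsa/keys /etc/openvpn my-server
#   gen_client_ovpn my-client-1 <HQ public address> 1194 tcp /etc/easy-rsa/keys > my-client-1.ovpn
demo=$(mktemp -d)
make_sample_pki "$demo/keys" my-server my-client-1
install_server_pki "$demo/keys" "$demo/openvpn" my-server
gen_client_ovpn my-client-1 vpn.example.com 1194 tcp "$demo/keys" > "$demo/my-client-1.ovpn"
cat "$demo/my-client-1.ovpn"
```

Two lines in the generated profile matter for security rather than connectivity. Every branch holds a certificate signed by the same CA, so without remote-cert-tls server any client could run a rogue "headquarters" and the others would connect to it; the check only passes for the certificate built with pkitool --server. key-direction 1 is dictated by the 0 in the server's tls_auth option: with mismatched directions the HMAC never verifies, the handshake never completes, and the server log fills with packet HMAC authentication failures. Copy each my-client-N.ovpn to its branch out of band; it contains that client's private key.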