2014-11-18

Raspberry Pi as OpenVPN server

Please read the newer version of this article (new version):
http://jokercatz.blogspot.tw/2016/08/raspberry-pi-as-openvpn.html



First, remove X Window (everything below needs root: either prefix the commands with sudo as shown or run them in a root shell). Source: http://raspberrypi.stackexchange.com/questions/4745/how-to-uninstall-x-server-and-desktop-manager-when-running-as-headless-server
sudo apt-get remove --auto-remove --purge libx11-.*
sudo apt-get install deborphan
sudo deborphan -sz
sudo apt-get remove --purge $(deborphan)
sudo apt-get autoremove
Then install NTP:
sudo apt-get install ntp
sudo vim /etc/ntp.conf
# replace the default server lines with:
server tick.stdtime.gov.tw prefer
server tock.stdtime.gov.tw prefer
server time.stdtime.gov.tw prefer
server clock.stdtime.gov.tw prefer
server watch.stdtime.gov.tw prefer
Then install OpenVPN. Sources: https://wiki.debian.org/openvpn%20for%20server%20and%20client and http://www.raspberrypi.org/forums/viewtopic.php?t=81657
sudo apt-get install openvpn
mkdir /etc/openvpn/easy-rsa
cp -ai /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/2.0
vim vars
# fill in the KEY_* variables (country, province, city, org, email) as defaults so you are not prompted for them every time
# change export KEY_SIZE=1024 to export KEY_SIZE=2048
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-key JokerCatz #create the client (user) you need here; come back here later to add more
./build-dh #takes a long time on a Pi... ZZZzzz
cd /etc/openvpn
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt .
cp /etc/openvpn/easy-rsa/2.0/keys/server.key .
cp /etc/openvpn/easy-rsa/2.0/keys/server.crt .
cp /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem .
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
gzip -d server.conf.gz
vim server.conf
################### edit it to look like this (start) ###################
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
################### edit it to look like this (end) ###################
Then remember to enable IPv4 forwarding:
vim /etc/sysctl.conf
net.ipv4.ip_forward=1   #uncomment this line
Then apply it:
sysctl -p
Then set up the iptables NAT rule:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Once the rule works, save it; otherwise it is gone after a reboot:

sudo iptables-save > /etc/firewall.conf
Saving alone does not reload it at boot, though: something still has to run "iptables-restore < /etc/firewall.conf" on startup, for example a script in /etc/network/if-pre-up.d/ or the iptables-persistent package.
Finally, start the service...
/etc/init.d/openvpn start
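Before opening UDP 1194 to the world, a quick audit of the finished server.conf is worth the minute. The script below is an added example (not from the original post): it checks for the things a practitioner usually wants in exactly this config, namely the privilege drop, crl-verify (without it the revocation step further down has no effect on live clients), tls-auth or tls-crypt on the control channel, a dh file matching KEY_SIZE, and the forwarding sysctl. It reads only the files you pass it; the file name audit.sh in the usage line is an assumption.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check the finished
# server.conf (and optionally sysctl.conf) before exposing UDP 1194.
# Assumes the one-directive-per-line layout used above; nothing is assumed
# about the host, every path is taken from the files being checked.

# active_directive FILE NAME: true if NAME is present and not commented out
# (OpenVPN treats a leading ';' or '#' as a comment).
active_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

warnings=0
warn() {
    echo "WARN: $1"
    warnings=$((warnings + 1))
}

# audit_server_conf SERVER_CONF [SYSCTL_CONF]
# Prints one WARN line per finding; the return value is the number of findings.
audit_server_conf() {
    conf=$1
    warnings=0

    # Privileges must be dropped once the socket and tun device are open.
    active_directive "$conf" user  || warn "no 'user' directive: openvpn keeps running as root"
    active_directive "$conf" group || warn "no 'group' directive"

    # Without crl-verify, ./revoke-full changes nothing for connecting clients.
    active_directive "$conf" crl-verify ||
        warn "no 'crl-verify': revoked client certificates are still accepted"

    # An HMAC on the control channel drops unauthenticated packets before TLS.
    if ! active_directive "$conf" tls-auth && ! active_directive "$conf" tls-crypt; then
        warn "no 'tls-auth' (or 'tls-crypt'): TLS handshakes are accepted from anyone"
    fi

    # The dh file should match KEY_SIZE=2048 chosen in vars.
    if active_directive "$conf" dh; then
        dh_file=$(awk '$1 == "dh" { print $2; exit }' "$conf")
        case $dh_file in
            *1024*) warn "dh file '$dh_file' looks like 1024-bit parameters" ;;
        esac
    else
        warn "no 'dh' directive"
    fi

    # Routing clients to the internet needs forwarding to survive a reboot.
    if [ -n "$2" ] &&
       ! grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$2"; then
        warn "net.ipv4.ip_forward=1 is not set in $2"
    fi

    return $warnings
}

# Usage on the Pi:  sh audit.sh /etc/openvpn/server.conf /etc/sysctl.conf
[ $# -eq 0 ] || audit_server_conf "$@"
```

Run against the server.conf shown above it reports two findings (no crl-verify, no tls-auth); the sample config that server.conf.gz was copied from already carries a commented ";tls-auth ta.key 0" line you can enable after generating ta.key with "openvpn --genkey --secret".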
That's enough for everyday use. If you want to add a user:
cd /etc/openvpn/easy-rsa/2.0
. ./vars
./build-key JokerCatz
To remove (revoke) one:
cd /etc/openvpn/easy-rsa/2.0
. ./vars
./revoke-full JokerCatz   #takes the name (keys/NAME.crt), not a path; regenerates keys/crl.pem
Revocation only takes effect if server.conf also has "crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem" (the file must be readable by the nobody user openvpn drops to); without that line a revoked certificate still connects.
Then to see the list of keys:
ls /etc/openvpn/easy-rsa/2.0/keys/*.crt
# something like JokerCatz.crt = one account
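ls *.crt does not tell you whether a certificate is still valid. The script below is an added example, not the author's: it lists the clients from easy-rsa's own database (keys/index.txt, maintained by openssl ca) with their V/R/E status, and runs the same ca.crt + crl.pem verification that revoke-full finishes with, so you can confirm a revoked client really would be rejected by a server configured with crl-verify. The keys directory layout is the one used above; the script name clients.sh is an assumption.

```sh
#!/bin/sh
# Added example, not part of the original post: inventory the client
# certificates from easy-rsa's database and test whether a given certificate
# would still pass the check that crl-verify makes the server run on every
# connect. Assumed layout: the page's /etc/openvpn/easy-rsa/2.0/keys
# directory holding ca.crt, crl.pem and index.txt.

# list_clients KEYS_DIR
# One line per issued certificate: STATUS SERIAL CN, where STATUS is
# V (valid), R (revoked) or E (expired). OpenSSL's index.txt is tab
# separated: status, expiry, revocation date, serial, file name, subject.
list_clients() {
    awk -F '\t' '{
        cn = $6
        sub(/.*\/CN=/, "", cn)   # drop everything up to CN=
        sub(/\/.*/, "", cn)      # drop the /name=... fields that follow
        print $1, $4, cn
    }' "$1/index.txt"
}

# client_still_accepted KEYS_DIR CERT
# Returns 0 if CERT chains to ca.crt and is absent from crl.pem, i.e. the
# server would accept it; non-zero if it is revoked, expired or not ours.
# Same test revoke-full runs at the end: ca.crt and crl.pem concatenated
# into one CAfile, then verify with -crl_check.
client_still_accepted() {
    bundle=$(mktemp) || return 1
    cat "$1/ca.crt" "$1/crl.pem" > "$bundle"
    openssl verify -crl_check -CAfile "$bundle" "$2" > /dev/null 2>&1
    rc=$?
    rm -f "$bundle"
    return $rc
}

# Usage on the Pi (from /etc/openvpn/easy-rsa/2.0):
#   sh clients.sh keys                    -> inventory
#   sh clients.sh keys keys/JokerCatz.crt -> "accepted" or "rejected"
if [ $# -eq 1 ]; then
    list_clients "$1"
elif [ $# -eq 2 ]; then
    if client_still_accepted "$1" "$2"; then echo accepted; else echo rejected; fi
fi
```

If a certificate you just revoked still prints "accepted", crl.pem was not regenerated; if it prints "rejected" but the client can still connect, server.conf is missing crl-verify.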
Then use a client such as Tunnelblick to add a config file; in it, change lines like:
remote 192.168.1.111 1194 # server IP (or hostname) & port
ca ca.crt
cert JokerCatz.crt
key JokerCatz.key
So you have to download these three files from /etc/openvpn/easy-rsa/2.0/keys/ on the server and hand them to the user together with the config file. Only the user's own .crt and .key plus ca.crt leave the server; ca.key never does, and the .key is a private key, so move it over scp or similar, not by e-mail.
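Instead of handing over four separate files, the three certificates and the config can be packed into one .ovpn with inline blocks, which OpenVPN 2.1+ and Tunnelblick accept. The script below is an added example (not from the original post) that does this and first checks that the private key really belongs to the certificate, which catches the classic mistake of sending someone the wrong .key. It assumes the keys directory used above; the host vpn.example.com, the output file and the script name bundle.sh are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original post: bundle a client's ca.crt,
# NAME.crt and NAME.key into one NAME.ovpn with inline <ca>/<cert>/<key>
# blocks, after checking that the key belongs to the certificate.
# Assumed: the page's keys directory; host, port and output file are the
# caller's choice (vpn.example.com below is a placeholder).

# pem_block FILE: print only the -----BEGIN/END----- section of FILE.
# easy-rsa 2.0 prepends a text dump to every .crt; it must not go inline.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# key_matches_cert CERT KEY: true if both carry the same public key.
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1") || return 1
    k=$(openssl pkey -pubout -in "$2") || return 1
    [ "$c" = "$k" ]
}

# make_inline_ovpn KEYS_DIR NAME HOST PORT  (writes the .ovpn to stdout)
# Client options mirror the page's server.conf (udp, tun, comp-lzo).
# remote-cert-tls server makes the client reject a peer that presents a
# client certificate; build-key-server's nsCertType/extendedKeyUsage
# extensions are what let it tell the two apart.
make_inline_ovpn() {
    keys=$1; name=$2; host=$3; port=$4
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_block "$keys/ca.crt")
</ca>
<cert>
$(pem_block "$keys/$name.crt")
</cert>
<key>
$(pem_block "$keys/$name.key")
</key>
EOF
}

# Usage on the Pi:  sh bundle.sh JokerCatz vpn.example.com 1194 > JokerCatz.ovpn
# The .ovpn contains the private key: copy it with scp, never mail it.
if [ $# -eq 3 ]; then
    keys=/etc/openvpn/easy-rsa/2.0/keys
    key_matches_cert "$keys/$1.crt" "$keys/$1.key" ||
        { echo "key/cert mismatch for $1" >&2; exit 1; }
    make_inline_ovpn "$keys" "$1" "$2" "$3"
fi
```

The file can be imported into Tunnelblick directly; the remote line is the only thing the user may need to adjust if the server sits behind a NAT and is reached by a public address.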
.......anyway, done ... Orz
Addendum 2015-02-25: log tweak, just the commands
  $ sudo vim /etc/openvpn/server.conf
# change
  ;log       openvpn.log
# to
  log        /var/log/openvpn/openvpn.log

  $ sudo vim /etc/logrotate.d/openvpn
# edit it like this; keeps one year of monthly logs
  /var/log/openvpn/openvpn.log {
    rotate 12
    monthly
    compress
    missingok
    notifempty
    copytruncate
  }
# copytruncate matters: openvpn keeps its log file open, so without it the
# daemon keeps writing into the renamed openvpn.log.1 until its next restart

  $ sudo mkdir /var/log/openvpn
  $ sudo /etc/init.d/openvpn restart
  #logrotate runs from cron.daily; no restart needed after editing its config
Addendum 2015-03-17: ulimit fix (open files bound the number of connections)
  $ ulimit -a #check the current values
  $ sudo vim /etc/security/limits.conf
  root hard nofile 65535
  root soft nofile 65535
  root hard nproc 65535
  root soft nproc 65535
  vpn_usr hard nofile 65535
  vpn_usr soft nofile 65535
  vpn_usr hard nproc 65535
  vpn_usr soft nproc 65535
  # the item is spelled nproc, not noproc; pam_limits ignores unknown items. vpn_usr stands for
  # whatever user openvpn drops to (nobody in the server.conf above).
  # limits.conf is applied by pam_limits to login sessions only, so a daemon started from
  # /etc/init.d does not pick it up; for that put "ulimit -n 65535" in /etc/default/openvpn,
  # which the init script sources before starting openvpn.
Addendum 2015-07-21: Pi fixes
  ##stop using DHCP: the static config below is what actually disables it, this only clears stale leases
  sudo rm -f /var/lib/dhcp/*.leases
  

  ##set a static address
  sudo vim /etc/network/interfaces
  
  #edit it like this
auto lo
iface lo inet loopback

# auto eth0 brings the interface up at boot even when ifplugd is not running
auto eth0
iface eth0 inet static
address 192.168.1.23
netmask 255.255.255.0
gateway 192.168.1.1
  #/edit it like this


  ##fix cgroup warning
  sudo vim /boot/cmdline.txt
  #add "cgroup_enable=memory 3" before "elevator=deadline" (cmdline.txt must stay a single line)

  #add the TRIM mount option for the SSD
  sudo vim /etc/fstab
  #change the root entry's options to: "ext4    defaults,discard,nodiratime,noatime"
  #and add
tmpfs   /tmp       tmpfs   defaults,noatime,mode=1777   0  0
tmpfs   /var/spool tmpfs   defaults,noatime,mode=1777   0  0
tmpfs   /var/tmp   tmpfs   defaults,noatime,mode=1777   0  0
  #/and add
  #note: with /var/spool on tmpfs, user crontabs (/var/spool/cron/crontabs) and the mail queue vanish at every reboot;
  #the jobs below live in /etc/crontab and /etc/cron.daily, which are unaffected


  ##change user name and password


  ##auto update
  sudo vim /etc/cron.daily/upgrade
  #add this (run-parts only runs files whose names contain no dots, so "upgrade" is fine)

#!/bin/sh
# unattended daily upgrade; -y and the noninteractive frontend keep apt from
# stopping at a prompt that nobody is there to answer
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get -y dist-upgrade
apt-get -y autoremove
apt-get clean

  #/add this
  sudo chmod 755 /etc/cron.daily/upgrade

  ##auto restart openvpn (every 6 hours here; note that a restart drops every connected client)
  sudo vim /etc/crontab
  #add this
30 */6  * * *   root    /etc/init.d/openvpn restart
  #/add this


  ##remove extra ttys
  sudo vim /etc/inittab
  #comment out the getty lines so they read like "#3:23:respawn:/sbin/getty 38400 tty3" ...

  

1 comment:

  1. Adding on:
    At the cp easy-rsa step the files may not be found, depending on the Raspberry Pi version.
    You can use this instead:
    http://raspberrypi.stackexchange.com/questions/37372/error-installing-openvpn-files-missing
