

[WeVO 11AC NAS] OpenWRT에서 OpenVPN 셋팅

관리자 2019.11.06 15:27 조회 수 : 25

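#!/bin/sh
######################################################################
#
# OpenWRT OpenVPN certificate generation script
#
# Runs on the OpenWRT device itself: adjusts /etc/easy-rsa/vars, then
# builds a fresh PKI (CA, one server keypair, one client keypair, DH
# parameters) and a tls-crypt key under /etc/easy-rsa/pki.
#
# Requires: openvpn, openvpn-easy-rsa, openvpn-openssl (see below).
#
######################################################################

# The steps below depend on each other (build-ca after a failed
# init-pki makes no sense), so stop at the first failing command.
set -e

DEVICE_NAME="WeVO 11AC NAS"
VARS_FILE="/etc/easy-rsa/vars"

######################################################################
#
# Install related packages (not needed if already installed)
#
######################################################################
# Install packages
#opkg update
#opkg install openvpn
#opkg install openvpn-easy-rsa
#opkg install openvpn-openssl

######################################################################
#
# Edit /etc/easy-rsa/vars
#
######################################################################
# Keep a pristine copy of vars the first time this script runs so the
# edits below stay reproducible on re-runs.
if [ ! -f "${VARS_FILE}.orig" ]; then
  cp -fv "${VARS_FILE}" "${VARS_FILE}.orig"
fi

# DEVICE_NAME is spliced into a sed replacement string; the characters
# sed treats specially there ('/', '&', '\') must be escaped first.
DEVICE_NAME_SED="$(printf '%s' "${DEVICE_NAME}" | sed 's/[\/&\\]/\\&/g')"

# Each substitution only takes effect if the commented default line in
# vars matches exactly (tab after set_var included); check_var() below
# reports any field that was left untouched.
sed -i "s/#set_var EASYRSA_REQ_COUNTRY\t\"US\"/set_var EASYRSA_REQ_COUNTRY \"KR\"/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_REQ_PROVINCE\t\"California\"/set_var EASYRSA_REQ_PROVINCE \"Seoul\"/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_REQ_CITY\t\"San Francisco\"/set_var EASYRSA_REQ_CITY \"Seoul\"/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_REQ_ORG\t\"Copyleft Certificate Co\"/set_var EASYRSA_REQ_ORG \"${DEVICE_NAME_SED}\"/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_REQ_EMAIL\t\"me@example.net\"/set_var EASYRSA_REQ_EMAIL \"openvpn@mydomain\"/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_REQ_OU\t\t\"My Organizational Unit\"/set_var EASYRSA_REQ_OU \"${DEVICE_NAME_SED}\"/g" "${VARS_FILE}"
# 18250 days is 50 years: expiry will never force a re-key, so revoking
# (easyrsa revoke + a CRL) is the only way to retire a leaked key.
sed -i "s/#set_var EASYRSA_CA_EXPIRE\t3650/set_var EASYRSA_CA_EXPIRE 18250/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_CERT_EXPIRE\t3650/set_var EASYRSA_CERT_EXPIRE 18250/g" "${VARS_FILE}"

# Warn (do not abort) when a field is still not set: easy-rsa would then
# silently fall back to its built-in default for that field.
check_var() {
  grep -q "^set_var $1 " "${VARS_FILE}" \
    || echo "warning: ${VARS_FILE}: $1 not set, default line did not match" >&2
}
for v in EASYRSA_REQ_COUNTRY EASYRSA_REQ_PROVINCE EASYRSA_REQ_CITY \
         EASYRSA_REQ_ORG EASYRSA_REQ_EMAIL EASYRSA_REQ_OU \
         EASYRSA_CA_EXPIRE EASYRSA_CERT_EXPIRE; do
  check_var "$v"
done

######################################################################
#
# Generate PKI keys
#
######################################################################
# Configuration parameters
export EASYRSA_PKI="/etc/easy-rsa/pki"
export EASYRSA_REQ_CN="ovpnca"

# Remove and re-initialize the PKI directory
easyrsa --batch init-pki

# Generate DH parameters
easyrsa --batch gen-dh

# Create a new CA. "nopass" stores the CA key unencrypted so --batch
# needs no prompt; whoever can read ${EASYRSA_PKI}/private/ca.key can
# issue new client certificates, so that directory must stay root-only.
# NOTE(review): easyrsa is expected to create private/* owner-only;
# verify with ls -l after the run.
easyrsa --batch build-ca nopass

# Generate a keypair and sign locally for a server
easyrsa --batch build-server-full server nopass

# Generate a keypair and sign locally for a client
easyrsa --batch build-client-full client nopass

######################################################################
#
# Generate tls-crypt key
#
######################################################################
rm -f "${EASYRSA_PKI}/tc.pem"
openvpn --genkey --secret "${EASYRSA_PKI}/tc.pem"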

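#!/bin/bash
######################################################################
#
# OpenWRT OpenVPN certificate generation script
#
# Certificate generation on the target device is too slow, so this
# script builds the certificates for OpenWRT's OpenVPN on an ordinary
# Linux PC instead. Tested on CentOS 7; openvpn must be installed
# (the yum step below installs it).
#
# Output: <current dir>/YYYYMMDD_openvpn_certs.tar.gz containing
# etc/easy-rsa/pki/ (CA, server and client keypairs, dh.pem, tc.pem),
# ready to be unpacked on the device.
#
# Optional: export EASY_RSA_SHA256=<expected SHA-256 of the easy-rsa
# release tarball> to verify the download before it is executed.
#
######################################################################
set -euo pipefail

DEVICE_NAME="WeVO 11AC NAS"
CURRENT_DIR=$(pwd)
EASY_RSA_VER=3.0.6
EASY_RSA_TGZ="EasyRSA-unix-v${EASY_RSA_VER}.tgz"
EASY_RSA_DOWNLOAD="https://github.com/OpenVPN/easy-rsa/releases/download/v${EASY_RSA_VER}/${EASY_RSA_TGZ}"
# Expected SHA-256 of ${EASY_RSA_TGZ}; empty skips the check.
EASY_RSA_SHA256="${EASY_RSA_SHA256:-}"

# Configuration parameters
export EASYRSA_REQ_CN="ovpnca"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Everything temporary (the unpacked easy-rsa tree and the PKI being
# built, i.e. private keys) lives in a private mktemp directory instead
# of a fixed, predictable path under /tmp, and is removed on exit.
WORK_DIR=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT

EASY_RSA_DIR="${WORK_DIR}/EasyRSA-v${EASY_RSA_VER}"
EASY_RSA_CMD="${EASY_RSA_DIR}/easyrsa"
VARS_FILE="${EASY_RSA_DIR}/vars"
BASE_DIR="${WORK_DIR}/__easyrsa__"
# easyrsa reads EASYRSA_PKI; the archive below is built relative to
# BASE_DIR so it unpacks as etc/easy-rsa/pki on the device.
export EASYRSA_PKI="${BASE_DIR}/etc/easy-rsa/pki"

######################################################################
#
# Install openvpn
#
######################################################################
yum -y install openvpn

######################################################################
#
# Install easy-rsa
#
######################################################################
wget -P "${WORK_DIR}" "${EASY_RSA_DOWNLOAD}" || die "download failed: ${EASY_RSA_DOWNLOAD}"
if [[ -n "${EASY_RSA_SHA256}" ]]; then
  # The downloaded script is executed as root below; refuse to run it
  # when it is not the release we expect.
  printf '%s  %s\n' "${EASY_RSA_SHA256}" "${WORK_DIR}/${EASY_RSA_TGZ}" | sha256sum -c - \
    || die "checksum mismatch for ${EASY_RSA_TGZ}"
fi
tar -C "${WORK_DIR}" -xvzf "${WORK_DIR}/${EASY_RSA_TGZ}"
rm -f -- "${WORK_DIR}/${EASY_RSA_TGZ}"
[[ -x "${EASY_RSA_CMD}" ]] || die "easyrsa not found at ${EASY_RSA_CMD}"

######################################################################
#
# Edit ${EASY_RSA_DIR}/vars
#
######################################################################
# The earlier version of this script also ran
# "rm -rf /etc/easy-rsa /etc/openvpn" on the build machine; nothing
# here uses those directories (the PKI is built under BASE_DIR), so
# that step is gone to avoid wiping the PC's own OpenVPN setup.
mkdir -p "${EASYRSA_PKI}"
cp -fv "${EASY_RSA_DIR}/vars.example" "${VARS_FILE}"

# DEVICE_NAME is spliced into a sed replacement string; the characters
# sed treats specially there ('/', '&', '\') must be escaped first.
DEVICE_NAME_SED="$(printf '%s' "${DEVICE_NAME}" | sed 's/[\/&\\]/\\&/g')"

# Each substitution only takes effect if the commented default line in
# vars.example matches exactly (tab after set_var included); check_var()
# below reports any field that was left untouched.
sed -i "s/#set_var EASYRSA_REQ_COUNTRY\t\"US\"/set_var EASYRSA_REQ_COUNTRY \"KR\"/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_REQ_PROVINCE\t\"California\"/set_var EASYRSA_REQ_PROVINCE \"Seoul\"/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_REQ_CITY\t\"San Francisco\"/set_var EASYRSA_REQ_CITY \"Seoul\"/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_REQ_ORG\t\"Copyleft Certificate Co\"/set_var EASYRSA_REQ_ORG \"${DEVICE_NAME_SED}\"/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_REQ_EMAIL\t\"me@example.net\"/set_var EASYRSA_REQ_EMAIL \"openvpn@mydomain\"/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_REQ_OU\t\t\"My Organizational Unit\"/set_var EASYRSA_REQ_OU \"${DEVICE_NAME_SED}\"/g" "${VARS_FILE}"
# 18250 days is 50 years: expiry will never force a re-key, so revoking
# (easyrsa revoke + a CRL) is the only way to retire a leaked key.
sed -i "s/#set_var EASYRSA_CA_EXPIRE\t3650/set_var EASYRSA_CA_EXPIRE 18250/g" "${VARS_FILE}"
sed -i "s/#set_var EASYRSA_CERT_EXPIRE\t1080/set_var EASYRSA_CERT_EXPIRE 18250/g" "${VARS_FILE}"

# Warn (do not abort) when a field is still not set: easy-rsa would then
# silently fall back to its built-in default for that field.
check_var() {
  grep -q "^set_var $1 " "${VARS_FILE}" \
    || printf 'warning: %s: %s not set, default line did not match\n' "${VARS_FILE}" "$1" >&2
}
for v in EASYRSA_REQ_COUNTRY EASYRSA_REQ_PROVINCE EASYRSA_REQ_CITY \
         EASYRSA_REQ_ORG EASYRSA_REQ_EMAIL EASYRSA_REQ_OU \
         EASYRSA_CA_EXPIRE EASYRSA_CERT_EXPIRE; do
  check_var "$v"
done

# Cosmetic; must not abort the run (set -e) when there is no terminal.
clear 2>/dev/null || true
######################################################################
#
# Generate PKI keys
#
######################################################################
rm -rf -- "${EASYRSA_PKI:?}"
mkdir -p "${EASYRSA_PKI}"

# Remove and re-initialize the PKI directory
"${EASY_RSA_CMD}" --batch init-pki

# Generate DH parameters
"${EASY_RSA_CMD}" --batch gen-dh

# Create a new CA. "nopass" leaves the CA key unencrypted so --batch
# needs no prompt; the key ends up in the archive, so treat the archive
# as a secret.
"${EASY_RSA_CMD}" --batch build-ca nopass

# Generate a keypair and sign locally for a server
"${EASY_RSA_CMD}" --batch build-server-full server nopass

# Generate a keypair and sign locally for a client
"${EASY_RSA_CMD}" --batch build-client-full client nopass

######################################################################
#
# Generate tls-crypt key
#
######################################################################
rm -f -- "${EASYRSA_PKI}/tc.pem"
openvpn --genkey --secret "${EASYRSA_PKI}/tc.pem"

######################################################################
#
# Archive
#
######################################################################
# The archive contains the CA and server/client private keys: create it
# owner-only (umask affects only the new tarball here; the modes stored
# inside it are those of the files under BASE_DIR). Path names inside
# the archive stay relative (etc/easy-rsa/pki/...).
OUT_TAR="${CURRENT_DIR}/$(date "+%Y%m%d")_openvpn_certs.tar.gz"
cd "${BASE_DIR}" || die "cannot cd to ${BASE_DIR}"
umask 077
tar -cvzf "${OUT_TAR}" *
cd "${CURRENT_DIR}"
printf 'wrote %s\n' "${OUT_TAR}"
# WORK_DIR (easy-rsa tree and PKI) is removed by the EXIT trap.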

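#!/bin/sh
######################################################################
#
# OpenWRT OpenVPN configuration script
#
# Generates the OpenVPN server configuration and the client .ovpn
# profile(s) from the easy-rsa PKI in /etc/easy-rsa/pki:
#   - one ${OVPN_DIR}/<name>.conf per server certificate
#   - one ${OVPN_DIR}/${MY_DDNS}_<name>.ovpn per client certificate
#     (a single client cert named "client", as produced by the
#     certificate script, still yields <ddns>_client.ovpn)
# and (re)starts the openvpn service.
#
######################################################################

MY_DDNS="hasu0707.duckdns.org"

# Configuration parameters (shared by the server and client sections)
OVPN_DIR="/etc/openvpn"
OVPN_PKI="/etc/easy-rsa/pki"
OVPN_DEV="tun"
OVPN_PORT="1194"
OVPN_PROTO="udp"
OVPN_POOL="192.168.8.0 255.255.255.0"
# $'...' is a bash-style quoting; it works here because OpenWRT's
# /bin/sh (busybox ash) accepts it.
NL=$'\n'

# Everything below embeds PKI material inline; fail early with a clear
# message instead of writing configs with empty blocks.
for f in ca.crt dh.pem tc.pem; do
  if [ ! -f "${OVPN_PKI}/${f}" ]; then
    echo "error: ${OVPN_PKI}/${f} not found; generate the PKI first" >&2
    exit 1
  fi
done

OVPN_DH="$(cat "${OVPN_PKI}/dh.pem")"
# Strip the leading '#' comment lines from the generated tls-crypt key
# and re-wrap the body; OpenVPN parses the inline block either way.
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" "${OVPN_PKI}/tc.pem")"
OVPN_CA="$(openssl x509 -in "${OVPN_PKI}/ca.crt")"

######################################################################
#
# OpenVPN server setup
#
######################################################################
# Configure VPN server
# The generated .conf and .ovpn files embed private keys: create them
# owner read/write only (the umask stays in effect for both loops).
umask u=rw,g=,o=
# One server instance per certificate issued with the server EKU.
grep -l -r -e "TLS Web Server Auth" "${OVPN_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read -r OVPN_ID
do
OVPN_CERT="$(openssl x509 -in "${OVPN_PKI}/issued/${OVPN_ID}.crt")"
OVPN_KEY="$(cat "${OVPN_PKI}/private/${OVPN_ID}.key")"
# OpenVPN directive names use hyphens (route-gateway, tls-server); the
# underscore spellings are uci option names and OpenVPN rejects them.
# The pool is given once via "server ${OVPN_POOL}".
# comp-lzo: compression is deprecated in OpenVPN 2.4+ (compression
# oracle concerns); it is kept here because it must match the client
# profile below - drop it on both sides together.
cat << EOF > "${OVPN_DIR}/${OVPN_ID}.conf"
verb 3
user nobody
group nogroup
dev ${OVPN_DEV}
port ${OVPN_PORT}
proto ${OVPN_PROTO}
server ${OVPN_POOL}
topology subnet
mode server
client-to-client
keepalive 10 120
route-gateway dhcp
tls-server
persist-tun
persist-key
comp-lzo yes
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
${NL}${OVPN_DH}${NL}
${NL}${OVPN_TC}${NL}
${NL}${OVPN_CA}${NL}
${NL}${OVPN_CERT}${NL}
${NL}${OVPN_KEY}${NL}
EOF
done

######################################################################
#
# Generate the OpenVPN client ovpn profile(s)
#
######################################################################
# The profile points clients at MY_DDNS; the WAN address / ddns lookup
# that used to be fetched here was never used and has been removed.

# Generate VPN client profiles
# One profile per certificate issued with the client EKU. The file name
# includes the certificate name so several client certs no longer
# overwrite each other's profile.
grep -l -r -e "TLS Web Client Auth" "${OVPN_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read -r OVPN_ID
do
OVPN_CERT="$(openssl x509 -in "${OVPN_PKI}/issued/${OVPN_ID}.crt")"
OVPN_KEY="$(cat "${OVPN_PKI}/private/${OVPN_ID}.key")"
# The .ovpn embeds the client's private key; anyone holding the file
# can connect until that certificate is revoked.
cat << EOF > "${OVPN_DIR}/${MY_DDNS}_${OVPN_ID}.ovpn"
verb 3
dev ${OVPN_DEV%%[0-9]*}
nobind
client
remote ${MY_DDNS} ${OVPN_PORT} ${OVPN_PROTO}
auth-nocache
remote-cert-tls server
tun-mtu 1500
comp-lzo yes
pull-filter ignore "block-outside-dns"
${NL}${OVPN_TC}${NL}
${NL}${OVPN_CA}${NL}
${NL}${OVPN_CERT}${NL}
${NL}${OVPN_KEY}${NL}
EOF
done

ls "${OVPN_DIR}"/*.ovpn
/etc/init.d/openvpn enable
/etc/init.d/openvpn stop
/etc/init.d/openvpn start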

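#!/bin/sh
######################################################################
#
# OpenWRT OpenVPN configuration script
#
# Configures the OpenWRT environment through uci:
#   - firewall: puts tun0 in the lan zone and opens 1194/udp on wan
#   - openvpn:  defines the "openvpn_server" instance that uses the
#               easy-rsa PKI under /etc/easy-rsa/pki
# Intended to be re-runnable: the rule and instance sections are
# recreated, sample sections are deleted quietly.
#
######################################################################

######################################################################
#
# Configure firewall
#
######################################################################
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
# Attach the tunnel interface to the lan zone (del_list first so a
# re-run does not add a duplicate entry).
uci del_list firewall.lan.device="tun0"
uci add_list firewall.lan.device="tun0"
# Drop the rule section this script creates ("ovpn") before recreating
# it; the previous version deleted "firewall.vpn", a section never
# created here, so a stale rule could not be cleaned up.
uci -q delete firewall.ovpn
# Only 1194/udp is opened from wan; everything else stays closed.
uci set firewall.ovpn="rule"
uci set firewall.ovpn.name="Allow-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.dest_port="1194"
uci set firewall.ovpn.proto="udp"
uci set firewall.ovpn.target="ACCEPT"
uci commit firewall || exit 1
/etc/init.d/firewall restart

######################################################################
#
# Configure the OpenVPN server instance
#
######################################################################
# NOTE(review): OpenWRT's openvpn init script also starts
# /etc/openvpn/*.conf files; if a server.conf generated by the other
# setup script is present as well, two instances would compete for
# port 1194 - keep only one of the two. Confirm against the init script.
uci set openvpn.openvpn_server=openvpn
uci set openvpn.openvpn_server.enabled='1'
uci set openvpn.openvpn_server.verb='5'
uci set openvpn.openvpn_server.dev='tun'
uci set openvpn.openvpn_server.client_to_client='1'
uci set openvpn.openvpn_server.keepalive='10 120'
uci set openvpn.openvpn_server.mode='server'
uci set openvpn.openvpn_server.persist_key='1'
uci set openvpn.openvpn_server.persist_tun='1'
uci set openvpn.openvpn_server.port='1194'
uci set openvpn.openvpn_server.route_gateway='dhcp'
uci set openvpn.openvpn_server.server='192.168.8.0 255.255.255.0'
uci set openvpn.openvpn_server.tls_server='1'
# comp_lzo: compression is deprecated in OpenVPN 2.4+ (compression
# oracle concerns); kept because the client profiles use it too -
# remove it on both sides together.
uci set openvpn.openvpn_server.comp_lzo='yes'
# PKI files as produced by the certificate generation script; the key
# and tc.pem are secrets and must stay readable by root only.
uci set openvpn.openvpn_server.ca='/etc/easy-rsa/pki/ca.crt'
uci set openvpn.openvpn_server.cert='/etc/easy-rsa/pki/issued/server.crt'
uci set openvpn.openvpn_server.key='/etc/easy-rsa/pki/private/server.key'
uci set openvpn.openvpn_server.dh='/etc/easy-rsa/pki/dh.pem'
# tls-crypt: the control channel is encrypted and authenticated with
# the shared tc.pem, so unauthenticated peers are dropped before the
# TLS handshake.
uci set openvpn.openvpn_server.tls_crypt='/etc/easy-rsa/pki/tc.pem'
uci add_list openvpn.openvpn_server.push='redirect-gateway def1 bypass-dhcp'
uci add_list openvpn.openvpn_server.push='dhcp-option DNS 8.8.8.8'
uci add_list openvpn.openvpn_server.push='dhcp-option DNS 8.8.4.4'
uci commit openvpn || exit 1

# The default /etc/config/openvpn ships sample sections; -q keeps a
# re-run quiet once they are already gone.
uci -q delete openvpn.custom_config
uci -q delete openvpn.sample_server
uci -q delete openvpn.sample_client
uci commit openvpn || exit 1

/etc/init.d/openvpn enable
/etc/init.d/openvpn stop
/etc/init.d/openvpn start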