OpenWRT, OpenVPN and PIA

Discussion in 'Wireless technologies/Wi-Fi/Wardriving' started by Ditfrid, 25 Jun 2018.

  Ditfrid (New Member)

    I ran into a problem setting up OpenVPN on a Nexx 3020 router. The VPN provider is PIA (those who use it will know what I mean).

    I went through a pile of manuals. Most of them are outdated. I hope the text below helps some lost soul :)

    1. Install openvpn
      Code:
      opkg update
      opkg install openvpn
    2. Download the OpenVPN configuration files
    3. Unpack them into the /etc/openvpn directory
    4. In the /etc/openvpn folder create a file pia.auth and write the login and password into it, in this form
      Code:
      p7777777
      abcdqwerty
    5. In /etc/config/ put a file named openvpn with the following contents
      Code:
      config openvpn pia

          option enabled 1
          option client 1
          option dev tun1337
          option proto udp
          option resolve_retry infinite
          option nobind 1
          option persist_key 1
          option persist_tun 1
          option ca /etc/openvpn/ca.rsa.2048.crt
          option crl_verify /etc/openvpn/crl.rsa.2048.pem
          option tls_client 1
          # Added: only accept a peer whose certificate carries the server role,
          # as PIA's own .ovpn files do with "remote-cert-tls server"; without it
          # any certificate signed by the same CA would be accepted as the server.
          option remote_cert_tls server
          option comp_lzo yes
          option auth_user_pass /etc/openvpn/pia.auth
          option auth 'SHA1'
          option cipher 'AES-128-CBC'
          option verb 3

          # Specify the servers you need.
          list remote "us-seattle.privateinternetaccess.com 1198"
          list remote "hk.privateinternetaccess.com 1198"
          list remote "uk-london.privateinternetaccess.com 1198"
          list remote "ro.privateinternetaccess.com 1198"
          list remote "nl.privateinternetaccess.com 1198"
          list remote "us-texas.privateinternetaccess.com 1198"
          list remote "in.privateinternetaccess.com 1198"
          list remote "nz.privateinternetaccess.com 1198"
          list remote "us-east.privateinternetaccess.com 1198"
          list remote "ireland.privateinternetaccess.com 1198"
          list remote "sweden.privateinternetaccess.com 1198"
          list remote "japan.privateinternetaccess.com 1198"
          list remote "ca.privateinternetaccess.com 1198"
          list remote "denmark.privateinternetaccess.com 1198"
          list remote "brazil.privateinternetaccess.com 1198"
          list remote "germany.privateinternetaccess.com 1198"
          list remote "aus.privateinternetaccess.com 1198"
          list remote "us-california.privateinternetaccess.com 1198"
          list remote "mexico.privateinternetaccess.com 1198"
          list remote "us-siliconvalley.privateinternetaccess.com 1198"
          list remote "us-midwest.privateinternetaccess.com 1198"
          list remote "us-florida.privateinternetaccess.com 1198"
          list remote "ca-toronto.privateinternetaccess.com 1198"
          list remote "fi.privateinternetaccess.com 1198"
          list remote "uk-southampton.privateinternetaccess.com 1198"
          list remote "france.privateinternetaccess.com 1198"
          list remote "israel.privateinternetaccess.com 1198"
          list remote "us-newyorkcity.privateinternetaccess.com 1198"
          list remote "us-west.privateinternetaccess.com 1198"
          list remote "no.privateinternetaccess.com 1198"
          list remote "italy.privateinternetaccess.com 1198"
          list remote "turkey.privateinternetaccess.com 1198"
          list remote "us-chicago.privateinternetaccess.com 1198"
          list remote "sg.privateinternetaccess.com 1198"
          list remote "swiss.privateinternetaccess.com 1198"
          list remote "aus-melbourne.privateinternetaccess.com 1198"
    6. Create the interface
      Code:
      cat >> /etc/config/network << EOF
      config interface 'PIA'
      option ifname 'tun1337'
      option proto 'none'
      EOF
    7. Configure the firewall
      Code:
      # The text below is a complete firewall file (defaults, lan/wan zones, rules),
      # so it replaces /etc/config/firewall; appending it with >> would duplicate
      # the 'defaults' section and the lan/wan zones. Keep a copy of the original.
      cp /etc/config/firewall /etc/config/firewall.orig
      cat > /etc/config/firewall << EOF
      config defaults
      option syn_flood '1'
      option input 'ACCEPT'
      option output 'ACCEPT'
      option forward 'REJECT'

      config zone
      option name 'lan'
      option network 'lan'
      option input 'ACCEPT'
      option output 'ACCEPT'
      option forward 'REJECT'

      config zone
      option name 'wan'
      option network 'wan'
      # Fixed: the Allow-* rules below only make sense with REJECT; with ACCEPT the
      # router's own services (ssh, LuCI) would be reachable from the WAN side.
      option input 'REJECT'
      option output 'ACCEPT'
      option forward 'REJECT'

      # Zone for the tunnel interface created in step 6 (fixed: the original
      # referenced a network named 'IPredator', which does not exist here).
      config zone
      option name 'pia'
      option network 'PIA'
      option input 'REJECT'
      option output 'ACCEPT'
      option forward 'REJECT'
      option masq '1'
      option mtu_fix '1'

      config rule
      option name 'Allow-DHCP-Renew'
      option src 'wan'
      option proto 'udp'
      option dest_port '68'
      option target 'ACCEPT'
      option family 'ipv4'

      config rule
      option name 'Allow-Ping'
      option src 'wan'
      option proto 'icmp'
      option icmp_type 'echo-request'
      option family 'ipv4'
      option target 'ACCEPT'

      config rule
      option name 'Allow-DHCPv6'
      option src 'wan'
      option proto 'udp'
      option src_ip 'fe80::/10'
      option src_port '547'
      option dest_ip 'fe80::/10'
      option dest_port '546'
      option family 'ipv6'
      option target 'ACCEPT'

      config rule
      option name 'Allow-ICMPv6-Input'
      option src 'wan'
      option proto 'icmp'
      list icmp_type 'echo-request'
      list icmp_type 'echo-reply'
      list icmp_type 'destination-unreachable'
      list icmp_type 'packet-too-big'
      list icmp_type 'time-exceeded'
      list icmp_type 'bad-header'
      list icmp_type 'unknown-header-type'
      list icmp_type 'router-solicitation'
      list icmp_type 'neighbour-solicitation'
      list icmp_type 'router-advertisement'
      list icmp_type 'neighbour-advertisement'
      option limit '1000/sec'
      option family 'ipv6'
      option target 'ACCEPT'

      config rule
      option name 'Allow-ICMPv6-Forward'
      option src 'wan'
      option dest '*'
      option proto 'icmp'
      list icmp_type 'echo-request'
      list icmp_type 'echo-reply'
      list icmp_type 'destination-unreachable'
      list icmp_type 'packet-too-big'
      list icmp_type 'time-exceeded'
      list icmp_type 'bad-header'
      list icmp_type 'unknown-header-type'
      option limit '1000/sec'
      option family 'ipv6'
      option target 'ACCEPT'

      config include
      option path '/etc/firewall.user'

      # Only lan -> pia is forwarded; there is deliberately no lan -> wan forwarding,
      # so when the tunnel is down the LAN has no Internet instead of leaking past the VPN.
      config forwarding
      option src 'lan'
      option dest 'pia'
      EOF
    8. Reboot the router
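Added example, not from the original post: a small POSIX sh audit of the policy that step 7 sets up, checking that lan is forwarded only to the VPN zone (never to wan) and that the wan zone does not accept inbound traffic. It assumes the VPN zone is called 'pia' (pass 'ipr' if you kept that name) and runs on constructed sample files rather than a real router config.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an OpenWrt UCI firewall
# file for the "VPN only" policy of step 7 (lan forwards only to the VPN zone,
# never to wan; wan accepts nothing inbound). Zone name 'pia' is an assumption.

# Print "<src> <dest>" for every 'config forwarding' section of a UCI file.
uci_forwardings() {
    awk -v q="'" '
        function flush() { if (sec == "forwarding" && src != "") print src, dest }
        $1 == "config" { flush(); sec = $2; src = ""; dest = "" }
        $1 == "option" && $2 == "src"  { gsub(q, "", $3); src = $3 }
        $1 == "option" && $2 == "dest" { gsub(q, "", $3); dest = $3 }
        END { flush() }' "$1"
}

# Print "<name> <input policy>" for every 'config zone' section.
uci_zone_inputs() {
    awk -v q="'" '
        function flush() { if (sec == "zone" && name != "") print name, inp }
        $1 == "config" { flush(); sec = $2; name = ""; inp = "" }
        $1 == "option" && $2 == "name"  { gsub(q, "", $3); name = $3 }
        $1 == "option" && $2 == "input" { gsub(q, "", $3); inp = $3 }
        END { flush() }' "$1"
}

# Exit 0 if the policy holds, 1 with a one-line reason otherwise.
audit_vpn_only() {
    cfg=$1; vpn=$2
    if uci_forwardings "$cfg" | grep -q '^lan wan$'; then
        echo "LEAK: lan is forwarded to wan, bypassing zone $vpn"; return 1
    fi
    if ! uci_forwardings "$cfg" | grep -q "^lan $vpn\$"; then
        echo "MISSING: no forwarding from lan to zone $vpn"; return 1
    fi
    if uci_zone_inputs "$cfg" | grep -q '^wan ACCEPT$'; then
        echo "EXPOSED: wan zone input policy is ACCEPT"; return 1
    fi
    echo "OK: lan reaches the Internet only through zone $vpn"
}

# Constructed samples in the shape of step 7's file (not real router output);
# on the router, run: audit_vpn_only /etc/config/firewall pia
GOOD=$(mktemp); LEAKY=$(mktemp)
printf "%s\n" "config zone" "option name 'wan'" "option input 'REJECT'" \
    "config zone" "option name 'pia'" "option network 'PIA'" \
    "config forwarding" "option src 'lan'" "option dest 'pia'" > "$GOOD"
{ cat "$GOOD"; printf "%s\n" "config forwarding" "option src 'lan'" "option dest 'wan'"; } > "$LEAKY"

audit_vpn_only "$GOOD" pia
audit_vpn_only "$LEAKY" pia || true   # non-zero exit marks the leak
```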