学习笔记：将OpenVPN Access Server on ESXi改造成软路由

dh5658

已于 2023-07-13 22:18:09 修改

阅读量869

点赞数

文章标签：学习笔记

于 2023-07-12 10:54:06 首次发布

本文链接：https://blog.csdn.net/weixin_43589764/article/details/131676652

版权

当前新版本的OpenVPN的镜像是基于Ubuntu18.04制作的，因此很容易改造成软路由。

免费版限定两个并发连接，不限速。

安装ESXi虚拟机版的OAS

参考： https://openvpn.net/vpn-server-resources/deploying-the-access-server-appliance-on-vmware-esxi/

OAS产品信息：

Our appliance for VMWare ESXi is released as an OVA file with virtual hardware revision 8 (vmx-08).
It is built on the Linux Ubuntu 18.04 LTS x64 operating system and has no GUI.
By default it is assigned 1 vCPU and 1GB of memory and has a swapfile of 512MB. Adjust as needed.
When increasing CPU count, remember to increase amount of TCP/UDP daemons as well:
1 TCP plus 1 UDP daemon for each 1 vCPU. This is in Network Settings page in the admin UI.
SSH login as root user is enabled by default, as well as on the console. You should definitely change this password.

Default root user password is openvpnas.

初始默认账户

- - User name: root
  - Password: openvpnas

导入OVA镜像后添加网卡，网卡的类型选择E1000

设置IP

默认netplan里指定了networkd管理IP

参考：https://openvpn.net/vpn-server-resources/set-a-static-ip-address-on-an-ubuntu-18-or-newer-system/

安装NetworkManager

apt install network-manager

修改/etc/netplan/01-netcfg.yaml

一般是这样：

# This file describes the network interfaces available on your system

# For more information, see netplan(5).

network:

version: 2

renderer: networkd

ethernets:

eth0:

dhcp4: no

addresses: [192.168.1.254/24]

gateway4: 192.168.1.1

nameservers:

addresses: [119.29.29.29]

改成这样：

# This file describes the network interfaces available on your system

# For more information, see netplan(5).

network:

version: 2

renderer: NetworkManager

启用NetworkManager

systemctl enable --now network-manager

使用NetworkManager调整网络配置

（可选）安装拨号宽带PPPoE

参考： https://dineshsonachalam.medium.com/creating-a-dsl-connection-on-ubuntu-18-04-1-lts-c5b7845beea0

apt install -y pppoe pppoeconf

#假定使用eth3接ADSL猫

nmcli conn add con-name adsl type pppoe ifname eth3 autoconnect yes pppoe.username USERNAME pppoe.password PASSWORD

nmcli conn modify adsl connection.zone external

nmcli conn modify eth0 connection.zone internal

nmcli conn reload

nmcli conn up adsl

注：

系统中会自动生成一个拨号网卡 ppp0

可以使用pppoeconf自动配置拨号相关参数

设置ubuntu IP转发

安装ufw防火墙并启用

apt install ufw

systemctl enable --now ufw.service

ufw enable

设置ufw防火墙默认值

ufw default deny incoming

ufw default allow outgoing

查看防火墙状态

ufw status verbose

开启IP转发

参考： Verifying your browser... | myfreax

修改 /etc/sysctl.conf :

# Uncomment the next line to enable packet forwarding for IPv4

net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6

# Enabling this option disables Stateless Address Autoconfiguration

# based on Router Advertisements for this host

net.ipv6.conf.all.forwarding=1

运行sysctl -p生效

配置UFW以允许转发数据包。

打开UFW配置文件/etc/default/ufw

找到DEFAULT_FORWARD_POLICY键，将值从DROP更改为ACCEPT。

开启IP masqurade （IP伪装）

修改/etc/ufw/before.rules

#NAT table rules 启用nat 表

*nat

# 允许POSTROUTING 链

:POSTROUTING ACCEPT [0:0]

# 转发eth0接口的数据包，请将eth0更改为你对应的接口

-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

# don't delete the 'COMMIT' line or these rules won't be processed

COMMIT

注意不要删除COMMIT关键词，它永远是在最后一行。

别忘了在-A POSTROUTING行中替换eth0以匹配你的计算机可以连接到互联网的名称。

重启电脑或ufw.service后策略生效。

设置ufw防火墙，确保局域网连通性（局域网卡eth0）

ufw allow in on eth0 to any

ufw route allow in on eth0 out on eth0

安装设置MiniUPnP

官网： http://miniupnp.free.fr/

安装：apt install miniupnpd

设置:

根据向导提示，指定 WAN口为ppp0， LAN口为eth0 即可。

至此，软路由功能设置完毕！

按照产品文档设置OpenVPN Access Server即可。