实现效果:openwrt作为openvpn客户端,让连接OpenWRT路由器的终端设备访问VPN服务器资源
问题:需解决路由推送、防火墙放行和NAT豁免三个核心问题。
🔧 一、OpenWRT路由器端关键配置
1.安装openvpn,安装好如下所示3个包,安装后重启一下路由器
2.配置vpn客户端
配置文件内容如下:
client
dev-type tun
dev tunx
proto udp
tun-mtu 1400
cipher BF-CBC
comp-lzo
remote ikuai.rongtech.top 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
auth-user-pass '/etc/openvpn/auth-user.txt'#这个文件存放vpn用户名和密码,第一行用户名,第二行密码
script-security 2
push 'route 192.168.6.0 255.255.255.0'#推送openwrt 网段到vpn服务器
<ca>
#换成自己的证书
</ca>
# redirect-gateway def1 bypass-dns # uncomment to set as default gateway
# route-nopull # uncomment to disable server route push
#
3. 推送终端子网到VPN服务器.见上面的配置
修改OpenVPN客户端配置文件(/etc/openvpn/你的配置.ovpn),添加本地子网路由推送指令:
push "route 192.168.7=6.0 255.255.255.0" # 替换为你的终端设备所在子网[3,6](@ref)作用:告知VPN服务器客户端终端子网的存在,使其能正确回传数据包。
验证:VPN连接后执行
ip route,确认目标网络(如192.168.10.0/24) 的下一跳为VPN接口(如tunx)。
2. 防火墙放行终端流量
通过SSH登录OpenWRT,执行以下命令:
# 允许终端子网流量进入VPN隧道
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-LAN-to-VPN'
uci set firewall.@rule[-1].src='lan' # 源区域为LAN
uci set firewall.@rule[-1].dest='wan' # 目标区域为WAN(VPN流量出口)
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
service firewall restart3. 豁免VPN流量的NAT伪装
# 避免终端流量被错误NAT导致回程失败
iptables -t nat -I POSTROUTING -o tunx -j MASQUERADE # 对VPN接口流量启用MASQUERADE
iptables -I FORWARD -i br-lan -o tunx -j ACCEPT # 允许LAN→VPN转发
iptables -I FORWARD -i tunx -o br-lan -j ACCEPT # 允许VPN→LAN转发[4,7](@ref)注:
tunx需替换为你的VPN接口名(通过ifconfig查看)。等效UCI配置命令
# 1. 配置 VPN 区域(如果尚未配置) uci set firewall.vpn=zone uci set firewall.vpn.name='vpn' uci set firewall.vpn.input='ACCEPT' uci set firewall.vpn.output='ACCEPT' uci set firewall.vpn.forward='ACCEPT' uci set firewall.vpn.masq='1' # 这相当于 MASQUERADE uci set firewall.vpn.network='vpn' # 2. 配置转发规则(FORWARD 规则) uci set firewall.lan_to_vpn=forwarding uci set firewall.lan_to_vpn.src='lan' uci set firewall.lan_to_vpn.dest='vpn' uci set firewall.vpn_to_lan=forwarding uci set firewall.vpn_to_lan.src='vpn' uci set firewall.vpn_to_lan.dest='lan' # 3. 配置 NAT 规则(POSTROUTING 规则) uci set firewall.vpn_nat=nat uci set firewall.vpn_nat.name='vpn_masquerade' uci set firewall.vpn_nat.src='vpn' uci set firewall.vpn_nat.dest='wan' uci set firewall.vpn_nat.target='MASQUERADE' uci set firewall.vpn_nat.family='ipv4' # 提交配置 uci commit firewall /etc/init.d/firewall restart #最后将tunx加入到VPN区域。重启vpn /etc/init.d/openvpn restart
💻 二、终端设备配置
网关与DNS设置
终端网关必须指向OpenWRT的LAN IP(如
192.168.6.1)。若需解析VPN内网域名,在终端手动设置DNS为VPN服务器内网DNS(如
192.168.9.1)
静态路由(非必须)
仅当路由器未自动下发路由时需手动添加:# Linux终端 sudo ip route add 192.168.9.0/24 via 192.168.6.1 # Windows终端 route add 192.168.9.0 mask 255.255.255.0 192.168.6.1
三、验证
使用连接openwrt路由器的终端直接ping 爱快路由器网关192.168.9.1,验证连通成功。
