I. Deployment Environment {#一部署环境}
1.1 VMware ESXi {#11vmware-esxi}
VMware ESXi
1.2 iKuai Image {#12ikuai镜像}
iKuai ISO
1.3 OpenVPN Client {#13openvpn客户端}
OpenVPN Client
II. Installing iKuai {#二安装ikuai}
2.1 Upload the image to ESXi {#21上传镜像至esxi}
2.2 Create the iKuai VM {#22创建ikuai}
2.3 First-boot configuration {#23首次开机配置}
2.4 Second-boot configuration {#24二次开机配置}
III. Configuring OpenVPN {#三配置openvpn}
3.1 Default client configuration explained {#31客户端默认配置说明}
Of these, lines 14 and 15 are commented out by default and we do not need to enable them.

- `client`: marks this as an OpenVPN client configuration file.
- `dev-type tun` and `dev tunx`: specify the type and name of the OpenVPN device; `tun` is a virtual network device type and `tunx` is the name of that device.
- `proto udp`: makes OpenVPN use UDP for transport.
- `tun-mtu 1400`: sets the maximum transmission unit (MTU) of the TUN device, which limits the size of packets passing through the tunnel.
- `cipher BF-CBC`: the cipher OpenVPN uses for the data channel, here BF-CBC (Blowfish-CBC, a legacy 64-bit-block cipher that OpenVPN 2.5 and later no longer accept by default).
- `comp-lzo`: enables compression to improve transfer efficiency (compression of encrypted traffic is discouraged in current OpenVPN releases because of the VORACLE class of attacks).
- `remote 192.168.6.104 1194`: the server's IP address and port.
- `resolv-retry infinite`: keep retrying hostname resolution indefinitely when a connection attempt fails.
- `nobind`: do not bind to a fixed local port; the client may use any available local port.
- `persist-key` and `persist-tun`: if the connection is interrupted unexpectedly, OpenVPN keeps the key and the TUN/TAP device rather than re-creating them.
- `verb 3`: sets the logging verbosity; level 3 shows detailed log output.
- `key-direction 1`: specifies the key direction, normally relevant to the encryption key.
- `script-security 2`: sets the script security level so that certain operations are allowed to run.
- `# redirect-gateway def1 bypass-dns`: redirects all traffic into the VPN while bypassing DNS.
- `# route-nopull`: does not pull any routes.
3.2 Adding client configuration parameters {#32添加客户端配置参数}
With the default parameters above, OpenVPN already works, but several problems remain: first, how the client's traffic is routed; second, how internal domain names are resolved; third, how to deal with the single authentication mode. The first two are solved with additional server-side configuration; the authentication mode is addressed by adding the following parameter on the client:
```
auth-user-pass  # enable client username/password authentication
```
3.3 Complete client configuration {#33客户端完整配置}
```
client
dev-type tun
dev tunx
proto udp
tun-mtu 1400
cipher BF-CBC
comp-lzo
remote 192.168.6.104 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
key-direction 1
auth-user-pass
script-security 2
# redirect-gateway def1 bypass-dns
# route-nopull
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
507d6e80efca45285d7b7c00e53ed705
-----END OpenVPN Static key V1-----
</tls-auth>
<cert>
-----BEGIN CERTIFICATE-----
MIIC6jCCAdICBGVy4Z8wDQYJKoZIhvcNAQELBQAwNzELMAkGA1UEBhMCQ04xDjAM
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA1RDOMOu6mfGkOvERiRjBJkPH8NB4IniYvU+KX9j61VFKJaQb
-----END RSA PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgIJAJjZXNsCwFjlMA0GCSqGSIb3DQEBCwUAMDcxCzAJBgNV
-----END CERTIFICATE-----
</ca>
```
3.4 Additional server configuration 1 (routing) {#34服务端附加配置一路由}
The first line sends 223.5.5.5 out through the local Internet interface instead of the VPN tunnel; the second sends 192.168.6.0/24 into the VPN tunnel. These two parameters are enough to implement split routing, controlled from the server (configuring the same thing on the client also works):
```
push "route 223.5.5.5 255.255.255.255 net_gateway"
push "route 192.168.6.0 255.255.255.0 vpn_gateway"
```
3.5 Additional server configuration 2 (routing) {#35服务端附加配置二路由}
If you want all VPN client traffic to reach the Internet through the VPN server, configure the following parameter:
```
push "redirect-gateway def1"  # all traffic through the VPN
```
3.6 Additional server configuration 3 (routing) {#36服务端附加配置三路由}
If you want all VPN client traffic to reach the Internet through the VPN server, but without taking DHCP or DNS from the VPN server (that is, the client's local IP still comes from the local DHCP server and names are resolved with the DNS servers obtained on the local interface), configure the following parameters:
```
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1 bypass-dns"
```
3.7 Additional server configuration 4 (routing) {#37服务端附加配置四路由}
If you want all VPN client traffic to use the local interface by default and only specified traffic to go through the VPN, configure the following parameters:
```
push "route 0.0.0.0 0.0.0.0 net_gateway"  # this line cannot coexist with redirect-gateway def1
push "route 192.168.6.0 255.255.255.0 vpn_gateway"
```
3.8 Additional server configuration 5 (DNS) {#38服务端附加配置五dns}
The following parameter makes VPN users resolve domain names with the internal DNS server, which is what you want when there is an internal DNS server with internal domain names:
```
push "dhcp-option DNS 192.168.100.3"
```
IV. Combined configuration {#四综合配置}
Combining all the routing and DNS configuration above, we can split domestic and foreign traffic. Roughly, there are two modes (only part of each is given here for reference): in the first, the default route goes through the VPN and specific domestic routes go out via the local network; in the second, the default route goes out via the local network and specific routes for Google and Microsoft go through the VPN. The configuration below splits traffic based on Google's and Microsoft's IP ranges and is for reference only:
```
push "route 0.0.0.0 0.0.0.0 net_gateway" # default route via the local network
push "route 10.0.0.0 255.0.0.0 net_gateway" # private class A range via local
push "route 172.16.0.0 255.240.0.0 net_gateway" # private class B range via local
push "route 192.168.0.0 255.255.0.0 net_gateway" # private class C range via local
push "dhcp-option DNS 192.168.100.3" # resolve names with the internal DNS server to avoid domestic DNS pollution
push "dhcp-option DNS 192.168.100.4" # resolve names with the internal DNS server to avoid domestic DNS pollution
push "route 192.168.100.3 255.255.255.255 vpn_gateway" # DNS server via VPN
push "route 192.168.100.4 255.255.255.255 vpn_gateway" # DNS server via VPN
push "route 192.168.6.0 255.255.255.0 vpn_gateway" # internal subnet via VPN, for access to internal resources
push "route 1.0.0.0 255.255.255.0 vpn_gateway" # everything below: Google and Microsoft ranges via VPN
push "route 1.1.1.0 255.255.255.0 vpn_gateway"
push "route 1.2.3.0 255.255.255.0 vpn_gateway"
push "route 8.8.4.0 255.255.255.0 vpn_gateway"
push "route 8.8.8.0 255.255.255.0 vpn_gateway"
push "route 8.15.202.0 255.255.255.0 vpn_gateway"
push "route 8.34.208.0 255.255.240.0 vpn_gateway"
push "route 8.35.192.0 255.255.240.0 vpn_gateway"
push "route 13.64.0.0 255.224.0.0 vpn_gateway"
push "route 13.104.0.0 255.252.0.0 vpn_gateway"
push "route 20.0.0.0 255.224.0.0 vpn_gateway"
push "route 20.33.0.0 255.255.0.0 vpn_gateway"
push "route 20.36.0.0 255.252.0.0 vpn_gateway"
push "route 20.40.0.0 255.248.0.0 vpn_gateway"
push "route 20.48.0.0 255.240.0.0 vpn_gateway"
push "route 20.64.0.0 255.192.0.0 vpn_gateway"
push "route 20.135.0.0 255.255.0.0 vpn_gateway"
push "route 20.136.0.0 255.255.0.0 vpn_gateway"
push "route 20.143.0.0 255.255.0.0 vpn_gateway"
push "route 20.150.0.0 255.254.0.0 vpn_gateway"
push "route 20.152.0.0 255.254.0.0 vpn_gateway"
push "route 20.157.0.0 255.255.0.0 vpn_gateway"
push "route 20.158.0.0 255.254.0.0 vpn_gateway"
push "route 20.160.0.0 255.240.0.0 vpn_gateway"
push "route 20.184.0.0 255.248.0.0 vpn_gateway"
push "route 20.192.0.0 255.192.0.0 vpn_gateway"
push "route 23.96.0.0 255.252.0.0 vpn_gateway"
push "route 23.100.0.0 255.254.0.0 vpn_gateway"
push "route 23.102.0.0 255.255.0.0 vpn_gateway"
push "route 23.103.64.0 255.255.192.0 vpn_gateway"
push "route 23.103.128.0 255.255.128.0 vpn_gateway"
push "route 23.236.48.0 255.255.240.0 vpn_gateway"
push "route 23.251.128.0 255.255.224.0 vpn_gateway"
push "route 40.64.0.0 255.192.0.0 vpn_gateway"
push "route 51.10.0.0 255.254.0.0 vpn_gateway"
push "route 51.12.0.0 255.254.0.0 vpn_gateway"
push "route 51.51.0.0 255.255.0.0 vpn_gateway"
push "route 51.53.0.0 255.255.0.0 vpn_gateway"
push "route 51.103.0.0 255.255.0.0 vpn_gateway"
push "route 51.104.0.0 255.254.0.0 vpn_gateway"
push "route 51.107.0.0 255.255.0.0 vpn_gateway"
push "route 51.116.0.0 255.255.0.0 vpn_gateway"
push "route 51.120.0.0 255.255.0.0 vpn_gateway"
push "route 51.124.0.0 255.255.0.0 vpn_gateway"
push "route 51.132.0.0 255.255.0.0 vpn_gateway"
push "route 51.136.0.0 255.254.0.0 vpn_gateway"
push "route 51.138.0.0 255.255.0.0 vpn_gateway"
push "route 51.140.0.0 255.252.0.0 vpn_gateway"
push "route 51.144.0.0 255.254.0.0 vpn_gateway"
push "route 52.96.0.0 255.240.0.0 vpn_gateway"
push "route 52.112.0.0 255.252.0.0 vpn_gateway"
push "route 52.120.0.0 255.252.0.0 vpn_gateway"
push "route 52.125.0.0 255.255.0.0 vpn_gateway"
push "route 52.136.0.0 255.248.0.0 vpn_gateway"
push "route 52.146.0.0 255.254.0.0 vpn_gateway"
push "route 52.148.0.0 255.252.0.0 vpn_gateway"
push "route 52.152.0.0 255.248.0.0 vpn_gateway"
push "route 52.160.0.0 255.224.0.0 vpn_gateway"
push "route 52.224.0.0 255.224.0.0 vpn_gateway"
push "route 64.4.0.0 255.255.192.0 vpn_gateway"
push "route 64.15.112.0 255.255.240.0 vpn_gateway"
push "route 64.18.0.0 255.255.240.0 vpn_gateway"
push "route 64.18.8.0 255.255.255.0 vpn_gateway"
push "route 64.18.12.0 255.255.252.0 vpn_gateway"
push "route 64.79.152.0 255.255.254.0 vpn_gateway"
push "route 64.233.160.0 255.255.240.0 vpn_gateway"
push "route 64.233.176.0 255.255.240.0 vpn_gateway"
push "route 65.52.0.0 255.252.0.0 vpn_gateway"
push "route 66.102.4.0 255.255.255.0 vpn_gateway"
push "route 66.119.144.0 255.255.240.0 vpn_gateway"
push "route 66.249.64.0 255.255.240.0 vpn_gateway"
push "route 66.249.80.0 255.255.240.0 vpn_gateway"
push "route 70.32.128.0 255.255.224.0 vpn_gateway"
push "route 70.32.134.0 255.255.254.0 vpn_gateway"
push "route 70.32.140.0 255.255.252.0 vpn_gateway"
push "route 70.32.144.0 255.255.255.0 vpn_gateway"
push "route 70.32.146.0 255.255.255.0 vpn_gateway"
push "route 70.32.148.0 255.255.254.0 vpn_gateway"
push "route 70.37.0.0 255.255.128.0 vpn_gateway"
push "route 70.37.128.0 255.255.192.0 vpn_gateway"
push "route 72.14.192.0 255.255.224.0 vpn_gateway"
push "route 72.14.224.0 255.255.224.0 vpn_gateway"
push "route 74.125.0.0 255.255.128.0 vpn_gateway"
push "route 74.125.128.0 255.255.128.0 vpn_gateway"
push "route 94.245.64.0 255.255.192.0 vpn_gateway"
push "route 102.37.0.0 255.255.0.0 vpn_gateway"
push "route 102.133.0.0 255.255.0.0 vpn_gateway"
push "route 104.0.0.0 255.248.0.0 vpn_gateway"
push "route 104.40.0.0 255.248.0.0 vpn_gateway"
push "route 104.132.0.0 255.252.0.0 vpn_gateway"
push "route 104.146.0.0 255.255.224.0 vpn_gateway"
push "route 104.146.128.0 255.255.128.0 vpn_gateway"
push "route 104.154.0.0 255.254.0.0 vpn_gateway"
push "route 104.208.0.0 255.248.0.0 vpn_gateway"
push "route 107.167.160.0 255.255.224.0 vpn_gateway"
push "route 107.178.192.0 255.255.192.0 vpn_gateway"
push "route 108.59.80.0 255.255.240.0 vpn_gateway"
push "route 108.170.192.0 255.255.192.0 vpn_gateway"
push "route 108.177.0.0 255.255.128.0 vpn_gateway"
push "route 111.221.16.0 255.255.240.0 vpn_gateway"
push "route 111.221.64.0 255.255.192.0 vpn_gateway"
push "route 113.197.106.0 255.255.255.0 vpn_gateway"
push "route 128.94.0.0 255.255.0.0 vpn_gateway"
push "route 130.211.0.0 255.255.0.0 vpn_gateway"
push "route 131.253.1.0 255.255.255.0 vpn_gateway"
push "route 131.253.3.0 255.255.255.0 vpn_gateway"
push "route 131.253.5.0 255.255.255.0 vpn_gateway"
push "route 131.253.6.0 255.255.255.0 vpn_gateway"
push "route 131.253.8.0 255.255.255.0 vpn_gateway"
push "route 131.253.12.0 255.255.252.0 vpn_gateway"
push "route 131.253.21.0 255.255.255.0 vpn_gateway"
push "route 131.253.24.0 255.255.248.0 vpn_gateway"
push "route 131.253.32.0 255.255.240.0 vpn_gateway"
push "route 131.253.61.0 255.255.255.0 vpn_gateway"
push "route 131.253.62.0 255.255.254.0 vpn_gateway"
push "route 131.253.128.0 255.255.128.0 vpn_gateway"
push "route 132.245.0.0 255.255.0.0 vpn_gateway"
push "route 134.170.0.0 255.255.0.0 vpn_gateway"
push "route 135.149.0.0 255.255.0.0 vpn_gateway"
push "route 137.116.0.0 255.254.0.0 vpn_gateway"
push "route 137.135.0.0 255.255.0.0 vpn_gateway"
push "route 138.91.0.0 255.255.0.0 vpn_gateway"
push "route 138.239.0.0 255.255.0.0 vpn_gateway"
push "route 142.250.0.0 255.254.0.0 vpn_gateway"
push "route 143.64.0.0 255.255.0.0 vpn_gateway"
push "route 144.188.132.0 255.255.255.0 vpn_gateway"
push "route 144.189.0.0 255.255.0.0 vpn_gateway"
push "route 144.189.152.0 255.255.254.0 vpn_gateway"
push "route 144.189.160.0 255.255.240.0 vpn_gateway"
push "route 146.148.0.0 255.255.128.0 vpn_gateway"
push "route 147.145.0.0 255.255.0.0 vpn_gateway"
push "route 147.243.0.0 255.255.0.0 vpn_gateway"
push "route 148.7.0.0 255.255.0.0 vpn_gateway"
push "route 150.171.0.0 255.255.0.0 vpn_gateway"
push "route 155.62.0.0 255.255.0.0 vpn_gateway"
push "route 157.55.0.0 255.255.0.0 vpn_gateway"
push "route 157.56.0.0 255.255.0.0 vpn_gateway"
push "route 158.158.0.0 255.255.0.0 vpn_gateway"
push "route 159.27.0.0 255.255.0.0 vpn_gateway"
push "route 162.216.148.0 255.255.252.0 vpn_gateway"
push "route 162.222.176.0 255.255.248.0 vpn_gateway"
push "route 163.228.0.0 255.255.0.0 vpn_gateway"
push "route 167.105.0.0 255.255.0.0 vpn_gateway"
push "route 167.220.240.0 255.255.252.0 vpn_gateway"
push "route 168.61.0.0 255.255.0.0 vpn_gateway"
push "route 168.62.0.0 255.254.0.0 vpn_gateway"
push "route 169.0.0.0 255.255.0.0 vpn_gateway"
push "route 169.138.0.0 255.255.0.0 vpn_gateway"
push "route 170.165.0.0 255.255.0.0 vpn_gateway"
push "route 172.217.0.0 255.255.0.0 vpn_gateway"
push "route 172.253.0.0 255.255.0.0 vpn_gateway"
push "route 173.194.0.0 255.255.128.0 vpn_gateway"
push "route 173.194.128.0 255.255.128.0 vpn_gateway"
push "route 173.255.112.0 255.255.240.0 vpn_gateway"
push "route 191.232.0.0 255.248.0.0 vpn_gateway"
push "route 192.48.225.0 255.255.255.0 vpn_gateway"
push "route 192.54.86.0 255.255.254.0 vpn_gateway"
push "route 192.55.22.0 255.255.255.0 vpn_gateway"
push "route 192.84.160.0 255.255.254.0 vpn_gateway"
push "route 192.100.102.0 255.255.254.0 vpn_gateway"
push "route 192.100.104.0 255.255.248.0 vpn_gateway"
push "route 192.100.112.0 255.255.240.0 vpn_gateway"
push "route 192.100.128.0 255.255.252.0 vpn_gateway"
push "route 192.158.28.0 255.255.252.0 vpn_gateway"
push "route 192.178.0.0 255.254.0.0 vpn_gateway"
push "route 192.197.157.0 255.255.255.0 vpn_gateway"
push "route 193.142.125.0 255.255.255.0 vpn_gateway"
push "route 193.149.64.0 255.255.224.0 vpn_gateway"
push "route 193.221.113.0 255.255.255.0 vpn_gateway"
push "route 194.41.16.0 255.255.240.0 vpn_gateway"
push "route 198.49.8.0 255.255.255.0 vpn_gateway"
push "route 198.180.74.0 255.255.255.0 vpn_gateway"
push "route 198.180.97.0 255.255.255.0 vpn_gateway"
push "route 198.200.130.0 255.255.255.0 vpn_gateway"
push "route 198.206.164.0 255.255.255.0 vpn_gateway"
push "route 199.30.16.0 255.255.240.0 vpn_gateway"
push "route 199.60.28.0 255.255.255.0 vpn_gateway"
push "route 199.103.90.0 255.255.254.0 vpn_gateway"
push "route 199.103.122.0 255.255.255.0 vpn_gateway"
push "route 199.192.112.0 255.255.252.0 vpn_gateway"
push "route 199.223.232.0 255.255.248.0 vpn_gateway"
push "route 199.242.32.0 255.255.240.0 vpn_gateway"
push "route 199.242.48.0 255.255.248.0 vpn_gateway"
push "route 202.89.224.0 255.255.248.0 vpn_gateway"
push "route 204.14.180.0 255.255.255.0 vpn_gateway"
push "route 204.79.135.0 255.255.255.0 vpn_gateway"
push "route 204.79.179.0 255.255.255.0 vpn_gateway"
push "route 204.79.195.0 255.255.255.0 vpn_gateway"
push "route 204.79.197.0 255.255.255.0 vpn_gateway"
push "route 204.79.252.0 255.255.255.0 vpn_gateway"
push "route 204.95.96.0 255.255.240.0 vpn_gateway"
push "route 204.152.18.0 255.255.254.0 vpn_gateway"
push "route 204.152.140.0 255.255.254.0 vpn_gateway"
push "route 206.138.168.0 255.255.248.0 vpn_gateway"
push "route 206.191.224.0 255.255.224.0 vpn_gateway"
push "route 207.46.0.0 255.255.224.0 vpn_gateway"
push "route 207.46.36.0 255.255.252.0 vpn_gateway"
push "route 207.46.40.0 255.255.248.0 vpn_gateway"
push "route 207.46.48.0 255.255.240.0 vpn_gateway"
push "route 207.46.64.0 255.255.192.0 vpn_gateway"
push "route 207.46.128.0 255.255.128.0 vpn_gateway"
push "route 207.68.128.0 255.255.192.0 vpn_gateway"
push "route 207.82.250.0 255.255.254.0 vpn_gateway"
push "route 207.126.144.0 255.255.240.0 vpn_gateway"
push "route 207.223.160.0 255.255.240.0 vpn_gateway"
push "route 208.65.152.0 255.255.252.0 vpn_gateway"
push "route 208.68.136.0 255.255.248.0 vpn_gateway"
push "route 208.76.45.0 255.255.255.0 vpn_gateway"
push "route 208.76.46.0 255.255.255.0 vpn_gateway"
push "route 208.84.0.0 255.255.252.0 vpn_gateway"
push "route 208.84.4.0 255.255.255.0 vpn_gateway"
push "route 208.117.224.0 255.255.224.0 vpn_gateway"
push "route 209.85.128.0 255.255.192.0 vpn_gateway"
push "route 209.85.192.0 255.255.192.0 vpn_gateway"
push "route 209.85.238.0 255.255.255.0 vpn_gateway"
push "route 209.185.128.0 255.255.252.0 vpn_gateway"
push "route 209.185.240.0 255.255.252.0 vpn_gateway"
push "route 209.240.192.0 255.255.224.0 vpn_gateway"
push "route 213.199.128.0 255.255.192.0 vpn_gateway"
push "route 216.32.180.0 255.255.252.0 vpn_gateway"
push "route 216.32.240.0 255.255.252.0 vpn_gateway"
push "route 216.33.240.0 255.255.252.0 vpn_gateway"
push "route 216.58.192.0 255.255.224.0 vpn_gateway"
push "route 216.73.81.0 255.255.255.0 vpn_gateway"
push "route 216.73.82.0 255.255.255.0 vpn_gateway"
push "route 216.73.85.0 255.255.255.0 vpn_gateway"
push "route 216.73.88.0 255.255.254.0 vpn_gateway"
push "route 216.73.92.0 255.255.252.0 vpn_gateway"
push "route 216.220.208.0 255.255.240.0 vpn_gateway"
push "route 216.239.32.0 255.255.240.0 vpn_gateway"
push "route 216.239.44.0 255.255.254.0 vpn_gateway"
push "route 216.239.64.0 255.255.240.0 vpn_gateway"
```
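As an added example (not code from the original post), the Python script below checks a set of server push lines for the two pitfalls this page points out in sections 3.7 and 4: a `route 0.0.0.0 0.0.0.0 net_gateway` line combined with `redirect-gateway`, and a pushed DNS server that the client's longest-prefix match would send to the local gateway instead of the tunnel (which is why the /32 routes for the DNS servers are needed). The sample push lines are constructed in the style of section 4, with the /32 route for 192.168.100.4 deliberately left out.

```python
import ipaddress
import re

# Constructed sample in the style of sections 3.7 and 4: default route local,
# private ranges local, internal DNS through the tunnel. 192.168.100.4 has no /32.
SAMPLE_PUSH = """
push "route 0.0.0.0 0.0.0.0 net_gateway"
push "route 192.168.0.0 255.255.0.0 net_gateway"
push "dhcp-option DNS 192.168.100.3"
push "dhcp-option DNS 192.168.100.4"
push "route 192.168.100.3 255.255.255.255 vpn_gateway"
push "route 192.168.6.0 255.255.255.0 vpn_gateway"
"""

def parse_push(text):
    """Return (routes, dns_servers, has_redirect); routes are (network, gateway)."""
    routes, dns, redirect = [], [], False
    for line in text.splitlines():
        m = re.match(r'^\s*push\s+"([^"]*)"', line)
        if not m:
            continue  # blank lines, comments, non-push directives
        parts = m.group(1).split()
        if parts[0] == "route":
            # "addr/dotted-mask" is accepted; a non-contiguous mask raises ValueError
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            gw = parts[3] if len(parts) > 3 else "vpn_gateway"  # OpenVPN's default
            routes.append((net, gw))
        elif parts[0] == "dhcp-option" and parts[1] == "DNS":
            dns.append(ipaddress.ip_address(parts[2]))
        elif parts[0] == "redirect-gateway":
            redirect = True
    return routes, dns, redirect

def gateway_for(addr, routes):
    """Longest-prefix match, the way the client's routing table resolves addr."""
    addr = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, gw) for net, gw in routes if addr in net]
    return max(hits)[1] if hits else None

def check_push(text):
    """Return problem strings for the pitfalls described in sections 3.7 and 4."""
    routes, dns, redirect = parse_push(text)
    problems = []
    if redirect and any(n.prefixlen == 0 and gw == "net_gateway" for n, gw in routes):
        problems.append("route 0.0.0.0/0 net_gateway cannot coexist with redirect-gateway")
    for server in dns:
        if gateway_for(server, routes) != "vpn_gateway":
            problems.append(f"pushed DNS {server} is not routed through vpn_gateway")
    return problems
```

Running `check_push(SAMPLE_PUSH)` reports only 192.168.100.4: it falls under the `192.168.0.0/16 net_gateway` route, so name resolution would leave via the local interface until a `/32 vpn_gateway` route is pushed for it.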
V. Verifying Functionality {#五验证功能}
Rename the exported OpenVPN-Client.conf configuration file to the .ovpn extension so that phones and computers can import it.
5.1 View the local routing table {#51查看本地路由表}
5.2 Static key authentication {#52静态密钥认证}
5.3 View the local routing table {#53查看本地路由表}
5.4 Add the client username/password authentication parameter {#54添加客户端账号密码认证参数}
```
auth-user-pass
```
5.4.1 Create the account {#541创建账号密码}
5.4.2 Re-import the configuration file {#542重新导入配置文件}
Because the additional configuration has not been added yet, there is still no effect on routes or DNS.
5.5 Add the additional configuration {#55添加附加配置}
Add the additional configuration from step IV (the combined configuration) above to the server's additional configuration, click Save, and have the client reconnect; no re-import is needed. Then look at the routing table and DNS resolution again.
5.5.1 View the routing table {#551查看路由表}
Several hundred additional routes to Google and Microsoft now go via 100.255.255.1 into the VPN tunnel.
5.5.2 Check DNS resolution {#552查看dns解析}
Resolving baidu now uses the internal DNS server.