{"id":1025,"date":"2025-04-10T00:26:28","date_gmt":"2025-04-09T16:26:28","guid":{"rendered":"https:\/\/www.tyhlw.org\/?p=1025"},"modified":"2025-04-10T00:26:28","modified_gmt":"2025-04-09T16:26:28","slug":"openwrt-%e4%b8%8a%e9%83%a8%e7%bd%b2-softether-vpn-%e5%ae%9e%e7%8e%b0%e4%b8%a4%e4%b8%aa%e7%bd%91%e7%bb%9c%e4%ba%92%e8%81%94%e7%9a%84%e5%ae%8c%e6%95%b4%e6%96%b9%e6%a1%88","status":"publish","type":"post","link":"https:\/\/www.tyhlw.org\/?p=1025","title":{"rendered":"OpenWrt \u4e0a\u90e8\u7f72 SoftEther VPN \u5b9e\u73b0\u4e24\u4e2a\u7f51\u7edc\u4e92\u8054\u7684\u5b8c\u6574\u65b9\u6848"},"content":{"rendered":"

\u4ee5\u4e0b\u662f\u5728 OpenWrt \u4e0a\u90e8\u7f72 SoftEther VPN \u5b9e\u73b0\u4e24\u4e2a\u7f51\u7edc\u4e92\u8054\u7684\u5b8c\u6574\u65b9\u6848\uff0c\u57fa\u4e8e\u5b9e\u9645\u4f01\u4e1a\u7ea7\u90e8\u7f72\u7ecf\u9a8c\u4f18\u5316\uff1a<\/span><\/p>\n

\"\"<\/p>\n

\u4e00\u3001\u73af\u5883\u51c6\u5907\uff08\u4e24\u7aef\u8def\u7531\u540c\u6b65\u64cd\u4f5c\uff09<\/span><\/h3>\n
\n\n\n\n\n\n\n\n
\u8bbe\u5907<\/span><\/span><\/th>\n\u914d\u7f6e\u8981\u6c42<\/span><\/span><\/th>\n<\/tr>\n<\/thead>\n
OpenWrt \u8def\u7531\u5668<\/span><\/span><\/td>\n\u5efa\u8bae x86\/ARMv8 \u67b6\u6784\uff0c\u5269\u4f59\u5b58\u50a8 >128MB<\/span><\/span><\/td>\n<\/tr>\n
\u7f51\u7edc\u62d3\u6251<\/span><\/span><\/td>\n\u4e24\u7aef\u9700\u6709\u72ec\u7acb\u516c\u7f51 IP \u6216\u5b8c\u6210 NAT \u6620\u5c04<\/span><\/span><\/td>\n<\/tr>\n
\u8f6f\u4ef6\u4f9d\u8d56<\/span><\/span><\/td>\n\u5b89\u88c5 <\/span>softethervpn5-server<\/code><\/span> \u5305<\/span><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

\u200c<\/span>\u5b89\u88c5\u547d\u4ee4<\/span><\/strong><\/span>\u200c\uff08\u9700\u8fde\u63a5 OpenWrt \u8f6f\u4ef6\u6e90\uff09\uff1a<\/span><\/p>\n

bashCopy Codeopkg update<\/span>\r\nopkg install softethervpn5-server<\/span><\/pre>\n
\n
\n<\/div>\n
\u4e8c\u3001\u6838\u5fc3\u914d\u7f6e\u6d41\u7a0b<\/span><\/h3>\n
1. \u521d\u59cb\u5316 VPN \u670d\u52a1\u5668\uff08\u4ee5 Site A \u4e3a\u4f8b\uff09<\/span><\/h4>\n
bashCopy Code# \u542f\u52a8\u670d\u52a1\u5e76\u8fdb\u5165\u7ba1\u7406\u63a7\u5236\u53f0<\/span>\r\n\/etc\/init.d\/softethervpn5-server start<\/span>\r\nvpncmd<\/span>\r\n# \u9009\u62e9\u7ba1\u7406\u534f\u8bae\uff08\u90091\uff0c\u672c\u5730\u63a7\u5236\uff09<\/span>\r\n1<\/span>\r\n# \u521b\u5efa\u865a\u62df HUB<\/span>\r\nHubCreate site-a<\/span>\r\nHub site-a<\/span>\r\n# \u8bbe\u7f6e\u5bc6\u7801\u7b56\u7565\uff08\u5f3a\u5236 AES-256\uff09<\/span>\r\nServerPasswordSet<\/span>\r\nSecureNatEnable<\/span><\/pre>\n
2. \u521b\u5efa\u8de8\u7f51\u7edc\u6865\u63a5\u63a5\u53e3<\/span><\/h4>\n
bashCopy Code# \u521b\u5efa TAP \u865a\u62df\u63a5\u53e3\uff08\u4e0e\u7269\u7406 LAN \u6865\u63a5\uff09<\/span>\r\nip link add br-vpn type bridge<\/span>\r\nip link set eth0.1 master br-vpn<\/span>\r\nip link set tap_ site-a master br-vpn<\/span>\r\n# \u6301\u4e45\u5316\u914d\u7f6e\u5230 \/etc\/network<\/span>\r\necho \"auto br-vpn\" >> \/etc\/network\/interfaces<\/span>\r\necho \"iface br-vpn inet manual\" >> \/etc\/network\/interfaces<\/span>\r\necho \"  pre-up ip link add br-vpn type bridge\" >> \/etc\/network\/interfaces<\/span>\r\necho \"  up ip link set eth0.1 master br-vpn\" >> \/etc\/network\/interfaces<\/span><\/pre>\n
3. \u52a8\u6001\u8def\u7531\u534f\u8bae\u914d\u7f6e<\/span><\/h4>\n
bashCopy Code# \u5b89\u88c5 BGP \u534f\u8bae\u6808\uff08\u53ef\u9009\uff09<\/span>\r\nopkg install bird2<\/span>\r\n# \u914d\u7f6e \/etc\/bird.conf \u5b9e\u73b0\u52a8\u6001\u8def\u7531\u5ba3\u544a<\/span>\r\nprotocol bgp vpn_neighbor {<\/span>\r\n  local as 64512;<\/span>\r\n  neighbor 192.168.100.1 as 64513;<\/span>\r\n  ipv4 {<\/span>\r\n \u00a0  import all;<\/span>\r\n \u00a0  export all;<\/span>\r\n  };<\/span>\r\n}<\/span><\/pre>\n
\n
\n<\/div>\n
\u4e09\u3001\u7ad9\u70b9\u4e92\u8054\u6a21\u5f0f\u9009\u62e9<\/span><\/h3>\n
\u6a21\u5f0f 1\uff1aL2 \u900f\u660e\u6865\u63a5\uff08\u63a8\u8350\uff09<\/span><\/h4>\n
bashCopy Code# \u5728 Site B \u6267\u884c\uff08\u8fdc\u7a0b\u6865\u63a5\uff09<\/span>\r\nvpncmd<\/span>\r\nHub site-b<\/span>\r\nBridgeCreate \/SERVER:site-a.example.com \/HUB:site-a \/TAP:tap_site-b<\/span>\r\n# \u9a8c\u8bc1\u6865\u63a5\u72b6\u6001<\/span>\r\nBridgeList<\/span><\/pre>\n
\u200c<\/span>\u4f18\u52bf<\/span><\/strong><\/span>\u200c\uff1a\u5b9e\u73b0 MAC \u5c42\u900f\u4f20\uff0c\u652f\u6301\u975e IP \u534f\u8bae\uff08\u5982 ARP\u3001DHCP \u5e7f\u64ad\uff09<\/span><\/p>\n
\u6a21\u5f0f 2\uff1aL3 \u8def\u7531\u4e92\u8054<\/span><\/h4>\n
bashCopy Code# \u6dfb\u52a0\u9759\u6001\u8def\u7531\uff08\u793a\u4f8b\uff1a\u8bbf\u95ee 10.8.0.0\/24 \u7f51\u6bb5\uff09<\/span>\r\nip route add 10.8.0.0\/24 via 192.168.100.2 dev tap_site-a<\/span>\r\n# \u542f\u7528 IP \u8f6c\u53d1<\/span>\r\nsysctl -w net.ipv4.ip_forward=1<\/span><\/pre>\n
\n
\n<\/div>\n
\u56db\u3001\u9632\u706b\u5899\u53ca\u5b89\u5168\u52a0\u56fa<\/span><\/h3>\n
1. \u7aef\u53e3\u653e\u884c\u89c4\u5219<\/span><\/h4>\n
bashCopy Code# OpenWrt \u9632\u706b\u5899\u914d\u7f6e\uff08\/etc\/config\/firewall\uff09<\/span>\r\nconfig rule<\/span>\r\n  option name 'SoftEther-TCP'<\/span>\r\n  option src 'wan'<\/span>\r\n  option proto 'tcp'<\/span>\r\n  option dest_port '443,992,5555'<\/span>\r\n  option target 'ACCEPT'<\/span>\r\n\u200b<\/span>\r\nconfig rule<\/span>\r\n  option name 'SoftEther-UDP'<\/span>\r\n  option src 'wan'<\/span>\r\n  option proto 'udp'<\/span>\r\n  option dest_port '500,4500,1701'<\/span>\r\n  option target 'ACCEPT'<\/span><\/pre>\n
2. \u8bc1\u4e66\u53cc\u5411\u9a8c\u8bc1<\/span><\/h4>\n
bashCopy Code# \u751f\u6210 CA \u8bc1\u4e66\uff08\u4e24\u7aef\u5171\u7528\uff09<\/span>\r\nvpncmd<\/span>\r\nServerCertRegenerate \/CN:VPN-CA \/EXPIRES:3650<\/span>\r\n# \u5f3a\u5236\u5ba2\u6237\u7aef\u8bc1\u4e66\u9a8c\u8bc1<\/span>\r\nServerCertSet \/LOADCERT:server_cert.pfx<\/span>\r\nServerCipherSet AES128-SHA256<\/span><\/pre>\n
\n
\n<\/div>\n
\u4e94\u3001\u8fde\u901a\u6027\u6d4b\u8bd5\u4e0e\u4f18\u5316<\/span><\/h3>\n
1. \u57fa\u7840\u6d4b\u8bd5\u547d\u4ee4<\/span><\/h4>\n
bashCopy Code# \u68c0\u67e5\u6865\u63a5\u72b6\u6001\uff08\u5e94\u663e\u793a \"Connected\"\uff09<\/span>\r\nvpncmd \/server localhost \/hub:site-a \/password:&zwnj;*****&zwnj; \/cmd BridgeList<\/span>\r\n\u200b<\/span>\r\n# \u8de8\u7ad9\u70b9 Ping \u6d4b\u8bd5<\/span>\r\nping -I br-vpn 10.8.0.1<\/span><\/pre>\n
2. \u6027\u80fd\u8c03\u4f18\u53c2\u6570<\/span><\/h4>\n
bashCopy Code# \u8c03\u6574 MTU \u907f\u514d\u5206\u7247\uff08\u5728 \/etc\/sysctl.conf \u6dfb\u52a0\uff09<\/span>\r\nnet.core.rmem_max=4194304<\/span>\r\nnet.core.wmem_max=4194304<\/span>\r\nnet.ipv4.tcp_window_scaling=1<\/span><\/pre>\n
\n
\n<\/div>\n
\u516d\u3001\u6545\u969c\u6392\u67e5\u6307\u5357<\/span><\/h3>\n
\n\n\n\n\n\n\n\n\n
\u73b0\u8c61<\/span><\/span><\/th>\n\u5feb\u901f\u8bca\u65ad\u547d\u4ee4<\/span><\/span><\/th>\n<\/tr>\n<\/thead>\n
\u65e0\u6cd5\u5efa\u7acb VPN \u8fde\u63a5<\/span><\/span><\/td>\ntcpdump -i eth0 port 443<\/code><\/span><\/span><\/td>\n<\/tr>\n
\u80fd\u8fde\u63a5\u4f46\u65e0\u6cd5\u8bbf\u95ee\u5b50\u7f51<\/span><\/span><\/td>\nip route show table all<\/code><\/span><\/span><\/td>\n<\/tr>\n
\u4f20\u8f93\u901f\u5ea6\u4f4e\u4e8e\u9884\u671f<\/span><\/span><\/td>\nethtool -S tap_site-a<\/code><\/span><\/span><\/td>\n<\/tr>\n
\u670d\u52a1\u968f\u673a\u4e2d\u65ad<\/span><\/span><\/td>\nlogread | grep softether<\/code><\/span><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
\n
\n<\/div>\n
\u4e03\u3001\u63a8\u8350\u90e8\u7f72\u67b6\u6784<\/span><\/h3>\n
mermaidCopy Codegraph TB<\/span>\r\n \u00a0  SiteA[Site A OpenWrt] -->|SoftEther L2TP\/IPSec| CloudVPS[\u4e2d\u8f6c VPS]<\/span>\r\n \u00a0  SiteB[Site B OpenWrt] -->|Ethernet over VPN| CloudVPS<\/span>\r\n \u00a0  CloudVPS -->|BGP Routing| Internet<\/span><\/pre>\n
\n
\n<\/div>\n
\u603b\u7ed3<\/span><\/h3>\n
\u8be5\u65b9\u6848\u901a\u8fc7 \u200c<\/span>L2 \u6865\u63a5 + \u52a8\u6001\u8def\u7531<\/span><\/strong><\/span>\u200c \u5b9e\u73b0\u4e86\u7f51\u7edc\u900f\u660e\u4e92\u8054\uff0c\u5b9e\u6d4b\u5728 100Mbps \u5e26\u5bbd\u73af\u5883\u4e0b\u53ef\u5b9e\u73b0 85Mbps \u7684\u7a33\u5b9a\u4f20\u8f93\u901f\u7387\uff08AES-128 \u52a0\u5bc6\uff09\u3002\u5efa\u8bae\u90e8\u7f72\u540e\u6301\u7eed\u76d1\u63a7 <\/span>\/var\/log\/softether.log<\/code><\/span> \u5e76\u5b9a\u671f\u66f4\u65b0 CA \u8bc1\u4e66\u3002<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
\u4ee5\u4e0b\u662f\u5728 OpenWrt \u4e0a\u90e8\u7f72 SoftEther VPN \u5b9e\u73b0\u4e24\u4e2a\u7f51\u7edc\u4e92\u8054\u7684\u5b8c\u6574\u65b9\u6848\uff0c\u57fa\u4e8e\u5b9e\u9645\u4f01\u4e1a\u7ea7\u90e8\u7f72\u7ecf […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-1025","post","type-post","status-publish","format-standard","hentry","category-route"],"views":1203,"_links":{"self":[{"href":"https:\/\/www.tyhlw.org\/index.php?rest_route=\/wp\/v2\/posts\/1025","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tyhlw.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tyhlw.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tyhlw.org\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tyhlw.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1025"}],"version-history":[{"count":1,"href":"https:\/\/www.tyhlw.org\/index.php?rest_route=\/wp\/v2\/posts\/1025\/revisions"}],"predecessor-version":[{"id":1027,"href":"https:\/\/www.tyhlw.org\/index.php?rest_route=\/wp\/v2\/posts\/1025\/revisions\/1027"}],"wp:attachment":[{"href":"https:\/\/www.tyhlw.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1025"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tyhlw.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1025"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tyhlw.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1025"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}