Setting Up an OpenVPN Server on an OrangePi Zero

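The previous post covered how to install an OS on the OrangePi Zero. With nothing but an OS on it, the board just sits there with not much to do. I thought of the following ways to use it:
1. A CPU miner for bitcoin or litecoin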
2. Amazon Alexa
3. OpenVPN Server
4. Squid Proxy Server
5. LAMP stack

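After trial runs over the past several days, using it as a bitcoin or litecoin miner does not work: stratum detects new blocks much faster than the OrangePi Zero's CPU can keep up. The OrangePi 2E, on the other hand, is OK.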

As for Amazon Alexa, I lost interest partway through and simply paid for an Echo Dot to bring home.

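What I'm going to show you this time is how to set up an OpenVPN Server. I have a specific use case for it, and if you often have to go to mainland China, setting up an OpenVPN will definitely help you.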

The first step is, of course, to su to root

sudo -i

Then run the following commands and you're done

apt-get update -y
apt-get install openvpn easy-rsa

After these two steps the OpenVPN server is basically installed; what comes next is the configuration

Creating the Certificate CA and key pair

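If you run OpenVPN over TCP rather than UDP, I personally recommend turning the encryption down a little (the default is 2048 bits). The way to change it is roughly to run the following command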

openssl dhparam -out /etc/openvpn/dh1024.pem 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.+...................++*++*++*

Creating the RSA keys: first copy the easy-rsa scripts & templates, then create a directory to hold the keypairs

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys

Edit the certificate's default parameters

vi /etc/openvpn/easy-rsa/vars
   export KEY_COUNTRY="HK"
   export KEY_PROVINCE="HK"
   export KEY_CITY="HKG"
   export KEY_ORG="My Company Name"
   export KEY_EMAIL="[email protected]"
   export KEY_OU="MYOrganizationalUnit"
   export KEY_NAME="server"

Building the CA

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server server

Just follow the prompts: press 'Y' whenever you are asked and you'll be fine

Transferring the CA and Certificate

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

The 3 files above are very important for building the OpenVPN Client, so remember to keep them safe

Creating and editing server.conf

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

vi /etc/openvpn/server.conf

If you changed the dh size to 1024 or lower as above, change dh dh2048.pem to

dh dh1024.pem

Also change ;push "redirect-gateway def1 bypass-dhcp" to

push "redirect-gateway def1 bypass-dhcp"

Two other very important parameters are the service protocol and the service port. In my own case I use my company's TCP port 443 to take the VPN connection, so I use the following set of parameters

#port 1194
port 443
proto tcp
#proto udp

TCP carries a lot of overhead; unless you have a special need, it is best to stay with UDP
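
An added example, not from the original post: a small POSIX shell audit that reads back the directives edited above (port, proto, dh, redirect-gateway) and measures the DH file with openssl dhparam. The function names and the INFO/NOTE/WARN output format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report the server.conf
# settings this walkthrough edits.

# Last active value of a directive. Lines disabled with ';' or '#' never
# match, because their first field is ";push", "#port" and so on.
conf_value() {  # usage: conf_value <conf> <directive>
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Pull the size out of `openssl dhparam -text -noout` output read on stdin.
parse_dh_bits() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Measure the file named by the "dh" directive (relative to the conf's dir).
dh_bits() {  # usage: dh_bits <conf>; prints nothing if the file is unreadable
    f=$(conf_value "$1" dh)
    case "$f" in /*) ;; *) f="$(dirname "$1")/$f" ;; esac
    if [ -f "$f" ] && [ -r "$f" ]; then
        openssl dhparam -in "$f" -text -noout 2>/dev/null | parse_dh_bits
    fi
}

audit_conf() {  # usage: audit_conf <conf>; prints one finding per line
    conf=$1
    proto=$(conf_value "$conf" proto)
    echo "INFO listening on $proto/$(conf_value "$conf" port)"
    [ "$proto" = "tcp" ] &&
        echo "NOTE proto tcp: extra overhead, prefer udp unless tcp is required"
    bits=$(dh_bits "$conf")
    if [ -z "$bits" ]; then
        echo "WARN dh $(conf_value "$conf" dh): file not readable, size not verified"
    elif [ "$bits" -lt 2048 ]; then
        echo "WARN dh is $bits bits, below the 2048-bit default"
    fi
    grep -q '^[[:space:]]*push[[:space:]]*"redirect-gateway' "$conf" &&
        echo "INFO redirect-gateway pushed: client traffic is routed via this server"
    return 0
}

# Run against a config given on the command line, e.g. /etc/openvpn/server.conf
if [ "$#" -gt 0 ]; then audit_conf "$1"; fi
```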

Starting OpenVPN

Once all the commands above have been run, you can activate the OpenVPN server, and activating it is very simple

service openvpn start

To find out whether OpenVPN is running, you can do two things:

service openvpn status

tail /etc/openvpn/openvpn.log
or
tail /var/log/syslog

Author: Adrian

Just a fxxking moron who see bad money drives out good!