教育网IPV6之:hg255d+openwrt+openvpn+openssl+ipv4 to ipv6 to ipv4解决方案

当前各大高校几乎都被IPv6网络覆盖,而大多数高校的IPv6网络并未收费,所以我们可以考虑让路由器通过IPv6连接到一台同时拥有IPv4出口的VPS(IPv6 to IPv4),再由它转发访问IPv4网络。

硬件配置:

服务器:自带独立ipv6地址 centos 6.5 vps [linux、windows均可]

路由器: 华为hg255d

路由器系统版本:OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)

系统下载:链接:http://pan.baidu.com/s/1gd4FC23 密码:b5zu

hg255d软件源: http://downloads.openwrt.org/barrier_breaker/14.07/ramips/rt305x/packages/

步骤一:部署openvpn服务器环境

具体方法可参考:

http://www.hiclk.com/2015/03/20/ipv6openvpn/[推荐]

http://www.hiclk.com/2015/05/13/openvpn_ipv6_easy-rsa3/

若服务器没有IPV6地址,可参考以下教程给服务器配置IPV6地址:

http://www.hiclk.com/2015/03/20/ipv6tunnel/

步骤二:给HG255D路由器安装OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)

刷机方法请自行百度,openwrt 系统建议使用:

系统下载:链接:http://pan.baidu.com/s/1gd4FC23 密码:b5zu(该固件来自第三方网盘,刷机前请与OpenWrt官方下载目录中同版本镜像的校验和文件核对,确认镜像未被篡改。)

步骤三:给hg255d安装openvpn客户端

废话:我在给路由器安装软件时发现了好多问题,这个版本的操作系统不能自动获取DNS,
所以不能直接从上述源下载软件安装,我就只能采取本地安装的方法。
在本地安装的过程中,我又发现,这个版本的系统不能挂载U盘,所以用U盘拷贝openvpn到路由器是不可能的。
最后我采取在本地搭建WEB服务器,然后路由器通过本地web下载软件到路由器上。

建议安装openvpn客户端版本:openvpn-openssl 2.3.6-2
安装方法:
1、在luci界面中=》软件包=》刷新源列表=》查找openvpn-openssl 2.3.6-2并安装
注意安装时间较长,如遇卡机等待片刻即可。
2、下载openvpn-openssl2.3.6-2.ipk 并拷贝到路由器内,使用opkg命令安装。

下载软件的命令:wget http://192.168.1.100/**.ipk

本地安装软件的命令:opkg install -i **.ipk

注意:使用此方法需要安装其它依赖包,在安装时根据界面提示安装各个依赖包即可。

步骤三:配置OPENVPN客户端

将步骤一生成的ca.crt、client.crt、client.key[具体名称随你当时设定的名称]拷贝到路由器的/etc/openvpn目录下[可用wget或U盘拷贝,或使用VIM新建这三个文件,将内容粘贴进去即可]。注意client.key是私钥:拷贝完成后请从本地web目录中删除,并在路由器上将其权限设为仅root可读(chmod 600)。
使用命令vi /etc/openvpn/client.ovpn创建客户端配置文件,参考内容如下:


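# OpenVPN client configuration for the router (/etc/openvpn/client.ovpn).
# OpenVPN config comments start with '#' or ';'; the '//' used in the original
# listing is not a comment, so "8080//..." became part of the port argument and
# "//证书地址" an extra argument to 'ca' — both lines would be rejected.
client
dev tun
proto udp6
# OpenVPN server IPv6 address and port (masked in the original page)
remote 2607:fcd0:***:4301::***:*** 8080
resolv-retry infinite
nobind
persist-key
persist-tun
# Certificate paths (files generated in step one)
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
# Only accept a peer whose certificate was issued as a *server* certificate.
# Without this, any client certificate signed by the same CA could impersonate
# the server. Requires the server certificate to carry the server EKU (easy-rsa's
# server profile sets it); if verification then fails, re-issue the server
# certificate rather than removing this line.
remote-cert-tls server
#list route "0.0.0.0 0.0.0.0"
# comp-lzo and cipher must match the server side. Compressing tunnelled traffic
# is no longer recommended (compression-oracle attacks of the VORACLE class);
# drop comp-lzo on both ends when you can.
comp-lzo
cipher AES-128-CBC
verb 3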

配置好之后,使用命令openvpn /etc/openvpn/client.ovpn测试OpenVPN客户端能否连接到openvpn服务器。

步骤四:配置路由器

以下内容参考了:http://renxifeng.is-programmer.com/posts/43701.html,特此声明并对原创作者表示感谢!
注意:配置以下内容时请提前备份相关系统文件。

(1)配置/etc/config/system



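# /etc/config/system — hostname, time source and LED mapping for the HG255D.
config system
        option hostname 'OpenWrt'
        option timezone 'UTC'

config timeserver 'ntp'
        list server '0.openwrt.pool.ntp.org'
        list server '1.openwrt.pool.ntp.org'
        list server '2.openwrt.pool.ntp.org'
        list server '3.openwrt.pool.ntp.org'
        option enabled '1'
        option enable_server '0'

config led 'led_wifi_led'
        option name 'wifi'
        option sysfs 'hg255d:wlan'
        option trigger 'netdev'
        option dev 'wlan0'
        option mode 'link tx rx'


# The USB LED is repurposed as a VPN indicator: it follows link/traffic on
# tun0, the OpenVPN interface ('dev tun' in /etc/openvpn/client.ovpn).
config led 'led_usb'
        option name 'USB'
        option trigger 'netdev'
        option dev 'tun0' # map the USB LED to the openvpn tun device (UCI comments start with '#'; the '//' in the original is read as an extra argument and the line is rejected)
        option interval '50'
        option default '0'
        option mode 'link tx rx'
        option sysfs 'hg255d:usb'


config led 'led_eth'
        option name 'Internet'
        option sysfs 'hg255d:internet'
        option trigger 'netdev'
        option dev 'eth0.2'
        option mode 'link tx rx'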

(2)配置/etc/config/network


# /etc/config/network — only the 'ovpn' interface is added relative to the
# stock 14.07 file; everything else is the author's router as installed.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# ULA prefix and MAC addresses below are device-specific values copied from
# the author's router; they will differ on yours.
config globals 'globals'
        option ula_prefix 'fdcd:517a:905b::/48'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option macaddr '00:0c:43:30:52:77'
        option _orig_ifname 'eth0.1 wlan0'  # '_orig_*' entries appear to be LuCI bookkeeping, not read by netifd
        option _orig_bridge 'true'
        option ifname 'eth0.1'  # wlan0 joins this bridge via 'option network lan' in /etc/config/wireless

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option macaddr '00:0c:43:30:52:78'
# Added by the author: names the OpenVPN tunnel as a network so the firewall
# ('wan' zone in /etc/config/firewall) can reference it.
config interface 'ovpn' # this section is ours, added in preparation for the firewall step
        option ifname 'tun0'  # interface name OpenVPN creates ('dev tun')
        option proto 'none'  # no addressing here: OpenVPN itself configures the tunnel
config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

(3)配置/etc/config/firewall



# /etc/config/firewall — fw3 configuration. The only change relative to the
# 14.07 default is that the 'ovpn' network (tun0, declared in
# /etc/config/network) is made a member of the 'wan' zone.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN side: input ACCEPT means every LAN (and wifi) client can reach the
# router's own services; whoever can join the LAN gets this.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# WAN side: the physical uplink (wan/wan6) and the VPN tunnel (ovpn) share one
# zone, so the tunnel end is protected like the uplink (input REJECT) and LAN
# traffic leaving through tun0 is NAT'ed (masq).
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'ovpn' # added: puts the OpenVPN interface in the wan zone; without it the router itself can reach the Internet once connected, but LAN clients cannot
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 ovpn wwan' # added for the same reason as the 'list network' entries above. NOTE(review): both forms set the same member list — keep only one; 'wwan' is not declared in the /etc/config/network shown on this page (presumably ignored, verify fw3 does not complain)

# LAN -> WAN (and therefore LAN -> tunnel) forwarding.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below appear to be the stock 14.07 defaults (DHCP renew, ping,
# DHCPv6, ICMPv6); nothing VPN-specific was added.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Hand-written iptables rules, if any, go in this file.
config include
        option path '/etc/firewall.user'

(4)配置dns解析服务,这里我们修改/etc/dnsmasq.conf


# Tail of /etc/dnsmasq.conf. The commented examples are the stock dnsmasq sample
# file (page extraction stripped the angle-bracketed field names); the author's
# only additions are the three 'server=' lines at the very end.
# Change the following lines if you want dnsmasq to serve SRV
# records.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>

# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 289
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389

# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2

# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com

# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD.
# The fields are <name>,<target>
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"

# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf.
# The fields are <name>,<text>,<text>...

#Example SPF.
#txt-record=example.com,"v=spf1 a -all"

#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4

# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
# The fields are <cname>,<target>
#cname=bertand,bert
# Upstream resolvers added by the author.
server=2001:4860:4860::8844 # google ipv6 public dns
server=2001:4860:4860::8888 # google ipv6 public dns
server=8.8.8.8  # appended at the end of the file. NOTE(review): the original comment said "the lower the line, the higher its priority"; dnsmasq does not work that way — by default it spreads queries over all listed upstreams and favours the most responsive, and listing order only matters with 'strict-order'. Also, the two IPv6 resolvers are presumably reached over the campus IPv6 path rather than through the tunnel (which carries IPv4 unless the server pushes IPv6 routes) — verify which path your DNS takes if that matters to you.

(5)配置/etc/config/wireless


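# /etc/config/wireless — radio0 is the on-board 2.4 GHz wmac of the HG255D.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path '10180000.wmac'
        option htmode 'HT20'
        option txpower '20'
        option country '00'
#       option disabled '0'   # author's note: this line originally had no leading '#'
        option channel '6'

# The AP is bridged into 'lan', whose firewall zone accepts input and
# forwarding (/etc/config/firewall): anyone who associates gets LAN access,
# the router's admin services and a NAT'ed path out through the VPN tunnel.
# The original page used `option encryption 'none'` (an open network), which
# hands all of that to everyone in radio range; WPA2-PSK is the minimum here.
config wifi-iface
        option device 'radio0'
        option mode 'ap'  # radio mode: 'ap' = access point (router), 'sta' = client
        option encryption 'psk2'  # WPA2-PSK (original page: 'none')
        option key 'CHANGE-ME-8-to-63-char-passphrase'  # placeholder — set your own passphrase
        option ssid 'FREE WIFI' # default is 'OpenWrt'; change to the name you want
        option network 'lan'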

步骤五:添加计划任务

每隔四小时重新连接:
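# Reconnect every 4 hours: end the running client, then start a new one detached.
# The original line (`/openvpn /etc/openvpn/client.conf`) used a path that does
# not exist on OpenWrt (the openvpn package installs /usr/sbin/openvpn), named
# client.conf although step three created client.ovpn, and would start an extra
# foreground process every 4 hours without ending the previous one. Note that
# with 'resolv-retry infinite' and 'persist-tun' OpenVPN already reconnects on
# its own, so this periodic restart may be unnecessary.
0 0-23/4 * * * killall openvpn; /usr/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn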