OpenWrt21.01.0-rc3の設定とStrongSwan+xl2tpd+adblockを入れる

OpenWrt21.01.0-rc3の設定とVPN・adblockを入れる

  • OpenWrt 21.01.0-rc3
  • 上流はPPPoE IPv4のみ、フレッツにもPPPoEマルチセッションで接続できるようにする。フレッツ網内の転送速度計測ができる。
  • LAN側IPアドレスは192.168.0.254
  • LAN側へ提供するDNSは本ルーターを使う。
  • VPNはStrongSwan+PPPでL2TP・PreSharedKey
  • adblockも入れる

OpenWrtの設定

上流はPPPoE IPv4のみ、FLETSにもPPPoEマルチセッションする

web ui Interfaces - LAN

  • Protocol: Static address
  • IPv4 address: 192.168.0.254
  • Use default gateway: Yes
  • Use Custom DNS servers: 192.168.0.254

webui DHCP and DNS

  • Local Server: /★自ドメイン名★/
  • Local domain: ★自ドメイン名★
  • DNS forwardings:
    • /flets/123.107.190.5
    • /flets/123.107.190.6
    • /v4flets-east.jp/123.107.190.5
    • /v4flets-east.jp/123.107.190.6

webui Network - Interface

  • WANをPPPoEで設定
  • Add new interfaceでインターフェースを追加する。
    • Name: FLETS
    • Protocol: PPPoE
    • Device: eth0.2
    • Use Default Gateway: No
    • Firewall Settings: wan ゾーンに所属させる(どのゾーンにも属さないインターフェースは firewall の defaults ポリシーで扱われ、OpenWrt 標準では input が ACCEPT のため、フレッツ網側からルーター自身のサービスに到達できてしまう可能性がある)

/etc/config/dhcp に以下追記

# odhcpd settings for the upstream IPv6 interface: DHCPv6, RA and NDP are
# relayed rather than served.  'master' presumably marks wan6 as the
# upstream side of the relay (verify against the odhcpd documentation).
# The page states the upstream is PPPoE IPv4 only, so this section only
# takes effect once wan6 actually obtains IPv6 connectivity.
# start/leasetime/limit are DHCPv4 pool parameters and are likely unused
# in relay mode; they are harmless here.
config dhcp 'wan6'
	option interface 'wan6'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'
	option master '1'
	option start '100'
	option leasetime '12h'
	option limit '150'

ホスト名、DHCPで与えるIPアドレスの固定、ポートフォワーディングはweb uiから設定する。

/etc/config/network に以下追記

#FLETS
# Prefixes reachable only through the second PPPoE session.  The 'FLETS'
# interface is created with no default gateway, so these three static
# routes are the only traffic sent over it.  123.107.190.0/24 also holds
# the DNS servers used by the /flets/ and /v4flets-east.jp/ forwardings.
config route
	option interface 'FLETS'
	option target '123.107.190.0'
	option netmask '255.255.255.0'

config route
	option interface 'FLETS'
	option target '220.210.194.0'
	option netmask '255.255.255.128'

config route
	option interface 'FLETS'
	option target '220.210.198.0'
	option netmask '255.255.255.192'

adblockの設定

パッケージ導入

# opkg update
# opkg install adblock libustream-mbedtls luci-app-adblock tcpdump-mini

webui whitelist

#--rakutenrebates
ck.jp.ap.g.valuecommerce.com
atrrd.valuecommerce.com
ck.jp.ap.valuecommerce.com
drd.g.valuecommerce.com
vcentry3.valuecommerce.ne.jp
vcentry3.g.valuecommerce.ne.jp
app.adjust.com
app.adjust.net.in
app.adjust.world
#--rakutenrebates
api.branch.io
#--rakutenaffiliate
hb.afl.rakuten.co.jp
www.googleadservices.com
fls-fe.amazon.com

webui adblock

  • adblock
    • Startup Trigger Interface: wan
    • Verbose Debug Logging: yes (設定が安定したら no に戻す)
    • Report Interface: br-lan
  • DHCP and DNS - Advanced Settings
    • Size of DNS Query Cache: 10000

/etc/config/adblockに以下追記

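# Extra adblock source: a Japanese-focused Adblock Plus list.
# adb_src_rset is the awk program that extracts host names from
# "||host^" and "||host^$third-party" rules.  The trailing label class is
# [[:alpha:]]+ — the page rendered it as ":alpha:+", which is not a POSIX
# character class and would match no real domain.  Because the pattern only
# admits [[:alnum:]_-] and '.' characters, a change in the upstream list can
# at most add or remove host names in the generated DNS block list.
config source 'toufu'
	option enabled '1'
	option adb_src 'https://raw.githubusercontent.com/tofukko/filter/master/Adblock_Plus_list.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}\$0~/^\|\|([[:alnum:]_-]+\.){1,}[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on Japanese ads'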

VPN: StrongSwan+PPPでL2TP・PreSharedKeyの設定

StrongSwan+PPPでL2TP・PreSharedKey

パッケージ導入

# opkg update
# opkg install strongswan-full openssl-util xl2tpd

/etc/config/networkに以下追記

#L2TP
#L2TP
# Unmanaged ('none') interfaces wrapping the ppp0..ppp3 devices that pppd
# creates for L2TP sessions, so that the firewall can place them in the
# 'vpn' zone.  Four entries = up to four concurrent VPN sessions.
# NOTE(review): assumes the PPPoE sessions use the pppoe-<iface> device
# names so ppp0–ppp3 are free for xl2tpd — confirm with ifconfig/ip link.
config interface 'vpn0'
	option ifname 'ppp0'
	option proto 'none'
	option auto '1'

config interface 'vpn1'
	option ifname 'ppp1'
	option proto 'none'
	option auto '1'

config interface 'vpn2'
	option ifname 'ppp2'
	option proto 'none'
	option auto '1'

config interface 'vpn3'
	option ifname 'ppp3'
	option proto 'none'
	option auto '1'

/etc/config/firewall の下記エントリを削除

# Stock OpenWrt rules to delete (the '....' stands for their remaining
# options).  As shipped they presumably forward ESP/ISAKMP from wan towards
# lan; IPsec now terminates on the router itself, so they are replaced by
# the INPUT rules added below.
config rule
	option name Allow-IPSec-ESP
	....

config rule
	option name Allow-ISAKMP
	....

/etc/config/firewall に以下追記

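#config IPSec
# IKE and ESP terminate on the router, so these are INPUT rules on the wan
# zone.  AH is not opened: the ipsec.conf on this page configures ESP
# proposals only, so an AH SA is never negotiated.
config rule
	option name 'Allow-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-IKE'
	option src 'wan'
	option proto 'udp'
	option dest_port '500'
	option target 'ACCEPT'

config rule
	option name 'Allow-IKE(NAT-T)'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'

# L2TP (UDP 1701) is accepted only after it has been decapsulated from an
# IPsec SA; 'extra' passes the policy match straight to iptables.  Without
# it anyone on the Internet could reach xl2tpd/pppd directly and attempt
# MS-CHAPv2 logins outside the encrypted tunnel.
config rule
	option name 'L2TP'
	option src 'wan'
	option proto 'udp'
	option dest_port '1701'
	option extra '-m policy --dir in --pol ipsec --proto esp'
	option target 'ACCEPT'

# Zone for the pppN sessions.  input ACCEPT means VPN clients can reach the
# router's own services (LuCI, ssh, DNS) like a LAN host; add rules with
# src 'vpn' if that is not intended.
config zone
	option name 'vpn'
	option network 'vpn0 vpn1 vpn2 vpn3'
	option conntrack '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# VPN clients may reach the LAN and the Internet; LAN hosts may reach VPN
# clients.
config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

# Existing section: add 'reload' so /etc/firewall.user is re-run on every
# firewall reload, not only at start.
config include
	option path '/etc/firewall.user'
	option reload '1'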

/etc/firewall.user に以下追記

# Accept traffic that arrived inside an IPsec SA (xt_policy match) in every
# direction.  '-I' inserts at the top of each chain, ahead of the fw3 zone
# jumps, so the decapsulated L2TP/PPP packets are not rejected by zone
# policy.  IPv4 only, which matches the IPv4-only upstream on this page.
iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT

/etc/ipsec.conf に以下追記(なければ作成)

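# Add connections here.
# L2TP/IPsec responder: IKEv1 main mode, pre-shared key, transport mode.
# Clients behind NAT match the -NAT variant, which widens rightsubnet;
# everything else is inherited from L2TP-PSK-noNAT via also=.
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    forceencaps=yes
    authby=secret
    auto=add
    keyexchange=ikev1
    keyingtries=3
    # Proposals are strict ('!').  A SHA-256/modp2048 proposal is listed
    # first so clients that offer it get the stronger group; the modp1024,
    # SHA-1 and 3DES entries remain only for the legacy clients noted here
    # (Win7: aes256-sha1-modp1024; iOS: aes256-sha256-modp1024;
    # macOS: 3des-sha1-modp1024).  Remove them once no such client is left.
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    # ESP: Win7 aes256-sha1, iOS aes256-sha256, macOS 3des-sha1
    esp=aes256-sha256,aes256-sha1,3des-sha1!
    rekey=no
    ikelifetime=8h
    lifetime=1h
    # Transport mode, L2TP on our side only (UDP 1701); any client port.
    type=transport
    left=%any
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # Dead peer detection: tear the SA down when a client disappears.
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear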

/etc/ipsec.secrets に以下追記

: PSK "★PreSharedKeyとして設定する文字列★"

/etc/strongswan.conf に以下追記

# charon daemon settings.  The plugins include keeps the stock per-plugin
# configuration loaded.
charon {
	load_modular = yes
	plugins {
		include strongswan.d/charon/*.conf
	}
	# DNS servers handed out through IKE configuration payloads.
	# NOTE(review): the L2TP clients on this page take DNS from PPP
	# (ms-dns in options.xl2tpd), so these likely have no effect — verify.
	dns1=192.168.0.254
	dns2=192.168.0.3
}

/etc/sysctl.conf に以下追記

# Kernel settings for the IPsec/L2TP gateway role.
net.ipv4.ip_forward=1
# Presumably drops packets that would otherwise be queued/leaked while an
# IPsec SA is still being negotiated (larval state).
net.core.xfrm_larval_drop = 1
# Neither send nor accept ICMP redirects — common hardening for a box that
# routes between VPN peers and the LAN.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
# Reverse-path filtering is switched off because VPN peers use LAN-subnet
# addresses (192.168.0.81-89) yet arrive on pppN, which strict mode would
# reject.
# NOTE(review): 0 also disables anti-spoofing on the WAN interfaces; loose
# mode (rp_filter = 2) is normally sufficient for this layout — test it
# before settling on 0.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

/etc/ppp/chap-secrets に以下追記

# Secrets for authentication using CHAP
# Passwords are stored in clear text: keep this file root-only (mode 600).
# 'server' is '*' so an entry matches the 'name l2tp' pppd announces; the
# last column '*' lets xl2tpd assign the address from its ip range.
# client	server	secret			IP addresses
★ユーザー名1★	*	★パスワード1★	*
★ユーザー名2★	*	★パスワード2★	*

/etc/ppp/options.xl2tpd に以下追記

# pppd options for L2TP sessions (referenced by pppoptfile in xl2tpd.conf).
name l2tp
ipcp-accept-local
ipcp-accept-remote
# Only MS-CHAPv2 is accepted for PPP authentication.  It is weak on its own
# (offline-crackable), which is why UDP 1701 must only be reachable inside
# the IPsec SA.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# Never let a client session replace the router's own default route.
nodefaultroute
# Hand out this router as the client's DNS server (same as the LAN setting).
ms-dns 192.168.0.254
#nobsdcomp
# Leave room for the L2TP + ESP + UDP encapsulation overhead.
mtu 1350
mru 1350
# NOTE(review): /var is tmpfs on OpenWrt, so this log lives in RAM and is
# lost on reboot; size it accordingly if xl2tpd debug output stays enabled.
logfile /var/log/xl2tpd.log
# Clients get LAN-subnet addresses; proxyarp makes the router answer ARP
# for them on br-lan so LAN hosts can reach VPN peers directly.
netmask 255.255.255.0
#persist
proxyarp
#lock
deflate 15,15
bsdcomp 15,15
vj-max-slots 16

/etc/xl2tpd/xl2tpd.conf に以下追記

VPN接続用にIPアドレスを確保するのは192.168.0.80-192.168.0.89の範囲とする。

; xl2tpd LNS behind the IPsec transport SA.  'access control = no' lets any
; LAC connect; reachability of UDP 1701 has to be gated by the firewall and
; IPsec, not here.
[global]                                ; Global parameters:
access control = no
;auth file = /etc/xl2tpd/xl2tp-secrets
auth file = /etc/ppp/chap-secrets     ; * Where our challenge secrets are
port = 1701
; Packet-level debugging: useful while bringing the tunnel up, but it logs
; every L2TP/PPP frame — set these back to no once the VPN works.
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
debug tunnel = yes

[lns default]                           ; Our fallthrough LNS definition
; Addresses come from the LAN subnet (see netmask/proxyarp in options.xl2tpd).
ip range = 192.168.0.81-192.168.0.89    ; * Allocate from this IP range
local ip = 192.168.0.80                 ; * Our local IP to use
length bit = yes                        ; * Use length bit in payload?
refuse pap = yes                        ; * Refuse PAP authentication
require chap = yes                       ; * Require CHAP authentication (pppd narrows it to MS-CHAPv2)
require authentication = yes            ; * Require peer to authenticate
name = l2tp                             ; * Report this as our hostname
pppoptfile = /etc/ppp/options.xl2tpd