一、部署环境

1.1、VMware ESXi

VMware ESXi

1.2、iKuai镜像

iKuai ISO

1.3、OpenVPN客户端

OpenVPN Client

Snipaste_2023-12-08_15-53-33

二、安装iKuai

2.1、上传镜像至ESXi

Snipaste_2023-12-08_16-04-06

2.2、创建iKuai

Snipaste_2023-12-08_16-05-14
Snipaste_2023-12-08_16-05-53
Snipaste_2023-12-08_16-06-08
Snipaste_2023-12-08_16-08-02
Snipaste_2023-12-08_16-08-18

2.3、首次开机配置

Snipaste_2023-12-08_16-11-32
Snipaste_2023-12-08_16-12-40
Snipaste_2023-12-08_16-17-21
Snipaste_2023-12-08_16-17-42
Snipaste_2023-12-08_16-18-43

2.4、二次开机配置

Snipaste_2023-12-08_16-56-31
Snipaste_2023-12-08_16-58-25
Snipaste_2023-12-08_16-58-56
Snipaste_2023-12-08_17-00-08
Snipaste_2023-12-08_17-10-10
Snipaste_2023-12-08_17-10-38
Snipaste_2023-12-08_17-02-36
Snipaste_2023-12-08_17-03-10
Snipaste_2023-12-08_17-03-37
Snipaste_2023-12-08_17-04-49
Snipaste_2023-12-08_17-05-37

三、配置OpenVPN

http://192.168.6.104

Snipaste_2023-12-08_17-34-21
Snipaste_2023-12-08_17-34-50
Snipaste_2023-12-08_17-36-12

Snipaste_2023-12-09_12-27-59
Snipaste_2023-12-09_12-39-21
Snipaste_2023-12-09_12-40-21
Snipaste_2023-12-09_12-46-20

3.1、客户端默认配置说明

Snipaste_2023-12-09_12-59-50

其中14和15默认是注释的，我们不用开启、
1. client: 表示这是OpenVPN的客户端配置文件。
2. dev-type tun 和 dev tunx: 指定OpenVPN设备的类型和名称。tun 是一种虚拟网络设备类型，tunx 是该设备的名称。
3. proto udp: 指定OpenVPN使用UDP协议进行通信。
4. tun-mtu 1400: 设置TUN设备的最大传输单元（MTU），限制了通过该通道的数据包的大小。
5. cipher BF-CBC: 指定OpenVPN使用的加密算法，此处使用的是BF-CBC算法。
6. comp-lzo: 启用压缩以提高数据传输效率。
7. remote 192.168.6.104 1194: 指定服务器的IP地址和端口号。
8. resolv-retry infinite: 在连接失败时，持续尝试无限次重新解析域名。
9. nobind: 防止OpenVPN在本地端口上绑定，允许客户端连接到任意可用的本地端口。
10. persist-key 和 persist-tun: 如果连接被意外中断，OpenVPN将保持密钥和TUN/TAP设备的持久性。
11. verb 3: 设置日志详细级别，值为3意味着显示详细的日志信息。
12. key-direction 1: 指定密钥方向，通常与加密密钥相关。
13. script-security 2: 设置脚本的安全级别，以允许特定操作执行。
14. # redirect-gateway def1 bypass-dns: 重定向所有流量到VPN并绕过DNS
15. # route-nopull: 禁止拉取任何路由。

3.2、添加客户端配置参数

以上默认参数配置完成，openvpn就可以正常使用了，但是还存在几个问题，第一：客户端路由怎么走的，第二：内网域名怎么解析，第三：认证模式单一怎么解决，第一第二问题需要通过服务器端的附加配置解决，认证模式在客户端添加如下参数解决

auth-user-pass #开启客户端账号密码认证

3.3、客户端完整配置

client
dev-type tun
dev tunx
proto udp
tun-mtu 1400
cipher BF-CBC
comp-lzo
remote 192.168.6.104 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
key-direction 1
auth-user-pass
script-security 2
# redirect-gateway def1 bypass-dns
# route-nopull
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
507d6e80efca45285d7b7c00e53ed705
-----END OpenVPN Static key V1-----
</tls-auth>
<cert>
-----BEGIN CERTIFICATE-----
MIIC6jCCAdICBGVy4Z8wDQYJKoZIhvcNAQELBQAwNzELMAkGA1UEBhMCQ04xDjAM
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA1RDOMOu6mfGkOvERiRjBJkPH8NB4IniYvU+KX9j61VFKJaQb
-----END RSA PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgIJAJjZXNsCwFjlMA0GCSqGSIb3DQEBCwUAMDcxCzAJBgNV
-----END CERTIFICATE-----
</ca>

3.4、服务端附加配置一（路由）

第一条指定223.5.5.5走本地上网网卡不走VPN隧道，第二条指定192.168.6.0/24走VPN隧道，通过这俩个参数，即可实现路由分流动作，通过服务器控制【客户端配置这个也是可以的】

push "route 223.5.5.5 255.255.255.255 net_gateway"
push "route 192.168.6.0 255.255.255.0 vpn_gateway"

3.5、服务端附加配置二（路由）

如果希望VPN客户端所有流量进过VPN服务器上网，配置如下参数

push "redirect-gateway def1" #所有流量走VPN

3.6、服务端附加配置三（路由）

如果希望VPN客户端所有流量进过VPN服务器上网，且不从VPN服务器获取DHCP，以及DNS，即：本地上网获取的IP从本地DHCP服务器获取，解析域名用本地网卡获取的DNS解析，配置如下参数

push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1 bypass-dns"

3.7、服务端附加配置四（路由）

如果希望VPN客户端所有流量默认走本地网卡，指定流量走VPN，配置如下参数

push "route 0.0.0.0 0.0.0.0 net_gateway" #这条命令和redirect-gateway def1不能能并存
push "route 192.168.6.0 255.255.255.0 vpn_gateway"

3.8、服务端附加配置五（DNS）

通过配置如下参数，可以指定VPN用户使用内网DNS解析域名，这对于有内网DNS服务器且有内网域名的场景适用

push "dhcp-option DNS 192.168.100.3"

四、综合配置

结合以上所有路由以及DNS配置，我们可以进行国内外分流，大致配置如下，有俩种模式（提供一部分参考，第一种原理是，默认路由走VPN，国内明细路由走本地NET，第二种原理是，默认路由走NET，国外谷歌和微软明细路由走VPN），以下配置是准对谷歌和微软的IP库进行的分流配置，仅供参考：

push "route 0.0.0.0 0.0.0.0 net_gateway"  #默认路由走本地net
push "route 10.0.0.0 255.0.0.0 net_gateway" # 私网A段走本地
push "route 172.16.0.0 255.240.0.0 net_gateway" # 私网B段走本地
push "route 192.168.0.0 255.255.0.0 net_gateway" # 私网C段走本地
push "dhcp-option DNS 192.168.100.3" #用内网DNS服务器解析域名，避免国内DNS污染
push "dhcp-option DNS 192.168.100.4" #用内网DNS服务器解析域名，避免国内DNS污染
push "route 192.168.100.3 255.255.255.255 vpn_gateway" #DNS服务器走VPN
push "route 192.168.100.4 255.255.255.255 vpn_gateway" #DNS服务器走VPN
push "route 192.168.6.0 255.255.255.0 vpn_gateway" #内网网段走VPN，访问内网资源
push "route 1.0.0.0 255.255.255.0 vpn_gateway"  #下面都是谷歌和微软的IP段走VPN
push "route 1.1.1.0 255.255.255.0 vpn_gateway" 
push "route 1.2.3.0 255.255.255.0 vpn_gateway" 
push "route 8.8.4.0 255.255.255.0 vpn_gateway" 
push "route 8.8.8.0 255.255.255.0 vpn_gateway" 
push "route 8.15.202.0 255.255.255.0 vpn_gateway" 
push "route 8.34.208.0 255.255.240.0 vpn_gateway" 
push "route 8.35.192.0 255.255.240.0 vpn_gateway" 
push "route 13.64.0.0 255.224.0.0 vpn_gateway" 
push "route 13.104.0.0 255.252.0.0 vpn_gateway" 
push "route 20.0.0.0 255.224.0.0 vpn_gateway" 
push "route 20.33.0.0 255.255.0.0 vpn_gateway" 
push "route 20.36.0.0 255.252.0.0 vpn_gateway" 
push "route 20.40.0.0 255.248.0.0 vpn_gateway" 
push "route 20.48.0.0 255.240.0.0 vpn_gateway" 
push "route 20.64.0.0 255.192.0.0 vpn_gateway" 
push "route 20.135.0.0 255.255.0.0 vpn_gateway" 
push "route 20.136.0.0 255.255.0.0 vpn_gateway" 
push "route 20.143.0.0 255.255.0.0 vpn_gateway" 
push "route 20.150.0.0 255.254.0.0 vpn_gateway" 
push "route 20.152.0.0 255.254.0.0 vpn_gateway" 
push "route 20.157.0.0 255.255.0.0 vpn_gateway" 
push "route 20.158.0.0 255.254.0.0 vpn_gateway" 
push "route 20.160.0.0 255.240.0.0 vpn_gateway" 
push "route 20.184.0.0 255.248.0.0 vpn_gateway" 
push "route 20.192.0.0 255.192.0.0 vpn_gateway" 
push "route 23.96.0.0 255.252.0.0 vpn_gateway" 
push "route 23.100.0.0 255.254.0.0 vpn_gateway" 
push "route 23.102.0.0 255.255.0.0 vpn_gateway" 
push "route 23.103.64.0 255.255.192.0 vpn_gateway" 
push "route 23.103.128.0 255.255.128.0 vpn_gateway" 
push "route 23.236.48.0 255.255.240.0 vpn_gateway" 
push "route 23.251.128.0 255.255.224.0 vpn_gateway" 
push "route 40.64.0.0 255.192.0.0 vpn_gateway" 
push "route 51.10.0.0 255.254.0.0 vpn_gateway" 
push "route 51.12.0.0 255.254.0.0 vpn_gateway" 
push "route 51.51.0.0 255.255.0.0 vpn_gateway" 
push "route 51.53.0.0 255.255.0.0 vpn_gateway" 
push "route 51.103.0.0 255.255.0.0 vpn_gateway" 
push "route 51.104.0.0 255.254.0.0 vpn_gateway" 
push "route 51.107.0.0 255.255.0.0 vpn_gateway" 
push "route 51.116.0.0 255.255.0.0 vpn_gateway" 
push "route 51.120.0.0 255.255.0.0 vpn_gateway" 
push "route 51.124.0.0 255.255.0.0 vpn_gateway" 
push "route 51.132.0.0 255.255.0.0 vpn_gateway" 
push "route 51.136.0.0 255.254.0.0 vpn_gateway" 
push "route 51.138.0.0 255.255.0.0 vpn_gateway" 
push "route 51.140.0.0 255.252.0.0 vpn_gateway" 
push "route 51.144.0.0 255.254.0.0 vpn_gateway" 
push "route 52.96.0.0 255.240.0.0 vpn_gateway" 
push "route 52.112.0.0 255.252.0.0 vpn_gateway" 
push "route 52.120.0.0 255.252.0.0 vpn_gateway" 
push "route 52.125.0.0 255.255.0.0 vpn_gateway" 
push "route 52.136.0.0 255.248.0.0 vpn_gateway" 
push "route 52.146.0.0 255.254.0.0 vpn_gateway" 
push "route 52.148.0.0 255.252.0.0 vpn_gateway" 
push "route 52.152.0.0 255.248.0.0 vpn_gateway" 
push "route 52.160.0.0 255.224.0.0 vpn_gateway" 
push "route 52.224.0.0 255.224.0.0 vpn_gateway" 
push "route 64.4.0.0 255.255.192.0 vpn_gateway" 
push "route 64.15.112.0 255.255.240.0 vpn_gateway" 
push "route 64.18.0.0 255.255.240.0 vpn_gateway" 
push "route 64.18.8.0 255.255.255.0 vpn_gateway" 
push "route 64.18.12.0 255.255.252.0 vpn_gateway" 
push "route 64.79.152.0 255.255.254.0 vpn_gateway" 
push "route 64.233.160.0 255.255.240.0 vpn_gateway" 
push "route 64.233.176.0 255.255.240.0 vpn_gateway" 
push "route 65.52.0.0 255.252.0.0 vpn_gateway" 
push "route 66.102.4.0 255.255.255.0 vpn_gateway" 
push "route 66.119.144.0 255.255.240.0 vpn_gateway" 
push "route 66.249.64.0 255.255.240.0 vpn_gateway" 
push "route 66.249.80.0 255.255.240.0 vpn_gateway" 
push "route 70.32.128.0 255.255.224.0 vpn_gateway" 
push "route 70.32.134.0 255.255.254.0 vpn_gateway" 
push "route 70.32.140.0 255.255.252.0 vpn_gateway" 
push "route 70.32.144.0 255.255.255.0 vpn_gateway" 
push "route 70.32.146.0 255.255.255.0 vpn_gateway" 
push "route 70.32.148.0 255.255.254.0 vpn_gateway" 
push "route 70.37.0.0 255.255.128.0 vpn_gateway" 
push "route 70.37.128.0 255.255.192.0 vpn_gateway" 
push "route 72.14.192.0 255.255.224.0 vpn_gateway" 
push "route 72.14.224.0 255.255.224.0 vpn_gateway" 
push "route 74.125.0.0 255.255.128.0 vpn_gateway" 
push "route 74.125.128.0 255.255.128.0 vpn_gateway" 
push "route 94.245.64.0 255.255.192.0 vpn_gateway" 
push "route 102.37.0.0 255.255.0.0 vpn_gateway" 
push "route 102.133.0.0 255.255.0.0 vpn_gateway" 
push "route 104.0.0.0 255.248.0.0 vpn_gateway" 
push "route 104.40.0.0 255.248.0.0 vpn_gateway" 
push "route 104.132.0.0 255.252.0.0 vpn_gateway" 
push "route 104.146.0.0 255.255.224.0 vpn_gateway" 
push "route 104.146.128.0 255.255.128.0 vpn_gateway"
push "route 104.154.0.0 255.254.0.0 vpn_gateway" 
push "route 104.208.0.0 255.248.0.0 vpn_gateway" 
push "route 107.167.160.0 255.255.224.0 vpn_gateway"
push "route 107.178.192.0 255.255.192.0 vpn_gateway"
push "route 108.59.80.0 255.255.240.0 vpn_gateway" 
push "route 108.170.192.0 255.255.192.0 vpn_gateway"
push "route 108.177.0.0 255.255.128.0 vpn_gateway" 
push "route 111.221.16.0 255.255.240.0 vpn_gateway" 
push "route 111.221.64.0 255.255.192.0 vpn_gateway" 
push "route 113.197.106.0 255.255.255.0 vpn_gateway"
push "route 128.94.0.0 255.255.0.0 vpn_gateway" 
push "route 130.211.0.0 255.255.0.0 vpn_gateway" 
push "route 131.253.1.0 255.255.255.0 vpn_gateway" 
push "route 131.253.3.0 255.255.255.0 vpn_gateway" 
push "route 131.253.5.0 255.255.255.0 vpn_gateway" 
push "route 131.253.6.0 255.255.255.0 vpn_gateway" 
push "route 131.253.8.0 255.255.255.0 vpn_gateway" 
push "route 131.253.12.0 255.255.252.0 vpn_gateway" 
push "route 131.253.21.0 255.255.255.0 vpn_gateway" 
push "route 131.253.24.0 255.255.248.0 vpn_gateway" 
push "route 131.253.32.0 255.255.240.0 vpn_gateway" 
push "route 131.253.61.0 255.255.255.0 vpn_gateway" 
push "route 131.253.62.0 255.255.254.0 vpn_gateway" 
push "route 131.253.128.0 255.255.128.0 vpn_gateway"
push "route 132.245.0.0 255.255.0.0 vpn_gateway" 
push "route 134.170.0.0 255.255.0.0 vpn_gateway" 
push "route 135.149.0.0 255.255.0.0 vpn_gateway" 
push "route 137.116.0.0 255.254.0.0 vpn_gateway" 
push "route 137.135.0.0 255.255.0.0 vpn_gateway" 
push "route 138.91.0.0 255.255.0.0 vpn_gateway" 
push "route 138.239.0.0 255.255.0.0 vpn_gateway" 
push "route 142.250.0.0 255.254.0.0 vpn_gateway" 
push "route 143.64.0.0 255.255.0.0 vpn_gateway" 
push "route 144.188.132.0 255.255.255.0 vpn_gateway"
push "route 144.189.0.0 255.255.0.0 vpn_gateway" 
push "route 144.189.152.0 255.255.254.0 vpn_gateway"
push "route 144.189.160.0 255.255.240.0 vpn_gateway"
push "route 146.148.0.0 255.255.128.0 vpn_gateway" 
push "route 147.145.0.0 255.255.0.0 vpn_gateway"
push "route 147.243.0.0 255.255.0.0 vpn_gateway"
push "route 148.7.0.0 255.255.0.0 vpn_gateway"
push "route 150.171.0.0 255.255.0.0 vpn_gateway"
push "route 155.62.0.0 255.255.0.0 vpn_gateway"
push "route 157.55.0.0 255.255.0.0 vpn_gateway"
push "route 157.56.0.0 255.255.0.0 vpn_gateway"
push "route 158.158.0.0 255.255.0.0 vpn_gateway"
push "route 159.27.0.0 255.255.0.0 vpn_gateway"
push "route 162.216.148.0 255.255.252.0 vpn_gateway"
push "route 162.222.176.0 255.255.248.0 vpn_gateway"
push "route 163.228.0.0 255.255.0.0 vpn_gateway"
push "route 167.105.0.0 255.255.0.0 vpn_gateway"
push "route 167.220.240.0 255.255.252.0 vpn_gateway"
push "route 168.61.0.0 255.255.0.0 vpn_gateway"
push "route 168.62.0.0 255.254.0.0 vpn_gateway"
push "route 169.0.0.0 255.255.0.0 vpn_gateway"
push "route 169.138.0.0 255.255.0.0 vpn_gateway"
push "route 170.165.0.0 255.255.0.0 vpn_gateway"
push "route 172.217.0.0 255.255.0.0 vpn_gateway"
push "route 172.253.0.0 255.255.0.0 vpn_gateway"
push "route 173.194.0.0 255.255.128.0 vpn_gateway"
push "route 173.194.128.0 255.255.128.0 vpn_gateway"
push "route 173.255.112.0 255.255.240.0 vpn_gateway"
push "route 191.232.0.0 255.248.0.0 vpn_gateway"
push "route 192.48.225.0 255.255.255.0 vpn_gateway"
push "route 192.54.86.0 255.255.254.0 vpn_gateway"
push "route 192.55.22.0 255.255.255.0 vpn_gateway"
push "route 192.84.160.0 255.255.254.0 vpn_gateway"
push "route 192.100.102.0 255.255.254.0 vpn_gateway"
push "route 192.100.104.0 255.255.248.0 vpn_gateway"
push "route 192.100.112.0 255.255.240.0 vpn_gateway"
push "route 192.100.128.0 255.255.252.0 vpn_gateway"
push "route 192.158.28.0 255.255.252.0 vpn_gateway"
push "route 192.178.0.0 255.254.0.0 vpn_gateway"
push "route 192.197.157.0 255.255.255.0 vpn_gateway"
push "route 193.142.125.0 255.255.255.0 vpn_gateway"
push "route 193.149.64.0 255.255.224.0 vpn_gateway"
push "route 193.221.113.0 255.255.255.0 vpn_gateway"
push "route 194.41.16.0 255.255.240.0 vpn_gateway"
push "route 198.49.8.0 255.255.255.0 vpn_gateway"
push "route 198.180.74.0 255.255.255.0 vpn_gateway"
push "route 198.180.97.0 255.255.255.0 vpn_gateway"
push "route 198.200.130.0 255.255.255.0 vpn_gateway"
push "route 198.206.164.0 255.255.255.0 vpn_gateway"
push "route 199.30.16.0 255.255.240.0 vpn_gateway"
push "route 199.60.28.0 255.255.255.0 vpn_gateway"
push "route 199.103.90.0 255.255.254.0 vpn_gateway"
push "route 199.103.122.0 255.255.255.0 vpn_gateway"
push "route 199.192.112.0 255.255.252.0 vpn_gateway"
push "route 199.223.232.0 255.255.248.0 vpn_gateway"
push "route 199.242.32.0 255.255.240.0 vpn_gateway"
push "route 199.242.48.0 255.255.248.0 vpn_gateway"
push "route 202.89.224.0 255.255.248.0 vpn_gateway"
push "route 204.14.180.0 255.255.255.0 vpn_gateway"
push "route 204.79.135.0 255.255.255.0 vpn_gateway"
push "route 204.79.179.0 255.255.255.0 vpn_gateway"
push "route 204.79.195.0 255.255.255.0 vpn_gateway"
push "route 204.79.197.0 255.255.255.0 vpn_gateway"
push "route 204.79.252.0 255.255.255.0 vpn_gateway"
push "route 204.95.96.0 255.255.240.0 vpn_gateway"
push "route 204.152.18.0 255.255.254.0 vpn_gateway"
push "route 204.152.140.0 255.255.254.0 vpn_gateway"
push "route 206.138.168.0 255.255.248.0 vpn_gateway"
push "route 206.191.224.0 255.255.224.0 vpn_gateway"
push "route 207.46.0.0 255.255.224.0 vpn_gateway"
push "route 207.46.36.0 255.255.252.0 vpn_gateway"
push "route 207.46.40.0 255.255.248.0 vpn_gateway"
push "route 207.46.48.0 255.255.240.0 vpn_gateway"
push "route 207.46.64.0 255.255.192.0 vpn_gateway"
push "route 207.46.128.0 255.255.128.0 vpn_gateway"
push "route 207.68.128.0 255.255.192.0 vpn_gateway"
push "route 207.82.250.0 255.255.254.0 vpn_gateway"
push "route 207.126.144.0 255.255.240.0 vpn_gateway"
push "route 207.223.160.0 255.255.240.0 vpn_gateway"
push "route 208.65.152.0 255.255.252.0 vpn_gateway"
push "route 208.68.136.0 255.255.248.0 vpn_gateway"
push "route 208.76.45.0 255.255.255.0 vpn_gateway"
push "route 208.76.46.0 255.255.255.0 vpn_gateway"
push "route 208.84.0.0 255.255.252.0 vpn_gateway"
push "route 208.84.4.0 255.255.255.0 vpn_gateway"
push "route 208.117.224.0 255.255.224.0 vpn_gateway"
push "route 209.85.128.0 255.255.192.0 vpn_gateway"
push "route 209.85.192.0 255.255.192.0 vpn_gateway"
push "route 209.85.238.0 255.255.255.0 vpn_gateway"
push "route 209.185.128.0 255.255.252.0 vpn_gateway"
push "route 209.185.240.0 255.255.252.0 vpn_gateway"
push "route 209.240.192.0 255.255.224.0 vpn_gateway"
push "route 213.199.128.0 255.255.192.0 vpn_gateway"
push "route 216.32.180.0 255.255.252.0 vpn_gateway"
push "route 216.32.240.0 255.255.252.0 vpn_gateway"
push "route 216.33.240.0 255.255.252.0 vpn_gateway"
push "route 216.58.192.0 255.255.224.0 vpn_gateway"
push "route 216.73.81.0 255.255.255.0 vpn_gateway"
push "route 216.73.82.0 255.255.255.0 vpn_gateway"
push "route 216.73.85.0 255.255.255.0 vpn_gateway"
push "route 216.73.88.0 255.255.254.0 vpn_gateway"
push "route 216.73.92.0 255.255.252.0 vpn_gateway"
push "route 216.220.208.0 255.255.240.0 vpn_gateway"
push "route 216.239.32.0 255.255.240.0 vpn_gateway"
push "route 216.239.44.0 255.255.254.0 vpn_gateway"
push "route 216.239.64.0 255.255.240.0 vpn_gateway"