v_p_n 架设

目录

搭建V_P_N.

架构

  • 使用 Openswan 作为 IPsec 服务器.
  • 使用 xl2tpd 提供 L2TP 支持.
  • 使用 ppp 提供用户认证.

环境

  • Linode
  • Ubuntu 14.04 64-bit

安装

1
2
sudo apt-get install openswan xl2tpd ppp lsof
# 安装软件包, 会有设置向导, 全部 Enter 使用默认设置.

配置

防火墙 iptablessysctl 的设置

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
sudo iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
#%SERVERIP% 替换成你的服务器 IP; eth+ 通配符

echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" |  tee -a /etc/sysctl.conf

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

sysctl -p
# 应用设置

添加自启

rc.local 中添加:

1
2
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+

配置 Openswan (IPSEC)

配置 ipsec.conf

/etc/ipsec.conf 中修改:

1
2
left=%SERVERIP%
protostack=netkey

/etc/ipsec.conf 完整文件:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combation from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack t                 o use. auto will try netkey, then klips then mast
    protostack=netkey
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#       # Left security gateway, subnet behind it, nexthop toward right.
#       left=10.0.0.1
#       leftsubnet=172.16.0.0/24
#       leftnexthop=10.22.33.44
#       # Right security gateway, subnet behind it, nexthop toward left.
#       right=10.12.12.1
#       rightsubnet=192.168.0.0/24
#       rightnexthop=10.101.102.103
#       # To authorize this connection, but not actually start it,
#       # at startup, uncomment this.
#       #auto=add
conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.

    pfs=no
    #Disable pfs

    auto=add
    #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.

    keyingtries=3
    #Only negotiate a conn. 3 times.

    ikelifetime=8h
    keylife=1h

    ike=aes256-sha1;modp1024!
    phase2alg=aes256-sha1;modp1024
    # specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.

    type=transport
    #because we use l2tp as tunnel protocol

    left=%SERVERIP%
    #fill in server IP above

    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

    dpddelay=10
    # Dead Peer Dectection (RFC 3706) keepalives delay
    dpdtimeout=20
    #  length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
    dpdaction=clear
    # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.

修改 ipsec.secrets

  • 获取服务器 IP:
1
curl http://ip.mtak.nl
  • 生成随机密匙:
1
openssl rand -hex 30

IPSec 握手时的 Shared Secret

/etc/ipsec.secrets 修改为:

1
%SERVERIP%  %any:   PSK "%Shared Secret%"

验证 IPSec

验证 IPSec 是否正常工作

1
ipsec verify

遇到问题

NETKEY: Testing XFRM related proc values [FAILED]

应该是忘记修改网络策略, 解决方法:

1
2
3
4
5
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

问题2 Hardware RNG detected, testing if used properly [FAILED]

Hardware RNG detected, testing if used properly [FAILED]

解决方法:

1
sudo apt-get install rng-tools

再次验证 IPSec 是否正常工作, ipsec verify, 已经正常.

配置 xl2tpd

配置 xl2tpd.conf

/etc/xl2tpd/xl2tpd.conf 修改成:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
[global]
ipsec saref = yes
saref refinfo = 30

;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

用户认证

编辑 /etc/xl2tpd/xl2tpd.conf:

1
2
3
4
# 增加这一行:
unix authentication = yes
# 删除这一行:
refuse pap = yes

更改 /etc/pam.d/ppp 成:

1
2
3
4
auth    required        pam_nologin.so
auth    required        pam_unix.so
account required        pam_unix.so
session required        pam_unix.so

修改 /etc/ppp/options.xl2tpd:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
login
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

使用

增加用户

修改 /etc/ppp/chap-secrets:

1
2
3
4
# Secrets for authentication using CHAP
# client       server  secret                  IP addresses
user1          l2tpd   pass1                        *
user2          l2tpd   pass2                        *

重启服务

1
2
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

查看错误日志

1
2
cat /var/log/syslog
cat /var/log/auth.log

Enjoy!