https://github.com/gaomd/docker-ikev2-vpn-server
Start the VPN server

docker run --privileged -d --name ikev2-vpn-server --restart=always -p 500:500/udp -p 4500:4500/udp gaomd/ikev2-vpn-server:0.3.0

Generate the client profile and send ikev2-vpn.mobileconfig to the client. HOST is the hostname the clients will dial:

docker run --privileged -i -t --rm --volumes-from ikev2-vpn-server -e "HOST=vpn1.example.com" gaomd/ikev2-vpn-server:0.3.0 generate-mobileconfig > ikev2-vpn.mobileconfig

or, if the clients will dial an IP address rather than a name:

docker run --privileged -i -t --rm --volumes-from ikev2-vpn-server -e "HOST=8.219.81.14" gaomd/ikev2-vpn-server:0.3.0 generate-mobileconfig > ikev2-vpn.mobileconfig
http://www.strongswan.org/
User -> Windows 10 Desktop -> Inside Greatwall -> VPN Server(Hongkong/Other) -> Outside Greatwall
First deploy a server overseas and turn it into a VPN server; desktop users then go out to the internet through that server, you get the idea......
Since PPTP, L2TP and OpenVPN were blocked one after another, I chose IKEv2.
CentOS 7 environment

yum install -y epel-release   # strongswan and haveged are shipped in EPEL
yum install -y strongswan
yum install -y haveged
systemctl enable haveged
systemctl start haveged
cd /etc/strongswan
Create a self-signed root CA certificate

# CA private key
strongswan pki --gen --type rsa --size 4096 --outform der > ipsec.d/private/CARootKey.der
chmod 600 ipsec.d/private/CARootKey.der
# self-signed CA certificate
strongswan pki --self --ca --lifetime 3650 --in ipsec.d/private/CARootKey.der --type rsa --dn "C=NL, O=Example Company, CN=StrongSwan Root CA" --outform der > ipsec.d/cacerts/CARootCert.der
strongswan pki --print --in ipsec.d/cacerts/CARootCert.der
Issue the server certificate

# server private key
strongswan pki --gen --type rsa --size 2048 --outform der > ipsec.d/private/ServerKey.der
chmod 600 ipsec.d/private/ServerKey.der
# server certificate, signed by the CA
strongswan pki --pub --in ipsec.d/private/ServerKey.der --type rsa | strongswan pki --issue --lifetime 730 --cacert ipsec.d/cacerts/CARootCert.der --cakey ipsec.d/private/CARootKey.der --dn "C=NL, O=Example Company, CN=vpn.example.org" --san vpn.example.com --san vpn.example.net --san 147.90.44.87 --san @147.90.44.87 --flag serverAuth --flag ikeIntermediate --outform der > ipsec.d/certs/ServerCert.der
strongswan pki --print --in ipsec.d/certs/ServerCert.der

Every hostname or IP address that a client will type into its VPN connection must appear as a --san entry; the subject CN on its own (vpn.example.org above) is not matched by Windows. The serverAuth flag is required by Windows clients, the ikeIntermediate flag only by some older Apple clients.
Issue the client (user) certificate

# client private key
cd /etc/strongswan/
strongswan pki --gen --type rsa --size 2048 --outform der > ipsec.d/private/ClientKey.der
chmod 600 ipsec.d/private/ClientKey.der
# client certificate, signed by the CA
strongswan pki --pub --in ipsec.d/private/ClientKey.der --type rsa | strongswan pki --issue --lifetime 730 --cacert ipsec.d/cacerts/CARootCert.der --cakey ipsec.d/private/CARootKey.der --dn "C=NL, O=Example Company, CN=netkiller@msn.com" --san "netkiller@msn.com" --san "neo.chan@live.com" --outform der > ipsec.d/certs/ClientCert.der
# certificate conversion: der -> pem -> p12
openssl rsa -inform DER -in ipsec.d/private/ClientKey.der -out ipsec.d/private/ClientKey.pem -outform PEM
openssl x509 -inform DER -in ipsec.d/certs/ClientCert.der -out ipsec.d/certs/ClientCert.pem -outform PEM
openssl x509 -inform DER -in ipsec.d/cacerts/CARootCert.der -out ipsec.d/cacerts/CARootCert.pem -outform PEM
# set an export password when prompted
openssl pkcs12 -export -inkey ipsec.d/private/ClientKey.pem -in ipsec.d/certs/ClientCert.pem -name "Client's VPN Certificate" -certfile ipsec.d/cacerts/CARootCert.pem -caname "strongSwan Root CA" -out Client.p12

The .p12 bundles the CA certificate, the client private key and the client certificate; just send Client.p12 to the end user. Whoever holds the file and its export password can authenticate as that user, so hand the two over through separate channels.

Tip: if you have set up OpenVPN before this is easy to follow; the steps above correspond to:
build-ca = CARootKey/CARootCert
build-key-server server = ServerKey/ServerCert
build-key client1 = Client.p12
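As an added example (mine, not part of the original page or of strongSwan), the script below rebuilds a throwaway CA and server certificate with plain openssl, standing in for the strongswan pki commands above, and then applies the three checks a Windows IKEv2 client applies to the gateway certificate: it must chain to the CA imported from Client.p12, carry the serverAuth EKU, and list the dialled name or address as a SAN. The hostnames, the address 203.0.113.10 and the temp paths are assumptions for the demo; the CN is deliberately vpn.example.org, as in the listing above, to show that a CN without a matching SAN is rejected.

```sh
#!/bin/sh
# Added example, not from the original page: build a demo CA and server
# certificate with openssl and check them the way a Windows IKEv2 client does.
# Names, addresses and paths are made up for the demo.
set -u

WORK="${TMPDIR:-/tmp}/ikev2-cert-demo.$$"
mkdir -p "$WORK"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Server certificate extensions: SANs for the names/IP clients will dial and the
# EKUs set by "--flag serverAuth --flag ikeIntermediate" (1.3.6.1.5.5.8.2.2).
cat > "$WORK/server.ext" <<'EOF'
subjectAltName = DNS:vpn.example.com,DNS:vpn.example.net,IP:203.0.113.10
extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
EOF

make_demo_certs() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=NL/O=Example Company/CN=StrongSwan Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null &&
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/C=NL/O=Example Company/CN=vpn.example.org" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null &&
    openssl x509 -req -days 730 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# check_server_cert CA_PEM SERVER_PEM DIAL_TARGET
# Exit status 0 when the certificate is acceptable for DIAL_TARGET, otherwise 1
# with one FAIL line per failed check.
check_server_cert() {
    ca="$1"; cert="$2"; dial="$3"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text)

    # 1. It must chain to the CA the client imported from Client.p12.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; rc=1
    fi
    # 2. Windows insists on the serverAuth EKU for the IKEv2 gateway.
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: missing serverAuth extended key usage"; rc=1
    fi
    # 3. The address typed into the VPN connection must be a DNS or IP SAN;
    #    the subject CN is not consulted.
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    case ",$san," in
        *",DNS:$dial,"* | *",IPAddress:$dial,"*) ;;
        *) echo "FAIL: '$dial' not in SAN list [$san]"; rc=1 ;;
    esac
    return $rc
}

if make_demo_certs; then
    for target in vpn.example.com 203.0.113.10 vpn.example.org; do
        if check_server_cert "$WORK/ca.pem" "$WORK/server.pem" "$target"; then
            echo "OK: clients dialling $target will accept this certificate"
        fi
    done
else
    echo "openssl is required for this demo" >&2
fi
```

To check the real certificate before handing out Client.p12, convert ServerCert.der and CARootCert.der to PEM as in the listing above and call check_server_cert with the exact string users will enter as the server address. The demo leaves its files under the temp directory for inspection.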
Enable IP forwarding

cat > /etc/sysctl.d/vpn.conf <<EOF
# VPN
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
sysctl -p /etc/sysctl.d/vpn.conf
Open ports 500 and 4500 (UDP, not TCP), let the ESP and AH protocols through, and finally set up IP masquerading.

# for ISAKMP (handling of security associations)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
# for NAT-T (handling of IPsec between natted devices)
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# for ESP payload (the encrypted data packets)
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
# for the routing of packets on the server: use ONE of the two rules below
iptables -I POSTROUTING -t nat -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx with your egress IP, i.e. the address of eth1. SNAT is for a fixed egress address, MASQUERADE for a dynamic one; if you load both, the MASQUERADE rule is inserted at the top of POSTROUTING and the SNAT rule is never reached. If the default policy of the FORWARD chain is DROP, you also need FORWARD rules for the client pool (10.10.0.0/24 in the ipsec.conf below), otherwise the tunnel comes up but no traffic passes.
If you use firewalld on CentOS 7 instead of plain iptables, run the following instead:

firewall-cmd --zone=dmz --permanent --add-rich-rule='rule protocol value="esp" accept'   # ESP (the encrypted data packets)
firewall-cmd --zone=dmz --permanent --add-rich-rule='rule protocol value="ah" accept'    # AH (authenticated headers)
firewall-cmd --zone=dmz --permanent --add-port=500/udp    # IKE (security associations)
firewall-cmd --zone=dmz --permanent --add-port=4500/udp   # IKE NAT Traversal (IPsec between natted devices)
firewall-cmd --zone=dmz --permanent --add-service=ipsec
firewall-cmd --zone=dmz --permanent --add-masquerade
firewall-cmd --set-default-zone=dmz
firewall-cmd --reload
firewall-cmd --list-all

The ipsec service definition already covers UDP 500/4500 and the ESP/AH protocols in current firewalld releases, so the explicit port and rich rules are redundant but harmless.
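An added example (mine, not the page's or the distribution's): the iptables rules above rendered in iptables-restore format from three parameters, the egress interface, the client pool from ipsec.conf and an optional static egress address. Compared with the listing it adds the FORWARD entries, restricts NAT to the client pool instead of everything leaving the interface, and picks exactly one of SNAT or MASQUERADE. eth1, 10.10.0.0/24 and 203.0.113.10 are assumed values.

```sh
#!/bin/sh
# Added example, not from the original page: render the gateway's iptables
# rules for iptables-restore. Interface, pool and address are made up values.
set -u

# render_rules WAN_IF VPN_NET [STATIC_IP]   -> rules on stdout
render_rules() {
    wan="$1"; pool="$2"; egress="${3:-}"

    cat <<EOF
*filter
# IKE and NAT-T (UDP 500/4500) plus the ESP/AH protocols themselves
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
# Forward only traffic that belongs to the VPN client pool. Without these the
# tunnel comes up but nothing passes when the FORWARD policy is DROP.
-A FORWARD -s $pool -o $wan -j ACCEPT
-A FORWARD -d $pool -i $wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
EOF
    if [ -n "$egress" ]; then
        # Fixed egress address: SNAT keeps the mapping stable and is cheaper.
        echo "-A POSTROUTING -s $pool -o $wan -j SNAT --to-source $egress"
    else
        # Dynamic egress address: MASQUERADE follows whatever the interface has.
        echo "-A POSTROUTING -s $pool -o $wan -j MASQUERADE"
    fi
    echo "COMMIT"
}

# Usage on the gateway (as root), keeping any rules already loaded:
#   render_rules eth1 10.10.0.0/24 203.0.113.10 | iptables-restore --noflush
render_rules eth1 10.10.0.0/24 203.0.113.10
```

Run it once without the third argument to see the MASQUERADE variant; the rest of the output is identical.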
Now configure IPsec; the following can be pasted as-is. IPSec-IKEv2 authenticates clients with the certificate from Client.p12; IPSec-IKEv2-EAP authenticates users with the EAP-MSCHAPv2 accounts from ipsec.secrets (those clients only need CARootCert installed to verify the server); CiscoIPSec serves legacy IKEv1 XAuth clients. The long ike=/esp= lists deliberately keep modp1024 and sha1 entries because Windows clients propose DH group 2 with SHA-1 unless reconfigured; the trailing "!" makes the list strict, so nothing outside it is negotiated. charondebug at level 2 is very chatty and logs client identities, so lower it to 1 once the setup works.

cp /etc/strongswan/ipsec.conf{,.original}
cat > /etc/strongswan/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=ServerCert.der
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.0.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    forceencaps=yes
    authby=xauthrsasig
    xauth=server
    auto=add
EOF

Parameter lines inside a section must be indented, as above; strongSwan treats an unindented line as the start of a new section.
Configure the VPN accounts and passwords

# VPN user accounts and secrets
cat > /etc/strongswan/ipsec.secrets <<EOF
: RSA ServerKey.der
neo : EAP "hWAS5IJWD8NxlQvVFaUVAKid6IFJ6uNO"
jam : EAP "1cNEwkfsaN6GzcmWYLedUvJXSpb16UPH"
EOF

The EAP passwords are stored in clear text (EAP-MSCHAPv2 needs them), so keep the file owned by root with mode 0600 and use long random values like the ones above.
Start strongswan

systemctl enable strongswan
systemctl start strongswan

Check that the connections loaded with strongswan statusall; it should list IPSec-IKEv2, IPSec-IKEv2-EAP and CiscoIPSec.
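An added example, not from the original page or from strongSwan: a small audit of the ike=/esp= proposal lists in an ipsec.conf for algorithms that should be retired, run over an abridged copy of the listing above and over the trimmed proposals I would use once clients no longer need DH group 2 and SHA-1. The weak-token list and both config excerpts are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original page: flag weak algorithms in the
# ike=/esp= lines of an ipsec.conf. Both config excerpts are constructed.
set -u

WORK="${TMPDIR:-/tmp}/ipsec-proposal-audit.$$"
mkdir -p "$WORK"

# Tokens to flag: DH groups below 2048 bits, SHA-1/MD5 integrity, (3)DES and
# NULL encryption.
WEAK_TOKENS='modp768 modp1024 modp1536 sha1 md5 3des des null'

# weak_proposals FILE
# Prints "ike: <proposal>" / "esp: <proposal>" for every proposal that contains
# a weak token; prints nothing when the file is clean.
weak_proposals() {
    awk -v weak="$WEAK_TOKENS" '
        BEGIN { n = split(weak, w, " ") }
        /^[ \t]*(ike|esp)=/ {
            line = $0
            sub(/^[ \t]*/, "", line)
            opt = substr(line, 1, index(line, "=") - 1)
            sub(/^[^=]*=/, "", line)
            sub(/!$/, "", line)                 # strip the strict-mode marker
            m = split(line, props, ",")
            for (i = 1; i <= m; i++) {
                bad = 0
                k = split(props[i], parts, "-")  # enc-integ-dh (or enc-prf-dh)
                for (j = 1; j <= k; j++)
                    for (t = 1; t <= n; t++)
                        if (parts[j] == w[t]) bad = 1
                if (bad) print opt ": " props[i]
            }
        }' "$1"
}

# Abridged copy of the proposals in the listing above.
PAGE_CONF="$WORK/page.conf"
cat > "$PAGE_CONF" <<'EOF'
conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes128-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha1!
EOF

# Trimmed proposals: AEAD first, then AES-CBC with SHA-2 and 2048-bit or
# elliptic-curve DH. Windows clients must be told to offer DH group 14
# (NegotiateDH2048_AES256 registry value or Set-VpnConnectionIPsecConfiguration)
# before this list will match them.
HARD_CONF="$WORK/hardened.conf"
cat > "$HARD_CONF" <<'EOF'
conn %default
    keyexchange=ikev2
    ike=aes256gcm16-prfsha384-ecp384,aes128gcm16-prfsha256-ecp256,aes256-sha256-modp2048,aes128-sha256-modp2048!
    esp=aes256gcm16-ecp384,aes128gcm16-ecp256,aes256-sha256,aes128-sha256!
EOF

for f in "$PAGE_CONF" "$HARD_CONF"; do
    echo "== $f"
    weak_proposals "$f" || true
done
```

Run weak_proposals against /etc/strongswan/ipsec.conf on the gateway; every line it prints is a proposal that a downgrade-capable peer could select, and with the "!" strict marker the only way to remove it is to drop it from the list.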
Import the client p12 certificate: double-click the Client.p12 file.
Choose "Local Machine"
Next
Enter the certificate password, then Next
Next
Click "Finish"
The certificate is imported
Next, configure the Windows 10 VPN connection
In the system tray at the far right of the taskbar, click the network icon, then "Network settings"
Click "VPN", then "Add a VPN connection"
Fill in the details and save. The server address must be one of the SANs in ServerCert.der; choose "Certificate" as the sign-in type when using Client.p12, or "User name and password" for one of the EAP accounts in ipsec.secrets
Click "Change adapter options"
Find the VPN network adapter, right-click it and choose "Properties"
Switch to the "Networking" tab, select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties"
Click "Advanced"
Tick "Use default gateway on remote network", then click "OK"
Back in the network settings, click the VPN entry, then "Connect"
Now check your public IP address; it should be the VPN server's, meaning you reach the internet through the VPN server.