
For programmers, searching on Google, asking questions on *, and talking on Twitter are the international, open platforms where we grow. The practical obstacles we currently face inevitably cause some trouble, but they will not stop us.
Let me sort out the requirements first:
- Mobile devices need to reach overseas sites anywhere, anytime, Twitter in particular, and both iPhone and Android must be supported
- Computers need overseas access too, for example the Google I/O 2013 live stream and the WWDC recordings, which are all on YouTube
- On the computer I do not want to dial in before every use, and after dialing in, domestic sites become slow, so policy routing is needed
- Access has to be fast; a web page must not crawl like a snail
So:
- We need a VPN
- It has to be fast
- It has to support policy routing
Choosing the VPN
- OpenVPN: iOS devices need a dedicated client and importing certificates is cumbersome - dropped
- PPTP VPN: weak security and poor NAT traversal; my work and home networks each sit behind two routers, plus some self-built NAT, so the experience was slow and unreliable - dropped
- L2TP/IPSec VPN: IPSec is strong encryption, L2TP runs over UDP with good NAT traversal, and as long as the specific destination ports are not blocked it generally does not get walled
So I chose L2TP/IPSec VPN to solve my problem.
Linode's Tokyo datacenter gives about 250 ms latency from China, which is fast for an overseas VPS. The host OS I chose is Ubuntu 12.04 LTS, a very common choice.
Installation on Ubuntu is straightforward:
sudo apt-get install openswan xl2tpd
A note: for basic security reasons my Ubuntu runs under a non-root user, while Linode's Ubuntu runs as root; it needs some rework, which I will describe in a separate post.
The installer's debconf prompts (screenshots in the original):
- Linode Ubuntu IPSec: asks whether you have an X.509 certificate
- Linode Ubuntu IPSec: import or create an X.509 certificate - choose create
- Linode Ubuntu IPSec: use a self-signed X.509 certificate - choose self-signed
- Linode Ubuntu IPSec: installation complete
seaman@li600-18:~$ sudo apt-get install openswan xl2tpd
[sudo] password for seaman:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  openswan-modules-source openswan-modules-dkms openswan-doc
The following NEW packages will be installed:
  openswan xl2tpd
0 upgraded, 2 newly installed, 0 to remove and 31 not upgraded.
Need to get 1,177 kB of archives.
After this operation, 2,940 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise/universe openswan amd64 1:2.6.37-1 [1,103 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ precise/universe xl2tpd amd64 1.3.1+dfsg-1 [74.1 kB]
Fetched 1,177 kB in 3s (387 kB/s)
Preconfiguring packages ...
Selecting previously unselected package openswan.
(Reading database ... 21184 files and directories currently installed.)
Unpacking openswan (from .../openswan_1%3a2.6.37-1_amd64.deb) ...
Selecting previously unselected package xl2tpd.
Unpacking xl2tpd (from .../xl2tpd_1.3.1+dfsg-1_amd64.deb) ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up openswan (1:2.6.37-1) ...
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to '/etc/ipsec.d/private/li600-18Key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Successfully created x509 certificate.
ipsec_setup: Starting Openswan IPsec U2.6.37/K3.9.3-x86_64-linode33...
Setting up xl2tpd (1.3.1+dfsg-1) ...
Starting xl2tpd: xl2tpd.
Edit /etc/ipsec.conf. You can copy and paste the following, but note the left= server IP address, which must be changed to yours:
seaman@li600-18:~$ sudo vi /etc/ipsec.conf
[sudo] password for seaman:
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=106.186.178.35
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Edit /etc/ipsec.secrets to set the Machine Authentication - Shared Secret (the PSK) used during the IPSec handshake:
seaman@li600-18:~$ sudo vi /etc/ipsec.secrets
[sudo] password for seaman:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys
# include /var/lib/openswan/ipsec.secrets.inc
106.186.178.35 %any: PSK "password"
Edit /etc/xl2tpd/xl2tpd.conf to configure the listener and the L2TP network server (LNS) section:
seaman@li600-18:~$ sudo vi /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Create the PPP options file that xl2tpd hands to pppd; it controls how the server handles a user's dial-in. With debug enabled, the log shows a detailed record of each connection:
seaman@li600-18:~$ sudo vi /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Edit the password file /etc/ppp/chap-secrets to configure the username and password; remember to replace the username and password with your own. The server value l2tpd here must match the name field in the options file.
seaman@li600-18:~$ sudo vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
seaman          l2tpd   password                *
Finally, configure IP forwarding, NAT and the firewall rules:
seaman@li600-18:~$ sudo vi /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
exit 0
Restart the relevant services:
seaman@li600-18:~$ sudo service ipsec restart
seaman@li600-18:~$ sudo service xl2tpd restart
The log from restarting the services; if yours looks like this, everything is correct:
Jul 15 00:13:19 li600-18 ipsec_setup: Stopping Openswan IPsec...
Jul 15 00:13:20 li600-18 ipsec_setup: ...Openswan IPsec stopped
Jul 15 00:13:20 li600-18 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.9.3-x86_64-linode33...
Jul 15 00:13:20 li600-18 ipsec_setup: Using NETKEY(XFRM) stack
Jul 15 00:13:20 li600-18 ipsec_setup: ...Openswan IPsec started
Jul 15 00:13:20 li600-18 pluto: adjusting ipsec.d to /etc/ipsec.d
Jul 15 00:13:20 li600-18 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jul 15 00:13:21 li600-18 ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Jul 15 00:13:21 li600-18 ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Jul 15 00:13:52 li600-18 xl2tpd[4400]: death_handler: Fatal signal 15 received
Jul 15 00:13:53 li600-18 xl2tpd[5291]: Enabling IPsec SAref processing for L2TP transport mode SAs
Jul 15 00:13:53 li600-18 xl2tpd[5291]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Jul 15 00:13:53 li600-18 xl2tpd[5291]: setsockopt recvref[30]: Protocol not available
Jul 15 00:13:53 li600-18 xl2tpd[5291]: This binary does not support kernel L2TP.
Jul 15 00:13:53 li600-18 xl2tpd[5292]: xl2tpd version xl2tpd-1.3.1 started on li600-18 PID:5292
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Forked by Scott Balmos and David Stipp, (C) 2001
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Inherited by Jeff McAdams, (C) 2002
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Listening on IP address 0.0.0.0, port 1701
Finally, I reboot the server to verify that everything starts on boot, that the iptables rules are applied correctly, and that no manual intervention is needed. Get into this habit and it pays off for life.
seaman@li600-18:~$ sudo reboot
A correct, complete server log for a client connection looks like this:
Jul 15 00:22:04 li600-18 xl2tpd[5788]: control_finish: Peer requested tunnel 20 twice, ignoring second one.
Jul 15 00:22:05 li600-18 xl2tpd[5788]: Connection established to 124.126.164.85, 65314.  Local: 54863, Remote: 20 (ref=0/0).  LNS session is 'default'
Jul 15 00:22:05 li600-18 xl2tpd[5788]: start_pppd: I'm running:
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/usr/sbin/pppd"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "passive"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "nodetach"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "10.1.2.1:10.1.2.2"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "refuse-pap"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "refuse-chap"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "auth"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "debug"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "file"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/etc/ppp/options.xl2tpd"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "ipparam"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "124.126.164.85"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/dev/pts/1"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: Call established with 124.126.*.*, Local: 33517, Remote: 8892, Serial: 1
Jul 15 00:22:05 li600-18 pppd[5836]: pppd 2.4.5 started by root, uid 0
Jul 15 00:22:05 li600-18 pppd[5836]: using channel 1
Jul 15 00:22:05 li600-18 pppd[5836]: Using interface ppp0
Jul 15 00:22:05 li600-18 pppd[5836]: Connect: ppp0 <--> /dev/pts/1
Jul 15 00:22:05 li600-18 pppd[5836]: sent [LCP ConfReq id=0x1 ]
Jul 15 00:22:05 li600-18 pppd[5836]: rcvd [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP EchoReq id=0x0 magic=0x6008c32e]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CHAP Challenge id=0xde , name = "l2tpd"]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP EchoReq id=0x0 magic=0x750875db]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP EchoRep id=0x0 magic=0x6008c32e]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP EchoRep id=0x0 magic=0x750875db]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [CHAP Response id=0xde , name = "seaman"]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CHAP Success id=0xde "S=9FDDBC3C524C2C4A504DD75725A4BE1AFCDC033B M=Access granted"]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CCP ConfReq id=0x1 <deflate(old#) 15> ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfNak id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPV6CP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 16 10 9f ff fe d1 fa 47]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
Jul 15 00:22:08 li600-18 pppd[5836]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPCP ConfRej id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfReq id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: rcvd [IPCP ConfReq id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: sent [IPCP ConfAck id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: rcvd [IPCP ConfAck id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: Cannot determine ethernet address for proxy ARP
Jul 15 00:22:09 li600-18 pppd[5836]: local  IP address 10.1.2.1
Jul 15 00:22:09 li600-18 pppd[5836]: remote IP address 10.1.2.2
Jul 15 00:22:09 li600-18 pppd[5836]: Script /etc/ppp/ip-up started (pid 5843)
Jul 15 00:22:09 li600-18 pppd[5836]: Script /etc/ppp/ip-up finished (pid 5843), status = 0x0
Jul 15 00:22:09 li600-18 kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
Jul 15 00:22:10 li600-18 ntpd[2533]: Listen normally on 9 ppp0 10.1.2.1 UDP 123
Jul 15 00:22:10 li600-18 ntpd[2533]: peers refreshed
Jul 15 00:22:10 li600-18 ntpd[2533]: new interface(s) found: waking up resolver
That concludes the server configuration; a complete IPSec+L2TP VPN is now up. How to configure the clients? See part 2 (二).
FAQ: how to handle the following error
Jul 15 00:18:58 li600-18 pppd[5800]: The remote system is required to authenticate itself
Jul 15 00:18:58 li600-18 pppd[5800]: but I couldn't find any suitable secret (password) for it to use to do so.
The root cause is an incorrect /etc/ppp/chap-secrets. The common mistakes are:
1. The * in the IP addresses column was left out
2. The server column must be the name field specified in options.xl2tpd; check whether a d is missing, for example xl2tp written instead of xl2tpd
A better-formatted version of this post: http://www.seaman.be/view/【详细贴】ubuntu-linode搭建海外策略路由vpn-ipsecl2tp(一).html
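To catch the two chap-secrets mistakes listed in the FAQ before pppd rejects the first connection, here is an added check (my example, not code from the original post) that parses the pppd options file and chap-secrets and reports a server column that does not match the name option or an entry without an IP-address column. The file contents in the block are constructed samples modelled on the post's files.

```python
import shlex

# Constructed samples modelled on the post's files. The "alice" entry
# deliberately has both FAQ mistakes: server xl2tp instead of l2tpd,
# and no IP-address column.
OPTIONS_XL2TPD = """\
require-mschap-v2
ms-dns 8.8.8.8
auth
name l2tpd
"""

CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
seaman          l2tpd   "correct horse"         *
alice           xl2tp   password
"""

def pppd_name(options_text):
    """Return the value of pppd's `name` option, or None if it is unset."""
    for line in options_text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) >= 2 and words[0] == "name":
            return words[1]
    return None

def parse_chap_secrets(text):
    """Return (client, server, secret, ip_addresses) tuples, skipping
    comments and blank lines; quoted secrets are split like pppd does."""
    entries = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) >= 3:
            entries.append((words[0], words[1], words[2], words[3:]))
    return entries

def find_problems(options_text, secrets_text):
    """List the FAQ's two common mistakes for every chap-secrets entry."""
    name = pppd_name(options_text)
    problems = []
    for client, server, _secret, addrs in parse_chap_secrets(secrets_text):
        # pppd treats a literal * in the server column as a wildcard.
        if server != name and server != "*":
            problems.append(f"{client}: server '{server}' != pppd name '{name}'")
        if not addrs:
            problems.append(f"{client}: no IP-address column (the post uses '*')")
    return problems

if __name__ == "__main__":
    print("\n".join(find_problems(OPTIONS_XL2TPD, CHAP_SECRETS)) or "no problems")
```

On a real server, read /etc/ppp/options.xl2tpd and /etc/ppp/chap-secrets into the two strings instead of the samples (chap-secrets is root-readable only, so run it with sudo).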