以下步骤完全使用于Ubuntu 14.04版本
首先安装以下所需包
sudo apt-get install openswan xl2tpd ppp lsof
!注意!Ubuntu 15.10会提示无法找到openswan包,解决办法是用喜欢的编辑器编辑以下文件,实例用vim
sudo vim /etc/apt/sources.list
在文件最后添加一行
deb http://us.archive.ubuntu.com/ubuntu precise main universe
保存后,执行下面命令
sudo apt-get update
sudo apt-get install openswan
防火墙和转发
设置允许转发数据包
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
将上面的%SERVERIP%替换成服务器IP,eth+换成服务器的网卡名。!注意!不一定所有的网卡都是eth开头的
执行下列命令允许内核转发,并且禁用ICP重定向
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
如果有其他网络接口,执行同样的设置
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
应用以上设置
sysctl -p
保证每次开机这些设置生效
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
配置OpenSwan(IPSEC)
用编辑器打开以下文件
/etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file # This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf. version 2.0 # conforms to second version of ipsec.conf specification # basic configuration
config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
virtual_private=%v4:10.0.0.0/,%v4:192.168.0.0/,%v4:172.16.0.0/,%v6:fd00::/,%v6:fe80::/
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
oe=off
protostack=netkey
#decide which protocol stack is going to be used. conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.
pfs=no
#Disable pfs
rekey=no
dpddelay=
dpdtimeout=
dpdaction=clear
auto=add
#start at boot
keyingtries=
#Only negotiate a conn. times.
ikelifetime=8h
keylife=1h
type=transport
#because we use l2tp as tunnel protocol
left=%SERVERIP%
leftprotoport=/%any
right=%any
rightprotoport=/%any
forceencaps=yes
#force all to be nat'ed. because of iOS
将上述%SERVERIP%换成服务器IP
共享密钥
用编辑器打开以下文件
/etc/ipsec.secrets
添加以下格式的内容
%SERVERIP% %any: PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"
%SERVERIP%为服务器IP地址。PSK为共享密钥,可以用以下命令生成随机密钥
openssl rand -hex
验证OpenSwan(IPSEC)设置
ipsec verify
我的机器示例输出如下
Linux Openswan U2.6.37/K4.2.0--generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Hardware RNG detected, testing if used properly [FAILED] Hardware RNG is present but 'rngd' or 'clrngd' is not running.
No harware random used! Checking that pluto is running [OK]
Pluto listening for IKE on udp [OK]
Pluto listening for NAT-T on udp [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
配置xl2tpd
用编辑器编辑下述文件
/etc/xl2tpd/xl2tpd.conf
将内容替换为以下内容
[global]
ipsec saref = yes
saref refinfo = [lns default]
ip range = 172.16.1.2-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
配置PPP
编辑以下文件
/etc/ppp/options.xl2tpd
将文件内容替换为以下内容
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu
mru
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval
lcp-echo-failure
添加用户(用户认证)
编辑以下文件添加用户
/etc/ppp/chap-secrets
格式内容如下
# Secrets for authentication using CHAP
# client server secret IP addresses
alice l2tpd 0F92E5FC2414101EA *
bob l2tpd DF98F09F74C06A2F *
可以使用以下脚本自动添加用户名和密码。复制内容到本地文件。重命名为addvpnuser.sh
#this script add vpn user to /etc/ppp/chap-secret
#you must be root to run this script if [ $EUID -ne ]
then
echo "You must be root to run this script."
exit -
fi if ! getopts ":a:d:q:" opt
then
echo "Usage: ./addvpnuser.sh -a username | -d username | -q username"
echo "-a for add, -d for delete and -q for query user's password ."
exit -
fi OPTIND= while getopts ":a:d:q:" opt
do
case $opt in
a)
#add user switch is triggered. #check the username parameter is correct.
if [[ $OPTARG = -* ]]
then
echo "Option -a needs an username as a parameter."
((OPTIND--))
continue
fi #check whether the user to be added is existed.
if grep -qP "^$OPTARG\t" /etc/ppp/chap-secrets
then
echo "cannot add user '$OPTARG' because the user has already existed."
continue
fi
#get a random number less than .
n=$RANDOM
n=$(( n % )) #VPN Server Type.
TYPE="l2tpd" #get the server external IP.
IP=`wget http://ipinfo.io/ip -qO -` #get the PRE PSK key of the VPN.
PREKEY=`cat /etc/ipsec.secrets | tail - | awk '{print $4}' | cut -d\" -f2` #calculate user's password using the following algorithm.
PW=`echo -n $OPTARG$RANDOM | md5sum | cut -c$n-$(( n+ ))`
echo -e "$OPTARG\t$TYPE\t$PW\t*" >> /etc/ppp/chap-secrets #successfully added user to configure file.
#print out user information. copy and send to him.
if [ $? -eq ]
then
echo "Type: $TYPE"
#IP=`ifconfig eth0 | grep "inet addr" | awk '{print $2}' | cut -d: -f2`
echo "VPN Server IP: $IP"
echo "User: $OPTARG Password: $PW"
echo "PRE PSK KEY: $PREKEY"
echo "Done."
else
#failed to write the file.
echo "cannot write to configure file."
fi
;;
d)
#echo "-d was triggered. Parameter: $OPTARG"
#check the username parameter is correct.
if [[ $OPTARG = -* ]]
then
echo "Option -d requires an username as a parameter."
((OPTIND--))
continue
fi #check whether the user to be deleted is exist.
if ! grep -qP "^$OPTARG\t" /etc/ppp/chap-secrets
then
echo "user '$OPTARG' does not exist."
continue
fi #maybe can use $$(pid) instead
RANDOM1=$RANDOM
RANDOM2=$RANDOM #delete and overwrite file.
grep -vP "^$OPTARG\t" /etc/ppp/chap-secrets > /etc/ppp/chap-secrets$RANDOM1$RANDOM2
mv /etc/ppp/chap-secrets$RANDOM1$RANDOM2 /etc/ppp/chap-secrets #check result.
if [ $? -eq ]
then
echo "user '$OPTARG' has been successfully deleted."
else
echo "cannot write to file. Please check it."
fi
;;
q)
#check the username parameter is correct.
if [[ $OPTARG = -* ]]
then
echo "Option -q requires an username as a parameter."
((OPTIND--))
continue
fi
grep -P "^$OPTARG\t" /etc/ppp/chap-secrets | awk '{print $1, $3}' >/dev/null
;; \?)
echo "Invalid option -$OPTARG"
;;
:)
echo "Option -$OPTARG requires an username as a parameter."
;;
esac
done
保存后为文件添加可执行权限
chmod addvpnuser.sh
执行示例
#添加VPN用户
./addvpnuser.sh -a [username]
#删除VPN用户
./addvpnuser.sh -d [username]
#查询VPN用户密码
./addvpnuser.sh -q [username]
测试
执行下列命令重启IPsec和xl2tpd服务
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
防火墙
如果开启了ufw防火墙的话,则需要开放udp 500, udp 4500, udp 1701三个端口
ufw allow /udp
ufw allow /udp
ufw allow /udp
注意
配置过程中发现按照上述步骤操作,通过Android或者iOS设备可以连接到VPN服务器,但是不能连接到互联网。经过调试发现是由于Ubuntu开启了ufw(防火墙),数据包被防火墙屏蔽掉了。解决办法如下
打开以下文件
/etc/default/ufw
将下列行中的DROP替换成ACCEPT
DEFAULT_FORWARD_POLICY="DROP"
替换成
DEFAULT_FORWARD_POLICY="ACCEPT"
调试
出现无法连接或者无法联网的情况,下列命令可以帮助调试
sudo tcpdump -i ppp0
sudo tail -f /var/log/auth.log
sudo tail -f /var/log/syslog