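config setup
  # strictcrlpolicy=yes
  # uniqueids = no

# Add connections here.
# Sample VPN connections

# Settings shared by every conn below. ipsec.conf requires the parameter lines
# of a section to be indented; the un-indented copy in the guide is a
# formatting loss, not valid syntax.
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  # Pre-shared key, taken from ipsec.secrets.
  authby=secret
  # NOTE(review): 3des, sha1 and modp1024 (DH group 2) are legacy algorithms,
  # kept only so the client can talk to servers that offer nothing better.
  # The trailing "!" restricts negotiation to exactly these proposals; if the
  # server supports stronger ones, list them first and drop the weak entries.
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  esp=aes128-sha1-modp1024,3des-sha1-modp1024!

# The L2TP/IPsec client tunnel; the name "myvpn" is also used by vpnc.sh
# ("strongswan up myvpn") and must match the [lac ...] section in xl2tpd.conf.
conn myvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  # Transport mode: only the L2TP control/data traffic (UDP 1701) is protected.
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  # Replace with the VPN server's public IP address.
  right=VPN服务器IP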
编辑/etc/strongswan/ipsec.secrets文件
: PSK "你的PSK"
配置 xl2tpd
编辑/etc/xl2tpd/xl2tpd.conf文件
[lac myvpn]
; Public IP of the VPN server - the same host as "right=" in ipsec.conf.
lns = VPN服务的IP
; Verbose pppd logging. Useful while bringing the tunnel up for the first
; time; consider turning it off afterwards so authentication traffic is not
; written to the logs in detail.
ppp debug = yes
; pppd options (credentials included) live in this file; see the chmod step.
pppoptfile = /etc/ppp/options.xl2tpd.client
length bit = yes
编辑/etc/ppp/options.xl2tpd.client文件
# Accept whatever local/remote addresses the server proposes during IPCP.
ipcp-accept-local
ipcp-accept-remote
# Refuse EAP; CHAP is the authentication method used with the credentials
# at the bottom of this file.
refuse-eap
require-chap
noccp
# Do not require the server to authenticate itself to us.
noauth
# Lower than the usual 1500 - presumably to leave room for the L2TP/IPsec
# encapsulation overhead; confirm against the server's MTU if transfers stall.
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
# Account credentials, stored in clear text: this file must be readable by
# root only (chmod 600 /etc/ppp/options.xl2tpd.client).
name 你的帐户
password 你的密码
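# The pppd options file written above holds the account password in clear
# text and ipsec.secrets holds the PSK: both must be readable by root only.
# The guide originally ran chmod on "options.l2tpd.client", which is not the
# file it created ("options.xl2tpd.client"), so the password file was left
# with its default permissions.
chmod 600 /etc/ppp/options.xl2tpd.client
chmod 600 /etc/strongswan/ipsec.secrets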
至此 VPN 客户端配置已完成。按照下面的步骤进行连接。
创建xl2tpd控制文件
# Create the control file xl2tpd reads connect/disconnect commands from.
control_dir=/var/run/xl2tpd
mkdir -p -- "$control_dir"
touch -- "$control_dir/l2tp-control"
启动脚本vpnc.sh
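#!/bin/bash
# vpnc.sh - start strongSwan and xl2tpd, bring up the "myvpn" L2TP/IPsec
# tunnel and move the default route onto ppp0.
#
# Fill these in (edit the defaults below or export them before running):
#   VPN_SERVER_IP    public IP of the VPN server (ipsec.conf "right=")
#   GATEWAY_IP       current default gateway ("default via X.X.X.X" in
#                    `ip route`); auto-detected when left empty
#   LOCAL_PUBLIC_IP  public IP of the machine you are SSH'd in from, so the
#                    SSH session survives the default-route change; leave
#                    empty when running on a local desktop
set -u

VPN_SERVER_IP="${VPN_SERVER_IP:-}"
GATEWAY_IP="${GATEWAY_IP:-}"
LOCAL_PUBLIC_IP="${LOCAL_PUBLIC_IP:-}"
# Name shared by the ipsec.conf "conn" and the xl2tpd "[lac ...]" section.
readonly CONN_NAME=myvpn
readonly CONTROL_FILE=/var/run/xl2tpd/l2tp-control

die() { printf 'vpnc.sh: %s\n' "$*" >&2; exit 1; }

# Run a command as root, through sudo only when not already root.
as_root() {
  if (( EUID == 0 )); then
    "$@"
  else
    sudo "$@"
  fi
}

# True when $1 looks like a dotted-quad IPv4 address.
is_ipv4() {
  local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  [[ $1 =~ $re ]]
}

# Default gateway: the "default via X.X.X.X" entry of the current table.
if [[ -z "$GATEWAY_IP" ]]; then
  GATEWAY_IP=$(ip -4 route show default | awk '/^default via/ { print $3; exit }')
fi
is_ipv4 "$VPN_SERVER_IP" || die "set VPN_SERVER_IP to the VPN server's IPv4 address"
is_ipv4 "$GATEWAY_IP" || die "could not determine the default gateway; set GATEWAY_IP"
if [[ -n "$LOCAL_PUBLIC_IP" ]] && ! is_ipv4 "$LOCAL_PUBLIC_IP"; then
  die "LOCAL_PUBLIC_IP is not an IPv4 address"
fi

as_root systemctl restart strongswan.service || die "strongswan.service failed to start"
as_root systemctl restart xl2tpd.service || die "xl2tpd.service failed to start"
sleep 1

# The control file lives under /var/run, which is not persistent, so make sure
# it exists on every start rather than only once after installation.
as_root mkdir -p -- "${CONTROL_FILE%/*}"
as_root touch -- "$CONTROL_FILE"

as_root strongswan up "$CONN_NAME" || die "IPsec SA for $CONN_NAME did not come up"
printf 'c %s\n' "$CONN_NAME" | as_root tee "$CONTROL_FILE" >/dev/null

# Wait for pppd to bring up ppp0. The original loop wrapped the grep in $(...),
# which runs the (empty) output instead of the test and so never waited; it
# also had no upper bound. Give up after a minute instead of hanging.
for (( i = 0; i < 60; i++ )); do
  if ip route | grep -qi ppp0; then
    break
  fi
  sleep 1
done
ip link show ppp0 >/dev/null 2>&1 || die "ppp0 did not appear; check the xl2tpd/pppd logs"
ip link show ppp0

# Keep the VPN server (and, if set, the SSH client) reachable through the old
# gateway before the default route moves to ppp0, otherwise the tunnel
# traffic itself would be routed into the tunnel. "replace" keeps these two
# idempotent if the script is re-run.
as_root ip route replace "$VPN_SERVER_IP" via "$GATEWAY_IP"
if [[ -n "$LOCAL_PUBLIC_IP" ]]; then
  as_root ip route replace "$LOCAL_PUBLIC_IP" via "$GATEWAY_IP"
fi
# Adds a second default route via ppp0, as the original did with net-tools
# `route add default dev ppp0`; if this reports "File exists", an existing
# default route has the same metric - see `ip route show default`.
as_root ip route add default dev ppp0 || die "could not add the default route via ppp0"

ip route | grep -i ppp0
ip address | grep -i ppp0
# Sanity check: the address seen from outside should now be the VPN server's
# IP. Fetched over HTTPS so the answer cannot be altered in transit.
wget -qO- https://ipv4.icanhazip.com; echo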
停止脚本 vpnd.sh
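#!/bin/bash
# vpnd.sh - tear down the "myvpn" tunnel started by vpnc.sh and undo its
# routing changes.
#
# Use the same values as in vpnc.sh (edit the defaults or export them):
#   VPN_SERVER_IP    public IP of the VPN server
#   LOCAL_PUBLIC_IP  public IP of your SSH client, or empty if it was not used
set -u

VPN_SERVER_IP="${VPN_SERVER_IP:-}"
LOCAL_PUBLIC_IP="${LOCAL_PUBLIC_IP:-}"
# Must match the ipsec.conf "conn" and the xl2tpd "[lac ...]" section, and
# the name vpnc.sh connected with. The original sent "d vultr" here, which
# does not name the "myvpn" tunnel this guide configures.
readonly CONN_NAME=myvpn
readonly CONTROL_FILE=/var/run/xl2tpd/l2tp-control

# Run a command as root, through sudo only when not already root.
as_root() {
  if (( EUID == 0 )); then
    "$@"
  else
    sudo "$@"
  fi
}

as_root ip route del default dev ppp0
# Remove the host routes vpnc.sh added for the VPN server and the SSH client.
for host in "$VPN_SERVER_IP" "$LOCAL_PUBLIC_IP"; do
  if [[ -n "$host" ]]; then
    as_root ip route del "$host"
  fi
done

printf 'd %s\n' "$CONN_NAME" | as_root tee "$CONTROL_FILE" >/dev/null
as_root strongswan down "$CONN_NAME"
# Both should print nothing once the interface is gone.
ip link | grep -i ppp0
ip route | grep -i ppp0
as_root systemctl stop strongswan.service
as_root systemctl stop xl2tpd.service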
运行启动脚本后，测试一下 VPN 服务器内网地址是否连通：
[root@iz2ze7tgu9zb2gr6av1tysz vpn]# ping 172.17.120.102
PING 172.17.120.102 (172.17.120.102) 56(84) bytes of data.
64 bytes from 172.17.120.102: icmp_seq=1 ttl=63 time=1.96 ms
64 bytes from 172.17.120.102: icmp_seq=2 ttl=63 time=2.01 ms
64 bytes from 172.17.120.102: icmp_seq=3 ttl=63 time=1.92 ms
64 bytes from 172.17.120.102: icmp_seq=4 ttl=63 time=1.94 ms
^C
--- 172.17.120.102 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 1.926/1.961/2.010/0.062 ms
运行启动脚本后，以上命令可以 ping 通，说明安装配置成功。
知识补充
内网定义
内网IP有3种:
- 第一种10.0.0.0~10.255.255.255
- 第二种172.16.0.0~172.31.255.255
- 第三种192.168.0.0~192.168.255.255
相关端口
| 协议 | 端口 |
| --- | --- |
| PPTP | 1723 |
| L2TP | UDP:500 (isakmp) UDP:4500 (nat-t) UDP:1701 (l2tp) |
IPSEC/L2TP方式的VPN基础
参考:https://blog.52itstyle.com/archives/2457/#%E7%9F%A5%E8%AF%86%E8%A1%A5%E5%85%85
参考文档
setup-ipsec-vpn:https://github.com/hwdsl2/setup-ipsec-vpn
setup-ipsec-vpn:https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/c