VPN服务搭建

VPN 服务搭建

服务端配置及部署

1.下载strongswan docker镜像

# Pull the strongSwan image. This is a third-party community image pulled by
# floating tag; for a reproducible, auditable deployment pin a digest
# (image@sha256:...) and re-verify it when you upgrade.
docker pull stanback/alpine-strongswan-vpn

2.从github拉取证书生成脚本

# Fetch the helper script (generate_certs.sh) and sample config that the rest
# of this guide edits. Everything below assumes the checkout lives in ~/vpn-git.
git clone https://github.com/stanback/alpine-strongswan-vpn.git ~/vpn-git

3.修改配置文件

  • 修改 generate_certs.sh 文件(脚本中 C、O、CA_CN 组成的 CA DN 必须与下文 ipsec.conf 里的 leftca 完全一致,否则服务端找不到自己的 CA)
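#!/usr/bin/env bash
# Generate the CA, server and client key material for the strongSwan
# container. Files are written under config/ipsec.d next to this script,
# which docker-compose.yml later mounts at /etc/ipsec.d.
set -euo pipefail

CA_CN=yuanjianxin.com                 # CA common name
SERVER_CN=vpn.yuanjianxin.com         # gateway DN; clients verify this name
SERVER_SAN=vpn.yuanjianxin.com        # subjectAltName checked by IKEv2 clients
CLIENT_CN="jianxin@yuanjianxin.com"   # client identity (only used for cert auth)

# Country and organisation of every DN. They MUST match the leftca DN in
# ipsec.conf ("C=US, O=Yue, CN=yuanjianxin.com"), otherwise charon cannot
# locate its CA. They were referenced but never assigned in the original.
C=${C:-US}
O=${O:-Yue}

# Lifetimes in days. 36500 (~100 years) for the CA is what the original used;
# the server cert previously fell back to the pki tool's default, so pin it.
CA_LIFETIME=36500
SERVER_LIFETIME=1095
CLIENT_LIFETIME=3650

# Anchor on the script's own directory instead of $PWD, so running
# ~/vpn-git/generate_certs.sh from any cwd still writes ~/vpn-git/config/ipsec.d.
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
CONFIG_DIR=$SCRIPT_DIR/config/ipsec.d
IMAGE=stanback/alpine-strongswan-vpn

# Run strongSwan's `pki` inside the image with the config dir mounted.
# Arguments are forwarded as an array (no eval, no escaped quotes). No TTY is
# allocated: stdout is redirected into PEM files and a pty could mangle line
# endings; pki does not read stdin for any command used here.
pki() {
  docker run --rm -v "$CONFIG_DIR:/etc/ipsec.d" "$IMAGE" pki "$@"
}

# The PEM files are created by this shell on the host, so the host umask
# decides their mode. Private keys must not be group/world readable.
umask 077

mkdir -p "$CONFIG_DIR"/{aacerts,acerts,cacerts,certs,crls,ocspcerts,private}

# 1. CA key and self-signed CA certificate.
pki --gen --outform pem > "$CONFIG_DIR/private/caKey.pem"
pki --self --in /etc/ipsec.d/private/caKey.pem \
  --dn "C=$C, O=$O, CN=$CA_CN" --ca --lifetime "$CA_LIFETIME" \
  --outform pem > "$CONFIG_DIR/cacerts/caCert.pem"

# 2. Server key and certificate. serverAuth + ikeIntermediate are the EKU
#    flags common IKEv2 clients expect on a gateway certificate.
pki --gen --outform pem > "$CONFIG_DIR/private/serverKey.pem"
pki --issue --lifetime "$SERVER_LIFETIME" \
  --in /etc/ipsec.d/private/serverKey.pem --type priv \
  --cacert /etc/ipsec.d/cacerts/caCert.pem --cakey /etc/ipsec.d/private/caKey.pem \
  --dn "C=$C, O=$O, CN=$SERVER_CN" --san="$SERVER_SAN" \
  --flag serverAuth --flag ikeIntermediate \
  --outform pem > "$CONFIG_DIR/certs/serverCert.pem"

# 3. Client key, certificate and PKCS#12 bundle. With rightauth=eap-mschapv2
#    in ipsec.conf these are NOT used for authentication; clients only need
#    caCert.pem. openssl prompts for the export password that protects the
#    private key inside the .p12 -- choose a strong one, not "123456".
pki --gen --outform pem > "$CONFIG_DIR/private/clientKey.pem"
pki --issue --lifetime "$CLIENT_LIFETIME" \
  --in /etc/ipsec.d/private/clientKey.pem --type priv \
  --cacert /etc/ipsec.d/cacerts/caCert.pem --cakey /etc/ipsec.d/private/caKey.pem \
  --dn "C=$C, O=$O, CN=$CLIENT_CN" --san="$CLIENT_CN" \
  --outform pem > "$CONFIG_DIR/certs/clientCert.pem"
openssl pkcs12 -export \
  -inkey "$CONFIG_DIR/private/clientKey.pem" \
  -in "$CONFIG_DIR/certs/clientCert.pem" -name "$CLIENT_CN" \
  -certfile "$CONFIG_DIR/cacerts/caCert.pem" -caname "$CA_CN" \
  -out "$CONFIG_DIR/clientCert.p12"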
  • 在 ~/vpn-git 目录下执行脚本 ~/vpn-git/generate_certs.sh(脚本用 $PWD 定位 config/ipsec.d,在其他目录执行会把证书写到错误位置)
  • 输入 PKCS#12 导出密码(用于保护 clientCert.p12 中的客户端私钥);示例中的 123456 仅作演示,实际请使用强密码

  • 修改~/vpn-git/config/ipsec.conf 为以下内容

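# strongSwan gateway config: IKEv2 road-warrior clients authenticate with a
# username/password (EAP-MSCHAPv2); the gateway authenticates with its
# certificate. Mounted at /etc/ipsec.conf by docker-compose.yml.
# Parameters inside a section are indented -- the copy on the page had lost
# its indentation, which older starter versions reject.
config setup
  # Let one identity hold several concurrent SAs (same user on two devices).
  uniqueids=no

conn %default
  compress = yes
  # Proposals (the trailing "!" makes the list strict). The 3des-sha1 and
  # *-modp1024 entries are legacy (64-bit block cipher, 1024-bit DH) kept
  # only for old clients; remove them if every client supports AES/modp2048.
  esp = aes256-sha256,aes256-sha1,3des-sha1!
  ike = aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp2048,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
  keyexchange = ike
  keyingtries = 1
  # DNS servers pushed to clients; keep in sync with charon.dns1/dns2 in
  # strongswan.conf, which this guide sets to the same values.
  leftdns = 8.8.8.8,8.8.4.4
  rightdns = 8.8.8.8,8.8.4.4

conn ikev2-eap
  # Must equal the CA DN written by generate_certs.sh (C=$C, O=$O, CN=$CA_CN).
  leftca = "C=US, O=Yue, CN=yuanjianxin.com"
  leftcert = serverCert.pem
  # Always send the gateway certificate; send no certificate request to the
  # client, which authenticates by password.
  leftsendcert = always
  rightsendcert = never
  # Clients must configure this value as their "remote ID".
  leftid = @vpn.yuanjianxin.com
  left = %any
  right = %any
  leftauth = pubkey
  # Password auth: the client certificate/.p12 produced by generate_certs.sh
  # is not used here; clients only need caCert.pem to verify the gateway.
  rightauth = eap-mschapv2
  # Let the updown script insert iptables rules for each tunnel.
  leftfirewall = yes
  # Full tunnel: all client traffic is routed through the VPN.
  leftsubnet = 0.0.0.0/0
  # Client address pool; must match the masquerade rule in the firewall step.
  rightsourceip = 10.1.0.0/16
  fragmentation = yes
  # The gateway never initiates rekeying; clients are expected to.
  rekey = no
  eap_identity=%any
  auto = add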
  • 修改~/vpn-git/config/ipsec.secrets 为以下内容:
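# Secrets read by charon at startup. Keep this file root-owned, mode 0600:
# client passwords are stored in clear text.

# Gateway private key, used with leftauth=pubkey / leftcert=serverCert.pem.
# Format: : RSA <private key file> [ <passphrase> | %prompt ]
: RSA serverKey.pem

# Client credentials for the IKEv2 connection (rightauth=eap-mschapv2 in
# ipsec.conf). EAP is the matching keyword; XAUTH is the IKEv1 keyword, and
# the original XAUTH entry presumably only worked because recent strongSwan
# releases look up EAP and XAUTH secrets interchangeably.
# Format: [ <servername> ] <username> : EAP "<password>"
# "123456" is a placeholder -- replace it with a strong, unique password.
jianxin : EAP "123456"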
  • 修改~/vpn-git/config/strongswan.conf 为以下内容:
# charon daemon settings. dns1/dns2 are the DNS servers handed to clients via
# the configuration payload; ipsec.conf's rightdns in this guide lists the
# same addresses, keep the two in sync.
# NOTE(review): this file replaces the image's stock /etc/strongswan.conf, so
# any include/plugin settings that file carried are lost -- compare with the
# image's original before mounting this one.
charon {
dns1 = 8.8.8.8
dns2 = 8.8.4.4
}

4.开启 IP 转发(内核路由转发,不是端口转发)

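# Enable routing for VPN clients and persist it: a bare `sysctl` call is lost
# on reboot.
printf 'net.ipv4.ip_forward = 1\n' | sudo tee /etc/sysctl.d/99-strongswan.conf >/dev/null
sudo sysctl --system
# IPv6 forwarding / NDP proxying are only needed if rightsourceip also hands
# out an IPv6 pool. ipsec.conf assigns 10.1.0.0/16 only, so leave them off
# rather than forward IPv6 with no matching firewall rules.
#sudo sysctl net.ipv6.conf.all.forwarding=1
#sudo sysctl net.ipv6.conf.all.proxy_ndp=1
# Forward only the VPN client pool, not every packet the host sees.
# leftfirewall=yes in ipsec.conf already lets the updown script add per-tunnel
# rules, and firewalld (next step) may flush hand-added iptables rules on
# reload -- if so, express these as firewalld rules instead.
sudo iptables -A FORWARD -s 10.1.0.0/16 -j ACCEPT
sudo iptables -A FORWARD -d 10.1.0.0/16 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT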

5.开启防火墙

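# Start firewalld as a service (the original ran the daemon binary directly,
# which does not enable it at boot).
sudo systemctl enable --now firewalld
# IKE (500) and NAT-T (4500). Note the typo "--permanen" in the original was
# only accepted because firewall-cmd abbreviates options.
sudo firewall-cmd --permanent --add-port=500/udp
sudo firewall-cmd --permanent --add-port=4500/udp
# Clients that are not behind NAT negotiate plain ESP (IP protocol 50)
# instead of UDP/4500 encapsulation, so allow it as well (alternatively set
# forceencaps=yes in ipsec.conf and keep ESP closed).
sudo firewall-cmd --permanent --add-protocol=esp

# Masquerade the client pool (rightsourceip in ipsec.conf) out of the host.
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.1.0.0/16" masquerade'
# The original "forward-port" rich rules redirected UDP 500/4500 arriving from
# the pool to the same ports on this host; that is at best a no-op and could
# capture clients' own IKE traffic to other hosts, so they are dropped.

# Apply the permanent rules.
sudo firewall-cmd --reload
# Inspect the resulting zone.
sudo firewall-cmd --list-all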

6.设置云服务器安全组策略,放行入站 UDP 500/4500;若有客户端不在 NAT 之后,IKEv2 会直接使用 ESP(IP 协议 50)而不做 UDP 封装,此时还需放行 ESP(或在 ipsec.conf 中设置 forceencaps=yes 强制 UDP 封装)

7.在~/vpn-git/config下编写docker-compose.yml文件,内容如下:

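# Runs the strongSwan gateway in the host network namespace with only
# NET_ADMIN added, as the image's author does -- presumably so charon can
# program the host's IPsec SAs and receive UDP 500/4500 without port mapping.
# Nesting is indented as YAML requires; the copy on the page had lost it.
version: '2'
services:
  strongswan-service:
    image: stanback/alpine-strongswan-vpn
    network_mode: host
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    volumes:
      # Config and secrets are mounted read-only; keep ipsec.secrets and
      # ipsec.d/private at 0600/0700 on the host, as they hold passwords and
      # private keys. ipsec.d stays writable in case charon caches CRLs there.
      - ./strongswan.conf:/etc/strongswan.conf:ro
      - ./ipsec.conf:/etc/ipsec.conf:ro
      - ./ipsec.secrets:/etc/ipsec.secrets:ro
      - ./ipsec.d:/etc/ipsec.d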

8.启动vpn服务

# Run from ~/vpn-git/config, where docker-compose.yml and the mounted config
# files live (the compose file uses ./ relative paths).
docker-compose up -d

客户端配置

1.下载证书

  • 下载客户端证书 ~/vpn-git/config/ipsec.d/clientCert.p12
  • 下载CA 证书 ~/vpn-git/config/ipsec.d/cacerts/caCert.pem(本方案 rightauth=eap-mschapv2 为密码认证,客户端只需 CA 证书来校验服务器;clientCert.p12 含客户端私钥,仅在改用证书认证时才需要,且必须通过安全渠道分发)

2.导入证书到系统

3.配置vpn链接

类型:IKEv2
服务器:vpn.yuanjianxin.com
远程ID:vpn.yuanjianxin.com
用户鉴定:用户名
用户名:jianxin # ipsec.secrets文件中配置的用户名
密码:123456 # ipsec.secrets文件中配置的密码