VPN服务搭建

发表于 | 分类于 | 阅读次数 |
字数统计 883 | 阅读时长 4

VPN 服务搭建

服务端配置及部署

1.下载strongswan docker镜像

docker pull stanback/alpine-strongswan-vpn

2.从github拉取证书生成脚本

git clone https://github.com/stanback/alpine-strongswan-vpn.git ~/vpn-git

3.修改配置文件

  • 修改generate_certs.sh 文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
CA_CN=yuanjianxin.com # 主域名
SERVER_CN=vpn.yuanjianxin.com # vpn服务器域名
SERVER_SAN=vpn.yuanjianxin.com # SAN服务器域名
CLIENT_CN="jianxin@yuanjianxin.com" # 客户端标识

CONFIG_DIR=$PWD/config/ipsec.d
IPSEC="docker run -it --rm=true -v $CONFIG_DIR:/etc/ipsec.d stanback/alpine-strongswan-vpn"

mkdir -p $CONFIG_DIR/aacerts \
         $CONFIG_DIR/acerts \
         $CONFIG_DIR/cacerts \
         $CONFIG_DIR/certs \
         $CONFIG_DIR/crls \
         $CONFIG_DIR/ocspcerts \
         $CONFIG_DIR/private

eval $IPSEC pki --gen --outform pem > $CONFIG_DIR/private/caKey.pem

# 添加lifetime 指定证书有效期天数
eval $IPSEC pki --self --in /etc/ipsec.d/private/caKey.pem --dn \"C=$C, O=$O, CN=$CA_CN\" --ca --lifetime 36500 --outform pem > $CONFIG_DIR/cacerts/caCert.pem

eval $IPSEC pki --gen --outform pem > $CONFIG_DIR/private/serverKey.pem
eval $IPSEC pki --issue --in /etc/ipsec.d/private/serverKey.pem --type priv --cacert /etc/ipsec.d/cacerts/caCert.pem --cakey /etc/ipsec.d/private/caKey.pem --dn \"C=$C, O=$O, CN=$SERVER_CN\" --san=\"$SERVER_SAN\" --flag serverAuth --flag ikeIntermediate --outform pem > $CONFIG_DIR/certs/serverCert.pem

eval $IPSEC pki --gen --outform pem > $CONFIG_DIR/private/clientKey.pem
eval $IPSEC pki --issue --lifetime 3650 --in /etc/ipsec.d/private/clientKey.pem --type priv --cacert /etc/ipsec.d/cacerts/caCert.pem --cakey /etc/ipsec.d/private/caKey.pem --dn \"C=$C, O=$O, CN=$CLIENT_CN\" --san=\"$CLIENT_CN\" --outform pem > $CONFIG_DIR/certs/clientCert.pem
openssl pkcs12 -export -inkey $CONFIG_DIR/private/clientKey.pem -in $CONFIG_DIR/certs/clientCert.pem -name \"$CLIENT_CN\" -certfile $CONFIG_DIR/cacerts/caCert.pem -caname \"$CA_CN\" -out $CONFIG_DIR/clientCert.p12
  • 执行脚本 ~/vpn-git/generate_certs.sh

  • 输入证书密钥,比如 123456

  • 修改~/vpn-git/config/ipsec.conf 为以下内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
config setup
    uniqueids=no

conn %default
    compress = yes
    esp = aes256-sha256,aes256-sha1,3des-sha1!
    ike = aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp2048,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    keyexchange = ike
    keyingtries = 1
    leftdns = 8.8.8.8,8.8.4.4
    rightdns = 8.8.8.8,8.8.4.4

conn ikev2-eap
    leftca = "C=US, O=Yue, CN=yuanjianxin.com"
    leftcert = serverCert.pem
    leftsendcert = always
    rightsendcert = never
    leftid = @vpn.yuanjianxin.com
    left = %any
    right = %any
    leftauth = pubkey
    rightauth = eap-mschapv2
    leftfirewall = yes
    leftsubnet = 0.0.0.0/0
    rightsourceip = 10.1.0.0/16
    fragmentation = yes
    rekey = no
    eap_identity=%any
    auto = add
  • 修改~/vpn-git/config/ipsec.secrets 为以下内容:
1
2
3
4
5
6
7
8
9
#: RSA serverKey.pem
#carol : EAP "Ar3etTnp01qlpOgb"
#使用证书验证时的服务器端私钥
#格式 : RSA <private key file> [ <passphrase> | %prompt ]
: RSA serverKey.pem

#XAUTH 方式, 只适用于 IKEv1
#格式 [ <servername> ] <username> : XAUTH "<password>"
jianxin : XAUTH "123456"
  • 修改~/vpn-git/config/strongswan.conf 为以下内容:
1
2
3
4
charon {
  dns1 = 8.8.8.8
  dns2 = 8.8.4.4
}

4.设置端口转发

1
2
3
4
sudo sysctl net.ipv4.ip_forward=1
sudo sysctl net.ipv6.conf.all.forwarding=1
sudo sysctl net.ipv6.conf.all.proxy_ndp=1
sudo iptables -A FORWARD -j ACCEPT

5.开启防火墙

1
2
3
4
5
6
7
8
9
10
11
12
13
14
sudo firewalld
sudo firewall-cmd --add-port=500/udp --permanent
sudo firewall-cmd --add-port=4500/udp --permanent

#启用ip伪装
sudo firewall-cmd --permanen --add-rich-rule='rule family="ipv4" source address="10.1.0.0/16" masquerade'

#添加 nat 转发
sudo firewall-cmd --permanen --add-rich-rule='rule family="ipv4" source address="10.1.0.0/16" forward-port port="4500" protocol="udp" to-port="4500"'
sudo firewall-cmd --permanen --add-rich-rule='rule family="ipv4" source address="10.1.0.0/16" forward-port port="500" protocol="udp" to-port="500"'
# 重启防火墙
sudo firewall-cmd --reload
# 查看防火墙设置
sudo firewall-cmd --list-all

6.设置云服务器安全组策略,打开500/4500 UDP端口

7.在~/vpn-git/config下编写docker-compose.yml文件,内容如下:

1
2
3
4
5
6
7
8
9
10
11
12
version: '2'
services:
  strongswan-service:
    image: stanback/alpine-strongswan-vpn
    network_mode: host
    cap_add:
      - NET_ADMIN
    volumes:
      - ./strongswan.conf:/etc/strongswan.conf
      - ./ipsec.conf:/etc/ipsec.conf
      - ./ipsec.secrets:/etc/ipsec.secrets
      - ./ipsec.d:/etc/ipsec.d

8.启动vpn服务

docker-compose up -d

客户端配置

1.下载证书

  • 下载客户端证书 ~/vpn-git/config/ipsec.d/clientCert.p12
  • 下载CA 证书 ~/vpn-git/config/ipsec.d/cacerts/caCert.pem

2.导入证书到系统

3.配置vpn链接

1
2
3
4
5
6
类型:IKEv2
服务器:vpn.yuanjianxin.com
远程ID:vpn.yuanjianxin.com
用户鉴定:用户名
用户名:jianxin # ipsec.secrets文件中配置的用户名
密码:123456 # ipsec.secrets文件中配置的密码