对于码农来说,Google上搜索,stackoverflow上提问,twitter上交流,这样的国际化开放平台才是码农成长的空间。但是,目前遇到的一些现实的困难,无可避免的带来一些麻烦,不过这难不倒我们。

让我们来梳理一下需求,

  • 移动设备有随时随地访问海外的需求,特别是Twitter,必须iPhone/Android都支持
  • 电脑有访问海外的需求,例如Google IO 2013的直播,WWDC录像,都在Youtube
  • 电脑想访问都要先拨号后使用,且拨号以后访问国内网站速度慢,需实现策略路由
  • 访问速度要快,不能打开个网页像蜗牛

这样,

  • 我们需要一个VPN
  • 速度要快
  • 实现策略路由

VPN选型

  • OpenVPN iOS设备上需要安装专门的软件,证书导入复杂–放弃
  • PPTP VPN 安全性和NAT穿透性差,我的工作和生活环境有两个路由,还有自建NAT的情况,使用体验慢,效果差-放弃
  • L2TP IPSec VPN IPSec属于高强度加密,L2TP走UDP,NAT穿透好,只要不封闭目的端的指定端口,一般不会出现墙的情况

所以我选择了 L2TP IPSec VPN来解决我的问题

Linode在东京,国内访问速度在 250毫秒左右,速度属于比较快的国外VPS服务器了,我选择的主机操作系统是Ubuntu 12.04 LTS,属于比较常用的操作系统。

Ubuntu上的安装过程就比较简单了:

sudo apt-get install openswan xl2tpd

抱歉,为了基本的安全原因,我的Ubuntu 运行在非root用户下,linode的ubuntu运行在root下,需要进行一下改造,如何改造另文描述


Linode Ubuntu IPSec 提示是否是有X.509证书


Linode Ubuntu IPSec X.509证书 导入还是创建,选择创建


Linode Ubuntu IPSec X.509是否使用自签名,选择使用自签名


Linode Ubuntu IPSec 安装完成

seaman@li600-18:~$ sudo apt-get install openswan xl2tpd
[sudo] password for seaman:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
openswan-modules-source openswan-modules-dkms openswan-doc
The following NEW packages will be installed:
openswan xl2tpd
0 upgraded, 2 newly installed, 0 to remove and 31 not upgraded.
Need to get 1,177 kB of archives.
After this operation, 2,940 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise/universe openswan amd64 1:2.6.37-1 [1,103 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ precise/universe xl2tpd amd64 1.3.1+dfsg-1 [74.1 kB]
Fetched 1,177 kB in 3s (387 kB/s)
Preconfiguring packages ...
Selecting previously unselected package openswan.
(Reading database ... 21184 files and directories currently installed.)
Unpacking openswan (from .../openswan_1%3a2.6.37-1_amd64.deb) ...
Selecting previously unselected package xl2tpd.
Unpacking xl2tpd (from .../xl2tpd_1.3.1+dfsg-1_amd64.deb) ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up openswan (1:2.6.37-1) ...
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to '/etc/ipsec.d/private/li600-18Key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (e.g. server FQDN or YOUR name) []:Email Address []:Successfully created x509 certificate.
ipsec_setup: Starting Openswan IPsec U2.6.37/K3.9.3-x86_64-linode33...
Setting up xl2tpd (1.3.1+dfsg-1) ...
Starting xl2tpd: xl2tpd.

编辑/etc/ipsec.conf,拷贝粘贴即可,注意left服务器IP地址,需要改成您的:

seaman@li600-18:~$ sudo vi /etc/ipsec.conf
[sudo] password for seaman:
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
dpddelay=40
dpdtimeout=130
dpdaction=clear
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=106.186.178.35
leftprotoport=17/1701
right=%any
rightprotoport=17/%any

修改/etc/ipsec.secrets 设置IPSec握手时的Machine Authentication – Shared Secret

seaman@li600-18:~$ sudo vi /etc/ipsec.secrets
[sudo] password for seaman:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
# this file is managed with debconf and will contain the automatically created RSA keys
# include /var/lib/openswan/ipsec.secrets.inc
106.186.178.35 %any: PSK "password"

编辑/etc/xl2tpd/xl2tpd.conf ,配置监听端口和监听服务

seaman@li600-18:~$ sudo vi /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

新建xl2tpd的配置文件,用户拨叫后,服务器的处理流程,这里debug开启后可以在日志中看到详细记录

seaman@li600-18:~$ sudo vi /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

编辑一个密码文件,配置用户名和密码 /etc/ppp.chap-secrets 记得红色字部分换成自己的。这里的l2tpd必须和options文件中的name字段一致。

seaman@li600-18:~$ sudo vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
seaman l2tpd password *

最后,配置一下端口转发,防火墙的规则

seaman@li600-18:~$ sudo vi /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
exit 0

重启相关服务

seaman@li600-18:~$ sudo service ipsec restart
seaman@li600-18:~$ sudo service xl2tpd restart

重启相关服务的日志,如果是这样的日志,那就是正确的:

Jul 15 00:13:19 li600-18 ipsec_setup: Stopping Openswan IPsec...
Jul 15 00:13:20 li600-18 ipsec_setup: ...Openswan IPsec stopped
Jul 15 00:13:20 li600-18 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.9.3-x86_64-linode33...
Jul 15 00:13:20 li600-18 ipsec_setup: Using NETKEY(XFRM) stack
Jul 15 00:13:20 li600-18 ipsec_setup: ...Openswan IPsec started
Jul 15 00:13:20 li600-18 pluto: adjusting ipsec.d to /etc/ipsec.d
Jul 15 00:13:20 li600-18 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jul 15 00:13:21 li600-18 ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Jul 15 00:13:21 li600-18 ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Jul 15 00:13:52 li600-18 xl2tpd[4400]: death_handler: Fatal signal 15 received
Jul 15 00:13:53 li600-18 xl2tpd[5291]: Enabling IPsec SAref processing for L2TP transport mode SAs
Jul 15 00:13:53 li600-18 xl2tpd[5291]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Jul 15 00:13:53 li600-18 xl2tpd[5291]: setsockopt recvref[30]: Protocol not available
Jul 15 00:13:53 li600-18 xl2tpd[5291]: This binary does not support kernel L2TP.
Jul 15 00:13:53 li600-18 xl2tpd[5292]: xl2tpd version xl2tpd-1.3.1 started on li600-18 PID:5292
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Forked by Scott Balmos and David Stipp, (C) 2001
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Inherited by Jeff McAdams, (C) 2002
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Listening on IP address 0.0.0.0, port 1701

最后我会重启服务器,测试一遍是否开机自启,是否iptables配置正确,是否无需人工干预,养成这个好习惯,收益一辈子。

seaman@li600-18:~$ sudo reboot

正确完整的连接服务器日志如下:

Jul 15 00:22:04 li600-18 xl2tpd[5788]: control_finish: Peer requested tunnel 20 twice, ignoring second one.
Jul 15 00:22:05 li600-18 xl2tpd[5788]: Connection established to 124.126.164.85, 65314. Local: 54863, Remote: 20 (ref=0/0). LNS session is 'default'
Jul 15 00:22:05 li600-18 xl2tpd[5788]: start_pppd: I'm running:
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/usr/sbin/pppd"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "passive"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "nodetach"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "10.1.2.1:10.1.2.2"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "refuse-pap"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "refuse-chap"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "auth"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "debug"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "file"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/etc/ppp/options.xl2tpd"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "ipparam"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "124.126.164.85"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/dev/pts/1"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: Call established with 124.126.*.*, Local: 33517, Remote: 8892, Serial: 1
Jul 15 00:22:05 li600-18 pppd[5836]: pppd 2.4.5 started by root, uid 0
Jul 15 00:22:05 li600-18 pppd[5836]: using channel 1
Jul 15 00:22:05 li600-18 pppd[5836]: Using interface ppp0
Jul 15 00:22:05 li600-18 pppd[5836]: Connect: ppp0 /dev/pts/1
Jul 15 00:22:05 li600-18 pppd[5836]: sent [LCP ConfReq id=0x1 ]
Jul 15 00:22:05 li600-18 pppd[5836]: rcvd [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP EchoReq id=0x0 magic=0x6008c32e]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CHAP Challenge id=0xde , name = "l2tpd"]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP EchoReq id=0x0 magic=0x750875db]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP EchoRep id=0x0 magic=0x6008c32e]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP EchoRep id=0x0 magic=0x750875db]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [CHAP Response id=0xde , name = "seaman"]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CHAP Success id=0xde "S=9FDDBC3C524C2C4A504DD75725A4BE1AFCDC033B M=Access granted"]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CCP ConfReq id=0x1 <deflate(old#) 15> ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfNak id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPV6CP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 16 10 9f ff fe d1 fa 47]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
Jul 15 00:22:08 li600-18 pppd[5836]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPCP ConfRej id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfReq id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: rcvd [IPCP ConfReq id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: sent [IPCP ConfAck id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: rcvd [IPCP ConfAck id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: Cannot determine ethernet address for proxy ARP
Jul 15 00:22:09 li600-18 pppd[5836]: local IP address 10.1.2.1
Jul 15 00:22:09 li600-18 pppd[5836]: remote IP address 10.1.2.2
Jul 15 00:22:09 li600-18 pppd[5836]: Script /etc/ppp/ip-up started (pid 5843)
Jul 15 00:22:09 li600-18 pppd[5836]: Script /etc/ppp/ip-up finished (pid 5843), status = 0x0
Jul 15 00:22:09 li600-18 kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
Jul 15 00:22:10 li600-18 ntpd[2533]: Listen normally on 9 ppp0 10.1.2.1 UDP 123
Jul 15 00:22:10 li600-18 ntpd[2533]: peers refreshed
Jul 15 00:22:10 li600-18 ntpd[2533]: new interface(s) found: waking up resolver

服务器的配置到此结束,这样一个完整的IPSec+L2TP VPN就建立起来了,客户端部分怎么配置呢?请看(二)

FAQ:如下的错误如何处理
Jul 15 00:18:58 li600-18 pppd[5800]: The remote system is required to authenticate itself
Jul 15 00:18:58 li600-18 pppd[5800]: but I couldn’t find any suitable secret (password) for it to use to do so.

基本的原因是 /etc/ppp/chap-secrets 不正确,常见的错误有:
1.ipaddress那个*号没填
2.server应该是option.xl2tpd里面制定的那个name字段,是否少些一个d,例如写成xl2tp而不是xl2tpd

更好排版的版本:http://www.seaman.be/view/【详细贴】ubuntu-linode搭建海外策略路由vpn-ipsecl2tp(一).html

【详细贴】Ubuntu Linode搭建海外策略路由VPN IPSec+L2TP(一)的更多相关文章

  1. Ubuntu系统搭建PPTP,VPN

    1.先安装pptp apt-get install pptpd 2.打开pptp的DNS vim /etc/ppp/option.pptpd 去掉下面两行内容前的# ms-dns 8.8.8.8 ms ...

  2. 如何在Ubuntu下搭建tftp服务器

    远程桌面连接工具   今天开始调试arm的板子,要通过tftp下载到板子上,所以又要配置tftp服务器,真的烦死了… (本人酷爱装系统,所以经常都要搞配置) 因为之前已经在Ubuntu下搭建过很多次t ...

  3. 在ubuntu上搭建开发环境3---解决Y470一键系统重装之后恢复ubuntu引导启动的方法

    2015/08/18 将知识.常用的操作整理出来一定要完整,注意细节. 就像下面是再2015.04.27时候整理的,当时确实实验成功了,但是可能忘记记下具体的细节,尤其是3.4.5.6步骤中的关于盘符 ...

  4. Ubuntu server 搭建Git server

    Ubuntu server 搭建Git server,git相比svn,最主要就是分布式了,每个客户端用户的本地都是一个版本管理控制器. Ubuntu server 版本为12.04 搭建步骤如下: ...

  5. Ubuntu上搭建Hadoop环境(单机模式+伪分布模式) (转载)

    Hadoop在处理海量数据分析方面具有独天优势.今天花了在自己的Linux上搭建了伪分布模式,期间经历很多曲折,现在将经验总结如下. 首先,了解Hadoop的三种安装模式: 1. 单机模式. 单机模式 ...

  6. Ubuntu server 搭建Git server【转】

    转自:http://www.cnblogs.com/candle806/p/4064610.html Ubuntu server 搭建Git server,git相比svn,最主要就是分布式了,每个客 ...

  7. ubuntu下搭建android开发环境之超顺畅模拟器

    如果说android系统的卡,像耳边蚊子让人抓狂,那么android模拟器的卡,那就像午睡时的苍蝇.大概就是一样的恶心~~ 那么,这样的问题对于开发者肯定忍无可忍,我也一样,虽然我还没有入门,但我也一 ...

  8. Ubuntu环境搭建svn服务器

    记录一次使用Ubuntu环境搭建svn服务器的详细步骤 一.查看是否已经安装svn 命令:svn如果显示以下信息,说明已安装   二.卸载已安装的svn 命令:sudo apt-get remove ...

  9. 【转】Ubuntu环境搭建svn服务器

    记录一次使用Ubuntu环境搭建svn服务器的详细步骤 一.查看是否已经安装svn 命令:svn如果显示以下信息,说明已安装 二.卸载已安装的svn 命令:sudo apt-get remove -- ...

随机推荐

  1. 微软不也是从Altair Basic这丑小鸭长成白天鹅吗?

    微软不也是从Altair Basic这丑小鸭长成白天鹅吗? February 2015 如果你想要弄清楚初创企业是怎么一回事的话,其中一个非常有价值的尝试是去研究下那些获得巨大成功的公司,去分析下为什 ...

  2. JS时间戳比较大小:对于一组时间戳(开始时间~结束时间)和另一组时间戳进行比较,用于判断被比较时间戳组是否在要求范围内

    /* *JS时间戳比较大小:对于一组时间戳(开始时间~结束时间)和另一组时间戳进行比较,用于判断被比较时间戳组是否在要求范围内 *@param date1 date2(形如:'2015-01-01'类 ...

  3. 安卓CTS官方文档之兼容性测试套件简介-attach

    官方英文文档原文:https://source.android.com/compatibility/cts-intro.html Compatibility Test Suite  兼容性测试套件 H ...

  4. 全局scope与Isolate scope通信

    AngularJS 全局scope与Isolate scope通信 在项目开发时,全局scope 和 directive本地scope使用范围不够清晰,全局scope与directive本地scope ...

  5. Phpstorm配置phpunit对php进行单元测试

    在 phpstorm 中配置 php 项目的单元测试,项目使用 Composer 进行管理,为了避免在项目中直接引入 phpunit 相关代码包,使项目的 vendor 目录变得臃肿,这里采用全局安装 ...

  6. 使用Windows2003的IIS发布网站 - 进阶者系列 - 学习者系列文章

    本系列文章目录:http://www.cnblogs.com/lzhdim/category/277150.html Windows 2003是一款不错的Windows服务器版本.在刚工作的前些年里, ...

  7. Android AES加密算法,现在实际上

    昨天,老板让我来看看android加密算法.于是在网上找了找,发现AES加密算法.(当然,MD5,BASE64什么http://snowolf.iteye.com/blog/379860这篇文章列举了 ...

  8. android gps开发必备资料(含测试demo下载)

    入门资料参考: How accurate is Android GPS? Part 1: Understanding Location Data How accurate is Android GPS ...

  9. Metadata是.NET平台的核心灵魂--(转载)

    (转载)Metadata是.NET平台的核心灵魂 July 7th, 2010 jzli Leave a comment Go to comments 网友来信:李老师,您好!我参加过你去年到我们公司 ...

  10. WebActivator的实现原理详解

    WebActivator的实现原理详解 文章内容 上篇文章,我们分析如何动态注册HttpModule的实现,本篇我们来分析一下通过上篇代码原理实现的WebActivator类库,WebActivato ...