对于码农来说,Google上搜索,stackoverflow上提问,twitter上交流,这样的国际化开放平台才是码农成长的空间。但是,目前遇到的一些现实的困难,无可避免的带来一些麻烦,不过这难不倒我们。

让我们来梳理一下需求,

  • 移动设备有随时随地访问海外的需求,特别是Twitter,必须iPhone/Android都支持
  • 电脑有访问海外的需求,例如Google IO 2013的直播,WWDC录像,都在Youtube
  • 电脑想访问都要先拨号后使用,且拨号以后访问国内网站速度慢,需实现策略路由
  • 访问速度要快,不能打开个网页像蜗牛

这样,

  • 我们需要一个VPN
  • 速度要快
  • 实现策略路由

VPN选型

  • OpenVPN iOS设备上需要安装专门的软件,证书导入复杂–放弃
  • PPTP VPN 安全性和NAT穿透性差,我的工作和生活环境有两个路由,还有自建NAT的情况,使用体验慢,效果差-放弃
  • L2TP IPSec VPN IPSec属于高强度加密,L2TP走UDP,NAT穿透好,只要不封闭目的端的指定端口,一般不会出现墙的情况

所以我选择了 L2TP IPSec VPN来解决我的问题

Linode在东京,国内访问速度在 250毫秒左右,速度属于比较快的国外VPS服务器了,我选择的主机操作系统是Ubuntu 12.04 LTS,属于比较常用的操作系统。

Ubuntu上的安装过程就比较简单了:

sudo apt-get install openswan xl2tpd

抱歉,为了基本的安全原因,我的Ubuntu 运行在非root用户下,linode的ubuntu运行在root下,需要进行一下改造,如何改造另文描述


Linode Ubuntu IPSec 提示是否是有X.509证书


Linode Ubuntu IPSec X.509证书 导入还是创建,选择创建


Linode Ubuntu IPSec X.509是否使用自签名,选择使用自签名


Linode Ubuntu IPSec 安装完成

seaman@li600-18:~$ sudo apt-get install openswan xl2tpd
[sudo] password for seaman:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
openswan-modules-source openswan-modules-dkms openswan-doc
The following NEW packages will be installed:
openswan xl2tpd
0 upgraded, 2 newly installed, 0 to remove and 31 not upgraded.
Need to get 1,177 kB of archives.
After this operation, 2,940 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise/universe openswan amd64 1:2.6.37-1 [1,103 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ precise/universe xl2tpd amd64 1.3.1+dfsg-1 [74.1 kB]
Fetched 1,177 kB in 3s (387 kB/s)
Preconfiguring packages ...
Selecting previously unselected package openswan.
(Reading database ... 21184 files and directories currently installed.)
Unpacking openswan (from .../openswan_1%3a2.6.37-1_amd64.deb) ...
Selecting previously unselected package xl2tpd.
Unpacking xl2tpd (from .../xl2tpd_1.3.1+dfsg-1_amd64.deb) ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up openswan (1:2.6.37-1) ...
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to '/etc/ipsec.d/private/li600-18Key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (e.g. server FQDN or YOUR name) []:Email Address []:Successfully created x509 certificate.
ipsec_setup: Starting Openswan IPsec U2.6.37/K3.9.3-x86_64-linode33...
Setting up xl2tpd (1.3.1+dfsg-1) ...
Starting xl2tpd: xl2tpd.

编辑/etc/ipsec.conf,拷贝粘贴即可,注意left服务器IP地址,需要改成您的:

seaman@li600-18:~$ sudo vi /etc/ipsec.conf
[sudo] password for seaman:
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
dpddelay=40
dpdtimeout=130
dpdaction=clear
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=106.186.178.35
leftprotoport=17/1701
right=%any
rightprotoport=17/%any

修改/etc/ipsec.secrets 设置IPSec握手时的Machine Authentication – Shared Secret

seaman@li600-18:~$ sudo vi /etc/ipsec.secrets
[sudo] password for seaman:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
# this file is managed with debconf and will contain the automatically created RSA keys
# include /var/lib/openswan/ipsec.secrets.inc
106.186.178.35 %any: PSK "password"

编辑/etc/xl2tpd/xl2tpd.conf ,配置监听端口和监听服务

seaman@li600-18:~$ sudo vi /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

新建xl2tpd的配置文件,用户拨叫后,服务器的处理流程,这里debug开启后可以在日志中看到详细记录

seaman@li600-18:~$ sudo vi /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

编辑一个密码文件,配置用户名和密码 /etc/ppp.chap-secrets 记得红色字部分换成自己的。这里的l2tpd必须和options文件中的name字段一致。

seaman@li600-18:~$ sudo vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
seaman l2tpd password *

最后,配置一下端口转发,防火墙的规则

seaman@li600-18:~$ sudo vi /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
exit 0

重启相关服务

seaman@li600-18:~$ sudo service ipsec restart
seaman@li600-18:~$ sudo service xl2tpd restart

重启相关服务的日志,如果是这样的日志,那就是正确的:

Jul 15 00:13:19 li600-18 ipsec_setup: Stopping Openswan IPsec...
Jul 15 00:13:20 li600-18 ipsec_setup: ...Openswan IPsec stopped
Jul 15 00:13:20 li600-18 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.9.3-x86_64-linode33...
Jul 15 00:13:20 li600-18 ipsec_setup: Using NETKEY(XFRM) stack
Jul 15 00:13:20 li600-18 ipsec_setup: ...Openswan IPsec started
Jul 15 00:13:20 li600-18 pluto: adjusting ipsec.d to /etc/ipsec.d
Jul 15 00:13:20 li600-18 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jul 15 00:13:21 li600-18 ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Jul 15 00:13:21 li600-18 ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Jul 15 00:13:52 li600-18 xl2tpd[4400]: death_handler: Fatal signal 15 received
Jul 15 00:13:53 li600-18 xl2tpd[5291]: Enabling IPsec SAref processing for L2TP transport mode SAs
Jul 15 00:13:53 li600-18 xl2tpd[5291]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Jul 15 00:13:53 li600-18 xl2tpd[5291]: setsockopt recvref[30]: Protocol not available
Jul 15 00:13:53 li600-18 xl2tpd[5291]: This binary does not support kernel L2TP.
Jul 15 00:13:53 li600-18 xl2tpd[5292]: xl2tpd version xl2tpd-1.3.1 started on li600-18 PID:5292
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Forked by Scott Balmos and David Stipp, (C) 2001
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Inherited by Jeff McAdams, (C) 2002
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Listening on IP address 0.0.0.0, port 1701

最后我会重启服务器,测试一遍是否开机自启,是否iptables配置正确,是否无需人工干预,养成这个好习惯,收益一辈子。

seaman@li600-18:~$ sudo reboot

正确完整的连接服务器日志如下:

Jul 15 00:22:04 li600-18 xl2tpd[5788]: control_finish: Peer requested tunnel 20 twice, ignoring second one.
Jul 15 00:22:05 li600-18 xl2tpd[5788]: Connection established to 124.126.164.85, 65314. Local: 54863, Remote: 20 (ref=0/0). LNS session is 'default'
Jul 15 00:22:05 li600-18 xl2tpd[5788]: start_pppd: I'm running:
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/usr/sbin/pppd"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "passive"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "nodetach"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "10.1.2.1:10.1.2.2"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "refuse-pap"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "refuse-chap"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "auth"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "debug"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "file"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/etc/ppp/options.xl2tpd"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "ipparam"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "124.126.164.85"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/dev/pts/1"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: Call established with 124.126.*.*, Local: 33517, Remote: 8892, Serial: 1
Jul 15 00:22:05 li600-18 pppd[5836]: pppd 2.4.5 started by root, uid 0
Jul 15 00:22:05 li600-18 pppd[5836]: using channel 1
Jul 15 00:22:05 li600-18 pppd[5836]: Using interface ppp0
Jul 15 00:22:05 li600-18 pppd[5836]: Connect: ppp0 /dev/pts/1
Jul 15 00:22:05 li600-18 pppd[5836]: sent [LCP ConfReq id=0x1 ]
Jul 15 00:22:05 li600-18 pppd[5836]: rcvd [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP EchoReq id=0x0 magic=0x6008c32e]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CHAP Challenge id=0xde , name = "l2tpd"]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP EchoReq id=0x0 magic=0x750875db]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP EchoRep id=0x0 magic=0x6008c32e]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP EchoRep id=0x0 magic=0x750875db]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [CHAP Response id=0xde , name = "seaman"]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CHAP Success id=0xde "S=9FDDBC3C524C2C4A504DD75725A4BE1AFCDC033B M=Access granted"]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CCP ConfReq id=0x1 <deflate(old#) 15> ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfNak id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPV6CP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 16 10 9f ff fe d1 fa 47]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
Jul 15 00:22:08 li600-18 pppd[5836]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPCP ConfRej id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfReq id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: rcvd [IPCP ConfReq id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: sent [IPCP ConfAck id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: rcvd [IPCP ConfAck id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: Cannot determine ethernet address for proxy ARP
Jul 15 00:22:09 li600-18 pppd[5836]: local IP address 10.1.2.1
Jul 15 00:22:09 li600-18 pppd[5836]: remote IP address 10.1.2.2
Jul 15 00:22:09 li600-18 pppd[5836]: Script /etc/ppp/ip-up started (pid 5843)
Jul 15 00:22:09 li600-18 pppd[5836]: Script /etc/ppp/ip-up finished (pid 5843), status = 0x0
Jul 15 00:22:09 li600-18 kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
Jul 15 00:22:10 li600-18 ntpd[2533]: Listen normally on 9 ppp0 10.1.2.1 UDP 123
Jul 15 00:22:10 li600-18 ntpd[2533]: peers refreshed
Jul 15 00:22:10 li600-18 ntpd[2533]: new interface(s) found: waking up resolver

服务器的配置到此结束,这样一个完整的IPSec+L2TP VPN就建立起来了,客户端部分怎么配置呢?请看(二)

FAQ:如下的错误如何处理
Jul 15 00:18:58 li600-18 pppd[5800]: The remote system is required to authenticate itself
Jul 15 00:18:58 li600-18 pppd[5800]: but I couldn’t find any suitable secret (password) for it to use to do so.

基本的原因是 /etc/ppp/chap-secrets 不正确,常见的错误有:
1.ipaddress那个*号没填
2.server应该是option.xl2tpd里面制定的那个name字段,是否少些一个d,例如写成xl2tp而不是xl2tpd

更好排版的版本:http://www.seaman.be/view/【详细贴】ubuntu-linode搭建海外策略路由vpn-ipsecl2tp(一).html

【详细贴】Ubuntu Linode搭建海外策略路由VPN IPSec+L2TP(一)的更多相关文章

  1. Ubuntu系统搭建PPTP,VPN

    1.先安装pptp apt-get install pptpd 2.打开pptp的DNS vim /etc/ppp/option.pptpd 去掉下面两行内容前的# ms-dns 8.8.8.8 ms ...

  2. 如何在Ubuntu下搭建tftp服务器

    远程桌面连接工具   今天开始调试arm的板子,要通过tftp下载到板子上,所以又要配置tftp服务器,真的烦死了… (本人酷爱装系统,所以经常都要搞配置) 因为之前已经在Ubuntu下搭建过很多次t ...

  3. 在ubuntu上搭建开发环境3---解决Y470一键系统重装之后恢复ubuntu引导启动的方法

    2015/08/18 将知识.常用的操作整理出来一定要完整,注意细节. 就像下面是再2015.04.27时候整理的,当时确实实验成功了,但是可能忘记记下具体的细节,尤其是3.4.5.6步骤中的关于盘符 ...

  4. Ubuntu server 搭建Git server

    Ubuntu server 搭建Git server,git相比svn,最主要就是分布式了,每个客户端用户的本地都是一个版本管理控制器. Ubuntu server 版本为12.04 搭建步骤如下: ...

  5. Ubuntu上搭建Hadoop环境(单机模式+伪分布模式) (转载)

    Hadoop在处理海量数据分析方面具有独天优势.今天花了在自己的Linux上搭建了伪分布模式,期间经历很多曲折,现在将经验总结如下. 首先,了解Hadoop的三种安装模式: 1. 单机模式. 单机模式 ...

  6. Ubuntu server 搭建Git server【转】

    转自:http://www.cnblogs.com/candle806/p/4064610.html Ubuntu server 搭建Git server,git相比svn,最主要就是分布式了,每个客 ...

  7. ubuntu下搭建android开发环境之超顺畅模拟器

    如果说android系统的卡,像耳边蚊子让人抓狂,那么android模拟器的卡,那就像午睡时的苍蝇.大概就是一样的恶心~~ 那么,这样的问题对于开发者肯定忍无可忍,我也一样,虽然我还没有入门,但我也一 ...

  8. Ubuntu环境搭建svn服务器

    记录一次使用Ubuntu环境搭建svn服务器的详细步骤 一.查看是否已经安装svn 命令:svn如果显示以下信息,说明已安装   二.卸载已安装的svn 命令:sudo apt-get remove ...

  9. 【转】Ubuntu环境搭建svn服务器

    记录一次使用Ubuntu环境搭建svn服务器的详细步骤 一.查看是否已经安装svn 命令:svn如果显示以下信息,说明已安装 二.卸载已安装的svn 命令:sudo apt-get remove -- ...

随机推荐

  1. Linq to Sql:N层应用中的查询(上) : 返回自定义实体

    原文:Linq to Sql:N层应用中的查询(上) : 返回自定义实体 如果允许在UI层直接访问Linq to Sql的DataContext,可以省去很多问题,譬如在处理多表join的时候,我们使 ...

  2. oracle存储过程+游标处理select数据

    create or replace PROCEDURE UPDATE_RECORDCODE is cursor location_data is select * from location wher ...

  3. 防止tab页重复的去请求服务端

    直接看图吧. 左边是企业树,右边是依据企业变化的一个tab页 实现功能:1.我们希望假设选中的企业不变,我们在切换旁边五个tab页的时候,仅仅是第一次进去的时候请求server端.以下来回切换tab页 ...

  4. C#中抽象类和接口的区别

    原文:C#中抽象类和接口的区别 大家在编程时都容易把抽象类和接口搞混,下面为大家从概念上讲解抽象类和接口的区别: 一.抽象类: 含有abstract修饰符的class即为抽象类,抽象类是特殊的类,只是 ...

  5. QtNetwork说明(两)使用QT实现360的ctrl+ctrl特征

    头文字说明: <span style="font-size:18px;">#ifndef GOOGLESUGGEST_H #define GOOGLESUGGEST_H ...

  6. Scala Web 框架——Lift(一)准备工作

    [Lift]Scala Web 框架——Lift(一)准备工作 Lift 官方网站:http://liftweb.net/ 下载 http://liftweb.net/download 下载.zip压 ...

  7. 我的Android 4 学习系列之使用 Internet 资源

    目录 连接Internet资源 分析XML资源 使用Download Manager下载文件 查询Download manager 使用Account Manager 对 Google App Eng ...

  8. VS生产的编辑方法和编辑窗体

    MVC5入门学习系列⑤   检查VS生产的编辑方法和编辑窗体 前面我们一步使用强类型,然后创建Controller(控制器)的时候,VS默认已经给我们把CURD都简单的实现了.这篇的话就简单的看下它默 ...

  9. .net开发框架设计

    转WisDom .net开发框架设计   WisDom .net 框架设计 1. 为啥要弄 2014 年我已经是我们参加工作的第六年,也做过不少项目,但是发现自己没有代码积累.这里利用业余时间梳理一下 ...

  10. Binder机制,从Java到C (9. IPC通信过程)

    1.一次IPC通信過程的幾個步驟 一次通信过程简单的说有下面5个步骤,第一眼看上去,肯定不知道什么玩意,多看几遍,慢慢看,其实是能理解的. 1. Client将数据封装成Parcel. (前面已经讲过 ...