对于码农来说,Google上搜索,stackoverflow上提问,twitter上交流,这样的国际化开放平台才是码农成长的空间。但是,目前遇到的一些现实的困难,无可避免的带来一些麻烦,不过这难不倒我们。

让我们来梳理一下需求,

  • 移动设备有随时随地访问海外的需求,特别是Twitter,必须iPhone/Android都支持
  • 电脑有访问海外的需求,例如Google IO 2013的直播,WWDC录像,都在Youtube
  • 电脑想访问都要先拨号后使用,且拨号以后访问国内网站速度慢,需实现策略路由
  • 访问速度要快,不能打开个网页像蜗牛

这样,

  • 我们需要一个VPN
  • 速度要快
  • 实现策略路由

VPN选型

  • OpenVPN iOS设备上需要安装专门的软件,证书导入复杂–放弃
  • PPTP VPN 安全性和NAT穿透性差,我的工作和生活环境有两个路由,还有自建NAT的情况,使用体验慢,效果差-放弃
  • L2TP IPSec VPN IPSec属于高强度加密,L2TP走UDP,NAT穿透好,只要不封闭目的端的指定端口,一般不会出现墙的情况

所以我选择了 L2TP IPSec VPN来解决我的问题

Linode在东京,国内访问速度在 250毫秒左右,速度属于比较快的国外VPS服务器了,我选择的主机操作系统是Ubuntu 12.04 LTS,属于比较常用的操作系统。

Ubuntu上的安装过程就比较简单了:

sudo apt-get install openswan xl2tpd

抱歉,为了基本的安全原因,我的Ubuntu 运行在非root用户下,linode的ubuntu运行在root下,需要进行一下改造,如何改造另文描述


Linode Ubuntu IPSec 提示是否是有X.509证书


Linode Ubuntu IPSec X.509证书 导入还是创建,选择创建


Linode Ubuntu IPSec X.509是否使用自签名,选择使用自签名


Linode Ubuntu IPSec 安装完成

seaman@li600-18:~$ sudo apt-get install openswan xl2tpd
[sudo] password for seaman:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
openswan-modules-source openswan-modules-dkms openswan-doc
The following NEW packages will be installed:
openswan xl2tpd
0 upgraded, 2 newly installed, 0 to remove and 31 not upgraded.
Need to get 1,177 kB of archives.
After this operation, 2,940 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise/universe openswan amd64 1:2.6.37-1 [1,103 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ precise/universe xl2tpd amd64 1.3.1+dfsg-1 [74.1 kB]
Fetched 1,177 kB in 3s (387 kB/s)
Preconfiguring packages ...
Selecting previously unselected package openswan.
(Reading database ... 21184 files and directories currently installed.)
Unpacking openswan (from .../openswan_1%3a2.6.37-1_amd64.deb) ...
Selecting previously unselected package xl2tpd.
Unpacking xl2tpd (from .../xl2tpd_1.3.1+dfsg-1_amd64.deb) ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up openswan (1:2.6.37-1) ...
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to '/etc/ipsec.d/private/li600-18Key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (e.g. server FQDN or YOUR name) []:Email Address []:Successfully created x509 certificate.
ipsec_setup: Starting Openswan IPsec U2.6.37/K3.9.3-x86_64-linode33...
Setting up xl2tpd (1.3.1+dfsg-1) ...
Starting xl2tpd: xl2tpd.

编辑/etc/ipsec.conf,拷贝粘贴即可,注意left服务器IP地址,需要改成您的:

seaman@li600-18:~$ sudo vi /etc/ipsec.conf
[sudo] password for seaman:
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
dpddelay=40
dpdtimeout=130
dpdaction=clear
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=106.186.178.35
leftprotoport=17/1701
right=%any
rightprotoport=17/%any

修改/etc/ipsec.secrets 设置IPSec握手时的Machine Authentication – Shared Secret

seaman@li600-18:~$ sudo vi /etc/ipsec.secrets
[sudo] password for seaman:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
# this file is managed with debconf and will contain the automatically created RSA keys
# include /var/lib/openswan/ipsec.secrets.inc
106.186.178.35 %any: PSK "password"

编辑/etc/xl2tpd/xl2tpd.conf ,配置监听端口和监听服务

seaman@li600-18:~$ sudo vi /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

新建xl2tpd的配置文件,用户拨叫后,服务器的处理流程,这里debug开启后可以在日志中看到详细记录

seaman@li600-18:~$ sudo vi /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

编辑一个密码文件,配置用户名和密码 /etc/ppp.chap-secrets 记得红色字部分换成自己的。这里的l2tpd必须和options文件中的name字段一致。

seaman@li600-18:~$ sudo vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
seaman l2tpd password *

最后,配置一下端口转发,防火墙的规则

seaman@li600-18:~$ sudo vi /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart
exit 0

重启相关服务

seaman@li600-18:~$ sudo service ipsec restart
seaman@li600-18:~$ sudo service xl2tpd restart

重启相关服务的日志,如果是这样的日志,那就是正确的:

Jul 15 00:13:19 li600-18 ipsec_setup: Stopping Openswan IPsec...
Jul 15 00:13:20 li600-18 ipsec_setup: ...Openswan IPsec stopped
Jul 15 00:13:20 li600-18 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.9.3-x86_64-linode33...
Jul 15 00:13:20 li600-18 ipsec_setup: Using NETKEY(XFRM) stack
Jul 15 00:13:20 li600-18 ipsec_setup: ...Openswan IPsec started
Jul 15 00:13:20 li600-18 pluto: adjusting ipsec.d to /etc/ipsec.d
Jul 15 00:13:20 li600-18 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jul 15 00:13:21 li600-18 ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Jul 15 00:13:21 li600-18 ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Jul 15 00:13:52 li600-18 xl2tpd[4400]: death_handler: Fatal signal 15 received
Jul 15 00:13:53 li600-18 xl2tpd[5291]: Enabling IPsec SAref processing for L2TP transport mode SAs
Jul 15 00:13:53 li600-18 xl2tpd[5291]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Jul 15 00:13:53 li600-18 xl2tpd[5291]: setsockopt recvref[30]: Protocol not available
Jul 15 00:13:53 li600-18 xl2tpd[5291]: This binary does not support kernel L2TP.
Jul 15 00:13:53 li600-18 xl2tpd[5292]: xl2tpd version xl2tpd-1.3.1 started on li600-18 PID:5292
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Forked by Scott Balmos and David Stipp, (C) 2001
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Inherited by Jeff McAdams, (C) 2002
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Jul 15 00:13:53 li600-18 xl2tpd[5292]: Listening on IP address 0.0.0.0, port 1701

最后我会重启服务器,测试一遍是否开机自启,是否iptables配置正确,是否无需人工干预,养成这个好习惯,收益一辈子。

seaman@li600-18:~$ sudo reboot

正确完整的连接服务器日志如下:

Jul 15 00:22:04 li600-18 xl2tpd[5788]: control_finish: Peer requested tunnel 20 twice, ignoring second one.
Jul 15 00:22:05 li600-18 xl2tpd[5788]: Connection established to 124.126.164.85, 65314. Local: 54863, Remote: 20 (ref=0/0). LNS session is 'default'
Jul 15 00:22:05 li600-18 xl2tpd[5788]: start_pppd: I'm running:
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/usr/sbin/pppd"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "passive"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "nodetach"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "10.1.2.1:10.1.2.2"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "refuse-pap"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "refuse-chap"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "auth"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "debug"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "file"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/etc/ppp/options.xl2tpd"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "ipparam"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "124.126.164.85"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/dev/pts/1"
Jul 15 00:22:05 li600-18 xl2tpd[5788]: Call established with 124.126.*.*, Local: 33517, Remote: 8892, Serial: 1
Jul 15 00:22:05 li600-18 pppd[5836]: pppd 2.4.5 started by root, uid 0
Jul 15 00:22:05 li600-18 pppd[5836]: using channel 1
Jul 15 00:22:05 li600-18 pppd[5836]: Using interface ppp0
Jul 15 00:22:05 li600-18 pppd[5836]: Connect: ppp0 /dev/pts/1
Jul 15 00:22:05 li600-18 pppd[5836]: sent [LCP ConfReq id=0x1 ]
Jul 15 00:22:05 li600-18 pppd[5836]: rcvd [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ConfAck id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP EchoReq id=0x0 magic=0x6008c32e]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CHAP Challenge id=0xde , name = "l2tpd"]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP EchoReq id=0x0 magic=0x750875db]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP EchoRep id=0x0 magic=0x6008c32e]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP EchoRep id=0x0 magic=0x750875db]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [CHAP Response id=0xde , name = "seaman"]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CHAP Success id=0xde "S=9FDDBC3C524C2C4A504DD75725A4BE1AFCDC033B M=Access granted"]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [CCP ConfReq id=0x1 <deflate(old#) 15> ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPCP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfNak id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPV6CP ConfReq id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 16 10 9f ff fe d1 fa 47]
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
Jul 15 00:22:08 li600-18 pppd[5836]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPCP ConfRej id=0x1 ]
Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfReq id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: rcvd [IPCP ConfReq id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: sent [IPCP ConfAck id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: rcvd [IPCP ConfAck id=0x2 ]
Jul 15 00:22:09 li600-18 pppd[5836]: Cannot determine ethernet address for proxy ARP
Jul 15 00:22:09 li600-18 pppd[5836]: local IP address 10.1.2.1
Jul 15 00:22:09 li600-18 pppd[5836]: remote IP address 10.1.2.2
Jul 15 00:22:09 li600-18 pppd[5836]: Script /etc/ppp/ip-up started (pid 5843)
Jul 15 00:22:09 li600-18 pppd[5836]: Script /etc/ppp/ip-up finished (pid 5843), status = 0x0
Jul 15 00:22:09 li600-18 kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
Jul 15 00:22:10 li600-18 ntpd[2533]: Listen normally on 9 ppp0 10.1.2.1 UDP 123
Jul 15 00:22:10 li600-18 ntpd[2533]: peers refreshed
Jul 15 00:22:10 li600-18 ntpd[2533]: new interface(s) found: waking up resolver

服务器的配置到此结束,这样一个完整的IPSec+L2TP VPN就建立起来了,客户端部分怎么配置呢?请看(二)

FAQ:如下的错误如何处理
Jul 15 00:18:58 li600-18 pppd[5800]: The remote system is required to authenticate itself
Jul 15 00:18:58 li600-18 pppd[5800]: but I couldn’t find any suitable secret (password) for it to use to do so.

基本的原因是 /etc/ppp/chap-secrets 不正确,常见的错误有:
1.ipaddress那个*号没填
2.server应该是option.xl2tpd里面制定的那个name字段,是否少些一个d,例如写成xl2tp而不是xl2tpd

更好排版的版本:http://www.seaman.be/view/【详细贴】ubuntu-linode搭建海外策略路由vpn-ipsecl2tp(一).html

【详细贴】Ubuntu Linode搭建海外策略路由VPN IPSec+L2TP(一)的更多相关文章

  1. Ubuntu系统搭建PPTP,VPN

    1.先安装pptp apt-get install pptpd 2.打开pptp的DNS vim /etc/ppp/option.pptpd 去掉下面两行内容前的# ms-dns 8.8.8.8 ms ...

  2. 如何在Ubuntu下搭建tftp服务器

    远程桌面连接工具   今天开始调试arm的板子,要通过tftp下载到板子上,所以又要配置tftp服务器,真的烦死了… (本人酷爱装系统,所以经常都要搞配置) 因为之前已经在Ubuntu下搭建过很多次t ...

  3. 在ubuntu上搭建开发环境3---解决Y470一键系统重装之后恢复ubuntu引导启动的方法

    2015/08/18 将知识.常用的操作整理出来一定要完整,注意细节. 就像下面是再2015.04.27时候整理的,当时确实实验成功了,但是可能忘记记下具体的细节,尤其是3.4.5.6步骤中的关于盘符 ...

  4. Ubuntu server 搭建Git server

    Ubuntu server 搭建Git server,git相比svn,最主要就是分布式了,每个客户端用户的本地都是一个版本管理控制器. Ubuntu server 版本为12.04 搭建步骤如下: ...

  5. Ubuntu上搭建Hadoop环境(单机模式+伪分布模式) (转载)

    Hadoop在处理海量数据分析方面具有独天优势.今天花了在自己的Linux上搭建了伪分布模式,期间经历很多曲折,现在将经验总结如下. 首先,了解Hadoop的三种安装模式: 1. 单机模式. 单机模式 ...

  6. Ubuntu server 搭建Git server【转】

    转自:http://www.cnblogs.com/candle806/p/4064610.html Ubuntu server 搭建Git server,git相比svn,最主要就是分布式了,每个客 ...

  7. ubuntu下搭建android开发环境之超顺畅模拟器

    如果说android系统的卡,像耳边蚊子让人抓狂,那么android模拟器的卡,那就像午睡时的苍蝇.大概就是一样的恶心~~ 那么,这样的问题对于开发者肯定忍无可忍,我也一样,虽然我还没有入门,但我也一 ...

  8. Ubuntu环境搭建svn服务器

    记录一次使用Ubuntu环境搭建svn服务器的详细步骤 一.查看是否已经安装svn 命令:svn如果显示以下信息,说明已安装   二.卸载已安装的svn 命令:sudo apt-get remove ...

  9. 【转】Ubuntu环境搭建svn服务器

    记录一次使用Ubuntu环境搭建svn服务器的详细步骤 一.查看是否已经安装svn 命令:svn如果显示以下信息,说明已安装 二.卸载已安装的svn 命令:sudo apt-get remove -- ...

随机推荐

  1. IISExpress配置文件

    ASP.NET MVC IISExpress配置文件的一个坑 现象: 昨天在处理PBS系统问题的时候意外发现两个js错误(而同样的代码在同事机器上都没有问题),如下图. 图1 图2 图3 原因分析: ...

  2. PHP 16: MySql的数据库访问

    原文:PHP 16: MySql的数据库访问 本章介绍PHP访问MySql的方法.如果你对MySQL不是很清晰,可以参看PHP 17: MySQL的简单介绍.对于数据库的操作,无非就是以下几个点: 如 ...

  3. Tomcat集群+Nginx+Redis服务搭建

    由于公司新业务突然上来了,单个Tomcat实例已经不能满足业务发展的需要了,只能通过搭建集群来解决问题了.所以就出现了下面的内容: 1.Redis保存Session信息 为了保存Session信息在集 ...

  4. Lyx输入中文与代码高亮

    如果您看了我的这个随笔:<OpenSUSE 13.2安装Texlive2014+Texmaker+Lyx> (一)LyX中文 打开Lyx直接新建开始使用,那么输入的中文会是编译失败的,疑? ...

  5. 根据当前登录域账号 获取AD用户姓名和所在OU目录

    #region 根据当前登录域账号 获取AD用户姓名和所在OU目录 /// <summary> /// 根据当前登录域账号 获取AD用户姓名和所在OU目录 返回域用户是否存在 /// &l ...

  6. ajax 请求数据

    <!doctype html> <html> <head> <meta charset="utf-8"> <title> ...

  7. 如何使用SetTimer MFC 不够具体

    转会:http://blog.csdn.net/ellor/article/details/1714741 Timer事件,即定时器事件,是在游戏编程中.常常使用的一个事件.借助它能够产生定时运行动作 ...

  8. C# 导入导出excel文件案例

    个人总结导出excel报表的案例: //导出报表 protected void btnExport_Click(object sender, EventArgs e) { List<ProOut ...

  9. 目前比较流行的Python科学计算发行版

    经常有身边的学友问到用什么Python发行版比较好? 其实目前比较流行的Python科学计算发行版,主要有这么几个: Python(x,y) GUI基于PyQt,曾经是功能最全也是最强大的,而且是Wi ...

  10. Jetbrains 系列神器

    PRODUCTS IntelliJ IDEA ReSharper WebStorm PhpStorm PyCharm RubyMine AppCode YouTrack TeamCity dotTra ...