For programmers, searching on Google, asking on Stack Overflow and chatting on Twitter are the open, international platforms where we grow. Some present-day realities unavoidably get in the way, but that is nothing we cannot work around.

Let us first lay out the requirements:

  • Mobile devices need to reach overseas sites anywhere, anytime, Twitter in particular, and both iPhone and Android must be supported
  • Computers need overseas access too, for example the Google I/O 2013 live stream and the WWDC recordings, which are on YouTube
  • On the computer I do not want to dial in before every use, and once dialed in, domestic sites become slow, so policy routing is needed
  • It has to be fast; pages must not crawl like a snail

So:

  • We need a VPN
  • It has to be fast
  • It has to support policy routing

Choosing a VPN

  • OpenVPN: iOS devices need a dedicated app and importing certificates is cumbersome (dropped)
  • PPTP: weak security and poor NAT traversal; my work and home networks each sit behind two routers plus a NAT I built myself, and the experience was slow and unreliable (dropped)
  • L2TP/IPsec: IPsec provides strong encryption, L2TP runs over UDP so it traverses NAT well, and as long as the required UDP ports on the destination side are not blocked it generally does not get walled

So I chose L2TP/IPsec to solve my problem.

Linode in Tokyo gives about 250 ms round-trip from China, which is fast for an overseas VPS. The host OS I chose is Ubuntu 12.04 LTS, a very common choice.

Installation on Ubuntu is straightforward:

    sudo apt-get install openswan xl2tpd

Apologies: for basic security reasons my Ubuntu runs under a non-root user, while Linode's Ubuntu runs as root, so it needs some adjustment; how to do that is described in a separate post.


(screenshot) Linode Ubuntu IPsec: debconf asks whether you have an X.509 certificate

(screenshot) Linode Ubuntu IPsec: import or create an X.509 certificate; choose create

(screenshot) Linode Ubuntu IPsec: use a self-signed X.509 certificate? choose yes

(screenshot) Linode Ubuntu IPsec: installation complete

    seaman@li600-18:~$ sudo apt-get install openswan xl2tpd
    [sudo] password for seaman:
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Suggested packages:
      openswan-modules-source openswan-modules-dkms openswan-doc
    The following NEW packages will be installed:
      openswan xl2tpd
    0 upgraded, 2 newly installed, 0 to remove and 31 not upgraded.
    Need to get 1,177 kB of archives.
    After this operation, 2,940 kB of additional disk space will be used.
    Get:1 http://us.archive.ubuntu.com/ubuntu/ precise/universe openswan amd64 1:2.6.37-1 [1,103 kB]
    Get:2 http://us.archive.ubuntu.com/ubuntu/ precise/universe xl2tpd amd64 1.3.1+dfsg-1 [74.1 kB]
    Fetched 1,177 kB in 3s (387 kB/s)
    Preconfiguring packages ...
    Selecting previously unselected package openswan.
    (Reading database ... 21184 files and directories currently installed.)
    Unpacking openswan (from .../openswan_1%3a2.6.37-1_amd64.deb) ...
    Selecting previously unselected package xl2tpd.
    Unpacking xl2tpd (from .../xl2tpd_1.3.1+dfsg-1_amd64.deb) ...
    Processing triggers for ureadahead ...
    Processing triggers for man-db ...
    Setting up openswan (1:2.6.37-1) ...
    Generating a 2048 bit RSA private key
    ....................+++
    .............+++
    writing new private key to '/etc/ipsec.d/private/li600-18Key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:
    Successfully created x509 certificate.
    ipsec_setup: Starting Openswan IPsec U2.6.37/K3.9.3-x86_64-linode33...
    Setting up xl2tpd (1.3.1+dfsg-1) ...
    Starting xl2tpd: xl2tpd.

Edit /etc/ipsec.conf; you can copy and paste the following, but note that left is the server's public IP address and must be changed to yours:

    seaman@li600-18:~$ sudo vi /etc/ipsec.conf
    [sudo] password for seaman:
    version 2.0
    config setup
        nat_traversal=yes
        # private ranges clients may sit behind when they come through NAT
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey

    # clients behind NAT: same settings as below plus dead-peer detection
    conn L2TP-PSK-NAT
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
        authby=secret
        # most built-in OS clients do not negotiate PFS for L2TP/IPsec
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        # transport mode: IPsec protects only the L2TP/UDP packets
        type=transport
        # this server's public IP: change it
        left=106.186.178.35
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

Edit /etc/ipsec.secrets to set the pre-shared key used for IPsec Machine Authentication (the "Shared Secret" field on the clients). "password" below is only a placeholder: every client shares this one secret and anyone who learns it can impersonate the server, so use a long random string rather than a word, and keep the file readable by root only.

    seaman@li600-18:~$ sudo vi /etc/ipsec.secrets
    [sudo] password for seaman:
    # This file holds shared secrets or RSA private keys for inter-Pluto
    # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
    # RSA private key for this host, authenticating it to any other host
    # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
    # or configuration of other implementations, can be extracted conveniently
    # with "ipsec showhostkey".
    # this file is managed with debconf and will contain the automatically created RSA keys
    # include /var/lib/openswan/ipsec.secrets.inc
    # <server public IP> %any: PSK "<long random secret>"
    106.186.178.35 %any: PSK "password"

Edit /etc/xl2tpd/xl2tpd.conf to configure the listener and the LNS: the address pool handed to clients, the server's own end of the ppp link, and which authentication is refused:

    seaman@li600-18:~$ sudo vi /etc/xl2tpd/xl2tpd.conf
    [global]
    ipsec saref = yes

    [lns default]
    ; addresses handed to clients, and the server's own end of the ppp link
    ip range = 10.1.2.2-10.1.2.255
    local ip = 10.1.2.1
    ;require chap = yes
    ; refuse plain CHAP and PAP; options.xl2tpd then requires MS-CHAPv2
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes

Create the pppd options file that xl2tpd hands to pppd; it governs what the server does once a user dials in. With debug enabled, the details show up in the log:

    seaman@li600-18:~$ sudo vi /etc/ppp/options.xl2tpd
    # only MS-CHAPv2 is accepted (PAP and CHAP are refused in xl2tpd.conf)
    require-mschap-v2
    # DNS server pushed to the client
    ms-dns 8.8.8.8
    asyncmap 0
    auth
    crtscts
    lock
    hide-password
    modem
    debug
    # server name: the "server" column in chap-secrets must match it
    name l2tpd
    proxyarp
    # drop the link after 4 missed LCP echoes sent 30 s apart
    lcp-echo-interval 30
    lcp-echo-failure 4

Create the password file /etc/ppp/chap-secrets with a username and password; replace seaman and password with your own. The server column (l2tpd here) must match the name option in options.xl2tpd.

    seaman@li600-18:~$ sudo vi /etc/ppp/chap-secrets
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    # replace seaman/password with your own username and a strong password
    seaman l2tpd password *

Finally, configure NAT (port forwarding) and the firewall rules. Note that the MASQUERADE rule below has no source or interface match, so it rewrites everything the server forwards, and nothing restricts UDP 1701 to traffic that arrived under IPsec; it works, but a tighter ruleset is worth having.

    seaman@li600-18:~$ sudo vi /etc/rc.local
    #!/bin/sh -e
    #
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order to enable or disable this script just change the execution
    # bits.
    #
    # By default this script does nothing.
    # NAT for VPN clients (matches every forwarded packet; see the note above)
    iptables --table nat --append POSTROUTING --jump MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # neither accept nor send ICMP redirects on any interface
    for each in /proc/sys/net/ipv4/conf/*
    do
        echo 0 > $each/accept_redirects
        echo 0 > $each/send_redirects
    done
    /etc/init.d/ipsec restart
    exit 0
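The rules in rc.local above do the job, but a practitioner would tighten them: the MASQUERADE rule should match only VPN clients leaving via the public interface, and L2TP's port 1701 should be reachable only through an IPsec SA, because xl2tpd listens on 0.0.0.0:1701 and will otherwise accept an unprotected L2TP session straight onto pppd. The script below is an added example, not code from the original post. It assumes the public interface is eth0, that the ppp pool is 10.1.2.0/24 as set in xl2tpd.conf, and that nothing else on the box manages these chains; IPT=echo lets you dry-run it without root.

```shell
#!/bin/sh
# Added example, not from the original post: a tighter replacement for the
# firewall lines in rc.local. Assumptions: public interface eth0, ppp pool
# 10.1.2.0/24 (from xl2tpd.conf). Set IPT=echo to dry-run as non-root.
WAN_IF="${WAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.1.2.0/24}"
IPT="${IPT:-iptables}"

# One rule per line, in the order they must be applied. Compared with the
# original "iptables -t nat -A POSTROUTING -j MASQUERADE":
#  * NAT is limited to VPN clients leaving via the public interface;
#  * IKE (500), NAT-T (4500) and ESP are accepted from anywhere, as they must be;
#  * L2TP (1701) is accepted only when the packet arrived inside an IPsec SA
#    (iptables policy match) and dropped otherwise;
#  * forwarding is allowed only VPN -> Internet, plus the replies coming back.
vpn_firewall_rules() {
  cat <<EOF
-t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A FORWARD -s $VPN_NET -i ppp+ -o $WAN_IF -j ACCEPT
-A FORWARD -d $VPN_NET -i $WAN_IF -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply every rule in order; stop at the first one iptables rejects.
# The here-document (not a pipe) keeps the loop in the current shell so
# "return" works in every POSIX sh.
vpn_firewall_apply() {
  while read -r rule; do
    [ -n "$rule" ] || continue
    # $rule is meant to be word-split into iptables arguments
    $IPT $rule || return 1
  done <<EOF
$(vpn_firewall_rules)
EOF
}

# The kernel settings from the original rc.local, as a function.
vpn_enable_forwarding() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  for each in /proc/sys/net/ipv4/conf/*; do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
  done
}

# From rc.local, as root:  vpn_enable_forwarding && vpn_firewall_apply
```

Check the policy match is honoured after a client connects with iptables -nvL INPUT: the counter on the "--pol ipsec" rule should rise while the DROP rule below it stays at zero; if the DROP counter rises instead, the L2TP packets are arriving outside IPsec.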

Restart the services:

    seaman@li600-18:~$ sudo service ipsec restart
    seaman@li600-18:~$ sudo service xl2tpd restart

If the restart produces a log like the following, everything is right (the "Fatal signal 15" line is just the old xl2tpd being stopped):

    Jul 15 00:13:19 li600-18 ipsec_setup: Stopping Openswan IPsec...
    Jul 15 00:13:20 li600-18 ipsec_setup: ...Openswan IPsec stopped
    Jul 15 00:13:20 li600-18 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.9.3-x86_64-linode33...
    Jul 15 00:13:20 li600-18 ipsec_setup: Using NETKEY(XFRM) stack
    Jul 15 00:13:20 li600-18 ipsec_setup: ...Openswan IPsec started
    Jul 15 00:13:20 li600-18 pluto: adjusting ipsec.d to /etc/ipsec.d
    Jul 15 00:13:20 li600-18 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
    Jul 15 00:13:21 li600-18 ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
    Jul 15 00:13:21 li600-18 ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
    Jul 15 00:13:52 li600-18 xl2tpd[4400]: death_handler: Fatal signal 15 received
    Jul 15 00:13:53 li600-18 xl2tpd[5291]: Enabling IPsec SAref processing for L2TP transport mode SAs
    Jul 15 00:13:53 li600-18 xl2tpd[5291]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
    Jul 15 00:13:53 li600-18 xl2tpd[5291]: setsockopt recvref[30]: Protocol not available
    Jul 15 00:13:53 li600-18 xl2tpd[5291]: This binary does not support kernel L2TP.
    Jul 15 00:13:53 li600-18 xl2tpd[5292]: xl2tpd version xl2tpd-1.3.1 started on li600-18 PID:5292
    Jul 15 00:13:53 li600-18 xl2tpd[5292]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    Jul 15 00:13:53 li600-18 xl2tpd[5292]: Forked by Scott Balmos and David Stipp, (C) 2001
    Jul 15 00:13:53 li600-18 xl2tpd[5292]: Inherited by Jeff McAdams, (C) 2002
    Jul 15 00:13:53 li600-18 xl2tpd[5292]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    Jul 15 00:13:53 li600-18 xl2tpd[5292]: Listening on IP address 0.0.0.0, port 1701

Finally I reboot the server to verify that everything starts on boot, that the iptables rules are applied correctly and that no manual intervention is needed. Make this a habit and it pays off for life.

    seaman@li600-18:~$ sudo reboot

A correct, complete log of a client connecting to the server looks like this:

    Jul 15 00:22:04 li600-18 xl2tpd[5788]: control_finish: Peer requested tunnel 20 twice, ignoring second one.
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: Connection established to 124.126.164.85, 65314. Local: 54863, Remote: 20 (ref=0/0). LNS session is 'default'
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: start_pppd: I'm running:
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/usr/sbin/pppd"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "passive"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "nodetach"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "10.1.2.1:10.1.2.2"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "refuse-pap"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "refuse-chap"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "auth"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "debug"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "file"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/etc/ppp/options.xl2tpd"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "ipparam"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "124.126.164.85"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: "/dev/pts/1"
    Jul 15 00:22:05 li600-18 xl2tpd[5788]: Call established with 124.126.*.*, Local: 33517, Remote: 8892, Serial: 1
    Jul 15 00:22:05 li600-18 pppd[5836]: pppd 2.4.5 started by root, uid 0
    Jul 15 00:22:05 li600-18 pppd[5836]: using channel 1
    Jul 15 00:22:05 li600-18 pppd[5836]: Using interface ppp0
    Jul 15 00:22:05 li600-18 pppd[5836]: Connect: ppp0 /dev/pts/1
    Jul 15 00:22:05 li600-18 pppd[5836]: sent [LCP ConfReq id=0x1 ]
    Jul 15 00:22:05 li600-18 pppd[5836]: rcvd [LCP ConfAck id=0x1 ]
    Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ConfReq id=0x1 ]
    Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ConfReq id=0x1 ]
    Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ConfAck id=0x1 ]
    Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ConfAck id=0x1 ]
    Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP EchoReq id=0x0 magic=0x6008c32e]
    Jul 15 00:22:08 li600-18 pppd[5836]: sent [CHAP Challenge id=0xde , name = "l2tpd"]
    Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP EchoReq id=0x0 magic=0x750875db]
    Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP EchoRep id=0x0 magic=0x6008c32e]
    Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP EchoRep id=0x0 magic=0x750875db]
    Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [CHAP Response id=0xde , name = "seaman"]
    Jul 15 00:22:08 li600-18 pppd[5836]: sent [CHAP Success id=0xde "S=9FDDBC3C524C2C4A504DD75725A4BE1AFCDC033B M=Access granted"]
    Jul 15 00:22:08 li600-18 pppd[5836]: sent [CCP ConfReq id=0x1 <deflate(old#) 15> ]
    Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfReq id=0x1 ]
    Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPCP ConfReq id=0x1 ]
    Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfNak id=0x1 ]
    Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPV6CP ConfReq id=0x1 ]
    Jul 15 00:22:08 li600-18 pppd[5836]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
    Jul 15 00:22:08 li600-18 pppd[5836]: sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 16 10 9f ff fe d1 fa 47]
    Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
    Jul 15 00:22:08 li600-18 pppd[5836]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
    Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [IPCP ConfRej id=0x1 ]
    Jul 15 00:22:08 li600-18 pppd[5836]: sent [IPCP ConfReq id=0x2 ]
    Jul 15 00:22:09 li600-18 pppd[5836]: rcvd [IPCP ConfReq id=0x2 ]
    Jul 15 00:22:09 li600-18 pppd[5836]: sent [IPCP ConfAck id=0x2 ]
    Jul 15 00:22:09 li600-18 pppd[5836]: rcvd [IPCP ConfAck id=0x2 ]
    Jul 15 00:22:09 li600-18 pppd[5836]: Cannot determine ethernet address for proxy ARP
    Jul 15 00:22:09 li600-18 pppd[5836]: local IP address 10.1.2.1
    Jul 15 00:22:09 li600-18 pppd[5836]: remote IP address 10.1.2.2
    Jul 15 00:22:09 li600-18 pppd[5836]: Script /etc/ppp/ip-up started (pid 5843)
    Jul 15 00:22:09 li600-18 pppd[5836]: Script /etc/ppp/ip-up finished (pid 5843), status = 0x0
    Jul 15 00:22:09 li600-18 kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
    Jul 15 00:22:10 li600-18 ntpd[2533]: Listen normally on 9 ppp0 10.1.2.1 UDP 123
    Jul 15 00:22:10 li600-18 ntpd[2533]: peers refreshed
    Jul 15 00:22:10 li600-18 ntpd[2533]: new interface(s) found: waking up resolver
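Once the server is in use, the same log is the only record of who connected. The awk filter below is an added example, not part of the original post: it reads syslog text on stdin and prints one line per completed login (peer address, CHAP user, assigned VPN address) and one per pppd authentication failure, joining xl2tpd's "Connection established" line to the pppd process it spawned by pid. The sample_log function is a constructed sample, not a real capture, with one success modelled on the log above and one failure modelled on the FAQ error.

```shell
#!/bin/sh
# Added example, not from the original post: summarise VPN logins from the
# syslog lines xl2tpd and pppd write.
#   OK   <peer> <user> <assigned-ip>   for every session that got an address
#   FAIL <peer> no-chap-secret         for every pppd "no suitable secret" error
vpn_sessions() {
  awk '
    # xl2tpd logs the peer before it forks pppd: remember the latest peer.
    /xl2tpd\[[0-9]+\]: Connection established to/ {
      p = $0; sub(/.*established to /, "", p); sub(/,.*/, "", p); peer = p; next
    }
    # Tie each pppd pid to the peer that was current when pppd started.
    match($0, /pppd\[[0-9]+\]: pppd [0-9.]+ started/) {
      pid = substr($0, RSTART + 5); sub(/\].*/, "", pid); bypid[pid] = peer; next
    }
    # CHAP response carries the username the client presented.
    match($0, /pppd\[[0-9]+\]: rcvd \[CHAP Response/) {
      pid = substr($0, RSTART + 5); sub(/\].*/, "", pid)
      u = $0; sub(/.*name = "/, "", u); sub(/".*/, "", u); user[pid] = u; next
    }
    # "remote IP address" is logged once IPCP finished: the session is up.
    match($0, /pppd\[[0-9]+\]: remote IP address/) {
      pid = substr($0, RSTART + 5); sub(/\].*/, "", pid)
      printf "OK %s %s %s\n", bypid[pid], user[pid], $NF; next
    }
    # The FAQ error: chap-secrets had no usable entry for this client.
    match($0, /pppd\[[0-9]+\]: but I couldn.*t find any suitable secret/) {
      pid = substr($0, RSTART + 5); sub(/\].*/, "", pid)
      printf "FAIL %s no-chap-secret\n", bypid[pid]; next
    }
  '
}

# Constructed sample (not a real capture): one failed and one successful login.
sample_log() {
  cat <<'EOF'
Jul 15 00:18:57 li600-18 xl2tpd[5788]: Connection established to 203.0.113.7, 40001. Local: 1, Remote: 2 (ref=0/0). LNS session is 'default'
Jul 15 00:18:58 li600-18 pppd[5800]: pppd 2.4.5 started by root, uid 0
Jul 15 00:18:58 li600-18 pppd[5800]: The remote system is required to authenticate itself
Jul 15 00:18:58 li600-18 pppd[5800]: but I couldn't find any suitable secret (password) for it to use to do so.
Jul 15 00:22:05 li600-18 xl2tpd[5788]: Connection established to 124.126.164.85, 65314. Local: 54863, Remote: 20 (ref=0/0). LNS session is 'default'
Jul 15 00:22:05 li600-18 pppd[5836]: pppd 2.4.5 started by root, uid 0
Jul 15 00:22:08 li600-18 pppd[5836]: rcvd [CHAP Response id=0xde , name = "seaman"]
Jul 15 00:22:09 li600-18 pppd[5836]: local IP address 10.1.2.1
Jul 15 00:22:09 li600-18 pppd[5836]: remote IP address 10.1.2.2
EOF
}

# On the server:  vpn_sessions < /var/log/syslog
# Offline demo:   sample_log | vpn_sessions
```

A burst of FAIL lines from one peer is the pattern to alert on; it is either a client with a typo in its credentials or someone guessing them.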

That concludes the server side: a complete IPsec+L2TP VPN is now up. How are the clients configured? See part two.

FAQ: what to do about the following error
Jul 15 00:18:58 li600-18 pppd[5800]: The remote system is required to authenticate itself
Jul 15 00:18:58 li600-18 pppd[5800]: but I couldn't find any suitable secret (password) for it to use to do so.

The root cause is an incorrect /etc/ppp/chap-secrets. The common mistakes are:
1. The IP address column (the *) was left out
2. The server column must be the name set in options.xl2tpd; check that a letter was not dropped, e.g. l2tp written instead of l2tpd
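Both secrets in this post are literally "password", and the FAQ's two mistakes are easy to catch before restarting anything. The script below is an added example, not code from the original post: it generates random secrets, writes /etc/ipsec.secrets and /etc/ppp/chap-secrets in the formats shown above, and lints chap-secrets against the name in options.xl2tpd. SERVER_IP defaults to the left address from the ipsec.conf above; ROOT is an assumption for testing that redirects the files into a scratch directory (leave it empty on a real server).

```shell
#!/bin/sh
# Added example, not from the original post. Generates the secrets, writes
# them in the ipsec.secrets / chap-secrets formats, and lints chap-secrets
# for the two FAQ mistakes. ROOT (testing assumption) prefixes every path.
ROOT="${ROOT:-}"
SERVER_IP="${SERVER_IP:-106.186.178.35}"   # the "left=" address from ipsec.conf
umask 077                                   # secrets files are root-only

# 32 random bytes, base64: a PSK or password no dictionary attack reaches.
gen_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# ipsec.secrets line:  <server-ip> %any: PSK "<secret>"
write_ipsec_psk() {
  mkdir -p "$ROOT/etc"
  printf '%s %%any: PSK "%s"\n' "$SERVER_IP" "$1" > "$ROOT/etc/ipsec.secrets"
}

# chap-secrets line: client, server (must equal pppd's "name"), secret, IP.
# "*" in the IP column lets pppd hand out any address from the xl2tpd pool.
# Usage: write_chap_user <user> <password> <server-name>
write_chap_user() {
  mkdir -p "$ROOT/etc/ppp"
  printf '%s\t%s\t"%s"\t*\n' "$1" "$3" "$2" >> "$ROOT/etc/ppp/chap-secrets"
}

# Return 0 only if every entry has all four columns and its server column
# equals the "name" in options.xl2tpd; otherwise report to stderr, return 1.
# These are exactly the two causes of "couldn't find any suitable secret".
lint_chap_secrets() {
  want=$(awk '$1 == "name" { print $2 }' "$ROOT/etc/ppp/options.xl2tpd")
  if [ -z "$want" ]; then
    echo "options.xl2tpd has no 'name' line" >&2
    return 1
  fi
  awk -v want="$want" '
    /^[ \t]*#/ || NF == 0 { next }
    NF < 4 { printf "line %d: needs 4 columns (client server secret ip), got %d\n", NR, NF > "/dev/stderr"; bad = 1; next }
    $2 != want { printf "line %d: server \"%s\" does not match name \"%s\"\n", NR, $2, want > "/dev/stderr"; bad = 1 }
    END { exit bad }
  ' "$ROOT/etc/ppp/chap-secrets"
}

# On the server, as root:
#   psk=$(gen_secret); write_ipsec_psk "$psk"; echo "IPsec shared secret: $psk"
#   write_chap_user seaman "$(gen_secret)" l2tpd && lint_chap_secrets
```

The generated PSK is what you type into the client's "Shared Secret" field, so print it once and store it in a password manager; the chap password is per user and is the only thing that differs between users in this setup.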

A better formatted version: http://www.seaman.be/view/【详细贴】ubuntu-linode搭建海外策略路由vpn-ipsecl2tp(一).html
