Configuring an IKEv2 VPN Server on Ubuntu 16.04

Problem

Article 40 of the Constitution has become impossible to make out.

Solution: configure an IKEv2 VPN server on Ubuntu 16.04, on territory outside the Constitution's reach.

1. Choosing the VPN protocol

Open the VPN configuration on iOS and you will see the following screen:

Right, those are the mainstream VPN protocols. The one Gemfield picks in this article is IKEv2, the protocol the mainstream operating systems recommend.

2. Choosing the VPN server software

Gemfield chose StrongSwan, an open-source IPsec daemon (and yes, the daemon process is named charon, which replaced pluto; look the two words up, they are Pluto and its moon).

We will also install StrongSwan's EAP plugin, which lets VPN clients log in with a username and password instead of a client certificate. In KDE's VPN settings dialog, for example, you will see an EAP option. Note what this means for the trust model: the server is authenticated by its certificate, but each client is authenticated only by its EAP-MSCHAPv2 password, so the password is the whole strength of client authentication and should be long and random.

We also need some iptables rules, so we install a tool that persists the new rules across reboots.

gemfield@iZrj9iu3l09ajt2mi6n7pbZ:~$ sudo apt-get install strongswan strongswan-plugin-eap-mschapv2 moreutils iptables-persistent
[sudo] password for gemfield:

3. Installing the certificate

Refer to the CivilNet column article on getting a free HTTPS certificate with letsencrypt on Ubuntu, which uses the certbot tool. The difference here is that certbot is not run against any web server (Apache, Nginx, etc.); it is only used to obtain the four letsencrypt certificate files. The principle is the same: Let's Encrypt must verify that you control the domain name, typically by answering an HTTP challenge on port 80 of the host the name resolves to, so that port must be reachable from the internet while the command runs:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot
$ sudo certbot certonly

If all goes well, certbot produces these four files (symlinks into /etc/letsencrypt/archive, which is where renewals land):

root@us-gemfield-org:~# ls -l /etc/letsencrypt/live/us.gemfield.org/
total 4
lrwxrwxrwx 1 root root 39 Sep 28 18:24 cert.pem -> ../../archive/us.gemfield.org/cert1.pem
lrwxrwxrwx 1 root root 40 Sep 28 18:24 chain.pem -> ../../archive/us.gemfield.org/chain1.pem
lrwxrwxrwx 1 root root 44 Sep 28 18:24 fullchain.pem -> ../../archive/us.gemfield.org/fullchain1.pem
lrwxrwxrwx 1 root root 42 Sep 28 18:24 privkey.pem -> ../../archive/us.gemfield.org/privkey1.pem
-rw-r--r-- 1 root root 543 Sep 28 18:24 README
root@us-gemfield-org:~#

Copy privkey.pem into /etc/ipsec.d/private/:

root@us-gemfield-org:~# cp /etc/letsencrypt/live/us.gemfield.org/privkey.pem /etc/ipsec.d/private/

Copy fullchain.pem into /etc/ipsec.d/certs/:

root@us-gemfield-org:~# cp /etc/letsencrypt/live/us.gemfield.org/fullchain.pem /etc/ipsec.d/certs/

Three things to check after copying. First, cp keeps the source file's mode, so confirm with ls -l that the copied key is not world-readable and chmod 600 it if it is; /etc/ipsec.d/private is root-only, but the file mode still matters. Second, strongSwan reads only the first certificate from the leftcert file, so the intermediate CA contained in fullchain.pem is not sent to clients automatically; if a client rejects the server certificate as untrusted, also copy chain.pem into /etc/ipsec.d/cacerts/. Third, these are copies, not symlinks: a Let's Encrypt certificate expires after 90 days and certbot renews into /etc/letsencrypt/archive, so the copies must be refreshed after every renewal or clients will start failing with an expired certificate.
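To keep those copies current across renewals, here is an added example of a certbot deploy hook; it is not part of the original article or of strongSwan. Recent certbot versions run every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE set to the lineage's live directory; the hook's file name, the use of install(1) to force file modes, and the /etc/ipsec.d layout are this example's assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook that refreshes strongSwan's copies of a
# Let's Encrypt certificate after each renewal.  Install it executable as
# /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh (name chosen here);
# certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<domain> when it runs.
set -eu

# deploy_ipsec_certs LIVE_DIR IPSEC_DIR
#   LIVE_DIR  = /etc/letsencrypt/live/<domain>
#   IPSEC_DIR = strongSwan config root, normally /etc/ipsec.d
deploy_ipsec_certs() {
    live=$1
    ipsecd=$2
    install -d -m 700 "$ipsecd/private"
    install -d -m 755 "$ipsecd/certs" "$ipsecd/cacerts"
    # leftcert= reads only the first certificate of this file
    install -m 644 "$live/fullchain.pem" "$ipsecd/certs/fullchain.pem"
    # intermediate CA, so charon can send the chain to clients
    install -m 644 "$live/chain.pem" "$ipsecd/cacerts/chain.pem"
    # the key must never be world-readable, whatever mode the source has
    install -m 600 "$live/privkey.pem" "$ipsecd/private/privkey.pem"
}

# Ask charon to pick up the new files without stopping the daemon.
# If "ipsec listcerts" still shows the old certificate afterwards, a
# full "ipsec restart" (which drops active tunnels) is required.
reload_strongswan() {
    if command -v ipsec >/dev/null 2>&1; then
        ipsec rereadall   # secrets (the key named in ipsec.secrets) and certs
        ipsec reload      # re-read ipsec.conf
    fi
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_ipsec_certs "$RENEWED_LINEAGE" /etc/ipsec.d
    reload_strongswan
fi
```

Run it once by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/us.gemfield.org to seed the files, then let certbot's renewal timer call it.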

4. Configuring StrongSwan's ipsec.conf

root@us-gemfield-org:~# cp /etc/ipsec.conf /etc/ipsec.conf.original
# empty ipsec.conf
root@us-gemfield-org:~# >/etc/ipsec.conf
# then write ipsec.conf with the following contents
root@us-gemfield-org:~# cat /etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@us.gemfield.org
    leftcert=/etc/ipsec.d/certs/fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
root@us-gemfield-org:~#

Change leftid to your own host name. It must be the name you gave certbot (and the one clients will enter as Remote ID), because the client checks that the server certificate's subjectAltName matches it. Note also that the ike= and esp= lines still accept 3DES, SHA-1 and the 1024-bit MODP group, all of which are deprecated; the trailing "!" makes them strict, so nothing else will be negotiated until you change these lines.
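Recent iOS versions negotiate AES-256 / SHA-256 / DH group 14 (modp2048) by default, so a stricter pair of lines such as ike=aes256-sha256-modp2048,aes256-sha256-ecp384! and esp=aes256gcm16,aes256-sha256! works for them, provided the installed strongSwan supports those algorithms (check with ipsec listalgs); keep a modp1024 proposal only if you must serve old clients that offer nothing better. The script below is an added example, not from the article or from strongSwan: it audits the ike=/esp= lines of an ipsec.conf against a deny-list of its own (WEAK), and the two sample configs it writes are constructed here, one reproducing the proposals above and one hardened as just described.

```shell
#!/bin/sh
# Added example: flag deprecated algorithms in the ike=/esp= proposals of an
# ipsec.conf.  WEAK is this script's own deny-list, not a strongSwan setting.
set -eu
WEAK='3des md5 modp768 modp1024 modp1536 sha1'

# Print every ike=/esp= line of config $1 as "<key> <proposal list>".
proposals() {
    sed -n -e 's/^[[:space:]]*ike=\(.*\)$/ike \1/p' \
           -e 's/^[[:space:]]*esp=\(.*\)$/esp \1/p' "$1"
}

# Split a proposal list (e.g. "aes256-sha1-modp1024,3des-sha1-modp1024!")
# into its tokens and print the ones on the deny-list, sorted, one per line.
weak_tokens() {
    printf '%s\n' "$1" | tr -d '!' | tr ',-' '\n\n' | LC_ALL=C sort -u |
    while read -r tok; do
        for w in $WEAK; do
            if [ "$tok" = "$w" ]; then echo "$tok"; fi
        done
    done
    return 0
}

# Print "<key>: <weak tokens>" for each offending line of config $1.
# Returns 0 when nothing is flagged, 1 otherwise (usable as a CI check).
audit_proposals() {
    report=$(proposals "$1" | while read -r key list; do
        weak=$(weak_tokens "$list" | tr '\n' ' ')
        if [ -n "$weak" ]; then echo "$key: ${weak% }"; fi
    done; true)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample: "weak" reproduces the proposals used in this article,
# "hardened" drops 3DES, SHA-1 and modp1024 in favour of SHA-256, modp2048,
# ecp384 and AES-GCM.
write_sample_conf() {
    if [ "$2" = weak ]; then
        ike='aes256-sha1-modp1024,3des-sha1-modp1024!'
        esp='aes256-sha1,3des-sha1!'
    else
        ike='aes256-sha256-modp2048,aes256-sha256-ecp384!'
        esp='aes256gcm16,aes256-sha256!'
    fi
    cat > "$1" <<EOF
conn ikev2-vpn
    keyexchange=ikev2
    ike=$ike
    esp=$esp
EOF
}

if [ -n "${1:-}" ]; then
    audit_proposals "$1"    # e.g. ./audit-proposals.sh /etc/ipsec.conf
fi
```

Run against the config above it prints "ike: 3des modp1024 sha1" and "esp: 3des sha1" and exits non-zero; against the hardened sample it prints nothing. HMAC-SHA1 for ESP integrity is not broken the way SHA-1 signatures are, but it is on the list because there is no reason to keep negotiating it when SHA-256 is available.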

5. Configuring the VPN username and password

Configure /etc/ipsec.secrets; here you meet the EAP mentioned above again.

# write /etc/ipsec.secrets with the following contents
root@us-gemfield-org:~# cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
us.gemfield.org : RSA "/etc/ipsec.d/private/privkey.pem"
your_username %any% : EAP "your_password"
root@us-gemfield-org:~#

The EAP line stores the password in clear text, because MS-CHAPv2 needs it to verify the client's response, so this file must be readable by root only (chmod 600 /etc/ipsec.secrets). strongSwan can alternatively store the NT hash of the password under the NTLM keyword; see ipsec.secrets(5).

6. StrongSwan's systemd service

StrongSwan's systemd service is named strongswan, as shown below:

root@us-gemfield-org:~# systemctl status strongswan
● strongswan.service - strongSwan IPsec services
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Sun 2017-10-01 00:47:26 CST; 8s ago
  Process: 5589 ExecStopPost=/bin/rm -f /var/run/charon.pid /var/run/starter.charon.pid (code=exited, status=0/SUCCESS)
  Process: 5579 ExecStop=/usr/sbin/ipsec stop (code=exited, status=0/SUCCESS)
  Process: 5561 ExecStart=/usr/sbin/ipsec start (code=exited, status=0/SUCCESS)
  Process: 5556 ExecStartPre=/bin/mkdir -p /var/lock/subsys (code=exited, status=0/SUCCESS)
 Main PID: 885 (code=exited, status=0/SUCCESS)

Oct 01 00:47:26 us-gemfield-org systemd[1]: Starting strongSwan IPsec services...
Oct 01 00:47:26 us-gemfield-org ipsec[5561]: Starting strongSwan 5.3.5 IPsec [starter]...
Oct 01 00:47:26 us-gemfield-org ipsec_starter[5561]: Starting strongSwan 5.3.5 IPsec [starter]...
Oct 01 00:47:26 us-gemfield-org ipsec[5561]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Oct 01 00:47:26 us-gemfield-org ipsec_starter[5561]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Oct 01 00:47:26 us-gemfield-org ipsec[5561]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Oct 01 00:47:26 us-gemfield-org ipsec[5579]: Stopping strongSwan IPsec...
Oct 01 00:47:26 us-gemfield-org systemd[1]: Started strongSwan IPsec services.
root@us-gemfield-org:~#

The usual systemctl operations (start, stop, restart, status) are available.

If you later change /etc/ipsec.secrets, reload it with ipsec rereadsecrets (or ipsec rereadall, which also re-reads the certificates under /etc/ipsec.d). Changes to /etc/ipsec.conf are not covered by rereadall; use ipsec reload for those, which re-reads ipsec.conf without stopping charon. A full ipsec restart (or systemctl restart strongswan) is only needed for changes to charon's own settings. ipsec rereadall bundles several sub-steps:

  • ipsec rereadaacerts
  • ipsec rereadacerts
  • ipsec rereadcacerts
  • ipsec rereadcrls
  • ipsec rereadocspcerts
  • ipsec rereadsecrets
  • ipsec secrets

See the ipsec man page for details.

7. Configuring iptables

# Disable UFW if you've set it up, as it can conflict with the rules we need to configure
root@us-gemfield-org:~# ufw disable
# Then remove any remaining firewall rules created by UFW
root@us-gemfield-org:~# iptables -P INPUT ACCEPT
root@us-gemfield-org:~# iptables -P FORWARD ACCEPT
root@us-gemfield-org:~# iptables -F
root@us-gemfield-org:~# iptables -Z
# To prevent us from being locked out of the SSH session, we'll accept connections that are already accepted.
# We'll also open port 22 (or whichever port you've configured) for future SSH connections to the server.
root@us-gemfield-org:~# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
root@us-gemfield-org:~# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# We'll also need to accept connections on the local loopback interface
root@us-gemfield-org:~# iptables -A INPUT -i lo -j ACCEPT
# Then we'll tell IPTables to accept IPsec connections
# IPsec uses UDP, ports 500 (IKE) and 4500 (NAT traversal)
root@us-gemfield-org:~# iptables -A INPUT -p udp --dport 500 -j ACCEPT
root@us-gemfield-org:~# iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# We'll tell IPTables to forward ESP (Encapsulating Security Payload) traffic
# so the VPN clients will be able to connect. ESP provides additional security
# for our VPN packets as they're traversing untrusted networks
root@us-gemfield-org:~# iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
root@us-gemfield-org:~# iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
# Our VPN server will act as a gateway between the VPN clients and the internet.
# Since the VPN server will only have a single public IP address, we will need
# to configure masquerading to allow the server to request data from the internet
# on behalf of the clients; this will allow traffic to flow from the VPN clients
# to the internet, and vice-versa.
# eth0 is the interface that carries the public IP
root@us-gemfield-org:~# iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
root@us-gemfield-org:~# iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
# Actually, after Gemfield's first pass the VPN connected but could not load web pages; adding the rule below made it work.
# Compared with the rule above it drops -s 10.10.10.0/24. Try without it first; I may also have mistyped a letter the first time.
#root@us-gemfield-org:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# To prevent IP packet fragmentation on some clients, we'll tell IPTables to reduce the size of packets
# by adjusting the packets' maximum segment size. This prevents issues with some VPN clients.
root@us-gemfield-org:~# iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# Persist the rules so they survive a reboot
root@us-gemfield-org:~# netfilter-persistent save
root@us-gemfield-org:~# netfilter-persistent reload

Two caveats. The default policies were set to ACCEPT at the top and never changed, so the INPUT rules above do not yet block anything; once you have confirmed from a fresh SSH login that the port-22 rule works, set iptables -P INPUT DROP and iptables -P FORWARD DROP and save again, otherwise the host accepts every inbound port. And the FORWARD rules match on --pol ipsec on purpose: only traffic that arrived through, or will leave through, the IPsec tunnel is forwarded, so the server does not become an open router for anything else.
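The commands above append with -A, so running them a second time duplicates every rule, and they leave the default policies at ACCEPT. The script below is an added example, not from the article: it applies the same rule set idempotently by testing each rule with -C before appending it, and moves the policy switch to DROP into a separate step so the SSH rule can be verified first. It assumes the article's values (eth0, 10.10.10.0/24, SSH on port 22), all overridable through environment variables, and DRY_RUN=1 prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example: idempotent version of the iptables rules above.
# Assumptions (same as the article): public interface eth0, VPN pool
# 10.10.10.0/24, SSH on port 22.  Override via environment variables.
# DRY_RUN=1 prints the iptables commands instead of running them.
set -eu
PUB_IF=${PUB_IF:-eth0}
VPN_NET=${VPN_NET:-10.10.10.0/24}
SSH_PORT=${SSH_PORT:-22}
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}

# rule TABLE CHAIN match... : append the rule only if it is not already present
# (-C exits non-zero when no identical rule exists in the chain).
rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT -t $table -A $chain $*"
        return 0
    fi
    "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null ||
        "$IPT" -t "$table" -A "$chain" "$@"
}

vpn_firewall() {
    # keep the current SSH session and loopback usable before anything else
    rule filter INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule filter INPUT -i lo -j ACCEPT
    rule filter INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    # IKE and NAT traversal (UDP 500 and 4500)
    rule filter INPUT -p udp --dport 500 -j ACCEPT
    rule filter INPUT -p udp --dport 4500 -j ACCEPT
    # forward only traffic that arrived through, or will leave through, IPsec
    rule filter FORWARD -m policy --pol ipsec --dir in --proto esp -s "$VPN_NET" -j ACCEPT
    rule filter FORWARD -m policy --pol ipsec --dir out --proto esp -d "$VPN_NET" -j ACCEPT
    # leave traffic that stays inside IPsec un-NATed; masquerade the rest
    rule nat POSTROUTING -s "$VPN_NET" -o "$PUB_IF" -m policy --pol ipsec --dir out -j ACCEPT
    rule nat POSTROUTING -s "$VPN_NET" -o "$PUB_IF" -j MASQUERADE
    # clamp the MSS so tunnelled TCP does not fragment
    rule mangle FORWARD -m policy --pol ipsec --dir in -s "$VPN_NET" -o "$PUB_IF" \
        -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \
        -j TCPMSS --set-mss 1360
}

# Switch INPUT and FORWARD to DROP.  Run only after vpn_firewall, and only
# after a fresh SSH login has confirmed the SSH_PORT rule is in place.
set_default_drop() {
    for chain in INPUT FORWARD; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$IPT -P $chain DROP"
        else
            "$IPT" -P "$chain" DROP
        fi
    done
}

case "${1:-}" in
    rules)    vpn_firewall ;;
    lockdown) set_default_drop ;;
    save)     netfilter-persistent save ;;
esac
```

Typical order on the server: DRY_RUN=1 ./vpn-fw.sh rules to review, ./vpn-fw.sh rules, open a second SSH session to confirm access, ./vpn-fw.sh lockdown, then ./vpn-fw.sh save.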

8. Enabling IP forwarding in the kernel

Edit /etc/sysctl.conf and change the following entries:

# 1. First, we'll enable IPv4 packet forwarding.
# 2. We'll disable Path MTU discovery to prevent packet fragmentation problems.
# 3. We also won't accept ICMP redirects nor send ICMP redirects, to prevent man-in-the-middle attacks.
root@us-gemfield-org:~# cat /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
. . .
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
. . .
net.ipv4.ip_no_pmtu_disc = 1

9. Reboot Ubuntu

A reboot is the simplest way to apply everything; alternatively, sysctl -p applies the sysctl changes immediately, netfilter-persistent reload restores the saved rules, and systemctl restart strongswan restarts the daemon.

10. Configuring the iOS VPN client

  • Under Settings, General, VPN, tap Add VPN Configuration
  • Tap Type and choose IKEv2
  • Description: anything you like
  • Server and Remote ID: enter the domain name, in this article us.gemfield.org
  • Leave Local ID empty
  • For User Authentication choose Username, and enter the username and password configured above

Remote ID must match leftid exactly: iOS validates the server certificate against it, so a mismatch fails the connection even though the DNS name in Server is correct.

Celebrate

The IPsec connection log is in /var/log/auth.log, as shown below:

root@us-gemfield-org:~# tail -f /var/log/auth.log
Oct 1 01:17:12 iZrj9iu3l09ajt2mi6n7pbZ charon: 06[IKE] 111.xxx.xxx.xxx is initiating an IKE_SA
Oct 1 01:17:12 iZrj9iu3l09ajt2mi6n7pbZ charon: 15[IKE] 111.xxx.xxx.xxx is initiating an IKE_SA
Oct 1 01:17:13 iZrj9iu3l09ajt2mi6n7pbZ charon: 02[IKE] IKE_SA ikev2-vpn[3] established between 47.88.23.197[us.gemfield.org]...111.xxx.xxx.xxx[192.168.0.108]
Oct 1 01:17:13 iZrj9iu3l09ajt2mi6n7pbZ charon: 02[IKE] CHILD_SA ikev2-vpn{1} established with SPIs xxxxxxxxxx and TS 0.0.0.0/0 === 10.10.10.1/32

When you flick the VPN switch on your iPhone, the log on us.gemfield.org, far outside the Constitution's territory, comes alive: a bugle call in defence of Article 40 of the Constitution.
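The same log is what you watch for misuse once the server is reachable from the whole internet: every established IKE_SA names the client's public address, and a rejected EAP-MSCHAPv2 login is recorded by charon as "EAP method EAP_MSCHAPV2 failed for peer <username>". The following is an added example, not from the article, that summarises such a log; the sample lines it writes are constructed from the message formats shown above, with documentation-range addresses, and are not a real capture.

```shell
#!/bin/sh
# Added example: summarise charon events from an auth.log.  The sample log is
# CONSTRUCTED from the message formats shown in the article (RFC 5737 IPs).
set -eu

write_sample_log() {
    cat > "$1" <<'EOF'
Oct  1 01:17:12 vpn charon: 06[IKE] 198.51.100.23 is initiating an IKE_SA
Oct  1 01:17:12 vpn charon: 15[IKE] 198.51.100.23 is initiating an IKE_SA
Oct  1 01:17:13 vpn charon: 02[IKE] IKE_SA ikev2-vpn[3] established between 47.88.23.197[us.gemfield.org]...198.51.100.23[192.168.0.108]
Oct  1 01:17:13 vpn charon: 02[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c1a2b3d4_i e5f6a7b8_o and TS 0.0.0.0/0 === 10.10.10.1/32
Oct  1 01:20:40 vpn charon: 09[IKE] 203.0.113.9 is initiating an IKE_SA
Oct  1 01:20:41 vpn charon: 09[IKE] EAP method EAP_MSCHAPV2 failed for peer bob
Oct  1 01:20:44 vpn charon: 11[IKE] 203.0.113.9 is initiating an IKE_SA
Oct  1 01:20:45 vpn charon: 11[IKE] EAP method EAP_MSCHAPV2 failed for peer bob
Oct  1 01:21:02 vpn charon: 12[IKE] 203.0.113.9 is initiating an IKE_SA
Oct  1 01:21:03 vpn charon: 12[IKE] EAP method EAP_MSCHAPV2 failed for peer bob
Oct  1 01:30:00 vpn charon: 05[IKE] 192.0.2.77 is initiating an IKE_SA
Oct  1 01:30:01 vpn charon: 05[IKE] IKE_SA ikev2-vpn[4] established between 47.88.23.197[us.gemfield.org]...192.0.2.77[10.0.0.5]
Oct  1 01:30:01 vpn charon: 05[IKE] CHILD_SA ikev2-vpn{2} established with SPIs 01020304_i 05060708_o and TS 0.0.0.0/0 === 10.10.10.2/32
EOF
}

# Number of IKE_SAs that reached "established" in log $1.
count_established() {
    grep -c 'IKE_SA .* established between' "$1" || true
}

# Public address of every peer whose IKE_SA was established, one per line.
established_clients() {
    sed -n 's/.*IKE_SA .* established between .*\.\.\.\([0-9.]*\)\[.*/\1/p' "$1"
}

# Peers with at least $2 failed EAP-MSCHAPv2 logins in log $1: "<peer> <count>".
eap_failures_over() {
    awk -v t="$2" '
        /EAP method EAP_MSCHAPV2 failed for peer/ { n[$NF]++ }
        END { for (p in n) if (n[p] >= t) print p, n[p] }
    ' "$1"
}

# Addresses that initiated IKE_SAs but never completed one: scanners, broken
# clients, or password guessing from a single source.
initiators_without_sa() {
    awk '
        / is initiating an IKE_SA/ { seen[$(NF-4)] = 1 }
        / established between / && match($0, /\.\.\.[0-9.]+\[/) {
            ok[substr($0, RSTART + 3, RLENGTH - 4)] = 1
        }
        END { for (ip in seen) if (!(ip in ok)) print ip }
    ' "$1"
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp); write_sample_log "$tmp"; set -- "$tmp"
fi
if [ -n "${1:-}" ]; then
    echo "established IKE_SAs: $(count_established "$1")"
    echo "established clients:"; established_clients "$1"
    echo "peers with >=3 EAP failures:"; eap_failures_over "$1" 3
    echo "initiators that never established:"; initiators_without_sa "$1"
fi
```

Run it as ./vpnlog.sh /var/log/auth.log on the server, or ./vpnlog.sh demo to see it on the constructed sample; on the sample it reports two established clients, bob with three failures and 203.0.113.9 as the address that never completed an IKE_SA. A peer crossing the failure threshold is a reason to rotate that password, and a source that only ever initiates is a candidate for a firewall drop.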
