Setup Strongswan IKEv2 VPN server on Debian 10 with Let's Encrypt
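#!/bin/bash
# Set up a strongSwan IKEv2 VPN server on Debian 10, authenticating clients with
# EAP-MSCHAPv2 (user name + password) and identifying the server with a Let's
# Encrypt certificate.
#
# Must be run as root on a host that is reachable on TCP/80 (certbot standalone
# challenge) and on UDP/500 + UDP/4500 (IKE / NAT-T).
#
# Prompts for: VPN host name, client address pool, VPN user name, VPN password.
# Writes: /etc/ipsec.secrets, /etc/ipsec.conf, /etc/sysctl.d/ipsec.conf,
#         /etc/iptables/rules.v4; then restarts ipsec.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ "$(id -u)" -eq 0 ]] || die "this script must be run as root"

apt update && apt upgrade -y
apt install strongswan strongswan-pki libcharon-extra-plugins net-tools wget certbot -y
DEBIAN_FRONTEND=noninteractive apt-get -y install iptables-persistent

# Interactive settings. -e -i pre-fills the default, so pressing Enter keeps it
# (the original re-assigned from an unset $input afterwards, which was a no-op).
HOST_NAME="vpn.example.com"
read -e -i "$HOST_NAME" -p "VPN host name: " HOST_NAME
LOCAL_SUBNET="172.19.240.0/20"
read -e -i "$LOCAL_SUBNET" -p "NAT subnet info for clients of this VPN: " LOCAL_SUBNET
VPN_USER="VPN"
read -e -i "$VPN_USER" -p "VPN user name: " VPN_USER
VPN_PASS="PASSWORD"
# TODO(review): the password is echoed while typed and a default is offered;
# consider 'read -s' and refusing the placeholder value.
read -e -i "$VPN_PASS" -p "VPN password: " VPN_PASS

[[ -n "$HOST_NAME" && -n "$LOCAL_SUBNET" && -n "$VPN_USER" && -n "$VPN_PASS" ]] \
  || die "host name, client subnet, user name and password must all be non-empty"

# Public-facing source address and interface, both read from the route to 1.1.1.1
# (replaces the net-tools 'route' parse; ip(8) is already used for the address).
DEFAULT_IP="$(ip -o route get to 1.1.1.1 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')"
DEFAULT_IFACE="$(ip -o route get to 1.1.1.1 | sed -n 's/.*dev \([^ ]\+\).*/\1/p')"
[[ -n "$DEFAULT_IP" && -n "$DEFAULT_IFACE" ]] \
  || die "could not determine the default route's interface and source address"

# Let's Encrypt R3 intermediate as an additional trusted CA (chain.pem, linked
# below, carries the same intermediate; this keeps the original behaviour).
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem -O /etc/ipsec.d/cacerts/lets-encrypt-r3.pem
# Standalone HTTP-01 challenge: certbot binds TCP/80 itself.
# --register-unsafely-without-email means no expiry notices will be sent.
certbot certonly --standalone -d "$HOST_NAME" --rsa-key-size 2048 --staple-ocsp --agree-tos --register-unsafely-without-email

# Hard-link (-L follows the live/ symlinks) the current cert, chain and key into
# strongSwan's directories. The original 'chmod 755 -R /etc/letsencrypt' is
# deliberately dropped: it made the private key world-readable. charon reads the
# key as root on a default Debian install, so certbot's defaults (0700 dirs,
# 0600 privkey) are sufficient.
# NOTE(review): hard links track the archive files as they are now; after a
# certbot renewal these three links must be refreshed (e.g. from a certbot
# --deploy-hook) or strongSwan keeps serving the expired certificate.
ln -L -f "/etc/letsencrypt/live/${HOST_NAME}/cert.pem" /etc/ipsec.d/certs
ln -L -f "/etc/letsencrypt/live/${HOST_NAME}/chain.pem" /etc/ipsec.d/cacerts
ln -L -f "/etc/letsencrypt/live/${HOST_NAME}/privkey.pem" /etc/ipsec.d/private

# ipsec.secrets holds the EAP password in clear text: make it 0600 before the
# content is written so it is never readable by other users.
touch /etc/ipsec.secrets
chmod 600 /etc/ipsec.secrets
cat > /etc/ipsec.secrets <<EOF
${HOST_NAME} : RSA privkey.pem
${VPN_USER} %any : EAP "${VPN_PASS}"
EOF

# Section parameters in ipsec.conf must be indented; the indentation is written
# explicitly here instead of relying on tab-stripping (<<-).
#   uniqueids=never      - a user may have several concurrent connections
#   strictcrlpolicy=no   - no CRL required for the (client-less) cert check
#   leftsubnet=0.0.0.0/0 - full-tunnel: all client traffic goes through the VPN
#   rightauth=eap-mschapv2 / rightsendcert=never - clients authenticate with
#                          user name + password only, no client certificates
#   forceencaps=yes      - always UDP-encapsulate ESP (NAT-T), helps behind NAT
cat > /etc/ipsec.conf <<EOF
config setup
    uniqueids=never
    strictcrlpolicy=no

conn vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@${HOST_NAME}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=1.1.1.1,8.8.8.8
    rightsourceip=${LOCAL_SUBNET}
    rightsendcert=never
    eap_identity=%identity
EOF

# Forwarding on for the client pool; ICMP redirects off so the gateway does not
# leak/accept route changes; rp_filter on against spoofed source addresses.
cat > /etc/sysctl.d/ipsec.conf <<EOF
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_no_pmtu_disc=1
net.ipv4.conf.all.rp_filter=1
EOF
sysctl -p /etc/sysctl.d/ipsec.conf

# Forward traffic from the client pool and return traffic; accept ESP on the
# public interface; SNAT the pool to the public address.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "$LOCAL_SUBNET" -j ACCEPT
iptables -A INPUT -i "$DEFAULT_IFACE" -p esp -j ACCEPT
# IKE (UDP/500) and NAT-T (UDP/4500) must be reachable. Left commented as in the
# original, which relies on the INPUT chain not otherwise dropping traffic;
# uncomment these if INPUT has a DROP policy.
#iptables -A INPUT -i "$DEFAULT_IFACE" -p udp --dport 500 -j ACCEPT
#iptables -A INPUT -i "$DEFAULT_IFACE" -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s "$LOCAL_SUBNET" -o "$DEFAULT_IFACE" -j SNAT --to-source "$DEFAULT_IP"
iptables-save > /etc/iptables/rules.v4

ipsec restart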
Windows 客户端添加 VPN
# Create the IKEv2 connection on the Windows client. EAP matches the server's
# rightauth=eap-mschapv2 (user name + password); -SplitTunnel:$False sends all
# traffic through the VPN; -RememberCredential:$True caches the credential on
# the client, so only use it on a machine you control.
Add-VpnConnection -Name "My VPN" -ServerAddress vpn.example.com -TunnelType IKEv2 -AuthenticationMethod EAP -EncryptionLevel Maximum -RememberCredential:$True -SplitTunnel:$False -PassThru
# Pin the IPsec proposal to AES-256 / SHA-256 with 2048-bit DH (Group14) and
# PFS (Pfs2048) instead of the weaker Windows defaults; -Force skips the prompt.
Set-VpnConnectionIPsecConfiguration -ConnectionName "My VPN" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup Pfs2048 -PassThru -Force
Win 10 VPN连接上了IP未变的解决办法
- 打开虚拟专用网络;
- 右键VPN拨号,选择”属性”;
- 在”网络”标签下,选择”Internet 协议(TCP/IP)”,单击”属性”;
- 单击”高级”按钮;
- 勾选“在远程网络上使用默认网关”,即可;
一、服务器:
ipsec stop
ipsec start --nofork --debug-more
二、Linux客户端(debian stretch):
sudo apt update && sudo apt upgrade -y
sudo apt install strongswan libcharon-extra-plugins
sudo nano /etc/ipsec.secrets
和服务器上的用户密码保持一致,格式:
{USER_NAME} : %any : EAP "{PASSWORD}"
将之前在安装服务器时生成的证书ca.cert.pem上传到客户端的
/etc/ipsec.d/cacerts/ca.cert.pem
sudo nano /etc/ipsec.conf
加入下面几行:
把 ${USER_NAME} 替换为之前安装服务器时设置的用户名，${SERVER} 是服务器的域名或 IP。
5. 重启 ipsec
sudo ipsec restart
ipsec up vpn
三、Windows客户端
https://jingyan.baidu.com/album/fea4511ac122abf7bb91252d.html
如显示策略不匹配错误,则修改
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256
,类型DWORD
,设置为1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule
,类型DWORD,设置为 2