Skip to content

Instantly share code, notes, and snippets.

@ihciah

ihciah/README.MD

Last active December 6, 2023 01:42
Show Gist options
  • Star 14 You must be signed in to star a gist
  • Fork 6 You must be signed in to fork a gist
  • Save ihciah/883068c5d1beb499a016 to your computer and use it in GitHub Desktop.
Save ihciah/883068c5d1beb499a016 to your computer and use it in GitHub Desktop.
Download ZIP
科学搭建国内VPN转发服务器(国内VPN中转)
Raw
README.MD

科学搭建国内VPN转发服务器

简介

  • 简单拓扑结构:国内-(ocserv)-国内中转服务器-(shadowvpn)-国外服务器
  • 实验环境:用户终端为iPhone,中转服务器及国外服务器均为Ubuntu 14.04

搭建过程

  • 搭建Ocserv

    • 打开ftp://ftp.infradead.org/pub/ocserv/找到最新版本并下载、解压
    • 安装依赖:
    sudo apt-get install build-essential pkg-config libgnutls28-dev libreadline-dev libseccomp-dev libwrap0-dev libnl-nf-3-dev liblz4-dev
    • 配置、编译并安装Ocserv
    cd ocserv-0.10.9
./configure
make
sudo make install

    • 配置Ocserv

      • 准备证书
      apt-get install gnutls-bin
cd ~
mkdir certificates
cd certificates

      vi ca.tmpl并写入:

      cn = "YOUR CN NAME"
organization = "YOUR ORG NAME"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

      生成CA密钥:

      certtool --generate-privkey --outfile ca-key.pem

      生成CA证书:

      certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

      生成服务器证书:

      vi server.tmpl

      并写入:

      cn = "YOUR CN NAME"
organization = "YOUR ORG NAME"
expiration_days = 3650
signing_key
encryption_key
tls_www_server

      生成Server密钥:

      certtool --generate-privkey --outfile server-key.pem

      生成Server证书:

      certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

      将生成的证书移动到合适的地方:

      sudo cp ca-cert.pem /etc/ssl/private/my-ca-cert.pem
sudo cp server-cert.pem /etc/ssl/private/my-server-cert.pem
sudo cp server-key.pem /etc/ssl/private/my-server-key.pem
      • 准备配置文件
      sudo mkdir /etc/ocserv
cd ~/ocserv-0.10.9
sudo cp doc/sample.config /etc/ocserv/ocserv.conf

      /etc/ocserv/ocserv.conf并修改以下字段:

      auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 9000
udp-port = 9001
try-mtu-discovery = true
cert-user-oid = 2.5.4.3
server-cert = /etc/ssl/private/my-server-cert.pem
server-key = /etc/ssl/private/my-server-key.pem
dns = 8.8.8.8
dns = 8.8.4.4
cisco-client-compat = true
注释掉所有route

    • 配置转发 sudo vi /etc/ufw/sysctl.conf并确保net/ipv4/ip_forward=1 sudo vi /etc/default/ufw并确保DEFAULT_FORWARD_POLICY="ACCEPT" sudo sysctl -p来使sysctl设置生效

    • 测试

      sudo ocpasswd -c /etc/ocserv/ocpasswd YOUR_USERNAME

      键入两次输入你要设置的密码

      sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE配置NAT

      此时使用你的ip、端口、用户名、密码应该已经可以使用户端设备连接国内网络

    • 配置自动启动和证书登录

      cd /etc/init.d
ln -s /lib/init/upstart-job ocserv

cd /etc/init
vi  ocserv.conf

      并写入:

      #!upstart
description "OpenConnect Server"

start on runlevel [2345]
stop on runlevel [06]

respawn
respawn limit 20 5

script
    exec start-stop-daemon --start --pidfile /var/run/ocserv.pid --exec /usr/local/sbin/ocserv -- -f >> /dev/null 2>&1
end script

      这样,我们就可以使用service ocserv startservice ocserv stop来控制服务了 创建客户端证书:

      cd ~/certificates/
vi user.tmpl

      并写入:

      cn = "YOUR CN NAME"
unit = "YOUR UNIT NAME"
expiration_days = 365
signing_key
tls_www_client

      certtool --generate-privkey --outfile user-key.pem
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder

      并输入证书名和密码,密码可以为空 vi /etc/ocserv/ocserv.conf并修改:

      #注释原来的auth方式
auth = "certificate"

#确保本行为注释状态
#listen-clear-file = /var/run/ocserv-conn.socket

#启用证书验证
ca-cert = /etc/ssl/private/my-ca-cert.pem

      重启Ocserv并导入证书,应该已经可以正确访问国内站

  • 搭建shadowvpn

    apt-get update
apt-get install build-essential automake libtool git
git clone https://github.com/ihciah/ShadowVPN.git
cd ShadowVPN
git submodule update --init
./autogen.sh
./configure --enable-static --sysconfdir=/etc
make && make install

    服务端修改etc/shadowvpn/server.confshadowvpn -c /etc/shadowvpn/server.conf -s start来启动服务

    客户端修改etc/shadowvpn/client.confshadowvpn -c /etc/shadowvpn/client.conf -s start来启动服务

    注意客户端一定要注释掉etc/shadowvpn/client.conf中配置路由的语句

  • 配置转发

    echo "200 ihc" >> /etc/iproute2/rt_tables
ip route add default dev tun0 table ihc
iptables -A PREROUTING -t mangle -s 192.168.0.0/16 -j MARK --set-mark 3  
ip rule add fwmark 3 table ihc  
ip rule add from 192.168.0.0/16 table ihc
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 10.7.0.2

    vi ~/forward.sh并编辑:

    #!/bin/bash
shadowvpn -c /etc/shadowvpn/client.conf -s start
ip route add default dev tun0 table ihc
iptables -A PREROUTING -t mangle -s 192.168.0.0/16 -j MARK --set-mark 3
sleep 1
ip rule add fwmark 3 table ihc
sleep 1
ip rule add from 192.168.0.0/16 table ihc
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 10.7.0.2
sleep 1
ip route flush cache
service ocserv start

    其中tun0是你配置的shadowvpn的设备名,默认即tun0,ip_addr为10.7.0.2

    192.168.0.0/16为Ocserv网段,默认即此网段

    开机自动启动本脚本即可

    此时应该可以将所有流量导入国外主机

    如果你想添加智能分流,你可以直接添加路由至条件路由表

  • 本文参考:

    使用ocserv搭建 Cisco Anyconnect 服务器

    VPN traffic redirect to another VPN tunnel

@xiaolanchuan
Copy link

您好 可以发下shadowvpn客户端和服务端的完整命令配置吗

@xiaolanchuan
Copy link

国内服务器是启动shadowvpn客户端吗?

@tavimori
Copy link

您好,碰巧我的方案和你一样。现在浙江电信anyconnect干扰的超严重,想问一下有没有解决办法。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment