
@ihciah /README.MD
Last active May 3, 2017

Setting up a domestic VPN relay server (VPN transit inside China)

Setting up a domestic VPN relay server

Overview

  • Topology: domestic client -(ocserv)- domestic relay server -(ShadowVPN)- overseas server
  • Test environment: the client is an iPhone; both the relay server and the overseas server run Ubuntu 14.04

Setup

  • Building ocserv

    • Open ftp://ftp.infradead.org/pub/ocserv/, find the latest release, download and extract it
    • Install the dependencies:
    sudo apt-get install build-essential pkg-config libgnutls28-dev libreadline-dev libseccomp-dev libwrap0-dev libnl-nf-3-dev liblz4-dev
    
    • Configure, build and install ocserv
    cd ocserv-0.10.9
    ./configure
    make
    sudo make install
    
    • Configure ocserv

      • Prepare the certificates
      apt-get install gnutls-bin
      cd ~
      mkdir certificates
      cd certificates
      

      Create ca.tmpl (vi ca.tmpl) with the content:

      cn = "YOUR CN NAME"
      organization = "YOUR ORG NAME"
      serial = 1
      expiration_days = 3650
      ca
      signing_key
      cert_signing_key
      crl_signing_key
      

      Generate the CA key:

      certtool --generate-privkey --outfile ca-key.pem
      

      Generate the CA certificate:

      certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
      

      Generate the server certificate. First create the template:

      vi server.tmpl
      

      with the content:

      cn = "YOUR CN NAME"
      organization = "YOUR ORG NAME"
      expiration_days = 3650
      signing_key
      encryption_key
      tls_www_server
      

      Generate the server key:

      certtool --generate-privkey --outfile server-key.pem
      

      Generate the server certificate:

      certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
      

      Move the generated certificates to a suitable location:

      sudo cp ca-cert.pem /etc/ssl/private/my-ca-cert.pem
      sudo cp server-cert.pem /etc/ssl/private/my-server-cert.pem
      sudo cp server-key.pem /etc/ssl/private/my-server-key.pem
      
      • Prepare the configuration file
      sudo mkdir /etc/ocserv
      cd ~/ocserv-0.10.9
      sudo cp doc/sample.config /etc/ocserv/ocserv.conf
      

      Edit /etc/ocserv/ocserv.conf (vi /etc/ocserv/ocserv.conf) and change the following fields:

      auth = "plain[/etc/ocserv/ocpasswd]"
      tcp-port = 9000
      udp-port = 9001
      try-mtu-discovery = true
      cert-user-oid = 2.5.4.3
      server-cert = /etc/ssl/private/my-server-cert.pem
      server-key = /etc/ssl/private/my-server-key.pem
      dns = 8.8.8.8
      dns = 8.8.4.4
      cisco-client-compat = true
      (and comment out every route line)
      
    • Configure forwarding

      • sudo vi /etc/ufw/sysctl.conf and make sure it contains net/ipv4/ip_forward=1
      • sudo vi /etc/default/ufw and make sure it contains DEFAULT_FORWARD_POLICY="ACCEPT"
      • sudo sysctl -p to apply the sysctl settings (note that sysctl -p without a path reads /etc/sysctl.conf; the /etc/ufw/sysctl.conf copy is applied whenever ufw starts)

    • Test

      sudo ocpasswd -c /etc/ocserv/ocpasswd YOUR_USERNAME
      

      Type the password you want to set, twice.

      Set up NAT:

      sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

      At this point a client device should already be able to connect to the domestic network using your IP, port, username and password.

    • Configure autostart and certificate login

      cd /etc/init.d
      ln -s /lib/init/upstart-job ocserv
      
      cd /etc/init
      vi ocserv.conf
      

      with the content:

      #!upstart
      description "OpenConnect Server"
      
      start on runlevel [2345]
      stop on runlevel [06]
      
      respawn
      respawn limit 20 5
      
      script
          exec start-stop-daemon --start --pidfile /var/run/ocserv.pid --exec /usr/local/sbin/ocserv -- -f >> /dev/null 2>&1
      end script
      

      The service can now be controlled with service ocserv start and service ocserv stop. Next, create the client certificate:

      cd ~/certificates/
      vi user.tmpl
      

      with the content:

      cn = "YOUR CN NAME"
      unit = "YOUR UNIT NAME"
      expiration_days = 365
      signing_key
      tls_www_client
      
      certtool --generate-privkey --outfile user-key.pem
      certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
      certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder
      

      Enter the certificate name and a password when prompted (the password may be empty). Because cert-user-oid is 2.5.4.3, the CN of the client certificate is used as the ocserv username. Then edit /etc/ocserv/ocserv.conf (vi /etc/ocserv/ocserv.conf) and change:

      #comment out the original auth line
      auth = "certificate"
      
      #make sure this line stays commented out
      #listen-clear-file = /var/run/ocserv-conn.socket
      
      #enable certificate verification
      ca-cert = /etc/ssl/private/my-ca-cert.pem
      

      Restart ocserv and import the certificate on the client; domestic sites should now be reachable.

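As an added post-deployment check (example script written for this page, not part of the gist): after the certificate-login step, the following sh script verifies that ocserv.conf carries the settings the guide requires (auth = "certificate", ca-cert set, listen-clear-file commented out, cert-user-oid = 2.5.4.3), that the certificate and key files it references exist, that the server key is not readable by other users, and that the two ufw forwarding settings are present. It assumes the paths used above; every function takes the file to inspect as an argument, so it can also be run against copies.

```shell
#!/bin/sh
# Post-deployment check for the ocserv relay (added example, not part of the gist).
# Assumes the paths and settings used in the guide; each function takes the
# file to inspect as an argument so it can also be run against copies.

# Print the value of the first active (uncommented) "key = value" line.
conf_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Succeed when the key is absent or commented out (required for listen-clear-file).
conf_inactive() {
  ! grep -q "^[[:space:]]*$1[[:space:]]*=" "$2"
}

# A private key should be readable by its owner only (-rw-------).
key_mode_ok() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Check ocserv.conf for the certificate-login configuration; prints each problem.
check_ocserv_conf() {
  f="$1"; rc=0
  case "$(conf_get auth "$f")" in
    '"certificate"'|certificate) ;;
    *) echo "auth is not \"certificate\": password login is still active"; rc=1 ;;
  esac
  conf_inactive listen-clear-file "$f" ||
    { echo "listen-clear-file must stay commented out"; rc=1; }
  [ "$(conf_get cert-user-oid "$f")" = "2.5.4.3" ] ||
    { echo "cert-user-oid should be 2.5.4.3 (client CN is used as the username)"; rc=1; }
  for k in ca-cert server-cert server-key; do
    p="$(conf_get "$k" "$f")"
    if [ -z "$p" ]; then echo "$k is not set"; rc=1
    elif [ ! -f "$p" ]; then echo "$k file not found: $p"; rc=1
    fi
  done
  sk="$(conf_get server-key "$f")"
  if [ -f "$sk" ] && ! key_mode_ok "$sk"; then
    echo "server-key $sk should be mode 0600 (chmod 600)"; rc=1
  fi
  return $rc
}

# Check the two ufw files the guide edits for forwarding: sysctl file, then defaults file.
check_forwarding() {
  rc=0
  grep -q '^net/ipv4/ip_forward=1' "$1" 2>/dev/null ||
    { echo "$1: net/ipv4/ip_forward=1 missing"; rc=1; }
  grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$2" 2>/dev/null ||
    { echo "$2: DEFAULT_FORWARD_POLICY=\"ACCEPT\" missing"; rc=1; }
  return $rc
}

# Run both checks against the live files when invoked as: sh check-ocserv.sh live
if [ "${1:-}" = "live" ]; then
  check_ocserv_conf /etc/ocserv/ocserv.conf
  check_forwarding /etc/ufw/sysctl.conf /etc/default/ufw
fi
```

Run it as root with the argument live after every change to ocserv.conf; a non-zero exit means at least one line above was printed. The key-mode check matters because sudo cp keeps whatever mode certtool and your umask produced, and /etc/ssl/private is only as private as the files inside it.
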
  • Building ShadowVPN

    apt-get update
    apt-get install build-essential automake libtool git
    git clone https://github.com/ihciah/ShadowVPN.git
    cd ShadowVPN
    git submodule update --init
    ./autogen.sh
    ./configure --enable-static --sysconfdir=/etc
    make && make install
    

    On the server (overseas host), edit /etc/shadowvpn/server.conf and start the service with shadowvpn -c /etc/shadowvpn/server.conf -s start

    On the client (the domestic relay), edit /etc/shadowvpn/client.conf and start the service with shadowvpn -c /etc/shadowvpn/client.conf -s start

    Note: on the client, be sure to comment out the route-configuring statements in /etc/shadowvpn/client.conf

  • Configure forwarding

    echo "200 ihc" >> /etc/iproute2/rt_tables
    ip route add default dev tun0 table ihc
    iptables -A PREROUTING -t mangle -s 192.168.0.0/16 -j MARK --set-mark 3
    ip rule add fwmark 3 table ihc
    ip rule add from 192.168.0.0/16 table ihc
    iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 10.7.0.2
    

    Create ~/forward.sh (vi ~/forward.sh) with the content:

    #!/bin/bash
    shadowvpn -c /etc/shadowvpn/client.conf -s start
    ip route add default dev tun0 table ihc
    iptables -A PREROUTING -t mangle -s 192.168.0.0/16 -j MARK --set-mark 3
    sleep 1
    ip rule add fwmark 3 table ihc
    sleep 1
    ip rule add from 192.168.0.0/16 table ihc
    iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 10.7.0.2
    sleep 1
    ip route flush cache
    service ocserv start
    

    Here tun0 is the device name of your ShadowVPN interface (tun0 by default) and 10.7.0.2 is its tunnel address (ip_addr)

    192.168.0.0/16 is the ocserv subnet, which is the default

    Run this script automatically at boot

    All traffic should now be routed to the overseas host

    If you want selective routing (split tunnelling), add the relevant routes directly to the policy routing table

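forward.sh above adds its rules unconditionally, so running it a second time (for example after restarting ShadowVPN) stacks duplicate iptables rules and ip rules. The following is an added, idempotent variant (example code written for this page, not the gist's script): it probes for each rule before adding it, uses ip route replace for the table route, waits for the tun device instead of fixed sleeps, and narrows the SNAT rule to the tunnel interface so ocserv client packets leaving through eth0 keep the MASQUERADE rule from the test step rather than being rewritten to 10.7.0.2. It also sets net.ipv4.ip_forward explicitly. The values tun0, 10.7.0.2, 192.168.0.0/16, mark 3 and table ihc (id 200) are the guide's and can be overridden through the environment; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Idempotent variant of forward.sh (added example, not the gist's script).
# Defaults are the guide's values; override via the environment. With
# DRY_RUN=1 the commands are printed instead of executed.
TUN_DEV="${TUN_DEV:-tun0}"
VPN_IP="${VPN_IP:-10.7.0.2}"
OC_NET="${OC_NET:-192.168.0.0/16}"
FWMARK="${FWMARK:-3}"
RT_TABLE="${RT_TABLE:-ihc}"
RT_TABLE_ID="${RT_TABLE_ID:-200}"
RT_TABLES_FILE="${RT_TABLES_FILE:-/etc/iproute2/rt_tables}"
SHADOWVPN_CONF="${SHADOWVPN_CONF:-/etc/shadowvpn/client.conf}"
DRY_RUN="${DRY_RUN:-}"

# run: execute a command, or print it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# present: succeed if the probe command finds the rule; in dry-run assume absent.
present() { [ -z "$DRY_RUN" ] && "$@" >/dev/null 2>&1; }

# Register the routing table name once; grep -w avoids matching e.g. "ihc2".
append_rt_table() { printf '%s %s\n' "$RT_TABLE_ID" "$RT_TABLE" >> "$RT_TABLES_FILE"; }
ensure_rt_table() {
  grep -qw "$RT_TABLE" "$RT_TABLES_FILE" 2>/dev/null || run append_rt_table
}

# Wait until ShadowVPN has created the tun device (replaces the fixed sleeps).
wait_for_dev() {
  [ -n "$DRY_RUN" ] && return 0
  i=0
  while ! ip link show "$TUN_DEV" >/dev/null 2>&1; do
    i=$((i + 1)); [ "$i" -ge 15 ] && { echo "$TUN_DEV did not appear" >&2; return 1; }
    sleep 1
  done
}

# Mark ocserv client packets; iptables -C checks for an identical existing rule.
ensure_mark_rule() {
  present iptables -t mangle -C PREROUTING -s "$OC_NET" -j MARK --set-mark "$FWMARK" ||
    run iptables -t mangle -A PREROUTING -s "$OC_NET" -j MARK --set-mark "$FWMARK"
}

# Policy rules: ip rule add happily duplicates, so look at ip rule show first
# (it prints the mark in hex, e.g. "fwmark 0x3 lookup ihc").
ensure_ip_rules() {
  hexmark="$(printf '0x%x' "$FWMARK")"
  present sh -c "ip rule show | grep -q 'fwmark $hexmark lookup $RT_TABLE'" ||
    run ip rule add fwmark "$FWMARK" table "$RT_TABLE"
  present sh -c "ip rule show | grep -q 'from $OC_NET lookup $RT_TABLE'" ||
    run ip rule add from "$OC_NET" table "$RT_TABLE"
}

# SNAT only what leaves through the tunnel; traffic leaving via eth0 keeps
# the MASQUERADE rule from the test step instead of being rewritten to VPN_IP.
ensure_snat() {
  present iptables -t nat -C POSTROUTING -s "$OC_NET" -o "$TUN_DEV" -j SNAT --to-source "$VPN_IP" ||
    run iptables -t nat -A POSTROUTING -s "$OC_NET" -o "$TUN_DEV" -j SNAT --to-source "$VPN_IP"
}

apply_all() {
  run sysctl -w net.ipv4.ip_forward=1
  run shadowvpn -c "$SHADOWVPN_CONF" -s start
  wait_for_dev || return 1
  ensure_rt_table
  run ip route replace default dev "$TUN_DEV" table "$RT_TABLE"
  ensure_mark_rule
  ensure_ip_rules
  ensure_snat
  run ip route flush cache
  run service ocserv start
}

# Invoke as: sh forward-idempotent.sh apply   (DRY_RUN=1 to preview)
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Because every step is safe to repeat, the script can be wired into boot and also re-run by hand after a ShadowVPN restart; compare DRY_RUN=1 output before and after to confirm that only the missing pieces would be added. The mark rule and the from 192.168.0.0/16 rule select the same packets, as in the original; both are kept so the behaviour matches the guide.
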
  • References:

    Building a Cisco AnyConnect server with ocserv

    VPN traffic redirect to another VPN tunnel

Hello, could you post the complete command configuration for the ShadowVPN client and server?

Is the domestic server the one that runs the ShadowVPN client?

Hello, coincidentally my setup is the same as yours. Zhejiang Telecom is interfering with AnyConnect extremely heavily right now; I wanted to ask whether there is any solution.
