Create a gist now

Instantly share code, notes, and snippets.

@ihciah /README.MD
Last active Apr 18, 2018

What would you like to do?
科学搭建国内VPN转发服务器(国内VPN中转)

科学搭建国内VPN转发服务器

简介

  • 简单拓扑结构:国内-(ocserv)-国内中转服务器-(shadowvpn)-国外服务器
  • 实验环境:用户终端为iPhone,中转服务器及国外服务器均为Ubuntu 14.04

搭建过程

  • 搭建Ocserv

    • 打开ftp://ftp.infradead.org/pub/ocserv/找到最新版本并下载、解压
    • 安装依赖:
    sudo apt-get install build-essential pkg-config libgnutls28-dev libreadline-dev libseccomp-dev libwrap0-dev libnl-nf-3-dev liblz4-dev
    
    • 配置、编译并安装Ocserv
    cd ocserv-0.10.9
    ./configure
    make
    sudo make install
    
    • 配置Ocserv

      • 准备证书
      apt-get install gnutls-bin
      cd ~
      mkdir certificates
      cd certificates
      

      vi ca.tmpl并写入:

      cn = "YOUR CN NAME"
      organization = "YOUR ORG NAME"
      serial = 1
      expiration_days = 3650
      ca
      signing_key
      cert_signing_key
      crl_signing_key
      

      生成CA密钥:

      certtool --generate-privkey --outfile ca-key.pem
      

      生成CA证书:

      certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
      

      生成服务器证书:

      vi server.tmpl
      

      并写入:

      cn = "YOUR CN NAME"
      organization = "YOUR ORG NAME"
      expiration_days = 3650
      signing_key
      encryption_key
      tls_www_server
      

      生成Server密钥:

      certtool --generate-privkey --outfile server-key.pem
      

      生成Server证书:

      certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
      

      将生成的证书移动到合适的地方:

      sudo cp ca-cert.pem /etc/ssl/private/my-ca-cert.pem
      sudo cp server-cert.pem /etc/ssl/private/my-server-cert.pem
      sudo cp server-key.pem /etc/ssl/private/my-server-key.pem
      
      • 准备配置文件
      sudo mkdir /etc/ocserv
      cd ~/ocserv-0.10.9
      sudo cp doc/sample.config /etc/ocserv/ocserv.conf
      

      /etc/ocserv/ocserv.conf并修改以下字段:

      auth = "plain[/etc/ocserv/ocpasswd]"
      tcp-port = 9000
      udp-port = 9001
      try-mtu-discovery = true
      cert-user-oid = 2.5.4.3
      server-cert = /etc/ssl/private/my-server-cert.pem
      server-key = /etc/ssl/private/my-server-key.pem
      dns = 8.8.8.8
      dns = 8.8.4.4
      cisco-client-compat = true
      注释掉所有route
      
    • 配置转发 sudo vi /etc/ufw/sysctl.conf并确保net/ipv4/ip_forward=1 sudo vi /etc/default/ufw并确保DEFAULT_FORWARD_POLICY="ACCEPT" sudo sysctl -p来使sysctl设置生效

    • 测试

      sudo ocpasswd -c /etc/ocserv/ocpasswd YOUR_USERNAME
      

      键入两次输入你要设置的密码

      sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE配置NAT

      此时使用你的ip、端口、用户名、密码应该已经可以使用户端设备连接国内网络

    • 配置自动启动和证书登录

      cd /etc/init.d
      ln -s /lib/init/upstart-job ocserv
      
      cd /etc/init
      vi  ocserv.conf
      

      并写入:

      #!upstart
      description "OpenConnect Server"
      
      start on runlevel [2345]
      stop on runlevel [06]
      
      respawn
      respawn limit 20 5
      
      script
          exec start-stop-daemon --start --pidfile /var/run/ocserv.pid --exec /usr/local/sbin/ocserv -- -f >> /dev/null 2>&1
      end script
      

      这样,我们就可以使用service ocserv startservice ocserv stop来控制服务了 创建客户端证书:

      cd ~/certificates/
      vi user.tmpl
      

      并写入:

      cn = "YOUR CN NAME"
      unit = "YOUR UNIT NAME"
      expiration_days = 365
      signing_key
      tls_www_client
      
      certtool --generate-privkey --outfile user-key.pem
      certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
      certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder
      

      并输入证书名和密码,密码可以为空 vi /etc/ocserv/ocserv.conf并修改:

      #注释原来的auth方式
      auth = "certificate"
      
      #确保本行为注释状态
      #listen-clear-file = /var/run/ocserv-conn.socket
      
      #启用证书验证
      ca-cert = /etc/ssl/private/my-ca-cert.pem
      

      重启Ocserv并导入证书,应该已经可以正确访问国内站

  • 搭建shadowvpn

    apt-get update
    apt-get install build-essential automake libtool git
    git clone https://github.com/ihciah/ShadowVPN.git
    cd ShadowVPN
    git submodule update --init
    ./autogen.sh
    ./configure --enable-static --sysconfdir=/etc
    make && make install
    

    服务端修改etc/shadowvpn/server.confshadowvpn -c /etc/shadowvpn/server.conf -s start来启动服务

    客户端修改etc/shadowvpn/client.confshadowvpn -c /etc/shadowvpn/client.conf -s start来启动服务

    注意客户端一定要注释掉etc/shadowvpn/client.conf中配置路由的语句

  • 配置转发

    echo "200 ihc" >> /etc/iproute2/rt_tables
    ip route add default dev tun0 table ihc
    iptables -A PREROUTING -t mangle -s 192.168.0.0/16 -j MARK --set-mark 3  
    ip rule add fwmark 3 table ihc  
    ip rule add from 192.168.0.0/16 table ihc
    iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 10.7.0.2
    

    vi ~/forward.sh并编辑:

    #!/bin/bash
    shadowvpn -c /etc/shadowvpn/client.conf -s start
    ip route add default dev tun0 table ihc
    iptables -A PREROUTING -t mangle -s 192.168.0.0/16 -j MARK --set-mark 3
    sleep 1
    ip rule add fwmark 3 table ihc
    sleep 1
    ip rule add from 192.168.0.0/16 table ihc
    iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 10.7.0.2
    sleep 1
    ip route flush cache
    service ocserv start
    

    其中tun0是你配置的shadowvpn的设备名,默认即tun0,ip_addr为10.7.0.2

    192.168.0.0/16为Ocserv网段,默认即此网段

    开机自动启动本脚本即可

    此时应该可以将所有流量导入国外主机

    如果你想添加智能分流,你可以直接添加路由至条件路由表

  • 本文参考:

    使用ocserv搭建 Cisco Anyconnect 服务器

    VPN traffic redirect to another VPN tunnel

@xiaolanchuan

This comment has been minimized.

Show comment Hide comment
@xiaolanchuan

xiaolanchuan Mar 7, 2016

您好 可以发下shadowvpn客户端和服务端的完整命令配置吗

您好 可以发下shadowvpn客户端和服务端的完整命令配置吗

@xiaolanchuan

This comment has been minimized.

Show comment Hide comment
@xiaolanchuan

xiaolanchuan Mar 7, 2016

国内服务器是启动shadowvpn客户端吗?

国内服务器是启动shadowvpn客户端吗?

@tavimori

This comment has been minimized.

Show comment Hide comment
@tavimori

tavimori Aug 22, 2016

您好,碰巧我的方案和你一样。现在浙江电信anyconnect干扰的超严重,想问一下有没有解决办法。

您好,碰巧我的方案和你一样。现在浙江电信anyconnect干扰的超严重,想问一下有没有解决办法。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment