
Improve Linux client instructions

[ci skip]
hwdsl2 2016-10-20 01:20:17 -05:00
parent 2e7913bd44
commit 5193d199ca
2 changed files with 281 additions and 32 deletions

View File

@ -150,40 +150,165 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可
## Windows Phone ## Windows Phone
Windows Phone 8.1 和更新版本的用户可以尝试<a href="http://forums.windowscentral.com/windows-phone-8-1-preview-developers/301521-tutorials-windows-phone-8-1-support-l2tp-ipsec-vpn-now.html" target="_blank">这个教程</a>。请注意,该平台的 IPsec/L2TP 支持可能有一些问题。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 Windows Phone 8.1 及以上版本用户可以尝试按照 <a href="http://forums.windowscentral.com/windows-phone-8-1-preview-developers/301521-tutorials-windows-phone-8-1-support-l2tp-ipsec-vpn-now.html" target="_blank">这个教程</a> 的步骤操作。最后你可以到 <a href="https://www.ipchicken.com" target="_blank">这里</a> 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
## Linux ## Linux
### Ubuntu & Debian ### Ubuntu & Debian
按照 <a href="http://www.jasonernst.com/2016/06/21/l2tp-ipsec-vpn-on-ubuntu-16-04/" target="_blank">这个教程</a> 的步骤操作。需要更正以下项: 注: 以下步骤是在 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c) 基础上修改。
这些命令必须在你的 VPN 客户端电脑上使用 `root` 账户运行。
1. 在文件 `xl2tpd.conf` 中,删除这一行 `# your vpn server goes here` 要配置 VPN 客户端,首先安装以下软件包:
1. 在文件 `options.l2tpd.client` 中,将 `require-mschap-v2` 换成 `require-chap`
1. 替换 `sudo echo "c XXX-YOUR-CONNECTION-NAME-XXX <user> <pass>" > /var/run/xl2tpd/l2tp-control` 为:
``` ```
echo "c XXX-YOUR-CONNECTION-NAME-XXX <user> <pass>" | sudo tee /var/run/xl2tpd/l2tp-control apt-get update
apt-get install strongswan xl2tpd
``` ```
1. 替换最后一个命令 `sudo route add -net default gw <vpn server local ip>` 创建 VPN 变量 (替换为你自己的值)
``` ```
sudo route add default dev ppp0 VPN_SERVER_IP='YOUR_VPN_SERVER_IP'
VPN_IPSEC_PSK='YOUR_IPSEC_PSK'
``` ```
如果遇到错误,请检查 `ifconfig` 的输出并将上面的 `ppp0` 换成 `ppp1`,等等。 配置 strongSwan
```
cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file
连接成功后,检查 VPN 是否正常工作: # basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp1024,3des-sha1-modp1024!
conn myvpn
keyexchange=ikev1
left=%defaultroute
auto=add
authby=secret
type=transport
leftprotoport=17/1701
rightprotoport=17/1701
right=$VPN_SERVER_IP
EOF
cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF
chmod 600 /etc/ipsec.secrets
```
配置 xl2tpd
```
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF
cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
EOF
```
至此 VPN 客户端配置已完成。按照下面的步骤进行连接。
创建 xl2tpd 控制文件:
```
mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control
```
重启服务:
```
service strongswan restart
service xl2tpd restart
```
开始 IPsec 连接:
```
ipsec up myvpn
```
开始 L2TP 连接 (替换为你自己的 VPN 用户名和密码):
```
echo "c myvpn <username> <password>" > /var/run/xl2tpd/l2tp-control
```
运行 `ifconfig` 并且检查输出。现在你应该看到一个新的网络接口 `ppp0`
检查你现有的默认路由:
```
ip route
```
在输出中查找以下行: `default via X.X.X.X ...`。记下这个网关 IP并且在下面的命令中使用。
从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值):
```
route add YOUR_VPN_SERVER_IP gw X.X.X.X
```
如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP以避免 SSH 会话被断开 (替换为你自己的值,可以在 https://www.ipchicken.com 获取):
```
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
```
添加一个新的默认路由,并且开始通过 VPN 服务器发送数据:
```
route add default dev ppp0
```
至此 VPN 连接已成功完成。检查 VPN 是否正常工作:
``` ```
wget -qO- http://whatismyip.akamai.com; echo wget -qO- http://whatismyip.akamai.com; echo
``` ```
以上命令应该返回 `你的 VPN 服务器 IP` 以上命令应该返回 `你的 VPN 服务器 IP`
要停止通过 VPN 服务器发送数据: 要停止通过 VPN 服务器发送数据:
``` ```
sudo route del default dev ppp0 route del default dev ppp0
```
要断开连接:
```
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn
``` ```
### CentOS & Fedora ### CentOS & Fedora
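Review bot: the `ipsec.secrets` write in this hunk (`cat > /etc/ipsec.secrets <<EOF` ... `chmod 600 /etc/ipsec.secrets`) creates the file under the caller's default umask and only tightens permissions afterwards, so the PSK sits in a mode 644 file until the `chmod` runs; suggest `umask 077` before the `cat`, or creating the file first with `install -m 600 /dev/null /etc/ipsec.secrets`. The heredoc is also unquoted (necessarily, so that `$VPN_IPSEC_PSK` expands), which means a PSK containing `"`, `$`, a backslash or a backtick is mangled or yields a malformed secrets file; the text should state that restriction or tell the reader to escape those characters. Related: `VPN_IPSEC_PSK='YOUR_IPSEC_PSK'` and `echo "c myvpn <username> <password>" > /var/run/xl2tpd/l2tp-control` both leave the secrets in the root shell's history, which is worth a sentence in the text.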
@ -191,7 +316,7 @@ sudo route del default dev ppp0
参照上面的 Ubuntu/Debian 部分,并进行以下改动: 参照上面的 Ubuntu/Debian 部分,并进行以下改动:
1. 使用 `yum` 而不是 `apt-get` 命令来安装软件包。 1. 使用 `yum` 而不是 `apt-get` 命令来安装软件包。
1. 在这些系统中,`ipsec` 命令已经被重命名为 `strongswan`。 1. `ipsec up``ipsec down` 命令分别替换为 `strongswan up``strongswan down`。
1. 文件 `ipsec.conf``ipsec.secrets` 应该保存在 `/etc/strongswan` 目录中。 1. 文件 `ipsec.conf``ipsec.secrets` 应该保存在 `/etc/strongswan` 目录中。
### Other Linux ### Other Linux

View File

@ -150,31 +150,149 @@ Once connected, you will see a VPN icon overlay on the network status icon. You
## Windows Phone ## Windows Phone
Users with Windows Phone 8.1 and newer, try <a href="http://forums.windowscentral.com/windows-phone-8-1-preview-developers/301521-tutorials-windows-phone-8-1-support-l2tp-ipsec-vpn-now.html" target="_blank">this tutorial</a>. Please note that IPsec/L2TP support on this platform may have some issues. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`". Users with Windows Phone 8.1 and above, try <a href="http://forums.windowscentral.com/windows-phone-8-1-preview-developers/301521-tutorials-windows-phone-8-1-support-l2tp-ipsec-vpn-now.html" target="_blank">this tutorial</a>. You can verify that your traffic is being routed properly by <a href="https://encrypted.google.com/search?q=my+ip" target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
## Linux ## Linux
### Ubuntu & Debian ### Ubuntu & Debian
Follow the steps in <a href="http://www.jasonernst.com/2016/06/21/l2tp-ipsec-vpn-on-ubuntu-16-04/" target="_blank">this tutorial</a>. Some corrections are required: Note: Instructions below are adapted from [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c).
Commands must be run as `root` on your VPN client computer.
1. In `xl2tpd.conf`, remove the line `# your vpn server goes here`. To set up the VPN client, first install the following packages:
1. In `options.l2tpd.client`, replace `require-mschap-v2` with `require-chap`.
1. Replace `sudo echo "c XXX-YOUR-CONNECTION-NAME-XXX <user> <pass>" > /var/run/xl2tpd/l2tp-control` with:
``` ```
echo "c XXX-YOUR-CONNECTION-NAME-XXX <user> <pass>" | sudo tee /var/run/xl2tpd/l2tp-control apt-get update
apt-get install strongswan xl2tpd
``` ```
1. Replace the last command `sudo route add -net default gw <vpn server local ip>` with: Create VPN variables (replace with actual values):
``` ```
sudo route add default dev ppp0 VPN_SERVER_IP='YOUR_VPN_SERVER_IP'
VPN_IPSEC_PSK='YOUR_IPSEC_PSK'
``` ```
If there is an error, check the output of `ifconfig` and replace `ppp0` above with `ppp1`, etc. Configure strongSwan:
```
cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file
Once connected, verify that your traffic is being routed properly: # basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp1024,3des-sha1-modp1024!
conn myvpn
keyexchange=ikev1
left=%defaultroute
auto=add
authby=secret
type=transport
leftprotoport=17/1701
rightprotoport=17/1701
right=$VPN_SERVER_IP
EOF
cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF
chmod 600 /etc/ipsec.secrets
```
Configure xl2tpd:
```
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF
cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
EOF
```
The VPN client setup is now complete. Follow the steps below to connect.
Create xl2tpd control file:
```
mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control
```
Restart services:
```
service strongswan restart
service xl2tpd restart
```
Start the IPsec connection:
```
ipsec up myvpn
```
Start the L2TP connection (replace with your actual VPN username and password):
```
echo "c myvpn <username> <password>" > /var/run/xl2tpd/l2tp-control
```
Run `ifconfig` and check the output. You should now see a new interface `ppp0`.
Check your existing default route:
```
ip route
```
Find this line in the output: `default via X.X.X.X ...`. Write down this gateway IP for use in the commands below.
Exclude your VPN server's IP from the new default route (replace with actual value):
```
route add YOUR_VPN_SERVER_IP gw X.X.X.X
```
If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value, found by searching "my ip" on Google):
```
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
```
Add a new default route to start routing traffic via the VPN server
```
route add default dev ppp0
```
The VPN connection is now complete. Verify that your traffic is being routed properly:
``` ```
wget -qO- http://whatismyip.akamai.com; echo wget -qO- http://whatismyip.akamai.com; echo
``` ```
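Review bot: the proposals `ike=aes128-sha1-modp1024,3des-sha1-modp1024!` and `esp=aes128-sha1-modp1024,3des-sha1-modp1024!` pin the client to SHA-1, the 1024-bit MODP group and 3DES, and the trailing `!` makes the list strict, so the client cannot negotiate anything stronger even when the server's policy allows it. Suggest listing a stronger suite first (for example `aes256-sha256-modp2048`) and dropping the `3des` entry, keeping the older suites only as explicit fallbacks for servers that need them, and saying in the text why they are there. Secondary: the hunk reads the gateway with `ip route` but then manipulates routes with the legacy `route` command and inspects interfaces with `ifconfig`; using `ip route add ... via ...` and `ip addr` throughout would be consistent and avoids the net-tools dependency.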
@ -183,7 +301,13 @@ The above command should return `Your VPN Server IP`.
To stop routing traffic via the VPN server: To stop routing traffic via the VPN server:
``` ```
sudo route del default dev ppp0 route del default dev ppp0
```
To disconnect:
```
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn
``` ```
### CentOS & Fedora ### CentOS & Fedora
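Review bot: the disconnect steps added here (`route del default dev ppp0`, `echo "d myvpn" > /var/run/xl2tpd/l2tp-control`, `ipsec down myvpn`) do not undo the two host routes the connect sequence adds earlier in this diff (`route add YOUR_VPN_SERVER_IP gw X.X.X.X` and `route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X`), so those entries survive until reboot and keep steering that traffic around any later VPN; suggest adding the matching `route del YOUR_VPN_SERVER_IP` (and the local-PC one where it was used) to the "To disconnect" block so the routing table returns to its original state.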
@ -191,7 +315,7 @@ sudo route del default dev ppp0
Refer to the Ubuntu/Debian section above, with these changes: Refer to the Ubuntu/Debian section above, with these changes:
1. Use `yum` instead of `apt-get` to install packages. 1. Use `yum` instead of `apt-get` to install packages.
1. In these systems, the `ipsec` command has been renamed to `strongswan`. 1. Replace `ipsec up` and `ipsec down` with `strongswan up` and `strongswan down`, respectively.
1. The files `ipsec.conf` and `ipsec.secrets` should be saved under `/etc/strongswan`. 1. The files `ipsec.conf` and `ipsec.secrets` should be saved under `/etc/strongswan`.
### Other Linux ### Other Linux
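Review bot: the third item (`ipsec.conf` and `ipsec.secrets` under `/etc/strongswan`) should name the commands in the Ubuntu/Debian section that change, since that section now writes the files with `cat > /etc/ipsec.conf <<EOF`, `cat > /etc/ipsec.secrets <<EOF` and `chmod 600 /etc/ipsec.secrets`; a reader who follows the heredocs verbatim on CentOS/Fedora ends up with files in a location the `strongswan` command does not read. Suggest either rewriting the three paths in the item or giving the CentOS/Fedora versions of those commands in full.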