浏览量: 9,371
本文介绍使用 StrongSwan 搭建 VPN 的过程,适合有一定 linux 基础的用户。
本文使用的服务器
1CPU,1G, 优惠码
CentOS 8.3
StrongSwan 5.8.2
StrongSwan 简介
StrongSwan 是基于 OpenSource IPsec 的 VPN 解决方案,官方网站:https://www.strongswan.org/ ,如果无法访问请使用科学上网,原因你懂的。
本文描述从一个初始系统开始逐步完成搭梯的过程。
一,准备阶段
以 root 用户登录
安装 epel 源
更新系统
安装必备软件
dnf install nano wget nginx certbot iptables - services crontab
#nginx开机启动
systemctl enable nginx
#启动nginx
systemctl restart nginx
二,申请 ssl 证书
StrongSwan IPsec IKEv2 连接需要用到服务器证书,用于验证服务器身份。由于自签发证书不受操作系统信任,我们需要申请 Let’s Encrypt 免费证书。
#在web根目录创建临时目录
mkdir - p / usr / share / nginx / html / .well - known / acme - challenge
#--webroot 参数:指定使用临时目录的方式. -w 参数:指定后面-d 域名所在的根目录, 如果一次申请多个域的, 可以附加更多 -w...-d... 这段.
certbot certonly -- webroot -- email xxx @ xxx .com - w / usr / share / nginx / html - d xx .xxx .com
三,安装 strongswan
dnf install strongswan
systemctl enable strongswan
systemctl restart strongswan
配置strongswan
nano / etc / strongswan / swanctl / conf .d / xx .xxx .com .conf
写入以下配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
connections {
ikev2 - eap - mschapv2 {
version = 2
unique = never
rekey_time = 0s
fragmentation = yes
dpd_delay = 60s
send_cert = always
pools = ipv4 - addrs , ipv6 - addrs
proposals = aes256 - sha256 - prfsha256 - modp2048 , aes256gcm16 - prfsha384 - modp1024 , default
local_addrs = % any
local {
certs = cert .pem
id = xx .xxx .com
}
remote {
auth = eap - mschapv2
eap_id = % any
}
children {
ikev2 - eap - mschapv2 {
local_ts = 0.0.0.0 / 0 , :: / 0
rekey_time = 0s
dpd_action = clear
esp_proposals = aes256 - sha256 , aes128 - sha1 , default
}
}
}
}
pools {
ipv4 - addrs {
addrs = 10.10.0.0 / 24
dns = 8.8.8.8 , 1.1.1.1
}
ipv6 - addrs {
addrs = fec1 :: 0 / 24
dns = 2001 : 4860 : 4860 :: 8888 , 2606 : 4700 : 4700 :: 1111
}
}
secrets {
private - xxx {
file = privkey .pem
}
eap - user1 {
id = user1
secret = "123456"
}
}
高亮部分中的 xx.xxx.com 替换为上面申请证书时用的域名, private-xxx 中的 xxx 随意,不要有符号,eap-user1 和 id = user1 中的 user1 替换为你想登录vpn使用的账号,secret = “123456” 改为你的密码。
安装证书,创建证书软链接到 strongswan 的对应目录。
ln - s / etc / letsencrypt / live / xx .xxx .com / cert .pem / etc / strongswan / swanctl / x509 / cert .pem
ln - s / etc / letsencrypt / live / xx .xxx .com / privkey .pem / etc / strongswan / swanctl / private / privkey .pem
ln - s / etc / letsencrypt / live / xx .xxx .com / chain .pem / etc / strongswan / swanctl / x509ca / ca .pem
证书安装完成
systemctl restart strongswan
开启内核转发
用下面内容替换配置文件中同名的项,如果没有则新增。
#开启内核ipv4转发
net .ipv4 .ip_forward = 1
net .ipv4 .conf .all .accept_redirects = 0
net .ipv4 .conf .all .send_redirects = 0
#开启内核ipv6转发
net .ipv6 .conf .all .forwarding = 1
重新加载配置
配置防火墙
nano / etc / sysconfig / iptables
在合适的位置添加以下规则。高亮标示部分的内容与顺序必需与下面一样。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
* nat
: PREROUTING ACCEPT [ 0 : 0 ]
: INPUT ACCEPT [ 0 : 0 ]
: POSTROUTING ACCEPT [ 0 : 0 ]
: OUTPUT ACCEPT [ 0 : 0 ]
- A POSTROUTING - s 10.10.0.0 / 24 - o eth0 - m policy -- dir out -- pol ipsec - j ACCEPT
- A POSTROUTING - s 10.10.0.0 / 24 - o eth0 - j MASQUERADE
COMMIT
* filter
: INPUT ACCEPT [ 0 : 0 ]
: FORWARD ACCEPT [ 0 : 0 ]
: OUTPUT ACCEPT [ 0 : 0 ]
- A INPUT - m state -- state RELATED , ESTABLISHED - j ACCEPT
- A INPUT - p icmp - j ACCEPT
- A INPUT - i lo - j ACCEPT
- A INPUT - p tcp - m state -- state NEW - m tcp -- dport 22 - j ACCEPT
- A INPUT - p tcp - m tcp -- dport 80 - j ACCEPT
- A INPUT - p tcp - m tcp -- dport 443 - j ACCEPT
- A INPUT - i eth0 - p ah - j ACCEPT
- A INPUT - i eth0 - p esp - j ACCEPT
- A INPUT - i eth0 - p udp - m udp -- dport 500 - j ACCEPT
- A INPUT - i eth0 - p udp - m udp -- dport 4500 - j ACCEPT
- A INPUT - j REJECT -- reject - with icmp - host - prohibited
- A FORWARD - i eth0 - m policy -- dir in -- pol ipsec - j ACCEPT
- A FORWARD - d 10.10.0.0 / 24 - o eth0 - m policy -- dir out -- pol ipsec - j ACCEPT
- A FORWARD - j REJECT -- reject - with icmp - host - prohibited
COMMIT
ctrl + w 保存,按 y,回车确认。
systemctl restart iptables
由于 Let’s Encrypt 证书只有90天有效期,为避免过期,需要启用自动续期。自动续期由定时任务完成。
写入下面红色内容,这段的意思是每天3点运行 certbot renew 命令给证书续期,如果续期成功则重启 nginx 和 strongswan 服务。
SHELL = / bin / bash
PATH = / sbin : / bin : / usr / sbin : / usr / bin
MAILTO = root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
0 3 * * * root certbot renew -- quiet -- deploy - hook "systemctl restart nginx && systemctl restart strongswan"
ctrl + w 退出,按 y,回车确认。
到此,服务端配置完成。下面设置各客户端。
四,配置客户端
Win10 客户端设置
开始 -> 设置 -> 网络和Internet -> VPN -> 添加vpn连接
IOS 客户端设置
设置 -> 通用 -> VPN -> 添加VPN配置
Android 客户端设置
需下载安装客户端程序,前往官网下载 最新版 apk 程序 。
大哥你好啊,用你的方法我认证一直出错
Waiting for verification…
Challenge failed for domain oye86.co
http-01 challenge for oye86.co
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
– The following errors were reported by the server:
Domain: oye86.co
Type: unauthorized
我Nginx 和申请证书都用 宝塔弄好了,就是后面 “安装证书,创建证书软链接到 strongswan 的对应目录。”这个目录对应不上。宝塔的在
/etc/letsencrypt/csr
/etc/letsencrypt/keys 这两文件夹里。
我应该怎么弄呢?
用的阿里云香港服务器,按照文章的配置,vpn 能轻松连上,但打开不了任何网页, 然后日志一直在心跳。Apr 3 23:20:17 13[NET] sending packet: from 172.19.255.95[4500] to 183.229.32.196[5964] (128 bytes)
Apr 3 23:20:37 14[KNL] querying policy 0.0.0.0/0 === 10.10.1.1/32 out
Apr 3 23:20:37 14[KNL] querying SAD entry with SPI 0192523f
Apr 3 23:20:38 15[KNL] querying policy 0.0.0.0/0 === 10.10.1.1/32 out
Apr 3 23:20:38 15[KNL] querying SAD entry with SPI 0192523f
Apr 3 23:20:38 15[IKE] sending keep alive to 183.229.32.196[5964]
Apr 3 23:20:58 16[KNL] querying policy 0.0.0.0/0 === 10.10.1.1/32 out
Apr 3 23:20:58 16[KNL] querying SAD entry with SPI 0192523f
Apr 3 23:20:58 16[IKE] sending keep alive to 183.229.32.196[5964]
Apr 3 23:20:59 06[KNL] querying policy 10.10.1.1/32 === 0.0.0.0/0 in
Apr 3 23:20:59 06[KNL] querying policy 10.10.1.1/32 === 0.0.0.0/0 fwd
Apr 3 23:21:18 08[KNL] querying policy 0.0.0.0/0 === 10.10.1.1/32 out
Apr 3 23:21:18 08[KNL] querying SAD entry with SPI 0192523f
Apr 3 23:21:18 08[IKE] sending keep alive to 183.229.32.196[5964]
Apr 3 23:21:18 09[KNL] querying policy 10.10.1.1/32 === 0.0.0.0/0 in
Apr 3 23:21:18 09[KNL] querying policy 10.10.1.1/32 === 0.0.0.0/0 fwd
Apr 3 23:21:18 09[IKE] sending DPD request
Apr 3 23:21:18 09[IKE] queueing IKE_DPD task
Apr 3 23:21:18 09[IKE] activating new tasks
Apr 3 23:21:18 09[IKE] activating IKE_DPD task
Apr 3 23:21:18 09[ENC] generating INFORMATIONAL request 0 [ ]
Apr 3 23:21:18 09[NET] sending packet: from 172.19.255.95[4500] to 183.229.32.196[5964] (80 bytes)
Apr 3 23:21:22 10[IKE] retransmit 1 of request with message ID 0
Apr 3 23:21:22 10[NET] sending packet: from 172.19.255.95[4500] to 183.229.32.196[5964] (80 bytes)
Apr 3 23:21:29 11[IKE] retransmit 2 of request with message ID 0
Apr 3 23:21:29 11[NET] sending packet: from 172.19.255.95[4500] to 183.229.32.196[5964] (80 bytes)
Apr 3 23:21:38 12[KNL] querying policy 0.0.0.0/0 === 10.10.1.1/32 out
Apr 3 23:21:38 12[KNL] querying SAD entry with SPI 0192523f
Apr 3 23:21:42 13[IKE] retransmit 3 of request with message ID 0
Apr 3 23:21:42 13[NET] sending packet: from 172.19.255.95[4500] to 183.229.32.196[5964] (80 bytes)
Apr 3 23:21:49 15[KNL] querying policy 0.0.0.0/0 === 10.10.1.1/32 out
Apr 3 23:21:49 15[KNL] querying SAD entry with SPI 0192523f
Apr 3 23:22:02 05[KNL] querying policy 0.0.0.0/0 === 10.10.1.1/32 out
Apr 3 23:22:02 05[KNL] querying SAD entry with SPI 0192523f
Apr 3 23:22:02 05[IKE] sending keep alive to 183.229.32.196[5964]
Apr 3 23:22:05 16[IKE] retransmit 4 of request with message ID 0
Apr 3 23:22:05 16[NET] sending packet: from 172.19.255.95[4500] to 183.229.32.196[5964] (80 bytes)
Apr 3 23:22:22 08[KNL] querying policy 0.0.0.0/0 === 10.10.1.1/32 out
Apr 3 23:22:22 08[KNL] querying SAD entry with SPI 0192523f
看看加密算法是否支持,证书是否有效,证书路径和名称是否对,防火墙设置,转发是否打开。
您好,感谢分享。
本地机器通过StrongSwan已经成功链接服务器,请问怎么设置使得本地流量通过服务器转发?
默认应该已经转发所有流量了,如果没有的话,可以添加路由规则.
怎么搞?
您好,之前按您的教程《CentOS 7 使用 Strongswan 配置 IKEv2 VPN》使用了一年,最近证书突然到期没有自动续上,连接时候“IKE 身份验证凭证不可接受”。我收到续了证书可是还是不行,请问怎么解决呢?
续期成功了就重启strongswan 服务。
试过了,不行。搞了还久不知道什么原因,就差重装strongswan了
无法建立计算机与VPN服务器之间的网络连接,因为远程服务器未响应。这可能是因为未将计算机与远程服务器之间的某种网络设备(如防火墙、NAT、路由器等)配置为允许VPN连接。请与管理员或服务提供商联系以确定哪种设备可能产生此问题
检查防火墙设置,云服务器的安全策略。
查到问题了,重新设置一下ca证书就行了。文章里已经改过来了。
怎么搞?
我发现Let’s Encrypt Authority X3变成 R3了,是不是这个问题?怎么解决证书验证?
吐了,果然是Let’s Encrypt Authority X3变成 R3了,搞了几个月终于解决了。
你之前的教程下载 #下载 letsencrype 中间证书的代码
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O /etc/strongswan/ipsec.d/cacerts/lets-encrypt-x3-cross-signed.pem
现在要改为
wget https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem -O /etc/strongswan/ipsec.d/cacerts/lets-encrypt-r3-cross-signed.pem
果真是这个问题,中间证书变了