IPsec VPN Server

  • Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2: https://github.com/hwdsl2/setup-ipsec-vpn

  • Uses Libreswan <https://libreswan.org/> as the IPsec server and xl2tpd <https://github.com/xelerance/xl2tpd> as the L2TP provider.

  • Optional: Install WireGuard <https://github.com/hwdsl2/wireguard-install> and/or OpenVPN <https://github.com/hwdsl2/openvpn-install> on the same server.

Server

Installation

Note

Open UDP ports 500 and 4500 for the VPN.

Quick setup of the IPsec VPN server:

wget https://get.vpnsetup.net -O vpn.sh && sudo sh vpn.sh

Note: Your VPN login details will be randomly generated, and displayed when finished.

Client configuration is available at:

/home/ubuntu/vpnclient.p12 (for Windows & Linux)
/home/ubuntu/vpnclient.sswan (for Android)
/home/ubuntu/vpnclient.mobileconfig (for iOS & macOS)

Alternatively, run the server as a Docker container:

docker run \
    --name ipsec-vpn-server \
    --restart=always \
    -v ikev2-vpn-data:/etc/ipsec.d \
    -v /lib/modules:/lib/modules:ro \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -d --privileged \
    hwdsl2/ipsec-vpn-server

Uninstall VPN

Warning: this helper script removes the IPsec VPN from your server. All VPN configuration is permanently deleted, and Libreswan and xl2tpd are removed. This action cannot be undone:

wget https://get.vpnsetup.net/unst -O unst.sh && sudo bash unst.sh

Client

Ubuntu

Install:

sudo apt-get update
sudo apt-get install network-manager-strongswan

Extract the CA certificate, client certificate and private key from the .p12 file (you will be prompted for the .p12 password):

openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out client.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes  -out client.key

sudo chown root:root ca.cer client.cer client.key
sudo chmod 600 ca.cer client.cer client.key

You can then set up and enable the VPN connection:

01. Go to Settings -> Network -> VPN. Click the + button.
02. Select IPsec/IKEv2 (strongswan).
03. Enter anything you like in the Name field.
04. In the Gateway (Server) section, enter your VPN server IP (or DNS name) for the Address.
05. Select the ca.cer file for the Certificate.
06. In the Client section, select Certificate(/private key) in the Authentication drop-down menu.
07. Select Certificate/private key in the Certificate drop-down menu (if present).
08. Select the client.cer file for the Certificate (file).
09. Select the client.key file for the Private key.
10. In the Options section, check the Request an inner IP address checkbox.
11. In the Cipher proposals (Algorithms) section, check the Enable custom proposals checkbox.
12. Leave the IKE field blank.
13. Enter aes128gcm16 in the ESP field.
14. Click Add to save the VPN connection information.
15. Turn the VPN switch ON.

OS X

01. Open System Preferences and go to the Network section.
02. Click the + button in the lower-left corner of the window.
03. Select VPN from the Interface drop-down menu.
04. Select L2TP over IPSec from the VPN Type drop-down menu.
05. Enter anything you like in the Service Name field.
06. Click Create.
07. Enter your VPN server IP in the Server Address field.
08. Enter your VPN username in the Account Name field.
09. Click the Authentication Settings button.
10. In the User Authentication section, select the Password radio button and enter your VPN password.
11. In the Machine Authentication section, select the Shared Secret radio button and enter your VPN IPsec PSK.
12. Leave the Group Name field blank.
13. Click OK.
14. Check the Show VPN status in menu bar checkbox.
15. (Important) Click the Advanced button and check the Send all traffic over VPN connection checkbox.
16. (Important) Click the TCP/IP tab and select Link-local only in the Configure IPv6 section.
17. Click OK to close the advanced settings, then click Apply to save the VPN connection information.

Check logs and VPN status

Restart the relevant services on the VPN server:

sudo service ipsec restart
sudo service xl2tpd restart

Check the Libreswan (IPsec) and xl2tpd logs for errors:

# Ubuntu & Debian
grep pluto /var/log/auth.log
grep xl2tpd /var/log/syslog
# Or follow the IPsec log live while a client connects:
tail -f /var/log/auth.log | grep pluto

# CentOS/RHEL, Rocky Linux, AlmaLinux, Oracle Linux & Amazon Linux 2
grep pluto /var/log/secure
grep xl2tpd /var/log/messages

Check service status:

Check the IPsec VPN server status:
sudo ipsec status

Show the currently established VPN connections:
sudo ipsec trafficstatus

// ===========> Check IPsec VPN server status <==========
$ sudo ipsec status
000 using kernel interface: xfrm
000
000 interface lo UDP [::1]:4500
000 interface lo UDP [::1]:500
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface eth0 UDP 172.31.8.176:4500
000 interface eth0 UDP 172.31.8.176:500
000 interface docker0 UDP 172.17.0.1:4500
000 interface docker0 UDP 172.17.0.1:500
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=4.11, pluto_vendorid=OE-Libreswan-4.11, audit-log=yes
000 nhelpers=-1, uniqueids=no, dnssec-enable=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=<unsupported>
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - excluded subnets: 192.168.42.0/24, 192.168.43.0/24
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "ikev2-cp": 0.0.0.0/0===172.31.8.176[3.11.211.57,MS+S=C]---172.31.0.1...%any[%fromcert,+MC+S=C]; unrouted; eroute owner: #0
000 "ikev2-cp":     oriented; my_ip=unset; their_ip=unset; mycert=3.11.211.57; my_updown=ipsec _updown;
000 "ikev2-cp":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "ikev2-cp":   our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "ikev2-cp":   modecfg info: us:server, them:client, modecfg policy:push, dns:8.8.8.8, 8.8.4.4, domains:unset, cat:unset;
000 "ikev2-cp":   sec_label:unset;
000 "ikev2-cp":   CAs: 'CN=IKEv2 VPN CA, O=IKEv2 VPN'...'CN=IKEv2 VPN CA, O=IKEv2 VPN'
000 "ikev2-cp":   ike_life: 86400s; ipsec_life: 86400s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "ikev2-cp":   retransmit-interval: 500ms; retransmit-timeout: 300s; iketcp:no; iketcp-port:4500;
000 "ikev2-cp":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "ikev2-cp":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "ikev2-cp":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "ikev2-cp":   conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "ikev2-cp":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "ikev2-cp":   our idtype: ID_IPV4_ADDR; our id=3.11.211.57; their idtype: %fromcert; their id=%fromcert
000 "ikev2-cp":   liveness: active; dpdaction:clear; dpddelay:30s; retransmit-timeout:300s
000 "ikev2-cp":   nat-traversal: encaps:yes; keepalive:20s
000 "ikev2-cp":   newest IKE SA: #0; newest IPsec SA: #0; conn serial: $3;
000 "ikev2-cp":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "ikev2-cp":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "l2tp-psk": 172.31.8.176/32:UDP/1701===172.31.8.176[3.11.211.57]---172.31.0.1...%any===0.0.0.0/0:UDP/0-65535; unrouted; eroute owner: #0
000 "l2tp-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "l2tp-psk":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "l2tp-psk":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "l2tp-psk":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "l2tp-psk":   sec_label:unset;
000 "l2tp-psk":   ike_life: 86400s; ipsec_life: 86400s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "l2tp-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "l2tp-psk":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "l2tp-psk":   policy: IKEv1+PSK+ENCRYPT+DONT_REKEY+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "l2tp-psk":   conn_prio: 32,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "l2tp-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "l2tp-psk":   our idtype: ID_IPV4_ADDR; our id=3.11.211.57; their idtype: %none; their id=(none)
000 "l2tp-psk":   dpd: active; action:clear; delay:30s; timeout:300s
000 "l2tp-psk":   nat-traversal: encaps:yes; keepalive:20s; ikev1-method:rfc+drafts
000 "l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "l2tp-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP2048
000 "l2tp-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk": 0.0.0.0/0===172.31.8.176[3.11.211.57,MS+XS+S=C]---172.31.0.1...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "xauth-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk":   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "xauth-psk":   modecfg info: us:server, them:client, modecfg policy:pull, dns:8.8.8.8, 8.8.4.4, domains:unset, cat:unset;
000 "xauth-psk":   sec_label:unset;
000 "xauth-psk":   ike_life: 86400s; ipsec_life: 86400s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "xauth-psk":   initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk":   policy: IKEv1+PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "xauth-psk":   conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk":   our idtype: ID_IPV4_ADDR; our id=3.11.211.57; their idtype: %none; their id=(none)
000 "xauth-psk":   dpd: active; action:clear; delay:30s; timeout:300s
000 "xauth-psk":   nat-traversal: encaps:yes; keepalive:20s; ikev1-method:rfc+drafts
000 "xauth-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $2;
000 "xauth-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP2048
000 "xauth-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000
000 Total IPsec connections: loaded 3, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 Bare Shunt list:
000

// ===========> Show currently established VPN connections <==============
$ sudo ipsec trafficstatus
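As an added check that is not part of the hwdsl2 scripts, the POSIX shell script below parses `ipsec status` output in the line format shown above, flags proposals that still carry legacy algorithms, and reports the loaded/active connection counts. SAMPLE_STATUS is a constructed excerpt, and the WEAK_RE/LEGACY_RE patterns and the function names are this example's own choices.

```shell
#!/bin/sh
# Added audit helper, not part of the hwdsl2 scripts: scans `ipsec status`
# output for proposals that still carry legacy algorithms and reports the
# loaded/active connection counts. SAMPLE_STATUS is a constructed excerpt in
# the same line format as the real output; use `sudo ipsec status` for live data.
SAMPLE_STATUS='000 "ikev2-cp":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048+DH19, AES_CBC_128-HMAC_SHA1-MODP2048
000 "ikev2-cp":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96
000 "l2tp-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048
000 "l2tp-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_256-HMAC_SHA2_256_128
000 "legacy-test":   IKE algorithms: 3DES_CBC-HMAC_MD5-MODP1024
000 "legacy-test":   ESP algorithms: 3DES_CBC-HMAC_MD5_96
000 Total IPsec connections: loaded 3, active 0'

# Patterns chosen for this example: WEAK_RE should never appear in a live
# proposal; LEGACY_RE (HMAC-SHA1) is still widely accepted but worth tracking.
WEAK_RE='3DES|HMAC_MD5|MODP1024|^NULL'
LEGACY_RE='HMAC_SHA1'

# flag_proposals "<status text>" "<ERE>": prints "conn IKE|ESP proposal" for
# every individual proposal on an "IKE algorithms:"/"ESP algorithms:" line
# that matches the pattern.
flag_proposals() {
    printf '%s\n' "$1" | awk -v re="$2" '
        /(IKE|ESP) algorithms:/ {
            conn = $2; gsub(/[":]/, "", conn)      # "ikev2-cp": -> ikev2-cp
            kind = $3                               # IKE or ESP
            split($0, parts, /algorithms: /)        # parts[2] = proposal list
            m = split(parts[2], props, /, /)
            for (i = 1; i <= m; i++)
                if (props[i] ~ re) print conn, kind, props[i]
        }'
}

# count_matches "<status text>" "<ERE>": number of flagged proposals.
count_matches() {
    flag_proposals "$1" "$2" | awk 'END { print NR }'
}

# conn_counts "<status text>": prints "<loaded> <active>" from the summary line.
conn_counts() {
    printf '%s\n' "$1" | awk '/Total IPsec connections:/ {
        gsub(/,/, ""); print $6, $8 }'
}

# Stand-alone run against the embedded sample.
echo "connections (loaded active): $(conn_counts "$SAMPLE_STATUS")"
echo "weak proposals:";   flag_proposals "$SAMPLE_STATUS" "$WEAK_RE"
echo "legacy proposals:"; flag_proposals "$SAMPLE_STATUS" "$LEGACY_RE"
```

On a real server, capture `sudo ipsec status` into a variable or file and pass it to the same functions; a non-empty weak list means a connection definition should be tightened before clients can negotiate it.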