Whether at work or in everyday study, you will come across VPN services sooner or later. But what if you want to set up a VPN of your own? This article shows you how to install a virtual private network quickly.
Overview
This article describes how to set up your own virtual private network (VPN) on CentOS/Ubuntu. It encrypts the public-Internet leg of the traffic between your local machine and the corporate network, which prevents traffic hijacking, and it serves as the basis for remote access into the company network.
A later post will cover a site-to-site VPN for communication between hybrid clouds, i.e. a virtual leased line inside the company.
So far the role supports these main features:
- custom server domain name or IP
- one-click LDAP integration
- tunnel-split
- site to site
Note: strongSwan cannot authenticate directly against LDAP; RADIUS is needed as a bridge in between.
Requirements
General tools:
- centos7.x
- ansible 2.4
- aliasmee-strongswan-roles
Software for the advanced setup:
- freeradius
- openldap
Installation
1. Create the main playbook file, named install_strongswan, with the following content:
```yaml
---
# This playbook installs strongSwan
- hosts: my-vpn
  vars_files:
    - vars/main.yml
  roles:
    - role: aliasmee.strongswan
```
Note: my-vpn is my target host!
2. Edit vars/main.yml to match your environment:
```yaml
---
# strongSwan version - https://strongswan.org/
strongswan_version: 5.7.2
# CA cert info
vpn_liftid: "{{ ipify_public_ip }}" # Supports an FQDN or an IP address, e.g. 110.23.3.3 or v.example.com
dn_prefix: "C=cn, O=example"
ca_dn_info: "{{dn_prefix}}, CN=VPN CA"
server_dn_info: "{{dn_prefix}}"
client_dn_info: "{{dn_prefix}}, CN=VPN Client"
ca_lifetime: 3650 # CA cert validity period (unit: days)
server_lifetime: 1200 # server cert validity period (unit: days)
# strongSwan settings
client_dhcp_ip: 10.28.0.0/24 # virtual IP pool assigned to clients after they dial in
client_dhcp_dns: 8.8.8.8 # DNS server pushed to the client
client_auth: eap-mschapv2 # supported methods: [eap-mschapv2, eap-radius]; default eap-mschapv2
client_tunnel_range: 0.0.0.0/0 # only traffic to these networks goes through the tunnel -> tunnel-split
# Temporary VPN test user (/etc/ipsec.secrets)
username: testUserOnePla4
password: testOnePassPla4
# strongSwan + freeradius settings
enabled_radius: no # set to yes if you want LDAP authentication
radius_port: 1812
radius_secret: testing123 # the FreeRADIUS default test secret; change it before using RADIUS for real
radius_ip: 127.0.0.1
# Other info
download_path: '/tmp'
download_dir: /tmp
install_dir: /opt
cert_path: "{{download_dir}}/certs"
extra_path: "{{install_dir}}/strongswan-{{strongswan_version}}/sbin"
# strongSwan ./configure option list
config_list:
  - "--prefix={{install_dir}}/strongswan-{{strongswan_version}}"
  - "--enable-eap-identity"
  - "--enable-eap-md5"
  - "--enable-eap-mschapv2"
  - "--enable-eap-tls"
  - "--enable-eap-ttls"
  - "--enable-eap-peap"
  - "--enable-eap-tnc"
  - "--enable-eap-dynamic"
  - "--enable-eap-radius"
  - "--enable-xauth-eap"
  - "--enable-xauth-pam"
  - "--enable-dhcp"
  - "--enable-openssl"
  - "--enable-addrblock"
  - "--enable-unity"
  - "--enable-certexpire"
  - "--enable-radattr"
  - "--enable-swanctl"
  - "--disable-gmp"
create_path:
  - "{{install_dir}}"
  - "{{download_dir}}/temp"
  - "{{cert_path}}"
# Print the CA cert content
view_certificate: False # set to True, then install the private CA on your local PC to test the VPN
```
3. Export the private CA certificate to your local machine
Edit vars/main.yml and set view_certificate to True. Then use echo to save the certificate printed on stdout to a local file. If you need to import it into a client, see the links below.
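As an added example (not part of the post or of the aliasmee.strongswan role), the script below does the "save stdout locally" step without copy-pasting: it reads the ansible-playbook output, pulls out the PEM block and checks its shape before writing the file. It assumes the role prints the certificate through an Ansible debug task, so the output carries the certificate as a JSON string with literal `\n` escapes; the playbook output and the certificate body in the script are constructed placeholders, not a real CA.

```shell
#!/bin/sh
# Added example: extract the private CA certificate from ansible-playbook
# output and save it as a PEM file. Not part of the post or the role.

# Constructed sample of playbook output (debug task printing the CA). The
# base64 body is a placeholder, not a real certificate.
SAMPLE_PLAY_OUTPUT='TASK [aliasmee.strongswan : Read ca cert content] ******************
ok: [my-vpn] => {
    "msg": "-----BEGIN CERTIFICATE-----\nMIIBexampleCAbodyLine1\nMIIBexampleCAbodyLine2\n-----END CERTIFICATE-----\n"
}

PLAY RECAP *********************************************************
my-vpn                     : ok=1    changed=0    unreachable=0    failed=0'

# extract_ca_cert: read playbook output on stdin, print only the PEM block,
# with the JSON "\n" escapes turned back into real newlines and the
# surrounding JSON syntax stripped from the first and last line.
extract_ca_cert() {
    awk '{ gsub(/\\n/, "\n"); print }' |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{
        s/^.*-----BEGIN CERTIFICATE-----/-----BEGIN CERTIFICATE-----/
        s/-----END CERTIFICATE-----.*$/-----END CERTIFICATE-----/
        p
    }'
}

# pem_is_wellformed: read a PEM block on stdin; succeed only if it starts
# with the BEGIN marker, ends with the END marker and has a body in between.
pem_is_wellformed() {
    awk '
        NR == 1 && $0 != "-----BEGIN CERTIFICATE-----" { bad = 1 }
        { last = $0 }
        END { exit (bad || NR < 3 || last != "-----END CERTIFICATE-----") ? 1 : 0 }'
}

# save_ca_cert OUTFILE: run the two steps above on stdin and write OUTFILE.
save_ca_cert() {
    out="$1"
    pem=$(extract_ca_cert)
    printf '%s\n' "$pem" | pem_is_wellformed || {
        echo "no certificate block found in playbook output" >&2
        return 1
    }
    printf '%s\n' "$pem" > "$out"
    echo "CA certificate written to $out"
}

# Stand-alone demo on the constructed sample. For a real run:
#   ansible-playbook install_strongswan.yml | tee play.log
#   save_ca_cert ./vpn-ca.pem < play.log
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PLAY_OUTPUT" | save_ca_cert "$tmp"
rm -f "$tmp"
```

Once the file exists, `openssl x509 -in vpn-ca.pem -noout -subject -fingerprint -sha256` shows the subject (it should match ca_dn_info from vars/main.yml) and a fingerprint you can compare against the one shown on the server before trusting the CA on a client.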
4. Client configuration
- Windows users: Win7 and later are supported, up to Win10.
- Mac & iOS users: use Apple Configurator 2 to create and export a .mobileconfig profile, then import it directly into the device.
- Android: download the strongSwan client.
5. If strongSwan authenticates via LDAP, edit the configuration file /opt/strongswan-5.7.2/etc/ipsec.conf and add a separate conn for Windows clients:
```
# Windows clients do not support tunnel-split
conn windows10
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=/opt/strongswan-5.7.2/etc/ipsec.d/certs/server.cert.pem
    right=%any
    rightauth=eap-radius
    rightsourceip=10.28.0.0/24
    rightdns=8.8.8.8
    rightsendcert=never
    eap_identity=%any
    auto=add
```
Note: with LDAP authentication, choose PEAP as the authentication method in the Windows client settings. Also, because Win10 does not support split tunneling, leftsubnet above is set to 0.0.0.0/0. One more thing: with eap-radius, IKE no longer accepts modp2048; switching to 1024 works...
Windows client connection error modp2048: received proposals unacceptable
```
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
11[IKE] 1.1.1.1 is initiating an IKE_SA
11[IKE] received MS-Negotiation Discovery Capable vendor ID
11[IKE] received Vid-Initial-Contact vendor ID
11[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
11[IKE] local host is behind NAT, sending keep alives
11[IKE] remote host is behind NAT
11[IKE] received proposals unacceptable
```
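The log above shows the pattern to look for: the server lists its configured proposals (all with MODP_2048), the client announced the MS NT5 ISAKMPOAKLEY vendor ID, and the result is "received proposals unacceptable". As an added example (not from the post or the role), the script below summarises such rejections from a charon log: which peer was refused, whether it identified itself as a Windows client, and which DH groups the server offered. The log lines are a constructed sample modelled on the ones quoted above; 203.0.113.7 is a documentation address. One caveat the post does not cover: instead of lowering the server to modp1024, the Windows IKEv2 client can be made to offer 2048-bit DH by setting the registry DWORD NegotiateDH2048_AES256 to 1 under HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters, which lets the server keep the stronger group.

```shell
#!/bin/sh
# Added example, not part of the post: triage IKE_SA_INIT rejections in a
# charon log. Run it over the real log (journalctl -u strongswan, or
# /var/log/charon.log) instead of the constructed sample below.

# Constructed sample modelled on the lines quoted in the post.
SAMPLE_CHARON_LOG='11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
11[IKE] 1.1.1.1 is initiating an IKE_SA
11[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
11[IKE] received proposals unacceptable
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[IKE] 203.0.113.7 is initiating an IKE_SA
12[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048'

# ike_init_failures: read charon log lines on stdin and print one line per
# rejected IKE_SA_INIT: "<peer> windows=<yes|no> server_dh=<groups>".
# Lines belonging to one exchange are correlated by the worker-thread id
# that prefixes each line (the "11" in "11[IKE]").
ike_init_failures() {
    awk '
    { split($1, t, "["); tid = t[1] }
    # a new request on this thread: forget what the previous one recorded
    /parsed IKE_SA_INIT request/ { delete peer[tid]; delete win[tid]; delete dh[tid] }
    /is initiating an IKE_SA/    { peer[tid] = $2 }
    /MS NT5 ISAKMPOAKLEY/        { win[tid] = 1 }
    /configured proposals:/ {
        # collect the distinct DH groups (MODP_* or ECP_*) the server offers
        groups = ""; s = $0
        while (match(s, /(MODP|ECP)_[0-9]+/)) {
            g = substr(s, RSTART, RLENGTH)
            if (index("," groups ",", "," g ",") == 0)
                groups = (groups == "") ? g : groups "," g
            s = substr(s, RSTART + RLENGTH)
        }
        dh[tid] = groups
    }
    /received proposals unacceptable/ {
        printf "%s windows=%s server_dh=%s\n", peer[tid], (tid in win) ? "yes" : "no", dh[tid]
    }'
}

printf '%s\n' "$SAMPLE_CHARON_LOG" | ike_init_failures
```

On the sample this prints `1.1.1.1 windows=yes server_dh=MODP_2048`, i.e. a Windows client was refused while the server only offered modp2048. Thread ids are reused over a long-running log, so for an archive spanning days it is better to cut the log down to the time window of interest first.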
Summary
Idempotent deployment is supported. If you run into a problem, feel free to open an issue.
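A quick way to confirm the idempotency claim on your own hosts, added here as an example that is not part of the post or the role: run the playbook a second time and parse the PLAY RECAP that ansible-playbook prints. A second run with changed=0 (and no failed or unreachable hosts) is idempotent; anything else names a task worth looking at. The recap below is constructed, with one host deliberately showing a change.

```shell
#!/bin/sh
# Added example, not part of the post: check a second playbook run for
# idempotency by parsing ansible-playbook's PLAY RECAP. Assumes the standard
# recap line format "host : ok=N changed=N unreachable=N failed=N ...".

# Constructed recap of a second run; my-vpn-2 changed a task, so the
# deployment is not idempotent for that host.
SAMPLE_RECAP='PLAY RECAP *********************************************************
my-vpn                     : ok=23   changed=0    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0
my-vpn-2                   : ok=23   changed=1    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0'

# recap_counts: read playbook output on stdin and print
# "host changed failed unreachable" for every host in the recap.
recap_counts() {
    awk '
    /^PLAY RECAP/ { in_recap = 1; next }
    in_recap && /: *ok=/ {
        c = f = u = "?"
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") == 2) {
                if (kv[1] == "changed") c = kv[2]
                else if (kv[1] == "failed") f = kv[2]
                else if (kv[1] == "unreachable") u = kv[2]
            }
        }
        print $1, c, f, u
    }'
}

# check_idempotent: exit 0 only if every host has changed=0, failed=0 and
# unreachable=0; otherwise list the offending hosts and exit 1.
check_idempotent() {
    recap_counts | awk '
        $2 != 0 || $3 != 0 || $4 != 0 {
            print "not idempotent: " $1 " changed=" $2 " failed=" $3 " unreachable=" $4
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Real use: run the playbook twice and check the recap of the second run:
#   ansible-playbook install_strongswan.yml >/dev/null
#   ansible-playbook install_strongswan.yml | check_idempotent
printf '%s\n' "$SAMPLE_RECAP" | check_idempotent || echo "second run still changed something"
```

When a host is reported, re-run the second pass with `-v` or `--diff` to see which task keeps reporting a change; common causes are tasks that download or extract the strongSwan tarball unconditionally rather than only when the target is missing.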