
migrate post

9ft committed Mar 25, 2019
1 parent 69451ac commit c1be0713d341c437b4f319e1a15520359951d335
Showing with 1,966 additions and 9 deletions.
  1. +2 −0 .gitattributes
  2. +1 −0 .gitignore
  3. +6 −0 content/post/2007-01-01-hello-world.md
  4. +311 −0 content/post/2015-10-12-build-v.md
  5. +78 −0 content/post/2015-10-13-deploy-ss.md
  6. +86 −0 content/post/2015-10-14-ubuntu-install.md
  7. +8 −0 content/post/2015-10-17-sublime-config.md
  8. +13 −0 content/post/2015-10-18-git-win-ssh.md
  9. +41 −0 content/post/2015-10-22-linux-x-window.md
  10. +51 −0 content/post/2015-10-24-cuda-helloworld.md
  11. +16 −0 content/post/2015-11-30-ubuntu-lamp.md
  12. +245 −0 content/post/2016-05-04-jekyll-nginx.md
  13. +135 −0 content/post/2016-05-05-ubuntu-lnmp.md
  14. +36 −0 content/post/2016-05-30-vs-remote-debug-err.md
  15. +32 −0 content/post/2016-05-31-vs-cuda.md
  16. +26 −0 content/post/2016-08-23-mac-terminal.md
  17. +50 −0 content/post/2016-08-23-mac-vim.md
  18. +49 −0 content/post/2016-08-25-music-player.md
  19. +28 −0 content/post/2016-08-25-node-forever.md
  20. +32 −0 content/post/2016-08-25-ubuntu-hostname.md
  21. +5 −5 content/post/2016-08-26-tjunet.md
  22. +96 −0 content/post/2016-08-30-nginx-https.md
  23. +49 −0 content/post/2016-09-10-k640e.md
  24. +1 −1 content/post/2016-09-27-macosx86.md
  25. +32 −0 content/post/2016-11-23-macos-ntfs.md
  26. +106 −0 content/post/2016-11-27-bingwallpaper.md
  27. +41 −0 content/post/2016-12-04-office-install.md
  28. +163 −0 content/post/2017-01-17-deploy-githttp.md
  29. +59 −0 content/post/2017-03-21-mech-keyboard.md
  30. +1 −1 content/post/2017-04-28-samba.md
  31. +82 −0 content/post/2017-05-03-supervisor.md
  32. +1 −2 content/post/2019-03-24-hugo.md
  33. +3 −0 static/img/post/2016-05-30-vs-remote-debug-err/vs-error-remote-local-1.jpg
  34. +3 −0 static/img/post/2016-05-31-vs-cuda/2016-05-31-VS2015-CUDA-1.png
  35. +3 −0 static/img/post/2016-05-31-vs-cuda/2016-05-31-VS2015-CUDA-2.png
  36. +3 −0 static/img/post/2016-08-23-mac-terminal/iterm2-with-theme.png
  37. +3 −0 static/img/post/2016-08-23-mac-terminal/mac-terminal-with-theme.png
  38. +3 −0 static/img/post/2016-08-23-mac-vim/airline.png
  39. +3 −0 static/img/post/2016-08-23-mac-vim/mac-vim.png
  40. +3 −0 static/img/post/2016-08-25-music-player/2016-08-25-my-last.fm.png
  41. +3 −0 static/img/post/2016-08-25-music-player/WinMp9.png
  42. +3 −0 static/img/post/2016-08-25-music-player/winamp-5.jpg
  43. +3 −0 static/img/post/2016-08-25-ubuntu-hostname/2016-08-25 15.09.31.png
  44. +3 −0 static/img/post/2016-08-26-tjunet/Win_Proxification_Rules.png
  45. +3 −0 static/img/post/2016-08-26-tjunet/Win_Proxifier_Proxy_Servers.png
  46. +3 −0 static/img/post/2016-08-26-tjunet/macOS_Proxification_Rules.png
  47. +3 −0 static/img/post/2016-08-26-tjunet/macOS_Proxifier_Proxy_Servers.png
  48. +3 −0 static/img/post/2016-08-26-tjunet/tjunet_price.png
  49. +3 −0 static/img/post/2016-08-30-nginx-https/canukiss.me_via_https.png
  50. +3 −0 static/img/post/2016-09-10-k640e/IMG_3964.jpg
  51. +3 −0 static/img/post/2016-09-10-k640e/IMG_3985.jpg
  52. +3 −0 static/img/post/2016-09-10-k640e/IMG_3988_memory.jpg
  53. +3 −0 static/img/post/2016-09-10-k640e/IMG_3992_HDD.jpg
  54. +3 −0 static/img/post/2016-09-10-k640e/IMG_4015_WLAN.jpg
  55. +3 −0 static/img/post/2016-09-27-macosx86/2016-09-02.1.30.31.png
  56. +3 −0 static/img/post/2016-12-04-office-install/office_after.png
  57. +3 −0 static/img/post/2016-12-04-office-install/office_before.jpg
  58. +3 −0 static/img/post/2017-03-21-mech-keyboard/IMG20150515143414.jpg
  59. +3 −0 static/img/post/2017-03-21-mech-keyboard/IMG_2467.jpg
  60. +3 −0 static/img/post/2017-03-21-mech-keyboard/IMG_6257.jpg
@@ -0,0 +1,2 @@
*.png filter=lfs diff=lfs merge=lfs -text
*.jpg filter=lfs diff=lfs merge=lfs -text
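Review bot: the two LFS patterns in this `.gitattributes` hunk match only lowercase `*.png` and `*.jpg`, so a later `IMG_1234.JPG` or `photo.jpeg` would be committed as a regular blob instead of an LFS pointer. The 28 image files in this commit all use lowercase `.png`/`.jpg` and show up as 3-line pointer files (`+3 −0`), so the current set is covered; consider adding `*.JPG`, `*.jpeg` and `*.JPEG` (or documenting the lowercase-only convention) so the rule keeps holding for future posts.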
@@ -0,0 +1 @@
/public
@@ -0,0 +1,6 @@
---
slug: hello-world
title: First Post
date: 2007-01-01T08:00:00+0800
---
First Post
@@ -0,0 +1,311 @@
---
slug: deploy-v
title: v_p_n 架设
date: 2015-10-12T08:00:00+0800
---
搭建V_P_N.

# 架构

- 使用 `Openswan` 作为 `IPsec` 服务器.
- 使用 `xl2tpd` 提供 `L2TP` 支持.
- 使用 `ppp` 提供用户认证.

# 环境

- Linode
- Ubuntu 14.04 64-bit

# 安装

```shell
sudo apt-get install openswan xl2tpd ppp lsof
# 安装软件包, 会有设置向导, 全部 Enter 使用默认设置.
```

# 配置

## 防火墙 `iptables``sysctl` 的设置

```shell
sudo iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
#%SERVERIP% 替换成你的服务器 IP; eth+ 通配符
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p
# 应用设置
```

## 添加自启

`rc.local` 中添加:

```conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
```

## 配置 `Openswan (IPSEC)`

### 配置 `ipsec.conf`

`/etc/ipsec.conf` 中修改:

```conf
left=%SERVERIP%
protostack=netkey
```

`/etc/ipsec.conf` 完整文件:

```conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least upto 2010-12-21)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack t o use. auto will try netkey, then klips then mast
protostack=netkey
# Use this to log to a file, or disable logging on embedded systems (like openwrt)
#plutostderrlog=/dev/null
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=add
conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.
pfs=no
#Disable pfs
auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
keyingtries=3
#Only negotiate a conn. 3 times.
ikelifetime=8h
keylife=1h
ike=aes256-sha1;modp1024!
phase2alg=aes256-sha1;modp1024
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.
type=transport
#because we use l2tp as tunnel protocol
left=%SERVERIP%
#fill in server IP above
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.
```


### 修改 `ipsec.secrets`

- 获取服务器 IP:

```shell
curl http://ip.mtak.nl
```

- 生成随机密匙:

```shell
openssl rand -hex 30
```

### `IPSec` 握手时的 `Shared Secret`

`/etc/ipsec.secrets` 修改为:

```conf
%SERVERIP% %any: PSK "%Shared Secret%"
```

### 验证 `IPSec`

验证 `IPSec` 是否正常工作

```shell
ipsec verify
```

### 遇到问题

#### 问题1 `NETKEY: Testing XFRM related proc values [FAILED]`

`NETKEY: Testing XFRM related proc values [FAILED]`

应该是忘记修改网络策略, 解决方法:

```shell
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
```

#### 问题2 `Hardware RNG detected, testing if used properly [FAILED]`

`Hardware RNG detected, testing if used properly [FAILED]`

解决方法:

```
sudo apt-get install rng-tools
```

再次验证 `IPSec` 是否正常工作, `ipsec verify`, 已经正常.

## 配置 `xl2tpd`

### 配置 `xl2tpd.conf`

`/etc/xl2tpd/xl2tpd.conf` 修改成:

```conf
[global]
ipsec saref = yes
saref refinfo = 30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```

### 用户认证

编辑 `/etc/xl2tpd/xl2tpd.conf`:

```conf
# 增加这一行:
unix authentication = yes
# 删除这一行:
refuse pap = yes
```

更改 `/etc/pam.d/ppp` 成:

```conf
auth required pam_nologin.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
```

修改 `/etc/ppp/options.xl2tpd`:

```conf
login
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
```

# 使用

## 增加用户

修改 `/etc/ppp/chap-secrets`:

```conf
# Secrets for authentication using CHAP
# client server secret IP addresses
user1 l2tpd pass1 *
user2 l2tpd pass2 *
```

## 重启服务

```shell
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
```

## 查看错误日志

```shell
cat /var/log/syslog
cat /var/log/auth.log
```

# Enjoy!

[1]:http://phyng.com/digitalocean-ubuntu-vpn.html "digitalocean ubuntu vpn"
[2]:http://blog.fengqijun.me/vpn/2015/03/08/l2tp-ipsec-vpn-on-ubuntu-14/ "在Ubuntu 14.04上建立L2TP/IPSec VPN"
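Review bot: the IPsec proposal in the `conn L2TP-PSK-noNAT` block (`ike=aes256-sha1;modp1024!` / `phase2alg=aes256-sha1;modp1024`, together with `pfs=no`) pins key agreement to the 1024-bit MODP group, and the explanatory comment right below it ("DH2 is a 1028 bit encryption algorithm ... e.g. modp1028") is wrong on both counts: modp1024 is Diffie-Hellman group 2, a 1024-bit key-agreement group, not an encryption algorithm, and it is 1024 bits, not 1028. Suggest `modp2048` (group 14) in both lines and `pfs=yes`, and if `pfs=no` is kept for client compatibility, say so explicitly as a trade-off rather than just "Disable pfs". Other points in the same file: (1) the NAT rule `iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+` (used again in the `rc.local` snippet) has no `-s` match, so with `net.ipv4.ip_forward = 1` and no FORWARD rules the host will forward and masquerade anything routed through it; restrict it to the pool configured in `xl2tpd.conf`, e.g. `-s 172.16.1.0/24`, and add a FORWARD policy. (2) The install step uses `sudo apt-get`, but the sysctl block then runs `echo ... | tee -a /etc/sysctl.conf`, `echo 0 > $vpn/accept_redirects` and `sysctl -p` without privileges; the `echo 0 > file` redirections will not work through `sudo` either, so this block (and the "问题1" fix) should state it is run in a root shell. (3) `%SERVERIP% %any: PSK "..."` is one group PSK for every client; with IKEv1 PSK, anyone holding it can impersonate the server to other clients, which is worth a sentence next to the `openssl rand -hex 30` step (also, `curl http://ip.mtak.nl` fetches the server address over plain HTTP; reading it from the interface avoids trusting that response). (4) The "用户认证" section removes `refuse pap = yes` and adds `unix authentication = yes` plus `login` in `options.xl2tpd`, i.e. PAP against system accounts via PAM, but the "增加用户" section then adds users to `/etc/ppp/chap-secrets`; these are two different authentication paths, and the post should say which one is in effect and that `chap-secrets` holds cleartext passwords and must be mode 0600. Minor: "密匙" should be "密钥", the heading "防火墙 `iptables``sysctl` 的设置" is missing a separator between the two code spans, and the `[1]`/`[2]` link references at the end are defined but never cited in the body.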
