Setting up an IKEv2 VPN on Ubuntu
2023-2-21 16:13
1. Update packages with apt-get
apt-get update -y
apt-get upgrade -y
2. Edit /etc/sysctl.conf to allow forwarding
vim /etc/sysctl.conf
Uncomment the following three lines:
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
3. After saving, reload the configuration
sysctl -f
4. Install strongSwan VPN
apt-get install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd-dev
5. Create the VPN certificates
Create three directories
mkdir -p /root/pki/{cacerts,certs,private}
Generate the root CA key and certificate
pki --gen --type rsa --size 4096 --outform pem > /root/pki/private/ca-key.pem
pki --self --ca --lifetime 3650 --in /root/pki/private/ca-key.pem --type rsa --dn "CN=VPN root CA" --outform pem > /root/pki/cacerts/ca-cert.pem
Generate the VPN server key and certificate
pki --gen --type rsa --size 4096 --outform pem > /root/pki/private/server-key.pem
Replace the IP below with your own server IP
pki --pub --in /root/pki/private/server-key.pem --type rsa | pki --issue --lifetime 1825 --cacert /root/pki/cacerts/ca-cert.pem --cakey /root/pki/private/ca-key.pem --dn "CN=45.58.41.152" --san 45.58.41.152 --flag serverAuth --flag ikeIntermediate --outform pem > /root/pki/certs/server-cert.pem
Copy the certificates into strongSwan's directory
cp -r /root/pki/* /etc/ipsec.d/
6. Configure strongSwan VPN
Back up the current configuration file
mv /etc/ipsec.conf /etc/ipsec.conf.bak
Create a new file
vim /etc/ipsec.conf
and add the following content, replacing the IP with your own server IP (parameters inside a section must be indented, otherwise strongSwan treats them as new section headers):
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=45.58.41.152
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
Explanation of the configuration items:
- left=%any – The %any means the server will use any network interface to receive incoming connections.
- leftid=45.58.41.152 – Specify the IP address of the VPN server.
- leftcert=server-cert.pem – Specify the name of the public certificate.
- leftsendcert=always – The always means that any remote clients will receive a copy of the server’s public certificate.
- leftsubnet=0.0.0.0/0 – It specifies the entire set of IPv4 addresses, i.e. all client traffic is routed through the tunnel.
- rightauth=eap-mschapv2 – Define the authentication method the client uses to authenticate itself to the server (here EAP-MSCHAPv2 with a username and password from ipsec.secrets).
- rightsourceip=10.10.10.0/24 – This will tell the server to assign private IP to clients from the 10.10.10.0/24 network.
- rightdns=8.8.8.8,8.8.4.4 – It specifies Google’s DNS IP address.
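The ike= and esp= lines above list several proposals, and the last ones (3DES, SHA-1, MODP-1024) are legacy algorithms that a modern client should never need. As an added example, not part of the original post, the following script parses a conn section of ipsec.conf and reports every proposal that contains an algorithm from a (assumed, locally chosen) weak list, so the config can be checked before restarting the service.

```python
"""Audit ike=/esp= proposals in a strongSwan ipsec.conf conn section.

Added example, not part of the original post. WEAK is an assumed local policy,
not a strongSwan setting. SAMPLE_IPSEC_CONF is a constructed copy of the tutorial's
proposal lines.
"""

# Constructed sample: the relevant part of the conn block from the tutorial.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    keyexchange=ikev2
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
"""

# Assumed local policy: algorithm tokens that should not appear in a new deployment.
WEAK = {"3des", "des", "sha1", "md5", "modp768", "modp1024", "null"}


def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; unindented lines start a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():             # e.g. "conn ikev2-vpn" / "config setup"
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def weak_proposals(proposal_list):
    """Return [(proposal, [weak tokens])] for each proposal using a WEAK algorithm."""
    findings = []
    # The trailing "!" is the old pluto-style strict marker; strip it before splitting.
    for proposal in proposal_list.rstrip("!").split(","):
        hits = sorted(tok for tok in proposal.split("-") if tok in WEAK)
        if hits:
            findings.append((proposal, hits))
    return findings


def audit(text, conn="ikev2-vpn"):
    """Return {"ike": findings, "esp": findings} for the named conn section."""
    params = parse_ipsec_conf(text).get("conn " + conn, {})
    return {key: weak_proposals(params[key]) for key in ("ike", "esp") if key in params}
```

Run it against the real file with `audit(open("/etc/ipsec.conf").read())`; an empty list for both keys means no proposal from the weak list is offered.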
Configure /etc/ipsec.secrets and add a VPN user
vim /etc/ipsec.secrets
Add the following content; vpnusername is the account name and the string in double quotes is the password
: RSA "server-key.pem"
vpnusername : EAP "securepassword"
Save and restart the service
systemctl restart strongswan-starter
Check the service status
systemctl status strongswan-starter
Reference links for later
https://cloudinfrastructureservices.co.uk/setup-ikev2-vpn-server-on-ubuntu-20-04/
https://docs.strongswan.org/docs/5.9/install/install.html