一、通过OpenVPN搭建基于TLS协议的VPN
- 一键部署脚本下载:
https://github.com/angristan/openvpn-install
- 配置文件/etc/openvpn/server.conf
port 2305
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 5 120
topology subnet
server 10.5.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.5.5.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
dh none
# 通过 RADIUS 验证用户名/密码,不需要时可不添加
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_e3IxyFUI3a4mnQXr.crt
key server_e3IxyFUI3a4mnQXr.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
reneg-sec 0
- 客户端配置文件模版/etc/openvpn/client-common.txt
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 1.1.1.1 2305
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-128-GCM
comp-lzo
key-direction 1
verb 3
# 如果开启了 RADIUS 验证,则取消下面一行的注释
#auth-user-pass
reneg-sec 86400
tls-version-min 1.2
- 为不同的客户端推送不同的路由
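# Per-client config directory (client-config-dir in server.conf): when a
# client connects, OpenVPN looks for a file named after the client's username
# and applies the push directives inside it, so each client can receive its
# own routes.
mkdir -p /etc/openvpn/ccd
# These files steer what a client is told to route. The server only needs to
# READ them after it drops to "user nobody", so keep them owned by root and
# world-readable rather than owned by nobody (a compromised server process
# must not be able to rewrite its own per-client policy).
chown -R root:root /etc/openvpn/ccd/
chmod 755 /etc/openvpn/ccd
# user1 / user2 are the usernames the clients authenticate with.
# Quoted heredoc: the contents are written literally, nothing is expanded.
cat > /etc/openvpn/ccd/user1 << 'EOF'
push "route 172.29.77.0 255.255.255.0"
EOF
cat > /etc/openvpn/ccd/user2 << 'EOF'
push "route 172.25.209.0 255.255.255.0"
EOF
chmod 644 /etc/openvpn/ccd/*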
- 配置 iptables,使内网流量经由 OpenVPN 服务端转发
iptables -t nat -A POSTROUTING -s 10.5.5.0/24 -d 172.29.77.0/24 -o eth0 -j MASQUERADE
- 插件配置文件/etc/openvpn/radiusplugin.cnf
NAS-Identifier=OpenVpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=127.0.0.1
OpenVPNConfig=/etc/openvpn/server.conf
subnet=255.255.255.0
overwriteccfiles=true
nonfatalaccounting=false
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=1xx.1xx.1xx.1xx
# How many times should the plugin resend the request if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=3
# The shared secret.
sharedsecret=Rad2023
}
二、通过strongSwan搭建IKEv2/IPsec协议VPN(默认端口500、4500)
- yum安装strongswan
yum install -y epel-release
yum install -y strongswan
- 如需修改默认端口,则添加下面配置,否则忽略
vi /etc/strongswan/strongswan.conf
charon {
port = 500
port_nat_t = 4500
# 其他不变
...
}
- 定义配置文件
mv /etc/strongswan/swanctl/swanctl.conf /etc/strongswan/swanctl/swanctl.conf.bk
cat > /etc/strongswan/swanctl/swanctl.conf << EOF
connections {
iphone-connect {
version = 2
remote_addrs = %any
local_addrs = 0.0.0.0
pools = vpn_pool
proposals = aes256-sha256-modp2048
send_certreq = no
local {
auth = psk
id = 公网ip
}
remote {
auth = psk
}
children {
iphone-connect {
local_ts = 0.0.0.0/0
remote_ts = 0.0.0.0/0
if_id_in = 1
if_id_out = 1
updown = /etc/strongswan/ipsec-updown.sh # 网络配置脚本
mode = tunnel
rekey_time = 4h
esp_proposals = aes256-sha256-modp2048
}
}
}
}
pools {
vpn_pool {
addrs = 172.20.5.0/24 # 定义客户端的ip段
dns = 8.8.8.8,8.8.4.4
}
}
secrets {
ike-iphone-connect {
id = 公网ip
secret = "密码"
}
}
EOF
- 定义客户端连接的网络配置脚本
- 注意修改变量:VPN_SUBNET(客户端的ip段),要与/etc/strongswan/swanctl/swanctl.conf中addrs一致
vi /etc/strongswan/ipsec-updown.sh
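#!/bin/bash
# /etc/strongswan/ipsec-updown.sh
#
# Invoked by strongSwan (charon) each time an IPsec CHILD_SA is established or
# deleted; wired in through `updown = /etc/strongswan/ipsec-updown.sh` in
# swanctl.conf. Supported on strongSwan 5.x+.
#
# Environment provided by strongSwan:
#   PLUTO_VERB         operation: up-host, up-client, down-host, down-client
#   PLUTO_CONNECTION   connection name
#   PLUTO_PEER_CLIENT  peer client IP (when a virtual IP was assigned)
#
# up-client: enable IPv4 forwarding, create the XFRM interface (its if_id must
# match if_id_in / if_id_out in swanctl.conf), route the client pool through
# it, and append FORWARD + MASQUERADE rules for the pool.
# down-client: remove one instance of those firewall rules. The pool route and
# the interface are shared by all connected clients and are left in place.
#
# VPN_SUBNET must equal `addrs` of vpn_pool in swanctl.conf.
set -o nounset
set -o errexit

readonly VPN_SUBNET="172.20.5.0/24"
readonly XFRM_IF="ipsec0"
readonly XFRM_IF_ID=1  # must match if_id_in / if_id_out in swanctl.conf

#######################################
# Print the interface carrying the default IPv4 route (first one only).
# Outputs: interface name on stdout
# Returns: 1 (with a message on stderr) when no default route exists, so a
#          NAT rule is never built with an empty "-o" argument and silently
#          dropped.
#######################################
default_interface() {
  local iface
  # Take the token after "dev" instead of a fixed column, so a default route
  # without "via" (e.g. a point-to-point link) is handled as well.
  iface=$(ip -4 route show default \
    | awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
  if [[ -z "$iface" ]]; then
    printf 'ipsec-updown: no default IPv4 route, cannot determine egress interface\n' >&2
    return 1
  fi
  printf '%s\n' "$iface"
}

#######################################
# Create the XFRM interface once and route the client pool through it.
# Globals: VPN_SUBNET, XFRM_IF, XFRM_IF_ID (read)
#######################################
setup_xfrm_interface() {
  if ! ip link show "$XFRM_IF" >/dev/null 2>&1; then
    ip link add "$XFRM_IF" type xfrm if_id "$XFRM_IF_ID"
    ip link set "$XFRM_IF" up
  fi
  # Route already exists once the first client connected; not an error.
  ip route add "$VPN_SUBNET" dev "$XFRM_IF" 2>/dev/null || true
}

#######################################
# Append (-A) or delete (-D) the forwarding and NAT rules for the pool.
# The rules are per-client instances: each up-client appends one copy and
# each down-client removes one, so they persist while any client remains.
# Arguments: $1 - iptables operation, "-A" or "-D"
# Globals:   VPN_SUBNET (read)
# Returns:   1 when the egress interface cannot be determined
#######################################
manage_firewall() {
  local op=$1 iface
  iptables "$op" FORWARD -s "$VPN_SUBNET" -j ACCEPT 2>/dev/null || true
  # NOTE(review): only the client->world direction is accepted here. If the
  # FORWARD chain policy is DROP, replies need a matching rule for
  # -d "$VPN_SUBNET" with conntrack state ESTABLISHED,RELATED — confirm.
  iface=$(default_interface) || return 1
  iptables -t nat "$op" POSTROUTING -s "$VPN_SUBNET" -o "$iface" -j MASQUERADE 2>/dev/null || true
}

# Forwarding is needed in the steady state for every verb; re-enabling it is
# idempotent, so it runs unconditionally.
sysctl -w net.ipv4.ip_forward=1

case "${PLUTO_VERB}" in
  up-client)
    # PLUTO_PEER_CLIENT is only set when a virtual IP was assigned; default it
    # so "set -o nounset" does not abort the hook.
    printf 'VPN connected: %s, Client: %s\n' \
      "${PLUTO_CONNECTION}" "${PLUTO_PEER_CLIENT:-unknown}" >&2
    setup_xfrm_interface
    manage_firewall -A
    ;;
  down-client)
    printf 'VPN disconnected: %s\n' "${PLUTO_CONNECTION}" >&2
    # The pool route is deliberately kept: it is shared by every connected
    # client, and deleting it on the first disconnect would cut off the rest.
    manage_firewall -D
    ;;
  up-host)
    printf 'Host connection established: %s\n' "${PLUTO_CONNECTION}" >&2
    ;;
  down-host)
    printf 'Host connection terminated: %s\n' "${PLUTO_CONNECTION}" >&2
    ;;
  *)
    printf 'Unknown verb: %s\n' "${PLUTO_VERB}" >&2
    exit 1
    ;;
esac

exit 0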
- 启动服务并配置开机自启动
chmod +x /etc/strongswan/ipsec-updown.sh
systemctl enable strongswan --now
