
    Linux VPN server: one-key install of an IPsec/IKEv2 VPN server on CentOS/Ubuntu

    Date: 2016-01-08 16:44  Source: quericy Eden*'s blog  Author: Linux先生
    I spent some time turning the earlier full guide to building an IPsec/IKEv2 VPN server on Ubuntu and CentOS into a one-key install script. It works with Windows Phone, iOS, Android and PC clients; anyone who needs it is welcome to use it. I tested it on CentOS and it seems to work fine; I have no spare VPS at hand to try Ubuntu, but it should be much the same, so testing is welcome.

    VPN stands for "Virtual Private Network". A VPN uses specially encrypted communication protocols to connect over the Internet and establish a dedicated communication line between two or more internal networks in different locations. The functions it can provide include firewalling, authentication, encryption and tunneling.

    [Installation]


    Usage is simple:
    In one sentence: apart from choosing the right VPS type, just press Enter all the way through.

    Details:
    1. Download the script:

      wget https://raw.githubusercontent.com/quericy/one-key-ikev2-vpn/master/one-key-ikev2.sh

    2. Run it (if you want to use your own existing root certificate, name the private key ca.cert and the root certificate ca.cert.pem, put them in the same directory as the script and then run it; if you have no certificate, a self-signed one is generated automatically):

      chmod +x one-key-ikev2.sh
      bash one-key-ikev2.sh

    3. After part of the configuration runs automatically, choose the VPS type (OpenVZ, or Xen/KVM). A wrong choice means clients cannot connect, so check your server's type carefully. Enter the server IP or the domain bound to it (the server address used when connecting to the VPN must match this exactly), and the certificate details (C, O, CN). If you use your own root certificate, the C, O and CN values must match the root certificate; leaving a value empty uses the default value. After confirming the information, press any key to continue.

    4. Enter the PKCS#12 certificate password twice (it may be empty).
    5. When you see "install success", installation is complete. The default username and password are shown in yellow; you can change them in the file as the prompt indicates.

    6. Copy the certificate file ca.cert.pem from the prompt to the client, rename the extension to .cer and import it. iOS devices using IKEv1 do not need to import the certificate; instead they enter a shared secret when connecting, which is the PSK shown in yellow in the prompt.
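Step 5 says the default username and password can be changed in ipsec.secrets. The installer writes fixed placeholder values (myPSKkey, myXAUTHPass, myUserName/myUserPass) that every copy of the script shares, so they should be replaced before the server is exposed. The following is an added example, not part of the original post or of the quericy script: it rewrites ipsec.secrets with random secrets in the same layout the script's configure_secrets function uses and restricts the file to root. The file path and username are arguments; the default path /usr/local/etc/ipsec.secrets and the `ipsec rereadsecrets` command are the strongSwan ones the script installs.

```shell
#!/bin/sh
# Added example (not the installer's own code): replace the placeholder
# credentials in ipsec.secrets with random ones and lock the file down.
set -eu

# 36 hex characters (144 bits) from the kernel RNG; od is POSIX, unlike head -c.
random_secret() {
    od -An -N18 -tx1 /dev/urandom | tr -d ' \n'
}

# Write a fresh secrets file. Arguments: file, EAP username, server key file
# name (defaults to server.pem, which is what the installer copies into
# /usr/local/etc/ipsec.d/private). Prints "psk xauth_password eap_password"
# so the caller can show them once; they are not logged anywhere else.
write_secrets() {
    file="$1"; user="$2"; keyfile="${3:-server.pem}"
    psk=$(random_secret)
    xauth=$(random_secret)
    pass=$(random_secret)
    (
        umask 077          # create the file unreadable to other users
        cat > "$file" <<EOF
: RSA $keyfile
: PSK "$psk"
: XAUTH "$xauth"
$user %any : EAP "$pass"
EOF
    )
    chmod 600 "$file"      # also fixes an existing world-readable file
    echo "$psk $xauth $pass"
}

# True if the file still carries any of the installer's well-known defaults.
has_default_secrets() {
    grep -Eq 'myPSKkey|myXAUTHPass|myUserPass|myUserName' "$1"
}

# Usage: ./rotate-secrets.sh [/usr/local/etc/ipsec.secrets] [username]
# Runs only when a path is given, so sourcing the file has no side effects.
if [ -n "${1:-}" ]; then
    creds=$(write_secrets "$1" "${2:-vpnuser}")
    echo "new credentials (PSK, XAUTH password, EAP password): $creds"
    # strongSwan re-reads the file without dropping existing tunnels
    if command -v ipsec >/dev/null 2>&1; then
        ipsec rereadsecrets
    fi
fi
```

Hand the three values to the client owner out of band; the PSK is shared by every IKEv1/XAUTH client of this server, so it is the first one to rotate if a device is lost.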

    PS:

    After the server reboots, ipsec does not start automatically by default; add it to your startup yourself, or start it manually with:

      ipsec start

    Connected to the VPN but cannot reach the internet:

      vim /etc/sysctl.conf

    Set net.ipv4.ip_forward=1, save and close the file, then reload sysctl with:

      sysctl -p

    If errors are reported, reopen /etc/sysctl.conf, comment out the offending lines with #, save, and reload sysctl again until no errors remain.
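The two fixes above (enable forwarding, then comment out whatever keys `sysctl -p` rejects) are easy to get wrong by hand, for example by leaving a second `ip_forward = 0` line lower in the file that wins. As an added example, not from the original post, here they are as a small script that makes the change idempotent and automates the comment-out loop. It assumes the two GNU sysctl error formats quoted in the comments; other formats are simply not parsed, and the loop then stops with a failure instead of editing blindly.

```shell
#!/bin/sh
# Added example (not the installer's own code): persist ip_forward and
# recover from a sysctl.conf that names keys this kernel does not have.
set -eu

# Ensure "net.ipv4.ip_forward = 1" appears exactly once. Every existing
# ip_forward line, commented or not, is dropped first so no later line
# can override the value.
set_ip_forward() {
    conf="$1"
    tmp="$conf.tmp.$$"
    grep -v '^[[:space:]]*#*[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf" > "$tmp" || true
    echo 'net.ipv4.ip_forward = 1' >> "$tmp"
    mv "$tmp" "$conf"
}

# Comment out the given keys (the ones sysctl complained about).
comment_out_keys() {
    conf="$1"; shift
    for key in "$@"; do
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
        sed -i.bak "s/^[[:space:]]*\($esc[[:space:]]*=.*\)$/# \1/" "$conf"
        rm -f "$conf.bak"
    done
}

# Read sysctl's stderr on stdin and print one rejected key per line. Handles:
#   sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
#   sysctl: setting key "net.ipv4.tcp_foo": Invalid argument
keys_from_sysctl_errors() {
    sed -n \
        -e 's#^sysctl: cannot stat /proc/sys/\([^:]*\):.*#\1#p' \
        -e 's#^sysctl: setting key "\([^"]*\)".*#\1#p' | tr '/' '.'
}

# Reload the file, commenting out rejected keys, until it loads cleanly.
# Bounded so an unparsed error cannot loop forever.
apply_sysctl() {
    conf="$1"
    i=0
    while [ $i -lt 20 ]; do
        bad=$(sysctl -p "$conf" 2>&1 >/dev/null | keys_from_sysctl_errors)
        [ -z "$bad" ] && return 0
        echo "commenting out keys rejected by this kernel: $bad" >&2
        comment_out_keys "$conf" $bad
        i=$((i + 1))
    done
    echo "sysctl -p still fails after $i passes; inspect $conf by hand" >&2
    return 1
}

# Usage: ./fix-forwarding.sh /etc/sysctl.conf   (no-op when sourced without args)
if [ -n "${1:-}" ]; then
    set_ip_forward "$1"
    apply_sysctl "$1"
fi
```

Run it as root against /etc/sysctl.conf; the only lines it ever comments out are ones the kernel itself reported, so review stderr afterwards to see what was disabled.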

    PS2:

    The script source can be viewed and downloaded on GitHub:
    GitHub

    If you need a one-key IKEv2 install script for Debian, see magic282's script:
    https://github.com/magic282/One-Key-L2TP-IKEV2-Setup

    PS3:

    Bash script source


    #! /bin/bash
    PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
    export PATH
    #===============================================================================================
    #   System Required:  CentOS6.x (32bit/64bit) or Ubuntu
    #   Description:  Install IKEV2 VPN for CentOS and Ubuntu
    #   Author: quericy
    #   Intro:  http://quericy.me/blog/699
    #===============================================================================================

    clear
    echo "#############################################################"
    echo "# Install IKEV2 VPN for CentOS6.x (32bit/64bit) or Ubuntu"
    echo "# Intro: http://quericy.me/blog/699"
    echo "#"
    echo "# Author:quericy"
    echo "#"
    echo "#############################################################"
    echo ""

    # Install IKEV2: the steps run in this order
    function install_ikev2(){
        rootness
        disable_selinux
        get_my_ip
        get_system
        yum_install
        pre_install
        download_files
        setup_strongswan
        get_key
        configure_ipsec
        configure_strongswan
        configure_secrets
        iptables_set
        ipsec start
        success_info
    }

    # Make sure only root can run our script
    function rootness(){
        if [[ $EUID -ne 0 ]]; then
            echo "Error:This script must be run as root!" 1>&2
            exit 1
        fi
    }

    # Disable selinux (permanently in the config file and for the running system)
    function disable_selinux(){
        if [ -s /etc/selinux/config ] && grep 'SELINUX=enforcing' /etc/selinux/config; then
            sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
            setenforce 0
        fi
    }

    # Get the public IP address of the server (used as the default server address)
    function get_my_ip(){
        echo "Preparing, Please wait a moment..."
        IP=`curl -s checkip.dyndns.com | cut -d' ' -f 6  | cut -d'<' -f 1`
        # quoted so an empty result cannot break the test
        if [ -z "$IP" ]; then
            IP=`curl -s ifconfig.me/ip`
        fi
    }

    # Ubuntu or CentOS: system_str is "0" for CentOS and "1" for Ubuntu
    function get_system(){
        get_system_str=`cat /etc/issue`
        echo "$get_system_str" |grep -q "CentOS"
        if  [ $? -eq 0 ]
        then
            system_str="0"
        else
            echo "$get_system_str" |grep -q "Ubuntu"
            if [ $? -eq 0 ]
            then
                system_str="1"
            else
                echo "This Script must be running at the CentOS or Ubuntu!"
                exit 1
            fi
        fi
    }

    # Pre-installation settings: ask for VPS type, server address and cert subject
    function pre_install(){
        echo "#############################################################"
        echo "# Install IKEV2 VPN for CentOS6.x (32bit/64bit) or Ubuntu"
        echo "# Intro: http://quericy.me/blog/699"
        echo "#"
        echo "# Author:quericy"
        echo "#"
        echo "#############################################################"
        echo ""
        echo "please choose the type of your VPS(Xen、KVM: 1  ,  OpenVZ: 2):"
        read -p "your choice(1 or 2):" os_choice
        if [ "$os_choice" = "1" ]; then
            os="1"
            os_str="Xen、KVM"
        else
            if [ "$os_choice" = "2" ]; then
                os="2"
                os_str="OpenVZ"
            else
                echo "wrong choice!"
                exit 1
            fi
        fi
        echo "please input the ip (or domain) of your VPS:"
        read -p "ip or domain(default value:${IP}):" vps_ip
        if [ "$vps_ip" = "" ]; then
            vps_ip=$IP
        fi
        echo "please input the cert country(C):"
        read -p "C(default value:com):" my_cert_c
        if [ "$my_cert_c" = "" ]; then
            my_cert_c="com"
        fi
        echo "please input the cert organization(O):"
        read -p "O(default value:myvpn):" my_cert_o
        if [ "$my_cert_o" = "" ]; then
            my_cert_o="myvpn"
        fi
        echo "please input the cert common name(CN):"
        read -p "CN(default value:VPN CA):" my_cert_cn
        if [ "$my_cert_cn" = "" ]; then
            my_cert_cn="VPN CA"
        fi
        echo "####################################"
        # read a single key press without echo
        get_char(){
            SAVEDSTTY=`stty -g`
            stty -echo
            stty cbreak
            dd if=/dev/tty bs=1 count=1 2> /dev/null
            stty -raw
            stty echo
            stty $SAVEDSTTY
        }
        echo "Please confirm the information:"
        echo ""
        echo -e "the type of your server: [\033[32;1m$os_str\033[0m]"
        echo -e "the ip(or domain) of your server: [\033[32;1m$vps_ip\033[0m]"
        echo -e "the cert_info:[\033[32;1mC=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}\033[0m]"
        echo ""
        echo "Press any key to start...or Press Ctrl+C to cancel"
        char=`get_char`
        #Current folder
        cur_dir=`pwd`
        cd $cur_dir
    }

    #install necessary lib
    function yum_install(){
        if [ "$system_str" = "0" ]; then
            yum -y update
            yum -y install pam-devel openssl-devel make gcc
        else
            apt-get -y update
            apt-get -y install libpam0g-dev libssl-dev make gcc
        fi
    }

    # Download strongswan
    function download_files(){
        if [ -f strongswan.tar.gz ];then
            echo -e "strongswan.tar.gz [\033[32;1mfound\033[0m]"
        else
            if ! wget http://download.strongswan.org/strongswan.tar.gz;then
                echo "Failed to download strongswan.tar.gz"
                exit 1
            fi
        fi
        tar xzf strongswan.tar.gz
        if [ $? -eq 0 ];then
            cd $cur_dir/strongswan-*/
        else
            echo ""
            echo "Unzip strongswan.tar.gz failed! Please visit http://quericy.me/blog/699 and contact."
            exit 1
        fi
    }

    # configure and install strongswan
    # (OpenVZ has no kernel IPsec stack, so it additionally needs the userland kernel-libipsec backend)
    function setup_strongswan(){
        if [ "$os" = "1" ]; then
            ./configure  --enable-eap-identity --enable-eap-md5 \
            --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap  \
            --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap  \
            --enable-xauth-pam  --enable-dhcp  --enable-openssl  --enable-addrblock --enable-unity  \
            --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp
        else
            ./configure  --enable-eap-identity --enable-eap-md5 \
            --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap  \
            --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap  \
            --enable-xauth-pam  --enable-dhcp  --enable-openssl  --enable-addrblock --enable-unity  \
            --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec
        fi
        make; make install
    }

    # configure cert and key: reuse ca.pem/ca.cert.pem if present, otherwise self-sign a CA,
    # then issue a server cert (CN and SAN = server address) and a client cert
    function get_key(){
        cd $cur_dir
        if [ -f ca.pem ];then
            echo -e "ca.pem [\033[32;1mfound\033[0m]"
        else
            echo -e "ca.pem [\033[33;1mauto create\033[0m]"
            echo "auto create ca.pem ..."
            ipsec pki --gen --outform pem > ca.pem
        fi

        if [ -f ca.cert.pem ];then
            echo -e "ca.cert.pem [\033[32;1mfound\033[0m]"
        else
            echo -e "ca.cert.pem [\033[33;1mauto create\033[0m]"
            echo "auto create ca.cert.pem ..."
            ipsec pki --self --in ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}" --ca --outform pem >ca.cert.pem
        fi
        if [ ! -d my_key ];then
            mkdir my_key
        fi
        mv ca.pem my_key/ca.pem
        mv ca.cert.pem my_key/ca.cert.pem
        cd my_key
        ipsec pki --gen --outform pem > server.pem
        ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
            --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}" \
            --san="${vps_ip}" --flag serverAuth --flag ikeIntermediate \
            --outform pem > server.cert.pem
        ipsec pki --gen --outform pem > client.pem
        ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=VPN Client" --outform pem > client.cert.pem
        echo "configure the pkcs12 cert password(Can be empty):"
        openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "${my_cert_cn}"  -out client.cert.p12
        echo "####################################"
        get_char(){
            SAVEDSTTY=`stty -g`
            stty -echo
            stty cbreak
            dd if=/dev/tty bs=1 count=1 2> /dev/null
            stty -raw
            stty echo
            stty $SAVEDSTTY
        }
        echo "Press any key to install ikev2 VPN cert"
        char=`get_char`
        cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
        cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/
        cp -r server.pem /usr/local/etc/ipsec.d/private/
        cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/
        cp -r client.pem  /usr/local/etc/ipsec.d/private/
    }

    # configure the ipsec.conf
    # (section headers must start at column 0; parameter lines are indented)
    function configure_ipsec(){
        cat > /usr/local/etc/ipsec.conf<<-EOF
    config setup
        uniqueids=never

    conn iOS_cert
        keyexchange=ikev1
        fragmentation=yes
        left=%defaultroute
        leftauth=pubkey
        leftsubnet=0.0.0.0/0
        leftcert=server.cert.pem
        right=%any
        rightauth=pubkey
        rightauth2=xauth
        rightsourceip=10.31.2.0/24
        rightcert=client.cert.pem
        auto=add

    conn android_xauth_psk
        keyexchange=ikev1
        left=%defaultroute
        leftauth=psk
        leftsubnet=0.0.0.0/0
        right=%any
        rightauth=psk
        rightauth2=xauth
        rightsourceip=10.31.2.0/24
        auto=add

    conn networkmanager-strongswan
        keyexchange=ikev2
        left=%defaultroute
        leftauth=pubkey
        leftsubnet=0.0.0.0/0
        leftcert=server.cert.pem
        right=%any
        rightauth=pubkey
        rightsourceip=10.31.2.0/24
        rightcert=client.cert.pem
        auto=add

    conn windows7
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        rekey=no
        left=%defaultroute
        leftauth=pubkey
        leftsubnet=0.0.0.0/0
        leftcert=server.cert.pem
        right=%any
        rightauth=eap-mschapv2
        rightsourceip=10.31.2.0/24
        rightsendcert=never
        eap_identity=%any
        auto=add

    EOF
    }

    # configure the strongswan.conf
    function configure_strongswan(){
        cat > /usr/local/etc/strongswan.conf<<-EOF
    charon {
        load_modular = yes
        duplicheck.enable = no
        compress = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
        dns1 = 8.8.8.8
        dns2 = 8.8.4.4
        nbns1 = 8.8.8.8
        nbns2 = 8.8.4.4
    }
    include strongswan.d/*.conf
    EOF
    }

    # configure the ipsec.secrets (default credentials; change them after install)
    function configure_secrets(){
        cat > /usr/local/etc/ipsec.secrets<<-EOF
    : RSA server.pem
    : PSK "myPSKkey"
    : XAUTH "myXAUTHPass"
    myUserName %any : EAP "myUserPass"
    EOF
    }

    # iptables set: eth0 for Xen/KVM, venet0 for OpenVZ
    function iptables_set(){
        sysctl -w net.ipv4.ip_forward=1
        if [ "$os" = "1" ]; then
            iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
            iptables -A FORWARD -s 10.31.0.0/24  -j ACCEPT
            iptables -A FORWARD -s 10.31.1.0/24  -j ACCEPT
            iptables -A FORWARD -s 10.31.2.0/24  -j ACCEPT
            iptables -A INPUT -i eth0 -p esp -j ACCEPT
            iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
            iptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT
            iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
            iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
            iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
            iptables -A FORWARD -j REJECT
            iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o eth0 -j MASQUERADE
            iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o eth0 -j MASQUERADE
            iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE
        else
            iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
            iptables -A FORWARD -s 10.31.0.0/24  -j ACCEPT
            iptables -A FORWARD -s 10.31.1.0/24  -j ACCEPT
            iptables -A FORWARD -s 10.31.2.0/24  -j ACCEPT
            iptables -A INPUT -i venet0 -p esp -j ACCEPT
            iptables -A INPUT -i venet0 -p udp --dport 500 -j ACCEPT
            iptables -A INPUT -i venet0 -p tcp --dport 500 -j ACCEPT
            iptables -A INPUT -i venet0 -p udp --dport 4500 -j ACCEPT
            iptables -A INPUT -i venet0 -p udp --dport 1701 -j ACCEPT
            iptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT
            iptables -A FORWARD -j REJECT
            iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o venet0 -j MASQUERADE
            iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o venet0 -j MASQUERADE
            iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o venet0 -j MASQUERADE
        fi
        # persist the rules across reboots
        if [ "$system_str" = "0" ]; then
            service iptables save
        else
            iptables-save > /etc/iptables.rules
            cat > /etc/network/if-up.d/iptables<<EOF
    #!/bin/sh
    iptables-restore < /etc/iptables.rules
    EOF
            chmod +x /etc/network/if-up.d/iptables
        fi
    }

    # echo the success info
    function success_info(){
        echo "#############################################################"
        echo -e "#"
        echo -e "# [\033[32;1mInstall Successful\033[0m]"
        echo -e "# There is the default login info of your VPN"
        echo -e "# UserName:\033[33;1m myUserName\033[0m"
        echo -e "# PassWord:\033[33;1m myUserPass\033[0m"
        echo -e "# PSK:\033[33;1m myPSKkey\033[0m"
        echo -e "# you can change UserName and PassWord in\033[32;1m /usr/local/etc/ipsec.secrets\033[0m"
        echo -e "# you must copy the cert \033[32;1m ${cur_dir}/my_key/ca.cert.pem \033[0m to the client and install it."
        echo -e "#"
        echo -e "#############################################################"
        echo -e ""
    }

    # Initialization step
    install_ikev2
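The iptables_set function above hard-codes eth0 for Xen/KVM and venet0 for OpenVZ, so on a host whose egress interface is named differently (ens3, venet0:0, ...) the MASQUERADE rule never matches and clients get the "connected but no internet" symptom from the PS section. It also opens tcp/500, udp/1701 and tcp/1723, which IKE, NAT-T and ESP do not use (those are L2TP and PPTP ports). As an added example, not the script's own code, the functions below read the egress interface from the kernel's default route and emit only the rules an IKEv2 responder needs; the pool 10.31.2.0/24 is the one the script's ipsec.conf assigns, and the `ip` command is iproute2.

```shell
#!/bin/sh
# Added example (not the installer's own code): derive the egress interface
# instead of hard-coding eth0/venet0, and keep the exposed ports minimal.
set -eu

# Parse "ip -4 route show default" output on stdin and print the interface
# name. Handles both "default via 203.0.113.1 dev eth0 ..." and the
# OpenVZ form "default dev venet0 scope link".
default_iface_from() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

default_iface() {
    ip -4 route show default | default_iface_from
}

# Print the iptables commands for one interface and one client pool:
# IKE (udp/500), NAT-T (udp/4500) and ESP inbound, forwarding only for
# the pool plus reply traffic, and NAT for the pool out of that interface.
ikev2_rules() {
    iface="$1"; pool="$2"
    cat <<EOF
iptables -A INPUT -i $iface -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $iface -p esp -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $pool -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s $pool -o $iface -j MASQUERADE
EOF
}

# Usage: ./ikev2-firewall.sh show   (print the rules)
#        ./ikev2-firewall.sh apply  (run them, as root)
# Does nothing when sourced without an argument.
case "${1:-}" in
    show)
        iface=$(default_iface)
        [ -n "$iface" ] || { echo "no default route found" >&2; exit 1; }
        ikev2_rules "$iface" 10.31.2.0/24
        ;;
    apply)
        iface=$(default_iface)
        [ -n "$iface" ] || { echo "no default route found" >&2; exit 1; }
        ikev2_rules "$iface" 10.31.2.0/24 | sh -e
        ;;
esac
```

Run `show` first and compare the interface it picked with `ip addr`; if the VPS has several uplinks, pass the right one to ikev2_rules explicitly rather than trusting the default route.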
