Linux VPN服务器_重庆幸运农场开到晚上几点

时间:2016-01-08 16:44来源:quericy Eden*的博客 作者:Linux先生 举报 点击:
花了点时间将上次的Ubuntu、CentOS搭建IPSec/IKEv2 VPN服务器全攻略整理成了一份一键安装的脚本。适用于WindowsPhone,iOS,Android和PC设备。有需要的童鞋可以拿来食用~~~~CetnOS测试了下貌似没什么问题,重庆幸运农场开到晚上几点:Ubuntu的手里暂时没有空闲vps就没试了,其实也差不多的,欢迎测试

本文地址:http://www.kooct.com/install/soft/2016/0102/4279.html
文章摘要:Linux VPN服务器,公尺南昌起义当头一棒,性爱片锁匙扣诗圣。

VPN的英文全称是 “Virtual Private Network”,中文名叫“虚拟专用网络”。VPN可以通过特殊加密的通讯协议连接到Internet上,在位于不同地方的两个或多个内部网之间建立 一条专有的通讯线路。他能提供的功能包括:防火墙功能、认证、加密、隧道化等。

【安装】


用法很简单:
总结成一句话就是:除了类型要选对以外,其他的一路回车就好了

具体如下:
1.下载脚本:

  wget http://www.kooct.com/236/quericy/one-key-ikev2-vpn/master/one-key-ikev2.sh

2.运行(如果有需要使用自己已有的根证书,请将私钥命名为ca.cert,将根证书命名为ca.cert.pem,放到脚本的相同目录下再运行该脚本,没有证书的话将自动生成自签名证书咯):

  chmod +x one-key-ikev2.sh
  bash one-key-ikev2.sh

3.等待自动配置部分内容后,选择vps类型(OpenVZ还是Xen、KVM),选错将无法成功连接,请务必核实服务器的类型。输入服务器ip或者绑定的域名(连接vpn时服务器地址将需要与此保持一致),以及证书的相关信息(C,O,CN),使用自己的根证书的话,C,O,CN的值需要与根证书一致,为空将使用默认值(default value),确认无误后按任意键继续

4.输入两次pkcs12证书的密码(可以为空)
input_cert_password
5.看到install success字样即表示安装成功。默认用户名密码将以黄字显示,可根据提示自行修改文件中的用户名密码。

6.将提示信息中的证书文件ca.cert.pem拷贝到客户端,修改后缀名为.cer后导入。ios设备使用Ikev1无需导入证书,而是需要在连接时输入共享密钥,共享密钥即是提示信息中的黄字PSK.
ikev2_VPN_install

PS:

服务器重启后默认ipsec不会自启动,请自行添加,或使用命令手动开启:

  ipsec start

连上服务器后无法链接外网:

  vim /etc/sysctl.conf

修改net.ipv4.ip_forward=1后保存并关闭文件 然后使用以下指令刷新sysctl:

  sysctl -p

如遇报错信息,请重新打开/etc/syctl并将报错的那些代码用#号注释,保存后再刷新sysctl直至不会报错为止。

PS2:

脚本代码可访问github查看和下载:
GitHub

如需Debian系统的IKEV2一键安装脚本,可参考magic282童鞋的一键脚本:
http://www.kooct.com/345/magic282/One-Key-L2TP-IKEV2-Setup
 

PS3:

bash脚本源码


#! /bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#===============================================================================================
#   System Required:  CentOS6.x (32bit/64bit) or Ubuntu
#   Description:  Install IKEV2 VPN for CentOS and Ubuntu
#   Author: quericy
#   Intro:  http://www.kooct.com/227/blog/699
#===============================================================================================

clear
echo "#############################################################"
echo "# Install IKEV2 VPN for CentOS6.x (32bit/64bit) or Ubuntu"
echo "# Intro: http://www.kooct.com/157/blog/699"
echo "#"
echo "# Author:quericy"
echo "#"
echo "#############################################################"
echo ""

# Install IKEV2
function install_ikev2(){
rootness
disable_selinux
get_my_ip
get_system
yum_install
pre_install
download_files
setup_strongswan
get_key
configure_ipsec
configure_strongswan
configure_secrets
iptables_set
ipsec start
success_info
}

# Make sure only root can run our script
function rootness(){
if [[ $EUID -ne 0 ]]; then
echo "Error:This script must be run as root!" 1>&2
exit 1
fi
}

# Disable selinux
function disable_selinux(){
if [ -s /etc/selinux/config ] && grep 'SELINUX=enforcing' /etc/selinux/config; then
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
fi
}

# Get IP address of the server
function get_my_ip(){
echo "Preparing, Please wait a moment..."
IP=`curl -s checkip.dyndns.com | cut -d' ' -f 6  | cut -d'<' -f 1`
if [ -z $IP ]; then
IP=`curl -s ifconfig.me/ip`
fi
}

# Ubuntu or CentOS
function get_system(){
get_system_str=`cat /etc/issue`
echo "$get_system_str" |grep -q "CentOS"
if  [ $? -eq 0 ]
then
system_str="0"
else
echo "$get_system_str" |grep -q "Ubuntu"
if [ $? -eq 0 ]
then
system_str="1"
else
echo "This Script must be running at the CentOS or Ubuntu!"
exit 1
fi
fi

}

# Pre-installation settings
function pre_install(){
echo "#############################################################"
echo "# Install IKEV2 VPN for CentOS6.x (32bit/64bit) or Ubuntu"
echo "# Intro: http://www.kooct.com/988/blog/699"
echo "#"
echo "# Author:quericy"
echo "#"
echo "#############################################################"
echo ""
echo "please choose the type of your VPS(Xen、KVM: 1  ,  OpenVZ: 2):"
read -p "your choice(1 or 2):" os_choice
if [ "$os_choice" = "1" ]; then
os="1"
os_str="Xen、KVM"
else
if [ "$os_choice" = "2" ]; then
os="2"
os_str="OpenVZ"
else
echo "wrong choice!"
exit 1
fi
fi
echo "please input the ip (or domain) of your VPS:"
read -p "ip or domain(default_vale:${IP}):" vps_ip
if [ "$vps_ip" = "" ]; then
vps_ip=$IP
fi
echo "please input the cert country(C):"
read -p "C(default value:com):" my_cert_c
if [ "$my_cert_c" = "" ]; then
my_cert_c="com"
fi
echo "please input the cert organization(O):"
read -p "O(default value:myvpn):" my_cert_o
if [ "$my_cert_o" = "" ]; then
my_cert_o="myvpn"
fi
echo "please input the cert common name(CN):"
read -p "CN(default value:VPN CA):" my_cert_cn
if [ "$my_cert_cn" = "" ]; then
my_cert_cn="VPN CA"
fi
echo "####################################"
get_char(){
SAVEDSTTY=`stty -g`
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2> /dev/null
stty -raw
stty echo
stty $SAVEDSTTY
}
echo "Please confirm the information:"
echo ""
echo -e "the type of your server: [\033[32;1m$os_str\033[0m]"
echo -e "the ip(or domain) of your server: [\033[32;1m$vps_ip\033[0m]"
echo -e "the cert_info:[\033[32;1mC=${my_cert_c}, O=${my_cert_o}\033[0m]"
echo ""
echo "Press any key to start...or Press Ctrl+C to cancel"
char=`get_char`
#Current folder
cur_dir=`pwd`
cd $cur_dir
}

#install necessary lib
function yum_install(){
if [ "$system_str" = "0" ]; then
yum -y update
yum -y install pam-devel openssl-devel make gcc
else
apt-get -y update
apt-get -y install libpam0g-dev libssl-dev make gcc
fi
}

# Download strongswan
function download_files(){
if [ -f strongswan.tar.gz ];then
echo -e "strongswan.tar.gz [\033[32;1mfound\033[0m]"
else
if ! wget http://www.kooct.com/626/strongswan.tar.gz;then
echo "Failed to download strongswan.tar.gz"
exit 1
fi
fi
tar xzf strongswan.tar.gz
if [ $? -eq 0 ];then
cd $cur_dir/strongswan-*/
else
echo ""
echo "Unzip strongswan.tar.gz failed! Please visit http://www.kooct.com/981/blog/699 and contact."
exit 1
fi
}

# configure and install strongswan
function setup_strongswan(){
if [ "$os" = "1" ]; then
./configure  --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap  \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap  \
--enable-xauth-pam  --enable-dhcp  --enable-openssl  --enable-addrblock --enable-unity  \
--enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp

else
./configure  --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap  \
--enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap  \
--enable-xauth-pam  --enable-dhcp  --enable-openssl  --enable-addrblock --enable-unity  \
--enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec

fi
make; make install
}

# configure cert and key
function get_key(){
cd $cur_dir
if [ -f ca.pem ];then
echo -e "ca.pem [\033[32;1mfound\033[0m]"
else
echo -e "ca.pem [\033[32;1mauto create\032[0m]"
echo "auto create ca.pem ..."
ipsec pki --gen --outform pem > ca.pem
fi

if [ -f ca.cert.pem ];then
echo -e "ca.cert.pem [\033[32;1mfound\033[0m]"
else
echo -e "ca.cert.pem [\032[33;1mauto create\032[0m]"
echo "auto create ca.cert.pem ..."
ipsec pki --self --in ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${my_cert_cn}" --ca --outform pem >ca.cert.pem
fi
if [ ! -d my_key ];then
mkdir my_key
fi
mv ca.pem my_key/ca.pem
mv ca.cert.pem my_key/ca.cert.pem
cd my_key
ipsec pki --gen --outform pem > server.pem
ipsec pki --pub --in server.pem | ipsec pki --issue --cacert ca.cert.pem \
--cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=${vps_ip}" \
--san="${vps_ip}" --flag serverAuth --flag ikeIntermediate \
--outform pem > server.cert.pem
ipsec pki --gen --outform pem > client.pem
ipsec pki --pub --in client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=${my_cert_c}, O=${my_cert_o}, CN=VPN Client" --outform pem > client.cert.pem
echo "configure the pkcs12 cert password(Can be empty):"
openssl pkcs12 -export -inkey client.pem -in client.cert.pem -name "client" -certfile ca.cert.pem -caname "${my_cert_cn}"  -out client.cert.p12
echo "####################################"
get_char(){
SAVEDSTTY=`stty -g`
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2> /dev/null
stty -raw
stty echo
stty $SAVEDSTTY
}
echo "Press any key to install ikev2 VPN cert"
cp -r ca.cert.pem /usr/local/etc/ipsec.d/cacerts/
cp -r server.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r server.pem /usr/local/etc/ipsec.d/private/
cp -r client.cert.pem /usr/local/etc/ipsec.d/certs/
cp -r client.pem  /usr/local/etc/ipsec.d/private/

}

# configure the ipsec.conf
function configure_ipsec(){
 cat > /usr/local/etc/ipsec.conf<<-EOF
config setup
uniqueids=never

conn iOS_cert
keyexchange=ikev1
fragmentation=yes
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightauth2=xauth
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
auto=add

conn android_xauth_psk
keyexchange=ikev1
left=%defaultroute
leftauth=psk
leftsubnet=0.0.0.0/0
right=%any
rightauth=psk
rightauth2=xauth
rightsourceip=10.31.2.0/24
auto=add

conn networkmanager-strongswan
keyexchange=ikev2
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=pubkey
rightsourceip=10.31.2.0/24
rightcert=client.cert.pem
auto=add

conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
left=%defaultroute
leftauth=pubkey
leftsubnet=0.0.0.0/0
leftcert=server.cert.pem
right=%any
rightauth=eap-mschapv2
rightsourceip=10.31.2.0/24
rightsendcert=never
eap_identity=%any
auto=add

EOF
}

# configure the strongswan.conf
function configure_strongswan(){
 cat > /usr/local/etc/strongswan.conf<<-EOF
 charon {
load_modular = yes
duplicheck.enable = no
compress = yes
plugins {
include strongswan.d/charon/*.conf
}
dns1 = 8.8.8.8
dns2 = 8.8.4.4
nbns1 = 8.8.8.8
nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
EOF
}

# configure the ipsec.secrets
function configure_secrets(){
cat > /usr/local/etc/ipsec.secrets<<-EOF
: RSA server.pem
: PSK "myPSKkey"
: XAUTH "myXAUTHPass"
myUserName %any : EAP "myUserPass"
EOF
}

# iptables set
function iptables_set(){
sysctl -w net.ipv4.ip_forward=1
if [ "$os" = "1" ]; then
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24  -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24  -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24  -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE
else
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.31.0.0/24  -j ACCEPT
iptables -A FORWARD -s 10.31.1.0/24  -j ACCEPT
iptables -A FORWARD -s 10.31.2.0/24  -j ACCEPT
iptables -A INPUT -i venet0 -p esp -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.31.0.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.1.0/24 -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o venet0 -j MASQUERADE
fi
if [ "$system_str" = "0" ]; then
service iptables save
else
iptables-save > /etc/iptables.rules
cat > /etc/network/if-up.d/iptables<<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables
fi
}

# echo the success info
function success_info(){
echo "#############################################################"
echo -e "#"
echo -e "# [\033[32;1mInstall Successful\033[0m]"
echo -e "# There is the default login info of your VPN"
echo -e "# UserName:\033[33;1m myUserName\033[0m"
echo -e "# PassWord:\033[33;1m myUserPass\033[0m"
echo -e "# PSK:\033[33;1m myPSKkey\033[0m"
echo -e "# you can change UserName and PassWord in\033[32;1m /usr/local/etc/ipsec.secrets\033[0m"
echo -e "# you must copy the cert \033[32;1m ${cur_dir}/my_key/ca.cert.pem \033[0m to the client and install it."
echo -e "#"
echo -e "#############################################################"
echo -e ""
}

# Initialization step
install_ikev2

 

推荐内容
qq农场守护者哪里买 幸运农场走势 时时彩投注技巧包赢 幸运农场三连中秘籍 幸运农场胆拖
3d杀号技巧 幸运农场有技巧没 幸运农场logo 时时彩幸运农场攻略 重庆彩票幸运农场开奖结果走势图百度
开心农场游戏机报价 幸运农场开 重庆时时彩现场直播 重庆幸运农场15码 排列3和值走势图
幸运农场app 重庆幸运农场网上投注 重庆时时彩开奖号码 幸运飞艇全天计划 渝彩幸运农场
大乐透开奖结果直播 世界杯外围投注 赌博默示录电影版 快乐12走势图 快3开奖直播
七星彩彩票论坛 百家乐开户 北京快乐8官网 江苏11选5开奖爱彩人 平刷王北京赛车官网
天才麻将少女全国篇 德州扑克玩法 j江西11选5走势图 充气仿真娃娃多少钱 香港六合彩图库资料
南国彩票七星彩图规 北京赛车pk10官网 捕鱼游戏下载 排列5杀号定胆 七乐彩走势图带坐标