Code Monkey home page Code Monkey logo

openconnect-chnroutes-setup's Introduction

Openconnect + chnroutes + ChinaDNS + Dnsmasq 实现家庭所有设备区分国内外IP翻墙

环境

国外VPS:Ubuntu 16.04。家里一台双网口的Ubuntu 16.04作为网关,下连交换机和无线AP。

配置国外VPS

安装ocserv (OpenConnect VPN Server)

下载ocserv

地址: http://www.infradead.org/ocserv/download.html

ocserv-0.11.6有bug编译不了.

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.11.5.tar.xz
tar xvf ocserv-0.11.5.tar.xz
cd ocserv-0.11.5

安装依赖包

sudo apt-get install build-essential libgnutls28-dev libev-dev libwrap0-dev libpam0g-dev liblz4-dev libseccomp-dev libreadline-dev libnl-route-3-dev libkrb5-dev liboath-dev

编译 & 安装

./configure
make
sudo make install

检查

ocserv -v

能输出版本信息就OK

制作证书

安装所需工具

sudo apt-get install gnutls-bin

建个文件夹用来存放文件

mkdir cert
cd cert

生成的文件以后重装也会用到,可以保存一下,就不用重新做了。

创建CA证书

生成CA密钥:

certtool --generate-privkey --outfile ca-key.pem

新建CA证书模板文件ca.tmpl,填写如下内容,其中cnorganization替换为自己喜欢的名字:

cn = "My Company CA"
organization = "My Company"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key

生成CA证书:

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

创建服务器证书

生成服务器证书密钥:

certtool --generate-privkey --outfile server-key.pem

创建服务器证书模板文件server.tmpl,填写如下内容,这里的cn必须填写之后连接VPN时使用的域名或IP,organization替换为自己喜欢的名字:

cn = "123.123.123.123"
organization = "My Company"
expiration_days = -1
signing_key
encryption_key
tls_www_server

生成服务器证书:

certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

配置ocserv

创建配置文件夹:

sudo mkdir /etc/ocserv

复制server-key.pem和server-cert.pem到配置文件夹:

cp server-key.pem /etc/ocserv/
cp server-cert.pem /etc/ocserv/

回到解压的文件夹,复制一份配置文件样本:

sudo cp doc/sample.config /etc/ocserv/ocserv.conf

创建VPN账号:

sudo ocpasswd USER_NAME

USER_NAME替换为自己要的名字. 命令行提示输入密码并确认密码.

然后修改配置文件/etc/ocserv/ocserv.conf以下参数:

auth = "plain[passwd=/etc/ocserv/ocpasswd]"

# 服务器监听的TCP端口
tcp-port = 4433

# 关闭UDP端口
#udp-port = 443

try-mtu-discovery = true

server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

dns = 8.8.8.8
dns = 8.8.4.4

# 注释掉所有的route
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0

cisco-client-compat = true

配置IP转发

修改/etc/sysctl.conf:

net.ipv4.ip_forward = 1

执行此命令使它立即生效:

sysctl -w net.ipv4.ip_forward=1

修改iptables:

sudo iptables -t nat -A POSTROUTING -j MASQUERADE

编辑/etc/rc.local, 在exit 0上面插入:

iptables-restore < /etc/iptables.rules

配置家里作为网关的Ubuntu

配置dnsmasq

安装dnsmasq:

sudo apt-get install dnsmasq

修改 /etc/dnsmasq.conf以下参数:

no-resolv
server=114.114.114.114
dhcp-range=192.168.0.50,192.168.0.150,12h

配置网卡参数

主机上需要用两张网卡, 一张连接外网的网卡, 和一张作为内网网关的网卡. 执行:

ifconfig

从IP地址可以判断哪张是外网网卡, 哪张是内网网卡. 外网网卡的IP地址是由上级路由器(运营商网关等)分配的, 剩下那张就是内网网卡.

假设内网网卡名字为enp2s1, 我们在/etc/network/interfaces加入它的配置:

auto enp2s1
iface enp2s1 inet static
address 192.168.0.1
netmask 255.255.255.0

重启网卡以生效:

sudo ifdown enp2s1
sudo ifup enp2s1

配置IP转发

修改/etc/sysctl.conf:

net.ipv4.ip_forward = 1

执行此命令使它立即生效:

sysctl -w net.ipv4.ip_forward=1

修改iptables:

sudo iptables -t nat -A POSTROUTING -j MASQUERADE

编辑/etc/rc.local, 在exit 0上面插入:

iptables-restore < /etc/iptables.rules

配置ChinaDNS

https://github.com/shadowsocks/ChinaDNS/releases 下载最新版

wget https://github.com/shadowsocks/ChinaDNS/releases/download/1.3.2/chinadns-1.3.2.tar.gz

解压 & 编译 & 安装:

tar xvf chinadns-1.3.2.tar.gz
cd chinadns-1.3.2
./configure
make

拷贝默认配置文件:

sudo mkdir /usr/local/chinadns
sudo cp src/chinadns /usr/local/chinadns/

获取最新的**IP列表:

curl 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | grep ipv4 | grep CN | awk -F\| '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > chnroutes.txt
sudo cp chnroutes.txt /usr/local/chinadns/

根据IP生成路由规则:

sudo sed -r -e 's;.+;ip route add & via 192.168.1.1;' -e '1s;^;#!/bin/sh\n;' chnroutes.txt | sudo tee /usr/local/bin/chnroutes > /dev/null
sudo chmod u+x,g+x /usr/local/bin/chnroutes

启动chinadns:

/usr/local/chinadns/chinadns -m -c /usr/local/chinadns/chnroutes.txt -p 5333 -s 114.114.114.114,8.8.8.8

配置Openconnect客户端

安装vpnc-script

地址: http://www.infradead.org/openconnect/vpnc-script.html

wget http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script
sudo mkdir /etc/vpnc
sudo cp vpnc-script /etc/vpnc/
sudo chmod u+x,g+x /etc/vpnc/vpnc-script

安装openconnect

地址: http://www.infradead.org/openconnect/download.html

下载 & 解压:

wget ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz
tar xvf openconnect-7.08.tar.gz
cd openconnect-7.08

安装依赖:

sudo apt-get install libgnutls28-dev libxml2-dev

编译 & 安装:

sudo ./configure
sudo make
sudo make install
sudo ldconfig

创建文件/usr/local/bin/openconnect-start:

# copy openconnect-start to /usr/local/bin/openconnect-start
# copy rc.local to /etc/rc.local

openconnect-chnroutes-setup's People

Stargazers

Yanqing Wang avatar haruka.moe avatar avatar Felix Lu avatar avatar avatar Minjun avatar Keven Fesperman avatar avatar Minjin Chen avatar avatar Mbitz avatar NT Pte Ltd avatar trulyliu avatar pipman avatar

Watchers

James Cloos avatar pipman avatar Fengming Jiang avatar avatar

Forkers

xyz12810 hcm82 superxp wayneshow ssrv2ray vbkbmqj

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.