利用libreswan+V2Ray实现科学上网
实验背景
在云主机中(阿里云、腾讯云等),大陆地区的机器是无法科学上网的,并且好多优秀的网站、工具等无法访问或者下载速度很慢,例如下载github上的一些资源,我们可以购买VPS(例如Vultr)或者香港等地区的主机,再配合一些软件就可以实现科学上网了
我们可以使用 libreswan 搭建 ipssec
隧道实现不通地域主机内网互通,然后使用 V2Ray
作为代理工具实现科学上网
实验环境
区域 | 公网IP | 内网IP段 | 内网IP | 系统 | 内核版本 |
---|---|---|---|---|---|
北京 | 81.70.22.232 | 172.31.0.0/24 | 172.31.0.3 | CentOS7.9 | 3.10.0-1160.45.1.el7.x86_64 |
香港 | 129.226.167.89 | 10.0.0.0/24 | 10.0.0.17 | CentOS7.9 | 3.10.0-1160.45.1.el7.x86_64 |
1.安装配置libreswan
1.0 编辑环境变量文件
北京、香港区服务器操做
# 编辑文件
cat > /opt/wall_env << EOF
BJ_PUBLIC_IP=81.70.22.232
BJ_PRIVATE_IP=172.31.0.3
BJ_IP_SUBNET=172.31.0.0/24
HK_PUBLIC_IP=129.226.167.89
HK_PRIVATE_IP=10.0.0.17
HK_IP_SUBNET=10.0.0.0/24
EOF
# 加载环境变量
source /opt/wall_env
1.1 安装依赖包
北京、香港区服务器操做
yum -y install audit-libs-devel bison curl-devel fipscheck-devel flex gcc ldns-devel libcap-ng-devel libevent-devel libseccomp-devel libselinux-devel make nspr-devel nss-devel pam-devel pkgconfig systemd-devel unbound-devel xmlto
1.2 安装libreswan
北京、香港区服务器操做
yum -y install libreswan
1.3 配置内核参数
北京、香港区服务器操做
# 开启路由转发
sed -i '/^net.ipv4.ip_forward/d' /etc/sysctl.conf
cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
EOF
# 使配置生效
sysctl -p
1.4 启动ipsec
systemctl start ipsec && systemctl enable ipsec
查看状态
$ systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-03-29 10:38:39 CST; 14s ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Main PID: 6483 (pluto)
Status: "Startup completed."
CGroup: /system.slice/ipsec.service
└─6483 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Mar 29 10:38:39 hk pluto[6483]: adding interface lo/lo 127.0.0.1:500
Mar 29 10:38:39 hk pluto[6483]: adding interface lo/lo 127.0.0.1:4500
Mar 29 10:38:39 hk pluto[6483]: adding interface lo/lo ::1:500
Mar 29 10:38:39 hk pluto[6483]: | setup callback for interface lo:500 fd 19
Mar 29 10:38:39 hk pluto[6483]: | setup callback for interface lo:4500 fd 18
Mar 29 10:38:39 hk pluto[6483]: | setup callback for interface lo:500 fd 17
Mar 29 10:38:39 hk pluto[6483]: | setup callback for interface eth0:4500 fd 16
Mar 29 10:38:39 hk pluto[6483]: | setup callback for interface eth0:500 fd 15
Mar 29 10:38:39 hk pluto[6483]: loading secrets from "/etc/ipsec.secrets"
Mar 29 10:38:39 hk pluto[6483]: no secrets filename matched "/etc/ipsec.d/*.secrets"
1.5 防火墙配置
香港区服务器操作
防火墙策略开放 udp 500 和 udp 4500 端口,允许北京区主机公网IP访问
1.6 验证端口连通性
北京区服务器操作
$ nmap -sU 2.2.2.2 -p 500,4500 -Pn
Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-20 21:32 CST
Nmap scan report for 2.2.2.2
Host is up.
PORT STATE SERVICE
500/udp open|filtered isakmp
4500/udp open|filtered nat-t-ike
Nmap done: 1 IP address (1 host up) scanned in 3.17 seconds
1.7 配置预共享密钥
北京、香港区服务器操做
/etc/ipsec.secrets
配置文件中有 include /etc/ipsec.d/*.secrets
,因此我们在 /etc/ipsec.d
目录下新建 *.secrets
文件
$ cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
新建 /etc/ipsec.d/vm.secrets
cat > /etc/ipsec.d/vm.secrets << EOF
# 源ip 目的ip : PSK "key"
0.0.0.0 0.0.0.0 : PSK "baidu666com"
EOF
1.8 配置ipsec连接
/etc/ipsec.conf
配置文件中有 include /etc/ipsec.d/*.conf
,因此我们在 /etc/ipsec.d
目录下新建 *.conf
文件,同时 /etc/ipsec.conf
文件中有详细的示例说明
1.8.1 配置香港区服务器
Libreswan 不使用术语 source
或 destination
。相反,它用术语 left
和 right
来代指终端(主机)。虽然大多数管理员用 left
表示本地主机,right
表示远程主机,但是这样可以在大多数情况下在两个终端上使用相同的配置。
由于我们的服务器使用的是vpc网络,采用静态nat的形式,在配置 left
和 right
时,本端的ip需要使用内网ip或 %defaultroute
。left
和 right
是两端的ip地址,而 leftid
和 rightid
为代号id。
这里我们指定北京区为 left
、香港区为 right
cat > /etc/ipsec.d/vm.conf << EOF
conn bj-vm-hk
authby=secret # 指定认证类型预共享秘钥
ike=3des-sha1 # 指定ike算法为3des-sha1
keyexchange=ike # 指定ike
phase2=esp
phase2alg=3des-sha1
compress=no # 指定是否压缩
pfs=yes # 指定是否加密
auto=start # 指定连接添加类型。start为开机自启,add为添加不主动连接
type=tunnel # 指定模式类型为隧道模式|传输模式
left=%any # 允许哪些IP可以访问!!!
leftsubnets={$BJ_IP_SUBNET} # 北京区主机内网IP段
leftid=%any
leftnexthop=%defaultroute
right=$HK_PRIVATE_IP # 这里要指定香港区主机内网IP
rightsubnets={$HK_IP_SUBNET} # 这里要指定香港区主机内网IP段
rightid=%any # 经验证,这里只能写%any、公网IP、@east或@west
rightnexthop=%defaultroute
EOF
1.8.2 配置北京区服务器
Libreswan 不使用术语 source
或 destination
。相反,它用术语 left
和 right
来代指终端(主机)。虽然大多数管理员用 left
表示本地主机,right
表示远程主机,但是这样可以在大多数情况下在两个终端上使用相同的配置。
由于我们的服务器使用的是vpc网络,采用静态nat的形式,在配置 left
和 right
时,本端的ip需要使用内网ip或 %defaultroute
。left
和 right
是两端的ip地址,而 leftid
和 rightid
为代号id。
这里我们指定香港区为本端机器,北京区为对端机器,即香港区为 left
、 北京区为 right
cat > /etc/ipsec.d/vm.conf << EOF
conn bj-vm-hk
authby=secret # 指定认证类型预共享秘钥
ike=3des-sha1 # 指定ike算法为3des-sha1
keyexchange=ike # 指定ike
phase2=esp
phase2alg=3des-sha1
compress=no # 指定是否压缩
pfs=yes # 指定是否加密
auto=start # 指定连接添加类型。start为开机自启,add为添加不主动连接
type=tunnel # 指定模式类型为隧道模式|传输模式
left=$BJ_PRIVATE_IP # 这里必须是北京区主机本机内网IP!!!
leftsubnets={$BJ_IP_SUBNET} # 北京区主机内网IP段
leftid=%any
leftnexthop=%defaultroute
right=$HK_PUBLIC_IP # 这里要指定香港区主机公网IP
rightsubnets={$HK_IP_SUBNET} # 这里要指定香港区主机内网IP段
rightid=%any # 经验 证,这里只能写%any、公网IP、@east或@west
rightnexthop=%defaultroute
EOF
1.8.3 开启ipsec日志
北京、香港区服务器操做
这里需要编辑
/etc/ipsec.conf
把日志打开,默认日志路径为/var/log/pluto.log
sed -i 's/#logfile=/logfile=/' /etc/ipsec.conf
1.8.4 重启ipsec
北京、香港区服务器操做
systemctl restart ipsec
1.8.5 验证
1.8.5.1 两端互ping
北京区服务器ping香港区服务器
$ ping -c2 $HK_PRIVATE_IP
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=46.6 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=46.6 ms
--- 10.0.0.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 46.648/46.666/46.685/0.216 ms
香港区服务器ping北京区服务器
$ ping -c2 $BJ_PRIVATE_IP
PING 172.31.0.14 (172.31.0.14) 56(84) bytes of data.
64 bytes from 172.31.0.14: icmp_seq=1 ttl=64 time=46.5 ms
64 bytes from 172.31.0.14: icmp_seq=2 ttl=64 time=46.6 ms
--- 172.31.0.14 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 46.586/46.618/46.650/0.032 ms
1.8.5.2 查看ipsec状态
提示如下即为成功
$ systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2022-03-23 21:00:37 CST; 4s ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 6246 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
Process: 6243 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
Process: 6240 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
Process: 6227 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
Process: 6521 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
Process: 6518 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
Process: 6256 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 6254 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Main PID: 6534 (pluto)
Status: "Startup completed."
CGroup: /system.slice/ipsec.service
└─6534 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Mar 23 21:00:37 hk systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Mar 23 21:00:37 hk ipsec[6521]: nflog ipsec capture disabled
Mar 23 21:00:37 hk systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
1.8.5.3 查看日志
查看日志 /var/log/pluto.log
,有包的发送以及返回即为 正确
Mar 23 21:00:37.774360: "bj-vm-hk/1x1"[1] 42.193.112.127 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 23 21:00:37.825502: "bj-vm-hk/1x1"[1] 42.193.112.127 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 23 21:00:37.875013: "bj-vm-hk/1x1"[1] 42.193.112.127 #1: Peer ID is ID_IPV4_ADDR: '172.31.0.14'
Mar 23 21:00:37.875269: "bj-vm-hk/1x1"[1] 42.193.112.127 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP2048}
Mar 23 21:00:37.923920: "bj-vm-hk/1x1"[1] 42.193.112.127 #1: the peer proposed: 10.0.0.0/24:0/0 -> 172.31.0.0/24:0/0
Mar 23 21:00:37.926134: "bj-vm-hk/1x1"[1] 42.193.112.127 #2: responding to Quick Mode proposal {msgid:4323d821}
Mar 23 21:00:37.926162: "bj-vm-hk/1x1"[1] 42.193.112.127 #2: us: 10.0.0.0/24===10.0.0.3<10.0.0.3>[43.154.53.42]
Mar 23 21:00:37.926169: "bj-vm-hk/1x1"[1] 42.193.112.127 #2: them: 42.193.112.127===172.31.0.0/24
Mar 23 21:00:37.926600: "bj-vm-hk/1x1"[1] 42.193.112.127 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x33ba4428 <0xf89429e6 xfrm=3DES_CBC_0-HMAC_SHA1_96 NATOA=none NATD=42.193.112.127:4500 DPD=passive}
Mar 23 21:00:38.020561: "bj-vm-hk/1x1"[1] 42.193.112.127 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x33ba4428 <0xf89429e6 xfrm=3DES_CBC_0-HMAC_SHA1_96 NATOA=none NATD=42.193.112.127:4500 DPD=passive}
1.8.5.4 查看连接情况
可以执行命令 ipsec auto --status
查看连接情况
000 "bj-vm-hk/1x1"[1]: IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP2048, 3DES_CBC-HMAC_SHA1-MODP1536
000 "bj-vm-hk/1x1"[1]: IKE algorithm newest: 3DES_CBC_192-HMAC_SHA1-MODP2048
000 "bj-vm-hk/1x1"[1]: ESP algorithms: 3DES_CBC-HMAC_SHA1_96
000 "bj-vm-hk/1x1"[1]: ESP algorithm newest: 3DES_CBC_000-HMAC_SHA1_96; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 2, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #1: "bj-vm-hk/1x1"[1] 42.193.112.127:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3143s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "bj-vm-hk/1x1"[1] 42.193.112.127:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28343s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "bj-vm-hk/1x1"[1] 42.193.112.127 esp.33ba4428@42.193.112.127 esp.f89429e6@10.0.0.3 tun.0@42.193.112.127 tun.0@10.0.0.3 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000
000 Bare Shunt list:
000