One-click IKEv2 VPN server setup

Preface

About six years ago I wrote a blog post recording how to use a script to build an IPsec VPN server based on strongSwan. Times have changed, and the VPN built by that script no longer works: clients can log in to the VPN successfully but cannot reach the internet.

Having learned that lesson, I wrote a new script that builds an IKEv2 VPN server, following How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 22.04.

Now to the main text.

Building the IKEv2 VPN server

You first need a virtual host with Ubuntu 22.04 installed; every step below was verified on that system. How to obtain a virtual host is outside the scope of this article.

Run the following commands in order and follow the prompts to install the strongSwan server and add a VPN account.

$ cd ~
$ wget https://raw.githubusercontent.com/kamidox/One-Key-L2TP-IKEV2-Setup/master/IKEv2_setup.sh
$ sudo chmod a+x IKEv2_setup.sh
$ sudo ./IKEv2_setup.sh

When you see the prompt below, choose 1 first to install the software, then choose 2 to add a username and password. Step 1 installs the software and also completes the strongSwan configuration and the firewall configuration automatically. Since the script runs as root, it is worth opening it and reading exactly what it does before you execute it.

echo "#################################"
echo "What do you want to do:"
echo "1) Setup IKEv2 server"
echo "2) Add an account"
echo "#################################"

Verifying the VPN server

There are two main steps: first, install the VPN server's CA certificate on the client; second, create the VPN connection.

See Step 7 — Testing the VPN Connection on Windows, macOS, Ubuntu, iOS, and Android

In brief:

On the server, run the following command to display the CA certificate:

cat /etc/ipsec.d/cacerts/ca-cert.pem

-----BEGIN CERTIFICATE-----
MIIFNDCCAxygAwIBAgIIHCsidG5mXzgwDQYJKoZIhvcNAQEMBQAwODELMAkGA1UE

. . .

H2YUdz8XNHrJHvMQKWFpi0rlEcMs+MSXPFWE3Q7UbaZJ/h8wpSldSUbQRUlphExJ
dJ4PX+MUJO/vjG1/ie6Kh25xbBAc3qNq8siiJZDwrg6vjEK7eiZ1rA==
-----END CERTIFICATE-----

Save the certificate contents (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) as a .pem file on the client machine, then install the certificate by following the steps below.

Connecting from macOS

Follow these steps to import the certificate:

  • Double-click the certificate file. Keychain Access will pop up with a dialog that says “Keychain Access is trying to modify the system keychain. Enter your password to allow this.”
  • Enter your password, then click on Modify Keychain
  • Double-click the newly imported VPN certificate. This brings up a small properties window where you can specify the trust levels. Set IP Security (IPSec) to Always Trust and you’ll be prompted for your password again. This setting saves automatically after entering the password.

Now that the certificate is imported and trusted, configure the VPN connection with these steps:

  • Go to System Preferences and choose Network.
  • Click on the small “plus” button on the lower-left of the list of networks.
  • In the popup that appears, set Interface to VPN, set the VPN Type to IKEv2, and give the connection a name.
  • In the Server and Remote ID field, enter the server’s domain name or IP address. Leave the Local ID blank.
  • Click on Authentication Settings, select Username, and enter your username and password you configured for your VPN user. Then click OK.
  • Finally, click on Connect to connect to the VPN. You should now be connected to the VPN.

Connecting from iOS

To configure the VPN connection on an iOS device, follow these steps:

  • Send yourself an email with the root certificate attached.
  • Open the email on your iOS device and tap on the attached certificate file, then tap Install and enter your passcode. Once it installs, tap Done. Alternatively, save the .pem certificate file to iCloud Drive and tap the file from the Files app to install it.
  • Go to Settings, General, VPN and tap Add VPN Configuration. This will bring up the VPN connection configuration screen.
  • Tap on Type and select IKEv2.
  • In the Description field, enter a short name for the VPN connection. This could be anything you like.
  • In the Server and Remote ID field, enter the server’s domain name or IP address. The Local ID field can be left blank.
  • Enter your username and password in the Authentication section, then tap Done.
  • Select the VPN connection that you just created, tap the switch on the top of the page, and you’ll be connected.
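Two checks worth making at the certificate step, as an added example rather than anything from the original post or the setup script: compare the CA certificate's SHA-256 fingerprint on the server with the copy you moved to the client (a file that travelled by e-mail or iCloud can be swapped without you noticing), and confirm that whatever you type into the Remote ID field appears in the server certificate's subjectAltName, because Apple's IKEv2 client rejects the connection when it does not. The CA path is the one shown above; the server certificate path /etc/ipsec.d/certs/server-cert.pem and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or IKEv2_setup.sh):
# verify the CA fingerprint and the server certificate's subjectAltName
# before trusting the CA on a client and choosing the Remote ID.
# CA_CERT matches the path shown in the post; SERVER_CERT is an assumption
# about where the setup script stores the server certificate.
set -eu

CA_CERT="${CA_CERT:-/etc/ipsec.d/cacerts/ca-cert.pem}"
SERVER_CERT="${SERVER_CERT:-/etc/ipsec.d/certs/server-cert.pem}"

# SHA-256 fingerprint of a PEM certificate, as "AB:CD:...", without the
# "sha256 Fingerprint=" prefix that openssl prints.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# subjectAltName entries of a PEM certificate, one per line, in the form
# "DNS:host" or "IP Address:a.b.c.d"; empty output if the cert has none.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//'
}

# Succeed only if $2 (hostname or IP) is listed verbatim in the SAN of $1.
# This is what the Remote ID field must match for Apple's IKEv2 client.
remote_id_matches() {
    cert_sans "$1" | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# Usage on the server:  sudo ./check_vpn_certs.sh check vpn.example.com
if [ "${1:-}" = "check" ]; then
    remote_id="${2:?usage: $0 check <remote-id>}"
    echo "CA SHA-256 fingerprint (compare with the client's copy):"
    cert_fingerprint "$CA_CERT"
    echo "Server certificate SANs:"
    cert_sans "$SERVER_CERT"
    if remote_id_matches "$SERVER_CERT" "$remote_id"; then
        echo "OK: Remote ID $remote_id is in the server certificate"
    else
        echo "FAIL: Remote ID $remote_id is not in the server certificate's SAN" >&2
        exit 1
    fi
fi
```

Run the check on the server with the name or IP you intend to use as Remote ID, then run openssl x509 -in ca-cert.pem -noout -fingerprint -sha256 against the copy on the client and compare the two fingerprints by eye before trusting the certificate.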

FAQ

IKE received proposals unacceptable

I ran into a problem where one macOS Sonoma machine could not connect to the VPN, while other clients, including an iPhone and another Mac, could.

The error seen on the VPN server:

$ tail -f /var/log/syslog

Mar 24 13:59:36 ingrid-common charon: 08[IKE] received proposals unacceptable
Mar 24 13:59:36 ingrid-common charon: 08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

On the client, the error flashes by with no explanation; Console shows a "NoProposalChosen" error.

The root cause is that the algorithms proposed by the VPN client are not supported by the server. See this article for details. If charondebug in the config setup section has cfg 0, raise it to cfg 1: charon then logs the received proposals and the configured proposals next to the error, so you can see exactly which client proposal is missing.

The fix: in /etc/ipsec.conf, add aes256-sha1-modp2048,aes256-sha256-modp2048 to the ike= line of the connection, which adds support for those algorithms. If the line ends with ! (a strict proposal list), add the new entries before the !. Then run sudo ipsec reload so charon picks up the new configuration. Of the two, aes256-sha256-modp2048 is the one worth keeping long term; the sha1 variant is only for clients that still propose HMAC-SHA1.
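The edit described above, as an added example that is not part of the original post or the setup script: a small script that appends the missing proposals to the ike= line of an ipsec.conf-style file, keeps a trailing ! in place, backs up the file and is safe to re-run. The file path, the proposal list and the function names are this example's own choices; it assumes a single conn section, as in the post's configuration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or IKEv2_setup.sh): make sure
# the ike= line of a strongSwan ipsec.conf contains a given set of proposals.
# Defaults mirror the FAQ fix; the file path and the proposal list are
# parameters and the function names are this example's own. Assumes one
# conn section (every ike= line in the file is rewritten).
set -eu

# Print the value of the first ike= line in $1, without the "ike=" prefix.
current_ike() {
    sed -n 's/^[[:space:]]*ike=//p' "$1" | head -n 1
}

# Print $1 with every comma-separated proposal from $2 added if absent.
# A trailing "!" (strict proposal list) is kept at the end of the line.
merge_proposals() {
    local value="$1" wanted="$2" strict="" p
    case "$value" in
        *!) strict="!"; value="${value%!}" ;;
    esac
    local IFS=','
    for p in $wanted; do
        case ",$value," in
            *",$p,"*) ;;                         # already present
            *) value="${value:+$value,}$p" ;;   # append
        esac
    done
    printf '%s%s\n' "$value" "$strict"
}

# Rewrite the ike= line of file $1 in place so it contains all proposals in $2.
# Returns 1 if the file has no ike= line (a typo in the section, for example).
ensure_ike_proposals() {
    local conf="$1" wanted="$2" old new
    old="$(current_ike "$conf")"
    if [ -z "$old" ]; then
        echo "no ike= line found in $conf" >&2
        return 1
    fi
    new="$(merge_proposals "$old" "$wanted")"
    if [ "$old" = "$new" ]; then
        echo "ike= already contains $wanted"
        return 0
    fi
    cp "$conf" "$conf.bak"                       # keep a backup of the live config
    sed -i "s|^\([[:space:]]*\)ike=.*|\1ike=$new|" "$conf"
    echo "ike= updated:"
    echo "  old: $old"
    echo "  new: $new"
}

# Usage on the server (applies the FAQ fix, then reloads strongSwan):
#   sudo ./add_ike_proposals.sh /etc/ipsec.conf aes256-sha1-modp2048,aes256-sha256-modp2048
if [ "${1:-}" ]; then
    ensure_ike_proposals "$1" "${2:-aes256-sha1-modp2048,aes256-sha256-modp2048}"
    if command -v ipsec >/dev/null 2>&1; then
        ipsec reload
    fi
fi
```

After the reload, reconnect from the failing client and watch tail -f /var/log/syslog for the IKE_SA_INIT exchange; if charon still answers with N(NO_PROP), the client is proposing something else again, and the cfg 1 log lines will name it.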

Enjoy ~

(End)


Post by Joey Huang under tools on 2022-06-01 (Wednesday) 23:22. Tags: tools