Using HAProxy to run ocserv and HTTPS on the same port

HAProxy inspects the TLS ClientHello on port 443 and routes by SNI: one hostname goes to ocserv, the other to the local HTTPS server. Configuration:

    # /etc/haproxy/haproxy.cfg
    frontend https-in
        bind *:443
        mode tcp    # required for raw ClientHello inspection (unless already set in defaults)
        tcp-request inspect-delay 3s
        tcp-request content accept if { req.ssl_hello_type 1 }
        acl tls req.ssl_hello_type 1
        acl has_sni req.ssl_sni -m found
        use_backend ocserv if tls { req.ssl_sni -i [ocserv domain] }
        use_backend https-out if tls { req.ssl_sni -i [domain] }

    backend ocserv
        mode tcp
        option ssl-hello-chk
        server server-vpn 127.0.0.1:999 send-proxy-v2    # ocserv listens on local port 999

    backend https-out
        mode tcp
        server server-web 127.0.0.1:4443 check    # HTTPS server listens on local port 4443

Because the ocserv backend is sent with `send-proxy-v2`, ocserv must be told to expect the PROXY protocol header so that it still sees the real client address:

    # /etc/ocserv/ocserv.conf
    listen-proxy-proto = true

Reference: HAProxy forwarding to HTTPS sites

Setting up IKEv2 with strongSwan

Compile and install strongSwan. Version 5.5.1 was used here; the latest is 5.6.1, but for some reason it would not connect.

    wget https://download.strongswan.org/strongswan-5.5.1.tar.gz
    tar zxvf strongswan-5.5.1.tar.gz
    cd strongswan-5.5.1
    ./configure \
        --prefix=/usr \
        --sysconfdir=/etc \
        --enable-openssl \
        --enable-nat-transport \
        --disable-mysql \
        --disable-ldap \
        --disable-static \
        --enable-shared \
        --enable-md4 \
        --enable-eap-mschapv2 \
        --enable-eap-aka \
        --enable-eap-aka-3gpp2 \
        --enable-eap-gtc \
        --enable-eap-identity \
        --enable-eap-md5 \
        --enable-eap-peap \
        --enable-eap-radius \
        --enable-eap-sim \
        --enable-eap-sim-file \
        --enable-eap-simaka-pseudonym \
        --enable-eap-simaka-reauth \
        --enable-eap-simaka-sql \
        --enable-eap-tls \
        --enable-eap-tnc \
        --enable-eap-ttls
    make
    make install

If configure stops with `configure: error: OpenSSL libcrypto not found`, the OpenSSL development library has to be installed manually first.

月杪 on #VPN

Setting up a ShadowVPN server on Debian

ShadowVPN is derived from libsodium and was written mainly for low-end hardware such as routers, but it also works as a transport between VPSes (a domestic jump host, for instance). After the GitHub project moved to 2.0 the install instructions were not updated in time, and following the old instructions a few days ago never worked. The current install procedure is as follows.

Install the build dependencies:

    apt-get install build-essential automake libtool git

Fetch the source from GitHub and install:

    git clone https://github.com/moonagic/ShadowVPN.git
    cd ShadowVPN
    git submodule update --init --recursive
    ./autogen.sh
    ./configure --enable-static --sysconfdir=/etc
    make
    sudo make install

Then edit the configuration files under /etc/shadowvpn and start ShadowVPN:

    shadowvpn -c /etc/shadowvpn/server.conf -s start

月杪 on #VPN

Setting up a Cisco IPsec VPN with racoon on Debian

Install racoon:

    apt-get install racoon

After installation, edit /etc/racoon/racoon.conf:

    log info;
    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";

    listen {
        isakmp 9.9.9.9 [500];          # address and port to listen on
        isakmp_natt 9.9.9.9 [4500];    # address and port to listen on (NAT-T)
    }

    remote anonymous {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        nat_traversal on;
        proposal_check obey;
        generate_policy unique;
        ike_frag on;
        passive on;
        dpd_delay = 30;
        dpd_retry = 30;
        dpd_maxfail = 800;
        mode_cfg = on;
        proposal {
            encryption_algorithm aes;
            hash_algorithm sha1;
            authentication_method xauth_psk_server;
            dh_group 2;
            lifetime time 12 hour;
        }
    }

    timer {
        natt_keepalive 20 sec;
    }

    sainfo anonymous {
        lifetime time 12 hour;
        encryption_algorithm aes,3des,des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
    }

    mode_cfg {
        dns4 8.

月杪 on #VPN