Installing strongSwan on OpenWRT and setting up an IKEv2 VPN with EAP-MSCHAPv2

I'm a bit lazy about formatting, so this is just a record for now; I may tidy it up later.

1. Install the required packages

opkg update

opkg install curl strongswan-default strongswan-pki ipset strongswan-mod-openssl strongswan-mod-curl strongswan-mod-dhcp strongswan-mod-eap-tls strongswan-mod-eap-identity strongswan-mod-eap-mschapv2 strongswan-mod-kernel-libipsec kmod-tun openssl-util strongswan-mod-test-vectors strongswan-mod-farp

strongswan-mod-eap-mschapv2 is the plugin that `rightauth = eap-mschapv2` in step 7 actually needs (the original list had eap-tls and eap-identity but not eap-mschapv2, so charon would reject the connection definition); opkg pulls in the MD4/DES plugins it depends on. strongswan-mod-kernel-libipsec together with kmod-tun provides the userspace ESP processing and the ipsec0 TUN device that step 2 configures, and strongswan-mod-farp lets the router answer ARP for the client pool, which in step 7 sits inside the LAN subnet. strongswan-mod-test-vectors only runs crypto self-tests and can be left out.

2. Add an ipsec interface to /etc/config/network

config interface 'ipsec'
	option ifname 'ipsec0'
	option proto 'none'
	option defaultroute '0'
	option peerdns '0'
	option ipv6 '0'

On OpenWrt 21.02 and later the interface syntax changed: use `option device 'ipsec0'` instead of `option ifname 'ipsec0'`. The interface only exists so that the firewall zone in step 4 has something to bind to; charon creates ipsec0 itself through the kernel-libipsec plugin.

3. Add rules to /etc/firewall.user

iptables -I INPUT   -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT  -m policy --dir out --pol ipsec --proto esp -j ACCEPT

These policy-match rules admit traffic that the kernel's own IPsec stack (xfrm) has decrypted or is about to encrypt. With kernel-libipsec, as installed in step 1, ESP is handled in userspace and the plaintext shows up on ipsec0, where the vpn zone from step 4 governs it, so the rules are harmless but not what actually admits the traffic. /etc/firewall.user is only executed by the iptables-based fw3; OpenWrt 22.03 and later ship the nftables-based fw4, which ignores this file.

4. Add the zone, forwardings and rules to /etc/config/firewall

Zone section

config zone
	option name 'vpn'
	list network 'ipsec'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

Forwarding section

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

Rule section

config rule
	option name 'IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'IPSec-IKE'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'IPSec-NAT-T'
	option src 'wan'
	option dest_port '4500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'IPSec-Auth-Header'
	option src 'wan'
	option proto 'ah'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping-From-VPN'
	option src 'vpn'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping-To-VPN'
	option dest 'vpn'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

The two ping rules originally said `option proto 'igmp'`; `icmp_type` only applies to ICMP, so the protocol has been corrected to `icmp`. UDP 500 carries IKE_SA_INIT and UDP 4500 carries the NAT-T encapsulated IKE and ESP traffic that `forceencaps = yes` in step 7 makes every client use; the ESP and AH rules are only exercised by clients that are not behind NAT. Note what the zone grants: `input 'ACCEPT'` exposes every service on the router (LuCI, SSH, DNS) to VPN clients, and the vpn-to-wan forwarding with `masq '1'` turns the router into a full-tunnel exit for them. Both are intended here; tighten them if the VPN is only meant to reach the LAN.

5. Replace the contents of /etc/init.d/ipsec with the following

#!/bin/sh /etc/rc.common
# ipsec init script

START=90
STOP=10

USE_PROCD=1
PROG=/usr/lib/ipsec/starter

service_running() {
	ipsec status > /dev/null 2>&1
}

reload_service() {
	running && {
		ipsec rereadall
		ipsec reload
		return
	}
	start
}

check_ipsec_interface() {
	procd_add_interface_trigger "interface.*" "ipsec0" /etc/init.d/ipsec reload
}

service_triggers() {
	procd_add_reload_trigger "ipsec"
	check_ipsec_interface
}

start_service() {
	procd_open_instance
	procd_set_param command $PROG --daemon charon --nofork
	procd_set_param respawn
	procd_close_instance
}

This runs the legacy `starter` front end, which reads /etc/ipsec.conf and /etc/ipsec.secrets (steps 6 and 7), under procd with respawn. It overwrites the init script shipped by the strongswan package, so an opkg upgrade will ask whether to replace it; keep a copy. Newer OpenWrt releases ship a swanctl-based init script and configuration in /etc/swanctl; this page targets the ipsec.conf stack.

6. Edit /etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA host-vpn.der
<username> : EAP "<password>"

The first entry points at the server private key /etc/ipsec.d/private/host-vpn.der generated in step 9. Add one `<username> : EAP "<password>"` line per VPN account. The passwords are stored in clear text, so keep the file root-only (mode 600). EAP-MSCHAPv2 sends the client a challenge/response derived from the password, which an impostor gateway can crack offline; the only thing preventing that is the client verifying the server certificate against the CA from step 9, so install cacerts/strongswan.pem on every client rather than letting users click past certificate warnings.

7. Replace the contents of /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
	strictcrlpolicy = no
	uniqueids = no

# Add connections here.
conn default
	keyexchange = ikev2
	ike = aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
	esp = aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
	mobike = yes
	dpdaction = clear
	dpddelay = 60s
	left = %any
	# replace with your own domain; it must appear as a SAN in the server certificate (step 9)
	leftid = @example.com
	leftsubnet = 0.0.0.0/0
	leftcert = host-vpn.der
	leftsendcert = always
	right = %any
	rightauth = eap-mschapv2
	# address pool handed to clients; adjust to your LAN
	rightsourceip = 192.168.1.100-192.168.1.120
	# DNS server pushed to clients (the router's LAN address)
	rightdns = 192.168.1.1
	eap_identity = %identity
	forceencaps = yes
	auto = add

What the less obvious settings do: `leftsubnet = 0.0.0.0/0` routes all client traffic through the tunnel; `uniqueids = no` lets one account be connected from several devices at once; `eap_identity = %identity` looks the EAP username up in ipsec.secrets under the identity the client sends; `forceencaps = yes` makes every client use UDP 4500 encapsulation. The pool 192.168.1.100-192.168.1.120 lies inside the LAN subnet, which is why farp was installed in step 1; make sure the dnsmasq lease range in /etc/config/dhcp does not also cover those addresses (the OpenWrt default of start 100, limit 150 does).

The IKE and ESP proposal lists are the weakest part of this setup. They deliberately keep `3des-sha1-modp1024`, SHA-1 integrity and the 1024-bit MODP group because the built-in Windows IKEv2 client (and some older mobile clients) propose exactly those by default; the trailing `!` makes the lists strict, so charon will negotiate nothing outside them. Once clients have been configured for stronger settings (on Windows via Set-VpnConnectionIPsecConfiguration), trim both lists to the AES-GCM or AES-CBC plus SHA-2 entries with ecp256/ecp384 or modp2048 and above.

8. Replace the contents of /etc/strongswan.conf with the following

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
	# router's LAN IP; legacy setting, rightdns in ipsec.conf takes precedence
	dns1 = 192.168.1.1
	load_modular = yes
	plugins {
		include strongswan.d/charon/*.conf
		dhcp {
			force_server_address = yes
			#use_server_port = yes
			# uncomment the line above if log shows that DHCP
			# offer can't be accepted
			identity_lease = yes
			# use LAN broadcast address here, not IP address.
			server = 192.168.1.255
		}
	}
}

pluto {
	threads = 8
	dns1 = 192.168.1.1
}

libstrongswan {
	# set to n, the DH exponent size is optimized
	#dh_exponent_ansi_x9_42 = no
	#crypto_test {
	#	on_add = yes
	#}
}

include strongswan.d/*.conf

The original had `dns1 = 192.168.0.1` under charon and `192.168.1.1` under pluto; both were annotated as the router IP, so they have been made consistent with the 192.168.1.0/24 addresses used in step 7. The dhcp plugin block only takes effect when a connection uses `rightsourceip = %dhcp`; with the static pool configured in step 7 it is unused but harmless. The `pluto` section is left over from strongSwan 4.x: pluto was removed in strongSwan 5.0 and the block is ignored.

9. Create the certificates: add the file /etc/ipsec.d/mk_server.sh with the following contents

#!/bin/sh
# Generates a private CA and the VPN server certificate under /etc/ipsec.d.
# Run it from /etc/ipsec.d (step 10): the paths below are relative.
set -e

SRVNAME="your domain or server name"
IPADDR="your domain or IP"
# Uncomment the next line instead if the VPN server sits on a static WAN IP
# and you want it read from the wan interface automatically:
#IPADDR=$(. /lib/functions/network.sh; network_get_ipaddr ip wan; echo $ip)
COUNTRY="TW"
ORG="your organisation"
# Change the two values above to your org name and country code
VALIDDAYS="3650"   # CA certificate lifetime in days
LIFETIME="730"     # server certificate lifetime in days

# CA key and self-signed CA certificate
ipsec pki --gen --type rsa --size 4096 --outform der > private/strongswan.der
chmod 600 private/strongswan.der
ipsec pki --self --ca --lifetime $VALIDDAYS --in private/strongswan.der --type rsa --dn "C=$COUNTRY, O=$ORG, CN=$ORG Root CA" --outform der > cacerts/strongswan.der
# PEM copy of the CA certificate, for distribution to clients
openssl x509 -inform DER -in cacerts/strongswan.der -out cacerts/strongswan.pem -outform PEM
ipsec pki --print --in cacerts/strongswan.der

# Server key and certificate signed by the CA. The SANs must cover the name or
# address clients connect to and the leftid from ipsec.conf.
ipsec pki --gen --type rsa --size 4096 --outform der > private/host-vpn.der
chmod 600 private/host-vpn.der
ipsec pki --pub --in private/host-vpn.der --type rsa | ipsec pki --issue --lifetime $LIFETIME --cacert cacerts/strongswan.der --cakey private/strongswan.der --dn "C=$COUNTRY, O=$ORG, CN=$SRVNAME" --san=$SRVNAME --san $IPADDR --san @$IPADDR --flag serverAuth --flag ikeIntermediate --outform der > certs/host-vpn.der
ipsec pki --print --in certs/host-vpn.der

The `serverAuth` and `ikeIntermediate` extended key usage flags are what older Apple and Windows clients require before they will accept the certificate for IKEv2. Bear in mind that the CA private key (private/strongswan.der) stays on the router: anyone with root there can issue certificates your clients will trust. Distribute cacerts/strongswan.pem to the clients, not the server certificate alone.

10. Run /etc/ipsec.d/mk_server.sh

cd /etc/ipsec.d/
./mk_server.sh

11. Enable at boot and start

/etc/init.d/ipsec enable
/etc/init.d/ipsec start
ipsec restart
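Before handing the profile to users it is worth sanity-checking the values chosen in steps 1, 4 and 7. The POSIX sh script below is an added example, not part of the original post or of strongSwan: it takes the opkg package list, the `rightsourceip` pool, the dnsmasq `start`/`limit` values and an excerpt of the `ike =` line as constructed inline values (on a router you would read them from /etc/config/dhcp with `uci get dhcp.lan.start` and from /etc/ipsec.conf), then reports the EAP plugin the install line is missing, whether the static pool collides with the LAN DHCP window, and which proposals still carry legacy primitives. The weakness thresholds (3DES, MD5, DH groups below modp2048) and the single-/24 assumption for the pool check are the editor's choices.

```shell
#!/bin/sh
# Pre-flight checks for the strongSwan IKEv2 / EAP-MSCHAPv2 setup above.
# Added example; the inputs below are constructed from the post, not read
# from a live router.

# rightauth = eap-<method> needs the matching strongswan-mod-eap-<method>
# plugin. Prints the missing package name, or nothing if it is present.
missing_eap_plugin() {
    method=${1#eap-}
    case " $2 " in
        *" strongswan-mod-eap-$method "*) ;;
        *) printf 'strongswan-mod-eap-%s\n' "$method" ;;
    esac
}

# OpenWrt's dnsmasq leases host numbers start .. start+limit-1 in the LAN
# subnet. A static rightsourceip pool inside that window lets a LAN host and
# a VPN client end up with the same address. Assumes pool and LAN share one
# /24 (editor's assumption); returns 0 (true) when they overlap.
pool_overlaps_dhcp() {
    dhcp_lo=$1
    dhcp_hi=$(( $1 + $2 - 1 ))
    pool_lo=${3%-*}; pool_lo=${pool_lo##*.}
    pool_hi=${3#*-}; pool_hi=${pool_hi##*.}
    [ "$pool_lo" -le "$dhcp_hi" ] && [ "$pool_hi" -ge "$dhcp_lo" ]
}

# Print, space separated, every proposal in an ike= or esp= list that still
# contains a legacy primitive. The list is comma separated; a trailing '!'
# (strict mode) is ignored.
weak_proposals() {
    list=$(printf '%s' "$1" | tr -d '!')
    found=""
    saved_ifs=$IFS
    IFS=','
    set -- $list
    IFS=$saved_ifs
    for prop in "$@"; do
        case "$prop" in
            *3des*|*md5*|*modp768*|*modp1024*|*modp1536*)
                found="${found}${found:+ }${prop}" ;;
        esac
    done
    printf '%s\n' "$found"
}

# Constructed inputs copied from the post.
PKGS='strongswan-default strongswan-pki strongswan-mod-openssl strongswan-mod-eap-tls strongswan-mod-eap-identity strongswan-mod-farp'
POOL='192.168.1.100-192.168.1.120'   # rightsourceip from step 7
DHCP_START=100                       # OpenWrt defaults for dhcp.lan
DHCP_LIMIT=150
# excerpt of the post's ike= line
IKE='aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes256-sha384-ecp384,3des-sha1-modp1024!'

pkg=$(missing_eap_plugin eap-mschapv2 "$PKGS")
if [ -n "$pkg" ]; then
    echo "step 1: add $pkg to the opkg install line"
fi
if pool_overlaps_dhcp "$DHCP_START" "$DHCP_LIMIT" "$POOL"; then
    echo "step 7: rightsourceip $POOL overlaps the dnsmasq range .$DHCP_START-.$(( DHCP_START + DHCP_LIMIT - 1 ))"
fi
weak=$(weak_proposals "$IKE")
if [ -n "$weak" ]; then
    echo "step 7: legacy IKE proposals still enabled: $weak"
fi
```

Run it on the post's values and all three checks fire: the install line lacks strongswan-mod-eap-mschapv2, the 192.168.1.100-120 pool sits inside the default dnsmasq window .100-.249 (either move the pool or lower `limit` so the lease range ends before .100), and the proposal list still admits modp1024/modp1536 and 3DES. Whether the last finding is acceptable depends on your clients: stock Windows proposes modp1024 and 3DES until Set-VpnConnectionIPsecConfiguration is used on the client, so trim the server list only after the clients have been adjusted. After `ipsec restart`, `ipsec statusall` should list `default` as loaded; if it is missing, the charon log will name the plugin or keyword it could not handle.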
