Pages

Thursday, 30 April 2015

SoftEther VPN Server 的安装与配置

SoftEther VPN是岛国某大学的一个开源项目,基于这个项目又有一个名为VPN GATE的项目。SoftEther VPN支持VPN桥接,可以轻易的搭建集群式的VPN满足多用户高流量需求,同时也能通过在各地部署VPN中继服务器来做成VPN Gate这类的全球分布式公共 VPN 中继服务器,设置非常方便。在OpenVPN已经彻底被GFW照顾的现在,是一个非常好的替代方案。

SoftEther VPN的特点就是设置非常方便,不用像OpenVPN那样进行在命令行下进行繁琐的证书生成、配置文件更改的工作,SoftEther VPN安装完成后,只需启动服务即可在任意一台Windows电脑上利用图形化的界面进行完整的配置工作。

 SoftEther VPN Server的安装

在Windows服务器上的安装我就不介绍了,直接双击安装下一步就OK了,安装完成会添加系统服务:SoftEther VPN Server,开机自动运行,此时执行管理工具即可配置,这个在下一节介绍.

这里重点介绍在Linux服务器下的编译、安装、启动,以Ubuntu为例。

先安装编译环境:   
apt-get update -y
apt-get install -y build-essential gcc g++ automake autoconf libtool make re2c wget cron bzip2 libzip-dev file flex bison m4 original-awk less cpp binutils tar bzip2 p7zip libncurses5 libevent-dev libev-dev  libperl-dev openssl libssl-dev libsasl2-dev libxml2 libxml2-dev libltdl-dev libltdl-dev libmcrypt-dev libbz2-1.0 libbz2-dev libglib2.0-0 libglib2.0-dev libfreetype6 libfreetype6-dev libjpeg62 libxslt1-dev libpspell-dev libmhash2 libmhash-dev libpq-dev libpq5 gettext libncurses5-dev libldap2-dev libreadline-dev git unzip zip nano pkg-config libpam0g-dev libwrap0-dev gnutls-bin libgnutls28-dev libseccomp-dev libhttp-parser-dev libnl-nf-3-dev libdbus-1-dev libprotobuf-c-dev libpcl1-dev libopts25-dev lsof psmisc libcurl4 libcurl4-gnutls-dev curl
(先要安装libcurl4,然后才能成功安装curl)

(注意:从debian8起,才默认有libgnutls28-dev libseccomp-dev libhttp-parser-dev这些包
debian7下,
E: 未发现软件包 libgnutls28-dev
E: 未发现软件包 libseccomp-dev
E: 未发现软件包 libprotobuf-c-dev

E: 未发现软件包 libhttp-parser-dev


如果是CENTOS/FEDORA系统,则:
# yum update -y
# yum -y install gcc gcc-c++ autoconf automake wget libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel 
git unzip zip nano readline-devel pam-devel libev-devel pam binutils lsof psmisc ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel libidn openssl openssl-devel openldap openldap-devel nss_ldap make patch tar libtool libtool-ltdl-devel krb5-devel 

在LINUX VPS上编译SoftEther VPN Server:
git clone https://github.com/SoftEtherVPN/SoftEtherVPN
cd SoftEtherVPN
./configure 
make
make install
编译成功后,会提示:
Installation completed successfully.
Execute 'vpnserver start' to run the SoftEther VPN Server background service.
Execute 'vpnbridge start' to run the SoftEther VPN Bridge background service.
Execute 'vpnclient start' to run the SoftEther VPN Client background service.
Execute 'vpncmd' to run SoftEther VPN Command-Line Utility to configure VPN Server, VPN Bridge or VPN Client.
下载客户端程序:
http://www.softether-download.com/?product=softether,
You can download the GUI Tools from http://www.softether-download.com/.

(参考:
 http://www.softether.org/5-download/src
http://www.softether.org/5-download/src/2.unix)



上传
如果是远程服务器,可以使用FTP、SFTP等方式上传至服务器中,当然如果是国外服务器,最好直接在终端中,执行:
wget http://www.softether-download.com/files/softether/v4.04-9412-rtm-2014.01.15-tree/Linux/SoftEther%20VPN%20Server/32bit%20-%20Intel%20x86/softether-vpnserver-v4.04-9412-rtm-2014.01.15-linux-x86-32bit.tar.gz

假设当前目录为/root,tar.gz下载到了/root目录下,接着解压缩:   
tar zxvf 文件名.tar.gz

此时会在/root下解压出一个vpnserver目录,接下来运行安装脚本:   
cd vpnserver
./install.sh

接下来按照提示,按1、1、1同意许可等等操作后,脚本会完成make并在当前目录生成需要的可执行文件vpnserver。

执行以下命令启动vpn服务:
./vpnserver start

当然要确保防火墙打开了VPN所使用的端口,未配置前VPN监听443(HTTPS), 5555等端口,建议先打开这些端口,至少开一个。如果你的VPS运行了Web服务并占用了443接口,那么你需要避开443使用其他端口。
Ubuntu下建议使用ufw来管理防火墙配置,具体安装参照ubuntu官方的中文文档,说的很清楚。
利用ufw执行以下命令打开443端口:
ufw allow https

如果你准备将VPN的端口改到12345端口上,那么执行
ufw allow 12345

Server端的配置
在服务器运行了vpnserver服务的情况下,可以在一台运行了Windows系统的电脑上配置Server端,非常简单,在上面给出的下载页面中,下载SoftEther VPN Server的Windows版本,就包含了了SoftEther Server的配置工具(当然你也可以单独下载SoftEtherVPN Server Manager for Windows,这是单独的Server配置工具)。在Linux下通过命令行配置工具vpncmd也可以,不过稍显麻烦,在这里就不多做介绍。

启动SoftEther VPN Server Manager for Windows,填入主机名(域名或者IP),端口号(第一次配置可以保留默认的443,修改过端口号后记得更改这里),如果通过代理上网,填入代理,否则保持默认,点OK保存后,点击“连接”

接下来的操作,主要就是:
1、配置监听端口
2、建立新的虚拟HUB或者使用默认的DEFAULT
3、添加用户及认证方式(密码认证或者证书认证,证书认证还需生成证书)
4、如果你只是通过VPN Server做代理翻墙上网,你可以直接打开SecureNAT即可完成配置;如果你是通过VPN访问服务器所在的工作网络(其实这才是VPN的本来用途),而且服务器的IP地址是其所在网络的DHCP服务器所分配,那么不需要打开SecureNAT,而是要将Server的物理网卡桥接到虚拟HUB上;如果服务器所在网络属于静态IP,那么你要么手动配置客户端的虚拟网卡的IP,要么就需要配置SecureNAT,这需要你了解IPv4地址的配置方式。

完成以上操作后,服务端就完成了配置工作了,你需要在客户端上运行SoftEther VPN Client管理工具,建议直接使用VPN Gate(它其实就是带有VPN Gate插件的SoftEther VPN Client)。当然如果你不需要VPN Gate,你可以到SoftEther VPN官方下载页面下载不带VPN Gate插件的客户端:http://www.softether-download.com/?product=softether

启动SoftEther VPN Client管理工具,点击创建新的VPN连接,填入服务端的配置确定即可。

然后右击新建的VPN连接,选择连接即可。
---------

首先要在服务器上,下载并解压安装文件,一定注意是32位还是64位(可通过uname -a命令查看)。
32位系统:
wget http://jp.softether-download.com/files/softether/v4.20-9608-rtm-2016.04.17-tree/Linux/SoftEther_VPN_Server/32bit_-_Intel_x86/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x86-32bit.tar.gz

64位系统:
wget http://jp.softether-download.com/files/softether/v4.20-9608-rtm-2016.04.17-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz
以上为截止发布本文时的最新版本,建议从SoftEther官方网站获取最新版本。

tar zxvf softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit.tar.gz
mv vpnserver softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit
cd softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit
make
会显示:
...
*** How to start the SoftEther VPN Server Service ***

Please execute './vpnserver start' to run the SoftEther VPN Server Background Service.
And please execute './vpncmd' to run the SoftEther VPN Command-Line Utility to configure SoftEther VPN Server.
Of course, you can use the VPN Server Manager GUI Application for Windows on the other Windows PC in order to configure the SoftEther VPN Server remotely.
make[1]: Leaving directory `/root/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit'
root@gcv:~/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit#
root@gcv:~/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit# ls
Authors.txt  lib       ReadMeFirst_License.txt
chain_certs  Makefile       vpncmd
code      ReadMeFirst_Important_Notices_cn.txt  vpnserver
hamcore.se2  ReadMeFirst_Important_Notices_en.txt
lang.config  ReadMeFirst_Important_Notices_ja.txt
root@gcv:~/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit# ./vpnserver
SoftEther VPN Server service program
Copyright (c) SoftEther VPN Project. All Rights Reserved.

vpnserver command usage:
 vpnserver start  - Start the SoftEther VPN Server service.
 vpnserver stop   - Stop the SoftEther VPN Server service if the service has been already started.

root@gcv:~/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit# ./vpnserver start
The SoftEther VPN Server service has been started.
root@gcv:~/softether-vpnserver-v4.20-9608-rtm-2016.04.17-linux-x64-64bit# ./vpncmd

运行./vpncmd进入VPN的命令行:

vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Command Line Management Utility (vpncmd command)
Version 4.20 Build 9608 (English)
Compiled 2016/04/17 21:59:35 by yagi at pc30
Copyright (c) SoftEther VPN Project. All Rights Reserved.

By using vpncmd program, the following can be achieved.

Management of VPN Server or VPN Bridge
Management of VPN Client
Use of VPN Tools (certificate creation and Network Traffic Speed Test Tool)
Select 1, 2 or 3:

这里我们选择1,然后出现:

Specify the host name or IP address of the computer that the destination VPN Server or VPN Bridge is operating on.
By specifying according to the format ‘host name:port number’, you can also specify the port number.
(When the port number is unspecified, 443 is used.)
If nothing is input and the Enter key is pressed, the connection will be made to the port number 8888 of localhost (this computer).
Hostname of IP Address of Destination:

这里需要选择地址和端口。由于这台VPS我搭了一个网站,用了SSL,占用了443端口,所以默认的443端口是用不了了,所以一定要改。我改用了5555端口,所以在这里输入localhost:5555,然后出现:

If connecting to the server by Virtual Hub Admin Mode, please input the Virtual Hub name.
If connecting by server admin mode, please press Enter without inputting anything.
Specify Virtual Hub Name:

这里就是指定一个虚拟HUB名字,用默认的直接回车就行。

Connection has been established with VPN Server “localhost” (port 5555).

You have administrator privileges for the entire VPN Server.

VPN Server>

这时我们需要输入ServerPasswordSet命令设置远程管理密码,设置远程管理密码后就可以通过本地机器版的SoftEther VPN Server Manager远程管理了。

VPN管理

首先下载并安装SoftEther VPN Server Manager- http://softether-download.com/en.aspx(居然最近移植了Mac版),其实只用到了管理工具。

mac版:http://softether-download.com/files/softether/v4.21-9613-beta-2016.04.24-tree/Mac_OS_X/Admin_Tools/VPN_Server_Manager_Package/softether-vpnserver_manager-v4.21-9613-beta-2016.04.24-macos-x86-32bit.pkg
win version:
http://softether-download.com/files/softether/v4.22-9634-beta-2016.11.27-tree/Windows/SoftEther_VPN_Server_and_VPN_Bridge/softether-vpnserver_vpnbridge-v4.22-9634-beta-2016.11.27-windows-x86_x64-intel.exe

安装之后运行它,

http://www.shintaku.cc/posts/softether/
--------------------

编译 SoftEther VPN 并在其基础上,搭建OpenVPN


  1. 由于 SoftEtherVPN 源码在 GitHub, 所以这里使用 lantern 加快下载速度
     wget https://coding.net/u/ilanyu/p/lantern/git/raw/master/lantern_linux_amd64_server.tar.gz
     tar zxvf lantern_linux_amd64_server.tar.gz
     ./lantern_linux_amd64_server -proxyall > lantern.log &
     curl -x http://127.0.0.1:8787 myip.ipip.net
    
  1. 下载 SoftEtherVPN 源码
     yum install git -y
     export http_proxy=http://127.0.0.1:8787/
     git clone https://github.com/SoftEtherVPN/SoftEtherVPN.git
     unset http_proxy
    
  2. 修改 SoftEtherVPN 源码
    由于使用 SoftEtherVPN 搭建的 OpenVPN 的默认 ping 值过小, 且这个参数不支持通过配置文件修改, 所以需要手工在源码中将该值改大.
     cd SoftEtherVPN
     vim src/Cedar/Interop_OpenVPN.h
    
    133、134行
     #define OPENVPN_PING_SEND_INTERVAL              3000    // Transmission interval of Ping
     #define OPENVPN_RECV_TIMEOUT                    10000   // Communication time-out
    
    修改为
     #define OPENVPN_PING_SEND_INTERVAL              10000   // Transmission interval of Ping
     #define OPENVPN_RECV_TIMEOUT                    120000  // Communication time-out
    
  3. 编译并安装 SoftEtherVPN
     yum -y groupinstall "Development Tools"
     yum -y install readline-devel ncurses-devel openssl-devel
     ./configure
     make
     make install
    
  4. 搭建 OpenVPN
    1. 运行 SoftEtherVPN
       vpnserver start
      
    2. 下载 SoftEther VPN Server Manager for Windows
      到 http://www.softether-download.com/cn.aspx?product=softether 下载最新 SoftEther VPN Server Manager for Windows , 我下载到的是 http://www.softether-download.com/files/softether/v4.22-9634-beta-2016.11.27-tree/Windows/Admin_Tools/VPN_Server_Manager_and_Command-line_Utility_Package/softether-vpn_admin_tools-v4.22-9634-beta-2016.11.27-win32.zip
    3. 使用 SoftEther VPN Server Manager 设置 SoftEther VPN
      运行压缩包中 vpnsmgr.exe
      初始化: 新设置 -> 输入主机名, 密码为空 -> 确定 -> 连接 -> 设置新管理密码 -> 勾上远程访问 VPN Server -> 下一步 -> 是 -> 确定 -> 退出 -> 确定 -> 禁用 VPN Azure -> 确定 -> 创建用户 -> 输入用户名、密码、确认密码 -> 确定 -> 关闭 -> 设置本地网桥 选择 eth0 -> 关闭 -> 确定
      开启 OpenVPN: OpenVPN/MS-SSTP 设置 -> 勾选 启用 OpenVPN 克隆 Server 功能, 端口修改为 443 -> 取消勾选 开启 MS-SSTP VPN 克隆 Server 功能 -> 为 OpenVPN Client 生成配置样本文件 -> 确定
      删除 监听器列表 992、1194、5555 端口
      开启 SecureNAT : 点击 虚拟 HUB 名 VPN -> 管理虚拟 HUB -> 虚拟 NAT 和 虚拟 DHCP 服务器 -> SecureNAT 配置 -> DNS 服务器地址 1、2分别修改为 114.114.114.114、114.114.115.115 -> 确定 -> 启用 SecureNAT -> 确定 -> 关闭
      OpenVPN 服务器端配置完毕
    4. 解压刚才生成的配置样本文件, 以文本文件格式打开 *remote_access*.ovpn, 删除所有以 # 及 ; 开头的行, 得到下面的文件
       dev tun
       proto udp
       remote *.v4.sedns.cn 443
       cipher AES-128-CBC
       auth SHA1
       resolv-retry infinite
       nobind
       persist-key
       persist-tun
       client
       verb 3
       auth-user-pass
       <ca>
       -----BEGIN CERTIFICATE-----
       MIID3DCCAsSgAwIBAgIBADANBgkqhkiG9w0BAQsFADBtMR4wHAYDVQQDExV2cG43
       ...
       ...
       ...
       tOTfZpYbLgwiW22781tG6ocNDsVR3nsVzOeiPbFj5zY=
       -----END CERTIFICATE-----
       </ca>
       <cert>
       -----BEGIN CERTIFICATE-----
       MIID1jCCAr6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBqMR0wGwYDVQQDExQxMzA1
       ...
       ...
       ...
       JugWtk4MMuSsC/mWKjqVf1wApLFY+Ic6Gjo=
       -----END CERTIFICATE-----
       </cert>
       <key>
       -----BEGIN PRIVATE KEY-----
       MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCuyq8cqgbhdiwy
       ...
       ...
       ...
       K40bn0snchyEVhn7ZrKUTSW0tA==
       -----END PRIVATE KEY-----
       </key>
      修改 proto udp 为 proto tcpremote *.v4.sedns.cn 443 中 *.v4.sedns.cn 改为 服务器IP地址。
      OpenVPN 配置文件修改完成。
为什么用 SoftEther VPN, 不用 OpenVPN: 具体是因为测试时发现 OpenVPN使用 tun 模式, 无法广播 udp 包, 部分不支持直接输入IP的局域网联机游戏无法搜索到对方, 同时 SoftEther VPN 配置起来也比 OpenVPN 方便.
---------------------


















SoftEther on VPS

I saw a post on lowendtalk last week introducing a new piece of vpn software call SoftEther.

What is SoftEther

A Free Cross-platform Multi-protocol VPN program, as an academic project from University of Tsukuba.
It is a single server which support SSL-VPN (HTTPS) and 6 major VPN protocols (OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3 and EtherIP).
I would like to also highlight the VPN over ICMP and VPN over DNS feature if you are inside a very strict network.

VPS Setup Guide

This post use SecureNAT. You may want to setup local bridge.
SoftEther author contacted me to highlight serveral points:
  • On physical server, local bridge will perform better than SecureNAT
  • DO NOT enable both local bridge and SecureNAT at the same time. Packets will loop infinitly and make your server 100% CPU usage.
Requirement: VPS
I am using vps from buyvm. I got from a year deal which is USD12/year. I would recommendRamnode(affiliated) as a VPS provider. Their VPS is speedy and support is amazing.
  • Spec:
    • RAM: 128MB
    • Burst: 256MB
    • Disk Space: 15GB
    • Bandwidth: 500GB
    • Location: Buffalo, USA
  • OS:
    • Debian 6.0 64bit (minimal)
Make sure you login root as follow:
login as rootlogin as root
Before installing SoftEther Server let us install some prerequisite.

















(build_tools.sh)download
1
2
apt-get update
apt-get install build-essential

Go to SoftEther to download the server binary.
download selectiondownload selection
I am using Ver 1.00, Build 9029, rc2 in this tutorial.
After download, run

















(make.sh)download
1
2
3
tar zxf softether-vpnserver-v1.00-9029-rc2-2013.03.16-linux-x64-64bit.tar.gz
cd vpnserver
make

Read the Agreement and press 1 three times.
Then we move the dir to /usr/local/

















(install.sh)download
1
2
3
4
5
6
7
cd ..
mv vpnserver /usr/local
cd /usr/local/vpnserver/
chmod 600 *
chmod 700 vpncmd
chmod 700 vpnserver
nano /etc/init.d/vpnserver

paste the following content to nano

















(vpnserver.sh)download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable Softether by daemon.
### END INIT INFO
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

ctrl-o ret ctrl-x
After that we enable the service

















(service.sh)download
1
2
3
4
5
chmod 755 /etc/init.d/vpnserver
mkdir /var/lock/subsys
update-rc.d vpnserver defaults
/etc/init.d/vpnserver start
cd /usr/local/vpnserver/

Then we need to do a checking.

















1
2
3
./vpncmd
3
check

You should get 4 “Pass”.
We need to set the server admin password

















1
2
3
4
5
./vpncmd
1
ret
ret
VPN Server>ServerPasswordSet

Enter the admin password.
I do the setting on a windows client. It is running
server managerserver manager
Install it, run it, click New setting. Input ip and password.
input settinginput setting
Then connect to it. On successful login, it will pop up Easy Setup
easy setupeasy setupCheck Remote Access Server and Next
warningwarning
Yes
Virtual Hub nameVirtual Hub name
OK
Setup L2TPSetup L2TPCheck Enable L2TP Server Function and input your own pre-share key
OK
AzureAzureWe disable Azure VPN
Create UserCreate User
Then we need to create a new user. This is trivial.
UserUser
ManagerManagerClick on “Manage Virtual Hub”
Click on “Secure NAT” (If you want a faster connection we can refer to my 2nd post on softether)
Secure NATSecure NAT
Enable the Virtual NAT
Again DO NOT enable SecureNAT and local bridge at the same time!

Done

You can try to connect to the vpn server through L2TP/IPSec.

from from http://archive.is/oQCgx
-------------------------------------------
















Softether on VPS Using Local Bridge

This post continues on the last post about Softether setup on a VPS.

Problem on SecureNAT

SecureNAT is a fairly simple way to setup Softether. You don’t need a lot of sysadmin skill and network understanding in order to get Softether up and running.
The problem is SecureNAT is a bit SLOW. I will show a comparison at the end of this article.
We can boost the performance using a local bridge.

Softether using local bridge

To start with you need Softether installed and setup. You can follow the guide on Softether on VPS
Just skip the last step “Enable the Virtual NAT”

Local bridge Setup

Network setup
VPN Server IP: 192.168.7.1
VPN Client IP Range: 192.168.7.50-192.168.7.60
Tap Device name: tap_soft
From here we go to the “Local Bridge Setting”
Local Bridge SettingLocal Bridge Setting
First we choose the Virtual Hub. It should be only one for normal setup.
Then we check the tap device box.
After that we type in the name of the tap device(I use soft here for simplicity).
Create Local BridgeCreate Local Bridge
After the creation of the local bridge we jump back to our server. And run
















1
# ifconfig tap_soft

It should show you something similar to this
Check on the serverCheck on the server
Because we are not going to use SecureNAT and SecureDHCP. We need to install a DHCP server on our VPS. We are going to use dnsmasq as our DHCP server.
















1
# apt-get install dnsmasq

Now edit the /etc/dnsmasq.conf file. Add these 3 lines at the end.
















1
2
3
interface=tap_soft
dhcp-range=tap_soft,192.168.7.50,192.168.7.60,12h
dhcp-option=tap_soft,3,192.168.7.1

The above 3 lines are used to enable the dhcp server on interface tap_soft.
Next step we need a new set of init script which will config tap interface for us when Softether start up.
















/etc/init.d/vpnserver
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable Softether by daemon.
### END INIT INFO
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.7.1

test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 1
/sbin/ifconfig tap_soft $TAP_ADDR
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 1
/sbin/ifconfig tap_soft $TAP_ADDR
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

Then we need to enable NAT on linux server.
Add this file to /etc/sysctl.d/ to enable ipv4 forwarding.
















/etc/sysctl.d/ipv4_forwarding.conf
1
net.ipv4.ip_forward = 1

Apply the sysctl run
















1
# sysctl --system

Then we add a POSTROUTING rule to iptables
















1
# iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source [YOUR VPS IP ADDRESS]

To make our iptables rule survive after reboot install iptables-persistent
















1
# apt-get install iptables-persistent

After all the above setting, restart the vpnserver then we are good to go.
















1
2
# /etc/init.d/vpnserver restart
# /etc/init.d/dnsmasq restart

Comparison on SecureNAT and local bridge method.
Speed test on local bridgeSpeed test on local bridgeSpeed test on SecureNATSpeed test on SecureNAT

Conclusion

Local bridge use far less CPU resources than SecureNAT. It is a bit trouble to setup but I think it is worth to use local bridge.
from http://archive.is/9MelR
----------------------------------

使用SoftEther设置VPN Server

SoftEther(means Software Ethernet) 是日本筑波大学的一个开源跨平台多协议的 VPN,是世界上最强大、易用的多协议VPN软件之一。可以运行在Windows、Linux、Mac、FreeBSD和Solaris上。支持SSL-VPN(HTTPS)及6种主流VPN协议(OpenVPN、IPsec、L2TP、MS-SSTP、L2TPv3和EtherIP)。
softether_arch
下面介绍如何使用SoftEther搭建VPN Server。

Step 1: 获取机器

Amazon AWS提供12个月每月750小时(31.25天)t2.micro实例随意搭配使用,你可以同时开10个Linux连续运行75小时,超过这个期限就要收费了。但搭建VPN只需要一个实例,所以时间足够了。建议选择比较近的DC,如Tokyo、Seoul。
在亚马逊上启动一台实例需要一个keypair,创建keypair时要把key(如tokyo.pem)保存下来,登陆或与虚机传数据都会用到这个key。















# 使用key来登陆时可能会遇到权限的问题
$ sudo chmod 500 tokyo.pem

# 登陆,instance-ip为实例占有的公网IP
$ sudo ssh -i tokyo.pem <instance-ip>

# 将本地file.txt拷贝到EC2实例
$ sudo scp -i tokyo.pem file.txt ec2-user@<instance-ip>:~/

# 将EC2实例中的数据拷贝到本地
$ sudo scp -i tokyo.pem ec2-user@<instance-ip>:~/remote-file.txt .

更新服务器上的软件
Debian/Ubuntu:















$ sudo apt-get update && sudo apt-get upgrade

# 编译SoftEther依赖的工具
$ sudo apt-get install build-essential -y

CentOS/RHEL:















$ sudo yum upgrade

# 编译SoftEther依赖的工具
$ sudo yum groupinstall "Development Tools"

Step 2: 获取SoftEther

SoftEther网站在国内访问不到,又不能在EC2实例上使用浏览器,这时需要用到文本网络浏览器lynx这个利器。
下载lynx
Debian/Ubuntu:















$ sudo apt-get install lynx -y

CentOS/RHEL:















# 在AWS RHEL EC2实例上安装lynx需要开启下面的通道
$ sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
$ sudo yum install lynx -y

下载softether















$ lynx http://www.softether-download.com/files/softether/

lynx
选择平台
platform
选择服务端软件
vpnserver
选择机器位数
64bit package
下载
download
SoftEther客户端也可以使用这种方式下载,之后通过前边的scp将其拷贝到本地。

Step 3: 安装并配置SoftEther
















# 解压
$ tar xzvf softether-vpn-v4.22-9634-beta-2016.11.24-linux-x64-64bit.tar.gz

# 编译
$ cd vpnserver
$ make

编译的过程中会多次提示License Agreement的选择,想用就选Yes(type ‘1’)。
lisence
配置















# 更改目录位置
$ cd ..
$ mv vpnserver /usr/local
$ cd /usr/local/vpnserver/

# 更改权限
$ sudo chmod 600 *
$ sudo chmod 700 vpnserver
$ sudo chmod 700 vpncmd

开机启动
将SoftEther创建问一个service,并配置开机自动启动。
首先创建一个文件vim /etc/init.d/vpnserver,将以下内容粘贴进去:















#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
case "$1" instart)
    $DAEMON start
    touch $LOCK
    ;;
stop)
    $DAEMON stop
    rm $LOCK
    ;;
restart)
    $DAEMON stop
    sleep 3
    $DAEMON start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esacexit 0

如果不存在/var/lock/subsys文件夹,则需要创建一个mkdir /var/lock/subsys
启动服务















# 启动
$ sudo chmod 755 /etc/init.d/vpnserver && /etc/init.d/vpnserver start

# 开机自启动
# Debian/Ubuntu
$ sudo update-rc.d vpnserver defaults

# CentOS/RHEL
$ sudo chkconfig --add vpnserver

Step 4: 更改Admin密码
















$ cd /var/local/vpnserver/
$ ./vpncmd    # 选择1 "Management of VPN Server or VPN Bridge"

# 在提示输入的地方直接按空格,设置服务密码
VPN Server> ServerPasswordSet

Step 5: 创建一个虚拟Hub
















$ cd /var/local/vpnserver/
$ ./vpncmd    # 选择1 "Management of VPN Server or VPN Bridge"

vpncmd
注意看上图的提示,如果选择连接到某一个Virtual Hub则写入Hub的名称,如果要使用Admin模式连接Server,则直接按Enter键。这一点很重要。创建Hub需要Admin权限。你可以根据提示符是VPN Server>还是VPN Server/VPN>来区分。















# 创建一个名为VPN的Hub
VPN Server> HubCreate VPN

# 进入名为VPN的Hub的上下文
VPN Server> Hub VPN

Step 6: Enable SecureNAT

SecureNAT需要绑定到特定的Virtual Hub上,所以这里需要进入Hub的上下文。















VPN Server/VPN> SecureNatEnable

Step 7: 创建用户并设置用户密码
















VPN Server/VPN> UserCreate zhjwpku
VPN Server/VPN> UserPasswordSet zhjwpku

usercreate

Step 8: Setup L2TP/IPsec

运行该命令需要Admin Mode。
ipsec

Step 9: Setup SSTP/OpenVPN

SoftEther支持Microsoft SSTP VPN和OpenVPN。















# 生成自签名证书
VPN Server> ServerCertRegenerate <instance-ip>

# 生成证书,该证书可被导入操作系统或浏览器
VPN Server> ServerCertGet ~/cert.cer

# enable OpenVPN
VPN Server> OpenVpnEnable yes /PORTS:1194

# 获取OpenVPN配置
VPN Server> OpenVpnMakeConfig ~/my_openvpn_config.zip

客户端设置

这里只讲在Windows上使用SoftEther客户端进行配置。安装SoftEther的过程很简单,略。
创建虚拟适配器
adapter
创建VPN连接
connetion
Tips:
SoftEther命令行可以说非常强大,本文只介绍了它的冰山一角,可以使用?help来查看其所有命令。AWS Free Tier提供的流量完全够自己使用,如果多人使用可能会超流量,这时候就会从你的信用卡上扣钱了。如果怀疑有恶意连接,则可以使用iftop来监控机器的带宽使用情况,并将恶意ip使用EC2的安全策略过滤掉。
另外,可以使用docker的方式来部署SoftEther VPN Server,这个我还没有试过,想玩的请参考[2]。
from http://archive.is/p8Xod