Saturday, 3 March 2018

VPN solution: SigmaVPN

git clone https://github.com/neilalexander/sigmavpn
cd sigmavpn
make (this step fails if libsodium is not installed)
cd ~
wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.16.tar.gz
tar zxvf libsodium-1.0.16.tar.gz
cd libsodium-1.0.16
./configure
make
make install
ldconfig

cd ~/sigmavpn
make (this time make succeeds and produces the executable sigmavpn in the current directory)

root@ar:~/sigmavpn# ls
Makefile  intf.h     modules.h        naclkeypair.o  proto       tai.c
dep      main.c     modules.o        pack.c       proto.h     tai.h
extras      main.o     naclkeypair    pack.h       sigmavpn    tai.o
intf      modules.c  naclkeypair.c  pack.o       sigmavpn.1  types.h
root@ar:~/sigmavpn# ./sigmavpn
SigmaVPN.
Copyright (c) 2011 Neil Alexander T. All rights reserved.
Configuration file '/usr/local/etc/sigmavpn.conf' could not be parsed
root@ar:~/sigmavpn#
(The message means the default configuration file /usr/local/etc/sigmavpn.conf was not found; write one and pass its path with -c.)

In this issue, https://github.com/neilalexander/sigmavpn/issues/8, the program's author says:
There are some details on Google Code: https://code.google.com/p/sigmavpn/wiki/Configuration


https://github.com/neilalexander/sigmavpn
https://code.google.com/p/sigmavpn/wiki/Configuration
https://code.google.com/archive/p/sigmavpn/wikis/Configuration.wiki 

https://gist.github.com/clowwindy/57d44b69741992d3eaa3
-------------

SigmaVPN Android Setup


A short guide to setting up SigmaVPN for Android. SigmaVPN for Android requires the peer to be running SigmaVPN or QuickTun. This guide uses SigmaVPN for Android v0.27 (2013-06-05) and SigmaVPN commit c05cccfa2277a6c186e62e6cb85bd9fedcf3bbcd on 2014-06-18.

A TUN/TAP interface provides a virtual TUNnel for IP packets, or a virtual network TAP for Ethernet frames. SigmaVPN for Android supports only the TUN interface.

A TUN device needs to be configured with a network range. SigmaVPN requires a separate TUN device for each peer Android device. Since it is a point-to-point arrangement, we will create a /30 network for each peer Android device. Let's use the private range 172.30.172.0/30 for the first TUN device. We'll assign 172.30.172.1 to the TUN device on the SigmaVPN host, and 172.30.172.2 to the TUN device created by SigmaVPN for Android.

Bare-bone Setup

SigmaVPN host setup:
# Generate keys for the SigmaVPN host.
$ naclkeypair
PRIVATE KEY: 55467491bb51b6166add9c22c560a6a0ce0ca8836aab29db5d6fd3abd56eec2b 
PUBLIC KEY: fce78ab3177a6541713ab826e735521f2764a450dc168b7a0c30107a3e04f45b 

# Creates the tun device.
$ ip tuntap add dev tun0 mode tun
$ ip addr add 172.30.172.1/30 dev tun0
# Let's not introduce unnecessary fragmentation.
$ ip link set dev tun0 mtu 1400 
# Activate the interface.
$ ip link set dev tun0 up

$ cat > /etc/sigmavpn.conf << 'EOF'
# Comments are allowed
[firstandroiddevicename]
# Don't use nacl0 which is not secure.
proto = nacltai
# Remote's public key, get this from SigmaVPN for Android side.
proto_publickey = 8fa2b21bc9b7188067b75255232d571de254cba2dc7a960312db754842f4c72a
# Local's private key, this will be the PRIVATE KEY from the earlier naclkeypair invocation.
proto_privatekey = 55467491bb51b6166add9c22c560a6a0ce0ca8836aab29db5d6fd3abd56eec2b
local = tuntap
local_interface = tun0
# Tell SigmaVPN that tun0 is a tun device since in Linux the TUN device can be named anything.
local_tunmode = 1
# SigmaVPN for Android requires protocol info to be disabled.
local_protocolinfo = 0
peer = udp
# The address of SigmaVPN for Android device will be changing constantly.
peer_remotefloat = 1
# Where SigmaVPN should be listening for UDP. Typically this will be the address of the Internet-bound network interface.
peer_localaddr = 10.0.0.1
# Choose whatever port, SigmaVPN does not have a default port number.
peer_localport = 5678
EOF

$ sigmavpn -c  /etc/sigmavpn.conf
SigmaVPN.
Copyright (c) 2011 Neil Alexander T. All rights reserved.
Using configuration file '/etc/sigmavpn.conf'
firstandroiddevicename: Session active
Remote endpoint is now 1.2.3.4:5977

SigmaVPN for Android setup:
  • Tunnel/Remote Address & Port: the Internet address of the SigmaVPN host.
  • Tunnel/Remote Public Key: the SigmaVPN's host public key for this device.
  • Tunnel/Use TAI64 nonce: always enable this.
  • Network/Tunnel Address Prefix: 172.30.172.2/30
  • Network/Static Route: what ranges should be routed through the VPN. If not specified, only 172.30.172.0/30 will be.
  • Network/DNS Servers: if not specified, will use the DNS server  
At this point, you should be able to ping 172.30.172.1 from the Android device, and 172.30.172.2 from the SigmaVPN host.

Internet Access for the Android Device

Additional setup is needed if you want the Android device to reach the Internet through the SigmaVPN host.

On the SigmaVPN host (assuming Linux):
# Enable IP forwarding.
sysctl -w net.ipv4.ip_forward=1
# Masquerade traffic from VPN to the Internet, assuming eth0 is the Internet-bound network interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow established traffic to be forwarded. (These FORWARD rules only restrict
# anything if the chain's default policy is DROP; with the default ACCEPT policy
# everything is forwarded regardless.)
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow traffic initiated from VPN to access the world.
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT

SigmaVPN for Android setup:
  • Network/Static Route: 0.0.0.0/0
  • Network/DNS Servers: get it from /etc/resolv.conf on the SigmaVPN host

A Second Android Device

  • New keys on the SigmaVPN host for this peer (run naclkeypair again). You can reuse the first pair, but then losing one Android device means re-keying all the others.
  • A new TUN device with a different range, let's say 172.30.172.4/30.
  • The TUN address on the SigmaVPN host is 172.30.172.5/30.
  • SigmaVPN on the host must listen on a different port.
  • SigmaVPN for Android's Network/Tunnel Address Prefix: 172.30.172.6/30.
  • If you want the second Android device to access the Internet:
    iptables -A FORWARD -i tun1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT

from http://workiis.blogspot.com/2015/03/sigmavpn-android-setup.html
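The guide above allocates one /30, one TUN device and one UDP listen port per Android peer (172.30.172.0/30 for the first device, 172.30.172.4/30 for the second) and writes one config stanza per peer. The following is an added example, not code from the quoted guide or from SigmaVPN, that generalises that layout to any number of peers: it carves successive /30s out of a block, gives the host the first usable address and the Android device the second, and renders the per-peer sigmavpn.conf stanza and host commands in the form shown above. The peer names, the 172.30.172.0/29 block and the 64-hex key strings are constructed placeholders; real keys come from naclkeypair and from the Android app.

```python
"""Plan one /30 point-to-point tunnel per SigmaVPN-for-Android peer.

Added example (not from the quoted guide or from SigmaVPN). It follows the
layout the guide describes: one TUN device, one /30 and one UDP listen port
per peer, the SigmaVPN host on the first usable address and the Android device
on the second. All names, addresses and key strings are constructed.
"""
import ipaddress
from typing import Dict, List


def plan_peers(block: str, names: List[str], first_port: int = 5678) -> List[Dict[str, object]]:
    """Carve successive /30s out of `block`; peer i gets device tun<i> and port first_port+i."""
    subnets = ipaddress.ip_network(block).subnets(new_prefix=30)
    plan = []
    for idx, name in enumerate(names):
        try:
            sub = next(subnets)
        except StopIteration:
            raise ValueError(f"{block} holds fewer than {len(names)} /30 networks") from None
        host, android = list(sub.hosts())  # a /30 has exactly two usable addresses
        plan.append({
            "name": name,
            "dev": f"tun{idx}",
            "host_addr": f"{host}/30",           # address of the host's TUN device
            "android_prefix": f"{android}/30",   # Network/Tunnel Address Prefix in the app
            "port": first_port + idx,            # each peer needs its own listen port
        })
    return plan


def render_conf(peer: Dict[str, object], remote_pubkey: str, local_privkey: str,
                listen_addr: str) -> str:
    """One [section] in the sigmavpn.conf syntax used by the guide.

    remote_pubkey is the Android app's public key; local_privkey is the
    private key naclkeypair produced on the host for this peer.
    """
    lines = [
        f"[{peer['name']}]",
        "proto = nacltai",
        f"proto_publickey = {remote_pubkey}",
        f"proto_privatekey = {local_privkey}",
        "local = tuntap",
        f"local_interface = {peer['dev']}",
        "local_tunmode = 1",
        "local_protocolinfo = 0",
        "peer = udp",
        "peer_remotefloat = 1",
        f"peer_localaddr = {listen_addr}",
        f"peer_localport = {peer['port']}",
    ]
    return "\n".join(lines) + "\n"


def render_host_commands(peer: Dict[str, object], wan: str = "eth0", mtu: int = 1400) -> List[str]:
    """Interface creation and the per-device FORWARD rule, as in the guide."""
    dev = peer["dev"]
    return [
        f"ip tuntap add dev {dev} mode tun",
        f"ip addr add {peer['host_addr']} dev {dev}",
        f"ip link set dev {dev} mtu {mtu}",
        f"ip link set dev {dev} up",
        f"iptables -A FORWARD -i {dev} -o {wan} -m conntrack --ctstate NEW -j ACCEPT",
    ]


if __name__ == "__main__":
    # Constructed placeholders: 64 hex chars stand in for real naclkeypair / app output.
    fake_remote_pub = "11" * 32
    fake_local_priv = "22" * 32
    peers = plan_peers("172.30.172.0/29", ["firstandroiddevicename", "secondandroiddevicename"])
    for peer in peers:
        print("\n".join(render_host_commands(peer)))
        print(render_conf(peer, fake_remote_pub, fake_local_priv, "10.0.0.1"))
```

The planner refuses to run past the end of the block rather than silently reusing a /30, and it hands out a fresh port per peer because, as the guide notes, each peer's SigmaVPN instance must listen on its own port.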
-----

Installing SigmaVPN


Install SigmaVPN on Raspbian (Raspberry Pi)

The configuration below still has an unresolved problem: when connecting to the server from SigmaVPN on Android, it reports a data decryption FAIL. The cause is unknown; I think it is a bug in the SigmaVPN software. In the end I set up a Shadowsocks server and use the Shadowsocks Android client (影梭) in global mode, which lets me reach every resource on my home LAN from outside.

Getting the SigmaVPN source

Fetch the code from GitHub:
git clone https://github.com/neilalexander/sigmavpn.git

Installing libsodium

SigmaVPN depends on libsodium; install it:
sudo apt-get install libsodium-dev

Building SigmaVPN

$ cd sigmavpn
$ make
The build prints the following and finishes; I had not expected it to compile this easily.
cc -I/usr/local/include -O2 -fPIC -Wall -Wextra -c naclkeypair.c -o naclkeypair.o
cc -I/usr/local/include -O2 -fPIC -Wall -Wextra -c pack.c -o pack.o
cc -I/usr/local/include -O2 -fPIC -Wall -Wextra -c tai.c -o tai.o
cc -o naclkeypair naclkeypair.o -L/usr/local/lib -lsodium -ldl -pthread
cc -o sigmavpn main.o modules.o dep/ini.o -L/usr/local/lib -lsodium -ldl -pthread
cc -I/usr/local/include -I/usr/local/include proto/proto_raw.c -o proto/proto_raw.o -O2 -fPIC -Wall -Wextra -shared -L/usr/local/lib -lsodium
cc -I/usr/local/include -I/usr/local/include proto/proto_nacl0.c pack.o -o proto/proto_nacl0.o -O2 -fPIC -Wall -Wextra -shared -L/usr/local/lib -lsodium
cc -I/usr/local/include -I/usr/local/include proto/proto_nacltai.c pack.o tai.o -o proto/proto_nacltai.o -O2 -fPIC -Wall -Wextra -shared -L/usr/local/lib -lsodium
cc -I/usr/local/include intf/intf_tuntap.c -o intf/intf_tuntap.o -O2 -fPIC -Wall -Wextra -shared
cc -I/usr/local/include intf/intf_udp.c -o intf/intf_udp.o -O2 -fPIC -Wall -Wextra -shared

sigmavpn runtime files

Rather than installing sigmavpn, copy out just the files it needs at run time. sigmavpn is modular and loads the .o files from proto and intf (despite the extension, the Makefile builds them with -shared, so they are loadable modules rather than plain object files).
mkdir -p ~/tools/sigmavpn
cp naclkeypair  ~/tools/sigmavpn/
cp sigmavpn     ~/tools/sigmavpn/
cp ./proto/*.o  ~/tools/sigmavpn/
cp ./intf/*.o   ~/tools/sigmavpn/

SigmaVPN configuration

I based the configuration on clowwindy's: https://gist.github.com/clowwindy/57d44b69741992d3eaa3

Generate the key pair

Run naclkeypair to generate the Raspberry Pi's key pair; its PRIVATE KEY is the proto_privatekey value.
cd ~/tools/sigmavpn/
./naclkeypair

Create vpn.conf

Here 192.168.1.104 is the Raspberry Pi's LAN address; on a VPS use its public IP instead (behind a home router, also forward UDP port 5678 to the Pi and point the Android client at the router's public address). Replace proto_privatekey with the PRIVATE KEY printed above. Take care with proto_publickey: as the previous section explains, it is the remote peer's public key, i.e. the public key shown by SigmaVPN for Android, not the PUBLIC KEY that naclkeypair printed on the Pi. If both slots are filled from the Pi's own key pair, the two ends derive different shared secrets and neither can decrypt the other's packets.
[mysigmavpn]
proto = nacltai
proto_publickey = ce499073fc29bda865d0e0a4a4cf82428252409734de4691242804e45fa67e3d
proto_privatekey = 76db698a3ef69b0e1158a4cb238ee72a1cc5d30ed1c6fadeaa4c62549e02d95d
local = tuntap
local_interface = tunnel
local_tunmode = 1
peer = udp
peer_localaddr = 192.168.1.104
peer_localport = 5678
peer_remotefloat = 1
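The guide earlier on this page states that proto_publickey is the remote peer's public key and proto_privatekey the local private key, while the Raspberry Pi section fills both slots from a single naclkeypair run. The following is an added example, not code from this post or from SigmaVPN: a small linter for a sigmavpn.conf that catches exactly that mix-up. It assumes naclkeypair emits a Curve25519 crypto_box key pair (libsodium's crypto_box_keypair), recomputes the public key from proto_privatekey with X25519 as specified in RFC 7748, and flags a stanza whose proto_publickey is the host's own key. It also flags proto = nacl0 (which the guide says not to use), malformed keys, a missing local_tunmode and a missing listen port. sample_conf() builds constructed configs in the post's format; the key used in the main block is the RFC 7748 test vector, not a key from this page.

```python
"""Sanity-check a sigmavpn.conf before starting the daemon.

Added example, not part of this post or of SigmaVPN. It enforces the key
semantics the earlier guide states (proto_publickey = the REMOTE peer's public
key, proto_privatekey = the LOCAL private key) and assumes that naclkeypair
produces a Curve25519 crypto_box key pair, so the local public key can be
recomputed from the private key with X25519 (RFC 7748) and compared with the
key sitting in the remote slot. The configs built by sample_conf() are constructed.
"""
import configparser
import re
from typing import List

P = 2**255 - 19          # field prime of Curve25519
A24 = 121665             # (486662 - 2) / 4
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder (not constant time; fine for a config linter)."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ((1 << 255) - 1)) | (1 << 254)        # clamp as in decodeScalar25519
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_from_private(priv_hex: str) -> str:
    """Curve25519 public key = X25519(private, basepoint 9): what naclkeypair prints as PUBLIC KEY."""
    return x25519(bytes.fromhex(priv_hex), (9).to_bytes(32, "little")).hex()


def check_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means every stanza looks sane."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        s = cp[name]
        pub, priv = s.get("proto_publickey", ""), s.get("proto_privatekey", "")
        if s.get("proto") == "nacl0":
            findings.append(f"{name}: proto nacl0 is the variant the guide flags as insecure; use nacltai")
        if not (HEX64.match(pub) and HEX64.match(priv)):
            findings.append(f"{name}: proto_publickey/proto_privatekey must be 64 hex chars (32 bytes)")
            continue
        if pub.lower() == public_from_private(priv):
            findings.append(f"{name}: proto_publickey is this host's own public key; it must be the "
                            "remote peer's (the Android app's) public key, or neither side can decrypt")
        if s.get("local") == "tuntap" and s.get("local_tunmode") != "1":
            findings.append(f"{name}: local_tunmode = 1 is required for a tun device")
        if "peer_localport" not in s:
            findings.append(f"{name}: peer_localport is missing and SigmaVPN has no default port")
    return findings


def sample_conf(pub: str, priv: str, proto: str = "nacltai") -> str:
    """Constructed config in the post's format, parameterised on the key slots."""
    return (
        "[mysigmavpn]\n"
        f"proto = {proto}\n"
        f"proto_publickey = {pub}\n"
        f"proto_privatekey = {priv}\n"
        "local = tuntap\nlocal_interface = tunnel\nlocal_tunmode = 1\n"
        "peer = udp\npeer_localaddr = 192.168.1.104\npeer_localport = 5678\npeer_remotefloat = 1\n"
    )


if __name__ == "__main__":
    # RFC 7748 section 6.1 test vector (Alice's private key), used here as the host's key.
    alice_priv = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
    alice_pub = public_from_private(alice_priv)
    other_pub = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"  # RFC 7748 Bob
    print("crossed keys:", check_conf(sample_conf(other_pub, alice_priv)))
    print("own key in remote slot:", check_conf(sample_conf(alice_pub, alice_priv)))
```

Run it against the real vpn.conf with check_conf(open("vpn.conf").read()) before starting sigmavpn; a tunnel whose server stanza carries the server's own public key fails to decrypt in both directions, which is worth ruling out before suspecting the software.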

Create the tunnel interface and configure iptables

sudo ip tuntap add dev tunnel mode tun
sudo ifconfig tunnel 10.8.0.1/24
sudo ifconfig tunnel mtu 1440
sudo sysctl -w net.ipv4.ip_forward=1   # not 'sudo echo 1 > /proc/sys/...': the redirection would run in the unprivileged shell
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o tunnel -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i tunnel -o eth0 -j ACCEPT
sudo iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

Start sigmavpn

./sigmavpn -c vpn.conf -m . &
-m specifies the directory containing the module .o files.

Configure the SigmaVPN client on Android

Install the SigmaVPN client from the app store.

TUNNEL settings

Remote Address: the peer_localaddr from vpn.conf (or the router's public address if the Pi is behind NAT)
Remote Port: the peer_localport from vpn.conf
Remote Public Key: the Raspberry Pi's PUBLIC KEY as printed by naclkeypair (the partner of the proto_privatekey in vpn.conf)
Check Use TAI64 nonce

NETWORK settings

Tunnel Address Prefix: 10.8.0.2/24
Once configured, tap CONNECT on the STATUS page and check that the VPN key icon appears in the status bar.
