EdgeOS PPTP VPN客户端配置

By @sskaje
Link: https://sskaje.me/2014/12/edgeos-pptp-vpn%e5%ae%a2%e6%88%b7%e7%ab%af%e9%85%8d%e7%bd%ae/

背景及目标

买了个Ubnt EdgeRouter Lite，应同事的需求，研究配置自动翻墙。
考虑过之前配置的各种VPN：PPTP、L2TP、IPSec、AnyConnect/OpenConnect。目前搞定的只有PPTP。

本次配置使用远程PPTP Server，只考虑Google、Twitter和Facebook的自动翻墙，其他可以参照思路自己加路由和NAT。

环境

假设网络已经配置好，eth0为内网口，eth1为外网口。

配置

基本知识

默认账号密码为ubnt/ubnt，可以使用web（https）或SSH连接。本次配置以命令行为主，可以选择使用Web的Console或者SSH。

1 PPTP客户端

官方有文档，http://wiki.ubnt.com/PPTP_Client_-_CLI_Commands。
server-ip可以支持域名或者IP。

configure
edit interfaces pptp-client pptpc0
set user-id sskaje
set password sskaje
set server-ip sskaje.me
set require-mppe
commit
save
exit

connect interface pptpc0

configure

edit interfaces pptp-client pptpc0

set user-id sskaje

set password sskaje

set server-ip sskaje.me

set require-mppe

commit

save

exit

connect interface pptpc0

这些没什么可解释的。

2 确定目标网络IP段

Google

Google的IP段之前搞过一次，Google IP Address Ranges。spf纪录，点开文章看就行。

Twitter

Twitter的一样.

Facebook

Facebook的spf记录没什么用，但是官方给了个获取IP的方法：Sharing Best Practices for Websites & Mobile Apps

whois -h whois.radb.net -- '-i origin AS32934' | grep ^route

1	whois -h whois.radb.net -- '-i origin AS32934' \| grep ^route

这个表里有重复的，需要去重。

完成上述操作后，可能会整理出一个很多行的网段列表，而去很多网段可以合并。这里推荐自己写的网段合并的PHP类：https://github.com/sskaje/ip_calc.
整理之后，我人肉把所有的网络都合并成了 CIDR 16。

            network 8.8.0.0/16
            network 8.25.0.0/16
            network 23.21.0.0/16
            network 31.13.0.0/16
            network 45.64.0.0/16
            network 64.18.0.0/16
            network 64.233.0.0/16
            network 66.102.0.0/16
            network 66.220.0.0/16
            network 66.249.0.0/16
            network 69.63.0.0/16
            network 69.171.0.0/16
            network 72.14.0.0/16
            network 74.119.0.0/16
            network 74.125.0.0/16
            network 96.43.0.0/16
            network 103.4.0.0/16
            network 107.20.0.0/16
            network 173.194.0.0/16
            network 173.252.0.0/16
            network 179.60.0.0/16
            network 182.50.0.0/16
            network 185.60.0.0/16
            network 199.16.0.0/16
            network 199.59.0.0/16
            network 204.14.0.0/16
            network 204.15.0.0/16
            network 204.92.0.0/16
            network 207.126.0.0/16
            network 209.85.0.0/16
            network 216.239.0.0/16

network 8.8.0.0/16

network 8.25.0.0/16

network 23.21.0.0/16

network 31.13.0.0/16

network 45.64.0.0/16

network 64.18.0.0/16

network 64.233.0.0/16

network 66.102.0.0/16

network 66.220.0.0/16

network 66.249.0.0/16

network 69.63.0.0/16

network 69.171.0.0/16

network 72.14.0.0/16

network 74.119.0.0/16

network 74.125.0.0/16

network 96.43.0.0/16

network 103.4.0.0/16

network 107.20.0.0/16

network 173.194.0.0/16

network 173.252.0.0/16

network 179.60.0.0/16

network 182.50.0.0/16

network 185.60.0.0/16

network 199.16.0.0/16

network 199.59.0.0/16

network 204.14.0.0/16

network 204.15.0.0/16

network 204.92.0.0/16

network 207.126.0.0/16

network 209.85.0.0/16

network 216.239.0.0/16

3 配置Firewall Network Group

~~配置Network Group的目的是给NAT用。~~
没什么用

set firewall group network-group GFW-IPv4 description "GFW IPv4 Addresses"
set firewall group network-group GFW-IPv4 network 8.8.0.0/16
set firewall group network-group GFW-IPv4 network 8.25.0.0/16
set firewall group network-group GFW-IPv4 network 23.21.0.0/16
set firewall group network-group GFW-IPv4 network 31.13.0.0/16
set firewall group network-group GFW-IPv4 network 45.64.0.0/16
set firewall group network-group GFW-IPv4 network 64.18.0.0/16
set firewall group network-group GFW-IPv4 network 64.233.0.0/16
set firewall group network-group GFW-IPv4 network 66.102.0.0/16
set firewall group network-group GFW-IPv4 network 66.220.0.0/16
set firewall group network-group GFW-IPv4 network 66.249.0.0/16
set firewall group network-group GFW-IPv4 network 69.63.0.0/16
set firewall group network-group GFW-IPv4 network 69.171.0.0/16
set firewall group network-group GFW-IPv4 network 72.14.0.0/16
set firewall group network-group GFW-IPv4 network 74.119.0.0/16
set firewall group network-group GFW-IPv4 network 74.125.0.0/16
set firewall group network-group GFW-IPv4 network 96.43.0.0/16
set firewall group network-group GFW-IPv4 network 103.4.0.0/16
set firewall group network-group GFW-IPv4 network 107.20.0.0/16
set firewall group network-group GFW-IPv4 network 173.194.0.0/16
set firewall group network-group GFW-IPv4 network 173.252.0.0/16
set firewall group network-group GFW-IPv4 network 179.60.0.0/16
set firewall group network-group GFW-IPv4 network 182.50.0.0/16
set firewall group network-group GFW-IPv4 network 185.60.0.0/16
set firewall group network-group GFW-IPv4 network 199.16.0.0/16
set firewall group network-group GFW-IPv4 network 199.59.0.0/16
set firewall group network-group GFW-IPv4 network 204.14.0.0/16
set firewall group network-group GFW-IPv4 network 204.15.0.0/16
set firewall group network-group GFW-IPv4 network 204.92.0.0/16
set firewall group network-group GFW-IPv4 network 207.126.0.0/16
set firewall group network-group GFW-IPv4 network 209.85.0.0/16
set firewall group network-group GFW-IPv4 network 216.239.0.0/16

set firewall group network-group GFW-IPv4 description "GFW IPv4 Addresses"

set firewall group network-group GFW-IPv4 network 8.8.0.0/16

set firewall group network-group GFW-IPv4 network 8.25.0.0/16

set firewall group network-group GFW-IPv4 network 23.21.0.0/16

set firewall group network-group GFW-IPv4 network 31.13.0.0/16

set firewall group network-group GFW-IPv4 network 45.64.0.0/16

set firewall group network-group GFW-IPv4 network 64.18.0.0/16

set firewall group network-group GFW-IPv4 network 64.233.0.0/16

set firewall group network-group GFW-IPv4 network 66.102.0.0/16

set firewall group network-group GFW-IPv4 network 66.220.0.0/16

set firewall group network-group GFW-IPv4 network 66.249.0.0/16

set firewall group network-group GFW-IPv4 network 69.63.0.0/16

set firewall group network-group GFW-IPv4 network 69.171.0.0/16

set firewall group network-group GFW-IPv4 network 72.14.0.0/16

set firewall group network-group GFW-IPv4 network 74.119.0.0/16

set firewall group network-group GFW-IPv4 network 74.125.0.0/16

set firewall group network-group GFW-IPv4 network 96.43.0.0/16

set firewall group network-group GFW-IPv4 network 103.4.0.0/16

set firewall group network-group GFW-IPv4 network 107.20.0.0/16

set firewall group network-group GFW-IPv4 network 173.194.0.0/16

set firewall group network-group GFW-IPv4 network 173.252.0.0/16

set firewall group network-group GFW-IPv4 network 179.60.0.0/16

set firewall group network-group GFW-IPv4 network 182.50.0.0/16

set firewall group network-group GFW-IPv4 network 185.60.0.0/16

set firewall group network-group GFW-IPv4 network 199.16.0.0/16

set firewall group network-group GFW-IPv4 network 199.59.0.0/16

set firewall group network-group GFW-IPv4 network 204.14.0.0/16

set firewall group network-group GFW-IPv4 network 204.15.0.0/16

set firewall group network-group GFW-IPv4 network 204.92.0.0/16

set firewall group network-group GFW-IPv4 network 207.126.0.0/16

set firewall group network-group GFW-IPv4 network 209.85.0.0/16

set firewall group network-group GFW-IPv4 network 216.239.0.0/16

4 NAT

这块我是从web端点的，没有去看命令怎么配。贴一段配置文件：

    nat {
        rule 5000 {
            description "masq to pptp"
            log disable
            outbound-interface pptpc0
            protocol all
            type masquerade
        }
        rule 5001 {
            description default
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
    }

nat {

rule 5000 {

description "masq to pptp"

log disable

outbound-interface pptpc0

protocol all

type masquerade

}

rule 5001 {

description default

log disable

outbound-interface eth1

protocol all

type masquerade

}

5 静态路由

人肉点或者命令行用如下参数：

set protocols static interface-route 10.1.1.0/24 next-hop-interface pptpc0

1	set protocols static interface-route 10.1.1.0/24 next-hop-interface pptpc0

自己替换一下上边的网络列表

6 DNS

DNS污染是墙的基本功能。
系统自带的DNS服务基于Dnsmasq, 文档在 http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
按照如下参数配置所有需要使用vpn解析的域名记录。

set service dns forwarding options server=/google.com/8.8.8.8

1	set service dns forwarding options server=/google.com/8.8.8.8

完

EdgeOS PPTP VPN客户端配置 by @sskaje: https://sskaje.me/2014/12/edgeos-pptp-vpn%e5%ae%a2%e6%88%b7%e7%ab%af%e9%85%8d%e7%bd%ae/