Link: https://sskaje.me/2014/12/edgeos-pptp-vpn%e5%ae%a2%e6%88%b7%e7%ab%af%e9%85%8d%e7%bd%ae/
Background and goals
I bought a Ubnt EdgeRouter Lite and, at a colleague's request, looked into configuring automatic circumvention (routing selected destinations over a VPN).
I considered the VPN types I had set up before: PPTP, L2TP, IPsec and AnyConnect/OpenConnect. So far only PPTP works.
This setup uses a remote PPTP server and only covers automatic circumvention for Google, Twitter and Facebook; for other sites, follow the same approach and add the routes and NAT yourself.
Environment
Assume the network is already configured, with eth0 as the LAN interface and eth1 as the WAN interface.
Configuration
Basics
The default username/password is ubnt/ubnt; you can connect via the web UI (HTTPS) or SSH. This walkthrough is command-line based; use either the web Console or SSH.
1 PPTP client
There is official documentation: http://wiki.ubnt.com/PPTP_Client_-_CLI_Commands.
server-ip accepts either a hostname or an IP address.
configure
edit interfaces pptp-client pptpc0
set user-id sskaje
set password sskaje
set server-ip sskaje.me
set require-mppe
commit
save
exit
connect interface pptpc0
Nothing here needs explanation.
2 Determine the target network ranges
I worked out Google's IP ranges once before, in Google IP Address Ranges; they come from the SPF records, so just open that post.
Twitter is the same.
Facebook's SPF record is not much use, but Facebook officially documents a way to obtain its IP ranges: Sharing Best Practices for Websites & Mobile Apps
whois -h whois.radb.net -- '-i origin AS32934' | grep ^route
This list contains duplicates and needs de-duplicating.
After the above you may end up with a list of many prefixes, and many of them can be merged. I recommend my own PHP class for merging prefixes: https://github.com/sskaje/ip_calc.
After tidying up, I manually merged all the networks into /16 CIDR blocks.
network 8.8.0.0/16
network 8.25.0.0/16
network 23.21.0.0/16
network 31.13.0.0/16
network 45.64.0.0/16
network 64.18.0.0/16
network 64.233.0.0/16
network 66.102.0.0/16
network 66.220.0.0/16
network 66.249.0.0/16
network 69.63.0.0/16
network 69.171.0.0/16
network 72.14.0.0/16
network 74.119.0.0/16
network 74.125.0.0/16
network 96.43.0.0/16
network 103.4.0.0/16
network 107.20.0.0/16
network 173.194.0.0/16
network 173.252.0.0/16
network 179.60.0.0/16
network 182.50.0.0/16
network 185.60.0.0/16
network 199.16.0.0/16
network 199.59.0.0/16
network 204.14.0.0/16
network 204.15.0.0/16
network 204.92.0.0/16
network 207.126.0.0/16
network 209.85.0.0/16
network 216.239.0.0/16
3 Configure a firewall network group
The network group is configured for use by NAT.
Not that it is much use.
set firewall group network-group GFW-IPv4 description "GFW IPv4 Addresses"
set firewall group network-group GFW-IPv4 network 8.8.0.0/16
set firewall group network-group GFW-IPv4 network 8.25.0.0/16
set firewall group network-group GFW-IPv4 network 23.21.0.0/16
set firewall group network-group GFW-IPv4 network 31.13.0.0/16
set firewall group network-group GFW-IPv4 network 45.64.0.0/16
set firewall group network-group GFW-IPv4 network 64.18.0.0/16
set firewall group network-group GFW-IPv4 network 64.233.0.0/16
set firewall group network-group GFW-IPv4 network 66.102.0.0/16
set firewall group network-group GFW-IPv4 network 66.220.0.0/16
set firewall group network-group GFW-IPv4 network 66.249.0.0/16
set firewall group network-group GFW-IPv4 network 69.63.0.0/16
set firewall group network-group GFW-IPv4 network 69.171.0.0/16
set firewall group network-group GFW-IPv4 network 72.14.0.0/16
set firewall group network-group GFW-IPv4 network 74.119.0.0/16
set firewall group network-group GFW-IPv4 network 74.125.0.0/16
set firewall group network-group GFW-IPv4 network 96.43.0.0/16
set firewall group network-group GFW-IPv4 network 103.4.0.0/16
set firewall group network-group GFW-IPv4 network 107.20.0.0/16
set firewall group network-group GFW-IPv4 network 173.194.0.0/16
set firewall group network-group GFW-IPv4 network 173.252.0.0/16
set firewall group network-group GFW-IPv4 network 179.60.0.0/16
set firewall group network-group GFW-IPv4 network 182.50.0.0/16
set firewall group network-group GFW-IPv4 network 185.60.0.0/16
set firewall group network-group GFW-IPv4 network 199.16.0.0/16
set firewall group network-group GFW-IPv4 network 199.59.0.0/16
set firewall group network-group GFW-IPv4 network 204.14.0.0/16
set firewall group network-group GFW-IPv4 network 204.15.0.0/16
set firewall group network-group GFW-IPv4 network 204.92.0.0/16
set firewall group network-group GFW-IPv4 network 207.126.0.0/16
set firewall group network-group GFW-IPv4 network 209.85.0.0/16
set firewall group network-group GFW-IPv4 network 216.239.0.0/16
4 NAT
I clicked this through the web UI and did not look up the CLI commands. Here is the resulting configuration fragment:
nat {
    rule 5000 {
        description "masq to pptp"
        log disable
        outbound-interface pptpc0
        protocol all
        type masquerade
    }
    rule 5001 {
        description default
        log disable
        outbound-interface eth1
        protocol all
        type masquerade
    }
}
5 Static routes
Either click through manually or use the following command on the CLI:
set protocols static interface-route 10.1.1.0/24 next-hop-interface pptpc0
Substitute each network from the list above for 10.1.1.0/24.
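Sections 2, 3 and 5 are one pipeline: take the `route:` lines from whois, drop duplicates, merge overlapping prefixes, then emit one `set firewall group network-group` line and one `set protocols static interface-route` line per prefix. The following is an added example that does this in Python with the standard `ipaddress` module; it is not the post's own code (the author used the PHP class at https://github.com/sskaje/ip_calc). The whois sample, the group name GFW-IPv4 and the interface name pptpc0 are taken from the post; the function names and the test addresses are constructed for this example.

```python
"""Turn whois route announcements into EdgeOS network-group and static-route commands.

Added example, not the post's own code. Runs offline on a constructed sample of
`whois -h whois.radb.net -- '-i origin AS32934' | grep ^route` output.
"""
import ipaddress
import re

# Constructed sample: the real output for AS32934 is far longer and, as the
# post notes, contains duplicates and prefixes that overlap one another.
SAMPLE_WHOIS = """\
route:          31.13.64.0/18
route:          31.13.24.0/21
route:          31.13.64.0/18
route:          31.13.64.0/19
route:          69.63.176.0/20
route:          69.63.176.0/21
route:          69.63.184.0/21
route:          173.252.64.0/18
route:          173.252.64.0/19
route:          173.252.96.0/19
route:          204.15.20.0/22
"""

ROUTE_LINE = re.compile(r"^route:\s*(\S+)\s*$", re.MULTILINE)


def parse_routes(text):
    """Return the unique IPv4 prefixes from 'route:' lines, keeping first-seen order."""
    unique = []
    for cidr in ROUTE_LINE.findall(text):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4 and net not in unique:
            unique.append(net)
    return unique


def aggregate(networks, max_prefixlen=None):
    """Collapse overlapping and adjacent prefixes into the smallest equivalent set.

    If max_prefixlen is given (the post used 16), every prefix longer than that is
    first widened to its /max_prefixlen supernet. That shortens the route table but
    the result also covers addresses the AS never announced, so unrelated hosts in
    those /16s are sent over the VPN too.
    """
    if max_prefixlen is not None:
        networks = [n.supernet(new_prefix=max_prefixlen) if n.prefixlen > max_prefixlen else n
                    for n in networks]
    # collapse_addresses merges duplicates, contained prefixes and adjacent pairs
    # and yields the result sorted by network address.
    return list(ipaddress.collapse_addresses(networks))


def edgeos_commands(networks, group="GFW-IPv4", vpn_if="pptpc0"):
    """Emit the `set` lines from sections 3 and 5 of the post for each prefix."""
    lines = [f'set firewall group network-group {group} description "GFW IPv4 Addresses"']
    lines += [f"set firewall group network-group {group} network {n}" for n in networks]
    lines += [f"set protocols static interface-route {n} next-hop-interface {vpn_if}"
              for n in networks]
    return lines


def covering_route(ip, networks):
    """Return the aggregated prefix that would carry traffic for `ip`, or None.

    Handy for checking that the addresses a domain actually resolves to fall
    inside the set routed over pptpc0; a None means that host still leaves via eth1.
    """
    addr = ipaddress.ip_address(ip)
    for n in networks:
        if addr in n:
            return n
    return None


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_WHOIS)
    exact = aggregate(routes)
    wide = aggregate(routes, max_prefixlen=16)
    print(f"{len(routes)} unique prefixes -> {len(exact)} aggregated -> {len(wide)} as /16")
    print("\n".join(edgeos_commands(exact)))
    # Constructed addresses for the check; 8.8.8.8 is deliberately outside the sample.
    print(covering_route("31.13.70.36", exact), covering_route("8.8.8.8", exact))
```

Pipe the real whois output into `parse_routes`, paste the emitted lines into `configure` and follow with `commit` and `save`. Running `aggregate` without `max_prefixlen` keeps the exact announced set; passing `max_prefixlen=16` reproduces the post's hand-merged /16 list for the prefixes in the sample, at the cost of over-covering.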
6 DNS
DNS poisoning is one of the wall's basic functions.
The system's built-in DNS service is based on Dnsmasq; documentation: http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
Configure every domain that should be resolved through the VPN with a parameter like the following. Because 8.8.0.0/16 is in the route list above, the forwarded queries themselves travel over pptpc0 rather than the poisoned path.
set service dns forwarding options server=/google.com/8.8.8.8
Done.