TunnelBroker for EdgeRouter Lite

Creating the tunnel

Living under an ISP like Beijing Unicom, which gives you no IPv6 at all, there is always the urge to get over the wall via v6.
There are plenty of free tunnel services; the best known is HE.net's TunnelBroker.

First, apply for a tunnel.
Visit:

After registering and logging in, create a tunnel and enter your router's current public IP, “YOUR.ROUTER.INTERNET.IP”.

Once it is created you will be redirected to

The XXXXX part is a string of digits, the so-called Tunnel ID.

On that page choose the second tab, “Example Configurations”,
and select “Vyatta / Ubiquiti EdgeMAX”.

The text box automatically generates the following configuration:

remote-ip is the IP of the remote server you chose at creation time; local-ip is the router's current egress IP.
Since the IP the ISP hands out is dynamic, change local-ip to ‘0.0.0.0’ as shown below.

If a tunnel was configured earlier and needs to be redone, delete the existing one first:

Now configure the tunnel from the command line

Router Advert

With the tunnel configured, the LAN side still has to be set up; after all, it is not enough for only the router to reach v6.

If you have configured local DNS rules, the ipv6 address in radvd-options must be set to the router's own v6 address.

In practice the dhcpv6 setup I spent a long time fiddling with turned out to be unnecessary, but the configuration can be posted anyway.

Automatic IP update

In a previous article on EdgeRouter Lite configuration I set up the DDNS provided by HE.net: Dynamic DNS on HE.net, HE.net Dynamic DNS on Ubiquiti Router.

Updating via a script

First generate a DDNS-specific key by following this path

After many attempts, it is clear that EdgeRouter Lite cannot add multiple ddns entries of the same type through its configuration parameters. So here is a quick-and-dirty method first.

Following the instructions at https://forums.he.net/index.php?topic=1994.0, the client syntax is as follows:

Create the file /etc/ppp/ip-up.d/update-tunnelbroker-ip
with the following content:

When done, make it executable
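As an added example (not the author's script), here is one way such an ip-up hook can be written. It assumes curl is available on EdgeOS, that HE's dyndns-style endpoint is https://ipv4.tunnelbroker.net/nic/update with the tunnel ID in the hostname field, and that the credentials sit in an assumed root-only file defining TB_USER, TB_UPDATE_KEY (the DDNS key generated above) and TB_TUNNEL_ID.

```shell
#!/bin/sh
# Added example, not the blog's script: /etc/ppp/ip-up.d hook that tells
# HE.net tunnelbroker the router's new IPv4 endpoint after PPP comes up.
# Assumptions: curl exists on EdgeOS; the update endpoint below is HE's
# dyndns-style API; credentials live in a root-only file (assumed path)
# defining TB_USER, TB_UPDATE_KEY and TB_TUNNEL_ID; pppd passes the new
# local IP as $4.
CRED_FILE="/config/auth/tunnelbroker.conf"   # assumed path
UPDATE_URL="https://ipv4.tunnelbroker.net/nic/update"
TAG="update-tunnelbroker-ip"

# Accept only a dotted quad with octets 0-255, so nothing odd reaches the URL.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])$'
}

# The tunnel ID goes in the "hostname" field of the dyndns-style request.
build_url() { printf '%s?hostname=%s&myip=%s' "$UPDATE_URL" "$1" "$2"; }

# Map HE's one-line reply to a word; succeed only when the endpoint is set.
classify_reply() {
    case "$1" in
        good*)    echo ok;        return 0 ;;
        nochg*)   echo unchanged; return 0 ;;
        badauth*) echo auth;      return 1 ;;
        *)        echo error;     return 1 ;;
    esac
}

update_tunnel() {
    ip="$1"
    is_ipv4 "$ip" || { logger -t "$TAG" "refusing bad IP '$ip'"; return 1; }
    # The update key is a password: refuse a credential file others can read.
    [ "$(stat -c %a "$CRED_FILE")" = 600 ] || { logger -t "$TAG" "$CRED_FILE must be mode 600"; return 1; }
    . "$CRED_FILE"
    # Feed the key to curl as a config on stdin so it never shows up in ps output.
    reply=$(printf 'user = "%s:%s"\n' "$TB_USER" "$TB_UPDATE_KEY" \
            | curl -sS -K - "$(build_url "$TB_TUNNEL_ID" "$ip")")
    result=$(classify_reply "$reply")
    logger -t "$TAG" "endpoint update for $ip: $result ($reply)"
    [ "$result" = ok ] || [ "$result" = unchanged ]
}

# Run only when invoked by pppd (args: interface tty speed local-ip remote-ip ipparam).
if [ -n "$4" ]; then
    update_tunnel "$4"
fi
```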

Reusing the ddclient configuration

While setting up DDNS earlier I experimented a bit and found that when the configuration is deleted, the automatically generated config under /etc/ddclient/ is not removed.
And tunnelbroker's IP update protocol, like the DDNS one, is dyndns-style.
So the second idea is to write a config file by hand (unverified).
Reference template

A strange problem

From when I started configuring the tunnel to when I finally wrote this article, probably several months passed, and every time I updated the IP (manually or automatically) I was told that my router could not be reached; HE's test IP is 66.220.2.74.
I even emailed them and suspected several possibilities, but confirmed that other IPs in China had no problem.

Just now it suddenly occurred to me that the routing table might be wrong.
Because I had earlier collected the Google/Twitter/Facebook IP ranges (Google IP Address Ranges, EdgeOS PPTP VPN client configuration), crudely merged the scattered ranges into /16 CIDR blocks and pointed them at my pptpc0.
Among them was

I checked Facebook's ranges and adjusted the route:

TunnelBroker for EdgeRouter Lite by @sskaje: https://sskaje.me/2015/05/tunnelbroker-edgerouter-lite/

HE.net Dynamic DNS on Ubiquiti Router

HE.net provides a free DDNS service, compatible with DynDNS's update format.
Link: Dynamic DNS on HE.net.

I'm using a Ubiquiti EdgeRouter Lite; Dynamic DNS support can be found in the web GUI console, but the server address is not configurable.

Here is a copy of my config:

You can also configure it from the CLI.

1. Pick the right interface
2. Set the server
3. DO NOT SAVE OR UPDATE FROM WEB GUI CONSOLE!

HE.net Dynamic DNS on Ubiquiti Router by @sskaje: https://sskaje.me/2015/03/he-net-ddns-on-ubnt-router/

Ocserv IPv6

I'm using AnyConnect on both iOS and OS X; you can read the previously posted article on my blog: anyconnect, openconnect, ocserv.

You can find ipv6-network and ipv6-prefix in ocserv’s sample.config:

which means ocserv should support IPv6.
And in AnyConnect for iOS, ipv6 shows up somewhere too, so it seems IPv6 is supported there as well.

My VPN is hosted on a Linode VPS. Linode provides a free IPv6 address pool: open a ticket and ask for one, and you'll get your own pool routed to your VPS's IPv6 address.
After that, set ipv6-network and ipv6-prefix.

Ocserv 0.8.9 does not send correct headers to AnyConnect for iOS, but 0.9.0-dev does.
I can now get a correct IPv6 address on my iPhone, but with no connectivity. As has been said, X-CSTP-Split-Include/Exclude is not handled well by AnyConnect for IPv6 addresses.
After that I tried the latest AnyConnect for OSX; you can download it here: http://dl.sskaje.me/anyconnect/4.0/4.0.00051/

IPv6 is also assigned to my MBP, with a route as well, but it still does not work.

Ocserv IPv6 by @sskaje: https://sskaje.me/2015/01/ocserv-ipv6/

EdgeOS PPTP VPN client configuration

Background and goal

I bought a Ubnt EdgeRouter Lite and, at a colleague's request, looked into configuring automatic wall-jumping.
I considered the VPNs I had set up before: PPTP, L2TP, IPSec, AnyConnect/OpenConnect. So far only PPTP is working.

This setup uses a remote PPTP server and only covers automatic wall-jumping for Google, Twitter and Facebook; for anything else, follow the same idea and add routes and NAT yourself.

Environment

Assume the network is already configured, with eth0 as the LAN interface and eth1 as the WAN interface.

EdgeOS PPTP VPN客户端配置 by @sskaje: https://sskaje.me/2014/12/edgeos-pptp-vpn%e5%ae%a2%e6%88%b7%e7%ab%af%e9%85%8d%e7%bd%ae/

OCServ with AnyConnect on OSX

I tried hard to make Cisco AnyConnect Secure Mobility Client work with OCServ, on OSX and on Windows; all attempts failed.
But AnyConnect for iOS works fine.
You can download the latest clients from: Cisco AnyConnect Clients 3.1.05170 download; 3.1.05182 is also provided.

AnyConnect for OSX always says:

In /var/log/system.log:

I read the chapter ‘False Captive Portal Detection’ in Cisco's official documentation; nothing useful.

I saw someone say that AnyConnect 3.1 added extra certificate verification compared with 3.0, which makes 3.1 incompatible with ocserv.
The latest version of AnyConnect for iOS is 3.0.12119, but for PC/Mac it is 3.1.05182.
I tried to find AnyConnect 3.0.11042/3.0.11046 clients; only two could be found, and the MD5 checksums are the same no matter where I downloaded them from.

You can find files here: http://dl.sskaje.me/anyconnect/3.0/3.0.11042/

I tested the OSX one; the PKG file required me to change the security level for application installs. It really works. The bad news is that there is nowhere to choose a client certificate, only an allow/decline click for private key usage.

BTW, DO NOT INSTALL WEB SECURITY MODULE!!!

OCServ with AnyConnect on OSX by @sskaje: https://sskaje.me/2014/10/ocserv-anyconnect-osx/
