Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite

参考:https://help.ubnt.com/hc/en-us/articles/204949694-EdgeMAX-OpenVPN-Site-to-Site
不同的是,我一端是Ubuntu Linux,另一端是EdgeRouter Lite。

实现的目的也是让EdgeRouter连上远程vpn实现XXXX。
PPTP的方案参考:EdgeOS PPTP VPN客户端配置

环境

Ubuntu Linux, 10.99.99.2
EdgeRouter Lite, 10.99.99.1

配置EdgeRouter Lite

SSH到Ubnt EdgeRouter Lite
生成共享密钥文件

执行命令创建VPN

执行命令启用NAT

如果需要重启tunnel

配置Linux

安装openvpn

把EdgeRouter的 /config/auth/secret 复制到 /etc/openvpn/er-site2site-static.key

编辑 /etc/openvpn/server.conf

启动openvpn

测试

在EdgeRouter ping Linux

在Linux ping EdgeRouter

如果还有问题,可以看日志

配置路由

参考下一篇文章 UBNT EdgeOS 配置设备路由(interface-route)的方法

Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite by @sskaje: https://sskaje.me/2016/02/set-openvpn-site-to-site-ubnt-edgerouter-lite/

Incoming search terms:

Easy-RSA 3 HowTo

OpenVPN 自带了一套CA相关的脚本,乱七八糟的,用起来并没觉得有多easy,不过新版把文件整合了,github: https://github.com/OpenVPN/easy-rsa
Easy-RSA 3.0 今天刚Release。

配置

配置起来比较简单,把下列文件放在同一个目录里即可,或者下载官方的release,直接改名 vars.example 为 vars。

  • easyrsa
  • openssl-1.0.cnf
  • vars
  • x509-types

以前的版本,需要修改vars文件,然后 source 加载一下,新版本可以用 –vars=/path/to/vars 或者完全靠命令行参数传参。
vars文件需要配置,可以看文件注释,给一个参考的版本。

Continue reading “Easy-RSA 3 HowTo” »

Easy-RSA 3 HowTo by @sskaje: https://sskaje.me/2015/09/easy-rsa-3-howto/

Incoming search terms:

Ocserv IPv6

I’m using AnyConnect both on iOS and OS X, you can read previously posted article on my blog: anyconnect, openconnect, ocserv.

You can find ipv6-network and ipv6-prefix in ocserv’s sample.config:

which means ocserv should be compatible with IPv6.
And, in AnyConnect for iOS, ipv6 can be found somewhere, seems ipv6 is also compatible here.

My VPN is hosted on Linode VPS. Linode provides free IPv6 address pool. Open a ticket and ask for an address pool, you’ll get your own pool routed to your VPS’s ipv6 address.
After that, set the ipv6-network and ipv6-prefix.

Ocserv 0.8.9 does not send correct headers to AnyConnect for iOS, but 0.9.0-dev does.
I can now get a correct ipv6 address on my iPhone but with no connectivity. As it’s said, X-CSTP-Split-Include/Exclude is not well handled by AnyConnect for IPv6 addresses.
After that, I tried the latest AnyConnect for OSX, you can download it here: http://dl.sskaje.me/anyconnect/4.0/4.0.00051/

IPv6 is also assigned to my MBP, also with route, but still not working.

Ocserv IPv6 by @sskaje: https://sskaje.me/2015/01/ocserv-ipv6/

Incoming search terms:

EdgeOS PPTP VPN客户端配置

背景及目标

买了个Ubnt EdgeRouter Lite,应同事的需求,研究配置自动翻墙。
考虑过之前配置的各种VPN:PPTPL2TPIPSecAnyConnect/OpenConnect。目前搞定的只有PPTP。

本次配置使用远程PPTP Server,只考虑Google、Twitter和Facebook的自动翻墙,其他可以参照思路自己加路由和NAT。

环境

假设网络已经配置好,eth0为内网口,eth1为外网口。
Continue reading “EdgeOS PPTP VPN客户端配置” »

EdgeOS PPTP VPN客户端配置 by @sskaje: https://sskaje.me/2014/12/edgeos-pptp-vpn%e5%ae%a2%e6%88%b7%e7%ab%af%e9%85%8d%e7%bd%ae/

Incoming search terms:

OCServ with AnyConnect on OSX

I tried a lot to make Cisco Anyconnect Secure Mobility Client work with OCServ, on OSX, on Windows, all failed.
But the AnyConnect for iOS works fine.
You can download the latest clients from: Cisco AnyConnect Clients 3.1.05170 download, 3.1.05182 is also provided.

AnyConnect for OSX always says:

In /var/log/system.log:

I read the chapter ‘False Captive Portal Detection‘ from Cisco’s official documentation, nothing useful.

I saw someone said that AnyConnect 3.1 added extra certificate verification than 3.0, which makes 3.1 not compatible with ocserv.
The latest version of AnyConnect for iOS is 3.0.12119, but for PC/Mac 3.1.05182.
I tried to find clients of AnyConnect 3.0.11042/3.0.11046, only two can be found, and MD5 checksum are same no matter where I downloaded.

You can find files here: http://dl.sskaje.me/anyconnect/3.0/3.0.11042/

I tested the OSX one, the PKG file requires me change security level of application installing, it really works, the bad news is, there’s nowhere to choose client certificate but clicking allow/decline of private key usage.

QQ20141013-1

QQ20141013-2

BTW, DO NOT INSTALL WEB SECURITY MODULE!!!

OCServ with AnyConnect on OSX by @sskaje: https://sskaje.me/2014/10/ocserv-anyconnect-osx/

Incoming search terms: