Search Results for edgemax pptp

EdgeRouter PPtP Server访问本地DNS服务

UBNT EdgeRouter 自带了PPTP Server，典型的配置方法是

set vpn pptp remote-access authentication local-users username sskaje password PASSWORD
set vpn pptp remote-access authentication mode local
set vpn pptp remote-access client-ip-pool start 192.168.100.210
set vpn pptp remote-access client-ip-pool stop 192.168.100.219
set vpn pptp remote-access dns-servers server-1 8.8.8.8
set vpn pptp remote-access mtu 1492

set vpn pptp remote-access authentication local-users username sskaje password PASSWORD

set vpn pptp remote-access authentication mode local

set vpn pptp remote-access client-ip-pool start 192.168.100.210

set vpn pptp remote-access client-ip-pool stop 192.168.100.219

set vpn pptp remote-access dns-servers server-1 8.8.8.8

set vpn pptp remote-access mtu 1492

官方参考guide: https://help.ubnt.com/hc/en-us/articles/205220840-EdgeMAX-PPTP-VPN-with-local-users-RADIUS 这个案例里，我的路由eth0是LAN口，eth0的IP是 192.168.100.1，这个配置下我的pptp客户端能正常访问到我的内网的机器。但是如果我需要把DNS设成 192.168.100.1，DNS请求就会一直没响应。路由端抓 UDP 53 的包，可以看到pptp客户端发出的dns请求，但是没有回包。看了眼/etc/dnsmasq.conf:

log-facility=/var/log/dnsmasq.log
interface=eth0
interface=eth2
cache-size=10000

log-facility=/var/log/dnsmasq.log

interface=eth0

interface=eth2

cache-size=10000

man dnsmasq -i, –interface= Listen only on the specified interface(s). Dnsmasq automatically adds the loopback (local) interface to the list of interfaces to use when the –interface option is used. If no –interface or –listen-address options are given … Continue reading “EdgeRouter PPtP Server访问本地DNS服务”

UBNT VPN + Socks5 代理

VPN的方案可以参考 Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite 或 EdgeOS PPTP VPN客户端配置。由于某些国际CDN的问题，部分网站不适合用IP路由来设定跳转。所以这里的需求是，针对特定域名把80/443的请求转由VPN的设备出去，其他的不管。思路1，用EdgeMax自带的webproxy功能，但是很可惜，squid不支持选择outgoing的interface，只能选目标IP。所以放弃。思路2，DPI监测域名或SNI，但是EdgeRouter Lite的最新版beta 1.8.0b3文档不完整，自己测试了一下相关命令，没搞成，理论上有戏。思路3，本地socks5代理。我一直会用firefox+foxyproxy作为专用浏览器，正常的需求都用chrome。而且最近secure pipes经常掉，不确定什么情况，包括用国内vps代理远端ssh的方案也不行。尝试了一些方案，包括dante-server 选上行interface, SSH Tunnel + DNAT，都不行。DNAT的方案不想直接用iptables，怕配置命令保存不方便，所以最终回到了haproxy的方案。 VPS上，配置socks5代理。方案很简单，参考命令如下：

ssh -f -N -D 10.99.99.2:31080 -D 192.168.121.1:31080 sskaje@127.0.0.1

1	ssh -f -N -D 10.99.99.2:31080 -D 192.168.121.1:31080 sskaje@127.0.0.1

10.99.99.2 和 192.168.121.1 分别是我两种vpn方案的服务端私有IP。这行命令被我加到了rc.local。当然，还得配ssh 公钥登录。路由上，安装配置haproxy。依旧参考使用HAProxy搭建SSH代理。 /etc/haproxy/haproxy.cfg

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

defaults
	log	global
	mode	tcp
        timeout connect 5000
        timeout client  50000
        timeout server  50000

listen proxy
	option tcplog
	option logasap
	option tcpka
	maxconn 9999
	bind 0.0.0.0:31080
	server server-1 10.99.99.2:31080 maxconn 5000
	server server-2 192.168.121.1:31080 maxconn 5000
	retries 10
        timeout connect 500
        timeout client  5000
        timeout server  5000

global

log /dev/log local0

log /dev/log local1 notice

chroot /var/lib/haproxy

stats socket /run/haproxy/admin.sock mode 660 level admin

stats timeout 30s

user haproxy

group haproxy

daemon

defaults

log global

mode tcp

timeout connect 5000

timeout client 50000

timeout server 50000

listen proxy

option tcplog

option logasap

option tcpka

maxconn 9999

bind 0.0.0.0:31080

server server-1 10.99.99.2:31080 maxconn 5000

server server-2 192.168.121.1:31080 maxconn 5000

retries 10

timeout connect 500

timeout client 5000

timeout server 5000

Incoming search terms:socks5 proxyclassroom3bmvotemfwLink to this post!

Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite

参考：https://help.ubnt.com/hc/en-us/articles/204949694-EdgeMAX-OpenVPN-Site-to-Site 不同的是，我一端是Ubuntu Linux，另一端是EdgeRouter Lite。实现的目的也是让EdgeRouter连上远程vpn实现XXXX。 PPTP的方案参考：EdgeOS PPTP VPN客户端配置环境 Ubuntu Linux, 10.99.99.2 EdgeRouter Lite, 10.99.99.1 配置EdgeRouter Lite SSH到Ubnt EdgeRouter Lite 生成共享密钥文件

generate vpn openvpn-key /config/auth/secret

1	generate vpn openvpn-key /config/auth/secret

执行命令创建VPN

configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 remote-host 服务器公网地址
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun0 local-address 10.99.99.1 
set interfaces openvpn vtun0 remote-address 10.99.99.2
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 openvpn-option --float
set interfaces openvpn vtun0 openvpn-option "--ping 10"
set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
set interfaces openvpn vtun0 openvpn-option --ping-timer-rem
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
commit
save
exit

configure

set interfaces openvpn vtun0

set interfaces openvpn vtun0 mode site-to-site

set interfaces openvpn vtun0 remote-host 服务器公网地址

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

set interfaces openvpn vtun0 local-address 10.99.99.1

set interfaces openvpn vtun0 remote-address 10.99.99.2

set interfaces openvpn vtun0 local-port 1194

set interfaces openvpn vtun0 remote-port 1194

set interfaces openvpn vtun0 openvpn-option --comp-lzo

set interfaces openvpn vtun0 openvpn-option --float

set interfaces openvpn vtun0 openvpn-option "--ping 10"

set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"

set interfaces openvpn vtun0 openvpn-option --ping-timer-rem

set interfaces openvpn vtun0 openvpn-option --persist-tun

set interfaces openvpn vtun0 openvpn-option --persist-key

set interfaces openvpn vtun0 openvpn-option "--user nobody"

set interfaces openvpn vtun0 openvpn-option "--group nogroup"

commit

save

exit

执行命令启用NAT

configure
set service nat rule 5020 outbound-interface vtun0
set service nat rule 5020 type masquerade
commit
save
exit

configure

set service nat rule 5020 outbound-interface vtun0

set service nat rule 5020 type masquerade

commit

save

exit

如果需要重启tunnel

reset openvpn interface vtun0

1	reset openvpn interface vtun0

配置Linux 安装openvpn

apt-get install openvpn

1	apt-get install openvpn

把EdgeRouter的 /config/auth/secret 复制到 /etc/openvpn/er-site2site-static.key 编辑 /etc/openvpn/server.conf

dev tun
ifconfig 10.99.99.2 10.99.99.1 
secret /etc/openvpn/er-site2site-static.key
lport 1194
rport 1194
user nobody
group nogroup
comp-lzo
ping 10
ping-restart 20
ping-timer-rem
persist-tun
persist-key
verb 3
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log

dev tun

ifconfig 10.99.99.2 10.99.99.1

secret /etc/openvpn/er-site2site-static.key

lport 1194

rport 1194

user nobody

group nogroup

comp-lzo

ping 10

ping-restart 20

ping-timer-rem

persist-tun

persist-key

verb 3

status /var/log/openvpn/openvpn-status.log

log-append /var/log/openvpn/openvpn.log

启动openvpn

/etc/init.d/openvpn start

1	/etc/init.d/openvpn start

测试在EdgeRouter ping Linux

ping 10.99.99.2

1	ping 10.99.99.2

在Linux ping EdgeRouter

ping 10.99.99.1

1	ping 10.99.99.1

如果还有问题，可以看日志配置路由参考下一篇文章 UBNT EdgeOS 配置设备路由(interface-route)的方法 … Continue reading “Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite”

TunnelBroker for EdgeRouter Lite

创建隧道在北京联通这种不给IPv6网络的ISP下生存，总有走v6翻墙的欲望。免费的Tunnel服务很多，最出名莫过HE.net的TunnelBroker 首先申请一个Tunnel。访问：

https://tunnelbroker.net/new_tunnel.php

1	https://tunnelbroker.net/new_tunnel.php

注册登录之后，创建并输入当前路由公网IP “YOUR.ROUTER.INTERNET.IP”。创建成功后会被跳转到

https://tunnelbroker.net/tunnel_detail.php?tid=XXXXX

1	https://tunnelbroker.net/tunnel_detail.php?tid=XXXXX

XXXXX的部分是一串数字，所谓的Tunnel ID. 在这个页面上选择第二个标签页 “Example Configurations” 选择 “Vyatta / Ubiquiti EdgeMAX” 文本框会自动生成如下配置：

configure
edit interfaces tunnel tun0
set encapsulation sit
set local-ip YOUR.ROUTER.INTERNET.IP
set remote-ip 74.82.46.6
set address 2001:470:23:XXXX::XX/64
set description "HE.NET IPv6 Tunnel"
exit
set protocols static interface-route6 ::/0 next-hop-interface tun0
commit

configure

edit interfaces tunnel tun0

set encapsulation sit

set local-ip YOUR.ROUTER.INTERNET.IP

set remote-ip 74.82.46.6

set address 2001:470:23:XXXX::XX/64

set description "HE.NET IPv6 Tunnel"

exit

set protocols static interface-route6 ::/0 next-hop-interface tun0

commit

remote-ip是创建时选择的远端服务器IP，local-ip是本地当前的出口IP。鉴于ISP给的IP都是动态的，所以local-ip改成如下‘0.0.0.0’。如果之前有配置过tunnel，需要重新配置，则先删除既有的：

delete interfaces tunnel tun0

1	delete interfaces tunnel tun0

下面开始命令配置tunnel

configure
# tun to ipv6
edit interfaces tunnel tun0
set encapsulation sit
set local-ip 0.0.0.0
set remote-ip 74.82.46.6
set address 2001:470:23:XXXX::XX/64
set description "HE.NET IPv6 Tunnel"
exit
set protocols static interface-route6 ::/0 next-hop-interface tun0
commit
save

configure

# tun to ipv6

edit interfaces tunnel tun0

set encapsulation sit

set local-ip 0.0.0.0

set remote-ip 74.82.46.6

set address 2001:470:23:XXXX::XX/64

set description "HE.NET IPv6 Tunnel"

exit

set protocols static interface-route6 ::/0 next-hop-interface tun0

commit

save

Router Advert 配置完tunnel，就得配局域网内的配置了，毕竟只有路由能上v6是不够的

interfaces {
    ethernet eth0 {               
        address 192.168.11.1/24   
        duplex auto               
        ipv6 {                    
            address {             
                autoconf           
            }                     
            dup-addr-detect-transmits 1
            router-advert {                        
                cur-hop-limit 64  
                link-mtu 0        
                managed-flag false
                max-interval 600  
                other-config-flag false
                prefix 2001:470:24:xxx::/64 {
                    autonomous-flag true
                    on-link-flag true       
                    valid-lifetime 2592000         
                }                 
                radvd-options "RDNSS 2001:470:20::2  {} ;"
                reachable-time 0  
                retrans-timer 0   
                send-advert true  
            }                     
        }                         
        speed auto                          
    } 
...
}

interfaces {

ethernet eth0 {

address 192.168.11.1/24

duplex auto

ipv6 {

address {

autoconf

}

dup-addr-detect-transmits 1

router-advert {

cur-hop-limit 64

link-mtu 0

managed-flag false

max-interval 600

other-config-flag false

prefix 2001:470:24:xxx::/64 {

autonomous-flag true

on-link-flag true

valid-lifetime 2592000

}

radvd-options "RDNSS 2001:470:20::2 {} ;"

reachable-time 0

retrans-timer 0

send-advert true

}

speed auto

}

...

}

如果你本地的DNS规则有过配置，radvd-options 的配置一定要把ipv6地址设成路由器的v6地址实践证明，我之前折腾了好久的dhcpv6没用，但是配置也可以贴出来

...
service { 
...                     
    dhcpv6-server {                              
        shared-network-name LAN_DEAD {   
            name-server 2001:4860:4860::8888
            name-server 2001:4860:4860::8844 
            subnet 2001:470:23:xxxx:dead::/80 {   
                address-range {         
                    start 2001:470:23:xxxx:dead::1000 {
                        stop 2001:470:23:xxxx:dead::8000
                    }                            
                }                       
                name-server 2001:4860:4860::8888 
                name-server 2001:4860:4860::8844
                prefix-delegation {              
                    start 2001:470:23:xxxx:dead::1000 {
                        prefix-length 80
                    }                  
                }                          
            }                           
        }                               
    }  
}

...

service {

...

dhcpv6-server {

shared-network-name LAN_DEAD {

name-server 2001:4860:4860::8888

name-server 2001:4860:4860::8844

subnet 2001:470:23:xxxx:dead::/80 {

address-range {

start 2001:470:23:xxxx:dead::1000 {

stop 2001:470:23:xxxx:dead::8000

}

name-server 2001:4860:4860::8888

name-server 2001:4860:4860::8844

prefix-delegation {

start 2001:470:23:xxxx:dead::1000 {

prefix-length 80

}

自动更新IP 之前一片EdgeRouter Lite相关的配置文章里，我把He.net提供的DDNS配置好了。Dynamic DNS on HE.net, HE.net Dynamic DNS on Ubiquiti Router. 脚本更新首先按如下路径生成ddns专用的key

TunnelBroker.net -> Tunnel Details -> Advanced -> Update Key

1	TunnelBroker.net -> Tunnel Details -> Advanced -> Update Key

尝试过好多次，EdgeRouter Lite无法通过配置参数添加多个同类型的ddns配置。所以先提供一个简单粗暴的方法。参考 https://forums.he.net/index.php?topic=1994.0 的说明，有如下的客户端语法： … Continue reading “TunnelBroker for EdgeRouter Lite”