Search Results for tunnel server linux

自建 6in4 Tunnel Server (iproute2)

IPv4下连IPv6有无数种解决方案，传统的6to4, 6in4, TEREDO…没兴趣讲优缺点，可以在wikipedia的页面上看看各家都用了啥。 TunnelBroker.net 应该是没IPv6的地方最流行的上IPv6的解决方案了。如果你觉得它不爽，其实自己搞一个也没那么难。上边wikipedia页面里说HE的技术实现是Unknown。其实自己试过一次大概都能知道应该往哪个方向去研究它的技术实现了。贴一个我路由器上的IPv6 Tunnel信息。

tun0      Link encap:IPv6-in-IPv4  
          inet6 addr: fe80::c0a8:b01/64 Scope:Link
          inet6 addr: 2001:470:23:1xx::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:900942 errors:0 dropped:0 overruns:0 frame:0
          TX packets:905985 errors:4 dropped:0 overruns:0 carrier:4
          collisions:0 txqueuelen:0 
          RX bytes:559785922 (533.8 MiB)  TX bytes:179756964 (171.4 MiB)

tun0 Link encap:IPv6-in-IPv4

inet6 addr: fe80::c0a8:b01/64 Scope:Link

inet6 addr: 2001:470:23:1xx::2/64 Scope:Global

UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1

RX packets:900942 errors:0 dropped:0 overruns:0 frame:0

TX packets:905985 errors:4 dropped:0 overruns:0 carrier:4

collisions:0 txqueuelen:0

RX bytes:559785922 (533.8 MiB) TX bytes:179756964 (171.4 MiB)

首先，UBNT给我创建的interface是tun0；其次 Link encapsulation 是 IPv6-in-IPv4，也就是传说中的 6in4；再往下看，POINTOPOINT。再加上TunnelBroker的Example Configurations里给了一个iproute2的配置方法：

modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 74.82.46.6 local xx.xx.xx.xx ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:23:1xx::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr

modprobe ipv6

ip tunnel add he-ipv6 mode sit remote 74.82.46.6 local xx.xx.xx.xx ttl 255

ip link set he-ipv6 up

ip addr add 2001:470:23:1xx::2/64 dev he-ipv6

ip route add ::/0 dev he-ipv6

ip -f inet6 addr

思路很简单了。假设服务器端为S，用户路由为R，则两边的参数逻辑应该是： S: Remote: R.ipv4 Local: S.ipv4 V6 IP: S.ipv6 Route: v6子网/CIDR R: Remote: S.ipv4 Local: R.ipv4 V6 IP: R.ipv6 Route: ::/0 即默认路由具体来说，假设你S的IP为1.1.1.1，可支配的IPv6 pool为 2400:1234:5678:9abc::/64，R的IP为2.2.2.2，上述的配置可能是： S.ipv4 = 1.1.1.1 S.ipv6 = 2400:1234:5678:9abc:1000::1/80 v6子网/CIDR = 2400:1234:5678:9abc:2000::/80 R.ipv4 … Continue reading “自建 6in4 Tunnel Server (iproute2)”

Open Connect Server Configuration (Working for iOS)

Working for iOS only, but for OSX, (Cisco AnyConnect Client for OS X 3.1.05160), captive portal is detected. ‘Web Authentication Required’ and error log like

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: compareEKUs File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 330 EKU not found in certificate: 1.3.6.1.5.5.7.3.2
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: Verify File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 100 Extended key usage verification failed
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertUtils.cpp Line: 1163 Invoked Function: CVerifyExtKeyUsage::Verify Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages 
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertificate.cpp Line: 2164 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages 
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 324 Number of certificates found: 3
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: setConnectionData File: ../../vpn/Api/ConnectMgr.cpp Line: 1871 Certificate retrieved from preferences: Subject Name: CN=com.apple.idms.appleid.prd.41665a636f64723171575536774a574464536a697a513d3d Issuer Name : C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority Store : Mac Keychain User
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type information sent to the user: Contacting vpn.sskaje.me:443.
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Initiating VPN connection to the secure gateway https://vpn.sskaje.me:443
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 370 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11572 Received connect notification (host vpn.sskaje.me:443, profile N/A)
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4813 The requested VPN connection to vpn.sskaje.me:443 is not possible at this time (Captive Portal needs to be remediated).
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type warning sent to the user: Connection attempt has failed.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2641 Content type (unknown) received. Response type (Captive Portal detected) from openconnect.sskaje.me: Captive Portal detected
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5511 Attempt to connect failed when Agent detected a network issue.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2053 ConnectMgr::processIfcData failed
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1181 Connection failed.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: VPN state: Disconnected Network state: Web Authentication Required Network control state: Network Access: Available Network type: Undefined
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: OnIpcMessageReceivedAtDepot File: ../../vpn/Agent/MainThread.cpp Line: 4234 Received connect failure notification (host vpn.sskaje.me:443, profile N/A)
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: run File: ../../vpn/Api/ConnectMgr.cpp Line: 674 Invoked Function: ConnectMgr::initiateConnect Return Code: -29622263 (0xFE3C0009) Description: CONNECTMGR_ERROR_UNEXPECTED 
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED 
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: updatePotentialPublicAddresses File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1914 Invoked Function: CHostConfigMgr::determinePublicAddrCandidateFromDefRoute Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: compareEKUs File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 330 EKU not found in certificate: 1.3.6.1.5.5.7.3.2

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: Verify File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 100 Extended key usage verification failed

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertUtils.cpp Line: 1163 Invoked Function: CVerifyExtKeyUsage::Verify Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertificate.cpp Line: 2164 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 324 Number of certificates found: 3

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: setConnectionData File: ../../vpn/Api/ConnectMgr.cpp Line: 1871 Certificate retrieved from preferences: Subject Name: CN=com.apple.idms.appleid.prd.41665a636f64723171575536774a574464536a697a513d3d Issuer Name : C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority Store : Mac Keychain User

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type information sent to the user: Contacting vpn.sskaje.me:443.

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Initiating VPN connection to the secure gateway https://vpn.sskaje.me:443

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 370 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11572 Received connect notification (host vpn.sskaje.me:443, profile N/A)

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4813 The requested VPN connection to vpn.sskaje.me:443 is not possible at this time (Captive Portal needs to be remediated).

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type warning sent to the user: Connection attempt has failed.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2641 Content type (unknown) received. Response type (Captive Portal detected) from openconnect.sskaje.me: Captive Portal detected

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5511 Attempt to connect failed when Agent detected a network issue.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2053 ConnectMgr::processIfcData failed

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1181 Connection failed.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: VPN state: Disconnected Network state: Web Authentication Required Network control state: Network Access: Available Network type: Undefined

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: OnIpcMessageReceivedAtDepot File: ../../vpn/Agent/MainThread.cpp Line: 4234 Received connect failure notification (host vpn.sskaje.me:443, profile N/A)

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: run File: ../../vpn/Api/ConnectMgr.cpp Line: 674 Invoked Function: ConnectMgr::initiateConnect Return Code: -29622263 (0xFE3C0009) Description: CONNECTMGR_ERROR_UNEXPECTED

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: updatePotentialPublicAddresses File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1914 Invoked Function: CHostConfigMgr::determinePublicAddrCandidateFromDefRoute Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

OpenConnect on Ubuntu Generate Certificate with GnuTLS and Sign with OpenSSL Incoming search terms:ROUTETABLE_ERROR_GETBESTROUTE_FAILEDNo valid certificates available for authentication192 168 1 99;29001no valid certificates available for authentication 設定ANyConnect No … Continue reading “Open Connect Server Configuration (Working for iOS)”

Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite

参考：https://help.ubnt.com/hc/en-us/articles/204949694-EdgeMAX-OpenVPN-Site-to-Site 不同的是，我一端是Ubuntu Linux，另一端是EdgeRouter Lite。实现的目的也是让EdgeRouter连上远程vpn实现XXXX。 PPTP的方案参考：EdgeOS PPTP VPN客户端配置环境 Ubuntu Linux, 10.99.99.2 EdgeRouter Lite, 10.99.99.1 配置EdgeRouter Lite SSH到Ubnt EdgeRouter Lite 生成共享密钥文件

generate vpn openvpn-key /config/auth/secret

1	generate vpn openvpn-key /config/auth/secret

执行命令创建VPN

configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 remote-host 服务器公网地址
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun0 local-address 10.99.99.1 
set interfaces openvpn vtun0 remote-address 10.99.99.2
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 openvpn-option --float
set interfaces openvpn vtun0 openvpn-option "--ping 10"
set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"
set interfaces openvpn vtun0 openvpn-option --ping-timer-rem
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
commit
save
exit

configure

set interfaces openvpn vtun0

set interfaces openvpn vtun0 mode site-to-site

set interfaces openvpn vtun0 remote-host 服务器公网地址

set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret

set interfaces openvpn vtun0 local-address 10.99.99.1

set interfaces openvpn vtun0 remote-address 10.99.99.2

set interfaces openvpn vtun0 local-port 1194

set interfaces openvpn vtun0 remote-port 1194

set interfaces openvpn vtun0 openvpn-option --comp-lzo

set interfaces openvpn vtun0 openvpn-option --float

set interfaces openvpn vtun0 openvpn-option "--ping 10"

set interfaces openvpn vtun0 openvpn-option "--ping-restart 20"

set interfaces openvpn vtun0 openvpn-option --ping-timer-rem

set interfaces openvpn vtun0 openvpn-option --persist-tun

set interfaces openvpn vtun0 openvpn-option --persist-key

set interfaces openvpn vtun0 openvpn-option "--user nobody"

set interfaces openvpn vtun0 openvpn-option "--group nogroup"

commit

save

exit

执行命令启用NAT

configure
set service nat rule 5020 outbound-interface vtun0
set service nat rule 5020 type masquerade
commit
save
exit

configure

set service nat rule 5020 outbound-interface vtun0

set service nat rule 5020 type masquerade

commit

save

exit

如果需要重启tunnel

reset openvpn interface vtun0

1	reset openvpn interface vtun0

配置Linux 安装openvpn

apt-get install openvpn

1	apt-get install openvpn

把EdgeRouter的 /config/auth/secret 复制到 /etc/openvpn/er-site2site-static.key 编辑 /etc/openvpn/server.conf

dev tun
ifconfig 10.99.99.2 10.99.99.1 
secret /etc/openvpn/er-site2site-static.key
lport 1194
rport 1194
user nobody
group nogroup
comp-lzo
ping 10
ping-restart 20
ping-timer-rem
persist-tun
persist-key
verb 3
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log

dev tun

ifconfig 10.99.99.2 10.99.99.1

secret /etc/openvpn/er-site2site-static.key

lport 1194

rport 1194

user nobody

group nogroup

comp-lzo

ping 10

ping-restart 20

ping-timer-rem

persist-tun

persist-key

verb 3

status /var/log/openvpn/openvpn-status.log

log-append /var/log/openvpn/openvpn.log

启动openvpn

/etc/init.d/openvpn start

1	/etc/init.d/openvpn start

测试在EdgeRouter ping Linux

ping 10.99.99.2

1	ping 10.99.99.2

在Linux ping EdgeRouter

ping 10.99.99.1

1	ping 10.99.99.1

如果还有问题，可以看日志配置路由参考下一篇文章 UBNT EdgeOS 配置设备路由(interface-route)的方法 … Continue reading “Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite”

抛开路由为局域网内机器启用IPv6

支持IPv6这事情不一定非得要路由上配，局域网内只要有Linux机器能用IPv6就行。这种事情做之前，对于完全不会的人和会的人都很简单，但对我这种稍微懂一点的，还没做可能就先想多了。测试环境公司路由：TP-Link某老旧企业路由，不支持IPv6 Linux：Debian Jessie, 服务主机，兼顾dns，dhcp等等服务，LAN接口eth0 网络：北京联通家庭光纤 PPPoE IPv6 服务：Tunnel Broker 其他软件：dnsmasq, dhcpd Incoming search terms:wireguard设置ipv6 dhcp-baijiahaoaccept7cnanybodyrx3LAN怎么成为IPv6stoodwx7企业路由ipv6局域网IPV6开启 RADVD维盟路由器 ipv6Link to this post!