EdgeRouter Policy Based Routing Using DNSMASQ IPSET

之前用SNIProxy按域名区分流量,着实麻烦。尤其是后期发现路由表莫名其妙出问题。

EdgeRouter的Policy Based Routing(PBR)使用的是自带配置语法的firewall modify功能。
官方有两篇教程:
EdgeRouter – Policy-based routing for destination port
EdgeRouter – Policy-based routing (source address based)

第二篇文章顺带提了network-group。之前在配置VPN时,使用过network-group,还比较过使用firewall modify + network-group 与配置一堆interface-route的区别。

而,这里的network-group的实现,使用了netfilter的ipset。Man pages可以看这里,命令在edgerouter上也附带了。

dnsmasq支持 ‘–ipset‘ 参数,把对配置域名解析的IP存入到指定的ipset。具体细节可以看dnsmasq的文档

dnsmasq配置的语法比较简单。

domain 部分参考 address 的语法。例如:

配置好所有自己需要的域名,重启dnsmasq即可。

ipset本身支持timeout,但是edge os的network-group不支持,所以在配置dnsmasq之前,最好创建一个新的network-group。

假定新建的ipset名叫 MY_SET,edge router的主要相关配置如下:

其他诸如配置 static table, interface firewall 可以参考最前边的文档。

EdgeRouter Policy Based Routing Using DNSMASQ IPSET by @sskaje: https://sskaje.me/2017/04/edgerouter-policy-based-routing-dnsmasq-ipset/

Incoming search terms:

Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite

参考:https://help.ubnt.com/hc/en-us/articles/204949694-EdgeMAX-OpenVPN-Site-to-Site
不同的是,我一端是Ubuntu Linux,另一端是EdgeRouter Lite。

实现的目的也是让EdgeRouter连上远程vpn实现XXXX。
PPTP的方案参考:EdgeOS PPTP VPN客户端配置

环境

Ubuntu Linux, 10.99.99.2
EdgeRouter Lite, 10.99.99.1

配置EdgeRouter Lite

SSH到Ubnt EdgeRouter Lite
生成共享密钥文件

执行命令创建VPN

执行命令启用NAT

如果需要重启tunnel

配置Linux

安装openvpn

把EdgeRouter的 /config/auth/secret 复制到 /etc/openvpn/er-site2site-static.key

编辑 /etc/openvpn/server.conf

启动openvpn

测试

在EdgeRouter ping Linux

在Linux ping EdgeRouter

如果还有问题,可以看日志

配置路由

参考下一篇文章 UBNT EdgeOS 配置设备路由(interface-route)的方法

Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite by @sskaje: https://sskaje.me/2016/02/set-openvpn-site-to-site-ubnt-edgerouter-lite/

Incoming search terms:

EdgeOS PPTP VPN客户端配置

背景及目标

买了个Ubnt EdgeRouter Lite,应同事的需求,研究配置自动翻墙。
考虑过之前配置的各种VPN:PPTPL2TPIPSecAnyConnect/OpenConnect。目前搞定的只有PPTP。

本次配置使用远程PPTP Server,只考虑Google、Twitter和Facebook的自动翻墙,其他可以参照思路自己加路由和NAT。

环境

假设网络已经配置好,eth0为内网口,eth1为外网口。
Continue reading “EdgeOS PPTP VPN客户端配置” »

EdgeOS PPTP VPN客户端配置 by @sskaje: https://sskaje.me/2014/12/edgeos-pptp-vpn%e5%ae%a2%e6%88%b7%e7%ab%af%e9%85%8d%e7%bd%ae/

Incoming search terms:

OpenConnect DNS Only + Google Only

I’m using 4G by China Mobile, but the DNS it provides really sucks. Changing DNS from Cellular Data on a not-jailbroken iPhone is impossible so far as I know (I tried mobileconfig but can find any working options).

The first idea is pushing DNS from a PPTP server, which I wrote: Notes: PPTP/L2TP Server on Ubuntu.
I can create two connections on my iOS, one set default route, one not. All users share a same setting from PPTPd, it’s almost impossible if I want to use a different DNS in these two connections, changing default pptp port from 1723 to others is not as easy as it is on windows.
Don’t forget that PPTP is what GF*W likes.
Continue reading “OpenConnect DNS Only + Google Only” »

OpenConnect DNS Only + Google Only by @sskaje: https://sskaje.me/2014/06/openconnect-dns-google/

Incoming search terms:

OpenConnect Public Key Authentication

Here are old articles about OpenConnect, the open source AnyConnect server:
OpenConnect on Ubuntu
Open Connect Server Configuration (Working for iOS)
Cisco AnyConnect Client for OS X/Windows/Linux (Version 3.1.05160)

This time, OCServ 0.80 on Ubuntu 14.04.
And still doesn’t work for OS X.

I was using password based authentication, but clients on iOS can not remember my password.
So now add some configurations based on “Open Connect Server Configuration (Working for iOS)“.

Create Client Certificates

Just follow the manual: http://www.infradead.org/ocserv/manual.html.
If you already have a CA based on openssl, I have another article: Generate Certificate with GnuTLS and Sign with OpenSSL.

Here is my user.tmpl:

After the pkcs12 is created like ‘Create Client Config’ in “iOS IPSec VPN Server on Ubuntu“, the mobileconfig should be also created.
Remember to leave the ‘Account‘ and ‘Group‘ BLANK in the VPN page.

Update config

Copy a new sample.config from source, edit it following Open Connect Server Configuration (Working for iOS)

Now comes the certificate authentication related changes:

auth

I tried to use both certificate and plain, but failed.
Just keep the certificate one.

server-cert & server-key

You can add your own certificate or get it somewhere like startssl.com.
I got my certificates from startssl.com, class 1, I got three files: ca.pem, sub.class1.server.ca.pem, and my own ssl.crt:

If you don’t make these three in a right order, you’ll see errors below in syslog:

The server-key I got from startssl is encrypted, decrypt it:

Encrypted private key would result:

ca-cert

This ca-cert is for CLIENT certificates!

cert-user-oid & cert-group-oid

Follow the comment:

cisco-client-compat

Enable this! Thanks to @simamy.

OpenConnect Public Key Authentication by @sskaje: https://sskaje.me/2014/06/openconnect-public-key-authentication/

Incoming search terms: