IKEv2

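#!/usr/bin/env bash
# IKEv2 road-warrior VPN on strongSwan: the server authenticates with an RSA
# certificate issued by a local CA, clients authenticate with an EAP
# username/password. Reconstructed from a posted root-shell transcript whose
# `=`, `>`, `<<` and `@` characters were lost in extraction; run as root on
# Debian/Ubuntu.
#
# Inputs (environment):
#   SERVER_ADDR  public IP or DNS name clients connect to. Default: whatever
#                ifconfig.me reports, as in the transcript — prefer setting it.
#   VPN_USER     EAP username (default: vpnuser).
#   VPN_PASS     EAP password. Required: the transcript hard-coded a date-like
#                value, which is both weak and now published.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
[[ "$(id -u)" -eq 0 ]] || die "run as root"

# --- 1. Install dependencies -------------------------------------------------
# iptables-persistent asks (via debconf) whether to save current rules; the
# transcript answered that interactively, this script suppresses the prompt.
apt update
DEBIAN_FRONTEND=noninteractive apt install strongswan strongswan-pki iptables-persistent -y

# --- 2. Generate CA and server certificates ---------------------------------
# SERVER_ADDR becomes the server certificate's CN and SAN, which clients check
# against the address they dial. Asking a third-party service for it means
# trusting that answer, so fetch it once, over TLS, and reject anything that
# is not a plain host/IP token before it reaches the pki command line.
SERVER_ADDR="${SERVER_ADDR:-$(curl -fsS https://ifconfig.me)}"
[[ "$SERVER_ADDR" =~ ^[A-Za-z0-9.:-]+$ ]] || die "unusable SERVER_ADDR: '${SERVER_ADDR}'"
VPN_USER="${VPN_USER:-vpnuser}"
: "${VPN_PASS:?set VPN_PASS to a strong EAP password (e.g. openssl rand -base64 24)}"

pki_dir="${HOME}/pki"
mkdir -p "${pki_dir}"/{cacerts,certs,private}
chmod 700 "${pki_dir}/private"
cd "${pki_dir}"

pki --gen --type rsa --size 4096 --outform pem > private/ca.key.pem
pki --self --ca --lifetime 3650 \
  --in private/ca.key.pem --type rsa \
  --dn "CN=VPN-CA" \
  --outform pem > cacerts/ca.cert.pem

pki --gen --type rsa --size 4096 --outform pem > private/server.key.pem
# serverAuth is what current clients check; ikeIntermediate is kept for
# older Apple clients that still require it.
pki --pub --in private/server.key.pem --type rsa \
  | pki --issue --lifetime 1825 \
      --cakey private/ca.key.pem \
      --cacert cacerts/ca.cert.pem \
      --dn "CN=${SERVER_ADDR}" \
      --san "${SERVER_ADDR}" \
      --flag serverAuth --flag ikeIntermediate \
      --outform pem > certs/server.cert.pem

# --- 3. strongSwan connection configuration ---------------------------------
# Notes on the conn below:
# - The posted transcript had no rightauth= line; strongSwan defaults to
#   pubkey, so clients would have been expected to present a certificate and
#   the EAP secret written in step 4 would not be used. rightauth=eap-mschapv2
#   plus eap_identity=%identity makes the username/password path explicit
#   (confirm against the installed strongSwan version).
# - leftid=%any is kept from the transcript; clients then see the certificate
#   subject as the server identity. Setting leftid=${SERVER_ADDR} is stricter
#   and matches what most mobile clients put in the "remote ID" field.
# - esp= carries no DH group, so CHILD_SA rekeys would have no PFS; with
#   rekey=no (also from the transcript) that never happens on the server side.
# - uniqueids=never lets one identity hold several sessions at once.
[[ -f /etc/ipsec.conf ]] && mv /etc/ipsec.conf /etc/ipsec.conf.bak
cat > /etc/ipsec.conf <<EOF
config setup
    uniqueids=never

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=%any
    leftcert=server.cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%identity
    rightsourceip=10.10.10.0/24
    rightsendcert=never
EOF

# --- 4. Server key reference and EAP credentials ----------------------------
# ipsec.secrets stores the EAP password in clear text; it must not be
# world-readable. A password containing a double quote would need escaping.
cat > /etc/ipsec.secrets <<EOF
: RSA server.key.pem
${VPN_USER} : EAP "${VPN_PASS}"
EOF
chmod 600 /etc/ipsec.secrets

# --- 5. Install certificates where strongSwan looks for them ----------------
# Only the CA certificate, the server certificate and the server key are
# copied. The CA *private* key stays in ${pki_dir}/private (ideally moved
# offline once client/server certificates have been issued); it is never
# needed by the running daemon.
install -m 644 cacerts/ca.cert.pem    /etc/ipsec.d/cacerts/
install -m 644 certs/server.cert.pem  /etc/ipsec.d/certs/
install -m 600 private/server.key.pem /etc/ipsec.d/private/

# --- 6. IP forwarding, NAT and firewall -------------------------------------
sysctl -w net.ipv4.ip_forward=1
# A sysctl.d drop-in instead of appending to sysctl.conf, so re-running the
# script does not accumulate duplicate lines.
printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-ikev2-forward.conf
# -C tests for an identical existing rule so re-runs do not stack duplicates.
iptables -t nat -C POSTROUTING -s 10.10.10.0/24 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -j MASQUERADE
netfilter-persistent save
ufw allow 500/udp    # IKE
ufw allow 4500/udp   # IKE / ESP-in-UDP (NAT traversal)
# NOTE(review): if ufw is enabled, its FORWARD policy may still drop routed
# client traffic; the transcript does not cover that. Verify with a client
# connected before relying on the tunnel.

# --- 7. Start the service ---------------------------------------------------
systemctl restart strongswan-starter
systemctl enable strongswan-starter
# A non-zero status here (service not active) aborts the script under set -e,
# which is the desired outcome.
systemctl --no-pager status strongswan-starter

# Client side: import ${pki_dir}/cacerts/ca.cert.pem as a trusted CA on the
# phone, then create an IKEv2 VPN profile using EAP username/password with
# server address (and remote ID) ${SERVER_ADDR} and the credentials from
# step 4. Clients only need the CA certificate, never any private key.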