方法1
网络->接口->lan->DHCP服务器->高级设置->DHCP-选项:
6,10.207.27.253保存并应用,重启路由器
方法2
网络->DHCP/DNS:
- 基本设置->DNS转发:114.114.114.114
- HOSTS和解析文件: 忽略解析文件、忽略 /etc/hosts (可选)
网络->接口->lan->DHCP服务器->高级设置->DHCP-选项:
6,10.207.27.253保存并应用,重启路由器
网络->DHCP/DNS:
~/.git-completion.bashgit-completion.bash中,https://github.com/git/git/blob/master/contrib/completion/git-completion.bash~/.bash_profile中新增一行 source ~/.git-completion.bashsource ~/.bash_profilecurl https://raw.githubusercontent.com/git/git/master/contrib/completion/git-completion.bash -o ~/.git-completion.bash && echo "source ~/.git-completion.bash" >> ~/.bash_profile && source ~/.bash_profile rm -rf ~/Library/Application\ Support/Developer/Shared/Xcode/Plug-ins/Alcatraz.xcplugin curl -fsSL https://raw.githubusercontent.com/supermarin/Alcatraz/deploy/Scripts/install.sh | sh defaults read /Applications/Xcode.app/Contents/Info DVTPlugInCompatibilityUUID
#例如`ACA8656B-FEA8-4B6D-8E4A-93F4C95C362C cd ~/Library/Application Support/Developer/Shared/Xcode/Plug-ins/XVim.xcplugin/Contents
#打开Info.plist,并找到UUID array,把上面得到的`ACA8656B-FEA8-4B6D-8E4A-93F4C95C362C`加入load bundle or skip时,选择load bundleAlcatraz遇到mktemp错误的解决办法 wget https://raw.githubusercontent.com/supermarin/Alcatraz/deploy/Scripts/install.sh
#打开 install.sh,找到第10行,修改如下
TMP_FILE="$(/usr/bin/mktemp -t ${BUNDLE_ID})"保存,并赋予可执行权限,运行.
小组人员不是太多,dnsmasq足够支撑作为DNS服务器
pacman -S dnsmasq
vi/etc/dnsmasq.conf
#找到 listen-address,去掉注释;改为
listen-address=127.0.0.1,10.207.x.x
vi /etc/resolv.conf
nameserver 127.0.0.1
vi /etc/dnsmasq.conf
#找到 resolv-file 修改如下
resolv-file=/etc/resolv.dnsmasq.conf
#创建上游DNS服务器文件
cd /etc && touch resolv.dnsmasq.conf
vi resolv.dnsmasq.conf
#文件内容如下
# Google's nameservers, for example
nameserver 114.114.114.114
nameserver 8.8.8.8vi /etc/dnsmasq.conf
#找到 conf-dir 去掉注释
conf-dir=/etc/dnsmasq.d/,*.conf
#创建内网域名解析文件
mkdir -p /etc/dnsmasq.d
vi /etc/dnsmasq.d/nameserver.conf
#设置域名解析内容(server 让域名从指定的ip去查找dns服务)
server=/leju.dev/127.0.0.1
server=/.yjiang.dev/10.207.x.x
#指定ip 类似hosts硬解)
address=/leju.dev/127.0.0.1还可以配合 google hosts 文件实现自动翻墙
systemctl enable dnsmasq.service
systemctl restart dnsmasq.service
/etc/dnsmasq.conf中的listen-address=127.0.0.1,10.207.x.x必须加127.0.0.1;不然本地无法监听dns服务导致别人可以正常访问而DNS服务器本机不行.
/etc/dnsmasq.conf中的server=114.114.114.114为设置上游dns
测试平台 :DigitalOcean VPS ubuntu14.04 x64, strongswan5.2.2
运行以下命令请使用root权限
由于ubuntu软件仓库中strongswan版本较低,因此从官网源码编译安装
apt-get install build-essential #编译环境
aptitude install libgmp10 libgmp3-dev libssl-dev pkg-config libpcsclite-dev libpam0g-dev #编译所需要的软件wget http://download.strongswan.org/strongswan-5.2.2.tar.bz2
tar -jxvf strongswan-5.2.2.tar.bz2 && cd strongswan-5.2.2
./configure --prefix=/usr --sysconfdir=/etc --enable-openssl --enable-nat-transport --disable-mysql --disable-ldap --disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
make&& make installwin7+和Android、wp8.1等平台的VPN客户端走ikev2协议,需要制作相应的证书
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CN, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pemipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=VPS的公网ip或域名" --san="VPS的公网ip或域名" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pemipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CN, O=strongSwan, CN=client" --outform pem > clientCert.pem生成的客户端证书 clientCert.pem 不能直接导入到win7+或Anroid设备中,需先转换为.p12格式。执行后会提示要设置证书使用密码,可以设置一下密码也可以直接回车(密码为空)
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12cp caCert.pem /etc/ipsec.d/cacerts/
cp serverCert.pem /etc/ipsec.d/certs/
cp serverKey.pem /etc/ipsec.d/private/客户端安装caCert.pem与clientCert.pem(clientCert.p12),下载文件可使用ftp软件,或使用
cat caCert.pem及cat clientCert.pem命令,将打印出的内容直接复制到本地即可。
config setup
strictcrlpolicy = yes
cachecrls = yes
uniqueids = yes #允许多设备同时在线
conn %default
left=%any
leftsubnet=0.0.0.0/0
right=%any
rightsourceip=10.11.1.0/24
rightdns=8.8.8.8,8.8.4.4
conn ikev1
keyexchange=ikev1
leftauth=psk
rightauth=psk
rightauth2=xauth
auto=add
conn windows7
keyexchange=ikev2
ike=aes256-sha1-modp1024!
rekey=no
leftauth=pubkey
leftcert=server.cert.pem
rightauth=eap-mschapv2
rightsourceip=10.31.2.0/24
rightsendcert=never
rightdns=8.8.8.8,8.8.4.4
eap_identity=%any
auto=add: RSA server.pem
: PSK "foo" #设置的证书密码
username : XAUTH "passwd"
username2 : EAP "passwd" #windows用户对于windowsphone8.1,在客户端输入的用户名发送到服务器显示为
设备名称\用户名的形式,故认证需加上设备名称,设备名称在设置-关于-手机信息中查看
#加入分配的dns
charon {
dns1 = 8.8.8.8
dns2 = 208.67.222.222
}iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
#开启转发
vi /etc/sysctl.conf
#打开注释
net.ipv4.ip_forward = 1
#执行
sysctl -p
iptables -t nat -A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE #地址与上面地址池对应
iptables -A FORWARD -s 10.11.1.0/24 -j ACCEPT #同上
#为避免VPS重启后NAT功能失效,可以把如上5行命令添加到 /etc/rc.local 文件中,添加在exit那一行之前即可。ipsec start ipsec start --noforkCopyright © 2016 yjiang's cake