linux上的vpn服务器？

Question

应用场景：阿里云服务器上有些服务需要访问国外的供应商，不使用vpn的话会比较慢。之前有搭建过Shadowsocks+privoxy ，但是效果不佳（它是将socket转为http，会影响我其它的一些服务使用）

怪我咯 · Answer

Use a ladder, it’s not expensive and very stable

PHP中文网 · Answer

I don’t know what kind of Linux distribution yours is, so I might as well put CentOS.
YOUR_IPSEC_PSK
YOUR_USERNAME
YOUR_PASSWORD
Just fill in the key user name and password respectively, and other parameter scripts will automatically obtain and install automatically.

#!/bin/sh
#
# Script for automatic setup of an IPsec VPN server on CentOS/RHEL 6 & 7.
# Works on dedicated servers and any KVM- or Xen-based Virtual Private Server (VPS).
#
# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN
# ON YOUR DEDICATED SERVER OR VPS!
#
# Copyright (C) 2015-2016 Lin Song 
# Based on the work of Thomas Sarlandie (Copyright 2012)
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!

# ===========================================================

# Define your own values for these variables
# - IPsec pre-shared key, VPN username and password
# - All values MUST be placed inside 'single quotes'
# - DO NOT use these characters within values:  \ " '

YOUR_IPSEC_PSK=''
YOUR_USERNAME=''
YOUR_PASSWORD=''

# Important Notes:   https://git.io/vpnnotes
# Setup VPN Clients: https://git.io/vpnclients

# ===========================================================

# Check https://libreswan.org for the latest version
SWAN_VER=3.17

export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

echoerr() { echo "$@" 1>&2; }

if [ ! -f /etc/redhat-release ]; then
  echoerr "This script only supports CentOS/RHEL."
  exit 1
fi

if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then
  echoerr "This script only supports CentOS/RHEL 6 and 7."
  exit 1
fi

if [ -f /proc/user_beancounters ]; then
  echoerr "This script does not support OpenVZ VPS."
  exit 1
fi

if [ "$(id -u)" != 0 ]; then
  echoerr "Script must be run as root. Try 'sudo sh rrreee'"
  exit 1
fi

eth0_state=$(cat /sys/class/net/eth0/operstate 2>/dev/null)
if [ -z "$eth0_state" ] || [ "$eth0_state" = "down" ]; then
cat 1>&2 <<'EOF'
Network interface 'eth0' is not available. Aborting.

Run 'cat /proc/net/dev' to find the name of the active network interface,
then search and replace ALL 'eth0' and 'eth+' in this script with that name.
EOF
exit 1
fi

[ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK"
[ -n "$YOUR_USERNAME" ] && VPN_USER="$YOUR_USERNAME"
[ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD"

if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then
  echo "VPN credentials not set by user. Generating random PSK and password..."
  echo
  VPN_IPSEC_PSK="$(< /dev/urandom tr -dc 'A-HJ-NPR-Za-km-z2-9' | head -c 16)"
  VPN_USER=vpnuser
  VPN_PASSWORD="$(< /dev/urandom tr -dc 'A-HJ-NPR-Za-km-z2-9' | head -c 16)"
fi

if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
  echoerr "All VPN credentials must be specified. Edit the script and re-enter them."
  exit 1
fi

echo "VPN setup in progress... Please be patient."
echo

# Create and change to working dir
mkdir -p /opt/src
cd /opt/src || exit 1

# Make sure basic commands exist
yum -y install wget bind-utils openssl
yum -y install iproute gawk grep sed net-tools

cat <<'EOF'

Trying to auto discover IPs of this server...

In case the script hangs here for more than a few minutes,
use Ctrl-C to interrupt. Then edit it and manually enter IPs.

EOF

# In case auto IP discovery fails, you may manually enter server IPs here.
# If your server only has a public IP, put that public IP on both lines.
PUBLIC_IP=${VPN_PUBLIC_IP:-''}
PRIVATE_IP=${VPN_PRIVATE_IP:-''}

# In Amazon EC2, these two variables will be retrieved from metadata
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(wget -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')

# Try to find IPs for non-EC2 servers
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')

# Check IPs for correct format
IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then
  echoerr "Cannot find valid public IP. Edit the script and manually enter IPs."
  exit 1
fi
if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
  echoerr "Cannot find valid private IP. Edit the script and manually enter IPs."
  exit 1
fi

# Add the EPEL repository
yum -y install epel-release
yum list installed epel-release >/dev/null 2>&1
[ "$?" != "0" ] && { echoerr "Cannot add EPEL repository. Aborting."; exit 1; }

# Install necessary packages
yum -y install nss-devel nspr-devel pkgconfig pam-devel \
    libcap-ng-devel libselinux-devel \
    curl-devel flex bison gcc make \
    fipscheck-devel unbound-devel xmlto
yum -y install ppp xl2tpd

# Install Fail2Ban to protect SSH
yum -y install fail2ban

# Install IP6Tables
if grep -qs "release 6" /etc/redhat-release; then
  yum -y install iptables-ipv6
fi

# Installed Libevent2
if grep -qs "release 6" /etc/redhat-release; then
  yum -y remove libevent-devel
  yum -y install libevent2-devel
elif grep -qs "release 7" /etc/redhat-release; then
  yum -y install libevent-devel
fi

# Compile and install Libreswan
swan_file="libreswan-${SWAN_VER}.tar.gz"
swan_url1="https://download.libreswan.org/$swan_file"
swan_url2="https://github.com/libreswan/libreswan/archive/v${SWAN_VER}.tar.gz"
wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"
[ "$?" != "0" ] && { echoerr "Cannot download Libreswan source. Aborting."; exit 1; }
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || { echoerr "Cannot enter Libreswan source dir. Aborting."; exit 1; }
echo "WERROR_CFLAGS =" > Makefile.inc.local
make -s programs && make -s install

# Verify the install and clean up
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
[ "$?" != "0" ] && { echoerr; echoerr "Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }

# Create IPsec (Libreswan) config
sys_dt="$(date +%Y-%m-%d-%H:%M:%S)"
/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$sys_dt" 2>/dev/null
cat > /etc/ipsec.conf </dev/null
cat > /etc/ipsec.secrets </dev/null
cat > /etc/xl2tpd/xl2tpd.conf </dev/null
cat > /etc/ppp/options.xl2tpd </dev/null
cat > /etc/ppp/chap-secrets </dev/null
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
echo "${VPN_USER}:${VPN_PASSWORD_ENC}:xauth-psk" > /etc/ipsec.d/passwd

# Update sysctl settings
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$sys_dt" 2>/dev/null
cat >> /etc/sysctl.conf </dev/null
service fail2ban stop >/dev/null 2>&1
if [ "$(iptables-save | grep -c '^\-')" = "0" ]; then
cat > /etc/sysconfig/iptables < /etc/sysconfig/iptables
iptables-save >> /etc/sysconfig/iptables
fi
fi

# Create basic IPv6 rules
if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/ip6tables; then
/bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-$sys_dt" 2>/dev/null
cat > /etc/sysconfig/ip6tables < /etc/fail2ban/jail.local </dev/null
cat >> /etc/rc.local < /proc/sys/net/ipv4/ip_forward
EOF
fi

# Restore SELinux contexts
restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null

# Reload sysctl.conf
sysctl -q -p 2>/dev/null

# Update file attributes
chmod +x /etc/rc.local
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*

# Apply new IPTables rules
iptables-restore < /etc/sysconfig/iptables
ip6tables-restore < /etc/sysconfig/ip6tables >/dev/null 2>&1

# Restart services
service fail2ban stop >/dev/null 2>&1
service ipsec stop >/dev/null 2>&1
service xl2tpd stop >/dev/null 2>&1
service fail2ban start
service ipsec start
service xl2tpd start

cat <

黄舟 · Answer

HTTP you can try n2n + Nginx forward proxy

Use n2n to create a tunnel between two VPS, and the two computers will run on the same LAN
Use Nginx to establish a forward proxy on the foreign VPS
Use virtual intranet IP+Forward proxy port numberAccess HTTP proxy service on foreign VPS

There is also V2way you can try, which comes with HTTP proxy function, uses its own protocol, and supports automatic switching of multiple ports
The disadvantage is that the delay is relatively large

怪我咯 · Answer

The question you asked is to let your Alibaba Cloud Linux server access foreign resources. I had the same scenario and solved it like this, without using third-party software or tools.
First of all, I also purchased the cheapest Hong Kong host from Alibaba Cloud, and then used ssh forward proxy.
The tunnel monitors the local port and provides a secure connection for ordinary activities, that is, a socket proxy

ssh -qTfnN -L port:host:hostport -l user remote_ip

To put it simply

ssh -D 7000 root@202.102.1.1 
//假设202.102.1.1是香港服务器哈，输入密码。。。搞定

If instability problems are found, error ignoring and compressed transmission can be added

ssh -qTfnN -D 7000 root@202.102.1.1

This is equivalent to creating a local 7000 sock proxy
Basically, many command line software provide an http proxy server interface. Enter 127.0.0.1 port 7000 to access the Internet through the proxy

阿神 · Answer

You can use fs to accelerate or sharp speed to accelerate. Double the package, very soon!