npx skills add https://github.com/chaterm/terminal-skills --skill vpn
VPN 配置与管理
概述
OpenVPN、WireGuard、IPSec VPN 配置与管理技能。
WireGuard
安装
# Debian/Ubuntu
apt install wireguard
# CentOS/RHEL
# NOTE(review): this pulls the WireGuard kernel module from the third-party
# ELRepo repository. It is only needed when the target kernel has no in-tree
# wireguard module — confirm for the specific release before trusting an
# external repo on a VPN gateway.
yum install epel-release elrepo-release
yum install kmod-wireguard wireguard-tools
# Verify the install (prints the wireguard-tools version)
wg --version
生成密钥
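# Key generation. The private key and pre-shared key are written to plain
# files, so restrict the umask first: with a typical default umask the files
# would be created readable by every local user.
umask 077
# Generate the private key
wg genkey > privatekey
# Derive the public key from the private key
wg pubkey < privatekey > publickey
# Both steps in one pipeline
wg genkey | tee privatekey | wg pubkey > publickey
# Optional pre-shared key: a symmetric secret added on top of the key pair.
# Treat it like the private key — it must reach the peer over a trusted
# channel (never in the same e-mail/chat as the public config).
wg genpsk > presharedkey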
服务端配置
# /etc/wireguard/wg0.conf (server)
# Contains the server private key in clear text: keep it root-owned, mode 0600.
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>
# Enable IP forwarding: accept forwarded packets from wg0 and NAT them out of
# eth0. These rules only have an effect once net.ipv4.ip_forward=1 is set (see
# the troubleshooting section), and "eth0" must be the real uplink interface.
# MASQUERADE is only needed when clients must reach networks beyond the
# server; for pure site-to-site routing it can be dropped.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <client_public_key>
# AllowedIPs is both a route and a source ACL: packets from this peer with any
# other source address are dropped, so keep it as narrow as possible.
AllowedIPs = 10.0.0.2/32
客户端配置
# /etc/wireguard/wg0.conf (client)
# Holds the client private key: mode 0600, root-owned.
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client_private_key>
# All name resolution goes to a third-party public resolver (8.8.8.8) while the
# tunnel is up; use an internal resolver if DNS privacy matters.
DNS = 8.8.8.8
[Peer]
PublicKey = <server_public_key>
Endpoint = server.example.com:51820
# Full tunnel for IPv4 only. IPv6 is not listed, so any IPv6 traffic bypasses
# the VPN unless ::/0 is added here as well.
AllowedIPs = 0.0.0.0/0
# Periodic keepalive so NAT/firewall state between client and server stays open.
PersistentKeepalive = 25
管理命令
# Start (wg-quick and the systemd unit are alternatives — use one or the other,
# not both, or the second call fails because the interface already exists)
wg-quick up wg0
systemctl start wg-quick@wg0
# Stop
wg-quick down wg0
systemctl stop wg-quick@wg0
# Start on boot
systemctl enable wg-quick@wg0
# Show status (peers, endpoints, last handshake, transfer counters)
wg show
wg show wg0
# Add a peer at runtime
# NOTE: this changes only the live interface; the peer is gone after the next
# down/up unless it is also written to wg0.conf (e.g. `wg-quick save wg0`).
wg set wg0 peer <public_key> allowed-ips 10.0.0.3/32
OpenVPN
安装
# Debian/Ubuntu (easy-rsa provides the CA tooling used in the PKI section)
apt install openvpn easy-rsa
# CentOS/RHEL (easy-rsa comes from EPEL)
yum install epel-release
yum install openvpn easy-rsa
初始化 PKI
# Create the CA working directory
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
# Initialise the PKI
./easyrsa init-pki
# Create the CA
# NOTE: "nopass" leaves the CA private key unencrypted on disk. Anyone who can
# read it (typically pki/private/ca.key) can issue certificates every client
# and server will trust. Keep this directory off the VPN server — ideally on an
# offline machine — or omit "nopass" and protect the key with a passphrase.
./easyrsa build-ca nopass
# Generate and sign the server certificate (type "server" sets the server EKU)
./easyrsa gen-req server nopass
./easyrsa sign-req server server
# Generate DH parameters
./easyrsa gen-dh
# Generate the shared TLS control-channel key (used by tls-auth; the same file
# can be used with tls-crypt)
openvpn --genkey secret ta.key
# Generate and sign a client certificate (one per client, never shared)
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
服务端配置
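# /etc/openvpn/server.conf
port 1194
proto udp
dev tun
# PKI material from the easy-rsa steps; relative paths resolve against the
# config directory.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC-protect the control channel with the shared ta.key (direction 0 on the
# server, 1 on the client). "tls-crypt ta.key" would also encrypt it; if you
# switch, switch the client too — tls-auth and tls-crypt must match.
tls-auth ta.key 0
# Certificates revoked with "easyrsa revoke" are only rejected when the CRL is
# loaded here; without this directive revocation has no effect. Copy pki/crl.pem
# next to this file after every "easyrsa gen-crl" and keep it readable by the
# unprivileged "nobody" user, since OpenVPN consults it when clients connect.
crl-verify crl.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Full tunnel: clients route all traffic through the VPN.
push "redirect-gateway def1 bypass-dhcp"
# Pushed resolvers are third-party public DNS; replace with an internal
# resolver if query privacy matters.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# NOTE(review): OpenVPN 2.5+ negotiates the data-channel cipher through
# "data-ciphers"; "cipher" is retained for older clients — confirm the deployed
# version.
cipher AES-256-GCM
auth SHA256
# Drop privileges after start-up; persist-key/persist-tun allow restarts
# without re-reading keys as root.
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3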
客户端配置
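# client.ovpn
client
dev tun
proto udp
remote server.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# PKI material; client1.key is a secret — keep the file mode 0600.
ca ca.crt
cert client1.crt
key client1.key
# Must mirror the server's tls-auth line (key direction 1 on the client).
tls-auth ta.key 1
# Only accept a peer whose certificate carries the server EKU. Without this,
# anyone holding a valid *client* certificate from the same CA could stand up
# a rogue server and the client would connect to it. easy-rsa's
# "sign-req server" issues certificates with that EKU, so this works as-is.
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3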
管理命令
# Start the service
# NOTE(review): the unit name depends on distro and OpenVPN version; newer
# packages use openvpn-server@server with /etc/openvpn/server/server.conf.
systemctl start openvpn@server
systemctl enable openvpn@server
# Check status
systemctl status openvpn@server
# List connected clients
cat /var/log/openvpn-status.log
# Revoke a client certificate
cd ~/openvpn-ca
./easyrsa revoke client1
./easyrsa gen-crl
# Revocation only takes effect once the server loads the new CRL: copy
# pki/crl.pem next to server.conf and make sure server.conf references it with
# "crl-verify crl.pem" — a config without that directive keeps accepting the
# revoked certificate.
IPSec (strongSwan)
安装
# Debian/Ubuntu (the -pki package supplies the `ipsec pki` certificate tool
# used in the next section)
apt install strongswan strongswan-pki
# CentOS/RHEL
yum install strongswan
生成证书
# Generate the CA (4096-bit RSA key, self-signed certificate valid 3650 days)
# The CA key is written unencrypted: run `umask 077` first, chmod 600 the
# result, and keep it off the VPN host if possible — whoever holds it can mint
# server certificates every client trusts.
ipsec pki --gen --type rsa --size 4096 --outform pem > ca-key.pem
ipsec pki --self --ca --lifetime 3650 \
--in ca-key.pem --type rsa \
--dn "CN=VPN CA" \
--outform pem > ca-cert.pem
# Generate the server certificate (valid 1825 days). The --san must equal the
# hostname clients connect to and the leftid in ipsec.conf; the serverAuth /
# ikeIntermediate flags are what common OS-native IKEv2 clients require.
ipsec pki --gen --type rsa --size 4096 --outform pem > server-key.pem
ipsec pki --pub --in server-key.pem --type rsa | \
ipsec pki --issue --lifetime 1825 \
--cacert ca-cert.pem --cakey ca-key.pem \
--dn "CN=vpn.example.com" \
--san vpn.example.com \
--flag serverAuth --flag ikeIntermediate \
--outform pem > server-cert.pem
服务端配置
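# /etc/ipsec.conf
# NOTE: ipsec.conf is whitespace-sensitive — every parameter line under a
# "config"/"conn" header must be indented, otherwise strongSwan rejects the file.
config setup
    # Verbose IKE/kernel/config logging. Handy while bringing the VPN up, but it
    # records identities and connection details — lower it once in production.
    charondebug="ike 2, knl 2, cfg 2"
    # Allow one identity to hold several concurrent SAs (multi-device users).
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    # The server does not initiate rekeying; clients are expected to.
    rekey=no
    left=%any
    # Must match the CN/SAN of server-cert.pem and the host clients dial.
    leftid=@vpn.example.com
    leftcert=server-cert.pem
    leftsendcert=always
    # Full tunnel: clients route all traffic through the server.
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # Username/password (EAP-MSCHAPv2) inside the IKE SA. Its safety rests on
    # the client verifying the server certificate before sending credentials;
    # a client that skips that check can be tricked into revealing its
    # password hash to a rogue server.
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    # Third-party public resolvers; use an internal resolver if DNS must stay
    # private.
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity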
用户配置
# /etc/ipsec.secrets
# Plain-text credentials: keep this file root-owned with mode 0600 and never
# commit it to a repository.
# Private key for the server certificate (by default looked up under
# /etc/ipsec.d/private).
: RSA "server-key.pem"
# EAP users. "password1"/"password2" are placeholders — use long random
# secrets, one per user, and rotate them when a device is lost.
user1 : EAP "password1"
user2 : EAP "password2"
管理命令
# Start
systemctl start strongswan
systemctl enable strongswan
# Reload configuration: "reload" re-reads ipsec.conf, "rereadall" re-reads
# secrets and certificates (run it after editing ipsec.secrets)
ipsec reload
ipsec rereadall
# Show status (statusall includes the active SAs)
ipsec statusall
ipsec status
# List loaded credentials (certificates, keys, CRLs)
ipsec listall
# NOTE(review): the `ipsec` CLI is the legacy stroke interface; newer strongSwan
# packages use `swanctl`/swanctl.conf and a different unit name — confirm which
# one the target package ships.
常见场景
场景 1：WireGuard 站点到站点
# Site A config
[Interface]
Address = 10.0.0.1/24
PrivateKey = <site_a_private>
ListenPort = 51820
[Peer]
PublicKey = <site_b_public>
Endpoint = site-b.example.com:51820
# Routes to, and accepts source addresses from, site B's tunnel address and
# LAN. Both gateways need net.ipv4.ip_forward=1 and a FORWARD rule, and site
# A's LAN hosts must route 192.168.2.0/24 via this gateway.
AllowedIPs = 10.0.0.2/32, 192.168.2.0/24
# Site B config
[Interface]
Address = 10.0.0.2/24
PrivateKey = <site_b_private>
ListenPort = 51820
[Peer]
PublicKey = <site_a_public>
Endpoint = site-a.example.com:51820
# Mirror of site A: route/accept site A's tunnel address and LAN. Each LAN
# prefix must appear on exactly one peer, or WireGuard will refuse the config.
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24
场景 2：分流配置
# WireGuard split tunnel: only the listed networks go through the VPN;
# everything else, including DNS unless DNS= points inside the tunnel, keeps
# using the normal default route.
[Peer]
PublicKey = <server_public_key>
Endpoint = server.example.com:51820
AllowedIPs = 10.0.0.0/24, 192.168.100.0/24
场景 3：多用户管理脚本
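#!/bin/bash
# add-wg-client.sh — generate a WireGuard key pair and a client config for one
# user, then print the [Peer] stanza to append to the server config.
#
# Usage: add-wg-client.sh <client_name> <last_octet>
#   client_name  file-name prefix; restricted to [A-Za-z0-9_-] so it cannot
#                smuggle a path component ("../etc/x") into the output paths
#   last_octet   host part of the 10.0.0.0/24 address (2-254; .1 is the server)
#
# Output files (in the current directory): <name>_private, <name>_public,
# <name>.conf. The private key is embedded in <name>.conf, so both files are
# secrets — hand them to the user over a trusted channel and delete local
# copies afterwards.
set -euo pipefail

readonly SERVER_PUBLIC_KEY="<server_public_key>"
readonly SERVER_ENDPOINT="vpn.example.com:51820"

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ $# -ne 2 ]]; then
  die "usage: ${0##*/} <client_name> <last_octet>"
fi
client_name=$1
octet=$2
if [[ ! "$client_name" =~ ^[A-Za-z0-9_-]+$ ]]; then
  die "invalid client name: $client_name"
fi
if [[ ! "$octet" =~ ^[0-9]+$ ]] || (( octet < 2 || octet > 254 )); then
  die "last octet must be a number between 2 and 254"
fi
if [[ -e "${client_name}.conf" ]]; then
  die "${client_name}.conf already exists; refusing to overwrite"
fi

# Every file created below holds key material: make them mode 0600.
umask 077

# Generate the key pair
wg genkey | tee "${client_name}_private" | wg pubkey > "${client_name}_public"

# Generate the client config (full IPv4 tunnel; DNS goes to a public resolver)
cat > "${client_name}.conf" << EOF
[Interface]
PrivateKey = $(cat "${client_name}_private")
Address = 10.0.0.${octet}/24
DNS = 8.8.8.8
[Peer]
PublicKey = ${SERVER_PUBLIC_KEY}
Endpoint = ${SERVER_ENDPOINT}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF

# Server-side stanza; only the public key leaves this machine.
printf '%s\n' "添加到服务器："
printf '%s\n' "[Peer]"
printf 'PublicKey = %s\n' "$(cat "${client_name}_public")"
printf 'AllowedIPs = 10.0.0.%s/32\n' "$octet"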
故障排查
| 问题 | 排查方法 |
|---|---|
| 连接失败 | 检查防火墙、端口、密钥配置 |
| 握手失败 | 检查公钥配置、时间同步 |
| 无法访问内网 | 检查 AllowedIPs、路由、IP 转发 |
| 性能差 | 检查 MTU、加密算法 |
# WireGuard debugging
wg show
dmesg | grep wireguard
# Capture on the listen port: payloads are encrypted, but this confirms whether
# handshake packets reach the host at all
tcpdump -i any port 51820
# OpenVPN debugging
tail -f /var/log/openvpn.log
tcpdump -i any port 1194
# IPSec debugging
ipsec statusall
journalctl -u strongswan -f
# Check IP forwarding (1 = enabled)
cat /proc/sys/net/ipv4/ip_forward
# NOTE: this setting is not persistent and is lost on reboot. Put
# "net.ipv4.ip_forward = 1" in /etc/sysctl.d/99-vpn.conf (plus the IPv6
# equivalent if the tunnel carries IPv6) so routing survives a restart.
sysctl net.ipv4.ip_forward=1