CentOS VPS + BlackBerry VPN tutorial

1 December 2012 | Category: Mobile circumvention

@bao3 spent days and nights working on a BlackBerry VPN solution and finally got a result: chinablock.me/bbvpn (needs circumvention to access). He did it by installing racoon on Debian, but my VPS runs CentOS under Xen, so the method differs slightly. The config files basically follow his write-up, and I also referred to the solution here. Thanks to them for their efforts.

1. Install IPSec-tools/racoon

wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-0.8.0-1.el5.pp.i386.rpm
wget ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/i386/ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm
yum localinstall --nogpgcheck ipsec-tools-libs-0.8.0-1.el5.pp.i386.rpm ipsec-tools-0.8.0-1.el5.pp.i386.rpm

2. Configuration (see @bao3's article for an explanation of the options)

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log warning;
remote anonymous {
    exchange_mode aggressive;
    lifetime time 1440 min;
    initial_contact on;
    verify_identifier on;
    mode_cfg on;
    ike_frag on;
    passive on;
    proposal_check obey;
    generate_policy unique;
    nat_traversal on;
    dpd_delay 200;
    proposal {
        encryption_algorithm aes 256; #3des,des;
        hash_algorithm sha1;
        authentication_method xauth_psk_server; #pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    lifetime time 10 min;
    encryption_algorithm aes 256, 3des, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    #compression_algorithm deflate;
    compression_algorithm lzs;
}
padding {
    #to hinder guessing
    randomize on;
    randomize_length on;
    strict_check off;
    exclusive_tail on;
}
mode_cfg {
    auth_source system;
    conf_source local;
    default_domain "local";
    pool_size 10;
    network4 10.0.88.100;
    netmask4 255.255.255.0;
    dns4 8.8.8.8;
    banner "/etc/racoon/motd";
    auth_throttle 3;
    #pfs_group 2;
}

3. Edit psk.txt (replace the test entry with your own)
# cat /etc/racoon/psk.txt

#group name group Secret
test test

4. Add a welcome message (motd, optional)
# cat /etc/racoon/motd

Welcome to IPSec world!

5. Modify iptables
See the Xen section of "Differences in configuring iptables for a VPN under Xen and OpenVZ"

iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A FORWARD -s 10.0.88.0/255.255.255.0 -j ACCEPT
iptables -A POSTROUTING -s 10.0.88.0/255.255.255.0 -o eth0 -j MASQUERADE
service iptables save
service iptables restart

Supplement: if "iptables -A POSTROUTING" fails with "iptables: No chain/target/match by that name",
the cause is that the nat table was not specified (the filter table is the default). The fix is to add the "-t nat" option, see: http://is.gd/3PFk4O
iptables -t nat -A POSTROUTING -s 10.0.88.0/255.255.255.0 -o eth0 -j MASQUERADE

5. Set net.ipv4.ip_forward to 1

sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p

6. Register the racoon service and start it

chkconfig racoon on
service racoon start

Debug command: # racoon -d -F -f /etc/racoon/racoon.conf

If there are no errors, press Ctrl+C to quit and run it as a service instead; the log output goes to:
cat /var/log/messages

Clear the log before debugging again:
cat /dev/null > /var/log/messages
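Before starting the service, a preflight check over the files edited in steps 3 and 5 catches the mistakes that otherwise only show up in /var/log/messages: a psk.txt that racoon rejects for loose permissions or that still carries the placeholder secret, ip_forward left at 0, and a POSTROUTING rule without "-t nat". This is an added example, not code from the original post or from racoon; it assumes GNU stat and awk (as on CentOS) and takes file paths as parameters so it can be run against constructed copies.

```shell
#!/bin/sh
# Preflight checks for the racoon XAuth-PSK setup above. Added example, not
# from the original post or from racoon; assumes GNU stat/awk as on CentOS.
# Each check takes a file path so it can run against constructed copies.

# check_psk_file FILE: 0 if the pre_shared_key file is usable, else 1.
# racoon refuses a psk file that is group- or world-accessible, and the
# "test test" line from the post is a placeholder that must be replaced.
check_psk_file() {
    f="$1"
    [ -f "$f" ] || { echo "psk: $f not found"; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        ?00) ;;                           # owner-only access, e.g. 600
        *) echo "psk: mode $mode, must be 600"; return 1 ;;
    esac
    # every non-comment, non-blank line must be "<identifier> <secret>"
    bad=$(awk '!/^[[:space:]]*(#|$)/ && NF < 2' "$f" | wc -l)
    [ "$bad" -eq 0 ] || { echo "psk: $bad malformed line(s)"; return 1; }
    if awk '!/^[[:space:]]*(#|$)/ && $2 == "test" {p=1} END {exit !p}' "$f"; then
        echo "psk: placeholder secret \"test\" still present"; return 1
    fi
    return 0
}

# check_ip_forward SYSCTL_CONF: 0 if net.ipv4.ip_forward = 1 is set.
check_ip_forward() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# check_nat_rules SCRIPT: 0 if every POSTROUTING rule names the nat table,
# which is the "No chain/target/match by that name" fix from step 5.
check_nat_rules() {
    awk '/POSTROUTING/ && !/-t nat/ {bad++} END {exit bad > 0}' "$1"
}

# Constructed sample inputs so the script runs offline (not real files).
d=$(mktemp -d)
printf '#group name group Secret\nbbgroup correct-horse-staple\n' > "$d/psk.txt"
chmod 600 "$d/psk.txt"
printf 'net.ipv4.ip_forward = 1\n' > "$d/sysctl.conf"
printf 'iptables -t nat -A POSTROUTING -s 10.0.88.0/24 -o eth0 -j MASQUERADE\n' > "$d/fw.sh"
check_psk_file "$d/psk.txt" && check_ip_forward "$d/sysctl.conf" \
    && check_nat_rules "$d/fw.sh" && echo "preflight OK"
rm -rf "$d"
```

Run it against /etc/racoon/psk.txt, /etc/sysctl.conf and your iptables script after editing them; each check prints the reason when it fails.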

7. BlackBerry client configuration
Search for "Cisco IPSec VPN installation and configuration guide" and you will find many PDF files. Follow scheme 1 and watch out for a few places where it is easy to go wrong:
a) "Enable extended authentication" must be checked.
b) For the IPSec encryption and hash group, choose the combination of the IKE cipher (e.g. AES 256) and the IKE hash (e.g. HMAC SHA1 160), such as AES256-SHA1.
c) For the login group use the settings from step 3; for the user, use a VPS account, which can be created with "useradd username -s /sbin/nologin -M".

A configuration guide for reference: Cisco_IPSec_VPN_Guide_for_BlackBerry_v1.3.pdf

8. Problems
a) ERROR: racoon: MLS support is not enabled. // ignore it
b) ERROR: libipsec failed pfkey open (Address family not supported by protocol) // your VPS does not support "modprobe af_key"; probably hopeless, see http://blog.csdn.net/open_free_share/article/details/5159112
c) ERROR: no suitable proposal found. // item a) of step 7 above was not checked.

9. Verification
After connecting successfully according to the configuration guide above, download the official Twitter client: visit http://blackberry.com/twitter in the phone's built-in browser (direct connection); if you have no BlackBerry App World account, choose the second button to complete the installation.

If you start the Twitter client first and then turn on the VPN, login may fail; the fix is to reboot or kill the process (including the twitter_lib process?).

Summary: too few BlackBerry programs can go through the VPN. The official Twitter client works, the built-in BlackBerry browser does not; ucweb reportedly works, but I have not tried it.

PS. It only works over WiFi; thanks to @ffxk for the addition.

Original: http://lordong.me/wp/post/1420.html

  1. 27 December 2014 21:23

    Nice, thanks.

  2. AS
    1 December 2012 20:04
  3. AS
    1 December 2012 19:27

    http://advocacy.globalvoicesonline.org/2012/12/01/to-the-netizens-of-china-from-a-netizen-of-pakistan/
    “Open Letter: To the Netizens of China, From a Netizen of Pakistan
    Written by Sana Saleem
    Posted 1 December 2012 7:39 GMT
    Categories: Advocacy, China, Feature, Freedom of Expression, Pakistan, Regulation, Surveillance, TYPE

    To the Netizens of China,


    I am writing this letter to you on behalf of many Pakistani Internet users who are currently fighting their government’s attempt to restrict their access to information. The 20 million Internet users in Pakistan are on the brink of being monitored, filtered and possibly silenced for their views, and we fear that the government of China and Chinese spy-tech companies are aiding this human rights violations. It is distressing that Chinese companies have been named as being involved in aiding authoritarian regimes. Chinese companies like ZTE Corp and Huwaei have been accused of aiding censorship in Libya and Iran. Although it is difficult to track China’s involvement, there are no qualms about China’s censorship model being an ideal for developing countries and authoritative regimes.

    I am writing this letter on behalf of many Pakistani netizens because I hope you will understand that we are fighting our government's measures to restrict access to information on the Internet. More than 20 million Internet users in Pakistan are on the brink of being monitored, filtered and silenced. We worry that the Chinese government and Chinese surveillance-technology companies have also helped this violation of human rights, so we hope you will be informed and supportive. Some Chinese companies, such as ZTE and Huawei, have assisted official censorship programs and have been exposed as participating in Internet censorship in Libya and Iran. Although it is hard to trace the details of their involvement, there is no doubt that China's censorship model has been imitated by these developing countries and authoritarian regimes. …”

  4. AS
    1 December 2012 12:20

    New ver.:ExploitShield Browser Edition 0.8
    http://www.zerovulnerabilitylabs.com/home/exploitshield-browser-edition-0-8/

    Improved detection of memory exploits
    Improved detection of Java exploits
    Improved prevention of false positives
    Ability to run as a non-administrator user
    Fixes for various bugs and crashes

    1 December 2012