Installing and Configuring SoftEther VPN on pfSense and OPNsense

2023-08-13 16:44 | Source: compiled from the web | Views: 265

SoftEther VPN ("SoftEther" stands for "Software Ethernet") is one of the most powerful and easy-to-use multi-protocol VPN packages available. It runs on Windows, Linux, Mac, FreeBSD and Solaris.

SoftEther VPN is not only a drop-in alternative to existing VPN servers (OpenVPN, IPsec and MS-SSTP); it also has its own SSL-VPN protocol, designed to traverse even highly restrictive firewalls.

Features of SoftEther VPN (as listed by the project):

Free and open-source software.
Easy set-up of remote-access and site-to-site VPNs.
SSL-VPN tunnels over HTTPS pass through NAT and firewalls.
VPN over ICMP and VPN over DNS, for highly restrictive firewalls.
Ethernet bridging (L2) and IP routing (L3) over the VPN.
Built-in dynamic DNS and NAT traversal, so no static or fixed IP address is required.
AES 256-bit and RSA 4096-bit encryption.
Security functions such as logging and a firewall inside the VPN tunnel.
1 Gbps-class throughput with low memory and CPU usage.
Clients for Windows, Linux, Mac, Android, iPhone, iPad and Windows Mobile.
SSL-VPN (HTTPS) and six major VPN protocols (OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3 and EtherIP) supported as tunnel underlay protocols.
OpenVPN clone function for legacy OpenVPN clients.
IPv4/IPv6 dual stack.
The VPN server runs on Windows, Linux, FreeBSD, Solaris and Mac OS X.
All settings can be configured from the GUI.
Multi-language (English, Japanese and Simplified Chinese).
No memory leaks; high-quality, stable code suitable for long-running operation.
RADIUS / NT domain user authentication.
RSA certificate authentication.
Deep-inspection packet logging.
Source IP address control lists.
Syslog forwarding.

SoftEther VPN ships FreeBSD binaries, so it can run on pfSense and OPNsense. This article describes how to install and configure SoftEther VPN on both.

Installing and configuring SoftEther VPN on pfSense

Firewall software version used: pfSense Plus 23.01 (Chinese localized build).

Installing SoftEther VPN

Open the firewall's shell and run the following command to install the package:

pkg add -f https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/softether-4.41.9787.pkg

For later upgrades, search the same repository directory on pkg.freebsd.org for softether to find the current package URL. Two caveats before running this: pkg add installs a single package file and, unlike pkg install from a configured and signed repository, does not verify it against a repository signing key, so the only protection is the HTTPS download itself; and -f forces the install past pkg's ABI check (the package is built for FreeBSD:13, while pfSense 23.01 is FreeBSD:14 based, as the output shows). Check that the binaries actually run after a forced install. The output of the install command:

[23.01-RELEASE][[email protected]]/root: pkg add -f https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/softether-4.41.9787.pkg
Fetching softether-4.41.9787.pkg: 100%    3 MiB  16.1kB/s    03:10
Installing softether-4.41.9787...
pkg: wrong architecture: FreeBSD:13:amd64 instead of FreeBSD:14:amd64
package softether is already installed, forced install
Extracting softether-4.41.9787: 100%
=====
Message from softether-4.41.9787:

--
To run SoftEtherVPN client from startup, run
    sysrc softether_client_enable=yes
To run SoftEtherVPN server from startup, run
    sysrc softether_server_enable=yes
To run SoftEtherVPN bridge from startup, run
    sysrc softether_bridge_enable=yes
To run SoftEtherVPN traffic server from startup, run
    sysrc softether_trafficserver_enable=yes

Initial and further configuration of all softether services can be done
either by using a Windows client to connect to the running services or by
vpncmd from command line.

Please note client functionality is not supported on FreeBSD right now.

When removing SoftEther VPN without the desire to reinstall, please ensure
to remove the following directories as well:
- /var/db/softether
- /var/log/softether
- /var/run/softether

The package message lists an rc.conf switch for each of the four services. The author enabled all four; for a VPN server only softether_server_enable is needed, and the message itself says the client is not supported on FreeBSD, so enabling the bridge, client and traffic server only adds daemons and listening ports you will not use. The commands as run:

[23.01-RELEASE][[email protected]]/root: sysrc softether_trafficserver_enable=yes
softether_trafficserver_enable:  -> yes
[23.01-RELEASE][[email protected]]/root: sysrc softether_client_enable=yes
softether_client_enable:  -> yes
[23.01-RELEASE][[email protected]]/root: sysrc softether_bridge_enable=yes
softether_bridge_enable:  -> yes
[23.01-RELEASE][[email protected]]/root: sysrc softether_server_enable=yes
softether_server_enable: yes -> yes

These commands add the following lines to /etc/rc.conf:

softether_server_enable="yes"
softether_trafficserver_enable="yes"
softether_client_enable="yes"
softether_bridge_enable="yes"

After installation, the package's files are in the following locations:

/usr/local/etc/rc.d/softether_bridge
/usr/local/etc/rc.d/softether_client
/usr/local/etc/rc.d/softether_server
/usr/local/etc/rc.d/softether_trafficserver
/usr/local/libexec/softether/hamcore.se2
/usr/local/libexec/softether/vpnbridge
/usr/local/libexec/softether/vpnclient
/usr/local/libexec/softether/vpncmd
/usr/local/libexec/softether/vpnserver
/usr/local/sbin/vpncmd

Starting SoftEther VPN

Run the following command to start the SoftEther VPN server:

/usr/local/libexec/softether/vpnserver start

To stop the SoftEther VPN server:

/usr/local/libexec/softether/vpnserver stop

The start command prints the following:

[23.01-RELEASE][[email protected]]/root: /usr/local/libexec/softether/vpnserver start
The SoftEther VPN Server service has been started.

Let's get started by accessing to the following URL from your PC:

https://202.101.151.20:5555/
  or
https://202.101.151.20/

Note: IP address may vary. Specify your server's IP address.
A TLS certificate warning will appear because the server uses self signed certificate by default. That is natural. Continue with ignoring the TLS warning.

As the message says, the configuration interface is reachable at https://202.101.151.20:5555 or https://202.101.151.20. The certificate is self-signed, so when you connect over a network you do not control, verify its fingerprint against the one on the server rather than simply clicking through the warning.

That address is the firewall's WAN interface address, so a WAN firewall rule is needed before it can be reached from the Internet. SoftEther listens on every interface (TCP 443, 992, 1194 and 5555 by default), so from the LAN side the same interface is reachable on the firewall's LAN address with no rule change; if you do administer it from the Internet, limit the rule's source to your own admin addresses.

Note: to run the SoftEther VPN client or bridge programs, use the same command format with vpnclient or vpnbridge in place of vpnserver.

Adding firewall rules

Go to Firewall > Rules, WAN tab, and add rules allowing TCP ports 5555 and 443 to the firewall. Because the author's ISP (as is common in China) blocks inbound port 443 on consumer lines, this example only adds 5555. Set the rule's source to the addresses you will administer from rather than any.

Once the rule is in place, the SoftEther VPN web management interface is reachable at https://202.101.151.20:5555.

Starting at boot

pfSense's boot sequence does not process /etc/rc.conf and the rc.d scripts of third-party packages the way stock FreeBSD does, so the sysrc settings above do not start the daemon by themselves. Install the Shellcmd package and add the following two boot commands.

1. Create the daemon's runtime directory (/var/run is not preserved across reboots):

mkdir /var/run/softether

2. Start the softether service:

/usr/local/etc/rc.d/softether_server start

Note that the two entries use different Shellcmd types. The type determines when in the boot sequence the command runs, and the directory must exist before the daemon is started.
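As an added example (not from the article, pfSense or SoftEther), the two Shellcmd entries above can be replaced by one script that enforces their order itself and then verifies that the daemon is actually listening. The paths are the ones listed on this page; the script name and the use of sockstat and logger (both standard FreeBSD tools) are my choices.

```shell
#!/bin/sh
# softether-boot.sh (name is an assumption): one boot script for pfSense's
# Shellcmd package that performs the two steps above in a fixed order and
# then checks the result. Added example, not part of the original article,
# pfSense or SoftEther. Paths are the ones listed earlier on this page.
#
# Install: copy to /usr/local/bin/softether-boot.sh, chmod 700, and add ONE
# Shellcmd entry:  /usr/local/bin/softether-boot.sh start

RUN_DIR="/var/run/softether"
RC_SCRIPT="/usr/local/etc/rc.d/softether_server"
MGMT_PORT=5555      # SoftEther's default management listener

log() {
    # syslog when available (pfSense: Status > System Logs), stderr always
    logger -t softether-boot "$*" 2>/dev/null || true
    echo "softether-boot: $*" >&2
}

# /var/run is not preserved across reboots (it may be a RAM disk), so the
# daemon's runtime directory has to be recreated every boot. Mode 700 keeps
# its PID/socket files readable by root only. Returns 1 if it cannot be made.
ensure_run_dir() {
    dir="${1:-$RUN_DIR}"
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
    fi
    chmod 700 "$dir" || return 1
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ]
}

# Start the daemon through the package's rc script. Returns 2 if the script is
# missing (package not installed, or removed by an upgrade), otherwise the rc
# script's own exit status.
start_server() {
    script="${1:-$RC_SCRIPT}"
    if [ ! -x "$script" ]; then
        log "rc script $script missing or not executable"
        return 2
    fi
    "$script" start
}

# Poll sockstat (FreeBSD's listening-socket lister; column 6 is the local
# address, e.g. *:5555) until something listens on the given TCP port, or give
# up after N one-second tries. Returns 1 on timeout.
wait_for_listener() {
    port="$1"
    tries="${2:-15}"
    while [ "$tries" -gt 0 ]; do
        if sockstat -l -P tcp 2>/dev/null | awk -v p="$port" '$6 ~ (":" p "$") { f = 1 } END { exit !f }'; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

main() {
    ensure_run_dir || { log "cannot create $RUN_DIR"; return 1; }
    start_server || return $?
    if wait_for_listener "$MGMT_PORT"; then
        log "vpnserver is listening on TCP $MGMT_PORT"
    else
        log "vpnserver did not start listening on TCP $MGMT_PORT"
        return 1
    fi
}

# Act only when invoked with "start", so sourcing the file does nothing.
if [ "${1:-}" = "start" ]; then
    main
fi
```

Because the order is fixed inside the script, a single Shellcmd entry of the default type is enough; the log lines end up in the pfSense system log, where a failed start is visible instead of silently leaving the VPN down after a reboot.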

Configuring SoftEther VPN

The SoftEther VPN web interface is very limited; use the SoftEther VPN Server Manager instead. In the Server Manager, click New Setting at the bottom left to create a connection.

Enter the connection details. Note that the password is left blank:

Click OK to return to the main window, then click Connect. On the first connection you are prompted to create an administrator password; after logging in with the new password you can configure SoftEther VPN. Until that password is set, anyone who can reach the management port can set it and take over the server, so do this before the WAN rule above is added (or with the rule limited to your own address), not after.

Installing and configuring SoftEther VPN on OPNsense

Firewall software version used: OPNsense 23.1.5_4.

Installing SoftEther VPN

Go to System > Firmware > Plugins, find os-softether-devel and click the install button on the right. Alternatively, install SoftEther VPN from the shell:

pkg install os-softether-devel

The install command prints the following (the plugin is still marked devel in the OPNsense repository):

root@OPNsense:~ # pkg install os-softether-devel
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
mimugmail repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	os-softether-devel: 0.3 [OPNsense]
	softether: 4.41.9787 [OPNsense]

Number of packages to be installed: 2

The process will require 10 MiB more space.

Proceed with this action? [y/N]: y
[1/2] Installing softether-4.41.9787...
[1/2] Extracting softether-4.41.9787: 100%
[2/2] Installing os-softether-devel-0.3...
[2/2] Extracting os-softether-devel-0.3: 100%
Stopping configd...done
Starting configd.
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/Softether: OK
=====
Message from softether-4.41.9787:
(the same package message as in the pfSense section follows: the four sysrc switches, the note that client functionality is not supported on FreeBSD, and the directories to remove on uninstall)

The package message again lists the rc.conf switches. On OPNsense the os-softether-devel plugin manages the service from the GUI (next section), so these manual entries are not needed for the server. The page reproduces the pfSense transcript at this point; the commands it ran are the same four:

sysrc softether_trafficserver_enable=yes
sysrc softether_client_enable=yes
sysrc softether_bridge_enable=yes
sysrc softether_server_enable=yes

These add the following lines to /etc/rc.conf:

softether_server_enable="yes"
softether_trafficserver_enable="yes"
softether_client_enable="yes"
softether_bridge_enable="yes"

Starting SoftEther VPN

Go to VPN > SoftEther in the firewall menu and tick Enable SoftEther.

Configuring SoftEther VPN

Run the SoftEther VPN Server Manager and click New Setting at the bottom left to create a connection.

The default address is the firewall's LAN address, port 443, with an empty password. OPNsense's own web GUI also listens on 443, so the two conflict. Rather than moving the firewall GUI, connect to one of SoftEther's other default listeners (5555, as in the pfSense section), or change the listener with vpncmd (ListenerCreate / ListenerDelete).

Click OK to return to the main window, then click Connect. The first connection prompts you to create an administrator password; after logging in with it you can configure SoftEther VPN. Until that password is set, anyone who can reach the port can set it, so do this before the service is reachable from anywhere beyond your admin host.

Configuring SoftEther VPN dynamic DNS

With the SoftEther VPN server running, its other functions become available. SoftEther provides a free dynamic DNS service (hostnames under softether.net); below is how to set it up on pfSense. Be aware that the DDNS client is enabled by default: without any action on your part it registers the firewall's public IP address under a random vpnNNNNNN.softether.net name with the SoftEther project's DDNS servers. If you do not want that, it cannot be turned off from the GUI; it is disabled by setting Disabled to true in the DDnsClient section of vpn_server.config.

Enabling dynamic DNS

In the SoftEther VPN Server Manager, click Dynamic DNS Setting at the bottom left.

Choose a hostname under which the pfSense firewall will be reachable.

The hostname change takes effect immediately.
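As an added example (not from the article or the SoftEther project), the three things the GUI walkthrough does one at a time, setting the administrator password on first connection, changing the listener ports mentioned in the OPNsense section, and setting the DDNS hostname, can be done in one pass from the firewall's own shell with vpncmd, before any WAN rule exists. The vpncmd options (/SERVER, /IN:) and the commands ServerPasswordSet, ListenerCreate, ListenerDelete, DynamicDnsSetHostname, VpnAzureSetEnable and ListenerList are SoftEther's own; the script name, the hostname pfwall (taken from this page) and the example port list are assumptions for illustration.

```shell
#!/bin/sh
# softether-firstrun.sh (name is an assumption): lock down a freshly started
# SoftEther VPN Server from the firewall's own shell, before it is reachable
# from the WAN. Added example, not part of the original article or of SoftEther.
#
# Usage: softether-firstrun.sh <new-admin-password> <ddns-hostname> <port-to-keep>...
#   e.g. softether-firstrun.sh 'S3cret-pass' pfwall 5555
# Run it once; afterwards every vpncmd call needs /PASSWORD:<new-admin-password>.

VPNCMD="/usr/local/libexec/softether/vpncmd"   # path listed on this page
SERVER="localhost:5555"                         # management listener this script connects through
SERVER_PORT="${SERVER##*:}"

# Listeners a fresh SoftEther server opens on every interface.
DEFAULT_PORTS="443 992 1194 5555"

# Print the vpncmd command script to stdout. Order matters: the password is set
# first (a blank admin password is accepted until then), new listeners are
# created before old ones are removed, and ListenerList at the end shows the
# result for the log.
build_commands() {
    password="$1"
    ddns_host="$2"
    shift 2
    keep=" $* "

    printf 'ServerPasswordSet %s\n' "$password"

    # Wanted ports that are not defaults (e.g. 5678 when 443 clashes with the firewall GUI).
    for port in "$@"; do
        case " $DEFAULT_PORTS " in
            *" $port "*) ;;
            *) printf 'ListenerCreate %s\n' "$port" ;;
        esac
    done

    # Every default listener not in the keep list is removed: fewer exposed ports.
    for port in $DEFAULT_PORTS; do
        case "$keep" in
            *" $port "*) ;;
            *) printf 'ListenerDelete %s\n' "$port" ;;
        esac
    done

    # Fixed DDNS name instead of the random vpnNNNNNN.softether.net one.
    if [ -n "$ddns_host" ]; then
        printf 'DynamicDnsSetHostname %s\n' "$ddns_host"
    fi

    # VPN Azure would make the server reachable through SoftEther's relay; keep it off.
    printf 'VpnAzureSetEnable no\n'
    printf 'ListenerList\n'
}

# Feed the generated script to vpncmd through a root-only temp file. On a fresh
# install the admin password is empty, so no /PASSWORD: option is passed here.
apply_commands() {
    if [ ! -x "$VPNCMD" ]; then
        echo "vpncmd not found at $VPNCMD" >&2
        return 2
    fi
    # Deleting the listener this session uses would cut the session off mid-script.
    shift 2 2>/dev/null
    case " $* " in
        *" $SERVER_PORT "*) ;;
        *) echo "warning: $SERVER_PORT is the port this script connects through; keep it or change SERVER" >&2 ;;
    esac
    cmdfile=$(mktemp /tmp/softether-cmd.XXXXXX) || return 1
    chmod 600 "$cmdfile"
    build_commands "$ADMIN_PASSWORD" "$DDNS_HOST" "$@" > "$cmdfile"
    "$VPNCMD" "$SERVER" /SERVER /IN:"$cmdfile"
    status=$?
    rm -f "$cmdfile"
    return $status
}

if [ $# -ge 3 ]; then
    ADMIN_PASSWORD="$1"
    DDNS_HOST="$2"
    apply_commands "$@"
fi
```

Run it from the firewall console or an SSH session on the LAN side right after the first vpnserver start; the password only ever sits in a 0600 temp file that is removed when vpncmd returns, and the ListenerList output at the end shows exactly which ports remain open before you write the WAN rule for them.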

Firewall settings

Because the ISP blocks the default port 443, the firewall's web GUI port has to be moved to one that is reachable.

Go to System > Advanced, Admin Access tab, and change the TCP port. This example uses 5678.

To get past pfSense's DNS rebinding protection, also enter the DDNS name under Alternate Hostnames.

Go to Firewall > Rules, WAN tab, and add rules allowing ICMP echo (ping) and TCP port 5678. The ping rule is optional and only there to make testing easier. Be clear about what this does: it publishes the firewall's own web GUI on the Internet under a DDNS name. For anything other than a lab, keep the GUI off the WAN and reach it through the VPN tunnel you have just built, or at the very least restrict the rule's source to your admin addresses.

Opening https://pfwall.softether.net:5678 in a browser should now show the firewall's login page.

Detailed configuration of the individual SoftEther VPN functions is covered by other articles online and is not repeated here.
