Speed test: router set to send traffic over an IPsec VPN to a server and from there on to mainland China websites

This post was last edited by mikecheung on 2015-11-19 14:57

Tools:
A VPS with mainland China bandwidth (originally wanted to rent one in the mainland, but... real-name registration is required), running strongSwan as the IPsec server
UBNT EdgeRouter Lite, firmware v1.7 (no idea why, but it gets flaky after 296 routes; anyone have other recommendations?)
Mainland China IP ranges (http://www.parkansky.com/china.htm); heh, he uses them to block, I use them to route

VPN comparison: IPsec with HW acceleration generally does over 100Mb; OpenVPN is single-threaded with no HW acceleration, so for this kind of thing IPsec is much better... PPPoE actually works too, but... it's still better to have some encryption.

IPsec needs a VTI so you get an interface; only then can you set this many routes...

Rented a VPS with mainland bandwidth and set up VTI IPsec to the mainland. Note that the Guangzhou Telecom test to the mainland gets over 100Mb; tests to other parts of the mainland get roughly 32Mb (all in small b, but enough for watching shows).

*Explaining the screenshot: the Hong Kong traffic (4xx Mb) does not go through the VPS, it goes straight out via PCCW on my home 500 plan; it is only there to show that the route setup separates HK and mainland traffic.

Sharing the results for reference; when I have time I'll write up the config.

For watching TV?


Reply to 2# keis


    For now that's the only use I can think of; really I'm just bored and doing a lab, playing with a home-made reverse CDN


Reply to keis


    For now that's the only use I can think of; really I'm just bored and doing a lab, playing with a home-made reverse CDN ...
Posted by mikecheung on 2015-11-18 22:10


How much for a VPS with mainland bandwidth?


Reply to 4# mc16888


    1G RAM, 1 CPU, 118 a month


The settings are roughly like this... I disabled charon's automatic route adding and virtual IP and use my own leftupdown script instead. Spent a long time trying MTU values on the other interfaces. I won't go into the firewall side; anyone doing this will sort that out themselves. What I mainly want to share is the up/down script.

Also, the IPsec VTI needs a fixed IP typed into the router settings, i.e. if the IP changes you have to enter it again... Hopefully it can do dynamic IP later, but as long as you don't reboot the router it's fine. Not sure whether I masked too little... if I accidentally left my own IP in there, please go easy on me... My server hasn't had much hardening done... I don't know how.

strongSwan config

    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration

    config setup
        uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 0"

    conn %default
        right=%any
        ikelifetime=8h
        keylife=1h
        keyingtries=%forever
        keyexchange=ikev1
        ike=3des-sha1-modp2048
        esp=3des-sha1-modp2048
        authby=secret

    conn net-net
        # the up/down script below creates the VTI and the routes itself
        leftupdown=/usr/local/sbin/ipsec_updown_script.sh
        left=122.<local server ip>
        leftauth=secret
        # 0.0.0.0/0 on both sides: the VTI carries everything, routing decides what goes in
        leftsubnet=0.0.0.0/0
        keyexchange=ikev1
        type=tunnel
        right=%any
        rightsubnet=0.0.0.0/0
        rightauth=secret
        authby=secret
        auto=start
        # mark=100 must match the "key 100" given to the vti device
        mark=100
ipsec_updown_script.sh

    #!/bin/sh
    # strongSwan calls this with PLUTO_VERB, PLUTO_ME (our IP) and PLUTO_PEER (the router's IP) set

    case "${PLUTO_VERB}" in
        up-client)
            # VTI bound to the IPsec SA via mark/key 100 (same value as mark=100 in ipsec.conf)
            ip link add vti_0 type vti key 100 remote ${PLUTO_PEER} local ${PLUTO_ME}
            ip link set vti_0 up
            # server side 192.168.220.254, router side 192.168.220.1
            ip addr add 192.168.220.254/24 remote 192.168.220.1/24 dev vti_0
            # leave room for the ESP overhead inside the outer MTU
            ip link set vti_0 mtu 1436
            ip link set ip_vti0 mtu 1436
            # traffic arriving on the VTI has already been decapsulated; skip reverse-path and policy checks
            echo 0 > /proc/sys/net/ipv4/conf/vti_0/rp_filter
            echo 1 > /proc/sys/net/ipv4/conf/vti_0/disable_policy
            echo 1 > /proc/sys/net/ipv4/conf/ip_vti0/disable_xfrm
            echo 1 > /proc/sys/net/ipv4/conf/ip_vti0/disable_policy
            # return route for the home LAN back through the tunnel
            ip route add 172.16.0.0/16 via 192.168.220.254 dev vti_0 proto static
            ;;
        down-client)
            ip tunnel del vti_0
            ;;
    esac
UBNT VTI setup
https://help.ubnt.com/hc/en-us/a ... ample-on-EdgeRouter
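The routing half of the setup above is taking the mainland IP range list and turning every prefix into a static route that points at the VTI. Below is an added example of how to do that from a shell, not code from the original post or from the EdgeOS project. It assumes (hypothetically) a list with one "a.b.c.d/nn" per line, that the router's next hop for the tunnel is the server's VTI address 192.168.220.254 from the script above, and it uses a small constructed list as input. It drops malformed and duplicate entries and counts what is left, which matters given that the post found the EdgeRouter Lite getting flaky past 296 routes.

```shell
#!/bin/sh
# Added example (not from the original post): turn a China IP-range list into
# EdgeOS static routes pointing at the IPsec VTI.
# Assumptions (hypothetical): one "a.b.c.d/nn" per input line; the tunnel
# peer address used as next-hop is 192.168.220.254 (server-side VTI address).

# Keep only syntactically valid IPv4 CIDRs (octets <= 255, prefix <= 32),
# de-duplicated, one per line.
valid_cidrs() {
    awk '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
        split($0, p, /[.\/]/)
        ok = (p[5] + 0 <= 32)
        for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) ok = 0
        if (ok && !seen[$0]++) print $0
    }'
}

# Emit one EdgeOS configure-mode command per prefix.
emit_routes() {
    nexthop="$1"
    while IFS= read -r cidr; do
        printf 'set protocols static route %s next-hop %s\n' "$cidr" "$nexthop"
    done
}

# Number of routes that would be pushed; compare against what the router copes with.
count_routes() {
    wc -l | tr -d ' '
}

# Constructed sample input, not the real china.htm list: two bad entries
# (octet 300, prefix /33), one junk line and one duplicate.
SAMPLE_LIST='1.0.1.0/24
1.0.2.0/23
not an ip
1.0.1.0/24
300.1.1.0/24
14.0.0.0/8
1.2.3.0/33'

# Full pipeline over the sample: filter, then render EdgeOS commands.
routes_from_sample() {
    printf '%s\n' "$SAMPLE_LIST" | valid_cidrs | emit_routes 192.168.220.254
}

# Usage with a real file would be:  valid_cidrs < china.txt | emit_routes 192.168.220.254
routes_from_sample
```

Paste the output into EdgeOS `configure` mode followed by `commit`; running `valid_cidrs < list | count_routes` first tells you how many routes you are about to add.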


Reply to 5# mikecheung

Very cheap, no monthly bandwidth limitation ?  Can you pm me the VPS seller, Thanks.

I use a UBNT EdgeRouter Lite with fw 1.7 at home with policy-based routing to 3 different PPTP VPNs with around 200 IPs without problem. Are your 296 routes static routes or policy-based routes?


Reply to mc16888


    1G RAM, 1 CPU, 118 a month
Posted by mikecheung on 2015-11-18 23:54



    Can you PM me the VPS details?


mikecheung bro, got it, thanks.


Looking for the VPS seller too ~~~

Thanks OP ^_^!!
