Install SoftEther on CentOS 7, and connect to the VPN from desktop and mobile clients

1. Preparation.

1. Download the CentOS 7 minimal ISO:

http://mirrors.aliyun.com/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-2207-02.iso

If the network has no DHCP, set a static IP address during installation; this saves having to configure the address from the command line afterwards.

2. Use yum to install the build dependencies:

yum -y install wget gcc zlib-devel openssl-devel readline-devel ncurses-devel

2. Install SoftEther

It is recommended to log in to the host remotely with an SSH client such as SecureCRT or SSH Secure File Transfer Client and work from there, since these clients make copy and paste possible.

1. Download:
Open the SoftEther download site:

http://softether-download.com/cn.aspx

Look up the latest version and its download address, then fetch it with wget:

wget https://www.softether-download.com/files/softether/v4.41-9787-rtm-2023.03.14-tree/Linux/SoftEther_VPN_Server/64bit_-_ARM_64bit/softether-vpnserver-v4.41-9787-rtm-2023.03.14-linux-arm64-64bit.tar.gz

Make sure the archive matches the server's CPU architecture (check with uname -m): the link above is the ARM64 build, while the ISO from the preparation step is x86_64, so an Intel/AMD server needs the corresponding x64 Linux build from the same site.

2. Installation:

After downloading, extract the archive:

tar zxf softether-vpnserver-v4.41-9787-rtm-2023.03.14-linux-arm64-64bit.tar.gz

Enter the extracted directory:

cd vpnserver

You can list the files with ll. Build and install directly with make:

make

Accept the defaults (press Enter at the prompts) to complete the installation.

3. Start the server:

./vpnserver start

SoftEther VPN Server is now running.

4. Configuration:

Run vpncmd:

./vpncmd

This enters the SoftEther VPN configuration tool. Option 1 (manage VPN Server or VPN Bridge) is selected by default; type 1 and press Enter.
Press Enter at the remaining prompts to accept the defaults until you reach the VPN Server management prompt.
Enter ServerPasswordSet to set the SoftEther VPN administrator password; the password is case-sensitive:

ServerPasswordSet

5. Add SoftEther VPN Server to startup:

vi /etc/rc.d/rc.local

Press i or Insert to enter vi's insert mode and add "/root/vpnserver/vpnserver start" at the end of the file.

Press Esc to leave insert mode, then enter

:wq

to save and quit. On CentOS 7 the permissions of /etc/rc.d/rc.local were tightened and the file is no longer executable, so it will not run at boot until you add the execute permission:

chmod +x /etc/rc.d/rc.local
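As an added example (not from the original post), the following script performs this autostart step idempotently: it appends the start line to rc.local only if it is not already there, sets the execute bit, and then checks that both conditions hold. The install path /root/vpnserver is the one assumed throughout this post; the rc.local path is a parameter so the functions can be exercised against a copy before touching the real file.

```shell
#!/bin/sh
# Added example, not from the original post: register SoftEther VPN Server in
# rc.local exactly once and make rc.local executable (required on CentOS 7).
# /root/vpnserver is the install location assumed throughout this guide.
VPNSERVER_DIR="${VPNSERVER_DIR:-/root/vpnserver}"
START_LINE="$VPNSERVER_DIR/vpnserver start"

# add_vpnserver_autostart [rc_local_path]
# Appends the start line if it is absent (a second run adds nothing) and sets +x.
add_vpnserver_autostart() {
    rc_local="${1:-/etc/rc.d/rc.local}"
    [ -f "$rc_local" ] || { echo "$rc_local does not exist" >&2; return 1; }
    # -F fixed string, -x whole line, -q quiet: only an identical line matches
    if ! grep -Fxq "$START_LINE" "$rc_local"; then
        printf '%s\n' "$START_LINE" >> "$rc_local"
    fi
    chmod +x "$rc_local"
}

# check_vpnserver_autostart [rc_local_path]
# Returns 0 only if rc.local is executable and contains the start line exactly once.
check_vpnserver_autostart() {
    rc_local="${1:-/etc/rc.d/rc.local}"
    [ -x "$rc_local" ] || { echo "$rc_local is not executable" >&2; return 1; }
    count=$(grep -Fxc "$START_LINE" "$rc_local" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 start line, found $count" >&2; return 1; }
}

# Usage on the server, as root:
#   . ./vpn-autostart.sh && add_vpnserver_autostart && check_vpnserver_autostart
```

Running the add function twice leaves a single start line, which is the property the whole-line grep buys you over a plain `echo >> rc.local`.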

3. Firewall configuration

1. By default SoftEther listens on ports 445, 992, 1194 and 5555. First open port 5555 as the management port, so that the "SoftEther VPN Server Management Tool" on Windows can connect to this server through it.

Enter the command:

firewall-cmd --zone=public --add-port=5555/tcp --permanent

2. Reload the firewall configuration:

firewall-cmd --reload

You can now add and manage the server in the "SoftEther VPN Server Management Tool" on Windows. Set the connection parameters according to the actual IP address of the server.

Port 5555 is also the default listening port of the adb service on Android devices, and since many IoT devices are Android-based, anything listening on 5555 is continually hit by indiscriminate scans and exploitation attempts aimed at such devices. It is therefore recommended to move the SoftEther VPN Server management port elsewhere, for example 5500. Create listener port 5500 in the management tool, then open 5500 in the server firewall and close 5555:

firewall-cmd --zone=public --add-port=5500/tcp --permanent

firewall-cmd --zone=public --remove-port=5555/tcp --permanent

Reload the firewall configuration:

firewall-cmd --reload

In the SoftEther VPN Server Management Tool, reconfigure the connection to use the new port and log in to the server.

After logging in, delete listener port 5555.

4. Using SoftEther VPN to build a virtual private network in practice

Objective: remote networking in which every Windows terminal connected to SoftEther VPN can reach a financial software server and an ERP server (both running Windows Server) over the VPN, while the terminals' ordinary Internet traffic does not go through the VPN and continues to use the local network.

The point of this arrangement is that only traffic to the application servers that need to be reached goes through the VPN, rather than all network traffic.

0. Preparation.

First you need a public IP address as the server address, and you must forward the public address and port 5500 to the SoftEther VPN server host's IP and port. Taking RouterOS as an example:

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=5500 protocol=tcp dst-address=公网IP dst-port=5500

Here 公网IP ("public IP") is replaced with your public IP address, and 192.168.0.2 is the LAN address of the VPN server host.

1. SoftEther VPN Server configuration:

SoftEther VPN Server is based on the concept of a layer 3 switch and can host multiple independent virtual HUBs. By default the virtual HUBs do not communicate with each other and must be cascaded to do so; think of them as independent physical routers that have to be wired together, with the parent/child relationship strictly controlled, before they can talk.

A virtual HUB named DEFAULT already exists; double-click it to enter its configuration:

1) Plan the network and set up DHCP.

Plan the address range according to the number of terminals that need to connect. Here the network is sized for 1000 terminal connections as an example.
DHCP starts from .10, reserving the eight addresses below it as server IPs.

Note that the options pushed to clients (in particular the default gateway) should be left blank. A terminal connected to the VPN server then has no gateway on the VPN side, so it cannot reach the Internet through the VPN and keeps using its own local network for Internet access.
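To check an address plan like this one before typing it into the DHCP dialog, here is an added example (not from the original post) in POSIX shell. It works out the usable host count of a prefix, tests whether an address lies inside the HUB's network, and confirms that a server's static address sits inside the network but outside the DHCP pool, so the pool can never hand it to a terminal. The 192.168.100.0/22 network, the pool start of .10 and the server address 192.168.100.5 are the values used later in this post; the pool end 192.168.103.254 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the virtual HUB's
# address plan (a /22 for ~1000 terminals, DHCP pool from .10, servers given
# static addresses in the reserved range below the pool).

# ip2int 192.168.100.5 -> 3232261125 (dotted quad to integer)
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1                       # split the quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 3232261125 -> 192.168.100.5
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_hosts 22 -> 1022 usable addresses (network and broadcast excluded)
cidr_hosts() {
    echo $(( (1 << (32 - $1)) - 2 ))
}

# in_subnet ADDR NETWORK PREFIX: true if ADDR lies inside NETWORK/PREFIX
in_subnet() {
    mask=$(( 0xFFFFFFFF << (32 - $3) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# static_ok ADDR NETWORK PREFIX POOL_START POOL_END: true if a static server
# address is inside the subnet and outside the DHCP pool.
static_ok() {
    in_subnet "$1" "$2" "$3" || return 1
    n=$(ip2int "$1")
    [ "$n" -lt "$(ip2int "$4")" ] || [ "$n" -gt "$(ip2int "$5")" ]
}

# Values from this guide; the pool end is an assumed value.
NET=192.168.100.0; PREFIX=22
POOL_START=192.168.100.10; POOL_END=192.168.103.254   # pool end: assumption
SERVER_IP=192.168.100.5

# Usage: . ./plan-check.sh; cidr_hosts "$PREFIX"; static_ok "$SERVER_IP" "$NET" "$PREFIX" "$POOL_START" "$POOL_END" && echo "server address OK"
```

Addresses with leading zeros (for example 010) would be read as octal by the arithmetic expansion, so write octets in plain decimal.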

2) Create users:

SoftEther VPN Server supports login with OpenSSL self-signed certificates, but a username and password are more convenient. Users can also be grouped by unit, region or department for easier management.

2. Install the client software SoftEther VPN Client:

1) Install softether-vpnclient on the financial software server and the ERP server:

Download softether-vpnclient from the SoftEther official site and install and run it with the defaults.

https://www.softether-download.com/files/softether/v4.41-9787-rtm-2023.03.14-tree/Windows/SoftEther_VPN_Client/softether-vpnclient-v4.41-9787-rtm-2023.03.14-windows-x86_x64-intel.exe

After it starts, double-click "Create a new VPN connection" in the window; a virtual network adapter is installed first. When that is done, the VPN connection configuration window opens:
Fill in the host name with the public IP address, or a domain name that resolves to it.
Fill in 5500 as the port number.
For the virtual HUB name, select DEFAULT.
Fill in the account name and password on the left, then click OK.

Do not connect yet; first give the server a fixed IP address. In the virtual network adapter list at the bottom of the SoftEther VPN Client window, double-click the newly created VPN Client Adapter and set its IPv4 address to 192.168.100.5 with subnet mask 255.255.252.0.
Again, leave the gateway blank.
Now you can double-click "New VPN Connection" to connect to the VPN. Right-click "New VPN Connection" again and click "Connect at startup", so that the server reconnects to the VPN automatically every time it boots, without manual intervention.

2) Install SoftEther VPN Client on the other terminal computers and connect to the VPN

Installation and configuration are the same as above, except that no static IP address needs to be set. Once connected, a terminal can reach the server directly at the address it was given on the VPN network (for example 192.168.100.5) and log in.

3. Terminals connected to the VPN network access the Internet through the VPN server

Objective: remote networking in which the terminals and servers connected to the VPN are on the same network and the VPN server provides the Internet connection.

The point of this arrangement is that all terminal and server traffic goes through the VPN.

1) SoftEther VPN Server configuration

Set up as above, but add the gateway when configuring DHCP.

2) The installation and configuration of SoftEther VPN Client on the terminals is the same as above; no changes are required.

5. Connecting mobile phones to the SoftEther VPN network

This applies where the phone needs to reach servers inside the VPN network but does not need to use the VPN server for Internet access, that is, the gateway is left blank on the SoftEther VPN Server.

0. Preparation

First, enable the L2TP/IPsec function of SoftEther VPN Server and set the IPsec pre-shared key there. The phone configurations below use vpn as the key; that is SoftEther's default value, so choose your own and enter the same value on every phone.

Then open three UDP ports on the server: 1701 (L2TP), 4500 (IPsec) and 500 (IPsec):

firewall-cmd --zone=public --add-port=1701/udp --permanent

firewall-cmd --zone=public --add-port=4500/udp --permanent

firewall-cmd --zone=public --add-port=500/udp --permanent

And reload the firewall:

firewall-cmd --reload

You also need to forward the public address and these three UDP ports to the server, in the same RouterOS section as before:

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=1701 protocol=udp dst-address=公网IP dst-port=1701
add chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=4500 protocol=udp dst-address=公网IP dst-port=4500
add chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=500 protocol=udp dst-address=公网IP dst-port=500
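After several rounds of adding and removing ports (the 5555 to 5500 change in the firewall section and the three UDP ports here) it is easy to leave the old management port open. The following added example (not from the original post) audits the port list printed by firewall-cmd against the set this guide ends up with: 5500/tcp plus the L2TP/IPsec UDP ports must be open, and 5555/tcp must not be. The sample port list in the block is constructed to show a failing audit; on the server you pass the real output of firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the original post: audit firewalld's public zone
# against the ports this guide intends to expose.
#
# audit_ports OPEN REQUIRED FORBIDDEN
#   OPEN      space-separated list as printed by `firewall-cmd --zone=public --list-ports`
#   REQUIRED  ports that must be present
#   FORBIDDEN ports that must be absent
# Prints one line per problem and returns 0 only when the zone is as intended.
audit_ports() {
    open="$1"; required="$2"; forbidden="$3"
    status=0
    for p in $required; do
        case " $open " in
            *" $p "*) ;;
            *) echo "MISSING  $p (should be open)"; status=1 ;;
        esac
    done
    for p in $forbidden; do
        case " $open " in
            *" $p "*) echo "EXPOSED  $p (should be closed)"; status=1 ;;
        esac
    done
    return $status
}

# The set this guide ends with: management moved to 5500/tcp, L2TP/IPsec on UDP.
REQUIRED_PORTS="5500/tcp 1701/udp 4500/udp 500/udp"
FORBIDDEN_PORTS="5555/tcp"

# Constructed sample standing in for firewall-cmd output: 5555/tcp was never removed.
SAMPLE_OPEN="5500/tcp 5555/tcp 1701/udp 4500/udp 500/udp"

# On the server (after firewall-cmd --reload, since --permanent changes are not live until then):
#   audit_ports "$(firewall-cmd --zone=public --list-ports)" "$REQUIRED_PORTS" "$FORBIDDEN_PORTS"
# Add --permanent to the firewall-cmd call to audit the saved configuration instead of the runtime one.
```

Run it once against the runtime configuration and once against the permanent one; a port that is closed at runtime but still present in the permanent configuration comes back at the next reload.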

The steps differ by phone operating system and version:

1. VPN connection using the L2TP protocol.

Applies to iPhones and to Android phones running Android 10 or below.

Taking a Huawei phone as an example:

Open Settings and search for VPN.

Add a VPN network:
Fill in any name (VPN is used here), select L2TP/IPSec PSK as the type, fill in the server address, enter vpn as the IPSec pre-shared key, and show the advanced settings.
Under forwarding routes, fill in 192.168.100.0/22, so that any server in the network defined by this prefix can be reached.
Return to the VPN screen, enter the account name and password, select Save account information, and connect to the VPN network.

Taking an iPhone as an example:
Likewise search for VPN in Settings.

Select L2TP as the type, enter any description (VPN here), and fill in your own server address. Fill in the account name and password, enter vpn as the secret (it is case-sensitive), and turn off Send All Traffic.
Finally, tap to connect to the VPN.

2. Android versions above 10 have removed the L2TP VPN connection type.

Instead, the third-party app VPN Client Pro can be used for a VPN connection over the SSTP protocol, which works on all Android phones.

https://pan.baidu.com/s/1YoIhBDaYOI9tGYiy2knrGg?pwd=gdhz Extraction code: gdhz

After downloading, install it and configure it as follows:

1. Tap the "+" icon in the lower right corner of the app.
2. Tap "New SSTP VPN Configuration File".
3. Enter a custom name; VPN is used here.
4. Tap Remote server.
5. Tap the "+" button in the lower right corner to add a new server entry. Fill in your server address and port as the remote server host and port.
6. Return to the previous configuration screen.
7. Tap Authentication method.
8. Select "Save Account and Password".
9. Enter the account name and password. The account and password were sent to each person by OA mail.
10. Return to the previous configuration screen.
11. Tap "IPv4 Routing".
12. Deselect "Redirect Gateway".
13. Tap the "+" icon in the lower right corner to add a route.
14. Fill in the VPN network address of the application server as the destination, for example "192.168.100.5", and "255.255.252.0" as the mask.
15. Finally, tap OK to save.
If several application servers in the VPN network need to be reached, add a route entry for each of them here.
16. Back on the configuration page, tap the save button in the upper right corner.
17. Tap the "<–" return icon in the upper left corner.
18. Tap the connect button. Connection succeeded! Note that the first connection shows an authentication prompt; just accept it, and it will not appear again.

3. Making the phone use the Internet through the VPN network.

First, the gateway must be filled in on the VPN server.

1) On an Android phone using the L2TP mode of the built-in VPN function, simply leave the forwarding routes blank.

2) On an iPhone, select Send All Traffic.

3) In VPN Client Pro, select Redirect Gateway (use the server's gateway) and do not add any IPv4 route.

6. Cascading multiple virtual HUBs

With only one virtual HUB, terminals may have difficulty connecting to the VPN depending on the performance of the server host. Multiple virtual HUBs can be created and cascaded, with accounts and passwords created according to the unit, department or region a terminal belongs to, and each terminal required to connect to its designated virtual HUB.

1. Create multiple virtual HUBs

Create the virtual HUBs and create accounts and passwords in each of them. Accounts can only be created for terminals within the scope that the virtual HUB's name covers. The advantage is that accounts from one virtual HUB cannot log in to another, so the separation is enforced.

Note that you only need to create accounts and passwords in the newly created virtual HUBs; there is no need to enable virtual DHCP in each of them, because once they are cascaded the DHCP of the root HUB assigns terminal IP addresses for all of them.

2. Cascade connection.

First create an account and password for the cascade connection in each virtual HUB, then choose one virtual HUB as the root HUB. Here the default virtual HUB DEFAULT is used as the root.
Note that the parent/child relationship must be strictly controlled to avoid loops.
Following the illustration, add all newly created virtual HUBs to the DEFAULT root HUB.

3. The terminal connects by selecting the designated virtual HUB name.

Virtual HUB cascading is not limited to virtual HUBs on the same VPN server; it also works between virtual HUBs on different VPN servers. This solves the problem of adding more VPN server hosts when a single host does not have enough capacity.

For example, my current VPN server topology is:

If you have any questions, you can leave a message. If I understand them, I will definitely help. But, I have only just started using this software, so please point out any mistakes in the text. Thank you~~~

========================================================

Attached are commonly used firewalld commands for Linux:

1. Commands to view the firewall status

1) Check the version of the firewall

firewall-cmd --version

2) View the status of the firewall

firewall-cmd --state

3) View firewall service status

systemctl status firewalld

4) View all information about the firewall

firewall-cmd --list-all

5) Check the opened ports of the firewall

firewall-cmd --list-port

6) Check the services enabled by the firewall

firewall-cmd --list-service

7) View all service lists

firewall-cmd --get-services

8) Check whether the firewall service is started

systemctl is-enabled firewalld

2. Commands to configure the firewall

1) Start, restart, and close the firewall service

Start

systemctl start firewalld

Restart

systemctl restart firewalld

Stop

systemctl stop firewalld

Check status

systemctl status firewalld

2) Open and remove a certain port

Open port 80

firewall-cmd --zone=public --add-port=80/tcp --permanent

remove port 80

firewall-cmd --zone=public --remove-port=80/tcp --permanent

3) Open and remove range ports

Open ports between 5000-5500

firewall-cmd --zone=public --add-port=5000-5500/tcp --permanent

Remove ports between 5000-5500

firewall-cmd --zone=public --remove-port=5000-5500/tcp --permanent

4) Open and remove services

open ftp service

firewall-cmd --zone=public --add-service=ftp --permanent

Remove the ftp service

firewall-cmd --zone=public --remove-service=ftp --permanent

5) Reload the firewall configuration (reload the firewall configuration or restart the firewall service after modifying the configuration)

firewall-cmd --reload

6) Enable or disable the firewall service when starting up

enable service

systemctl enable firewalld

disable service

systemctl disable firewalld

Origin: blog.csdn.net/yzqeantcc/article/details/130424749