前提:路由器可以通过大机场正常上网
在 OpenWrt 上部署 strongSwan + FreeRADIUS + Let's Encrypt 证书,实现手机在外面用 Android/iOS 内置的 IKEv2 VPN 拨号回家科学上网,这样每台路由器分出十个账号也毫无压力。
strongswan 相关配置:
# swanctl.conf connection for dial-in clients: the gateway authenticates with a
# certificate, clients authenticate with EAP that is relayed to a RADIUS server.
connections {
    xyzvpn {
        # Listen on any local address and accept clients from any address.
        local_addrs = %any
        remote_addrs = %any
        # NOTE(review): vips requests a virtual IP when this side initiates; clients
        # dialing in are served from the pool named in `pools` - confirm this is needed.
        vips = 0.0.0.0
        fragmentation = yes
        pools = ipv4addr
        # Send the gateway certificate even when the client sends no certificate request.
        send_cert = always
        # No uniqueness policy: one account may hold any number of concurrent sessions,
        # so a leaked password can be used in parallel without displacing its owner.
        # NOTE(review): `unique = replace` limits an identity to one session if
        # accounts are meant to be per device - confirm the intent.
        unique = never
        local {
            auth = pubkey
            # Should match a subjectAltName of the certificate below, since clients
            # check the server name against it.
            id = "xyz.yourdomain.cn"
            certs = xyz.yourdomain.cn.cer
        }
        remote {
            # Alternative kept for reference: EAP-MSCHAPv2 handled locally, without RADIUS.
            #auth = eap-mschapv2
            # EAP is relayed to a RADIUS server; its address and shared secret belong to
            # the eap-radius plugin settings, which this snippet does not show.
            auth = eap-radius
            # Ask the client for an EAP identity and accept any value; the RADIUS
            # backend decides which accounts may log in.
            eap_id=%any
        }
        children {
            sstun {
                # Full tunnel: all client IPv4 traffic is routed through the gateway.
                local_ts = 0.0.0.0/0
                # Client side: its assigned virtual IP plus multicast groups (all-hosts,
                # IGMPv3, mDNS, LLMNR, SSDP). NOTE(review): presumably for LAN discovery
                # over the VPN; drop the groups remote clients do not need, as each one
                # widens what a dial-in client can see and answer.
                remote_ts = dynamic,224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
                # XFRM interface ID for both directions; an interface with this if_id must
                # exist - presumably created by the updown script, which is not shown.
                if_id_in = 666
                if_id_out = 666
                # NOTE(review): AES-256-CBC with HMAC-SHA1 and no DH group, so CHILD_SA
                # rekeys run no fresh key exchange (no PFS). Consider aes256gcm16 or
                # aes256-sha256 plus a DH group once client support is confirmed.
                esp_proposals = aes256-sha1
                mode = tunnel
                # Rekey the CHILD_SA after about 1h; hard expiry at 66m if rekeying fails.
                life_time = 66m
                rekey_time = 1h
                # On a DPD timeout the CHILD_SA is closed. NOTE(review): no dpd_delay is set
                # in this connection, so active liveness probes appear to be off and dead
                # sessions may hold pool addresses until the lifetimes expire - verify.
                dpd_action = clear
                hw_offload = auto
                # Runs on CHILD_SA up/down with the daemon's privileges. Keep the script
                # owned by root and not writable by others, and quote any PLUTO_*
                # variables it reads, since some of them carry client-supplied values.
                updown = sh /etc/config/updown.sh
            }
        }
        # IKEv2 only.
        version = 2
        mobike = yes
        # Rekey the IKE_SA after 6h; over_time is the extra margin before it is torn
        # down if rekeying does not complete.
        rekey_time = 6h
        over_time = 36m
        # NOTE(review): modp1024 (DH group 2) is a 1024-bit group that RFC 8247 marks
        # SHOULD NOT. If every client supports it, prefer
        # aes256gcm16-sha256-modp2048 or an ECP group such as ecp256. With an AEAD
        # cipher the sha256 keyword presumably only supplies the PRF.
        proposals = aes256gcm16-sha256-modp1024
        keyingtries = 3
    }
}
# Virtual-IP pool referenced by `pools = ipv4addr` in the connection.
pools {
    ipv4addr {
        # A /27 covers 192.168.8.32-192.168.8.63, so only about 30 leases exist;
        # sessions that are never cleaned up can exhaust it.
        addrs = 192.168.8.32/27
        # DNS server pushed to clients. NOTE(review): 192.168.88.1 is outside the
        # pool's 192.168.8.x range - confirm it is intentional and reachable
        # through the tunnel, otherwise client lookups fail or leak elsewhere.
        dns = 192.168.88.1
    }
}
在 FreeRADIUS 上可以配置用户及密码,还可以按需进行流量统计。
|