install
source · Clone the upstream repo
# Clone the upstream repository into ./terminal-skills (the directory git
# would pick by default, named after the repo).
git clone https://github.com/chaterm/terminal-skills terminal-skills
Claude Code · Install into ~/.claude/skills/
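# Install the network/vpn skill from the upstream repo into ~/.claude/skills/.
#
# Runs in a subshell so that the temporary clone is removed on every exit
# path (the plain `&&` chain left it behind whenever clone or cp failed),
# and copies the directory *contents* so that re-running refreshes the files
# instead of nesting a second vpn/ inside an existing destination.
# This installs whatever the upstream default branch holds at the time;
# inspect the clone (or check out a reviewed revision) before copying if
# that matters to you.
(
  set -e
  T=$(mktemp -d)
  trap 'rm -rf -- "$T"' EXIT
  git clone --depth=1 https://github.com/chaterm/terminal-skills "$T"
  mkdir -p ~/.claude/skills/chaterm-terminal-skills-vpn
  cp -r "$T/network/vpn/." ~/.claude/skills/chaterm-terminal-skills-vpn
)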
manifest:
network/vpn/SKILL.md
VPN 配置与管理
概述
OpenVPN、WireGuard、IPSec VPN 配置与管理技能。
WireGuard
安装
# Debian/Ubuntu
apt install wireguard
# CentOS/RHEL: kmod-wireguard from ELRepo is only needed on kernels that do
# not ship the in-tree module; on newer kernels wireguard-tools alone is
# typically enough.
yum install epel-release elrepo-release
yum install kmod-wireguard wireguard-tools
# Verify the installation
wg --version
生成密钥
# Generate a private key. The file is created with the current umask, so
# run `umask 077` first to keep it unreadable by other users.
wg genkey > privatekey
# Derive the public key from the private key
wg pubkey < privatekey > publickey
# Both in one step
wg genkey | tee privatekey | wg pubkey > publickey
# Generate a pre-shared key (optional, extra security: a symmetric secret
# layered on top of the key exchange; the same value goes on both peers)
wg genpsk > presharedkey
服务端配置
# /etc/wireguard/wg0.conf (server)
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>
# Permit forwarded traffic from wg0 and NAT it out through the uplink
# interface (eth0 is assumed here - change it to the real WAN interface).
# These rules do NOT turn on kernel forwarding itself: net.ipv4.ip_forward=1
# must be set separately via sysctl, otherwise clients get no internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# One [Peer] section per client. AllowedIPs is the only source address the
# client may use inside the tunnel, so keep it a single /32 per client.
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
客户端配置
# /etc/wireguard/wg0.conf (client)
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client_private_key>
# On Linux wg-quick applies DNS= through resolvconf/openresolv, which must
# be installed for this line to work.
DNS = 8.8.8.8
[Peer]
PublicKey = <server_public_key>
Endpoint = server.example.com:51820
# Full tunnel for IPv4 only. Add ::/0 as well if IPv6 traffic must not
# bypass the VPN.
AllowedIPs = 0.0.0.0/0
# Periodic keepalive so the NAT mapping stays open for the server's replies
PersistentKeepalive = 25
管理命令
# Start (directly with wg-quick, or via the systemd unit)
wg-quick up wg0
systemctl start wg-quick@wg0
# Stop
wg-quick down wg0
systemctl stop wg-quick@wg0
# Start on boot
systemctl enable wg-quick@wg0
# Show status (all interfaces / a single interface)
wg show
wg show wg0
# Add a peer at runtime. This changes the live interface only; it is not
# written back to wg0.conf unless you save it (e.g. `wg-quick save wg0`),
# so it is lost on the next restart.
wg set wg0 peer <public_key> allowed-ips 10.0.0.3/32
OpenVPN
安装
# Debian/Ubuntu
apt install openvpn easy-rsa
# CentOS/RHEL (openvpn and easy-rsa come from EPEL)
yum install epel-release
yum install openvpn easy-rsa
初始化 PKI
# Create the CA working directory. make-cadir is the Debian/Ubuntu easy-rsa
# helper; on other distros copy the easy-rsa scripts (typically from
# /usr/share/easy-rsa) into a working directory instead.
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
# Initialise the PKI
./easyrsa init-pki
# Create the CA. `nopass` leaves the CA private key unencrypted on disk;
# keep this directory off the VPN server, or drop `nopass` to protect it.
./easyrsa build-ca nopass
# Server certificate: request, then sign with the "server" type
./easyrsa gen-req server nopass
./easyrsa sign-req server server
# Diffie-Hellman parameters (slow to generate)
./easyrsa gen-dh
# Static key for tls-auth (OpenVPN 2.5+ syntax; older releases use
# `openvpn --genkey --secret ta.key`)
openvpn --genkey secret ta.key
# Client certificate (one per client; `nopass` means the client key has no
# passphrase, so the resulting .ovpn must be distributed carefully)
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
服务端配置
# /etc/openvpn/server.conf
port 1194
proto udp
dev tun
# Certificate/key paths are resolved relative to the directory OpenVPN runs
# from (typically /etc/openvpn for the openvpn@server unit); copy ca.crt,
# server.crt, server.key, dh.pem and ta.key from the easy-rsa output there.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC on the TLS control channel; the server uses direction 0, clients 1.
# tls-crypt is the newer alternative that also encrypts the control channel.
tls-auth ta.key 0
# NOTE: revoking a client with `easyrsa revoke` + `gen-crl` has no effect
# until the CRL is loaded here, e.g. `crl-verify crl.pem`.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Full tunnel: route all client traffic through the VPN and push resolvers
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# AES-GCM is an AEAD cipher, so `auth` only covers the tls-auth HMAC here.
# OpenVPN 2.5+ negotiates the data cipher via data-ciphers; `cipher` is kept
# for older clients.
cipher AES-256-GCM
auth SHA256
# Drop privileges after start-up (the group is `nobody` on RHEL-family
# systems, which have no `nogroup`)
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
客户端配置
# client.ovpn
client
dev tun
proto udp
remote server.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Paths are relative to the directory the client runs from; the cert and
# key can also be embedded inline for a single-file profile.
ca ca.crt
cert client1.crt
key client1.key
# Direction 1 on the client side (the server uses 0)
tls-auth ta.key 1
# Add `remote-cert-tls server` so the client only accepts a peer whose
# certificate was signed as a server; without it any client certificate
# issued by the same CA could impersonate the server.
cipher AES-256-GCM
auth SHA256
verb 3
管理命令
# Start the "server" instance (reads /etc/openvpn/server.conf) and enable
# it at boot
systemctl start openvpn@server
systemctl enable openvpn@server
# Service status
systemctl status openvpn@server
# Currently connected clients (file written by the `status` directive)
cat /var/log/openvpn-status.log
# Revoke a client certificate and regenerate the CRL. The resulting
# pki/crl.pem must be copied to the server and referenced by `crl-verify`
# in server.conf, otherwise the revoked client can still connect.
cd ~/openvpn-ca
./easyrsa revoke client1
./easyrsa gen-crl
IPSec (strongSwan)
安装
# Debian/Ubuntu (strongswan-pki provides the `ipsec pki` tool used below)
apt install strongswan strongswan-pki
# CentOS/RHEL
yum install strongswan
生成证书
# Create the CA. Lifetimes are in days. ca-key.pem is written unencrypted
# with the current umask: restrict its permissions and keep it off the
# VPN host once the certificates are issued.
ipsec pki --gen --type rsa --size 4096 --outform pem > ca-key.pem
ipsec pki --self --ca --lifetime 3650 \
  --in ca-key.pem --type rsa \
  --dn "CN=VPN CA" \
  --outform pem > ca-cert.pem
# Create the server certificate. The --san value must match the hostname
# clients connect to and the leftid in ipsec.conf; the ikeIntermediate
# flag was historically required by some Apple clients.
ipsec pki --gen --type rsa --size 4096 --outform pem > server-key.pem
ipsec pki --pub --in server-key.pem --type rsa | \
  ipsec pki --issue --lifetime 1825 \
  --cacert ca-cert.pem --cakey ca-key.pem \
  --dn "CN=vpn.example.com" \
  --san vpn.example.com \
  --flag serverAuth --flag ikeIntermediate \
  --outform pem > server-cert.pem
服务端配置
# /etc/ipsec.conf
config setup
    # Verbose charon logging for bring-up/debugging; lower it in production
    charondebug="ike 2, knl 2, cfg 2"
    # Allow one identity to hold several concurrent connections
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    # Local (server) side. leftcert is looked up under /etc/ipsec.d/certs
    # by default; leftid must match the server certificate's SAN.
    left=%any
    leftid=@vpn.example.com
    leftcert=server-cert.pem
    leftsendcert=always
    # Full tunnel: all client traffic is routed through the VPN
    leftsubnet=0.0.0.0/0
    # Remote (client) side: username/password via EAP-MSCHAPv2, credentials
    # taken from ipsec.secrets; clients are assigned addresses from this pool.
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
用户配置
# /etc/ipsec.secrets
# Passwords are stored in clear text, so this file must be readable by root
# only. The RSA key is looked up under /etc/ipsec.d/private by default.
# Replace the placeholder passwords before use.
: RSA "server-key.pem"
user1 : EAP "password1"
user2 : EAP "password2"
管理命令
# Start the daemon and enable it at boot
systemctl start strongswan
systemctl enable strongswan
# Reload ipsec.conf / re-read ipsec.secrets and certificates without
# tearing down established tunnels
ipsec reload
ipsec rereadall
# Status (detailed / short)
ipsec statusall
ipsec status
# List loaded certificates, keys and related material
ipsec listall
常见场景
场景 1:WireGuard 站点到站点
# Site A configuration
[Interface]
Address = 10.0.0.1/24
PrivateKey = <site_a_private>
ListenPort = 51820
[Peer]
PublicKey = <site_b_public>
Endpoint = site-b.example.com:51820
# Tunnel address of site B plus the LAN behind it (wg-quick adds the
# routes). Forwarding must be enabled on both gateways
# (net.ipv4.ip_forward=1 and a FORWARD rule), and the LAN hosts need a
# route to the remote LAN via their gateway.
AllowedIPs = 10.0.0.2/32, 192.168.2.0/24
# Site B configuration (mirror image of site A)
[Interface]
Address = 10.0.0.2/24
PrivateKey = <site_b_private>
ListenPort = 51820
[Peer]
PublicKey = <site_a_public>
Endpoint = site-a.example.com:51820
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24
场景 2:分流配置
# WireGuard: only route the listed networks through the tunnel.
# Everything else (including DNS, unless DNS= points into the tunnel)
# keeps using the normal uplink.
[Peer]
PublicKey = <server_public_key>
Endpoint = server.example.com:51820
AllowedIPs = 10.0.0.0/24, 192.168.100.0/24
场景 3:多用户管理脚本
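#!/bin/bash
# add-wg-client.sh - generate a WireGuard key pair and client config for one
# user, and print the [Peer] stanza to add to the server configuration.
#
# Usage: add-wg-client.sh <client_name> <host_number>
#   client_name  prefix for the output files (<name>_private, <name>_public,
#                <name>.conf); letters, digits, '_', '-' and '.' only
#   host_number  last octet of the client's tunnel address (10.0.0.N)
#
# Exits non-zero on missing/invalid arguments, if an output file already
# exists, or if any command in the generation pipeline fails.
set -euo pipefail

CLIENT_NAME=${1:?usage: add-wg-client.sh <client_name> <host_number>}
HOST_NUM=${2:?usage: add-wg-client.sh <client_name> <host_number>}
SERVER_PUBLIC_KEY="<server_public_key>"
SERVER_ENDPOINT="vpn.example.com:51820"

# Reject names that could point outside the working directory (e.g. "../x")
# or break the generated config.
if ! [[ "$CLIENT_NAME" =~ ^[A-Za-z0-9_.-]+$ ]]; then
  printf 'invalid client name: %s\n' "$CLIENT_NAME" >&2
  exit 1
fi
# Host number must be a usable address in 10.0.0.0/24 (.1 is the server).
# 10# forces decimal so a leading zero is not read as octal.
if ! [[ "$HOST_NUM" =~ ^[0-9]+$ ]] || (( 10#$HOST_NUM < 2 || 10#$HOST_NUM > 254 )); then
  printf 'invalid host number: %s\n' "$HOST_NUM" >&2
  exit 1
fi
# Never silently overwrite an existing client's key material.
for out in "${CLIENT_NAME}_private" "${CLIENT_NAME}_public" "${CLIENT_NAME}.conf"; do
  if [[ -e "$out" ]]; then
    printf 'refusing to overwrite existing file: %s\n' "$out" >&2
    exit 1
  fi
done

# The private key, and the .conf that embeds it, must not be world-readable.
umask 077

# Generate the key pair
wg genkey | tee "${CLIENT_NAME}_private" | wg pubkey > "${CLIENT_NAME}_public"

# Write the client configuration
cat > "${CLIENT_NAME}.conf" << EOF
[Interface]
PrivateKey = $(cat "${CLIENT_NAME}_private")
Address = 10.0.0.${HOST_NUM}/24
DNS = 8.8.8.8

[Peer]
PublicKey = ${SERVER_PUBLIC_KEY}
Endpoint = ${SERVER_ENDPOINT}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF

# Peer stanza for the server side (only the public key leaves this host)
echo "添加到服务器:"
echo "[Peer]"
echo "PublicKey = $(cat "${CLIENT_NAME}_public")"
echo "AllowedIPs = 10.0.0.${HOST_NUM}/32"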
故障排查
| 问题 | 排查方法 |
|---|---|
| 连接失败 | 检查防火墙、端口、密钥配置 |
| 握手失败 | 检查公钥配置、时间同步 |
| 无法访问内网 | 检查 AllowedIPs、路由、IP 转发 |
| 性能差 | 检查 MTU、加密算法 |
# WireGuard debugging: handshake times/transfer counters, kernel messages,
# and whether UDP packets actually arrive on the listen port
wg show
dmesg | grep wireguard
tcpdump -i any port 51820
# OpenVPN debugging
tail -f /var/log/openvpn.log
tcpdump -i any port 1194
# IPSec debugging
ipsec statusall
journalctl -u strongswan -f
# Check IP forwarding (0 = disabled). The sysctl assignment only lasts until
# reboot; persist it with a drop-in file under /etc/sysctl.d/.
cat /proc/sys/net/ipv4/ip_forward
sysctl net.ipv4.ip_forward=1