Why SSTP
A few days ago PPTP was still working fine; in the last few days it suddenly started being interfered with, with 2%-10% packet loss on the connection (pingtest.net). I tested the various protocols from a PC and only SSTP still seemed usable. Possible reasons:
1) port 443 is currently scanned less
2) the SSTP protocol uses a random port for each connection
OpenWrt has a ready-made package:
https://github.com/openwrt/packages/blob/master/net/sstp-client/Makefile
Usage reference:
https://github.com/reliablehosting/sstp-client/blob/master/USING
In short, there are two ways to use it:
1)
pppd call <provider> \
pty "/usr/sbin/sstpc [<sstp-opts>] server --nolaunchpppd"
sstpc acts as pppd's plugin: pppd starts sstpc on a pty and the sstp-pppd-plugin talks to it over a Unix socket.
2)
sstpc --user <DOMAIN\\USER> --password <PASS> [<sstp-opts>] server \
call <provider>
the reverse: sstpc starts pppd itself, handing it the options that follow the server name.
Debugging process
No auth is possible
pppd debug call test pty "/usr/bin/sstpc --cert-warn --password ***** --user ******@gmail.com --log-level 5 --log-stdout JP2.ASTRILL.NET --nolaunchpppd"
Thu Nov 27 11:23:18 2014 daemon.info pppd[7096]: Using interface ppp0
Thu Nov 27 11:23:18 2014 daemon.notice pppd[7096]: Connect: ppp0 <--> /dev/pts/1
Thu Nov 27 11:23:19 2014 daemon.debug pppd[7096]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xa9b7c3de>]
Thu Nov 27 11:23:19 2014 daemon.debug pppd[7096]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x2951636d> <mru 1400>]
Thu Nov 27 11:23:19 2014 daemon.debug pppd[7096]: No auth is possible
Thu Nov 27 11:23:19 2014 daemon.debug pppd[7096]: sent [LCP ConfRej id=0x1 <auth chap MS-v2>]
Thu Nov 27 11:23:19 2014 daemon.debug pppd[7096]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
Thu Nov 27 11:23:19 2014 daemon.debug pppd[7096]: sent [LCP ConfReq id=0x2 <magic 0xa9b7c3de>]
Thu Nov 27 11:23:19 2014 daemon.debug pppd[7096]: rcvd [LCP ConfReq id=0x2 <auth chap MS> <magic 0x2951636d> <mru 1400>]
Thu Nov 27 11:23:19 2014 daemon.debug pppd[7096]: No auth is possible
Thu Nov 27 11:23:19 2014 daemon.debug pppd[7096]: sent [LCP ConfRej id=0x2 <auth chap MS>]
Thu Nov 27 11:23:19 2014 daemon.debug pppd[7096]: rcvd [LCP ConfAck id=0x2 <magic 0xa9b7c3de>]
Thu Nov 27 11:23:20 2014 daemon.debug pppd[7096]: rcvd [LCP ConfReq id=0x3 <auth chap MD5> <magic 0x2951636d> <mru 1400>]
Thu Nov 27 11:23:20 2014 daemon.debug pppd[7096]: No auth is possible
Thu Nov 27 11:23:20 2014 daemon.debug pppd[7096]: sent [LCP ConfRej id=0x3 <auth chap MD5>]
Thu Nov 27 11:23:20 2014 daemon.debug pppd[7096]: rcvd [LCP ConfReq id=0x4 <auth pap> <magic 0x2951636d> <mru 1400>]
Thu Nov 27 11:23:20 2014 daemon.debug pppd[7096]: No auth is possible
Thu Nov 27 11:23:20 2014 daemon.debug pppd[7096]: sent [LCP ConfRej id=0x4 <auth pap>]
Thu Nov 27 11:23:20 2014 daemon.debug pppd[7096]: rcvd [LCP ConfReq id=0x5 <auth pap> <magic 0x2951636d> <mru 1400>]
Thu Nov 27 11:23:20 2014 daemon.debug pppd[7096]: No auth is possible
Thu Nov 27 11:23:20 2014 daemon.debug pppd[7096]: sent [LCP ConfRej id=0x5 <auth pap>]
Thu Nov 27 11:23:20 2014 daemon.debug pppd[7096]: Script /usr/bin/sstpc --cert-warn --password ***** --user ******@gmail.com --log-level 5 --log-stdout JP2.ASTRILL.NET --nolaunchpppd finished (pid 7097), status = 0xff
Thu Nov 27 11:23:20 2014 daemon.notice pppd[7096]: Modem hangup
Thu Nov 27 11:23:20 2014 daemon.notice pppd[7096]: Connection terminated.
pppd logs "No auth is possible" when the peer asks it to authenticate with a protocol (here MS-CHAPv2, then MS-CHAP, CHAP-MD5 and PAP in turn) for which it has no usable secret, so it rejects each one and the server eventually drops the link. With --nolaunchpppd the --user/--password given to sstpc are not passed on to pppd: pppd needs its own user option plus a matching entry in /etc/ppp/chap-secrets (or a password option).
Related files:
Could not connect to sstp-client
Thu Nov 27 13:56:59 2014 local0.notice sstpc[5464]: Started PPP Link Negotiation
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x49740392> <mru 1400>]
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic 0x49740392> <mru 1400>]
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: sent [LCP ConfReq id=0x2 <magic 0xc317a8a6>]
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: rcvd [LCP ConfAck id=0x2 <magic 0xc317a8a6>]
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: sent [LCP EchoReq id=0x0 magic=0xc317a8a6]
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: rcvd [CHAP Challenge id=0x1 <869c3c44f1ac7bbec2cd46834b6ad3ba>, name = ""]
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: added response cache entry 0
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: sent [CHAP Response id=0x1 <0744f3fcfb016cddab1a9d0464f8d60e0000000000000000fd498b6fa3cf9a7999b8846544b2ac6bcbd95a985e71ec8c00>, name = "******@gmail.com"]
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: sstp_snoop_send: mppe keys are set
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: sstp_snoop_send: The mppe send key: 42d2dd5bb0bb007cf00de6fd973928eb
Thu Nov 27 13:56:59 2014 daemon.debug pppd[5460]: sstp_snoop_send: The mppe recv key: 0344b3273162a28523aebfd54d4fac81
Thu Nov 27 13:56:59 2014 daemon.err pppd[5460]: Could not connect to sstp-client (/var/run/sstpc/sstpc-uds-sock), Connection refused (111)
Thu Nov 27 13:56:59 2014 daemon.info pppd[5460]: Exit.
Thu Nov 27 13:56:59 2014 local0.debug sstpc[5464]: PPPd terminated
Thu Nov 27 13:56:59 2014 local0.notice sstpc[5464]: SSTP session was established for 0 seconds
Thu Nov 27 13:56:59 2014 local0.notice sstpc[5464]: Received 80 bytes, sent 89 bytes
Tracing into the source (sstp-event.c) shows what is going on: this is ordinary Linux Unix-domain socket IPC between sstpc and the pppd plugin, and the path is a named socket. If --ipparam is given, sstpc creates sstpc-$ipparam; otherwise it creates sstpc-uds-sock. So when ipparam is specified, the sstp-sock line in the peer file must be /var/run/sstpc/sstpc-$ipparam, otherwise the plugin looks for sstpc at the wrong path and never reaches it.
/etc/ppp/chap-secrets has world and/or group access
Thu Nov 27 11:41:36 2014 daemon.warn pppd[7144]: Warning - secret file /etc/ppp/chap-secrets has world and/or group access
The warning means the secrets file is readable by other users or groups, which is a security risk (anyone with a local account could read the VPN password). The fix is chmod 0600 /etc/ppp/chap-secrets (only root can read and write it). chap-secrets is also the better place for the password than sstpc's --password option, which, unless the program scrubs its own argv, is visible to every local user in the process list.
Could not parse attributes
Thu Nov 27 14:53:05 2014 daemon.info pppd[5874]: Plugin sstp-pppd-plugin.so loaded.
Thu Nov 27 14:53:05 2014 daemon.notice pppd[5875]: pppd 2.4.7 started by root, uid 0
Thu Nov 27 14:53:05 2014 daemon.debug pppd[5875]: using channel 13
Thu Nov 27 14:53:05 2014 local0.notice sstpc[5879]: (Harvey)run into sstp_event_create!
Thu Nov 27 14:53:05 2014 local0.notice sstpc[5879]: (Harvey)sock filename=/var/run/sstpc/sstpc-test
Thu Nov 27 14:53:05 2014 local0.notice sstpc[5879]: Waiting for sstp-plugin to connect on: /var/run/sstpc/sstpc-test
Thu Nov 27 14:53:05 2014 daemon.info pppd[5875]: Using interface ppp1
Thu Nov 27 14:53:05 2014 daemon.notice pppd[5875]: Connect: ppp1 <--> /dev/pts/2
Thu Nov 27 14:53:05 2014 local0.notice sstpc[5879]: Resolved 50.31.252.45 to 50.31.252.45
Thu Nov 27 14:53:05 2014 local0.notice sstpc[5879]: Connected to 50.31.252.45
Thu Nov 27 14:53:06 2014 daemon.debug pppd[5875]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7ece2a52> <pcomp> <accomp>]
Thu Nov 27 14:53:07 2014 local0.notice sstpc[5879]: The certificate did not match the host: JP2.ASTRILL.NET
Thu Nov 27 14:53:07 2014 local0.info sstpc[5879]: Server certificated failed verification, ignoring
Thu Nov 27 14:53:07 2014 local0.notice sstpc[5879]: Sending Connect-Request Message
Thu Nov 27 14:53:07 2014 local0.err sstpc[5879]: SSTP CRTL PKT(14)
Thu Nov 27 14:53:07 2014 local0.err sstpc[5879]: TYPE(1): CONNECT REQUEST, ATTR(1):
Thu Nov 27 14:53:07 2014 local0.err sstpc[5879]: ENCAP PROTO(1): 6
Thu Nov 27 14:53:07 2014 local0.err sstpc[5879]: SSTP CRTL PKT(48)
Thu Nov 27 14:53:07 2014 local0.err sstpc[5879]: TYPE(2): CONNECT ACK, ATTR(1):
Thu Nov 27 14:53:07 2014 local0.err sstpc[5879]: CRYPTO BIND REQ(4): 40
Thu Nov 27 14:53:07 2014 local0.notice sstpc[5879]: Started PPP Link Negotiation
Thu Nov 27 14:53:07 2014 local0.err sstpc[5879]: SSTP DATA PKT(28)
Thu Nov 27 14:53:08 2014 local0.err sstpc[5879]: SSTP DATA PKT(27)
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x74ed408d> <mru 1400>]
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic 0x74ed408d> <mru 1400>]
Thu Nov 27 14:53:08 2014 local0.err sstpc[5879]: SSTP DATA PKT(27)
Thu Nov 27 14:53:08 2014 local0.err sstpc[5879]: SSTP DATA PKT(22)
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: sent [LCP ConfReq id=0x2 <magic 0x7ece2a52>]
Thu Nov 27 14:53:08 2014 local0.err sstpc[5879]: SSTP DATA PKT(18)
Thu Nov 27 14:53:08 2014 local0.err sstpc[5879]: SSTP DATA PKT(18)
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: rcvd [LCP ConfAck id=0x2 <magic 0x7ece2a52>]
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: sent [LCP EchoReq id=0x0 magic=0x7ece2a52]
Thu Nov 27 14:53:08 2014 local0.err sstpc[5879]: SSTP DATA PKT(16)
Thu Nov 27 14:53:08 2014 local0.err sstpc[5879]: SSTP DATA PKT(29)
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: rcvd [CHAP Challenge id=0x1 <acf9b570946132c1615883aa33b88f9d>, name = ""]
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: added response cache entry 0
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: sent [CHAP Response id=0x1 <9ef3746b08912dfccf268139d87fc766000000000000000029cc41742738dcc05616b675384f0932371e191ff1feea5a00>, name = "*******@gmail.com"]
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: sstp_snoop_send: mppe keys are set
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: sstp_snoop_send: The mppe send key: 73ad258b2f5780ab94b20e4bef4fe8fe
Thu Nov 27 14:53:08 2014 daemon.debug pppd[5875]: sstp_snoop_send: The mppe recv key: f1abda15c168cb9d9b5caa4e70b249e5
Thu Nov 27 14:53:08 2014 local0.notice sstpc[5879]: Received callback from sstp-plugin
Thu Nov 27 14:53:08 2014 local0.notice sstpc[5879]: Sending Connected Message
Thu Nov 27 14:53:08 2014 local0.err sstpc[5879]: SSTP CRTL PKT(112)
Thu Nov 27 14:53:08 2014 local0.err sstpc[5879]: TYPE(4): CONNECTED, ATTR(1):
Thu Nov 27 14:53:08 2014 local0.err sstpc[5879]: CRYPTO BIND(3): 104
Thu Nov 27 14:53:08 2014 local0.notice sstpc[5879]: Connection Established
Thu Nov 27 14:53:08 2014 local0.err sstpc[5879]: SSTP DATA PKT(82)
Thu Nov 27 14:53:09 2014 local0.err sstpc[5879]: SSTP DATA PKT(16)
Thu Nov 27 14:53:09 2014 daemon.debug pppd[5875]: rcvd [LCP EchoRep id=0x0 magic=0x74ed408d]
Thu Nov 27 14:53:09 2014 local0.err sstpc[5879]: SSTP CRTL PKT(8)
Thu Nov 27 14:53:09 2014 local0.err sstpc[5879]: TYPE(5): ABORT, ATTR(0):
Thu Nov 27 14:53:09 2014 local0.debug sstpc[5879]: Could not parse attributes
Thu Nov 27 14:53:09 2014 local0.debug sstpc[5879]: Unrecoverable SSL error
Thu Nov 27 14:53:09 2014 local0.debug sstpc[5879]: Connection was aborted, Unknown Status Attribute
Thu Nov 27 14:53:09 2014 daemon.debug pppd[5875]: Script /usr/bin/sstpc --cert-warn --ipparam test --log-level 4 JP2.ASTRILL.NET --nolaunchpppd finished (pid 5876), status = 0xff
Thu Nov 27 14:53:09 2014 daemon.notice pppd[5875]: Modem hangup
Thu Nov 27 14:53:09 2014 daemon.notice pppd[5875]: Connection terminated.
Thu Nov 27 14:53:09 2014 daemon.info pppd[5875]: Exit.
I suspect that something was missing when the sstp-pppd-plugin.so plugin was compiled. Since I really could not find a solution, I fell back to the second method, i.e. letting sstpc launch pppd.
The sstpc option --cert-warn is needed (for this server)
Without it:
root@OpenWrt:~# sstpc --password "********" --user "********@gmail.com" --log-level 5 JP2.ASTRILL.NET require-mschap-v2 refuse-chap refuse-pap noauth
**Error: Verification of server certificate failed, (-2)
The sstpc logs above show why: the certificate the server presents does not match the host name JP2.ASTRILL.NET. --cert-warn only turns that failure into a warning ("Server certificated failed verification, ignoring"), after which sstpc completes the TLS handshake with whatever certificate it is given, so anyone able to intercept the connection to port 443 could impersonate the server. Because noauth (next point) means pppd never verifies the server either, the certificate check is the only thing tying the tunnel to the real endpoint. The proper fix is a certificate whose name matches, or pointing sstpc at the issuing CA with --ca-cert/--ca-path; keep --cert-warn for debugging only.
The pppd option noauth is required
root@OpenWrt:~# sstpc --cert-warn --password "********" --user "*****@gmail.com" --log-level 5 JP2.ASTRILL.NET require-mschap-v2 refuse-chap refuse-pap
/dev/pts/1: The remote system is required to authenticate itself
/dev/pts/1: but I couldn't find any suitable secret (password) for it to use to do so.
The message means pppd is insisting that the server authenticate itself to pppd: auth is pppd's default whenever the system already has a default route, which a router always does, and there is no secret for the server in chap-secrets. The SSTP server does not authenticate at the PPP level, so the fix is to add noauth. noauth only waives authentication of the peer; the client still authenticates to the server with MS-CHAPv2 (require-mschap-v2, refuse-chap, refuse-pap), and the server's identity rests entirely on the TLS certificate.
The sstpc install path must be right
But when I tried the reference's first method (driven by pppd), it did not seem to work.
Mon Nov 17 02:54:53 2014 daemon.info pppd[2653]: Plugin sstp-pppd-plugin.so loaded.
Mon Nov 17 02:54:53 2014 daemon.info pppd[2653]: pppd options in effect:
Mon Nov 17 02:54:53 2014 daemon.notice pppd[2654]: pppd 2.4.7 started by root, uid 0
Mon Nov 17 02:54:53 2014 daemon.debug pppd[2654]: using channel 8
Mon Nov 17 02:54:53 2014 daemon.err pppd[2654]: Failed to set PPP kernel option flags: Inappropriate ioctl for device
Mon Nov 17 02:54:53 2014 daemon.info pppd[2654]: Using interface ppp0
Mon Nov 17 02:54:53 2014 daemon.notice pppd[2654]: Connect: ppp0 <--> /dev/pts/1
Mon Nov 17 02:54:53 2014 daemon.debug pppd[2654]: Script /usr/sbin/sstpc --cert-warn --password ***** --user ****** --log-level 5 --log-stdout ******* --nolaunchpppd finished (pid 2655), status = 0x7f
Mon Nov 17 02:54:53 2014 daemon.notice pppd[2654]: Modem hangup
Mon Nov 17 02:54:53 2014 daemon.notice pppd[2654]: Connection terminated.
Mon Nov 17 02:54:53 2014 daemon.info pppd[2654]: Exit.
The cause of this error is that on OpenWrt sstpc is installed at /usr/bin/sstpc, not /usr/sbin/sstpc; the script exit status 0x7f is 127, the shell's "command not found", so the pty never had anything behind it.
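Putting the pieces above together (the two launch modes, the socket path derived from --ipparam, the 0600 chap-secrets, --cert-warn, noauth, and the /usr/bin/sstpc path), here is an added example, not code from the post or from sstp-client, that writes a "mode 1" peer file and the matching chap-secrets entry. The option names plugin, sstp-sock and the pppd options are the ones the post uses; the provider name, user and password are placeholders, and PPP_DIR and SSTPC are variables introduced here so the files can be generated into a scratch directory first.

```shell
#!/bin/sh
# Added example (not code from the post or from sstp-client): write a "mode 1"
# pppd peer file (pppd drives sstpc over a pty) plus the matching chap-secrets
# entry, using the option names the troubleshooting above settled on.
# PPP_DIR and SSTPC are variables introduced here so the output can be
# generated into a scratch directory; provider, user and password are placeholders.
PPP_DIR=${PPP_DIR:-/etc/ppp}
SSTPC=${SSTPC:-/usr/bin/sstpc}   # OpenWrt puts sstpc in /usr/bin, not /usr/sbin

# sstp_sock_path [IPPARAM]: the Unix socket sstpc creates, which the
# sstp-pppd-plugin must be pointed at via sstp-sock (naming rule from sstp-event.c).
sstp_sock_path() {
    if [ -n "$1" ]; then
        echo "/var/run/sstpc/sstpc-$1"
    else
        echo /var/run/sstpc/sstpc-uds-sock
    fi
}

# write_sstp_peer PROVIDER SERVER IPPARAM USER
write_sstp_peer() {
    provider=$1; server=$2; ipparam=$3; user=$4
    mkdir -p "$PPP_DIR/peers"
    cat > "$PPP_DIR/peers/$provider" <<EOF
# sstpc is the "modem"; --nolaunchpppd stops it starting a second pppd.
# --cert-warn only downgrades a failed certificate check to a warning: swap it
# for --ca-cert/--ca-path as soon as the server's CA is available.
pty "$SSTPC --cert-warn --ipparam $ipparam --log-level 4 $server --nolaunchpppd"
plugin sstp-pppd-plugin.so
sstp-sock $(sstp_sock_path "$ipparam")
ipparam $ipparam
user "$user"
# we authenticate to the server with MS-CHAPv2 only; the server does not
# authenticate to us at PPP level (its identity comes from TLS), hence noauth
noauth
require-mschap-v2
refuse-pap
refuse-chap
refuse-eap
# routing is handled by separate up/down scripts; keep pppd away from the default route
nodefaultroute
usepeerdns
lcp-echo-interval 20
lcp-echo-failure 5
EOF
    chmod 0644 "$PPP_DIR/peers/$provider"   # no secret in here, so readable is fine
}

# add_chap_secret USER PASSWORD: append a client secret valid for any server ("*").
# The file is created with mode 0600 so pppd does not warn about world/group
# access and other local users cannot read the VPN password.
add_chap_secret() {
    f="$PPP_DIR/chap-secrets"
    ( umask 077; touch "$f" )
    chmod 0600 "$f"
    printf '"%s" * "%s" *\n' "$1" "$2" >> "$f"
}
```

Usage on the router, as root: write_sstp_peer test JP2.ASTRILL.NET test you@example.com, then add_chap_secret you@example.com 'secret', then pppd call test. Setting PPP_DIR to a temporary directory first lets you inspect the generated files before they touch /etc/ppp.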
The sstpc option --save-server-route is required
Without it the tunnel does come up, and as long as nothing uses it, it stays up; but as soon as it is used (e.g. made the default route or the target of a policy route) no data gets through and it drops within seconds. Asking the sstp-client author gave the fix: https://sourceforge.net/p/sstp-client/discussion/1499217/thread/7b0a16ed/
"This is to let the client maintain the connection when you add a new default route."
The reason is a routing loop: once the default route points into ppp0, the TCP/TLS packets that carry the SSTP session to the server are themselves sent into the tunnel, the server never sees them, and pppd's LCP echo requests go unanswered (see the log below). --save-server-route makes sstpc install a host route to the server address via the original gateway before the default route changes.
Thu Nov 27 11:02:26 2014 local0.notice sstpc[6996]: Resolved 50.31.252.45 to 50.31.252.45
Thu Nov 27 11:02:27 2014 local0.notice sstpc[6996]: Connected to 50.31.252.45
Thu Nov 27 11:02:28 2014 local0.notice sstpc[6996]: The certificate did not match the host: JP2.ASTRILL.NET
Thu Nov 27 11:02:28 2014 local0.info sstpc[6996]: Server certificated failed verification, ignoring
Thu Nov 27 11:02:28 2014 local0.notice sstpc[6996]: Sending Connect-Request Message
Thu Nov 27 11:02:28 2014 local0.notice sstpc[6996]: Started PPP Link Negotiation
Thu Nov 27 11:02:28 2014 daemon.notice pppd[6997]: pppd 2.4.7 started by root, uid 0
Thu Nov 27 11:02:28 2014 daemon.info pppd[6997]: Using interface ppp0
Thu Nov 27 11:02:28 2014 daemon.notice pppd[6997]: Connect: ppp0 <--> /dev/pts/1
Thu Nov 27 11:02:32 2014 daemon.notice pppd[6997]: CHAP authentication succeeded
Thu Nov 27 11:02:34 2014 daemon.notice pppd[6997]: local IP address 198.18.128.101
Thu Nov 27 11:02:34 2014 daemon.notice pppd[6997]: remote IP address 198.18.128.1
Thu Nov 27 11:02:54 2014 local0.notice sstpc[6996]: Sending Echo-Reply Message
Thu Nov 27 11:02:59 2014 daemon.info pppd[6997]: No response to 5 echo-requests
Thu Nov 27 11:02:59 2014 daemon.notice pppd[6997]: Serial link appears to be disconnected.
Thu Nov 27 11:02:59 2014 daemon.info pppd[6997]: Connect time 0.5 minutes.
Thu Nov 27 11:02:59 2014 daemon.info pppd[6997]: Sent 1486 bytes, received 0 bytes.
Thu Nov 27 11:03:05 2014 daemon.notice pppd[6997]: Connection terminated.
Thu Nov 27 11:03:05 2014 daemon.notice pppd[6997]: Modem hangup
Thu Nov 27 11:03:05 2014 daemon.info pppd[6997]: Exit.
Thu Nov 27 11:03:05 2014 local0.debug sstpc[6996]: PPPd terminated
Thu Nov 27 11:03:05 2014 local0.notice sstpc[6996]: SSTP session was established for 37 seconds
Thu Nov 27 11:03:05 2014 local0.notice sstpc[6996]: Received 548 bytes, sent 2.29 Kb
Route-setting scripts:
Default route:
# drop the wired default route and point the default at the tunnel peer
ip route delete default via 192.168.217.2 dev eth1 proto static
# the peer address is the P-t-P field of ppp0 in busybox ifconfig output
ip route add default via $(ifconfig ppp0 | awk '/inet/{print $3}' | awk -F: '{print $2}') dev ppp0 proto static
Restore the default route:
ip route add default via 192.168.217.2 dev eth1 proto static
The firewall also has to let the traffic through, otherwise the devices behind this router cannot use the SSTP tunnel.
From OpenWrt itself the connection works:
root@OpenWrt:~# ping baidu.com
PING baidu.com (220.181.111.85): 56 data bytes
64 bytes from 220.181.111.85: seq=0 ttl=50 time=144.951 ms
64 bytes from 220.181.111.85: seq=1 ttl=50 time=145.476 ms
64 bytes from 220.181.111.85: seq=2 ttl=50 time=150.070 ms
64 bytes from 220.181.111.85: seq=3 ttl=50 time=148.155 ms
64 bytes from 220.181.111.85: seq=4 ttl=50 time=146.839 ms
64 bytes from 220.181.111.85: seq=5 ttl=50 time=145.325 ms
64 bytes from 220.181.111.85: seq=6 ttl=50 time=142.559 ms
But a Windows machine behind the OpenWrt router gets nothing through:
C:\Documents and Settings\Harvey>ping baidu.com
Pinging baidu.com [220.181.111.85] with 32 bytes of data:
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
This is because the OpenWrt firewall has not been set up.
Firewall script, adapted from http://www.oldwet.com/archives/25.html (which was written for OpenVPN's tun devices: its MSS-clamp rules match tun+, which never matches ppp0, so they are tied to $TUNDEV here):
TUNDEV=${TUNDEV:-ppp0}   # the SSTP tunnel interface

start_vpn_nat() {
    # let LAN clients be forwarded into the tunnel ...
    iptables -A forwarding_rule -o $TUNDEV -j ACCEPT
    # ... and the VPN side back to them. As written this also accepts connections
    # the VPN side initiates towards the LAN; add "-m state --state ESTABLISHED,RELATED"
    # unless that is wanted.
    iptables -A forwarding_rule -i $TUNDEV -j ACCEPT
    # hide LAN addresses behind the tunnel's own address
    iptables -t nat -A postrouting_rule -o $TUNDEV -j MASQUERADE
    # The next four rules clamp the TCP MSS to the path MTU so that iOS and similar
    # devices, which otherwise stall on the tunnel's smaller MTU, can reach the network.
    iptables -t mangle -I FORWARD -o $TUNDEV -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -t mangle -I FORWARD -i $TUNDEV -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -t mangle -A OUTPUT -o $TUNDEV -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}
stop_vpn_nat() {
    # -D needs exactly the same match as the rule it removes
    iptables -t nat -D postrouting_rule -o $TUNDEV -j MASQUERADE
    iptables -D forwarding_rule -i $TUNDEV -j ACCEPT
    iptables -D forwarding_rule -o $TUNDEV -j ACCEPT
    iptables -t mangle -D FORWARD -o $TUNDEV -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -t mangle -D FORWARD -i $TUNDEV -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -t mangle -D OUTPUT -o $TUNDEV -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}
pppd's defaultroute option has no effect
Thu Nov 27 08:50:23 2014 daemon.notice netifd: Interface 'sstp' is setting up now
Thu Nov 27 08:50:23 2014 daemon.notice netifd: Interface 'sstp' is now up
Thu Nov 27 08:50:23 2014 user.notice firewall: Reloading firewall due to ifup of sstp (sstp-sstp)
Thu Nov 27 08:50:29 2014 daemon.notice pppd[4536]: pppd 2.4.7 started by root, uid 0
Thu Nov 27 08:50:29 2014 daemon.info pppd[4536]: Using interface sstp-sstp
Thu Nov 27 08:50:29 2014 daemon.notice pppd[4536]: Connect: sstp-sstp <--> /dev/pts/0
Thu Nov 27 08:50:33 2014 daemon.notice pppd[4536]: CHAP authentication succeeded
Thu Nov 27 08:50:34 2014 daemon.err pppd[4536]: not replacing existing default route via 192.168.217.2
Thu Nov 27 08:50:34 2014 daemon.notice pppd[4536]: local IP address 198.18.128.16
Thu Nov 27 08:50:34 2014 daemon.notice pppd[4536]: remote IP address 198.18.128.1
This is probably because pppd's source checks whether a default route already exists before adding its own; see the code walkthrough at
http://www.cnblogs.com/iwasmu/archive/2011/02/25/1965309.html
One workaround is to delete the default route before connecting:
https://wiki.archlinux.org/index.php/pppd#Default_route
#!/bin/sh
# remove the existing default route so that pppd's defaultroute can take effect
/sbin/route del default
Although this works, the consequences are a nuisance: once pppd drops, the original default route is not put back, and without a default route the network is dead.
# To do: save the original route with a shell script and restore it automatically after disconnect
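To close that to-do item, here is an added example (my code, not the post's own /etc/sstp/up and down scripts, nor anything from sstp-client) that also covers the --save-server-route point above: before the default route moves into the tunnel it pins a host route to the SSTP server through the original gateway, records the original default route in a state file, and restores it when the link drops. It assumes the file is installed as /etc/ppp/ip-up and /etc/ppp/ip-down (pppd passes the interface name as $1 and the peer address as $5); the server address 50.31.252.45 and peer 198.18.128.1 are the ones from the logs, and IP, STATE_FILE and SSTP_SERVER are variables introduced here.

```shell
#!/bin/sh
# Added example, not code from the post or from sstp-client: pppd ip-up/ip-down
# helpers that pin a host route to the SSTP server via the existing gateway
# (what --save-server-route does inside sstpc), move the default route into the
# tunnel, and put the original default route back when the link drops.
# Assumed deployment: this file symlinked as /etc/ppp/ip-up and /etc/ppp/ip-down,
# where pppd passes the interface name as $1 and the remote peer address as $5.
# IP and STATE_FILE can be overridden (IP=echo prints the commands instead of
# running them, which is how the helpers can be exercised without root).
IP=${IP:-ip}
STATE_FILE=${STATE_FILE:-/tmp/sstp-default-route}
SSTP_SERVER=${SSTP_SERVER:-50.31.252.45}   # server address from the logs above

# parse_default "default via GW dev DEV ..." -> prints "GW DEV"; fails if either is missing
parse_default() {
    gw=""; dev=""
    # shellcheck disable=SC2086  # word-splitting of the route line is intended
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            via) gw=$2; shift ;;
            dev) dev=$2; shift ;;
        esac
        shift
    done
    [ -n "$gw" ] && [ -n "$dev" ] || return 1
    echo "$gw $dev"
}

# tunnel_up IFACE PEER SERVER [ROUTE_LINE]
# ROUTE_LINE defaults to the kernel's current default route.
tunnel_up() {
    iface=$1; peer=$2; server=$3
    cur=${4:-$($IP route show default 2>/dev/null | head -n 1)}
    gwdev=$(parse_default "$cur") || { echo "tunnel_up: no usable default route" >&2; return 1; }
    gw=${gwdev% *}; dev=${gwdev#* }
    # remember what to restore before touching anything
    printf '%s %s %s\n' "$gw" "$dev" "$server" > "$STATE_FILE"
    # keep the SSTP TLS session itself out of the tunnel, or it loops and dies
    $IP route replace "$server/32" via "$gw" dev "$dev"
    # now everything else may go through the tunnel ("replace" sidesteps pppd's
    # "not replacing existing default route" check entirely)
    $IP route replace default via "$peer" dev "$iface"
}

# tunnel_down: undo tunnel_up from the saved state; harmless if nothing was saved
tunnel_down() {
    [ -r "$STATE_FILE" ] || return 0
    read -r gw dev server < "$STATE_FILE"
    $IP route replace default via "$gw" dev "$dev"
    $IP route del "$server/32" 2>/dev/null
    rm -f "$STATE_FILE"
}

# Dispatch on the name pppd invoked us by; does nothing when run under another name.
case ${0##*/} in
    ip-up)   tunnel_up "$1" "$5" "$SSTP_SERVER" ;;
    ip-down) tunnel_down ;;
esac
```

Run it with IP=echo and a route line as the fourth argument to see which ip commands it would issue without changing anything. In mode 2 with --save-server-route, sstpc already installs the host route itself and the first route replace is redundant but harmless.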
Final result
- Created /etc/init.d/sstp, so SSTP can be started and stopped with /etc/init.d/sstp start (stop), and /etc/init.d/sstp enable makes it start at boot
- Created /etc/config/sstp, the SSTP configuration file, holding the username, password, server and so on. It also integrates the domestic/foreign traffic-split settings (based on https://github.com/hackgfw/openwrt-gfw-packages).
- To configure routing and the firewall, created /etc/sstp/up and /etc/sstp/down, run when the SSTP connection comes up and goes down. On connect they create gfw-sstp.user and gfw-unsstp.user under /tmp to record the original default route, which is restored on disconnect; they also handle the firewall and the policy routing for the split traffic.
- Does not use OpenWrt's standard netifd network interface framework
- Configuration is fairly cumbersome