Category: Tech

  • Install Strongswan on Amazon Linux 2023 ARM64

    This problem bothered me for a long time: the Amazon Linux 2023 ARM64 repos carry so little software that a lot of it has to be pulled in as RHEL 9 binaries.

    Why ARM64? It just feels like the trend; after all, a company this "frugal" would not be throwing money around to get as far as the current Graviton 4.

    The trouble is that AWS never states which Fedora or RHEL release Amazon Linux 2023 corresponds to, which makes it a bit of a guessing game. Try it yourself? I tried several versions and failed.

    Might as well compile it straight from source.

    # build dependencies; if configure stops with "libgmp not found", add gmp-devel
    # (strongSwan's gmp plugin is built by default)
    dnf install gcc make openssl-devel -y
    mkdir src && cd src
    wget https://download.strongswan.org/strongswan-6.0.0.tar.gz
    tar zxf strongswan-6.0.0.tar.gz && cd strongswan-6.0.0
    ./configure --prefix=/usr/local/strongswan --enable-libipsec --enable-stroke && make && make install
    # systemd unit for the stroke-based "ipsec" starter installed under the prefix above
    sudo tee /etc/systemd/system/strongswan.service > /dev/null <<EOL
    [Unit]
    Description=strongSwan IPsec IKEv1/IKEv2 daemon
    After=network.target
    [Service]
    ExecStart=/usr/local/strongswan/sbin/ipsec start --nofork
    ExecStop=/usr/local/strongswan/sbin/ipsec stop
    Restart=on-failure
    [Install]
    WantedBy=multi-user.target
    EOL

    Write a couple of tiny config files.

    sudo tee /usr/local/strongswan/etc/ipsec.secrets > /dev/null <<EOL
    2100:ab16:796:5a00:bg29:6r8d:4dca:b02a someone@aws.net : PSK "86f6g7da3316a95b0f4e6416f4f0b15c44083a8b4c2da0dee8ac"
    EOL
    # ipsec.secrets holds the PSK in clear: keep it owned by root with mode 600
    sudo tee /usr/local/strongswan/etc/ipsec.conf > /dev/null <<EOL
    config setup
        uniqueids=never
        charondebug="cfg 2, dmn 2, ike 3, net 2"
    conn Someone2AWS-v6
        authby=secret
        left=2100:ab16:796:5a00:bg29:6r8d:4dca:b02a
        leftid=2100:ab16:796:5a00:bg29:6r8d:4dca:b02a
        leftsubnet=10.4.0.0/16
        right=2406:520:88:5cb::1
        #right=host.domain.org
        rightid=someone@aws.net
        rightsubnet=10.1.3.0/24
        ike=aes128gcm128-sha256-modp2048!
        esp=aes128gcm128-modp2048!
        keyingtries=0
        ikelifetime=8h
        lifetime=1h
        auto=start
    EOL

    Try starting it

    systemctl stop strongswan
    systemctl disable strongswan
    systemctl daemon-reload
    systemctl enable strongswan
    systemctl restart strongswan
    systemctl status strongswan

    Symlink the ipsec command

    ln -s /usr/local/strongswan/sbin/ipsec /usr/sbin/ipsec
    ipsec status

    Check the log to see whether everything looks normal

    journalctl -u strongswan --since -1min

    The firewall also needs a small change: open the relevant ports and enable forwarding

    dnf install firewalld -y
    systemctl enable firewalld
    systemctl start firewalld
    firewall-cmd --zone=public --add-masquerade --permanent
    firewall-cmd --zone=public --add-service=ipsec --permanent
    firewall-cmd --zone=public --add-service=ssh --permanent
    firewall-cmd --permanent --zone=public --add-interface=ens5
    firewall-cmd --reload


    Update 20250429

    cd src
    curl -O https://download.strongswan.org/strongswan-6.0.1.tar.gz
    tar zxf strongswan-6.0.1.tar.gz
    cd strongswan-6.0.1
    dnf install systemd-devel
    # no --prefix this time, so everything installs under /usr/local and the unit below uses /usr/local/sbin
    ./configure --enable-systemd && make && make install
    rm /etc/systemd/system/strongswan.service
    sudo tee /etc/systemd/system/strongswan.service > /dev/null <<EOL
    [Unit]
    Description=strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
    After=network-online.target
    Documentation=man:charon-systemd(8) man:swanctl(8)
    
    [Service]
    Type=notify
    ExecStart=/usr/local/sbin/charon-systemd
    ExecStartPost=/usr/local/sbin/swanctl --load-all
    ExecReload=/usr/local/sbin/swanctl --reload
    Restart=on-abnormal
    
    [Install]
    WantedBy=multi-user.target
    EOL

    Time to drop the ipsec command and switch to systemd and swanctl

    A conf using swanctl

    # /usr/local/etc/swanctl/swanctl.conf (the sysconfdir of a default /usr/local build)
    connections {
        AWS2BuyVM {
            local_addrs = 2605:6600:10:e95:62cb:d245:1888:eeee
            local {
                id = 2605:6600:10:e95:62cb:d245:1888:eeee
                auth = psk
            }
            remote {
                auth = psk
                id = 2406:da16:7e3:5a00:ca98:6f8d:4cfe:bbbb
            }
            remote_addrs = 2406:da16:7e3:5a00:ca98:6f8d:4cfe:bbbb
            children {
                AWS2BuyVM {
                    local_ts = 10.30.96.0/24
                    remote_ts = 10.2.0.0/16,10.3.0.0/16,10.4.0.0/16,10.5.0.0/16
                    esp_proposals = aes128gcm128-modp2048
                    life_time = 1h
                    start_action = route
                }
            }
            version = 2
            proposals = aes128gcm128-sha256-modp2048
            rekey_time = 8h
            keyingtries = 0
        }
    }
    
    secrets {
        ike-AWS2BuyVM {
            id-local = 2605:6600:10:e95:62cb:d245:1888:eeee
            id-remote = 2406:da16:7e3:5a00:ca98:6f8d:4cfe:bbbb
            secret = "0000000000000000_r"
        }
    }

    Check the state of the connection:

    swanctl --list-sas
    BuyVM2AWS: #17, ESTABLISHED, IKEv2, 6e00f87f2e29ab73_i* b801ad6c15b17e01_r
      local  '2406:da16:7e3:5a00:ca98:6f8d:4cfe:bbbb' @ 2406:da16:7e3:5a00:ca98:6f8d:4cfe:bbbb[4500]
      remote '2605:6600:10:e95:62cb:d245:1888:eeee' @ 2605:6600:10:e95:62cb:d245:1888:eeee[4500]
      AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048
      established 85s ago, rekeying in 26399s
      BuyVM2AWS: #7, reqid 5, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
        installed 86s ago, rekeying in 2873s, expires in 3515s
        in  ce702c32,   4620 bytes,    55 packets,    31s ago
        out c273aa68,   4872 bytes,    58 packets,    12s ago
        local  10.2.0.0/16 10.3.0.0/16 10.4.0.0/16 10.5.0.0/16
        remote 10.30.96.0/24
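As an added example (mine, not part of the post or of strongSwan), here is a POSIX sh health check over exactly this kind of `swanctl --list-sas` listing: it reports whether a named connection has an ESTABLISHED IKE SA plus an INSTALLED CHILD_SA, and how many seconds ago the last inbound ESP packet arrived, which is the counter that stops moving when the far side silently disappears. SAMPLE_SAS is constructed to mirror the layout above with documentation addresses and made-up SPIs; the function names are my own.

```shell
#!/bin/sh
# Added example: health check over `swanctl --list-sas` output.
# SAMPLE_SAS is constructed (documentation addresses, made-up SPIs) to match
# the layout of a real listing; in production pass in "$(swanctl --list-sas)".
SAMPLE_SAS=$(cat <<'EOF'
BuyVM2AWS: #17, ESTABLISHED, IKEv2, 0123456789abcdef_i* fedcba9876543210_r
  local  '2001:db8:1::1' @ 2001:db8:1::1[4500]
  remote '2001:db8:2::1' @ 2001:db8:2::1[4500]
  AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048
  established 85s ago, rekeying in 26399s
  BuyVM2AWS: #7, reqid 5, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
    installed 86s ago, rekeying in 2873s, expires in 3515s
    in  0a0a0a0a,   4620 bytes,    55 packets,    31s ago
    out 0b0b0b0b,   4872 bytes,    58 packets,    12s ago
    local  10.2.0.0/16 10.3.0.0/16
    remote 10.30.96.0/24
EOF
)

# Print UP when connection $1 has an ESTABLISHED IKE SA and an INSTALLED
# CHILD_SA in listing $2, otherwise DOWN. Both lines begin with "<name>:".
sa_state() {
    printf '%s\n' "$2" | awk -v conn="$1" '
        $1 == (conn ":") && /ESTABLISHED/ { ike = 1 }
        $1 == (conn ":") && /INSTALLED/   { child = 1 }
        END { if (ike && child) print "UP"; else print "DOWN" }'
}

# Seconds since the last inbound ESP packet on the first CHILD_SA of $1,
# or "never" when the inbound counter has not moved yet (no "ago" field).
last_inbound_age() {
    printf '%s\n' "$2" | awk -v conn="$1" '
        $1 == (conn ":") && /INSTALLED/ { in_child = 1; next }
        in_child && $1 == "in" {
            if ($NF == "ago") { sub(/s$/, "", $(NF-1)); print $(NF-1) } else print "never"
            exit
        }'
}

# Return 0 when $1 is up and has received traffic within $3 seconds,
# 1 otherwise; the one-line verdict goes to stdout for cron or a timer.
tunnel_check() {
    state=$(sa_state "$1" "$2")
    [ "$state" = "UP" ] || { echo "$1: $state"; return 1; }
    age=$(last_inbound_age "$1" "$2")
    if [ "$age" = "never" ]; then echo "$1: UP but nothing received yet"; return 1; fi
    if [ "$age" -gt "$3" ]; then echo "$1: UP but idle for ${age}s"; return 1; fi
    echo "$1: UP, last inbound ${age}s ago"
}

# Stand-alone demo on the constructed listing. With live data:
#   tunnel_check AWS2BuyVM "$(swanctl --list-sas)" 600
tunnel_check BuyVM2AWS "$SAMPLE_SAS" 600
```

One caveat: a connection configured with `start_action = route` has no SA at all until the first packet hits its trap policy, so DOWN for such a connection can simply mean idle; `swanctl --list-pols` shows whether the policy is at least installed.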
    
  • OpenVPN and WireGuard

    Working overtime away from home over the New Year was inconvenient: at home, the firewall has an IPsec site-to-site tunnel into the cloud VPC, so when I am away I need a client VPN to do the same things.

    So I installed OpenVPN and WireGuard on a server to get into the VPC conveniently. WireGuard has been out for a long time; the reason I never used it is that it has not stood the test of history and has no big company backing it. Only time refines true gold, and it has not been around long enough to prove it cannot be broken. But Jess says a lot of the underlying infrastructure runs on WireGuard, so I figured that if everyone is so casual about it, I would use it too.


    OpenVPN is an old skill. Back in the China Mobile cmwap days I used it to get through the WAP gateway onto cmnet, burning through many GB of traffic in that 20-yuan-a-month 2.5G era. The new easyrsa certificate initialisation seems to have changed slightly; after all, it has been almost ten years since I last used it, because its traffic signature is obvious and easily detected by the GFW, so later I mostly used IPsec, which the GFW does not block.

    ./easyrsa init-pki
    ./easyrsa build-ca nopass
    ./easyrsa gen-dh
    ./easyrsa build-server-full server nopass
    ./easyrsa build-client-full client nopass
    # copy pki/ca.crt, pki/dh.pem, pki/issued/server.crt and pki/private/server.key
    # to /etc/openvpn/server/, the paths server.conf below refers to

    systemctl enable openvpn-server@server
    systemctl start openvpn-server@server

    server.conf

    # /etc/openvpn/server/server.conf, read by openvpn-server@server
    daemon
    server 10.8.0.0 255.255.255.0
    proto udp
    port 443
    dev tun
    data-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
    cipher AES-128-CBC
    keepalive 15 60
    verb 3
    duplicate-cn
    push "redirect-gateway def1"
    ca /etc/openvpn/server/ca.crt
    dh /etc/openvpn/server/dh.pem
    cert /etc/openvpn/server/server.crt
    key /etc/openvpn/server/server.key
    status-version 2
    status status 5

    client.conf

    client
    dev tun
    proto udp
    remote 15.15.18.19 443
    float
    data-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
    cipher AES-128-CBC
    keepalive 15 60
    remote-cert-tls server
    # key-direction has no effect unless a tls-auth key is configured on both ends
    key-direction 1
    resolv-retry infinite
    nobind
    <ca>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    </key>
    route-nopull
    route 10.2.0.0 255.255.0.0 vpn_gateway
    route 10.3.0.0 255.255.0.0 vpn_gateway
    route 10.4.0.0 255.255.0.0 vpn_gateway
    route 10.5.0.0 255.255.0.0 vpn_gateway
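Before handing a profile like the one above to a client it is worth checking that its inline blocks are well-formed; a truncated `<cert>` block that runs into a private key and is closed with `</key>` is exactly the kind of mistake that is easy to make when pasting PEM material. The following is an added example (mine, not from the post or from the OpenVPN project): an awk-based checker in POSIX sh for the `<tag>` ... `</tag>` syntax, which also flags `key-direction` when no tls-auth key exists for it to apply to. The two embedded profiles are constructed, with empty placeholder PEM bodies that carry only the BEGIN/END markers.

```shell
#!/bin/sh
# Added example: lint the inline <tag>...</tag> blocks of an OpenVPN profile.
# Both sample profiles are constructed; PEM bodies are empty placeholders.

GOOD_PROFILE=$(cat <<'EOF'
client
dev tun
remote vpn.example.com 443
remote-cert-tls server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
)

# Same shape as a profile whose <cert> block was truncated: the certificate
# body runs straight into a private key and is closed with </key>.
BAD_PROFILE=$(cat <<'EOF'
client
dev tun
remote vpn.example.com 443
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END PRIVATE KEY-----
</key>
EOF
)

# $1 = profile text. Prints one finding per line; returns 1 if there were any.
check_ovpn_inline() {
    printf '%s\n' "$1" | awk '
        function finding(msg) { print "line " NR ": " msg; bad = 1 }
        /^<[a-z0-9-]+>$/ {                       # opening tag
            tag = substr($0, 2, length($0) - 2)
            if (open != "") finding("<" tag "> opened while <" open "> is still open")
            open = tag; got_begin = 0; got_end = 0
            if (tag == "tls-auth") has_tlsauth = 1
            next
        }
        /^<\/[a-z0-9-]+>$/ {                     # closing tag
            tag = substr($0, 3, length($0) - 3)
            if (open == "") finding("</" tag "> without an opening tag")
            else if (tag != open) finding("</" tag "> closes <" open ">")
            else if (!got_begin || !got_end) finding("<" open "> has no complete BEGIN/END body")
            open = ""
            next
        }
        open != "" && /^-----BEGIN / { got_begin = 1 }
        open != "" && /^-----END /   { got_end = 1 }
        open == "" && /^tls-auth /     { has_tlsauth = 1 }   # file-based tls-auth directive
        open == "" && /^key-direction/ { has_keydir = 1 }
        END {
            if (open != "") { print "EOF: <" open "> never closed"; bad = 1 }
            if (has_keydir && !has_tlsauth) { print "key-direction set but no tls-auth key to apply it to"; bad = 1 }
            exit bad + 0
        }'
}

# Number of findings for profile text $1 (0 means clean).
count_findings() { check_ovpn_inline "$1" | wc -l | tr -d ' '; }

# Stand-alone demo: the clean profile prints nothing, the broken one two findings.
check_ovpn_inline "$GOOD_PROFILE" && echo "good profile: clean"
check_ovpn_inline "$BAD_PROFILE" || echo "bad profile: findings above"
```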

    WireGuard is a new skill: first time installing it on Linux, and it could not be simpler.

    dnf install wireguard-tools -y
    cd /etc/wireguard
    # run this under umask 077: with the default umask the private key file is world-readable
    wg genkey | tee server_privateKey | wg pubkey > server_publicKey
    vi wg0.conf
    
    [Interface]
    Address = 10.254.254.1/24
    # SaveConfig = true makes wg-quick rewrite this file when wg0 goes down,
    # so edit it while the interface is stopped or use `wg set` on the live interface
    SaveConfig = true
    ListenPort = 51820
    PrivateKey = kFFVyz4WC0s+oqoQ72b9mjXK0TNtw6/YsR+r8fexdWE=
    
    #OfficeMac
    [Peer]
    AllowedIPs = 10.254.254.11/32
    PublicKey = kMp2fqFE+GXcfR06u+NI2KeFDeEPlSvG1uefrrDBPEA=
    
    systemctl enable wg-quick@wg0.service
    systemctl restart wg-quick@wg0.service

    and FreeBSD

    pkg install wireguard-tools
    cd /usr/local/etc/
    mkdir wireguard && cd wireguard
    wg genkey | tee server_privateKey | wg pubkey > server_publicKey
    
    sysrc wireguard_enable="YES"
    sysrc wireguard_interfaces="wg0"
    /usr/local/etc/rc.d/wireguard start
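Two things are worth tightening in the WireGuard steps above, on Linux and FreeBSD alike. `wg genkey | tee server_privateKey` inherits the shell's umask, so with the usual 022 the private key lands in a world-readable file. And each `[Peer]` stanza's AllowedIPs is not only a route: it is the set of source addresses the server will accept from that peer, so a slip such as /24 instead of /32, or two peers sharing an address, silently lets one peer send traffic as another. The following added example (mine, not part of the post or of wireguard-tools) is a POSIX sh helper that creates wg0.conf with mode 0600, generates keys under umask 077, and appends peers only after checking the key format, the /32 prefix and duplicates. The key strings are constructed placeholders with the shape of canonical 44-character base64, not real keys.

```shell
#!/bin/sh
# Added example: safer wg0.conf handling. Keys are constructed placeholders
# (right length and base64 shape, not real Curve25519 keys).

# rep CHAR N: print CHAR N times (used only to build the placeholder keys)
rep() { awk -v c="$1" -v n="$2" 'BEGIN { while (n-- > 0) printf "%s", c }'; }
SERVER_PRIV="$(rep D 42)g="
PEER_A_PUB="$(rep A 43)="
PEER_B_PUB="$(rep C 42)Q="
NOT_A_KEY="$(rep B 43)="    # 44 chars, but the 43rd char carries non-zero padding bits

# A WireGuard key is 32 bytes: 44 base64 characters ending in one '=', where
# the 43rd character may only encode 4 data bits (its low two bits are zero).
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Create $1 with mode 0600 holding the [Interface] section.
# $2 = interface address, $3 = listen port, $4 = server private key.
init_conf() {
    is_wg_key "$4" || { echo "refusing: private key is not canonical base64"; return 1; }
    ( umask 077
      printf '[Interface]\nAddress = %s\nListenPort = %s\nPrivateKey = %s\n' "$2" "$3" "$4" > "$1" )
}

# Generate a key pair the way the post does, but under umask 077 so the
# private key file is created 0600 (needs wireguard-tools; not run by the demo).
gen_keys() {
    ( umask 077; cd "$1" && wg genkey | tee server_privateKey | wg pubkey > server_publicKey )
}

# 0 when $1 is exactly mode 0600, 1 otherwise (find -perm behaves alike on GNU and BSD).
is_private_file() { [ -n "$(find "$1" -perm 600 -print 2>/dev/null)" ]; }

# Append a [Peer] to $1 for public key $2 with the single address $3 (a.b.c.d/32).
add_peer() {
    conf=$1; pub=$2; ip=$3
    is_wg_key "$pub" || { echo "refusing $pub: not a canonical WireGuard key"; return 1; }
    case $ip in
        *.*.*.*/32) ;;
        *) echo "refusing $ip: a client peer gets exactly one /32"; return 1 ;;
    esac
    if grep -qF "AllowedIPs = $ip" "$conf"; then
        echo "refusing $ip: already assigned to another peer"; return 1
    fi
    if grep -qF "PublicKey = $pub" "$conf"; then
        echo "refusing: peer $pub is already present"; return 1
    fi
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pub" "$ip" >> "$conf"
}

# Stand-alone demo in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    init_conf "$d/wg0.conf" 10.254.254.1/24 51820 "$SERVER_PRIV" || return 1
    add_peer "$d/wg0.conf" "$PEER_A_PUB" 10.254.254.11/32
    add_peer "$d/wg0.conf" "$PEER_B_PUB" 10.254.254.11/32 || :   # rejected: address in use
    add_peer "$d/wg0.conf" "$NOT_A_KEY"  10.254.254.12/32 || :   # rejected: malformed key
    is_private_file "$d/wg0.conf" && echo "wg0.conf is mode 0600"
    cat "$d/wg0.conf"
    rm -rf "$d"
}
demo
```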
  • rename on FreeBSD

    This one annoyed me for a long time: photos exported from the camera sometimes get inexplicable underscores and hyphens added, and worse, some software adds spaces. What the hell is the point of adding spaces?

    But I cannot work out FreeBSD's default renamex; I went through plenty of references and still could not get it working, probably my comprehension is just too poor. Gave up,

    and switched to Perl's rename instead

    pkg install p5-File-Rename
    # add -n first to preview the renames without touching anything
    rename "s/ //g" *
    rename "s/_//g" *
    rename "s/-//g" *
    rename "s/\)//g" *
    rename "s/,//g" *
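Perl's rename will not overwrite an existing target unless forced with -f, which matters here because stripping spaces and underscores easily maps two different names onto one (IMG 001.jpg and IMG_001.jpg both become IMG001.jpg). The following added example (mine, not from the post) does the same cleanup in plain POSIX sh, using the character set of the one-liners above plus the opening parenthesis, and reports each collision instead of guessing; the file names in the demo are constructed.

```shell
#!/bin/sh
# Added example: collision-aware version of the rename one-liners above.

# Strip spaces, underscores, parentheses, commas and hyphens from a name.
# The trailing '-' in the tr set is literal, not a range.
sanitize_name() { printf '%s' "$1" | tr -d ' _(),-'; }

# Rename every regular file directly under $1 to its sanitized name.
# A file is skipped (never overwritten) when the target already exists,
# which also covers two sources in the same batch mapping to one name.
# Prints "old -> new" or "SKIP old (reason)"; returns the number of skips.
sanitize_dir() {
    dir=$1
    skipped=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        new=$(sanitize_name "$base")
        [ "$new" = "$base" ] && continue
        if [ -z "$new" ] || [ "$new" = "." ] || [ "$new" = ".." ]; then
            echo "SKIP $base (empty name)"; skipped=$((skipped + 1)); continue
        fi
        if [ -e "$dir/$new" ]; then
            echo "SKIP $base (target $new exists)"; skipped=$((skipped + 1)); continue
        fi
        mv -- "$f" "$dir/$new" && echo "$base -> $new"
    done
    return "$skipped"
}

# Stand-alone demo on constructed file names in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    for n in 'IMG 001.jpg' 'IMG_001.jpg' 'DSC-2 (1).jpg' 'clean.jpg'; do : > "$d/$n"; done
    if sanitize_dir "$d"; then echo "no collisions"; else echo "skipped: $?"; fi
    ls "$d"
    rm -rf "$d"
}
demo
```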

    The vi substitute command seems to work much the same way

    :%s/logs/\/home\/www\/logs/g

    Added automatic upgrades, although FreeBSD is not as badly off as Linux when it goes without upgrades.

    crontab -l
    0 9 * * * /home/www/sh/pkg-auto-upgrade.sh

    #!/bin/sh
    # /home/www/sh/pkg-auto-upgrade.sh
    pkg update -f
    sleep 5
    pkg upgrade -y
    sleep 5
    pkg clean -y
    sleep 1
    pkg autoremove -y

    Also, Linux distributions using dnf now have automatic upgrades available,

    dnf install dnf-automatic -y
    vi /etc/dnf/automatic.conf
    random_sleep = 120
    apply_updates = yes
    emit_via = motd
    systemctl enable --now dnf-automatic.timer

    Recently Mom's phone number back home suddenly stopped connecting, for no clear reason; maybe the SIM card or slot has a problem, maybe China Unicom has gone mad again, suspending numbers at the drop of a hat in the name of anti-fraud. And then today I suddenly noticed that Mom's old phone, which has been plugged into the charger all this time, has a swollen battery that is about to burst through the screen.

    I suppose this is Mom saying goodbye to me.