update at 2024-03-07 16:11:26

codeblock/home-network/ikev2.yaml

@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: ikev2
+  name: ikev2
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app: ikev2
+  template:
+    metadata:
+      labels:
+        app: ikev2
+    spec:
+      containers:
+        - image: imroc/ipsec-vpn-server:4.12
+          imagePullPolicy: IfNotPresent
+          name: ikev2
+          ports:
+            - containerPort: 500
+              protocol: UDP
+              hostPort: 600
+            - containerPort: 4500
+              protocol: UDP
+              hostPort: 4600
+          envFrom:
+            - secretRef:
+                name: ikev2-secret
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - mountPath: /etc/ipsec.d
+              name: ikev2-vpn-data
+            - mountPath: /lib/modules
+              name: mod
+              readOnly: true
+      dnsPolicy: Default
+      restartPolicy: Always
+      volumes:
+        - hostPath:
+            path: /lib/modules
+            type: Directory
+          name: mod
+        - secret:
+            secretName: ikev2-vpn-data
+          name: ikev2-vpn-data
+  updateStrategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate

codeblock/home-network/vpn.env

@@ -0,0 +1,29 @@
+# 定义 VPN 配置文件的密码，以及登录 VPN 的用户名和密
+VPN_IPSEC_PSK=123456
+VPN_USER=roc
+VPN_PASSWORD=123456
+
+# Define additional VPN users
+# - DO NOT put "" or '' around values, or add space around =
+# - DO NOT use these special characters within values: \ " '
+# - Usernames and passwords must be separated by spaces
+# VPN_ADDL_USERS=additional_username_1 additional_username_2
+# VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2
+
+# 改成家里公网 IP 对应的域名
+VPN_DNS_NAME=home.yourdomain.com
+
+# Specify a name for the first IKEv2 client
+# - Use one word only, no special characters except '-' and '_'
+# - The default is 'vpnclient' if not specified
+VPN_CLIENT_NAME=roc
+
+# 可以改成家里宽带使用的 DNS 地址
+VPN_DNS_SRV1=61.139.2.69
+VPN_DNS_SRV2=218.6.200.139
+
+# Protect IKEv2 client config files using a password
+# - By default, no password is required when importing IKEv2 client configuration
+# - Uncomment if you want to protect these files using a random password
+VPN_PROTECT_CONFIG=yes
+

content/cases/home-network/ikev2.md

@@ -0,0 +1,86 @@
+# IKEv2
+
+## 为什么需要 IKEv2
+
+如果需要手机或电脑在外面连上家里的内网，可以在家里路由器搭建 VPN 服务端，苹果的系统(iOS/MacOS)内置了 IKEv2 协议的 VPN 客户端，一些安卓设备也内置了，我们在路由器里部署下支持 IKEv2 协议的 VPN 服务端并暴露出来就可以实现远程连上家里内网了。
+
+## 开源项目 
+
+本文部署的 IKEv2 VPN 服务使用这个开源项目：https://github.com/hwdsl2/docker-ipsec-vpn-server
+
+## 生成配置
+
+准备环境变量文件：
+
+<FileBlock showLineNumbers title="config/vpn.env" file="home-network/vpn.env" />
+
+再准备一个存储自动生成的 VPN 配置的目录：
+
+```bash
+mkdir -p config/ikev2-vpn-data
+```
+
+然后使用 docker 运行并引用环境变量文件，生成 VPN 配置：
+
+```bash
+docker run --rm -it \
+    --name ipsec-vpn-server \
+    --env-file ./vpn.env \
+    -v $PWD/config/ikev2-vpn-data:/etc/ipsec.d \
+    -v /lib/modules:/lib/modules:ro \
+    -p 500:500/udp \
+    -p 4500:4500/udp \
+    --privileged \
+    hwdsl2/ipsec-vpn-server
+```
+
+最终 config 目录结构如下：
+
+```txt
+config
+├── ikev2-vpn-data
+│   ├── .vpnconfig
+│   ├── cert9.db
+│   ├── ikev2.conf
+│   ├── ikev2setup.log
+│   ├── key4.db
+│   ├── passwd
+│   ├── pkcs11.txt
+│   ├── roc.mobileconfig
+│   ├── roc.p12
+│   └── roc.sswan
+└── vpn.env
+```
+
+## 准备 daemonset.yaml
+
+<FileBlock showLineNumbers title="daemonset.yaml" file="home-network/ikev2.yaml" />
+
+## 准备 kustomization.yaml
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - daemonset.yaml
+
+namespace: default
+
+secretGenerator:
+  - name: ikev2-secret
+    envs:
+      - config/vpn.env
+  - name: ikev2-vpn-data
+    files:
+      - config/ikev2-vpn-data/.vpnconfig
+      - config/ikev2-vpn-data/cert9.db
+      - config/ikev2-vpn-data/ikev2.conf
+      - config/ikev2-vpn-data/ikev2setup.log
+      - config/ikev2-vpn-data/key4.db
+      - config/ikev2-vpn-data/passwd
+      - config/ikev2-vpn-data/pkcs11.txt
+      - config/ikev2-vpn-data/roc.mobileconfig
+      - config/ikev2-vpn-data/roc.p12
+      - config/ikev2-vpn-data/roc.sswan
+```

content/sidebars.ts

@@ -541,6 +541,7 @@ const sidebars: SidebarsConfig = {
             'cases/home-network/prepare',
             'cases/home-network/dnsmasq',
             'cases/home-network/ddns',
+            'cases/home-network/ikev2',
           ]
         }
       ],