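root@Openwrt:/etc/config# cat /etc/swanctl/conf.d/20.acme.conf
# IKEv2 gateway profile "acme": the gateway authenticates with its certificate,
# clients authenticate with EAP-MSCHAPv2 and receive a virtual IP from the
# "ipv4addr" pool defined below.
connections {
    acme {
        local_addrs = %any
        remote_addrs = %any
        vips = 0.0.0.0,::
        fragmentation = yes
        pools = ipv4addr
        send_cert = always
        # unique = never: the same identity may hold several IKE_SAs at once.
        unique = never

        local {
            auth = pubkey
            id = "xyz.wuruxu.cn"
            certs = xyz.wuruxu.cn.cer
        }
        remote {
            # EAP-MSCHAPv2 is a password challenge/response: its strength rests
            # on the password itself and on every client validating this
            # gateway's certificate before it answers the EAP exchange.
            auth = eap-mschapv2
            eap_id = %any
        }

        children {
            sstun {
                # Full tunnel: all IPv4 and IPv6 traffic is offered to the client.
                local_ts = 0.0.0.0/0,::/0
                # The client's assigned address plus link-local multicast groups:
                # all-hosts (224.0.0.1), IGMPv3 (224.0.0.22), mDNS (224.0.0.251),
                # LLMNR (224.0.0.252) and SSDP (239.255.255.250).
                remote_ts = dynamic,224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
                # XFRM interface ID; presumably the updown script configures the
                # matching interface (script not shown here - confirm).
                if_id_in = 666
                if_id_out = 666
                # NOTE(review): the last three proposals carry no DH group, so a
                # CHILD_SA rekey with them derives keys without a fresh key
                # exchange (no PFS), and aes256-sha1 is a legacy integrity
                # algorithm. Drop them once no client depends on them.
                esp_proposals = chacha20poly1305-x25519,aes256gcm-modp2048,aes256-sha256,aes256-modp2048,aes256-sha1
                mode = tunnel
                # life_time is the hard expiry and has to lie after rekey_time.
                # The original "life_time = 2h" with "rekey_time = 6h" expired
                # the SA before any rekey was due. 6h36m keeps the 6h rekey and
                # the same 10% margin the IKE_SA uses below (6h + 36m over_time).
                # If a 2h hard limit was intended, lower rekey_time below 2h
                # instead.
                rekey_time = 6h
                life_time = 6h36m
                dpd_action = clear
                # NOTE(review): with remote_addrs = %any there is no peer
                # address to initiate to, so trap|start presumably has no effect
                # on this responder-style profile - confirm.
                start_action = trap|start
                updown = sh /etc/config/updown.sh
            }
        }

        version = 2
        mobike = yes
        rekey_time = 6h
        over_time = 36m
        # NOTE(review): the last proposal uses modp1024, a 1024-bit DH group
        # that is considered too weak today; presumably kept for legacy clients.
        # Remove it once those clients are configured for a stronger group.
        proposals = chacha20poly1305-prfsha512-curve25519,aes256gcm16-prfsha512-curve25519,aes256gcm16-prfsha256-ecp256,aes256-sha256-prfsha256-modp2048,aes256gcm16-prfsha256-modp1024
        keyingtries = 3
    }
}

# Virtual IP range and DNS server handed to connecting clients.
pools {
    ipv4addr {
        addrs = 192.168.166.50-192.168.166.200
        dns = 192.168.228.1
    }
}
root@Openwrt:/etc/config# cat /etc/swanctl/conf.d/10.EAP_MSCHAPv2.users.conf
# EAP credentials. "username" / "password" are the placeholders from the
# listing: each real account needs its own long random secret. The file holds
# the secrets in clear text, so it should be readable by root only.
secrets {
    eap-user1 {
        id = username
        secret = "password"
    }
}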