科学上网利器(二)CentOS安装PPTP VPN、IPSec/L2TP VPN

一、安装PPTP
注意:PPTP 使用的 MS-CHAPv2 认证与 MPPE 加密早已被公开证明可以离线破解,截获一次握手就足以恢复口令和会话密钥。它只能当作一条"能通"的通道,不要把它当成保密手段;对保密性有要求的场景优先使用下文的 IPsec/L2TP(配合足够长的随机 PSK)或其他现代 VPN 方案。
1.测试是否支持,返回“ok”说明测试通过

# Does this kernel/VM expose PPP at all? The compressor module must load
# ("ok" is printed) and /dev/ppp must be openable; a "Permission denied"
# from the second command means the environment does not provide PPP.
if modprobe ppp-compress-18; then
  echo ok
fi
cat /dev/ppp

如果提示 Permission denied,说明当前内核或虚拟化环境(常见于 OpenVZ 一类容器虚拟化)不提供 PPP 设备,PPTP 和下文的 L2TP 都无法使用。正常情况下 `cat /dev/ppp` 通常会报 "No such device or address",这是预期结果,不是错误。

modprobe20160204152807

2.安装ppp 和 iptables

# pppd (the PPP daemon pptpd hands sessions to), iptables for NAT, perl for
# pptpd's helper scripts; -y skips the confirmation prompt.
yum -y install perl ppp iptables

阿里云ecs,默认iptables是已经安装的。
listppp20160204154440

3.安装PPTP
选择对应平台稳定版本http://poptop.sourceforge.net/yum/stable/

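# Fetch the package over TLS instead of plain http: it is installed as root a
# moment later, so an on-path attacker could otherwise substitute it. If the
# mirror does not serve https, keep the http URL but compare the download's
# checksum with one obtained out of band before installing.
wget https://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.4.0-1.el6.x86_64.rpm
# Check signature and digests before installing. "NOT OK" means stop; a
# "MISSING KEYS" result means the signing key is not imported (rpm --import),
# not that the check may be skipped. An unsigned package only gets its
# digests verified here, which is why the out-of-band checksum matters.
rpm -K pptpd-1.4.0-1.el6.x86_64.rpm || exit 1
rpm -ivh pptpd-1.4.0-1.el6.x86_64.rpm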

pptp20160204154957

4.开启IPv4 包转发
vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

执行 sysctl -p,使内核配置生效

5.修改配置文件
# Keep a copy of the stock pptpd options before editing, then push the
# resolvers that clients will use for all DNS while the tunnel is up.
cp /etc/ppp/options.pptpd /etc/ppp/options.pptpd.bak

printf '%s\n' 'ms-dns 8.8.8.8' 'ms-dns 8.8.4.4' >> /etc/ppp/options.pptpd

6.增加账号

vi /etc/ppp/chap-secrets
username pptpd password *

austgl pptpd 123456 * #* 表示任意ip
(示例中的 123456 仅为演示。PPTP 的 MS-CHAPv2 握手被截获后可以离线爆破口令,务必使用长随机密码;chap-secrets 是明文口令库,确认属主为 root 并执行 `chmod 600 /etc/ppp/chap-secrets`。)

7.配置文件/etc/pptpd.conf
cp /etc/pptpd.conf /etc/pptpd.conf.bak
vi /etc/pptpd.conf

localip 192.168.220.1
remoteip 192.168.220.234-238,192.168.220.245

8.添加转发

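# Public address and outbound interface of this host -- substitute your own
# (see the note below). If the public IP is not actually configured on the
# interface (platform-NATed VPS), use "-j MASQUERADE" instead of SNAT.
PUBLIC_IP=58.96.173.134
WAN_IF=eth1

# NAT the PPTP client range out through the public interface. The -s match
# keeps the box from NATing anything other than VPN client traffic.
iptables -t nat -A POSTROUTING -s 192.168.220.0/24 -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
service iptables save
# "restart" keeps existing PPP sessions alive (pptpd warns about this below);
# use "service pptpd restart-kill" to drop them and avoid duplicate IP leases.
service pptpd restart
service iptables restart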

注:--to-source 58.96.173.134 需要换成自己 ECS/VPS 的公网 IP;eth1 改成流量实际出去的那块网卡。如果公网 IP 并不直接配置在网卡上(例如由平台做 NAT 的 VPC 实例,网卡上只有内网地址),SNAT 到一个本机没有的地址会导致回包异常,此时改用 `-j MASQUERADE` 即可。另外云主机的安全组还必须放行 TCP 1723 和 GRE(IP 协议 47),否则客户端能连上 1723 端口却建立不了隧道。
Warning: a pptpd restart does not terminate existing
connections, so new connections may be assigned the same IP
address and cause unexpected results. Use restart-kill to
destroy existing connections during a restart.
#service pptpd restart-kill
#service pptpd start
modify20160204162420

9.开机启动

# Enable both services at boot: the NAT rule saved above is useless without
# iptables starting, and pptpd without it leaks nothing but also routes nothing.
for svc in pptpd iptables; do
  chkconfig "$svc" on
done

二、安装IPSec/L2TP
1.安装编译工具
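# Build dependencies for Openswan (toolchain, gmp for the crypto math, xmlto
# for the man pages, libpcap) plus the runtime bits shared with PPTP.
# xmlto was listed twice in the original command; harmless for yum, removed.
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof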
https://download.openswan.org/openswan/找自己想要的版本

2.下载编译安装openswan
https://download.openswan.org/openswan/openswan-latest.tar.gz
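# The version that actually built on this box (the original text mixed
# 2.6.24, 2.6.46 and "latest"; 2.6.46 failed, see the issue linked below).
# Tarball name and directory must agree, so derive both from one variable.
OPENSWAN_VER=2.6.43
# NOTE(review): verify the tarball against the signature/checksum published
# next to it on download.openswan.org before unpacking -- this build runs
# "make install" as root.
tar zxvf "openswan-${OPENSWAN_VER}.tar.gz"
# Stop here rather than running make in whatever directory we happen to be in.
cd "openswan-${OPENSWAN_VER}" || exit 1
make programs install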

发现编译报错:
https://github.com/xelerance/Openswan/issues/171
换了 2.6.43 才编译成功。注意上面 tar/cd 写的 2.6.24、2.6.46 与这里并不一致,以实际下载的版本为准,tar 解压出的目录名必须和 cd 进的目录一致。另外 Openswan 2.6.x 已基本停止维护,生产环境建议改用它的继承项目 Libreswan(较新的 CentOS 源里直接有包)或 strongSwan,能通过包管理器获得安全更新。

3.安装xl2tpd
# L2TP daemon that hands tunnels to pppd; IPsec (Openswan) only wraps it.
# NOTE(review): xl2tpd usually comes from EPEL on CentOS 6 -- enable that repo if yum cannot find it.
yum install xl2tpd

4.修改配置

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Do not set debug options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combation from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
	# eg:
	# plutodebug="control parsing"
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	#
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"
	#
	# Enable core dumps (might require system changes, like ulimit -C)
	# This is required for abrtd to work properly
	# Note: incorrect SElinux policies might prevent pluto writing the core
	dumpdir=/var/run/pluto/
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	# Required for the L2TP-PSK-NAT conn further down: road-warrior clients
	# are almost always behind NAT (UDP/4500 encapsulation).
	nat_traversal=yes
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
	# using 25/8 as "private" address space on their 3G network.
	# This range has not been announced via BGP (at least upto 2010-12-21)
	# NOTE(review): add %v4:!<this host's LAN range> here if any local
	# subnet overlaps these ranges, otherwise the conn's vhost:%priv match
	# can collide with it.
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
	# OE is now off by default. Uncomment and change to on, to enable.
	oe=off
	# which IPsec stack to use. auto will try netkey, then klips then mast
	# Kernel XFRM stack; "ipsec verify" reports NETKEY support for it below.
	protostack=netkey
	# Use this to log to a file, or disable logging on embedded systems (like openwrt)
	#plutostderrlog=/dev/null
	# pluto's log; presumably records peer addresses and IKE negotiation
	# details -- keep it readable by root only (TODO confirm its mode).
	plutostderrlog=/var/log/ipsec.log

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#		# Left security gateway, subnet behind it, nexthop toward right.
#		left=10.0.0.1
#		leftsubnet=172.16.0.0/24
#		leftnexthop=10.22.33.44
#		# Right security gateway, subnet behind it, nexthop toward left.
#		right=10.12.12.1
#		rightsubnet=192.168.0.0/24
#		rightnexthop=10.101.102.103
#		# To authorize this connection, but not actually start it, 
#		# at startup, uncomment this.
#		#auto=add
#
# Variant of L2TP-PSK-noNAT for clients behind NAT: the client's inner
# address may be any range listed in virtual_private (config setup above).
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
 
# IKEv1 transport-mode SA that protects L2TP (UDP/1701) between this host
# and any peer. No ike=/phase2alg= is given, so whatever Openswan and the
# client negotiate by default is used -- NOTE(review): pin the proposals
# explicitly once the client population's support is confirmed.
conn L2TP-PSK-noNAT
    # Pre-shared key from /etc/ipsec.secrets. One PSK is shared by every
    # client, so anyone holding it can impersonate the server; per-user
    # identity comes only from the CHAP login inside the tunnel.
    authby=secret
    # PFS off: compromise of the IKE SA key exposes the child SAs derived
    # from it. Kept as in the original (commonly done for L2TP client
    # compatibility) -- NOTE(review): confirm clients before enabling.
    pfs=no
    auto=add
    keyingtries=5
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # This host's public IP; change it. %any accepts any peer address.
    left=58.96.173.134
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # Dead-peer detection: probe every 15s, clear the SA after 30s silence.
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear

left 为服务器的公网 IP。如果公网 IP 没有直接配置在网卡上(例如 VPC 实例),可以改写成 left=%defaultroute 让 Openswan 自行取网卡地址。PSK 写在 /etc/ipsec.secrets 里,格式通常为 `58.96.173.134 %any: PSK "足够长的随机字符串"`;这个密钥对所有客户端共用,一旦泄露任何人都能冒充服务器,务必使用长随机值并把该文件权限设为 600。另外上面的配置没有指定 ike=/phase2alg=,实际算法由 Openswan 与客户端按默认值协商,如需控制加密强度请显式指定。

修改 IP 范围和本地 IP 地址,注意这些地址和内网 IP 地址不能冲突或者重复:
vi /etc/xl2tpd/xl2tpd.conf

vi /etc/ppp/options.xl2tpd修改 ms-dns 的值

添加VPN账号信息
vi /etc/ppp/chap-secrets(第二列的服务名通常要与 xl2tpd 侧使用的 name 一致,或写 * 让 PPTP/L2TP 共用同一账号;这里同样是明文口令,确认 `chmod 600`、属主 root,并使用长随机密码。)
vpn20160204181046

[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables --table nat --append POSTROUTING --jump MASQUERADE
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -t nat -A POSTROUTING -s 192.168.140.0/24 -o eth0 -j MASQUERADE^C
(注:第一条 MASQUERADE 规则既没有 -s 也没有 -o 限制,会把经本机转发的所有流量都做 NAT,而且后面的 `service iptables save` 把它一起保存了;应当用 `iptables -t nat -D POSTROUTING -j MASQUERADE` 删掉,只保留带 -s 客户端网段和 -o 公网网口的那一条。第二条被 ^C 取消、并未执行;真正生效的是下面 192.168.1.0/24 那条,其网段必须和 xl2tpd.conf 里的 ip range/local ip 一致。)
[root@iZ62nfbnzj5Z openswan-2.6.43]# vi /etc/ppp/options.xl2tpd
[root@iZ62nfbnzj5Z openswan-2.6.43]# vi /etc/ipsec.secrets
[root@iZ62nfbnzj5Z openswan-2.6.43]# vi /etc/ppp/chap-secrets
[root@iZ62nfbnzj5Z openswan-2.6.43]# vi /etc/xl2tpd/xl2tpd.conf 
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -A FORWARD -j REJECT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@iZ62nfbnzj5Z openswan-2.6.43]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter nat      [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[root@iZ62nfbnzj5Z openswan-2.6.43]# /etc/init.d/pppd-dns restart
-bash: /etc/init.d/pppd-dns: No such file or directory
[root@iZ62nfbnzj5Z openswan-2.6.43]# /etc/init.d/pppd restart
-bash: /etc/init.d/pppd: No such file or directory
[root@iZ62nfbnzj5Z openswan-2.6.43]# /etc/init.d/xl2tpd restart
Stopping xl2tpd:                                           [FAILED]
Starting xl2tpd:                                           [  OK  ]
[root@iZ62nfbnzj5Z openswan-2.6.43]# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec U2.6.43/K2.6.32-431.23.3.el6.x86_64...
[root@iZ62nfbnzj5Z openswan-2.6.43]# ipsec verify
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                   	[OK]
Openswan U2.6.43/K2.6.32-431.23.3.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Hardware random device check                      	[N/A]
Two or more interfaces found, checking IP forwarding	[OK]
Checking rp_filter                                	[OK]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE on tcp 500               	[NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto listening for IKE/NAT-T on tcp 4500        	[NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)     	[NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                    	[TEST INCOMPLETE]
Checking 'ip' command                             	[IP XFRM BROKEN]
Checking 'iptables' command                       	[OK]

ipsec verify: encountered errors
(注:这里的 "errors" 来自 `Checking 'ip' command [IP XFRM BROKEN]`,通常是 iproute 包太旧、不支持 `ip xfrm`,NETKEY 方式需要升级 iproute;`NAT and MASQUERADEing [TEST INCOMPLETE]` 可能与上面那条无条件 MASQUERADE 规则有关,清理后再跑一次 verify。另外 `service iptables restart` 输出的 "Setting chains to policy ACCEPT" 说明 INPUT/FORWARD 默认策略都是 ACCEPT,前面为 500/4500/1701 加的 ACCEPT 规则在默认策略改成 DROP 之前并不起限制作用;而 UDP 1701 只应在 IPsec 隧道内部可达,如果内核/iptables 支持,建议给它加上 `-m policy --dir in --pol ipsec`,避免接受未经 IPsec 保护的 L2TP 明文。云主机安全组需放行 UDP 500/4500,PPTP 还需 TCP 1723 和 GRE。)

# Start the L2TP daemon, the firewall (with the saved NAT/filter rules) and
# the IKE daemon at boot.
for svc in xl2tpd iptables ipsec; do
  chkconfig "$svc" on
done
