Contents
  1. Setting up an L2TP+IPsec VPN
    1. Installing the software
    2. Configuring the kernel and firewall
    3. Other configuration
    4. Finally

Setting up a VPN on CentOS

I set up an L2TP+IPsec VPN, which for a beginner like me took a fair amount of effort... The process is recorded here.

Setting up an L2TP+IPsec VPN

While setting up the VPN I took a closer look at the three VPN types in common use: PPTP, IPsec/L2TP and OpenVPN. After comparing them I decided to try building an IPsec/L2TP VPN first.
There is a lot of material online, but it is also very scattered, so I am writing up my own setup as a tidy reference.

Installing the software

First run yum update to bring the system up to date.

yum install wget bind-utils
# Add the EPEL repository for CentOS 6 (this write-up is on a 32-bit host); xl2tpd is not in the base repositories
wget http://mirror.nl.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -ivh ./epel-release-6-8.noarch.rpm

yum install openswan
yum install ppp xl2tpd
yum install lsof man

ppp is what manages the VPN users. I ran into a problem here: xl2tpd could not be found in any repository. The fix was to search pkgs.org, where I found the URL of the latest version.
Then download the matching package and install it with yum install xl2tpd-1.3.6-1.el6.i686.rpm

Configuring the kernel and firewall

# Turn the server into a NAT gateway for the VPN clients
# (this catch-all MASQUERADE rule NATs every forwarded packet; the iptables-save
# listing further down restricts it to the VPN subnet and the outgoing interface)
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf

# Do not accept ICMP redirects; a host that is not acting as a router should have this at 0
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
# Do not send ICMP redirects; if the server is not a gateway/router this should also be 0
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf

# With ip_forward=1 a redirect setting is in effect when either conf.all or the
# per-interface value is 1, so clear it on every interface that already exists
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p
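The three `echo ... | tee -a` lines above append a fresh line on every run, so re-running the step leaves duplicates in /etc/sysctl.conf (harmless for `sysctl -p`, where the last occurrence wins, but hard to audit), and the `for` loop only reaches interfaces that exist at that moment. The bash script below is an added example, not part of the original write-up: it updates-or-appends each key exactly once, also sets the `net.ipv4.conf.default.*` keys so that the pppN interfaces created later, when clients connect, start out with redirects disabled, and audits a sysctl.conf file for the values this setup relies on. The file path is a parameter; the demo uses a scratch file, and on the server you would pass /etc/sysctl.conf and follow with `sysctl -p`.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): manage the sysctl keys this
# VPN needs without appending duplicate lines, and audit the result.
# FILE is a parameter so the demo can work on a scratch copy instead of
# /etc/sysctl.conf.

# set_sysctl_key FILE KEY VALUE
# Replace an existing "KEY = ..." line or append one, so repeated runs leave
# exactly one line per key (unlike 'echo ... | tee -a', which appends each time).
set_sysctl_key() {
    local file=$1 key=$2 value=$3 ekey
    ekey=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots for the regex
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*${ekey}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*${ekey}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_key FILE KEY : print the value that 'sysctl -p FILE' would apply
# (the last occurrence wins, exactly as sysctl processes the file)
get_sysctl_key() {
    local ekey
    ekey=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -nE "s/^[[:space:]]*${ekey}[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p" "$1" | tail -n 1
}

# configure_vpn_sysctl FILE
# ip_forward on, ICMP redirects off. Besides conf.all (what the write-up sets)
# this also sets conf.default, which newly created interfaces such as the pppN
# device for each client take their initial values from; the for loop over
# /proc/sys/net/ipv4/conf/* only reaches interfaces that exist when it runs.
configure_vpn_sysctl() {
    local file=$1 scope
    set_sysctl_key "$file" net.ipv4.ip_forward 1
    for scope in all default; do
        set_sysctl_key "$file" "net.ipv4.conf.$scope.accept_redirects" 0
        set_sysctl_key "$file" "net.ipv4.conf.$scope.send_redirects" 0
    done
}

# audit_sysctl_file FILE : return 0 when FILE carries every value above,
# otherwise report each mismatch on stderr and return 1
audit_sysctl_file() {
    local file=$1 rc=0 key want got
    while read -r key want; do
        got=$(get_sysctl_key "$file" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL: %s is %s, want %s\n' "$key" "${got:-unset}" "$want" >&2
            rc=1
        fi
    done <<EOF
net.ipv4.ip_forward 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.send_redirects 0
EOF
    return $rc
}

# Demo on a scratch file; on the server: configure_vpn_sysctl /etc/sysctl.conf && sysctl -p
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    configure_vpn_sysctl "$tmp"
    configure_vpn_sysctl "$tmp"          # second run must not add duplicates
    cat "$tmp"
    audit_sysctl_file "$tmp" && echo "sysctl settings OK"
    rm -f "$tmp"
fi
```

The per-interface `for` loop from the step above is still needed once for the interfaces already present; the conf.default keys take care of everything created afterwards.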

Other configuration

  • Edit /etc/rc.local and append at the end:
# Correct ICMP Redirect issues with OpenSWAN
# rp_filter=0: strict reverse-path filtering can drop packets that arrive
# decrypted from the IPsec tunnel with the client's private source address
for each in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
    echo 0 > $each/rp_filter
done
  • Edit /etc/ipsec.conf; my configuration is as follows (Openswan requires the parameters under config and conn to be indented):
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces="%defaultroute"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug="none"
    plutostderrlog=/var/log/pluto.log
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    forceencaps=yes
    right=%any
    rightsubnet=vhost:%any,%priv
    rightprotoport=17/%any
    left=%defaultroute
    leftprotoport=17/1701
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf
  • Edit /etc/ipsec.secrets
vi /etc/ipsec.secrets
#include /etc/ipsec.d/*.secrets
your.public.IP %any: PSK "a long random pre-shared key"

The same PSK is handed to every client of this VPN, so make it a long random string rather than a memorable word, and keep the file readable by root only.

Now run ipsec verify to check the configuration. Mine looked like this:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-504.3.3.el6.i686 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

If anything fails here, fix it before going on; search for the specific check that did not pass.

  • Edit /etc/xl2tpd/xl2tpd.conf

vi /etc/xl2tpd/xl2tpd.conf

;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
ipsec saref = no
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 192.168.32.1-192.168.32.250
local ip = 192.168.32.252
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

  • Edit /etc/ppp/options.xl2tpd

vi /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
logfile /var/log/ppp.log
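As an added example (not from the original post), here is a bash lint over the two files edited above, /etc/xl2tpd/xl2tpd.conf and /etc/ppp/options.xl2tpd, that checks the settings which decide how clients authenticate: `require authentication`, `require chap` and `refuse pap` in the [lns default] section, `require-mschap-v2` in the pppd options, and the absence of `noauth`. It also warns when pppd `debug` logging is left on after troubleshooting. The file paths are parameters; `write_samples` reproduces the two files from this write-up as constructed sample input for the demo, and it reports only what is written in the files, not what pppd ends up negotiating.

```shell
#!/usr/bin/env bash
# Added example, not part of the original write-up: lint the authentication
# settings in xl2tpd.conf and options.xl2tpd before the service goes live.
# Paths are parameters so it can be run against scratch copies.

# xl2tpd_get FILE SECTION KEY : print the value of "KEY = value" in [SECTION]
# (';' starts a comment; keys may contain spaces, as in "refuse pap").
xl2tpd_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (s == sec); next
        }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# ppp_has_option FILE OPTION : succeed when OPTION is the first word of a
# non-comment line ('#' starts a comment in pppd option files).
ppp_has_option() {
    awk -v opt="$2" '{ sub(/#.*/, ""); if ($1 == opt) found = 1 }
                      END { exit found ? 0 : 1 }' "$1"
}

# audit_l2tp_auth XL2TPD_CONF PPP_OPTIONS
# Return 0 when the files say what the write-up intends; print one FAIL or
# WARN line per finding.
audit_l2tp_auth() {
    local conf=$1 opts=$2 rc=0 k v
    for k in "require authentication" "require chap" "refuse pap"; do
        v=$(xl2tpd_get "$conf" "lns default" "$k")
        if [ "$v" != "yes" ]; then
            echo "FAIL: [lns default] '$k' is '${v:-unset}', expected yes"; rc=1
        fi
    done
    v=$(xl2tpd_get "$conf" "lns default" "pppoptfile")
    [ -n "$v" ] || { echo "FAIL: [lns default] has no pppoptfile"; rc=1; }
    ppp_has_option "$opts" require-mschap-v2 \
        || { echo "FAIL: options file does not require MS-CHAPv2"; rc=1; }
    ppp_has_option "$opts" noauth \
        && { echo "FAIL: options file contains 'noauth'"; rc=1; }
    ppp_has_option "$opts" debug \
        && echo "WARN: pppd 'debug' logging is on; turn it off once the tunnel works"
    return $rc
}

# write_samples DIR : constructed copies of the two files as shown in the
# write-up, for the demo and tests
write_samples() {
    cat > "$1/xl2tpd.conf" <<'EOF'
[global]
ipsec saref = no

[lns default]
ip range = 192.168.32.1-192.168.32.250
local ip = 192.168.32.252
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
    cat > "$1/options.xl2tpd" <<'EOF'
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
noccp
auth
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
# To allow authentication against a Windows domain EXAMPLE ...
require-mschap-v2
logfile /var/log/ppp.log
EOF
}

# Demo on scratch copies; on the server:
#   audit_l2tp_auth /etc/xl2tpd/xl2tpd.conf /etc/ppp/options.xl2tpd
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    audit_l2tp_auth "$d/xl2tpd.conf" "$d/options.xl2tpd" && echo "auth settings OK"
    rm -rf "$d"
fi
```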

  • Add users

vi /etc/ppp/chap-secrets and add the users in the file's format, one per line: client  server  secret  IP-addresses. The server field must match the name set in xl2tpd.conf (LinuxVPNserver above) or be *, and * in the address field lets xl2tpd assign an address from its ip range.
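The PSK line in /etc/ipsec.secrets and the entries in /etc/ppp/chap-secrets are the only credentials standing between the internet and this tunnel, so they are better generated than typed. The bash helpers below are an added example, not part of the original write-up, and serve both the ipsec.secrets step above and the user step here: they draw secrets from /dev/urandom, write each file with the syntax Openswan and pppd expect, refuse short PSKs and malformed or duplicate user names, and create the files readable by root only. The scratch paths, the placeholder address 203.0.113.10 and the user names are assumptions for the demo; on the server you would pass /etc/ipsec.secrets and /etc/ppp/chap-secrets, then restart ipsec so it re-reads its secrets (pppd reads chap-secrets at each connection, so xl2tpd needs no restart).

```shell
#!/usr/bin/env bash
# Added example, not part of the original write-up: generate and write the
# IPsec pre-shared key and the per-user CHAP passwords with correct syntax
# and 0600 permissions. File paths are parameters; the demo uses scratch
# files, never the live /etc paths.

# random_secret LENGTH : LENGTH characters from [A-Za-z0-9] out of /dev/urandom
random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# write_ipsec_secrets FILE SERVER_IP PSK
# Emit the one line conn L2TP-PSK (authby=secret) needs and make the file
# root-only. Every client shares this single secret, so short PSKs are refused.
write_ipsec_secrets() {
    local file=$1 ip=$2 psk=$3
    if [ "${#psk}" -lt 32 ]; then
        echo "refusing PSK shorter than 32 characters" >&2; return 1
    fi
    case $psk in
        *\"*|*\\*) echo "PSK must not contain quotes or backslashes" >&2; return 1 ;;
    esac
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$ip" "$psk" > "$file" )
    chmod 600 "$file"
}

# add_chap_user FILE USER SERVER PASSWORD
# Append a chap-secrets entry: client  server  secret  IP-addresses.
# SERVER is the "name = ..." from xl2tpd.conf (LinuxVPNserver above) or *;
# "*" in the address column lets xl2tpd hand out one from its ip range.
# Rejects duplicates and names that would break the whitespace-separated format.
add_chap_user() {
    local file=$1 user=$2 server=$3 pass=$4
    case $user in
        ''|*[![:alnum:]._@-]*) echo "bad user name: '$user'" >&2; return 1 ;;
    esac
    [ -f "$file" ] || ( umask 077; : > "$file" )
    if awk -v u="$user" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$file"; then
        echo "user '$user' already present in $file" >&2; return 1
    fi
    printf '%s\t%s\t"%s"\t*\n' "$user" "$server" "$pass" >> "$file"
    chmod 600 "$file"
}

# list_chap_users FILE : print the user names currently in FILE
list_chap_users() {
    awk '!/^[[:space:]]*#/ && NF >= 3 { print $1 }' "$1"
}

# Demo with scratch files and a placeholder address; on the server:
#   write_ipsec_secrets /etc/ipsec.secrets <public IP> "$(random_secret 48)"
#   add_chap_user /etc/ppp/chap-secrets alice LinuxVPNserver "$(random_secret 24)"
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_ipsec_secrets "$d/ipsec.secrets" 203.0.113.10 "$(random_secret 48)"
    add_chap_user "$d/chap-secrets" alice LinuxVPNserver "$(random_secret 24)"
    cat "$d/ipsec.secrets" "$d/chap-secrets"
    rm -rf "$d"
fi
```

Hand each user their own password out of band; the PSK itself still has to reach every client, which is the inherent weakness of the PSK mode this write-up uses.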

  • Firewall rules used:

Here is the firewall ruleset I ended up with. This is where I got stuck for a long time, since I am not very familiar with iptables.

# Generated by iptables-save v1.4.7 on Mon Dec 22 21:49:43 2014
*nat
:PREROUTING ACCEPT [834:63397]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [5:365]
-A POSTROUTING -s 192.168.32.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Dec 22 21:49:43 2014
# Generated by iptables-save v1.4.7 on Mon Dec 22 21:49:43 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [300:44294]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.32.0/24 -j ACCEPT
-A FORWARD -s 192.168.32.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Dec 22 21:49:43 2014
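The following bash script is an added example, not part of the original write-up: it audits an `iptables-save` dump for what this setup needs, namely UDP 500 and 4500 reachable for IKE and NAT-T, UDP 1701 for L2TP, catch-all REJECT/DROP rules at the end of INPUT and FORWARD, and a MASQUERADE rule restricted to the VPN subnet and outgoing interface (the bare `iptables --table nat --append POSTROUTING --jump MASQUERADE` from the kernel step would NAT everything the box forwards). It also warns about one thing the ruleset above does: it accepts UDP 1701 from anywhere. L2TP only ever arrives inside IPsec in this design, so the rule can be limited to decrypted traffic with `-m policy --dir in --pol ipsec`, leaving xl2tpd unreachable in the clear. `sample_ruleset` reproduces the listing above as constructed input; on the server run `iptables-save > /tmp/rules.txt` and pass that file with your subnet and interface.

```shell
#!/usr/bin/env bash
# Added example, not part of the original write-up: audit an iptables-save
# dump for the rules an L2TP/IPsec gateway needs. Subnet and WAN interface
# are parameters (192.168.32.0/24 and eth0 in the write-up).

# rules_in DUMP TABLE CHAIN : print the '-A CHAIN ...' rules of TABLE
rules_in() {
    awk -v t="$2" -v c="$3" '
        /^\*/ { tbl = substr($0, 2); next }
        tbl == t && $1 == "-A" && $2 == c { print }' "$1"
}

# input_accepts_udp DUMP PORT : succeed if filter/INPUT accepts udp dport PORT
input_accepts_udp() {
    rules_in "$1" filter INPUT | grep -Eq -- "-p udp .*--dport $2 .*-j ACCEPT"
}

# audit_vpn_firewall DUMP VPN_SUBNET WAN_IF
# Return 0 when nothing is missing; print FAIL/WARN lines for each finding.
audit_vpn_firewall() {
    local dump=$1 subnet=$2 wan=$3 rc=0 p chain masq
    # IKE on udp/500 and NAT-T on udp/4500 must be reachable in the clear;
    # udp/1701 is the L2TP port xl2tpd listens on
    for p in 500 4500 1701; do
        input_accepts_udp "$dump" "$p" \
            || { echo "FAIL: INPUT does not accept udp/$p"; rc=1; }
    done
    # L2TP only arrives inside IPsec, so the 1701 rule can carry
    # '-m policy --dir in --pol ipsec'; without it xl2tpd also answers plain L2TP
    if rules_in "$dump" filter INPUT | grep -E -- '--dport 1701 ' | grep -vq -- '-m policy'; then
        echo "WARN: udp/1701 accepted without '-m policy --dir in --pol ipsec'; L2TP is reachable outside IPsec"
    fi
    # both chains should end in a catch-all REJECT or DROP
    for chain in INPUT FORWARD; do
        rules_in "$dump" filter "$chain" | tail -n 1 | grep -Eq -- "^-A $chain -j (REJECT|DROP)" \
            || { echo "FAIL: $chain lacks a final catch-all REJECT/DROP rule"; rc=1; }
    done
    # NAT only the VPN subnet, only out of the WAN interface
    masq=$(rules_in "$dump" nat POSTROUTING | grep -- '-j MASQUERADE' || true)
    if [ -z "$masq" ]; then
        echo "FAIL: no MASQUERADE rule in nat/POSTROUTING"; rc=1
    elif ! printf '%s\n' "$masq" | grep -Fq -- "-s $subnet" \
      || ! printf '%s\n' "$masq" | grep -Fq -- "-o $wan"; then
        echo "FAIL: MASQUERADE not restricted to -s $subnet -o $wan: $masq"; rc=1
    fi
    # forwarding for the VPN subnet
    rules_in "$dump" filter FORWARD | grep -Fq -- "-s $subnet" \
        || { echo "FAIL: FORWARD does not allow traffic from $subnet"; rc=1; }
    return $rc
}

# sample_ruleset : the listing from the write-up, as constructed sample input
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.32.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.32.0/24 -j ACCEPT
-A FORWARD -s 192.168.32.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo on the sample; on the server:
#   iptables-save > /tmp/rules.txt && audit_vpn_firewall /tmp/rules.txt 192.168.32.0/24 eth0
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); sample_ruleset > "$f"
    audit_vpn_firewall "$f" 192.168.32.0/24 eth0 && echo "firewall rules OK (see warnings above, if any)"
    rm -f "$f"
fi
```

To silence the warning on the real box, replace the 1701 rule with `iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT` and save the ruleset again.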

Finally

service xl2tpd restart
service iptables restart
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
# ipsec is only enabled at boot here; if ipsec.conf or ipsec.secrets were edited
# while it was already running, also run: service ipsec restart

Reference: http://linux.die.net/man/5/xl2tpd.conf