标签为 L2TP 的文章

在CentOS 6上部署L2TP over IPSec VPN Server

参考资料:
https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_on_CentOS_-_Red_Hat_Enterprise_Linux_or_Scientific_-_Linux_6.html
http://www.stormacq.com/build-a-private-vpn-server-on-amazons-ec2/
http://www.esojourn.org/blog/post/setup-l2tp-vpn-server-with-ipsec-in-centos6.php?page=2&part=1

背景介绍:
近期,墙屏蔽了所有的Google服务,也加强了对翻墙工具的屏蔽,例如使用goagent和修改hosts的方法都很难奏效。
因为我一直使用着PPTP VPN,本以为可以高枕无忧了,结果可恶的中国电信竟对PPTP VPN协议开始了干扰,导致连接非常不稳定,频繁的断开。
这也促使了我在VPS再搭建一个L2TP over IPSec VPN的想法,以下便是我的整个安装与配置过程。

安装与配置:
环境介绍:
OS:CentOS 6.4 x86_64 Minimal

1. 修改 /etc/sysctl.conf,新增如下配置:
# vim /etc/sysctl.conf

# For xl2tpd
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

# sysctl -p

2. 安装EPEL扩展库
# yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

3. 安装所需软件包
# yum install wget bind-utils lsof
# yum install openswan xl2tpd ppp
# yum downgrade openswan

4. 通过如下脚本完成配置文件的修改
# vim l2tpvpn.sh

#!/bin/sh

IPSEC_PSK=SharedSecret
#修改以上变量的值,作为共享密码

PRIVATE_IP=`wget -q -O - 'http://instance-data/latest/meta-data/local-ipv4'`
PUBLIC_IP=`wget -q -O - 'http://instance-data/latest/meta-data/public-ipv4'`
#修改以上变量的值,我通过命令来自动获取服务器的本地内网IP和公网IP,但仅适用于EC2

cat > /etc/ipsec.conf <<EOF
version 2.0

config setup
 dumpdir=/var/run/pluto/
 nat_traversal=yes
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
 oe=off
 protostack=netkey
 nhelpers=0
 interfaces=%defaultroute
 plutostderrlog=/var/log/pluto.log

conn vpnpsk
 auto=add
 left=$PRIVATE_IP
 leftid=$PUBLIC_IP
 leftsubnet=$PRIVATE_IP/32
 leftnexthop=%defaultroute
 leftprotoport=17/1701
 rightprotoport=17/%any
 right=%any
 rightsubnetwithin=0.0.0.0/0
 forceencaps=yes
 authby=secret
 pfs=no
 type=transport
 auth=esp
 ike=3des-sha1
 phase2alg=3des-sha1
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
EOF

cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP %any : PSK "$IPSEC_PSK"
EOF

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
 port = 1701
 
 ;debug avp = yes
 ;debug network = yes
 ;debug state = yes
 ;debug tunnel = yes

[lns default]
 ip range = 10.192.169.10-10.192.169.250
 local ip = 10.192.169.1
 ;修改以上虚拟地址范围
 require chap = yes
 refuse pap = yes
 require authentication = yes
 name = l2tpd
 ;ppp debug = yes
 pppoptfile = /etc/ppp/options.xl2tpd
 length bit = yes
EOF

cat > /etc/ppp/options.xl2tpd <<EOF
ipcp-accept-local
ipcp-accept-remote
ms-dns 172.31.0.2
;修改以上DNS服务器
noccp
auth
crtscts
idle 1800
mtu 1280
mru 1280
lock
connect-delay 5000
EOF

# chmod +x l2tpvpn.sh
# ./l2tpvpn.sh

5. 配置用户名与密码
# vim /etc/ppp/chap-secrets

# 修改以下用户名与密码
# Secrets for authentication using CHAP
# client	server	  secret	IP addresses
"username"    *      "password"      * 

6. 编辑/etc/sysconfig/iptables(默认eth0为公网IP地址所在网口)
# vim /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1701 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
-A INPUT -s 10.192.169.0/255.255.255.0 -m state --state NEW -m tcp -p tcp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.192.169.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT

注解:在以上iptables脚本中,
对TCP端口1194放行;
对UDP端口1701,500,4500放行;
对整个PPTP VPN的局域网地址段10.192.169.0/24放行;
将整个PPTP VPN的局域网地址段10.192.169.0/24通过NAT映射到eth0网口,实现共享上网;

7. 启动相关服务,并设置为自动启动
# service ipsec restart
# service xl2tpd restart
# service iptables restart

# chkconfig ipsec on
# chkconfig xl2tpd on
# chkconfig iptables on

8. 结束

, , , ,

1 Comment