Setting up an L2TP + IPsec VPN server on CentOS
Because OpenVPN is frequently blocked by the GFW, I had no choice but to go with L2TP. The configuration process follows.
The server is CentOS 5.8 x86_64.
```sh
# Install the EPEL repository
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm   # CentOS 5
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm   # CentOS 6

# Install the build dependencies
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof

# Download, unpack, build and install Openswan
wget http://download.openswan.org/openswan/openswan-2.6.38.tar.gz
tar zxvf openswan-2.6.38.tar.gz
cd openswan-2.6.38
make programs install

# Install xl2tpd
yum install xl2tpd -y
```
Edit /etc/ipsec.conf and append the following at the end:
```
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # Put your public IP here; if you have no fixed IP, get a dynamic DNS name from 花生壳 (Oray).
    left=xxx.com
    leftid=xxx.com
    leftprotoport=17/1701
    right=%any
    # Added here (not in the original post): the standard Openswan L2TP setting, so the
    # client's UDP/1701 proposal matches this conn instead of the default 0/0 protoport.
    rightprotoport=17/%any
```
Next, enable IP forwarding by editing /etc/sysctl.conf (comments go on their own lines; sysctl does not strip trailing comments reliably):
```
# change this value to 1
net.ipv4.ip_forward = 1
# change this value to 0
net.ipv4.conf.default.rp_filter = 0
```
After saving and exiting, check that the changes took effect:
```sh
sysctl -p
```
ICMP redirects also need to be disabled:
```sh
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
```
You can create a script that runs at boot:
```sh
vi /root/disable_send_accept_redirects.sh
```
Contents of the script:
```sh
#!/bin/bash
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
```
After saving and exiting, make the script executable and add it to the startup file:
```sh
chmod +x /root/disable_send_accept_redirects.sh
# Edit the startup file and add the script
vi /etc/rc.local
/root/disable_send_accept_redirects.sh
```
Once that is done, try starting ipsec:
```sh
service ipsec start
ipsec verify
```
If you get the error SAref kernel support [N/A], change this in /etc/xl2tpd/xl2tpd.conf:
```
; we will edit this file again further below
[global]
ipsec saref = no
```
If you get the error "Please enable /proc/sys/net/core/xfrm_larval_drop", set /proc/sys/net/core/xfrm_larval_drop:
```sh
echo 1 > /proc/sys/net/core/xfrm_larval_drop
```
Putting it all together, these can be added to another startup file:
```sh
vim /etc/bashrc
```
Add the following at the bottom:
```sh
# Note: /etc/bashrc is read by every interactive bash shell, so these writes run at
# login (and fail for non-root users) rather than at boot; /etc/rc.local or
# /etc/sysctl.conf is the usual place for them.
echo 1 > /proc/sys/net/core/xfrm_larval_drop
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
```
They will then be executed automatically after boot.
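The kernel settings above end up spread over /etc/sysctl.conf, a script in /root and /etc/bashrc, which makes it hard to tell whether a host actually has all of them after a reboot. The script below is an added example (my own code, not from the original post) that keeps the expected values in one list, renders them in sysctl.conf syntax so `sysctl -p` applies them at boot, applies them to the running kernel, and audits a saved `sysctl -a` dump against the list. The interface names eth0 and eth1 are assumptions copied from the post; adjust them to the host.

```shell
#!/bin/sh
# Added example, not from the original post: one idempotent script for the
# kernel settings the post spreads over /etc/sysctl.conf, a /root script and
# /etc/bashrc. The interface list (eth0, eth1) is an assumption; adjust it.

# Expected settings, one per line as "key value".
l2tp_sysctl_settings() {
    for iface in all default eth0 eth1 lo; do
        echo "net.ipv4.conf.$iface.send_redirects 0"
        echo "net.ipv4.conf.$iface.accept_redirects 0"
    done
    echo "net.ipv4.ip_forward 1"
    echo "net.ipv4.conf.default.rp_filter 0"
    echo "net.core.xfrm_larval_drop 1"
}

# Render the settings in /etc/sysctl.conf syntax ("key = value"), so they are
# applied by `sysctl -p` at boot instead of from a login shell.
render_sysctl_conf() {
    l2tp_sysctl_settings | while read -r key value; do
        echo "$key = $value"
    done
}

# Apply the settings to the running kernel (needs root).
apply_sysctl_settings() {
    l2tp_sysctl_settings | while read -r key value; do
        sysctl -w "$key=$value"
    done
}

# Audit: compare the expected settings with a file of "key = value" lines
# (e.g. `sysctl -a > /tmp/dump`). Prints one MISMATCH line per deviation and
# returns the number of deviations (0 = every setting is in place).
check_sysctl_dump() {
    dump=$1
    bad=0
    for entry in $(l2tp_sysctl_settings | tr ' ' '='); do
        key=${entry%%=*}
        want=${entry#*=}
        # escape the dots so they are literal in the sed pattern
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(sed -n "s/^$key_re *= *//p" "$dump" | tail -n 1)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: want $want, have ${have:-<unset>}"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage: ./l2tp-sysctl.sh render | apply | check <dump-file>
case $1 in
    render) render_sysctl_conf ;;
    apply)  apply_sysctl_settings ;;
    check)  check_sysctl_dump "$2" ;;
esac
```

Run `./l2tp-sysctl.sh render >> /etc/sysctl.conf` once, then `sysctl -a > /tmp/dump && ./l2tp-sysctl.sh check /tmp/dump` after a reboot; a non-zero exit tells you how many settings drifted, which is the check the post's `sysctl -p` step does not give you for the per-interface redirect values.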
Now edit /etc/xl2tpd/xl2tpd.conf:
```
[global]
; Put the internal (LAN) IP here; commenting the line out with ";" is also fine.
listen-addr = xxx.com
; Most guides say yes here, but if "ipsec verify" reported SAref kernel support [N/A], write no.
ipsec saref = no

[lns default]
; The address range handed out to clients
ip range = 192.168.7.128-192.168.7.254
local ip = 192.168.7.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```
As you can see, the configuration above needs a pppoptfile, so let's edit options.xl2tpd:
```sh
vim /etc/ppp/options.xl2tpd
```
```
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.4.4
ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
```
Then edit /etc/ppp/chap-secrets:
```sh
vi /etc/ppp/chap-secrets
```
```
# user       server   password   ip
username     *        userpass   *
# Change these to your username and password; "*" means "not restricted".
```
The most important part is configuring the firewall:
```sh
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.7.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.7.0/24 -j ACCEPT
# Save the firewall rules
service iptables save
# Show the firewall rules
iptables-save
# Restart the firewall
service iptables restart
```
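The client pool is hard-coded in three places (`ip range` and `local ip` in xl2tpd.conf, and 192.168.7.0/24 in the MASQUERADE and FORWARD rules); if the pool is later widened without touching the firewall, those clients get an address but no forwarding path. The script below is an added example (my own code, not from the original post) that parses the xl2tpd.conf values and checks that every address lies inside the subnet the iptables rules use. The sample configuration it writes is constructed from the values in the post, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: check that the xl2tpd client pool
# ("ip range" and "local ip") lies inside the subnet used by the iptables rules.

# Dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds (exit 0) when address $1 lies inside CIDR $2 (e.g. 192.168.7.0/24).
ip_in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Read "key = value" from an xl2tpd.conf-style file; ";" starts a comment.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$2" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Check that both ends of "ip range" and "local ip" from conf $1 fall inside
# subnet $2. Prints one line per address; returns 1 if any is outside, else 0.
check_pool_in_subnet() {
    conf=$1
    cidr=$2
    bad=0
    range=$(conf_value "ip range" "$conf")
    for addr in "${range%-*}" "${range#*-}" "$(conf_value "local ip" "$conf")"; do
        if ip_in_cidr "$addr" "$cidr"; then
            echo "ok       $addr in $cidr"
        else
            echo "OUTSIDE  $addr not in $cidr"
            bad=1
        fi
    done
    return $bad
}

# Write a constructed sample configuration (the values from the post) to file $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
ipsec saref = no

[lns default]
ip range = 192.168.7.128-192.168.7.254   ; pool handed to clients
local ip = 192.168.7.1
require chap = yes
EOF
}

# Usage: ./check-pool.sh /etc/xl2tpd/xl2tpd.conf 192.168.7.0/24
if [ $# -eq 2 ]; then
    check_pool_in_subnet "$1" "$2"
fi
```

Run it with the live configuration file and the subnet from your POSTROUTING rule; a non-zero exit means at least one pool address would be handed out without a matching MASQUERADE/FORWARD entry.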
The final step is to make the services start at boot:
```sh
service ipsec restart
service xl2tpd restart
service iptables restart
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
```
Configuring the Windows client is simple: select L2TP as the VPN type and choose "optional encryption" for the password/data encryption setting.
Copyright notice:
Author: 心飞翔
Link: https://www.faystar.com/techshare/linux/892.html
Source: 心飞翔
The article is copyright of the author; please do not reproduce it without permission.