Setting up xl2tpd on CentOS 7

Preparation: check the environment

1. First check whether your host supports PPTP; if the command prints yes, the check passed.

modprobe ppp-compress-18 && echo yes

2. Check whether TUN is enabled (some virtual-machine hosts need it turned on). If the output is "cat: /dev/net/tun: File descriptor in bad state", the check passed.

cat /dev/net/tun

Installation and configuration

1. Install the yum repository. The official CentOS repositories no longer carry xl2tpd, so a server installed from the official image needs an extra repository; servers installed from the Alibaba Cloud or Tencent Cloud public images do not.

yum install -y epel-release

2. Install xl2tpd

yum install -y xl2tpd libreswan lsof

3. Configure xl2tpd

vim /etc/xl2tpd/xl2tpd.conf

[global]

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

4. Configure the PPP options file. Note the options that are commented out: if they are left enabled, the service fails to start or clients cannot connect.

vim /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.8.8
name xl2tpd
#noccp
auth
#crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#lock
proxyarp
connect-delay 5000
refuse-pap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log

5. Configure the IPsec files

1) vim /etc/ipsec.conf

config setup
    protostack=netkey
    nat_traversal=yes
    interfaces="%defaultroute"
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24

include /etc/ipsec.d/*.conf

2) vim /etc/ipsec.d/l2tp-ipsec.conf

conn l2tp-psk
        authby=secret
        pfs=no
        auto=add
        rekey=no
        type=transport
        left=47.75.104.65
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no

6. Set the username and password

vim /etc/ppp/chap-secrets

# client        server  secret                  IP addresses
userName     *      "123456"        *

7. Set the pre-shared key

vim /etc/ipsec.d/default.secrets

: PSK "YourPSK"
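The two secrets files from steps 6 and 7, as an added example that is not part of the original post: a bash script that generates a random PSK, writes it in the ': PSK "..."' form used above, appends a chap-secrets entry in the step 6 format, and checks the chap-secrets file for typographic quotes (“ ”), a common mistake when the line is pasted from a web page, since pppd only strips straight double quotes. The function names and the check itself are this example's own; file paths are passed as arguments, and the demo writes to a temporary directory instead of /etc.

```bash
#!/usr/bin/env bash
# Added example for this post (not the original author's code): generate a
# strong IPsec pre-shared key, write it in the ': PSK "..."' form used above,
# and sanity-check a chap-secrets file before restarting the services.
# File paths are passed as arguments so the functions can be tried on copies.

# Produce a random 32-byte key, base64 encoded (44 characters), as the PSK.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write the libreswan secrets file in the same one-line format as the post.
# Root-only permissions: anyone who can read the PSK can bring up a tunnel.
write_ipsec_secrets() {
    local file="$1" psk="$2"
    printf ': PSK "%s"\n' "$psk" > "$file"
    chmod 600 "$file"
}

# Append one pppd CHAP entry: client  server  secret  IP addresses.
# The secret is wrapped in straight double quotes, which pppd strips.
write_chap_secret() {
    local file="$1" user="$2" pass="$3"
    printf '%s\t*\t"%s"\t*\n' "$user" "$pass" >> "$file"
    chmod 600 "$file"
}

# Check a chap-secrets file for two mistakes that make logins fail:
#  - typographic quotes: pppd does not strip them, so they become part of
#    the password the client must send;
#  - entries without exactly four fields (quoted secrets containing spaces
#    are not handled by this simple field count).
# Returns 0 when the file looks fine, 1 otherwise.
check_chap_secrets() {
    local file="$1" rc=0
    if grep -qF -e '“' -e '”' "$file"; then
        echo "ERROR: $file contains typographic quotes; use straight quotes" >&2
        rc=1
    fi
    if ! awk 'BEGIN { bad = 0 }
              !/^[[:space:]]*#/ && NF > 0 && NF != 4 { bad = 1 }
              END { exit bad }' "$file"; then
        echo "ERROR: $file has an entry without exactly 4 fields" >&2
        rc=1
    fi
    return "$rc"
}

# Stand-alone demonstration on temporary files (runs as any user).
demo_secrets() {
    local dir; dir=$(mktemp -d)
    write_ipsec_secrets "$dir/default.secrets" "$(gen_psk)"
    write_chap_secret "$dir/chap-secrets" "userName" "123456"
    check_chap_secrets "$dir/chap-secrets" && echo "chap-secrets OK"
    cat "$dir/default.secrets" "$dir/chap-secrets"
    rm -rf "$dir"
}

demo_secrets
```

To use it on the real files, call write_ipsec_secrets /etc/ipsec.d/default.secrets "$(gen_psk)" as root and hand the same PSK to the clients; run check_chap_secrets /etc/ppp/chap-secrets whenever a login fails with no obvious cause.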

8. Firewall settings

1) yum install iptables-services    # install the iptables service

2) vim /etc/sysconfig/iptables

*nat
:PREROUTING ACCEPT [2:104]
:INPUT ACCEPT [2:104]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [84:7150]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:10368]
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

3) service iptables restart

4) iptables -S    # list the iptables rules
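The point of the filter rules in step 8 is that UDP 500 and 4500 (IKE and NAT-T) are open to everyone, while UDP 1701 (L2TP) is accepted only when the packet arrived inside an IPsec SA (-m policy --dir in --pol ipsec). The following bash script is an added example, not part of the original post: it reads an iptables-save style file such as /etc/sysconfig/iptables and verifies that those properties hold. The function names are this example's own; the "good" sample is the post's filter table with the packet counters zeroed, and the "weak" sample is a constructed counter-example with a bare 1701 rule.

```bash
#!/usr/bin/env bash
# Added example for this post (not the original author's code): check an
# iptables-save style file for the rules the L2TP/IPsec server depends on:
#  - UDP 500 and 4500 accepted in INPUT (IKE / NAT-T);
#  - at least one INPUT rule accepts UDP 1701, and every such rule also
#    requires --pol ipsec, so plain L2TP never reaches the PPP login.

# Returns 0 when the file passes, 1 otherwise; problems go to stderr.
check_l2tp_rules() {
    local file="$1" rc=0 port
    for port in 500 4500; do
        if ! grep -Eq -- "^-A INPUT .*-p udp .*--dport $port .*-j ACCEPT" "$file"; then
            echo "ERROR: no INPUT rule accepting udp/$port (IKE/NAT-T)" >&2
            rc=1
        fi
    done
    # There must be an INPUT rule for udp/1701 at all ...
    if ! grep -Eq -- '^-A INPUT .*--dport 1701 .*-j ACCEPT' "$file"; then
        echo "ERROR: no INPUT rule accepting udp/1701 (L2TP)" >&2
        rc=1
    fi
    # ... and every INPUT rule that accepts udp/1701 must carry --pol ipsec.
    if grep -E -- '^-A INPUT .*--dport 1701 .*-j ACCEPT' "$file" \
         | grep -Eqv -- '--pol ipsec'; then
        echo "ERROR: udp/1701 is accepted outside IPsec" >&2
        rc=1
    fi
    # Advisory only: with a default policy of ACCEPT nothing is dropped, so
    # the IPsec-only 1701 rule does not block anything by itself.
    if grep -Eq -- '^:INPUT ACCEPT' "$file"; then
        echo "WARNING: INPUT chain policy is ACCEPT; the 1701 restriction only takes effect with a DROP policy or a final DROP rule" >&2
    fi
    return "$rc"
}

# The filter table from the post (nat table omitted, counters zeroed).
write_post_filter() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed counter-example: udp/1701 opened without the policy match.
write_weak_filter() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT
EOF
}

demo_rules() {
    local dir; dir=$(mktemp -d)
    write_post_filter "$dir/good"
    write_weak_filter "$dir/bad"
    check_l2tp_rules "$dir/good" && echo "post ruleset: OK"
    check_l2tp_rules "$dir/bad" || echo "weak ruleset: rejected"
    rm -rf "$dir"
}

demo_rules
```

Run check_l2tp_rules /etc/sysconfig/iptables after editing the file and before service iptables restart; the script also prints a warning for the post's ruleset because its INPUT policy is ACCEPT, which means the IPsec-only rule for 1701 describes the intended behaviour but does not enforce it until a DROP policy or a final DROP rule is added.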

9. Adjust kernel parameters

1) vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0

2) sysctl -p    # apply the settings

10. Restart and check the services

1) service ipsec restart    # restart the ipsec service

service ipsec status    # check the ipsec service status

systemctl enable ipsec    # once it works, enable the service at boot

2) ipsec verify    # check the IPsec setup

[root@iZj6c7krv4f28m7t3p2f2tZ ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                   [OK]
Libreswan 3.25 (netkey) on 3.10.0-957.5.1.el7.x86_64
Checking for IPsec support in kernel              [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              [OK]
         ICMP default/accept_redirects            [OK]
         XFRM larval drop                         [OK]
Pluto ipsec.conf syntax                           [OK]
Two or more interfaces found, checking IP forwarding[OK]
Checking rp_filter                                [OK]
Checking that pluto is running                    [OK]
 Pluto listening for IKE on udp 500               [OK]
 Pluto listening for IKE/NAT-T on udp 4500        [OK]
 Pluto ipsec.secret syntax                        [OBSOLETE]
  003 WARNING: using a weak secret (PSK)
Checking 'ip' command                             [OK]
Checking 'iptables' command                       [OK]
Checking 'prelink' command does not interfere with FIPS[OK]
Checking for obsolete ipsec.conf options          [OBSOLETE KEYWORD]
 Warning: ignored obsolete keyword 'nat_traversal'

3) service xl2tpd restart    # restart the xl2tpd service

service xl2tpd status    # check the xl2tpd service status

systemctl enable xl2tpd    # once it works, enable the service at boot
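Every check that ipsec verify passes ends in [OK]; in the output above the only findings are the obsolete nat_traversal keyword from ipsec.conf, the [OBSOLETE] secret-syntax note and the PSK warning. The bash script below is an added example, not part of the original post: it filters a saved ipsec verify transcript down to the lines that need attention and returns non-zero when there are any, so a deployment script can stop instead of scrolling past them. The function names are this example's own; the sample file is the post's own output with the shell prompt removed.

```bash
#!/usr/bin/env bash
# Added example for this post (not the original author's code): pick out the
# lines of `ipsec verify` output that are not [OK]. Status tags other than
# [OK] (e.g. [OBSOLETE], [OBSOLETE KEYWORD]) and the explanatory WARNING /
# Warning lines beneath them are printed; everything else is dropped.

# Print the findings from a saved `ipsec verify` transcript.
# Exit status: 0 when nothing needs attention, 1 otherwise.
verify_issues() {
    awk 'BEGIN { found = 0 }
         /\[OK\]/ { next }                                # passed check
         /\[[A-Z][A-Z ]*\]/ { print; found = 1; next }   # other status tag
         /WARNING|Warning/ { print; found = 1 }           # explanatory line
         END { exit found }' "$1"
}

# The output the post shows for `ipsec verify` on Libreswan 3.25.
write_post_verify_output() {
    cat > "$1" <<'EOF'
Verifying installed system and configuration files

Version check and ipsec on-path                   [OK]
Libreswan 3.25 (netkey) on 3.10.0-957.5.1.el7.x86_64
Checking for IPsec support in kernel              [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              [OK]
         ICMP default/accept_redirects            [OK]
         XFRM larval drop                         [OK]
Pluto ipsec.conf syntax                           [OK]
Two or more interfaces found, checking IP forwarding[OK]
Checking rp_filter                                [OK]
Checking that pluto is running                    [OK]
 Pluto listening for IKE on udp 500               [OK]
 Pluto listening for IKE/NAT-T on udp 4500        [OK]
 Pluto ipsec.secret syntax                        [OBSOLETE]
  003 WARNING: using a weak secret (PSK)
Checking 'ip' command                             [OK]
Checking 'iptables' command                       [OK]
Checking 'prelink' command does not interfere with FIPS[OK]
Checking for obsolete ipsec.conf options          [OBSOLETE KEYWORD]
 Warning: ignored obsolete keyword 'nat_traversal'
EOF
}

demo_verify() {
    local dir; dir=$(mktemp -d)
    write_post_verify_output "$dir/verify.txt"
    if verify_issues "$dir/verify.txt"; then
        echo "ipsec verify: clean"
    else
        echo "ipsec verify: the lines above need attention"
    fi
    rm -rf "$dir"
}

demo_verify
```

On the server itself, run ipsec verify > /tmp/verify.txt 2>&1 and then verify_issues /tmp/verify.txt; a non-zero exit means at least one check did not come back [OK].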

11. If the server runs on a platform such as Alibaba Cloud or Tencent Cloud, port 1701 must also be opened in the platform's configuration; the protocol is UDP.

12. Connect to the VPN. Note: on macOS you must create an options file under /etc/ppp, otherwise the connection fails:

sudo vim /etc/ppp/options

Put the following into the options file:

plugin L2TP.ppp
l2tpnoipsec

Original post: https://www.cnblogs.com/Christine-ting/p/11002700.html