I. Resolving dependencies
1. Enable TUN
cat /dev/net/tun
(1) If the command returns the following, the device is already present (the error is expected: tun is not a regular file, so cat cannot read from it):
cat: /dev/net/tun: File descriptor in bad state
(2) If the device is missing, cat reports "No such file or directory" instead, and the usual TUN-check scripts print:
The TUN device is not available You need to enable TUN before running this script
In that case create the device node:
cd /dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun
Strictly speaking, xl2tpd hands each session to pppd, which needs /dev/ppp rather than /dev/net/tun; the TUN check is the customary test of whether the VPS permits virtual network devices at all. If /dev is read-only (OpenVZ-style containers), the node cannot be created from inside and the provider has to enable it.
2. Install dependencies
yum install -y epel-release libreswan
3. Install the L2TP daemon
xl2tpd provides the L2TP side (it comes from EPEL, which is why epel-release was installed first). strongSwan is often named as "the other option" here, but it is an IKE/IPsec daemon, i.e. an alternative to Libreswan, not an L2TP implementation.
yum install -y xl2tpd
II. Configuration
1. Kernel parameters
vi /etc/sysctl.conf
The lines that matter for the VPN are net.ipv4.ip_forward = 1 (forward client traffic), rp_filter = 0 (tunnelled packets fail the reverse-path check otherwise) and the ICMP redirect settings (a forwarding host should neither send nor accept redirects). Note that the `default.` keys only apply to interfaces created after the setting takes effect, so make sure the `all.` variants of the redirect settings are present as well, to cover the existing uplink interface. The remaining lines are the Alibaba Cloud image defaults, kept for reference:
vm.swappiness = 0
kernel.sysrq = 1
net.ipv4.neigh.default.gc_stale_time = 120
# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_forward = 1
Save the file and apply it:
sysctl -p
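After `sysctl -p`, confirm that the running kernel really has the values the tunnel depends on rather than trusting the file. The following is an added example, not part of the original page: a POSIX sh function that reads the live values from /proc/sys (the tree root is a parameter, so it can also be pointed at a scratch directory) and reports every value that differs from what this setup needs. It checks the `all.` redirect settings as well as the `default.` ones; the rest of the sysctl file is general tuning that it deliberately ignores.

```shell
#!/bin/sh
# Added example (not from the original page): verify the kernel parameters
# the L2TP/IPsec setup depends on are in effect.
#   check_vpn_sysctl [procsys_root]
# procsys_root defaults to /proc/sys; sysctl dotted names map to paths
# under it (net.ipv4.ip_forward -> net/ipv4/ip_forward).
# Returns 0 if every value matches, 1 otherwise; mismatches go to stdout.
check_vpn_sysctl() {
    root="${1:-/proc/sys}"
    rc=0
    # The heredoc redirect keeps the loop in the current shell, so rc survives.
    while read -r key expect; do
        [ -n "$key" ] || continue
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING $key (no $path)"
            rc=1
            continue
        fi
        actual=$(cat "$path")
        if [ "$actual" != "$expect" ]; then
            echo "WRONG   $key = $actual (want $expect)"
            rc=1
        fi
    done <<'EOF'
net.ipv4.ip_forward 1
net.ipv4.conf.all.rp_filter 0
net.ipv4.conf.default.rp_filter 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
EOF
    return "$rc"
}

# Usage on the server:  sh check-sysctl.sh --check
if [ "${1:-}" = "--check" ]; then
    check_vpn_sysctl && echo "VPN sysctl values OK"
fi
```

Run it once after `sysctl -p` and again after a reboot: a value that is correct in /etc/sysctl.conf but overridden by a later file in /etc/sysctl.d shows up here as WRONG.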
2. Configure IPsec
(1) Configure the encrypted connection
IPsec encrypts and authenticates the L2TP traffic (UDP 1701); L2TP on its own provides no confidentiality. Libreswan's default /etc/ipsec.conf includes every /etc/ipsec.d/*.conf, so the connection can live in its own file:
vi /etc/ipsec.d/l2tp_ipsec.conf
Save the following content:
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=[this host's interface address: on a cloud instance behind NAT its private IP, or %defaultroute]
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
Note that `left` must be the address the IKE daemon actually listens on, not the PPP-side address configured later in xl2tpd (192.168.1.99 in the defaults); pluto ignores a conn whose `left` matches no interface. `right=%any` with `authby=secret` means any client that knows the PSK completes IKE, so the PSK is effectively a group password.
(2) Configure the PSK (pre-shared key)
vi /etc/ipsec.secrets
Add a line of the form
: PSK "123456789"
The PSK is shared by every client and is the only thing authenticating the IKE exchange, so do not use a short value like the one above: generate a long random one (for example `openssl rand -base64 32`) and keep the file readable by root only (chmod 600 /etc/ipsec.secrets). Libreswan's default ipsec.secrets also includes /etc/ipsec.d/*.secrets, so the key can go in its own file there.
Start and check:
ipsec setup start
ipsec verify
Every check should report OK. If `ipsec verify` complains about rp_filter, fix it through sysctl (section II.1) rather than ignoring the warning.
(3) Enable IPsec at boot
systemctl start ipsec
systemctl enable ipsec
3. Configure xl2tpd
(1) Back up the configuration file
cp /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.bak
(2) Open the configuration file
vi /etc/xl2tpd/xl2tpd.conf
What mainly needs changing is the address range of the virtual network; note that local ip is this host's own address on the PPP links and must lie outside ip range. The defaults are:
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
192.168.1.0/24 is also the most common home LAN subnet; a client on such a LAN gets routes that collide with its local network, so pick a range clients are unlikely to use locally.
Also check, in the same file, the path of the PPP options file:
pppoptfile = /etc/ppp/options.xl2tpd
4. Configure PPP
(1) Back up the configuration file
cp /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.bak
(2) Open the configuration file
vi /etc/ppp/options.xl2tpd
The main change is the DNS servers pushed to clients (ms-dns 8.8.8.8, ms-dns 8.8.4.4, ms-dns 4.2.2.4). The resulting file:
name xl2tpd
ipcp-accept-local
ipcp-accept-remote
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
ms-dns 8.8.8.8
ms-dns 4.2.2.4
ms-dns 8.8.4.4
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
#noccp
auth
#obsolete: crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#obsolete: lock
proxyarp
connect-delay 5000
refuse-pap
refuse-mschap
refuse-mschap-v2
persist
logfile /var/log/xl2tpd.log
With pap, mschap and mschap-v2 all refused, the only PPP authentication method left is CHAP (MD5). A Windows client whose connection has only MS-CHAP v2 enabled fails at this step; either enable CHAP in the client's security settings or replace `refuse-mschap-v2` with `require-mschap-v2` here. The PPP session already runs inside the IPsec tunnel, so the choice does not affect on-the-wire confidentiality.
(3) Set usernames and passwords
vi /etc/ppp/chap-secrets
The format is
# client server secret IP addresses
username * password *
One line per user. Because `name xl2tpd` is set in the options file, the server column may be `xl2tpd` instead of `*` to bind the entry to this service. The secrets are stored in clear text, so the file must stay readable by root only (mode 600).
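The two secret files above (the IPsec PSK in section II.2 and chap-secrets here) are where deployments of this tutorial most often go wrong: the literal "123456789", a hand-typed PPP password, and files left world-readable. The script below is an added example, not from the original page: it draws secrets from /dev/urandom, writes the PSK to its own file under /etc/ipsec.d (which the default ipsec.secrets includes; an assumption about the distro package), appends a user to chap-secrets with the server field set to xl2tpd to match `name xl2tpd`, refuses duplicate usernames, and forces mode 600. The paths are parameters so it can be tried against a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example (not from the original page): provision the IPsec PSK and a
# PPP user with random secrets and root-only file permissions.

# Random secret: N bytes (default 32) from the kernel CSPRNG, base64, one line.
gen_secret() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# write_psk <file> <psk>: ': PSK "..."' with no selector applies to any peer,
# which matches right=%any in the conn definition.
write_psk() {
    ( umask 077; printf ': PSK "%s"\n' "$2" > "$1" )
    chmod 600 "$1"
}

# add_ppp_user <chap-secrets> <user> <password>: append one tab-separated
# line "user  xl2tpd  "password"  *"; fails if the user already exists.
add_ppp_user() {
    file="$1"; user="$2"; pass="$3"
    if [ -f "$file" ] && awk -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$file"; then
        echo "user $user already present in $file" >&2
        return 1
    fi
    ( umask 077
      [ -f "$file" ] || printf '# client\tserver\tsecret\tIP addresses\n' > "$file"
      printf '%s\txl2tpd\t"%s"\t*\n' "$user" "$pass" >> "$file" )
    chmod 600 "$file"
}

# ppp_user_count <chap-secrets>: number of non-comment, non-blank entries.
ppp_user_count() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# Usage: sh provision.sh <config root> <username>
#   sh provision.sh /tmp/scratch alice   (dry run in a scratch directory)
#   sh provision.sh /etc alice           (real files)
if [ "$#" -eq 2 ]; then
    root="$1"; user="$2"
    mkdir -p "$root/ipsec.d" "$root/ppp"
    psk=$(gen_secret)
    pass=$(gen_secret 18)
    write_psk "$root/ipsec.d/l2tp.secrets" "$psk"
    add_ppp_user "$root/ppp/chap-secrets" "$user" "$pass"
    echo "IPsec PSK (give to every client): $psk"
    echo "PPP user $user password: $pass"
fi
```

After provisioning the real files, restart both daemons (`ipsec restart`, `systemctl restart xl2tpd`) so the new PSK is loaded; pppd reads chap-secrets on each connection, so user changes take effect immediately.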
5. Start xl2tpd
systemctl start xl2tpd
systemctl enable xl2tpd
systemctl status xl2tpd
6. Configure the firewall
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=500/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --reload
Two notes on this rule set. The GRE rule belongs to PPTP and is not needed for L2TP/IPsec; and the ipsec service already covers 500/udp, 4500/udp, ESP and AH, so the separate port and rich rules are redundant but harmless. The rule that does matter is 1701/udp: opened like this, xl2tpd accepts L2TP from anyone, including clients that never negotiated IPsec at all, so a leaked PPP password alone yields a working, unencrypted tunnel. Accept 1701 only for packets that arrived through IPsec instead, for example with a direct rule `-p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT`, and drop the plain `--add-port=1701/udp`.
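To check whether the unprotected-1701 problem exists on a running host, the function below, an added example that is not from the original page, reads `iptables -S` output (which is what firewalld's rules become in the kernel) and classifies every ACCEPT rule for udp/1701 as protected (carrying `-m policy --dir in --pol ipsec`) or not. The rule lines used in its usage note are constructed in the format iptables prints.

```shell
#!/bin/sh
# Added example (not from the original page): audit the filter table for an
# L2TP port that is reachable without IPsec.
#   iptables -S | audit_l2tp_rules
# Prints one line per udp/1701 ACCEPT rule, tagged PROTECTED or UNPROTECTED.
# Exit status: 0 = every accept is IPsec-restricted,
#              1 = at least one unprotected accept,
#              2 = no accept for udp/1701 at all (L2TP would not work).
audit_l2tp_rules() {
    awk '
        / -j ACCEPT/ && / -p udp/ && / --dport 1701( |$)/ {
            total++
            if ($0 ~ /-m policy/ && $0 ~ /--pol ipsec/) {
                ok++
                print "PROTECTED   " $0
            } else {
                print "UNPROTECTED " $0
            }
        }
        END {
            if (total == 0) { print "no ACCEPT rule for udp/1701"; exit 2 }
            exit (ok == total ? 0 : 1)
        }'
}

# Usage on the server:  sh audit-l2tp.sh --audit
if [ "${1:-}" = "--audit" ]; then
    iptables -S | audit_l2tp_rules
fi
```

With the rule set from this section, the rule firewalld generates for `--add-port=1701/udp` looks like `-A IN_public_allow -p udp -m udp --dport 1701 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT` and is reported UNPROTECTED; after replacing it with the policy-matched direct rule, `-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT` is reported PROTECTED and the function returns 0.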
7. Configure the cloud environment
In the instance's security group, open UDP 500 (IKE), UDP 4500 (NAT-T) and UDP 1701 (L2TP). All three are UDP, not TCP; a TCP rule for these port numbers does nothing for the VPN. When the instance's public address is NATed, as with a cloud elastic IP, clients use NAT-T and ESP travels inside UDP 4500, so 4500 is the port that must not be missed.