Configuring an L2TP VPN

VPN    2017-01-08

A Digital Ocean droplet works as the VPS; sign up on the DigitalOcean website.
This article is based on CentOS 7, so keep that in mind.

yum initialization

Before the actual configuration, upgrade the system environment first.

  # update yum
  yum -y update
  # install programs / libraries
  yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
  # install libevent (event-driven network library), needed by memcached
  yum -y install libevent libevent-devel
  # list installed packages
  yum info installed
  # remove an installed package
  yum remove "tsclient"

Install openswan and xl2tpd, configure ipsec

  yum install epel-release openswan -y
  # xl2tpd must be installed separately below, because the stock CentOS yum repos do not carry xl2tpd; it only becomes available after epel is installed
  yum install xl2tpd

Modify the ipsec.conf configuration file

  vim /etc/ipsec.conf

For the contents, you can replace the file directly with the following, substituting the public IP address of your VPS instance for your.vps.ip.addr in left=your.vps.ip.addr.

  # /etc/ipsec.conf - Libreswan IPsec configuration file
  # This file: /etc/ipsec.conf
  #
  # Enable when using this configuration file with openswan instead of libreswan
  #version 2
  #
  # Manual: ipsec.conf.5
  # basic configuration
  # (parameters must be indented; a non-indented line starts a new section)
  config setup
      # NAT-TRAVERSAL support, see README.NAT-Traversal
      nat_traversal=yes
      # exclude networks used on server side by adding %v4:!a.b.c.0/24
      virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
      # OE is now off by default. Uncomment and change to on, to enable.
      oe=off
      # which IPsec stack to use. auto will try netkey, then klips then mast
      protostack=netkey
      force_keepalive=yes
      keep_alive=1800

  conn L2TP-PSK-NAT
      rightsubnet=vhost:%priv
      also=L2TP-PSK-noNAT

  conn L2TP-PSK-noNAT
      authby=secret
      pfs=no
      auto=add
      keyingtries=3
      rekey=no
      ikelifetime=8h
      keylife=1h
      type=transport
      left=your.vps.ip.addr
      leftprotoport=17/1701
      right=%any
      rightprotoport=17/%any
      dpddelay=40
      dpdtimeout=130
      dpdaction=clear

  # For example connections, see your distribution's documentation directory,
  # or the documentation which could be located at
  # /usr/share/docs/libreswan-3.*/ or look at https://www.libreswan.org/
  #
  # There is also a lot of information in the manual page, "man ipsec.conf"
  # You may put your configuration (.conf) file in the "/etc/ipsec.d/" directory
  # by uncommenting this line
  #include /etc/ipsec.d/*.conf

Set the pre-shared key

Modify the ipsec.secrets configuration file

  vim /etc/ipsec.secrets
  # add one line
  # replace your.vps.ip.addr with the public IP address and your.pre_shared_key with a password of your own choosing
  your.vps.ip.addr %any: PSK "your.pre_shared_key"

Modify the sysctl.conf configuration file

  # add the following lines:
  net.ipv4.ip_forward = 1
  net.ipv4.conf.all.rp_filter = 0
  net.ipv4.conf.default.rp_filter = 0
  net.ipv4.conf.eth0.rp_filter = 0
  net.ipv4.conf.eth1.rp_filter = 0
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0

Now run:

  for each in /proc/sys/net/ipv4/conf/*; do cat "$each/accept_redirects"; cat "$each/send_redirects"; done
  # the output contains both 0s and 1s

Create a script that changes the values under /proc/sys/net/ipv4/conf/; name it modify.sh

  #!/bin/sh
  # modify.sh: set accept_redirects and send_redirects to 0 for every interface
  for each in /proc/sys/net/ipv4/conf/*
  do
      echo 0 > "$each/accept_redirects"
      echo 0 > "$each/send_redirects"
  done
  # save and run it
  sh modify.sh

Run it again:

  for each in /proc/sys/net/ipv4/conf/*; do cat "$each/accept_redirects"; cat "$each/send_redirects"; done
  # the output now contains only 0s

Restart ipsec

  systemctl restart ipsec

Check the ipsec configuration

  ipsec verify

Verification

If the system output looks like this, everything up to this point is correct.

  Verifying installed system and configuration files
  Version check and ipsec on-path [OK]
  Libreswan 3.15 (netkey) on 3.10.0-327.28.3.el7.x86_64
  Checking for IPsec support in kernel [OK]
   NETKEY: Testing XFRM related proc values
      ICMP default/send_redirects [OK]
      ICMP default/accept_redirects [OK]
      XFRM larval drop [OK]
  Pluto ipsec.conf syntax [OK]
  Hardware random device [N/A]
  Two or more interfaces found, checking IP forwarding [OK]
  Checking rp_filter [OK]
  Checking that pluto is running [OK]
  Pluto listening for IKE on udp 500 [OK]
  Pluto listening for IKE/NAT-T on udp 4500 [OK]
  Pluto ipsec.secret syntax [OK]
  Checking 'ip' command [OK]
  Checking 'iptables' command [OK]
  Checking 'prelink' command does not interfere with FIPS
  Checking for obsolete ipsec.conf options [OK]
  Opportunistic Encryption [DISABLED]

If instead you see output like the following

  Checking rp_filter [ENABLED]
  /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
  /proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]

then, using the path it reports, set that file's content to 0

  sh -c "echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter"

Restart ipsec and verify again

  systemctl restart ipsec
  ipsec verify
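As an added example (not part of the original post), the redirect and rp_filter checks from the steps above as two shell functions that audit and fix every interface directory in one pass. The directory is a parameter, and a constructed tree stands in for /proc/sys/net/ipv4/conf so the functions can be tried without root; against the real path, fixing requires root.

```shell
#!/bin/sh
# Added example, not from the original post: audit and fix the per-interface
# redirect and rp_filter values that "ipsec verify" checks. The directory is a
# parameter so the functions can be run against a constructed tree; it
# defaults to the real /proc/sys/net/ipv4/conf (fixing there needs root).

# Print "<iface>/<key>=<value>" for every value that is not 0; return 1 if any.
audit_ipsec_sysctl() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for dir in "$base"/*; do
        [ -d "$dir" ] || continue
        for key in accept_redirects send_redirects rp_filter; do
            f="$dir/$key"
            [ -f "$f" ] || continue
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                echo "$(basename "$dir")/$key=$val"
                bad=1
            fi
        done
    done
    return $bad
}

# Write 0 to the same three keys under every interface directory.
fix_ipsec_sysctl() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    for dir in "$base"/*; do
        [ -d "$dir" ] || continue
        for key in accept_redirects send_redirects rp_filter; do
            if [ -f "$dir/$key" ]; then
                echo 0 > "$dir/$key"
            fi
        done
    done
}

# Constructed stand-in for /proc/sys/net/ipv4/conf (not a capture): every
# value is 1, so each of the 4 interfaces fails all three checks.
make_fake_conf() {
    for iface in all default eth0 eth1; do
        mkdir -p "$1/$iface"
        echo 1 > "$1/$iface/accept_redirects"
        echo 1 > "$1/$iface/send_redirects"
        echo 1 > "$1/$iface/rp_filter"
    done
}
```

Running audit_ipsec_sysctl with no argument on the VPS reports exactly the entries ipsec verify would flag; the same values must also be in /etc/sysctl.conf, as above, or they revert on reboot.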

Configure the VPN login account and password

  # vim /etc/ppp/chap-secrets
  # account is the username to set up, your.password is the password to set up
  # Secrets for authentication using CHAP
  # client server secret IP addresses
  account l2tpd your.password *
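Added example, not from the original post, covering both the ipsec.secrets PSK line from the earlier section and the chap-secrets line here: the functions write each line with the quoting its format needs and keep the files readable by root only. File paths are parameters so it can be tried on temporary files; the server field l2tpd matches "name l2tpd" in options.xl2tpd later on this page, and the sample key and password are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: write the two secret files the
# post edits by hand with the quoting each format needs, and keep them
# readable by root only. File paths are parameters so the functions can be
# tried on temporary files; the key and password values are constructed.

# Append the ipsec.secrets line: <server ip> %any: PSK "<key>". With an
# empty key, generate 32 random bytes (base64) and print the key used.
write_ipsec_psk() {
    file="$1"; server_ip="$2"; psk="$3"
    if [ -z "$psk" ]; then
        psk=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    fi
    case "$psk" in
        *\"*) echo "PSK must not contain double quotes" >&2; return 1 ;;
    esac
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$server_ip" "$psk" >> "$file" )
    chmod 600 "$file"
    echo "$psk"
}

# Append a chap-secrets entry. pppd splits the line on whitespace, so both
# the user and the secret are written double-quoted; the server field is
# l2tpd, matching "name l2tpd" in options.xl2tpd.
add_chap_user() {
    file="$1"; user="$2"; password="$3"
    case "$user$password" in
        *\"*) echo "double quotes are not allowed in user or password" >&2; return 1 ;;
    esac
    ( umask 077; printf '"%s" l2tpd "%s" *\n' "$user" "$password" >> "$file" )
    chmod 600 "$file"
}

# Return 1 and name any listed file whose group/other permission bits are set.
check_secret_perms() {
    rc=0
    for f in "$@"; do
        bits=$(ls -l "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "$f is readable beyond root (ls shows $bits), expected mode 600"
            rc=1
        fi
    done
    return $rc
}
```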

Testing

At this point part of the work is done, so we can test whether everything has gone smoothly so far.

Set up a VPN connection on your PC to verify; both Mac and Windows have the corresponding settings, which you can look up yourself.

Save the configuration and connect. The connection will still fail at this stage, but on the server side we can check the connection log:

  vim /var/log/secure
  # in the opened log file, search for "IPsec SA established" or "IPSec connection established"
  # if you can find such text, everything is fine so far.
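Added example (not the post's own): a shell check over the secure log for the two markers mentioned above, listing which peer addresses reached an established IPsec SA. The sample log lines are constructed to resemble pluto's message format and are not real captures; the phase-1 "ISAKMP SA established" line is deliberately not matched, since it only shows that IKE completed, not that the IPsec SA for L2TP is up.

```shell
#!/bin/sh
# Added example, not from the original post: scan the log for the two
# "established" markers and list the peer addresses that reached an IPsec SA.
# The log path is a parameter; the sample lines are constructed to resemble
# pluto messages and are not real captures.

# Print each unique peer address with an established IPsec SA; return 1 if none.
# Only phase-2 lines match: "ISAKMP SA established" (phase 1) is not enough.
ipsec_established_peers() {
    peers=$(grep -E 'IPsec SA established|IPSec connection established' "$1" \
        | sed -E 's/.*\[[0-9]+\] ([0-9.]+) #[0-9]+: .*/\1/' | sort -u)
    [ -n "$peers" ] || return 1
    printf '%s\n' "$peers"
}

# Constructed sample of /var/log/secure: two peers complete both phases,
# a third only completes phase 1 (ISAKMP) and must not be listed.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  8 20:40:01 vps pluto[1203]: "L2TP-PSK-NAT"[1] 198.51.100.23 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha1 group=MODP2048}
Jan  8 20:40:02 vps pluto[1203]: "L2TP-PSK-NAT"[1] 198.51.100.23 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x1a2b3c4d <0x4d3c2b1a xfrm=AES_128-HMAC_SHA1 NATD=198.51.100.23:4500 DPD=active}
Jan  8 20:41:10 vps pluto[1203]: "L2TP-PSK-NAT"[2] 203.0.113.77 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha1 group=MODP2048}
Jan  8 20:41:15 vps pluto[1203]: "L2TP-PSK-NAT"[2] 203.0.113.77 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x5e6f7a8b <0x8b7a6f5e xfrm=AES_128-HMAC_SHA1 NATD=203.0.113.77:4500 DPD=active}
Jan  8 20:42:30 vps pluto[1203]: "L2TP-PSK-NAT"[3] 192.0.2.9 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha1 group=MODP2048}
EOF
}
```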

Install and configure xl2tpd

Installation

  yum install xl2tpd

Configure /etc/xl2tpd/xl2tpd.conf

  ;
  ; This is a minimal sample xl2tpd configuration file for use
  ; with L2TP over IPsec.
  ;
  ; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
  ; clients connect. In this example, the internal (protected) network
  ; is 192.168.1.0/24. A special IP range within this network is reserved
  ; for the remote clients: 192.168.1.128/25
  ; (i.e. 192.168.1.128 ... 192.168.1.254)
  ;
  ; The listen-addr parameter can be used if you want to bind the L2TP daemon
  ; to a specific IP address instead of to all interfaces. For instance,
  ; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
  ; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
  ; will be used by xl2tpd as its address on pppX interfaces.
  [global]
  ; listen-addr = 192.168.1.98
  ;
  ; requires openswan-2.5.18 or higher - Also does not yet work in combination
  ; with kernel mode l2tp as present in linux 2.6.23+
  ; ipsec saref = yes
  ; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
  ; when using any of the SAref kernel patches for kernels up to 2.6.35.
  ; saref refinfo = 30
  ;
  ; force userspace = yes
  ;
  ; debug tunnel = yes
  ipsec saref = yes
  [lns default]
  ip range = 192.168.1.128-192.168.1.254
  local ip = 192.168.1.99
  require chap = yes
  refuse pap = yes
  require authentication = yes
  name = LinuxVPNserver
  ppp debug = yes
  pppoptfile = /etc/ppp/options.xl2tpd
  length bit = yes

Configure /etc/ppp/options.xl2tpd

  ipcp-accept-local
  ipcp-accept-remote
  require-mschap-v2
  ms-dns 8.8.8.8
  ms-dns 8.8.4.4
  # ms-dns 192.168.1.1
  # ms-dns 192.168.1.3
  # ms-wins 192.168.1.2
  # ms-wins 192.168.1.4
  asyncmap 0
  noccp
  auth
  crtscts
  idle 1800
  mtu 1410
  mru 1410
  nodefaultroute
  hide-password
  debug
  lock
  name l2tpd
  proxyarp
  lcp-echo-interval 30
  lcp-echo-failure 4
  connect-delay 5000
  # To allow authentication against a Windows domain EXAMPLE, and require the
  # user to be in a group "VPN Users". Requires the samba-winbind package
  # require-mschap-v2
  # plugin winbind.so
  # ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\VPN Users"'
  # You need to join the domain on the server, for example using samba:
  # http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html

Set up the firewall

Edit the file /usr/lib/firewalld/services/l2tpd.xml

  <?xml version="1.0" encoding="utf-8"?>
  <service>
    <short>l2tpd</short>
    <description>L2TP IPSec</description>
    <port protocol="udp" port="500"/>
    <port protocol="udp" port="4500"/>
    <port protocol="udp" port="1701"/>
  </service>

Configure and reload the firewall

  # if firewalld is not running, first run: systemctl start firewalld
  firewall-cmd --permanent --add-service=l2tpd
  firewall-cmd --permanent --add-service=ipsec
  firewall-cmd --permanent --add-masquerade
  firewall-cmd --reload

Testing

Now start xl2tpd in debug mode

  xl2tpd -D

You can now see its output on the console. When the client connects to the VPN again, it connects and can reach the network; searching "ip" on Baidu will show your IP address as that of your VPS instance.

Enable start at boot

  systemctl enable ipsec xl2tpd
  systemctl restart ipsec xl2tpd

DNS settings

Domestic websites do not need to go through the VPN; just use chnroutes for this.

Settings on Mac:

1. In a terminal, run python chnroutes.py -p mac; this generates the two files ip-up and ip-down.
2. Move these two files into /etc/ppp/.
3. Reconnect the VPN and test.

Traffic statistics

To keep traffic usage statistics on CentOS, vnstat is recommended.

  yum install vnstat
  # start the service
  vnstatd -d
  # create the database for the interface to be monitored
  vnstat --create -i eth0
  # usage
  vnstat          # print this month's and today's statistics
  vnstat -l       # show live network status
  vnstat --help   # list all parameters vnstat supports
  # the database write frequency and the traffic units used for display can be changed in the config file
  vi /etc/vnstat.conf


This article was last updated on 2017-01-08 20:52:58