在CentOS 7中搭建PPTP、L2TP、IPSec服务

在百度搜索了很多关于CentOS7搭建VPN的教程,但是有很多走不完全套的,因此浪费了很多时间,在这里我把查到能走通的教程整理了一遍,分享给大家。

更新组件

整个安装过程不用经过编译,组件都是在yum中下载,首先我们更新一下所有组件:

yum update -y

这里有个地方需要注意的是:有些主机的硬件并不支持最新内核,因此在不确定的情况下就不要升级内核了,用以下的命令:

yum –exclude=kernel* update -y

更新需要较长时间,请耐心等待。

非常重要的小插曲

撰写这篇文章并且共享出来,主要是为了能和大家互相学习和交流,但是正在看这篇文章的不乏一些现在就有自己的服务器或VPS,急着马上搭建好一台自己的VPN服务器的同学,如果你是这类同学,请不用心急,因为我制作好了自动运行脚本,脚本的内容和文章内容是一样的,把脚本下载到服务器,运行并配置自己的账号密码、ip和客户端ip即可。

脚本下载地址:https://github.com/BoizZ/PPTP-L2TP-IPSec-VPN-auto-installation-script-for-CentOS-7

运行脚本:sh vpn-script-for-centos7.sh

好,那么希望继续学习的同学请往下看。

安装epel源

为什么要安装epel源呢?是因为必要组件xl2tpd在基础的yum源里面是没有的。

yum install epel-release -y

安装依赖组件

安装完epel源以后就可以直接安装依赖组件了。

yum install -y openswan ppp pptpd xl2tpd wget

修改配置文件

需要等待所有依赖组件安装完成才能执行以下步骤(小标题括号内是文件路径)。

ipsec.conf配置文件(/etc/ipsec.conf)

# /etc/ipsec.conf - Libreswan IPsec configuration file# This file:  /etc/ipsec.conf# # Enable when using this configuration file with openswan instead of libreswan# version 2# # Manual:     ipsec.conf.5# basic configurationconfig setup    # NAT-TRAVERSAL support, see README.NAT-Traversal    nat_traversal=yes    # exclude networks used on server side by adding %v4:!a.b.c.0/24    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12    # OE is now off by default. Uncomment and change to on, to enable.    oe=off    # which IPsec stack to use. auto will try netkey, then klips then mast    protostack=netkey    force_keepalive=yes    keep_alive=1800conn L2TP-PSK-NAT    rightsubnet=vhost:%priv    also=L2TP-PSK-noNATconn L2TP-PSK-noNAT    authby=secret    pfs=no    auto=add    keyingtries=3    rekey=no    ikelifetime=8h    keylife=1h    type=transport    left=$serverip    leftid=$serverip    leftprotoport=17/1701    right=%any    rightprotoport=17/%any    dpddelay=40    dpdtimeout=130    dpdaction=clear# For example connections, see your distribution's documentation directory,# or the documentation which could be located at# /usr/share/docs/libreswan-3.*/ or look at https://www.libreswan.org/# # There is also a lot of information in the manual page, "man ipsec.conf"# You may put your configuration (.conf) file in the "/etc/ipsec.d/" directory# by uncommenting this line# include /etc/ipsec.d/*.conf

设置预共享密钥配置文件(/etc/ipsec.secrets)

# include /etc/ipsec.d/*.secrets$serverip username PSK password

注解:第二行中username为登录名,password为登录密码

pptpd.conf配置文件(/etc/pptpd.conf)

# ppp /usr/sbin/pppdoption /etc/ppp/options.pptpd# debug# stimeout 10# noipparamlogwtmp# vrf test# bcrelay eth1# delegate# connections 100localip 10.0.1.2remoteip 10.0.1.200-254

xl2tpd.conf配置文件(/etc/xl2tpd/xl2tpd.conf)

;; This is a minimal sample xl2tpd configuration file for use; with L2TP over IPsec.;; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec; clients connect. In this example, the internal (protected) network; is 192.168.1.0/24.  A special IP range within this network is reserved; for the remote clients: 192.168.1.128/25; (i.e. 192.168.1.128 ... 192.168.1.254);; The listen-addr parameter can be used if you want to bind the L2TP daemon; to a specific IP address instead of to all interfaces. For instance,; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99); will be used by xl2tpd as its address on pppX interfaces.[global]; ipsec saref = yeslisten-addr = 104.171.165.91auth file = /etc/ppp/chap-secretsport = 1701[lns default]ip range = 10.0.1.100-10.0.1.254local ip = 10.0.1.1refuse chap = yesrefuse pap = yesrequire authentication = yesname = L2TPVPNppp debug = yespppoptfile = /etc/ppp/options.xl2tpdlength bit = yes

options.pptpd配置文件(/etc/ppp/options.pptpd)

# Authenticationname pptpd# chapms-strip-domain# Encryption# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o# {{{refuse-paprefuse-chaprefuse-mschap# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft# Challenge Handshake Authentication Protocol, Version 2] authentication.require-mschap-v2# Require MPPE 128-bit encryption# (note that MPPE requires the use of MSCHAP-V2 during authentication)require-mppe-128# }}}# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o# {{{# -chap# -chapms# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft# Challenge Handshake Authentication Protocol, Version 2] authentication.# +chapms-v2# Require MPPE encryption# (note that MPPE requires the use of MSCHAP-V2 during authentication)# mppe-40    # enable either 40-bit or 128-bit, not both# mppe-128# mppe-stateless# }}}ms-dns 8.8.4.4ms-dns 8.8.8.8# ms-wins 10.0.0.3# ms-wins 10.0.0.4proxyarp# 10.8.0.100# Logging# debug# dumplocknobsdcomp novjnovjccompnologfd

options.xl2tpd配置文件(/etc/ppp/options.xl2tpd)

rm -f /etc/ppp/options.xl2tpdcat >>/etc/ppp/options.xl2tpd/etc/ppp/chap-secrets)

Secrets for authentication using CHAP

client server secret IP addresses

username pptpd password
username l2tpd password

注解:第三第四行中username为登录名,password为登录密码### 系统配置#### 允许IP转发

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0
sysctl -w net.ipv4.conf.$eth.rp_filter=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0

注解:以上均是命令,复制上去运行即可也可以修改配置文件(/etc/sysctl.conf):

net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.$eth.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

#### 允许防火墙端口创建文件/usr/lib/firewalld/services/pptpd.xml并修改:

pptpd
PPTP

创建文件/usr/lib/firewalld/services/l2tpd.xml并修改:

l2tpd
L2TP IPSec

#### 初始化并重启防火墙:

firewall-cmd --reload
firewall-cmd --permanent --add-service=pptpd
firewall-cmd --permanent --add-service=l2tpd
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -i ppp+ -j TCPMSS --syn --set-mss 1356
firewall-cmd --reload

这里是由于CentOS7自带firewall,并且不预装iptables,因此自己也不多此一举去安装了,因为效果都是一样的。### 启动并设置开机自启动服务

systemctl enable pptpd ipsec xl2tpd
systemctl restart pptpd ipsec xl2tpd

### 大功告成最后一步,并且是最重要的一步,当然是连接一下自己刚建好的VPN服务器啦!现在估计你和我有同样的喜悦,当然如果中间出现什么问题的话,交流区在下方,很乐意大家踊跃参与!#pptp、l2tp、vpn、ipsec#

版权声明

本文来自互联网用户投稿,文章观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处。如若内容有涉嫌抄袭侵权/违法违规/事实不符,请点击 举报 进行投诉反馈!

相关文章

立即
投稿

微信公众账号

微信扫一扫加关注

返回
顶部