Check whether TUN/PPP are supported
Run the following command:
cat /dev/net/tun
The output should be:
cat: /dev/net/tun: File descriptor in bad state
Then run:
cat /dev/ppp
The output should be:
cat: /dev/ppp: No such device or address
If the output differs, ask your hosting provider to enable TUN and PPP.
Software
1. openswan: provides the IPsec encryption
2. lsof: used for data access
3. ppp: provides username/password authentication
4. xl2tp: provides the L2TP VPN service
Install the required software
openswan
If openswan has been installed before, it is best to remove it first:
yum remove openswan
Dependencies
Then install the required dependency packages:
yum install -y iptables make ppp gcc gmp-devel xmlto bison flex libpcap-devel lsof
Next, install openswan with yum:
yum install openswan
Edit ipsec.conf
Then edit /etc/ipsec.conf. This file is very strict about its format: a wrong indentation is enough to make it fail, so the configuration below is for reference only. If pasting it directly causes problems, edit the original configuration file and change it to match.
# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file: /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual: ipsec.conf.5
# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    # an unusual location.
    #logfile=/var/log/pluto.log
    #
    # The interfaces= line is only required for the klips/mast stack
    #interfaces="%defaultroute"
    #interfaces="ipsec0=eth0 ipsec1=ppp0"
    #
    # If you want to limit listening on a single IP - not required for
    # normal operation
    #listen=127.0.0.1
    #
    # Do not set debug options to debug configuration issues!
    #
    # plutodebug / klipsdebug = "all", "none" or a combation from below:
    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
    # private".
    # Note: "crypt" is not included with "all", as it can show confidential
    # information. It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #plutodebug=none
    #klipsdebug=none
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    # unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least upto 2015)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    nat_traversal=yes
# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
#include /etc/ipsec.d/*.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=107.19.15.162 ### the server's public IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
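The layout rule behind the warning above is simple but unforgiving: section headers (`config setup`, `conn NAME`) start in column 1, and every parameter that belongs to a section must be indented, because pluto treats any other text in column 1 as a new section header. The following lint script is an added example, not part of the tutorial or of libreswan; `lint_ipsec_conf` is a hypothetical helper that reads a file, reports layout mistakes and trailing-comment handling, and also checks the two things an L2TP transport-mode conn cannot do without: `protostack=` in `config setup`, and `type=transport` on any conn that carries `leftprotoport=17/1701`.

```shell
#!/bin/sh
# Added example (not from the tutorial): lint an ipsec.conf for the layout
# rules pluto enforces and for the L2TP-specific keys the tutorial relies on.
# Usage: lint_ipsec_conf /etc/ipsec.conf   -> prints problems, exit 1 if any.

lint_ipsec_conf() {
    awk '
        function report(msg) { printf("line %d: %s\n", NR, msg); bad++ }
        { sub(/[ \t]*#.*$/, "") }                   # drop full-line and trailing "#" comments
        /^[ \t]*$/ { next }                         # blank after stripping
        /^(config|conn)[ \t]+[^ \t]+[ \t]*$/ {      # section header, column 1
            section = $1 " " $2; next
        }
        /^(include|version)[ \t]/ { next }          # top-level directives may sit in column 1
        /^[ \t]+[A-Za-z_][A-Za-z0-9_-]*=/ {         # indented key=value line
            if (section == "") { report("parameter before any section header"); next }
            line = $0; sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            key = substr(line, 1, eq - 1); value = substr(line, eq + 1)
            sub(/[ \t]+$/, "", value)
            val[section, key] = value
            if (key == "left" && value != "%defaultroute" &&
                value !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                report("left= should be the server public IPv4 address or %defaultroute")
            next
        }
        /^[^ \t]/ { report("not a section header, yet in column 1 (parameters must be indented): " $0); next }
        { report("unrecognised line: " $0) }
        END {
            if (!(("config setup", "protostack") in val)) {
                print "config setup: protostack= is missing"; bad++
            }
            for (k in val) {
                split(k, p, SUBSEP)
                if (p[2] == "leftprotoport" && val[k] == "17/1701" &&
                    (!((p[1], "type") in val) || val[p[1], "type"] != "transport")) {
                    print p[1] ": carries L2TP (17/1701) but lacks type=transport"; bad++
                }
            }
            exit (bad > 0 ? 1 : 0)
        }
    ' "$1"
}
```

Run it before `service ipsec start`; a clean file produces no output and exit status 0, which makes it usable as a guard in a deployment script.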
Set the pre-shared key (PSK)
vim /etc/ipsec.secrets
You have to create this file yourself; its content looks like this:
SERVER-IP: the server's IP address
SharedKey: the PSK you choose
SERVER-IP %any: PSK "SharedKey"
Live configuration:
#include /etc/ipsec.d/*.secrets
107.19.15.162 %any: PSK "vpn"
Once this is set, ipsec is done.
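The PSK is the one secret every client shares, so it should be long and random rather than a word like the `vpn` used in the live configuration above, and the file that holds it should be readable by root only. The snippet below is an added example, not the tutorial's own commands: `gen_psk`, `secrets_line` and `write_secrets` are hypothetical helpers that generate a 32-byte random key, format the entry exactly as shown above (`SERVER-IP %any: PSK "..."`), and write it with mode 0600.

```shell
#!/bin/sh
# Added example (not from the tutorial): create a strong PSK and write the
# ipsec.secrets entry in the form "SERVER-IP %any: PSK \"key\"" with 0600 perms.

# Print 32 random bytes as base64 without newline or "=" padding (43 characters).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# Print the secrets line for server IP $1 and key $2.
# A key containing a double quote would break the file syntax, so refuse it.
secrets_line() {
    case "$2" in *\"*) return 1 ;; esac
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# Write the secrets file $1 for server IP $2 with key $3, readable by root only.
# umask runs in a subshell so the caller's umask is left untouched.
write_secrets() {
    ( umask 077; secrets_line "$2" "$3" > "$1" ) || return 1
    chmod 600 "$1"
}

# Typical use on the server (uncomment to run):
# write_secrets /etc/ipsec.secrets 107.19.15.162 "$(gen_psk)"
```

The generated key has to be typed into every client, so base64 is a practical alphabet: no spaces, no quotes, and still about 256 bits of entropy in 43 characters.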
Modify/add /etc/sysctl.conf
vim /etc/sysctl.conf
Make sure all of the fields below are present with the values shown. The quick way is to paste the following block at the end of /etc/sysctl.conf.
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
Apply the modified sysctl.conf:
sysctl -p
It may report some errors about ipv6; ignore them and continue with the next step.
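`sysctl -p` only reports parse errors; it does not tell you whether the running kernel now has the values you wanted, and a later `sysctl -p` from another file or a distribution script can silently overwrite them. The check below is an added example, not from the tutorial: `check_sysctl` is a hypothetical helper that compares the required list against `key = value` lines on stdin (so it can be fed `sysctl -a` output, or a constructed listing when testing) and prints every key that is missing or has a different value. It goes one step beyond the tutorial's list by also requiring `net.ipv4.conf.all.rp_filter = 0`: the tutorial only sets `conf.default.rp_filter`, which applies to interfaces created afterwards, and the kernel uses the larger of the `all` and per-interface values, which is why the `ipsec verify` output later on this page still shows rp_filter ENABLED on lo and em1.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify the kernel parameters the
# L2TP/IPsec server needs against live "sysctl -a" output.
# Usage: sysctl -a 2>/dev/null | check_sysctl   -> prints drift, exit 1 if any.

# The tutorial's list plus net.ipv4.conf.all.rp_filter (added here, see text).
REQUIRED='
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
'

# Reads "key = value" lines from stdin (or from the files given as arguments).
check_sysctl() {
    awk -v req="$REQUIRED" '
        BEGIN {
            n = split(req, lines, "\n")
            for (i = 1; i <= n; i++) {
                m = split(lines[i], f, /[ \t]*=[ \t]*/)      # "key = value"
                if (m == 2 && f[1] != "") { want[f[1]] = f[2]; order[++cnt] = f[1] }
            }
        }
        $2 == "=" && NF >= 3 { have[$1] = $3 }               # live values
        END {
            for (i = 1; i <= cnt; i++) {                       # report in list order
                k = order[i]
                if (!(k in have)) { printf("%s: want %s, not set\n", k, want[k]); bad++ }
                else if (have[k] != want[k]) { printf("%s: want %s, have %s\n", k, want[k], have[k]); bad++ }
            }
            exit (bad > 0 ? 1 : 0)
        }
    ' "$@"
}
```

Per-interface values such as `net.ipv4.conf.em1.rp_filter` are not in the list because the interface name varies between hosts; add the ones `ipsec verify` names on your server.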
Verify that ipsec is running
service ipsec start
# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-573.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/em1/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
ipsec verify: encountered 5 errors - see 'man ipsec_verify' for help
Install dependencies (xl2tpd)
Check whether epel-release is installed and which version:
rpm -q epel-release
The correct output is version 6-8:
epel-release-6-8.noarch
If nothing is returned, install the EPEL repository package for the matching version:
rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
After that, install xl2tpd:
yum install xl2tpd -y
cd /etc/
mkdir xl2tpd/
cd xl2tpd/
touch xl2tpd.conf
chmod 666 xl2tpd.conf
Edit xl2tpd.conf to look like the following, setting the addresses you want to hand out to clients and the virtual server IP:
vim /etc/xl2tpd/xl2tpd.conf
[lns default]
; address range handed out to VPN clients
ip range = 192.168.1.128-192.168.1.254
; the VPN server's address inside the tunnel
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
[global]
ipsec saref = no
Modify the xl2tp PPP options
vim /etc/ppp/options.xl2tpd
Edit it to look like this:
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1400
noccp
connect-delay 5000
The noccp above works around the iOS connection problem.
Add accounts and passwords
vim /etc/ppp/chap-secrets
The format is:
username l2tp password *
Use letters and digits for the username and password; the * can be replaced with a specific IP address from the range above.
Live configuration:
# Secrets for authentication using CHAP
# client server secret IP addresses
admin * admin *
test1 * test1 *
This means the VPN account is admin with password admin, and it can log in from any client with Internet access; test1 with password test1 is created the same way. Restart xl2tpd after each addition.
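chap-secrets holds the passwords in clear text and pppd reads it on every connection, so it is worth checking two things before restarting xl2tpd: the file's permissions, and the quality of the entries themselves (the `admin * admin *` line above is a username used as its own password). The script below is an added example, not from the tutorial; `lint_chap_secrets` and `MIN_LEN` are hypothetical names. It reports a file readable by group or others, lines with fewer than the three mandatory fields (`client server secret`, optionally followed by allowed IP addresses), duplicate user names, secrets equal to the user name, and secrets shorter than `MIN_LEN`.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check /etc/ppp/chap-secrets.
# Usage: lint_chap_secrets /etc/ppp/chap-secrets  -> prints findings, exit 1 if any.
MIN_LEN=12

lint_chap_secrets() {
    file=$1; rc=0
    # pppd reads the secrets in clear text, so nobody but root should read the file
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case "$mode" in
        *00) ;;
        *) echo "$file: mode $mode is readable by group/others, use chmod 600"; rc=1 ;;
    esac
    awk -v min="$MIN_LEN" '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        NF < 3 {
            printf("line %d: expected \"client server secret [ip...]\", got %d fields\n", NR, NF)
            bad++; next
        }
        {
            user = $1; secret = $3
            if (user in seen) { printf("line %d: duplicate entry for %s\n", NR, user); bad++ }
            seen[user] = 1
            if (secret == user) { printf("line %d: secret for %s equals the user name\n", NR, user); bad++ }
            if (length(secret) < min) {
                printf("line %d: secret for %s is shorter than %d characters\n", NR, user, min); bad++
            }
        }
        END { exit (bad > 0 ? 1 : 0) }
    ' "$file" || rc=1
    return $rc
}
```

pppd also accepts quoted fields in chap-secrets; the lint handles the unquoted form the tutorial uses, which is enough as long as the secrets contain no spaces.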
Start the xl2tpd service
service xl2tpd start
Open the ports and enable forwarding
iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o em1 -j MASQUERADE
iptables -I INPUT -p udp -m multiport --dport 1701,4500,500 -j ACCEPT
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
vim /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Sep 1 17:02:17 2016
*nat
:PREROUTING ACCEPT [10:418]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o em1 -j MASQUERADE
COMMIT
# Completed on Thu Sep 1 17:02:17 2016
# Generated by iptables-save v1.4.7 on Thu Sep 1 17:02:17 2016
*filter
:INPUT ACCEPT [23:1576]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [22:2834]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 23432 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m multiport --dports 1701,4500,500 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Sep 1 17:02:17 2016
Save the rules
service iptables save
The IPsec/xl2tpd VPN is now fully configured.
Now you can test it:
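The rules above hard-code the client subnet `192.168.1.0/24` and the outbound interface `em1`. The interface name is host-specific (eth0, ens3, ...), and a MASQUERADE rule bound to the wrong one leaves clients connected to the VPN but without Internet access, which is the most common reason this setup "works but does not work". The snippet below is an added example, not part of the tutorial: `default_iface` is a hypothetical helper that extracts the interface from `ip -4 route show default` output on stdin, and `vpn_rules` renders the tutorial's rule set for a given subnet and interface, refusing an empty interface or a subnet without a prefix length.

```shell
#!/bin/sh
# Added example (not from the tutorial): derive the outbound interface and
# render the NAT/forward rules from parameters instead of hard-coding them.
# Usage: vpn_rules 192.168.1.0/24 "$(ip -4 route show default | default_iface)" | sh

# Print the interface of the first default route read from stdin
# (e.g. "default via 203.0.113.1 dev em1 proto static" -> em1).
default_iface() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the iptables commands for client subnet $1 (CIDR) and outbound interface $2.
vpn_rules() {
    subnet=$1 iface=$2
    case "$subnet" in */*) ;; *) echo "vpn_rules: subnet must be in CIDR form" >&2; return 1 ;; esac
    [ -n "$iface" ] || { echo "vpn_rules: outbound interface is empty" >&2; return 1; }
    cat <<EOF
iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -A POSTROUTING -s $subnet -o $iface -j MASQUERADE
iptables -I INPUT -p udp -m multiport --dports 1701,4500,500 -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s $subnet -j ACCEPT
iptables -I FORWARD -d $subnet -j ACCEPT
EOF
}
```

Review the rendered commands before piping them to `sh`: the two `-I FORWARD` rules accept all traffic to and from the client subnet, so on a server that also has a private LAN you may want to restrict `-d` to the networks the VPN users are meant to reach.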
service xl2tpd restart
service iptables restart
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
Now create a VPN account and log in. That's it: the VPN is set up and ready to use!