为了方便不在公司网络上网的个人用户能访问公司内网资源,需要搭建各种VPN服务器供使用,可通过在网络设备上配置pptp/l2tp/ipsec/ssl等协议的VPN,也可以通过在Windows server服务器上搭建各种VPN服务,比如sstp vpn,也可以在Linux服务器上搭建 pptp/l2tp/ipsec VPN,其中网络设备上SSL VPN和pptp协议的VPN在MAC电脑上的兼容性极差。
下面的案例以在Linux上搭建xl2tpd/ipsec VPN为例
- 查看服务器是否支持pptp
# modprobe ppp-compress-18 && echo yes
返回结果为yes就表示通过
- 查看服务器是否开启了TUN,有的虚拟机主机需要开启
# cat /dev/net/tun && echo yes
返回结果为cat: /dev/net/tun: File descriptor in bad state就表示通过
- 安装EPEL源(CentOS7官方源中已经去掉了xl2tpd)
# yum install -y epel-release
- 安装xl2tpd和libreswan(openswan已经停止维护)
# yum install -y xl2tpd libreswan
- 编辑xl2tpd配置文件
# vi /etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = 192.168.80.250
[lns default]
ip range = 192.168.1.128-192.168.1.135
local ip = 192.168.80.250
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
- 编辑xl2tpd ppp options file文件
# vi /etc/ppp/options.xl2tpd
name xl2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 202.106.0.20
ms-dns 8.8.4.4
#noccp
auth
idle 1800
mtu 1400
mru 1400
nodefaultroute
debug
proxyarp
refuse-pap
refuse-mschap
persist
lcp-echo-failure 4
lcp-echo-interval 30
connect-delay 5000
logfile /var/log/ppp/xl2tpd.log
- 编辑ipsec配置文件
vim /etc/ipsec.conf # 只修改以下项,其他默认
--------------------------------------------------------
config setup
protostack=netkey
dumpdir=/var/run/pluto/
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.conf
--------------------------------------------------------
- 编辑include的conn文件
# vi /etc/ipsec.conf
version 2.0
config setup
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.43.0/24
protostack=netkey
interfaces=%defaultroute
uniqueids=no
conn shared
left=%defaultroute
leftid=211.103.172.114
right=%any
encapsulation=yes
authby=secret
pfs=no
rekey=no
keyingtries=5
dpddelay=30
dpdtimeout=120
dpdaction=clear
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
sha2-truncbug=yes
conn l2tp-psk
auto=add
leftprotoport=17/1701
rightprotoport=17/%any
type=transport
phase2=esp
also=shared
conn xauth-psk
auto=add
leftsubnet=0.0.0.0/0
rightaddresspool=192.168.1.128-192.168.1.135
modecfgdns="202.106.0.20, 8.8.4.4"
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=file
ike-frag=yes
ikev2=never
cisco-unity=yes
also=shared
- 设置用户名密码
# vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
user1 xl2tpd p@9865321 *
user2 xl2tpd p@9865321 *
# 格式: 用户名 服务名(server) 密码 允许使用的IP
# 这个配置文件也是pptpd的用户密码配置文件;第二列(server)与/etc/ppp/options.xl2tpd中的name一致(本例为xl2tpd),也可直接写*表示所有服务,因为这里只搭建l2tp/ipsec
- 设置预共享密钥PSK
# vi /etc/ipsec.d/ipsec.secrets
%any %any : PSK "K2hUWLpiGtDTdPMcezME"
自定义的PSK,客户端拨号连接时需要填写;由于写成%any %any,所有客户端共用同一个PSK
- CentOS7 防火墙设置
# firewall-cmd --permanent --add-service=ipsec
# firewall-cmd --permanent --add-port=1701/udp
# firewall-cmd --permanent --add-port=4500/udp
# firewall-cmd --permanent --add-masquerade
# firewall-cmd --reload
- 修改内核参数
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0
# sysctl -p
- 启动xl2tpd
# systemctl enable xl2tpd
# systemctl start xl2tpd
# systemctl status xl2tpd
- 检查配置
# ipsec verify
- 启动ipsec
# systemctl enable ipsec
# systemctl start ipsec
# systemctl status ipsec
到此,服务端的搭建已经完成