1. Install openswan
sudo apt-get install openswan
If apt reports `Package 'openswan' has no installation candidate`, add the mirror described below and retry the install. If the install above succeeded straight away, skip ahead to step 2.
sudo vi /etc/apt/sources.list.d/lzu.list
# Create a new apt source in its own file (sources.list itself stays untouched).
Paste the following code into the lzu.list file
# Ubuntu 12.04 ("precise") pockets served by the Lanzhou University mirror.
# The mirror is plain http; that is acceptable only because apt verifies the
# Release file signatures itself -- never add [trusted=yes] or disable that check.
# precise-proposed is the pre-release testing pocket: it can pull in untested
# package versions and is normally left out on a server.
# NOTE(review): precise is long past end-of-life, so precise-security will not
# carry new fixes even if the mirror still serves the archive.
deb http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-proposed main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-proposed main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse
Update the package index
sudo apt-get update
install openswan
sudo apt-get install openswan
# The install pops up a debconf dialog (presumably the "use an X.509 certificate
# for this host?" question); answer No -- this setup authenticates with a
# pre-shared key, not certificates.
2. Install xl2tpd and configure IPSec service
sudo apt-get install xl2tpd
Modify the /etc/ipsec.conf configuration file
sudo vi /etc/ipsec.conf
Paste the following content into the ipsec.conf file
# /etc/ipsec.conf -- Openswan (NETKEY) configuration for L2TP over IPsec with a PSK.
# NOTE(review): ipsec.conf(5) writes parameter lines indented under their
# section header; this copy has lost that indentation -- restore it when pasting.
config setup
# Accept clients behind NAT (ESP is UDP-encapsulated on port 4500).
nat_traversal=yes
# Private ranges a NATed client may present as its own address. The excluded
# block (presumably this server's own LAN -- confirm) must not be used by clients.
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
# No opportunistic encryption.
oe=off
# Use the kernel's native IPsec stack.
protostack=netkey
# Variant matched for clients behind NAT: the peer may claim any private address.
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
# Pre-shared key from /etc/ipsec.secrets. With right=%any below this is ONE
# key shared by every client; anyone holding it can bring up IPsec to this host.
authby=secret
# No fresh DH exchange on phase-2 rekeys. Left off for compatibility: common
# L2TP clients (Windows among them) will not negotiate PFS.
pfs=no
# Load the conn and wait for clients to initiate.
auto=add
keyingtries=3
# Do not initiate rekeys from this side; the client drives them.
rekey=no
# Dead-peer detection: probe every 30 s, clear the SA after 120 s of silence.
dpddelay=30
dpdtimeout=120
dpdaction=clear
ikelifetime=8h
keylife=1h
# L2TP/IPsec uses transport mode: only the UDP 1701 traffic itself is protected.
type=transport
# NOTE(review): no ike= / phase2alg= is set, so the cipher suites are whatever
# this Openswan release offers by default (on releases of this vintage that
# list still includes 3DES/MD5/modp1024-class proposals). Pin stronger ones
# here if your clients support them.
# Replace x.x.x.x with the server's public IP.
left=x.x.x.x
# Only L2TP (UDP 1701) on our side ...
leftprotoport=17/1701
# ... from any peer, on any source port (NAT may rewrite it).
right=%any
rightprotoport=17/%any
# Always UDP-encapsulate ESP, even when no NAT is detected.
forceencaps=yes
# Keeps non-L2TP traffic to the local network out of the IPsec policy
# (purpose inferred from the name -- confirm).
conn passthrough-for-non-l2tp
type=passthrough
# $IP and $GATEWAY are placeholders to replace by hand: ipsec.conf is not a
# shell and does not expand variables.
left=$IP
leftnexthop=$GATEWAY
# Replace with the IP of this host's Ethernet interface.
right=x.x.x.x
# Replace with the network that IP belongs to, e.g. 199.12.25.0/24. The sample
# value says /23 -- use your subnet's real prefix length.
rightsubnet=x.x.x.1/23
auto=route
Replace every IP and gateway placeholder marked by the # comments with your own values before starting the service.
Modify the file /etc/ipsec.secrets
sudo vi /etc/ipsec.secrets
Fill in the configuration
Here x.x.x.x is the public IP address of your server, and the quoted string is the pre-shared key: choose a long random secret of your own (the value below is only a placeholder). Every client will have to enter this key when connecting.
# Format: <local-ip> <peer> : PSK "<secret>"
# Replace x.x.x.x with the server's public IP and the quoted value with a long
# random secret (e.g. the output of `openssl rand -base64 32`); the string
# below is a placeholder only. Because the peer is %any this single PSK is
# shared by every client -- rotate it when a user leaves. Keep the file
# readable by root only (chmod 600 /etc/ipsec.secrets).
x.x.x.x %any: PSK "mima1234567890"
After saving, run the following to disable ICMP redirects on every interface; `ipsec verify` requires this for IPsec to work properly.
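# Disable ICMP redirects on every interface. `ipsec verify` flags them because
# a redirect lets a host on the path steer the tunnel traffic along a different
# route. The redirection `>` is done by the calling shell, not by echo, so the
# whole loop has to run as root (`sudo echo` would not help).
sudo sh -c '
for each in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$each/accept_redirects"
  echo 0 > "$each/send_redirects"
done'
# NOTE: writes to /proc do not survive a reboot; persist them in
# /etc/sysctl.conf (net.ipv4.conf.all.accept_redirects=0 and
# net.ipv4.conf.all.send_redirects=0) once the setup works.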
Start the IPSEC service and check if IPSEC is working properly
sudo /etc/init.d/ipsec start
# Confirm that IPsec is working with the command below.
sudo ipsec verify
# Note: it is enough that no check reports FAILED. WARNING lines are tolerable,
# but read them -- fixes for the common ones follow.
If an error occurs, please refer to the following command
# Error 1: "Checking /bin/sh is not /bin/dash [WARNING]" -- run:
sudo dpkg-reconfigure dash
# and answer No at the prompt, so /bin/sh points to bash instead of dash.
# Error 2: "pluto is running [FAILED]" -- the IKE daemon is not up; start it:
sudo /etc/init.d/ipsec start
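# Error 3: "NETKEY: Testing XFRM related proc values [FAILED]" -- ICMP
# redirects are still enabled on some interface. Disable them again; the loop
# must run as root because the `>` redirection is performed by the shell.
sudo sh -c '
for each in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$each/accept_redirects"
  echo 0 > "$each/send_redirects"
done'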
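# Error 4: "Pluto listening for IKE on udp 500 [FAILED]" -- either pluto is not
# listening or another process already holds UDP 500. lsof is installed only
# to find out which (e.g. `sudo lsof -i udp:500`); it does not fix the problem
# by itself. Like every other step here, the install needs root.
sudo apt-get install lsof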
# Error 5: "Hardware RNG detected, testing if used properly [FAILED]" --
# rng-tools feeds the hardware RNG into the kernel entropy pool, which the
# key exchange draws on.
sudo apt-get install rng-tools
Modify /etc/xl2tpd/xl2tpd.conf configuration
sudo vi /etc/xl2tpd/xl2tpd.conf
Paste the following
[global]
; SAref lets the kernel tell apart several clients that share one public IP
; (users behind the same NAT). It needs an SAref-patched kernel; on a stock
; kernel xl2tpd presumably just logs a warning -- TODO confirm on the target host.
ipsec saref = yes
[lns default]
; Pool handed out to clients, plus the server's own tunnel address. It must
; stay outside the block excluded in ipsec.conf's virtual_private, and it is
; the range NATed by the MASQUERADE rule in step 3.
ip range = 10.10.20.100-10.10.20.254
local ip = 10.10.20.1
; Insist on CHAP and refuse PAP so the PPP password never crosses the link in
; the clear, even though the link itself is carried inside ESP.
require chap = yes
refuse pap = yes
require authentication = yes
; Verbose PPP logging to syslog -- useful while bringing the setup up, noisy
; afterwards; switch it off once clients connect reliably.
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Modify PPP configuration
sudo vi /etc/ppp/options.xl2tpd
write the following
# PPP options used by xl2tpd (pppoptfile in xl2tpd.conf).
# Only CHAP-MD5 is left for PPP authentication: MS-CHAP and MS-CHAPv2 are
# refused here and PAP is refused in xl2tpd.conf. That is acceptable only
# because the PPP link runs inside the IPsec SA; it also means chap-secrets
# must hold plaintext passwords, since CHAP cannot work from hashed ones.
refuse-mschap-v2
refuse-mschap
# DNS servers pushed to clients (Google's public resolvers). Pick your own if
# client DNS traffic is supposed to stay on your infrastructure.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
# Require the peer to authenticate.
auth
lock
# Keep the password out of pppd's log output.
hide-password
local
#debug
# Local name used when looking up chap-secrets (its "server" column; the "*"
# there matches any name).
name l2tpd
# Answer ARP for client addresses so they are reachable from the local LAN
# without extra routes.
proxyarp
# Drop a session after 4 missed LCP echoes sent 30 s apart.
lcp-echo-interval 30
lcp-echo-failure 4
# Reduced to leave room for the L2TP/UDP/ESP overhead and avoid fragmentation.
mtu 1404
mru 1404
Add user
sudo vi /etc/ppp/chap-secrets
Fill in the username and password used by the client
# Columns: client  server  secret  allowed-IP-addresses
# "yonghuming" / "mima1234567890" are placeholders for the user name and
# password; the secret is stored in plaintext, so keep the file root-only
# (chmod 600 /etc/ppp/chap-secrets). The trailing "*" lets the client receive
# any address from xl2tpd's "ip range".
yonghuming * mima1234567890 *
3. Set up forwarding
sudo vi /etc/sysctl.conf
# Find this line and remove its leading "#" so the kernel forwards packets
# between the VPN clients and the rest of the network.
net.ipv4.ip_forward=1
Configuration takes effect
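# Apply /etc/sysctl.conf now instead of waiting for a reboot. Needs root, like
# every other command in this guide -- without sudo the write fails.
sudo sysctl -p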
Open the firewall for the VPN's control and data traffic (these INPUT rules only take effect if the chain's default policy is not already ACCEPT).
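# L2TP/IPsec -- what ipsec.conf above configures -- uses neither GRE nor TCP
# 1723 (those belong to PPTP), and 47 is GRE's IP protocol number, not a TCP
# port. What must reach this host is IKE, NAT-T and the L2TP control channel.
sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT    # IKE
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT   # IKE + UDP-encapsulated ESP
# Accept L2TP only when it arrived inside an IPsec SA, so xl2tpd is never
# reachable in the clear. The policy match needs the xt_policy module; if the
# kernel lacks it, drop the "-m policy ... ipsec" part and accept that UDP 1701
# is then exposed.
sudo iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
# With forceencaps=yes in ipsec.conf, ESP always arrives UDP-encapsulated on
# 4500; add `-p esp -j ACCEPT` only if you ever turn that off. These rules only
# matter once the INPUT default policy is DROP (Ubuntu ships ACCEPT), and they
# are not persisted across reboots.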
Enable NAT forwarding
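# Masquerade VPN client traffic leaving through the internet-facing interface.
# Restricting the source to the xl2tpd pool (the "ip range" in xl2tpd.conf)
# keeps this rule from NATing anything else that happens to be forwarded
# through this host.
sudo iptables -t nat -A POSTROUTING -s 10.10.20.0/24 -o ens3 -j MASQUERADE
# Note: "ens3" is the name of this machine's internet-facing interface and
# differs between hosts; check with `ifconfig` (or `ip addr`). iptables rules
# are lost on reboot -- persist them (e.g. iptables-persistent) once they work.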
4. Start the VPN
sudo /etc/init.d/xl2tpd restart