在CentOS 6上部署PPTP VPN Server
时间:2016-06-04 18:52 来源:linux.it.net.cn 作者:IT
背景介绍:
搭建PPTP VPN Server应该是非常容易的,可身边有不少朋友在参考了一些文章后仍然来求助于我,走了不少的弯路。
因此,觉得自己有必要写一篇文章来讲解一下。毕竟我写文章的习惯是边操作边记录,所以一步一步照着做就可以完成,大家都喜欢看。
相关配置:
OS: CentOS 6.4 x86_64 Minimal
1. 安装EPEL扩展库
# yum install http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
2. 安装PPTP扩展库
# yum install http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
3. 安装PPTP VPN Server
# yum install pptpd
4. 编辑/etc/pptpd.conf
# vim /etc/pptpd.conf
###############################################################################
# $Id: pptpd.conf,v 1.11 2011/05/19 00:02:50 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd
# TAG: debug
# Turns on (more) debugging to syslog
#
debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
stimeout 120
# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam
# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
#logwtmp
# TAG: vrf <vrfname>
# Switches PPTP & GRE sockets to the specified VRF, which must exist
# Only available if VRF support was compiled into pptpd.
#
#vrf test
# TAG: bcrelay <if>
# Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1
# TAG: delegate
# Delegates the allocation of client IP addresses to pppd.
#
# Without this option, which is the default, pptpd manages the list of
# IP addresses for clients and passes the next free address to pppd.
# With this option, pptpd does not pass an address, and so pppd may use
# radius or chap-secrets to allocate an address.
#
#delegate
# TAG: connections
# Limits the number of client connections that may be accepted.
#
# If pptpd is allocating IP addresses (e.g. delegate is not
# used) then the number of connections is also limited by the
# remoteip option. The default is 100.
#connections 100
# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# These options are ignored if delegate option is set.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than the value of connections,
# it will start at the beginning of the list and go until it
# gets connections IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
localip 10.192.168.1
remoteip 10.192.168.100-200
注解:在以上配置文件中,
指定了PPP配置文件路径:option /etc/ppp/options.pptpd
开启了调试日志:debug
设置了建立连接时的超时时间为120秒:stimeout 120
PPTP VPN Server的本地地址,即客户端会自动获取到的网关地址:localip 10.192.168.1
分配给客户端的地址范围:remoteip 10.192.168.100-200
5. 编辑/etc/ppp/options.pptpd
###############################################################################
# $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $
#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################
# Authentication
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name ec2-tokyo
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use.)
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40 # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}
# Network and Routing
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2
ms-dns 172.31.0.2
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address. The default local IP address used at the server
# end is often the same as the address of the server. To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
dump
# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp
# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd
# put plugins here
# (putting them higher up may cause them to sent messages to the pty)
logfile /var/log/pptpd.log
multilink
注解:在以上配置文件中,
定义了PPTP VPN Server的服务名:name ec2-tokyo
定义了加密的规则,如下:
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
定义了推送到客户端的DNS地址:ms-dns 172.31.0.2 (我通常选择PPTP VPN Server所在服务器的默认DNS设置)
允许相同局域网的主机在PPTP VPN Server上互相可见:proxyarp
开启了调试信息:debug
启用了一些通用的设置,如下:
dump
lock
nobsdcomp
novj
novjccomp
nologfd
指定了日志文件的位置:logfile /var/log/pptpd.log
允许把多个物理通道捆绑为单一逻辑信道:multilink
6. 编辑用户账号密码文件/etc/ppp/chap-secrets
# vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
"username" * "password" *
7. 编辑/etc/sysconfig/iptables-config
修改 IPTABLES_MODULES="" 为 IPTABLES_MODULES="ip_nat_pptp" 确保在启动iptables服务时自动加载模块。
8. 编辑/etc/sysconfig/iptables(默认eth0为公网IP地址所在网口)
# vim /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
-A INPUT -s 10.192.168.0/255.255.255.0 -m state --state NEW -m tcp -p tcp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.192.168.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
注解:在以上iptables脚本中,
对所有GRE协议的数据包放行;
对TCP端口1723放行;
对整个PPTP VPN的局域网地址段10.192.168.0/24放行;
将整个PPTP VPN的局域网地址段10.192.168.0/24通过NAT映射到eth0网口,实现共享上网;
9. 开启数据转发,编辑/etc/sysctl.conf
修改 net.ipv4.ip_forward = 0 为 net.ipv4.ip_forward = 1
执行 sysctl -p
10. 启动PPTP VPN Server
# /etc/init.d/pptpd restart
# /etc/init.d/iptables restart
11. 设置PPTP VPN Server与iptables服务开机自启动
# chkconfig pptpd on
# chkconfig iptables on
12. 在本地PC上配置客户端并连接PPTP VPN Server
13. 结束
(责任编辑:IT)
背景介绍:
相关配置:
1. 安装EPEL扩展库
2. 安装PPTP扩展库
3. 安装PPTP VPN Server
4. 编辑/etc/pptpd.conf ############################################################################### # $Id: pptpd.conf,v 1.11 2011/05/19 00:02:50 quozl Exp $ # # Sample Poptop configuration file /etc/pptpd.conf # # Changes are effective when pptpd is restarted. ############################################################################### # TAG: ppp # Path to the pppd program, default '/usr/sbin/pppd' on Linux # #ppp /usr/sbin/pppd # TAG: option # Specifies the location of the PPP options file. # By default PPP looks in '/etc/ppp/options' # option /etc/ppp/options.pptpd # TAG: debug # Turns on (more) debugging to syslog # debug # TAG: stimeout # Specifies timeout (in seconds) on starting ctrl connection # stimeout 120 # TAG: noipparam # Suppress the passing of the client's IP address to PPP, which is # done by default otherwise. # #noipparam # TAG: logwtmp # Use wtmp(5) to record client connections and disconnections. # #logwtmp # TAG: vrf <vrfname> # Switches PPTP & GRE sockets to the specified VRF, which must exist # Only available if VRF support was compiled into pptpd. # #vrf test # TAG: bcrelay <if> # Turns on broadcast relay to clients from interface <if> # #bcrelay eth1 # TAG: delegate # Delegates the allocation of client IP addresses to pppd. # # Without this option, which is the default, pptpd manages the list of # IP addresses for clients and passes the next free address to pppd. # With this option, pptpd does not pass an address, and so pppd may use # radius or chap-secrets to allocate an address. # #delegate # TAG: connections # Limits the number of client connections that may be accepted. # # If pptpd is allocating IP addresses (e.g. delegate is not # used) then the number of connections is also limited by the # remoteip option. The default is 100. #connections 100 # TAG: localip # TAG: remoteip # Specifies the local and remote IP address ranges. # # These options are ignored if delegate option is set. # # Any addresses work as long as the local machine takes care of the # routing. But if you want to use MS-Windows networking, you should # use IP addresses out of the LAN address space and use the proxyarp # option in the pppd options file, or run bcrelay. # # You can specify single IP addresses seperated by commas or you can # specify ranges, or both. For example: # # 192.168.0.234,192.168.0.245-249,192.168.0.254 # # IMPORTANT RESTRICTIONS: # # 1. No spaces are permitted between commas or within addresses. # # 2. If you give more IP addresses than the value of connections, # it will start at the beginning of the list and go until it # gets connections IPs. Others will be ignored. # # 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238, # you must type 234-238 if you mean this. # # 4. If you give a single localIP, that's ok - all local IPs will # be set to the given one. You MUST still give at least one remote # IP for each simultaneous client. # # (Recommended) #localip 192.168.0.1 #remoteip 192.168.0.234-238,192.168.0.245 # or #localip 192.168.0.234-238,192.168.0.245 #remoteip 192.168.1.234-238,192.168.1.245 localip 10.192.168.1 remoteip 10.192.168.100-200
注解:在以上配置文件中, 5. 编辑/etc/ppp/options.pptpd ############################################################################### # $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $ # # Sample Poptop PPP options file /etc/ppp/options.pptpd # Options used by PPP when a connection arrives from a client. # This file is pointed to by /etc/pptpd.conf option keyword. # Changes are effective on the next connection. See "man pppd". # # You are expected to change this file to suit your system. As # packaged, it requires PPP 2.4.2 and the kernel MPPE module. ############################################################################### # Authentication # Name of the local system for authentication purposes # (must match the second field in /etc/ppp/chap-secrets entries) name ec2-tokyo # Strip the domain prefix from the username before authentication. # (applies if you use pppd with chapms-strip-domain patch) #chapms-strip-domain # Encryption # (There have been multiple versions of PPP with encryption support, # choose with of the following sections you will use.) # BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o # {{{ refuse-pap refuse-chap refuse-mschap # Require the peer to authenticate itself using MS-CHAPv2 [Microsoft # Challenge Handshake Authentication Protocol, Version 2] authentication. require-mschap-v2 # Require MPPE 128-bit encryption # (note that MPPE requires the use of MSCHAP-V2 during authentication) require-mppe-128 # }}} # OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o # {{{ #-chap #-chapms # Require the peer to authenticate itself using MS-CHAPv2 [Microsoft # Challenge Handshake Authentication Protocol, Version 2] authentication. #+chapms-v2 # Require MPPE encryption # (note that MPPE requires the use of MSCHAP-V2 during authentication) #mppe-40 # enable either 40-bit or 128-bit, not both #mppe-128 #mppe-stateless # }}} # Network and Routing # If pppd is acting as a server for Microsoft Windows clients, this # option allows pppd to supply one or two DNS (Domain Name Server) # addresses to the clients. The first instance of this option # specifies the primary DNS address; the second instance (if given) # specifies the secondary DNS address. #ms-dns 10.0.0.1 #ms-dns 10.0.0.2 ms-dns 172.31.0.2 # If pppd is acting as a server for Microsoft Windows or "Samba" # clients, this option allows pppd to supply one or two WINS (Windows # Internet Name Services) server addresses to the clients. The first # instance of this option specifies the primary WINS address; the # second instance (if given) specifies the secondary WINS address. #ms-wins 10.0.0.3 #ms-wins 10.0.0.4 # Add an entry to this system's ARP [Address Resolution Protocol] # table with the IP address of the peer and the Ethernet address of this # system. This will have the effect of making the peer appear to other # systems to be on the local ethernet. # (you do not need this if your PPTP server is responsible for routing # packets to the clients -- James Cameron) proxyarp # Normally pptpd passes the IP address to pppd, but if pptpd has been # given the delegate option in pptpd.conf or the --delegate command line # option, then pppd will use chap-secrets or radius to allocate the # client IP address. The default local IP address used at the server # end is often the same as the address of the server. To override this, # specify the local IP address here. # (you must not use this unless you have used the delegate option) #10.8.0.100 # Logging # Enable connection debugging facilities. # (see your syslog configuration for where pppd sends to) debug # Print out all the option values which have been set. # (often requested by mailing list to verify options) dump # Miscellaneous # Create a UUCP-style lock file for the pseudo-tty to ensure exclusive # access. lock # Disable BSD-Compress compression nobsdcomp # Disable Van Jacobson compression # (needed on some networks with Windows 9x/ME/XP clients, see posting to # poptop-server on 14th April 2005 by Pawel Pokrywka and followups, # http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 ) novj novjccomp # turn off logging to stderr, since this may be redirected to pptpd, # which may trigger a loopback nologfd # put plugins here # (putting them higher up may cause them to sent messages to the pty) logfile /var/log/pptpd.log multilink
注解:在以上配置文件中,
6. 编辑用户账号密码文件/etc/ppp/chap-secrets # Secrets for authentication using CHAP # client server secret IP addresses "username" * "password" *
7. 编辑/etc/sysconfig/iptables-config
8. 编辑/etc/sysconfig/iptables(默认eth0为公网IP地址所在网口) *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p gre -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT -A INPUT -s 10.192.168.0/255.255.255.0 -m state --state NEW -m tcp -p tcp -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A POSTROUTING -s 10.192.168.0/255.255.255.0 -o eth0 -j MASQUERADE COMMIT
注解:在以上iptables脚本中,
9. 开启数据转发,编辑/etc/sysctl.conf
10. 启动PPTP VPN Server
11. 设置PPTP VPN Server与iptables服务开机自启动 12. 在本地PC上配置客户端并连接PPTP VPN Server
13. 结束 |