基于阿里云新加坡的centos6.x搭建l2tp+ipsec vpn
更新:(2018.12.19使用此文章在ucloud云使用centos6.5搭建成功)
更新:(2018.12.27使用此文章在腾讯云使用 centos7 搭建成功)
安装几个需要的软件包
yum install wget lsof vim nss -y【我是阿里云机器默认是阿里云的源不用修改】改下yum源,使用阿里云的yum源
centos|ubuntu更改yum源为阿里云的yum源#安装开发软件包组
yum groupinstall "Development tools" -y安装ipsec 和 xl2tpd
#openswan 也就是ipsec
yum install openswan -y
#由于yum源中没有,我们手动下载xl2tpd rpm包
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/Packages/x/xl2tpd-1.3.8-1.el6.x86_64.rpm
#这里安装xl2tpd 会自动把ppp和其他需要的包给安装上
yum install xl2tpd-1.3.8-1.el6.x86_64.rpm -y配置ipsec预共享秘钥,和修改配置文件
#添加预共享秘钥
vim /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
#下面一行为添加的: ip可以为任意也可以为你的外网ip地址,"vpn"就是连接时需要用的秘钥,自己定义即可
0.0.0.0 %any: PSK "vpn"
#修改ipsec.conf 配置文件
vim /etc/ipsec.conf
config setup
protostack=netkey
dumpdir=/var/run/pluto/
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.conf
#下面为新添加,注意left这个IP地址,如果你是云服务器且还只能看到内网ip看不到外网ip的,这里就填写内网ip地址。
conn l2tp-psk
rightsubnet=vhost:%priv
also=l2tp-psk-nonat
conn l2tp-psk-nonat
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=172.18.212.34
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=40
dpdtimeout=130
dpdaction=clear
sha2-truncbug=yes修改xl2tpd 相关配置文件
#修改vpn连接ip 和 分配客户端的地址池
vim /etc/xl2tpd/xl2tpd.conf
[global]
#连接ip地址,我用的弹性ip地址,机器内看不到外网ip这里就填写内网ip地址
listen-addr = 172.18.212.34
#分配的地址网段自定义即可
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
#修改拨入获取的dns
vim /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
#dns根据实际情况情况而定,你上国际网站那就默认的即可,加速的话用国内dns即可
ms-dns 8.8.8.8
ms-dns 114.114.114.114
noccp
auth
#注意:centos7下面要注释掉crtscts这个参数
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#注意:centos7下面要注释掉lock这个参数
lock
proxyarp
connect-delay 5000配置连接的用户账号和密码
#按格式添加即可,中间用空格或者tab隔开
vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
jinc * 123456 *现在配置内核选项,linux的路由转发等
vim /etc/sysctl.conf
#如果有的直接修改,没有的添加
net.ipv4.ip_forward = 1 #修改为1 表示打开路由转发功能
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.eth0.accept_source_route=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.accept_source_route=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.lo.send_redirects=0
net.ipv4.conf.lo.rp_filter=0
#使修改的配置生效
sysctl -p
#启动服务 这里如果启动失败或者报错,请检查配置文件,或是否安装了需要的包
service xl2tpd start
service ipsec start
#验证ipsec 是否完全正确
ipsec verify
#一般来说 没有error 和fail 就可以了,对应有问题的可能是少装什么包或者哪里没有配置好
#ceneos6.5显示的结果:
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.10.1.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
#centos7 显示的结果:
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 3.10.0-514.26.2.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OBSOLETE]
003 WARNING: using a weak secret (PSK)
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
使用到的端口
开放UDP端口:1701、500、4500
手机端配置连接
#观察日志
Mar 6 12:05:32 debug010000002015 xl2tpd[23389]: Connection established to 210.123.73.45, 58164. Local: 65126, Remote: 50489 (ref=0/0). LNS session is 'default'
Mar 6 12:05:32 debug010000002015 xl2tpd[23389]: Call established with 210.123.73.45, Local: 8094, Remote: 17899, Serial: -1408866546
Mar 6 12:05:32 debug010000002015 pppd[24590]: pppd 2.4.5 started by root, uid 0
Mar 6 12:05:32 debug010000002015 pppd[24590]: Using interface ppp0
Mar 6 12:05:32 debug010000002015 pppd[24590]: Connect: ppp0 <--> /dev/pts/1
Mar 6 12:05:32 debug010000002015 pppd[24590]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Mar 6 12:05:32 debug010000002015 pppd[24590]: Cannot determine ethernet address for proxy ARP
Mar 6 12:05:32 debug010000002015 pppd[24590]: local IP address 192.168.1.1
Mar 6 12:05:32 debug010000002015 pppd[24590]: remote IP address 192.168.1.129
如果以上的配置都没有问题,连接也是没问题的了,但是连接后不能上网的,接下来配置iptables转发
#我这里清空所有规则,只配置了转发的方便测试,注意:这里的网卡名称是否eth0,如果不是请修改为你的网卡名称
iptables -F
iptables -F -t nat
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
service iptables save
service iptables restart手机访问测试[没有测试电脑连接]
总结:
1:安装几个包
2:安装ipsec和xl2tpd服务
3:修改ipsec.secrets/ipsec.conf/chap-secrets/sysctl.conf配置文件
4:启动ipsec和xl2tpd服务
5:使用iptables配置转发规则和开放使用到的UDP端口
5:连接使用
