Linuxword Global
当前位置: 通信协议 > 在CentOS 7中搭建PPTP、L2TP、IPSec服务

在CentOS 7中搭建PPTP、L2TP、IPSec服务

2022-05-17 分类:通信协议 作者:Linux网站管理员 阅读(2863)

在百度搜索了很多关于CentOS7搭建VPN的教程,但是有很多走不完全套的,因此浪费了很多时间,在这里我把查到能走通的教程整理了一遍,分享给大家。

更新组件

整个安装过程不用经过编译,组件都是在yum中下载,首先我们更新一下所有组件:

Protocol-Info
 
 
 

PHP

 
1
yum update -y

这里有个地方需要注意的是:有些主机的硬件并不支持最新内核,因此在不确定的情况下就不要升级内核了,用以下的命令:

 
 
 
 

PHP

 
1
yum –exclude=kernel* update -y

更新需要较长时间,请耐心等待。

非常重要的小插曲

撰写这篇文章并且共享出来,主要是为了能和大家互相学习和交流,但是正在看这篇文章的不乏一些现在就有自己的服务器或VPS,急着马上搭建好一台自己的VPN服务器的同学,如果你是这类同学,请不用心急,因为我制作好了自动运行脚本,脚本的内容和文章内容是一样的,把脚本下载到服务器,运行并配置自己的账号密码、ip和客户端ip即可。

脚本下载地址:https://github.com/BoizZ/PPTP-L2TP-IPSec-VPN-auto-installation-script-for-CentOS-7

运行脚本: sh vpn-script-for-centos7.sh

好,那么希望继续学习的同学请往下看。

安装epel源

为什么要安装epel源呢?是因为必要组件xl2tpd在基础的yum源里面是没有的。

 
 
 
 

PHP

 
1
yum install epel-release -y

 

安装依赖组件

安装完epel源以后就可以直接安装依赖组件了。

 
 
 
 

PHP

 
1
yum install -y openswan ppp pptpd xl2tpd wget

 

修改配置文件

需要等待所有依赖组件安装完成才能执行以下步骤(小标题括号内是文件路径)。

ipsec.conf配置文件([crayon-627d356a16e9b854579888-i/])

 

PPTP-vs-L2TP-vs-SSTP-vs-IKEv2-vs-IPSec-vs-OpenVPN-700x411-1
 
 
 

PHP

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5
# basic configuration
config setup
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    force_keepalive=yes
    keep_alive=1800
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$serverip
    leftid=$serverip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
# For example connections, see your distribution's documentation directory,
# or the documentation which could be located at
#  /usr/share/docs/libreswan-3.*/ or look at https://www.libreswan.org/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
# You may put your configuration (.conf) file in the "/etc/ipsec.d/" directory
# by uncommenting this line
#include /etc/ipsec.d/*.conf

 

设置预共享密钥配置文件([crayon-627d356a16ea1142743689-i/])

 

 
 
 
 

PHP

 
1
2
#include /etc/ipsec.d/*.secrets
$serverip username PSK password

注解:第二行中username为登录名,password为登录密码

pptpd.conf配置文件([crayon-627d356a16ea6141731281-i/])

 

 
 
 
 

PHP

 
1
2
3
4
5
6
7
8
9
10
11
12
#ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
#debug
# stimeout 10
#noipparam
logwtmp
#vrf test
#bcrelay eth1
#delegate
#connections 100
localip 10.0.1.2
remoteip 10.0.1.200-254

 

xl2tpd.conf配置文件([crayon-627d356a16eaa455381999-i/])

 

 
 
 
 

PHP

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
[global]
; ipsec saref = yes
listen-addr = 104.171.165.91
auth file = /etc/ppp/chap-secrets
port = 1701
[lns default]
ip range = 10.0.1.100-10.0.1.254
local ip = 10.0.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = L2TPVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

 

options.pptpd配置文件([crayon-627d356a16eb7244306712-i/])

 

 
 
 
 

PHP

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# Authentication
name pptpd
#chapms-strip-domain
# Encryption
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40    # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}
ms-dns 8.8.4.4
ms-dns 8.8.8.8
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp
#10.8.0.100
# Logging
#debug
#dump
lock
nobsdcomp
novj
novjccomp
nologfd

 

options.xl2tpd配置文件([crayon-627d356a16ebd859697861-i/])

 

 
 
 
 

PHP

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
rm -f /etc/ppp/options.xl2tpd
cat >>/etc/ppp/options.xl2tpd<<EOF
#require-pap
#require-chap
#require-mschap
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1400
noccp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html

 

创建chap-secrets配置文件,即用户列表及密码([crayon-627d356a16ec2025067494-i/])

 

 
 
 
 

PHP

 
1
2
3
4
# Secrets for authentication using CHAP
# client     server     secret               IP addresses
username          pptpd     password               *
username          l2tpd     password               *

注解:第三第四行中username为登录名,password为登录密码

系统配置

允许IP转发

 

 
 
 
 

PHP

 
1
2
3
4
5
6
7
8
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0
sysctl -w net.ipv4.conf.$eth.rp_filter=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0

注解:以上均是命令,复制上去运行即可
也可以修改配置文件( /etc/sysctl.conf):

 
 
 
 

PHP

 
1
2
3
4
5
6
7
8
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.$eth.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

 

允许防火墙端口

创建文件 /usr/lib/firewalld/services/pptpd.xml并修改:

 
 
 
 

PHP

 
1
2
3
4
5
6
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>pptpd</short>
  <description>PPTP</description>
  <port protocol="tcp" port="1723"/>
</service>

创建文件 /usr/lib/firewalld/services/l2tpd.xml并修改:

 
 
 
 

PHP

 
1
2
3
4
5
6
7
8
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>l2tpd</short>
  <description>L2TP IPSec</description>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
  <port protocol="udp" port="1701"/>
</service>

 

初始化并重启防火墙:

 

 
 
 
 

PHP

 
1
2
3
4
5
6
7
firewall-cmd --reload
firewall-cmd --permanent --add-service=pptpd
firewall-cmd --permanent --add-service=l2tpd
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -i ppp+ -j TCPMSS --syn --set-mss 1356
firewall-cmd --reload

这里是由于CentOS7自带firewall,并且不预装iptables,因此自己也不多此一举去安装了,因为效果都是一样的。

启动并设置开机自启动服务

 

 
 
 
 

PHP

 
1
2
systemctl enable pptpd ipsec xl2tpd
systemctl restart pptpd ipsec xl2tpd

 

大功告成

最后一步,并且是最重要的一步,当然是连接一下自己刚建好的VPN服务器啦!

「梦想一旦被付诸行动,就会变得神圣,如果觉得我的文章对您有用,请帮助本站成长」

赞(0) 打赏
一分也是爱

支付宝扫一扫打赏

微信扫一扫打赏

标签:

上一篇:

下一篇:

相关推荐

博客简介

本站CDN采用VmShell免费提供离中国大陆最近的香港CMI高速网络做支撑,ToToTel打造全球最快速的边沿网络支撑服务,具体详情请见 :https://vmshell.com/ 以及 https://tototel.com/,网站所有的文件和内容禁止大陆网站搬迁复制,谢谢,VPS营销投稿邮箱: admin@linuxxword.com,我们免费帮大家发布,不收取任何费用,请提供完整测试文稿!

最近更新

热门标签

news(120) soledad(120) VPS(63) 安装(43) vmshell(37) 搭建(37) 使用(36) 美国(33) 如何(33) linux(32) 教程(32) 日本(28) 服务器(27) 系统(22) 香港(21) 下载(20) GOOGLE(19) Wordpress(19) 中国(19) MYsql(18) 脚本(18) 免费(18) tototel(17) cloudflare(16)

精彩评论

友情链接

他们同样是一群网虫,却不是每天泡在网上游走在淘宝和网游之间、刷着本来就快要透支的信用卡。他们或许没有踏出国门一步,但同学却不局限在一国一校,而是遍及全球!申请交换友链

站点统计

  • 文章总数: 2612 篇
  • 草稿数目: 23 篇
  • 分类数目: 6 个
  • 独立页面: 0 个
  • 评论总数: 2 条
  • 链接总数: 0 个
  • 标签总数: 16076 个
  • 注册用户: 139 人
  • 访问总量: 8,648,531 次
  • 最近更新: 2024年12月2日