Setting up PPTP, L2TP and IPsec services on CentOS 7


Reposted from: http://www.imooc.com/article/8659

I searched Baidu for a lot of tutorials on setting up a VPN on CentOS 7, but many of them could not be followed all the way through, which wasted a lot of my time. Here I have put together the tutorials I found that actually work and am sharing them with everyone.

Updating packages

The whole installation needs no compiling; every component is downloaded through yum. First, update all packages:

yum update -y

One thing to note here: the hardware of some hosts does not support the latest kernel, so if you are not sure, do not upgrade the kernel; use the following command instead:

yum --exclude='kernel*' update -y

The update takes a while; please be patient.

A very important aside

I wrote this article and shared it mainly so that we can learn from and exchange ideas with each other, but some of the people reading it surely already have their own server or VPS and are in a hurry to get their own VPN server set up right away. If you are one of them, there is no need to rush, because I have prepared an automated script; what the script does is exactly what the article describes. Download the script to your server, run it, and configure your own account, password, IP and client IP.

Script download address: https://github.com/BoizZ/PPTP-L2TP-IPSec-VPN-auto-installation-script-for-CentOS-7

Run the script: sh vpn-script-for-centos7.sh

Okay, those who want to keep learning, please read on.

Installing the EPEL repository

Why install the EPEL repository? Because the required component xl2tpd is not in the base yum repositories.

yum install epel-release -y

Installing the dependencies

Once the EPEL repository is installed, the dependencies can be installed directly.

yum install -y openswan ppp pptpd xl2tpd wget

Editing the configuration files

Wait until all of the dependencies have finished installing before carrying out the following steps (the file path is given in parentheses in each sub-heading).

ipsec.conf configuration file (/etc/ipsec.conf). $serverip is a placeholder for the server's own IP address, as in the script.

# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    force_keepalive=yes
    keep_alive=1800

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$serverip
    leftid=$serverip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear

# For example connections, see your distribution's documentation directory,
# or the documentation which could be located at
#  /usr/share/docs/libreswan-3.*/ or look at https://www.libreswan.org/
#
# There is also a lot of information in the manual page, "man ipsec.conf"

# You may put your configuration (.conf) file in the "/etc/ipsec.d/" directory
# by uncommenting this line
#include /etc/ipsec.d/*.conf

Pre-shared key configuration file (/etc/ipsec.secrets)

#include /etc/ipsec.d/*.secrets
$serverip %any : PSK "password"

Note: on the second line, password is the pre-shared key (PSK) that every L2TP/IPsec client must be configured with; the PPP login name and password used to log in are set in /etc/ppp/chap-secrets below. The ipsec.secrets format is <local-id> <remote-id> : PSK "<secret>", and the colon and quotes are required; %any as the remote id accepts the key from any client address, which is needed because the connection above uses right=%any.

pptpd.conf configuration file (/etc/pptpd.conf)

#ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
#debug
# stimeout 10
#noipparam
logwtmp
#vrf test
#bcrelay eth1
#delegate
#connections 100
localip 10.0.1.2
remoteip 10.0.1.200-254

xl2tpd.conf configuration file (/etc/xl2tpd/xl2tpd.conf)

;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
; ipsec saref = yes
listen-addr = 104.171.165.91
auth file = /etc/ppp/chap-secrets
port = 1701

[lns default]
ip range = 10.0.1.100-10.0.1.254
local ip = 10.0.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = L2TPVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Note: replace the listen-addr value with your own server's address. Also be aware that this ip range (10.0.1.100-10.0.1.254) overlaps the pptpd remoteip pool above (10.0.1.200-254), so a PPTP client and an L2TP client could be handed the same address; if both services are in use at once, give them disjoint ranges.
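The pptpd remoteip pool and the xl2tpd ip range are written in two different notations (pptpd allows a shorthand last octet), which makes an overlap easy to miss. The following POSIX shell script is an added example, not code from the original article or from the author's script: it parses both notations, converts the addresses to integers and reports whether the two pools share an address. The two sample configuration files it creates are constructed here from the values shown in the article.

```shell
#!/bin/sh
# Added example (not from the article or its script): check that the address
# pools handed out by pptpd and xl2tpd do not overlap. The sample configs at the
# bottom are constructed from the values on the page.

ip_to_int() {
    # "a.b.c.d" -> unsigned 32-bit value, so ranges can be compared numerically
    echo "$1" | awk -F '[.]' '{ print ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

range_bounds() {
    # Accepts "10.0.1.200-254" (pptpd shorthand for the last octet) or
    # "10.0.1.100-10.0.1.254" (xl2tpd form); prints "<first> <last>" as integers.
    first=${1%%-*}
    last=${1#*-}
    case "$last" in
        *.*) ;;                               # already a full dotted address
        *)   last="${first%.*}.$last" ;;      # shorthand: keep the first three octets
    esac
    echo "$(ip_to_int "$first") $(ip_to_int "$last")"
}

pools_overlap() {
    # Exit status 0 (true) when the two pools share at least one address.
    # Two closed ranges [a1,a2] and [b1,b2] overlap iff a1 <= b2 and b1 <= a2.
    set -- $(range_bounds "$1") $(range_bounds "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

pptpd_pool() {
    # Extract the remoteip value from a pptpd.conf, ignoring commented lines.
    awk '/^[[:space:]]*remoteip[[:space:]]/ { print $2; exit }' "$1"
}

xl2tpd_pool() {
    # Extract "ip range = ..." from an xl2tpd.conf (";" comment lines never match).
    awk -F= '/^[[:space:]]*ip range[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

check_pools() {
    # Prints a verdict; returns 0 when the pools are disjoint, 1 when they overlap.
    p=$(pptpd_pool "$1")
    l=$(xl2tpd_pool "$2")
    if pools_overlap "$p" "$l"; then
        echo "OVERLAP: pptpd remoteip $p and xl2tpd ip range $l share addresses"
        return 1
    fi
    echo "OK: pptpd remoteip $p and xl2tpd ip range $l are disjoint"
    return 0
}

# Constructed sample files (values taken from the article's configuration).
WORK=$(mktemp -d)
PPTPD_SAMPLE="$WORK/pptpd.conf"
XL2TPD_SAMPLE="$WORK/xl2tpd.conf"
cat > "$PPTPD_SAMPLE" <<'EOF'
option /etc/ppp/options.pptpd
#remoteip 10.0.1.2-9
localip 10.0.1.2
remoteip 10.0.1.200-254
EOF
cat > "$XL2TPD_SAMPLE" <<'EOF'
[lns default]
ip range = 10.0.1.100-10.0.1.254
local ip = 10.0.1.1
EOF

# With the article's values this reports OVERLAP.
check_pools "$PPTPD_SAMPLE" "$XL2TPD_SAMPLE" || true
```

Point check_pools at the real /etc/pptpd.conf and /etc/xl2tpd/xl2tpd.conf to run the same check on a live server; it only reads the files.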

options.pptpd configuration file (/etc/ppp/options.pptpd)

# Authentication
name pptpd
#chapms-strip-domain

# Encryption
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}

# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40        # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}

ms-dns 8.8.4.4
ms-dns 8.8.8.8
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

proxyarp
#10.8.0.100

# Logging
#debug
#dump

lock
nobsdcomp
novj
novjccomp
nologfd

options.xl2tpd configuration file (/etc/ppp/options.xl2tpd); the following shell snippet writes it:

rm -f /etc/ppp/options.xl2tpd
cat >>/etc/ppp/options.xl2tpd<<EOF
#require-pap
#require-chap
#require-mschap
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1400
noccp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
EOF

Create the chap-secrets file, i.e. the list of users and their passwords (/etc/ppp/chap-secrets)

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
username        pptpd   password        *
username        l2tpd   password        *

Note: on the third and fourth lines, username is the login name and password is the login password.

System configuration

Enabling IP forwarding

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0
sysctl -w net.ipv4.conf.$eth.rp_filter=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0

Note: the lines above are all commands; copy them and run them, replacing $eth with the name of the server's network interface. Values set with sysctl -w are lost at reboot, so you can also put them in the configuration file (/etc/sysctl.conf) and load them with sysctl -p:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.$eth.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
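Appending these lines to /etc/sysctl.conf by hand works once, but re-running the step (or the author's script) appends duplicates, and a commented-out line such as "#net.ipv4.ip_forward = 0" stays behind. The POSIX shell script below is an added example, not code from the original article or from the author's script: it writes each of the settings above into a sysctl.conf-style file idempotently, replacing an existing or commented-out line for the same key and appending only when the key is absent. VPN_IFACE stands in for the article's $eth placeholder and is an assumption; the demo file it edits is constructed here.

```shell
#!/bin/sh
# Added example (not from the article or its script): write the kernel settings
# from the "Enabling IP forwarding" step into a sysctl.conf-style file
# idempotently, so the step can be re-run without producing duplicate lines.
# VPN_IFACE replaces the article's $eth placeholder (assumed default: eth0).

VPN_IFACE=${VPN_IFACE:-eth0}

sysctl_wanted() {
    # key and value per line, exactly the settings listed on the page
    cat <<EOF
net.ipv4.ip_forward 1
net.ipv4.conf.all.rp_filter 0
net.ipv4.conf.default.rp_filter 0
net.ipv4.conf.$VPN_IFACE.rp_filter 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
EOF
}

escape_re() {
    # escape the dots so a key can be used literally inside a regular expression
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

set_sysctl_key() {
    # Usage: set_sysctl_key <file> <key> <value>
    # Replaces an existing "key = ..." line (even a commented-out one), else appends.
    file=$1; key=$2; value=$3; re=$(escape_re "$key")
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[#[:space:]]*${re}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)   # rewrite through a temp file: sed -i differs between GNU and BSD
        sed -E "s|^[#[:space:]]*${re}[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
        cat "$tmp" > "$file"; rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

apply_sysctl_file() {
    # Write every wanted key into <file>; afterwards `sysctl -p <file>` loads them.
    sysctl_wanted | while read -r key value; do
        set_sysctl_key "$1" "$key" "$value"
    done
}

sysctl_file_value() {
    # Print the effective (last uncommented) value of <key> in <file>.
    awk -v k="$2" -F= '$1 !~ /^[[:space:]]*#/ { gsub(/[[:space:]]/, "", $1);
        if ($1 == k) { gsub(/[[:space:]]/, "", $2); v = $2 } } END { print v }' "$1"
}

# Constructed demo file: one key commented out, one key with the wrong value.
DEMO=$(mktemp)
cat > "$DEMO" <<'EOF'
# Kernel sysctl configuration file
#net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
EOF
apply_sysctl_file "$DEMO"
apply_sysctl_file "$DEMO"     # second run must change nothing and add nothing
```

Run apply_sysctl_file against /etc/sysctl.conf on the server, then sysctl -p; sysctl_file_value is a quick way to confirm what the file now says for a given key before loading it.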

Opening the firewall ports

Create the file /usr/lib/firewalld/services/pptpd.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>pptpd</short>
  <description>PPTP</description>
  <port protocol="tcp" port="1723"/>
</service>

Create the file /usr/lib/firewalld/services/l2tpd.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>l2tpd</short>
  <description>L2TP IPSec</description>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
  <port protocol="udp" port="1701"/>
</service>

Initialize and reload the firewall:

firewall-cmd --reload
firewall-cmd --permanent --add-service=pptpd
firewall-cmd --permanent --add-service=l2tpd
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -i ppp+ -j TCPMSS --syn --set-mss 1356
firewall-cmd --reload

This is because CentOS 7 comes with firewalld and does not preinstall iptables, so I did not go out of my way to install it; the result is the same either way.

Starting the services and enabling them at boot

systemctl enable pptpd ipsec xl2tpd
systemctl restart pptpd ipsec xl2tpd

All done

The last step, and of course the most important one, is to connect to the VPN server you have just built!

I expect you now share the joy I felt. Of course, if anything went wrong along the way, the discussion area is below, and everyone is welcome to join in!


Author: Hooqii
Link: http://www.imooc.com/article/8659
Source: imooc (慕課網)