I. Resolving dependencies
1. Enable TUN
cat /dev/net/tun
(1) If it returns the following, TUN is already enabled:
cat: /dev/net/tun: File descriptor in bad state
(2) If it returns
The TUN device is not available You need to enable TUN before running this script
then run:
cd /dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun
2. Install dependencies
yum install -y epel-release libreswan
3. Install L2TP
Two pieces of software support the L2TP protocol: one is xl2tpd, the other option is StrongSwan.
yum install -y xl2tpd
II. Configuration
1. Kernel configuration
vi /etc/sysctl.conf
Set the following:
vm.swappiness = 0
kernel.sysrq = 1
net.ipv4.neigh.default.gc_stale_time = 120
# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_forward=1
Save the changes and apply them:
sysctl -p
2. Configure IPsec
(1) Configure the encrypted connection
IPsec encrypts the traffic, protecting the VPN communication.
vi /etc/ipsec.d/l2tp_ipsec.conf
Save it with the following content:
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=[this host's address on the virtual subnet]
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
(2) Configure the PSK (pre-shared key)
vi /etc/ipsec.secrets
Add:
: PSK "123456789"
Run the checks:
ipsec setup start
ipsec verify
Everything should report OK.
(3) Start IPsec
systemctl enable ipsec
3. Configure xl2tpd
(1) Back up the configuration file
cp /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.bak
(2) Open the configuration file
vi /etc/xl2tpd/xl2tpd.conf
The main thing to change here is the address range of the virtual network; note that local ip is this host's virtual address. The defaults are:
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
Also note the path to the PPP options file, set in the same file:
pppoptfile = /etc/ppp/options.xl2tpd
4. Configure PPP
(1) Back up the configuration file
cp /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.bak
(2) Open the configuration file
vi /etc/ppp/options.xl2tpd
The main change is the DNS servers:
ms-dns 8.8.8.8
ms-dns 8.8.4.4
ms-dns 4.2.2.4
The full file looks like this:
name xl2tpd
ipcp-accept-local
ipcp-accept-remote
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
ms-dns 8.8.8.8
ms-dns 4.2.2.4
ms-dns 8.8.4.4
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
#noccp
auth
#obsolete: crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#obsolete: lock
proxyarp
connect-delay 5000
refuse-pap
refuse-mschap
refuse-mschap-v2
persist
logfile /var/log/xl2tpd.log
(3) Set the username and password
vi /etc/ppp/chap-secrets
The format is:
# client server secret IP addresses
username * password *
5. Start xl2tpd
systemctl start xl2tpd
systemctl enable xl2tpd
systemctl status xl2tpd
6. Configure the firewall
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=500/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --reload
7. Configure the cloud environment
Be sure to open the UDP protocol ports, not TCP.
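As an added example (not part of the original tutorial), the script below checks the three things that most often go wrong after following the steps above: the sysctl values from step II.1, the PSK in /etc/ipsec.secrets from step II.2, and the UDP ports opened in step II.6. Each function reads a file or a string, so it can be tried on constructed input; the 20-character PSK threshold is an assumption, not something the tutorial states.

```shell
#!/bin/bash
# Added example: post-setup sanity checks for the L2TP/IPsec configuration above.
# Each function reads a file or a string, so it also runs against constructed input.

# Return 0 if every sysctl key the VPN relies on has the expected value in the
# given sysctl.conf-style file (the last occurrence wins, as sysctl does).
check_sysctl_file() {
  local file="$1" key expected actual rc=0
  while read -r key expected; do
    actual=$(awk -F'=' -v k="$key" '
      { gsub(/[[:space:]]/, "", $1); if ($1 == k) { gsub(/[[:space:]]/, "", $2); v = $2 } }
      END { print v }' "$file")
    if [ "$actual" != "$expected" ]; then
      echo "sysctl $key: expected $expected, got '${actual:-unset}'"
      rc=1
    fi
  done <<'EOF'
net.ipv4.ip_forward 1
net.ipv4.conf.all.rp_filter 0
net.ipv4.conf.default.rp_filter 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.send_redirects 0
EOF
  return $rc
}

# Return 0 if the PSK in an ipsec.secrets-style file is not the sample value
# used in the tutorial and is at least 20 characters long (assumed threshold).
check_psk_file() {
  local file="$1" psk
  psk=$(sed -n 's/^[^#]*PSK[[:space:]]*"\([^"]*\)".*$/\1/p' "$file" | head -n 1)
  if [ -z "$psk" ]; then echo "no PSK line found in $file"; return 1; fi
  if [ "$psk" = "123456789" ]; then echo "PSK is still the tutorial sample value"; return 1; fi
  if [ "${#psk}" -lt 20 ]; then echo "PSK is shorter than 20 characters"; return 1; fi
  return 0
}

# Return 0 if the UDP ports IKE, NAT-T and L2TP use (500, 4500, 1701) all
# appear in the string passed in, e.g. the output of `firewall-cmd --list-ports`.
check_udp_ports() {
  local ports="$1" p rc=0
  for p in 500/udp 4500/udp 1701/udp; do
    case " $ports " in
      *" $p "*) ;;
      *) echo "missing firewall port: $p"; rc=1 ;;
    esac
  done
  return $rc
}
```

On the VPN host, source the file and run `check_sysctl_file /etc/sysctl.conf && check_psk_file /etc/ipsec.secrets && check_udp_ports "$(firewall-cmd --list-ports)"`; a non-zero exit prints which item is missing.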