Setting up an L2TP VPN on CentOS 6.x

Apple disabled PPTP starting with macOS 10.12 and iOS 10; this post describes how to set up L2TP/IPsec instead.

1. Installation
yum install openswan ppp xl2tpd

2. Edit the configuration files
2.1 IPsec configuration: ipsec.conf

vim /etc/ipsec.conf

Append the following to the end of ipsec.conf. Parameters inside a section must be indented, because a line starting in column 0 begins a new section. Replace <public IP> with the server's public address:

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=<public IP>
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

2.2 Shared secret: ipsec.secrets

vim /etc/ipsec.secrets
<public IP> %any: PSK "VPN shared secret"

Use a long random string for the secret rather than a memorable phrase, and keep the file readable by root only (mode 600): this one PSK is all that authenticates the IKE exchange for every client.
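The post leaves the secret as a placeholder. The following added script (not part of the original post) generates a 32-byte random PSK from the kernel CSPRNG, writes the ipsec.secrets line in the form shown above, and checks the resulting file. The address 203.0.113.10 in the usage comment is an example value, and the output path is a parameter so the check can also be run against a copy of the file.

```shell
#!/bin/sh
# Added example, not from the original post: generate a high-entropy pre-shared
# key and write an openswan ipsec.secrets file with root-only permissions.

# Print a random PSK: 32 bytes from the kernel CSPRNG, base64-encoded (44 chars).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_ipsec_secrets <public_ip> <psk> <output_file>
# Writes the PSK line in the same form the post uses. pluto reads the file as
# root and nobody else needs it, so it is created with mode 600.
write_ipsec_secrets() {
    ip="$1"; psk="$2"; out="$3"
    case "$psk" in
        *\"*) echo "PSK must not contain double quotes" >&2; return 1 ;;
    esac
    ( umask 077; printf '%s %%any: PSK "%s"\n' "$ip" "$psk" > "$out" )
    chmod 600 "$out"
}

# check_ipsec_secrets <file>: returns 0 when the file is root-only, contains a
# PSK line, and the secret is neither the post's placeholder nor shorter than
# 20 characters.
check_ipsec_secrets() {
    f="$1"
    perms=$(ls -l "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "$f: expected mode 600, got $perms" >&2; return 1; }
    secret=$(sed -n 's/.*PSK "\([^"]*\)".*/\1/p' "$f" | head -n 1)
    [ -n "$secret" ] || { echo "$f: no PSK line found" >&2; return 1; }
    [ "$secret" != "VPN shared secret" ] || { echo "$f: placeholder PSK still in place" >&2; return 1; }
    [ ${#secret} -ge 20 ] || { echo "$f: PSK shorter than 20 characters" >&2; return 1; }
    return 0
}

# Usage as root (203.0.113.10 is an example address):
#   write_ipsec_secrets 203.0.113.10 "$(gen_psk)" /etc/ipsec.secrets
#   check_ipsec_secrets /etc/ipsec.secrets && service ipsec restart
```

The check is deliberately separate from the write so it can be re-run later, for example from a cron job, to catch a secrets file whose permissions were loosened or whose PSK was reset to a placeholder.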
2.3 Enable IP forwarding and related settings: /etc/sysctl.conf

vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

ip_forward is what lets the server route traffic for VPN clients; ipsec verify reports a failure if send_redirects or accept_redirects are left enabled.

Apply the settings:
sysctl -p
2.4 Start IPsec and verify its status

service ipsec start
ipsec verify
2.5 L2TP daemon configuration: xl2tpd.conf

vim /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
listen-addr = <public IP>
[lns default]
; addresses handed out to VPN clients
ip range = 192.168.1.2-192.168.1.100
local ip = 192.168.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

refuse pap and refuse chap turn off the PPP methods that send the password in the clear or as a plain CHAP hash, leaving MS-CHAPv2 (required in the next file) as the only accepted method.

2.6 PPP options for L2TP: /etc/ppp/options.xl2tpd

vim /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

2.7 Create VPN accounts

vim /etc/ppp/chap-secrets

# client    server    secret    IP addresses
username * password *

One line per user. The secrets are stored in plaintext (MS-CHAPv2 needs the cleartext password on the server), so this file must be owned by root with mode 600.

2.8 Enable NAT
# eth1 is the interface that carries the public IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
service iptables save

iptables-save on its own only prints the current ruleset to stdout; on CentOS 6, service iptables save writes it to /etc/sysconfig/iptables so it is restored on boot.

2.9 Start the xl2tpd service
service xl2tpd start

3. Enable the services at boot
chkconfig ipsec on
chkconfig xl2tpd on

Re-add the NAT rule from /etc/rc.local so it exists after every reboot:
vim /etc/rc.local
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
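An added audit script (not from the original post) that re-checks the files written in sections 2.3 to 2.7 for the settings that decide how clients are authenticated: PAP and plain CHAP refused, MS-CHAPv2 required, no noauth in the PPP options, chap-secrets readable only by root, and forwarding enabled. All file paths are parameters, so it can be pointed at copies of the files; it prints one line per finding and returns the number of findings, so 0 means clean.

```shell
#!/bin/sh
# Added example, not from the original post: audit the L2TP/IPsec configuration
# files for the authentication and forwarding settings the setup relies on.

# has_setting <file> <key> <value>: true when an uncommented "key = value" line
# exists. The key may contain spaces (xl2tpd.conf style) or dots (sysctl style);
# a trailing ";" comment is tolerated and matching is case-insensitive.
has_setting() {
    key=$(printf '%s' "$2" | sed -e 's/\./\\./g' -e 's/[[:space:]]\{1,\}/[[:space:]]+/g')
    grep -Eiq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*$3[[:space:]]*(;.*)?$" "$1"
}

# audit_l2tp_config <xl2tpd.conf> <options.xl2tpd> <chap-secrets> <sysctl.conf>
# Prints one line per finding and returns the number of findings (0 = clean).
audit_l2tp_config() {
    xl2tpd="$1"; ppp="$2"; chap="$3"; sysctl="$4"; n=0

    # xl2tpd: weak PPP methods must be refused and authentication required
    has_setting "$xl2tpd" "refuse pap" yes || { echo "$xl2tpd: 'refuse pap = yes' missing (PAP sends passwords in the clear)"; n=$((n+1)); }
    has_setting "$xl2tpd" "refuse chap" yes || { echo "$xl2tpd: 'refuse chap = yes' missing (plain CHAP allowed)"; n=$((n+1)); }
    has_setting "$xl2tpd" "require authentication" yes || { echo "$xl2tpd: 'require authentication = yes' missing"; n=$((n+1)); }

    # pppd options: MS-CHAPv2 required, and nothing that disables authentication
    grep -Eq '^[[:space:]]*require-mschap-v2[[:space:]]*$' "$ppp" || { echo "$ppp: require-mschap-v2 missing"; n=$((n+1)); }
    grep -Eq '^[[:space:]]*noauth' "$ppp" && { echo "$ppp: noauth present, clients would not be authenticated"; n=$((n+1)); }

    # chap-secrets: plaintext secrets, so root-only; every entry needs 4 fields
    perms=$(ls -l "$chap" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "$chap: expected mode 600, got $perms"; n=$((n+1)); }
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$chap" | awk 'NF != 4 { c++ } END { print c+0 }')
    [ "$bad" -eq 0 ] || { echo "$chap: $bad entries without exactly 4 fields (client server secret ip)"; n=$((n+1)); }

    # sysctl: without forwarding, clients connect but get no route out
    has_setting "$sysctl" "net.ipv4.ip_forward" 1 || { echo "$sysctl: net.ipv4.ip_forward = 1 missing"; n=$((n+1)); }

    return $n
}

# Usage on the server, after any change to these files:
#   audit_l2tp_config /etc/xl2tpd/xl2tpd.conf /etc/ppp/options.xl2tpd \
#                     /etc/ppp/chap-secrets /etc/sysctl.conf
```

The checks read the files rather than the running daemons, so they also work on configuration kept in version control before it is deployed; the sysctl check therefore only confirms the intended value, and sysctl net.ipv4.ip_forward is still the authoritative view of the live kernel.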

1 comment

  • MichaelGates, 4 April 2017

    Still updating; that's not easy.
