Liunx搭建VPN

//www.xiukee.com/show_530564.html

接下来怎么办？不懂Linux会不会死？不会滴。
命令都在这里了。
先安装pptpd服务，就是VPN连接的软件模块。
输入：yum install ppp iptables pptpd

安装完成之后，你就得开始好好干活了：
A：编辑pptpd.conf：

输入：vi /etc/pptpd.conf

找到localip，去掉下面字段前面的#，然后保存退出。

localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245

Tips：
不会用vi编辑器怎么办？用上下键移动光标到需要修的那一行，按“i”键进入插入编辑状态，修改完成之后，按“esc”键退出编辑，直接在键盘上输入“:wq”即可保存退出。
编辑options.pptpd

vi /etc/ppp/options.pptpd

搜索ms-dns，去掉搜索到的两行ms-dns前面的#，并修改为下面的字段

ms-dns 8.8.8.8
ms-dns 8.8.4.4

然后是加入VPN的帐号密码，需要编辑/etc/ppp/chap-secrets设置：

vi /etc/ppp/chap-secrets

添加一行，按照下面格式输入：

用户名 pptpd 密码 *

保存退出，配置内核。

vi /etc/sysctl.conf

在这个文件里面加入一行：net.ipv4.ip_forward=1，然后保存退出。

输入：sysctl -p 让刚才的设置生效。

输入：

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 47.93.56.87

请注意最后的参数并不是那一段中文哦，而是你的服务器的IP地址。去阿里云的管理平台看。

然后输入：chmod +x /etc/rc.d/rc.local
编辑系统配置：vi /etc/rc.d/rc.local
把刚才那个iptables的命令加入进去。保存退出。
启动vpn链接的服务：systemctl start pptpd

让它开机自启动：

chkconfig pptpd on

万事大吉，整个过程大概30分钟就能搞定。
之后的VPN设置也很容易，你有了IP地址和用户名密码，直接设置好了就行。

我总结了一个shell脚本

#!/bin/bash
#############################################################
#                                                           #
# This is a PPTP and L2TP VPN installation for CentOS 7     #
# Version: 1.1.1 20160507                                   #
# Author: Bon Hoo                                           #
# Website: //www.ccwebsite.com                         #
#                                                           #
#############################################################
#检测是否是root用户
if [[ $(id -u) != "0" ]]; then
    printf "\e[42m\e[31mError: You must be root to run this install script.\e[0m\n"
    exit 1
fi
#检测是否是CentOS 7或者RHEL 7
if [[ $(grep "release 7." /etc/redhat-release 2>/dev/null | wc -l) -eq 0 ]]; then
    printf "\e[42m\e[31mError: Your OS is NOT CentOS 7 or RHEL 7.\e[0m\n"
    printf "\e[42m\e[31mThis install script is ONLY for CentOS 7 and RHEL 7.\e[0m\n"
    exit 1
fi
clear
printf "
#############################################################
#                                                           #
# This is a PPTP and L2TP VPN installation for CentOS 7     #
# Version: 1.1.1 20160507                                   #
# Author: Bon Hoo                                           #
# Website: //www.ccwebsite.com                         #
#                                                           #
#############################################################
"
#获取服务器IP
serverip=$(ifconfig -a |grep -w "inet"| grep -v "127.0.0.1" |awk '{print $2;}')
printf "\e[33m$serverip\e[0m is the server IP?"
printf "If \e[33m$serverip\e[0m is \e[33mcorrect\e[0m, press enter directly."
printf "If \e[33m$serverip\e[0m is \e[33mincorrect\e[0m, please input your server IP."
printf "(Default server IP: \e[33m$serverip\e[0m):"
read serveriptmp
if [[ -n "$serveriptmp" ]]; then
    serverip=$serveriptmp
fi
#获取网卡接口名称
ethlist=$(ifconfig | grep ": flags" | cut -d ":" -f1)
eth=$(printf "$ethlist\n" | head -n 1)
if [[ $(printf "$ethlist\n" | wc -l) -gt 2 ]]; then
    echo ======================================
    echo "Network Interface list:"
    printf "\e[33m$ethlist\e[0m\n"
    echo ======================================
    echo "Which network interface you want to listen for ocserv?"
    printf "Default network interface is \e[33m$eth\e[0m, let it blank to use default network interface: "
    read ethtmp
    if [ -n "$ethtmp" ]; then
        eth=$ethtmp
    fi
fi
#设置VPN拨号后分配的IP段
iprange="10.0.1"
echo "Please input IP-Range:"
printf "(Default IP-Range: \e[33m$iprange\e[0m): "
read iprangetmp
if [[ -n "$iprangetmp" ]]; then
    iprange=$iprangetmp
fi
#设置预共享密钥
mypsk="ueibo.cn"
echo "Please input PSK:"
printf "(Default PSK: \e[33mueibo.cn\e[0m): "
read mypsktmp
if [[ -n "$mypsktmp" ]]; then
    mypsk=$mypsktmp
fi
#设置VPN用户名
username="ueibo.com"
echo "Please input VPN username:"
printf "(Default VPN username: \e[33mueibo.com\e[0m): "
read usernametmp
if [[ -n "$usernametmp" ]]; then
    username=$usernametmp
fi
#随机密码
randstr() {
    index=0
    str=""
    for i in {a..z}; do arr[index]=$i; index=$(expr ${index} + 1); done
    for i in {A..Z}; do arr[index]=$i; index=$(expr ${index} + 1); done
    for i in {0..9}; do arr[index]=$i; index=$(expr ${index} + 1); done
    for i in {1..10}; do str="$str${arr[$RANDOM%$index]}"; done
    echo $str
}
#设置VPN用户密码
password=$(randstr)
printf "Please input \e[33m$username\e[0m's password:\n"
printf "Default password is \e[33m$password\e[0m, let it blank to use default password: "
read passwordtmp
if [[ -n "$passwordtmp" ]]; then
    password=$passwordtmp
fi
clear
#打印配置参数
clear
echo "Server IP:"
echo "$serverip"
echo
echo "Server Local IP:"
echo "$iprange.1"
echo
echo "Client Remote IP Range:"
echo "$iprange.10-$iprange.254"
echo
echo "PSK:"
echo "$mypsk"
echo
echo "Press any key to start..."
get_char() {
    SAVEDSTTY=`stty -g`
    stty -echo
    stty cbreak
    dd if=/dev/tty bs=1 count=1 2> /dev/null
    stty -raw
    stty echo
    stty $SAVEDSTTY
}
char=$(get_char)
clear
mknod /dev/random c 1 9
#更新组件
yum update -y
#安装epel源
yum install epel-release -y
#安装依赖的组件
yum install -y openswan ppp pptpd xl2tpd wget
#创建ipsec.conf配置文件
rm -f /etc/ipsec.conf
cat >>/etc/ipsec.conf<<EOF
# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5
# basic configuration
config setup
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    force_keepalive=yes
    keep_alive=1800
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$serverip
    leftid=$serverip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
    leftnexthop=%defaultroute
    rightnexthop=%defaultroute
    ike=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
    phase2alg=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
    sha2-truncbug=yes
# For example connections, see your distribution's documentation directory,
# or the documentation which could be located at
#  /usr/share/docs/libreswan-3.*/ or look at //www.libreswan.org/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
# You may put your configuration (.conf) file in the "/etc/ipsec.d/" directory
# by uncommenting this line
#include /etc/ipsec.d/*.conf
EOF
#设置预共享密钥配置文件
rm -f /etc/ipsec.secrets
cat >>/etc/ipsec.secrets<<EOF
#include /etc/ipsec.d/*.secrets
$serverip %any: PSK "$mypsk"
EOF
#创建pptpd.conf配置文件
rm -f /etc/pptpd.conf
cat >>/etc/pptpd.conf<<EOF
#ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
#debug
# stimeout 10
#noipparam
logwtmp
#vrf test
#bcrelay eth1
#delegate
#connections 100
localip $iprange.2
remoteip $iprange.200-254
EOF
#创建xl2tpd.conf配置文件
mkdir -p /etc/xl2tpd
rm -f /etc/xl2tpd/xl2tpd.conf
cat >>/etc/xl2tpd/xl2tpd.conf<<EOF
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
[global]
; ipsec saref = yes
listen-addr = $serverip
auth file = /etc/ppp/chap-secrets
port = 1701
[lns default]
ip range = $iprange.10-$iprange.199
local ip = $iprange.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = L2TPVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
#创建options.pptpd配置文件
mkdir -p /etc/ppp
rm -f /etc/ppp/options.pptpd
cat >>/etc/ppp/options.pptpd<<EOF
# Authentication
name pptpd
#chapms-strip-domain
# Encryption
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40    # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}
ms-dns 8.8.4.4
ms-dns 8.8.8.8
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp
#10.8.0.100
# Logging
#debug
#dump
lock
nobsdcomp
novj
novjccomp
nologfd
EOF
#创建options.xl2tpd配置文件
rm -f /etc/ppp/options.xl2tpd
cat >>/etc/ppp/options.xl2tpd<<EOF
#require-pap
#require-chap
#require-mschap
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1400
noccp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\VPN Users"'
# You need to join the domain on the server, for example using samba:
# //rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
EOF
#创建chap-secrets配置文件，即用户列表及密码
rm -f /etc/ppp/chap-secrets
cat >>/etc/ppp/chap-secrets<<EOF
# Secrets for authentication using CHAP
# client     server     secret               IP addresses
$username          pptpd     $password               *
$username          l2tpd     $password               *
EOF
ServerIP: 47.93.56.87
username: ueibo.com
password: K872ozFAY5
PSK: ueibo.cn
#修改系统配置，允许IP转发
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0
sysctl -w net.ipv4.conf.$eth.rp_filter=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
cat >>/etc/sysctl.conf<<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.$eth.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
#允许防火墙端口
cat >>/usr/lib/firewalld/services/pptpd.xml<<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>pptpd</short>
  <description>PPTP and Fuck the GFW</description>
  <port protocol="tcp" port="1723"/>
</service>
EOF
cat >>/usr/lib/firewalld/services/l2tpd.xml<<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>l2tpd</short>
  <description>L2TP IPSec</description>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
  <port protocol="udp" port="1701"/>
</service>
EOF
#centos7.0版本的防火墙
#systemctl start firewalld
#firewall-cmd --reload
#firewall-cmd --permanent --add-service=pptpd
#firewall-cmd --permanent --add-service=l2tpd
#firewall-cmd --permanent --add-service=ipsec
#firewall-cmd --permanent --add-masquerade
#firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -i ppp+ -j TCPMSS --syn --set-mss 1356
#firewall-cmd --reload
#centos7.0以下版本的防火墙
iptables --table nat --append POSTROUTING --jump MASQUERADE
iptables -t nat -A POSTROUTING -s $iprange.0/24 -o $eth -j MASQUERADE
iptables -t nat -A POSTROUTING -s $iprange.0/24 -j SNAT --to-source $serverip
iptables -I FORWARD -p tcp –syn -i ppp+ -j TCPMSS –set-mss 1356
service iptables save
#允许开机启动
systemctl enable pptpd ipsec xl2tpd
systemctl restart pptpd ipsec xl2tpd
clear
#测试ipsec
ipsec verify
printf "
#############################################################
#                                                           #
# This is a PPTP and L2TP VPN installation for CentOS 7     #
# Version: 1.1.1 20160507                                   #
# Author: Bon Hoo                                           #
# Website: //www.ccwebsite.com                         #
#                                                           #
#############################################################
if there are no [FAILED] above, then you can
connect to your L2TP VPN Server with the default
user/password below:
ServerIP: $serverip
username: $username
password: $password
PSK: $mypsk
"

把以上代码放在shell文件中,执行!