您现在的位置是:首页 > 个人博客日记 个人博客日记

Liunx搭建VPN

2017-06-17 15:22:23

http://www.xiukee.com/show_530564.html

接下来怎么办?不懂Linux会不会死?不会滴。
命令都在这里了。
先安装pptpd服务,就是VPN连接的软件模块。
输入:yum install ppp iptables pptpd

安装完成之后,你就得开始好好干活了:
A:编辑pptpd.conf:

  1. 输入:vi /etc/pptpd.conf

找到localip,去掉下面字段前面的#,然后保存退出。

  1. localip 192.168.0.1
  2. remoteip 192.168.0.234-238,192.168.0.245

Tips:
不会用vi编辑器怎么办?用上下键移动光标到需要修的那一行,按“i”键进入插入编辑状态,修改完成之后,按“esc”键退出编辑,直接在键盘上输入“:wq”即可保存退出。
编辑options.pptpd

  1. vi /etc/ppp/options.pptpd

搜索ms-dns,去掉搜索到的两行ms-dns前面的#,并修改为下面的字段

  1. ms-dns 8.8.8.8
  2. ms-dns 8.8.4.4

然后是加入VPN的帐号密码,需要编辑/etc/ppp/chap-secrets设置:

  1. vi /etc/ppp/chap-secrets

添加一行,按照下面格式输入:

  1. 用户名 pptpd 密码 *

保存退出,配置内核。

  1. vi /etc/sysctl.conf

在这个文件里面加入一行:net.ipv4.ip_forward=1,然后保存退出。

输入:sysctl -p 让刚才的设置生效。

输入:

  1. iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 47.93.56.87

请注意最后的参数并不是那一段中文哦,而是你的服务器的IP地址。去阿里云的管理平台看。

  1. 然后输入:chmod +x /etc/rc.d/rc.local
  2. 编辑系统配置:vi /etc/rc.d/rc.local
  3. 把刚才那个iptables的命令加入进去。保存退出。
  4. 启动vpn链接的服务:systemctl start pptpd

让它开机自启动:

  1. chkconfig pptpd on

万事大吉,整个过程大概30分钟就能搞定。
之后的VPN设置也很容易,你有了IP地址和用户名密码,直接设置好了就行。

我总结了一个shell脚本

  1. #!/bin/bash
  2. #############################################################
  3. # #
  4. # This is a PPTP and L2TP VPN installation for CentOS 7 #
  5. # Version: 1.1.1 20160507 #
  6. # Author: Bon Hoo #
  7. # Website: http://www.ccwebsite.com #
  8. # #
  9. #############################################################
  10. #检测是否是root用户
  11. if [[ $(id -u) != "0" ]]; then
  12. printf "\e[42m\e[31mError: You must be root to run this install script.\e[0m\n"
  13. exit 1
  14. fi
  15. #检测是否是CentOS 7或者RHEL 7
  16. if [[ $(grep "release 7." /etc/redhat-release 2>/dev/null | wc -l) -eq 0 ]]; then
  17. printf "\e[42m\e[31mError: Your OS is NOT CentOS 7 or RHEL 7.\e[0m\n"
  18. printf "\e[42m\e[31mThis install script is ONLY for CentOS 7 and RHEL 7.\e[0m\n"
  19. exit 1
  20. fi
  21. clear
  22. printf "
  23. #############################################################
  24. # #
  25. # This is a PPTP and L2TP VPN installation for CentOS 7 #
  26. # Version: 1.1.1 20160507 #
  27. # Author: Bon Hoo #
  28. # Website: http://www.ccwebsite.com #
  29. # #
  30. #############################################################
  31. "
  32. #获取服务器IP
  33. serverip=$(ifconfig -a |grep -w "inet"| grep -v "127.0.0.1" |awk '{print $2;}')
  34. printf "\e[33m$serverip\e[0m is the server IP?"
  35. printf "If \e[33m$serverip\e[0m is \e[33mcorrect\e[0m, press enter directly."
  36. printf "If \e[33m$serverip\e[0m is \e[33mincorrect\e[0m, please input your server IP."
  37. printf "(Default server IP: \e[33m$serverip\e[0m):"
  38. read serveriptmp
  39. if [[ -n "$serveriptmp" ]]; then
  40. serverip=$serveriptmp
  41. fi
  42. #获取网卡接口名称
  43. ethlist=$(ifconfig | grep ": flags" | cut -d ":" -f1)
  44. eth=$(printf "$ethlist\n" | head -n 1)
  45. if [[ $(printf "$ethlist\n" | wc -l) -gt 2 ]]; then
  46. echo ======================================
  47. echo "Network Interface list:"
  48. printf "\e[33m$ethlist\e[0m\n"
  49. echo ======================================
  50. echo "Which network interface you want to listen for ocserv?"
  51. printf "Default network interface is \e[33m$eth\e[0m, let it blank to use default network interface: "
  52. read ethtmp
  53. if [ -n "$ethtmp" ]; then
  54. eth=$ethtmp
  55. fi
  56. fi
  57. #设置VPN拨号后分配的IP段
  58. iprange="10.0.1"
  59. echo "Please input IP-Range:"
  60. printf "(Default IP-Range: \e[33m$iprange\e[0m): "
  61. read iprangetmp
  62. if [[ -n "$iprangetmp" ]]; then
  63. iprange=$iprangetmp
  64. fi
  65. #设置预共享密钥
  66. mypsk="ueibo.cn"
  67. echo "Please input PSK:"
  68. printf "(Default PSK: \e[33mueibo.cn\e[0m): "
  69. read mypsktmp
  70. if [[ -n "$mypsktmp" ]]; then
  71. mypsk=$mypsktmp
  72. fi
  73. #设置VPN用户名
  74. username="ueibo.com"
  75. echo "Please input VPN username:"
  76. printf "(Default VPN username: \e[33mueibo.com\e[0m): "
  77. read usernametmp
  78. if [[ -n "$usernametmp" ]]; then
  79. username=$usernametmp
  80. fi
  81. #随机密码
  82. randstr() {
  83. index=0
  84. str=""
  85. for i in {a..z}; do arr[index]=$i; index=$(expr ${index} + 1); done
  86. for i in {A..Z}; do arr[index]=$i; index=$(expr ${index} + 1); done
  87. for i in {0..9}; do arr[index]=$i; index=$(expr ${index} + 1); done
  88. for i in {1..10}; do str="$str${arr[$RANDOM%$index]}"; done
  89. echo $str
  90. }
  91. #设置VPN用户密码
  92. password=$(randstr)
  93. printf "Please input \e[33m$username\e[0m's password:\n"
  94. printf "Default password is \e[33m$password\e[0m, let it blank to use default password: "
  95. read passwordtmp
  96. if [[ -n "$passwordtmp" ]]; then
  97. password=$passwordtmp
  98. fi
  99. clear
  100. #打印配置参数
  101. clear
  102. echo "Server IP:"
  103. echo "$serverip"
  104. echo
  105. echo "Server Local IP:"
  106. echo "$iprange.1"
  107. echo
  108. echo "Client Remote IP Range:"
  109. echo "$iprange.10-$iprange.254"
  110. echo
  111. echo "PSK:"
  112. echo "$mypsk"
  113. echo
  114. echo "Press any key to start..."
  115. get_char() {
  116. SAVEDSTTY=`stty -g`
  117. stty -echo
  118. stty cbreak
  119. dd if=/dev/tty bs=1 count=1 2> /dev/null
  120. stty -raw
  121. stty echo
  122. stty $SAVEDSTTY
  123. }
  124. char=$(get_char)
  125. clear
  126. mknod /dev/random c 1 9
  127. #更新组件
  128. yum update -y
  129. #安装epel源
  130. yum install epel-release -y
  131. #安装依赖的组件
  132. yum install -y openswan ppp pptpd xl2tpd wget
  133. #创建ipsec.conf配置文件
  134. rm -f /etc/ipsec.conf
  135. cat >>/etc/ipsec.conf<<EOF
  136. # /etc/ipsec.conf - Libreswan IPsec configuration file
  137. # This file: /etc/ipsec.conf
  138. #
  139. # Enable when using this configuration file with openswan instead of libreswan
  140. #version 2
  141. #
  142. # Manual: ipsec.conf.5
  143. # basic configuration
  144. config setup
  145. # NAT-TRAVERSAL support, see README.NAT-Traversal
  146. nat_traversal=yes
  147. # exclude networks used on server side by adding %v4:!a.b.c.0/24
  148. virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  149. # OE is now off by default. Uncomment and change to on, to enable.
  150. oe=off
  151. # which IPsec stack to use. auto will try netkey, then klips then mast
  152. protostack=netkey
  153. force_keepalive=yes
  154. keep_alive=1800
  155. conn L2TP-PSK-NAT
  156. rightsubnet=vhost:%priv
  157. also=L2TP-PSK-noNAT
  158. conn L2TP-PSK-noNAT
  159. authby=secret
  160. pfs=no
  161. auto=add
  162. keyingtries=3
  163. rekey=no
  164. ikelifetime=8h
  165. keylife=1h
  166. type=transport
  167. left=$serverip
  168. leftid=$serverip
  169. leftprotoport=17/1701
  170. right=%any
  171. rightprotoport=17/%any
  172. dpddelay=40
  173. dpdtimeout=130
  174. dpdaction=clear
  175. leftnexthop=%defaultroute
  176. rightnexthop=%defaultroute
  177. ike=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
  178. phase2alg=3des-sha1,aes-sha1,aes256-sha1,aes256-sha2_256
  179. sha2-truncbug=yes
  180. # For example connections, see your distribution's documentation directory,
  181. # or the documentation which could be located at
  182. # /usr/share/docs/libreswan-3.*/ or look at https://www.libreswan.org/
  183. #
  184. # There is also a lot of information in the manual page, "man ipsec.conf"
  185. # You may put your configuration (.conf) file in the "/etc/ipsec.d/" directory
  186. # by uncommenting this line
  187. #include /etc/ipsec.d/*.conf
  188. EOF
  189. #设置预共享密钥配置文件
  190. rm -f /etc/ipsec.secrets
  191. cat >>/etc/ipsec.secrets<<EOF
  192. #include /etc/ipsec.d/*.secrets
  193. $serverip %any: PSK "$mypsk"
  194. EOF
  195. #创建pptpd.conf配置文件
  196. rm -f /etc/pptpd.conf
  197. cat >>/etc/pptpd.conf<<EOF
  198. #ppp /usr/sbin/pppd
  199. option /etc/ppp/options.pptpd
  200. #debug
  201. # stimeout 10
  202. #noipparam
  203. logwtmp
  204. #vrf test
  205. #bcrelay eth1
  206. #delegate
  207. #connections 100
  208. localip $iprange.2
  209. remoteip $iprange.200-254
  210. EOF
  211. #创建xl2tpd.conf配置文件
  212. mkdir -p /etc/xl2tpd
  213. rm -f /etc/xl2tpd/xl2tpd.conf
  214. cat >>/etc/xl2tpd/xl2tpd.conf<<EOF
  215. ;
  216. ; This is a minimal sample xl2tpd configuration file for use
  217. ; with L2TP over IPsec.
  218. ;
  219. ; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
  220. ; clients connect. In this example, the internal (protected) network
  221. ; is 192.168.1.0/24. A special IP range within this network is reserved
  222. ; for the remote clients: 192.168.1.128/25
  223. ; (i.e. 192.168.1.128 ... 192.168.1.254)
  224. ;
  225. ; The listen-addr parameter can be used if you want to bind the L2TP daemon
  226. ; to a specific IP address instead of to all interfaces. For instance,
  227. ; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
  228. ; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
  229. ; will be used by xl2tpd as its address on pppX interfaces.
  230. [global]
  231. ; ipsec saref = yes
  232. listen-addr = $serverip
  233. auth file = /etc/ppp/chap-secrets
  234. port = 1701
  235. [lns default]
  236. ip range = $iprange.10-$iprange.199
  237. local ip = $iprange.1
  238. refuse chap = yes
  239. refuse pap = yes
  240. require authentication = yes
  241. name = L2TPVPN
  242. ppp debug = yes
  243. pppoptfile = /etc/ppp/options.xl2tpd
  244. length bit = yes
  245. EOF
  246. #创建options.pptpd配置文件
  247. mkdir -p /etc/ppp
  248. rm -f /etc/ppp/options.pptpd
  249. cat >>/etc/ppp/options.pptpd<<EOF
  250. # Authentication
  251. name pptpd
  252. #chapms-strip-domain
  253. # Encryption
  254. # BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
  255. # {{{
  256. refuse-pap
  257. refuse-chap
  258. refuse-mschap
  259. # Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
  260. # Challenge Handshake Authentication Protocol, Version 2] authentication.
  261. require-mschap-v2
  262. # Require MPPE 128-bit encryption
  263. # (note that MPPE requires the use of MSCHAP-V2 during authentication)
  264. require-mppe-128
  265. # }}}
  266. # OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
  267. # {{{
  268. #-chap
  269. #-chapms
  270. # Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
  271. # Challenge Handshake Authentication Protocol, Version 2] authentication.
  272. #+chapms-v2
  273. # Require MPPE encryption
  274. # (note that MPPE requires the use of MSCHAP-V2 during authentication)
  275. #mppe-40 # enable either 40-bit or 128-bit, not both
  276. #mppe-128
  277. #mppe-stateless
  278. # }}}
  279. ms-dns 8.8.4.4
  280. ms-dns 8.8.8.8
  281. #ms-wins 10.0.0.3
  282. #ms-wins 10.0.0.4
  283. proxyarp
  284. #10.8.0.100
  285. # Logging
  286. #debug
  287. #dump
  288. lock
  289. nobsdcomp
  290. novj
  291. novjccomp
  292. nologfd
  293. EOF
  294. #创建options.xl2tpd配置文件
  295. rm -f /etc/ppp/options.xl2tpd
  296. cat >>/etc/ppp/options.xl2tpd<<EOF
  297. #require-pap
  298. #require-chap
  299. #require-mschap
  300. ipcp-accept-local
  301. ipcp-accept-remote
  302. require-mschap-v2
  303. ms-dns 8.8.8.8
  304. ms-dns 8.8.4.4
  305. asyncmap 0
  306. auth
  307. crtscts
  308. lock
  309. hide-password
  310. modem
  311. debug
  312. name l2tpd
  313. proxyarp
  314. lcp-echo-interval 30
  315. lcp-echo-failure 4
  316. mtu 1400
  317. noccp
  318. connect-delay 5000
  319. # To allow authentication against a Windows domain EXAMPLE, and require the
  320. # user to be in a group "VPN Users". Requires the samba-winbind package
  321. # require-mschap-v2
  322. # plugin winbind.so
  323. # ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\VPN Users"'
  324. # You need to join the domain on the server, for example using samba:
  325. # http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
  326. EOF
  327. #创建chap-secrets配置文件,即用户列表及密码
  328. rm -f /etc/ppp/chap-secrets
  329. cat >>/etc/ppp/chap-secrets<<EOF
  330. # Secrets for authentication using CHAP
  331. # client server secret IP addresses
  332. $username pptpd $password *
  333. $username l2tpd $password *
  334. EOF
  335. ServerIP: 47.93.56.87
  336. username: ueibo.com
  337. password: K872ozFAY5
  338. PSK: ueibo.cn
  339. #修改系统配置,允许IP转发
  340. sysctl -w net.ipv4.ip_forward=1
  341. sysctl -w net.ipv4.conf.all.rp_filter=0
  342. sysctl -w net.ipv4.conf.default.rp_filter=0
  343. sysctl -w net.ipv4.conf.$eth.rp_filter=0
  344. sysctl -w net.ipv4.conf.all.send_redirects=0
  345. sysctl -w net.ipv4.conf.default.send_redirects=0
  346. sysctl -w net.ipv4.conf.all.accept_redirects=0
  347. sysctl -w net.ipv4.conf.default.accept_redirects=0
  348. cat >>/etc/sysctl.conf<<EOF
  349. net.ipv4.ip_forward = 1
  350. net.ipv4.conf.all.rp_filter = 0
  351. net.ipv4.conf.default.rp_filter = 0
  352. net.ipv4.conf.$eth.rp_filter = 0
  353. net.ipv4.conf.all.send_redirects = 0
  354. net.ipv4.conf.default.send_redirects = 0
  355. net.ipv4.conf.all.accept_redirects = 0
  356. net.ipv4.conf.default.accept_redirects = 0
  357. EOF
  358. #允许防火墙端口
  359. cat >>/usr/lib/firewalld/services/pptpd.xml<<EOF
  360. <?xml version="1.0" encoding="utf-8"?>
  361. <service>
  362. <short>pptpd</short>
  363. <description>PPTP and Fuck the GFW</description>
  364. <port protocol="tcp" port="1723"/>
  365. </service>
  366. EOF
  367. cat >>/usr/lib/firewalld/services/l2tpd.xml<<EOF
  368. <?xml version="1.0" encoding="utf-8"?>
  369. <service>
  370. <short>l2tpd</short>
  371. <description>L2TP IPSec</description>
  372. <port protocol="udp" port="500"/>
  373. <port protocol="udp" port="4500"/>
  374. <port protocol="udp" port="1701"/>
  375. </service>
  376. EOF
  377. #centos7.0版本的防火墙
  378. #systemctl start firewalld
  379. #firewall-cmd --reload
  380. #firewall-cmd --permanent --add-service=pptpd
  381. #firewall-cmd --permanent --add-service=l2tpd
  382. #firewall-cmd --permanent --add-service=ipsec
  383. #firewall-cmd --permanent --add-masquerade
  384. #firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -i ppp+ -j TCPMSS --syn --set-mss 1356
  385. #firewall-cmd --reload
  386. #centos7.0以下版本的防火墙
  387. iptables --table nat --append POSTROUTING --jump MASQUERADE
  388. iptables -t nat -A POSTROUTING -s $iprange.0/24 -o $eth -j MASQUERADE
  389. iptables -t nat -A POSTROUTING -s $iprange.0/24 -j SNAT --to-source $serverip
  390. iptables -I FORWARD -p tcp –syn -i ppp+ -j TCPMSS –set-mss 1356
  391. service iptables save
  392. #允许开机启动
  393. systemctl enable pptpd ipsec xl2tpd
  394. systemctl restart pptpd ipsec xl2tpd
  395. clear
  396. #测试ipsec
  397. ipsec verify
  398. printf "
  399. #############################################################
  400. # #
  401. # This is a PPTP and L2TP VPN installation for CentOS 7 #
  402. # Version: 1.1.1 20160507 #
  403. # Author: Bon Hoo #
  404. # Website: http://www.ccwebsite.com #
  405. # #
  406. #############################################################
  407. if there are no [FAILED] above, then you can
  408. connect to your L2TP VPN Server with the default
  409. user/password below:
  410. ServerIP: $serverip
  411. username: $username
  412. password: $password
  413. PSK: $mypsk
  414. "

把以上代码放在shell文件中,执行!



关注TinyMeng博客,更多精彩分享,敬请期待!
 

上一篇:上一篇

下一篇:下一篇

站点信息