1. 概述
1.1 简介
VPN(Virtual Private Network,即“虚拟私人网络”)是一种通过在数据传输过程中加密的方式来保障数据传输安全的通信方式,L2TP是其中的一种加密方式。
L2TP 的搭建比较繁琐,涉及的部件较多,所以本文也略长,如有任何疑问或看不懂的地方,欢迎留言。
1.2 环境
- Cent OS 7.3
1.3 验证环境
搭建L2TP需要环境支持,所以需要提前查看是否支持,不支持的自行Google
# 查看主机是否支持pptp,返回结果为yes就表示通过
modprobe ppp-compress-18 && echo yes
# 查看是否开启了TUN
# 有的虚拟机主机需要开启,返回结果为**cat: /dev/net/tun: File descriptor in bad state**。就表示通过。
cat /dev/net/tun
2. 安装配置
2.1 安装依赖
yum install -y epel-release
yum update
yum install -y libreswan ppp pptp pptpd xl2tpd wget libreswan lsof
2.2 修改 ipsec.conf 配置文件(/etc/ipsec.conf)
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# Manual: ipsec.conf.5
config setup
# Normally, pluto logs via syslog. If you want to log to a file,
# specify below or to disable logging, eg for embedded systems, use
# the file name /dev/null
# Note: SElinux policies might prevent pluto writing to a log file at
# an unusual location.
#logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
# plutodebug "all", "none" or a combation from below:
# "raw crypt parsing emitting control controlmore kernel pfkey
# natt x509 dpd dns oppo oppoinfo private".
# Note: "private" is not included with "all", as it can show confidential
# information. It must be specifically specified
# examples:
# plutodebug="control parsing"
# plutodebug="all crypt"
# Again: only enable plutodebug when asked by a developer
#plutodebug=none
#
# NAT-TRAVERSAL support
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=netkey
force_keepalive=yes
keep_alive=1800
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
# your IP addr
left=your IP addr
leftid=your IP addr
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=40
dpdtimeout=130
dpdaction=clear
# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
注意:
- 第一行
config setup必须左对齐,即前面不能有空格,否则会报错conn开头的两行必须左对齐,开头不能有空格。- 其他每一行必须以 Tab 开头
- 如果安装的是
openswan,可能需要在config setup之前添加version 2.0
2.3 设置预共享密钥配置文件(/etc/ipsec.secrets)
设置预共享密钥PSK
# include /etc/ipsec.d/*.secrets
192.168.1.100 %any: PSK "password"
格式为 : 服务器IP %any: PSK “预共享密钥”,其中 %any: 和 PSK 之间有空格
注解:第二行中username为登录名,password为登录密码
2.4 修改 pptpd.conf 配置文件(/etc/pptpd.conf)
找到 localip 和 remoteip 去掉前面的#号
localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245
这些是默认的,一般不需要去修改,分配给客户端的ip就是234到245之间,你也可以往大了写,看你的客户端有多少。
2.5 修改 xl2tpd.conf 配置文件(/etc/xl2tpd/xl2tpd.conf)
[global]
listen-addr = 192.168.1.100 # 去掉前面的分号,并将=后面改为服务器本地IP
auth file = /etc/ppp/chap-secrets
;port = 1701
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes
; 一般不需要特殊配置以下内容不需要改动
[lns default]
ip range = 192.168.1.128-192.168.1.254 #设置ip池,ip range是分配给用户的ip,有多少个用户就需要分配多少ip,所以建议分配多一点
local ip = 192.168.1.99 # local ip是分配给本机的ip
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
2.6 修改 options.pptpd 配置文件(/etc/ppp/options.pptpd)
配置 dns ,在文件末尾添加如下
ms-dns 8.8.4.4
ms-dns 8.8.8.8
这里的 dns 配置通常都会使用 Google 的 dns 服务
2.7 修改 options.xl2tpd 配置文件(/etc/ppp/options.xl2tpd)
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
hide-password
name l2tpd
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noccp
connect-delay 5000
2.8 创建 chap-secrets 配置文件,即用户列表及密码(/etc/ppp/chap-secrets)
# Secrets for authentication using CHAP
# client server secret IP addresses
username pptpd password *
username l2tpd password *
格式为:用户名+服务类型(可用*代替表示全部)+密码+IP(可用*代替表示全部Ip)
3. 系统配置
3.1 允许IP转发
修改配置文件(/etc/sysctl.conf)
net.ipv4.ip_forward = 1 // 此处的值改为1,开启内核转发
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
执行 sysctl -p 使内核修改生效
3.2 允许防火墙端口
因为Cent OS 7 采用的是 firewalld 防火墙,所以我们这里只看 firewalld 的配置
创建文件 /usr/lib/firewalld/services/pptpd.xml 并修改如下:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>pptpd</short>
<description>PPTP</description>
<port protocol="tcp" port="1723"/>
</service>
创建文件 /usr/lib/firewalld/services/l2tpd.xml 并修改如下:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>l2tpd</short>
<description>L2TP IPSec</description>
<port protocol="udp" port="500"/>
<port protocol="udp" port="4500"/>
<port protocol="udp" port="1701"/>
</service>
3.3 初始化并重启防火墙
sudo firewall-cmd --reload
sudo firewall-cmd --permanent --add-service=pptpd
sudo firewall-cmd --permanent --add-service=l2tpd
sudo firewall-cmd --permanent --add-service=ipsec
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -i ppp+ -j TCPMSS --syn --set-mss 1356
sudo firewall-cmd --reload
4. 启动
4.1 验证 xl2tpd
Debug 启动 sudo xl2tpd -D 查看状态如下,说明已经成功启动并监听 1701 端口
xl2tpd[18684]: Enabling IPsec SAref processing for L2TP transport mode SAs
xl2tpd[18684]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
xl2tpd[18684]: setsockopt recvref[30]: Protocol not available
xl2tpd[18684]: Not looking for kernel support.
xl2tpd[18684]: xl2tpd version xl2tpd-1.3.8 started on lingfeng PID:18684
xl2tpd[18684]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[18684]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[18684]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[18684]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[18684]: Listening on IP address 0.0.0.0, port 1701
4.2 确认 IPSec 状态
执行 ipsec verify,输出如下
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.23 (netkey) on 3.10.0-862.9.1.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/br-9170defe050d/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/docker0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/vethabd2823/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [UNKNOWN]
(run ipsec verify as root to test ipsec.secrets)
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
Warning: ignored obsolete keyword 'nat_traversal'
Warning: ignored obsolete keyword 'oe'
Warning: ignored obsolete keyword 'force_keepalive'
ipsec verify: encountered 11 errors - see 'man ipsec_verify' for help
注 :
如果出现以下情况, 先执行
ipsec setup start, 再执行ipsec verifyChecking for IPsec support in kernel [FAILED] The ipsec service should be started before running 'ipsec verify' Pluto ipsec.conf syntax [OK] Checking rp_filter [OK] Checking that pluto is running [FAILED]解释一下出现这种情况的原因 :
ipsec如果没有启动,它是暂时不会知道自己将会使用哪种内核栈的,有三种KLIPS,netkey和no stack。选择的依据是你的ipsec.conf文件里的protostack后边的选项,如果是auto, 那么首选netkey, 然后是KLIPS。否则就是protostack的结果。
4.3 设置开机启动
systemctl enable pptpd ipsec xl2tpd
4.4 启动
systemctl restart pptpd ipsec xl2tpd
5. 后记
5.1 配置文件
| 配置文件路径 | 设置内容 |
|---|---|
| /etc/xl2tpd/xl2tpd.conf | ip池、内网IP |
| /etc/ppp/options.xl2tpd | mtu、dns |
| /etc/ipsec.conf | IPSec主配置文件 |
| /etc/ipsec.secrets | 预共享密钥 |
| /etc/ipsec.d/l2tp_psk.conf | 服务器IP |
| /etc/ppp/chap-secrets | 帐号密码 |
| /etc/sysctl.conf | 开启内核转发 |
| /var/log/secure | 日志 |
5.2 所需要安装的软件
| 软件 | 作用 |
|---|---|
| libreswan(ipsec) | 提供一个密钥 |
| ppp | 拨号软件,提供用户名和密码 |
| xl2tpd | 提供L2TP服务 |
| sysctl | 提供服务器内部转发 |
| iptables | 提供请求从服务器内部转向外部,外部响应转向服务器内部 |
参考资料
转载请注明出处:
文章地址:CentOS 7 中使用 PPTP、L2TP、IPSec 搭建 VPN 服务
文章作者:凌风
原始连接:https://lingfeng.me/blog/cent%20os/centos-l2tp/
许可协议:转载请注明原文链接及作者。
