
Setting up an L2TP over IPSec VPN server on EC2

ipsec | admin | 5847 views | 0 comments

References:

Background:
Recently the Great Firewall blocked all Google services and tightened its blocking of circumvention tools; methods such as goagent and editing the hosts file have become largely ineffective.
I had been using a PPTP VPN and thought I had nothing to worry about, but China Telecom then started interfering with the PPTP VPN protocol, making the connection very unstable and prone to frequent disconnects.
That pushed me to set up an L2TP over IPSec VPN on my VPS as well; what follows is my complete installation and configuration process.

Installation and configuration:
Environment:
OS: CentOS 6.4 x86_64 Minimal

1. Edit /etc/sysctl.conf and add the following settings:
# vim /etc/sysctl.conf

# For xl2tpd
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

# sysctl -p

2. Install the EPEL repository
# yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

3. Install the required packages
# yum install wget bind-utils lsof
# yum install openswan xl2tpd ppp
# yum downgrade openswan

4. Apply the configuration-file changes with the following script
# vim l2tpvpn.sh

#!/bin/sh

IPSEC_PSK=SharedSecret
# Change the value above; it is the IPSec pre-shared key that every client must supply

PRIVATE_IP=`wget -q -O - 'http://instance-data/latest/meta-data/local-ipv4'`
PUBLIC_IP=`wget -q -O - 'http://instance-data/latest/meta-data/public-ipv4'`
# Change the values above if needed; I fetch the server's private and public IP automatically from the instance metadata service, which only works on EC2

cat > /etc/ipsec.conf <<EOF
version 2.0

config setup
 dumpdir=/var/run/pluto/
 nat_traversal=yes
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
 oe=off
 protostack=netkey
 nhelpers=0
 interfaces=%defaultroute
 plutostderrlog=/var/log/pluto.log

conn vpnpsk
 auto=add
 left=$PRIVATE_IP
 leftid=$PUBLIC_IP
 leftsubnet=$PRIVATE_IP/32
 leftnexthop=%defaultroute
 leftprotoport=17/1701
 rightprotoport=17/%any
 right=%any
 rightsubnetwithin=0.0.0.0/0
 forceencaps=yes
 authby=secret
 pfs=no
 type=transport
 auth=esp
# 3des-sha1 is a legacy proposal kept here for compatibility with older clients; prefer AES where the clients allow it
 ike=3des-sha1
 phase2alg=3des-sha1
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
EOF

cat > /etc/ipsec.secrets <<EOF
$PUBLIC_IP %any : PSK "$IPSEC_PSK"
EOF

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
 port = 1701

 ;debug avp = yes
 ;debug network = yes
 ;debug state = yes
 ;debug tunnel = yes

[lns default]
 ip range = 172.192.169.10-172.192.169.250
 local ip = 172.192.169.1
 ;Change the virtual address range above (note that 172.192.0.0/16 is not RFC 1918 private space; an unused private range is the safer choice)
 require chap = yes
 refuse pap = yes
 require authentication = yes
 name = l2tpd
 ;ppp debug = yes
 pppoptfile = /etc/ppp/options.xl2tpd
 length bit = yes
EOF

cat > /etc/ppp/options.xl2tpd <<EOF
ipcp-accept-local
ipcp-accept-remote
ms-dns 172.31.0.2
# Change the DNS server above (pppd option files use # for comments, not ;)
noccp
auth
crtscts
idle 1800
mtu 1280
mru 1280
lock
connect-delay 5000
EOF

# chmod +x l2tpvpn.sh
# ./l2tpvpn.sh

5. Configure the username and password
# vim /etc/ppp/chap-secrets

# Change the username and password below
# Secrets for authentication using CHAP
# client	server	  secret	IP addresses
"username"    *      "password"      *

6. Configure NAT for shared Internet access (change the virtual address range below so that it matches the configuration file; the table name must be lowercase "nat")
# iptables -t nat -A POSTROUTING -s 172.192.169.0/24 -o eth0 -j MASQUERADE

7. Open the following ports (on EC2 these must also be allowed in the Security Group)
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
Note: UDP 500 and 4500 carry IKE and NAT-T, and UDP 1701 is L2TP, which arrives inside the IPSec tunnel; TCP 1194 is OpenVPN's default port and is not used by L2TP/IPSec, so that rule can be left out. These rules are lost on reboot unless saved (service iptables save).

8. Start the services and enable them at boot
# service ipsec restart
# service xl2tpd restart
# chkconfig ipsec on
# chkconfig xl2tpd on

9. Done
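As an added example that is not part of the original post, the following POSIX shell script checks that the PPP address pool and "local ip" written to xl2tpd.conf in step 4 are covered by the MASQUERADE subnet from step 6, and that the local ip is not inside the pool; the sample config text and the NAT subnet are constructed from the post's own values.

```shell
#!/bin/sh
# Added check (not from the original post): the PPP pool and "local ip" in
# xl2tpd.conf must agree with the subnet in the step 6 MASQUERADE rule.

# Constructed sample, same values as the post's l2tpvpn.sh
XL2TPD_CONF='[lns default]
 ip range = 172.192.169.10-172.192.169.250
 local ip = 172.192.169.1
'
NAT_SUBNET=172.192.169.0/24

# ip2int A.B.C.D -> prints the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/PREFIX -> exit 0 when ADDR lies inside the subnet
in_cidr() {
    addr=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# conf_value CONFIG KEY -> prints the value of the "KEY = value" line
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p"
}

# pool_matches_nat CONFIG NET/PREFIX -> 0 when both ends of the pool and the
# local ip are covered by the NAT subnet, so MASQUERADE applies to every client
pool_matches_nat() {
    range=$(conf_value "$1" 'ip range'); lip=$(conf_value "$1" 'local ip')
    in_cidr "${range%-*}" "$2" && in_cidr "${range#*-}" "$2" && in_cidr "$lip" "$2"
}

# pool_excludes_local_ip CONFIG -> 0 when "local ip" lies outside the pool,
# so xl2tpd can never hand the server's own address to a client
pool_excludes_local_ip() {
    range=$(conf_value "$1" 'ip range'); lip=$(ip2int "$(conf_value "$1" 'local ip')")
    [ "$lip" -lt "$(ip2int "${range%-*}")" ] || [ "$lip" -gt "$(ip2int "${range#*-}")" ]
}

pool_matches_nat "$XL2TPD_CONF" "$NAT_SUBNET" && pool_excludes_local_ip "$XL2TPD_CONF" \
    && echo "xl2tpd pool and NAT subnet are consistent"
```

Run it after editing the address range in l2tpvpn.sh; if you change the range, change NAT_SUBNET to the value you put in the iptables rule.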


Please credit when reposting: 爱开源 » Setting up an L2TP over IPSec VPN server on EC2
