Welcome to the SJsir 圣杰 Blog

A Linux operation and maintenance engineer's blog

VPN Installation

VPN basics: a Virtual Private Network builds a private, encrypted channel on top of a public network. The VPN gateway encrypts the packets and rewrites their destination addresses, which is what makes remote access possible.

1. Prerequisites for the VPN setup:

        Operating system: CentOS 6.8 (the setup was verified on 6.8; other Linux distributions are supported as well)
        Public IP: 123.206.51.xxx
        Private IP: 10.141.21.59

2. Software to install:

        openswan ppp xl2tpd wget (some of these packages come from the EPEL repository, so configure the EPEL repo beforehand)
        [root@localhost ~]# yum -y install openswan ppp xl2tpd wget

3. Configure IPsec (the security layer):

    (1) Create the ipsec configuration file /etc/ipsec.d/ipv4.conf:

        [root@localhost ~]# vim /etc/ipsec.d/ipv4.conf
        conn L2TP-PSK-NAT
            rightsubnet=vhost:%priv
            also=L2TP-PSK-noNAT
        conn L2TP-PSK-noNAT
            authby=secret
            pfs=no
            auto=add
            keyingtries=3
            rekey=no
            ikelifetime=8h
            keylife=1h
            type=transport
            left=10.141.21.59
            leftprotoport=17/1701
            right=%any
            rightprotoport=17/%any
        Note: the IP in "left=" must be this server's private IP.

    (2) Create the pre-shared key for the VPN connection in /etc/ipsec.secrets:

        [root@localhost ~]# vim /etc/ipsec.secrets
        10.141.21.59 %any: PSK "sjsir@wang"
        Note:
            10.141.21.59 is the server's private IP that clients connect to
            sjsir@wang is the pre-shared key (PSK); the PC client and the server both present it when the connection is authenticated

    (3) Adjust kernel parameters to enable IP forwarding in /etc/sysctl.conf:

        (Note: make sure all of the following settings are present in sysctl.conf)
        [root@localhost ~]# vim /etc/sysctl.conf
            net.ipv4.ip_forward = 1
            net.ipv4.conf.default.rp_filter = 0
            net.ipv4.conf.all.send_redirects = 0
            net.ipv4.conf.default.send_redirects = 0
            net.ipv4.conf.all.log_martians = 0
            net.ipv4.conf.default.log_martians = 0
            net.ipv4.conf.default.accept_source_route = 0
            net.ipv4.conf.all.accept_redirects = 0
            net.ipv4.conf.default.accept_redirects = 0
            net.ipv4.icmp_ignore_bogus_error_responses = 1
        Reload the settings after editing so they take effect: [root@localhost ~]# sysctl -p

    (4) Start ipsec, verify that it is running, and enable it at boot:

        Start ipsec:            [root@localhost ~]# ipsec setup start
        Check status:           [root@localhost ~]# ipsec verify
        Enable at boot:         [root@localhost ~]# chkconfig ipsec on
        Check listening ports:  [root@localhost ~]# ss -unl

4. Configure L2TP and the VPN account details:

    (1) Edit the main configuration file /etc/xl2tpd/xl2tpd.conf:

        [root@localhost ~]# vim /etc/xl2tpd/xl2tpd.conf
        [global]
            ipsec saref = yes
            listen-addr = 10.141.21.59
        [lns default]
            ip range = 192.168.1.2-192.168.1.100
            local ip = 192.168.1.1
            refuse chap = yes
            refuse pap = yes
            require authentication = yes
            ppp debug = yes
            pppoptfile = /etc/ppp/options.xl2tpd
            length bit = yes
        Notes:
            listen-addr must be set to the server's private IP.
            ip range is the private address pool handed out to clients; it is best to keep it in the same subnet the server uses so clients can reach hosts directly, otherwise you will get "route unreachable" errors.

    (2) Set up /etc/ppp/options.xl2tpd:

        [root@localhost ~]# vim /etc/ppp/options.xl2tpd (you can empty the existing file and then add the following content)
            require-mschap-v2
            ms-dns 8.8.8.8
            ms-dns 8.8.4.4
            asyncmap 0
            auth
            crtscts
            lock
            hide-password
            modem
            debug
            name l2tpd
            proxyarp
            lcp-echo-interval 30
            lcp-echo-failure 4
        Note: adjust the ms-dns entries as needed; in the AWS production environment use the IP of the VPC's DHCP host.

    (3) Configure the VPN account (username and password) in /etc/ppp/chap-secrets:

        [root@localhost ~]# vim /etc/ppp/chap-secrets
        # Secrets for authentication using CHAP
        # client        server  secret                  IP addresses
            wsj          l2tpd     123123123                 *
        Note: never use # in a user's password; otherwise the password will be rejected and the login will fail.

    (4) Start xl2tpd, watch the log, and enable it at boot:

        Start:           [root@localhost ~]# service xl2tpd start
        Watch the log:   [root@localhost ~]# tail -F /var/log/messages
        Enable at boot:  [root@localhost ~]# chkconfig xl2tpd on
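A small POSIX shell helper, added here and not part of the original post, that checks the hand-typed values from steps 3(2), 3(3) and 4(3) before the services are restarted: it rejects chap-secrets passwords containing #, emits the ipsec.secrets line with a random PSK instead of a memorable phrase, and verifies that every sysctl key the guide requires is present with the expected value. All function names are my own.

```shell
#!/bin/sh
# Added helper script (not from the original post): sanity-check the values
# this guide has you type by hand before the services are (re)started.

# chap-secrets: the post warns that a '#' in the secret breaks login. Also
# reject empty secrets, whitespace and double quotes, which would split or
# terminate the field.
chap_secret_ok() {
    case "$1" in
        ''|*'#'*|*[[:space:]]*|*'"'*) return 1 ;;
    esac
    return 0
}

# Emit one chap-secrets line: client  server  secret  allowed-IPs
chap_line() {
    chap_secret_ok "$3" || return 1
    printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "${4:-*}"
}

# A 256-bit random hex PSK for ipsec.secrets instead of a guessable phrase.
new_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Emit the ipsec.secrets line; $1 is the server's private IP, $2 the PSK.
psk_line() {
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# Verify every key=value from step 3(3) is set in a sysctl file ($1).
# The last occurrence wins, as it does for sysctl -p. Returns the number
# of keys that are missing or wrong (0 means all good).
sysctl_check() {
    file=$1 bad=0
    for kv in net.ipv4.ip_forward=1 net.ipv4.conf.default.rp_filter=0 \
              net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 \
              net.ipv4.conf.all.log_martians=0 net.ipv4.conf.default.log_martians=0 \
              net.ipv4.conf.default.accept_source_route=0 net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.conf.default.accept_redirects=0 net.ipv4.icmp_ignore_bogus_error_responses=1
    do
        key=${kv%%=*} want=${kv#*=}
        got=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1 | tr -d ' \t\r')
        if [ "$got" != "$want" ]; then
            echo "sysctl: $key should be $want, found '${got:-unset}'" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run it as `. ./vpn-check.sh; sysctl_check /etc/sysctl.conf` before `sysctl -p`, and build the secrets lines with `psk_line 10.141.21.59 "$(new_psk)"` and `chap_line wsj l2tpd '<password>'` instead of editing the files by hand.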

5. Iptables firewall: open the ports and allow forwarding

    (1) Allow ipsec traffic

        [root@localhost ~]# iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
        [root@localhost ~]# iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT

    (2) Do not NAT VPN traffic

        [root@localhost ~]# iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE

    (3) Forwarding rules for VPN

        [root@localhost ~]# iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        [root@localhost ~]# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    (4) Ports for Openswan / xl2tpd

        [root@localhost ~]# iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
        [root@localhost ~]# iptables -A INPUT -p udp --dport 500 -j ACCEPT
        [root@localhost ~]# iptables -A INPUT -p udp --dport 4500 -j ACCEPT
        [root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

    (5) Save the rules, restart the service, and enable it at boot:

        [root@localhost ~]# service iptables save
        [root@localhost ~]# service iptables restart
        [root@localhost ~]# chkconfig iptables on

    (6) Review the iptables rules that are now in place:

        [root@localhost ~]# cat /etc/sysconfig/iptables

6. Configure the security group:

        If you are on AWS, Alibaba Cloud, Tencent Cloud or another cloud provider, you also need to configure the security group and open UDP ports 1701, 4500 and 500.
        This article shows the AWS security group configuration as an example:
