2014年1月28日 星期二

[Linux] 架設 VPN Server (PPTP/IPSEC/L2TP) @ Ubuntu 12.04

研究上需要架設一台 VPN,於是架了 PPTP 後,也順便把 IPSEC、L2TP 補齊。流程:

安裝需要的軟體:

$ sudo apt-get install pptpd openswan xl2tpd ppp

PPTP:

$ sudo vim /etc/pptpd.conf
# (Recommended)
localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245

$ sudo vim /etc/ppp/pptpd-options
# …
ms-dns 8.8.8.8
# …
logfile /var/log/pptpd.log

$ sudo touch /var/log/pptpd.log

$ sudo vim /etc/ppp/chap-secrets
# PPTP
username pptpd password *
# L2TP
username l2tpd password *

其中 username, password 都是明碼


IPSEC/L2TP:

$ sudo su
$ echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
$ for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
$ sysctl -p


$ sudo vim /etc/rc.local
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE


$ sudo vim /etc/ipsec.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=SERVER_IP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any


$ sudo vim /etc/ipsec.secrets
SERVER_IP  %any:  PSK "L2TP_PRIVATE_KEY"


$ sudo vim /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


$ sudo vim /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4


重啟相關服務:

$ sudo service pptpd restart
Restarting PPTP:
Stopping PPTP: pptpd.
Starting PPTP Daemon: pptpd.

$ sudo service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.37...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

$ sudo service xl2tpd restart
Restarting xl2tpd: xl2tpd.


服務驗證:

$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-58-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

沒有留言:

張貼留言