VPS L2TP configuration

Original article: https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.html

As long as ipsec verify reports no errors, it basically always succeeds. I no longer trust one-click installers: I ran into a DDoS before and suspected the script might have had a backdoor.

Install ppp openswan and xl2tpd

First we will install the required packages:

apt-get install openswan xl2tpd ppp lsof

The openswan installation will ask some questions, this tutorial works with the default answers (just enter through it).

Firewall and sysctl

We are going to set the firewall and make sure the kernel forwards IP packets:

Execute this command to enable the iptables firewall to allow vpn traffic:

iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+

Replace %SERVERIP% with the external IP of your VPS. If your external interface is not named ethX (+ is a wildcard) then rename appropriately.

Execute the commands below to enable kernel IP packet forwarding and disable ICMP redirects.

echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" |  tee -a /etc/sysctl.conf

Set these settings for other network interfaces:

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

Apply them:

sysctl -p

Persistent settings via /etc/rc.local

To make sure this keeps working at boot you might want to add the following to /etc/rc.local:

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+

Add it before the exit 0 line and replace %SERVERIP% with the external IP of your VPS.
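The `echo ... | tee -a /etc/sysctl.conf` lines above append a fresh copy of each key every time they are run, so a re-run leaves duplicate (and possibly conflicting) entries. The helper below is an added example, not part of the original tutorial: it sets the same seven keys idempotently in a file you name (GNU sed, as on Ubuntu, is assumed).

```shell
#!/bin/sh
# Idempotent alternative to "echo KEY = VALUE | tee -a /etc/sysctl.conf":
# an existing line for KEY is rewritten in place, otherwise the line is
# appended. Added example, not part of the original tutorial.

# set_sysctl FILE KEY VALUE
set_sysctl() {
  file=$1 key=$2 value=$3
  if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file" 2>/dev/null; then
    # key already present (maybe with another value): replace that line
    sed -i "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# apply_vpn_sysctl FILE: the exact settings from the section above
apply_vpn_sysctl() {
  f=$1
  set_sysctl "$f" net.ipv4.ip_forward 1
  set_sysctl "$f" net.ipv4.conf.all.accept_redirects 0
  set_sysctl "$f" net.ipv4.conf.all.send_redirects 0
  set_sysctl "$f" net.ipv4.conf.default.rp_filter 0
  set_sysctl "$f" net.ipv4.conf.default.accept_source_route 0
  set_sysctl "$f" net.ipv4.conf.default.send_redirects 0
  set_sysctl "$f" net.ipv4.icmp_ignore_bogus_error_responses 1
}

# count_key FILE KEY: how many lines set KEY (stays 1 however often you run it)
count_key() {
  grep -c "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# On the VPS you would run:  apply_vpn_sysctl /etc/sysctl.conf && sysctl -p
```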

Configure Openswan (IPSEC)

Use your favorite editor to edit the following file:

/etc/ipsec.conf

Replace the contents with the following:

(Most lines have a comment below it explaining what it does.)

version 2 # conforms to second version of ipsec.conf specification

config setup
    dumpdir=/var/run/pluto/
    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?

    nat_traversal=yes
    #whether to accept/offer to support NAT (NAPT, also known as "IP Masquerade") workaround for IPsec

    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.

    protostack=netkey
    #decide which protocol stack is going to be used.

    force_keepalive=yes
    keep_alive=60
    # Send a keep-alive packet every 60 seconds.

conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.

    pfs=no
    #Disable pfs

    auto=add
    #load this connection when the ipsec daemon starts, without initiating it: the clients initiate (auto=start would initiate from our side)

    keyingtries=3
    #Only negotiate a conn. 3 times.

    ikelifetime=8h
    keylife=1h

    ike=aes256-sha1,aes128-sha1,3des-sha1
    phase2alg=aes256-sha1,aes128-sha1,3des-sha1
    # https://lists.openswan.org/pipermail/users/2014-April/022947.html
    # ike= specifies the phase 1 encryption cipher, hashing algorithm and (optionally) Diffie-Hellman group; phase2alg= does the same for phase 2. A group is written modp1024 rather than dh2 because DH group 2 is a 1024-bit modular-exponentiation group (arithmetic modulo a prime), not an encryption algorithm. See RFC 5114 for details or the Wikipedia page on Diffie-Hellman, if interested.
    # 3des-sha1 is listed last, as a fallback for old clients only.

    type=transport
    #because we use l2tp as tunnel protocol

    left=%SERVERIP%
    #fill in server IP above

    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

    dpddelay=10
    # Dead Peer Detection (RFC 3706) keepalives delay
    dpdtimeout=20
    #  length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
    dpdaction=clear
    # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA will both be cleared.

Replace %SERVERIP% with the external IP of your server. You can find it out by:

curl http://ip.mtak.nl

Do note that the config file has changed with this Ubuntu release. If you have upgraded Ubuntu or followed an earlier tutorial, make sure you change the config for ipsec.

The shared secret

The shared secret is defined in the /etc/ipsec.secrets file. Make sure it is long and random:

%SERVERIP%  %any:   PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"

Yet again, replace %SERVERIP% with the IP of your server here. If you want to generate a random key you can use the following openssl command:

openssl rand -hex 30

Example output:

c12cf75b47c210b9d7094ce10e3b3544c6927ff49ca2d949252b5a94ccf5
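
"Make sure it is long and random" is easy to forget once the secret is pasted in. The checker below is an added example, not part of the original tutorial: it parses /etc/ipsec.secrets lines of the form shown above, rejects short secrets and the tutorial's own placeholder key, and insists the file is not world-readable. The 32-character minimum and the 600/400 mode requirement are this example's choices.

```shell
#!/bin/sh
# Sanity-check an ipsec.secrets file before starting the tunnel.
# Added example, not part of the original tutorial.

MIN_PSK_LEN=32                                       # this example's choice
TUTORIAL_PSK=69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44  # placeholder from the text above

# psk_strength_ok SECRET: 0 when long enough and not the placeholder
psk_strength_ok() {
  [ ${#1} -ge "$MIN_PSK_LEN" ] && [ "$1" != "$TUTORIAL_PSK" ]
}

# file_mode PATH: octal permission bits (GNU stat, BSD stat as fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_secrets_file PATH: 0 when the mode is 600/400 and every PSK line passes
check_secrets_file() {
  f=$1 rc=0
  case "$(file_mode "$f")" in
    600|400) ;;
    *) echo "$f: mode should be 600, not $(file_mode "$f")" >&2; rc=1 ;;
  esac
  # lines look like:  %SERVERIP%  %any:   PSK "secret"   (comments start with #)
  grep -v '^[[:space:]]*#' "$f" | grep 'PSK' | while IFS= read -r line; do
    secret=$(printf '%s\n' "$line" | sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p')
    if [ -z "$secret" ]; then
      echo "unparseable PSK line: $line" >&2; exit 1
    fi
    if ! psk_strength_ok "$secret"; then
      echo "weak or placeholder PSK on line: $line" >&2; exit 1
    fi
  done || rc=1
  return $rc
}

# On the VPS:  check_secrets_file /etc/ipsec.secrets && /etc/init.d/ipsec restart
```
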

Verify IPSEC Settings

Now to make sure IPSEC works, execute the following command:

ipsec verify

My output looks like this:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.0-24-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
    [OK]
    [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

The /bin/sh and Opportunistic Encryption warnings can be ignored. The first one is an openswan bug and the second one causes xl2tpd to trip.
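The note at the top of the page makes `ipsec verify` the gate for the whole setup, so it is worth turning its output into a pass/fail result. The filter below is an added example, not part of the original tutorial: any `[FAILED]` line fails, and any `[WARNING]`/`[DISABLED]` line fails too unless it is one of the two checks the paragraph above says can be ignored (that allow-list is this example's choice).

```shell
#!/bin/sh
# Gate on "ipsec verify" output. Added example, not part of the original tutorial.

# verify_line_ok LINE: 0 when the line carries no unexpected status tag
verify_line_ok() {
  case $1 in
    *'[FAILED]'*) return 1 ;;
    # the two checks the tutorial says are safe to ignore
    *'Checking /bin/sh is not /bin/dash'*'[WARNING]'*) return 0 ;;
    *'Opportunistic Encryption Support'*'[DISABLED]'*) return 0 ;;
    # any other warning or disabled feature is a problem worth looking at
    *'[WARNING]'*|*'[DISABLED]'*) return 1 ;;
    *) return 0 ;;
  esac
}

# check_ipsec_verify < OUTPUT: reads the verify output on stdin, reports each
# offending line on stderr, returns 0 only when every line passes
check_ipsec_verify() {
  status=0
  while IFS= read -r line; do
    if ! verify_line_ok "$line"; then
      echo "ipsec verify problem: $line" >&2
      status=1
    fi
  done
  return $status
}

# On the VPS:  ipsec verify 2>&1 | check_ipsec_verify && echo "IPsec looks good"
```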

Configure xl2tpd

Use your favorite editor to edit the following file:

/etc/xl2tpd/xl2tpd.conf

Replace the contents with the following:

[global]
ipsec saref = yes
saref refinfo = 30

;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

  • ip range = range of IPs to give to the connecting clients
  • local ip = IP of VPN server
  • refuse pap = refuse pap authentication
  • ppp debug = yes when testing, no when in production

Local user (PAM / /etc/passwd) authentication

To authenticate against local user accounts via PAM (or /etc/passwd), and thus avoid keeping plain-text user passwords in a text file, you have to do a few extra steps.

In your /etc/xl2tpd/xl2tpd.conf add the following line:

unix authentication = yes

and remove the following line:

refuse pap = yes

In the file /etc/ppp/options.xl2tpd make sure you do not add the following line (the PPP section below says to add it, but not if you want to use UNIX authentication):

require-mschap-v2

Also in that file (/etc/ppp/options.xl2tpd) add the following extra line:

login

Change /etc/pam.d/ppp to this:

auth    required        pam_nologin.so
auth    required        pam_unix.so
account required        pam_unix.so
session required        pam_unix.so

(As in, remove existing lines and add these)

Add the following to /etc/ppp/pap-secrets:

*       l2tpd           ""              *

(And, skip the chap-secrets file below (adding users).)

Configuring PPP

Use your favorite editor to edit the following file:

/etc/ppp/options.xl2tpd

Replace the contents with the following:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

  • ms-dns = The DNS servers to hand to the client. I use Google's public DNS.
  • proxyarp = Add an entry to this system's ARP [Address Resolution Protocol] table with the IP address of the peer and the Ethernet address of this system. This will have the effect of making the peer appear to other systems to be on the local Ethernet.
  • name l2tpd = is used in the ppp authentication file.

Adding users

Every user should be defined in the /etc/ppp/chap-secrets file. Below is an example file.

# Secrets for authentication using CHAP
# client       server  secret                  IP addresses
alice          l2tpd   0F92E5FC2414101EA            *
bob            l2tpd   DF98F09F74C06A2F             *

  • client = username for the user
  • server = the name we set with name l2tpd in /etc/ppp/options.xl2tpd
  • secret = password for the user
  • IP addresses = leave as * for any address, or list the addresses from which a user may log in.

Testing it

To make sure everything has the newest config files restart openswan and xl2tpd:

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

On the client, connect to the server IP address (or a DNS name for it) with a valid user, password and the shared secret. Test whether you have internet access and which IP you have (for example via http://whatsmyip.org). If it is the VPN server's IP, it works.

If you experience problems, check the client log files and, on the Ubuntu server, /var/log/syslog and /var/log/auth.log. Searching for the error messages usually turns up a good answer.

Finally, here is my configuration, which differs from the one above. The current environment is Ubuntu 14.04 LTS.

ipsec.conf

version 2.0

config setup
  dumpdir=/var/run/pluto/
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
  oe=off
  protostack=netkey
  nhelpers=0
  interfaces=%defaultroute

conn vpnpsk
  connaddrfamily=ipv4
  auto=add
  left=108.61.180.230
  leftid=108.61.180.230
  leftprotoport=17/1701
  rightprotoport=17/%any
  right=%any
  rightsubnetwithin=0.0.0.0/0
  forceencaps=yes
  authby=secret
  pfs=no
  type=transport
  auth=esp
  ike=3des-sha1,aes-sha1
  phase2alg=3des-sha1,aes-sha1
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear

rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
/usr/sbin/service ipsec restart
/usr/sbin/service xl2tpd restart
echo 1 > /proc/sys/net/ipv4/ip_forward  # not needed if forwarding is already set in sysctl
ssserver -c /etc/shadowsocks.json -d start # start shadowsocks at boot
exit 0

options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
crtscts
idle 1800
mtu 1280
mru 1280
lock
lcp-echo-failure 10
lcp-echo-interval 60
connect-delay 5000

xl2tpd.conf

[global]
port = 1701

;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.42.1
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Time: 2024-08-14 04:41:53
