最近发现GFW又升级了,而使用google是我们IT人员必须的工具,没有办法只有自己动手部署squid服务器,结果发现squid不是很稳定,经常说出现一会能打开,一会又打不开的情况(具体原因未知),为避免麻烦干脆在Azure上部署了一套L2TP VPN服务器,在这里将部署过程写下,希望对各位博友有帮助;
L2TP是常用的一种point-site的VPN。而目前在Azure上的VPN Gateway只支持IPsec和SSTP两种。如果客户需要L2TP服务器,需要自己在VM中搭建。本文将介绍如何在Azure上搭建基于CentOS65的L2TP服务器。
情况说明:我这里采用的是CentOS6.8操作系统,其它操作系统的操作方法大概相同;
1、购买Azure VM虚拟机
注意:不要买错了哦,NO Made in China,是.com,不是.cn
2、安装L2TP服务器
1)配置yum源
vi /etc/yum.repos.d/epel.repo [epel] name=epel baseurl=http://mirrors.sohu.com/fedora-epel/6/$basearch enabled=1 gpgcheck=0
2)yum安装PPP等
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof
3)安装IPSEC
wget https://download.openswan.org/openswan/openswan-2.6.49.tar.gz --no-check-certificate tar vxf openswan-2.6.49.tar.gz cd openswan-2.6.49 make programs install
注:如果在安装之后发现无法启动ipsec服务,可以yum install -y ipsec,它会安装一些依懒上去,就可以正常启动对应服务了;
4)安装xl2tpd
yum install -y xl2tpd
3、配置相关服务
1)配置IPSEC
vi /etc/ipsec.conf conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=100.104.172.10 #这里的IP地址为Azure VM的内网地址; leftprotoport=17/1701 right=%any rightprotoport=17/%any dpddelay=30 dpdtimeout=120 dpdaction=clear
2)配置IPSEC的Security(配置共享密钥)
vi /etc/ipsec.secrets %any %any: PSK "www.obayun.com" #引号中间为密钥; 或者写成 100.104.172.10 %any: PSK "www.obayun.com" #其中100.104.172.10 为Azure VM的内网地址;
3)配置sysctl.conf文件
vi /etc/sysctl.conf net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1
通过下面的命令生效配置:
#配置内核生效NAT转发
sysctl -p #启动IPSEC服务 service ipsec start ipsec verify #检测IPSEC是否正常 Verifying installed system and configuration files Version check and ipsec on-path [OK] Libreswan 3.15 (netkey) on 2.6.32-642.6.2.el6.x86_64 Checking for IPsec support in kernel [OK] NETKEY: Testing XFRM related proc values ICMP default/send_redirects [OK] ICMP default/accept_redirects [OK] XFRM larval drop [OK] Pluto ipsec.conf syntax [OK] Hardware random device [N/A] Checking rp_filter [ENABLED] /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED] rp_filter is not fully aware of IPsec and should be disabled Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE/NAT-T on udp 4500 [OK] Pluto ipsec.secret syntax [OK] Checking ‘ip‘ command [OK] Checking ‘iptables‘ command [OK] Checking ‘prelink‘ command does not interfere with FIPS [PRESENT] Checking for obsolete ipsec.conf options [OK] Opportunistic Encryption [DISABLED]
4)配置xl2tpd
[global] ipsec saref = no [lns default] #设置建立连接后,分配给客户端的ip地址 ip range = 192.168.1.128-192.168.1.254 local ip = 192.168.1.99 require chap = yes refuse pap = yes require authentication = yes name = LinuxVPNserver ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
5)配置ppp的用户名密码
vi /etc/ppp/chap-secrets obayun * "www.obayun.com " * #前面为用户名,引号中间为密码;
6)配置Win7连接支持[可略过...]
vi /etc/ppp/options.xl2tpd require-mschap-v2
7)配置iptables
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT service iptables save
8)启动服务
service ipsec restart service xl2tpd restart service iptables restart chkconfig xl2tpd on chkconfig iptables on chkconfig ipsec on
4、配置终结点(配置NAT)
这个名字我怎么听都不对,我更愿意叫它NAT或防火墙,感觉更容易理解,作用就是将你的虚拟机端口映射到公网;
5、客户端配置
1)修改注册表
这里以Windows7为例,新建1.reg,将对应内容复制至此文件,双击导入注册表,然后重启电脑即可;
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent] "AssumeUDPEncapsulationContextOnSendRule"=dword:00000002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters] "ProhibitIpSec"=dword:00000000
2)配置预设密钥
配置VPN客户端,设置对应的预设密钥为:前面服务器端配置的密钥即可;
3)测试连接
从此通往自由之门的路已经打开....
时间: 2024-08-02 11:00:50