Notes on installing an L2TP VPN on CentOS

  1. Install ipsec
  2. Install the required packages
  3. Configure ipsec
  4. Configure the pre-shared key
  5. Configure forwarding
  6. Verify the ipsec configuration
  7. Install xl2tpd
  8. Configure xl2tpd
  9. Configure forwarding rules
  10. Start xl2tpd
  11. Configure autostart

I switched to a new VPS. I had always used PPTP and OpenVPN before; this time I decided to try L2TP, and these are my notes on the installation.

On the iPhone the VPN can then be toggled quickly through NCSettings; OpenVPN has no NCSettings entry.

First, uninstall any openswan that is already installed. The openswan version installed via yum install had a bug that kept me from connecting after a full day of fiddling, so I recommend downloading the source of a specific version and compiling it yourself.

Install ipsec

yum remove -y openswan
wget http://www.openswan.org/download/openswan-2.6.24.tar.gz
tar zxvf openswan-2.6.24.tar.gz
cd openswan-2.6.24
make programs install

Install the required packages

yum install ppp iptables libpcap-devel

Configure ipsec

rm -f /etc/ipsec.conf
cat >/etc/ipsec.conf <<EOF
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # replace $ip with the public IP of your VPS
    left=$ip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF

Configure the pre-shared key

Replace the VPS IP and the key:

echo "$your_vps_ip %any: PSK \"$your_key\"" >/etc/ipsec.d/l2tp.secrets

Configure forwarding

sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
iptables -t nat -A POSTROUTING -j MASQUERADE

Verify the ipsec configuration

/etc/init.d/ipsec restart
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.24/K2.6.32-71.29.1.el6.i686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

Install xl2tpd

wget http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.3.0.tar.gz
tar xvf xl2tpd-1.3.0.tar.gz
cd xl2tpd-1.3.0
make install
mkdir /var/run/xl2tpd
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
mkdir /etc/xl2tpd

Configure xl2tpd

Edit /etc/xl2tpd/xl2tpd.conf:

[global]
; replace $your_vps_ip with the IP of your VPS
listen-addr = $your_vps_ip
ipsec saref = yes
[lns default]
ip range = 192.168.30.10-192.168.30.20
local ip = 192.168.30.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Edit /etc/ppp/options.xl2tpd:

require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
noccp
auth
crtscts
hide-password
debug
modem
lock
proxyarp
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4

Configure the user and password in /etc/ppp/chap-secrets:

# Secrets for authentication using CHAP
# client server secret IP addresses
name l2tpd password *

Configure forwarding rules

iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source $your_vps_ip

Start xl2tpd

xl2tpd -D &

It should now be running; create an L2TP connection on your phone or computer to test it.

Configure autostart

To make sure the L2TP service comes up after every VPS reboot, a few more steps are needed:

iptables-save > /etc/iptables
echo "iptables-restore /etc/iptables" >> /etc/rc.local
echo "/usr/local/sbin/xl2tpd -D &" >> /etc/rc.local
chkconfig --add ipsec
chkconfig --level 2345 ipsec on
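After the steps above, a quick sanity check of what was configured is useful. This script is an added example, not part of the original post: it checks the PSK file's permissions and key length, that xl2tpd refuses PAP and requires CHAP, that pppd requires MS-CHAPv2 and hides passwords from its debug log, and that the kernel settings "ipsec verify" tests are in place. Each check takes the file or directory to inspect as $1; the defaults are the paths used in this post.

```shell
# Post-install sanity checks for the L2TP/IPsec setup described in this post.
# Added example, not from the original post. Every check takes the file or
# directory to inspect as $1 so it can run on copies; defaults are the post's paths.

# The PSK file must be readable by root only and contain one
# '<ip> %any: PSK "<key>"' line whose key is at least 16 characters long.
check_psk() {
    f=${1:-/etc/ipsec.d/l2tp.secrets}
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    case $mode in 600|400) ;; *) echo "$f is mode $mode, want 600"; return 1 ;; esac
    key=$(sed -n 's/^[^ ]* %any: PSK "\(.*\)"$/\1/p' "$f")
    [ -n "$key" ] || { echo "no PSK line in $f"; return 1; }
    [ "${#key}" -ge 16 ] || { echo "PSK in $f is shorter than 16 characters"; return 1; }
}

# xl2tpd must require CHAP and refuse PAP, which would carry passwords in clear.
check_xl2tpd() {
    f=${1:-/etc/xl2tpd/xl2tpd.conf}
    for opt in 'require chap' 'refuse pap' 'require authentication'; do
        pat=$(echo "$opt" | sed 's/ /[[:space:]]+/')
        grep -Eq "^[[:space:]]*$pat[[:space:]]*=[[:space:]]*yes" "$f" \
            || { echo "$f: '$opt = yes' is not set"; return 1; }
    done
}

# pppd must require MS-CHAPv2 and must hide passwords from its debug log.
check_ppp() {
    f=${1:-/etc/ppp/options.xl2tpd}
    for opt in require-mschap-v2 hide-password; do
        grep -Eq "^[[:space:]]*$opt([[:space:]]|$)" "$f" || { echo "$f: missing $opt"; return 1; }
    done
}

# Forwarding must be on and ICMP redirects off on every interface, which is
# what "ipsec verify" tests. $1 is the sysctl tree root (default /proc/sys).
check_kernel() {
    root=${1:-/proc/sys}
    [ "$(cat "$root/net/ipv4/ip_forward" 2>/dev/null)" = 1 ] || { echo "ip_forward is off"; return 1; }
    for d in "$root"/net/ipv4/conf/*; do
        for k in accept_redirects send_redirects; do
            [ "$(cat "$d/$k" 2>/dev/null)" = 0 ] || { echo "$d/$k is not 0"; return 1; }
        done
    done
}

# Run everything against the live system; stops at the first failing check.
run_all() { check_psk && check_xl2tpd && check_ppp && check_kernel; }
```

Source the file and call run_all as root after the install; a non-zero exit with a message names the first file that needs fixing.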

References:
Installing and configuring L2TP on CentOS

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

Article URL: http://xfeng.me/centos-install-l2tp-vpn-note/