VPS L2TP配置
原文地址:https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.html
只要保证ipsec verify没错,基本都可以成功。再也不相信一键安装,之前遇到DDos,也怀疑是不是脚本的后门。
Install ppp openswan and xl2tpd
First we will install the required packages:
第一步,安装下面的几个,配置全部默认就好。
apt-get install openswan xl2tpd ppp lsof
The openswan installation will ask some questions, this tutorial works with the default answers (just enter through it).
Firewall and sysctl
We are going to set the firewall and make sure the kernel forwards IP packets:
Execute this command to enable the iptables firewall to allow vpn traffic:
第二步,%SERVERIP%自己替换成自己的服务器ip,然后配置网络参数。iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
Replace %SERVERIP% with the external IP of your VPS. If your external interface is not named ethX (+ is a wildcard) then rename appropriately.
Execute the below commands to enable kernel IP packet forwarding and disable ICP redirects.
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
Set these settings for other network interfaces:
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
Apply them:
sysctl -p
Persistent settings via /etc/rc.local
To make sure this keeps working at boot you might want to add the following to /etc/rc.local:
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
Add it before the exit 0 line and replace %SERVERIP% with the external IP of your VPS.
Configure Openswan (IPSEC)
Use your favorite editor to edit the following file:
/etc/ipsec.conf
到这一步可以直接到我下面的配置了,注意把/etc/ipsec.conf的ip换成你自己的服务器IP。
Replace the contents with the following:
(Most lines have a comment below it explaining what it does.)
version 2 # conforms to second version of ipsec.conf specification
config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
protostack=netkey
#decide which protocol stack is going to be used.
force_keepalive=yes
keep_alive=60
# Send a keep-alive packet every 60 seconds.
conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.
pfs=no
#Disable pfs
auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
keyingtries=3
#Only negotiate a conn. 3 times.
ikelifetime=8h
keylife=1h
ike=aes256-sha1,aes128-sha1,3des-sha1
phase2alg=aes256-sha1,aes128-sha1,3des-sha1
# https://lists.openswan.org/pipermail/users/2014-April/022947.html
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.
type=transport
#because we use l2tp as tunnel protocol
left=%SERVERIP%
#fill in server IP above
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.
Replace %SERVERIP% with the external IP of your server. You can find it out by:
curl http://ip.mtak.nl
Do note that the config file has changed with this Ubuntu release. If you have upgraded Ubuntu or followed an earlier tutorial, make sure you change the config for ipsec.
The shared secret
The shared secret is defined in the /etc/ipsec.secrets file. Make sure it is long and random:
%SERVERIP% %any: PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"
Yet again, replace %SERVERIP% with the IP of your server here. If you want to generate a random key you can use the following openssl command:
openssl rand -hex 30
Example output:
c12cf75b47c210b9d7094ce10e3b3544c6927ff49ca2d949252b5a94ccf5
Verify IPSEC Settings
Now to make sure IPSEC works, execute the following command:
ipsec verify
My output looks like this:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-24-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
The /bin/sh and Opportunistic Encryption warnings can be ignored. The first one is a openswan bug and the second one causes xl2tpd to trip.
Configure xl2tpd
Use your favorite editor to edit the following file:
/etc/xl2tpd/xl2tpd.conf
Replace the contents with the following:
[global]
ipsec saref = yes
saref refinfo = 30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
ip range = range of IPs to give to the connecting clients
local ip = IP of VPN server
refuse pap = refure pap authentication
ppp debug = yes when testing, no when in production
Local user (PAM / /etc/passwd) authentication
To use local user accounts via pam (or /etc/passwd), and thus not having plain text user passwords in a text file you have to do a few extra steps.
In your /etc/xl2tpd/xl2tpd.conf add the following line:
unix authentication = yes
and remove the following line:
refuse pap = yes
In the file /etc/ppp/options.xl2tpd make sure you do not add the following line (below it states to add it, but not if you want to use UNIX authentication):
require-mschap-v2
Also in that file (/etc/ppp/options.xl2tpd) add the following extra line:
login
Change /etc/pam.d/ppp to this:
auth required pam_nologin.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
(As in, remove existing lines and add these)
Add the following to /etc/ppp/pap-secrets:
* l2tpd "" *
(And, skip the chap-secrets file below (adding users).)
Configuring PPP
Use your favorite editor to edit the following file:
/etc/ppp/options.xl2tpd
Replace the contents with the following:
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ms-dns = The dns to give to the client. I use googles public DNS.
proxyarp = Add an entry to this systems ARP [Address Resolution Protocol] table with the IP address of the peer and the Ethernet address of this system. This will have the effect of making the peer appear to other systems to be on the local ethernet.
name l2tpd = is used in the ppp authentication file.
Adding users
Every user should be defined in the /etc/ppp/chap-secrets file. Below is an example file.
# Secrets for authentication using CHAP
# client server secret IP addresses
alice l2tpd 0F92E5FC2414101EA *
bob l2tpd DF98F09F74C06A2F *
client = username for the user
server = the name we define in the ppp.options file for xl2tpd
secret = password for the user
IP Addresses = leave to * for any address or define addresses from were a user can login.
Testing it
To make sure everything has the newest config files restart openswan and xl2tpd:
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
On the client connect to the server IP address (or add a DNS name) with a valid user, password and the shared secret. Test if you have internet access and which IP you have (via for example http://whatsmyip.org. If it is the VPN servers IP then it works.
If you experience problems make sure to check the client log files and the ubuntu /var/log/syslog and /var/log/auth.log files. If you google the error messages you most of the time get a good answer.
最后是我的配置,我的配置跟上面的有不同的。现在的运行环境是(ubuntu 14.04 LTS)
ipsec.conf
version 2.0 config setup dumpdir=/var/run/pluto/ nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24 oe=off protostack=netkey nhelpers=0 interfaces=%defaultroute conn vpnpsk connaddrfamily=ipv4 auto=add left=108.61.180.230 leftid=108.61.180.230 leftprotoport=17/1701 rightprotoport=17/%any right=%any rightsubnetwithin=0.0.0.0/0 forceencaps=yes authby=secret pfs=no type=transport auth=esp ike=3des-sha1,aes-sha1 phase2alg=3des-sha1,aes-sha1 rekey=no keyingtries=5 dpddelay=30 dpdtimeout=120 dpdaction=clear
rc.local
#!/bin/sh -e # # rc.local # # This script is executed at the end of each multiuser runlevel. # Make sure that the script will "exit 0" on success or any other # value on error. # # In order to enable or disable this script just change the execution # bits. # # By default this script does nothing. /usr/sbin/service ipsec restart /usr/sbin/service xl2tpd restart ssserver -c /etc/shadowsocks.json -d start # ss开机启动 exit 0
optios.xl2tpd
ipcp-accept-local ipcp-accept-remote ms-dns 8.8.8.8 ms-dns 8.8.4.4 noccp auth crtscts idle 1800 mtu 1280 mru 1280 lock lcp-echo-failure 10 lcp-echo-interval 60 connect-delay 5000
xl2tpd.config
[global] port = 1701 ;debug avp = yes ;debug network = yes ;debug state = yes ;debug tunnel = yes [lns default] ip range = 192.168.42.10-192.168.42.250 local ip = 192.168.42.1 require chap = yes refuse pap = yes require authentication = yes name = l2tpd ;ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes
设置VPN帐号 /etc/ppp/chap-secrets
# Secrets for authentication using CHAP # client server secret IP addresses alice l2tpd 0F92E5FC2414101EA * bob l2tpd DF98F09F74C06A2F *
设置共享密钥 /etc/ipsec.secrets
YOUR_SERVER_IP %any: PSK "www.coolicer.com"
