VPS L2TP配置
原文地址:https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.html
只要保证ipsec verify没错,基本都可以成功。再也不相信一键安装,之前遇到DDos,也怀疑是不是脚本的后门。
Install ppp openswan and xl2tpd
First we will install the required packages:
第一步,安装下面的几个,配置全部默认就好。
apt-get install openswan xl2tpd ppp lsof
The openswan installation will ask some questions, this tutorial works with the default answers (just enter through it).
Firewall and sysctl
We are going to set the firewall and make sure the kernel forwards IP packets:
Execute this command to enable the iptables firewall to allow vpn traffic:
第二步,%SERVERIP%自己替换成自己的服务器ip,然后配置网络参数。
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
Replace %SERVERIP% with the external IP of your VPS. If your external interface is not named ethX (+
is a wildcard) then rename appropriately.
Execute the below commands to enable kernel IP packet forwarding and disable ICP redirects.
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
Set these settings for other network interfaces:
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
Apply them:
sysctl -p
Persistent settings via /etc/rc.local
To make sure this keeps working at boot you might want to add the following to /etc/rc.local:
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
Add it before the exit 0
line and replace %SERVERIP% with the external IP of your VPS.
Configure Openswan (IPSEC)
Use your favorite editor to edit the following file:
/etc/ipsec.conf
到这一步可以直接到我下面的配置了,注意把/etc/ipsec.conf的ip换成你自己的服务器IP。
Replace the contents with the following: (Most lines have a comment below it explaining what it does.) version 2 # conforms to second version of ipsec.conf specification config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core? nat_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects. protostack=netkey
#decide which protocol stack is going to be used. force_keepalive=yes
keep_alive=60
# Send a keep-alive packet every 60 seconds. conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates. pfs=no
#Disable pfs auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts. keyingtries=3
#Only negotiate a conn. 3 times. ikelifetime=8h
keylife=1h ike=aes256-sha1,aes128-sha1,3des-sha1
phase2alg=aes256-sha1,aes128-sha1,3des-sha1
# https://lists.openswan.org/pipermail/users/2014-April/022947.html
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested. type=transport
#because we use l2tp as tunnel protocol left=%SERVERIP%
#fill in server IP above leftprotoport=17/1701
right=%any
rightprotoport=17/%any dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.
Replace %SERVERIP% with the external IP of your server. You can find it out by: curl http://ip.mtak.nl
Do note that the config file has changed with this Ubuntu release. If you have upgraded Ubuntu or followed an earlier tutorial, make sure you change the config for ipsec. The shared secret The shared secret is defined in the /etc/ipsec.secrets file. Make sure it is long and random: %SERVERIP% %any: PSK "69EA16F2C529E74A7D1B0FE99E69F6BDCD3E44"
Yet again, replace %SERVERIP% with the IP of your server here. If you want to generate a random key you can use the following openssl command: openssl rand -hex 30
Example output: c12cf75b47c210b9d7094ce10e3b3544c6927ff49ca2d949252b5a94ccf5
Verify IPSEC Settings Now to make sure IPSEC works, execute the following command: ipsec verify
My output looks like this: Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-24-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
The /bin/sh and Opportunistic Encryption warnings can be ignored. The first one is a openswan bug and the second one causes xl2tpd to trip. Configure xl2tpd Use your favorite editor to edit the following file: /etc/xl2tpd/xl2tpd.conf
Replace the contents with the following: [global]
ipsec saref = yes
saref refinfo = 30 ;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes [lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
ip range = range of IPs to give to the connecting clients
local ip = IP of VPN server
refuse pap = refure pap authentication
ppp debug = yes when testing, no when in production
Local user (PAM / /etc/passwd) authentication To use local user accounts via pam (or /etc/passwd), and thus not having plain text user passwords in a text file you have to do a few extra steps. In your /etc/xl2tpd/xl2tpd.conf add the following line: unix authentication = yes
and remove the following line: refuse pap = yes
In the file /etc/ppp/options.xl2tpd make sure you do not add the following line (below it states to add it, but not if you want to use UNIX authentication): require-mschap-v2
Also in that file (/etc/ppp/options.xl2tpd) add the following extra line: login
Change /etc/pam.d/ppp to this: auth required pam_nologin.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
(As in, remove existing lines and add these) Add the following to /etc/ppp/pap-secrets: * l2tpd "" *
(And, skip the chap-secrets file below (adding users).) Configuring PPP Use your favorite editor to edit the following file: /etc/ppp/options.xl2tpd
Replace the contents with the following: require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ms-dns = The dns to give to the client. I use googles public DNS.
proxyarp = Add an entry to this systems ARP [Address Resolution Protocol] table with the IP address of the peer and the Ethernet address of this system. This will have the effect of making the peer appear to other systems to be on the local ethernet.
name l2tpd = is used in the ppp authentication file.
Adding users Every user should be defined in the /etc/ppp/chap-secrets file. Below is an example file. # Secrets for authentication using CHAP
# client server secret IP addresses
alice l2tpd 0F92E5FC2414101EA *
bob l2tpd DF98F09F74C06A2F *
client = username for the user
server = the name we define in the ppp.options file for xl2tpd
secret = password for the user
IP Addresses = leave to * for any address or define addresses from were a user can login.
Testing it To make sure everything has the newest config files restart openswan and xl2tpd: /etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
On the client connect to the server IP address (or add a DNS name) with a valid user, password and the shared secret. Test if you have internet access and which IP you have (via for example http://whatsmyip.org. If it is the VPN servers IP then it works. If you experience problems make sure to check the client log files and the ubuntu /var/log/syslog and /var/log/auth.log files. If you google the error messages you most of the time get a good answer.
原文内容
最后是我的配置,我的配置跟上面的有不同的。现在的运行环境是(ubuntu 14.04 LTS)
ipsec.conf
version 2.0 config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/,%v4:192.168.0.0/,%v4:172.16.0.0/,%v4:!192.168.42.0/
oe=off
protostack=netkey
nhelpers=
interfaces=%defaultroute conn vpnpsk
connaddrfamily=ipv4
auto=add
left=108.61.180.230
leftid=108.61.180.230
leftprotoport=/
rightprotoport=/%any
right=%any
rightsubnetwithin=0.0.0.0/
forceencaps=yes
authby=secret
pfs=no
type=transport
auth=esp
ike=3des-sha1,aes-sha1
phase2alg=3des-sha1,aes-sha1
rekey=no
keyingtries=
dpddelay=
dpdtimeout=
dpdaction=clear
rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
/usr/sbin/service ipsec restart
/usr/sbin/service xl2tpd restart ssserver -c /etc/shadowsocks.json -d start # ss开机启动
exit
optios.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
auth
crtscts
idle
mtu
mru
lock
lcp-echo-failure
lcp-echo-interval
connect-delay
xl2tpd.config
[global]
port = ;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes [lns default]
ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.42.1
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
设置VPN帐号 /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
alice l2tpd 0F92E5FC2414101EA *
bob l2tpd DF98F09F74C06A2F *
设置共享密钥 /etc/ipsec.secrets
YOUR_SERVER_IP %any: PSK "www.coolicer.com"
VPS L2TP配置的更多相关文章
- 亚马逊云服务器VPS Amazon EC2 免费VPS主机配置CentOS及其它内容
Amazon目前提供为期一年的免费VPS服务,可到地址http://aws.amazon.com 进行申请. 现在对账号申请成功后,对VPS主机配置CentOS的过程做个图文介绍 1.创建实例(Ins ...
- VPS安全配置
VPS安全配置 购买VPS后重装操作系统,以windows server 2008为例. 1 登录服务器 重装操作系统后,第一时间登录服务器,迅速进行安全配置. VPN-->Remote Des ...
- 【记录】haphost免费vps初始配置
1.配置德国epel源 yum install yum-priorities rpm -Uvh http://ftp-stud.hs-esslingen.de/pub/epel/6/i386/epel ...
- VPS环境配置预备篇
VPS买到手了,在配置环境前要做哪些操作呢?老谢说一下自己的习惯,希望对和老谢一样的菜鸟有帮助更新系统内核和rpm包#安装yum-fastestmirror插件yum -y install yum-f ...
- Ubuntu 14.04 VPS安装配置***的方法
#安装*** $ sudo apt-get update $ sudo apt-get install python-gevent python-pip $ sudo pip install shad ...
- pfsense 2.2RC下的L2TP配置
还不有测试完成,不过,基本上应该差不多了. 主要参考以下文档: http://blog.sina.com.cn/s/blog_541a3cf10101ard3.html http://thepract ...
- 2014.1.23 Discuz论坛迁移+VPS配置手记
虽说这也不是我第一次转移这个论坛了,但毕竟还是第一次自己配置VPS,写点东西记一下 一:关于VPS的配置 1.用TeamViewer连接服务器 这个VPS的IDC自己带有一个远程控制的页面,用浏览器打 ...
- Ubuntu下配置L2TP
发现PPTP已经不可用了,不知是不是又被墙了.只能尝试L2TP了. Ubuntu可视化配置界面network-manager默认是没有L2TP配置选项的,需要安装第三方插件软件: sudo apt-a ...
- 初识vps,域名与购买,初步配置
终于还是到了这一天,不管我们是不是程序员,当我们想拥有自己的一个的博客,当我们想有自己的一个空间,当我们想在网上有一个自己可以随心所欲编写任何不被限制的仅仅是酷炫的效果,当我们想收录自己的技术,经历, ...
随机推荐
- java read读取方法 之 指定读取大小,根据返回值判断是否读取所有的内容 -1表示读取完毕
当读取的内容小于指定的长度时候 字符数组里面会出现一部分字符是上一次遗留下来的情况
- 【bzoj2654】tree 二分+Kruscal
题目描述 给你一个无向带权连通图,每条边是黑色或白色.让你求一棵最小权的恰好有need条白色边的生成树.题目保证有解. 输入 第一行V,E,need分别表示点数,边数和需要的白色边数. 接下来E行,每 ...
- Kingdom and its Cities - CF613D
Meanwhile, the kingdom of K is getting ready for the marriage of the King's daughter. However, in or ...
- Oracle 转义字符
id sfds_V_SF ASD_V_DSAF SD_V_DSAD 下划线是Oracle特殊字符,需要转移,如下 select * from systab t where t.id like ...
- [NOIP2012 TG D2T1]同余方程
题目大意:求关于 x 的同余方程 ax ≡ 1 (mod b)的最小正整数解. 题解:即求a在mod b意义下的逆元,这里用扩展欧几里得来解决 C++ Code: #include<cstdio ...
- bzoj2165: 大楼 (矩阵快速幂)
//========================== 蒟蒻Macaulish:http://www.cnblogs.com/Macaulish/ 转载要声明! //=============== ...
- BZOJ5300:[CQOI2018]九连环——题解
一种打表的方法,适用于知道如何解九连环的人. 我们知道,解九(n)连环必须先解第九(n)环,然后解八(n-1).七(n-2)-- 根据这个我们飞快的写出了一个递推式,设\(f[i]\)为\(i\)连环 ...
- React setState和修改props触发的钩子
1. setState的改变会触发4个生命周期钩子 shouldComponentUpdatecomponentWillUpdaterendercomponentDidUpdate 2. props的 ...
- 【树形DP】【P1351】 【NOIP2014D1T2】联合权值
传送门 Description 无向连通图 \(G\) 有 \(n\) 个点, \(n-1\) 条边.点从 \(1\) 到 \(n\) 依次编号,编号为 \(i\) 的点的权值为 \(W_i\) ,每 ...
- 2017-7-18-每日博客-关于Linux下的history的常用命令.doc
History history命令可以用来显示曾执行过的命令.执行过的命令默认存储在HOME目录中的.bash_history文件中,可以通过查看该文件来获取执行命令的历史记录.需要注意的是.bash ...