
Setting up an L2TP VPN server

Tags: /Computer Docs/Linux & Unix/   Date Created:

Installing an L2TP/IPsec VPN server on Ubuntu 12.04

http://lesca.me/archives/how-to-setup-l2tp-over-ipsec-on-ubuntu.html
Install the required packages. The defaults offered during installation are fine; the detailed configuration follows below.
sudo apt-get install openswan xl2tpd ppp
Configure IPsec (openswan)
sudo vi /etc/ipsec.conf
version 2.0
config setup
   nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
   oe=off
   protostack=netkey
conn L2TP-PSK-NAT
   rightsubnet=vhost:%priv
   also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
   authby=secret
   pfs=no
   auto=add
   keyingtries=3
   rekey=no
   ikelifetime=8h
   keylife=1h
   type=transport
   # left= must be an address configured on this host's own interface (check
   # with `ip addr`). On a VPS behind NAT that is the internal address, not the
   # public one; left=%defaultroute also works when the server has one uplink.
   left=YOUR_SERVER_IP_ADDRESS
   leftprotoport=17/1701
   right=%any
   rightprotoport=17/%any
The address before %any must be the same as left= in ipsec.conf; it is the index openswan uses to look up the key. Every client shares this one PSK, so treat it as a credential and keep the file mode 0600.
sudo vi /etc/ipsec.secrets
YOUR_SERVER_IP_ADDRESS %any: PSK "YOUR_IPSEC_SHARED_KEY"
Restart IPsec and verify the configuration
sudo service ipsec restart
sudo ipsec verify
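As an added check (example code written for this page, not part of the original or of openswan), the script below verifies the two points that most often go wrong in this section: that `left=` is an address actually configured on the host, and that the index of the PSK line in /etc/ipsec.secrets equals it. It works on the file contents and `ip -4 addr` output passed as strings; the interface dump, the addresses 10.0.2.15 and 203.0.113.10, and the PSK shown are constructed sample data, and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not part of the original page: sanity checks for the
# openswan configuration above. Two mistakes give vague errors at connect
# time ("no connection is known", "can't find the secret"):
#   1. left= is not an address configured on a local interface, which is
#      what happens when the public address of a NAT'd VPS is used;
#   2. the index of the PSK line in ipsec.secrets does not equal left=.
# The functions take the file contents and `ip -4 addr` output as strings,
# so they work on copies of the files and on the constructed input below.

# Print the value of left= from ipsec.conf text on stdin (comments ignored).
conf_left() {
    sed -e 's/#.*//' |
        awk -F= '$1 ~ /^[ \t]*left[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Succeed if ADDR is an IPv4 address in the given `ip -4 addr` output.
addr_is_local() {
    local addr="$1" ipout="$2"
    printf '%s\n' "$ipout" |
        awk -v a="$addr" '$1 == "inet" { split($2, p, "/"); if (p[1] == a) found = 1 }
                          END { exit !found }'
}

# Succeed if ipsec.secrets text has a PSK line whose index list names ADDR
# (openswan also accepts an index consisting only of %any, so allow that).
secrets_index_matches() {
    local addr="$1" secrets="$2"
    printf '%s\n' "$secrets" | sed -e 's/#.*//' |
        awk -v a="$addr" '
            /:[ \t]*PSK/ {
                split($0, parts, ":")                 # index list is before the colon
                gsub(/^[ \t]+|[ \t]+$/, "", parts[1])
                n = split(parts[1], idx, /[ \t]+/)
                anys = 0
                for (i = 1; i <= n; i++) {
                    if (idx[i] == a) found = 1
                    if (idx[i] == "%any") anys++
                }
                if (n > 0 && anys == n) found = 1
            }
            END { exit !found }'
}

# Run both checks; return 0 only if everything is consistent.
check_ipsec_files() {
    local conf="$1" secrets="$2" ipout="$3" left rc=0
    left=$(printf '%s\n' "$conf" | conf_left)
    if [ -z "$left" ]; then
        echo "FAIL: no left= found in ipsec.conf" >&2
        return 1
    fi
    if addr_is_local "$left" "$ipout"; then
        echo "ok:   left=$left is configured on a local interface"
    else
        echo "FAIL: left=$left is on no interface; on a NAT'd VPS use the internal address (or left=%defaultroute)" >&2
        rc=1
    fi
    if secrets_index_matches "$left" "$secrets"; then
        echo "ok:   ipsec.secrets has a PSK indexed by $left"
    else
        echo "FAIL: no PSK line in ipsec.secrets is indexed by $left" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample input (not captured from a real host): a VPS whose
# NIC carries 10.0.2.15 while its public address 203.0.113.10 is NAT'd.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0'
GOOD_CONF='conn L2TP-PSK-noNAT
   authby=secret
   type=transport
   left=10.0.2.15
   leftprotoport=17/1701
   right=%any
   rightprotoport=17/%any'
BAD_CONF='conn L2TP-PSK-noNAT
   authby=secret
   type=transport
   left=203.0.113.10
   leftprotoport=17/1701
   right=%any
   rightprotoport=17/%any'
GOOD_SECRETS='10.0.2.15 %any: PSK "constructed-example-psk"'
BAD_SECRETS='203.0.113.10 %any: PSK "constructed-example-psk"'

# On a real server:
#   check_ipsec_files "$(cat /etc/ipsec.conf)" "$(sudo cat /etc/ipsec.secrets)" "$(ip -4 addr)"
# With the constructed input, GOOD_CONF + GOOD_SECRETS passes; either BAD_* fails.
```

Run it on the real files before starting the first client; a `FAIL` for `left=` means openswan cannot orient the connection, and a `FAIL` for the secrets index means IKE will authenticate with no key and stop at phase 1.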
Configure xl2tpd
/etc/xl2tpd/xl2tpd.conf
# "sudo cat > file" fails with permission denied: the redirect is opened by your own shell, only cat runs as root. tee writes as root.
sudo tee /etc/xl2tpd/xl2tpd.conf >/dev/null <<EOF
[global]
ipsec saref = yes
[lns default]
local ip = 10.10.11.1
ip range = 10.10.11.2-10.10.11.245
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
EOF
/etc/ppp/xl2tpd-options
sudo tee /etc/ppp/xl2tpd-options >/dev/null <<EOF
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
EOF
Add PPP users and passwords
Replace USER and PASSWORD with your own user name and password. The passwords are stored in clear text, so the file must stay mode 0600 (the ppp package creates it that way).
sudo tee -a /etc/ppp/chap-secrets >/dev/null <<EOF
USER * PASSWORD *
EOF
If VPN clients can connect but cannot reach the Internet, enable IP forwarding and disable ICMP redirects. The following must run as root:
for each in /proc/sys/net/ipv4/conf/*
do
   echo 0 > $each/accept_redirects
   echo 0 > $each/send_redirects
done
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sysctl -p
Configure the iptables rules: NAT the VPN pool (the ip range from xl2tpd.conf) out to the Internet, and clamp the TCP MSS on the ppp interfaces so that large packets are not dropped inside the tunnel.
# only masquerade traffic from the VPN pool, not everything the host forwards
iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -j MASQUERADE
iptables -I FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1356
Restart xl2tpd
service xl2tpd restart
Edit /etc/rc.local so the settings survive a reboot
If /etc/rc.local does not run at boot, try changing its shebang to #!/bin/bash.
#!/bin/bash
# for xl2tpd
for each in /proc/sys/net/ipv4/conf/*
do
   echo 0 > $each/accept_redirects
   echo 0 > $each/send_redirects
done
# only masquerade traffic from the VPN pool, not everything the host forwards
iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -j MASQUERADE
iptables -I FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1356
exit 0
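As an added example (not from the original page), an idempotent replacement for the rc.local block above: the MASQUERADE rule is limited to the VPN pool and the uplink interface, and each rule is checked with `iptables -C` before it is added, so the script can run at every boot or after every xl2tpd restart without accumulating duplicate rules. The pool 10.10.11.0/24 and the MSS value come from the page; eth0 as the uplink and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original page: an idempotent version of the
# forwarding and NAT setup above, meant to be called from /etc/rc.local.
# Differences from the page's rules: MASQUERADE is limited to the VPN pool
# and the uplink interface instead of everything the box forwards, and a
# rule is only added if `iptables -C` reports it missing, so running the
# script twice (or once per xl2tpd restart) does not stack duplicates.
# Assumptions: pool 10.10.11.0/24 as in xl2tpd.conf above, uplink eth0,
# MSS 1356 as on the page; adjust for your host. Must run as root.

# ipt_ensure TABLE CHAIN ACTION RULE...: add RULE with ACTION (-A or -I)
# unless an identical rule is already present in TABLE/CHAIN.
ipt_ensure() {
    local table="$1" chain="$2" action="$3"
    shift 3
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" "$action" "$chain" "$@"
}

# Stop the VPN server from honouring or emitting ICMP redirects.
disable_icmp_redirects() {
    local each
    for each in /proc/sys/net/ipv4/conf/*; do
        echo 0 > "$each/accept_redirects"
        echo 0 > "$each/send_redirects"
    done
}

# setup_vpn_forwarding POOL UPLINK: forwarding on, NAT only for POOL leaving
# via UPLINK, and MSS clamping on ppp interfaces (inserted at the top of
# FORWARD so it runs before any later REJECT/DROP rules).
setup_vpn_forwarding() {
    local pool="$1" uplink="$2"
    disable_icmp_redirects
    sysctl -q -w net.ipv4.ip_forward=1
    ipt_ensure nat POSTROUTING -A -s "$pool" -o "$uplink" -j MASQUERADE
    ipt_ensure filter FORWARD -I -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1356
}

# In /etc/rc.local (before exit 0):  setup_vpn_forwarding 10.10.11.0/24 eth0
# From the shell:  ./vpn-forwarding.sh apply [POOL] [UPLINK]
if [ "${1:-}" = "apply" ]; then
    setup_vpn_forwarding "${2:-10.10.11.0/24}" "${3:-eth0}"
fi
```

`iptables -C` returns non-zero when no identical rule exists, which is the only case in which the rule is added; `iptables -t nat -L POSTROUTING -n -v` after a second run should still show a single MASQUERADE line.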