
VPS可以使用 Digital Ocean,注册地址:DigitalOcean官网
本文基于Centos7配置,请留意;

yum 初始化

// 更新yum
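# bring all installed packages up to date (-y answers the confirmation prompt)
yum -y update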

// 安装程序/库
yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers

// 安装libevent(事件触发的网络库),(memcached需要)
yum -y install libevent libevent-devel

// 列出已安装列表
yum info installed

// 移除已安装
yum remove "tsclient"

安装openswan xl2tpd 配置ipsec

yum install epel-release openswan -y
// xl2tpd必须放在下面单独安装,因为CentOS原本的yum源里面是没有xl2tpd的,要安装epel后才有;
yum install xl2tpd

修改ipsec.conf配置文件

vim /etc/ipsec.conf

内容,可以直接用下面的替换,并用VPS实例的公网IP地址替换left=your.vps.ip.addr中的your.vps.ip.addr

# /etc/ipsec.conf - Libreswan IPsec configuration file
# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5
# basic configuration
config setup
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    force_keepalive=yes
    keep_alive=1800
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=your.vps.ip.addr 
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
# For example connections, see your distribution's documentation directory,
# or the documentation which could be located at
#  /usr/share/docs/libreswan-3.*/ or look at https://www.libreswan.org/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
# You may put your configuration (.conf) file in the "/etc/ipsec.d/" directory
# by uncommenting this line
#include /etc/ipsec.d/*.conf

设置预共享密钥

修改ipsec.secrets配置文件

vim /etc/ipsec.secrets
// 增加一行
// 用公网IP地址替换 your.vps.ip.addr,用自己设定的预共享密钥替换 your.pre_shared_key(建议使用足够长的随机字符串;该文件包含明文密钥,应保持仅 root 可读)
your.vps.ip.addr %any: PSK "your.pre_shared_key"

修改sysctl.conf配置文件

// 添加如下内容:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

此时执行:

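# Print the running kernel's accept_redirects / send_redirects value for every
# interface directory, one value per line (sysctl.conf is only read at boot or
# by `sysctl -p`, so edits there are not reflected here until applied).
for each in /proc/sys/net/ipv4/conf/*; do cat "$each/accept_redirects" "$each/send_redirects"; done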
// 输出中有0和1(这里显示的是内核当前的运行值;sysctl.conf 的修改需要执行 sysctl -p 或重启后才会生效);

创建脚本修改/proc/sys/net/ipv4/conf/中的内容,脚本名为:modify.sh

// modify.sh
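#!/bin/sh
# modify.sh - write 0 to accept_redirects and send_redirects for every
# interface directory under a sysctl "conf" directory, so that
# `ipsec verify` reports the ICMP redirect checks as [OK].
#
# Usage:  sh modify.sh [conf_dir]      (default: /proc/sys/net/ipv4/conf)
# Must run as root (writes under /proc/sys). The change is runtime-only;
# the sysctl.conf entries are what make it survive a reboot.

# disable_redirects CONF_DIR
#   For each directory in CONF_DIR, writes 0 to <iface>/accept_redirects and
#   <iface>/send_redirects. Returns 1 (after a message on stderr) when
#   CONF_DIR is not a directory or on the first write that fails, e.g. when
#   not running as root. Returns 0 otherwise.
disable_redirects() {
  conf_dir=$1
  # refuse an empty/invalid path: "$conf_dir"/* with an empty value would glob /*
  if [ ! -d "$conf_dir" ]; then
    printf 'modify.sh: %s is not a directory\n' "$conf_dir" >&2
    return 1
  fi
  for iface in "$conf_dir"/*; do
    # skip the literal pattern left behind when the directory has no entries
    [ -d "$iface" ] || continue
    for knob in accept_redirects send_redirects; do
      if ! printf '0\n' > "$iface/$knob"; then
        printf 'modify.sh: cannot write %s\n' "$iface/$knob" >&2
        return 1
      fi
    done
  done
  return 0
}

disable_redirects "${1:-/proc/sys/net/ipv4/conf}"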
// 保存执行
sh modify.sh

再次执行:

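# Re-check the running values after modify.sh: every line should now be 0.
for each in /proc/sys/net/ipv4/conf/*; do cat "$each/accept_redirects" "$each/send_redirects"; done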
// 输出中只有0;

重启ipsec

systemctl restart ipsec

检验ipsec的配置

ipsec verify

验证

此时系统的输出如果是这样就说明到此为止都是正确的;

Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 3.10.0-327.28.3.el7.x86_64
Checking for IPsec support in kernel [OK]
 NETKEY: Testing XFRM related proc values
    ICMP default/send_redirects [OK]
    ICMP default/accept_redirects [OK]
    XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete > ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]

如果看到下面这样的输出

Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]

那么就根据提供的路径,修改文件的内容为0

sh -c "echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter"

再次重启ipsec和验证

systemctl restart ipsec 
ipsec verify

配置VPN登陆的账号和密码

// vim /etc/ppp/chap-secrets

// account 为要设置的账号,your.password 为要设置的密码;该文件以明文保存口令,应保持仅 root 可读
# Secrets for authentication using CHAP
# client          server     secret               IP addresses
  account         l2tpd      your.password        *

测试

到这里我们已经完成一部分了,可以测试一下到此为止是否一切顺利。

// 在PC上设置VPN进行验证,Mac和Windows都有对应的设置,可自行百度;

保存配置并连接,此时还是连不上的,但是服务器端我们可以查看连接日志

vim /var/log/secure

// 在打开的日志文件中搜索 IPsec SA established 或 IPSec connection established 
// 如果能搜索到这样的字样,则说明到此为止一切顺利。

安装和配置xl2tp

安装

yum install xl2tpd 

配置/etc/xl2tpd/xl2tpd.conf

;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes
ipsec saref = yes

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

配置 /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns  8.8.8.8
ms-dns  8.8.4.4
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
asyncmap 0
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
hide-password
debug
lock
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html

设置防火墙

编辑文件 /usr/lib/firewalld/services/l2tpd.xml(自定义服务文件更适合放在 /etc/firewalld/services/ 下,以免被软件包升级覆盖)

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>l2tpd</short>
  <description>L2TP IPSec</description>
  <port protocol="udp" port="500"/>
  <port protocol="udp" port="4500"/>
  <port protocol="udp" port="1701"/>
</service>

设置并重启防火墙

// 如果firewalld没启动,先运行 systemctl start firewalld
firewall-cmd --permanent --add-service=l2tpd
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

测试

现在以debug模式启动xl2tpd

xl2tpd -D

此时可以在控制台看到输出,客户端再次连接VPN,就可以连接上并访问网络了, 百度搜索ip会显示你的IP地址为你VPS实例的IP地址。

设置开机自启

systemctl enable ipsec xl2tpd
systemctl restart ipsec xl2tpd 

DNS设置

国内的网站无需走VPN,这时利用chnroutes就好;

Mac下的设置:

// 1. 在终端中执行python chnroutes.py -p mac,这将生成ip-up和ip-down两个文件;
// 2. 将这两个文件移入/etc/ppp/;
// 3. 重新连接VPN,观察测试。

流量统计

如果要统计CentOS的流量使用情况,推荐使用vnstat

yum install vnstat
// 启动服务
vnstatd -d
// 创建要统计的网卡的数据库 
vnstat --create -i eth0
// 具体使用
vnstat // 输出本月和本日的统计信息
vnstat -l //显示实时网络状态
vnstat --help //查看vnstat所有支持参数
可以通过修改配置文件来修改写入数据库的频率和显示时的流量单位
vi /etc/vnstat.conf

参考资料

