Overview
MacOS, Windows, iOS都内置支持PPTP,L2TP;OpenVPN需要安装客户端,手机上一般不支持。
先打开内核的IP转发,修改 /etc/sysctl.conf
net.ipv4.ip_forward=1
执行下面命令以生效
sudo sysctl -p
PPTP
安装pptpd
apt-get install pptpd
编辑 /etc/pptpd.conf,下面两行取消注释
# /etc/pptpd.conf — server-side tunnel address and the pool handed to clients.
# The pool must not overlap addresses already in use on the 192.168.0.0/24 LAN,
# since proxyarp (pptpd-options below) answers ARP for them.
localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245
这行注释掉
#logwtmp
从文件 /etc/pptpd.conf 中找到配置选项文件,如下为:/etc/ppp/pptpd-options
grep options /etc/pptpd.conf
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
option /etc/ppp/pptpd-options
# option in the pppd options file, or run bcrelay.
编辑 /etc/ppp/pptpd-options,增加以下内容,最后两项为推给VPN客户端的DNS服务器IP
# /etc/ppp/pptpd-options — pppd options applied to every PPTP session.
# MTU below the Ethernet MTU so the PPP/GRE encapsulation is not fragmented.
mtu 1492
# Must match the "server" column of /etc/ppp/chap-secrets ("foo pptpd bar *").
name pptpd
# Reject the weaker authentication methods; only MS-CHAPv2 with 128-bit MPPE is accepted.
# NOTE(review): MS-CHAPv2/MPPE is widely regarded as cryptographically broken;
# treat PPTP as legacy compatibility only and prefer the L2TP/IPsec or OpenVPN
# setups further down.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
# Answer ARP on the LAN for the client addresses so the remoteip pool is reachable.
proxyarp
lock
# Disable BSD and Van Jacobson compression.
nobsdcomp
novj
novjccomp
nologfd
# DNS servers pushed to clients.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
修改 /etc/ppp/chap-secrets, 增加一个VPN用户: foo ,密码设置为: bar
# Secrets for authentication using CHAP
# client server secret IP addresses
# Passwords are stored in cleartext here: keep the file readable by root only
# and replace the sample foo/bar pair with a strong secret.
# "pptpd" must match the "name" option in /etc/ppp/pptpd-options; "*" accepts
# whatever address the pool assigns.
foo pptpd bar *
修改 iptables,注意eth0可能要修改成实际的网络接口名(用 ifconfig 可以列出)
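# Firewall/NAT for the PPTP client pool (192.168.0.0/24).
# `-F` discards every existing filter-table rule, and nothing below is
# persisted across reboots; the default INPUT policy is left as it is.
iptables -F
# NAT client traffic leaving via the uplink (eth0 — adjust to the real interface).
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i lo -j ACCEPT
# pptpd hands each session to pppd, which creates a ppp<N> interface.
# The original rules matched tun+/tap+, which are OpenVPN interface names and
# never see PPTP traffic.
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
# PPTP control channel (TCP/1723) and GRE data channel (protocol 47).
# Only relevant once INPUT's default policy is DROP; harmless otherwise.
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -P FORWARD ACCEPT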
L2TP Over IPSec
假设你的服务器IP是:1.2.3.4
首先更新一下源
# Refresh package lists, install Openswan, then start from the shipped L2TP/PSK example.
sudo apt-get update
sudo apt-get install openswan
# The copy under /etc/ipsec.d/ is the file edited in the next step; the example
# under examples/ stays untouched.
sudo cp /etc/ipsec.d/examples/l2tp-psk.conf /etc/ipsec.d/l2tp-psk.conf
修改文件 /etc/ipsec.d/l2tp-psk.conf
# /etc/ipsec.d/l2tp-psk.conf — this host's side of the L2TP/PSK connection.
left=1.2.3.4 # the machine's external IP
leftnexthop=1.2.3.1 # the machine's gateway
如果机器直接连接网络,不需要NAT,需要注释下面几行
# Connection variant for peers behind NAT (rightsubnet=vhost:%priv); inherits the
# rest of its settings from L2TP-PSK-noNAT. The text above says to comment these
# lines out when the host is directly connected and needs no NAT.
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
修改 /etc/ipsec.conf,在文件最后增加:
include /etc/ipsec.d/l2tp-psk.conf
如果机器直接连接网络,确认 /etc/ipsec.conf 中nat_traversal是yes
nat_traversal=yes
修改 /etc/ipsec.secrets
# Pre-shared key accepted from any peer (%any) connecting to 1.2.3.4.
# Replace the sample value with a long random secret and keep
# /etc/ipsec.secrets readable by root only.
1.2.3.4 %any: "yourSharedPSK!"
安装 xl2tpd
apt-get install xl2tpd
修改 /etc/xl2tpd/xl2tpd.conf , 其中1.2.3.4改成服务器的外部IP
; /etc/xl2tpd/xl2tpd.conf — listen only on the public IP (1.2.3.4) and hand
; each session to pppd with /etc/ppp/xl2tpd-options.
[global]
; IPsec SA reference tracking, so an L2TP session is tied to the IPsec SA it
; arrived over — NOTE(review): needs kernel/openswan support for saref; confirm.
ipsec saref = yes
listen-addr = 1.2.3.4
[lns default]
; Addresses handed to clients and the server-side address of the tunnel.
ip range = 192.168.1.10-192.168.1.20
local ip = 192.168.1.1
;require chap = yes
; Plain CHAP and PAP are refused; the method actually negotiated is then left
; to pppd and /etc/ppp/xl2tpd-options.
refuse chap = yes
refuse pap = yes
require authentication = yes
; Verbose pppd logging: useful while setting up, noisy (and potentially
; sensitive) in production — consider turning it off afterwards.
ppp debug = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
配置 /etc/ppp/xl2tpd-options
cp /etc/ppp/options /etc/ppp/xl2tpd-options
修改 /etc/ppp/xl2tpd-options
# /etc/ppp/xl2tpd-options — pppd options for L2TP sessions.
asyncmap 0
# Require the peer to authenticate; keep passwords out of the logs.
# NOTE(review): unlike pptpd-options above, nothing here pins MS-CHAPv2
# (no require-mschap-v2) — confirm pppd ends up negotiating a method you accept.
auth
crtscts
lock
hide-password
modem
# Smaller MRU/MTU than the PPTP setup, leaving room for the L2TP/IPsec/UDP encapsulation.
mru 1280
netmask 255.255.255.0
mtu 1280
# Must match the "server" column of /etc/ppp/chap-secrets ("foo l2tpd bar *").
name l2tpd
proxyarp
# Drop a dead session after 4 missed LCP echoes sent 30 s apart.
lcp-echo-interval 30
lcp-echo-failure 4
noipx
# DNS servers pushed to clients.
ms-dns 8.8.8.8
ms-dns 8.8.4.4
修改 /etc/ppp/chap-secrets, 增加一个VPN用户: foo ,密码设置为: bar
# Secrets for authentication using CHAP
# client server secret IP addresses
# Cleartext passwords: keep the file readable by root only and replace the
# sample foo/bar pair with a strong secret. "l2tpd" must match the "name"
# option in /etc/ppp/xl2tpd-options.
foo l2tpd bar *
修改 iptables,注意eth0可能要修改成实际的网络接口名(用 ifconfig 可以列出), 其中1.2.3.4改成服务器的外部IP
# Firewall rules for L2TP/IPsec. `-F` discards every existing filter-table rule,
# and nothing here is persisted across reboots.
iptables -F
# Accept IPsec: ESP (protocol 50), IKE on UDP/500 and NAT-T on UDP/4500, the
# latter two only when addressed to the public IP.
# These ACCEPT rules only take effect if INPUT's default policy is DROP, which
# this page never sets — as written the host still accepts everything. L2TP
# itself (UDP/1701) is not covered; under a DROP policy it should be accepted
# only inside IPsec (e.g. with `-m policy --dir in --pol ipsec`).
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p udp -d 1.2.3.4 --dport 500 -j ACCEPT
iptables -A INPUT -p udp -d 1.2.3.4 --dport 4500 -j ACCEPT
OpenVPN
安装 OpenVPN
# Install OpenVPN and copy the bundled easy-rsa scripts next to the configuration.
sudo apt-get install openvpn
# The install runs under sudo but this copy into /etc/openvpn does not; run it
# with the same privileges.
cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
生成CA证书
# Build a private CA and issue the server and client certificates with easy-rsa 2.0.
cd /etc/openvpn/easy-rsa/2.0
# Loads the KEY_* defaults (subject fields, key size, ...) into the environment.
source vars
# Wipes the keys/ directory — never rerun this against a CA that is already in use.
./clean-all
./build-ca
./build-key-server server
# The client's private key is created here on the server; it must be moved to
# the client over a protected channel and removed afterwards.
./build-key client
# Generates the DH parameters referenced by server.conf as dh1024.pem.
# NOTE(review): 1024-bit DH is considered weak; raise the key size in vars to
# 2048 or more (and adjust the "dh" path in server.conf) before running this.
./build-dh
编辑 /etc/openvpn/server.conf
# /etc/openvpn/server.conf
# Bind address, port and protocol. NOTE(review): the address here is a literal
# rather than the 1.2.3.4 placeholder used elsewhere, and the iptables rules
# below open UDP/1194 rather than TCP/56788 — keep the two consistent.
local 116.251.211.71
port 56788
proto tcp
dev tun
# PKI material generated by easy-rsa above; the private key must stay readable
# by root only.
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
# 1024-bit DH parameters are weak by current standards; generate and reference
# 2048-bit or larger.
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# Tunnel subnet — the same 10.8.0.0/24 the NAT rules below refer to.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Full tunnel: clients send all traffic and DNS through the VPN.
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Clients can reach each other through the server.
client-to-client
keepalive 10 120
# NOTE(review): compressing traffic inside the encrypted tunnel has known
# weaknesses; leave it off unless it is really needed.
comp-lzo
max-clients 50
# Drop root privileges after start-up; persist-key/persist-tun let the daemon
# keep the key and the tun device across restarts without them.
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
# NOTE(review): no cipher, auth or tls-auth/tls-crypt is set, so the build's
# defaults apply — pin them explicitly.
设置 iptables,其中1.2.3.4改成服务器的外部IP
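# Firewall/NAT for the OpenVPN tunnel (10.8.0.0/24).
# `-F` discards every existing filter-table rule, and nothing below is
# persisted across reboots.
iptables -F
# NAT tunnel traffic leaving via the uplink (venet0 here; usually eth0).
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
# Keep SSH reachable.
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Force the clients' DNS to 8.8.8.8. Limited to the tunnel subnet so DNS from
# any other network forwarded through this host is not silently redirected too.
iptables -t nat -A PREROUTING -s 10.8.0.0/24 -p udp -m udp --dport 53 -j DNAT --to-destination 8.8.8.8
# Accept the OpenVPN listener. server.conf above uses "proto tcp" and
# "port 56788"; the original rule opened UDP/1194, which that configuration
# never listens on.
iptables -A INPUT -p tcp --dport 56788 -j ACCEPT
iptables -A INPUT -s 10.8.0.0/24 -p all -j ACCEPT
iptables -A FORWARD -d 10.8.0.0/24 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
# SNAT to the fixed public IP is an alternative to the MASQUERADE rule above,
# not an addition: traffic leaving via venet0 is already handled there, so this
# line only matters for other interfaces. Keep one or the other, and replace
# 1.2.3.4 with the server's external IP if this one is kept.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.2.3.4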