# L2TP

[toc]

## L2TP

Note throughout!!! Do NOT paste my annotations into the configuration files; they will definitely cause errors!!!

Put simply, L2TP is a VPN tunnelling technology.

A VPN is a network traversal technique: it lets you connect into another network, and your own traffic restrictions stop applying and are replaced by the network rules at the point you connect to. So if you set one up on a server abroad and connect to it, your network no longer has the domestic restrictions and you can access the outside internet freely. However, setting up a cross-border VPN is illegal, and the technique taught in this chapter contains no guidance on setting up a cross-border VPN; it is only usable for experiments on an internal network segment.

## Checking the server

### Check whether the system supports PPP

```sh
modprobe ppp-compress-18 && echo yes
```

### Check whether TUN is enabled

```sh
cat /dev/net/tun
```

Some virtual-machine hosts need this enabled. If the output is `cat: /dev/net/tun: File descriptor in bad state`, the check has passed.

## Switching package sources

### Replace the yum source

```sh
rm -f /var/run/yum.pid

yum install -y wget

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

yum clean all && yum makecache
```

### Install the EPEL source

```sh
yum install -y epel-release
```

## Install the required packages

```sh
yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim vim-enhanced man xl2tpd libreswan
```

## Editing the configuration

### options.xl2tpd

Edit `/etc/ppp/options.xl2tpd`:

```sh
vim /etc/ppp/options.xl2tpd
```

File contents:

```
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 10
```

### xl2tpd.conf

```sh
vim /etc/xl2tpd/xl2tpd.conf
```

File contents. Lines starting with `;` are comments that xl2tpd ignores; my notes below are written as `;` lines too, so they are safe to leave in:

```
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
; Uncomment listen-addr and put your own NIC IP after it
listen-addr = 192.168.241.130
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; Uncomment the following line
ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
; ip range: the addresses handed out to VPN clients. Any range works, but the
; matching local ip below must change with it, and so must the firewall rules.
ip range = 192.168.2.2-192.168.2.20
local ip = 192.168.2.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```

## Editing the kernel parameters

### Modify /etc/sysctl.conf

```
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
# NOTE: the NIC name here is ens33; if your NIC has a different name, change it!!!
net.ipv4.conf.ens33.accept_redirects = 0
net.ipv4.conf.ens33.rp_filter = 0
net.ipv4.conf.ens33.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
```

### Load the kernel parameters

```sh
sysctl -p
```

## Set the VPN username and password

```sh
vim /etc/ppp/chap-secrets
```

File contents:

```
# Secrets for authentication using CHAP
# client server secret IP addresses
test * test *
```

## Create the pre-shared key

```sh
vim /etc/ipsec.d/ipsec.secrets
```

File contents:

```
192.168.241.130 %any: PSK "test"
```

192.168.241.130: the server's NIC IP address

PSK: the pre-shared key
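The two files above carry the only secrets that protect this server: the IPsec PSK and the CHAP password, both set to the literal `test` in the walkthrough. The script below is an added example, not part of the original post, that replaces those literals with random 64-hex-character secrets, writes the same two file formats into a staging directory (a placeholder path, not `/etc`), and checks that each file is readable only by its owner, which is what pppd and libreswan expect for secrets files. It assumes a POSIX shell with `/dev/urandom`, `od` and `ls`; the server address defaults to the post's 192.168.241.130.

```shell
#!/bin/sh
# Added example (not from the original post). Stages ipsec.secrets and
# chap-secrets with generated secrets and owner-only permissions.

SERVER_IP="${SERVER_IP:-192.168.241.130}"   # NIC address used in the post

# 32 random bytes rendered as 64 hex characters; replaces the literal "test".
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Same line format as the post's ipsec.secrets: <server IP> %any: PSK "<key>"
render_ipsec_secrets() {   # $1 = server IP, $2 = PSK
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# Same layout as the post's chap-secrets: client  server  secret  IP addresses
render_chap_secret() {     # $1 = user, $2 = password
    printf '# client\tserver\tsecret\tIP addresses\n'
    printf '%s\t*\t%s\t*\n' "$1" "$2"
}

# Write stdin to a file that only the owner can read (mode 0600).
write_secret_file() {      # $1 = path
    ( umask 077; cat > "$1" ) && chmod 0600 "$1"
}

# Returns 0 only when the group and other permission bits are all clear.
check_secret_perms() {     # $1 = path
    perms=$(ls -ld "$1" | cut -c5-10) || return 1
    [ "$perms" = "------" ]
}

# Returns 0 when a secret is at least 32 characters long.
check_secret_length() {    # $1 = secret
    [ "${#1}" -ge 32 ]
}

# Generate both files under $1 and verify their permissions.
stage_secrets() {          # $1 = staging directory (placeholder, not /etc)
    dir="$1"
    mkdir -p "$dir" || return 1
    psk=$(gen_psk)
    render_ipsec_secrets "$SERVER_IP" "$psk" | write_secret_file "$dir/ipsec.secrets" || return 1
    render_chap_secret "test" "$(gen_psk)" | write_secret_file "$dir/chap-secrets" || return 1
    check_secret_perms "$dir/ipsec.secrets" && check_secret_perms "$dir/chap-secrets"
}

# Usage: stage_secrets /tmp/l2tp-staging  (then copy the files into place)
```

`check_secret_perms` reads the permission string from `ls -l` rather than `stat` so it behaves the same on the CentOS box and on a Raspberry Pi; a file that shows anything other than `------` in the group/other columns fails the check and should be fixed with `chmod 0600` before the services are started.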

## Create the configuration file that links the IPsec and L2TP services

```sh
vim /etc/ipsec.d/l2tp_psk.conf
```

File contents (the parameter lines inside a `conn` section must be indented):

```
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # left is also the NIC IP
    left=192.168.241.130
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
```

## Firewall configuration

### Install iptables

```sh
yum install -y iptables
yum install -y iptables-services
```

### Permanently disable firewalld

```sh
systemctl stop firewalld
systemctl mask firewalld
```

### iptables configuration

List and flush the existing rules:

```sh
iptables -L -n
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
```

Add the NAT and L2TP/IPsec rules:

```sh
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o ens33 -j MASQUERADE
iptables -I FORWARD -s 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
```
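The NIC name (`ens33`) and the client subnet (`192.168.2.0/24`) appear in three places in this walkthrough: the `sysctl.conf` lines, the `ip range`/`local ip` pair in `xl2tpd.conf`, and the iptables rules. The script below is an added example, not part of the original post, that renders all three from a handful of variables so they cannot drift apart when you change the interface or the range. `WAN_IF`, `VPN_NET`, `VPN_GW` and `VPN_RANGE` are placeholder variable names with the post's values as defaults. It also includes a small `/24` consistency check. One deliberate difference from the post: the unconditional `--dport 1701` rule is left out, because it accepts L2TP that did not arrive inside IPsec (the `-m policy --pol ipsec` rule already admits the encrypted case); add it back only if you knowingly want plain L2TP.

```shell
#!/bin/sh
# Added example (not from the original post): render the interface- and
# subnet-dependent parts of the tutorial from one set of variables.

WAN_IF="${WAN_IF:-ens33}"                              # NIC name used in the post
VPN_NET="${VPN_NET:-192.168.2.0/24}"                   # client subnet
VPN_GW="${VPN_GW:-192.168.2.1}"                        # xl2tpd "local ip"
VPN_RANGE="${VPN_RANGE:-192.168.2.2-192.168.2.20}"     # xl2tpd "ip range"

# The three sysctl keys the post sets for ens33, for any interface name.
gen_sysctl_iface() {   # $1 = interface
    for key in accept_redirects rp_filter send_redirects; do
        printf 'net.ipv4.conf.%s.%s = 0\n' "$1" "$key"
    done
}

# The address lines of the [lns default] section of xl2tpd.conf.
gen_xl2tpd_lns() {
    printf 'ip range = %s\nlocal ip = %s\n' "$VPN_RANGE" "$VPN_GW"
}

# For a /24 subnet, check that a host address shares its first three octets.
check_in_subnet() {    # $1 = a.b.c.d/24, $2 = host address
    net=${1%%/*}
    [ "${net%.*}" = "${2%.*}" ]
}

# The post's iptables rules with the interface and subnet substituted.
# The plain "--dport 1701" rule is intentionally omitted (see lead-in).
gen_iptables() {       # $1 = WAN interface, $2 = VPN subnet
    cat <<EOF
iptables -t nat -A POSTROUTING -s $2 -o $1 -j MASQUERADE
iptables -I FORWARD -s $2 -j ACCEPT
iptables -I FORWARD -d $2 -j ACCEPT
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Print everything after verifying the gateway and range start lie in VPN_NET.
render_all() {
    check_in_subnet "$VPN_NET" "$VPN_GW" || { echo "local ip outside $VPN_NET" >&2; return 1; }
    check_in_subnet "$VPN_NET" "${VPN_RANGE%%-*}" || { echo "ip range outside $VPN_NET" >&2; return 1; }
    echo "# sysctl.conf lines for $WAN_IF"; gen_sysctl_iface "$WAN_IF"
    echo "# xl2tpd.conf [lns default]";     gen_xl2tpd_lns
    echo "# iptables rules";                gen_iptables "$WAN_IF" "$VPN_NET"
}

# Usage: WAN_IF=eth0 VPN_NET=10.9.0.0/24 VPN_GW=10.9.0.1 VPN_RANGE=10.9.0.2-10.9.0.20 sh thisfile.sh
[ "${1:-}" = "--render" ] && render_all
```

Run it with `--render` to print the three fragments for review, then paste them into the respective files; the subnet check only understands `/24` ranges, which is all the post uses.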

## Start IPsec

```sh
systemctl start ipsec
systemctl enable ipsec
```

## Troubleshooting

```sh
ipsec verify
```

Just paste these two commands:

```sh
echo "0" > /proc/sys/net/ipv4/conf/virbr0-nic/rp_filter

echo "0" > /proc/sys/net/ipv4/conf/virbr0/rp_filter
```

```sh
systemctl restart xl2tpd
systemctl enable xl2tpd
systemctl status xl2tpd
```

## Logging in to the VPN

Tested!!! I successfully set up L2TP on my Raspberry Pi, and connecting to the VPN from both Windows and a Huawei phone worked without problems.

The one regret is that, whether with multiple accounts or a single account, only one device can be logged in at a time; the cause may be that the port is occupied.

On the left of the picture is the VTuber livestream I'm watching; on the right, the nload command shows the server forwarding my traffic.

## Addendum

After rebooting the server I found I couldn't connect... really speechless.

After some troubleshooting, it turned out the firewall configuration had been reset.

### Install

```sh
apt install -y netfilter-persistent iptables-persistent  # on CentOS, replace apt with yum
```

### Save the firewall configuration

```sh
sudo netfilter-persistent save
```