Setting up a PPTP VPN on CentOS 5.5

林继 · VPS Knowledge · 1514 characters · 2012-11-20 0:39:04

1. Check whether the VPS has the necessary kernel support. If neither check below passes, pptp cannot be installed. BuyVM users can skip this step.

    modprobe ppp-compress-18 && echo ok

If this prints "ok", the check passed. If not, there is a second check:

    cat /dev/net/tun

If the output is the following text, the check passed:

    cat: /dev/net/tun: File descriptor in bad state

Only one of the two checks needs to pass for pptp to be installable. If there are still problems, ask your hosting provider to resolve them.
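To make the two checks above repeatable, here is an added shell example (not part of the original post) that captures the result of each probe and applies the post's rule that either one passing is enough. The decision is kept in a separate function that takes the captured results, so it can be exercised without root or a real kernel; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the step-1 probes.

# Decide from captured probe results whether pptpd can work here.
#   $1 - exit status of "modprobe ppp-compress-18"
#   $2 - stderr text produced by "cat /dev/net/tun"
# Returns 0 when at least one of the two checks passed, 1 otherwise.
decide_pptp_support() {
    modprobe_status=$1
    tun_output=$2
    if [ "$modprobe_status" -eq 0 ]; then
        return 0            # ppp_mppe loaded: MPPE-capable kernel
    fi
    case "$tun_output" in
        # EBADFD from a plain read is the sign that /dev/net/tun exists
        # and is a usable tun/tap device, exactly the text the post quotes.
        *"File descriptor in bad state"*) return 0 ;;
    esac
    return 1
}

# Run the real probes on this host and print a verdict. modprobe needs
# root; on a container kernel without the module it fails the same way
# the post's own session shows ("FATAL: Module ppp_mppe not found.").
check_pptp_support() {
    modprobe ppp-compress-18 2>/dev/null
    mp=$?
    # Keep only stderr of the cat probe; "2>&1 >/dev/null" routes stderr
    # into the capture and discards anything written to stdout.
    tun=$(cat /dev/net/tun 2>&1 >/dev/null)
    if decide_pptp_support "$mp" "$tun"; then
        echo "ok: this kernel can support pptpd (modprobe=$mp, tun='$tun')"
        return 0
    fi
    echo "missing: neither ppp_mppe nor /dev/net/tun is usable; ask your provider" >&2
    return 1
}
```

Source the file and run `check_pptp_support` as root; its exit status is 0 only when pptpd has a chance of working, which makes it usable as a guard in a provisioning script.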

2. Install ppp and iptables.

    yum install -y ppp iptables

3. Install pptp.

    rpm -ivh https://acelnmp.googlecode.com/files/pptpd-1.3.4-2.rhel5.i386.rpm      # 32-bit systems
    rpm -ivh https://acelnmp.googlecode.com/files/pptpd-1.3.4-2.rhel5.x86_64.rpm    # 64-bit systems

Some folks like to wget the package first and then run rpm on it; there is no need for that extra step.

4. Configure pptp.

First edit /etc/pptpd.conf:

    vim /etc/pptpd.conf

Remove the # in front of the following two lines:

    localip 192.168.0.1
    remoteip 192.168.0.234-238,192.168.0.245

Next edit /etc/ppp/options.pptpd:

    vim /etc/ppp/options.pptpd

Remove the # in front of ms-dns and change the lines to:

    ms-dns 8.8.8.8
    ms-dns 8.8.4.4

5. Set the pptp VPN username and password.

Edit the file /etc/ppp/chap-secrets:

    vim /etc/ppp/chap-secrets

Enter the following line (the fields are username, server name, password and allowed client IP, with * meaning any); zhujimi can be replaced with any value you like:

    zhujimi pptpd zhujimi *

6. Change the kernel settings to enable IP forwarding.

Edit /etc/sysctl.conf:

    vim /etc/sysctl.conf

Change "net.ipv4.ip_forward" to 1:

    net.ipv4.ip_forward=1

and put a # in front of "net.ipv4.tcp_syncookies = 1":

    # net.ipv4.tcp_syncookies = 1

Save and quit, then run the following command to apply the change:

    sysctl -p

7. Add the iptables NAT rule. Use the one that matches your virtualization platform:

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 12.34.56.78    # OpenVZ: 12.34.56.78 is your VPS's public IP address
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE             # Xen

Save the iptables rules:

    /etc/init.d/iptables save

Restart iptables:

    /etc/init.d/iptables restart

8. Restart the pptp service.

    /etc/init.d/pptpd restart

9. Make the services start at boot.

    chkconfig pptpd on
    chkconfig iptables on
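Steps 4 to 7 are hand edits in vim. As an added example (not from the original post), the script below performs the same edits with sed and printf so they are repeatable, and honours a PPTP_ROOT prefix so you can rehearse them on copies of the files before touching /etc. The addresses, resolvers and the sample user are the post's; PPTP_ROOT, the function names and the sed patterns are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: steps 4-7 as shell functions.

PPTP_ROOT=${PPTP_ROOT:-}     # empty means the real /etc

# Replace file $1 with the result of running sed script $2 over it.
sed_inplace() {
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 4a: uncomment localip/remoteip in pptpd.conf and set the post's pool.
configure_pptpd_conf() {
    sed_inplace "$PPTP_ROOT/etc/pptpd.conf" \
        's/^#* *localip .*/localip 192.168.0.1/;s/^#* *remoteip .*/remoteip 192.168.0.234-238,192.168.0.245/'
}

# Step 4b: drop every ms-dns line (commented or not) and append the two
# resolvers the post hands out to clients.
configure_options_pptpd() {
    f=$PPTP_ROOT/etc/ppp/options.pptpd
    sed_inplace "$f" '/^#* *ms-dns /d'
    printf 'ms-dns 8.8.8.8\nms-dns 8.8.4.4\n' >> "$f"
}

# Build one chap-secrets line: user, server name, secret, allowed IP.
# The secret is quoted so a value containing spaces or '#' survives
# pppd's parser; it is still stored in clear text.
chap_secret_line() {
    printf '%s pptpd "%s" *' "$1" "$2"
}

# Step 5: add user $1 with password $2 unless an entry already exists,
# and keep the file root-only because it holds clear-text passwords.
add_pptp_user() {
    f=$PPTP_ROOT/etc/ppp/chap-secrets
    touch "$f"; chmod 600 "$f"
    if grep -q "^$1 " "$f"; then
        echo "user $1 already present in $f" >&2
        return 1
    fi
    chap_secret_line "$1" "$2" >> "$f"
    echo >> "$f"
}

# Step 6: force net.ipv4.ip_forward = 1 (edit in place, or append if the
# key is absent) and comment out tcp_syncookies as the post instructs.
# SYN cookies are a SYN-flood defence; the post gives no reason for
# disabling them, so consider leaving that line alone.
enable_ip_forward() {
    f=$PPTP_ROOT/etc/sysctl.conf
    sed_inplace "$f" \
        's/^#* *net\.ipv4\.ip_forward *=.*/net.ipv4.ip_forward = 1/;s/^\( *net\.ipv4\.tcp_syncookies\)/# \1/'
    grep -q '^net\.ipv4\.ip_forward = 1' "$f" || echo 'net.ipv4.ip_forward = 1' >> "$f"
}

# Step 7: print the NAT rule for platform $1 ("openvz" needs the public
# address in $2, "xen" masquerades via eth0). The caller runs it, e.g.
#   sh -c "$(nat_rule openvz 12.34.56.78)"
nat_rule() {
    case "$1" in
        openvz) echo "iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source $2" ;;
        xen)    echo "iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE" ;;
        *)      echo "unknown platform: $1 (expected openvz or xen)" >&2; return 1 ;;
    esac
}
```

Rehearse with `PPTP_ROOT=/tmp/pptp-test` after copying the three files into that prefix, diff the results against the originals, and only then run the functions with PPTP_ROOT unset followed by `sysctl -p`, the printed NAT rule, `/etc/init.d/iptables save` and the pptpd restart from steps 7 to 9.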

If you get error 619, run:

    mknod /dev/ppp c 108 0

That's all there is to it. Now create a VPN connection in Windows, enter your server's IP as the address and the username and password you set above, click "Connect", and once it succeeds you can browse the web through your server.

Note: if the virtual machine's kernel does not support MPPE, encryption cannot be used, and the default Windows VPN connection will fail with a certificate trust error.

Workaround: in /etc/ppp/options.pptpd comment out the require-mppe-128 line, then change the Windows VPN dial-up properties to optional encryption and connect again. Be aware that a tunnel set up this way carries its traffic unencrypted, because the server no longer requires MPPE.

For reference, here is a terminal session from the author's own server (CentOS 5.6) walking through the steps above; note that the modprobe check fails there while the /dev/net/tun check passes, which is enough:

    Last login: Fri Nov  2 05:43:15 2012 from 202.101.72.85
    [root@li388-228 ~]# cat /etc/issue
    CentOS release 5.6 (Final)
    Kernel \r on an \m

    [root@li388-228 ~]# cat /dev/ppp
    cat: /dev/ppp: No such device or address

    [root@li388-228 ~]# cat /dev/net/tun
    cat: /dev/net/tun: File descriptor in bad state

    [root@li388-228 ~]# modprobe ppp-compress-18 && echo ok
    FATAL: Module ppp_mppe not found.

    [root@li388-228 ~]# cat /dev/net/tun
    cat: /dev/net/tun: File descriptor in bad state

    [root@li388-228 ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pptp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ni-ftp
    ACCEPT     gre  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    [root@li388-228 ~]# yum install -y ppp
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: ftp.jaist.ac.jp
     * extras: ftp.jaist.ac.jp
     * updates: ftp.jaist.ac.jp
    Setting up Install Process
    Package ppp-2.4.4-2.el5.i386 already installed and latest version
    Nothing to do
    You have new mail in /var/spool/mail/root
    [root@li388-228 ~]# rpm -ivh https://acelnmp.googlecode.com/files/pptpd-1.3.4-2.rhel5.i386.rpm
    Retrieving https://acelnmp.googlecode.com/files/pptpd-1.3.4-2.rhel5.i386.rpm
    error: skipping https://acelnmp.googlecode.com/files/pptpd-1.3.4-2.rhel5.i386.rpm - transfer failed - Unknown or unexpected error
    You have new mail in /var/spool/mail/root
    [root@li388-228 ~]# rpm -ivh https://acelnmp.googlecode.com/files/pptpd-1.3.4-2.rhel5.i386.rpm
    Retrieving https://acelnmp.googlecode.com/files/pptpd-1.3.4-2.rhel5.i386.rpm
    error: skipping https://acelnmp.googlecode.com/files/pptpd-1.3.4-2.rhel5.i386.rpm - transfer failed - Unknown or unexpected error
    [root@li388-228 ~]# wget https://acelnmp.googlecode.com/files/pptpd-1.3.4-2.rhel5.i386.rpm
    --2012-11-19 09:17:52--  https://acelnmp.googlecode.com/files/pptpd-1.3.4-2.rhel5.i386.rpm
    Resolving acelnmp.googlecode.com... 74.125.31.82, 2404:6800:4008:c00::52
    Connecting to acelnmp.googlecode.com|74.125.31.82|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 82778 (81K) [application/x-rpm]
    Saving to: `pptpd-1.3.4-2.rhel5.i386.rpm.1'

    100%[======================================>] 82,778       172K/s   in 0.5s

    2012-11-19 09:17:53 (172 KB/s) - `pptpd-1.3.4-2.rhel5.i386.rpm.1' saved [82778/82778]

    [root@li388-228 ~]# rpm -ivh pptpd-1.3.4-2.rhel5.i386.rpm
    warning: pptpd-1.3.4-2.rhel5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
    Preparing...                ########################################### [100%]
            package pptpd-1.3.4-2.rhel5.i386 is already installed

    [root@li388-228 ~]# ls
    pptpd-1.3.4-2.rhel5.i386.rpm    zijidelu_install     zijidelu_install.tar.gz
    pptpd-1.3.4-2.rhel5.i386.rpm.1  zijidelu_install.sh
    [root@li388-228 ~]# sysctl -p
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    kernel.shmmax = 4294967295
    kernel.shmall = 268435456
    kernel.shmmax = 67108864
    kernel.shmall = 32768
    fs.file-max = 65535
    net.ipv4.ip_forward = 1
    net.ipv4.tcp_fin_timeout = 30
    net.ipv4.tcp_max_syn_backlog = 10240
    net.ipv4.tcp_keepalive_time = 180
    net.ipv4.tcp_synack_retries = 3
    net.ipv4.tcp_syn_retries = 3
    net.ipv4.tcp_max_orphans = 8192
    net.ipv4.tcp_max_tw_buckets = 8192
    net.ipv4.tcp_window_scaling = 0
    net.ipv4.tcp_sack = 0
    net.ipv4.tcp_timestamps = 0
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.icmp_echo_ignore_all = 0
    net.nf_conntrack_max = 655360
    net.netfilter.nf_conntrack_tcp_timeout_established = 1200

    [root@li388-228 ~]# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

    [root@li388-228 ~]# /etc/init.d/iptables save
    Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

    [root@li388-228 ~]# /etc/init.d/iptables restart
    Flushing firewall rules: [  OK  ]
    Setting chains to policy ACCEPT: security raw nat mangle filter [FAILED]
    Unloading iptables modules: [  OK  ]
    Applying iptables firewall rules: [  OK  ]
    Loading additional iptables modules: ip_conntrack_netbios_ns [FAILED]

    [root@li388-228 ~]# /etc/init.d/pptpd restart
    Shutting down pptpd: [  OK  ]
    Starting pptpd: [  OK  ]
    Warning: a pptpd restart does not terminate existing
    connections, so new connections may be assigned the same IP
    address and cause unexpected results.  Use restart-kill to
    destroy existing connections during a restart.

    [root@li388-228 ~]# chkconfig pptpd on

    [root@li388-228 ~]# chkconfig iptables on

    [root@li388-228 ~]# mknod /dev/ppp c 108 0
    mknod: `/dev/ppp': File exists

    [root@li388-228 ~]#

Ports that are frequently blocked by the Great Firewall:

SSH: TCP port 22;
PPTP VPN: TCP port 1723; L2TP VPN: UDP port 1701; IPSec VPN: UDP ports 500 and 4500; OpenVPN by default: TCP and UDP port 1194;
TLS/SSL/HTTPS: TCP port 443.
On some ISPs such as China Mobile and China Unicom (mobile IP ranges), all PPTP VPNs are blocked.
