Using PPTPD to build a simple VPN relay service    Author: linuxpf
There is plenty online explaining the theory, so I won't repeat it; when you run into problems, try to reason them out from first principles, which mainly means understanding PPP encapsulation and GRE routing. See the links at the bottom for background. What this article implements is a VPN relay, which can basically serve as a VPN proxy for Internet access, for example to work around slow access from domestic users to overseas sites; reaching resources inside the VPN network is, naturally, no problem at all.
Note: part of this has been revised: the PPP session MTU is now set to a sensible 1359, so that some pages no longer fail to render and MSN no longer fails to log in. Testing shows the relay basically works for the following: HTTP, HTTPS, SSL, DNS, SMTP, POP3, FTP, MSN, QQ.
Original URL: http://www.linuxpf.com.cn/bbs/viewthread.php?tid=482&extra=page%3D1
(Figure: topology diagram attached to the original post.)
1. Download to /home/download
site:http://poptop.sourceforge.net/yum/stable/rhel4/i386/
#cd /home/download
#wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/ppp-2.4.3-7.rhel4.i386.rpm
#wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/pptpd-1.3.4-1.rhel4.i386.rpm
#wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/dkms-2.0.17.5-1.noarch.rpm
#wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
2. Install pptpd
#yum install kernel kernel-devel
Some minimal installs don't have the kernel sources (kernel-devel) installed, so the module rebuild would otherwise fail.
#vi /etc/grub.conf
-----------------------------------------------------
default=0
------------------------------------------------------
#uname -a
Linux squid.x.com 2.6.9-78.0.1.EL #1 Tue Aug 5 10:49:42 EDT 2008 i686 i686 i386 GNU/Linux
#cd /home/download
#rpm -Uvh ppp-2.4.3-7.rhel4.i386.rpm
#rpm -ivh pptpd-1.3.4-1.rhel4.i386.rpm
#rpm -ivh dkms-2.0.17.5-1.noarch.rpm
#rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
3. Load the kernel module
Check that the kernel module works (the first run below succeeds, the second shows what a failure looks like):
#modprobe ppp-compress-18 && echo ok
ok
#modprobe ppp-compress-18 && echo ok
FATAL: Module ppp_mppe not found.
Install them with command "rpm -ivh".
If you see this message, the module did not load, or the kernel sources were not installed; if you followed the steps above, this error should not occur.
4. VPN server setup
Adjust the network settings. Note that if there are several internal NICs, routes must be set up on the VPN side, otherwise in some cases the internal network cannot be reached.
Internal NIC: 172.16.12.1
External NIC: x.x.x.x
#cd /etc/sysconfig/network-scripts
#cp ifcfg-eth0 ifcfg-eth0:1
#vi ifcfg-eth0:1
---------------------------------------------------
DEVICE=eth0:1
BOOTPROTO=static
BROADCAST=172.16.12.255
HWADDR=00:0C:2F:58:F4:4E
IPADDR=172.16.12.1
NETMASK=255.255.255.0
NETWORK=172.16.12.0
ONBOOT=yes
TYPE=Ethernet
---------------------------------------------------
5. Configure pptpd
#vi /etc/pptpd.conf
---------------------------------------------------------------
ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
localip 172.16.12.1
remoteip 172.16.12.100-250,172.16.12.252
netmask 255.255.255.0
--------------------------------------------------------------
#vi /etc/ppp/options.pptpd
-----------------------------------
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 202.177.2.166
proxyarp
-----------------------------------
Note: usually only ms-dns needs changing.
#vi /etc/ppp/chap-secrets
---------------------------------------------------------------
# Secrets for authentication using CHAP
# client server secret IP addresses
"username" pptpd "yourpassword" "*"
"admin" pptpd "password" "172.16.12.85"
---------------------------------------------------------------
One user per line in the format above, each field in double quotes. The secrets are stored in plaintext, so at minimum make the file unreadable by anyone other than its owner.
If each user is given a fixed IP, you can apply per-user traffic controls on top of that, which makes management easier.
6. Create a file
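As an added check (not part of the original post), a small POSIX sh audit of the two files edited above: it verifies that options.pptpd still refuses PAP, CHAP and MS-CHAPv1 and requires MS-CHAPv2 with 128-bit MPPE, that chap-secrets is readable only by its owner, and lists the users whose IP field is "*". The function names are mine, and the sample files it writes are constructed from the contents shown above.

```shell
#!/bin/sh
# Added audit helper (not from the original post) for the files edited above.
# Paths are passed as arguments so the checks can be run on sample copies.

# Return 0 if every auth/encryption option the post relies on is present
# as an uncommented line; otherwise print the missing ones and return 1.
audit_options() {
    f=$1
    missing=""
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        # whole-line match: commented-out copies do not count
        grep -q "^[[:space:]]*$opt[[:space:]]*$" "$f" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "$f: missing:$missing"
        return 1
    fi
    return 0
}

# Return 0 only if group and others have no permission bits at all
# (mode 0600 or stricter); the post notes the secrets are plaintext.
audit_secrets_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print users whose IP field is "*": they get any address from the pool,
# so their traffic cannot be tied back to them by source IP.
unpinned_users() {
    awk '!/^[[:space:]]*#/ && NF >= 4 && ($4 == "\"*\"" || $4 == "*") {
             gsub(/"/, "", $1); print $1 }' "$1"
}

# Demo on constructed copies of the files shown above (not real credentials).
demo=$(mktemp -d)
printf '%s\n' 'name pptpd' refuse-pap refuse-chap refuse-mschap \
    require-mschap-v2 require-mppe-128 'ms-dns 202.177.2.166' proxyarp \
    > "$demo/options.pptpd"
printf '%s\n' '# client server secret IP addresses' \
    '"username" pptpd "yourpassword" "*"' \
    '"admin" pptpd "password" "172.16.12.85"' > "$demo/chap-secrets"
chmod 600 "$demo/chap-secrets"
audit_options "$demo/options.pptpd" && echo "options.pptpd: ok"
audit_secrets_mode "$demo/chap-secrets" && echo "chap-secrets: owner-only, ok"
echo "users without a fixed IP: $(unpinned_users "$demo/chap-secrets")"
rm -rf "$demo"
```

Run it against the real /etc/ppp/options.pptpd and /etc/ppp/chap-secrets by calling the three functions with those paths.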
#vi vpn_forward
---------------------------------------------------
#!/bin/bash
#2008.11.19
echo "Starting................."
#configured to forward packets,using echo or sysctl
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Allow input and output on port 1723 for protocol tcp"
echo "Allow input and output on protocol gre 47, required for vpn"
echo "Enable time sync (ntp)"
iptables -I INPUT -p tcp --dport 123 -j ACCEPT
iptables -I INPUT -p udp --dport 123 -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT
iptables -I OUTPUT -p tcp --sport 1723 -j ACCEPT
echo "Insert the rules to forward all data!"
iptables -I FORWARD -p udp --dport 8000 -s 172.16.12.0/24 -j ACCEPT
iptables -I FORWARD -p tcp --dport 1024:8000 -j ACCEPT
iptables -I FORWARD -p tcp --dport 20:22 -s 172.16.12.0/24 -j ACCEPT
iptables -I FORWARD -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -p tcp --dport 69 -j ACCEPT
iptables -I FORWARD -p tcp --dport 110 -j ACCEPT
iptables -I FORWARD -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -o eth0 -s 172.16.12.0/24 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp -s 172.16.12.0/24 --dport 1723 -j ACCEPT
echo "Set the TCP MSS of new sessions to 1356"
iptables -I FORWARD -p tcp --syn -s 172.16.12.0/24 -j TCPMSS --set-mss 1356
echo "Enable NAT"
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.12.0/24 -j SNAT --to-source 202.177.24.X
echo "Firewall access rules enabled successfully"
---------------------------------------------------
#chmod +x vpn_forward
#cp vpn_forward /etc/rc.d/init.d/vpn_forward
#ln -s /etc/rc.d/init.d/vpn_forward /etc/rc.d/rc3.d/S94vpn_forward
Notes:
(1) Enable NTP time sync
iptables -I INPUT -p tcp --dport 123 -j ACCEPT
iptables -I INPUT -p udp --dport 123 -j ACCEPT
(2) Allow VPN connections
iptables -I INPUT -p gre -j ACCEPT
iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT
iptables -I OUTPUT -p tcp --sport 1723 -j ACCEPT
(3) Enable kernel IP forwarding
#configured to forward packets,using echo or sysctl
echo 1 > /proc/sys/net/ipv4/ip_forward
(4) Enable forwarding. Note that for forwarding efficiency only new TCP sessions are checked; packets belonging to already-established connections pass straight through.
iptables -I FORWARD -p tcp --dport 20:8000 -s 172.16.12.0/24 -j ACCEPT    # the services to open up
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT    # packets of established TCP connections pass straight through
iptables -I FORWARD -o eth0 -s 172.16.12.0/24 -m state --state NEW -j ACCEPT    # only new TCP sessions are checked
iptables -I FORWARD -p tcp --dport 80 -j ACCEPT    # forward HTTP
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT    # forward DNS
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp -s 172.16.12.0/24 --dport 1723 -j ACCEPT    # forward VPN packets
iptables -I FORWARD -p tcp --syn -s 172.16.12.0/24 -j TCPMSS --set-mss 1356    # negotiate a TCP session MTU of 1359 to avoid problems when some IP packets cannot be fragmented
(5) Enable NAT
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.12.0/24 -j SNAT --to-source 202.177.24.X
If the VPN server has a dynamic IP, change that line to: iptables --table nat --append POSTROUTING --out-interface eth0 --jump MASQUERADE
7. Routine operational management
#chkconfig pptpd on
#crontab -e
*/5 * * * * /usr/sbin/ntpdate 203.129.68.14 ; /sbin/hwclock -w
0,30 8 * * 1-5 /etc/rc.d/init.d/pptpd start
0,30 18 * * 1-5 /etc/rc.d/init.d/pptpd restart-kill ;/etc/rc.d/init.d/pptpd stop
8. Make sure the following modules are loaded. This depends on the kernel version; without them NAT will not work properly, and some versions may have problems here.
# modprobe -l >/home/modprode
# less modprode |grep ip_tables
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_tables.ko
# less modprode |grep ip_conntrack_ftp
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
# less modprode |grep ip_conntrack
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_tftp.ko
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_proto_sctp.ko
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_amanda.ko
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack.ko
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_irc.ko
/lib/modules/2.6.9-78.0.8.EL/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
9. Complete iptables tables. The script above was written for CentOS 4.6; adapt it accordingly for other systems.
#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT gre -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:ntp
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- 172.16.12.0/24 anywhere tcp flags:SYN,RST,ACK/SYN TCPMSS set 1356
ACCEPT tcp -- 172.16.12.0/24 anywhere tcp dpt:1723
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- 172.16.12.0/24 anywhere state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:tftp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- 172.16.12.0/24 anywhere tcp dpts:ftp-data:ssh
ACCEPT tcp -- anywhere anywhere tcp dpts:1024:8000
ACCEPT udp -- 172.16.12.0/24 anywhere udp dpt:8000
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:1723
ACCEPT gre -- anywhere anywhere
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:3128 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:3128 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:22 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:32100 state NEW
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 172.16.12.0/24 anywhere to:202.177.24.x
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Test: a VPN connection created with the Windows built-in client connects successfully (screenshots attached to the original post).
pptpd packet encapsulation format: (figure attached to the original post)
Related:
Diagnosing pptpd forwarding
http://poptop.sourceforge.net/dox/diagnose-forwarding.phtml
pptpd kernel patch installation problems
http://members.optushome.com.au/~wskwok/poptop_ads_howto_a1.htm
http://bbs.chinaunix.net/viewthread.php?tid=847612
Analysis of the MTU problem
http://bbs.chinaunix.net/thread-694733-1-1.html
Analysis of GRE encapsulation
http://www.linuxpf.com.cn/bbs/vi ... =page%3D1&frombbs=1
Point-to-Point Tunneling Protocol (PPTP)
http://www.linuxpf.com.cn/bbs/vi ... =page%3D1&frombbs=1
PPTP traffic analysis
http://www.microsoft.com/china/t ... ableguy/cg0103.mspx