linux vpn pptp

Source: Internet. Editor: 程序博客网. Published: 2024/05/16 09:19

http://blog.csdn.net/mathewsking/article/details/8115863
1 Download the required packages

// RPM download sources; the site I usually use is pkgs.org
wget http://poptop.sourceforge.net/yum/stable/packages/dkms-2.0.17.5-1.noarch.rpm
wget http://poptop.sourceforge.net/yum/stable/packages/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
yum install ppp    # must be 2.4.3; 2.4.4 is said to be too new and unsupported (note, however, that 2.2.2 below upgrades to ppp-2.4.4-14.1.rhel5, the Poptop build, without trouble: what matters is MPPE support in pppd, not the exact version number)

yum install pptp   # this is the PPTP client package; the server is pptpd, for example:
pptpd-1.3.4-1.el5.sme.x86_64.rpm

Install in the order above (I have not tried any other order). When downloading RPMs make sure they match the system: on a 64-bit system download the 64-bit packages, otherwise the install fails with an error.
2.2.2 Install and configure the VPN

[root@POPTOP home]# rpm -ivh dkms-2.0.17.5-1.noarch.rpm
warning: dkms-2.0.17.5-1.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
Preparing… ############################ [100%]
1:dkms ############################ [100%]
[root@POPTOP home]# rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
warning: kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
Preparing… ############################ [100%]
1:kernel_ppp_mppe ############################ [100%]

Creating symlink /var/lib/dkms/kernel_ppp_mppe/1.0.2/source ->
/usr/src/kernel_ppp_mppe-1.0.2
DKMS: add Completed.
Kernel preparation unnecessary for this kernel. Skipping…
Running the pre_build script:
Building module:
cleaning build area….
make KERNELRELEASE=2.6.18-194.el5 -C /lib/modules/2.6.18-194.el5/build M=/var/lib/dkms/kernel_ppp_mppe/1.0.2/build…..(bad exit status: 2)
Error! Bad return status for module build on kernel: 2.6.18-194.el5 (i686)
Consult the make.log in the build directory
/var/lib/dkms/kernel_ppp_mppe/1.0.2/build/ for more information.
Error! Could not locate ppp_generic.ko for module kernel_ppp_mppe in the DKMS tree.
You must run a dkms build for kernel 2.6.18-194.el5 (i686) first.
The build error above does not seem to matter: the 2.6.18 kernel already ships its own ppp_mppe module (the kernel has included MPPE since 2.6.14, see below), so the DKMS build of kernel_ppp_mppe is not actually needed. The "Header V3 DSA signature: NOKEY" warnings are worth noting too: rpm could not verify the package signature because the Poptop signing key (ID 862acc42) is not imported. Since these packages are fetched over plain HTTP, import the repository key with rpm --import (or verify checksums from a trusted source) before trusting them.
[root@POPTOP home]#
[root@POPTOP home]# rpm -qa kernel_ppp_mppe
kernel_ppp_mppe-1.0.2-3dkms
PPTP needs PPP. Although the system already ships PPP, that build does not necessarily support MPPE; if it does not, the system's PPP package has to be replaced. The -U flag means upgrade.
[root@POPTOP home]# rpm -Uvh ppp-2.4.4-14.1.rhel5.i386.rpm
warning: ppp-2.4.4-14.1.rhel5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
Preparing… ######################################### [100%]
1:ppp ######################################### [100%]
MPPE encryption also needs kernel support. Since Linux 2.6.14 the kernel has provided full PPTP support, including a free MPPE implementation. Check the kernel version with uname -r; if it is older than 2.6.14 you also need an MPPE kernel patch package such as kernel-mppe-2.4.20-8.i686.rpm.
Check the kernel version:
[root@POPTOP ~]# uname -r
2.6.18-194.el5
This is newer than 2.6.14, so no patch is needed.
[root@POPTOP home]# rpm -ivh pptpd-1.3.4-2.rhel5.i386.rpm
warning: pptpd-1.3.4-2.rhel5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
Preparing… ########################################### [100%]
1:pptpd ########################################### [100%]
[root@POPTOP home]#
2.2.3 Edit the configuration files

Three configuration files need editing. In the listings below, the lines that we change are the active (uncommented) directives, annotated with a short note; everything else is the explanatory comment text shipped with the packages.
/etc/pptpd.conf
/etc/ppp/options.pptpd
/etc/ppp/chap-secrets
I /etc/pptpd.conf: the configuration file the pptpd service reads when it starts (keywords are lowercase; comment lines start with #).

#
# $Id: pptpd.conf,v 1.10 2006/09/04 23:30:57 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
#

# TAG: ppp
#       Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
# The options file pptpd hands to pppd for every incoming connection.
option /etc/ppp/options.pptpd

# TAG: debug
#       Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#       Specifies timeout (in seconds) on starting ctrl connection
#
#stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay <if>
#       Turns on broadcast relay to clients from interface <if>
#
# Does not seem to be needed; to be looked at later.
#bcrelay eth2

# TAG: delegate
#       Delegates the allocation of client IP addresses to pppd.
#
#       Without this option, which is the default, pptpd manages the list of
#       IP addresses for clients and passes the next free address to pppd.
#       With this option, pptpd does not pass an address, and so pppd may use
#       radius or chap-secrets to allocate an address.
#
#delegate

# TAG: connections
#       Limits the number of client connections that may be accepted.
#
#       If pptpd is allocating IP addresses (e.g. delegate is not
#       used) then the number of connections is also limited by the
#       remoteip option.  The default is 100.
#
#connections 100

# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       These options are ignored if delegate option is set.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses separated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than the value of connections,
#          it will start at the beginning of the list and go until it
#          gets connections IPs. Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
# localip: the server's end of each PPP link. The value does not matter
#   much as long as the server routes for it; using an address of the
#   dial-in server itself is the clearest choice, and a single address is
#   enough (restriction 4 above).
# remoteip: the pool of addresses handed out to clients, one per
#   simultaneous client. As written below the pool is a single address, so
#   only one client can be connected at a time; a range in the form shown
#   in the examples above is what you normally want here.
localip 10.10.1.240-250
remoteip 211.147.95.148
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
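The localip/remoteip syntax above has a few traps: spaces, abbreviated ranges, the connections cap, and a "pool" that is really one address. The bash functions below are an added example, not part of the original page or of the pptpd project. They expand a pool specification exactly as the restrictions in the file describe and report how many clients a given localip/remoteip/connections combination can actually serve. The function names and error messages are my own; the rules are the ones stated in the pptpd.conf comments.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from pptpd): expand a pptpd.conf
# localip/remoteip list and compute the effective client capacity.
# Rules enforced are the file's own: comma-separated items, no spaces,
# ranges written as a.b.c.START-END with END in full (234-238, not 234-8).

# Print one address per line for a localip/remoteip specification.
pptp_expand_pool() {
    local spec="$1" item prefix last start end i old_ifs
    case "$spec" in
        ''|*[[:space:]]*) echo "error: empty spec or spaces in '$spec'" >&2; return 1 ;;
    esac
    old_ifs="$IFS"; IFS=','
    for item in $spec; do
        IFS="$old_ifs"
        case "$item" in
            *-*)
                prefix="${item%.*}"          # 192.168.0.245-249 -> 192.168.0
                last="${item##*.}"           #                   -> 245-249
                start="${last%-*}"; end="${last#*-}"
                case "$start" in ''|*[!0-9]*) echo "error: bad range '$item'" >&2; return 1 ;; esac
                case "$end"   in ''|*[!0-9]*) echo "error: bad range '$item'" >&2; return 1 ;; esac
                if [ "$end" -lt "$start" ] || [ "$end" -gt 255 ]; then
                    echo "error: no shortcuts in ranges: '$item' must be START-END with END >= START written out in full" >&2
                    return 1
                fi
                i=$start
                while [ "$i" -le "$end" ]; do
                    printf '%s.%s\n' "$prefix" "$i"
                    i=$((i + 1))
                done
                ;;
            *.*.*.*) printf '%s\n' "$item" ;;
            *) echo "error: not an IPv4 address: '$item'" >&2; return 1 ;;
        esac
    done
    IFS="$old_ifs"
}

# Number of addresses a specification yields; prints 0 and fails if invalid.
pptp_pool_count() {
    local out
    out=$(pptp_expand_pool "$1" 2>/dev/null) || { echo 0; return 1; }
    printf '%s\n' "$out" | awk 'END { print NR }'
}

# Effective number of simultaneous clients: the remoteip addresses, capped by
# the connections setting (default 100), as the TAG: connections text says.
pptp_max_clients() {
    local local_spec="$1" remote_spec="$2" connections="${3:-100}" nlocal nremote
    nlocal=$(pptp_pool_count "$local_spec") || nlocal=0
    nremote=$(pptp_pool_count "$remote_spec") || nremote=0
    if [ "$nlocal" -lt 1 ] || [ "$nremote" -lt 1 ]; then
        echo "error: localip/remoteip is empty or malformed" >&2
        return 1
    fi
    if [ "$nremote" -lt "$connections" ]; then echo "$nremote"; else echo "$connections"; fi
}

# The (Recommended) block as written on this page: a range for localip but a
# single remoteip, so only one client can be connected at a time.
pptp_max_clients '10.10.1.240-250' '211.147.95.148'                             # prints 1
# The alternative example from the same file: six client addresses.
pptp_max_clients '192.168.0.234-238,192.168.0.245' '192.168.1.234-238,192.168.1.245'   # prints 6
```

Run it against your own values before restarting pptpd; a result of 1 for the remoteip line is the symptom that the second client will be refused while the first is connected.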

II /etc/ppp/options.pptpd
This is the file named by the option keyword in /etc/pptpd.conf above: the configuration pppd uses for each incoming connection. Because PPTP's authentication and encryption are both done by PPP, the authentication and encryption settings for the VPN live in this file. Keep in mind what they buy you: PPTP authenticates with MS-CHAPv2 and encrypts with MPPE (RC4), and the MPPE keys are derived from the MS-CHAPv2 exchange. A captured MS-CHAPv2 handshake can be broken with single-DES effort, which also yields the session keys, so this configuration keeps casual eavesdroppers out but does not protect the tunnel against a capable adversary; treat PPTP as legacy access rather than as a confidentiality boundary.
[root@POPTOP ppp]# vi options.pptpd

###############################################################################
# $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $
#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection.  See "man pppd".
#
# You are expected to change this file to suit your system.  As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################

# Authentication

# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
# This acts like the authentication "domain"; it must match the server
# field of the entries in /etc/ppp/chap-secrets.
name POPTOP

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain

# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose which of the following sections you will use.)

# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap          # reject PAP authentication
refuse-chap         # reject CHAP authentication
refuse-mschap       # reject MS-CHAP (v1) authentication
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2   # MS-CHAPv2 is the only method left enabled
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128    # require 128-bit MPPE
# }}}

# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40        # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}

# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
ms-dns 8.8.8.8      # DNS servers handed to the clients
ms-dns 8.8.4.4

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
# Enable proxy ARP when the addresses handed to clients are in the same
# subnet as the internal network card.
proxyarp

# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address.  The default local IP address used at the server
# end is often the same as the address of the server.  To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100

# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump

# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp

# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp

# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd

# put plugins here
# (putting them higher up may cause them to send messages to the pty)

III /etc/ppp/chap-secrets
Client account and password information. The secrets are stored in plaintext, so the file must be readable by root only (chmod 600 /etc/ppp/chap-secrets; pppd reads it as root).

# Secrets for authentication using CHAP
# client        server  secret          IP addresses
"123456"        POPTOP  "123456"        "*"
"gxd"           *       "qwe123456"     *

"gxd" is the VPN user name on the client side;
"server" is the name of the VPN server, which must be the same as the name given in /etc/ppp/options.pptpd, or "*" to accept any server name;
"secret" is the login password;
"IP addresses" is the address (or list of addresses) the client is allowed to use for its end of the link; pppd rejects a client that asks for an address not in the list. If no restriction is needed set it to "*". Note that this field restricts the tunnel address, not the public address the client dials in from.
Avoid entries like the first one above, where the user name and the password are the same six digits: MS-CHAPv2 gives no protection against password guessing, and the password hash is also what the MPPE session keys are derived from.
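To see how the name in options.pptpd and the entries in chap-secrets fit together, here is an added bash check, my own and not from the page or from pppd. It parses a chap-secrets file with the quoting rules described above, compares every entry's server field with the name from options.pptpd, and flags the kind of weak entry shown in the first line. The sample file it writes is constructed to mirror the two entries above plus one deliberately mismatched entry; the function names and the 8-character threshold are my choices, not pppd rules.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from pppd): audit /etc/ppp/chap-secrets
# against the "name" configured in /etc/ppp/options.pptpd.
#   - the server field must equal that name or be "*", else pppd never matches the entry
#   - secrets equal to the user name or shorter than 8 characters are flagged
#     (8 is my threshold, not a pppd rule)
# Fields are whitespace separated; "double quotes" group a field; # starts a comment.

# Split one chap-secrets line into fields, one per output line, honouring quotes.
chap_fields() {
    local rest field
    rest=$(printf '%s' "$1" | tr '\t' ' ')
    while [ -n "$rest" ]; do
        rest="${rest#"${rest%%[! ]*}"}"        # drop leading blanks
        [ -n "$rest" ] || break
        case "$rest" in
            '"'*)
                rest="${rest#\"}"
                case "$rest" in *\"*) ;; *) echo "error: unterminated quote" >&2; return 1 ;; esac
                field="${rest%%\"*}"
                rest="${rest#*\"}"
                ;;
            *)
                field="${rest%% *}"
                rest="${rest#"$field"}"
                ;;
        esac
        printf '%s\n' "$field"
    done
}

# Audit: prints one line per entry (ok / WARN / ERROR) and returns 1 if any
# entry is not ok.  $1 = chap-secrets path, $2 = the "name" from options.pptpd.
chap_secrets_audit() {
    local file="$1" name="$2" line n client server secret addrs problems rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                      # strip comments (keep secrets free of '#')
        case "$line" in *[![:space:]]*) ;; *) continue ;; esac
        n=$(chap_fields "$line" | awk 'END { print NR }')
        if [ "$n" -lt 3 ]; then
            printf 'ERROR\tmalformed entry (need client server secret [addresses]): %s\n' "$line"; rc=1; continue
        fi
        { IFS= read -r client; IFS= read -r server; IFS= read -r secret; IFS= read -r addrs || addrs=''; } <<EOF
$(chap_fields "$line")
EOF
        if [ "$server" != '*' ] && [ "$server" != "$name" ]; then
            printf 'ERROR\t%s: server field "%s" does not match name "%s" in options.pptpd; pppd will never use this entry\n' "$client" "$server" "$name"
            rc=1; continue
        fi
        problems=''
        [ "${#secret}" -ge 8 ] || problems="$problems secret shorter than 8 chars;"
        [ "$secret" != "$client" ] || problems="$problems secret equals user name;"
        if [ -n "$problems" ]; then
            printf 'WARN\t%s:%s\n' "$client" "$problems"; rc=1
        else
            printf 'ok\t%s (allowed tunnel address: %s)\n' "$client" "${addrs:-any}"
        fi
    done < "$file"
    return $rc
}

# Constructed sample mirroring the two entries on this page plus one whose
# server field is wrong; not a real secrets file.
chap_write_sample() {
    cat > "$1" <<'EOF'
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
"123456"        POPTOP  "123456"                "*"
"gxd"           *       "qwe123456"             *
"alice"         pptpd   "correct horse battery" 10.10.1.5
EOF
}

f=$(mktemp); chap_write_sample "$f"
chap_secrets_audit "$f" POPTOP || true      # exit status 1: one WARN, one ERROR
rm -f "$f"
```

On a live server run chap_secrets_audit /etc/ppp/chap-secrets POPTOP with whatever value your name line carries; an entry reported as ERROR is exactly the case where a client gets a correct-looking password rejected because the server field and the name line disagree.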

2.3 Managing the pptpd service

2.3.1 Starting pptpd

/sbin/service pptpd start
Related commands:
start: service pptpd start
stop: service pptpd stop
restart: service pptpd restart
2.3.2 Start at boot

chkconfig --level 345 pptpd on    # register the service for runlevels 3, 4 and 5
pptpd listens on TCP port 1723, the port fixed by the PPTP protocol, so checking that port is a quick way to see whether pptpd is running: netstat -ntpl
If the service is running you will see a line like this:
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 24981/pptpd

2.4 Configure the VPN server's firewall

The VPN server itself is now deployed. This step sets the rules that decide which requests the VPN server will handle and which are rejected, that is, the firewall settings. On Linux the firewall is configured with the iptables command; see its documentation for the details.
The nat table is what makes packet masquerading and forwarding work: packets coming from the internal network are rewritten by the VPN server so that they appear to originate from its external address.
iptables -t nat -F    # flush all rules in the nat table (this also removes any MASQUERADE rule already present)
Open TCP port 1723 (the PPTP control connection) and allow the GRE protocol, which carries the tunnelled data. GRE is IP protocol 47, not a TCP port: a rule for tcp dport 47 opens the unrelated ni-ftp port (that is what iptables -L later shows as dpt:ni-ftp) and does nothing for PPTP, so it is left out here.

/sbin/iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

/sbin/iptables -A INPUT -p gre -j ACCEPT

service iptables save    # save the firewall rules

2.5 Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward
or, to make it persistent:
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1    # add this line to /etc/sysctl.conf
/sbin/sysctl -p
This step is important: without it clients can dial in successfully but cannot reach resources on the internal network. Forwarding on its own is not NAT; for clients to reach the Internet through the server you also need the MASQUERADE (or SNAT) rule in the nat POSTROUTING chain shown in 2.7 below. With that, the basic configuration is complete.
2.6 Troubleshooting

Check whether the pptpd service is running:
[root@POPTOP ppp]# ps -ef | grep pptpd
root 7361 1 0 11:51 ? 00:00:00 /usr/sbin/pptpd
root 7429 7361 0 11:51 ? 00:00:00 pptpd [192.168.16.13:C000 - 0080]

Check the iptables rules:
[root@POPTOP ppp]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:pptp
ACCEPT tcp -- anywhere anywhere tcp dpt:ni-ftp
ACCEPT gre -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
The dpt:ni-ftp line is the tcp dport 47 rule: iptables resolved TCP port 47 to the ni-ftp service, which confirms that it has nothing to do with GRE; the ACCEPT gre rule is the one that admits the tunnel. Note also that all three chain policies are ACCEPT, so on this host the rules do not actually restrict anything yet.

2.7 Boot-time services

With the configuration above correct and dial-in working, the machine was rebooted.
Dial-in then failed with error 678.
Check on the Linux side:
netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:1000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
There is no service on port 1723: pptpd is not running.
Start the pptpd service:
[root@POPTOP ~]# service pptpd start
Starting pptpd: [ OK ]
Dial-in now succeeds, but pinging outside hosts fails. Most likely IP forwarding is not enabled. After running
[root@POPTOP ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
the pings work immediately. So both of these need to be enabled at boot.
First switch the display language to English, then run the service manager:
[root@POPTOP ~]# export LANG=en    # switch the display to English (a bare LANG=en does not affect child processes)
[root@POPTOP ~]# ntsysv             # start the service manager
Select pptpd and choose OK to exit; pptpd will now start with the system. (chkconfig --level 345 pptpd on from 2.3.2 does the same thing.)

The forwarding setting echo 1 > /proc/sys/net/ipv4/ip_forward also has to run at boot. Either use the /etc/sysctl.conf line from 2.5 (the cleaner way) or append it to /etc/rc.d/rc.local:
vi /etc/rc.d/rc.local
[root@POPTOP rc.d]# vi rc.local

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward    # added: enable IP forwarding at boot

Check the interfaces with ifconfig to find the NIC that faces the Internet (the one to masquerade on) //// not used for now
iptables -t nat -A POSTROUTING -s 192.168.0.0/25 -o eth1 -j MASQUERADE

Linux PPTPD VPN server: no Internet access after connecting, and error 619
In this situation the client usually reports that the port on the VPN server is closed.
Solution:
http://www.wanghailin.cn/linux-pptpd-619-internet/
Mine was the first case described there, the logwtmp option in /etc/pptpd.conf:
logwtmp

iptables setup
After this step a connected client can reach the Internet as well as mainland sites.
iptables -t nat -A PREROUTING -d PUBLIC_IP -p tcp --dport 80 -j DNAT --to PRIVATE_IP:80
iptables -t nat -A POSTROUTING -d PRIVATE_IP -p tcp --dport 80 -j SNAT --to PUBLIC_IP

-- run the following after the server starts
iptables -t nat -A PREROUTING -d 47.88.191.150 -p tcp --dport 80 -j DNAT --to 10.45.67.158:80
iptables -t nat -A POSTROUTING -d 10.45.67.158 -p tcp --dport 80 -j SNAT --to 47.88.191.150
(The original put this SNAT rule in PREROUTING, which iptables rejects: the SNAT target is only valid in POSTROUTING, as the template above shows. These two port-80 rules publish an internal web server and have nothing to do with PPTP; they are here only because they were part of the same start-up script.)

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.9.0/24 -o eth0 -j MASQUERADE

service iptables save
-- if clients can connect but cannot reach the Internet
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j SNAT --to-source 47.88.191.150
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
service iptables save
The source network in the MASQUERADE or SNAT rule must be the remoteip pool from /etc/pptpd.conf; the snippets above use three different networks (192.168.9.0/24 here, 192.168.0.0/24 in the fallback, and the single address 211.147.95.148 in pptpd.conf), so use the one that matches your remoteip line. SNAT --to-source suits a fixed public address; MASQUERADE suits an address that may change, since it uses whatever address the outgoing interface has. The tcp port 47 rule from the original was dropped here: TCP port 47 is ni-ftp, and the GRE rule is what admits the tunnel.
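The three failures this page walks through (error 678 after a reboot, a tunnel that never comes up, and a client that connects but cannot reach anything) each correspond to one piece of state on the server. The bash function below is an added example, not part of the page or of any tool it mentions: it checks that state from saved iptables-save and netstat -tln output plus the ip_forward value, so it can be run against a capture as well as on the box itself. The sample files it writes are constructed to mirror this page's rules, including the tcp port 47 mistake; the function names and messages are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from iptables/pptpd): preflight for a
# PPTP server from saved state. Inputs: iptables-save output, netstat -tln
# output, the value of /proc/sys/net/ipv4/ip_forward, and the client pool
# (the remoteip network from /etc/pptpd.conf). Prints ok/WARN/ERROR lines
# and returns 1 if anything is an ERROR.

# Print the -A rules of one table ($2) from iptables-save output ($1).
ipt_table() {
    awk -v want="$2" '/^\*/ { cur = substr($1, 2); next } cur == want && /^-A / { print }' "$1"
}

pptp_preflight() {
    local rules="$1" listeners="$2" ip_forward="$3" pool="$4" rc=0
    local filter nat policy pool_re

    # 1. Control channel: something must listen on TCP 1723, or Windows
    #    clients fail with error 678 (as happened after the reboot above).
    if grep -Eq '[.:]1723[[:space:]].*LISTEN' "$listeners"; then
        printf 'ok\tpptpd is listening on TCP 1723\n'
    else
        printf 'ERROR\tnothing listening on TCP 1723 (clients see error 678): start pptpd and enable it at boot\n'
        rc=1
    fi

    # 2. Filter rules: TCP 1723 and GRE (IP protocol 47) must be admitted.
    filter=$(ipt_table "$rules" filter)
    policy=$(awk '/^\*filter/ { t = 1 } t && /^:INPUT / { print $2; exit }' "$rules")
    if [ "$policy" = ACCEPT ]; then
        printf 'ok\tINPUT policy is ACCEPT, so 1723 and GRE are admitted by default\n'
    else
        if printf '%s\n' "$filter" | grep -Eq -- '-A INPUT .*-p tcp .*--dport 1723 .*-j ACCEPT'; then
            printf 'ok\tTCP 1723 accepted\n'
        else
            printf 'ERROR\tINPUT policy is %s and TCP 1723 is not accepted\n' "$policy"; rc=1
        fi
        if printf '%s\n' "$filter" | grep -Eq -- '-A INPUT .*-p (gre|47) .*-j ACCEPT'; then
            printf 'ok\tGRE (IP protocol 47) accepted\n'
        else
            printf 'ERROR\tGRE not accepted: the control channel connects but the tunnel never comes up\n'; rc=1
        fi
    fi
    # "tcp --dport 47" is a common mistake: TCP port 47 is ni-ftp, which is why
    # iptables -L on this page shows "dpt:ni-ftp". Harmless, but useless for PPTP.
    if printf '%s\n' "$filter" | grep -Eq -- '-p tcp .*--dport 47( |$)'; then
        printf 'WARN\ttcp dport 47 is ni-ftp, not GRE; this rule does nothing for PPTP\n'
    fi

    # 3. Forwarding and NAT: without both, clients dial in fine but reach nothing.
    if [ "$ip_forward" = 1 ]; then
        printf 'ok\tnet.ipv4.ip_forward = 1\n'
    else
        printf 'ERROR\tnet.ipv4.ip_forward = %s: clients connect but cannot reach beyond the server\n' "$ip_forward"; rc=1
    fi
    nat=$(ipt_table "$rules" nat)
    pool_re=$(printf '%s' "$pool" | sed 's/[.]/\\./g')
    if printf '%s\n' "$nat" | grep -Eq -- "-A POSTROUTING .*-s $pool_re .*-j (MASQUERADE|SNAT)"; then
        printf 'ok\tnat POSTROUTING masquerades/SNATs the client pool %s\n' "$pool"
    else
        printf 'ERROR\tno MASQUERADE/SNAT in nat POSTROUTING for the client pool %s (must match remoteip in pptpd.conf)\n' "$pool"; rc=1
    fi
    return $rc
}

# Constructed samples mirroring this page's state (not captured from a real host).
pptp_write_samples() {
    cat > "$1/rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 47 -j ACCEPT
-A INPUT -p gre -j ACCEPT
COMMIT
EOF
    cat > "$1/ports" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
EOF
    # The same host right after a reboot with pptpd not enabled: no 1723 listener.
    grep -v ':1723' "$1/ports" > "$1/ports.after-reboot"
}

d=$(mktemp -d); pptp_write_samples "$d"
pptp_preflight "$d/rules" "$d/ports" 1 192.168.0.0/24 || true                   # one WARN (tcp 47)
echo '--- after reboot, forwarding off, pool does not match remoteip:'
pptp_preflight "$d/rules" "$d/ports.after-reboot" 0 10.10.1.0/24 || true        # three ERRORs
rm -rf "$d"
```

On the server itself: iptables-save > rules; netstat -tln > ports; then pptp_preflight rules ports "$(cat /proc/sys/net/ipv4/ip_forward)" followed by your remoteip network. Each ERROR line names the symptom from this page that the missing piece produces.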

service pptpd restart
On the client side, make ppp0 the default route so that all traffic goes through the VPN (do not do this on the server, it would route the server's own traffic into a client tunnel):
route del default; route add default dev ppp0
route -n
To restore the previous route:
route del default dev ppp0; route add default gw 192.168.1.1 dev eth0

// Routing notes
http://www.jiangmiao.org/blog/1914.html
//****************************************************************************************************
//**************** Frequently asked questions
//****************************************************************************************************

// ARP: unexpected disconnects, and the fix
https://www.lidaren.com/archives/1229

// GRE: read(fd=6,buffer=611860,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
// (this message in /var/log/messages means pppd exited unexpectedly: check the syntax of /etc/ppp/options.pptpd and the pppd log lines before it)

// Check who is connected to the VPN

last | grep still | grep ppp    # works because logwtmp in /etc/pptpd.conf records sessions in wtmp; "still logged in" entries are live ppp sessions

tail -f /var/log/messages

Attachment: VPN服务器实施方案.doc (VPN server implementation plan)