Have you ever wanted to set up your own VPN server? By following the steps below, you can set up your own L2TP VPN server on CentOS 6. Note that an L2TP VPN, which we’re setting up here, is more secure than a PPTP VPN server. OpenVPN is another alternative to L2TP VPNs, but OpenVPN requires OpenVPN software on the client device. In contrast, L2TP VPNs are supported out of the box in most modern operating systems (Windows, Mac OS X, Ubuntu, RHEL, CentOS) as well as mobile devices (iOS [iPhones, iPads], Android, and Windows Phone).

Packages to install

yum install lsof man
yum install openswan
yum install ppp xl2tpd

Note: You need to have the epel repository installed to install xl2tpd. To install epel if you haven’t already, check this post.

Potential OpenSwan version issues with iOS devices behind NAT

OpenSwan version 2.6.32-18.el6_3 had a bug wherein iOS devices were unable to make a successful VPN connection if they were behind NAT, which includes attempting a VPN connection while connected to a cellular network. Downgrading to version 2.6.32-16.el6 allowed iOS devices to again connect.

It appears that this bug is fixed as of version 2.6.32-21.2.el6, but do note if you have trouble getting iOS devices to work behind NAT, it may be due to the version of OpenSwan you’ve installed.

For more information, see this page: http://bugs.centos.org/view.php?id=5832

IP Addresses in this example

 In the following configuration files, various IP addresses are listed. Change these IPs to match your environment

  • 10.0.100.0/24 – Internal LAN IP subnet: This is the IP subnet used on your local LAN that the VPN server resides upon.
  • 10.0.100.3 – Local IP used by VPN server for the L2TP tunnels: This is a completely made up number – you are assigning an IP address to the tunnel side of your VPN server. Make sure the IP you assign is not within your DHCP server’s DHCP scope.
  • 10.0.100.50-100 – Local IP range to be handed out to VPN-connected clients: You define your own range here – make sure it’s in the same subnet as your local LAN but not part of your DHCP scope.
  • 10.0.100.2 – IP address of VPN server: This is the primary IP address of the VPN server on your local LAN – this should be a static or statically assigned address.
  • 10.0.100.1 – DNS server: This is the DNS server that the L2TP VPN-connected clients will use.
  • 10.0.100.1 – Gateway/Router: This is the IP address of the border router on your internal network – it can be NAT’ed.

Configuration Files

/etc/sysctl.conf 

Edit the file to allow IP forwarding:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Reload sysctl with this command:

sysctl -p

/etc/rc.local

Add the following block to the bottom of the configuration file:

# Correct ICMP Redirect issues with OpenSWAN

for each in /proc/sys/net/ipv4/conf/*; do
        echo 0 > $each/accept_redirects
        echo 0 > $each/send_redirects
        echo 0 > $each/rp_filter
done

/etc/ipsec.conf

In the ipsec.conf file, you define a “left” and “right” side of the IPsec connection. In this example, the “left” side is your internal LAN, while the “right” side is the remote, client side which originates on port 1701.Make sure to change the virtual_private line to match your internal LAN subnet.

nehelpers is set to 0 to work around an error message when network helpers are not available.

plutodebug may be set to “control” if you wish to see messages logged in /var/log/pluto.log. Note: I do not suggest leaving this turned on as the log file will quickly grow to a massive size.

Additional lines are added at the bottom of the defined L2TP-PSK connection to better handle compatibility with Mac OS X and iOS clients.

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version       2.0    # conforms to second version of ipsec.conf specification

# basic configuration

config setup
       interfaces=%defaultroute
       klipsdebug=none
       nat_traversal=yes
       nhelpers=0
       oe=off
       plutodebug=none
       plutostderrlog=/var/log/pluto.log
       protostack=netkey
       virtual_private=%v4:10.0.100.0/24

conn L2TP-PSK
       authby=secret
       pfs=no
       auto=add
       keyingtries=3
       rekey=no
       type=transport
       forceencaps=yes
       right=%any
       rightsubnet=vhost:%any,%priv
       #rightprotoport=17/0       rightprotoport=17/%any  多客户端不同账号同一IP连接VPN,尝试过有问题
       # Using the magic port of "0" means "any one single port". This is
       # a work around required for Apple OSX clients that use a randomly
       # high port, but propose "0" instead of their port.
       left=%defaultroute
       leftprotoport=17/1701
       # Apple iOS doesn't send delete notify so we need dead peer detection
       # to detect vanishing clients
       dpddelay=10
       dpdtimeout=90
       dpdaction=clear

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

/etc/ipsec.secrets 

First, create a new host key for the machine — this example is using a pre-shared key (PSK), but it’s still a good idea to generate the machine key:

    ipsec newhostkey --output /etc/ipsec.secrets --bits 2048 --verbose --configdir /etc/pki/nssdb/

Next, add a line with the internal LAN IP address of the server, the var %any:PSK to use the pre-shared key, and then define the pre-shared key in quotes.

    10.0.100.2      %any:     PSK     "yourPSKHere"

In the /etc/IPsec.secrets file, make sure you remove or uncomment the line “include /etc/ipsec.d/*.secrets,” or you’ll get an error and the VPN just won’t connect.

: RSA  {

# Your RSA generated machine key will be here after running the above IPsec newhostkey command

}

# do not change the indenting of that "}"
    10.0.100.2      %any:     PSK     "yourPSKHere"
Make sure you set the permissions on your secrets file to keep it private.
sudo chown root:root /etc/ipsec.secrets
sudo chmod 600 /etc/ipsec.secrets

/etc/xl2tpd/xl2tpd.conf

This is the xl2tpd configuration file. Make sure to change the listen-addr to that of your server, the ip range for your VPN clients, and the local IP of the VPN interface on the server.
[global]
listen-addr = 10.0.100.2
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; ipsec refinfo = 30
;
; works around bug: http://bugs.centos.org/view.php?id=5832

force userspace = yes

;
[lns default]
ip range = 10.0.100.50-10.0.100.100
local ip = 10.0.100.3
; leave chap unspecified for maximum compatibility with windows, iOS, etc
; require chap = yes
refuse pap = yes
require authentication = yes
name = CentOSVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd

ms-dns should be set to the DNS server you wish the VPN clients to use. You can specify multiple DNS servers by adding multiple ms-dns entries on separate lines.

ipcp-accept-local
ipcp-accept-remote
ms-dns  10.0.100.1
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/ppp.log

/etc/ppp/chap-secrets

This is the file in which you define your user accounts for the VPN — they are in username and password pairs.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
user1           *       sgrongPassword1         *
user2           *       strongPassword2         *

Secure the /etc/ppp/chap-secrets file

sudo chown root:root /etc/ppp/chap-secrets
sudo chmod 600 /etc/ppp/chap-secrets

IPTables Configuration

If you are running IPTables as the firewall on your VPN server, run the following commands to allow functioning VPN access

#Allow ipsec traffic
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT

#Do not NAT VPN traffic
iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE

#Forwarding rules for VPN
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#Ports for Openswan / xl2tpd
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

#Save your configuration
iptables save

Note that if your current firewall configuration contains the following lines, your VPN connection will fail!

Remove these lines if they exist in your /etc/sysconfig/iptables file:

iptables -A INPUT -j REJECT –reject-with icmp-host-prohibited iptables -A FORWARD -j REJECT –reject-with icmp-host-prohibited, the VPN connection will fail!

Enable and Start Services

chkconfig xl2tpd on
chkconfig ipsec on
service ipsec start
service xl2tpd start

Optional configuration

Ignore ICMP Redirects:

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done

Don’t send ICMP Redirects:

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done

Troubleshooting

To see if your IPsec configuration looks OK, run the following command:

ipsec verify

You can also enable logging in /etc/ipsec.conf by setting plutodebug to “control”. This will log messages to /var/log/pluto.log.

There is an additional log file in /var/log/ppp.log.

Helpful links

http://confoundedtech.blogspot.com/2011/08/android-nexus-one-ipsec-psk-vpn-with.html

http://coding.zencoffee.org/2012/10/ipsecl2tp-vpn-server-on-centos-6-psk.html

http://amadys.blogspot.com/2010/06/openswan-2626-ipsec-for-linux.html

http://comments.gmane.org/gmane.network.openswan.user/20373

http://www.drlongghost.com/wordpress/2011/04/22/trying-to-get-iphone-to-ubuntu-vpn-working-with-openswan/

http://www.pariahzero.net/Blog/files/e7d5abf84a96640d5cd70dd0dfb3d200-71.html

http://agit8.turbulent.ca/bwp/2011/01/setting-up-a-vpn-server-with-ubuntu-1004-and-strongswan/

Categories: CentOS, Linux, VPN

How to: Set up Openswan L2TP VPN Server on CentOS 6的更多相关文章

  1. 通过openswan基于Azure平台搭建VPN server

    用过Azure的读者都知道,Vnet一直是Azure比较自豪的地方,尤其是VPN,Azure提供了两种VPN以及专线来保证客户数据的安全性,S2S vpn(站点到站点的,基于IPsec的),P2S v ...

  2. CentOS Linux VPS安装IPSec+L2TP VPN

    CentOS Linux VPS安装IPSec+L2TP VPN 时间 -- :: 天使羊波波闪耀光芒 相似文章 () 原文 http://www.live-in.org/archives/818.h ...

  3. setting up a IPSEC/L2TP vpn on CentOS 6 or Red Hat Enterprise Linux 6 or Scientific Linux

    This is a guide on setting up a IPSEC/L2TP vpn on CentOS 6 or Red Hat Enterprise Linux 6 or Scientif ...

  4. Win10 连接L2TP VPN 失败解决方法

    Win10 连接L2TP VPN 失败解决方法 iOS系统不知道在什么时候,已经不支持PPTP VPN.偶尔的机会刚好看到github上的一键式VPN服务器部署脚本setup-ipsec-vpn,就在 ...

  5. 如何在Ubuntu 11.10上连接L2TP VPN

    要在家继续项目的开发,但架设的GitLab只能校内访问,更悲催的是学校架设的SSL VPN不支持Linux,好在想起学校以前架设的L2TP VPN,应该可以支持Linux,于是便一通谷歌百度,然而发现 ...

  6. Andorid 6连接Libreswan L2TP VPN

    手机升级到Android 6以后,以前正常使用的L2TP VPN却无法连接了.服务器端日志: "vpnpsk"[119] 114.249.245.192 #240: no acce ...

  7. Centos6一键搭建L2TP VPN服务器

    用VPS在墙上打洞还有一种叫L2TP,也是常见的一种方式.本脚本结合了L2TP(Layer Tunneling Protocol)和IPSec(Internet Protocol Security), ...

  8. juniper防火墙 L2TP VPN配置

    juniper防火墙 L2TP  VPN配置 建立L2TP_POOL 创建连接的用户: 创建用户组: 更改L2TP的连接池: 更改L2TP的隧道: 设置防火墙的策略: Win7连接:

  9. Installing MySQL Server on CentOS

    MySQL is an open-source relational database. For those unfamiliar with these terms, a database is wh ...

随机推荐

  1. Javascript基础系列之(七)函数(argument访问函数参数)

    argument是javascript中函数的一个特殊参数,例如下文,利用argument访问函数参数,判断函数是否执行 <script type="text/javascript&q ...

  2. DOM(七)使用DOM控制表格

    表格的css控制就先不说了,首先分享下表格常用的DOM 表格添加操作的方法常用的为insertRow()和insertCell()方法. row是从零开始计算起的,例如: var oTr = docu ...

  3. 第六章:javascript:字典

    字典是一种以键-值对应形式存储的数据结构,就像电话薄里的名字和电话号码一样.只要找一个电话,查找名字,名字找到后,电话号码也就找到了.这里的键值是你用来查找的东西,值就是要查的到的结果. javasc ...

  4. ansible 常用模块

    http://www.linuxidc.com/Linux/2015-02/113068.htm

  5. ansible 的组件inventory

    P44 Ansible 的默认的inventory的是一个静态的ini格式的文件/etc/ansible/hosts. 我们还可以通过ansible_hosts环境变脸指定或者运行ansible和an ...

  6. DML语言练习,数据增删改查,复制清空表

    Connected Connected as TEST@ORCL SQL> select * from t_hq_bm; BUMBM BUMMC DIANH ---------- ------- ...

  7. Winform中的PictureBox读取图像文件无法释放的问题

    今天做一拍照程序,相机SDK什么都搞定,就为了显示图像并且保存照片的步骤卡了半天. 原因是预览图像使用了PictureBox,载入图片文件的方式为: pictureBoxPhoto.Image = I ...

  8. 【Gym 100712A】Who Is The Winner?

    题 题意 解题数目越多越排前,解题数目相同罚时越少越排前,求排第一的队伍名字. 分析 用结构体排序. 代码 #include<cstdio> #include<algorithm&g ...

  9. MySql与Java的时间类型

    MySql的时间类型有          Java中与之对应的时间类型date                                           java.sql.DateDatet ...

  10. slf4j和log4j配置

    SLF4J即简单日志门面(Simple Logging Facade for Java),不是具体的日志解决方案,它只服务于各种各样的日志系统.按照官方的说法,SLF4J是一个用于日志系统的简单Fac ...