L2TP通俗的说就是一种VPN隧道技术。
VPN就是一种网络穿透技术,可以让你链接到一处网络,同时本身的流量限制就会失效变成链接处的网络规则。所以如果你在外网服务器上搭建后连接上去,你的网络就可以变成没有国内限制,可以自由的访问外网。但是在国际上搭建信道是犯法的!!!
一、这是检测服务器支不支持搭建的方法
先看看你的主机是否支持pptp,返回结果为yes就表示通过。
modprobe ppp-compress-18 && echo yes是否开启了TUN,有的虚拟机主机需要开启,返回结果为cat: /dev/net/tun: File descriptor in bad state,就表示通过。
cat /dev/net/tun二、正式搭建命令
1.首先一台全新的服务器记得换源
2.安装必要程序
3.编辑pppoptfile文件
4.修改L2tp的配置文件
5.添加账号密码
6.创建预共享密钥
7.修改内核参数
8.建立ipsec 与 l2tp 服务关联的配置文件
9.iptables安装配置
10.启动
1.首先一台全新的服务器记得换源
yum install -y epel-release2.安装这一堆花里胡哨的必要程序
yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man xl2tpd libreswan nano3.编辑pppoptfile文件
nano /etc/ppp/options.xl2tpdrequire-mschap-v2 #加上这个
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 1.1.1.1
# ms-dns 192.168.1.1
# ms-dns 192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
auth
#obsolete: crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
#obsolete: lock
proxyarp
connect-delay 5000
# To allow authentication against a Windows domain EXAMPLE, and require the
# user to be in a group "VPN Users". Requires the samba-winbind package
# require-mschap-v2
# plugin winbind.so
# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"'
# You need to join the domain on the server, for example using samba:
# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html4.修改L2tp的配置文件
nano /etc/xl2tpd/xl2tpd.conf ;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network
; is 192.168.1.0/24. A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.
[global]
listen-addr = 192.168.5.243 #改成自己的外网IP
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
ipsec saref = yes #去掉;注释号
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
; when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes
[lns default]
ip range = 192.168.1.100-192.168.1.200 #分配给VPN客户端的IP,这个可以随便用,但是后面对应的要改
local ip = 192.168.1.99 #本地的IP网段一致不要被分配就行
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes5.添加账号密码
nano /etc/ppp/chap-secrets# Secrets for authentication using CHAP
#client server secret IP addresses
test * 123456 *6.创建预共享密钥
nano /etc/ipsec.d/ipsec.secrets#include /etc/ipsec.d/*.secrets
%any %any: PSK "123456"7.修改内核参数
nano /etc/sysctl.confnet.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0 #每三句对应一个网卡
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0sysctl -p8.建立ipsec 与 l2tp 服务关联的配置文件
nano /etc/ipsec.d/l2tp_psk.confconn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=10.20.120.2 #也是网卡IP
leftprotoport=17/1701
right=%any
rightprotoport=17/%any9.iptables安装配置
yum install -y iptables
yum install -y iptables-servicessystemctl stop firewalld
systemctl mask firewalldiptables -L -niptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Ziptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
service iptables save
/bin/systemctl restart iptables.service10.启动,分开执行,看看有没有错
systemctl start ipsec
systemctl enable ipsec
ipsec verifysystemctl start xl2tpd
systemctl enable xl2tpd
systemctl status xl2tpd使用预共享密钥的L2TP/IPsec
服务器地址:
预共享密钥:123456
账号一:test
密码:123456三、连接教程
四、其他问题
错误描述:
无法建立计算机与VPN服务器之间的网络连接,因为远程服务器未响应。这可能是因为未将计算机与远程服务器之间的某种网络设备(如防火墙、NAT、路由器等)配置为允许VPN连接。请与管理员或服务提供商联系以确定哪种设备可能 产生此问题。
解决办法:
首先分析原因:原因是L2TP连接需要IPSec加密,可能是IPSec加密被禁用了,需要在注册表启用它,具体步骤如下:
win+r键打开运行框,输入 regedit 打开注册表;
找到 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters 将ProhibitIPSec的值改为0;
找到 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent 将 AssumeUDPEncapsulationContextOnSendRule的值改为2;
重启计算机;
错误描述:
L2TP连接尝试失败,因为安全层在初始化与远程计算机的协商时遇到了一个处理错误
解决办法:
win+r键打开运行框,输入 regedit 打开注册表;
找到 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters 将 AllowL2TPweakcryphto 的值改为1,重启计算机
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters 将ProhibitIPSec的值改为1;HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters 将 AllowL2TPweakcryphto 的值改为0,重启计算机