阿里云服务器ECS专有网络上部署VPN(L2TP)

安装程序

yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced

yum install -y openswan

yum install -y xl2tpd

 

修改配置 /etc/ipsec.conf

config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=专有网络内网IP
leftid=
leftprotoport=17/1701
right=%any
rightid=%any
rightprotoport=17/%any

 

 

修改配置 /etc/ipsec.secrets

公网IP %any: PSK “密码”

 

修改配置 /etc/sysctl.conf

sed -i ‘s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g’ /etc/sysctl.conf
sed -i ‘s/net.ipv4.conf.default.rp_filter = 1/net.ipv4.conf.default.rp_filter = 0/g’ /etc/sysctl.conf
sysctl -p

 

iptables –table nat –append POSTROUTING –jump MASQUERADE

 

for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done

修改配置 /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
[lns default]
ip range = 192.168.111.2-192.168.111.254
local ip = 192.168.111.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

修改配置 /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

修改配置 /etc/ppp/chap-secrets

vpn l2tpd ${pass} *

 

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p

 

放行流量

#Allow ipsec traffic
iptables -A INPUT -m policy –dir in –pol ipsec -j ACCEPT
iptables -A FORWARD -m policy –dir in –pol ipsec -j ACCEPT
#Do not NAT VPN traffic
iptables -t nat -A POSTROUTING -m policy –dir out –pol none -j MASQUERADE
#Forwarding rules for VPN
iptables -A FORWARD -i ppp+ -p all -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT
#Ports for Openswan / xl2tpd
iptables -A INPUT -m policy –dir in –pol ipsec -p udp –dport 1701 -j ACCEPT
iptables -A INPUT -p udp –dport 500 -j ACCEPT
iptables -A INPUT -p udp –dport 4500 -j ACCEPT

 

 

 

粗暴放行：

iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o eth0 -j MASQUERADE