I. Installing PPTP

1. Test whether the kernel supports PPTP; if `ok` is printed, the test passed:

```
modprobe ppp-compress-18 && echo ok
cat /dev/ppp
```

If `cat /dev/ppp` reports `Permission denied`, PPP is most likely not supported on this instance.

![modprobe20160204152807](http://www.iganlei.cn/wp-content/uploads/2016/02/modprobe20160204152807.jpg)

2. Install ppp and iptables:

```
yum install -y perl ppp iptables
```

On Aliyun ECS, iptables is already installed by default.

![listppp20160204154440](http://www.iganlei.cn/wp-content/uploads/2016/02/listppp20160204154440.jpg)

3. Install PPTP. Pick the stable build for your platform from `http://poptop.sourceforge.net/yum/stable/`:

```
wget http://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.4.0-1.el6.x86_64.rpm
rpm -ivh pptpd-1.4.0-1.el6.x86_64.rpm
```

![pptp20160204154957](http://www.iganlei.cn/wp-content/uploads/2016/02/pptp20160204154957.jpg)

4. Enable IPv4 packet forwarding (`vi /etc/sysctl.conf`):

```
net.ipv4.ip_forward = 1
```

Run `sysctl -p` to apply the setting to the running kernel.

5. Edit the pptpd PPP options. Back up the file first, then add the DNS servers pushed to clients:

```
cp /etc/ppp/options.pptpd /etc/ppp/options.pptpd.bak
echo "ms-dns 8.8.8.8" >> /etc/ppp/options.pptpd
echo "ms-dns 8.8.4.4" >> /etc/ppp/options.pptpd
```

6. Add an account:

```
vi /etc/ppp/chap-secrets
```

Each entry has the form `<username> pptpd <password> *`; the last column is the client IP the entry is valid for, and `*` means any IP:

```
austgl pptpd 123456 *
```

7. Configure `/etc/pptpd.conf` (back it up first):

```
cp /etc/pptpd.conf /etc/pptpd.conf.bak
vi /etc/pptpd.conf
```

```
localip 192.168.220.1
remoteip 192.168.220.234-238,192.168.220.245
```

8. Add the NAT rule and restart the services:

```
iptables -t nat -A POSTROUTING -s 192.168.220.0/24 -o eth1 -j SNAT --to-source 58.96.173.134
service iptables save
service pptpd restart
service iptables restart
```

Note: replace the `--to-source 58.96.173.134` address with the public IP of your own ECS/VPS, and change `eth1` to the interface that carries that public address.
Restarting pptpd prints the following warning:

```
Warning: a pptpd restart does not terminate existing
connections, so new connections may be assigned the same IP
address and cause unexpected results. Use restart-kill to
destroy existing connections during a restart.
```

To drop existing connections during the restart, use:

```
service pptpd restart-kill
```
9. Start the services on boot:

```
chkconfig pptpd on
chkconfig iptables on
```
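As an added example (not from the original post), this Python script parses the `localip`/`remoteip` syntax of `pptpd.conf` from step 7 and checks that every address in the pool falls inside the `-s` source subnet of the SNAT rule from step 8, so no client is handed an address the NAT rule does not translate. `PPTPD_CONF` and `SNAT_RULE` are constructed from the values above; the function names are the example's own.

```python
# Added example (not from the original post): confirm that the pptpd.conf
# pool from step 7 is fully covered by the SNAT rule from step 8. pptpd's
# remoteip shorthand "192.168.220.234-238" expands the last octet.
# PPTPD_CONF and SNAT_RULE are constructed from the values in the post.
import ipaddress
import re

PPTPD_CONF = """\
localip 192.168.220.1
remoteip 192.168.220.234-238,192.168.220.245
"""
SNAT_RULE = ("iptables -t nat -A POSTROUTING -s 192.168.220.0/24 "
             "-o eth1 -j SNAT --to-source 58.96.173.134")

def expand_pptpd_ips(spec):
    """Expand a pptpd address list such as '10.0.0.5-9,10.0.0.20'."""
    out = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "-" in item:                      # last-octet range a.b.c.X-Y
            base, last = item.rsplit("-", 1)
            prefix, first = base.rsplit(".", 1)
            out += [ipaddress.IPv4Address(f"{prefix}.{o}")
                    for o in range(int(first), int(last) + 1)]
        else:
            out.append(ipaddress.IPv4Address(item))
    return out

def parse_pptpd_conf(text):
    """Return (localip, [remoteip, ...]); '#' comments are ignored."""
    local, remote = None, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts[:1] == ["localip"]:
            local = ipaddress.IPv4Address(parts[1])
        elif parts[:1] == ["remoteip"]:
            remote = expand_pptpd_ips(parts[1])
    return local, remote

def check_nat_coverage(conf_text, snat_rule):
    """Return a list of problems; an empty list means pool and NAT rule agree."""
    local, remote = parse_pptpd_conf(conf_text)
    subnet = ipaddress.IPv4Network(re.search(r"-s\s+(\S+)", snat_rule).group(1))
    problems = [f"{ip} is not covered by SNAT source {subnet}"
                for ip in remote if ip not in subnet]
    if local in remote:
        problems.append(f"localip {local} collides with the remoteip pool")
    if local is not None and local not in subnet:
        problems.append(f"localip {local} is outside SNAT source {subnet}")
    return problems

if __name__ == "__main__":
    print(check_nat_coverage(PPTPD_CONF, SNAT_RULE) or "OK: pool and SNAT agree")
```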
II. Installing IPSec/L2TP

1. Install the build tools:

```
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof
```

Find the version you want at https://download.openswan.org/openswan/

2. Download, build and install openswan (https://download.openswan.org/openswan/openswan-latest.tar.gz):

```
tar zxvf openswan-2.6.46.tar.gz   # openswan-latest.tar.gz unpacked to 2.6.46 at the time
cd openswan-2.6.46
make programs install
```

The build failed with an error (see https://github.com/xelerance/Openswan/issues/171). After switching to 2.6.43 it built and installed successfully.

3. Install xl2tpd:

```
yum install xl2tpd
```

4. Edit the configuration.
Edit `/etc/ipsec.conf`:

```
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null
    plutostderrlog=/var/log/ipsec.log

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#    # Left security gateway, subnet behind it, nexthop toward right.
#    left=10.0.0.1
#    leftsubnet=172.16.0.0/24
#    leftnexthop=10.22.33.44
#    # Right security gateway, subnet behind it, nexthop toward left.
#    right=10.12.12.1
#    rightsubnet=192.168.0.0/24
#    rightnexthop=10.101.102.103
#    # To authorize this connection, but not actually start it,
#    # at startup, uncomment this.
#    #auto=add

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=5
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=58.96.173.134
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
```

`left` is the server's public IP.

Next, edit the IP range and local IP address in `/etc/xl2tpd/xl2tpd.conf` (`vi /etc/xl2tpd/xl2tpd.conf`); these addresses must not conflict with or duplicate the addresses used on the internal network.

Edit `/etc/ppp/options.xl2tpd` (`vi /etc/ppp/options.xl2tpd`) and change the `ms-dns` values.

Add the VPN account information in `/etc/ppp/chap-secrets` (`vi /etc/ppp/chap-secrets`).

![vpn20160204181046](http://www.iganlei.cn/wp-content/uploads/2016/02/vpn20160204181046.jpg)
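As an added example (not from the original post), the following Python parses an Openswan `ipsec.conf` into sections, resolves the `also=` inheritance that `L2TP-PSK-NAT` uses to pull in `L2TP-PSK-noNAT`, and checks that every conn ends up with the transport-mode L2TP settings shown above (`type=transport`, `leftprotoport=17/1701`, `authby=secret`, `right=%any`, and `left` equal to the server IP). `IPSEC_CONF` is a constructed excerpt using the post's values, `SERVER_IP` is the post's example address, and the function names are the example's own.

```python
# Added example (not from the original post): parse an Openswan ipsec.conf,
# resolve also= inheritance between conns, and check each conn's effective
# settings against the transport-mode L2TP setup above. Inputs constructed.
SERVER_IP = "58.96.173.134"
IPSEC_CONF = """\
config setup
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    type=transport
    left=58.96.173.134
    leftprotoport=17/1701
    right=%any
"""

def parse_ipsec_conf(text):
    """Return {'config setup' | 'conn NAME': {key: value}}; comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():        # unindented: section header or directive
            words = line.split()
            is_hdr = words[0] in ("config", "conn") and len(words) == 2
            current = sections.setdefault(" ".join(words), {}) if is_hdr else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def resolve(sections, name, seen=()):
    """Effective settings of a conn: also= parent first, own keys override."""
    own = dict(sections[name])
    parent = own.pop("also", None)
    if not parent or name in seen:       # no parent, or an also= cycle
        return own
    return {**resolve(sections, "conn " + parent, seen + (name,)), **own}

def check_l2tp_conns(conf, server_ip):
    """Return deviations of each conn's effective settings from the L2TP setup."""
    sections = parse_ipsec_conf(conf)
    expected = {"type": "transport", "leftprotoport": "17/1701",
                "authby": "secret", "right": "%any", "left": server_ip}
    effective = {n: resolve(sections, n) for n in sections if n.startswith("conn ")}
    return [f"{name}: {k}={eff.get(k)!r}, expected {v!r}"
            for name, eff in effective.items()
            for k, v in expected.items() if eff.get(k) != v]
```

Run it against the real file with `check_l2tp_conns(open("/etc/ipsec.conf").read(), "<your public IP>")`; an empty list means both conns match.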
Terminal session for the firewall rules and service restarts:

```
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables --table nat --append POSTROUTING --jump MASQUERADE
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -t nat -A POSTROUTING -s 192.168.140.0/24 -o eth0 -j MASQUERADE^C
[root@iZ62nfbnzj5Z openswan-2.6.43]# vi /etc/ppp/options.xl2tpd
[root@iZ62nfbnzj5Z openswan-2.6.43]# vi /etc/ipsec.secrets
[root@iZ62nfbnzj5Z openswan-2.6.43]# vi /etc/ppp/chap-secrets
[root@iZ62nfbnzj5Z openswan-2.6.43]# vi /etc/xl2tpd/xl2tpd.conf
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -A FORWARD -j REJECT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
[root@iZ62nfbnzj5Z openswan-2.6.43]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:   [ OK ]
[root@iZ62nfbnzj5Z openswan-2.6.43]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter nat         [ OK ]
iptables: Flushing firewall rules:                            [ OK ]
iptables: Unloading modules:                                  [ OK ]
iptables: Applying firewall rules:                            [ OK ]
[root@iZ62nfbnzj5Z openswan-2.6.43]# /etc/init.d/pppd-dns restart
-bash: /etc/init.d/pppd-dns: No such file or directory
[root@iZ62nfbnzj5Z openswan-2.6.43]# /etc/init.d/pppd restart
-bash: /etc/init.d/pppd: No such file or directory
[root@iZ62nfbnzj5Z openswan-2.6.43]# /etc/init.d/xl2tpd restart
Stopping xl2tpd:                                              [FAILED]
Starting xl2tpd:                                              [ OK ]
[root@iZ62nfbnzj5Z openswan-2.6.43]# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec U2.6.43/K2.6.32-431.23.3.el6.x86_64...
[root@iZ62nfbnzj5Z openswan-2.6.43]# ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path                               [OK]
Openswan U2.6.43/K2.6.32-431.23.3.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                          [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                          [OK]
         ICMP default/accept_redirects                        [OK]
         XFRM larval drop                                     [OK]
Hardware random device check                                  [N/A]
Two or more interfaces found, checking IP forwarding          [OK]
Checking rp_filter                                            [OK]
Checking that pluto is running                                [OK]
 Pluto listening for IKE on udp 500                           [OK]
 Pluto listening for IKE on tcp 500                           [NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500                    [OK]
 Pluto listening for IKE/NAT-T on tcp 4500                    [NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)                 [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                                [TEST INCOMPLETE]
Checking 'ip' command                                         [IP XFRM BROKEN]
Checking 'iptables' command                                   [OK]

ipsec verify: encountered errors
```
Enable the services on boot:

```
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
```