vultr服务器L2TP搭建
阅读原文时间:2023年07月09日阅读:2

  前期准备,购买外服,选择vultr服务商,可选择洛杉矶的,系统为Ubuntu 14.04 x64

一、安装L2TP/IPSec

wget --no-check-certificate https://raw.githubusercontent.com/teddysun/across/master/l2tp.sh

chmod +x l2tp.sh

./l2tp.sh

Please input IP-Range:
(Default Range: 192.168.18):
输入本地IP段范围(本地电脑连接到VPS后给分配的一个本地IP地址),直接回车意味着输入默认值192.168.18

Please input PSK:
(Default PSK: teddysun.com):
PSK意为预共享密钥,即指定一个密钥将来在连接时需要用到,直接回车意味着输入默认值teddysun.com

Please input Username:
(Default Username: teddysun):
Username意为用户名,即第一个默认用户。直接回车意味着输入默认值teddysun

Please input teddysun’s password:
(Default Password: Q4SKhu2EXQ):
输入用户的密码,默认会随机生成一个10位包含大小写字母和数字的密码,当然你也可以指定密码。

ServerIP:your_server_main_IP
显示你的 VPS 的主 IP(如果是多 IP 的 VPS 也只显示一个)

Server Local IP:192.168.18.1
显示你的 VPS 的本地 IP(默认即可)

Client Remote IP Range:192.168.18.2-192.168.18.254
显示 IP 段范围

PSK:teddysun.com
显示 PSK

Press any key to start…or Press Ctrl+c to cancel
按下任意按键继续,如果想取消安装,请按Ctrl+c键

默认设置,全部回车安装

apt-get install openswan xl2tpd ppp lsof

二、设置防火墙和sysctl

iptables -t nat -A POSTROUTING -j SNAT --to-source VPS的ip -o eth+

echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

 使sysctl生效

sysctl -p

 开机自启

将如下内容加入到/etc/rc.local(需要加载exit 0前面)

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables -t nat -A POSTROUTING -j SNAT --to-source VPS的ip -o eth+

三、配置Openswan (IPSEC)

将/etc/ipsec.conf替换为如下内容(推荐备份原文件)

version 2 # conforms to second version of ipsec.conf specification

config setup
dumpdir=/var/run/pluto/
#in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?

nat\_traversal=yes
#whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec

virtual\_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
#contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.

protostack=netkey
#decide which protocol stack is going to be used.

force\_keepalive=yes
keep\_alive=60
# Send a keep-alive packet every 60 seconds.

conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.

pfs=no
#Disable pfs

auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.

keyingtries=3
#Only negotiate a conn. 3 times.

ikelifetime=8h
keylife=1h

ike=aes256-sha1,aes128-sha1,3des-sha1
phase2alg=aes256-sha1,aes128-sha1,3des-sha1
# https://lists.openswan.org/pipermail/users/2014-April/022947.html
# specifies the phase 1 encryption scheme, the hashing algorithm, and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why 'modp' instead of dh? DH2 is a 1028 bit encryption algorithm that modulo's a prime number, e.g. modp1028. See RFC 5114 for details or the wiki page on diffie hellmann, if interested.

type=transport
#because we use l2tp as tunnel protocol

left=45.63.48.198你的Vpn地址
#fill in server IP above

leftprotoport=17/1701
right=%any
rightprotoport=17/%any

dpddelay=10
# Dead Peer Dectection (RFC 3706) keepalives delay
dpdtimeout=20
#  length of time (in seconds) we will idle without hearing either an R\_U\_THERE poll from our peer, or an R\_U\_THERE\_ACK reply.
dpdaction=clear
# When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.

四、设置shared secret

修改文件/etc/ipsec.secrets

VPS的ip %any: PSK "你的L2Tp的共享密钥"

五、检验IPSEC

ipsec verify

  如果没错误的话,会返回如下内容

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-24-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

实际出错

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-132-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Hardware RNG detected, testing if used properly [FAILED]

Hardware RNG is present but 'rngd' or 'clrngd' is not running.
No harware random used!

Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

【解决问题】

Hardware RNG detected, testing if used properly [FAILED]

安装rng-tools
apt-get install rng-tools

Two or more interfaces found, checking IP forwarding [FAILED]

  检查以上配置文件中的vps的ip是否写错

六、配置xl2tpd

配置文件/etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
saref refinfo = 30

;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

 七、本地用户授权

修改文件/etc/xl2tpd/xl2tpd.conf,加入如下内容

unix authentication = yes

  移除如下内容

refuse pap = yes

  修改文件/etc/ppp/options.xl2tpd,加入如下内容

login

  修改文件/etc/pam.d/ppp

auth required pam_nologin.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so

  修改文件/etc/ppp/pap-secrets,加入如下内容

* l2tpd "" *

八、修改ppp

修改文件/etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

  九、增加用户

修改文件/etc/ppp/chap-secrets

# Secrets for authentication using CHAP

client server secret IP addresses

用户名 l2tpd 你的连接密码 *

十、重启生效

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart