A-A+
CentOS6下搭建VPN服务器__PPTP配置和排错
一、配置前操作
之前由于公司重新装修,公司网络重新部署了。网络划分了多个VLAN。公网也是分几个IP出口的。由于我不是windows专业。对于网络也不是很熟悉,所以也不太会(现在在努力学习网络方面的知识)。公司网络部署好以后,肯定是需要VPN服务的。这个是处于安全考虑必须的问题。但是网络的具体配置是有设备提供商来操作的,路由具体是如何走的,这些都是无法及时沟通的。导致那时候VPN服务器一直没有配置好。也很郁闷,最后是在硬件设备上实现的。
这段时间空闲下来了,决定还是要研究下当时到底是哪里的问题。
于是重新配置了一遍。安装环境就是CentOS 6.2 64位。一些开发包组安装完全。pptp这些都是yum使用epel源安装的:
# yum -y install dkms ppp pptpd
安装完这三个包,查看mppe模块是否装载。
- [root@localhost ppp]# lsmod | grep mppe
- ppp_mppe 6404 0
- ppp_generic 25379 2 ppp_async,ppp_mppe
- # 如果没有装载,使用命令装载
- # modprobe ppp-compress-18
- # lsmod | grep mppe # 再次查看
以上装载完成后,打开内核转发功能:
- # grep "^[^#]" /etc/sysctl.conf
- net.ipv4.ip_forward = 1 # 这个的值改为1
- net.ipv4.conf.default.rp_filter = 1
- net.ipv4.conf.default.accept_source_route = 0
- kernel.sysrq = 0
- kernel.core_uses_pid = 1
- net.ipv4.tcp_syncookies = 1
- net.bridge.bridge-nf-call-ip6tables = 0
- net.bridge.bridge-nf-call-iptables = 0
- net.bridge.bridge-nf-call-arptables = 0
- kernel.msgmnb = 65536
- kernel.msgmax = 65536
- kernel.shmmax = 68719476736
- kernel.shmall = 4294967296
- # 执行下面命令生效
- # sysctl -p
二、配置PPTP
1、安装pptp生成以下文件:
- # rpm -ql pptpd
- /etc/ppp/options.pptpd # 配置文件
- /etc/pptpd.conf # 配置文件
- /etc/rc.d/init.d/pptpd # 启动脚本
- /etc/sysconfig/pptpd # 脚本配置文件
- /usr/bin/vpnstats.pl
- /usr/bin/vpnuser
- /usr/lib64/pptpd
- /usr/lib64/pptpd/pptpd-logwtmp.so
- /usr/sbin/bcrelay
- /usr/sbin/pptp-portslave
- /usr/sbin/pptpctrl
- /usr/sbin/pptpd
- ......
- # 安装ppp生成的以下文件
- # rpm -ql ppp
- /etc/logrotate.d/ppp
- /etc/pam.d/ppp
- /etc/ppp
- /etc/ppp/chap-secrets # 主要这个是pptpd的账号认证文件
- /etc/ppp/options
- /etc/ppp/pap-secrets
- .......
2、有了以上这些,我们来直接配置:
1、配置pptpd.conf
- # grep "^[^#]" /etc/pptpd.conf
- option /etc/ppp/options.pptpd
- localip 192.168.0.1
- remoteip 192.168.0.2-20
2、配置options.pptpd
- # grep "^[^#]" /etc/ppp/options.pptpd
- name pptpd
- refuse-pap
- refuse-chap
- refuse-mschap
- require-mschap-v2
- require-mppe-128
- proxyarp
- debug # 这两项是调试排错启用的选项
- dump #
- lock
- nobsdcomp
- novj
- novjccomp
- nologfd
- idle 2592000
- ms-dns 114.114.114.114 # DNS
- ms-dns 8.8.8.8
3、认证账号
- # cat /etc/ppp/chap-secrets
- # Secrets for authentication using CHAP
- # client server secret IP addresses
- test pptpd test *
- # 配置很简单。
- # 启动服务
- # service pptpd start
- # ss -tunl | grep 1723
- tcp 0 3 *:1723 *:*
3、配置iptables对pptpd放行
- # cat /etc/sysconfig/iptables
- # Generated by iptables-save v1.4.7 on Wed Jan 21 11:25:45 2015
- *nat
- :PREROUTING ACCEPT [5:539]
- :POSTROUTING ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 10.95.10.105 # 地址转换
- COMMIT
- # Completed on Wed Jan 21 11:25:45 2015
- # Generated by iptables-save v1.4.7 on Wed Jan 21 11:25:45 2015
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [223:27476]
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -p icmp -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p gre -j ACCEPT # 放行47端口
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
- -A INPUT -p tcp --dport 1723 -j ACCEPT # 放行1723端口
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 9000 -j ACCEPT
- -A INPUT -j REJECT --reject-with icmp-host-prohibited
- #-A FORWARD -j REJECT --reject-with icmp-host-prohibited
- COMMIT
- # Completed on Wed Jan 21 11:25:45 2015
- # 由于我使用的是默认策略,所以不符合规则的默认是DROP的,此时FORWARD链需要放行为ACCEPT,默认是不符合规则的都DROP。
到此就可以在windows下测试连接了。
三、连接和排错
配置好windows下的VPN连接后,测试连接是可以获取到IP地址的,并且QQ等服务是正常的。但是出现了除了百度其他的网页都可以访问。唯独百度域名的不能访问。接着又出现第二个问题,就是VPN连接一端时间后,自动断开。断开后重新连接时反复报错,内容如下:
- Jan 22 14:04:24 localhost pppd[22168]: nobsdcomp#011#011# (from /etc/ppp/options.pptpd)
- Jan 22 14:04:24 localhost pppd[22168]: require-mppe-128#011#011# (from /etc/ppp/options.pptpd)
- Jan 22 14:04:24 localhost pppd[22168]: pppd 2.4.5 started by root, uid 0
- Jan 22 14:04:24 localhost pppd[22168]: Using interface ppp0
- Jan 22 14:04:24 localhost pppd[22168]: Connect: ppp0 <--> /dev/pts/3
- Jan 22 14:04:24 localhost pptpd[22167]: GRE: read(fd=7,buffer=60a400,len=8260) from network failed: status = -1 error = Protocol not available
- Jan 22 14:04:24 localhost pptpd[22167]: CTRL: GRE read or PTY write failed (gre,pty)=(7,6)
- Jan 22 14:04:24 localhost pppd[22168]: Modem hangup
- Jan 22 14:04:24 localhost pppd[22168]: Connection terminated.
- Jan 22 14:04:25 localhost pppd[22168]: Exit.
- Jan 22 14:04:25 localhost pptpd[22167]: CTRL: Client 10.95.11.7 control connection finished
- Jan 22 14:04:25 localhost pptpd[22176]: CTRL: Client 10.95.11.7 control connection started
- Jan 22 14:04:25 localhost pptpd[22176]: CTRL: Starting call (launching pppd, opening GRE)
- Jan 22 14:04:25 localhost pppd[22177]: pppd options in effect:
- # ......
- # 中间都是debug的一些信息
- # ......
- Jan 22 14:04:25 localhost pppd[22177]: 192.168.0.1:192.168.0.2#011#011# (from command line)
- Jan 22 14:04:25 localhost pppd[22177]: nobsdcomp#011#011# (from /etc/ppp/options.pptpd)
- Jan 22 14:04:25 localhost pppd[22177]: require-mppe-128#011#011# (from /etc/ppp/options.pptpd)
- Jan 22 14:04:25 localhost pppd[22177]: pppd 2.4.5 started by root, uid 0
- Jan 22 14:04:25 localhost pppd[22177]: Using interface ppp0
- Jan 22 14:04:25 localhost pppd[22177]: Connect: ppp0 <--> /dev/pts/3
- Jan 22 14:04:25 localhost pptpd[22176]: GRE: read(fd=7,buffer=60a400,len=8260) from network failed: status = -1 error = Protocol not available
- Jan 22 14:04:25 localhost pptpd[22176]: CTRL: GRE read or PTY write failed (gre,pty)=(7,6)
- Jan 22 14:04:25 localhost pppd[22177]: Modem hangup
- Jan 22 14:04:25 localhost pppd[22177]: Connection terminated.
- Jan 22 14:04:25 localhost pppd[22177]: Exit.
根据提示是GRE的问题,但是上述已经放行GRE端口。于是baidu、google很久,有说版本问题的,有说内核补丁(未测试)、iptables、gre内核模块的。一一尝试后都不行,于是请教大神。截图过去后,大神说可能是MTU大小问题。于是再次连接后,查看ppp0的MTU,发现ppp0的MTU是1396,与eth0的和gre的确实不一样。于是就动态改了下MTU测试:
1、查看mtu:
- # ip a | grep mtu
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
- 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
- 254: gre0: <NOARP> mtu 1472 qdisc noop state DOWN
- # 可以查看到所有网卡的mtu值,此处可以看到eth0的是1500,gre0的是1472
2、 查看某个网卡的MTU,ppp0的需要连接VPN后才能查看
- # cat /sys/class/net/ppp0/mtu
- #
- # 更改其值
- # echo "1472" > /sys/class/net/ppp0/mtu
- # 改完以后测试立即就能访问百度了。看来真的是这个问题。于是把它添加到连接自动设置其值。
3、配置VPN连接自动设置MTU的值
- # 1. 网上有说放到options.pptpd配置文件中,但是测试写到里面还是不生效,不过我也写上了。
- # 在DNS下面添加:
- ms-dns 114.114.114.114
- ms-dns 8.8.8.8
- mtu 1472
- mru 1472
- # 2. 写到/etc/ppp/ip-up中
- # vim /etc/ppp/ip-up
- #!/bin/bash
- # This file should not be modified -- make local changes to
- # /etc/ppp/ip-up.local instead
- PATH=/sbin:/usr/sbin:/bin:/usr/bin
- export PATH
- LOGDEVICE=$6
- REALDEVICE=$1
- [ -f /etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE} ] && /etc/sysconfig/network-scripts/ifup-post --realdevice ${REALDEVICE} ifcfg-${LOGDEVICE}
- /etc/ppp/ip-up.ipv6to4 ${LOGDEVICE}
- [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"
- /sbin/ifconfig ppp0 mtu 1472 # 添加到这里
- exit 0
- # 断开VPN后重新测试连接,发现一切正常。
到目前测试都是正常的,如果还有问题,后续在补充......