Setting up an L2TP VPN on CentOS

**Updated again on 6 December 2014**

“Layer Two Tunneling Protocol, abbreviated L2TP, is a virtual tunnelling protocol commonly used for virtual private networks. L2TP itself does not encrypt the data it carries, but it can be combined with an encryption protocol to provide encrypted transport.”

Quoted from the rather unreliable Wikipedia.

Since PPTP cannot connect on some ISPs, and I had also switched to KVM, I had been planning to set up L2TP for a while. For a lazy person like me a one-click installer would have been ideal, but unfortunately I tried every one-click script I could find online and none of them worked, so there was nothing for it but to set it up by hand.

This tutorial was verified on 32-bit CentOS 6.3.

1. Update the system

```sh
yum -y update
```

2. Install the required packages

```sh
yum install -y make gcc gmp-devel xmlto bison flex xmlto libpcap-devel lsof vim-enhanced man
```

3. Install Openswan and PPP

```sh
yum install openswan ppp
```

4. Install xl2tpd (look up the build that matches your system at http://pkgs.org/)

```sh
wget http://dl.fedoraproject.org/pub/epel/6/i386/xl2tpd-1.3.6-1.el6.i686.rpm
rpm -Uvh xl2tpd-1.3.6-1.el6.i686.rpm
yum install xl2tpd
```

5. Configuration

Edit /etc/ipsec.conf

```sh
nano /etc/ipsec.conf
```

Append at the end (replace `<server-IP>` with the server's public IP address):

```
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=<server-IP>
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
```

Edit /etc/ipsec.secrets

```sh
nano /etc/ipsec.secrets
```

Add (same `<server-IP>` as above, and your own pre-shared key in place of `<shared-secret>`):

```
<server-IP> %any: PSK "<shared-secret>"
```

Edit /etc/sysctl.conf

```sh
nano /etc/sysctl.conf
```

Append at the end:

```
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
```

Apply sysctl.conf

```sh
sysctl -p
```

Verify that IPsec is running

```sh
ipsec setup stop
ipsec setup start
ipsec verify
```

If you see the following output, it worked:

```
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-431.11.2.el6.i686 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
```

Edit /etc/xl2tpd/xl2tpd.conf

```sh
nano /etc/xl2tpd/xl2tpd.conf
```

Change (again using the server's public IP for `<server-IP>`):

```
listen-addr = <server-IP>
force userspace = yes
```

Edit /etc/ppp/options.xl2tpd

```sh
nano /etc/ppp/options.xl2tpd
```

Change the DNS servers:

```
ms-dns 8.8.8.8
ms-dns 8.8.4.4
```

Edit /etc/ppp/chap-secrets

```sh
nano /etc/ppp/chap-secrets
```

Add your own username and password (fields are client, server, secret, allowed IP addresses):

```
username * userpass *
```
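Because chap-secrets holds every VPN account's password in clear text, the things worth checking after editing it are its permissions, that every line has the four fields shown above, that no secret is trivially short, and that no client name is listed twice (pppd uses the first match, so a duplicate silently shadows a later entry). The following audit is an added example and not part of the original post; the sample file it writes is constructed for illustration, and the real file is /etc/ppp/chap-secrets.

```shell
# Added example, not part of the original post: audit a chap-secrets file for
# world-readable permissions, malformed lines, short secrets and duplicate
# client names. The sample file contents are constructed for illustration.

# Print one finding per line; return 1 if anything was found, 0 if clean.
# Lines are read as "client server secret [ip]". Secrets written in double
# quotes with spaces inside are not parsed specially here.
audit_chap_secrets() {
    file="$1"
    findings=0
    mode=$(ls -ld "$file" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "permissions: $file is $mode, expected -rw------- (chmod 600)"
        findings=$((findings + 1))
    fi
    seen=""
    lineno=0
    set -f   # disable globbing: the "*" fields must not expand to file names
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line
        case "${1:-}" in ''|'#'*) continue ;; esac   # blank or comment line
        if [ $# -lt 3 ]; then
            echo "line $lineno: expected 'client server secret [ip]', got $# fields"
            findings=$((findings + 1))
            continue
        fi
        client="$1"; secret="$3"
        if [ "${#secret}" -lt 12 ]; then
            echo "line $lineno: secret for '$client' is ${#secret} chars, want at least 12"
            findings=$((findings + 1))
        fi
        case " $seen " in
            *" $client "*)
                echo "line $lineno: duplicate client '$client'"
                findings=$((findings + 1)) ;;
        esac
        seen="$seen $client"
    done < "$file"
    set +f
    [ "$findings" -eq 0 ]
}

# Constructed sample with three deliberate problems (a short secret, a
# duplicate client, a truncated line), written with mode 0600 so that only
# those three are reported.
write_sample_chap_secrets() {
    out="$1"
    ( umask 077; : > "$out" ) || return 1
    chmod 600 "$out"
    cat >> "$out" <<'EOF'
# client   server   secret                 IP addresses
alice      *        Tr0ub4dor-3-longer     *
bob        *        short                  *
alice      *        AnotherLongSecret1     *
carol      *
EOF
}

# Usage on the VPN host:  audit_chap_secrets /etc/ppp/chap-secrets
```

The 12-character minimum is this example's own threshold, not anything pppd enforces; CHAP transmits a hash of the secret, so a short one is exposed to offline guessing by anyone who can capture the exchange.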

Restart xl2tpd

```sh
service xl2tpd restart
```

Open the ports and enable forwarding

```sh
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
iptables -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
```
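The one rule in that list that is easy to get wrong is the udp/1701 accept: it carries `-m policy --dir in --pol ipsec` so that L2TP is only accepted after it has been decrypted by IPsec. A bare `--dport 1701 -j ACCEPT` would let unencrypted L2TP reach xl2tpd directly and the PSK would protect nothing. The following is an added example, not code from the original post: it reads a saved rule set (the output of `iptables-save`, which is also what `service iptables save` writes to /etc/sysconfig/iptables), confirms the rules above are present, and flags a 1701 rule that lacks the policy match. The rule dump in `sample_dump` is constructed for the test and only resembles real `iptables-save` output.

```shell
# Added example, not part of the original post: check a saved iptables rule
# set for the rules the guide adds, and flag udp/1701 accepted outside IPsec.
# The sample dump below is constructed, not captured from a real host.

# True if the rule dump in $1 contains a line matching the extended regex $2.
dump_has() {
    printf '%s\n' "$1" | grep -Eq -e "$2"
}

# Reads a rule dump on stdin, prints one finding per line, returns 1 if any.
check_vpn_rules() {
    dump=$(cat)
    findings=0
    # Each entry is "<regex>@<label>"; iptables-save inserts "-m udp" after
    # "-p udp", so the patterns allow arbitrary text between the parts.
    for spec in \
        '^-A INPUT .*-p udp .*--dport 500 -j ACCEPT@IKE (udp/500) accept rule' \
        '^-A INPUT .*-p udp .*--dport 4500 -j ACCEPT@NAT-T (udp/4500) accept rule' \
        '^-A INPUT .*--pol ipsec .*--dport 1701 .*-j ACCEPT@L2TP (udp/1701) accept rule restricted to IPsec' \
        '^-A FORWARD -i ppp\+ .*-j ACCEPT@forward rule for ppp+ client interfaces' \
        '^-A POSTROUTING .*-j MASQUERADE@NAT masquerade for VPN clients'
    do
        pattern="${spec%%@*}"
        label="${spec#*@}"
        if ! dump_has "$dump" "$pattern"; then
            echo "missing: $label"
            findings=$((findings + 1))
        fi
    done
    # Inverse check: an INPUT rule that accepts udp/1701 but has no IPsec
    # policy match exposes plaintext L2TP to the Internet.
    if printf '%s\n' "$dump" | grep -E '^-A INPUT .*--dport 1701 .*-j ACCEPT' \
            | grep -Eqv -e '--pol ipsec'; then
        echo "exposed: udp/1701 accepted without '-m policy --dir in --pol ipsec'"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample in iptables-save format, holding every rule from the
# guide (counters zeroed). Used by the test; on a host you would pipe the
# real output instead:  iptables-save | check_vpn_rules
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
```

The check is deliberately pattern-based rather than a full rule parser: it is meant to be run once after `service iptables save` to catch a forgotten or mistyped rule, not to replace reading the saved file.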

Enable the services at boot

```sh
chkconfig xl2tpd on
chkconfig iptables on
chkconfig ipsec on
```

6. That completes the setup; reboot.

```sh
reboot
```