[Fedora 14-17] 架設VPN Server (pptpd)

安裝PPTPD及相關服務

yum install -y rp-pppoe gcc pptp pptp-setup  ppp ppp-devel
 
安裝方式有二種:
 
RPM安裝(要依照Linux的版本安裝)
 
例如Fedora 14 (32bit)
wget http://poptop.sourceforge.net/yum/stable/fc14/i386/pptpd-1.3.4-2.fc14.i686.rpm
rpm -ivh pptpd-1.3.4-2.fc14.i686.rpm
 
Fedora 14 (64bit)
wget http://poptop.sourceforge.net/yum/stable/fc14/x86_64/pptpd-1.3.4-2.fc14.x86_64.rpm
rpm -ivh pptpd-1.3.4-2.fc14.x86_64.rpm
 
YUM安裝(要依照Linux的版本安裝)
 
rpm -ivh http://poptop.sourceforge.net/yum/stable/fc14/pptp-release-current.noarch.rpm
yum install pptpd
 
 
下載並安裝核心模組
 
 
wget http://sourceforge.net/projects/poptop/files/mppe%20module%20builder/kernel_ppp_mppe-1.0.2%20dkms-2.0.6/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm/download
 
wget http://downloads.sourceforge.net/project/poptop/mppe%20module%20builder/kernel_ppp_mppe-1.0.2%20dkms-2.0.6/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fpoptop%2Ffiles%2Fmppe%2520module%2520builder%2Fkernel_ppp_mppe-1.0.2%2520dkms-2.0.6%2F&ts=1341655470&use_mirror=nchc
 
wget http://downloads.sourceforge.net/project/poptop/mppe%20module%20builder/kernel_ppp_mppe-1.0.2%20dkms-2.0.6/dkms-2.0.6-1.noarch.rpm?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fpoptop%2Ffiles%2Fmppe%2520module%2520builder%2Fkernel_ppp_mppe-1.0.2%2520dkms-2.0.6%2F&ts=1341655518&use_mirror=nchc
 
rpm -ivh dkms-2.0.6-1.noarch.rpm
rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
 
 
若沒有按照版本安裝會有類似以下錯誤: 
Error! Bad return status for module build on kernel: 3.4.2-1.fc16.x86_64 (x86_64)
Consult the make.log in the build directory
/var/lib/dkms/kernel_ppp_mppe/1.0.2/build/ for more information.
 
Error! Could not locate ppp_generic.ko for module kernel_ppp_mppe in the DKMS tree.
You must run a dkms build for kernel 3.4.2-1.fc16.x86_64 (x86_64) first.
 
========================================================
 
設定PPTPD
 
 
設定Client看到的伺服器IP,以及DHCP分發的IP範圍
vi /etc/pptpd.conf
加入以下:
localip 10.0.0.1
remoteip 10.0.0.10-100
 
—————————————————-
 
設定pptpd的加密方式和發給Client的DNS
vi /etc/ppp/options.pptpd
refuse-pap
refuse-chap
refuse-mschap
 
require-mschap-v2
require-mppe-128
 
ms-dns 168.95.1.1
 
—————————————————-
 
設定帳號密碼(若使用ppp撥號(xDSL),撥號的帳密也會在這裡)
格式為:
帳號、使用的服務、密碼、接受的IP(通常為*號)
中間用空格隔開
 
vi /etc/ppp/chap-secrets
內容大致為:
# client        server           secret             IP addresses
[email protected]”      *         “your password”
test pptpd 12345 *
 
 
—————————————————- 
 
設定系統IP轉發
vi /etc/sysctl.conf
修改
net.ipv4.ip_forward = 1
 
讓系統重新載入設定值
sysctl -p
 
—————————————————-
 
設定防火牆
 
主要是設定讓PPTP的Client能夠NAT上網
請依照對外連線的網路卡代號取代掉ppp0
ppp+的代表用來連接VPN Client的網卡,不需更動
vi /etc/sysconfig/iptables
 
 
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
 
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
# 其他要開啟服務的port依照格式寫在這裡
 
#—-vpn—-
-A INPUT -i ppp0 -p tcp –dport 1723 -j ACCEPT
-A INPUT -i ppp0 -p gre -j ACCEPT
-A FORWARD -i ppp+ -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o ppp+ -j ACCEPT
#—-vpn—-
 
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -j REJECT –reject-with icmp-host-prohibited
COMMIT
 
—————————————————-
 
重啟防火牆(Fedora 14以上使用)
systemctl restart iptables.service
systemctl restart ip6tables.service
 
重啟防火牆(Fedora 14含以下使用)
/etc/init.d/iptables restart

 

 
========================================================
 
啟動PPTPD等服務
 
 
啟動PPTPD服務
/etc/init.d/pptpd start
重啟PPTPD服務
/etc/init.d/pptpd restart
斷除所有VPN連線
/etc/init.d/pptpd restart-kill
 
 
查看相關的Log
tail -n 30 /var/log/messages
 
查看連線情況
netstat -an | grep :1723 | sort
 
========================================================