centos6.4搭建VPN服务器

admin

根据这个教程来的,尤其是有一键安装包,非常方便
http://blog.csdn.net/ownfire/article/details/8051349

1.安装wget
yum install wget

2.下载一键安装脚本,默认下载到当前目录
wget http://www.hi-vps.com/shell/vpn_centos6.sh

3.赋予执行权限
chmod 777 vpn_centos6.sh

4.执行脚本
./vpn_centos6.sh

5.有3个提示,按需要选择

6.防火墙设置,这个等于是完全放开,很不安全,有需要的按需设置就行了(nat表不要操作)
iptables -t filter -I OUTPUT 1 -j ACCEPT
iptables -t filter -I INPUT 1 -j ACCEPT
在防火墙配置的文件里里面有具体的防火墙配置列表

7.连接VPN
请看2008R2的那个VPN教程

8.问题
访问https失败 原因是MTU不一样
在centos上执行netstat -i 发现VPN默认的MTU是1396
在win7上执行netsh interface ipv4 show subinterfaces发现MTU是1400

解决方法
连接以后更改改客户端的MTU,更改 WIN7的MTU就行了
改服务器只适合于当前的会话,重新 连接的人还是1396
ifconfig ppp0 mtu 1400




centos服务端永久修改新建的连接的MTU的方法见这个帖子的板凳那一层
http://www.ryzl.com.cn/forum.php?mod=viewthread&tid=335

admin

下面这几条是搭建了VPN以后的防火墙设置
nat表只需要这一条就够了,其他的都不需要
而且前面不能有任何语句
iptables -t nat -A POSTROUTING -s 172.16.36.0/24 -j SNAT --to-source `ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk 'NR==1 { print $1}'`
       



filter表需要开启这个协议和这些端口
GRE协议  53 67 68 137 443 1723

iptables -t filter -I INPUT 1 -p tcp --sport 138 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --sport 138 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --sport 47 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --sport 47 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --sport 53 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --sport 53 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --sport 67 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --sport 67 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --sport 68 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --sport 68 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --sport 137 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --sport 137 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --sport 1723 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --sport 1723 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --sport 443 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --sport 443 -j ACCEPT


iptables -t filter -I INPUT 1 -p tcp --dport 138 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --dport 138 -j ACCEPT

iptables -t filter -I INPUT 1 -p tcp --dport 47 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --dport 47 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --dport 53 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --dport 53 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --dport 67 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --dport 67 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --dport 68 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --dport 68 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --dport 137 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --dport 137 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --dport 1723 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --dport 1723 -j ACCEPT
iptables -t filter -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -t filter -I INPUT 1 -p udp --dport 443 -j ACCEPT
iptables -t filter -I INPUT 1 -p gre -j ACCEPT

iptables -t filter -I FORWARD 1 -j ACCEPT
iptables -t filter -I OUTPUT 1 -j ACCEPT

admin

WIN7修改MTU看这里
http://www.ryzl.com.cn/forum.php ... ;tid=254&extra=

admin

VPN限速看这里 我没试验过 不知道是否可用
http://www.zhukun.net/archives/7406
http://blog.csdn.net/wangpengqi/article/details/17218361

admin

极壹S自动连接VPN

admin

#!/bin/bash

function installVPN(){
        echo "begin to install VPN services";
        #check wether vps suppot ppp and tun
       
        yum remove -y pptpd ppp
        iptables --flush POSTROUTING --table nat
        iptables --flush FORWARD
        rm -rf /etc/pptpd.conf
        rm -rf /etc/ppp
       
        arch=`uname -m`
       
        wget http://www.hi-vps.com/downloads/dkms-2.0.17.5-1.noarch.rpm
        wget http://wty.name/linux/sources/ke ... .2-3dkms.noarch.rpm
        wget http://www.hi-vps.com/downloads/ ... .2-3dkms.noarch.rpm
        wget http://www.hi-vps.com/downloads/pptpd-1.3.4-2.el6.$arch.rpm
        wget http://www.hi-vps.com/downloads/ppp-2.4.5-17.0.rhel6.$arch.rpm


        yum -y install make libpcap iptables gcc-c++ logrotate tar cpio perl pam tcp_wrappers
        rpm -ivh dkms-2.0.17.5-1.noarch.rpm
        rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
        rpm -qa kernel_ppp_mppe
        rpm -Uvh ppp-2.4.5-17.0.rhel6.$arch.rpm       
        rpm -ivh pptpd-1.3.4-2.el6.$arch.rpm

        mknod /dev/ppp c 108 0
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "mknod /dev/ppp c 108 0" >> /etc/rc.local
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local
        echo "localip 172.16.36.1" >> /etc/pptpd.conf
        echo "remoteip 172.16.36.2-254" >> /etc/pptpd.conf
        echo "ms-dns 8.8.8.8" >> /etc/ppp/options.pptpd
        echo "ms-dns 8.8.4.4" >> /etc/ppp/options.pptpd

        pass=`openssl rand 6 -base64`
        if [ "$1" != "" ]
        then pass=$1
        fi

        echo "vpn pptpd ${pass} *" >> /etc/ppp/chap-secrets

        iptables -t nat -A POSTROUTING -s 172.16.36.0/24 -j SNAT --to-source `ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk 'NR==1 { print $1}'`
        iptables -A FORWARD -p tcp --syn -s 172.16.36.0/24 -j TCPMSS --set-mss 1356
        service iptables save

        chkconfig iptables on
        chkconfig pptpd on

        service iptables start
        service pptpd start

        echo "VPN service is installed, your VPN username is vpn, VPN password is ${pass}"
       
}

function repaireVPN(){
        echo "begin to repaire VPN";
        mknod /dev/ppp c 108 0
        service iptables restart
        service pptpd start
}

function addVPNuser(){
        echo "input user name:"
        read username
        echo "input password:"
        read userpassword
        echo "${username} pptpd ${userpassword} *" >> /etc/ppp/chap-secrets
        service iptables restart
        service pptpd start
}

echo "which do you want to?input the number."
echo "1. install VPN service"
echo "2. repaire VPN service"
echo "3. add VPN user"
read num

case "$num" in
[1] ) (installVPN);;
[2] ) (repaireVPN);;
[3] ) (addVPNuser);;
*) echo "nothing,exit";;
esac



这个是一楼那个shell文件的内容

admin

从服务器主动断开某一个连接  一般不看这个
http://bbs.chinaunix.net/thread-1057695-1-1.html

脚本如下
[root@vpn html]# more kick_user


#!/bin/sh
######################################################################
#
# Determine the device to be terminated.
#
if [ "$1" = "" ]; then
        echo "ERROR: Please assign VPN interface"
        exit 1
else
        DEVICE=$1
fi

######################################################################
#
# If the ppp0 pid file is present then the program is running. Stop it.
if [ -r /var/run/$DEVICE.pid ]; then
        kill -INT `cat /var/run/$DEVICE.pid`
#
# If the kill did not work then there is no process running for this
# pid. It may also mean that the lock file will be left. You may wish
# to delete the lock file at the same time.
        if [ ! "$?" = "0" ]; then
                rm -f /var/run/$DEVICE.pid
                echo "ERROR: Removed stale pid file"
                exit 1
        fi
#
# Success. Let pppd clean up its own junk.
        echo "VPN link to $DEVICE terminated."
        exit 0
fi
#
# The ppp process is not running for ppp0
echo "ERROR: VPN link is not active on $DEVICE"
exit 1


然后运行kick_user ppp0 就是断开PPP0这个连接

admin

服务器主动检测VPN连接

while(true)
do

result=`ping 172.16.36.2 -c 3 | grep ttl`

if [ -z "$result" ]
then
echo VPN不存在,开始断开所有连接

/home/testvpn/kickuser.sh ppp0
/home/testvpn/kickuser.sh ppp1
/home/testvpn/kickuser.sh ppp2
/home/testvpn/kickuser.sh ppp3
/home/testvpn/kickuser.sh ppp4
/home/testvpn/kickuser.sh ppp5
/home/testvpn/kickuser.sh ppp6
/home/testvpn/kickuser.sh ppp7
/home/testvpn/kickuser.sh ppp8
/home/testvpn/kickuser.sh ppp9
/home/testvpn/kickuser.sh ppp10
else
echo 连接正常
fi


sleep 1

done


这个脚本是在服务器端使用的,用来检测的
脚本的断开那里懒得一个一个的写检测了,直接暴力断可能的连接由于我只有1个用户拨号,10个绝对是包括了所有可能了,如果你那里有多个用户连接,请自行决定大小,或者自己写判断语句


因为我遇到一个问题,用户设置了静态IP ADSL重新换了IP 虽然拨上去了,但是ping不通,我需要从服务器主动断开连接,然后让客户端重新连接

admin

客户端的连接和断开看这里
http://www.ryzl.com.cn/forum.php ... 5&highlight=vpn