雨田博客

2024
雨田博客
首页 » 技术文档 » CENTOS 下搭建L2TP VPN

CENTOS 下搭建L2TP VPN

CENTOS 下搭建L2TP VPN 

因为路由器用 OPENWRT,用PPTP无法穿过路由,所以改L2TP了。

一键脚本如下

#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#===================================================================
#   SYSTEM REQUIRED:  CentOS 6 (32bit/64bit)
#   DESCRIPTION:  Auto install L2TP for CentOS 6
#   Author: Teddysun <[email protected]>
#===================================================================

if [[ $EUID -ne 0 ]]; then
    echo "Error:This script must be run as root!"
    exit 1
fi

if [[ ! -e /dev/net/tun ]]; then
    echo "TUN/TAP is not available!"
    exit 1
fi

clear
echo ""
echo "#############################################################"
echo "# Auto install L2TP for CentOS 6                            #"
echo "# System Required: CentOS 6(32bit/64bit)                    #"
echo "# Intro: http://teddysun.com/135.html                       #"
echo "# Author: Teddysun <[email protected]>                         #"
echo "#############################################################"
echo ""

tmpip=`ip addr | egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | egrep -v "^192\.168|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-2]\.|^10\.|^127\.|^255\." | head -n 1`
if [[ "$tmpip" = "" ]]; then
    tmpip=`curl -s -4 icanhazip.com`
fi

echo "Please input IP-Range:"
read -p "(Default Range: 10.1.2):" iprange
if [ "$iprange" = "" ]; then
    iprange="10.1.2"
fi

echo "Please input PSK:"
read -p "(Default PSK: vpn):" mypsk
if [ "$mypsk" = "" ]; then
    mypsk="vpn"
fi

clear
get_char(){
SAVEDSTTY=`stty -g`
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2> /dev/null
stty -raw
stty echo
stty $SAVEDSTTY
}
echo ""
echo "ServerIP:"
echo "$tmpip"
echo ""
echo "Server Local IP:"
echo "$iprange.1"
echo ""
echo "Client Remote IP Range:"
echo "$iprange.2-$iprange.254"
echo ""
echo "PSK:"
echo "$mypsk"
echo ""
echo "Press any key to start...or Press Ctrl+c to cancel"
char=`get_char`
clear

mknod /dev/random c 1 9
# Install some necessary tools
yum install -y ppp iptables make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced
#
cur_dir=`pwd`
mkdir -p $cur_dir/l2tp
cd $cur_dir/l2tp
# Download openswan-2.6.38.tar.gz
if [ -s openswan-2.6.38.tar.gz ]; then
  echo "openswan-2.6.38.tar.gz [found]"
else
  echo "openswan-2.6.38.tar.gz not found!!!download now......"
  if ! wget http://lamp.teddysun.com/files/openswan-2.6.38.tar.gz;then
    echo "Failed to download openswan-2.6.38.tar.gz, please download it to $cur_dir directory manually and retry."
    exit 1
  fi
fi
# Download rp-l2tp-0.4.tar.gz
if [ -s rp-l2tp-0.4.tar.gz ]; then
  echo "rp-l2tp-0.4.tar.gz [found]"
else
  echo "rp-l2tp-0.4.tar.gz not found!!!download now......"
  if ! wget http://lamp.teddysun.com/files/rp-l2tp-0.4.tar.gz;then
    echo "Failed to download rp-l2tp-0.4.tar.gz, please download it to $cur_dir directory manually and retry."
    exit 1
  fi
fi
# Download xl2tpd-1.2.4.tar.gz
if [ -s xl2tpd-1.2.4.tar.gz ]; then
  echo "xl2tpd-1.2.4.tar.gz [found]"
else
  echo "xl2tpd-1.2.4.tar.gz not found!!!download now......"
  if ! wget http://lamp.teddysun.com/files/xl2tpd-1.2.4.tar.gz;then
    echo "Failed to download xl2tpd-1.2.4.tar.gz, please download it to $cur_dir directory manually and retry."
    exit 1
  fi
fi

# untar all files
rm -rf $cur_dir/l2tp/untar
mkdir -p $cur_dir/l2tp/untar
echo "======untar all files,please wait a moment====="
tar -zxf openswan-2.6.38.tar.gz -C $cur_dir/l2tp/untar
tar -zxf rp-l2tp-0.4.tar.gz -C $cur_dir/l2tp/untar
tar -zxf xl2tpd-1.2.4.tar.gz -C $cur_dir/l2tp/untar
echo "=====untar all files completed!====="
# Install openswan-2.6.38
cd $cur_dir/l2tp/untar/openswan-2.6.38
make programs install

# Configuation ipsec
rm -rf /etc/ipsec.conf
touch /etc/ipsec.conf
cat >>/etc/ipsec.conf<<EOF
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$tmpip
    leftid=$tmpip
    leftprotoport=17/1701
    right=%any
    rightid=%any
    rightprotoport=17/%any
EOF
cat >>/etc/ipsec.secrets<<EOF
$tmpip %any: PSK "$mypsk"
EOF
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sed -i 's/net.ipv4.conf.default.rp_filter = 1/net.ipv4.conf.default.rp_filter = 0/g' /etc/sysctl.conf
sysctl -p
iptables --table nat --append POSTROUTING --jump MASQUERADE
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done

# Install rp-l2tp-0.4
cd $cur_dir/l2tp/untar/rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/
mkdir -p /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
# Install xl2tpd-1.2.4.tar.gz
cd $cur_dir/l2tp/untar/xl2tpd-1.2.4
make install
mkdir -p /etc/xl2tpd
rm -rf /etc/xl2tpd/xl2tpd.conf
touch /etc/xl2tpd/xl2tpd.conf
cat >>/etc/xl2tpd/xl2tpd.conf<<EOF
[global]
ipsec saref = yes
[lns default]
ip range = $iprange.2-$iprange.254
local ip = $iprange.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
rm -rf /etc/ppp/options.xl2tpd
touch /etc/ppp/options.xl2tpd
cat >>/etc/ppp/options.xl2tpd<<EOF
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
EOF

# Set default user & password
pass=`openssl rand 6 -base64`
if [ "$1" != "" ]; then
    pass=$1
fi
echo "vpn l2tpd ${pass} *" >> /etc/ppp/chap-secrets

touch /usr/bin/l2tpset
echo "#/bin/bash" >>/usr/bin/l2tpset
echo "for each in /proc/sys/net/ipv4/conf/*" >>/usr/bin/l2tpset
echo "do" >>/usr/bin/l2tpset
echo "echo 0 > \$each/accept_redirects" >>/usr/bin/l2tpset
echo "echo 0 > \$each/send_redirects" >>/usr/bin/l2tpset
echo "done" >>/usr/bin/l2tpset
chmod +x /usr/bin/l2tpset
iptables --table nat --append POSTROUTING --jump MASQUERADE
l2tpset
xl2tpd
cat >>/etc/rc.local<<EOF
iptables --table nat --append POSTROUTING --jump MASQUERADE
/etc/init.d/ipsec restart
/usr/bin/l2tpset
/usr/local/sbin/xl2tpd
EOF
clear
ipsec verify
printf "
#############################################################
# Auto install L2TP for CentOS 6                            #
# System Required: CentOS 6(32bit/64bit)                    #
# Intro: http://teddysun.com/135.html                       #
# Author: Teddysun <[email protected]>                         #
#############################################################
if there are no [FAILED] above, then you can connect to your 
L2TP VPN Server with the default user/password below:

ServerIP:$tmpip
username:vpn
password:${pass}
PSK:$mypsk
"
exit 0

使用L2TP需要设置密钥,出现789错误导入注册表。

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters]
"ProhibitIPSec"=dword:00000001

 

文章如无特别注明均为原创! 作者: cache, 转载或复制请以 超链接形式 并注明出处 雨田博客
原文地址《 CENTOS 下搭建L2TP VPN》发布于2015年8月16日

分享到:
打赏

评论

游客

看不清楚?点图切换