Setting up L2TP/IPsec on CentOS 7


Background:

The company needs access to its internal network, so a VPN was deployed.

Procedure:

1. Install the required packages --- this deployment uses a Tencent Cloud machine running CentOS 7.3

CentOS 7 uses libreswan in place of the older openswan.

yum install -y make gcc gmp-devel xmlto bison flex libpcap-devel lsof vim-enhanced man
yum install xl2tpd
yum install libreswan

2. Edit the IPsec configuration file

[root@yyf ~]# vim /etc/ipsec.conf   (only one line needs adding: nat_traversal=yes)
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
nat_traversal=yes     ### add this line to the config file so that L2TP connections can be established through NAT
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

3. Create the configuration file that ties IPsec to the L2TP service

# this file does not exist by default, so it has to be created by hand
[root@yyf ~]# vim /etc/ipsec.d/l2tp_psk.conf

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=10.40.1.91   ### 10.40.1.91 is the server's own NIC IP address
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

4. A pre-shared key must be entered when establishing the L2TP connection; it is configured in the file below.

[root@yyf ~]# vim /etc/ipsec.d/ipsec.secrets

#include /etc/ipsec.d/*.secrets
10.40.1.91 %any: PSK "123456789"
# 111.81.11.5 is the public NIC address; PSK is the pre-shared key

5. Adjust the kernel parameters; compare against the settings below, then run sysctl -p to apply them.

[root@yyf ~]# cat /etc/sysctl.conf 

vm.swappiness = 0
net.ipv4.ip_forward = 1
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0

[root@yyf ~]# sysctl -p

6. Verify the IPsec service configuration

# restart ipsec
systemctl restart ipsec
# verify the ipsec service configuration
ipsec verify
[root@yyf ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 3.25 (netkey) on 3.10.0-1160.88.1.el7.x86_64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Two or more interfaces found, checking IP forwarding	[OK]
Checking rp_filter                                	[ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter           	[ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto ipsec.secret syntax                        	[OK]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS	[OK]
Checking for obsolete ipsec.conf options          	[OBSOLETE KEYWORD]
 Warning: ignored obsolete keyword 'nat_traversal'

ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help
// Handling the errors: when the [ENABLED] warnings above appear they can be ignored and you can continue; all [OK] is of course better. The [OBSOLETE KEYWORD] line shows that this Libreswan version (3.25) ignores the nat_traversal keyword added in step 2 rather than acting on it.

7. Start the service

# start ipsec
systemctl start ipsec
# enable it at boot
systemctl enable ipsec

8. Edit the L2TP configuration file

[root@yyf ~]# vim /etc/xl2tpd/xl2tpd.conf
[global]
 listen-addr = 10.40.1.91    ### this host's public NIC IP
 ipsec saref = yes      ### uncomment this line
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

9. Edit the xl2tpd PPP options file

[root@yyf ~]# vim /etc/ppp/options.xl2tpd

require-mschap-v2   ### add this line
ipcp-accept-local
ipcp-accept-remote
# dns: use your own NIC's DNS server; 8.8.8.8 also works
ms-dns 172.26.2.21
#ms-dns  8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

10. Add the username and password (the VPN login credentials)

Create the users for xl2tpd connections; the username and password entered when establishing the L2TP connection are configured in this file:

vim /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
test      *  123 *
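Both credential files in this setup (the PSK in /etc/ipsec.d/ipsec.secrets from step 4 and the CHAP users in /etc/ppp/chap-secrets above) are plain text, so it is worth auditing their permissions and the length of the secrets every time they are edited. The script below is an added example, not part of the original post: the file paths are passed in as arguments, the 600/400 mode check and the minimum lengths (20 characters for the PSK, 12 for a CHAP password) are this example's own thresholds, and the two files it creates in the demo at the bottom are constructed copies of the page's examples, not the real ones.

```shell
#!/bin/sh
# Audit the two plain-text credential files used by this L2TP/IPsec setup.
# Added example; the thresholds below are this script's own assumptions.
# Usage: audit_secrets /etc/ipsec.d/ipsec.secrets /etc/ppp/chap-secrets
# Prints one line per finding and returns the number of findings (0 = clean).
audit_secrets() {
  ipsec_file=$1
  chap_file=$2
  problems=0

  # 1. Both files hold secrets, so only the owner should be able to read them.
  for f in "$ipsec_file" "$chap_file"; do
    if [ ! -f "$f" ]; then
      echo "missing: $f"
      problems=$((problems + 1))
      continue
    fi
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
    case "$mode" in
      600|400) ;;
      *) echo "loose permissions on $f: mode $mode (expected 600)"
         problems=$((problems + 1)) ;;
    esac
  done

  # 2. The PSK is all that protects the IKE exchange; assumed minimum: 20 characters.
  if [ -f "$ipsec_file" ]; then
    psk=$(sed -n 's/.*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$ipsec_file" | head -n 1)
    if [ -z "$psk" ]; then
      echo "no PSK line found in $ipsec_file"
      problems=$((problems + 1))
    elif [ "${#psk}" -lt 20 ]; then
      echo "PSK in $ipsec_file is only ${#psk} characters long"
      problems=$((problems + 1))
    fi
  fi

  # 3. chap-secrets lines are "client server secret IP"; assumed minimum password: 12 characters.
  if [ -f "$chap_file" ]; then
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in ''|\#*) continue ;; esac
      set -f                # the "*" fields must not be glob-expanded into file names
      set -- $line
      set +f
      if [ "$#" -ne 4 ]; then
        echo "malformed chap-secrets line: $line"
        problems=$((problems + 1))
        continue
      fi
      if [ "${#3}" -lt 12 ]; then
        echo "CHAP password for user '$1' is only ${#3} characters long"
        problems=$((problems + 1))
      fi
    done < "$chap_file"
  fi

  return "$problems"
}

# Demo on constructed copies of the page's two example files (not the real ones).
DEMO_DIR=$(mktemp -d)
printf '10.40.1.91 %%any: PSK "123456789"\n' > "$DEMO_DIR/ipsec.secrets"
printf 'test      *  123 *\n' > "$DEMO_DIR/chap-secrets"
chmod 644 "$DEMO_DIR/ipsec.secrets" "$DEMO_DIR/chap-secrets"
audit_secrets "$DEMO_DIR/ipsec.secrets" "$DEMO_DIR/chap-secrets" || echo "findings: $?"
```

Run against the real files as root after each edit; a clean run returns 0, and the demo on the page's own values reports four findings (two loose file modes, a 9-character PSK and a 3-character CHAP password).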

11. Install and configure iptables

The default firewall on CentOS 7 is not iptables but firewalld.

Check that firewalld is stopped, then flush the existing rules:

iptables -F
iptables -X
iptables -Z

- Address translation:

iptables -t nat -A POSTROUTING -s 10.40.1.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 10.40.1.0/24 -j ACCEPT
iptables -I FORWARD -d 10.40.1.0/24 -j ACCEPT

iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT

iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# This rule is the key one, because it is what forwards the clients' outbound traffic.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

service iptables save
/bin/systemctl restart iptables.service

12. Finish the service configuration and start the service

systemctl start xl2tpd

systemctl enable xl2tpd

After the client connects, if it needs to reach subnets behind the server, add the routes on the client yourself.

For example, on a Mac:

sudo route -n add 172.26.0.0/16 192.169.42.10

# 172.26.0.0/16 is the subnet you want to reach through the next hop

# 192.169.42.10 is the IP your VPN connection was given

Addendum: customising the client login log --- the details can be found in the man page

The idea: when a user logs in, pppd runs ip-up, which saves the first part of the login record to a separate per-user file; at logout pppd runs ip-down, which saves the rest of the record to that file and then appends the file to the combined log. The resulting log is shown under "Result" at the end.

Edit the script /etc/ppp/ip-up:

#!/bin/sh
# pppd runs this as: ip-up <interface> <tty> <speed> <local-IP> <remote-IP> <ipparam>
# $1 is the ppp device, so every session gets its own file /var/log/pptpd-<device>.log
LOG=/var/log/pptpd-${1}.log
echo "****************************************************" > "$LOG"
echo "username: $PEERNAME" >> "$LOG"
echo "clientIP: $6" >> "$LOG"      # $6 is pppd's ipparam, which is empty in this setup
echo "device: $1" >> "$LOG"
echo "vpnIP: $4" >> "$LOG"
echo "assignIP: $5" >> "$LOG"
echo "logintime: $(date -d today +%F_%T)" >> "$LOG"

/etc/ppp/ip-down:

#!/bin/sh
# pppd runs this at disconnect with the same arguments as ip-up;
# BYTES_SENT, BYTES_RCVD and CONNECT_TIME are exported by pppd.
LOG=/var/log/pptpd-${1}.log
echo "downtime: $(date -d today +%F_%T)" >> "$LOG"
echo "bytes sent: $BYTES_SENT" >> "$LOG"
echo "bytes received: $BYTES_RCVD" >> "$LOG"
echo "connect time: $CONNECT_TIME" >> "$LOG"
echo "****************************************************" >> "$LOG"
# append this session's record to the combined log
cat "$LOG" >> /var/log/pptpd.log

Result:

# cat /var/log/pptpd-ppp3.log 
****************************************************
username: tt
clientIP: 
device: ppp3
vpnIP: 192.169.1.99
assignIP: 192.169.1.131
logintime: 2024-04-01_11:00:55
downtime: 2024-04-01_11:02:05
bytes sent: 129369
bytes received: 181571
connect time: 70
****************************************************
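To turn the per-session records above into something you can actually review (who connected, for how long, how much traffic, and which sessions never logged a downtime), the script below parses exactly that format. It is an added example, not part of the original post: the log content it embeds is constructed, it assumes the "key: value" layout written by the ip-up/ip-down scripts above, and open_sessions takes the directory holding the per-device files as an argument (on the real server that would be /var/log).

```shell
#!/bin/sh
# Summarise the per-session records that the ip-up / ip-down hooks write.
# Added example; the sample log below is constructed in the page's format.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
****************************************************
username: tt
clientIP:
device: ppp3
vpnIP: 192.169.1.99
assignIP: 192.169.1.131
logintime: 2024-04-01_11:00:55
downtime: 2024-04-01_11:02:05
bytes sent: 129369
bytes received: 181571
connect time: 70
****************************************************
****************************************************
username: alice
clientIP:
device: ppp4
vpnIP: 192.169.1.99
assignIP: 192.169.1.132
logintime: 2024-04-01_12:10:00
downtime: 2024-04-01_12:40:30
bytes sent: 1000
bytes received: 2000
connect time: 1830
****************************************************
EOF

# One line per completed session:
#   user device assignedIP logintime downtime seconds bytes_sent bytes_received
# A record is only emitted once its "connect time:" line (written by ip-down) is seen.
session_table() {
  awk -F': ' '
    /^username:/       { u = $2 }
    /^device:/         { d = $2 }
    /^assignIP:/       { a = $2 }
    /^logintime:/      { li = $2 }
    /^downtime:/       { lo = $2 }
    /^bytes sent:/     { s = $2 }
    /^bytes received:/ { r = $2 }
    /^connect time:/   { print u, d, a, li, lo, $2, s, r }
  ' "$1"
}

# Total traffic (sent + received) per user, one "user bytes" line each, sorted by user.
bytes_per_user() {
  session_table "$1" | awk '{ t[$1] += $7 + $8 } END { for (u in t) print u, t[u] }' | sort
}

# Per-device files in a directory that have a login record but no downtime yet:
# sessions that are still up, or whose ip-down never ran. Prints "user device".
open_sessions() {
  for f in "$1"/pptpd-ppp*.log; do
    [ -f "$f" ] || continue
    grep -q '^downtime:' "$f" && continue
    printf '%s %s\n' "$(sed -n 's/^username: //p' "$f")" "$(sed -n 's/^device: //p' "$f")"
  done
}

session_table "$SAMPLE_LOG"
bytes_per_user "$SAMPLE_LOG"
```

On the server, point session_table and bytes_per_user at /var/log/pptpd.log and open_sessions at /var/log; the combined log only ever contains finished sessions because ip-down is what appends to it, which is why the open-session check has to look at the per-device files instead.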

Comments (1):

To set up an L2TP server on Ubuntu, you can follow these steps:

1. Install the required packages:

```
sudo apt update
sudo apt install strongswan xl2tpd
```

2. Configure IPsec:

- Edit the `/etc/ipsec.conf` file and add the following:

```
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn l2tp-ipsec
    left=%defaultroute
    auto=add
    compress=yes
    type=transport
    authby=secret
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    keyexchange=ikev1
    leftprotoport=17/1701
    rightprotoport=17/%any
```

- Create and edit the `/etc/ipsec.secrets` file, adding:

```
: PSK "your_pre_shared_key"
```

Replace `your_pre_shared_key` with your own pre-shared key.

3. Configure XL2TP:

- Edit the `/etc/xl2tpd/xl2tpd.conf` file and add the following:

```
[global]
access control = no

[lns default]
ip range = 10.10.10.2-10.10.10.255
local ip = 10.10.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```

- Create and edit the `/etc/ppp/options.xl2tpd` file, adding:

```
require-mschap-v2
ms-dns 8.8.8.8
asyncmap 0
auth
crtscts
lock
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
```

4. Restart the services:

```
sudo service strongswan restart
sudo service xl2tpd restart
```

Your Ubuntu server should now be configured as an L2TP server, and you can connect to it with an L2TP client.