Build an enterprise-level PPTP server

Source: Internet
Author: User


This article is included in the Enterprise Project Practice Series

I. Introduction to VPN

1. Introduction

A Virtual Private Network (VPN) is a common way of connecting the private networks of a large enterprise or group. Messages in a virtual private network are carried over a public network infrastructure (for example, the Internet). Encrypted tunneling protocols are used to give the private traffic confidentiality, sender authentication and message integrity, so that reliable and secure messages can be sent over an insecure network such as the Internet. Note that the messages may or may not be encrypted: traffic in a VPN without encryption is still at risk of being intercepted.

The essence of a VPN is a data communication tunnel encapsulated over a public network using encryption technology.

As an everyday analogy, a virtual private network works like this: A, in one department of Company A, wants to send a letter to B, in a department of Company B. A knows B's address and department, but the department name cannot be written on a letter passing between the two companies. So A asks his secretary to put the letter addressed to B's department (A may choose whether to write it in a cipher agreed with B) inside a large envelope addressed to Company B. When Company B's secretary receives the envelope from Company A, the secretary forwards the inner letter to the named department through internal mail. B replies to A in the same way.

In this example, A and B are computers (or similar machines) on different companies' internal networks that exchange messages through the ordinary postal service (the public network); the secretary on each side (for example, a router or firewall that supports the virtual private network) delivers the inner letter on the company's internal network. Note that, depending on the network architecture, the secretary and the recipient can be the same party: many operating systems, including Windows and Linux, can connect to a VPN themselves without any additional network device.

2. VPN Classification

VPN can be classified according to different criteria:

(1) Classification by VPN protocol:

There are three main VPN tunneling protocols: PPTP, L2TP and IPSec. PPTP and L2TP work at layer 2 of the OSI model and are therefore called layer-2 tunneling protocols; IPSec is a layer-3 tunneling protocol.

(2) Classification by VPN application:

① Access VPN (remote-access VPN): uses the public network as the backbone to carry VPN traffic from a client to a gateway;

② Intranet VPN: gateway-to-gateway, connecting resources of the same company across the company's network infrastructure;

③ Extranet VPN: a link to a partner's enterprise network, connecting one company to resources of another company.

(3) Classification by device type:

Network equipment vendors build different VPN devices for different customer needs, mainly switches, routers and firewalls:

① Router VPN: easy to deploy; the VPN service only needs to be added to the router;

② Switch VPN: mainly used for VPN networks with few users;

(4) Classification by implementation principle:

① Overlay VPN: the VPN link must be established between the end nodes; this covers GRE, L2TP, IPSec and many other technologies.

② Peer-to-peer VPN: the network operator establishes the VPN channel on the backbone network, as with MPLS VPN.

3. VPN implementation methods

There are many ways to implement a VPN; the following four are common:

(1) VPN server: in a large LAN, a VPN server can be built in the network center.

(2) Software VPN: a VPN implemented with dedicated software.

(3) Hardware VPN: a VPN implemented with dedicated hardware.

(4) Integrated VPN: many hardware devices, such as routers and firewalls, have VPN functions built in. However, hardware devices with VPN functions are generally more expensive than those without.

II. Experiment: set up pptpd

1. Check whether the system supports ppp

[root@centos6 ~]# cat /dev/ppp

cat: /dev/ppp: No such device or address

If this message is displayed, ppp is available and the pptpd service can be set up normally (cat cannot read from a ppp unit that nothing has attached, which is why it reports "No such device or address"). If another message such as "Permission denied" appears, check the VPS control panel for a switch that enables ppp.

2. Enable IP forwarding in the kernel so the server can route traffic for VPN clients.

[root@centos6 ~]# vim /etc/sysctl.conf

net.ipv4.ip_forward = 1

[root@centos6 ~]# sysctl -p   # apply the change

3. Install pptpd

[root@centos6 ~]# yum -y install pptpd

The pptpd package depends on the EPEL repository.

4. Configure pptpd

(1) Configure the main configuration file

[root@centos6 ~]# cp /etc/pptpd.conf{,.bak}   # back up before editing

[root@centos6 ~]# vim /etc/pptpd.conf

option /etc/ppp/options.pptpd
logwtmp
localip 39.106.xxx.xxx   # the server's public IP
remoteip 192.168.1.100-110   # addresses allocated to VPN clients, usually an intranet segment

(2) Configure the account file

[root@along ~]# vim /etc/ppp/chap-secrets

The fields are: client (client login account), server (service name), secret (password), IP addresses (allowed client IP range):

along   pptpd   123456   *   # * allows any client IP address

(3) Start the service

[root@along ~]# systemctl start pptpd

Check whether the service is running:

[root@along ~]# ps -ef | grep pptpd

[root@along ~]# ss -nutlp | grep pptpd   # pptpd listens on port 1723

5. Set the SNAT rule so that client traffic leaving the server is masqueraded with the server's address

[root@along ~]# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
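The following shell script is an added example and is not part of the original article: it generates the files that steps 1 to 5 above edit by hand (sysctl.conf, pptpd.conf, chap-secrets) under a staging prefix directory so they can be reviewed before being copied into /etc, interprets the cat /dev/ppp check, and prints the SNAT rule with the option spelling iptables actually accepts (-A POSTROUTING). The function names, the staging prefix and the server address 203.0.113.10 in the usage note are assumptions; the account along/123456 and the 192.168.1.100-110 pool are the article's own values. Two points the article leaves implicit are built in: chap-secrets holds passwords in clear text, so the script sets it to mode 600, and a host firewall must admit both TCP 1723 and GRE (IP protocol 47) for clients to connect. Keep in mind that PPTP's MS-CHAPv2 authentication and MPPE encryption are widely regarded as weak; the script only keeps the article's configuration tidy and its credential file private.

```shell
#!/bin/sh
# Added example, not part of the original article. Generates the files the
# article edits by hand under a staging prefix (e.g. /tmp/pptp-stage) so they
# can be reviewed before being copied into /etc as root. The function names,
# the prefix and the server address 203.0.113.10 used in the usage note are
# assumptions; "along"/"123456" and 192.168.1.100-110 are the article's values.

# Step 1: interpret the output of `cat /dev/ppp` the way the article does.
# "No such device or address" (ENXIO) means the device exists and ppp is usable;
# "Permission denied" means the provider has not enabled ppp for this VPS.
ppp_status() {  # $1 = message printed by cat
    case "$1" in
        *"No such device or address"*) echo ok ;;
        *"Permission denied"*)          echo denied ;;
        *)                              echo missing ;;
    esac
}

# Step 2: kernel IPv4 forwarding, applied later with `sysctl -p`.
write_sysctl() {  # $1 = prefix
    mkdir -p "$1/etc"
    printf 'net.ipv4.ip_forward = 1\n' >> "$1/etc/sysctl.conf"
}

# Step 4(1): /etc/pptpd.conf with the server-side tunnel address and client pool.
write_pptpd_conf() {  # $1 = prefix, $2 = localip, $3 = remoteip range
    mkdir -p "$1/etc"
    cat > "$1/etc/pptpd.conf" <<EOF
option /etc/ppp/options.pptpd
logwtmp
localip $2
remoteip $3
EOF
}

# Conservative check of the generated file: localip a dotted quad, remoteip a
# dotted quad or a range a.b.c.d-e (pptpd also accepts comma-separated lists).
validate_pptpd_conf() {  # $1 = prefix
    grep -Eq '^localip [0-9]+(\.[0-9]+){3}$' "$1/etc/pptpd.conf" &&
    grep -Eq '^remoteip [0-9]+(\.[0-9]+){3}(-[0-9]+)?$' "$1/etc/pptpd.conf"
}

# Step 4(2): one line per account in chap-secrets: client, server, secret, IP.
# The secret is stored in clear text, so the file must be readable by root only.
add_chap_secret() {  # $1 = prefix, $2 = user, $3 = password, $4 = allowed IP ("*" = any)
    mkdir -p "$1/etc/ppp"
    printf '%s\tpptpd\t%s\t%s\n' "$2" "$3" "$4" >> "$1/etc/ppp/chap-secrets"
    chmod 600 "$1/etc/ppp/chap-secrets"
}

# Step 5: the SNAT rule, with the option spelling iptables actually accepts.
snat_rule() {  # $1 = client subnet
    echo "iptables -t nat -A POSTROUTING -s $1 -j MASQUERADE"
}

# Stage everything and print the SNAT rule for the pool's /24 (the article's
# pool sits in one /24; adjust the mask if yours does not).
stage_all() {  # $1 = prefix, $2 = localip, $3 = remoteip range, $4 = user, $5 = password
    write_sysctl "$1"
    write_pptpd_conf "$1" "$2" "$3"
    add_chap_secret "$1" "$4" "$5" '*'
    validate_pptpd_conf "$1" || { echo "pptpd.conf failed validation" >&2; return 1; }
    snat_rule "$(printf '%s' "$3" | cut -d- -f1 | cut -d. -f1-3).0/24"
}
```

Source the file and call `stage_all /tmp/pptp-stage 203.0.113.10 192.168.1.100-110 along 123456`; the printed rule, together with firewall rules admitting TCP 1723 and GRE, is what the server needs once the staged files are copied under /etc and `sysctl -p` has been run.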

6. Connect a client to the VPN

① Choose "Connect to a workplace"

② Choose VPN

③ Enter the server's IP address

④ Enter the user name and password

⑤ The connection succeeds

8. Check the log to see whether a client connection exists

[root@along ~]# tail -200 /var/log/messages   # shows that a client connection does exist
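As an added example that is not from the article, the shell functions below run the kind of check step 8 describes over a few constructed syslog lines written in the style of pptpd and pppd messages: they list the public addresses that opened control connections, the accounts that passed or failed CHAP, the tunnel addresses handed out from the remoteip pool, and, because the article warns that an unencrypted VPN is still exposed, any pppd session that received an address without MPPE being enabled. The sample lines, hostname, PIDs and addresses are constructed; on a real server feed the functions /var/log/messages instead.

```shell
#!/bin/sh
# Added example, not from the original article. The log lines are constructed
# in the style of pptpd/pppd syslog messages; hostname, PIDs and addresses are made up.
SAMPLE_LOG='Jul  1 10:00:01 along pptpd[2001]: CTRL: Client 203.0.113.5 control connection started
Jul  1 10:00:01 along pptpd[2001]: CTRL: Starting call (launching pppd, opening GRE)
Jul  1 10:00:02 along pppd[2002]: CHAP peer authentication succeeded for along
Jul  1 10:00:02 along pppd[2002]: MPPE 128-bit stateless compression enabled
Jul  1 10:00:02 along pppd[2002]: local  IP address 203.0.113.10
Jul  1 10:00:02 along pppd[2002]: remote IP address 192.168.1.100
Jul  1 10:05:17 along pptpd[2010]: CTRL: Client 198.51.100.77 control connection started
Jul  1 10:05:18 along pppd[2011]: Peer bob failed CHAP authentication
Jul  1 10:05:18 along pptpd[2010]: CTRL: Client 198.51.100.77 control connection finished
Jul  1 10:07:00 along pptpd[2019]: CTRL: Client 203.0.113.9 control connection started
Jul  1 10:07:01 along pppd[2020]: CHAP peer authentication succeeded for along
Jul  1 10:07:01 along pppd[2020]: remote IP address 192.168.1.101'

# Every function reads log text on stdin, e.g. `list_clients < /var/log/messages`.

# Public addresses that opened a PPTP control connection (one per line).
# The address is the fourth field from the end, so the timestamp format does not matter.
list_clients() {
    awk '/pptpd\[[0-9]+\]: CTRL: Client .* control connection started/ { print $(NF-3) }'
}

# Number of control connections started.
count_connections() {
    list_clients | wc -l | tr -d ' '
}

# Accounts that passed CHAP.
successful_auths() {
    sed -n 's/.*CHAP peer authentication succeeded for //p'
}

# Accounts that failed CHAP (repeated failures for one account are worth alerting on).
failed_auths() {
    sed -n 's/.*: Peer \(.*\) failed CHAP authentication$/\1/p'
}

# Tunnel addresses handed to clients from the remoteip pool.
assigned_ips() {
    sed -n 's/.*pppd\[[0-9]*\]: remote IP address //p'
}

# pppd sessions that received an address without MPPE ever being enabled:
# traffic in those tunnels crosses the public network unencrypted.
# Prints "<pppd pid> <tunnel address>" per offending session.
unencrypted_sessions() {
    awk '
        match($0, /pppd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
        /pppd\[[0-9]+\]: MPPE .* enabled/ { mppe[pid] = 1 }
        /pppd\[[0-9]+\]: remote IP address/ { ip[pid] = $NF }
        END { for (p in ip) if (!(p in mppe)) print p, ip[p] }
    ' | sort
}

# Short report over a log file.
report() {  # $1 = log file
    echo "control connections: $(count_connections < "$1")"
    echo "clients:";              list_clients         < "$1"
    echo "failed CHAP:";          failed_auths         < "$1"
    echo "assigned addresses:";   assigned_ips         < "$1"
    echo "sessions without MPPE:"; unencrypted_sessions < "$1"
}
```

To try it on the constructed sample, write it to a file and run the report: `printf '%s\n' "$SAMPLE_LOG" > /tmp/sample.log; report /tmp/sample.log`. On the sample, session 2020 is reported under "sessions without MPPE" because it obtained 192.168.1.101 without an MPPE line.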

9. Configuration after connection

The client must be disconnected first; after changing the settings, connect again.

10. IP address after the test connection
