Vpn-based pptp server for remote access
We have introduced how to remotely access the company's intranet through openvpn. However, the openvpn server is difficult to configure and client software needs to be installed. pptp is easy to configure and the client can directly create a vpn connection, it is much easier to use.
Let's introduce it as follows:
Company Public ip Address: 222.12.45.11 (hypothesis)
Pptp server: 192.168.3.16
Before deploying pptp, you need to know:
1. dkms: it can maintain drivers outside the kernel and dynamically load and uninstall required modules.
2. kernel_ppp_mppe: the pptp and mppe technologies provide vpn servers for encapsulating and encrypting confidential data. Mppe encrypts ppp frames using the secret key generated during the authentication process of ms-chap and ms-chap v2
3. ppp: pptp uses this Protocol to encapsulate user data, then encapsulates ppp data frames into ip data packets, and transmits them through the ip network.
4. pptpd: Server Software
5.ppt p Protocol No.: 47
6.ppt p port: 1723
7. tup/tap: Tunnel package Encapsulation
Deployment:
1. Check whether the server supports the ppp protocol.
[yanggd@vpn ~]$ modprobe ppp-compress-18 && echo ok ok
OK indicates support
2. Check whether ppp supports mppe.
[yanggd@vpn ~]$ strings '/usr/sbin/pppd'|grep -i mppe|wc --lines42
0 indicates not supported. 30 or a greater number indicates supported.
3. Check whether the server supports tup/tap
[Root @ MyServer ~] # Cat/dev/net/tuncat:/dev/net/tun: File descriptor in bad state # The returned result indicates that TUN/TAPcat has been correctly installed and configured: /dev/net/tun: No such device # returns this result, indicating that TUN/TAP is not correctly assembled. please assemble it yourself.
4. download and install the yum Source
[root@vpn yanggd]# rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm [root@vpn yanggd]# yum install pptp dkms ppp
Configure pptp
1. Set the Client ip Address
[Root @ vpn yanggd] # vim/etc/pptpd. confoption/etc/ppp/options.ppt pddebuglogwtmplocalip 192.168.3.2 # pptp server-side virtual ipremoteip 192.168.3.3-225 # pptp client address pool
2. Modify the pptp encryption protocol and client dns
[Root @ vpn yanggd] # vim/etc/ppp/options.ppt pd name pptpd # service name, if the modification needs to be consistent with other configurations refuse-paprefuse-chaprefuse-mschaprequire-mschap-v2 # Use mschap-v2 encryption require-mppe-128 # Use mppe encryption ms-dns 8.8.8.8 # Add master dnsms-dns 8.8.4.4 # Add backup dnsproxyarplocknobsdcomp for the client
3.ppt p User Password allocation and access restrictions
[Root @ vpn yanggd] # vim/etc/ppp/chap-secrets # Secrets for authentication using CHAP # clientserversecretIP addressestest * test_123 192.168.3.44test1 * test_456 * # user name-defined logon ip address and password Client Connection ip address allocated successfully
5. Enable the server's system routing mode and support packet forwarding
[root@vpn yanggd]# vim /etc/sysctl.conf net.ipv4.ip_forward = 1 [root@vpn yanggd]# sysctl -p
6. Set firewall policies
/Sbin/iptables-a input-I eth0-p gre-m comment -- comment "pptp -- gre"-j ACCEPT # Allow pptp Protocol no. 47: gre, note that port 47/sbin/iptables-a input-I eth0-p tcp-m multiport -- dport 1723-m comment -- comment "pptp -- gre"-j ACCEPT # enable pptp port 1723/sbin/iptables-a forward-p tcp -- syn-I ppp +-j TCPMSS -- set-mss 1356 # If pptp is successfully connected, it cannot access the Internet normally or some webpages on the Internet. yes, message Problems
7. Perform port ing on the Intranet gateway to map port 1723 of the Intranet pptp to the public ip address, so that we can establish a vpn through remote connection to pptp.
Some Intranet users need snat to access the Internet:
/Sbin/iptables-t nat-a postrouting-s 192.168.3.0/24-p tcp -- dport 1723-j SNAT -- to-source 222.12.45.11
Client Configuration:
1. Create a connection
2. Select the encryption protocol
After normal connection, we can see that the pptp server has established a connection and generated a virtual ip address.
[root@vpn yanggd]# ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 00:50:56:87:3b:96 brd ff:ff:ff:ff:ff:ff inet 192.168.3.16/24 brd 10.10.255.255 scope global eth0 inet6 fe80::250:56ff:fe87:3b96/64 scope link valid_lft forever preferred_lft forever36: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1396 qdisc pfifo_fast state UNKNOWN qlen 3 link/ppp inet 192.168.3.2 peer 192.168.3.2/32 scope global ppp0
Of course, the client will also generate a virtual ip address, which won't be mapped here.
OK. Now vpn is ready. We can easily access the company's intranet for office work at home.