A Virtual Private Network (VPN) is a technology for establishing a private network on top of a public network. It is called a virtual network because, unlike a traditional private network, the connection between any two nodes of the VPN does not need a dedicated end-to-end physical link; it is built on the network platform provided by the public network service provider.
Over the past two days we have been working on a VPN, and it has given us a headache. I found many articles on the Internet, and 90% of them are the same, but I could not get a working configuration out of any of them. In the end I asked someone else to solve the problem. The detailed configuration process is described below.
1. Install ppp and pptpd
[root@localhost ~]# yum install ppp
[root@localhost ~]# wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-2.rhel5.i386.rpm
[root@localhost ~]# rpm -ivh pptpd-1.3.4-2.rhel5.i386.rpm
Choose the pptpd package that matches your Linux distribution and architecture (32-bit or 64-bit). While searching for this on the Internet I also found an sh script that installs the VPN, which is very convenient, but it is meant for 64-bit CentOS machines.
2. Configure pptpd
1. Modify the configuration file options.pptpd
[root@localhost ~]# cat /etc/ppp/options.pptpd | awk '{if ($0 !~ /^$/ && $0 !~ /^#/) {print $0}}'
name ads
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
idle 2592000
ms-dns 8.8.8.8
ms-dns 8.8.4.4
(The awk filter only hides blank and comment lines, so what is listed above are the active options. The refuse-* and require-mschap-v2 / require-mppe-128 lines force MS-CHAPv2 authentication with 128-bit MPPE encryption and turn off the weaker PAP, CHAP and MS-CHAPv1 methods.)
2. Modify the configuration file chap-secrets
[root@localhost ppp]# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
vpn             ads     11111                   *
vpn: the logon user name.
ads: the custom server name; it must match the name set in options.pptpd.
11111: the password.
*: the IP address field; * is a wildcard, meaning the client may be given any address.
3. Modify the configuration file pptpd.conf
[root@localhost ppp]# vim /etc/pptpd.conf    // add the following content at the bottom of the file
localip 192.168.10.108
remoteip 192.168.10.11-33
I was very confused about localip here. Some people say it is the public IP address, some say it is not. I first understood it as the public IP address, but later I decided that was wrong: when we create a VPN connection in Windows we are asked to fill in the public IP address, so it is not needed here.
Later I changed localip to the LAN IP address of the VPN server; that also seemed plausible. With that configuration I could connect to the VPN but could not access the network: the connection succeeded and packets were sent and received, but nothing else worked.
The correct understanding is: localip and remoteip are both custom IP addresses. VPN means virtual private network, and the private network is built on top of the public network.
3. Modify sysctl.conf
[root@localhost ppp]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1    // find this line and change 0 to 1
// save and exit, then reload so that the parameter takes effect
[root@localhost ppp]# sysctl -p
4. iptables configuration
// add the forwarding (NAT) rules
[root@localhost ppp]# iptables -t nat -I POSTROUTING 1 -j SNAT -s 192.168.10.0/24 --to 192.168.1.108    // suitable for a VPS on the OpenVZ architecture
[root@localhost ppp]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE    // suitable for a VPS on the Xen architecture
// open port 1723
[root@localhost ppp]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
192.168.1.108 is the LAN IP address of the VPN server; the SNAT target must be the server's real address, not the tunnel localip. For example, hosting24 uses the OpenVZ architecture and Linode uses Xen. Note that PPTP carries the tunnel data over GRE (IP protocol 47) in addition to the control connection on TCP port 1723, so GRE must also be allowed through any firewall in the path.
5. Start pptpd and iptables
[root@localhost ppp]# /etc/init.d/pptpd start
[root@localhost ppp]# /etc/init.d/iptables start
6. Check whether the iptables port is open and whether the forwarding rule is in place
[root@localhost ppp]# iptables -L -t nat -n --line-numbers    // the forwarding rule is OK
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       all  --  192.168.10.0/24      0.0.0.0/0            to:192.168.1.108
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@localhost ppp]# iptables -L -n --line-numbers | grep 1723    // the port is open
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1723
7. Router configuration
If the server sits behind a router, open port 1723 on the router: log on to the router's management page and add a new entry under Forwarding Rules -> Virtual Server with port 1723 and the LAN IP address of the VPN server (the router must also pass GRE, often labelled "PPTP passthrough"). After the connection succeeds, Windows will receive an IP address assigned by the VPN server.
(Screenshot: IP address allocated to the client by the VPN)
At this point the VPN can be used. But what if the VPN connects and you still cannot reach the Internet? I ran into this problem and it blocked me for a whole day.
[root@localhost ppp]# iptables -L -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited    // if this rule exists, delete it
You can delete it directly in /etc/sysconfig/iptables, or run the command iptables -D FORWARD 1, where 1 is the rule number shown by --line-numbers.
Then save with /etc/init.d/iptables save
and restart with /etc/init.d/iptables restart
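As an added example, not part of the original post: a small POSIX sh audit helper that checks the three things that most often break this setup, namely the chap-secrets server column matching the name in options.pptpd (step 2), ip_forward (step 3), and the REJECT rule in the FORWARD chain (the troubleshooting above). The function names and the sample texts are my own constructions.

```shell
#!/bin/sh
# Added audit helper (not from the original post) for the pptpd setup this guide
# builds. Each function takes text (file contents or command output) as an
# argument so it runs offline; on a live server pass e.g. "$(iptables -L -n)".

# The chap-secrets "server" column must equal the `name` in options.pptpd, or
# the MS-CHAPv2 secret is never found. $1 = options.pptpd text, $2 = chap-secrets text.
check_secret_server() {
  name=$(printf '%s\n' "$1" | awk '$1 == "name" { print $2; exit }')
  printf '%s\n' "$2" | awk -v n="$name" '
    /^[[:space:]]*#/ || NF == 0 { next }       # skip comments and blank lines
    $2 != n                     { bad = 1 }    # server field differs from name
    END                         { exit bad + 0 }'
}

# sysctl.conf must carry net.ipv4.ip_forward = 1 or nothing is routed. $1 = file text.
check_ip_forward() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=/ { sub(/.*=[[:space:]]*/, ""); v = $0 }
    END { exit (v + 0 == 1 ? 0 : 1) }'
}

# The stock CentOS FORWARD chain ends in a REJECT that kills tunnel traffic.
# $1 = output of `iptables -L -n`; returns 0 when the chain is clean.
check_forward_chain() {
  printf '%s\n' "$1" | awk '
    /^Chain /                { in_fwd = ($2 == "FORWARD") }
    in_fwd && $1 == "REJECT" { found = 1 }
    END                      { exit found + 0 }'
}

# Constructed samples mirroring the guide (not captured from a real host).
OPTIONS_SAMPLE='name ads
refuse-pap
require-mschap-v2'
SECRETS_SAMPLE='# Secrets for authentication using CHAP
vpn ads 11111 *'
FORWARD_BLOCKED='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Stand-alone demo: one verdict per check against the samples above.
check_secret_server "$OPTIONS_SAMPLE" "$SECRETS_SAMPLE" && echo "chap-secrets: server name matches"
check_ip_forward 'net.ipv4.ip_forward = 1' && echo "ip_forward: enabled"
check_forward_chain "$FORWARD_BLOCKED" || echo "FORWARD chain: REJECT rule present, delete it"
```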