Objective: build a Linux gateway (transparent proxy) with a single NIC. The gateway dials an overseas VPN server; after a client sets it as its gateway, the client's network egress is the overseas VPN server, which speeds up access to some websites.
Environment information:
Hardware: one DELL machine, single NIC (IP: 10.39.100.253);
Machine name: VpnGW
Operating system: CentOS 6.0, kernel Linux 2.6.32-71.el6.i686
Network environment: the LAN firewall must allow the machine to use the PPTP protocol to dial out to a public IP address.
Installation steps:
1. Install the operating system and set the IP address and machine name. The firewall and SELinux can be disabled;
Modify the host name: set the CentOS host name in /etc/sysconfig/network.
Modify the hosts file: edit /etc/hosts.
Disable SELinux: edit /etc/sysconfig/selinux and set
SELINUX=disabled    # this is the standard method
Set the system to use the EPEL source:
CentOS 6.x 32-bit (x86/i386):
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm
CentOS 6.x 64-bit (x64):
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
2. Install software;
Check whether ppp, pptp and pptp-setup are installed; if not, install them with yum install.
3. Use the pptpsetup command to create a VPN node;
pptpsetup command usage and description:
pptpsetup --create <name> --server <server> [--domain <domain>] --username <username> [--password <password>] [--encrypt] [--start]
pptpsetup --delete <name>    # delete a node
Options:
* --create: the name of the connection to create.
* --server: the IP address or domain name of the PPTP server.
* --domain: many Windows servers use the "domain" to manage authentication.
* --username: the VPN user name (domain user name).
* --password: the user's password on the VPN. It can be left blank, in which case the command prompts for it later, which is safer for the account.
* --encrypt: enables encryption. You do not need to specify the encryption method; the command reads it from the configuration file.
* If you connect without --encrypt and the following messages appear, the server requires encryption (you can also confirm this with the VPN administrator); in that case add this parameter:
  CHAP authentication succeeded
  LCP terminated by peer (ZM-76-^@ ...)
* --start: connect immediately after the connection is created.
After running this command, two configuration files are created:
/etc/ppp/chap-secrets
/etc/ppp/peers/<connection name>
The configuration file /etc/ppp/peers/<connection name> must be modified as follows:
# written by pptpsetup
pty "pptp 10.39.100.2 --nolaunchpppd"
lock
noauth
nobsdcomp
nodeflate
name csnj\administrator
remotename csvpn
ipparam csvpn
# defaultroute    # use this connection as the default route; not meaningful for a single NIC in this article, so leave it commented out (see the appendix)
persist           # when the connection drops, make pppd dial again (verified)
require-mppe-128
refuse-pap
refuse-chap
refuse-eap
refuse-mschap
When I was doing this step, I couldn't connect. I suspected that the encryption method and handshake protocol were at fault. Finally, I found that the username had to be changed.
Change "DOMAIN\username" in the above two configuration files to "DOMAIN\\username" (the backslash must be doubled).
This is also described in the official documentation: http://pptpclient.sourceforge.net/howto-redhat.phtml#setup
Reference:
* The script displays your choice, together with information about specifying a local name:
Add a new CHAP secret.
NOTE: Any backslashes (\) must be doubled (\\).
Local Name:
This is the 'local' identifier for CHAP authentication.
NOTE: If the server is a Windows NT machine, the local name
should be your Windows NT username including domain.
For example:
DOMAIN\username
Local Name: your_domain\your_username
4. Set up the dialing scripts;
The dialing scripts pon and poff are in the directory /usr/share/doc/ppp-*/scripts/:
cp /usr/share/doc/ppp-2.4.5/scripts/pon /usr/sbin
cp /usr/share/doc/ppp-2.4.5/scripts/poff /usr/sbin
chmod +x /usr/sbin/pon /usr/sbin/poff    # make the pon and poff scripts executable
In this way you can use pon/poff to start or stop a VPN connection.
You can also use pppd call <connection name> / killall pppd to start/stop it.
5. Set automatic dialing at startup and change the route after dialing;
Add the dialing command to the /etc/rc.d/rc.local file.
6. View the VPN log;
The relevant messages are written to /var/log/messages.
To further diagnose a failure, add options to the pppd command (dial from the command line and watch the log on screen):
pppd call vpn_name debug dump logfd 2 nodetach
7. Install squid;
yum -y install squid
Start squid: /etc/rc.d/init.d/squid start
8. Configure squid;
Modify the configuration file /etc/squid/squid.conf
Configure it as a transparent proxy:
# squid normally listens on port 3128
http_port 10.39.100.253:3128 transparent
Configure squid to start automatically at boot:
chkconfig squid on
9. Access control;
After the configuration is complete, the key and important task is access control. Squid supports many management methods and is very simple to use (this is also why some people would rather run Squid without any caching than rely on iptables alone).
Squid can identify users by IP address, host name, MAC address, user/password authentication and so on; it can also control access by domain name, domain suffix, file type, IP address, port, URL matching and so on, and it can restrict users by time interval. Access control is therefore the focus of Squid configuration.
Squid classifies access with ACLs (Access Control Lists) and controls them with http_access deny or allow.
This article uses the MAC address for control; add the following to the configuration file (mac1 and mac2 stand for the clients' MAC addresses):
acl allowuser arp mac1 mac2
http_access allow allowuser
Note that Squid applies the rules in the order they are written (allow, deny, allow, deny, ...). When a user accesses the proxy, Squid tests every rule in turn; if none of them matches, Squid applies the opposite of the last rule (here: deny).
iptables -t filter -A INPUT -s 10.39.101.152 -i eth0 -j ACCEPT    # this client may reach the gateway (and the proxy port)
iptables -t filter -A INPUT -s 10.39.0.0/16 -i eth0 -j DROP        # every other host in the LAN is dropped
10. Enable kernel IP forwarding;
Method 1: modify the kernel parameter in /proc
The kernel parameter ip_forward is exposed as the file /proc/sys/net/ipv4/ip_forward. View its value with:
# cat /proc/sys/net/ipv4/ip_forward
The default value 0 means IP forwarding is disabled; changing it to 1 enables it:
# echo 1 > /proc/sys/net/ipv4/ip_forward
The change takes effect immediately, i.e. the kernel now forwards IP packets. However, it reverts to the default 0 after a reboot, so to make it permanent you must modify /etc/sysctl.conf.
Method 2: modify the /etc/sysctl.conf file.
By default, sysctl.conf contains the variable
net.ipv4.ip_forward = 0
Change the value to 1 and save the file. Because the initialization script /etc/rc.d/rc.sysinit reads /etc/sysctl.conf every time the system starts, IP forwarding is then enabled at every boot. However, changes to sysctl.conf do not take effect immediately; to apply them now, run:
# sysctl -p
11. Configure iptables;
1. Forward the clients' requests to the Internet with NAT (masquerading):
iptables -t nat -A POSTROUTING -s 10.39.0.0/16 -o ppp0 -j MASQUERADE
2. Redirect the clients' requests to web port 80 to port 3128, on which Squid listens:
iptables -t nat -A PREROUTING -s 10.39.0.0/16 -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Save: /etc/rc.d/init.d/iptables save
Restart: service iptables restart
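As an added example (not from the original article), the rules from steps 9 and 11 collected into one script that writes them in iptables-restore format for review and loads them in one transaction. It also closes a gap the article's rules leave: the INPUT rules only protect the proxy port, while client traffic that is not TCP/80 is never redirected to Squid and is simply forwarded and masqueraded over ppp0 for the whole /16, so the script restricts the FORWARD chain to the same allowed client list. Interface names, the 10.39.0.0/16 range and the client IP follow the article; ALLOWED_CLIENTS is a constructed list.

```shell
#!/bin/sh
# Added example (not from the article): emit the gateway ruleset in
# iptables-restore format so it can be reviewed, then loaded atomically.
# Values follow the article: LAN on eth0, VPN on ppp0, clients in
# 10.39.0.0/16, squid on 3128. ALLOWED_CLIENTS is a constructed allow list.
LAN_IF="eth0"
VPN_IF="ppp0"
CLIENT_NET="10.39.0.0/16"
SQUID_PORT="3128"
ALLOWED_CLIENTS="10.39.101.152"   # space-separated client IPs

rule() { printf '%s\n' "$*"; }

# gen_rules prints the complete nat + filter ruleset to stdout.
gen_rules() {
    rule '*nat'
    # Step 11.2: client web traffic goes to the transparent squid on this host
    rule "-A PREROUTING -s $CLIENT_NET -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    # Step 11.1: everything else from the clients is masqueraded out over the VPN
    rule "-A POSTROUTING -s $CLIENT_NET -o $VPN_IF -j MASQUERADE"
    rule 'COMMIT'

    rule '*filter'
    # FORWARD is default-deny: the article's INPUT rules do not cover traffic
    # that bypasses squid (anything but TCP/80) and is simply routed to ppp0.
    rule ':INPUT ACCEPT [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ip in $ALLOWED_CLIENTS; do
        # Step 9: listed clients may reach the proxy port ...
        rule "-A INPUT -s $ip -i $LAN_IF -j ACCEPT"
        # ... and are the only ones whose other traffic is forwarded to the VPN
        rule "-A FORWARD -s $ip -i $LAN_IF -o $VPN_IF -j ACCEPT"
    done
    # Step 9: any other LAN host is dropped before it reaches squid
    rule "-A INPUT -s $CLIENT_NET -i $LAN_IF -j DROP"
    rule 'COMMIT'
}

# apply_rules replaces the running ruleset in one transaction; run as root.
apply_rules() {
    gen_rules | iptables-restore && /etc/rc.d/init.d/iptables save
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules   # default: only print the ruleset for review
fi
```

Run it without arguments first and compare the output with the rules in steps 9 and 11; `sh gateway-rules.sh apply` then loads and saves them.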
12. During the installation I consulted a number of blog articles on the Internet (more than 20) and the knowledge base, which cannot be listed one by one. Thank you.
Many articles on the Internet use scripts to enable automatic dial-up and redial on disconnection; because I am not familiar with scripting, I will try that later.
PDF notes Download: http://down.51cto.com/data/416640