This article describes how to set up a PPTP VPN service on a Xen VPS running CentOS: the installation, the configuration, and the matching iptables rules. It does not yet cover traffic control for PPTP; I will write that sequel once I have learned FreeRADIUS. Update, July 20, 2011: the security recommendations section now covers putting the VPN service and general services such as the web site on different IP addresses, and how to write the iptables rules for that case.
Preface
Egged on by a one-dollar .COM domain at GoDaddy, I first registered gnailuy.com a few days ago, and then also took the plunge on the VPS I had been coveting for a long time. As they say, everything has to start somewhere.
The plan is that from next month this VPS will be rented jointly by me and a few good friends: we will configure virtual hosts, each set up a small web site, and share the VPN service on the VPS. Cost-wise, with a bit of technical spirit and a few like-minded friends, renting a modest VPS and building the server yourself should still come in below what buying a domain name, web hosting and a VPN service separately would cost. This first month we will get familiar with the technology, run various tests, and write up a few technical articles for friends with the same idea.
Body
After two days and nights of floundering through Google, the PPTP VPN and the basic configuration of this WordPress site are finally done, so today I will write up the VPN first. Because the Google Chinese homepage is so ugly these days, most of what I searched for was in English, and I had intended to write this article in English too, but I gave up for two reasons: first, my English writing is really poor; second, the individuals or groups interested in building a VPN are probably mostly on the mainland Chinese Internet, O(∩_∩)O...
PPTP was chosen for the convenience of the clients: the few of us use VPNs mainly from Linux desktops, Windows and Android, all of which ship with a PPTP client. The other reason is that our VPS is based on Xen PV, which can run PPTP; in fact that is cause rather than effect, since we chose Xen PV over OpenVZ precisely because we planned to run PPTP (an OpenVZ container shares the host kernel, so the ppp and MPPE modules are only available if the provider enables them). By the way, Xen PV is a paravirtualization technology that cannot run Windows, but is said to run Linux more efficiently than fully virtualized Xen HVM.
Platform Introduction
- Hardware platform: Xen PV, 215 MB memory, 512 MB swap, 1 TB transfer
- Operating system: CentOS release 5.6 (Final)
- Kernel: 2.6.18-194.32.1.el5xen i686 i386 GNU/Linux
- Network: 1 IP address, 1 network adapter (eth0)
Configuration Overview
The configuration of PPTP consists of the following six steps:
- Verify that the kernel can load the MPPE module
- Install the required packages
- Configure the PPP and pptpd configuration files
- Turn on IP forwarding in the kernel
- Start the pptpd daemon
- Configure the iptables firewall rules for accepting and forwarding
Detailed steps
After the VPS boots, the first thing is to log in. I normally use Linux and simply SSH in from the command line. Under Windows I recommend PuTTY; one thing to note is that the connection's character set is best set to UTF-8, because the default locale on Linux is UTF-8 and non-ASCII characters will be garbled otherwise. Google knows the exact setting.
All of the configuration below requires root privileges, and unless stated otherwise every command is run in root's home directory. By the way, it is best to disable direct root login on the VPS and instead create an ordinary user and su to root; the details are off-topic here, so please Google them.
1. Verify that the kernel can load the MPPE module:
The kernel's MPPE module provides Microsoft Point-to-Point Encryption, which is what the VPN client built into Windows uses, and the mainstream Linux desktops support MPPE as well. On our kernel version MPPE is already available, so it only needs to be verified with the following command, which prints "MPPE is ok" on success:
modprobe ppp-compress-18 && echo MPPE is ok
2. Install the required packages:
–ppp–
PPTP encapsulates user data in PPP, then carries the PPP frames inside IP datagrams across the IP network, so PPP support is needed first. The full CentOS install we use already has the ppp package; if you installed a minimal or otherwise stripped-down CentOS, you may need to install ppp with yum first.
Being lazy, I generally install software with yum whenever there is no special customization requirement. As long as the package is in a repository, yum is more convenient and resolves dependencies automatically.
–pptpd–
With PPP support in place, install pptpd next. First find the latest pptpd package for your platform on the Poptop download site (the yum/stable/packages directory used below); CentOS and RHEL share the packages with the rhel suffix, Fedora uses the ones with the fc suffix, and you also need to pick the 32-bit or 64-bit package to match your kernel. Once you have found the right package, copy its URL and download it into root's home directory with wget (or install it directly with rpm -ivh URL). For my 32-bit CentOS 5 kernel, for example:
wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-2.rhel5.i386.rpm
This article assumes you can deal with elementary errors such as "wget: command not found" yourself: check the spelling of the command, yum install it, or Google it. There are quite a few commands in this article that can turn out to be not found.
After the download completes, install it:
rpm -ivh pptpd-1.3.4-2.rhel5.i386.rpm
–iptables–
Similarly, unless you have a minimal system, iptables should already be installed. It is the most popular firewall on Linux and should be there by default; if not, install it with yum as above.
Software like iptables is very important on a server. Even before configuring any rules, start it (the default rule set already allows SSH on port 22, so you will not be locked out) and set it to start automatically at the default run levels:
/etc/init.d/iptables start
chkconfig iptables on
3. Configure the PPP and pptpd configuration files:
Next you need to edit several configuration files for PPP and pptpd. If you have a Linux background, vi/vim is the natural choice; if you are unfamiliar with vi and do not want to learn it, replace the vi commands I use with the more approachable nano. This article does not cover text editor basics; you only need to know how to open a file, edit it, save it and exit.
In these configuration files, lines beginning with # are comments and have no effect on the configuration. We do not care about the comments, so below I use a command like
grep ^[^#] /etc/ppp/options.pptpd
to filter out the effective lines of a configuration file and show only those in the body of the article. When editing, you only need to add or modify these effective lines, and comment out unwanted lines with a leading #.
–ppp–
Configuring PPP means editing two of its files: the options file /etc/ppp/options.pptpd and the user account file. First the options file:
When I edited it the file already existed and needed almost no changes; if it does not exist, create it and fill in the effective configuration below. These are the effective lines in the file:
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
The pptpd after name is the service name; you can change it to whatever you like, but then replace pptpd with your name in the later configuration as well.
The following lines beginning with refuse or require set which authentication and encryption methods are rejected and required: everything weaker than MS-CHAPv2 (PAP, CHAP, MS-CHAPv1) is refused, and MPPE with 128-bit keys is required; mppe-128 depends on the kernel module verified in the first step. These are the strongest options PPTP offers, but keep in mind that MS-CHAPv2 authentication and MPPE (RC4) are weak by modern standards, so PPTP should be treated as a convenient tunnel rather than strong encryption.
The other two important lines are ms-dns, which set the DNS servers the VPN clients use. Since the VPS is located abroad, I recommend the Google public DNS addresses above; you can of course change them to the DNS servers provided by your VPS's ISP.
The remaining options are not described here; readers who want to know what they mean can refer to the comments in this sample file.
Next, modify the other file, which stores the user accounts, /etc/ppp/chap-secrets:
This file is very simple: each line holds one VPN account as the client's user name, the service name, the password and the allowed IP addresses, all in clear text, one account per line:
username1 pptpd passwd1 *
username2 pptpd passwd2 *
The first and third columns are the user name and password; the second column must match the service name given after name in /etc/ppp/options.pptpd above; and the last column restricts the IP address the client may use, with an asterisk meaning no restriction. Because the passwords are stored in clear text, make sure this file is owned by root with mode 0600 so that no other user on the VPS can read it.
–pptpd–
Now edit the pptpd configuration file /etc/pptpd.conf:
This file also has only a few effective lines:
option /etc/ppp/options.pptpd
logwtmp
localip 192.168.0.1
remoteip 192.168.0.207-217
option specifies that the configuration in /etc/ppp/options.pptpd is used; logwtmp records connections in the wtmp log, so VPN logins show up in last.
The next two lines are the important ones. A VPN can be understood like this: the Linux client uses a virtual network device ppp0 (on Windows, think of the VPN virtual network adapter) to connect to the server's virtual network device ppp0, so that the client joins the network behind the server's ppp0. localip is the IP address assigned to the server-side ppp0, and remoteip is assigned to the client-side ppp0 (or virtual adapter).
Both can be several addresses; in general one IP for localip is enough, while remoteip is a range sized to the number of clients. The remoteip range must be in the same network segment as localip.
The localip and remoteip segments can be chosen freely, but the range must not contain the IP address of the real network card eth0. Generally the configuration above works as is; all you need to do is change the range 192.168.0.207-217 to your preferred 192.168.0.a-b, where 1 < a < b < 255. One caveat: 192.168.0.0/24 is also the most common home router network, and a client whose LAN uses the same segment will have routing conflicts, so choosing a less common private range (a different 192.168.x.0/24, for example) avoids that trouble.
4. Turn on the kernel's IP forwarding:
For the VPN server to relay network requests on behalf of clients, so that they can reach the Internet through the VPN, the kernel's IP forwarding must be turned on. Edit the configuration file /etc/sysctl.conf:
Locate the line:
net.ipv4.ip_forward = 0
and change it to:
net.ipv4.ip_forward = 1
Then run the following command to make the change take effect:
sysctl -p
5. Start the pptpd daemon:
With the configuration complete, pptpd can be started and set to start automatically, just like iptables above:
/etc/init.d/pptpd start
chkconfig pptpd on
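Before starting pptpd it is worth checking the address plan and the secrets file mechanically rather than by eye. The following script is an added example, not part of the original post or of the pptpd project: it checks that localip and the remoteip pool share one /24, that the pool is a valid a-b range, that neither eth0's address nor localip lands inside the pool, and that the secrets file is mode 0600 and every account line names the same service as the name option. The file names and the sample account lines in the demonstration are constructed for the example; on the server you would point check_secrets_file at /etc/ppp/chap-secrets.

```bash
#!/bin/bash
# Added example (not from the original post): sanity-check the address plan
# from /etc/pptpd.conf and the chap-secrets file before starting pptpd.
# The sample values in the demonstration at the bottom are constructed.

# ip2int DOTTED-QUAD: print the address as a 32-bit integer for range tests.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_address_plan LOCALIP REMOTEIP_RANGE ETH0_IP
# REMOTEIP_RANGE uses pptpd's "a.b.c.x-y" form, e.g. 192.168.0.207-217
# (a single address is accepted as a pool of one). Succeeds when localip
# and the pool share one /24, the pool is a valid x-y with 1 < x <= y < 255,
# and neither eth0's address nor localip lies inside the pool.
check_address_plan() {
  local localip=$1 range=$2 eth0=$3
  local base=${range%-*} last      # base: 192.168.0.207
  case $range in
    *-*) last=${range##*-} ;;      # 217
    *)   last=${range##*.} ;;      # single address: last == first
  esac
  local prefix=${base%.*}          # 192.168.0
  local first=${base##*.}          # 207
  if [ "${localip%.*}" != "$prefix" ]; then
    echo "localip $localip is not in the same /24 as remoteip $range"
    return 1
  fi
  if [ "$first" -lt 2 ] || [ "$first" -gt "$last" ] || [ "$last" -gt 254 ]; then
    echo "remoteip $range is not a valid x-y range with 1 < x <= y < 255"
    return 1
  fi
  local lo hi e l
  lo=$(ip2int "$prefix.$first"); hi=$(ip2int "$prefix.$last")
  e=$(ip2int "$eth0");           l=$(ip2int "$localip")
  if [ "$e" -ge "$lo" ] && [ "$e" -le "$hi" ]; then
    echo "eth0 address $eth0 lies inside the client pool $range"
    return 1
  fi
  if [ "$l" -ge "$lo" ] && [ "$l" -le "$hi" ]; then
    echo "localip $localip collides with the client pool $range"
    return 1
  fi
  return 0
}

# check_secrets_file FILE SERVICE
# The file holds cleartext passwords, so it must be mode 0600. Every
# non-comment line must have exactly four fields (client server secret ip)
# and its server field must equal the "name" option from options.pptpd.
# (Quoted secrets containing spaces are not handled by this simple check.)
check_secrets_file() {
  local f=$1 service=$2 mode client server secret ip extra n=0
  mode=$(stat -c %a "$f") || return 1
  if [ "$mode" != 600 ]; then
    echo "$f is mode $mode; it stores cleartext passwords and must be 0600"
    return 1
  fi
  while read -r client server secret ip extra; do
    n=$((n + 1))
    case $client in '' | '#'*) continue ;; esac
    if [ -z "$ip" ] || [ -n "$extra" ]; then
      echo "$f line $n: expected 4 fields (client server secret ip)"
      return 1
    fi
    if [ "$server" != "$service" ]; then
      echo "$f line $n: server '$server' does not match the name option ($service)"
      return 1
    fi
  done < "$f"
  return 0
}

# Demonstration with the values used in this article (constructed input).
check_address_plan 192.168.0.1 192.168.0.207-217 123.123.123.123 \
  && echo "address plan: OK"
demo=$(mktemp)
printf 'username1 pptpd passwd1 *\nusername2 pptpd passwd2 *\n' > "$demo"
chmod 600 "$demo"
check_secrets_file "$demo" pptpd && echo "secrets file: OK"
rm -f "$demo"
```

Each check prints the reason it failed, so it can be dropped into the start of the deployment script and abort before pptpd is started with a broken address plan or a world-readable password file.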
6. Configure the iptables firewall rules for accepting and forwarding:
Finally, configure the firewall. This serves three purposes: set a default drop policy to protect the server; accept the packets of the services we want to provide; and configure the POSTROUTING chain of the nat table so that VPN clients can reach the Internet through the server. In short, our principle is to accept only the services we need and reject everything else.
First, the items related to the PPTP VPN:
- Allow the GRE (Generic Routing Encapsulation) protocol; PPTP uses GRE to carry the PPP packets inside IP. This rule is needed because a client's GRE packets start a new flow, which the RELATED,ESTABLISHED rule will not accept unless the pptp connection-tracking helper is loaded to relate them to the port 1723 connection.
- Accept TCP port 1723, the PPTP control connection
- Accept inbound packets in state RELATED,ESTABLISHED (a normally serviced machine should already have this rule)
- Allow packet forwarding between the VPN's virtual network segment 192.168.0.0/24 and the server's network card eth0
- NAT outbound packets from the VPN segment 192.168.0.0/24 through eth0
If your other firewall rules are already configured and do not need to change, just add the VPN-related rules above by running the following commands (the third is usually already present on a firewalled machine; adding it again is harmless):
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -i eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
The segment 192.168.0.0/24 above may need to be changed to the segment containing the localip and remoteip you configured in /etc/pptpd.conf.
There are a few other services needed on our server:
- SSH on port 22 (very important! If you carelessly forget this one, about all you can do is open a ticket with the VPS provider)
- FTP control on port 21 (with a stateful rule set like this one, passive-mode FTP data connections only work if the ip_conntrack_ftp helper module is loaded)
- Web on port 80
- Allow responses to the various ICMP requests
Based on the requirements above plus the basics a server needs, I wrote the following shell script. It drops by default everything that is not explicitly allowed, then allows the VPN-related rules above and the rules for the other services listed. Modify the script to suit your actual needs, then run it to deploy the iptables rules in one go.
#!/bin/bash
### Clear old rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

### *filter
# INPUT chain
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# OUTPUT chain
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# FORWARD chain
iptables -A FORWARD -s 192.168.0.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -i eth0 -j ACCEPT
# Default DROP: set the policies after the ACCEPT rules exist, so the SSH
# session running this script is not cut off while the chains are empty
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

### *nat
# POSTROUTING chain
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
Note that this script clears all existing iptables rules before deploying the new ones. If you need to keep the rules already on your machine, do not run the clearing statements at the top, or back up the old rules before experimenting:
iptables-save > iptables.backup
To restore a backup made with the command above:
iptables-restore < iptables.backup
Finally, once you are sure the iptables rules are what you want, run the following command to save them to /etc/sysconfig/iptables, so that the iptables service restores them on reboot:
/etc/init.d/iptables save
Security recommendations
From @alexwwang and @helijohnny on Twitter I learned that running the VPN on the same IP as the web site might not be safe. They suggested adding an IP address to the VPS so that the VPN service and the web site use different IPs, so that the VPN server's IP is not exposed through the content published on the web site. I tested this on a test machine, and today I finally got the new IP address, so I am adding this section.
Configuring multiple IP addresses on a single NIC
Configuring multiple IP addresses on a single network adapter is easy on CentOS. For example, suppose eth0 already has the address 123.123.123.123/24 and you want to add 123.123.123.124/24: add a new virtual interface configuration file ifcfg-eth0:0 in the /etc/sysconfig/network-scripts/ directory. To save effort you can copy ifcfg-eth0 to ifcfg-eth0:0 and then edit its contents, for example:
DEVICE=eth0:0
BOOTPROTO=static
ONBOOT=yes
IPADDR=123.123.123.124
NETMASK=255.255.255.0
The configuration of the virtual interface eth0:0 looks sparse, but it shares the configuration of the real device eth0, so this much is enough; bring it up with ifup eth0:0 (or restart the network service). If you need to add more addresses to the same card, follow this example with eth0:1, eth0:2 and so on.
iptables configuration for multiple IPs
As for the iptables configuration, the idea is to use -d in the INPUT chain to distinguish by destination IP: accept the service ports such as 22 and 80 only on the web IP, and accept only port 1723 on the VPN IP (the GRE rule can be pinned to the VPN IP with -d in the same way).
If you like, you can also bind a different domain name to the new IP; as long as the firewall is configured this way and neither the VPN IP nor its domain name is published, the VPN address is hard to find, which is one benefit of a self-built VPN. Keep in mind that this is obscurity rather than security: anyone scanning the provider's address block will still see port 1723 open on the VPN IP, so it hides the VPN from casual lookup, not from a determined scan. Note also that MASQUERADE uses eth0's primary address, so the VPN clients' outbound traffic will appear to come from 123.123.123.123; if you want it to leave from the VPN IP instead, replace the MASQUERADE rule with an SNAT rule using --to-source 123.123.123.124. Here is an iptables configuration script similar to the one above, with a few modifications for the multiple-IP case:
#!/bin/bash
### Clear old rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

### *filter
# INPUT chain: web and management ports only on 123.123.123.123,
# the PPTP control port only on 123.123.123.124
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -p tcp -m tcp -d 123.123.123.123 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -d 123.123.123.123 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -d 123.123.123.123 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -d 123.123.123.123 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -d 123.123.123.124 --dport 1723 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# OUTPUT chain
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# FORWARD chain
iptables -A FORWARD -s 192.168.0.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -i eth0 -j ACCEPT
# Default DROP: set the policies after the ACCEPT rules exist, so the SSH
# session running this script is not cut off while the chains are empty
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

### *nat
# POSTROUTING chain
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
With this configuration, a port scan of the public web domain name only finds the ports opened for the web host, while the domain name and IP of the VPN service are not published. I scanned our server by hand, and the results look like this:
[root@sheldon ~]# nmap -sS gnailuy.com
Starting Nmap ( http://nmap.org ) at 2011-07-20 20:46 CST
Nmap scan report for gnailuy.com (one of our IP addresses)
Host is up (0.31s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
Nmap done: 1 IP address (1 host up) scanned in seconds

[root@sheldon ~]# nmap -sS vpnserversdomainname
Starting Nmap ( http://nmap.org ) at 2011-07-20 20:53 CST
Nmap scan report for vpnserversdomainname (our other IP address)
Host is up (0.32s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
1723/tcp open  pptp
Nmap done: 1 IP address (1 host up) scanned in seconds
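The nmap scan confirms what is reachable from outside, but it only shows the result of one scan from one vantage point. As an added example that is not part of the original post, the script below audits an iptables-save dump for the two-address layout directly: it reports an INPUT policy other than DROP, a missing GRE accept, any tcp/1723 accept not pinned with -d to the VPN address, any other service accepted on the VPN address, and any service accepted on every address. The rule text in sample_rules_good and sample_rules_bad is constructed to mirror the script above, with three mistakes planted in the bad set; on the server you would run iptables-save > rules.txt and audit that file instead.

```bash
#!/bin/bash
# Added example (not from the original post): audit an iptables-save dump
# for the two-address layout. On the server feed it "iptables-save > rules.txt";
# the sample rule sets below are constructed for the demonstration.

# audit_split_rules RULES_FILE VPN_IP
# Examines only the filter table's INPUT chain and prints a finding for:
#  - an INPUT policy other than DROP
#  - no GRE accept (the PPTP data channel)
#  - a tcp/1723 ACCEPT not pinned to VPN_IP with -d
#  - any other port accepted for VPN_IP, or accepted on every address
# Returns the number of findings, so 0 means the layout holds.
audit_split_rules() {
  local f=$1 vpn=$2 findings=0 input rule
  input=$(awk '/^\*filter/{t=1} /^COMMIT/{t=0} t && /^-A INPUT /' "$f")

  if ! grep -q '^:INPUT DROP' "$f"; then
    echo "INPUT policy is not DROP"
    findings=$((findings + 1))
  fi
  if ! printf '%s\n' "$input" | grep -q -- '-p gre .*-j ACCEPT'; then
    echo "GRE (IP protocol 47) is not accepted; PPTP tunnels will not come up"
    findings=$((findings + 1))
  fi
  # PPTP control port: only acceptable when pinned to the VPN address
  while read -r rule; do
    case $rule in
      '' | *"-d $vpn/32 "*) ;;
      *) echo "PPTP control port reachable beyond $vpn: $rule"
         findings=$((findings + 1)) ;;
    esac
  done <<EOF
$(printf '%s\n' "$input" | grep -- '--dport 1723 ' | grep -- '-j ACCEPT')
EOF
  # every other service port: must be pinned, and never to the VPN address
  while read -r rule; do
    case $rule in
      '' | *"--dport 1723 "*) ;;
      *"-d $vpn/32 "*) echo "non-VPN service exposed on $vpn: $rule"
                       findings=$((findings + 1)) ;;
      *" -d "*) ;;
      *) echo "service accepted on every address: $rule"
         findings=$((findings + 1)) ;;
    esac
  done <<EOF
$(printf '%s\n' "$input" | grep -- '--dport ' | grep -- '-j ACCEPT')
EOF
  return $findings
}

# Constructed iptables-save output matching the multiple-IP script above.
sample_rules_good() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 123.123.123.123/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 123.123.123.123/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 123.123.123.124/32 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# The same dump with three mistakes: 1723 open on all addresses,
# port 80 open on all addresses, and SSH exposed on the VPN address.
sample_rules_bad() {
  sample_rules_good | sed \
    -e 's|^-A INPUT -d 123.123.123.124/32 -p tcp -m tcp --dport 1723|-A INPUT -p tcp -m tcp --dport 1723|' \
    -e 's|^-A INPUT -d 123.123.123.123/32 -p tcp -m tcp --dport 80|-A INPUT -p tcp -m tcp --dport 80|' \
    -e 's|^-A INPUT -d 123.123.123.123/32 -p tcp -m tcp --dport 22|-A INPUT -d 123.123.123.124/32 -p tcp -m tcp --dport 22|'
}

# Demonstration on the constructed rule sets.
good=$(mktemp); bad=$(mktemp)
sample_rules_good > "$good"; sample_rules_bad > "$bad"
audit_split_rules "$good" 123.123.123.124 && echo "good rule set: no findings"
audit_split_rules "$bad" 123.123.123.124 || echo "bad rule set: $? finding(s)"
rm -f "$good" "$bad"
```

The audit works on the saved rule text rather than on live packets, so it can run from cron or before /etc/init.d/iptables save, and it catches the mistake an external scan from one address cannot show: a service rule that was never pinned with -d is reachable on both addresses even though the scan of one of them looks clean.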
Postscript
This article was written alongside an experiment with search engines, and I did learn a lot while groping my way through. While learning and configuring the server I kept Googling related articles, and there are already many in both Chinese and English, so I thought about what my article should add that the existing material lacks. Technically I am just a beginner; apart from searching, thinking and organizing, there is no way I could invent a new technique, so I can only maximize the value of this article through the organization of the language, the amount of information, and the explanation of configuration details, hoping it becomes a more useful Chinese-language article that offers some small guidance to other friends with the same idea.