A VPN (Virtual Private Network) is an extension of a private network. It simulates a point-to-point private connection across a shared or public network such as the Internet, carrying data between a local computer and a remote computer.
It offers good confidentiality and is not subject to authorization, so both parties can establish a free and secure point-to-point connection.
There are two common VPN services on Linux: pptp and openvpn. The former is simpler, but can only be set up on dedicated servers and Xen VPSs; the latter has no such restriction. A VPN built with pptp does not need a special VPN client: you can create a VPN dial-up connection directly in Windows. openvpn requires a client to be installed for dialing.
Network lab environment:
Server version: CentOS 5.9
VPN Server: eth0 = 199.68.199.121
Intranet IP address: 192.168.1.100-200 (allocated to users through NAT)
Internet IP address: 199.68.199.121
1. Check the server for necessary support.
If these checks fail, pptp cannot be installed. Run:
# modprobe ppp-compress-18 && echo OK
If "OK" is printed, the ppp compression module loaded successfully. A second check is still required; enter the following command:
# cat /dev/net/tun
If the command prints the following text, the TUN device is available:
cat: /dev/net/tun: File descriptor in bad state
Only when both checks pass can pptp be installed. Otherwise, you can only consider openvpn, or ask your hosting provider to resolve the problem.
The CentOS 5.5 kernel is later than 2.6.15, so the following check can be skipped:
Check whether PPP supports MPPE (ppp must be installed before running this, otherwise the result is 0).
Run the following command:
# strings '/usr/sbin/pppd' | grep -i mppe | wc --lines
If the output is "0", MPPE is not supported; if it is "30" or a larger number, MPPE (Microsoft Point-to-Point Encryption) is supported.
2. Install ppp and iptables.
By default, a full CentOS installation comes with both components, but a minimal install may not. Run the following command to make sure they are installed; if they already are, yum does nothing:
# yum install -y ppp iptables
3. Install pptp.
This package is not in the yum repositories, so it must be downloaded manually. Switch to the tmp directory first:
# cd /tmp
Download the pptp package for your architecture:
# wget http://acelnmp.googlecode.com/files/pptpd-1.3.4-1.rhel5.1.i386.rpm (32-bit systems)
# wget http://acelnmp.googlecode.com/files/pptpd-1.3.4-1.rhel5.1.x86_64.rpm (64-bit systems)
If your CentOS is 32-bit, run the 32-bit command; if it is 64-bit, run the 64-bit command. Do not mix them up: the mistake only shows up later, when the client fails to connect with error 619 or 800 and the log reports that pptpd-logwtmp.so cannot be found.
Next, install pptp, again choosing the package for your architecture:
# rpm -ivh pptpd-1.3.4-1.rhel5.1.i386.rpm (32-bit systems)
# rpm -ivh pptpd-1.3.4-1.rhel5.1.x86_64.rpm (64-bit systems)
4. Configure pptp.
First, edit the /etc/pptpd.conf file:
# vim /etc/pptpd.conf
Find the "localip" and "remoteip" entries, remove the ";" that comments them out, and set the values to the IP range you want. localip is the server's IP address and remoteip is the address, or range of addresses, assigned to clients. Here we use the default pptp configuration:
localip 199.68.199.121
remoteip 192.168.1.100-200
Note that the IP range set here directly determines the iptables rule added later, so make sure the two match. If that is too much trouble, we recommend using the configuration from this article so that the commands and text can be copied as-is.
Next, edit the /etc/ppp/options.pptpd file and add Google DNS for the VPN:
# vim /etc/ppp/options.pptpd
The file should contain the following lines. Generally, you only need to modify ms-dns, which sets the DNS server address handed to VPN clients:
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
idle 2592000   # disconnect idle sessions; value in seconds (the article describes this as 72 hours)
ms-dns 8.8.8.8
5. Set the pptp VPN account password.
Edit the /etc/ppp/chap-secrets file:
# vim /etc/ppp/chap-secrets
Each line in this file follows the format "username pptpd password *", one account per line. For example, to add a user named test with password 1234, add:
test pptpd 1234 *
The last field is the IP address assigned to that user; "*" means any address from the remoteip range.
6. Modify the kernel settings to support forwarding.
Edit the /etc/sysctl.conf file:
# vim /etc/sysctl.conf
Change "net.ipv4.ip_forward" to 1, so that the line reads:
net.ipv4.ip_forward = 1
Save and exit, then run the following command to apply the change:
# sysctl -p
7. Add iptables forwarding rules.
After the previous six steps we can dial the VPN, but cannot open any web page. The last piece is an iptables NAT rule. Enter the following command:
# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to 199.68.199.121
Note that "192.168.1.0/24" in this command must be changed to match the "remoteip" range in the configuration file above; for example, if you set a "10.0.0.1" range, change it to "10.0.0.0/24". Also check eth0: if your Internet-facing NIC is not eth0 but, say, eth1 (as on SoftLayer servers; use the ifconfig command to see the interface names), change eth0 to the correct interface name, otherwise clients will have no network access!
Then, enter the following command so that iptables saves the rule we just added and you do not have to add it again after a reboot:
# /etc/init.d/iptables save
Restart iptables:
# /etc/init.d/iptables restart
8. Restart the pptp service.
Enter the following command to restart pptp:
# /etc/init.d/pptpd restart
You can now connect to your VPN and browse the web. One final step remains.
9. Set the services to run automatically at startup.
The last step is to set pptp and iptables to start automatically at boot, so you do not have to start the services by hand after every server restart. You can skip this step if you do not need automatic startup. Enter:
# chkconfig pptpd on
# chkconfig iptables on
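As an added helper that is not part of the original article, the following POSIX shell script ties steps 4 and 7 together: it derives the SNAT subnet from the remoteip range in pptpd.conf so the iptables rule cannot drift from it, and it audits an options.pptpd file for the lines that refuse weak authentication and require MS-CHAPv2 with 128-bit MPPE. The interface name and addresses are the article's; the sample options file is constructed input.

```shell
#!/bin/sh
# Added helper, not from the original article. Derives the SNAT subnet from
# the pptpd "remoteip" range and audits options.pptpd for the hardening lines.

# Turn a remoteip range such as "192.168.1.100-200" into the /24 the
# iptables rule must use ("192.168.1.0/24"). Assumes a single /24, as in
# the article; a range spanning several /24s would need a wider mask.
remoteip_to_subnet() {
    first=${1%%-*}                     # drop the "-200" upper bound
    printf '%s.0/24\n' "${first%.*}"   # drop the last octet
}

# Build the SNAT command from NIC, remoteip range and public IP, so the
# subnet in the rule always matches pptpd.conf.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to %s\n' \
        "$1" "$(remoteip_to_subnet "$2")" "$3"
}

# Return 0 when the options file carries every line that refuses PAP, CHAP
# and MS-CHAPv1 and requires MS-CHAPv2 with 128-bit MPPE; list what is missing.
audit_options() {
    missing=0
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        grep -qx "$opt" "$1" || { echo "missing: $opt"; missing=1; }
    done
    return $missing
}

# Demo on a constructed options.pptpd that lost the MS-CHAPv2 requirement.
sample=$(mktemp)
printf 'name pptpd\nrefuse-pap\nrefuse-chap\nrefuse-mschap\nrequire-mppe-128\nms-dns 8.8.8.8\n' > "$sample"
snat_rule eth0 192.168.1.100-200 199.68.199.121
if audit_options "$sample"; then
    echo "options.pptpd enforces MS-CHAPv2 + MPPE-128"
else
    echo "options.pptpd would accept weaker settings; fix the lines above"
fi
rm -f "$sample"
```

Run it against the real /etc/ppp/options.pptpd after step 4 to confirm nothing was dropped while editing.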
10. Connecting client devices needs little explanation.
On OS X it looks like this: