Before introducing PPTP VPN, a quick look at tunneling. The basic process is this: at the interface between the source LAN and the public network, the data (link-layer or network-layer data in the ISO seven-layer model) is encapsulated as the payload of a packet format that can be carried across the public network; at the interface between the destination LAN and the public network the outer packet is stripped off and the payload is taken out. The logical path that the encapsulated packets follow across the Internet is called a "tunnel".
The VPN tunnel protocols usually listed are the Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Tunneling Protocol (L2TP), the network-layer IPsec, and SOCKSv5. Only PPTP is covered here.
I. Principles of PPTP protocol
PPTP uses a TCP connection to maintain the tunnel and Generic Routing Encapsulation (GRE) to carry PPP frames through it. The payload of the encapsulated PPP frames can be encrypted and/or compressed.
The encapsulation and decapsulation steps in PPTP are as follows.
Encapsulation
1. The data is carried in an IP (or IPX or NetBEUI) packet.
2. That IP (or IPX or NetBEUI) packet is encapsulated in a PPP frame.
3. The PPP frame is encapsulated in a GRE packet (the PPP payload is what MPPE encrypts).
4. The GRE packet is encapsulated in an outer IP packet.
Decapsulation
1. Remove the outer IP header.
2. Remove the GRE header; the GRE payload is a PPP frame (MPPE decryption is applied to that frame's payload).
3. Remove the PPP header.
4. Route the inner IP (or IPX or NetBEUI) packet to its final destination.
MPPE encrypts the PPP payload with a key derived during MS-CHAP, MS-CHAP v2 or EAP-TLS authentication, so a VPN client must use one of those authentication protocols if the data in the PPP frames is to be encrypted. PPTP itself adds no encryption: it relies on PPP's encryption and simply encapsulates the already-encrypted PPP frames.
PPTP separates control packets from data packets. Control traffic runs over TCP: the client connects to TCP port 1723 on the VPN server to set up, manage and tear down the tunnel. Data packets are first encapsulated in PPP, then in the enhanced GRE header defined for PPTP (IP protocol 47), and finally carried in IP.
Because the company's employees need to reach external websites through a VPN, the installation described below was carried out.
II. Preparations before installing the PPTP VPN
Environment: CentOS release 6.4 (Final) i386
Protocols: GRE, PPTP
Ports: PPTP on TCP/1723 (server side); GRE is IP protocol 47, not a TCP port
Encryption: MPPE (Microsoft Point-to-Point Encryption, protecting confidentiality at the data link layer)
Authentication: MS-CHAP v2. Note that the MS-CHAP v2 handshake, and therefore the MPPE key derived from it, can be recovered offline from a captured exchange, so do not rely on PPTP to protect sensitive traffic over untrusted networks.
Service: pptpd
Software packages:
(1) ppp-2.4.5-33.0.rhel6.i686.rpm
PPTP needs PPP. Linux systems usually ship a ppp package already, but it is best to install a newer one and update the system's PPP components with rpm -Uvh; alternatively run yum -y install ppp.
(2) pptpd-1.4.0-1.el6.i686.rpm (the pptpd server software)
(3) dkms-2.0.17.5-1.noarch.rpm: not needed on CentOS 6.x/RHEL 6.x, whose kernel already supports MPPE.
DKMS (Dynamic Kernel Module Support) maintains drivers outside the kernel tree and rebuilds the modules automatically when the kernel version changes.
(4) kernel_ppp_mppe-1.0.2-3dkms.noarch (MPPE kernel patch): likewise not needed on CentOS 6.x/RHEL 6.x.
(5) pptp-release-4-7.rhel6.noarch.rpm (the pptpd yum repository package; once it is installed, yum -y install pptpd installs pptpd)
Download addresses:
http://poptop.sourceforge.net/yum/stable/rhel6Server/i386/dkms-2.0.17.5-1.noarch.rpm
http://poptop.sourceforge.net/yum/stable/rhel6Server/i386/pptpd-1.4.0-1.el6.i686.rpm
http://poptop.sourceforge.net/yum/stable/rhel6Server/i386/pptp-release-4-7.rhel6.noarch.rpm
http://poptop.sourceforge.net/yum/stable/rhel6Server/i386/ppp-2.4.5-33.0.rhel6.i686.rpm
http://poptop.sourceforge.net/yum/stable/rhel6Server/i386/ppp-devel-2.4.5-33.0.rhel6.i686.rpm
These are 32-bit packages; on a 64-bit system download the corresponding x86_64 packages.
III. Install the PPTP VPN server
1. Download the required packages to the /vpnsoft directory.
2. Install the packages
rpm -Uvh ppp-2.4.5-33.0.rhel6.i686.rpm
rpm -ivh ppp-devel-2.4.5-33.0.rhel6.i686.rpm
rpm -ivh pptpd-1.4.0-1.el6.i686.rpm
rpm -ivh dkms-2.0.17.5-1.noarch.rpm (optional; not needed on CentOS 6.x)
3. Check whether the MPPE module is loaded in the kernel.
(1) # lsmod | grep ppp
The module is not loaded automatically by default, so this command normally prints nothing.
(2) # modprobe ppp-compress-18
This loads the MPPE module by hand (ppp-compress-18 is the kernel's alias for ppp_mppe).
(3) Check again:
# lsmod | grep ppp
ppp_mppe 39881 0
ppp_generic 62689 1 ppp_mppe
slhc 39745 1 ppp_generic
Output like this shows that the ppp and mppe modules have been loaded. Note that a modprobe by hand does not survive a reboot.
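The check above is easy to misread in a long lsmod listing, and the manual modprobe is lost on reboot. The script below is an added example (not from the original article): it tests saved lsmod output for ppp_mppe, loads the module through the ppp-compress-18 alias if it is missing, and persists the load with a CentOS 6 style /etc/sysconfig/modules script. The file name ppp_mppe.modules is my own choice.

```shell
#!/bin/bash
# Added example: make sure the MPPE kernel module is loaded now and after
# every reboot. Assumes CentOS/RHEL 6 conventions: the modprobe alias
# ppp-compress-18 and executable /etc/sysconfig/modules/*.modules scripts
# run by rc.sysinit at boot.

# Return 0 if the given lsmod output lists ppp_mppe, 1 otherwise.
# Takes the listing as an argument so it can be checked without running lsmod.
mppe_loaded_in() {
    printf '%s\n' "$1" | awk '$1 == "ppp_mppe" { found = 1 } END { exit !found }'
}

# Load ppp_mppe if needed and persist the load across reboots (root only).
ensure_mppe() {
    local f=/etc/sysconfig/modules/ppp_mppe.modules   # assumed file name
    [ "$(id -u)" = 0 ] || { echo "ensure_mppe: run as root" >&2; return 1; }
    if ! mppe_loaded_in "$(lsmod)"; then
        modprobe ppp-compress-18 || return 1         # kernel alias for ppp_mppe
    fi
    if [ ! -e "$f" ]; then
        printf '#!/bin/sh\n/sbin/modprobe ppp-compress-18 >/dev/null 2>&1\n' > "$f"
        chmod 755 "$f"
    fi
    mppe_loaded_in "$(lsmod)"
}
```

Run `ensure_mppe` as root once; afterwards `lsmod | grep ppp_mppe` should show the module after every boot without further action.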
IV. PPTP service configuration
1. Edit the main configuration file /etc/pptpd.conf
# vi /etc/pptpd.conf
ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
debug
The first line is the location of the pppd binary, the second the location of the pptpd parameter file, and the third enables debug logging (written to /var/log/messages).
Then set the following two lines at the end of the file:
localip 192.168.1.4
remoteip 192.168.10.234-254
localip is the local address, the address the VPN server presents on the tunnel; it may be a virtual address and may be in the same subnet as the remoteip range or a different one.
remoteip is the range of addresses handed out to clients. Non-contiguous ranges are separated by commas, for example 192.168.10.234-244,192.168.10.250. Every octet must be 0-255, so an entry such as 192.168.10.256 is not a valid address.
2. Edit the parameter file /etc/ppp/options.pptpd
# vi /etc/ppp/options.pptpd
name vpnserver
name is followed by the name of the VPN server; the default is pptpd.
auth
Require the peer to authenticate itself; this line must be present (not commented out) for authentication to be enforced.
debug
Enable debug logging (written to /var/log/messages).
ms-dns 8.8.8.8
ms-dns 8.8.4.4
DNS servers pushed to clients; Google's public DNS is used here.
refuse-pap: reject PAP authentication (cleartext password)
refuse-chap: reject CHAP authentication
refuse-mschap: reject MS-CHAP (v1) authentication
require-mschap-v2: require MS-CHAP v2 authentication
require-mppe-128: require 128-bit MPPE encryption
3. Edit the account file /etc/ppp/chap-secrets
# vi /etc/ppp/chap-secrets
# client server secret IP addresses
test001 vpnserver "test" *
client is the user name; server is the VPN server name and must match the value after name in /etc/ppp/options.pptpd; secret is the password; IP addresses is the tunnel address the client may use, with * meaning any address from the remoteip pool. The passwords are stored in clear text, so keep the file readable by root only (chmod 600 /etc/ppp/chap-secrets).
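Steps 1 to 3 above are a single procedure, and the two failure modes that cost the most time in practice are a server name that differs between options.pptpd and chap-secrets and an invalid remoteip range. The following script is an added example, not the article's own code: it writes the three files from section IV, validates the remoteip syntax, adds a user with the server name taken from options.pptpd so the files cannot drift apart, and checks the result. ROOT is an assumed prefix so the functions can be tried in a scratch directory before touching /etc.

```shell
#!/bin/bash
# Added example: write and sanity-check the pptpd server configuration from
# section IV. ROOT (assumed) prefixes all paths; leave it empty on the real server.
ROOT=${ROOT:-}

# digits only and 0..255
octet_ok() { case $1 in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -le 255 ]; }

# Validate a pptpd remoteip spec: comma-separated a.b.c.d or a.b.c.d-e entries.
validate_remoteip() {
    local item base last a b c d rest
    [ -n "$1" ] || return 1
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        base=${item%%-*}                       # a.b.c.d
        last=${item#*-}                        # e, or the whole item if no dash
        [ "$last" != "$item" ] || last=${base##*.}
        case $base in *.*.*.*) ;; *) return 1 ;; esac
        a=${base%%.*}; rest=${base#*.}
        b=${rest%%.*}; rest=${rest#*.}
        c=${rest%%.*}; d=${rest#*.}            # d keeps "d.e" if there are 5 parts
        octet_ok "$a" && octet_ok "$b" && octet_ok "$c" && octet_ok "$d" \
            && octet_ok "$last" && [ "$last" -ge "$d" ] || return 1
    done
}

write_pptpd_config() {
    local localip=$1 remoteip=$2 name=$3
    validate_remoteip "$remoteip" || { echo "bad remoteip: $remoteip" >&2; return 1; }
    mkdir -p "$ROOT/etc/ppp"
    cat > "$ROOT/etc/pptpd.conf" <<EOF
ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
debug
logwtmp
localip $localip
remoteip $remoteip
EOF
    cat > "$ROOT/etc/ppp/options.pptpd" <<EOF
name $name
auth
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
lock
EOF
}

# Append a user to chap-secrets, taking the server name from options.pptpd.
add_vpn_user() {
    local user=$1 pass=$2 secrets=$ROOT/etc/ppp/chap-secrets name
    name=$(awk '$1 == "name" { print $2 }' "$ROOT/etc/ppp/options.pptpd")
    [ -n "$name" ] || return 1
    printf '%s\t%s\t"%s"\t*\n' "$user" "$name" "$pass" >> "$secrets"
    chmod 600 "$secrets"                       # passwords are stored in clear text
}

# Fail if weak auth is still allowed, names mismatch, or secrets are readable.
check_pptpd_config() {
    local opts=$ROOT/etc/ppp/options.pptpd secrets=$ROOT/etc/ppp/chap-secrets name o
    name=$(awk '$1 == "name" { print $2 }' "$opts")
    [ -n "$name" ] || { echo "no name in options.pptpd" >&2; return 1; }
    for o in auth refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        grep -qx "$o" "$opts" || { echo "missing $o in options.pptpd" >&2; return 1; }
    done
    awk -v n="$name" '!/^#/ && NF >= 3 && $2 != n { bad = 1 } END { exit bad }' "$secrets" \
        || { echo "chap-secrets entry does not match server name $name" >&2; return 1; }
    [ "$(stat -c %a "$secrets")" = 600 ] || { echo "chap-secrets must be mode 600" >&2; return 1; }
}
```

On the server: `write_pptpd_config 192.168.1.4 192.168.10.234-254 vpnserver && add_vpn_user test001 test && check_pptpd_config`, then `service pptpd restart`.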
4. Network and iptables settings
For clients to reach the Internet through the VPN server, enable IP forwarding, masquerade (NAT) the client addresses, and open the relevant protocol and port. To reach the LAN behind the VPN server instead, add a route with route add.
(1) Enable forwarding
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
(2) Make it take effect immediately
# sysctl -p
(3) Masquerade the client addresses
# iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source XX.XX.XX.XX
or
# iptables -t nat -I POSTROUTING -o eth0 -s 192.168.10.0/24 -j SNAT --to-source 192.168.1.4
XX.XX.XX.XX is the VPN server's Internet-facing address. Do not restrict the SNAT rule with -p tcp: the clients' UDP (DNS) and ICMP traffic must be translated as well, or name resolution through the tunnel fails.
PS: the following rule has the same masquerading effect, and is the right choice when the public address is dynamic:
--------------------------------------------------------------------------
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
--------------------------------------------------------------------------
(4) Open the relevant protocols and ports
① Open the ports DNS/53, DHCP/68 and PPTPD/1723 (DNS and DHCP are only needed if this server provides them; pptpd itself needs only TCP 1723 and GRE).
----------------------------------------------------------------------------
iptables -I INPUT -p udp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
----------------------------------------------------------------------------
② Allow GRE, which carries the tunnel itself; without it the connection stalls after the control channel comes up and the user name and password can never be verified.
----------------------------------------------------------------------------
iptables -I INPUT -p gre -j ACCEPT
----------------------------------------------------------------------------
③ Allow forwarding for the client pool.
----------------------------------------------------------------------------
iptables -I FORWARD -s 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.10.0/24 -j ACCEPT
----------------------------------------------------------------------------
service iptables save
service iptables restart
----------------------------------------------------------------------------
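Steps (1) to (4) are one procedure, and the details that matter are easy to drop when typing the rules one by one: GRE is a protocol, not a port; the NAT rule must not be limited to TCP; and forwarding has to be both enabled and persisted. The script below is an added example, not code from the article: it applies the whole set through one wrapper so that setting IPTABLES=echo gives a dry run. WAN_IF, POOL and PUBLIC_IP are assumptions for the scenario in the text. The iptables on CentOS 6 has no rule-existence check, so run it once and then save with service iptables save.

```shell
#!/bin/bash
# Added example: firewall, NAT and forwarding for the pptpd server in one pass.
# Assumed settings; override them in the environment. IPTABLES=echo dry-runs.
IPTABLES=${IPTABLES:-iptables}
WAN_IF=${WAN_IF:-eth0}
POOL=${POOL:-192.168.10.0/24}     # the remoteip pool from /etc/pptpd.conf
PUBLIC_IP=${PUBLIC_IP:-}          # empty: MASQUERADE instead of SNAT

ipt() { $IPTABLES "$@"; }

pptpd_firewall() {
    # control channel and the tunnel itself (GRE is IP protocol 47, not a port)
    ipt -I INPUT -p tcp --dport 1723 -j ACCEPT
    ipt -I INPUT -p gre -j ACCEPT
    # only needed if this host also serves DNS to the clients
    ipt -I INPUT -p udp --dport 53 -j ACCEPT
    ipt -I INPUT -p tcp --dport 53 -j ACCEPT
    # let the client pool through the box in both directions
    ipt -I FORWARD -s "$POOL" -j ACCEPT
    ipt -I FORWARD -d "$POOL" -j ACCEPT
    # NAT on the WAN side; no -p tcp here or UDP/ICMP would leave untranslated
    if [ -n "$PUBLIC_IP" ]; then
        ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$POOL" -j SNAT --to-source "$PUBLIC_IP"
    else
        ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$POOL" -j MASQUERADE
    fi
}

# Turn on forwarding now and make it survive a reboot.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
}
```

Typical use on the server: `enable_forwarding && PUBLIC_IP=203.0.113.10 pptpd_firewall && service iptables save` (203.0.113.10 stands in for the real public address).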
(5) Start the pptpd service
service pptpd start: start the service
service pptpd stop: stop the service; all client sessions are dropped.
service pptpd restart: restart the service; existing sessions are not dropped.
(6) Check that pptpd is listening
netstat -an | grep 1723 (look for a LISTEN entry on TCP port 1723)
V. Install the Linux VPN client
Environment: CentOS release 6.4 (Final) i386
Software: libpcap-1.4.0, ppp-2.4.5-33.0.rhel6.i686.rpm, pptp-1.7.2-3.rhel5.i386.rpm
yum -y install libpcap
http://poptop.sourceforge.net/yum/stable/rhel6Server/i386/ppp-2.4.5-33.0.rhel6.i686.rpm
http://nchc.dl.sourceforge.net/project/pptpclient/pptp/pptp-1.7.2/pptp-1.7.2-3.rhel5.i386.rpm
1. Install the packages
# rpm -ivh ppp-2.4.5-33.0.rhel6.i686.rpm
# rpm -ivh pptp-1.7.2-3.rhel5.i386.rpm
2. Create the VPN connection
# pptpsetup --create vpntunnel --server 192.168.1.4 --username test001 --password test --encrypt --start
vpntunnel: name of the tunnel (the peer name)
--server 192.168.1.4: the VPN server address
--username test001: the user name
--password test: the password (omit the option and pptpsetup prompts for it, which keeps the secret out of the shell history and process list)
--encrypt: require MPPE encryption
--start: bring the connection up immediately
The user name and password are added to /etc/ppp/chap-secrets automatically, and a vpntunnel file is created in /etc/ppp/peers with the following content:
# vi /etc/ppp/peers/vpntunnel
# written by pptpsetup
pty "pptp 192.168.1.4 --nolaunchpppd"
lock
noauth
nobsdcomp
nodeflate
name test001
remotename vpntunnel
ipparam vpntunnel
require-mppe-128
# vi /etc/ppp/chap-secrets
# added by pptpsetup for vpntunnel
test001 vpntunnel "test" *
Run # pppd call vpntunnel to connect to the VPN server. The pon and poff scripts shipped with ppp bring the link up and down in the same way:
# /usr/share/doc/ppp-2.4.5/scripts/pon vpntunnel
# /usr/share/doc/ppp-2.4.5/scripts/poff vpntunnel
3. Route traffic through the VPN
# ip route replace 192.168.1.4 via 192.168.1.1 dev eth0 src 192.168.1.180
# ip route replace default dev ppp0
192.168.1.4: the VPN server address
192.168.1.1: the original gateway
eth0: the original network interface
192.168.1.180: the original local IP address
ppp0: the VPN interface
The first command pins a host route to the VPN server through the original gateway before the second makes ppp0 the default route; without it the tunnel's own packets would be sent into the tunnel and the link would drop. On Windows a new VPN connection carries all traffic by default; on Linux the route must be set explicitly.
VI. Create a VPN connection in Windows
1. Create a VPN connection on the Windows client
Enter the VPN server's IP address, then the user name and password, and connect (the detailed steps are skipped).
2. View the connection
Running ipconfig /all on the command line shows an additional PPP adapter for the connection to the VPN server.
3. Running ifconfig on the VPN server shows an additional ppp interface for the session.
4. To ease troubleshooting, enable the debug and logwtmp options in the main configuration file /etc/pptpd.conf; they record client connection state in /var/log/messages.
5. With VPN Client2 acting as an FTP server, packets captured with Wireshark while another client fetches FTP data over the VPN show only encrypted GRE payloads, not the FTP traffic in clear.
VII. Other commands and tips
1. Connect (Linux)
pppd call tunnelname
tunnelname is the name of the peer file under /etc/ppp/peers (vpntunnel above), not the ppp interface shown by ifconfig.
2. Disconnect all PPP connections
killall pppd
3. Disconnect a specific connection
ps -ef | grep pptpd
This lists one pptpd process per session; find the one carrying the client's Internet IP address and kill it.
4. Add a VPN user account
vpnuser add vpnuser vpnpasswd
5. Delete a VPN user account
vpnuser del vpnuser
Both vpnuser commands come down to editing /etc/ppp/chap-secrets; editing the file by hand has the same effect.
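Picking the right process out of ps -ef by eye is error-prone, and killall pppd takes every client down. The following is an added example, not the article's own code: it scans a ps listing for the per-client pptpd process (whose title carries the client address) and the pppd it spawned (whose ipparam argument carries the same address), matching the address as a whole token so 192.168.1.18 does not match 192.168.1.180. The ps lines in the test are constructed sample input in that format; the exact process title can differ between pptpd versions, so check against your own ps output first.

```shell
#!/bin/bash
# Added example: terminate one client's PPTP session instead of all of them.
# Assumes pptpd's per-client process title "pptpd [client-ip:port]" and a
# pppd command line containing "ipparam <client-ip>".

# Print the PIDs belonging to one client.
# Args: client IP, text of `ps -eo pid,args` (passed in for testability).
pptpd_pids_for_client() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        $2 ~ /pptpd$/ || $2 ~ /pppd$/ {
            for (i = 3; i <= NF; i++) {
                f = $i
                gsub(/\[|\]/, "", f)       # "[1.2.3.4:1A2B]" -> "1.2.3.4:1A2B"
                sub(/:.*$/, "", f)         # drop ":port" or ":remote-ip"
                if (f == ip) { print $1; break }
            }
        }'
}

# Kill that client's pptpd child and pppd; returns 1 if no session is found.
disconnect_client() {
    local pids
    pids=$(pptpd_pids_for_client "$1" "$(ps -eo pid,args)")
    [ -n "$pids" ] || { echo "no PPTP session for $1" >&2; return 1; }
    kill $pids
}
```

Usage on the server: `disconnect_client 192.168.1.180`; confirm with `ps -ef | grep pptpd` that only the other sessions remain.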
VIII. References
1. Software downloads
http://poptop.sourceforge.net/
http://poptop.sourceforge.net/yum/stable/rhel6Server/i386/
http://sourceforge.net/projects/pptpclient/files/pptp/
2. Configuration documents
http://yuejun.blog.51cto.com/634963/666650
http://blog.163.com/qk_zhu/blog/static/195076154201162795311632/
http://hi.baidu.com/reyleon/item/c48e981857d51612e3f9866d
http://hi.baidu.com/baihebeijixing/item/0b42b787decd8b2d100ef3d4