vpn simple transit application service
Author: Linuxpf
Last modification time: 2008.12.24
I will not say much here about the underlying principles; they are well covered on the Internet. When other problems come up you usually end up analysing them from those principles, so the main things to understand are PPP encapsulation and GRE routing; for more on the principles, see the link referred to below. With this article you can set up VPN transit, which can basically be used as a VPN proxy for Internet access, for example to work around the slow access domestic users get to foreign websites. Access to resources inside the VPN network is, naturally, no problem either.
Note: the MTU of the PPP session has been set to 1359, which avoids some web pages failing to display and MSN failing to log in. At this MTU the following services were tested to work through the transit: http, https, ssl, dns, smtp, POP3, FTP, MSN, QQ.
1. Download to /home/download
Site: http://poptop.sourceforge.net/yum/stable/rhel4/i386/
# cd /home/download
# wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/ppp-2.4.3-7.rhel4.i386.rpm
# wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/pptpd-1.3.4-1.rhel4.i386.rpm
# wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/dkms-2.0.17.5-1.noarch.rpm
# wget http://poptop.sourceforge.net/yum/stable/rhel4/i386/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
2. Install pptpd
# yum install kernel-devel
Because I used a minimal CentOS installation, the kernel source is not present on the system, and the module recompilation then fails with errors. Install or update the kernel source according to your own situation.
# vi /etc/grub.conf
-----------------------------------------------------
default=0
------------------------------------------------------
This sets which kernel entry is booted by default.
# uname -a
Linux squid.x.com 2.6.9-78.0.1.EL #1 Tue Aug 5 10:49:42 EDT 2008 i686 i686 i386 GNU/Linux
# cd /home/download
# rpm -Uvh ppp-2.4.3-7.rhel4.i386.rpm
# rpm -ivh pptpd-1.3.4-1.rhel4.i386.rpm
# rpm -ivh dkms-2.0.17.5-1.noarch.rpm
# rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
3. Load the kernel module
Check whether the kernel module loads correctly:
# modprobe ppp-compress-18 && echo OK
OK
If instead you see
# modprobe ppp-compress-18 && echo OK
FATAL: Module ppp_mppe not found.
then the module has not been loaded successfully: either the packages are not installed (install them with "rpm -ivh" as above) or the kernel source is not installed. Follow the steps above to avoid this error.
4. VPN server settings
Adjust the network settings to your environment. Note that if there are several intranet NICs, you must also set up the routing table for the VPN, otherwise the intranet cannot be reached.
NIC (eth0:1, VPN side): 172.16.12.1
NIC (eth0, public side): x.x
# cd /etc/sysconfig/network-scripts
# cp ifcfg-eth0 ifcfg-eth0:1
# vi ifcfg-eth0:1
---------------------------------------------------
DEVICE=eth0:1
BOOTPROTO=static
BROADCAST=172.16.12.255
HWADDR=00:0C:2F:58:F4:4E
IPADDR=172.16.12.1
NETMASK=255.255.255.0
NETWORK=172.16.12.0
ONBOOT=yes
TYPE=Ethernet
---------------------------------------------------
5. Configure pptpd
# vi /etc/pptpd.conf
-----------------------------------
ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
localip 172.16.12.1
remoteip 172.16.12.100-250,172.16.12.252
netmask 255.255.255.0
-----------------------------------
# vi /etc/ppp/options.pptpd
-----------------------------------
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 202.177.20.6
proxyarp
logfile /var/log/pptpd.log
-----------------------------------
Note: generally you only need to change ms-dns.
# vi /etc/ppp/chap-secrets
---------------------------------------------------------------
# Secrets for authentication using CHAP
# client    server    secret          IP addresses
"username"  pptpd     "yourpassword"  "*"
"admin"     pptpd     "password"      "172.16.12.85"
---------------------------------------------------------------
Each line of user information follows the format above, with the fields enclosed in double quotes. Although the secrets are stored in plain text, it is recommended that this file not be readable by anyone other than its owner.
Assigning a user a fixed IP address makes further per-user control possible and makes management easier.
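As an added example (not code from the original article), the following Python script parses the pptpd.conf remoteip pool syntax and the chap-secrets format shown above and classifies each user's address field; the sample file contents and the "ops" user are constructed, and treating a fixed address that also lies inside the dynamic pool as a collision risk is my assumption.

```python
import re
import shlex
import ipaddress

# Constructed sample of the page's remoteip pool spec and a chap-secrets
# file (example values only, not from a live server).
REMOTEIP_SPEC = "172.16.12.100-250,172.16.12.252"
CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client    server  secret          IP addresses
"username"  pptpd   "yourpassword"  "*"
"admin"     pptpd   "password"      "172.16.12.85"
"ops"       pptpd   "s3cret"        "172.16.12.120"
"""

def expand_remoteip(spec):
    """pptpd remoteip syntax: 'a.b.c.lo-hi' ranges the last octet, else one address."""
    pool = set()
    for item in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            pool.update(f"{prefix}{i}" for i in range(lo, hi + 1))
        else:
            pool.add(str(ipaddress.ip_address(item)))  # raises on junk
    return pool

def parse_chap_secrets(text):
    """Return (client, server, addr_field) per entry; secrets are never returned."""
    entries = []
    for line in text.splitlines():
        # shlex honours the double quotes and drops '#' comments like pppd does
        fields = shlex.split(line, comments=True)
        if len(fields) >= 4:                 # client server secret addresses
            entries.append((fields[0], fields[1], fields[3]))
    return entries

def audit(spec, text):
    """'*' = pool address assigned by pptpd; a fixed address inside the dynamic
    pool is flagged (assumption: pptpd may hand that address to another client)."""
    pool = expand_remoteip(spec)
    result = {}
    for client, _server, addr in parse_chap_secrets(text):
        if addr == "*":
            result[client] = "dynamic"
        else:
            result[client] = "fixed-overlaps-pool" if addr in pool else "fixed-outside-pool"
    return result
```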
6. Create the startup script
Create a script that turns on kernel IP forwarding and inserts the iptables rules needed for Internet access through the VPN; without it the VPN clients cannot reach the Internet. Install it so that it runs automatically at boot.
# vi vpn_forward
#!/bin/bash
# 2008.11.19
echo "Starting ................."
# Enable packet forwarding in the kernel (echo or sysctl both work)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Allow input and output on port 1723 for protocol tcp"
echo "Allow input and output on protocol gre 47, required for vpn"
echo "Enable time sync (ntp)"
iptables -I INPUT -p tcp --dport 123 -j ACCEPT
iptables -I INPUT -p udp --dport 123 -j ACCEPT
# PPTP control connection (tcp/1723) and the GRE tunnel traffic
iptables -I INPUT -p gre -j ACCEPT
iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT
iptables -I OUTPUT -p tcp --sport 1723 -j ACCEPT
echo "Insert the rules that forward the data!"
iptables -I FORWARD -p udp --dport 8000 -s 172.16.12.0/24 -j ACCEPT
iptables -I FORWARD -p tcp --dport 1024:8000 -j ACCEPT
iptables -I FORWARD -p tcp --dport 20:22 -s 172.16.12.0/24 -j ACCEPT
iptables -I FORWARD -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -p tcp --dport 69 -j ACCEPT
iptables -I FORWARD -p tcp --dport 110 -j ACCEPT
iptables -I FORWARD -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -o eth0 -s 172.16.12.0/24 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp -s 172.16.12.0/24 --dport 1723 -j ACCEPT
echo "Set the session MSS to 1356"
# -I inserts at the head of the chain, so this clamp is evaluated before the
# ACCEPT rules above; TCPMSS does not end traversal, so the packet continues
iptables -I FORWARD -p tcp --syn -s 172.16.12.0/24 -j TCPMSS --set-mss 1356
echo "Enable NAT"
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.12.0/24 -j SNAT --to-source 202.177.24.X
echo "Now, enabled firewall access rules successfully"
# chmod +x vpn_forward
# cp vpn_forward /etc/rc.d/init.d/vpn_forward
# ln -s /etc/rc.d/init.d/vpn_forward /etc/rc.d/rc3.d/S94vpn_forward
Note:
(1) Allow ntp time synchronization
iptables -I INPUT -p tcp --dport 123 -j ACCEPT
iptables -I INPUT -p udp --dport 123 -j ACCEPT
(2) Allow the VPN connection
iptables -I INPUT -p gre -j ACCEPT
iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT
iptables -I OUTPUT -p tcp --sport 1723 -j ACCEPT
(3) Enable kernel IP forwarding
# Enable packet forwarding in the kernel (echo or sysctl both work)
echo 1 > /proc/sys/net/ipv4/ip_forward
(4) Forwarding rules. To improve forwarding efficiency, only NEW tcp sessions need to be checked; packets belonging to already established connections are passed straight through.
iptables -I FORWARD -p tcp --dport 20:8000 -s 172.16.12.0/24 -j ACCEPT   \ ports opened for custom services
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   \ pass tcp packets of already established connections directly
iptables -I FORWARD -o eth0 -s 172.16.12.0/24 -m state --state NEW -j ACCEPT   \ only the NEW tcp session needs to be checked
iptables -I FORWARD -p tcp --dport 80 -j ACCEPT   \ http forwarding for the users
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT
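As an added check, not code from the original article: a Python audit that reads an iptables-save style dump (here a constructed sample mirroring the rules the vpn_forward script inserts) together with the contents of /proc/sys/net/ipv4/ip_forward, and confirms the state this setup needs, including that the TCPMSS clamp sits ahead of every ACCEPT in FORWARD.

```python
import re

# Constructed iptables-save style dump mirroring the page's vpn_forward rules
# (head of chain listed first; --syn shown expanded). Not from a live host.
IPTABLES_SAVE = """\
*nat
-A POSTROUTING -s 172.16.12.0/24 -o eth0 -j SNAT --to-source 202.177.24.X
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -s 172.16.12.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
-A FORWARD -s 172.16.12.0/24 -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 172.16.12.0/24 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Return {table: [(chain, rule), ...]} in traversal order."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A "):
            _, chain, rule = line.split(" ", 2)
            tables[table].append((chain, rule))
    return tables

def audit_vpn_firewall(dump, ip_forward):
    """ip_forward is the text of /proc/sys/net/ipv4/ip_forward. Checks what the
    page's setup needs, including that the TCPMSS clamp precedes every ACCEPT in
    FORWARD: ACCEPT ends traversal, so a clamp placed after it never sees the SYN
    (this is why the script uses -I, which inserts at the head, rather than -A)."""
    t = parse_rules(dump)
    inp = [r for c, r in t.get("filter", []) if c == "INPUT"]
    fwd = [r for c, r in t.get("filter", []) if c == "FORWARD"]
    nat = [r for c, r in t.get("nat", []) if c == "POSTROUTING"]
    first_accept = next((i for i, r in enumerate(fwd) if r.endswith("-j ACCEPT")), len(fwd))
    clamp = next((i for i, r in enumerate(fwd) if "-j TCPMSS" in r), None)
    return {
        "ip_forward": ip_forward.strip() == "1",
        "gre_in": any("-p gre" in r and r.endswith("-j ACCEPT") for r in inp),
        "pptp_in": any(re.search(r"-p tcp .*--dport 1723 -j ACCEPT$", r) for r in inp),
        "snat": any("-s 172.16.12.0/24" in r and "-j SNAT" in r for r in nat),
        "mss_clamp_first": clamp is not None and clamp < first_accept,
    }
```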