在linux上安装配置pptp vpn[转]

:点对点隧道协议(Point to Point Tunneling Protocol)

点对点隧道协议(PPTP)是一种支持多协议虚拟专用网络的网络技术。通过该协议,远程用户能够通过 Microsoft Windows NT 工作站、Windows 95 和 Windows 98 操作系统以及其它装有点对点协议的系统安全访问公司网络,并能拨号连入本地 ISP,通过 Internet 安全链接到公司网络。

PPTP 可以用于在 IP 网络上建立 PPP 会话隧道。在这种配置下,PPTP 隧道和 PPP 会话运行在两个相同的机器上,呼叫方充当 PNS。PPTP 使用客户机-服务器结构来分离当前网络访问服务器具备的一些功能并支持虚拟专用网络。PPTP 作为一个呼叫控制和管理协议,它允许服务器控制来自 PSTN 或 ISDN 的拨入电路交换呼叫访问并初始化外部电路交换连接。

PPTP 使用 GRE 的扩展版本来传输用户 PPP 包。

操作系统:

centos5

确定内核是否支持mppe:

modprobe ppp-compress-18 && echo ok

如果显示ok,内核已经具备了mppe支持。

用以下命令检查PPP是否支持MPPE:

strings ‘/usr/sbin/pppd’ |grep -i mppe | wc –lines

如果以上命令输出为“0”则表示不支持;输出为“30”或更大的数字就表示支持。

编译内核支持mppe

选以下选项

CONFIG_PPP_MPPE=m

CONFIG_NF_CONNTRACK_PPTP=m

CONFIG_NF_NAT_PPTP=m

CONFIG_PPP=m

CONFIG_PPP_MULTILINK=y

CONFIG_PPP_FILTER=y

CONFIG_PPP_ASYNC=m

CONFIG_PPP_SYNC_TTY=m

CONFIG_PPP_DEFLATE=m

CONFIG_PPP_BSDCOMP=m

CONFIG_PPP_MPPE=m

CONFIG_PPPOE=m

CONFIG_PPPOL2TP=m

不编译内核内核支持mppe

http://sourceforge.net/project/showfiles.php?group_id=44827

下载

dkms-2.0.6-1.noarch.rpm

kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm

dkms是一个新的软件,能让你在不编译内核的基础上,外挂一些内核的模块。

kernel_ppp_mppe就是mppe支持的内核模块了。

安装pptpd

http://poptop.sourceforge.net/

wget http://nchc.dl.sourceforge.net/sourceforge/poptop/pptpd-1.3.4.tar.gz

tar xfz pptpd-1.3.4.tar.gz -C /usr/local/src

cd /usr/local/src/pptpd-1.3.4/

./configure –prefix=/usr/local

make && make install

配置pppd和pptpd

pppd的默认配置文件在 /etc/ppp

pptpd的配置文件在 /etc/pptpd.conf

vi /etc/pptpd.conf

ppp /usr/sbin/pppd

option /etc/ppp/options.pptpd

debug

Logwtmp

localip 10.168.168.51

remoteip 10.168.168.52-100

netmask 255.255.255.0

#localip是pptpd的对外服务的ip,也就是客户端需要拨号的ip,remoteip是拨号服务器分配给拨号用户的ip ,可以用-表示ip范围

vi /etc/ppp/options.pptpd

#

# Authentication

auth

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive

# access.

lock

# Name of the local system for authentication purposes

# (must match the second field in /etc/ppp/chap-secrets entries)

name pptpd

# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o

# {{{

refuse-pap

refuse-chap

refuse-mschap

# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft

# Challenge Handshake Authentication Protocol, Version 2] authentication.

require-mschap-v2

# Require MPPE 128-bit encryption

# (note that MPPE requires the use of MSCHAP-V2 during authentication)

require-mppe-128

# }}}

# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o

# {{{

#-chap

##-chapms

# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft

# Challenge Handshake Authentication Protocol, Version 2] authentication.

##+chapms-v2

# Require MPPE encryption

# (note that MPPE requires the use of MSCHAP-V2 during authentication)

#mppe-40        # enable either 40-bit or 128-bit, not both

#mppe-128

#mppe-stateless

# }}}

# Add an entry to this system’s ARP [Address Resolution Protocol]

# table with the IP address of the peer and the Ethernet address of this

# system. This will have the effect of making the peer appear to other

# systems to be on the local ethernet.

# (you do not need this if your PPTP server is responsible for routing

# packets to the clients — James Cameron)

proxyarp

debug

dump

logfile /var/log/pptpd.log

# Miscellaneous

# Disable BSD-Compress compression

#nobsdcomp

# Disable Van Jacobson compression

# (needed on some networks with Windows 9x/ME/XP clients, see posting to

# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,

# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )

#novj

#novjccomp

# turn off logging to stderr, since this may be redirected to pptpd,

# which may trigger a loopback

nologfd

#lcp-echo-failure 30

#lcp-echo-interval 5

noipdefault

#ipcp-accept-local

#ipcp-accept-remote

#mru 1454

#mtu 1454

ms-dns 10.168.168.171

vi /etc/ppp/chap-secrets

# Secrets for authentication using CHAP

# client        server secret                  IP addresses

“veryi.com” pptpd   “iamok” *

第一个veryi.com是用户,第二个iamok是密码,*表示任意ip

vi /etc/init.d/pptpd

#!/bin/bash

#

# chkconfig: 35 95 15

# description: pptpd

# processname: pptpd

# pidfile: /var/run/pptpd.pid

# config: /etc/pptpd.conf

# source function library

. /etc/init.d/functions

pptpd=/usr/local/sbin/pptpd

prog=pptpd

RETVAL=0

start() {

        echo -n $”Starting pptpd services: ”

        RETVAL=$?

        daemon $pptpd

        echo

        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/pptpd

}

stop() {

        killproc pptpd

        RETVAL=$?

        echo

        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/pptpd

}

case “$1″ in

start)

        start

        ;;

stop)

        stop

        ;;

restart|reload)

        stop

        start

        ;;

condrestart)

        if [ -f /var/lock/subsys/pptpd ]; then

            stop

            start

        fi

        ;;

status)

        status pptpd

        RETVAL=$?

        ;;

*)

        echo $”Usage: $0 {start|stop|restart|condrestart|status}”

        exit 1

esac

exit $RETVAL

chmod +x /etc/init.d/pptpd

chkconfig –level 345 pptpd on

启动pptpd

/etc/init.d/pptpd restart

防火墙配置:

vi /etc/sysconfig/iptables

-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 1723 -j ACCEPT

vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

sysctl -p

windows客户端配置:

新建一个vpn连接,把“在远程网络上使用默认网关”这个选项取消(不打勾)。

网络->TCP/IP属性->高级->设置->在远程网络上使用默认网关

发表评论

邮箱地址不会被公开。 必填项已用*标注

click to changeSecurity Code