在buyvm和digitalocean的centos上都遇到了安装l2tpd后连接不上的问题,无论是逐步安装还是使用一键安装脚本都不行,折腾了大半天终于搞定。一键安装脚本在最下面。
首先要确保/etc/sysctl.conf 如下设置
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0修改好了要重启sysctl
sysctl -p检查一下ipsec的状态,确保没有[faild]或者错误,如果有先试试service ipsec restart,再verify
ipsec verify如果有错误,谷歌一下就能解决。然后创建xl2tpd重启脚本:
nano /etc/init.d/xl2tpd脚本内容如下
#!/bin/sh
#
# xl2tpd This shell script takes care of starting and stopping l2tpd.
#
# chkconfig: – 80 30
# description: Layer 2 Tunnelling Protocol Daemon (RFC 2661)
#
# processname: xl2tpd
# config: /etc/xl2tpd/xl2tpd.conf
# pidfile: /var/run/xl2tpd.pid
#Servicename
SERVICE=xl2tpd
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
if [ ${NETWORKING} = "no" ]
then
exit 0
fi
[ -x /usr/local/sbin/$SERVICE ] || exit 0
RETVAL=0
start() {
echo -n "Restarting IPSec: "
service ipsec restart
echo -n "Starting $SERVICE: "
if [ ! -d /var/run/xl2tpd ]
then
mkdir /var/run/xl2tpd
fi
daemon /usr/local/sbin/$SERVICE
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SERVICE
echo ""
return $RETVAL
}
stop() {
echo -n "Stopping $SERVICE: "
killproc $SERVICE
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$SERVICE
return $RETVAL
}
restart() {
stop
start
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status $SERVICE
RETVAL=$?
;;
restart|reload)
restart
;;
condrestart)
[ -f /var/lock/subsys/$SERVICE ] && restart || :
;;
*)
echo "Usage: $SERVICE {start|stop|status|restart|reload|condrestart}"
exit 1
esac然后修改运行权限
chmod 777 /etc/init.d/xl2tpd然后重启:
service xl2tpd restart很奇怪重启之后就可以连接上了。如果要添加新用户只需修改 /etc/ppp/chap-secrets
# user server pass IP
l2tpuser xl2tpd l2tppass *pptp-l2tp.sh安装脚本
#!/bin/bash
clear
if [ $(id -u) != "0" ]; then
printf "Error: You must be root to run this tool!\n"
exit 1
fi
host_ip=`ifconfig eth0 | awk '/inet addr/ {print $2}' | awk -F ':' '{print $2}'`
cur_dir=`pwd`
read -p "(Please input PSK: )" psk
if [ "$psk" = "" ]; then
psk="fuck高墙"
fi
read -p "Enter vpn username: " username
if [ "$username" = "" ];then
username="vpn"
fi
read -p "Enter vpn password: " userpsw
if [ "$userpsw" = "" ];then
userpsw="vpn"
fi
clear
get_char()
{
SAVEDSTTY=`stty -g`
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2> /dev/null
stty -raw
stty echo
stty $SAVEDSTTY
}
echo ""
echo "ServerIP:"
echo "$host_ip"
echo ""
echo "PSK:"
echo "$psk"
echo ""
echo "VPN Account:"
echo "$username"
echo ""
echo "Account Password:"
echo "$userpsw"
echo ""
echo "Press any key to start..."
char=`get_char`
clear
yum -y update
yum remove -y pptpd ppp
yum install -y make gcc gmp-devel bison flex libpcap-devel ppp lsof perl iptables
yum install -y libpcap gcc-c++ logrotate tar cpio pam tcp_wrappers
wget http://fastlnmp.googlecode.com/files/dkms-2.0.17.5-1.noarch.rpm
wget http://fastlnmp.googlecode.com/files/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
wget http://fastlnmp.googlecode.com/files/pptpd-1.3.4-1.rhel5.1.i386.rpm
rpm -ivh dkms-2.0.17.5-1.noarch.rpm
rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
rpm -qa kernel_ppp_mppe
rpm -ivh pptpd-1.3.4-1.rhel5.1.i386.rpm
wget http://www.openswan.org/download/openswan-2.6.34.tar.gz
tar zxvf openswan-2.6.34.tar.gz
cd openswan-2.6.34/
make programs install
cd ../
cat > /etc/ipsec.conf <<EOF
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=$host_ip
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
EOF
cat > /etc/ipsec.secrets <<EOF
$host_ip %any: PSK "$psk"
EOF
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
echo 1 > /proc/sys/net/core/xfrm_larval_drop
iptables --table nat --append POSTROUTING -o eth0 --jump MASQUERADE
service iptables save
service iptables restart
chkconfig iptables on
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
/etc/init.d/ipsec restart
ipsec verify
cd $cur_dir
wget http://downloads.sourceforge.net/project/rp-l2tp/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz
tar zxvf rp-l2tp-0.4.tar.gz
cd rp-l2tp-0.4
./configure
make
cp handlers/l2tp-control /usr/local/sbin/
mkdir /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control
cd $cur_dir
wget http://fastlnmp.googlecode.com/files/xl2tpd-1.2.8.tar
tar zxvf xl2tpd-1.2.8.tar
cd xl2tpd-1.2.8
make install
cd ..
mkdir -p /etc/xl2tpd
touch /etc/xl2tpd/xl2tpd.conf
cat >> /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
ipsec saref = yes
[lns default]
ip range = 10.85.91.10-10.85.91.254
local ip = 10.85.91.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
touch /etc/ppp/options.xl2tpd
cat >> /etc/ppp/options.xl2tpd <<EOF
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
EOF
mknod /dev/ppp c 108 0
echo "localip 10.85.92.1" >> /etc/pptpd.conf
echo "remoteip 10.85.92.10-254" >> /etc/pptpd.conf
echo "ms-dns 8.8.8.8" >> /etc/ppp/options.pptpd
echo "ms-dns 8.8.4.4" >> /etc/ppp/options.pptpd
chkconfig pptpd on
service pptpd restart
echo "$username l2tpd $userpsw *" >> /etc/ppp/chap-secrets
echo "$username pptpd $userpsw *" >> /etc/ppp/chap-secrets
/usr/local/sbin/xl2tpd
cat >> /etc/rc.local <<EOF
mknod /dev/ppp c 108 0
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > \$each/accept_redirects
echo 0 > \$each/send_redirects
done
echo 1 > /proc/sys/net/core/xfrm_larval_drop
/etc/init.d/ipsec restart
/usr/local/sbin/xl2tpd
EOF
clear
ipsec verify
printf "
if there are no [FAILED] above, then you can
connect to your L2TP&PPTP VPN Server with the default
user/pass below:
ServerIP:$host_ip
username:$username
password:$userpsw
PSK:$psk (for L2TP VPN)
"