Poptop简介

Poptop,官方网站上的定义是The PPTP Server for Linux,就是利用PPTP(Point to Point Tunneling Protocol,点到点隧道协议)通过Internet访问×××(Virtual Private Network,虚拟局域网),它允许远程用户安全、花费低廉地从Internet上的任何地方访问公司内部网络。
依据连接方式划分,×××可以分为Lan to Lan模式和client to Lan模式两种。前者可以将两个彼此独立的局域网连接起来,就像同属于一个局域网内一样,可以利用Open×××来实现。而后者就该用到Poptop了。
PPTP使用了client-server模式来建立×××连接。大多数微软操作系统都内置了PPTP客户端,所以就不需要安装第三方客户端软件,这就比其他×××技术有了便于安装的优势。
在Poptop出现以前,并没有使用PPTP客户端连接Linux主机的方法存在。使用Poptop,Linux主机可以立即在一个PPTP ×××环境下进行工作。
 
1 PPTP ×××的基本原理
PPTP ×××本质上是虚拟的点对点链路,它先把到达远方内网的数据包打包成PPP帧,然后再对这些PPP帧进行二次封装,以便于能够在其他物理链路上进行传送。 PPTP ×××有控制信道和数据信道之分,控制信道连接到×××报务器的TCP1723端口,起着控制和管理×××隧道的功能,数据信道是传送PPP帧的信道,关于PPTP数据帧的封装过程如图所示:
在打包PPP帧的过程中,将对PPP数据包进行加密,为了取得最大的安全性,我们这里将使用MPPE加密和MSCHAPv2身份验证方法。下面我们来看看具体配置过程。
 
注:这里的PPTP只是一种协议,PPTP: Point to Point Tunneling Protocol -- 点到点隧道协议。读者不要被他迷惑了。实现×××有多种协议可以选择,本文讲述的是使用PPTP协议来实现×××,即:PPTP ×××.
 
 
2 安装和配置PPTP ××× 服务器
 
我的系统系统配置:
服务器 : CentOS 5.5 final
内核版本: 2.6.18-8.e15
客户端 : Window XP Professional
 
 
由于Linux本身并没有集成PPTP功能,所以需要安装几种程序以让我们的RedHat支持PPTP,根据内核的版本,下载相应的安装包。
 
一、下载并安装相关软件
1、下载:
wget http://poptop.sourceforge.net/yum/stable/packages/dkms-2.0.17.5-1.noarch.rpm
wget http://poptop.sourceforge.net/yum/stable/packages/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-2.rhel5.i386.rpm
wget http://poptop.sourceforge.net/yum/stable/rhel5Server/i386/ppp-2.4.4-14.1.rhel5.i386.rpm
 
2、安装:
[root@POPTOP home]# ls
dkms-2.0.17.5-1.noarch.rpm              lost+found                           pptpd-1.3.4-2.rhel5.i386.rpm
kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm ppp-devel-2.4.4-14.1.rhel5.i386.rpm
 
[root@POPTOP home]# rpm -ivh dkms-2.0.17.5-1.noarch.rpm
warning: dkms-2.0.17.5-1.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
Preparing...                ########################################### [100%]
   1:dkms                   ########################################### [100%]
[root@POPTOP home]# rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
warning: kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
Preparing...                ########################################### [100%]
   1:kernel_ppp_mppe        ########################################### [100%]
 
Creating symlink /var/lib/dkms/kernel_ppp_mppe/1.0.2/source ->
                 /usr/src/kernel_ppp_mppe-1.0.2
 
DKMS: add Completed.
 
Kernel preparation unnecessary for this kernel. Skipping...
 
Running the pre_build script:
 
Building module:
cleaning build area....
make KERNELRELEASE=2.6.18-194.el5 -C /lib/modules/2.6.18-194.el5/build M=/var/lib/dkms/kernel_ppp_mppe/1.0.2/build.....(bad exit status: 2)
 
Error! Bad return status for module build on kernel: 2.6.18-194.el5 (i686)
Consult the make.log in the build directory
/var/lib/dkms/kernel_ppp_mppe/1.0.2/build/ for more information.
 
Error! Could not locate ppp_generic.ko for module kernel_ppp_mppe in the DKMS tree.
You must run a dkms build for kernel 2.6.18-194.el5 (i686) first.
 
--------------上面的错误好像没有影响------------------------------------------------------------
 
[root@POPTOP home]#
[root@POPTOP home]# rpm -qa kernel_ppp_mppe
kernel_ppp_mppe-1.0.2-3dkms
 
PPTP需要PPP支持,虽然系统本身有PPP功能,但它并不一定支持MPPE. 如果不支持则需要更新系统的PPP组件,参数-U就是更新的意思。
 
[root@POPTOP home]# rpm -Uvh ppp-2.4.4-14.1.rhel5.i386.rpm
warning: ppp-2.4.4-14.1.rhel5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
Preparing...                ########################################### [100%]
   1:ppp                    ########################################### [100%]
 
要使用MPPE加密,还需要内核支持,Linux 2.6.14起Linux核心提供完整的PPTP支援《包括自由版本的MPPE》。查看内核版本可以使用命令:uname –r,如果内核版本低于2.6.14则还要下载一个MPPE内核补丁:kernel-mppe-2.4.20-8.i686.rpm
我的系统:
[root@POPTOP ~]# uname -r
2.6.18-194.el5 所以不需要打补丁了。
 
[root@POPTOP home]# rpm -ivh pptpd-1.3.4-2.rhel5.i386.rpm
warning: pptpd-1.3.4-2.rhel5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
Preparing...                ########################################### [100%]
   1:pptpd                  ########################################### [100%]
[root@POPTOP home]#
 
二,修改配置文件
这里需要修改如下3个配置文件: 带底纹的就是需要我们修改的地方,其他加了红色注释的是说明,确实设置的。
/etc/pptpd.conf
/etc/ppp/options.pptpd
/etc/ppp/chap-secrets
 
I /etc/pptpd.conf 服务pptpd运行时使用的配置文件
 

###############################################################################
# $Id: pptpd.conf,v 1.10 2006/09/04 23:30:57 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
 
# TAG: ppp
#       Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
ppp /usr/sbin/pppd
 
# TAG: option
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd #指定pptpd用到的选项文件
 
# TAG: debug
#       Turns on (more) debugging to syslog
#
#debug
 
# TAG: stimeout
#       Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
 
# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam
 
# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
logwtmp
 
# TAG: bcrelay <if>
#       Turns on broadcast relay to clients from interface <if>
#
# bcrelay eth2 #好像用不到,后面再研究
 
# TAG: delegate
#       Delegates the allocation of client IP addresses to pppd.
#
#       Without this option, which is the default, pptpd manages the list of
#       IP addresses for clients and passes the next free address to pppd.
#       With this option, pptpd does not pass an address, and so pppd may use
#       radius or chap-secrets to allocate an address.
#
#delegate
 
# TAG: connections
#       Limits the number of client connections that may be accepted.
#
#       If pptpd is allocating IP addresses (e.g. delegate is not
#       used) then the number of connections is also limited by the
#       remoteip option. The default is 100.
#connections 100
 
# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       These options are ignored if delegate option is set.
#
#       Any addresses work as long as the local machine takes care of the
#       routing. But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses seperated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than the value of connections,
#          it will start at the beginning of the list and go until it
#          gets connections IPs. Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
localip 192.168.16.110 #这个地址无所谓的,随便指定一个,不过用你拨号的服务器地址比较清晰
remoteip 58.241.84.47,58.241.84.48,58.241.84.49 #你要分配给客户机的地址池
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
 
II /etc/ppp/options.pptpd
就是上面/etc/pptpd.conf中的option所指定的,它是PPP功能组件pppd将使用的配置文件,由于PPTP ×××的加密和验证都与PPP相关,所以PPTP的加密和验证选项都将在这个配置文件中进行配置。

[root@POPTOP ppp]# vi options.pptpd
 
###############################################################################
# $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $
#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################
 
 
# Authentication
 
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name POPTOP #相当于身份验证时的域,一定要和/etc/ppp/chap-secrets中的内容对应
 
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain
 
 
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use.)
 
 
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap #拒绝pap身份验证
refuse-chap #拒绝chap身份验证
refuse-mschap #拒绝mschap身份验证
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2 #采用mschap-v2(Microsoft Challenge Handshake Authentication Protocol, Version 2)身份验证方式
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128 #要求128位MPPE加密
# }}}
 
 
# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40        # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}
 
 
# Network and Routing
 
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
ms-dns 58.241.84.5 #分给客户机的DNS地址
ms-dns 58.241.84.6
 
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
 
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
# proxyarp #启用ARP代理,如果分配给客户端的IP与内网卡同一个子网  
# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address. The default local IP address used at the server
# end is often the same as the address of the server. To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100
 
 
# Logging
 
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug
 
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump
 
 
# Miscellaneous
 
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
 
# Disable BSD-Compress compression
nobsdcomp
 
# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp
 
# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd
 
# put plugins here
# (putting them higher up may cause them to sent messages to the pty)
 
III /etc/ppp/chap-secrets
客户机帐号和密码信息。

# Secrets for authentication using CHAP
# client        server    secret                  IP addresses
"123456"       POPTOP   "123456"                 "*"
"qwe"           *         "qwe123456"               *
 
“qwe”是Client端的×××用户名;
“server”对应的是×××服务器的名字,该名字必须和/etc/ppp/options.pptpd文件中指明的一样,或者设置成“*”号来表示自动识别服务器;
“secret”对应的是登录密码;
“IP addresses”对应的是可以拨入的客户端IP地址,如果不需要做特别限制,可以将其设置为“*”号
 
三 启动pptpd服务
   启动pptpd
/sbin/service pptpd start
相关命令如下:
启动:                service pptpd start
停止:                service pptpd stop
重新启动:                service pptpd restart
pptpd服务使用的端口是1723,这个端口是系统固定分配的,可以通过查看该端口检查pptpd服务的运行情况,命令:netstat –ntpl
如果服务已经启动,会看到下面的内容
tcp   0   0 0.0.0.0:1723           0.0.0.0:*            LISTEN      24981/pptpd
 
3设置×××服务器的防火墙
设置iptables
我们已经把×××服务器部署好了,这一步的目的是制定一些约束规则,以便我们可以控制哪些请求可以被×××服务器处理,哪些请求需要被拒绝。即:设定防火墙的参数。Linux下设定防火墙使用iptables命令,详细用法请参考
 
设置防火墙的net表,目的是为了实现数据包的伪装及转发,从内网发出的包通过××× SERVER伪装后变成由外网发出。
iptables –t nat –F-------清除nat表中所有规则
将Linux服务器的1723端口和47端口打开,并打开GRE协议。

#/sbin/iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --dport 47 -j ACCEPT
#/sbin/iptables -A INPUT -p gre -j ACCEPT
 
二 开启NAT转发
 
echo "1" > /proc/sys/net/ipv4/ip_forward
 
这一步很重要,否则只能拨号成功,但是不用访问内网信息资源。
 
到这里配置基本就完成了。关于windows下的***客户端建立过程就不表了。
 
 
 
4 问题检查过程:
 
检查pptpd服务是否起了:
[root@POPTOP ppp]# ps -ef | grep pptpd
root      7361     1 0 11:51 ?        00:00:00 /usr/sbin/pptpd
root      7429 7361 0 11:51 ?        00:00:00 pptpd [192.168.16.13:C000 - 0080]
 
检查iptables列表:
[root@POPTOP ppp]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     tcp -- anywhere             anywhere            tcp dpt:pptp
ACCEPT     tcp -- anywhere             anywhere            tcp dpt:ni-ftp
ACCEPT     gre -- anywhere             anywhere           
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
 
Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
 
 
 
 
4 设置开机启动项:
上面配置正确,拨号成功后,重新启动机器
拨号出678错误
查看linux:
netstat -tcln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State     
tcp        0      0 0.0.0.0:1000                0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN     
tcp        0      0 :::22                       :::*                        LISTEN     
没有端口号1723的服务,pptpd服务没有起来。
启动pptpd服务:
[root@POPTOP ~]# service pptpd start
Starting pptpd: [ OK ]
拨号成功,但是ping外面不通。
估计是NAT转发没有开。执行:
[root@POPTOP ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@POPTOP ~]#
 
后,马上就能ping得通了。
 
所以,需要将这两个服务添加到开机启动服务中。
 
先将linux显示让其为英文,然后运行服务管理器
[root@POPTOP ~]# LANG=en 系统为英文显示
[root@POPTOP ~]# ntsysv   启动服务管理器
选中pptpd,然后ok就退出了。 pptpd服务就能随机启动了。
 
路由转发服务 echo "1" > /proc/sys/net/ipv4/ip_forward 需要将其添加到开机项目里:
vi /etc/rc.d/rc.local
[root@POPTOP rc.d]# vi rc.local
 
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
 
touch /var/lock/subsys/local
echo "1" > /proc/sys/net/ipv4/ip_forward
 
 
保存退出就好了。
 

这下没有什么问题,开始用。