操作系统:CentOS7.9
查看操作系统版本:
# 执行这条命令
cat /etc/redhat-release
# 返回如下内容就对了
CentOS Linux release 7.9.2009 (Core)查看是否开启TUN
# 执行如下命令
cat /dev/net/tun
# 返回如下内容就对了
cat: /dev/net/tun: File descriptor in bad state
# 如果提示 cat: /dev/net/tun: No such file or directory 那就执行如下操作即可
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 666 /dev/net/tun
安装 EPEL 源,因为CentOS7官方源中去掉了 l2tpd
yum install -y epel-release
yum -y update安装l2tpd和libreswan
yum install -y xl2tpd libreswan ppp lsof配置(/etc/xl2tpd/xl2tpd.conf) ,首先备份配置文件,然后再编辑
cp /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.bak
vim /etc/xl2tpd/xl2tpd.conf经过调试,里面的东西暂时保持默认即可!
配置(/etc/ppp/options.xl2tpd),同样,先备份,再修改!
cp /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.bak
vim /etc/ppp/options.xl2tpd打开后,讲里面的全部删除,并且,写入如下内容:
ipcp-accept-local
ipcp-accept-remote
ms-dns 114.114.114.114
ms-dns 114.114.115.115
noccp
auth
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
connect-delay 5000配置(/etc/ipsec.conf),先备份,再修改!
cp /etc/ipsec.conf /etc/ipsec.conf.bak
vim /etc/ipsec.conf此处暂时没啥修改的
配置(/etc/ipsec.d/l2tp-ipsec.conf) ,这是一个新文件。
vim /etc/ipsec.d/l2tp-ipsec.conf此处将新建一个 l2tp-ipsec.conf 文件,然后将如下内容写入该文件。
conn L2TP-PSK-NAT
rightsubnet=0.0.0.0/0
dpddelay=10
dpdtimeout=20
dpdaction=clear
forceencaps=yes
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=xxx.xxx.xxx.xxx # 本机IP地址(我的宿主机IP地址就是这个)
leftprotoport=17/1701
right=%any
rightprotoport=17/%any设置用户名和密码(/etc/ppp/chap-secrets) ,先备份,再修改。
cp /etc/ppp/chap-secrets /etc/ppp/chap-secrets.bak
vim /etc/ppp/chap-secrets然后按照下面的例子,填写自己的用户信息
# Secrets for authentication using CHAP
# client server secret IP addresses
user01 * 1234567890 *
user01是用户,第一个星号 是全部服务器类型 123xx是密码,第二个星号是 允许访问的IP地址
设置PSK(/etc/ipsec.d/default.secrets),这是一个新文件。
vim /etc/ipsec.d/default.secrets然后填入如下内容:当中 test 为你的密钥
0.0.0.0 %any: PSK "test"配置防火墙开机自启动
# 开启防火墙,并设置开机启动
systemctl enable firewalld
systemctl start firewalld
systemctl status firewalld
配置防火墙规则
# 设置防火墙规则
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reloadIP_FORWARD设置(/etc/sysctl.d/60-sysctl_ipsec.conf) 新建并打开这个配置文件
vim /etc/sysctl.d/60-sysctl_ipsec.conf然后将如下内容写入
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0重启网络服务,使配置生效
systemctl restart network设置 ipsec 开机启动并且验证是否可用
systemctl enable ipsec
systemctl restart ipsec
设置 l2tpd 开机启动
systemctl enable xl2tpd
systemctl start xl2tpd
systemctl status xl2tpd如果遇到 xl2tpd 启动不成功,这可能是由于 系统内核缺少 l2tp_ppp 模块导致的
使用如下方法修复
sed -i '/^ExecStartPre=\//s/=/=-/' /usr/lib/systemd/system/xl2tpd.service
systemctl daemon-reload此处参考:linux配置vpn客户端时,service xl2tpd restart 不成功 · Issue #261 · hwdsl2/docker-ipsec-vpn-server · GitHub
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
