Linux
PPTP IPTables routing problem
- PPTP can connect to the radius server fine
- PPTP module is loaded in the kernel
- PPTP can connect to the pptp service fine
Question: how do I get PPTP to connect to the internet?
IPTables:
#!/bin/sh
#openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 199.101.x.x
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 199.101.x.x
#pptp
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
Guide: http://safesrv.net/setup-pptp-and-freeradius-on-centos-5/
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3E:AC:F3:C4
          inet addr:199.101.x.x  Bcast:199.101.x.x  Mask:255.255.255.192
          inet6 addr: fe80::216:3eff:feac:f3c4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1264874 errors:0 dropped:0 overruns:0 frame:0
          TX packets:226234 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:144280558 (137.5 MiB)  TX bytes:83158009 (79.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1417 (1.3 KiB)  TX bytes:1417 (1.3 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.1  P-t-P:10.0.0.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:142 (142.0 b)  TX bytes:94 (94.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:76887 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93454 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:11624030 (11.0 MiB)  TX bytes:55299615 (52.7 MiB)
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.0.0.11       0.0.0.0         255.255.255.255 UH    0      0        0 ppp1
199.101.100.192 0.0.0.0         255.255.255.192 U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         199.101.100.193 0.0.0.0         UG    0      0        0 eth0
199.101.100.192/193 is not my server IP.
VPN client tests
- Check whether you can ping the vpn server from the client
ping 10.0.0.1
- Check whether you can ping google by IP
ping 8.8.8.8
- Check whether you can ping google by name
ping google.com
If 1 fails, there is a problem with pptp.
If 1 and 2 succeed but 3 fails, it is a dns problem. Go to step 1 in the next section.
If 1 succeeds but 2 fails, it is a routing problem. Go to step 2 in the next section.
On the VPN server
1. Check that /etc/ppp/pptpd-options has the following line/option:
ms-dns <dns server IP>
This will be the dns assigned to the VPN clients.
Restart pptpd, reconnect the VPN client, and run the VPN client tests above again.
2. On the vpn server, check the output of the following:
cat /proc/sys/net/ipv4/ip_forward
- If the output above is 0, that is the problem; fix it as follows:
echo 1 > /proc/sys/net/ipv4/ip_forward
- To make the change permanent, add or uncomment the following line in /etc/sysctl.conf:
net.ipv4.ip_forward=1
Run the VPN client tests above again.
iptables
Try the following rules, including flushing iptables.
# Reset/Flush iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush end
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
# Allow localhost traffic
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
# Allow server and internal network to go anyway
iptables -A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
iptables -A INPUT -s 199.101.100.10 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
# Allow ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
/etc/pptpd.conf
option /etc/ppp/pptpd-options
localip 10.0.0.1
remoteip 10.0.0.10-100
Also check that you have /etc/ppp/pptpd-options
/etc/ppp/pptpd-options
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
lock
nobsdcomp
/etc/ppp/options
Jan 11 11:39:27 vpn12 pppd[1155]: Cannot determine ethernet address for proxy ARP
Add or uncomment proxyarp in /etc/ppp/options
dictionary.microsoft
Add the following to the end of
/etc/radiusclient/dictionary.microsoft
#
#       Experimental extensions, configuration only (for check-items)
#       Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE       NAS-Identifier           32      string
ATTRIBUTE       Proxy-State              33      string
ATTRIBUTE       Login-LAT-Service        34      string
ATTRIBUTE       Login-LAT-Node           35      string
ATTRIBUTE       Login-LAT-Group          36      string
ATTRIBUTE       Framed-AppleTalk-Link    37      integer
ATTRIBUTE       Framed-AppleTalk-Network 38      integer
ATTRIBUTE       Framed-AppleTalk-Zone    39      string
ATTRIBUTE       Acct-Input-Packets       47      integer
ATTRIBUTE       Acct-Output-Packets      48      integer
# 8 is a MERIT extension.
VALUE           Service-Type            Authenticate-Only       8
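An added example, not from the question or any answer on this page: a small Python model of how netfilter walks a chain (first matching rule wins, otherwise the chain policy), run over the FORWARD rules from the question's script and over the answer's flushed ruleset, which adds no FORWARD rules and sets the policy to ACCEPT. It shows why a new connection from a PPTP client on ppp0 to eth0 is rejected by the question's rules but accepted after the flush: `-A` appends, so the `-j REJECT` line sits ahead of the two `ppp+` rules. The rule text and the sample packet are constructed here, and the parser only understands the options that appear on this page.

```python
import ipaddress
import shlex

# Constructed copies of the FORWARD rules from the question's script (in the order
# written) and of the answer's flushed ruleset, which has no -A FORWARD rules at all.
QUESTION_FORWARD = """
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
"""
ANSWER_FORWARD = ""  # empty chain: 'iptables -P FORWARD ACCEPT' decides

def parse_rules(script):
    """Turn 'iptables -A FORWARD ...' lines into dicts of the options used here."""
    rules = []
    for line in script.strip().splitlines():
        argv, rule, i = shlex.split(line), {}, 0
        while i < len(argv):
            if argv[i] in ("-s", "-i", "-o", "-j", "--state"):
                rule[argv[i]] = argv[i + 1]
                i += 2
            else:  # -A, the chain name and '-m state' carry no match data we need
                i += 1
        rule["target"] = rule.pop("-j")
        rules.append(rule)
    return rules

def iface_match(pattern, iface):
    """iptables treats a trailing '+' as a wildcard: 'ppp+' matches ppp0, ppp1, ..."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface

def verdict(script, policy, src, in_if, out_if, state="NEW"):
    """First matching rule decides, as the kernel does; the chain policy is the fallback."""
    for r in parse_rules(script):
        if "-s" in r and ipaddress.ip_address(src) not in ipaddress.ip_network(r["-s"]):
            continue
        if "-i" in r and not iface_match(r["-i"], in_if):
            continue
        if "-o" in r and not iface_match(r["-o"], out_if):
            continue
        if "--state" in r and state not in r["--state"].split(","):
            continue
        return r["target"]
    return policy

if __name__ == "__main__":  # new connection from PPTP client 10.0.0.10 on ppp0 out via eth0
    print("question ruleset:", verdict(QUESTION_FORWARD, "ACCEPT", "10.0.0.10", "ppp0", "eth0"))
    print("answer ruleset:  ", verdict(ANSWER_FORWARD, "ACCEPT", "10.0.0.10", "ppp0", "eth0"))
```

Moving the REJECT line after the two ppp+ rules (or dropping it, as the answer's flushed ruleset does) lets the same packet through while still refusing forwarding between other interfaces.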