PPTP Linux VPN Server
A similar primer on pptp on FreeBSD is described here. This page only describes how to build a PPTP VPN server on a Linux host; PPTP is the VPN that Windows systems have shipped with since the Win9x era. Be clear about what you are deploying: PPTP authenticates with MS-CHAPv2 and encrypts with MPPE, whose session keys are derived from the MS-CHAPv2 exchange. That handshake reduces to a single-DES brute force, so anyone who captures it can recover the user's NT hash, log in as that user and decrypt the session. Treat PPTP as a legacy compatibility service, expose it only where it is really needed, and use IPsec/IKEv2, OpenVPN or WireGuard for anything new.
Configuration files
A few assumptions:
- eth0 - the interface of the server running pptpd that faces the internet
- eth2 - the internal network interface of the pptp server
- 192.168.1.0/24 - the shared subnet (check that it does not conflict with the existing DHCP or static IP configuration)
First we let the GRE (Generic Routing Encapsulation) protocol, PPTP's data channel, through the firewall (the control channel, TCP port 1723, must be reachable as well):
iptables --insert OUTPUT 1 --source 0.0.0.0/0.0.0.0 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --protocol gre --out-interface eth0
iptables --insert INPUT 1 --source 0.0.0.0/0.0.0.0 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --protocol gre --in-interface eth0
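An added example, not from the original page: a small script that generates the complete rule set a PPTP server needs on its internet-facing interface, not only GRE but also the TCP/1723 control channel, and restricts both to a source prefix instead of 0.0.0.0/0. The interface name, the 203.0.113.0/24 prefix and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Generates (or applies) the
# firewall rules for a pptpd host. PPTP needs two things open on the WAN
# interface: the control connection on TCP/1723 and the GRE data channel
# (IP protocol 47). The page opened GRE for the whole internet; here both
# channels are limited to ALLOWED_SRC. All names below are assumptions.

WAN_IF="${WAN_IF:-eth0}"                 # internet-facing interface
ALLOWED_SRC="${ALLOWED_SRC:-0.0.0.0/0}"  # who may reach the VPN at all
IPTABLES="${IPTABLES:-iptables}"

# Reject anything that is not a CIDR prefix so a typo cannot silently
# turn into "everything".
valid_cidr() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rule set for WAN interface $1 and source prefix $2, one rule per
# line. Printing instead of executing keeps the set reviewable and testable.
pptp_rules() {
    wan="$1"; src="$2"
    valid_cidr "$src" || { echo "pptp_rules: '$src' is not a CIDR prefix" >&2; return 1; }
    # control channel
    echo "$IPTABLES -I INPUT  1 -i $wan -s $src -p tcp --dport 1723 -j ACCEPT"
    echo "$IPTABLES -I OUTPUT 1 -o $wan -d $src -p tcp --sport 1723 -j ACCEPT"
    # data channel; GRE has no ports, so the source restriction is all you have
    echo "$IPTABLES -I INPUT  1 -i $wan -s $src -p gre -j ACCEPT"
    echo "$IPTABLES -I OUTPUT 1 -o $wan -d $src -p gre -j ACCEPT"
}

# Apply the rules; with DRY_RUN=1 only show them.
apply_pptp_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        pptp_rules "$WAN_IF" "$ALLOWED_SRC"
    else
        pptp_rules "$WAN_IF" "$ALLOWED_SRC" | sh -e
    fi
}

# Usage:  ALLOWED_SRC=203.0.113.0/24 DRY_RUN=1 PPTP_FW_APPLY=1 sh pptp-fw.sh
if [ "${PPTP_FW_APPLY:-0}" = 1 ]; then
    apply_pptp_rules
fi
```

Run it with DRY_RUN=1 first and read the four rules; the only way to narrow GRE is by source address, which is why the prefix is worth setting whenever the clients come from known networks.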
/etc/pptpd.conf
option /etc/ppp/pptpd-options
# for debugging you can uncomment this line (e.g. when the configuration failed yet again and "something doesn't work")
#debug
logwtmp
# how broadcast relaying works will be described later
#bcrelay eth2
localip 192.168.1.254
remoteip 192.168.1.200-240
/etc/ppp/chap-secrets
The configuration file that holds the login information: user names, passwords and the IPs assigned to them.
# Secrets for authentication using CHAP
# client    server    secret    IP addresses
devnull     pptpd     123456    *
Instead of the asterisk you can assign the user a static internal IP, e.g. 192.168.1.200 in this case. The password here is 123456, which is only an example: CHAP needs the secret in plaintext on the server, so use a long random secret and keep the file owned by root with mode 0600 (pppd itself warns when the secrets file is group- or world-readable).
/etc/ppp/options
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# If an SMB (samba) server will be used on the network it can be handed out as the WINS server (after enabling that in the samba config)
# ms-wins 192.168.1.50
# ms-wins 192.168.1.51

# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it. 0x00000001
# represents '\x01', and 0x80000000 represents '\x1f'.
asyncmap 0

# Require the peer to authenticate itself before allowing network
# packets to be sent or received.
# Please do not disable this setting. It is expected to be standard in
# future releases of pppd. Use the call option (see manpage) to disable
# authentication for specific peers.
# (The original listing had "noauth" here, which contradicts the comment
# above and would let an unauthenticated peer bring up a link; a VPN
# server must authenticate every peer, so keep "auth".)
auth

nodeflate

# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
crtscts

# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock

# Don't show the passwords when logging the contents of PAP packets.
# This is the default.
hide-password

# When logging the contents of PAP packets, this option causes pppd to
# show the password string in the log message.
#show-password

# Use the modem control lines. On Ultrix, this option implies hardware
# flow control, as for the crtscts option. (This option is not fully
# implemented.)
modem

# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
netmask 255.255.255.0

# Disables the default behaviour when no local IP address is specified,
# which is to determine (if possible) the local IP address from the
# hostname. With this option, the peer will have to supply the local IP
# address during IPCP negotiation (unless it specified explicitly on the
# command line or in an options file).
noipdefault

# Enables the "passive" option in the LCP. With this option, pppd will
# attempt to initiate a connection; if no reply is received from the
# peer, pppd will then just wait passively for a valid LCP packet from
# the peer (instead of exiting, as it does without this option).
passive

# again, if something went wrong, uncomment the line below
#debug

# Enable debugging code in the kernel-level PPP driver. The argument n
# is a number which is the sum of the following values: 1 to enable
# general debug messages, 2 to request that the contents of received
# packets be printed, and 4 to request that the contents of transmitted
# packets be printed.
#kdebug 1

mtu 1450
mru 1450

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.
proxyarp

lcp-echo-interval 10
lcp-echo-failure 10

noipx

# Do not exit after a connection is terminated; instead try to reopen
# the connection.
#persist
# ---<End of File>---
/etc/ppp/pptpd-options
# Authentication

# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
# (the second field of chap-secrets names the local system against which
# the user is authenticated)
name pptpd

# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose which of the following sections you will use.)
# Which cipher will we use?

# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
#refuse-pap
#refuse-chap
#refuse-mschap
#require-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# As listed here MPPE is NOT enabled: the PPP frames travel in cleartext
# inside GRE (the debug output further down shows no CCP negotiation at
# all). For 128-bit encryption uncomment require-mppe-128; it depends on
# require-mschap-v2 above, because the MPPE keys are derived from that
# exchange. The bare require-mppe would also accept 40-bit keys.
#require-mppe-128
#require-mppe
# }}}

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
ms-dns 8.8.8.8
ms-dns 8.8.4.4

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address. The default local IP address used at the server
# end is often the same as the address of the server. To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100

# Debian: do not replace the default route
nodefaultroute

# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
# if debugging is needed
#debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp

# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
novj
novjccomp
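An added example (my own, not part of the page or of the pptpd project) that checks the two files just described for the settings that matter most: that /etc/ppp/chap-secrets is root-only and its secrets are not trivially short, and that pptpd-options actually requires MS-CHAPv2 and 128-bit MPPE and does not carry noauth. The minimum secret length, GNU stat and the function names are assumptions; the parser handles the whitespace-separated format shown above, not every quoting form pppd accepts.

```shell
#!/bin/sh
# Added example, not part of the original page or of pptpd. Audits the
# server-side authentication and encryption settings described above.
# GNU stat is assumed (Linux); MINLEN and the function names are assumptions.

MINLEN="${MINLEN:-12}"

# True when option $2 is active (uncommented) in pppd options file $1.
ppp_option_active() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Check /etc/ppp/pptpd-options (or any pppd options file given as $1).
# Returns 0 when the file is acceptable, 1 with one finding per line otherwise.
audit_pptpd_options() {
    f="$1"; rc=0
    if ! ppp_option_active "$f" require-mschap-v2; then
        echo "$f: require-mschap-v2 is not active; MPPE keys come from the MS-CHAPv2 exchange, so MPPE cannot be negotiated without it"; rc=1
    fi
    if ! ppp_option_active "$f" require-mppe-128; then
        echo "$f: require-mppe-128 is commented out or missing; PPP frames then travel in cleartext inside GRE"; rc=1
    fi
    if ppp_option_active "$f" noauth; then
        echo "$f: noauth is active; an unauthenticated peer could bring the link up"; rc=1
    fi
    return $rc
}

# Check a chap-secrets file: root-only permissions, well-formed entries,
# and no secret shorter than MINLEN characters.
audit_chap_secrets() {
    f="$1"; rc=0
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode; it holds plaintext secrets, set it to 0600 (pppd warns about group/world access)"; rc=1 ;;
    esac
    awk -v min="$MINLEN" -v f="$f" '
        /^[[:space:]]*#/ || NF == 0 { next }     # comments and blank lines
        NF < 3 {
            printf "%s:%d: malformed entry, expected: client server secret [ip]\n", f, NR
            bad = 1; next
        }
        {
            s = $3; gsub(/^"|"$/, "", s)          # strip optional quotes
            if (length(s) < min) {
                printf "%s:%d: weak secret for client %s (%d chars, want at least %d)\n", f, NR, $1, length(s), min
                bad = 1
            }
        }
        END { exit bad }' "$f" || rc=1
    return $rc
}

# Usage:  audit_pptpd_options /etc/ppp/pptpd-options && audit_chap_secrets /etc/ppp/chap-secrets
```

Run both after every edit of the files; a non-zero exit with the findings printed is the signal that the server as configured either accepts unauthenticated peers or sends plaintext.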
Starting it
Run:
/usr/sbin/pptpd --fg
and watch these logs:
/var/log/debug
/var/log/daemon.log
Configuring the client
Configuration
First install pptp:
apt-get install pptp-linux
Register the new tunnel:
pptpsetup --create PPTP --server SERVERIO_IP_ADRESAS --username devnull --password 123456 --start
pptpsetup writes the tunnel to /etc/ppp/peers/PPTP and the secret to /etc/ppp/chap-secrets; passed like this the password also ends up in your shell history, and if the server requires MPPE add --encrypt so the client demands it as well. The client should connect immediately after the server is added. To reconnect later:
pppd call PPTP
Or in debug mode (watching what happens):
pon PPTP debug dump logfd 2 nodetach
If we see something like the text below, we were lucky:
root@localhost:~# pon PPTP debug dump logfd 2 nodetach
pppd options in effect:
debug debug            # (from command line)
kdebug 1               # (from /etc/ppp/options)
nodetach               # (from command line)
logfd 2                # (from command line)
dump                   # (from command line)
noauth                 # (from /etc/ppp/peers/PPTP)
refuse-pap             # (from /etc/ppp/options)
refuse-chap            # (from /etc/ppp/options)
refuse-mschap          # (from /etc/ppp/options)
refuse-eap             # (from /etc/ppp/options)
name devnull           # (from /etc/ppp/peers/PPTP)
remotename PPTP        # (from /etc/ppp/peers/PPTP)
                       # (from /etc/ppp/peers/PPTP)
pty pptp SERVERIO_IP --nolaunchpppd    # (from /etc/ppp/peers/PPTP)
crtscts                # (from /etc/ppp/options)
                       # (from /etc/ppp/options)
asyncmap 0             # (from /etc/ppp/options)
lcp-echo-failure 4     # (from /etc/ppp/options)
lcp-echo-interval 30   # (from /etc/ppp/options)
hide-password          # (from /etc/ppp/options)
ipparam PPTP           # (from /etc/ppp/peers/PPTP)
netmask 255.255.255.0  # (from /etc/ppp/options)
nobsdcomp              # (from /etc/ppp/peers/PPTP)
nodeflate              # (from /etc/ppp/peers/PPTP)
noipx                  # (from /etc/ppp/options)
using channel 34
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1724c810> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x58caf7a0> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x58caf7a0> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1724c810> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x1724c810]
rcvd [LCP EchoReq id=0x0 magic=0x58caf7a0]
sent [LCP EchoRep id=0x0 magic=0x1724c810]
rcvd [CHAP Challenge id=0x79 <xxxxxxxxxxxxxx>, name = "pptpd"]
added response cache entry 0
sent [CHAP Response id=0x79 <xxxxxxxxxxxxxxxxxx>, name = "devnull"]
rcvd [LCP EchoRep id=0x0 magic=0x58caf7a0]
rcvd [CHAP Success id=0x79 "S=xxxxxxxxxxxxx M=Access granted"]
response found in cache (entry 0)
CHAP authentication succeeded
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0x1 <addr 192.168.1.254>]
sent [IPCP ConfAck id=0x1 <addr 192.168.1.254>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 0.0.0.0>]
rcvd [IPCP ConfNak id=0x2 <addr 192.168.1.200>]
sent [IPCP ConfReq id=0x3 <addr 192.168.1.200>]
rcvd [IPCP ConfAck id=0x3 <addr 192.168.1.200>]
local IP address 192.168.1.200
remote IP address 192.168.1.254
Script /etc/ppp/ip-up started (pid 14850)
Script /etc/ppp/ip-up finished (pid 14850), status = 0x0
rcvd [LCP EchoReq id=0x1 magic=0x58caf7a0]
Testing
For connecting from the client side see above.
On the server side: if /var/log/debug or /var/log/daemon.log shows something like the text below, we were lucky again (this particular log was taken after the subnet had been moved to 192.168.2.0/24, see the note at the end; the client first proposed its own address 192.168.5.1 and was NAKed to 192.168.2.200):
Dec 30 02:31:55 blastpit pppd[21067]: using channel 1699
Dec 30 02:31:55 blastpit pppd[21067]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x15386901> <pcomp> <accomp>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #1
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <magic 0x16d47616> <pcomp> <accomp>]
Dec 30 02:31:57 blastpit pppd[21067]: sent [LCP ConfAck id=0x1 <mru 1450> <asyncmap 0x0> <magic 0x16d47616> <pcomp> <accomp>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #2
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [LCP ConfAck id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x15386901> <pcomp> <accomp>]
Dec 30 02:31:57 blastpit pppd[21067]: sent [LCP EchoReq id=0x0 magic=0x15386901]
Dec 30 02:31:57 blastpit pppd[21067]: sent [CHAP Challenge id=0xab <xxxxxxxxx>, name = "pptpd"]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #3
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [LCP EchoReq id=0x0 magic=0x16d47616]
Dec 30 02:31:57 blastpit pppd[21067]: sent [LCP EchoRep id=0x0 magic=0x15386901]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #4
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [LCP EchoRep id=0x0 magic=0x16d47616]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #5
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [CHAP Response id=0xab <xxxxxxxxxxxxxxxx>, name = "devnull"]
Dec 30 02:31:57 blastpit pppd[21067]: sent [CHAP Success id=0xab "S=xxxxxxxxxxxxxxxxxxxxxxxxxxxx M=Access granted"]
Dec 30 02:31:57 blastpit pppd[21067]: sent [IPCP ConfReq id=0x1 <addr 192.168.2.254>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #6
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.5.1> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Dec 30 02:31:57 blastpit pppd[21067]: sent [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #7
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [IPCP ConfAck id=0x1 <addr 192.168.2.254>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #8
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [IPCP ConfReq id=0x2 <addr 192.168.5.1> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Dec 30 02:31:57 blastpit pppd[21067]: sent [IPCP ConfNak id=0x2 <addr 192.168.2.200> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Dec 30 02:31:57 blastpit pptpd[21066]: GRE: accepting packet #9
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [IPCP ConfReq id=0x3 <addr 192.168.2.200> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Dec 30 02:31:57 blastpit pppd[21067]: sent [IPCP ConfAck id=0x3 <addr 192.168.2.200> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Dec 30 02:31:57 blastpit pppd[21067]: Script /etc/ppp/ip-up started (pid 21075)
Dec 30 02:31:57 blastpit pppd[21067]: Script /etc/ppp/ip-up finished (pid 21075), status = 0x0
Dec 30 02:31:59 blastpit pptpd[21066]: GRE: accepting packet #10
Dec 30 02:31:59 blastpit pppd[21067]: rcvd [LCP EchoReq id=0x1 magic=0x16d47616]
Dec 30 02:31:59 blastpit pppd[21067]: sent [LCP EchoRep id=0x1 magic=0x15386901]
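Both transcripts prove that MS-CHAPv2 authentication succeeded, but notice what is missing from them: there is no CCP exchange and no "MPPE ... compression enabled" line, because require-mppe-128 is commented out in pptpd-options, so these tunnels carried their PPP frames unencrypted. The following added example (not from the page) is a check for exactly that: it reads a pppd log and reports which authentication the LCP ConfReq demanded, whether it succeeded and whether MPPE came up. The sample logs inside it are constructed: the first reuses lines from the server transcript above, the second adds the CCP lines pppd prints when MPPE is negotiated. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Reads a pppd log (from
# /var/log/daemon.log, /var/log/debug or the output of "pon ... nodetach")
# and answers three questions: which authentication was demanded in LCP,
# whether it succeeded, and whether MPPE encryption was negotiated.
# Function names are assumptions.

# Print "auth=<method> authenticated=<yes|no> mppe=<bits|none>" for log
# file $1. Return 0 only when CHAP succeeded AND MPPE is enabled.
pptp_session_check() {
    log="$1"
    if grep -q '\[LCP ConfReq.*<auth chap MS-v2>' "$log"; then auth=mschap-v2
    elif grep -q '\[LCP ConfReq.*<auth chap MS>' "$log"; then auth=mschap-v1
    elif grep -q '\[LCP ConfReq.*<auth chap MD5>' "$log"; then auth=chap-md5
    elif grep -q '\[LCP ConfReq.*<auth pap>' "$log"; then auth=pap
    else auth=none; fi
    if grep -q 'CHAP Success' "$log"; then ok=yes; else ok=no; fi
    # pppd logs "MPPE 128-bit stateless compression enabled" once CCP is up.
    bits=$(sed -n 's/.*MPPE \([0-9]*\)-bit .*compression enabled.*/\1/p' "$log" | tail -n 1)
    mppe="${bits:-none}"
    echo "auth=$auth authenticated=$ok mppe=$mppe"
    [ "$ok" = yes ] && [ "$mppe" != none ]
}

# Constructed sample 1: lines taken from the server transcript on this page
# (no CCP at all, so no encryption).
make_sample_plain() {
    cat <<'EOF'
Dec 30 02:31:55 blastpit pppd[21067]: sent [LCP ConfReq id=0x1 <mru 1450> <asyncmap 0x0> <auth chap MS-v2> <magic 0x15386901> <pcomp> <accomp>]
Dec 30 02:31:57 blastpit pppd[21067]: sent [CHAP Challenge id=0xab <xxxxxxxxx>, name = "pptpd"]
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [CHAP Response id=0xab <xxxxxxxxxxxxxxxx>, name = "devnull"]
Dec 30 02:31:57 blastpit pppd[21067]: sent [CHAP Success id=0xab "S=xxxxxxxxxxxxxxxxxxxxxxxxxxxx M=Access granted"]
Dec 30 02:31:57 blastpit pppd[21067]: sent [IPCP ConfReq id=0x1 <addr 192.168.2.254>]
EOF
}

# Constructed sample 2: the same session as it looks with require-mppe-128
# enabled; the CCP lines are what pppd prints when MPPE is negotiated.
make_sample_mppe() {
    make_sample_plain
    cat <<'EOF'
Dec 30 02:31:57 blastpit pppd[21067]: sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Dec 30 02:31:57 blastpit pppd[21067]: rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
Dec 30 02:31:57 blastpit pppd[21067]: MPPE 128-bit stateless compression enabled
EOF
}

# Usage:  pptp_session_check /var/log/daemon.log
```

On a live server run it against /var/log/daemon.log after a client has connected; "mppe=none" with a successful CHAP means the link is up but everything in it is readable to whoever sees the GRE packets.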
Ping one host from the other; if the ping goes through, everything is OK, i.e.:
root@host1# ping 192.168.1.200
root@host2# ping 192.168.1.254
Final start-up and use
On the server side start the daemon:
/etc/init.d/pptpd start
On the client side:
echo "pppd call PPTP" >> /etc/rc.local && pppd call PPTP
Note that Debian's default /etc/rc.local ends with exit 0, so a line appended after it never runs; put the call before that line. A tunnel that drops is also not re-established by itself unless pppd runs with the persist option.
Finally
For now you will not see the internal resources of either network without additional routing and a few firewall rules, which I will describe later, but it should look roughly like this:
route add -net 192.168.1.0 netmask 255.255.255.0 dev ppp0
iptables --insert OUTPUT 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.1.0/24 --jump ACCEPT --out-interface ppp0
iptables --insert INPUT 1 --source 192.168.1.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp0
iptables --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.1.0/24 --jump ACCEPT --out-interface ppp0
iptables --insert FORWARD 1 --source 192.168.1.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT
NAT is not necessary unless you also want to use the pptp server's internet connection through the tunnel:
iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE
iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
Then we drop the script into /etc/ppp/ip-up.d/scriptas (using variables in place of the static interface names written above, because every client that connects to pptp gets an interface of its own). NOTE! Surprisingly, the 192.168.1.0/24 subnet has to be changed to a different one throughout this article for everything to work smoothly, although that is debatable. The likely reason is less surprising: 192.168.1.0/24 is the default LAN of most home routers, so a client sitting in such a LAN already has a directly connected route for that prefix that conflicts with the route through ppp0; the server log above was taken with the subnet moved to 192.168.2.0/24.
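The per-client script mentioned above, as an added example that is not the page's own script: pppd runs every executable in /etc/ppp/ip-up.d (and, on teardown, /etc/ppp/ip-down.d) with the interface name, tty, speed, local IP, remote IP and ipparam as positional arguments, and Debian's ip-up wrapper also exports them as PPP_IFACE, PPP_LOCAL, PPP_REMOTE and so on; that replaces the static ppp0 in the rules above. Installed as /etc/ppp/ip-up.d/pptp-client and symlinked into /etc/ppp/ip-down.d/, the same file removes its rules again. eth2, the 192.168.1.0/24 LAN, the file name and the function names are assumptions, and the rules pin the client to the single address it negotiated rather than opening the whole tunnel subnet.

```shell
#!/bin/sh
# Added example, not the original page's script. Per-client forwarding rules
# for the pptpd server, executed by pppd for every tunnel that comes up.
# pppd calls ip-up/ip-down scripts as:
#   <script> IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Install as /etc/ppp/ip-up.d/pptp-client and symlink the same file into
# /etc/ppp/ip-down.d/; the directory in $0 selects add (-A) or delete (-D).
# LAN_IF, LAN_NET and the file name are assumptions.

LAN_IF="${LAN_IF:-eth2}"              # internal interface of the server
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # network the client may reach
IPTABLES="${IPTABLES:-iptables}"

# Print the rules for one client: $1 = add|del, $2 = ppp interface,
# $3 = the client's negotiated IP. Only that single address is allowed
# through, so a client cannot source traffic as another client or as a
# LAN host. The output is plain text so it can be reviewed and tested.
pptp_client_rules() {
    case "$1" in
        add) act=-A ;;
        del) act=-D ;;
        *) echo "pptp_client_rules: action must be add or del" >&2; return 1 ;;
    esac
    ppp="$2"; client="$3"
    case "$client" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "pptp_client_rules: '$client' is not an IPv4 address" >&2; return 1 ;;
    esac
    echo "$IPTABLES $act FORWARD -i $ppp -o $LAN_IF -s $client -d $LAN_NET -j ACCEPT"
    echo "$IPTABLES $act FORWARD -i $LAN_IF -o $ppp -s $LAN_NET -d $client -j ACCEPT"
}

# Entry point when pppd runs this file. Forwarding has to be switched on
# (net.ipv4.ip_forward=1), otherwise the FORWARD chain is never consulted.
pptp_hook_main() {
    case "$0" in
        */ip-down.d/*) action=del ;;
        *) action=add ;;
    esac
    iface="${PPP_IFACE:-$1}"
    remote="${PPP_REMOTE:-$5}"
    if [ "$action" = add ]; then
        sysctl -q -w net.ipv4.ip_forward=1
    fi
    pptp_client_rules "$action" "$iface" "$remote" | sh -e
}

# Only act when invoked by pppd (full argument list present), not when
# the file is sourced for testing.
if [ "$#" -ge 5 ]; then
    pptp_hook_main "$@"
fi
```

On the client side the equivalent hook is a one-liner that adds the route to the LAN over $1 (the ppp interface) instead of the hard-coded ppp0 in the route command above.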
How to use it as a client on Windows systems?
- read here (with screenshots!)
Links
Other related links: