Ubuntu 下面 pptp VPN 的配置
發表於 : 2007-06-22 10:43:58
http://grid.tsinghua.edu.cn/home/liulk/ ... erVPN.html
提纲
配置文件编辑结果
客户端
提纲
整个安装和配置过程主要包括如下的命令:
[root@gw3121 ~]# apt-get install pptpd #安装pptpd
[root@gw3121 ~]# apt-get install pptp-linux #安装pptpd client,这一步可以没有
[root@gw3121 ~]# vi /etc/pptpd.conf #编辑pptpd的配置文件
[root@gw3121 ~]# vi /etc/ppp/pptpd-options #编辑底层ppp服务器配置文件
[root@gw3121 ~]# vi /etc/ppp/chap-secrets #用户名和密码文件
[root@gw3121 ~]# /etc/init.d/pptpd restart #重启pptpd服务器
#打开防火墙和nat,如果你没有使用防火墙和nat,这一步可以不做
[root@gw3121 ~]# iptables -t nat -A POSTROUTING -s 10.0.11.0/24 -o eth0 -j SNAT --to 166.111.202.141
[root@gw3121 ~]# iptables -A FORWARD -s 10.0.11.0/24 -j ACCEPT
[root@gw3121 ~]# iptables -A FORWARD -d 10.0.11.0/24 -j ACCEPT
配置文件编辑结果
* /etc/pptpd.conf
###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options
# TAG: debug
# Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam
# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
logwtmp
# TAG: bcrelay <if>
# Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1
# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
localip 10.0.11.254
remoteip 10.0.11.1-253
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
* pptpd-options
###############################################################################
# $Id: pptpd-options 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################
# Authentication
# (must match the second field in /etc/ppp/chap-secrets entries)
name gw3121
# Optional: domain name to use for authentication
# domain mydomain.net
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain
# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
#refuse-pap
#refuse-chap
#refuse-mschap
require-chap
require-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#require-mppe-128
# }}}
# Network and Routing
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
ms-dns 166.111.8.28
ms-dns 166.111.8.29
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Debian: do not replace the default route
nodefaultroute
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump
# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
* chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
lkliu gw3121 "passwd1" 10.0.11.1
vpn gw3121 "passwd2" *
客户端
* windows
建立连接
control pannel -> Network Connections -> create a new connect ->
next -> connect to the network at my working place -> next ->
virtual private network connection -> campany name (input: 3-121) ->
Host name or IP address (input: 166.111.202.141) -> finish
设置连接
duble click the connection created just now -> properties -> security ->
advanced(custom setting) ->optional encryption( connect even no encryption) ->
allow this protocal -> CHAP (only choose this) -> OK -> Yes
如图:
Updated: 2006-12-26 Home / Index
提纲
配置文件编辑结果
客户端
提纲
整个安装和配置过程主要包括如下的命令:
[root@gw3121 ~]# apt-get install pptpd #安装pptpd
[root@gw3121 ~]# apt-get install pptp-linux #安装pptpd client,这一步可以没有
[root@gw3121 ~]# vi /etc/pptpd.conf #编辑pptpd的配置文件
[root@gw3121 ~]# vi /etc/ppp/pptpd-options #编辑底层ppp服务器配置文件
[root@gw3121 ~]# vi /etc/ppp/chap-secrets #用户名和密码文件
[root@gw3121 ~]# /etc/init.d/pptpd restart #重启pptpd服务器
#打开防火墙和nat,如果你没有使用防火墙和nat,这一步可以不做
[root@gw3121 ~]# iptables -t nat -A POSTROUTING -s 10.0.11.0/24 -o eth0 -j SNAT --to 166.111.202.141
[root@gw3121 ~]# iptables -A FORWARD -s 10.0.11.0/24 -j ACCEPT
[root@gw3121 ~]# iptables -A FORWARD -d 10.0.11.0/24 -j ACCEPT
配置文件编辑结果
* /etc/pptpd.conf
###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options
# TAG: debug
# Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam
# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
logwtmp
# TAG: bcrelay <if>
# Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1
# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
localip 10.0.11.254
remoteip 10.0.11.1-253
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
* pptpd-options
###############################################################################
# $Id: pptpd-options 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################
# Authentication
# (must match the second field in /etc/ppp/chap-secrets entries)
name gw3121
# Optional: domain name to use for authentication
# domain mydomain.net
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain
# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
#refuse-pap
#refuse-chap
#refuse-mschap
require-chap
require-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#require-mppe-128
# }}}
# Network and Routing
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
ms-dns 166.111.8.28
ms-dns 166.111.8.29
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Debian: do not replace the default route
nodefaultroute
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump
# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
* chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
lkliu gw3121 "passwd1" 10.0.11.1
vpn gw3121 "passwd2" *
客户端
* windows
建立连接
control pannel -> Network Connections -> create a new connect ->
next -> connect to the network at my working place -> next ->
virtual private network connection -> campany name (input: 3-121) ->
Host name or IP address (input: 166.111.202.141) -> finish
设置连接
duble click the connection created just now -> properties -> security ->
advanced(custom setting) ->optional encryption( connect even no encryption) ->
allow this protocal -> CHAP (only choose this) -> OK -> Yes
如图:
Updated: 2006-12-26 Home / Index