VPN Server Setup and Usage (L2TP)
=================================

[TOC]

### Introduction

A VPN is a remote-access technology: put simply, it uses a public network to build a private one. For example, an employee on a business trip who needs to reach servers on the corporate intranet, or connect to them, is doing remote access.

### Implementation options

There are many ways to implement a VPN; the four common ones are:

1. VPN server: in a large LAN, a VPN server placed at the network core provides the VPN.
2. Software VPN: dedicated software provides the VPN.
3. Hardware VPN: dedicated hardware provides the VPN.
4. Integrated VPN: some devices, such as routers and firewalls, include VPN functionality, although devices with it usually cost more than those without.

### Advantages and disadvantages

##### Advantages

1. A VPN lets mobile staff, remote staff, business partners and others use a locally available broadband link (such as [DSL](https://baike.baidu.com/item/DSL), cable or a [WiFi](https://baike.baidu.com/item/WiFi) network) to connect to the corporate network. Broadband is also a cost-effective way to connect remote offices.
2. A well-designed broadband VPN is modular and scalable. It rides on internet infrastructure that is easy to set up, so new users can be added quickly, and the business gains capacity and applications without building extra infrastructure.
3. A VPN can provide strong protection, using encryption and authentication to keep data away from eavesdroppers, thieves and other unauthorized users. How strong depends on the protocol and credentials chosen: the L2TP/IPsec setup on this page rests on one pre-shared key known to every client plus a per-user password.
4. Full control: the user relies on the ISP only for transport, while keeping control of their own network. Security settings and network management stay in-house, and a VPN can also be built entirely inside the enterprise.

##### Disadvantages

1. The enterprise cannot directly control the reliability and performance of an internet-based VPN; it depends on the ISP carrying the traffic. That makes a service level agreement with guaranteed performance figures important.
2. Building and deploying a VPN is not easy. It requires a solid understanding of networking and security, and careful planning and configuration, so having the ISP run most of the VPN is often a good idea.
3. VPN products from different vendors are frequently incompatible, because many vendors will not or cannot follow the standards. Mixing vendors can cause technical problems, while staying with a single vendor can raise cost.
4. Wireless clients add risk. Roaming between access points changes the client's address and drops the tunnel; unless the client blocks traffic until the tunnel is re-established, data leaks outside the VPN in the meantime.

### Installing an L2TP VPN server

##### Create the script

> Log in to the Linux server and create the script l2tp.sh with the content below, or create it on a Windows client and upload it.
>
> Contents of l2tp.sh

```sh
#!/usr/bin/env bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
#=======================================================================#
#   System Supported:  CentOS 6+ / Debian 7+ / Ubuntu 12+               #
#   Description:  L2TP VPN Auto Installer                               #
#   Author: Teddysun                                                    #
#   Intro:  https://teddysun.com/448.html                               #
#=======================================================================#

cur_dir=`pwd`
libreswan_filename="libreswan-3.27"
download_root_url="https://dl.lamp.sh/files"

rootness(){
    if [[ $EUID -ne 0 ]]; then
        echo "Error:This script must be run as root!" 1>&2
        exit 1
    fi
}

tunavailable(){
    if [[ !
    -e /dev/net/tun ]]; then
        echo "Error:TUN/TAP is not available!" 1>&2
        exit 1
    fi
}

# Permanently disables SELinux; a per-service policy would be the less
# drastic alternative.
disable_selinux(){
    if [ -s /etc/selinux/config ] && grep 'SELINUX=enforcing' /etc/selinux/config; then
        sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
        setenforce 0
    fi
}

get_opsy(){
    [ -f /etc/redhat-release ] && awk '{print ($1,$3~/^[0-9]/?$3:$4)}' /etc/redhat-release && return
    [ -f /etc/os-release ] && awk -F'[= "]' '/PRETTY_NAME/{print $3,$4,$5}' /etc/os-release && return
    [ -f /etc/lsb-release ] && awk -F'[="]+' '/DESCRIPTION/{print $2}' /etc/lsb-release && return
}

get_os_info(){
    # first non-private IPv4 address on any interface, else ask an external service
    IP=$( ip addr | egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | egrep -v "^192\.168|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-2]\.|^10\.|^127\.|^255\.|^0\." | head -n 1 )
    [ -z "${IP}" ] && IP=$( wget -qO- -t1 -T2 ipv4.icanhazip.com )

    local cname=$( awk -F: '/model name/ {name=$2} END {print name}' /proc/cpuinfo | sed 's/^[ \t]*//;s/[ \t]*$//' )
    local cores=$( awk -F: '/model name/ {core++} END {print core}' /proc/cpuinfo )
    local freq=$( awk -F: '/cpu MHz/ {freq=$2} END {print freq}' /proc/cpuinfo | sed 's/^[ \t]*//;s/[ \t]*$//' )
    local tram=$( free -m | awk '/Mem/ {print $2}' )
    local swap=$( free -m | awk '/Swap/ {print $2}' )
    local up=$( awk '{a=$1/86400;b=($1%86400)/3600;c=($1%3600)/60;d=$1%60} {printf("%ddays, %d:%d:%d\n",a,b,c,d)}' /proc/uptime )
    local load=$( w | head -1 | awk -F'load average:' '{print $2}' | sed 's/^[ \t]*//;s/[ \t]*$//' )
    local opsy=$( get_opsy )
    local arch=$( uname -m )
    local lbit=$( getconf LONG_BIT )
    local host=$( hostname )
    local kern=$( uname -r )

    echo "########## System Information ##########"
    echo
    echo "CPU model            : ${cname}"
    echo "Number of cores      : ${cores}"
    echo "CPU frequency        : ${freq} MHz"
    echo "Total amount of ram  : ${tram} MB"
    echo "Total amount of swap : ${swap} MB"
    echo "System uptime        : ${up}"
    echo "Load average         : ${load}"
    echo "OS                   : ${opsy}"
    echo "Arch                 : ${arch} (${lbit} Bit)"
    echo "Kernel               : ${kern}"
    echo "Hostname             : ${host}"
    echo "IPv4 \
address         : ${IP}"
    echo
    echo "########################################"
}

check_sys(){
    local checkType=$1
    local value=$2
    local release=''
    local systemPackage=''

    if [[ -f /etc/redhat-release ]]; then
        release="centos"
        systemPackage="yum"
    elif cat /etc/issue | grep -Eqi "debian"; then
        release="debian"
        systemPackage="apt"
    elif cat /etc/issue | grep -Eqi "ubuntu"; then
        release="ubuntu"
        systemPackage="apt"
    elif cat /etc/issue | grep -Eqi "centos|red hat|redhat"; then
        release="centos"
        systemPackage="yum"
    elif cat /proc/version | grep -Eqi "debian"; then
        release="debian"
        systemPackage="apt"
    elif cat /proc/version | grep -Eqi "ubuntu"; then
        release="ubuntu"
        systemPackage="apt"
    elif cat /proc/version | grep -Eqi "centos|red hat|redhat"; then
        release="centos"
        systemPackage="yum"
    fi

    if [[ ${checkType} == "sysRelease" ]]; then
        if [ "$value" == "$release" ];then
            return 0
        else
            return 1
        fi
    elif [[ ${checkType} == "packageManager" ]]; then
        if [ "$value" == "$systemPackage" ];then
            return 0
        else
            return 1
        fi
    fi
}

# 10 alphanumeric characters drawn with $RANDOM, which is a 15-bit,
# non-cryptographic generator: acceptable as a suggested default that the
# operator is expected to replace, not as an unattended secret.
rand(){
    index=0
    str=""
    for i in {a..z}; do arr[index]=${i}; index=`expr ${index} + 1`; done
    for i in {A..Z}; do arr[index]=${i}; index=`expr ${index} + 1`; done
    for i in {0..9}; do arr[index]=${i}; index=`expr ${index} + 1`; done
    for i in {1..10}; do str="$str${arr[$RANDOM%$index]}"; done
    echo ${str}
}

is_64bit(){
    if [ `getconf WORD_BIT` = '32' ] && [ `getconf LONG_BIT` = '64' ] ; then
        return 0
    else
        return 1
    fi
}

# Fetches ${download_root_url}/$1 over HTTPS; the file is not checked
# against a checksum or signature before it is installed.
download_file(){
    if [ -s ${1} ]; then
        echo "$1 [found]"
    else
        echo "$1 not found!!!download now..."
        if ! wget -c -t3 -T60 ${download_root_url}/${1}; then
            echo "Failed to download $1, please download it to ${cur_dir} directory manually and try again."
            exit 1
        fi
    fi
}

versionget(){
    if [[ -s /etc/redhat-release ]];then
        grep -oE "[0-9.]+" /etc/redhat-release
    else
        grep -oE "[0-9.]+" /etc/issue
    fi
}

centosversion(){
    if check_sys sysRelease centos;then
        local code=${1}
        local version="`versionget`"
        local main_ver=${version%%.*}
        if [ "${main_ver}" == "${code}" ];then
            return 0
        else
            return 1
        fi
    else
        return 1
    fi
}

debianversion(){
    if check_sys sysRelease debian;then
        local version=$( get_opsy )
        local code=${1}
        local main_ver=$( echo ${version} | sed 's/[^0-9]//g')
        if [ "${main_ver}" == "${code}" ];then
            return 0
        else
            return 1
        fi
    else
        return 1
    fi
}

version_check(){
    if check_sys packageManager yum; then
        if centosversion 5; then
            echo "Error: CentOS 5 is not supported, Please re-install OS and try again."
            exit 1
        fi
    fi
}

get_char(){
    SAVEDSTTY=`stty -g`
    stty -echo
    stty cbreak
    dd if=/dev/tty bs=1 count=1 2> /dev/null
    stty -raw
    stty echo
    stty $SAVEDSTTY
}

preinstall_l2tp(){
    echo
    if [ -d "/proc/vz" ]; then
        echo -e "\033[41;37m WARNING: \033[0m Your VPS is based on OpenVZ, and IPSec might not be supported by the kernel."
        echo "Continue installation? (y/n)"
        read -p "(Default: n)" agree
        [ -z "${agree}" ] && agree="n"
        if [ "${agree}" == "n" ]; then
            echo
            echo "L2TP installation cancelled."
            echo
            exit 0
        fi
    fi
    echo
    echo "Please enter IP-Range:"
    read -p "(Default Range: 192.168.18):" iprange
    [ -z "${iprange}" ] && iprange="192.168.18"

    # The default PSK is public (it is in this script) and is shared by
    # every client; always supply your own long random value.
    echo "Please enter PSK:"
    read -p "(Default PSK: teddysun.com):" mypsk
    [ -z "${mypsk}" ] && mypsk="teddysun.com"

    echo "Please enter Username:"
    read -p "(Default Username: teddysun):" username
    [ -z "${username}" ] && username="teddysun"

    password=`rand`
    echo "Please enter ${username}'s password:"
    read -p "(Default Password: ${password}):" tmppassword
    [ ! -z "${tmppassword}" ] && password=${tmppassword}

    echo
    echo "ServerIP:${IP}"
    echo "Server Local IP:${iprange}.1"
    echo "Client Remote IP Range:${iprange}.2-${iprange}.254"
    echo "PSK:${mypsk}"
    echo
    echo "Press any key to start... or press Ctrl + C to cancel."
    char=`get_char`
}

install_l2tp(){
    # creates /dev/random on containers that lack it; harmless error if it exists
    mknod /dev/random c 1 9
    if check_sys packageManager apt; then
        apt-get -y update
        if debianversion 7; then
            if is_64bit; then
                local libnspr4_filename1="libnspr4_4.10.7-1_amd64.deb"
                local libnspr4_filename2="libnspr4-0d_4.10.7-1_amd64.deb"
                local libnspr4_filename3="libnspr4-dev_4.10.7-1_amd64.deb"
                local libnspr4_filename4="libnspr4-dbg_4.10.7-1_amd64.deb"
                local libnss3_filename1="libnss3_3.17.2-1.1_amd64.deb"
                local libnss3_filename2="libnss3-1d_3.17.2-1.1_amd64.deb"
                local libnss3_filename3="libnss3-tools_3.17.2-1.1_amd64.deb"
                local libnss3_filename4="libnss3-dev_3.17.2-1.1_amd64.deb"
                local libnss3_filename5="libnss3-dbg_3.17.2-1.1_amd64.deb"
            else
                local libnspr4_filename1="libnspr4_4.10.7-1_i386.deb"
                local libnspr4_filename2="libnspr4-0d_4.10.7-1_i386.deb"
                local libnspr4_filename3="libnspr4-dev_4.10.7-1_i386.deb"
                local libnspr4_filename4="libnspr4-dbg_4.10.7-1_i386.deb"
                local libnss3_filename1="libnss3_3.17.2-1.1_i386.deb"
                local libnss3_filename2="libnss3-1d_3.17.2-1.1_i386.deb"
                local libnss3_filename3="libnss3-tools_3.17.2-1.1_i386.deb"
                local libnss3_filename4="libnss3-dev_3.17.2-1.1_i386.deb"
                local libnss3_filename5="libnss3-dbg_3.17.2-1.1_i386.deb"
            fi
            rm -rf ${cur_dir}/l2tp
            mkdir -p ${cur_dir}/l2tp
            cd ${cur_dir}/l2tp
            download_file "${libnspr4_filename1}"
            download_file "${libnspr4_filename2}"
            download_file "${libnspr4_filename3}"
            download_file "${libnspr4_filename4}"
            download_file "${libnss3_filename1}"
            download_file "${libnss3_filename2}"
            download_file "${libnss3_filename3}"
            download_file "${libnss3_filename4}"
            download_file "${libnss3_filename5}"
            dpkg -i ${libnspr4_filename1} ${libnspr4_filename2} ${libnspr4_filename3} ${libnspr4_filename4}
            dpkg -i ${libnss3_filename1} ${libnss3_filename2} ${libnss3_filename3} ${libnss3_filename4} ${libnss3_filename5}
            apt-get -y install wget gcc ppp flex bison make pkg-config libpam0g-dev libcap-ng-dev iptables \
            libcap-ng-utils libunbound-dev libevent-dev libcurl4-nss-dev libsystemd-daemon-dev
        else
            apt-get -y install wget gcc ppp flex bison make python libnss3-dev libnss3-tools libselinux-dev iptables \
            libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libunbound-dev \
            libevent-dev libcurl4-nss-dev libsystemd-dev
        fi
        apt-get -y --no-install-recommends install xmlto
        apt-get -y install xl2tpd
        compile_install
    elif check_sys packageManager yum; then
        echo "Adding the EPEL repository..."
        yum -y install epel-release yum-utils
        [ ! -f /etc/yum.repos.d/epel.repo ] && echo "Install EPEL repository failed, please check it." && exit 1
        yum-config-manager --enable epel
        echo "Adding the EPEL repository complete..."
        if centosversion 7; then
            yum -y install ppp libreswan xl2tpd firewalld
            yum_install
        elif centosversion 6; then
            yum -y remove libevent-devel
            yum -y install libevent2-devel
            yum -y install nss-devel nspr-devel pkgconfig pam-devel \
            libcap-ng-devel libselinux-devel lsof \
            curl-devel flex bison gcc ppp make iptables gmp-devel \
            fipscheck-devel unbound-devel xmlto libpcap-devel xl2tpd
            compile_install
        fi
    fi
}

config_install(){
    # The bodies of the five configuration files this function writes
    # (/etc/ipsec.conf, /etc/ipsec.secrets, /etc/xl2tpd/xl2tpd.conf,
    # /etc/ppp/options.xl2tpd, /etc/ppp/chap-secrets) and the opening of
    # compile_install() (download and unpack of ${libreswan_filename}) are
    # missing from this copy; only the fragment below survived. Do not run
    # this copy as-is: take the complete script from https://teddysun.com/448.html
    cat > /etc/ipsec.conf< /etc/ipsec.secrets< /etc/xl2tpd/xl2tpd.conf< /etc/ppp/options.xl2tpd< /etc/ppp/chap-secrets< Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
    make programs && make install
    /usr/local/sbin/ipsec --version >/dev/null 2>&1
    if [ $? -ne 0 ]; then
        echo "${libreswan_filename} install failed."
        exit 1
    fi
    config_install
    cp -pf /etc/sysctl.conf /etc/sysctl.conf.bak
    sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
    # no source routing, no ICMP redirects; rp_filter off because the VPN
    # pool is routed asymmetrically through ppp interfaces
    for each in `ls /proc/sys/net/ipv4/conf/`; do
        echo "net.ipv4.conf.${each}.accept_source_route=0" >> /etc/sysctl.conf
        echo "net.ipv4.conf.${each}.accept_redirects=0" >> /etc/sysctl.conf
        echo "net.ipv4.conf.${each}.send_redirects=0" >> /etc/sysctl.conf
        echo "net.ipv4.conf.${each}.rp_filter=0" >> /etc/sysctl.conf
    done
    sysctl -p

    if centosversion 6; then
        [ -f /etc/sysconfig/iptables ] && cp -pf /etc/sysconfig/iptables /etc/sysconfig/iptables.old.`date +%Y%m%d`
        if [ "`iptables -L -n | grep -c '\-\-'`" == "0" ]; then
            # (the iptables rule set written here and the "if" that guards the
            # NSS database initialisation below are missing from this copy)
            cat > /etc/sysconfig/iptables < /var/tmp/libreswan-nss-pwd
            certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
            rm -f /var/tmp/libreswan-nss-pwd
        fi
        chkconfig --add iptables
        chkconfig iptables on
        chkconfig --add ipsec
        chkconfig ipsec on
        chkconfig --add xl2tpd
        chkconfig xl2tpd on
        /etc/init.d/iptables restart
        /etc/init.d/ipsec start
        /etc/init.d/xl2tpd start
    else
        [ -f /etc/iptables.rules ] && cp -pf /etc/iptables.rules /etc/iptables.rules.old.`date +%Y%m%d`
        if [ "`iptables -L -n | grep -c '\-\-'`" == "0" ]; then
            # (iptables rule set and the "else iptables-save" branch missing here)
            cat > /etc/iptables.rules < /etc/iptables.rules
        fi
        # (the if-up.d hook body and the "if" guarding the NSS database
        # initialisation are missing here; the stray "fi" below closed it)
        cat > /etc/network/if-up.d/iptables < /var/tmp/libreswan-nss-pwd
        certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
        rm -f /var/tmp/libreswan-nss-pwd
        fi
        update-rc.d -f xl2tpd defaults
        cp -f /etc/rc.local /etc/rc.local.old.`date +%Y%m%d`
        sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local
        # (the start of the rc.local heredoc is missing; its tail survived)
        cat >> /etc/rc.local < /proc/sys/net/ipv4/ip_forward
/usr/sbin/service ipsec start
exit 0
EOF
        chmod +x /etc/rc.local
        echo 1 > /proc/sys/net/ipv4/ip_forward
        /sbin/iptables-restore < /etc/iptables.rules
        /usr/sbin/service ipsec start
        /usr/sbin/service xl2tpd restart
    fi
}

yum_install(){
    config_install
    cp -pf /etc/sysctl.conf /etc/sysctl.conf.bak
    echo "# Added by L2TP VPN" >> /etc/sysctl.conf
    echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
    echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf
    echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.conf
    for each in `ls /proc/sys/net/ipv4/conf/`; do
        echo "net.ipv4.conf.${each}.accept_source_route=0" >> /etc/sysctl.conf
        echo "net.ipv4.conf.${each}.accept_redirects=0" >> /etc/sysctl.conf
        echo "net.ipv4.conf.${each}.send_redirects=0" >> /etc/sysctl.conf
        echo "net.ipv4.conf.${each}.rp_filter=0" >> /etc/sysctl.conf
    done
    sysctl -p

    # firewalld service definition for xl2tpd. Only the text nodes ("xl2tpd",
    # "L2TP IPSec") survived in this copy; the element tags and the port element
    # are reconstructed from the standard firewalld service format and the
    # UDP 1701 port the script opens.
    cat > /etc/firewalld/services/xl2tpd.xml<<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>xl2tpd</short>
  <description>L2TP IPSec</description>
  <port protocol="udp" port="1701"/>
</service>
EOF
    chmod 640 /etc/firewalld/services/xl2tpd.xml
    systemctl enable ipsec
    systemctl enable xl2tpd
    systemctl enable firewalld
    systemctl status firewalld > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        firewall-cmd --reload
        echo "Checking firewalld status..."
        firewall-cmd --list-all
        echo "add firewalld rules..."
        firewall-cmd --permanent --add-service=ipsec
        firewall-cmd --permanent --add-service=xl2tpd
        firewall-cmd --permanent --add-masquerade
        firewall-cmd --reload
    else
        echo "Firewalld looks like not running, trying to start..."
        systemctl start firewalld
        if [ $? -eq 0 ]; then
            echo "Firewalld start successfully..."
            firewall-cmd --reload
            echo "Checking firewalld status..."
            firewall-cmd --list-all
            echo "adding firewalld rules..."
            firewall-cmd --permanent --add-service=ipsec
            firewall-cmd --permanent --add-service=xl2tpd
            firewall-cmd --permanent --add-masquerade
            firewall-cmd --reload
        else
            echo "Failed to start firewalld. please enable udp port 500 4500 1701 manually if necessary."
        fi
    fi
    systemctl restart ipsec
    systemctl restart xl2tpd
    echo "Checking ipsec status..."
    systemctl -a | grep ipsec
    echo "Checking xl2tpd status..."
    systemctl -a | grep xl2tpd
    echo "Checking firewalld status..."
    firewall-cmd --list-all
}

finally(){
    cd ${cur_dir}
    rm -fr ${cur_dir}/l2tp
    # create l2tp command
    cp -f ${cur_dir}/`basename $0` /usr/bin/l2tp
    echo "Please wait a moment..."
    sleep 5
    ipsec verify
    echo
    echo "###############################################################"
    echo "# L2TP VPN Auto Installer                                     #"
    echo "# System Supported:  CentOS 6+ / Debian 7+ / Ubuntu 12+       #"
    echo "# Intro: https://teddysun.com/448.html                        #"
    echo "# Author: Teddysun                                            #"
    echo "###############################################################"
    echo "If there is no [FAILED] above, you can connect to your L2TP "
    echo "VPN Server with the default Username/Password is below:"
    echo
    # Note: this summary (PSK and password included) is also captured in
    # l2tp.log by the "tee" in the main process below.
    echo "Server IP: ${IP}"
    echo "PSK      : ${mypsk}"
    echo "Username : ${username}"
    echo "Password : ${password}"
    echo
    echo "If you want to modify user settings, please use below command(s):"
    echo "l2tp -a (Add a user)"
    echo "l2tp -d (Delete a user)"
    echo "l2tp -l (List all users)"
    echo "l2tp -m (Modify a user password)"
    echo
    echo "Welcome to visit our website: https://teddysun.com/448.html"
    echo "Enjoy it!"
    echo
}

l2tp(){
    clear
    echo
    echo "###############################################################"
    echo "# L2TP VPN Auto Installer                                     #"
    echo "# System Supported:  CentOS 6+ / Debian 7+ / Ubuntu 12+       #"
    echo "# Intro: https://teddysun.com/448.html                        #"
    echo "# Author: Teddysun                                            #"
    echo "###############################################################"
    echo
    rootness
    tunavailable
    disable_selinux
    version_check
    get_os_info
    preinstall_l2tp
    install_l2tp
    finally
}

# /etc/ppp/chap-secrets holds the passwords in cleartext (CHAP needs them);
# this listing prints them to the terminal, so keep the file mode 600.
list_users(){
    if [ ! -f /etc/ppp/chap-secrets ];then
        echo "Error: /etc/ppp/chap-secrets file not found."
        exit 1
    fi
    local line="+-------------------------------------------+\n"
    local string=%20s
    printf "${line}|${string} |${string} |\n${line}" Username Password
    grep -v "^#" /etc/ppp/chap-secrets | awk '{printf "|'${string}' |'${string}' |\n", $1,$3}'
    printf ${line}
}

# The username is not validated here but is later interpolated into a
# sed regex (del_user, mod_user); names containing "/" or regex
# metacharacters will break those commands.
add_user(){
    while :
    do
        read -p "Please input your Username:" user
        if [ -z "${user}" ]; then
            echo "Username can not be empty"
        else
            grep -w "${user}" /etc/ppp/chap-secrets > /dev/null 2>&1
            if [ $? -eq 0 ];then
                echo "Username (${user}) already exists. Please re-enter your username."
            else
                break
            fi
        fi
    done
    pass=`rand`
    echo "Please input ${user}'s password:"
    read -p "(Default Password: ${pass}):" tmppass
    [ ! -z "${tmppass}" ] && pass=${tmppass}
    # chap-secrets line: client name, server name ("l2tpd", as set in
    # options.xl2tpd), secret, and "*" for any assigned IP
    echo "${user} l2tpd ${pass} *" >> /etc/ppp/chap-secrets
    echo "Username (${user}) add completed."
}

del_user(){
    while :
    do
        read -p "Please input Username you want to delete it:" user
        if [ -z "${user}" ]; then
            echo "Username can not be empty"
        else
            grep -w "${user}" /etc/ppp/chap-secrets >/dev/null 2>&1
            if [ $? -eq 0 ];then
                break
            else
                echo "Username (${user}) is not exists. Please re-enter your username."
            fi
        fi
    done
    sed -i "/^\<${user}\>/d" /etc/ppp/chap-secrets
    echo "Username (${user}) delete completed."
}

mod_user(){
    while :
    do
        read -p "Please input Username you want to change password:" user
        if [ -z "${user}" ]; then
            echo "Username can not be empty"
        else
            grep -w "${user}" /etc/ppp/chap-secrets >/dev/null 2>&1
            if [ $? -eq 0 ];then
                break
            else
                echo "Username (${user}) is not exists. Please re-enter your username."
            fi
        fi
    done
    pass=`rand`
    echo "Please input ${user}'s new password:"
    read -p "(Default Password: ${pass}):" tmppass
    [ ! -z "${tmppass}" ] && pass=${tmppass}
    sed -i "/^\<${user}\>/d" /etc/ppp/chap-secrets
    echo "${user} l2tpd ${pass} *" >> /etc/ppp/chap-secrets
    echo "Username ${user}'s password has been changed."
}

# Main process
action=$1
if [ -z "${action}" ] && [ "`basename $0`" != "l2tp" ]; then
    action=install
fi

case ${action} in
    install)
        # l2tp.log captures the whole run, including the PSK and password
        # printed at the end; delete it or restrict it to root afterwards.
        l2tp 2>&1 | tee ${cur_dir}/l2tp.log
        ;;
    -l|--list)
        list_users
        ;;
    -a|--add)
        add_user
        ;;
    -d|--del)
        del_user
        ;;
    -m|--mod)
        mod_user
        ;;
    -h|--help)
        echo "Usage: `basename $0` -l,--list   List all users"
        echo "       `basename $0` -a,--add    Add a user"
        echo "       `basename $0` -d,--del    Delete a user"
        echo "       `basename $0` -m,--mod    Modify a user password"
        echo "       `basename $0` -h,--help   Print this help information"
        ;;
    *)
        echo "Usage: `basename $0` [-l,--list|-a,--add|-d,--del|-m,--mod|-h,--help]" && exit
        ;;
esac
```

##### Run the script (as root)

```bash
chmod +x l2tp.sh
./l2tp.sh
```

##### Enter the following when prompted

- The VPN subnet, in the form 192.168.1 (the first three octets; the server takes .1 and clients are assigned .2 to .254)
- The PSK, default teddysun.com. Change it: the default is written in the script, so anyone who has read the script knows it, and the PSK is shared by every client. Whoever knows it can impersonate the server to your users, so use a long random value.
- The username for the connection
- The password for that user

##### Press Enter and the installation and configuration run

##### Installation finishes after a short while (on CentOS 7 packages are installed; on CentOS 6 and Debian/Ubuntu libreswan is compiled from source, which takes longer). Accounts are then managed with:

```bash
l2tp -a   # add an account
l2tp -d   # delete an account
l2tp -l   # list existing accounts
l2tp -m   # change an account's password
```

Note: the service uses UDP ports 500 (IKE), 4500 (IPsec NAT-T) and 1701 (L2TP). Only 500 and 4500 need to be reachable from the internet; 1701 should be accepted only inside the IPsec tunnel, otherwise anyone can talk raw L2TP/PPP to xl2tpd and try CHAP logins without ever touching the PSK. Also note that the script writes its whole run to l2tp.log in the directory it was started from, including the PSK and the first user's password, and that /etc/ppp/chap-secrets stores passwords in cleartext, so restrict both files to root.

##### "bad variable name" after creating l2tp.sh on Windows and uploading it

###### Cause

The file was written on Windows, which ends lines with CRLF; the shell treats the trailing carriage return as part of each variable name.

###### Fix

```bash
vim l2tp.sh      # open the file
:set ff=unix     # switch the file format to LF line endings
:wq              # save and quit
```

(dos2unix l2tp.sh does the same.)

### Connecting from a Windows client

##### Right-click the network icon in the taskbar and open "Network and Sharing Center"

##### Choose "VPN" on the left, then "Add a VPN connection", and fill in:

- VPN provider: Windows (built-in)
- Connection name: anything
- Server name or address: the server's public IP
- VPN type: L2TP/IPsec with pre-shared key
- Pre-shared key: the PSK entered when the L2TP server was set up
- Type of sign-in info: User name and password
- User name: a user added on the L2TP server
- Password: that user's password

##### Select the connection and click Connect

##### Check the result

Win+R, cmd, ipconfig: a new "PPP adapter" appears.

### No internet after connecting

##### Cause

With the default Windows setting "Use default gateway on remote network", the client routes all of its traffic into the tunnel. If the server does not forward and NAT that traffic (ip_forward and the MASQUERADE rule the script configures), nothing beyond the server is reachable and the client appears to have lost its internet connection.

##### Fix

Open Network Connections, find the VPN adapter, right-click, Properties; then Networking, Internet Protocol Version 4, Properties, Advanced, and clear "Use default gateway on remote network". Reconnect the VPN and internet access returns. This is split tunnelling: only the VPN subnet goes through the tunnel, and everything else leaves the machine directly, outside the VPN. If the point of the VPN was to carry all traffic, fix forwarding and NAT on the server instead.

### Connection failures

##### Enable the services

Win+R, services.msc; find "IPsec Policy Agent", "Remote Access Auto Connection Manager", "Remote Access Connection Manager" and "Secure Socket Tunneling Protocol Service", set their startup type to Automatic and start them.

##### Add registry values

Copy the following into a text file, rename it to .reg and double-click it. ProhibitIpSec=0 is the default and keeps Windows' automatic IPsec policy for L2TP enabled:

```
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters]
"ProhibitIpSec"=dword:00000000 ``` 修改reg文档为以下内容,再次双击注册 ```sh Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent] "AssumeUDPEncapsulationContextOnSendRule"=dword:00000002 ``` ##### 重启电脑然后尝试进行连接 如果两次以上都链接不上的话在执行以下操作 修改reg文档为以下内容,再次双击注册 ```sh Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters] "ProhibitIpSec"=dword:00000001 ``` ##### 重启电脑然后尝试进行连接(请多尝试几次连接) > 如果还连接不上,打开事件查看器,找到windows日志,选择应用程序,查看错误代码然后自行百度。 ### 测试失败方式 ##### 1.在windows设置传入连接进行配置 ###### 客户端错误 ``` CoId={0B7CA270-211F-0002-5FA3-950B1F21D701}: 用户 DESKTOP-7SNFPUA\Administrator 已进行名为 VPN 连接 的拨号连接,该连接已失败。失败后返回的错误代码为 800。 ``` ``` CoId={0B7CA270-211F-0007-3733-910B1F21D701}: 用户 DESKTOP-7SNFPUA\Administrator 已进行名为 VPN 连接 的拨号连接,该连接已失败。失败后返回的错误代码为 807。 ``` ###### 解决方法:未知 ##### 2.在ubuntu 安装 pptpd 进行配置 ###### 客户端错误 ``` CoId={0B7CA270-211F-0004-A355-940B1F21D701}: 用户 DESKTOP-7SNFPUA\Administrator 已进行名为 VPN 杩炴帴 的拨号连接,该连接已终止。终止后返回的原因代码为 829。 ``` ``` CoId={0B7CA270-211F-0004-A355-940B1F21D701}: 用户 DESKTOP-7SNFPUA\Administrator 已进行名为 VPN 连接 的拨号连接,该连接已失败。失败后返回的错误代码为 619。 ``` ###### 解决方法:未知