PI L2TP server

In this tutorial you will learn how to set up an L2TP (Layer 2 Tunneling Protocol) VPN server on your Raspberry Pi.

Reasons to consider running an L2TP VPN server rather than a PPTP one

1. It is more secure

2. Extremely easy to set up

3. Built-in support on most mobile devices without installing additional software

Furthermore, it is much cheaper to run it on a low-cost, very low-power Raspberry Pi than to buy a VPN router or pay for a monthly subscription.

Main steps

1. Router configuration

2. Install openswan (for IPsec), xl2tpd (L2TP) and ppp

3. Configure the services

Router configuration

1. Assign a static IP address to your Raspberry Pi

2. On your router's firewall, open ports 1701 TCP, 4500 UDP and 500 UDP and forward them to the Raspberry Pi's IP address.

I have Verizon FiOS; I was able to get into my router configuration by going to http://192.168.1.1 and make the changes above.

Scenario

My Raspberry Pi IP address: 192.168.1.19

My router gateway address: 192.168.1.1

If you want to run the commands as the superuser (root):

$ sudo passwd
$ su

Update the system and install the packages:

$ apt-get update
$ apt-get install openswan xl2tpd ppp lsof

The openswan installation may ask you some questions; this tutorial works with the default answers, so just press Enter through them.

Once you have installed the packages above, run the commands below one at a time.

$ iptables --table nat --append POSTROUTING --jump MASQUERADE

$ echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
$ echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
$ for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
$ sysctl -p

Edit /etc/rc.local and insert these two lines (above the final exit 0) so the settings are reapplied at boot:

$ nano /etc/rc.local

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE

Rename /etc/ipsec.conf to /etc/ipsec.conf.old:

$ mv /etc/ipsec.conf /etc/ipsec.conf.old

Edit /etc/ipsec.conf:

$ nano /etc/ipsec.conf

Replace the contents of the file with:

version 2.0
config setup

        nat_traversal=yes
        protostack=netkey
        virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.25$
        oe=off

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        left=192.168.1.19
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any
        #force all to be nat'ed. because of ios
        forceencaps=yes
# Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
# connection with. With L2TP clients behind NAT, that's not really what
# you want. The connection below allows both l2tp/ipsec and plaintext
# connections from behind the same NAT router.
# The l2tpd use a leftprotoport, so they are more specific and will be used
# first. Then, packets for the host on different ports and protocols (eg ssh)
# will match this passthrough conn.
conn passthrough-for-non-l2tp
        type=passthrough
        left=192.168.1.19
        leftnexthop=192.168.1.1
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route

Edit the file /etc/ipsec.secrets:

$ nano /etc/ipsec.secrets

Add the pre-shared secret for 192.168.1.19 (the key must be enclosed in straight ASCII double quotes):

192.168.1.19 %any: PSK "TESTSECRET"

Edit the file /etc/xl2tpd/xl2tpd.conf:

$ nano /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
listen-addr = 192.168.1.19
[lns default]
ip range = 192.168.1.201-192.168.1.250
local ip = 192.168.1.19
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = linkVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Edit the file /etc/ppp/options.xl2tpd:

$ nano /etc/ppp/options.xl2tpd

Insert the following:

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
asyncmap 0
auth
crtscts
lock
idle 1800
mtu 1200
mru 1200
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
nodefaultroute
connect-delay 5000

Edit /etc/ppp/chap-secrets:

$ nano /etc/ppp/chap-secrets

Insert the following, changing the username and password to your own.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
USERNAME    *       PASSWORD        *
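As an added example (not part of the original tutorial), the script below generates random secrets for /etc/ipsec.secrets and /etc/ppp/chap-secrets in place of the placeholders TESTSECRET and PASSWORD, stages both files in a directory with mode 0600, and checks that the PSK line uses straight ASCII double quotes, since the typographic quotes a blog or word processor substitutes make pluto reject the entry. The server address 192.168.1.19 comes from the scenario above; the user name vpnuser, the staging directory and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: generate real secrets for
# /etc/ipsec.secrets and /etc/ppp/chap-secrets in place of TESTSECRET and
# PASSWORD, stage them with mode 0600, and check the PSK line is well-formed.
# Function names, the user name and the staging directory are this example's own.

# 32 bytes from /dev/urandom as 64 hex characters. Hex contains no quotes,
# spaces or backslashes, so it needs no escaping in either secrets file.
random_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# ipsec.secrets entry:  <server ip> %any: PSK "<psk>"
psk_line() {   # $1 = server IP, $2 = pre-shared key
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# chap-secrets entry:  client  server  secret  IP addresses
chap_line() {  # $1 = user name, $2 = password
    printf '%s\t*\t%s\t*\n' "$1" "$2"
}

# Return 0 only for a PSK entry with straight ASCII double quotes around the key.
valid_psk_line() {
    printf '%s\n' "$1" | grep -Eq '^[0-9.]+ %any: PSK "[^"]+"$'
}

# Write content ($2) to path ($1) readable by the owner only.
write_secret_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" ) && chmod 600 "$1"
}

# Stage both files; copy them to /etc as root after reviewing them.
stage_secrets() {   # $1 = staging dir, $2 = server IP, $3 = VPN user name
    mkdir -p "$1" || return 1
    line=$(psk_line "$2" "$(random_secret)")
    valid_psk_line "$line" || return 1
    write_secret_file "$1/ipsec.secrets" "$line" || return 1
    chap=$(chap_line "$3" "$(random_secret)")
    write_secret_file "$1/chap-secrets" "$chap" || return 1
    echo "staged in $1: ipsec.secrets and chap-secrets (mode 0600)"
}

# Only touch the filesystem when asked to, e.g.: sh make-vpn-secrets.sh --generate
if [ "${1:-}" = "--generate" ]; then
    stage_secrets "${SECRETS_DIR:-./vpn-secrets}" 192.168.1.19 vpnuser
fi
```

Run it with --generate, inspect the two staged files, then copy them over /etc/ipsec.secrets and /etc/ppp/chap-secrets as root and restart ipsec and xl2tpd; the generated password is what you type into the VPN client together with the user name.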

 

Then make ipsec start at boot:

$ update-rc.d -f ipsec remove
$ update-rc.d ipsec defaults

Restart the services now that the config files have been changed:

$ /etc/init.d/xl2tpd restart
$ /etc/init.d/ipsec restart

If everything went right, you should now have a working VPN server.
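As an added example, not from the tutorial or from the openswan/xl2tpd projects, the script below checks the pieces configured above: that /etc/sysctl.conf carries the forwarding and redirect settings (the last occurrence of a key wins, which matters because tee -a appends and may leave an older line above), that the POSTROUTING masquerade rule is present, and that pluto and xl2tpd are listening on UDP 500, 4500 and 1701 (IKE, NAT-T and L2TP respectively; xl2tpd listens on UDP 1701, so the router forward for 1701 has to be UDP to carry the tunnel). The embedded sysctl.conf, iptables -t nat -S and lsof -i -n -P outputs are constructed sample data so the checks run offline; pass --live to run them against the real system as root.

```shell
#!/bin/sh
# Added post-install checks for the L2TP/IPsec setup above. Not part of the
# original tutorial; function names and the sample outputs are this example's own.

# Constructed sample data (what the real commands print on a correctly
# configured Pi), used when the script is run without --live.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0'

SAMPLE_NAT='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -j MASQUERADE'

SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
pluto 1234 root 9u IPv4 12345 0t0 UDP 192.168.1.19:500
pluto 1234 root 10u IPv4 12346 0t0 UDP 192.168.1.19:4500
xl2tpd 1300 root 3u IPv4 12350 0t0 UDP 192.168.1.19:1701'

# Return 0 if sysctl.conf-style text ($1) sets each required key to the value
# the tutorial wants; the last occurrence of a key is the effective one.
check_sysctl_text() {
    for kv in net.ipv4.ip_forward=1 \
              net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.conf.all.send_redirects=0; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(printf '%s\n' "$1" | awk -F= -v k="$key" '
            { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
            $1 == k { v = $2 }
            END { print v }')
        if [ "$got" != "$want" ]; then
            echo "sysctl: $key should be $want, found '${got:-unset}'"
            return 1
        fi
    done
    return 0
}

# Return 0 if "iptables -t nat -S" output ($1) contains the POSTROUTING masquerade rule.
has_masquerade() {
    printf '%s\n' "$1" | grep -q -- '^-A POSTROUTING.* -j MASQUERADE$'
}

# Return 0 if "lsof -i -n -P" output ($1) shows a UDP socket bound to port $2.
has_udp_listener() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $8 == "UDP" { n = split($9, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# IKE (500), NAT-T (4500) and L2TP (1701) must all be UDP listeners.
check_listeners() {
    for port in 500 4500 1701; do
        has_udp_listener "$1" "$port" || { echo "nothing listening on UDP $port"; return 1; }
    done
    return 0
}

# $1 = sysctl.conf text, $2 = iptables -t nat -S output, $3 = lsof -i -n -P output
run_checks() {
    rc=0
    check_sysctl_text "$1" && echo "sysctl settings: ok" || rc=1
    has_masquerade "$2" && echo "NAT masquerade rule: ok" || { echo "NAT masquerade rule missing"; rc=1; }
    check_listeners "$3" && echo "UDP listeners 500/4500/1701: ok" || rc=1
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    # Real system: needs root, plus the lsof package installed earlier.
    run_checks "$(cat /etc/sysctl.conf)" "$(iptables -t nat -S)" "$(lsof -i -n -P)"
else
    run_checks "$SAMPLE_SYSCTL" "$SAMPLE_NAT" "$SAMPLE_LSOF"
fi
```

A failing listener check after a restart usually means ipsec or xl2tpd did not start; look at /var/log/auth.log and /var/log/syslog on the Pi for the reason before touching the router.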

References: this tutorial is based on the articles below

https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_12.04.html

http://www.raspberrypi.org/phpBB3/viewtopic.php?t=31541

http://blog.riobard.com/2010/04/30/l2tp-over-ipsec-ubuntu

http://www.cryptocracy.com/blog/2012/05/13/ipsec-slash-l2tp-vpn-server-with-ubuntu-precise

http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html