Using the Point-to-Point Tunneling Protocol (PPTP)
Operating system version:
Check whether the environment supports PPTP (the ppp-compress-18 module, /dev/net/tun and /dev/ppp must all be available):
[root@centos8 ~]# modprobe ppp-compress-18 && echo yes
yes
[root@centos8 ~]# ls /dev/net/tun && echo yes
/dev/net/tun
yes
[root@centos8 ~]# ls /dev/ppp && echo yes
/dev/ppp
yes
Install the required packages:
[root@centos8 ~]# dnf -y install ppp pptp net-tools gcc make wget
[root@centos8 ~]# wget https://pic.ithothub.com/wp-content/uploads/2020/03/pptpd-1.4.0-2.el8.x86_64.rpm
[root@centos8 ~]# dnf -y install pptpd-1.4.0-2.el8.x86_64.rpm
Edit /etc/pptpd.conf
Go to the end of the file and append or modify the following (this is all that is needed; the server's own IP address does not matter here):
localip 192.168.18.1
remoteip 192.168.18.2-254
Edit /etc/ppp/options.pptpd
Most of the parameters in this file can keep their default values; only the ms-dns option needs to change, to assign DNS server addresses to the VPN clients:
Modify (ideally copy and paste the lines, then edit them):
ms-dns 8.8.8.8
ms-dns 114.114.114.114
Modify /etc/ppp/chap-secrets
This file holds the VPN usernames and passwords; fill it in as needed. As the comments in the file indicate, the first column is the username, the second the server name (the default pptpd is fine), the third the password and the fourth the IP restriction (write * for no restriction).
As shown in the figure below (no system user needs to be created):
Enable IP forwarding:
[root@centos8 ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
Apply the new setting:
[root@centos8 ~]# sysctl -p
net.ipv4.ip_forward = 1
For installing iptables, see: CentOS 8 firewall (netfilter)
First flush the existing firewall rules:
[root@centos8 ~]# iptables -t filter -F
[root@localhost ~]# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Add the firewall rules (the server has a single NIC, ens160, with IP address 192.168.168.154):
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.18.0/24 -o ens160 -j SNAT --to-source 192.168.168.154
iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
[root@centos8 ~]# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@centos8 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.18.0/24 0.0.0.0/0 to:192.168.168.154
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Save the firewall rules:
[root@centos8 ~]# iptables-save > /etc/sysconfig/iptables
[root@centos8 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.8.4 on Wed Sep 2 10:08:53 2020
*security
:INPUT ACCEPT [93:6662]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80:12264]
COMMIT
# Completed on Wed Sep 2 10:08:53 2020
# Generated by iptables-save v1.8.4 on Wed Sep 2 10:08:53 2020
*raw
:PREROUTING ACCEPT [94:6738]
:OUTPUT ACCEPT [80:12264]
COMMIT
# Completed on Wed Sep 2 10:08:53 2020
# Generated by iptables-save v1.8.4 on Wed Sep 2 10:08:53 2020
*mangle
:PREROUTING ACCEPT [94:6738]
:INPUT ACCEPT [94:6738]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80:12264]
:POSTROUTING ACCEPT [80:12264]
COMMIT
# Completed on Wed Sep 2 10:08:53 2020
# Generated by iptables-save v1.8.4 on Wed Sep 2 10:08:53 2020
*nat
:PREROUTING ACCEPT [3:482]
:INPUT ACCEPT [2:406]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:228]
-A POSTROUTING -s 192.168.18.0/24 -o ens160 -j SNAT --to-source 192.168.168.154
-A POSTROUTING -o ens160 -j MASQUERADE
COMMIT
# Completed on Wed Sep 2 10:08:53 2020
# Generated by iptables-save v1.8.4 on Wed Sep 2 10:08:53 2020
*filter
:INPUT ACCEPT [61:4782]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:7724]
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
COMMIT
# Completed on Wed Sep 2 10:08:53 2020
Restart the iptables service:
systemctl restart iptables
Start the pptpd service:
systemctl start pptpd
Enable pptpd to start at boot:
systemctl enable pptpd
TCP 1723 is the default PPTP control port; confirm that pptpd is listening on it:
[root@centos8 ~]# netstat -anp |grep 1723
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 1017/pptpd
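The three pieces of configuration above have to agree with each other: the localip/remoteip pool in /etc/pptpd.conf, the source subnet in the SNAT rule, and the user table in /etc/ppp/chap-secrets, which stores passwords in cleartext and therefore must stay readable by root only. The script below is an added example, not code from the original article or from pptpd: it checks those three things against constructed sample data so it can run on any machine without root. The password-length threshold, the sample user entries and the temporary file paths are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article): offline sanity checks for
# the pptpd address plan and the chap-secrets user table. All sample values
# below are constructed; the paths and the 12-character minimum are assumptions.

# Turn a dotted-quad address into an integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed when address $1 lies inside CIDR block $2 (e.g. 192.168.18.0/24).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Expand a pptpd remoteip value, one address per line. Handles the shorthand
# used in the article (192.168.18.2-254), single addresses and comma lists;
# the long form a.b.c.d-a.b.c.e is accepted only within a single /24.
expand_remoteip() {
    echo "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            *-*)
                prefix=${item%%-*}; prefix=${prefix%.*}   # 192.168.18
                lo=${item%%-*};     lo=${lo##*.}          # 2
                hi=${item#*-};      hi=${hi##*.}          # 254
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    echo "$prefix.$i"
                    i=$((i + 1))
                done ;;
            ?*) echo "$item" ;;
        esac
    done
}

# Check the address plan: the pool must be non-empty, must not contain the
# server's own localip, and must be covered by the SNAT source subnet (clients
# outside it would leave ens160 untranslated). Prints the pool size on
# success; reports the first problem on stderr and fails otherwise.
check_address_plan() {
    localip=$1; remoteip=$2; snat_net=$3
    pool=$(expand_remoteip "$remoteip")
    n=$(printf '%s\n' "$pool" | grep -c .)
    [ "$n" -gt 0 ] || { echo "remoteip pool is empty" >&2; return 1; }
    if printf '%s\n' "$pool" | grep -qxF "$localip"; then
        echo "localip $localip is inside the remoteip pool" >&2; return 1
    fi
    for ip in $pool; do
        in_cidr "$ip" "$snat_net" ||
            { echo "$ip is outside SNAT source $snat_net" >&2; return 1; }
    done
    echo "$n"
}

# Audit a chap-secrets file (columns: user, server, password, allowed IPs).
# Prints one finding per line: file not mode 600, malformed lines, a server
# column other than pptpd, short passwords, and users defined twice.
# Passwords are assumed to contain no whitespace.
audit_chap_secrets() {
    f=$1
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] ||
        echo "$f: mode is $mode, expected -rw------- (file holds cleartext passwords)"
    awk -v min=12 '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        NF < 4 { printf "line %d: expected 4 columns, found %d\n", NR, NF; next }
        { pw = $3; gsub(/^"|"$/, "", pw) }     # strip optional quotes
        $2 != "pptpd" { printf "user %s: server column is %s, expected pptpd\n", $1, $2 }
        length(pw) < min { printf "user %s: password shorter than %d characters\n", $1, min }
        seen[$1]++ == 1 { printf "user %s: defined more than once\n", $1 }
    ' "$f"
}

# --- demonstration with constructed data --------------------------------------
secrets=$(mktemp)
cat > "$secrets" <<'EOF'
# client    server  secret                  IP addresses
alice       pptpd   "correct-horse-battery" *
bob         pptpd   "swordfish"             192.168.18.5
EOF
chmod 600 "$secrets"
check_address_plan 192.168.18.1 192.168.18.2-254 192.168.18.0/24   # prints 253
audit_chap_secrets "$secrets"       # one finding: bob's password is short
rm -f "$secrets"
```

To check a real server, pass the localip and remoteip values from /etc/pptpd.conf together with the `-s` subnet of the SNAT rule to check_address_plan, and the path /etc/ppp/chap-secrets to audit_chap_secrets. The SNAT rule in the article only rewrites traffic from 192.168.18.0/24; the MASQUERADE rule that follows it catches anything else leaving ens160, so with a static server address the SNAT rule alone is sufficient.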
######
Connecting to the VPN from a Windows 7 client
C:\Users\jacky>ipconfig/all