VPN 对比:
OpenVPN: 客户端连接太麻烦,放弃 PPTP VPN:版本较高的苹果手机没有 PPTP VPN 的连接方式,放弃 L2TP VPN:支持所有平台,客户端连接容易,最终选择部署 L2TP VPN
一键安装 L2TP VPN :
wget --no-check-certificate https://raw.githubusercontent.com/teddysun/across/master/l2tp.sh sh l2tp.sh
修改配置:
- 编辑 /etc/ipsec.conf ,将 left、leftid 修改为公网IP ,并在 conn L2TP-PSK-noNAT 下加入 sha2-truncbug=yes
- 编辑 /etc/xl2tpd/xl2tpd.conf ,将 listen-addr 修改为公网IP
- 编辑 /etc/sysconfig/iptables ,替换为如下内容(红色字体为 VPN 虚拟网段):
*nat
:PREROUTING ACCEPT [39:3503]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.18.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jun 28 15:50:40 2012
# # Generated by iptables-save v1.4.7 on Thu Jun 28 15:50:40 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [121:13264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
#
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.18.0/24 -j ACCEPT
-A FORWARD -s 192.168.18.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# # Completed on Thu Jun 28 15:50:40 2012
4. 重启:
/etc/init.d/iptables restart
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
如果Windwos不能连接,参考:http://blog.sina.com.cn/s/blog_6390cb4c0101p8vb.html
本文参考:http://dingxuan.info/blog/post/setup-l2tp-vpn-server-with-ipsec-in-centos6.php?page=2&part=1
扩展:PPTP VPN 一键安装脚本 -- http://www.hi-vps.com/shell/vpn_centos6.sh