Setting up an L2TP VPN server on Ubuntu 16.04

I had previously set up an L2TP VPN server on an Ubuntu machine, following this article:

https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_14.04.html

As the title shows, that article is written for 14.04. After upgrading to 16.04 I found that the openswan package is no longer in the official repositories, so the whole configuration procedure changed. To make it easy to reuse later, I am recording the complete process here.

Parts of the process are still the same as described in the article above.

1. Install packages

apt-get install strongswan xl2tpd ppp lsof

Note: strongswan replaces openswan here.

2. Configuration

Change the kernel forwarding settings

echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

Apply the settings:

sysctl -p

Add the following command to /etc/rc.local so that it runs at boot:

for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done

Configure strongswan (ipsec)

Edit /etc/ipsec.conf

version 2 # conforms to second version of ipsec.conf specification

config setup
conn L2TP-PSK-noNAT
authby=secret
#shared secret. Use rsasig for certificates.

auto=add
#the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.

keyingtries=3
#Only negotiate a conn. 3 times.

ikelifetime=8h
keylife=1h

ike=aes256-sha1,aes128-sha1,3des-sha1

type=transport
#because we use l2tp as tunnel protocol

left=%any
#fill in server IP above

leftprotoport=17/1701
right=%any
rightprotoport=17/%any

dpddelay=10
# Dead Peer Detection (RFC 3706) keepalive delay
dpdtimeout=20
# length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
dpdaction=clear
# When a DPD-enabled peer is declared dead, what action should be taken. clear means the eroute and SA will both be cleared.

Compared with the original article, this configuration drops many options that are deprecated or unsupported in strongswan. Also, left=%any means the server accepts connections on any local address; to configure a single address only, replace %any with that address.

Next, configure the shared secret in /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

%any : PSK "PASSWORD"

Likewise, the format of this file differs slightly from the original article's, and it applies to any server address. Replace "PASSWORD" with a sufficiently long and secure password.

Configure xl2tpd

Edit /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
saref refinfo = 30

;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
ip range = 192.168.100.100 - 192.168.100.200
local ip = 192.168.100.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Be sure to adjust the two lines ip range and local ip.

Then edit /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 192.168.1.1
ms-dns 192.168.1.2
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Change the ms-dns entries to the DNS servers you want VPN clients to use.

Add users

Edit the file /etc/ppp/chap-secrets:

# Secrets for authentication using CHAP
# client server secret IP addresses
alice l2tpd password1 *
bob l2tpd password2 *

3. Run and test

Run the following commands to restart the services:

ipsec restart
service xl2tpd restart

Now try connecting with a client!
If the connection fails, check the following logs:

/var/log/syslog
/var/log/auth.log
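Before restarting the services in step 3, it is worth a quick sanity check of the files edited in step 2: that the "PASSWORD" placeholder in /etc/ipsec.secrets was actually replaced, that both secret files are not world-readable, that PAP is refused and MS-CHAPv2 required, and that forwarding is enabled. The script below is an added example, not part of the original post; the check_l2tp_config function and its optional root-prefix argument (so it can be run against a copy of the files) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the configuration files
# this post edits. $1 is an optional root prefix (assumed layout: the real
# paths under that prefix) so the checks can run against a copy; default "/".
check_l2tp_config() {
  root="${1:-/}"
  fail=0
  secrets="$root/etc/ipsec.secrets"
  chap="$root/etc/ppp/chap-secrets"
  xl2tpd="$root/etc/xl2tpd/xl2tpd.conf"
  pppopt="$root/etc/ppp/options.xl2tpd"
  sysctl="$root/etc/sysctl.conf"

  # The PSK is shared by every client: the placeholder from the post must be
  # replaced and the secret should be long. Extract the quoted value after PSK.
  psk=$(sed -n 's/^[^#]*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$secrets" 2>/dev/null | head -n 1)
  if [ -z "$psk" ]; then
    echo "FAIL: no PSK line found in $secrets"; fail=1
  elif [ "$psk" = "PASSWORD" ] || [ "${#psk}" -lt 20 ]; then
    echo "FAIL: PSK is the placeholder or shorter than 20 characters"; fail=1
  fi

  # Both files hold plaintext credentials: only the owner should read them.
  for f in "$secrets" "$chap"; do
    mode=$(stat -c %a "$f" 2>/dev/null || echo missing)
    case "$mode" in
      600|400) ;;
      *) echo "FAIL: $f mode is $mode, expected 600"; fail=1 ;;
    esac
  done

  # PAP would carry the user password in clear inside the PPP session.
  grep -Eq '^[[:space:]]*refuse pap[[:space:]]*=[[:space:]]*yes' "$xl2tpd" 2>/dev/null \
    || { echo "FAIL: 'refuse pap = yes' missing in $xl2tpd"; fail=1; }
  grep -Eq '^[[:space:]]*require authentication[[:space:]]*=[[:space:]]*yes' "$xl2tpd" 2>/dev/null \
    || { echo "FAIL: 'require authentication = yes' missing in $xl2tpd"; fail=1; }
  grep -Eq '^[[:space:]]*require-mschap-v2' "$pppopt" 2>/dev/null \
    || { echo "FAIL: require-mschap-v2 missing in $pppopt"; fail=1; }

  # Without forwarding, clients connect but cannot reach anything beyond the server.
  grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$sysctl" 2>/dev/null \
    || { echo "FAIL: net.ipv4.ip_forward = 1 not in $sysctl"; fail=1; }

  [ "$fail" -eq 0 ] && echo "OK: all checks passed"
  return "$fail"
}
```

Run it as root with no argument to check the live system; a non-zero exit status means at least one finding was printed.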