Setting up pptpd on CentOS 6

Setting up pptpd breaks down into the following steps:
1. Download and install the packages
2. Configure the pptpd environment
3. Set up the gateway (NAT); steps 1 to 3 are done by the sh script
4. Test the result (the part I focus on here)
A caveat before starting: PPTP authenticates with MS-CHAPv2 and encrypts with MPPE, both of which have been publicly broken for years against an attacker who captures the handshake, so treat the tunnel as a routing convenience rather than a guarantee of confidentiality.

I installed pptpd with vpn_centos6.sh. After the install a Windows 7 client could connect to the VPN, but the browser could not reach the Internet.
1) First I turned on pptpd's debug mode
Edit /etc/pptpd.conf and remove the # in front of debug
Edit /etc/ppp/options.pptpd and remove the # in front of debug and dump
Then run service pptpd restart
2) Split the pptp log out of the system log
Edit /etc/rsyslog.conf and add
daemon.* /var/log/pptpd.log
Run service rsyslog restart
pptpd and pppd both log to the daemon facility, so this file receives both. The same lines still land in /var/log/messages; if you want them only in pptpd.log, follow the rule with a discard line (& ~ on the rsyslog 5 that ships with CentOS 6).
3) Connect from the VPN client
The VPN connection shows "No Internet connection"
The client's network state from ipconfig /all:
PPP adapter VPN Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VPN Connection
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.16.36.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled
The IPv4 address 172.16.36.2 is inside the range I configured. (A /32 subnet mask and a 0.0.0.0 default gateway are normal for a Windows PPP adapter; the route goes via the interface itself, so neither is a sign of trouble.)
4) Check the pptpd log
Jul 23 00:21:12 localhost pppd[1781]: rcvd [IPCP ConfReq id=0x9 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Jul 23 00:21:12 localhost pppd[1781]: sent [IPCP ConfNak id=0x9 <addr 172.16.36.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Jul 23 00:21:12 localhost pptpd[1780]: GRE: accepting packet #14
Jul 23 00:21:12 localhost pppd[1781]: rcvd [IPCP ConfReq id=0xa <addr 172.16.36.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Jul 23 00:21:12 localhost pppd[1781]: sent [IPCP ConfAck id=0xa <addr 172.16.36.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Jul 23 00:21:12 localhost pppd[1781]: Cannot determine ethernet address for proxy ARP
Jul 23 00:21:12 localhost pppd[1781]: local IP address 172.16.36.1
Jul 23 00:21:12 localhost pppd[1781]: remote IP address 172.16.36.2
Jul 23 00:21:12 localhost pppd[1781]: pptpd-logwtmp.so ip-up ppp0 vpn 183.167.211.6
Jul 23 00:21:13 localhost pptpd[1780]: GRE: accepting packet #15
Jul 23 00:21:13 localhost pptpd[1780]: GRE: accepting packet #16
One line stands out: Cannot determine ethernet address for proxy ARP. pppd prints it when options.pptpd has proxyarp enabled but no Ethernet interface shares a subnet with the peer address; on an OpenVZ container whose venet0 has no MAC address that is expected, and it does not block traffic. The IPCP ConfAck and the local/remote IP address lines show the PPP link itself came up correctly, which moves the search past PPP to forwarding and NAT.
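The reasoning above (IPCP completed, so the link is fine and the fault is further along) can be automated. The following is an added example, not code from the original post: it reads a pppd/pptpd session out of the log format shown above and returns a verdict on where to look next. The log lines are constructed to mirror the ones in the post (the client's public IP replaced with a documentation address); the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): summarise a pppd/pptpd session
# from /var/log/pptpd.log and say where to look next. SAMPLE_LOG is
# constructed in the format the post shows; on a real box use
#   diagnose "$(cat /var/log/pptpd.log)"

SAMPLE_LOG='Jul 23 00:21:12 localhost pppd[1781]: rcvd [IPCP ConfReq id=0x9 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Jul 23 00:21:12 localhost pppd[1781]: sent [IPCP ConfNak id=0x9 <addr 172.16.36.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Jul 23 00:21:12 localhost pptpd[1780]: GRE: accepting packet #14
Jul 23 00:21:12 localhost pppd[1781]: rcvd [IPCP ConfReq id=0xa <addr 172.16.36.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Jul 23 00:21:12 localhost pppd[1781]: sent [IPCP ConfAck id=0xa <addr 172.16.36.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Jul 23 00:21:12 localhost pppd[1781]: Cannot determine ethernet address for proxy ARP
Jul 23 00:21:12 localhost pppd[1781]: local IP address 172.16.36.1
Jul 23 00:21:12 localhost pppd[1781]: remote IP address 172.16.36.2
Jul 23 00:21:12 localhost pppd[1781]: pptpd-logwtmp.so ip-up ppp0 vpn 203.0.113.10'

# "local=<ip> remote=<ip>" from pppd's "local/remote IP address" lines (stdin).
session_ips() {
    awk '/pppd\[[0-9]+\]: local IP address/  { l = $NF }
         /pppd\[[0-9]+\]: remote IP address/ { r = $NF }
         END { if (l != "" && r != "") print "local=" l " remote=" r; else print "unknown" }'
}

# Address the server acknowledged in the last IPCP ConfAck, or "none" (stdin).
# A ConfAck means the client got its address and DNS: the PPP link is up.
ipcp_acked_addr() {
    sed -n 's/.*sent \[IPCP ConfAck .*<addr \([0-9.]*\)>.*/\1/p' | tail -n1 | grep . || echo none
}

# Number of proxy-ARP warnings (stdin). pppd prints this when options.pptpd has
# proxyarp but no Ethernet interface shares the pool's subnet; on OpenVZ venet0
# has no MAC address at all, so the warning is expected and not a fault.
proxyarp_warnings() {
    grep -c 'Cannot determine ethernet address for proxy ARP' || true
}

# One-line verdict for a whole log passed as the argument.
diagnose() {
    local addr
    addr=$(printf '%s\n' "$1" | ipcp_acked_addr)
    if [ "$addr" = none ]; then
        echo "ipcp-failed next=check GRE (protocol 47) and the MPPE/ppp modules"
    else
        echo "link-ok addr=$addr next=check ip_forward and the nat POSTROUTING rule"
    fi
}

printf '%s\n' "$SAMPLE_LOG" | session_ips
echo "proxy ARP warnings: $(printf '%s\n' "$SAMPLE_LOG" | proxyarp_warnings)"
diagnose "$SAMPLE_LOG"
```

On the log from the post this reports the link as up with 172.16.36.2 acknowledged, which is exactly the case where the next thing to inspect is the NAT rule rather than pptpd itself.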

5) I suspected the CentOS server's firewall settings. /etc/sysconfig/iptables contained:
-A POSTROUTING -s 172.16.36.0/24 -j SNAT --to-source 10.10.10.1
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 47 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 172.16.36.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356
I could not see anything wrong with it and did not know how to proceed.

6) Solution
1]. Run iptables-save
Compare the output of iptables-save with /etc/sysconfig/iptables. They must match (if they do not, check the config and try restarting the iptables service).
2]. Run ip a
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/void
inet 127.0.0.1/32 scope host venet0
inet fff.105.211.92/32 brd fff.105.211.92 scope global venet0:0
inet6 ffff:8700:101:1fd0::/128 scope global
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 10.10.10.1 peer 10.10.10.2/32 scope global tun0
Find the interface that carries the public IP; here it is venet0 (an OpenVZ virtual interface: link/void, no MAC address, which is also why pppd could not find an address for proxy ARP).
Back to the firewall config:
-A POSTROUTING -s 172.16.36.0/24 -j SNAT --to-source 10.10.10.1
This rule rewrites the source address of '172.16.36.0/24' (SNAT) to '10.10.10.1'.
To reach the Internet the traffic has to leave with the public IP as its source, and '10.10.10.1' is not it: it is the local end of tun0, a private address that nothing upstream can route replies back to. (The install script picked it because it takes the first non-127.0.0.1 address that ifconfig prints, and on this box that happened to be tun0.)
So
-A POSTROUTING -s 172.16.36.0/24 -j SNAT --to-source 10.10.10.1
---->
-A POSTROUTING -s 172.16.36.0/24 -j SNAT --to-source fff.105.211.92
or
-A POSTROUTING -o venet0 -j MASQUERADE
Then reboot (service iptables restart is enough).
Two notes on the rule set. Keep the -s 172.16.36.0/24 match on the MASQUERADE form as well; without it the box masquerades any traffic it forwards out venet0, not only the VPN pool, and with ip_forward=1 that is more NAT than you intend. And -A INPUT -p tcp --dport 47 does nothing useful: GRE is IP protocol 47, not a TCP port, and the -p gre rule next to it is what actually admits the tunnel.
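The check in this section (is the SNAT target actually a public address, and which interface carries the default route) is worth scripting so it can be re-run after any reinstall. The following is an added example, not code from the original post or from vpn_centos6.sh: it classifies the --to-source target of the POSTROUTING rule, finds the uplink interface from the routing table, and prints the corrected MASQUERADE plus matching FORWARD rules. The iptables-save and ip route samples are constructed from the situation in the post, and the function names and the 198.51.100.7 / 192.0.2.1 documentation addresses are my assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): check the pptpd NAT rule and
# emit a corrected one. SAMPLE_NAT and SAMPLE_ROUTE are constructed from the
# post; on a real box feed live output:
#   check_nat_target "$(iptables-save -t nat)"
#   nat_commands "$(ip -4 route show default | default_iface)"

VPN_NET="172.16.36.0/24"    # the pool set by localip/remoteip in /etc/pptpd.conf

# Exit 0 if the dotted quad is RFC 1918 space (10/8, 172.16/12, 192.168/16).
# A SNAT --to-source in these ranges means replies are addressed to a private
# IP the upstream cannot route back here: the client gets an address but
# never sees an answer, exactly the symptom in the post.
is_rfc1918() {
    local o1=${1%%.*} rest=${1#*.} o2
    o2=${rest%%.*}
    case "$o1.$o2" in
        10.*)    return 0 ;;
        192.168) return 0 ;;
        172.*)   [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
    esac
    return 1
}

# --to-source of the POSTROUTING SNAT rule for $VPN_NET in iptables-save text (stdin).
snat_target() {
    sed -n "s|^-A POSTROUTING -s $VPN_NET .*-j SNAT --to-source \([0-9.]*\).*|\1|p" | head -n1
}

# Verdict on one iptables-save dump (argument): "ok <ip>", "private <ip>" or "missing".
check_nat_target() {
    local target
    target=$(printf '%s\n' "$1" | snat_target)
    if [ -z "$target" ]; then
        echo missing
    elif is_rfc1918 "$target"; then
        echo "private $target"
    else
        echo "ok $target"
    fi
}

# Interface of the default route from `ip -4 route show default` (stdin).
# Handles both "default via 192.0.2.1 dev eth0 ..." and the OpenVZ form
# "default dev venet0 scope link" that goes with the post's venet0 interface.
default_iface() {
    sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n1
}

# Corrected rules for uplink interface $1. MASQUERADE uses the interface's
# current address, so no public IP is hard-coded, and the -s match keeps the
# box from masquerading anything other than the VPN pool. The FORWARD rules
# matter once the FORWARD chain policy is DROP or REJECT; they let only
# VPN-to-uplink traffic and its replies through.
nat_commands() {
    local dev=$1
    cat <<EOF
iptables -t nat -A POSTROUTING -s $VPN_NET -o $dev -j MASQUERADE
iptables -I FORWARD -i ppp+ -s $VPN_NET -o $dev -j ACCEPT
iptables -I FORWARD -i $dev -o ppp+ -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# constructed samples mirroring the post
SAMPLE_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.36.0/24 -j SNAT --to-source 10.10.10.1
COMMIT'
SAMPLE_ROUTE='default dev venet0  scope link'

check_nat_target "$SAMPLE_NAT"
nat_commands "$(printf '%s\n' "$SAMPLE_ROUTE" | default_iface)"
```

On the post's rule set this reports private 10.10.10.1 and generates the rules for venet0. Reading the interface from the routing table rather than from the order of ifconfig output is what makes the result stable on a box with extra tunnels such as tun0.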

7) Maintenance
Add a user:
sh vpn_centos6.sh // follow the prompts
Check user login history (pptpd-logwtmp.so writes a wtmp entry per session, as the ip-up line in the log shows):
last -f /var/log/wtmp
Check the log:
vi /var/log/pptpd.log

Attachment 1: vpn_centos6.sh
#!/bin/bash
# vpn_centos6.sh: install pptpd on CentOS 6, repair it, or add a VPN user.
# Run as root. The packages are fetched from third-party mirrors over plain
# HTTP and installed with rpm -ivh without signature checks, so verify the
# files (or rebuild the RPMs yourself) before trusting this on a real server.

VPN_NET="172.16.36.0/24"

# Name of the interface that carries the default route (eth0, or venet0 on
# OpenVZ). Masquerading behind this interface does not depend on which address
# ifconfig happens to list first, which is what produced the bad SNAT target.
function defaultIface(){
    ip -4 route show default | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n1
}

function installVPN(){
    echo "begin to install VPN services";
    #check whether the VPS supports ppp and tun: pptpd needs /dev/ppp, and tun must be enabled by the provider
    [ -e /dev/net/tun ] || echo "warning: /dev/net/tun is missing, ask the VPS provider to enable tun"

    #step1.clear old environment
    #note: this flushes the whole nat POSTROUTING and filter FORWARD chains, not only pptpd's rules
    yum remove -y pptpd ppp
    iptables --flush POSTROUTING --table nat
    iptables --flush FORWARD
    rm -rf /etc/pptpd.conf
    rm -rf /etc/ppp

    arch=`uname -m`

    #step2.get source (kernel_ppp_mppe has a second mirror; fetching both, as the
    #original did, just makes wget save the duplicate as *.1)
    wget http://www.hi-vps.com/downloads/dkms-2.0.17.5-1.noarch.rpm
    wget http://www.hi-vps.com/downloads/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm \
        || wget http://wty.name/linux/sources/kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
    wget http://www.hi-vps.com/downloads/pptpd-1.3.4-2.el6.$arch.rpm
    wget http://www.hi-vps.com/downloads/ppp-2.4.5-17.0.rhel6.$arch.rpm

    #step3.install source
    yum -y install make libpcap iptables gcc-c++ logrotate tar cpio perl pam tcp_wrappers
    rpm -ivh dkms-2.0.17.5-1.noarch.rpm
    rpm -ivh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
    rpm -qa kernel_ppp_mppe
    rpm -Uvh ppp-2.4.5-17.0.rhel6.$arch.rpm
    rpm -ivh pptpd-1.3.4-2.el6.$arch.rpm

    #step4.config pptpd
    [ -c /dev/ppp ] || mknod /dev/ppp c 108 0
    echo "[ -c /dev/ppp ] || mknod /dev/ppp c 108 0" >> /etc/rc.local
    #persist ip_forward in /etc/sysctl.conf, which CentOS 6 applies at boot (it ships with the value set to 0)
    sed -i 's/^net.ipv4.ip_forward *=.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1
    echo "localip 172.16.36.1" >> /etc/pptpd.conf
    echo "remoteip 172.16.36.2-254" >> /etc/pptpd.conf
    echo "ms-dns 8.8.8.8" >> /etc/ppp/options.pptpd
    echo "ms-dns 8.8.4.4" >> /etc/ppp/options.pptpd

    #random password unless one was given on the command line (sh vpn_centos6.sh <password>);
    #openssl rand takes its options before the byte count
    pass=`openssl rand -base64 6`
    if [ "$1" != "" ]
    then pass=$1
    fi

    echo "vpn pptpd ${pass} *" >> /etc/ppp/chap-secrets
    chmod 600 /etc/ppp/chap-secrets   #plaintext passwords: keep the file root-only

    #step5.setting firewall
    #Masquerade the VPN pool behind the uplink interface. The original rule
    #SNATed to the first address printed by ifconfig, which on this VPS was
    #tun0's 10.10.10.1, a private address that cannot reach the Internet.
    uplink=`defaultIface`
    iptables -t nat -A POSTROUTING -s $VPN_NET -o $uplink -j MASQUERADE
    iptables -A FORWARD -p tcp --syn -s $VPN_NET -j TCPMSS --set-mss 1356
    #control channel is TCP 1723; the data channel is GRE (IP protocol 47, not a TCP port)
    iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
    iptables -I INPUT -p gre -j ACCEPT
    service iptables save

    #step6.setting start with system
    chkconfig iptables on
    chkconfig pptpd on

    #step7.start pptpd
    service iptables start
    service pptpd start

    echo "VPN service is installed, your VPN username is vpn, VPN password is ${pass}"
}

function repaireVPN(){
    echo "begin to repair VPN";
    [ -c /dev/ppp ] || mknod /dev/ppp c 108 0
    sysctl -w net.ipv4.ip_forward=1
    service iptables restart
    service pptpd start
}

function addVPNuser(){
    echo "input user name:"
    read username
    echo "input password:"
    read -s userpassword     #-s: do not echo the password on the terminal
    echo
    echo "${username} pptpd ${userpassword} *" >> /etc/ppp/chap-secrets
    #pppd re-reads chap-secrets for every authentication, so no restart is
    #needed; just make sure the service is running
    service pptpd start
}

echo "which do you want to? input the number."
echo "1. install VPN service"
echo "2. repair VPN service"
echo "3. add VPN user"
read num

case "$num" in
1 ) installVPN "$1";;
2 ) repaireVPN;;
3 ) addVPNuser;;
*) echo "nothing, exit";;
esac
posted @ 2016-07-23 17:10 luoyanghero