Asked by Tif*_*ker (score: -2). Tags: linux, vpn, routing, pptp, centos
Question: how do I get PPTP to connect to the internet?
iptables:
#!/bin/sh
#openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 199.101.x.x
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 199.101.x.x
#pptp
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
Guide: http://safesrv.net/setup-pptp-and-freeradius-on-centos-5/
ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:AC:F3:C4
inet addr:199.101.x.x Bcast:199.101.x.x Mask:255.255.255.192
inet6 addr: fe80::216:3eff:feac:f3c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1264874 errors:0 dropped:0 overruns:0 frame:0
TX packets:226234 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:144280558 (137.5 MiB) TX bytes:83158009 (79.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:11 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1417 (1.3 KiB) TX bytes:1417 (1.3 KiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:10.0.0.1 P-t-P:10.0.0.10 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1396 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:142 (142.0 b) TX bytes:94 (94.0 b)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:76887 errors:0 dropped:0 overruns:0 frame:0
TX packets:93454 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:11624030 (11.0 MiB) TX bytes:55299615 (52.7 MiB)
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.0.11 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
199.101.100.192 0.0.0.0 255.255.255.192 U 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 199.101.100.193 0.0.0.0 UG 0 0 0 eth0
199.101.100.192/193 is not my server IP.
1. Check that you can ping the VPN server from the client:
   ping 10.0.0.1
2. Check that you can ping google by IP:
   ping 8.8.8.8
3. Check that you can ping google by name:
   ping google.com
If 1 fails, something is wrong with pptp.
If 1 and 2 succeed but 3 fails, it is a DNS problem. Go to step 1 in the next section.
If 1 succeeds but 2 fails, it is a routing problem. Go to step 2 in the next section.
Check /etc/ppp/pptpd-options for the following line/option:
ms-dns <dns server IP>
This will be the DNS server handed out to the VPN clients.
Restart pptpd, reconnect the VPN client, and run the VPN client tests above again.
On the VPN server, check the output of:
cat /proc/sys/net/ipv4/ip_forward
If the output above is 0, that is the problem; fix it as follows:
echo 1 > /proc/sys/net/ipv4/ip_forward
Add or uncomment the following line in /etc/sysctl.conf to make the change permanent:
net.ipv4.ip_forward=1
Run the VPN client tests above again.
Try the following rules; this includes flushing iptables:
# Reset/Flush iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush end
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
# Allow localhost traffic
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
# Allow server and internal network to go anyway
iptables -A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
iptables -A INPUT -s 199.101.100.10 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
# Allow ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Options in /etc/ppp/pptpd-options:
localip 10.0.0.1
remoteip 10.0.0.10-100
Also check that you have the following in /etc/ppp/pptpd-options:
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
lock
nobsdcomp
Jan 11 11:39:27 vpn12 pppd[1155]: Cannot determine ethernet address for proxy ARP
Add or uncomment proxyarp in /etc/ppp/options.
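The troubleshooting steps above (ip_forward, NAT out of eth0, TCP/1723 and GRE accepted, forwarding for ppp+, ms-dns and the auth options in pptpd-options) can be checked mechanically. The script below is an added example and not code from the thread or from the pptpd project: it audits saved copies of `iptables-save` output, `/proc/sys/net/ipv4/ip_forward` and `/etc/ppp/pptpd-options`, so it runs offline. `VPN_NET` and `WAN_IF` are assumptions taken from the answer's `localip`/`remoteip` and the asker's `eth0`; the "before" and "after" sample files it writes are constructed, not captured from the asker's server.

```shell
#!/bin/sh
# Added example, not code from the original thread: an offline audit of the items
# the troubleshooting answer walks through, run against saved copies of
# `iptables-save` output, /proc/sys/net/ipv4/ip_forward and /etc/ppp/pptpd-options.
# VPN_NET and WAN_IF are assumptions taken from the thread; the before/after
# sample files below are constructed, not captured from the asker's server.
VPN_NET="10.0.0.0/24"   # assumption: the pptpd localip/remoteip pool from the answer
WAN_IF="eth0"           # assumption: the interface holding the public address

# table_lines <iptables-save file> <table>: rules of one table only, so that a
# ':INPUT ACCEPT' policy line in *nat is not mistaken for the filter policy.
table_lines() {
    awk -v t="*$2" '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on' "$1"
}

# check_pptp_server <iptables-save file> <ip_forward file> <pptpd-options file>
# Prints one "FAIL ..." line per missing item; returns 0 only when all pass.
check_pptp_server() {
    rules=$1; fwd=$2; opts=$3; rc=0
    # 1. Kernel must forward between ppp+ and the WAN interface.
    [ "$(cat "$fwd")" = "1" ] || { echo "FAIL net.ipv4.ip_forward is not 1"; rc=1; }
    # 2. Client traffic leaving the WAN interface must be MASQUERADEd or SNATed.
    table_lines "$rules" nat | awk -v wan="-o $WAN_IF" '
        $1 == "-A" && $2 == "POSTROUTING" && index($0, wan) && /-j (MASQUERADE|SNAT)/ { ok = 1 }
        END { exit ok ? 0 : 1 }' \
        || { echo "FAIL no POSTROUTING MASQUERADE/SNAT for traffic leaving $WAN_IF"; rc=1; }
    # 3. Unless INPUT policy is ACCEPT, both PPTP channels need explicit rules:
    #    TCP/1723 (control) and GRE, IP protocol 47 (data).
    if ! table_lines "$rules" filter | grep -q '^:INPUT ACCEPT'; then
        table_lines "$rules" filter | grep -Eq -- '^-A INPUT .*--dport 1723 .*-j ACCEPT' \
            || { echo "FAIL INPUT does not accept tcp/1723 (PPTP control channel)"; rc=1; }
        table_lines "$rules" filter | grep -Eq -- '^-A INPUT .*-p (gre|47) .*-j ACCEPT' \
            || { echo "FAIL INPUT does not accept GRE (PPTP data channel)"; rc=1; }
    fi
    # 4. FORWARD must pass ppp+ <-> WAN traffic: policy ACCEPT or an explicit ppp+ rule.
    if ! table_lines "$rules" filter | grep -q '^:FORWARD ACCEPT' \
       && ! table_lines "$rules" filter | grep -q -- '^-A FORWARD .*ppp+.* -j ACCEPT'; then
        echo "FAIL FORWARD has neither an ACCEPT policy nor a ppp+ ACCEPT rule"; rc=1
    fi
    # 5. Clients only get a resolver if pptpd pushes one (the "1,2 pass, 3 fails" case).
    grep -Eq '^[[:space:]]*ms-dns[[:space:]]+[0-9.]+' "$opts" \
        || { echo "FAIL pptpd-options has no ms-dns line"; rc=1; }
    # 6. Authentication options the answer lists: no PAP, MS-CHAPv2 with 128-bit MPPE.
    for opt in refuse-pap require-mschap-v2 require-mppe-128; do
        grep -Eq "^[[:space:]]*$opt([[:space:]]|$)" "$opts" \
            || { echo "FAIL pptpd-options lacks $opt"; rc=1; }
    done
    return $rc
}

# count_failures <rules> <ip_forward> <options>: number of FAIL lines, for scripting.
count_failures() {
    check_pptp_server "$@" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# write_samples <dir>: constructed before/after snapshots. The "before" state is an
# assumed one (forwarding off, no GRE or FORWARD rule, no ms-dns, no MPPE option).
write_samples() {
    d=$1
    printf '0\n' > "$d/broken.ip_forward"
    printf '1\n' > "$d/fixed.ip_forward"
    printf '%s\n' 'name pptpd' 'refuse-pap' 'require-mschap-v2' 'proxyarp' > "$d/broken.options"
    printf '%s\n' 'name pptpd' 'refuse-pap' 'refuse-chap' 'refuse-mschap' 'require-mschap-v2' \
        'require-mppe-128' 'ms-dns 8.8.8.8' 'proxyarp' 'lock' 'nobsdcomp' > "$d/fixed.options"
    cat > "$d/broken.rules" <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -m tcp --dport 1723 -j ACCEPT
COMMIT
EOF
    cat > "$d/fixed.rules" <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i $WAN_IF -p gre -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Stand-alone demo over the constructed snapshots.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "== before =="; check_pptp_server "$tmp/broken.rules" "$tmp/broken.ip_forward" "$tmp/broken.options" || true
echo "== after =="; check_pptp_server "$tmp/fixed.rules" "$tmp/fixed.ip_forward" "$tmp/fixed.options" && echo "all checks passed"
rm -rf "$tmp"
```

Run it as-is to see the audit of the constructed before/after snapshots; on a real CentOS box, feed it `iptables-save > rules`, `/proc/sys/net/ipv4/ip_forward` and `/etc/ppp/pptpd-options` instead. The rules are parsed per table on purpose: `iptables-save` prints a `:INPUT ACCEPT` policy line for the nat table as well, so a naive `grep` would report an open INPUT policy on a firewall whose filter policy is DROP. Check 6 only confirms that the answer's options are present; MS-CHAPv2 with MPPE is the strongest pptpd offers, and the MS-CHAPv2 exchange can be broken by brute-forcing a single DES key, so passing that check does not make PPTP a sound choice for anything sensitive.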
Add the following at the end of /etc/radiusclient/dictionary.microsoft:
#
# Experimental extensions, configuration only (for check-items)
# Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE NAS-Identifier 32 string
ATTRIBUTE Proxy-State 33 string
ATTRIBUTE Login-LAT-Service 34 string
ATTRIBUTE Login-LAT-Node 35 string
ATTRIBUTE Login-LAT-Group 36 string
ATTRIBUTE Framed-AppleTalk-Link 37 integer
ATTRIBUTE Framed-AppleTalk-Network 38 integer
ATTRIBUTE Framed-AppleTalk-Zone 39 string
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer
# 8 is a MERIT extension.
VALUE Service-Type Authenticate-Only 8