This post uses Ubuntu Server 12.04 to show how to set up a PPTP VPN server.
On the hardware side, installing two network cards is preferable. NIC settings:

| | eth0 (internal) | eth1 (external) |
|---|---|---|
| IP | 192.168.1.10 | i.i.i.i (depends on your situation) |
| Gateway | none (this interface is not used for outbound traffic) | g.g.g.g (depends) |
| Mask | 255.255.255.0 | 255.255.255.0 (depends) |
| DNS | (if you have an internal DNS server, specify it here) | 8.8.8.8 (depends) |

For a fresh install, choose eth1 as the default network interface during installation. It is fine if DHCP fails (if your external connection uses DHCP, this problem does not arise); the next step lets you enter the external connection details manually, so fill them in according to your actual situation and the network will come up. When choosing packages to install, select only OpenSSH Server, and finish the rest of the install by following the prompts.
Configuration steps after installation:
- Become root
sudo -i
(enter your account password)
- Install pptpd
apt-get install pptpd
- Edit /etc/pptpd.conf
vi /etc/pptpd.conf
- Almost nothing needs changing; only localip and remoteip at the bottom have to be edited.
To explain: localip is the VPN server's real IP, i.e. the IP reachable from the Internet, and remoteip is the range of IPs you hand out to clients, much like DHCP.
###############################################################################
# $Id$
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
# The file named on the next line also needs to be edited later.
option /etc/ppp/pptpd-options
# TAG: debug
# Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam
# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
logwtmp
# TAG: bcrelay
# Turns on broadcast relay to clients from interface
#
#bcrelay eth1
# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses separated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
# The server's real IP; change to match your situation
localip i.i.i.i
# Internal IP range to hand out to clients; change to match your situation
remoteip 192.168.1.241-245
- Edit the /etc/ppp/pptpd-options file: enable ms-dns and set up the connection authentication options
###############################################################################
# $Id$
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################
# Authentication
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd
# Optional: domain name to use for authentication
# domain mydomain.net
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain
# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
#################################################################
# Note the settings below: if they are not enabled, or enabled incorrectly, clients may fail authentication and be unable to connect to the VPN
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
############################################
# Network and Routing
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2
# Set the DNS servers according to your situation
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Debian: do not replace the default route
nodefaultroute
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump
# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
- Edit /etc/ppp/chap-secrets. This file defines the users allowed to connect over the VPN; they are unrelated to system accounts. The passwords are stored in cleartext, so make sure the file is readable and writable by root only (mode 600). Follow the example below:
# Secrets for authentication using CHAP
# client server secret IP addresses
# username  leave as-is  password  IPs allowed to connect
vpn-user pptpd userpassword *
- After configuring, restart pptpd
/etc/init.d/pptpd restart
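As a check a practitioner would want once these three files are in place, here is an added audit script (example code written for this post, not part of the original post or of pptpd itself). It reads the files by path and reports the settings the steps above depend on: a localip that is still the i.i.i.i placeholder, the refuse-*/require-* directives in pptpd-options, and the 600 mode and entry shape of chap-secrets. The sample files it audits are constructed inline so it runs offline; the function names are this example's own.

```bash
#!/bin/bash
# Added example, not from the original post: audit a pptpd setup's config files
# for the settings the walkthrough above relies on. Every path is a parameter.

# pptpd.conf: localip must be a real dotted-quad (not the i.i.i.i placeholder)
# and a remoteip range must be present.
audit_pptpd_conf() {
    local f="$1" rc=0 ip
    ip=$(awk '$1 == "localip" { print $2 }' "$f")
    if ! printf '%s\n' "$ip" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "BAD localip '$ip' in $f (placeholder not replaced?)"
        rc=1
    fi
    grep -qE '^[[:space:]]*remoteip[[:space:]]' "$f" || { echo "MISSING remoteip in $f"; rc=1; }
    return $rc
}

# pptpd-options: PAP, CHAP and MS-CHAPv1 must be refused, MS-CHAPv2 and
# 128-bit MPPE required. A directive only counts if it is not commented out.
audit_pptpd_options() {
    local f="$1" rc=0 d
    for d in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        if ! grep -qE "^[[:space:]]*${d}([[:space:]]|$)" "$f"; then
            echo "MISSING $d in $f"
            rc=1
        fi
    done
    return $rc
}

# chap-secrets holds cleartext passwords: the file must be mode 600 (or 400),
# and every entry needs a secret and the server name "pptpd" that
# pptpd-options declares with "name pptpd".
audit_chap_secrets() {
    local f="$1" rc=0 mode client server secret ips
    mode=$(stat -c %a "$f")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "BAD PERMISSIONS: $f is mode $mode (expected 600)"
        rc=1
    fi
    while read -r client server secret ips; do
        case "$client" in ''|'#'*) continue ;; esac
        if [ -z "$secret" ] || [ "$server" != "pptpd" ]; then
            echo "BAD ENTRY for client '$client' in $f"
            rc=1
        fi
    done < "$f"
    return $rc
}

# Run all three audits; returns non-zero if any check failed.
audit_pptpd_setup() {
    local rc=0
    audit_pptpd_conf "$1" || rc=1
    audit_pptpd_options "$2" || rc=1
    audit_chap_secrets "$3" || rc=1
    return $rc
}

# Demonstration on constructed sample files (the real paths would be
# /etc/pptpd.conf, /etc/ppp/pptpd-options and /etc/ppp/chap-secrets).
demo_dir=$(mktemp -d)
cat > "$demo_dir/pptpd.conf" <<'EOF'
option /etc/ppp/pptpd-options
localip i.i.i.i
remoteip 192.168.1.241-245
EOF
cat > "$demo_dir/pptpd-options" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
#require-mppe-128
ms-dns 8.8.8.8
EOF
cat > "$demo_dir/chap-secrets" <<'EOF'
# client server secret IP addresses
vpn-user pptpd userpassword *
EOF
chmod 644 "$demo_dir/chap-secrets"
echo "== auditing constructed samples in $demo_dir (three findings expected) =="
if audit_pptpd_setup "$demo_dir/pptpd.conf" "$demo_dir/pptpd-options" "$demo_dir/chap-secrets"; then
    echo "audit OK"
else
    echo "audit FAILED"
fi
rm -rf "$demo_dir"
```

On the real server, run it as root with the three /etc paths; a clean run prints nothing but "audit OK", and each finding names the file and the directive to fix.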
Try connecting. OK, the connection succeeds, but... heh heh...
Why can't I reach any website after connecting?
Because the settings above only let external users connect to this host over PPTP and obtain an internal IP; NAT is not enabled by default, so reaching other IPs or websites is impossible!!!
So we continue with the NAT setup...
- First, enable packet forwarding (the IP forward feature)
vi /etc/sysctl.conf
# Correct the setting below (the original value is 0; change it to 1)
net.ipv4.ip_forward = 1
After saving, run sysctl -p to apply the setting immediately.
- Enter the command below to turn on IP forwarding (NAT)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
The command above forwards the 192.168.1.x subnet out through eth1 (the external interface).
- After this, users connecting through the VPN should be able to reach the Internet and other hosts!! But with this setup all ports are effectively wide open, which is somewhat dangerous, so when you get the chance you should also configure the iptables firewall.
----
After consulting 鳥哥's (Vbird's) page, the steps below let this machine also act as an IP-sharing NAT router and a simple firewall. If you follow these steps, the NAT step above can be skipped.
mkdir -p /usr/local/iptables
vi /usr/local/iptables/iptables.rule
- Add everything below, adjusting to your situation
#!/bin/bash
# Parameters
EXTIF="eth1"
INIF="eth0"
INNET="192.168.1.0/24"
export EXTIF INIF INNET
# Enable packet forwarding (same effect as net.ipv4.ip_forward = 1 in
# /etc/sysctl.conf) so the NAT step above does not have to be done separately
echo 1 > /proc/sys/net/ipv4/ip_forward
# Reset firewall rules
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow certain ICMP packets in
##AICMP="0 3 3/4 4 8 11 12 14 16 18"
#AICMP="0 8 17 18"
#for tyicmp in $AICMP
#do
# #iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
#iptables -A INPUT -i $INIF -p icmp --icmp-type $tyicmp -j ACCEPT
#done
# Allow everything from the internal network
iptables -A INPUT -i $INIF -s $INNET -j ACCEPT
# Only allow ssh and pptpd in
iptables -A INPUT -p TCP --dport 22 --sport 1024:65534 -j ACCEPT #SSH
iptables -A INPUT -p TCP --dport 1723 --sport 1024:65534 -j ACCEPT #PPTP
#iptables -A INPUT -p TCP --dport 53 --sport 1024:65534 -j ACCEPT #DNS
#iptables -A INPUT -p UDP --dport 53 --sport 1024:65534 -j ACCEPT #DNS
# Did connections suddenly stop working after updating pptpd? The newer pptpd needs
# GRE to get through, so protocol 47 must be opened before clients can connect!!
# This had me stuck for ages after a system update
iptables -A INPUT -p 47 -j ACCEPT
# Clear the NAT table
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Enable IP forwarding (NAT)
iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
# Dump the active rules to stdout for review; the script is re-run from
# rc.local at boot, so nothing needs to be persisted here
iptables-save
- Change the permissions so that only root can read, write and execute it
chmod 700 /usr/local/iptables/iptables.*
- With these steps you would have to run /usr/local/iptables/iptables.rule manually after every boot, which is too much trouble, so let it run automatically at boot:
vi /etc/rc.local
Add the line below before exit 0:
/usr/local/iptables/iptables.rule
Then save.
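A matching check for the firewall half, again added example code written for this post (not from 鳥哥's script, the original post, or iptables itself): it reads a rule dump in iptables-save format and verifies the properties the script above is meant to establish: INPUT policy DROP (so the "ports wide open" situation described earlier is gone), GRE accepted (the post-upgrade failure the script's comments describe), TCP/1723 accepted, and the MASQUERADE rule for the internal subnet. The dump it audits is constructed inline; on the real host you would run `iptables-save > /tmp/rules.txt` and pass that file. Function names are this example's own.

```bash
#!/bin/bash
# Added example, not from the original post: audit an iptables-save dump for the
# rules the iptables.rule script above is supposed to install.

# Print the TCP/UDP destination ports that INPUT accepts, space separated,
# e.g. "tcp/22 tcp/1723".
list_open_ports() {
    awk '/^-A INPUT / && /-j ACCEPT/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") out = out (out == "" ? "" : " ") proto "/" port
         }
         END { print out }' "$1"
}

# Return 0 when the dump has everything the PPTP+NAT box needs; print each
# missing piece otherwise. $2/$3 default to the subnet and interface used above.
audit_ruleset() {
    local f="$1" innet="${2:-192.168.1.0/24}" extif="${3:-eth1}" rc=0
    grep -q '^:INPUT DROP' "$f" \
        || { echo "INPUT policy is not DROP: every unlisted port is reachable"; rc=1; }
    # iptables-save writes "-p gre" for protocol 47 when /etc/protocols knows it
    grep -qE '^-A INPUT .*-p (gre|47)( .*)? -j ACCEPT' "$f" \
        || { echo "GRE (protocol 47) not accepted: PPTP tunnels will not come up"; rc=1; }
    grep -qE '^-A INPUT .*-p tcp .*--dport 1723 .*-j ACCEPT' "$f" \
        || { echo "TCP/1723 not accepted: clients cannot start a PPTP session"; rc=1; }
    grep -qE "^-A POSTROUTING -s ${innet} -o ${extif} -j MASQUERADE" "$f" \
        || { echo "no MASQUERADE for ${innet} via ${extif}: VPN users get no NAT"; rc=1; }
    return $rc
}

# Constructed sample in iptables-save format, as the script above would produce it.
demo=$(mktemp)
cat > "$demo" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65534 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65534 --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT
EOF
echo "open ports: $(list_open_ports "$demo")"
if audit_ruleset "$demo"; then echo "ruleset OK"; else echo "ruleset has findings"; fi
rm -f "$demo"
```

Running it after a reboot is a quick way to confirm that rc.local actually executed the script; if the policy line comes back ACCEPT or the GRE rule is missing, the script did not run or was edited incorrectly.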