2013-03-04

Setting Up a VPN Server on Ubuntu

A VPN is really practical these days: it lets you reach your company's internal network resources from home, so you can work remotely~ (whether it runs smoothly still depends on network speed and whether the hardware is strong enough @@)

This post uses Ubuntu Server 12.04 to walk through the setup.



First, on the hardware side it is better to install two network cards. Network card settings:

              eth0 (internal)                           eth1 (external)
IP            192.168.1.10                              i.i.i.i (depends on your situation)
Gateway       none (this side does not face outside)    g.g.g.g (as appropriate)
Mask          255.255.255.0                             255.255.255.0 (as appropriate)
DNS           (internal DNS server, if you have one)    8.8.8.8 (as appropriate)

If this is a fresh install, pick eth1 as the default network interface during installation. It does not matter if DHCP fails there (if your external connection uses DHCP this problem does not arise): the next step lets you enter the external connection details by hand, so fill them in according to your actual situation and the network will come up. When choosing packages to install, select only OpenSSH Server; for the rest just follow the prompts to finish the installation.

Configuration steps after installation:

  1. Become root
    sudo -i
    (enter your account password)
  2. Install pptpd
    apt-get install pptpd
  3. Edit /etc/pptpd.conf
    vi /etc/pptpd.conf
  4. Almost nothing needs changing; only localip and remoteip at the bottom need editing.
    To explain: localip is the VPN server's real IP, that is, the IP reachable from the internet; remoteip is the IP range handed out to clients, much like DHCP.
    ###############################################################################
    # $Id$
    #
    # Sample Poptop configuration file /etc/pptpd.conf
    #
    # Changes are effective when pptpd is restarted.
    ###############################################################################
    
    # TAG: ppp
    #       Path to the pppd program, default '/usr/sbin/pppd' on Linux
    #
    #ppp /usr/sbin/pppd
    
    # TAG: option
    #       Specifies the location of the PPP options file.
    #       By default PPP looks in '/etc/ppp/options'
    #
    # The file named on the next line also needs editing later (step 5).
    option /etc/ppp/pptpd-options
    
    # TAG: debug
    #       Turns on (more) debugging to syslog
    #
    #debug
    
    # TAG: stimeout
    #       Specifies timeout (in seconds) on starting ctrl connection
    #
    # stimeout 10
    
    # TAG: noipparam
    #       Suppress the passing of the client's IP address to PPP, which is
    #       done by default otherwise.
    #
    #noipparam
    
    # TAG: logwtmp
    #       Use wtmp(5) to record client connections and disconnections.
    #
    logwtmp
    # TAG: bcrelay
    #       Turns on broadcast relay to clients from interface
    #
    #bcrelay eth1
    
    # TAG: localip
    # TAG: remoteip
    #       Specifies the local and remote IP address ranges.
    #
    #       Any addresses work as long as the local machine takes care of the
    #       routing.  But if you want to use MS-Windows networking, you should
    #       use IP addresses out of the LAN address space and use the proxyarp
    #       option in the pppd options file, or run bcrelay.
    #
    #       You can specify single IP addresses separated by commas or you can
    #       specify ranges, or both. For example:
    #
    #               192.168.0.234,192.168.0.245-249,192.168.0.254
    #
    #       IMPORTANT RESTRICTIONS:
    #
    #       1. No spaces are permitted between commas or within addresses.
    #
    #       2. If you give more IP addresses than MAX_CONNECTIONS, it will
    #          start at the beginning of the list and go until it gets
    #          MAX_CONNECTIONS IPs. Others will be ignored.
    #
    #       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
    #          you must type 234-238 if you mean this.
    #
    #       4. If you give a single localIP, that's ok - all local IPs will
    #          be set to the given one. You MUST still give at least one remote
    #          IP for each simultaneous client.
    #
    # (Recommended)
    #localip 192.168.0.1
    #remoteip 192.168.0.234-238,192.168.0.245
    # or
    #localip 192.168.0.234-238,192.168.0.245
    #remoteip 192.168.1.234-238,192.168.1.245
    
    # The server's real IP; change to match your situation
    localip i.i.i.i
    
    # Internal IP range to hand out to clients; change to match your situation
    remoteip 192.168.1.241-245
  5. Edit /etc/ppp/pptpd-options: enable ms-dns and configure the connection authentication settings
    ###############################################################################
    # $Id$
    #
    # Sample Poptop PPP options file /etc/ppp/pptpd-options
    # Options used by PPP when a connection arrives from a client.
    # This file is pointed to by /etc/pptpd.conf option keyword.
    # Changes are effective on the next connection.  See "man pppd".
    #
    # You are expected to change this file to suit your system.  As
    # packaged, it requires PPP 2.4.2 and the kernel MPPE module.
    ###############################################################################
    
    # Authentication
    
    # Name of the local system for authentication purposes
    # (must match the second field in /etc/ppp/chap-secrets entries)
    name pptpd
    
    # Optional: domain name to use for authentication
    # domain mydomain.net
    
    # Strip the domain prefix from the username before authentication.
    # (applies if you use pppd with chapms-strip-domain patch)
    #chapms-strip-domain
    
    # Encryption
    # Debian: on systems with a kernel built with the package
    # kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
    # {{{
    
    #################################################################
    # Note the settings below: if they are not enabled, or enabled wrongly, clients may fail authentication when connecting to the VPN
    refuse-pap
    refuse-chap
    refuse-mschap
    # Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
    # Challenge Handshake Authentication Protocol, Version 2] authentication.
    require-mschap-v2
    # Require MPPE 128-bit encryption
    # (note that MPPE requires the use of MSCHAP-V2 during authentication)
    require-mppe-128
    # }}}
    ############################################
    
    # Network and Routing
    
    # If pppd is acting as a server for Microsoft Windows clients, this
    # option allows pppd to supply one or two DNS (Domain Name Server)
    # addresses to the clients.  The first instance of this option
    # specifies the primary DNS address; the second instance (if given)
    # specifies the secondary DNS address.
    # Attention! This information may not be taken into account by a Windows
    # client. See KB311218 in Microsoft's knowledge base for more information.
    #ms-dns 10.0.0.1
    #ms-dns 10.0.0.2
    # Set the DNS servers to match your situation
    ms-dns 8.8.8.8
    ms-dns 8.8.4.4
    # If pppd is acting as a server for Microsoft Windows or "Samba"
    # clients, this option allows pppd to supply one or two WINS (Windows
    # Internet Name Services) server addresses to the clients.  The first
    # instance of this option specifies the primary WINS address; the
    # second instance (if given) specifies the secondary WINS address.
    #ms-wins 10.0.0.3
    #ms-wins 10.0.0.4
    
    # Add an entry to this system's ARP [Address Resolution Protocol]
    # table with the IP address of the peer and the Ethernet address of this
    # system.  This will have the effect of making the peer appear to other
    # systems to be on the local ethernet.
    # (you do not need this if your PPTP server is responsible for routing
    # packets to the clients -- James Cameron)
    proxyarp
    
    # Debian: do not replace the default route
    nodefaultroute
    
    # Logging
    
    # Enable connection debugging facilities.
    # (see your syslog configuration for where pppd sends to)
    #debug
    
    # Print out all the option values which have been set.
    # (often requested by mailing list to verify options)
    #dump
    
    # Miscellaneous
    
    # Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
    # access.
    lock
    
    # Disable BSD-Compress compression
    nobsdcomp
  6. Edit /etc/ppp/chap-secrets. This file defines the users allowed to connect over the VPN; they are unrelated to system accounts. The passwords are stored in clear text, so be sure the permissions let only root read and write it (600). Follow the example below:
    # Secrets for authentication using CHAP
    # client        server  secret                  IP addresses
    # account name  keep    password                IPs allowed to connect
    vpn-user        pptpd   userpassword            *
  7. Once configured, restart pptpd
    /etc/init.d/pptpd restart
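Steps 3 and 4 set localip and remoteip. The shell function below is an added example, not code from the original post: it checks a remoteip value against the four restrictions quoted in the sample file's comments and expands it into the addresses pptpd would assign; the MAX_CONNECTIONS default of 100 is an assumption taken from pptpd's connections tag.

```shell
#!/bin/sh
# Added example, not from the original post: check a pptpd.conf "remoteip"
# value against the restrictions quoted in the sample file's comments and
# expand it to the client addresses pptpd would hand out, one per line.
# MAX_CONNECTIONS is the optional second argument; the assumed default of
# 100 is what pptpd's "connections" tag uses when it is not set.

# Usage: expand_remoteip SPEC [MAX]. Prints the addresses and returns 0, or
# prints the broken rule on stderr and returns 1.
expand_remoteip() {
    printf '%s\n' "$1" | awk -F, -v max="${2:-100}" '
    function fail(msg) { failed = 1; print "remoteip: " msg > "/dev/stderr"; exit 1 }
    # Rule 1: no spaces between commas or within addresses.
    /[ \t]/ { fail("no spaces are permitted") }
    {
        for (i = 1; i <= NF; i++) {
            if (split($i, oct, ".") != 4) fail("not a dotted quad: " $i)
            lo = oct[4]; hi = oct[4]
            if (split(oct[4], r, "-") == 2) { lo = r[1]; hi = r[2] }  # a.b.c.x-y
            for (k = 1; k <= 3; k++)
                if (oct[k] !~ /^[0-9]+$/ || oct[k] + 0 > 255) fail("bad octet in " $i)
            if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/ || hi + 0 > 255) fail("bad host part in " $i)
            # Rule 3: no shortcuts; 234-8 is rejected, it must be written 234-238.
            if (hi + 0 < lo + 0) fail("no shortcuts in ranges: " $i)
            for (a = lo + 0; a <= hi + 0; a++) {
                # Rule 2: pptpd ignores addresses beyond MAX_CONNECTIONS.
                if (count < max) print oct[1] "." oct[2] "." oct[3] "." a
                count++
            }
        }
    }
    END {
        # Rule 4: at least one remote IP is required for each client.
        if (!failed && count == 0) fail("at least one remote IP is required")
        if (count > max) print "remoteip: only the first " max " of " count \
            " addresses will be used" > "/dev/stderr"
    }'
}

# Number of simultaneous clients a value provides (one remote IP per client).
count_remoteip() { expand_remoteip "$1" "$2" | wc -l | tr -d ' '; }
```

Run it on the value from step 4, `expand_remoteip 192.168.1.241-245`, to see the five addresses the server can hand out.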
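For step 6, here is an added preflight check (example code, not part of the original post) that confirms chap-secrets is mode 600 and that each entry's server field matches the name set in pptpd-options; the file paths it takes and the sample entries it constructs are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: a preflight check for the
# /etc/ppp/chap-secrets file of step 6. It confirms the file is mode 600
# (the passwords are in clear text) and that every entry's server field
# equals the "name" set in /etc/ppp/pptpd-options, which pppd uses to look
# the entry up. Entries are assumed to use unquoted fields, as in the post.

# Usage: check_chap_secrets PPTPD_OPTIONS CHAP_SECRETS
# Prints each problem found; returns 0 only when there are none.
check_chap_secrets() {
    opts=$1; secrets=$2; problems=0
    srvname=$(awk '$1 == "name" { print $2; exit }' "$opts")
    if [ -z "$srvname" ]; then
        echo "$opts: no 'name' option set"; problems=$((problems + 1))
    fi
    # find -perm 600 matches that exact mode, so any group/other bit fails it.
    if [ -z "$(find "$secrets" -prune -perm 600 2>/dev/null)" ]; then
        echo "$secrets: must be mode 600 (owner read/write only)"
        problems=$((problems + 1))
    fi
    # Each entry is: client  server  secret  address(es). Skip comments/blanks.
    bad=$(awk -v srv="$srvname" -v f="$secrets" '
        /^[ \t]*(#|$)/ { next }
        NF < 4    { printf "%s:%d: expected client server secret addresses\n", f, NR; next }
        $2 != srv { printf "%s:%d: server \"%s\" does not match name \"%s\"\n", f, NR, $2, srv }
    ' "$secrets")
    if [ -n "$bad" ]; then
        echo "$bad"; problems=$((problems + $(printf '%s\n' "$bad" | wc -l)))
    fi
    [ "$problems" -eq 0 ]
}

# Runs the check on constructed sample files (not real /etc/ppp content): a
# good pair first, then the same secrets file with a bad mode and a bad entry.
demo_chap_secrets() {
    d=$(mktemp -d) || return 2
    printf 'name pptpd\nrefuse-pap\nrequire-mschap-v2\n' > "$d/pptpd-options"
    printf '# client  server  secret  IP addresses\nvpn-user pptpd userpassword *\n' > "$d/chap-secrets"
    chmod 600 "$d/chap-secrets"
    if check_chap_secrets "$d/pptpd-options" "$d/chap-secrets"; then good=0; else good=1; fi
    chmod 644 "$d/chap-secrets"
    echo 'bob wrongname pw *' >> "$d/chap-secrets"
    if check_chap_secrets "$d/pptpd-options" "$d/chap-secrets"; then bad=0; else bad=1; fi
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

On the real server, run it as root with `check_chap_secrets /etc/ppp/pptpd-options /etc/ppp/chap-secrets` before restarting pptpd in step 7.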
Try connecting... OK~ the connection succeeds, but.... heh heh...

Why can't I reach any website after connecting?

Because the settings above only let external users connect to this host over PPTP and obtain an internal IP; NAT is not enabled by default, so reaching other IPs or websites is impossible!!!

So let's continue with the NAT setup...


  1. First enable packet forwarding (the IP forward function)
    vi /etc/sysctl.conf
    # Just correct the setting below! (the original value is 0; change it to 1)
    net.ipv4.ip_forward = 1

    After saving, run sysctl -p so the setting takes effect immediately.
  2. Enter the command below to turn on NAT forwarding
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE

    The command above forwards the 192.168.1.x subnet out through eth1 (the external interface).
  3. After the settings above, users connecting through the VPN should be able to reach the internet and other hosts!! But this leaves all ports open, which is somewhat dangerous, so when you get the chance you should also configure the iptables firewall

----

After consulting 鳥哥 (VBird)'s web page, you can follow the steps below to make this machine also act as an IP sharing device and a simple firewall. If you set it up this way, the steps above can be skipped~
  1. mkdir -p /usr/local/iptables
    vi /usr/local/iptables/iptables.rule
  2. Add all of the following, modifying as needed
    #!/bin/bash
    
    # Parameters
    EXTIF="eth1"
    INIF="eth0"
    INNET="192.168.1.0/24"
    export EXTIF INIF INNET
    
    # Reset the firewall rules
    iptables -F
    iptables -X
    iptables -Z
    iptables -P INPUT   DROP
    iptables -P OUTPUT  ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Allow certain ICMP packets in (left disabled here)
    ##AICMP="0 3 3/4 4 8 11 12 14 16 18"
    #AICMP="0 8 17 18"
    #for tyicmp in $AICMP
    #do
    #  #iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
    #  iptables -A INPUT -i $INIF -p icmp --icmp-type $tyicmp -j ACCEPT
    #done
    
    # Allow everything from the internal network
    iptables -A INPUT -i $INIF -s $INNET -j ACCEPT
    
    # Only allow ssh and pptpd in
    iptables -A INPUT -p TCP --dport 22 --sport 1024:65534 -j ACCEPT   #SSH
    iptables -A INPUT -p TCP --dport 1723 --sport 1024:65534 -j ACCEPT #PPTP
    #iptables -A INPUT -p TCP --dport 53 --sport 1024:65534 -j ACCEPT   #DNS
    #iptables -A INPUT -p UDP --dport 53 --sport 1024:65534 -j ACCEPT   #DNS
    
    # Did connections suddenly stop working after updating pptp? The newer pptpd needs GRE
    # to get through, so IP protocol 47 must be opened as well!! (PPTP uses TCP 1723 for the
    # control connection and GRE for the tunnelled data.) I was stuck on this for ages after a system update
    iptables -A INPUT -p 47 -j ACCEPT
    
    
    # Clear the NAT table
    iptables -F -t nat
    iptables -X -t nat
    iptables -Z -t nat
    iptables -t nat -P PREROUTING  ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT      ACCEPT
    
    # Enable NAT forwarding
    iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
    
    # Show the loaded rules (iptables-save only writes them to stdout here; nothing is
    # persisted, the script is re-run from rc.local at boot, see step 4 below)
    iptables-save
    
    
  3. Change the permissions so that only root can read, write and execute it
    chmod 700 /usr/local/iptables/iptables.*
  4. Having to run /usr/local/iptables/iptables.rule by hand on every boot is too much trouble, so let it run automatically at boot:
    vi /etc/rc.local

    Add the line below before exit 0
    /usr/local/iptables/iptables.rule

    Save and you're done.