Very short pptpd VPN HOWTO

$Id: pptp-howto.xhtml 435 2011-12-06 21:12:47Z djdfy $

Step 1. Install

    apt-get install pptpd pwgen

Step 2. Configure server

Add to the end of /etc/pptpd.conf:

    localip 192.168.97.1
    remoteip 192.168.97.128-254

192.168.0.x and 192.168.1.x are commonly used by home and public routers and wifi hotspots, and a client connecting from such a network would have its VPN subnet collide with its local one, so pick a random third octet from 3..254 instead.

Uncomment "proxyarp" in /etc/ppp/options so that Windows clients can reach the LAN:

    # Add an entry to this system's ARP [Address Resolution Protocol]
    # table with the IP address of the peer and the Ethernet address of this
    # system.
    proxyarp

And restart pptpd:

    /etc/init.d/pptpd restart

Set up masquerading by adding new rules to the firewall (e.g., in /etc/rc.local). The order matters: the TCP and UDP rules, which restrict the source ports used for masqueraded connections, must come before the catch-all rule, and the "! -d 192.168.97.0/24" exclusion keeps traffic between VPN clients from being NATed:

    iptables -t nat -A POSTROUTING -s 192.168.97.0/24 ! -d 192.168.97.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    iptables -t nat -A POSTROUTING -s 192.168.97.0/24 ! -d 192.168.97.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    iptables -t nat -A POSTROUTING -s 192.168.97.0/24 ! -d 192.168.97.0/24 -j MASQUERADE

To allow forwarding, execute:

    sysctl net/ipv4/ip_forward      # check whether forwarding is enabled
    sysctl net/ipv4/ip_forward=1    # enable forwarding

Uncomment this line in /etc/sysctl.conf so the setting survives a reboot (sysctl -p applies the file immediately):

    net.ipv4.ip_forward=1

Then reboot the server and check that all settings persist (forwarding enabled, NAT rules present, pptpd running).

If you are using a restrictive firewall, allow TCP port 1723 (the PPTP control connection) and GRE (IP protocol 47, which carries the tunnelled PPP frames). Both rules must precede any DROP/REJECT rule in the INPUT chain:

    iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
    iptables -A INPUT -p gre -j ACCEPT

Step 3. Adding users

Users and their passwords are stored in /etc/ppp/chap-secrets in cleartext, so keep the file readable by root only (mode 0600, as installed by the package). The "server" column must match the "name" set in /etc/ppp/pptpd-options (pptpd by default). Example:

    # client    server    secret                  IP addresses
    user1       pptpd     myübersecretpassword    *
    user2       pptpd     Ok1l1zgSWvHkUkJpC6HF    *
    user3       pptpd     MGmmPFHbgd7F2LcryStz    *

Passwords can be generated with pwgen; -s makes them completely random instead of pronounceable:

    pwgen -s 20

Note that a strong password only protects against online guessing. PPTP authenticates with MS-CHAPv2 and derives its MPPE session keys from it, and an attacker who captures the handshake can recover the password hash, and with it the session keys, offline with a fixed amount of work regardless of password length. Use PPTP where convenience matters more than confidentiality, and prefer IPsec or OpenVPN otherwise.

Tips & tricks

While you are configuring and/or testing some sort of VPN on an instance, it is uncomfortable to suddenly lose the RDP/SSH connection to it. To prevent the connection from your home computer from being routed via the VPN, add a fixed host route for your home IP through the instance's normal gateway. Assuming 172.20.60.1 is the instance's gateway and 213.180.2.12 is your home IP:

on Windows:

    route print
    route -p add 213.180.2.12 mask 255.255.255.255 172.20.60.1

(-p persists the route across reboots)

on Linux:

    ip route show
    ip route add 213.180.2.12 via 172.20.60.1

To persist the route, add the command to /etc/rc.local or to a "post-up" line of the interface in /etc/network/interfaces.

Links
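As an added example for Step 3 (not part of the original HOWTO), the following POSIX shell script adds users to a chap-secrets file with a random 20-character secret, refuses duplicate usernames and usernames that would break the file format, keeps the file root-only, and audits existing entries for secrets shorter than the intended length. It assumes the secrets file path is passed as an argument (so it can be tried on a scratch copy before touching /etc/ppp/chap-secrets), generates secrets from /dev/urandom rather than pwgen so it has no extra dependency, and that the server name is pptpd as in the example above and in /etc/ppp/pptpd-options on Debian; the function and script names are mine.

```shell
#!/bin/sh
# Added example for Step 3 of the pptpd HOWTO; not part of the original page.
# Assumptions (not from the page): the chap-secrets path is an argument, so
# the functions can be exercised on a scratch copy before touching /etc/ppp;
# secrets come from /dev/urandom instead of pwgen (same idea as "pwgen -s 20",
# no extra dependency); the server field is "pptpd", matching "name pptpd" in
# /etc/ppp/pptpd-options on Debian.

SERVER_NAME=pptpd
SECRET_LEN=20

# Print one random secret of SECRET_LEN letters and digits.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$SECRET_LEN"
    echo
}

# add_pptp_user FILE USER: append "USER pptpd SECRET *" to FILE and print the
# secret once (hand it to the user). Returns 1 if USER already has an entry
# for this server, 2 if USER contains characters that would break the
# whitespace-separated file format.
add_pptp_user() {
    file=$1
    user=$2
    case $user in
        '' | *[!A-Za-z0-9._-]*)
            echo "bad username: '$user'" >&2
            return 2 ;;
    esac
    [ -e "$file" ] || : > "$file"
    # chap-secrets holds cleartext passwords: keep it readable by root only.
    chmod 600 "$file"
    if awk -v u="$user" -v s="$SERVER_NAME" \
           '$1 == u && $2 == s { found = 1 } END { if (found) exit 0; exit 1 }' "$file"; then
        echo "user '$user' already exists in $file" >&2
        return 1
    fi
    secret=$(gen_secret)
    printf '%s\t%s\t%s\t*\n' "$user" "$SERVER_NAME" "$secret" >> "$file"
    echo "$secret"
}

# audit_pptp_secrets FILE: list entries for this server whose secret is
# shorter than SECRET_LEN; returns 1 if any were found, 0 otherwise.
# Entries for other servers and comment/blank lines are ignored.
audit_pptp_secrets() {
    awk -v s="$SERVER_NAME" -v min="$SECRET_LEN" '
        /^[ \t]*(#|$)/ { next }
        $2 == s && length($3) < min {
            printf "weak secret for %s (%d chars)\n", $1, length($3)
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }' "$1"
}

# Command-line use:  pptp-users.sh add /etc/ppp/chap-secrets user4
#                    pptp-users.sh audit /etc/ppp/chap-secrets
case ${1:-} in
    add)   add_pptp_user "$2" "$3" ;;
    audit) audit_pptp_secrets "$2" ;;
esac
```

Run it as root with "add" to create a user (the secret is printed once and never logged), or source the file and call the functions directly; "audit" is worth running after hand-editing chap-secrets, since a short secret for the pptpd server is the one thing this setup can still do something about.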