Debian server + PPTP VPN - connection doesn't work

I have a Seagate DockStar with Debian Squeeze set up as a small server in my home network. Now I want to reach it from outside my own network, so I need a VPN connection. By the way, I don't have a router with a built-in VPN server. I already run a "big" Windows XP server that I can reach through a PPTP VPN tunnel. That was easy, but now with Debian I'm running into some problems setting up the VPN connection.

I have already installed pptpd with

apt-get install pptpd 

Here is my pptpd.conf:

# TAG: ppp
#    Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#    Specifies the location of the PPP options file.
#    By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options

# TAG: debug
#    Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#    Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#    Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay <if>
#    Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: localip
# TAG: remoteip
#    Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#    You can specify single IP addresses separated by commas or you can
#    specify ranges, or both. For example:
#
#        192.168.0.234,192.168.0.245-249,192.168.0.254
#
#    IMPORTANT RESTRICTIONS:
#
#    1. No spaces are permitted between commas or within addresses.
#
#    2. If you give more IP addresses than MAX_CONNECTIONS, it will
#       start at the beginning of the list and go until it gets 
#       MAX_CONNECTIONS IPs. Others will be ignored.
#
#    3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#       you must type 234-238 if you mean this.
#
#    4. If you give a single localIP, that's ok - all local IPs will
#       be set to the given one. You MUST still give at least one remote
#       IP for each simultaneous client.
#
# (Recommended)
localip 192.168.0.120
remoteip 192.168.0.121-129
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

The DHCP server in my router hands out IPs starting at 192.168.0.2. My big server gives VPN clients IPs starting at 192.168.0.121 (the server itself has the xxx120 IP) - as I already wrote, the VPN works on the big server, so I simply set the localip and remoteip ranges to the same ranges as on the big server.

My pptpd-options looks like this:

# Authentication

# Name of the local system for authentication purposes 
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Optional: domain name to use for authentication
# domain mydomain.net

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#require-mppe-128
# }}}




# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
#ms-dns 10.0.0.1
#ms-dns 10.0.0.2

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Debian: do not replace the default route
nodefaultroute


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp 

ms-dns 192.168.0.1
netmask 255.255.255.0
noipx
mtu 1490
mru 1490

In the chap-secrets file I registered a user. (As shown below - is this correct?)

netstat tells me that port 1723 is open and pptpd is listening on it, and an nmap port scan from another computer says the same. iptables is not installed on the DockStar. In my router I forward every TCP or UDP connection to port 1723 to the DockStar's IP.

I tried to connect with Windows XP, Windows 7 and Mac OS X clients. None of the clients can establish a connection. Mac OS X only shows a generic error message; the Windows clients show "Error 619 - A connection to the remote computer could not be established." The clients are configured to use MSCHAPv2, and the username and password are the ones set in the chap-secrets file.

Whether I try to connect to the server from a laptop inside the same network or over a WWAN connection (with WiFi turned off), it fails on every connection attempt.

Does anyone know what is wrong with the server configuration and how to get it working?

Thanks in advance,

Yasin
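A check that goes with the two files quoted in the question, added here as an example and not part of the original post: it parses pppd/pptpd-style option files, expands the localip/remoteip pools under the four rules listed in the pptpd.conf comments, and reports the authentication/encryption posture. The sample inputs are the effective (uncommented) directives from the two files above; the rule that rejects a shorthand range such as 234-8 outright, and the default of 100 for MAX_CONNECTIONS, are this example's assumptions. The one finding it raises on the posted configuration is that require-mppe-128 is commented out, so the server does not insist on MPPE and will accept a client that negotiates no encryption at all (and MS-CHAPv2 itself is breakable offline, which is why PPTP is no longer recommended for anything sensitive).

```python
import ipaddress
import re

# Added example (not from the post). The effective directives from the two
# files in the question, copied without their comments.
SAMPLE_PPTPD_CONF = """\
option /etc/ppp/pptpd-options
logwtmp
localip 192.168.0.120
remoteip 192.168.0.121-129
"""

SAMPLE_PPTPD_OPTIONS = """\
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
#require-mppe-128
proxyarp
nodefaultroute
lock
nobsdcomp
ms-dns 192.168.0.1
netmask 255.255.255.0
noipx
mtu 1490
mru 1490
"""

_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:-(\d{1,3}))?$")


def parse_options(text):
    """Parse a pppd/pptpd options file: one directive per line, '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            opts.setdefault(name, []).append(args.strip())
    return opts


def expand_ip_list(spec, max_connections=100):
    """Expand a localip/remoteip value under the rules given in pptpd.conf:
    comma-separated, no spaces, ranges written out in full, truncated to
    MAX_CONNECTIONS (assumed 100). Rejecting '234-8' is this example's choice;
    pptpd.conf only says it does not mean 234-238."""
    if spec != spec.strip() or " " in spec:
        raise ValueError("no spaces are permitted in pptpd address lists")
    addrs = []
    for item in spec.split(","):
        m = _RANGE_RE.match(item)
        if not m:
            raise ValueError(f"malformed entry: {item!r}")
        base, last = m.groups()
        ipaddress.IPv4Address(base)  # raises ValueError on an octet > 255
        if last is None:
            addrs.append(base)
            continue
        prefix, first = base.rsplit(".", 1)
        first, last = int(first), int(last)
        if last > 255 or last < first:
            raise ValueError(f"bad range {item!r}: write it in full, e.g. 234-238")
        addrs.extend(f"{prefix}.{o}" for o in range(first, last + 1))
    return addrs[:max_connections]


def is_valid_ip_list(spec):
    try:
        expand_ip_list(spec)
        return True
    except ValueError:
        return False


def lint(pptpd_conf, pptpd_options):
    """Summarise the address pools and the auth/encryption posture."""
    conf, opts = parse_options(pptpd_conf), parse_options(pptpd_options)
    local = expand_ip_list(conf["localip"][0])
    remote = expand_ip_list(conf["remoteip"][0])
    problems = []
    if set(local) & set(remote):
        problems.append("localip and remoteip overlap")
    if "require-mschap-v2" not in opts:
        problems.append("require-mschap-v2 missing: MS-CHAPv2 peer authentication is not enforced")
    # Without a require-mppe* directive pppd only uses MPPE if the client asks
    # for it, so a client configured for 'no encryption' gets a cleartext link.
    mppe_required = any(k.startswith("require-mppe") for k in opts)
    if not mppe_required:
        problems.append("no require-mppe-128: unencrypted PPP links are accepted; uncomment it")
    return {
        "local": local,
        "remote": remote,
        "max_clients": len(remote),
        "mppe_required": mppe_required,
        "problems": problems,
    }


if __name__ == "__main__":
    for finding in lint(SAMPLE_PPTPD_CONF, SAMPLE_PPTPD_OPTIONS)["problems"]:
        print("WARNING:", finding)
```

Running it against the posted files yields nine client addresses (192.168.0.121 to .129) for one local address and the single MPPE warning; appending an uncommented require-mppe-128 line clears it.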

Answer 1

I don't quite understand how you can still get PPTP to the Windows XP server working once you forward all port 1723 traffic to the Debian Squeeze server. You can probably only connect to the WinXP server via "VPN" from inside the local LAN, which doesn't seem very useful.

In any case, PPTP needs not only TCP port 1723 traffic but also the GRE protocol. Can your router handle GRE tunnels correctly? If it's an ordinary consumer router, I doubt it. Even if it can, GRE is fairly esoteric and getting help with it may be hard.

For your situation I'd suggest trying a VPN solution that uses only TCP and/or UDP as transport, since those protocols are ubiquitous and well understood. OpenVPN is one such VPN solution, and it runs on all major operating systems (Win, Mac, Linux, *BSD).

Depending on what you are trying to accomplish, another option is to run sshd on the Debian server, e.g.:

apt-get install openssh-server

All major operating systems have free ssh clients that can create tunnels over an ssh connection.
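The point this answer makes, that PPTP is two channels and a port-forwarding rule can only ever match one of them, shown with hand-built packets. This is an added example, not code from the answer's author: the message layouts and constants follow RFC 2637 (the 156-byte Start-Control-Connection messages and 32-byte Outgoing-Call-Reply match the sizes pptpd logs), while the addresses are placeholders and the IP/TCP checksums are left at zero, so the bytes are for parsing, not for sending. The classifier returns the destination port for the TCP/1723 control channel and None for the GRE data channel, which carries a call ID instead of ports; a "forward TCP/UDP 1723" rule therefore never sees the data channel, and the router must pass IP protocol 47 as well.

```python
import ipaddress
import struct

# Added example (not from the answer): PPTP control and data packets built by
# hand after RFC 2637. Addresses are placeholders; checksums are left at zero.

PPTP_PORT = 1723
PPTP_MAGIC = 0x1A2B3C4D
IPPROTO_TCP = 6
IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B        # Protocol Type in PPTP's enhanced GRE header
SCCRQ, SCCRP, OCRP = 1, 2, 8  # control message types that appear in pptpd's log


def build_sccrq(hostname=b"client", vendor=b"example"):
    """Start-Control-Connection-Request, the first message on TCP/1723. The
    reply (SCCRP) shares this 156-byte layout, which is the '156 bytes'
    pptpd logs when it answers a client."""
    return struct.pack(
        "!HHIHHHHIIHH64s64s",
        156, 1, PPTP_MAGIC, SCCRQ,  # length, type=control, magic cookie, SCCRQ
        0,                          # reserved0
        0x0100,                     # protocol version 1.0
        0,                          # reserved1
        1, 1,                       # framing (async) / bearer (analog) capabilities
        1, 0,                       # maximum channels, firmware revision
        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"),
    )


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Enhanced GRE header (RFC 2637 section 4.1): K always set, S/A when a
    sequence or acknowledgement number is present, version 1. No ports."""
    flags = 0x20 | (0x10 if seq is not None else 0)   # K, S
    ver = 0x01 | (0x80 if ack is not None else 0)     # version 1, A
    hdr = struct.pack("!BBHHH", flags, ver, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def build_tcp(sport, dport, payload):
    """Minimal 20-byte TCP header (PSH|ACK; seq, ack and checksum zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options, checksum zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def classify(packet):
    """Return (channel, details) for an IPv4 packet. A 'forward port 1723' rule
    matches transport protocol plus destination port; the GRE data channel has
    neither, so such a rule can never match it."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack_from("!HH", packet, ihl)
        data = packet[ihl + (packet[ihl + 12] >> 4) * 4:]
        if dport == PPTP_PORT and len(data) >= 10:
            length, mtype, magic, ctype = struct.unpack_from("!HHIH", data)
            if mtype == 1 and magic == PPTP_MAGIC:
                return "pptp-control", {"dport": dport, "ctrl_type": ctype, "length": length}
        return "tcp", {"dport": dport}
    if proto == IPPROTO_GRE:
        flags, ver, gproto, plen, call_id = struct.unpack_from("!BBHHH", packet, ihl)
        if gproto == GRE_PROTO_PPP and ver & 0x07 == 1:
            return "pptp-data", {"dport": None, "call_id": call_id, "payload_len": plen}
        return "gre", {"dport": None}
    return "other", {"dport": None}


if __name__ == "__main__":
    ctrl = build_ipv4(IPPROTO_TCP, "192.0.2.10", "192.0.2.1",
                      build_tcp(49152, PPTP_PORT, build_sccrq()))
    data = build_ipv4(IPPROTO_GRE, "192.0.2.10", "192.0.2.1",
                      build_pptp_gre(1, b"\xff\x03\xc0\x21", seq=1))
    print(classify(ctrl))
    print(classify(data))
```

On a Linux server the same distinction shows up in a capture: tcpdump filtering on port 1723 shows the control channel, while only a filter on proto 47 shows whether any GRE frames arrive at all.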

Answer 2

Well, my Debian installation really didn't have any logging service installed. Now I have installed rsyslog, so here is what gets written to /var/log/syslog when I try to connect to the VPN server over PPTP from a Windows 7 machine:

Oct 17 20:05:57 debian pptpd[769]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 17 20:05:57 debian pptpd[769]: CTRL: local address = 192.168.1.1
Oct 17 20:05:57 debian pptpd[769]: CTRL: remote address = 192.168.2.1
Oct 17 20:05:57 debian pptpd[769]: CTRL: pppd options file = /etc/ppp/pptpd-options
Oct 17 20:05:57 debian pptpd[769]: CTRL: Client 192.168.0.7 control connection started
Oct 17 20:05:57 debian pptpd[769]: CTRL: Received PPTP Control Message (type: 1)
Oct 17 20:05:57 debian pptpd[769]: CTRL: Made a START CTRL CONN RPLY packet
Oct 17 20:05:57 debian pptpd[769]: CTRL: I wrote 156 bytes to the client.
Oct 17 20:05:57 debian pptpd[769]: CTRL: Sent packet to client
Oct 17 20:05:57 debian pptpd[769]: CTRL: Received PPTP Control Message (type: 7)
Oct 17 20:05:57 debian pptpd[769]: CTRL: Set parameters to 100000000 maxbps, 64 window size
Oct 17 20:05:57 debian pptpd[769]: CTRL: Made a OUT CALL RPLY packet
Oct 17 20:05:57 debian pptpd[769]: CTRL: Starting call (launching pppd, opening GRE)
Oct 17 20:05:57 debian pptpd[769]: CTRL: pty_fd = 6
Oct 17 20:05:57 debian pptpd[769]: CTRL: tty_fd = 7
Oct 17 20:05:57 debian pptpd[769]: CTRL: I wrote 32 bytes to the client.
Oct 17 20:05:57 debian pptpd[769]: CTRL: Sent packet to client
Oct 17 20:05:57 debian pptpd[771]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
Oct 17 20:05:57 debian pptpd[771]: CTRL (PPPD Launcher): local address = 192.168.1.1
Oct 17 20:05:57 debian pptpd[771]: CTRL (PPPD Launcher): remote address = 192.168.2.1
Oct 17 20:05:57 debian pptpd[769]: CTRL: Received PPTP Control Message (type: 15)
Oct 17 20:05:57 debian pptpd[769]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Oct 17 20:05:57 debian pppd[771]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so is for pppd version 2.4.4, this is 2.4.5
Oct 17 20:05:57 debian pptpd[769]: GRE: read(fd=6,buffer=1fb40,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Oct 17 20:05:57 debian pptpd[769]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Oct 17 20:05:57 debian pptpd[769]: CTRL: Reaping child PPP[771]
Oct 17 20:05:57 debian pptpd[769]: CTRL: Client 192.168.0.7 control connection finished
Oct 17 20:05:57 debian pptpd[769]: CTRL: Exiting now
Oct 17 20:05:57 debian pptpd[507]: MGR: Reaped child 769

It looks like something is wrong with GRE... But, as I said, the PPTP connection to my Windows server works fine (if I set the port forwarding in the router back to the Windows server). Does the Windows server use GRE for PPTP VPN connections? If so, I think I can assume that my router supports GRE. Do I have to set up GRE support on the Debian system?
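A triage pass over the log quoted in this answer, added as an example and not part of the answer itself. The log shows the TCP/1723 control connection coming up and pptpd launching pppd; the first error after that is pppd's, a plugin built for pppd 2.4.4 being loaded into pppd 2.4.5. pppd refuses a plugin built for a different version and exits, and the GRE read error that follows is, as pptpd's own message says, what it reports when pppd terminates unexpectedly. The function below encodes that ordering as a rule: it reads the pptpd/pppd lines in order, reports the first server-side cause it can name, and only points at GRE forwarding when the server logs no fault of its own. SAMPLE_LOG is the posted log reduced to the relevant lines; the other two samples are constructed to show the remaining outcomes. The suggested fixes in the diagnosis strings are this example's, not the answerer's.

```python
import re

# Added example (not from the answer). SAMPLE_LOG: the posted syslog lines that
# matter; the two other samples are constructed.
SAMPLE_LOG = """\
Oct 17 20:05:57 debian pptpd[769]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 17 20:05:57 debian pptpd[769]: CTRL: Client 192.168.0.7 control connection started
Oct 17 20:05:57 debian pptpd[769]: CTRL: Starting call (launching pppd, opening GRE)
Oct 17 20:05:57 debian pppd[771]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so is for pppd version 2.4.4, this is 2.4.5
Oct 17 20:05:57 debian pptpd[769]: GRE: read(fd=6,buffer=1fb40,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Oct 17 20:05:57 debian pptpd[769]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Oct 17 20:05:57 debian pptpd[769]: CTRL: Reaping child PPP[771]
Oct 17 20:05:57 debian pptpd[769]: CTRL: Client 192.168.0.7 control connection finished
"""

# Constructed: pppd died without saying why, so only the generic advice applies.
SAMPLE_PPPD_DIED = """\
Oct 17 20:10:01 debian pptpd[800]: CTRL: Client 192.168.0.7 control connection started
Oct 17 20:10:01 debian pptpd[800]: CTRL: Starting call (launching pppd, opening GRE)
Oct 17 20:10:01 debian pptpd[800]: GRE: read(fd=6,buffer=1fb40,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Oct 17 20:10:01 debian pptpd[800]: CTRL: Reaping child PPP[802]
"""

# Constructed: the server reports no fault of its own.
SAMPLE_CLEAN = """\
Oct 17 20:12:30 debian pptpd[810]: CTRL: Client 192.168.0.7 control connection started
Oct 17 20:12:30 debian pptpd[810]: CTRL: Starting call (launching pppd, opening GRE)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
PLUGIN_RE = re.compile(r"Plugin (\S+) is for pppd version (\S+), this is (\S+)")


def parse_syslog(text):
    """Return the lines that match the syslog layout as dicts, in log order."""
    return [m.groupdict() for m in map(SYSLOG_RE.match, text.splitlines()) if m]


def triage(text):
    """Map one connection attempt to (outcome, next step)."""
    events = parse_syslog(text)
    if not any("control connection started" in e["msg"] for e in events):
        return ("no-control-connection",
                "TCP/1723 never reached pptpd: check the listener and the router's forwarding")
    for e in events:                       # first pppd-side cause wins
        if e["prog"] == "pppd":
            m = PLUGIN_RE.search(e["msg"])
            if m:
                return ("pppd-plugin-mismatch",
                        f"pppd refused {m.group(1)} (built for {m.group(2)}, running "
                        f"{m.group(3)}) and exited; the GRE/PTY error that follows is the "
                        "consequence. Comment out 'logwtmp' in pptpd.conf or install a pptpd "
                        "built against the installed pppd")
    if any("from PTY failed" in e["msg"] for e in events):
        return ("pppd-terminated",
                "pppd died before the link came up: add 'debug' to pptpd-options and read the pppd lines")
    return ("no-local-error",
            "control channel and pppd are fine on the server; capture 'proto 47' on the "
            "external interface to see whether any GRE arrives")


if __name__ == "__main__":
    for name, sample in (("posted", SAMPLE_LOG), ("pppd-died", SAMPLE_PPPD_DIED), ("clean", SAMPLE_CLEAN)):
        print(name, "->", triage(sample))
```

The order of the checks is the point: a GRE or PTY error that comes after pppd has already reported a fatal problem is a symptom, so GRE forwarding at the router is only the next suspect once the server side logs nothing wrong.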