- PPTP can connect to the radius server without problems
- The PPTP module is loaded into the kernel
- PPTP connects to the pptp service successfully
Question: how do I get PPTP to connect to the Internet?
iptables:
#!/bin/sh
#openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 199.101.x.x
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 199.101.x.x
#pptp
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
Guide: http://safesrv.net/setup-pptp-and-freeradius-on-centos-5/
ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:AC:F3:C4
inet addr:199.101.x.x Bcast:199.101.x.x Mask:255.255.255.192
inet6 addr: fe80::216:3eff:feac:f3c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1264874 errors:0 dropped:0 overruns:0 frame:0
TX packets:226234 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:144280558 (137.5 MiB) TX bytes:83158009 (79.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:11 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1417 (1.3 KiB) TX bytes:1417 (1.3 KiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:10.0.0.1 P-t-P:10.0.0.10 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1396 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:142 (142.0 b) TX bytes:94 (94.0 b)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:76887 errors:0 dropped:0 overruns:0 frame:0
TX packets:93454 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:11624030 (11.0 MiB) TX bytes:55299615 (52.7 MiB)
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.0.11 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
199.101.100.192 0.0.0.0 255.255.255.192 U 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 199.101.100.193 0.0.0.0 UG 0 0 0 eth0
199.101.100.192/193 is not my server IP.
Answer 1
VPN client tests
Check whether you can ping the VPN server from the client
ping 10.0.0.1
Check whether you can ping google by IP
ping 8.8.8.8
Check whether you can ping google by name
ping google.com
If 1 fails, pptp has a problem.
If 1 and 2 succeed but 3 fails, it is a DNS problem. Go to step 1 in the next section.
If 1 succeeds but 2 fails, it is a routing problem. Go to step 2 in the next section.
On the VPN server
Check that /etc/ppp/pptpd-options contains the following line/option:
ms-dns <dns server IP>
This is the DNS assigned to VPN clients.
Restart pptpd, reconnect the VPN client, and run the VPN client tests above again.
On the VPN server, check the output of the following
cat /proc/sys/net/ipv4/ip_forward
If the result above is 0, that is the problem; fix it as follows
echo 1 > /proc/sys/net/ipv4/ip_forward
Add or uncomment the following line in /etc/sysctl.conf to make the change permanent:
net.ipv4.ip_forward=1
Run the VPN client tests above again.
iptables
Try the following rules, including flushing iptables.
# Reset/Flush iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush end
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
# Allow localhost traffic
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
# Allow server and internal network to go anyway
iptables -A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
iptables -A INPUT -s 199.101.100.10 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
# Allow ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
/etc/pptpd.conf
option /etc/ppp/pptpd-options
localip 10.0.0.1
remoteip 10.0.0.10-100
Please check that you have /etc/ppp/pptpd-options.
/etc/ppp/pptpd-options
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
lock
nobsdcomp
/etc/ppp/options
Jan 11 11:39:27 vpn12 pppd[1155]: Cannot determine ethernet address for proxy ARP
Add or uncomment proxyarp in /etc/ppp/options
Microsoft dictionary
Add the following to the end of /etc/radiusclient/dictionary.microsoft
#
# Experimental extensions, configuration only (for check-items)
# Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE NAS-Identifier 32 string
ATTRIBUTE Proxy-State 33 string
ATTRIBUTE Login-LAT-Service 34 string
ATTRIBUTE Login-LAT-Node 35 string
ATTRIBUTE Login-LAT-Group 36 string
ATTRIBUTE Framed-AppleTalk-Link 37 integer
ATTRIBUTE Framed-AppleTalk-Network 38 integer
ATTRIBUTE Framed-AppleTalk-Zone 39 string
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer
# 8 is a MERIT extension.
VALUE Service-Type Authenticate-Only 8
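The question's own script appends the pptp FORWARD rules after an unconditional `iptables -A FORWARD -j REJECT`, so packets arriving on ppp+ hit the REJECT before they ever reach those rules. As an added example (not part of the question or the answer), this POSIX shell script checks that ordering on `iptables -S FORWARD` output using constructed samples of the chain; `live_check` is an assumed helper that runs the same check, plus the answer's ip_forward test, on the server itself.

```shell
#!/bin/sh
# Constructed sample: the FORWARD chain from the question as `iptables -S FORWARD`
# prints it. Rule 3 is an unconditional REJECT and the ppp+ rules come after it.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT'
# Constructed sample: the same rules with the ppp+ rules placed before the REJECT.
FIXED_FORWARD='-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A FORWARD -j REJECT'

# Print the 1-based position of the first unconditional REJECT/DROP rule, or 0.
catch_all_index() {
  printf '%s\n' "$1" | awk '
    /^-A FORWARD / { n++ }
    /^-A FORWARD -j (REJECT|DROP)$/ { idx = n; exit }
    END { print idx + 0 }'
}

# Print the 1-based position of the first rule accepting traffic in from ppp+, or 0.
ppp_accept_index() {
  printf '%s\n' "$1" | awk '
    /^-A FORWARD / { n++ }
    /^-A FORWARD -i ppp[+] .*-j ACCEPT$/ { idx = n; exit }
    END { print idx + 0 }'
}

# Exit 0 when ppp+ traffic is accepted before any catch-all rule, 1 when the
# catch-all shadows it (or when no ppp+ accept rule exists at all).
forward_order_ok() {
  catch=$(catch_all_index "$1")
  ppp=$(ppp_accept_index "$1")
  [ "$ppp" -ne 0 ] || return 1
  [ "$catch" -eq 0 ] || [ "$ppp" -lt "$catch" ]
}

# Assumed helper for the VPN server (run as root): the answer's ip_forward test
# plus the ordering check above on the real FORWARD chain.
live_check() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "ip_forward is 0"
  forward_order_ok "$(iptables -S FORWARD)" && echo "FORWARD: ppp+ rules reachable" ||
    echo "FORWARD: ppp+ rules shadowed by a catch-all REJECT/DROP (use -I or reorder)"
}
```

Run `live_check` on the server; a shadowed result means the ppp+ rules must be inserted with `-I` or appended before the REJECT, as the answer's flush-and-rebuild rule set does.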