在 Freebsd 上用 mpd5 构建 PPTP VPN
cd /usr/ports/net/mpd5
make
make install
在make install之后若出现报错"/usr/share/mk/bsd.kmod.mk", line 12: "can't find kernel source tree",则是因为sys、base库没有安装
解决方法:
running “sysinstall” as root, choosing “Configure”, then “Distributions”, then “src”, then “base” and “sys”.
?
mpd_enable="YES"
复制默认的 mpd.conf 配置文件
cd /usr/local/etc/mpd5/
cp mpd.conf.sample mpd.conf
修改 mpd.conf 文件中的 startup: default: pptp_server: 三块,其它的不要理睬,放在里面不要删除,因为可以通过 default: 标签来调用需要执行的模块,所以不受影响。
以下是这三部分的代码,需要修改的地方见我的中文解释。
startup: #configure mpd users set user admin password ### 设置 mpd 的访问帐号及密码,通过 telnet 或 web 访问时需要此帐号 #set user foo1 bar1 #configure the console set console self 127.0.0.1 5005 set console open #configure the web server set web self 0.0.0.0 5006 set web open#Default configuration is "dialup" default: #load dialup load pptp_server ### 默认调用 pptp_server 模块pptp_server:#Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.#Suppose you have a private Office LAN numbered 192.168.1.0/24 and the#machine running mpd is at 192.168.1.1, and also has an externally visible#IP address of 1.2.3.4.#We want to allow a client to connect to 1.2.3.4 from out on the Internet#via PPTP. We will assign that client the address 192.168.1.50 and proxy-ARP#for that address, so the virtual PPP link will be numbered 192.168.1.1 local#and 192.168.1.50 remote. From the client machine's perspective, it will#appear as if it is actually on the 192.168.1.0/24 network, even though in#reality it is somewhere far away out on the Internet.##Our DNS server is at 192.168.1.3 and our NBNS (WINS server) is at 192.168.1.4.#If you don't have an NBNS server, leave that line out.#Define dynamic IP address pool. set ippool add pool1 172.16.0.100 172.16.0.199 # 此处是配置vpn客户端分配的ip地址池#Create clonable bundle template named B create bundle template B set iface enable proxy-arp set iface idle 1800 set iface enable tcpmssfix set ipcp yes vjcomp#Specify IP address pool for dynamic assigment. set ipcp ranges 172.16.0.1/32 ippool pool1 # 此处是配置vpn客户端分配的ip地址的网关 set ipcp dns 218.108.248.200 ### 设置 dns #set ipcp nbns 192.168.1.4 ###如果你用不到 wins 的话,可以注释掉这块,#The five lines below enable Microsoft Point-to-Point encryption#(MPPE) using the ng_mppc(8) netgraph node type. set bundle enable compression set ccp yes mppc set mppc yes e40 set mppc yes e128 set mppc yes stateless#Create clonable link template named L create link template L pptp#Set bundle template to use set link action bundle B#Multilink adds some overhead, but gives full 1500 MTU. set link enable multilink set link yes acfcomp protocomp set link no pap chap eap set link enable chap#We can use use RADIUS authentication/accounting by including#another config section with label 'radius'.#load radius set link keep-alive 10 60#We reducing link mtu to avoid GRE packet fragmentation. set link mtu 1460#Configure PPTP set pptp self 202.101.8.18 ###设置 pptp 的监听 ip 地址,也就是你的网卡的 IP 地址#Allow to accept calls set link enable incoming
好了,that's all。
/usr/local/etc/rc.d/mpd5 start
检查 mpd5 是否已经启动
netstat -a
可以看到类似于这样的输出信息
tcp4 0 0 vpn.server..pptp *.* LISTEN
说明 pptp 已正常启动
添加 VPN 帐号
创建 /usr/local/etc/mpd5/mpd.secret 文件,输入用户名及密码,一行一个
example:
vpn "123456" test "123456"
然后就可以在 windows 下尝试登录 vpn 服务器了
?
以上配置好后,但只能访问内部网络,而不访问外网,所以要让服务器启用nat。我用 ipfw + nat 来提供此功能。
首先需要在内核中加入支持ipfw、nat的options
进入目录/usr/src/sys/i386/conf,在该目录下有个文件:GENERIC。
先查看文件中是否有ipfw、nat对应options,若没有
先备份此文件,然后编辑
在options中加入
ident GENERIC #可以更改此文件名为你想要内核文件名options IPFIREWALL #启用ipfwoptions IPDIVERT #启用nat功能options IPFIREWALL_DEFAULT_TO_ACCEPT #默认处理数据规则为允许流量通过options IPFIREWALL_VERBOSE #日志功能options IPFIREWALL_VERBOSE_LIMIT=100 #日志条目options IPFIREWALL_FORWARD #启用包转发options DUMMYNET #做nat服务器?
加入之后,执行命令/usr/sbin/config GENERIC
执行完之后输出会有操作提示,即: cd ../complie/GENERIC
make dependmake #make过程比较长,耐心等待make install
执行完毕即完成内核编译
?
在 /etc/rc.conf 中加入以下行
gateway_enable="YES" firewall_enable="YES" firewall_script="/etc/ipfw.rules" natd_enable="yes" natd_interface="bge0" #该设置为公网ip所在网卡,下同
启动natd和使gateway_enable生效:
/etc/rc.d/natd startsysctl net.inet.ip.forwarding=1
在/etc目录下创建文件ipfw.rules
编辑文件内容如下:
#!/bin/shIPFW="/sbin/ipfw -q" $IPFW -f flush$IPFW add 100 divert natd all from any to any via bge0 #此接口与rc.conf中的natd_interface="bge0"对应$IPFW add 200 allow all from any to any
修改ipfw.rules属性:chmod 755 ipfw.rules
?
是ipfw规则生效,运行该脚本:/etc/ipfw.rules
执行完毕后,ipfw show查看是否运行了规则
正常情况下,vpn可以正常启用了。并且可以访问外网。
?