
aws和tx 双xl2tpd搭建

注意mtu,需要aws和tx各网卡设置成一致的
ifconfig设置就可以
ifconfig eth0 mtu 1500



aws:
eth0:172.31.33.238

ppp0:192.168.3.99---------172.17.0.13


tx:
eth0: 172.17.0.13

ppp0: 172.17.0.13-------- 192.168.3.99

ppp1:192.168.2.99---------192.168.2.128

手机 192.168.2.128

tx:
# tx: masquerade the phone's subnet (192.168.2.0/24, handed out on ppp1) so its
# packets leave through the aws tunnel on ppp0 with ppp0's own address as source.
# NOTE(review): forwarding between ppp1 and ppp0 also needs net.ipv4.ip_forward=1,
# which this writeup does not show — confirm on the host.
iptables -t nat -A POSTROUTING -s 192.168.2.0/24  -o ppp0  -j MASQUERADE

# Send everything else into the tunnel. The LNS itself (52.196.182.31 in the
# xl2tpd.conf below) must still be reachable via eth0, otherwise the tunnel's own
# outer packets would be routed back into the tunnel; the commented
# "route add 52.196.182.31 dev eth0" further down is presumably that host route.
route add default dev ppp0



#iptables -t nat -A POSTROUTING -s 192.168.3.0/24  -o ppp1  -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.17.0.0/24  -o ppp0  -j MASQUERADE


#iptables -t nat -A POSTROUTING -s 192.168.2.0/20  -o ppp0  -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.3.0/24  -o ppp0  -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.17.0.0/24  -o eth0  -j MASQUERADE

aws:
# aws: masquerade what arrives out of the tunnel from tx (its ppp0 end is
# 172.17.0.13 per the address table above, inside 172.17.0.0/24) toward the
# public interface. NOTE(review): aws's own dial-in clients get
# 192.168.3.128-254 (see the aws xl2tpd.conf below) but no POSTROUTING rule for
# 192.168.3.0/24 is shown here — confirm whether one exists on the host.
iptables -t nat -A POSTROUTING -s 172.17.0.0/24  -o eth0  -j MASQUERADE


检查脚本为:
checkppp0.sh
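#!/bin/sh
# checkppp0.sh - keep the tx -> aws L2TP tunnel (ppp0) up.
#
# Meant to run periodically (cron). If ppp0 is not up, ask xl2tpd to dial the
# "testvpn" LAC defined in /etc/xl2tpd/xl2tpd.conf; in every case make sure
# ppp0 is up and is the default route.
#
# Globals:   none
# Arguments: none
# Outputs:   ifconfig summary of ppp0 and a one-line status on stdout;
#            diagnostics on stderr
# Returns:   0 on success, 1 if xl2tpd's control file is not writable

control=/var/run/xl2tpd/l2tp-control
tunnel=testvpn   # must match the [lac ...] section name in xl2tpd.conf
marker=/opt/c    # touched on every redial attempt (cheap "last redial" timestamp)

# ifconfig without -a lists only interfaces that are up, which is what the
# original check relied on; grep -q tests presence without capturing output.
if ifconfig | grep -q 'ppp0'; then
  status="nothing to do"
else
  status="will start vpn"
  # The control file is created by xl2tpd. Redirecting into a path that does
  # not exist would silently create a plain file there instead of reaching
  # xl2tpd, so refuse to continue in that case.
  if [ ! -w "$control" ]; then
    printf 'checkppp0: %s is not writable; is xl2tpd running?\n' "$control" >&2
    exit 1
  fi
  printf 'c %s\n' "$tunnel" > "$control"
  sleep 5   # give pppd time to negotiate before touching the interface
  touch -- "$marker"
fi

# Same post-condition for both branches. "route add default" returns non-zero
# when the route is already present; that is expected here, so it is not fatal
# (stderr is left visible so a real failure still shows up in the cron mail).
ip link set ppp0 up
/usr/sbin/route add default dev ppp0 || :
/usr/sbin/ifconfig ppp0

printf '%s\n' "$status"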


工具命令集:
# end-to-end check: source the ping from ppp0's address so it must traverse the tunnel
ping -I ppp0 www.baidu.com
# watch the phone's leg on tx
tcpdump -i ppp1
# NOTE(review): promiscuous mode is presumably a no-op on a point-to-point ppp
# link; tcpdump captures on it without this.
ifconfig ppp0 promisc
# must match "mtu 1500" / "mru 1500" in options.xl2tpd on both hosts
ifconfig eth0 mtu 1500



#route add -net  223.104.3.0 netmask 255.255.255.0 dev eth0
#route del -net 192.168.2.0 netmask 255.255.255.0


#route add 192.168.2.99 gw 192.168.3.99 ppp0 
#route add  52.196.182.31 dev eth0
#route del 192.168.2.99 dev ppp0


snat原理:https://blog.csdn.net/jk110333/article/details/8229828

tx:
/etc/xl2tpd/xl2tpd.conf
; tx side: L2TP client (LAC) toward aws *and* L2TP server (LNS) for the phone.
[lac testvpn]
; aws LNS public address; checkppp0.sh dials this section with "c testvpn"
lns =  52.196.182.31
;pppoptfile = /etc/ppp/peers/testvpn.l2tpd
; pppd options for the dial-out leg (holds the CHAP user/password, see below)
pppoptfile = /etc/ppp/peers/aws.l2tpd
ppp debug = yes
; NOTE(review): nothing on this page initiates an IPsec SA toward 52.196.182.31
; (both l2tp-ipsec.conf files are auto=add responders with right=%any), so this
; leg appears to run as plain L2TP/PPP across the Internet — verify with tcpdump
; on eth0 and, if so, either add an initiating conn or accept that only CHAP
; protects it.

[global]
;ipsec saref = no
force userspace = yes
; listen-addr = 192.168.1.98
; NOTE(review): with listen-addr commented out xl2tpd accepts L2TP on every
; interface, and nothing on this page limits UDP 1701 to IPsec-protected
; traffic — confirm a firewall rule does.

[lns default]
; addresses handed to dial-in peers (the phone shows up as 192.168.2.128 above)
ip range = 192.168.2.128-192.168.2.254
; tx end of the phone's link (ppp1 192.168.2.99 above)
local ip = 192.168.2.99
; peer must authenticate with CHAP against /etc/ppp/chap-secrets; PAP is refused
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


cat /etc/ppp/peers/aws.l2tpd
# pppd options for the tx -> aws dial-out leg (referenced from [lac testvpn]).
remotename testvpn
# CHAP identity sent to the aws LNS; must match the "root * Haohao123 *" line in
# aws's /etc/ppp/chap-secrets below
user "root"
# cleartext credential — keep this file readable by root only (mode 0600)
password "Haohao123"
# pin the interface name to ppp0 so the iptables/route commands above can refer to it
unit 0
nodeflate
nobsdcomp
# noauth: do not require the aws side to authenticate itself to this client
noauth
# persist + maxfail: keep redialing after a drop, give up after 5 consecutive failures
persist
nopcomp
noaccomp
maxfail 5
debug



这个既做客户端又做服务端


/etc/ppp/options.xl2tpd

# pppd options for peers dialing *in* to tx's [lns default] (the phone).
ipcp-accept-local
ipcp-accept-remote
# DNS pushed to the client; the writeup also sets /etc/resolv.conf to 8.8.8.8
ms-dns  8.8.8.8
# local name used for the /etc/ppp/chap-secrets lookup (the server column there
# is "*", so it does not constrain anything)
name xl2tpd
# require the dial-in peer to authenticate (CHAP per xl2tpd.conf)
auth
# drop the link after 30 minutes without traffic
idle 1800
# NOTE(review): 1500 equals the eth0 MTU set above; once L2TP/UDP/IP and IPsec
# headers are added a full-size PPP frame exceeds the outer link and is
# fragmented — a lower value is customary, confirm with a DF ping through the tunnel.
mtu 1500
mru 1500
# do not let the dial-in peer replace tx's default route
nodefaultroute
debug
proxyarp
connect-delay 5000


注意检查mtu 和各个网卡是否一致

/etc/ipsec.d/l2tp-ipsec.conf
这个新建的
# tx IPsec (responder only): protects L2TP (UDP 1701) from any peer, PSK from default.secrets.
conn L2TP-PSK-NAT
    # accept clients behind NAT: any remote subnet, UDP encapsulation forced
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    # tear the SA down when the peer stops answering dead-peer detection
    dpdaction=clear
    # NOTE(review): "encapsulation=yes" is the Libreswan spelling; the aws file
    # below uses "forceencaps=yes" — confirm the keyword matches the IPsec daemon
    # actually installed on each host.
    encapsulation=yes
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    # pre-shared key from /etc/ipsec.d/default.secrets (one key shared by every client)
    authby=secret
    # NOTE(review): pfs=no gives up forward secrecy for the child SA and rekey=no
    # stops this side from renegotiating; the defaults are stronger unless a
    # client cannot handle them.
    pfs=no
    # load the policy but never initiate — this host only answers incoming IKE
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    # transport mode: only the L2TP packets between the two endpoints are protected
    type=transport
    # tx's eth0 address (see the address table above)
    left=172.17.0.13
    leftprotoport=17/1701
    # any peer address may connect
    right=%any
    rightprotoport=17/%any



/etc/ipsec.d/default.secrets

# IPsec pre-shared key for every peer (leading ":" = no selector); one key is
# shared by all clients, keep this file root-only. It differs from the aws key
# below (trailing "!" and quotes), which is consistent with the tx->aws leg not
# being IPsec-protected by anything shown on this page.
:   PSK "Haohao123!"

cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client	server	secret			IP addresses
# tx side: credentials checked for peers dialing *in* (the phone on ppp1).
# server "*" matches any local name, so "name xl2tpd" in options.xl2tpd does not
# constrain the lookup. The secret is stored in cleartext; keep the file root-only.
root    *   haha123 *


# IPsec is started before xl2tpd so the UDP 1701 policy is loaded before L2TP listens
systemctl start ipsec
systemctl start xl2tpd

# follow xl2tpd/pppd/ipsec output while testing; assumes syslog writes here — TODO confirm
tail -f /var/log/messages


/etc/resolv.conf 都配置成8.8.8.8
#################
在aws上配置

/etc/xl2tpd/xl2tpd.conf

; aws side: LNS only (answers the tx dial-out and any other L2TP client).
[global]
; NOTE(review): no listen-addr, so L2TP is accepted on every interface; nothing
; on this page limits UDP 1701 to IPsec-protected traffic — confirm a firewall
; or security-group rule does.

[lns default]
; addresses for dial-in peers. NOTE(review): the table above shows the tx end
; of ppp0 as 172.17.0.13, not an address from this range — presumably
; ipcp-accept-remote in options.xl2tpd lets the peer keep the address it
; proposes; confirm this is intended.
ip range = 192.168.3.128-192.168.3.254
; aws end of every tunnel (ppp0 192.168.3.99 above)
local ip = 192.168.3.99
; peer must authenticate with CHAP against /etc/ppp/chap-secrets; PAP is refused
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


cat /etc/ppp/options.xl2tpd
# pppd options for peers dialing in to aws's [lns default] (including the tx LAC).
ipcp-accept-local
# accept the address the peer proposes — presumably why tx appears as 172.17.0.13 on ppp0
ipcp-accept-remote
# DNS pushed to the client
ms-dns  8.8.8.8
ms-dns  1.1.1.1
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
# no compression control protocol; tx's dial-out side also disables deflate/bsdcomp
noccp
# require the peer to authenticate (CHAP per xl2tpd.conf)
auth
#obsolete: crtscts
# drop the link after 30 minutes without traffic; tx's checkppp0.sh redials
idle 1800
# NOTE(review): 1500 equals the eth0 MTU, so full-size PPP frames are fragmented
# once L2TP/UDP (and IPsec) headers are added; a lower value is customary —
# confirm with a DF ping through the tunnel.
mtu 1500
mru 1500
# do not let a dial-in peer replace this host's default route
nodefaultroute
debug
#obsolete: lock
proxyarp
connect-delay 5000

注意mtu要一致

/etc/ipsec.d/l2tp-ipsec.conf

# aws IPsec (responder only): protects L2TP (UDP 1701) from any peer, PSK from default.secrets.
conn L2TP-PSK-NAT
    # accept clients behind NAT: any remote subnet, UDP encapsulation forced
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    # tear the SA down when the peer stops answering dead-peer detection
    dpdaction=clear
    # NOTE(review): "forceencaps=yes" is the Openswan/strongSwan spelling; the tx
    # file above uses "encapsulation=yes" — confirm the keyword matches the IPsec
    # daemon actually installed on each host.
    forceencaps=yes
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    # pre-shared key from /etc/ipsec.d/default.secrets (one key shared by every client)
    authby=secret
    # NOTE(review): pfs=no gives up forward secrecy for the child SA and rekey=no
    # stops this side from renegotiating; the defaults are stronger unless a
    # client cannot handle them.
    pfs=no
    # load the policy but never initiate — this host only answers incoming IKE
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    # transport mode: only the L2TP packets between the two endpoints are protected
    type=transport
    # the instance's own eth0 address; peers reach it via 52.196.182.31 (the lns
    # value in tx's xl2tpd.conf), presumably a 1:1 NAT in front of the instance,
    # which is why forced UDP encapsulation matters here
    left=172.31.33.238
    leftprotoport=17/1701
    # any peer address may connect
    right=%any
    rightprotoport=17/%any


/etc/ipsec.d/default.secrets
# aws IPsec pre-shared key for every peer (leading ":" = no selector); keep the
# file root-only. Differs from tx's key above.
:	PSK	Haohao123


cat /etc/ppp/chap-secrets
# aws side: the entry tx's dial-out (user "root" / password "Haohao123" in
# /etc/ppp/peers/aws.l2tpd above) is checked against; cleartext, keep root-only.
root	*	Haohao123	*

# IPsec is started before xl2tpd so the UDP 1701 policy is loaded before L2TP listens
systemctl start ipsec
systemctl start xl2tpd



















