Original link: http://grid.tsinghua.edu.cn/home/liulk/publish/computer/ServerVPN.html

Outline

The whole installation and configuration process consists mainly of the following commands:

[root@gw3121 ~]# apt-get install pptpd       # install pptpd
[root@gw3121 ~]# apt-get install pptp-linux  # install the PPTP client; this step can be skipped
[root@gw3121 ~]# vi /etc/pptpd.conf          # edit the pptpd configuration file
[root@gw3121 ~]# vi /etc/ppp/pptpd-options   # edit the configuration of the underlying ppp server
[root@gw3121 ~]# vi /etc/ppp/chap-secrets    # username and password file
[root@gw3121 ~]# /etc/init.d/pptpd restart   # restart the pptpd server

# Open the firewall and set up NAT; if you are not using a firewall or NAT, this step can be skipped
[root@gw3121 ~]# iptables -t nat -A POSTROUTING -s 10.0.11.0/24 -o eth0 -j SNAT --to 166.111.202.141
[root@gw3121 ~]# iptables -A FORWARD -s 10.0.11.0/24 -j ACCEPT
[root@gw3121 ~]# iptables -A FORWARD -d 10.0.11.0/24 -j ACCEPT

## Resulting configuration files

* /etc/pptpd.conf

###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#       Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options

# TAG: debug
#       Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#       Specifies timeout (in seconds) on starting ctrl connection
#
stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay
#       Turns on broadcast relay to clients from interface
#
#bcrelay eth1

# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing. But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses separated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
#          start at the beginning of the list and go until it gets
#          MAX_CONNECTIONS IPs. Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
localip 10.0.11.254
remoteip 10.0.11.1-253
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
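The localip/remoteip syntax and its four restrictions are easy to get wrong by hand, so here is an added example (not code from the original page or from the pptpd project) that expands such a list the way the comments describe and applies the MAX_CONNECTIONS cut-off; MAX_CONNECTIONS is a compile-time constant of pptpd, and the value 100 and the sample file below are assumptions.

```python
import ipaddress
import re

# pptpd's MAX_CONNECTIONS is a compile-time constant; 100 is assumed here.
MAX_CONNECTIONS = 100

# Constructed sample mirroring the localip/remoteip lines chosen above;
# the remoteip range holds 253 addresses, more than MAX_CONNECTIONS.
SAMPLE_PPTPD_CONF = """\
option /etc/ppp/pptpd-options
localip 10.0.11.254
remoteip 10.0.11.1-253
"""

_ITEM_RE = re.compile(r"^(\d+\.\d+\.\d+\.)(\d+)(?:-(\d+))?$")

def expand_ip_list(spec):
    """Expand a localip/remoteip value into dotted-quad strings, enforcing
    restrictions 1 and 3: no spaces, no shortened ranges (234-8 is rejected)."""
    if " " in spec:
        raise ValueError("spaces are not permitted in IP lists")
    ips = []
    for item in spec.split(","):
        m = _ITEM_RE.match(item)
        if not m:
            raise ValueError("bad address or range: %r" % item)
        prefix, lo, hi = m.group(1), int(m.group(2)), m.group(3)
        if hi is None:
            ips.append(prefix + str(lo))
            continue
        hi = int(hi)
        if hi < lo or hi > 255:      # "234-8" fails here because 8 < 234
            raise ValueError("bad range: %r" % item)
        ips.extend(prefix + str(n) for n in range(lo, hi + 1))
    for ip in ips:
        ipaddress.IPv4Address(ip)    # rejects octets above 255
    return ips

def parse_pptpd_conf(text):
    """Return (localips, remoteips); remoteips is cut to MAX_CONNECTIONS
    from the front, as restriction 2 describes."""
    local, remote = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        key, _, value = line.partition(" ")
        if key == "localip":
            local = expand_ip_list(value.strip())
        elif key == "remoteip":
            remote = expand_ip_list(value.strip())[:MAX_CONNECTIONS]
    return local, remote
```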

* /etc/ppp/pptpd-options
###############################################################################  
# $Id: pptpd-options 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

# (must match the second field in /etc/ppp/chap-secrets entries)
name gw3121

# Optional: domain name to use for authentication
# domain mydomain.net

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
#refuse-pap
#refuse-chap
#refuse-mschap
require-chap
require-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#require-mppe-128
# }}}




# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
ms-dns 166.111.8.28
ms-dns 166.111.8.29

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Debian: do not replace the default route
nodefaultroute


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp


* /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client        server  secret          IP addresses
lkliu           gw3121  "passwd1"       10.0.11.1
vpn             gw3121  "passwd2"       *
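The comments in pptpd-options state two rules worth checking mechanically: the `name` value must match the server field of every chap-secrets entry, and MPPE can only be required together with MS-CHAPv2. The following added example (not the page's or pppd's own code) parses constructed excerpts of both files and reports on those rules; with `#require-mppe-128` left commented out as above, it also reports that the tunnel may run without MPPE. The sample texts and finding strings are assumptions.

```python
# Constructed excerpts of the two files as edited on this page.
SAMPLE_PPTPD_OPTIONS = """\
name gw3121
require-chap
require-mschap
require-mschap-v2
#require-mppe-128
"""
SAMPLE_CHAP_SECRETS = """\
# client server secret IP addresses
lkliu gw3121 "passwd1" 10.0.11.1
vpn gw3121 "passwd2" *
"""

def _uncommented(text):
    # Yield non-empty lines with '#' comments removed.
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def active_options(text):
    """Map each active pppd option keyword to its argument (or None)."""
    opts = {}
    for line in _uncommented(text):
        key, _, arg = line.partition(" ")
        opts[key] = arg.strip() or None
    return opts

def parse_chap_secrets(text):
    """Return (client, server, secret, ip) tuples; quotes are stripped."""
    entries = []
    for line in _uncommented(text):
        f = line.split()
        entries.append((f[0], f[1], f[2].strip('"'), f[3]))
    return entries

def audit(options_text, secrets_text):
    """Findings based on the rules stated in the config comments."""
    opts = active_options(options_text)
    mppe = [o for o in opts if o.startswith("require-mppe")]
    findings = []
    if not mppe:
        findings.append("no require-mppe option: clients may connect without MPPE")
    elif "require-mschap-v2" not in opts:
        findings.append("MPPE requires MS-CHAPv2, but require-mschap-v2 is not set")
    name = opts.get("name")
    for client, server, _secret, ip in parse_chap_secrets(secrets_text):
        if name and server not in (name, "*"):
            findings.append("%s: server %r does not match name %r" % (client, server, name))
        if ip == "*":
            findings.append("%s: no fixed address, any remoteip may be assigned" % client)
    return findings
```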

Client

* Windows

Creating the connection

Control Panel -> Network Connections -> Create a new connection ->
Next -> Connect to the network at my workplace -> Next ->
Virtual Private Network connection -> Company name (input: 3-121) ->
Host name or IP address (input: 166.111.202.141) -> Finish

Configuring the connection

Double-click the connection just created -> Properties -> Security ->
Advanced (custom settings) -> Optional encryption (connect even if no encryption) ->
Allow these protocols -> CHAP (select only this) -> OK -> Yes
