Wednesday, September 10, 2008

How to build a pptp VPN connection




PC1: VPN server (Ubuntu 7.10)
eth0: public IP (61.220.51.26)
eth1: DHCP server (192.168.4.254)
DHCP range: 100-200

PC2: VPN client (Windows XP SP2)
behind NAT (59.124.68.73)
local IP: 192.168.1.4

PC3: DHCP client (Windows XP SP2)
IP: 192.168.4.199

Target

Establish a VPN connection between PC1 and PC2, so that PC2 can access PC3's shared folders.

Note: assume that PC1's eth0 can reach the Internet, and that PC3 can also reach the Internet through PC1's eth0.

Steps

1. Install pptpd
sudo apt-get install pptpd

2. Three files need to be configured:
/etc/pptpd.conf
/etc/ppp/pptpd-options
/etc/ppp/chap-secrets

3. Modify /etc/pptpd.conf
sudo gedit /etc/pptpd.conf

###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options

# TAG: debug
# Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam

# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay
# Turns on broadcast relay to clients from interface
#
#bcrelay eth1

# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses separated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
# localip is the server's end of the PPP link once a connection is established
localip 192.168.4.201
# remoteip is the pool of addresses handed out to VPN clients
remoteip 192.168.4.202-210
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

4. Modify /etc/ppp/pptpd-options
sudo gedit /etc/ppp/pptpd-options

###############################################################################
# $Id: pptpd-options 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Optional: domain name to use for authentication
# domain mydomain.net

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
#refuse-pap
#refuse-chap
#refuse-mschap
require-chap
require-mschap

# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#require-mppe-128
# }}}

# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
ms-dns 168.95.1.1
#ms-dns 166.111.8.29

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Debian: do not replace the default route
nodefaultroute


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp

5. Modify /etc/ppp/chap-secrets
sudo gedit /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
sarosa pptpd 1234 192.168.4.201
vosky pptpd vosky *
# "*" means the VPN server assigns the client an IP from the remoteip range set in pptpd.conf

6. Restart pptpd so the new settings take effect
sudo /etc/init.d/pptpd restart

At this point the pptpd setup is complete, but you may still be unable to connect: iptables must also be modified to allow VPN connections.

7. Modify iptables
Add the following rules to your iptables (EIF is the external interface, which is eth0 in this setup):
EIF=eth0
iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o $EIF -j SNAT --to 61.220.51.26
iptables -A INPUT -p TCP -i $EIF --dport 1723 -j ACCEPT # pptp VPN control channel
Note that PPTP carries the tunnelled data over GRE (IP protocol 47) rather than TCP, so a firewall whose INPUT chain drops by default must also accept GRE on the external interface.
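As an added check (example code, not part of the original post), the following Python validates the address plan from steps 3 and 5: it expands the localip/remoteip syntax under the restrictions listed in the pptpd.conf comments, checks the VPN addresses against the eth1 DHCP range 100-200, and checks that addresses pinned in chap-secrets come from the remoteip pool. The sample input is constructed from the post's values; run against them it flags the sarosa entry, whose pinned 192.168.4.201 is also the server's localip.

```python
import ipaddress
import re

# Constructed sample input mirroring the post's values (not read from the real files).
PPTPD_CONF = "localip 192.168.4.201\nremoteip 192.168.4.202-210\n"
CHAP_SECRETS = "# client server secret IP addresses\nsarosa pptpd 1234 192.168.4.201\nvosky pptpd vosky *\n"
DHCP_POOL = ("192.168.4.100", "192.168.4.200")  # eth1 DHCP range 100-200

def expand_pptpd_range(spec):
    """Expand a pptpd.conf localip/remoteip value (comma-separated, last-octet ranges, no spaces)."""
    addrs = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad address spec: {item!r}")
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3) or m.group(2))
        if hi < lo or hi > 255:  # rejects shortcuts such as 234-8, which pptpd does not accept
            raise ValueError(f"bad range: {item!r}")
        addrs.extend(ipaddress.IPv4Address(f"{prefix}{n}") for n in range(lo, hi + 1))
    return addrs

def parse_directive(conf, key):
    # First uncommented "key value" line wins; a trailing "# comment" is ignored.
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == key:
            return fields[1]
    raise KeyError(key)

def check_address_plan(pptpd_conf, chap_secrets, dhcp_pool):
    """Return a list of address-plan problems (empty when the plan is consistent)."""
    local = expand_pptpd_range(parse_directive(pptpd_conf, "localip"))
    remote = expand_pptpd_range(parse_directive(pptpd_conf, "remoteip"))
    dhcp_lo, dhcp_hi = (ipaddress.IPv4Address(a) for a in dhcp_pool)
    problems = [f"{a} collides with the eth1 DHCP pool" for a in local + remote if dhcp_lo <= a <= dhcp_hi]
    problems += [f"{a} is both a localip and a remoteip" for a in set(local) & set(remote)]
    for line in chap_secrets.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or fields[3] == "*":  # "*" lets pptpd pick from the remoteip pool
            continue
        a = ipaddress.IPv4Address(fields[3])
        if a in local:
            problems.append(f"{fields[0]}: pinned address {a} is the server's localip")
        elif a not in remote:
            problems.append(f"{fields[0]}: pinned address {a} is outside the remoteip pool")
    return problems

if __name__ == "__main__":
    print(check_address_plan(PPTPD_CONF, CHAP_SECRETS, DHCP_POOL))
```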

Next we need to configure the VPN client (PC2):
Control Panel -> Network Connections -> Create a new connection ->
Next -> Connect to the network at my workplace -> Next ->
Virtual Private Network connection -> Company name (input: VoSKY) ->
Host name or IP address (input: 61.220.51.26) -> Finish -> fill in the username/password
click "Properties" -> go to the "Security" tab -> uncheck "Require data encryption" -> click "OK"
(this matches the server side, where require-mppe-128 is left commented out in pptpd-options, so the tunnel carries traffic without MPPE encryption; the two settings must agree or the connection fails)


Now you should be able to establish a VPN connection between PC1 and PC2.
On PC2, try a traceroute to 168.95.1.1 and check that the first hop is 192.168.4.201 and the next is 61.220.51.254.
You can also try to access PC3's shared folder.

Reference
Configuring a pptp VPN on Ubuntu
