Posted by tiger2008 on 09-03-2002 11:56:
vpn for linux setup
I have a Red Hat 7.2 box (two NICs, one internal on 192.168.2.x and one external on 211.96.x.x) that I want to use as a VPN host. Following http://www.linuxforum.net/docnew/sh...ll&fpart=: I installed pptpd, but when I start pptpd I get this error: createHostSocket: Address already in use. I don't know where the problem is, could the experts please advise!
+++++++++++++++++++++++++++++++++++
Disclaimer: 1. This is the first time I have written this kind of article and it is not well written, so let me make fun of myself first: forgive me.
2. If this article really is useful to you, please e-mail me at [email protected] ; a few words of encouragement to show your thanks would be welcome.
3. If you repost this article, please keep it complete, including this disclaimer.
4. All other rights reserved.
What is a VPN? Please don't ask me, I only know the barest smattering about it, but you can read the reference articles listed at the end. All I know is why I need a VPN, heh, and I believe there are many newbies like me.
The reason I need a VPN is that I recently wrote an ActiveForm in Delphi and put it on our internal web server so that the branch offices outside headquarters can access data and print some odd reports through IE; that ActiveForm needs to access another machine on the internal network. Let me also describe our company's network setup: headquarters has a LAN, and everyone shares internet access through a dedicated Linux server that dials ADSL (the 200 yuan/month flat-rate kind); that Linux server also runs WWW, e-mail, DNS, DHCP and other services, and of course ipchains. The company's public website is on a rented virtual host (with a domain name system).
Our approach is that a branch office first connects to the internet and then dials the VPN, so that it can access the internal network with an internal IP. That way my ActiveForm can do its job.
Sections I, II and III below are the steps we took to implement the VPN; section IV gives some reference articles.
I. Server installation
1. Get the PoPToP software; it can be downloaded from http://www.poptop.org , currently version 1.2.
2. Install:
rpm -ivh pptpd-1.0.0-1.i386.rpm
3. Edit the file /etc/syslog.conf and add one line:
daemon.debug /var/log/pptpd.log
Restart syslogd:
killall syslogd
syslogd
4. Edit the following files and make sure they contain something like the following:
/etc/ppp/options
debug
name servername          (the Linux server's host name)
auth
require-chap
proxyarp
/etc/pptpd.conf
speed 115200
localip 192.168.0.234-238
remoteip 192.168.1.234-238
/etc/ppp/chap-secrets
# account   servername   secret   IP
susu servername 123 *
5. Start PoPToP:
/usr/sbin/pptpd
At this point your Linux server can accept VPN dial-in connections; if there is a problem, check the log /var/log/pptpd.log.
6. ipchains setup (the -d and -s IPs depend on your own network)
ipchains -I forward -p tcp -d 192.168.0.10 1723 -j ACCEPT
ipchains -A forward -p tcp -s 192.168.0.10 1723 -j ACCEPT
ipchains -A forward -p 47 -d 192.168.0.10 -j ACCEPT
ipchains -A forward -p 47 -s 192.168.0.10 -j ACCEPT
II. Domain name setup:
The domain name setup here does not mean the DNS setup of the Linux box on the LAN, but the domain name system provided by the virtual hosting provider mentioned above (for example some ISP's standard virtual hosting package). Add an A record in that domain name system.
Domain name: vpn.gd!%!%!.com
(nearly leaked a company secret :), although it would have been a bit of free advertising for the company)
IP: the IP address my ADSL dial-up currently gets.
Why do this? Because I don't want to phone every branch office each time I get a new IP to tell them what headquarters' IP is now.
III. Client setup:
Key points for Win98
1. Create a new dial-up connection, choose the "virtual dial-up device" as the dialling device, and enter vpn.gd!%!%!.com as the remote IP.
Enter susu as the account and 123 as the password (see the /etc/ppp/chap-secrets file above).
Key points for Win2000
1. Create a new "Network and Dial-up Connection" and choose the connection type "Connect to a private network through the Internet".
2. Host name or IP address: www. !%!%!.com
3. Account: susu, password: 123 (see the /etc/ppp/chap-secrets file above)
4. In the connection's "Properties" -> "Security", choose "Advanced (custom settings)" -> "Settings".
Data encryption: choose "Optional encryption (connect even if no encryption)".
Allowed protocols: make sure "Challenge Handshake Authentication Protocol (CHAP)" is checked.
IV. Reference articles:
1. IPsec-based Virtual Private Networks: Principles
Linuxaid technical support site, 01-02-02 20:11, 910p, unix_guo
http://www.linuxaid.com.cn/solution/showsol.jsp?i=99
2. Implementing an IPsec-based Virtual Private Network on Linux: Installation and Configuration
Linuxaid technical support site, 01-02-02 20:15, 1173p, unix_guo
http://www.linuxaid.com.cn/solution/showsol.jsp?i=100
3.VPN-HOWTO
http://www.tldp.org/HOWTO/VPN-HOWTO/
4.Linux VPN Masquerade HOWTO
http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html
5.PoPToP HOWTO/FAQ
6. Just as I was pondering which site to post on, I found the following:
"Free VPN on RedHat 7.2", 任我行, 04/27/02 02:39 PM
http://www.linuxforum.net/docnew/sh...&Number=402
7. Find the rest yourself...
This article only does what it set out to do; other issues (such as security) are for you to solve yourself.
I sincerely hope it is useful to everyone!
susu, 2002.06.10, Guangzhou
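For the "createHostSocket: Address already in use" error in the question above and for the /etc/ppp/options and chap-secrets step of the pasted article, here is an added example (not from either post and not PoPToP's own code) of two pre-start checks written as shell functions: one parses /proc/net/tcp format to see whether something already listens on TCP 1723, the other checks that every chap-secrets server column matches the `name` set in /etc/ppp/options. All sample inputs are constructed; on a live host feed the real files on stdin instead.

```shell
#!/bin/sh
# Added example, not from either post: pre-flight checks for the PoPToP setup
# above. Each function reads its input file on stdin, so it runs offline against
# the constructed samples below; on the real host feed it /proc/net/tcp,
# /etc/ppp/options and /etc/ppp/chap-secrets instead.

# 1. "createHostSocket: Address already in use" means TCP 1723 is already bound.
#    /proc/net/tcp shows ports in hex (1723 = 06BB) and state 0A = LISTEN.
pptp_listener_count() {
    awk 'NR > 1 { split($2, l, ":"); if (toupper(l[2]) == "06BB" && $4 == "0A") n++ }
         END { print n + 0 }'
}

# 2. CHAP succeeds only when the server column in chap-secrets equals the "name"
#    set in /etc/ppp/options (or is "*"). Print that name.
ppp_options_name() {
    awk '$1 == "name" { print $2; exit }'
}

# Count chap-secrets entries whose server column is neither "$1" nor "*".
chap_server_mismatches() {
    awk -v srv="$1" '$1 !~ /^#/ && NF >= 3 && $2 != srv && $2 != "*" { n++ }
                     END { print n + 0 }'
}

# Constructed samples (not captured from a real host).
TCP_BUSY='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:06BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1'
TCP_FREE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1'
OPTIONS='debug
name servername
auth
require-chap
proxyarp'
CHAP_OK='# account  server      secret  IP
susu       servername  123     *'
CHAP_BAD='# account  server      secret  IP
susu       vpnserver   123     *
guest      *           xyz     *'

printf 'listeners on 1723 (busy sample): %s\n' "$(printf '%s\n' "$TCP_BUSY" | pptp_listener_count)"
printf 'listeners on 1723 (free sample): %s\n' "$(printf '%s\n' "$TCP_FREE" | pptp_listener_count)"
NAME=$(printf '%s\n' "$OPTIONS" | ppp_options_name)
printf 'chap-secrets mismatches vs "%s": %s\n' "$NAME" \
    "$(printf '%s\n' "$CHAP_BAD" | chap_server_mismatches "$NAME")"
```

On the live box run `pptp_listener_count < /proc/net/tcp` and `chap_server_mismatches "$(ppp_options_name < /etc/ppp/options)" < /etc/ppp/chap-secrets`; a listener count above zero usually means a pptpd is already running.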
Posted by 北南南北 on 09-03-2002 12:11:
Entry for the NJLUG 1998.12.26 LinuXmas gathering essay contest
Author: 周健成
Email: [email protected]
I. Dialling between Linux and Linux:
See figure 1:
  At home:                                            Office:
  Hostname: j128                                      Hostname: vms68
  OS: RedHat5.1                                       OS: RedHat5.1
  IP: 192.168.88.128 <----phone network----> IP: 192.168.89.68 <---> Internet
          | [ttyS0]                        [ttyS1]                 [ttyS0]
          | ethernet
          |
  Hostname: j003
  OS: Win98
  IP: 192.168.88.3
The first step is to configure Linux as a PPP server that allows dial-in, as 姚飞 said:
Use mgetty
(the following assumes the modem is on ttyS0)
cd /etc
vi inittab
add:
d1:2345:respawn:/sbin/mgetty ttyS0   # allow dial-in on COM1
d2:2345:respawn:/sbin/mgetty ttyS1   # allow dial-in on COM2
then: init q   # re-read the configuration file /etc/inittab
Note: if you want to dial out, the device pppd uses must also be /dev/ttyS0 or /dev/ttyS1,
not /dev/modem, otherwise it won't dial out.
After doing this, both j128 and vms68 allow dial-in, but they are not yet PPP servers; a few more steps are needed:
On vms68:
adduser ppp   # add a new user
passwd ppp    # set a password for ppp
Create a script called ppplogin under /home/ppp with the following content:
exec /usr/sbin/pppd 115200 modem asyncmap 0 proxyarp \
     192.168.89.68:192.168.89.69        # LOCALIP:REMOTEIP
vi /etc/passwd
Change the line ppp:xxxx:505:505:ppp account:/home/ppp:/bin/bash
to ppp:xxxx:505:505:ppp account:/home/ppp:/home/ppp/ppplogin
On j128:
adduser ppp   # add a new user
passwd ppp    # set a password for ppp
Create a script called ppplogin under /home/ppp with the following content:
exec /usr/sbin/pppd 115200 modem asyncmap 0 proxyarp \
     0.0.0.0:0.0.0.0        ### let vms68 assign the IP addresses
vi /etc/passwd
Change the line ppp:xxxx:505:505:ppp account:/home/ppp:/bin/bash
to ppp:xxxx:505:505:ppp account:/home/ppp:/home/ppp/ppplogin
The next step is to configure j128 to dial vms68. That is simple,
the same as dialling to the Internet; the file ppp-onvms68 is as follows:
#!/bin/sh
#
# Script to initiate a ppp connection. This is the first part of the
# pair of scripts. This is not a secure pair of scripts as the codes
# are visible with the 'ps' command. However, it is simple.
#
# These are the parameters. Change as needed.
TELEPHONE=xxxx          # The telephone number for the connection
ACCOUNT=ppp             # The account name for logon (as in 'George Burns')
PASSWORD=xxxx           # The password for this account (and 'Gracie Allen')
LOCAL_IP=0.0.0.0        # Local IP address if known. Dynamic = 0.0.0.0
REMOTE_IP=0.0.0.0       # Remote IP address if desired. Normally 0.0.0.0
NETMASK=255.255.255.0   # The proper netmask if needed
#
# Export them so that they will be available at 'ppp-on-dialer' time.
export TELEPHONE ACCOUNT PASSWORD
#
# This is the location of the script which dials the phone and logs
# in. Please use the absolute file name as the $PATH variable is not
# used on the connect option. (To do so on a 'root' account would be
# a security hole so don't ask.)
DIALER_SCRIPT=/home/ppp/ppp-on-dialer
#
# Initiate the connection
#
# I put most of the common options on this command. Please, don't
# forget the 'lock' option or some programs such as mgetty will not
# work. The asyncmap and escape will permit the PPP link to work with
# a telnet or rlogin connection. You are welcome to make any changes
# as desired. Don't use the 'defaultroute' option if you currently
# have a default route to an ethernet gateway.
exec /usr/sbin/pppd /dev/ttyS0 115200 modem $LOCAL_IP:$REMOTE_IP \
        defaultroute lock crtscts asyncmap 0 connect $DIALER_SCRIPT \
        debug
Now configure vms68 to dial j128; the file ppp-onj128 is as follows:
#!/bin/sh
#
# Script to initiate a ppp connection. This is the first part of the
# pair of scripts. This is not a secure pair of scripts as the codes
# are visible with the 'ps' command. However, it is simple.
#
# These are the parameters. Change as needed.
TELEPHONE=xxxx              # The telephone number for the connection
ACCOUNT=ppp                 # The account name for logon (as in 'George Burns')
PASSWORD=xxxx               # The password for this account (and 'Gracie Allen')
LOCAL_IP=192.168.89.68      # Local IP address if known. Dynamic = 0.0.0.0
REMOTE_IP=192.168.89.69     # Remote IP address if desired. Normally 0.0.0.0
NETMASK=255.255.255.0       # The proper netmask if needed
#
# Export them so that they will be available at 'ppp-on-dialer' time.
export TELEPHONE ACCOUNT PASSWORD
#
# This is the location of the script which dials the phone and logs
# in. Please use the absolute file name as the $PATH variable is not
# used on the connect option. (To do so on a 'root' account would be
# a security hole so don't ask.)
DIALER_SCRIPT=/home/ppp/ppp-on-dialer
#
# Initiate the connection
#
# I put most of the common options on this command. Please, don't
# forget the 'lock' option or some programs such as mgetty will not
# work. The asyncmap and escape will permit the PPP link to work with
# a telnet or rlogin connection. You are welcome to make any changes
# as desired. Don't use the 'defaultroute' option if you currently
# have a default route to an ethernet gateway.
exec /usr/sbin/pppd /dev/ttyS1 115200 modem $LOCAL_IP:$REMOTE_IP \
        lock crtscts asyncmap 0 connect $DIALER_SCRIPT \
        debug
Note here that LOCAL_IP and REMOTE_IP must be given values, and that there is no defaultroute for pppd,
because vms68 still has to dial up to the Internet, so don't use defaultroute.
On j128, use ppp-onvms68 to dial vms68; once connected, telnet to vms68 and run the following command:
nohup sleep 30;ppp-onj128
Then hang up on j128 and wait for vms68 to dial in. Once it is connected, run the following commands on j128:
route add -net 192.168.89.0 gw 192.168.89.69 ppp0
route add default gw 192.168.89.69 ppp0
ipfwadm -F -a m -S 192.168.88.0/24 -D 0.0.0.0/0
Now you can telnet to vms68 again and dial up to the Internet on vms68; that way j003 gets online via j128 and then
vms68, and I don't pay anything.
II. Dialling between Win98 and Linux:
See figure 2:
  At home:                               Office:
  Hostname: j128                         Hostname: vms68
  OS: RedHat5.1                          OS: RedHat5.1
  IP: 192.168.88.128                     IP: 192.168.89.68 <---> Internet
          |                              [ttyS1]          [ttyS0]
          | ethernet                        |
          |                                 |
  Hostname: j003                            |
  OS: Win98    -------------------------------
  IP: 192.168.88.3       phone network
Here vms68 must be configured as a PPP server that allows dial-in, as described in part I.
The main work here is the Win98 configuration. First, just as for Internet access, create a new connection in Dial-Up Networking. Two things to note: first, set it to bring up a terminal window after connecting; second, and most important, in "Control Panel" choose "Modems", select the modem used for the connection, click "Properties", choose "Connection", then the "Advanced" button, and in "Extra settings" enter &C0S0=001.
Why? Because the PPP client that comes with Win98 exits automatically when the remote PPP server hangs up, so Win98 has to be fooled: the modem must not report the disconnect and must auto-answer the incoming call. &C0 tells the modem not to
watch the carrier; S0=001 tells the modem to answer after one ring.
Now configure vms68 to dial j003; the file ppp-onj003 is as follows:
#!/bin/sh
#
# Script to initiate a ppp connection. This is the first part of the
# pair of scripts. This is not a secure pair of scripts as the codes
# are visible with the 'ps' command. However, it is simple.
#
# These are the parameters. Change as needed.
TELEPHONE=xxxx              # The telephone number for the connection
#ACCOUNT=ppp                # The account name for logon (as in 'George Burns')
#PASSWORD=xxxx              # The password for this account (and 'Gracie Allen')
LOCAL_IP=192.168.89.68      # Local IP address if known. Dynamic = 0.0.0.0
REMOTE_IP=192.168.89.69     # Remote IP address if desired. Normally 0.0.0.0
NETMASK=255.255.255.0       # The proper netmask if needed
#
# Export them so that they will be available at 'ppp-on-dialer' time.
export TELEPHONE ###ACCOUNT PASSWORD
#
# This is the location of the script which dials the phone and logs
# in. Please use the absolute file name as the $PATH variable is not
# used on the connect option. (To do so on a 'root' account would be
# a security hole so don't ask.)
DIALER_SCRIPT=/home/ppp/ppp-on-dialer
#
# Initiate the connection
#
# I put most of the common options on this command. Please, don't
# forget the 'lock' option or some programs such as mgetty will not
# work. The asyncmap and escape will permit the PPP link to work with
# a telnet or rlogin connection. You are welcome to make any changes
# as desired. Don't use the 'defaultroute' option if you currently
# have a default route to an ethernet gateway.
exec /usr/sbin/pppd /dev/ttyS1 115200 modem $LOCAL_IP:$REMOTE_IP \
        lock crtscts asyncmap 0 connect $DIALER_SCRIPT \
        debug
Note here that LOCAL_IP and REMOTE_IP must be given values, and that there is no defaultroute for pppd,
because vms68 still has to dial up to the Internet, so don't use defaultroute. Also there is no ACCOUNT and
PASSWORD here, because the Win98 PPP client does not use a username and password, so in ppp-on-dialer
the two lines that send ACCOUNT and PASSWORD must be removed.
After j003 has dialled into vms68, telnet to vms68 and run the following script on vms68:
kill `cat /var/run/ppp0.pid`   ### note: if the link is ppp1, use ppp1.pid
nohup sleep 30;ppp-onj003
One point to note in particular: the line must be dropped on the Linux side, because if it is dropped on Win98,
the Win98 PPP client exits and then won't answer the call.
Now call-back between Win98 and Linux works, but watch out for the routing on Win98.
On Win98 you have to configure the routing yourself; there is a route program in the Windows directory, with this format:
route print/add/delete/change (just type route to see the help)
For my j003, before dialling, route print gives the following (the line numbers are mine):
Active Routes: