さくらのVPSのCentOS7に中継用のVPNサーバーを立ててみました。
ここでは L2TP/IPsec を利用したVPNサーバー構築の手順を書きます。
VPNサーバーに接続するメリットは下記です。
L2TP/IPsecについては下記サイトを参考にしてください。
localectl set-locale LANG=ja_JP.UTF-8
vi /etc/hosts.allow
sshd:192.168.1. 18.97.14.89
vi /etc/hosts.deny
sshd:all
# Content owner without an interactive shell, and an admin account placed
# in that group; both passwords (and root's) are then set interactively.
useradd -m -s /sbin/nologin webmaster
useradd -m -g webmaster yukawa
passwd yukawa
passwd root
vi /etc/ssh/sshd_config
PermitRootLogin no AllowUsers yukawa
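# Patch the system now, then schedule unattended updates.
yum -y update
yum -y install yum-cron
# On CentOS 7 yum-cron ships with "apply_updates = no", i.e. it only
# downloads updates; flip it so they are actually installed.
sed -i -e 's/^apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf
# enable alone only takes effect after a reboot; start it as well.
systemctl enable yum-cron
systemctl start yum-cron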
下記のページのセットアップのスクリプトを利用しました。
L2TP_IPSec_vpn_setup_for_centos7.sh・GitHub
vi l2tp_ipsec_setup.sh
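#!/bin/bash
# Description:L2TP/IPsec for CentOS7 64bit
# 2015/05/09 @mix3
#
# Installs xl2tpd + libreswan on CentOS 7 and writes the L2TP/IPsec
# configuration. The whole installation runs in one subshell whose
# stdout+stderr are copied to /var/log/L2TP_IPsec-installer.log.
#
# Before running, replace the placeholder accounts ("hoge001"/"hoge002")
# in the chap-secrets heredoc and PSK_SECRETS below: whatever is left
# there becomes a working VPN credential on this host.
#
# Command tracing (the original "#!/bin/bash -x") is switched on inside
# the subshell only after the secrets are assigned; the secret files are
# written through heredocs (their bodies are not traced) and the final
# summary prints file paths instead of credentials, so the install log
# never contains them. The log itself is created root-only.

set -o pipefail

readonly LOG_FILE='/var/log/L2TP_IPsec-installer.log'

# Create the log with mode 0600 up front; tee on its own would create it
# with the umask (typically 0644).
install -m 600 /dev/null "${LOG_FILE}"

(
## setting
PSK_SECRETS='HOGESECRETS'
COLOR_LIGHT_GREEN='\033[1;32m'
COLOR_WHITE='\033[1;37m'
COLOR_DEFAULT='\033[0m'
# First IPv4 address on eth0 (assumed to be the VPS's public address;
# adjust the interface name on hosts where it differs).
IPADDR_GLOBAL=$(/sbin/ip -4 -o addr show dev eth0 2>/dev/null \
  | /bin/awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }')
VPN_LOCAL_IPADDRESS='192.168.0.1'
VPN_REMOTE_IPADDRESS='192.168.0.151-200'

# Without the address the sed edits below would write an empty
# listen-addr and an empty left=, and both daemons would come up
# misconfigured.
if [[ -z "${IPADDR_GLOBAL}" ]]; then
  printf 'no IPv4 address found on eth0; aborting\n' >&2
  exit 1
fi

# Trace from here on; PSK_SECRETS was assigned above and is not traced.
set -x

## Add repository: EPEL
yum install -y epel-release
## Add packages
# Nothing below can work without these, so stop here if yum fails.
yum install -y xl2tpd libreswan lsof || exit 1
yum update -y

## L2TP setup
sed -i.org \
  -e "s/; listen-addr.*/listen-addr = ${IPADDR_GLOBAL}/g" \
  -e "s/ip range.*/ip range = ${VPN_REMOTE_IPADDRESS}/g" \
  -e "s/local ip.*/local ip = ${VPN_LOCAL_IPADDRESS}/g" \
  /etc/xl2tpd/xl2tpd.conf
# Comment out the packaged ms-dns/noccp lines, then append our own set.
sed -i.org -e "s/^ms-dns/# ms-dns/g" -e "s/^noccp/# noccp/g" /etc/ppp/options.xl2tpd
cat << _XL2TPDCONF_ >> /etc/ppp/options.xl2tpd
ms-dns 8.8.8.8
ms-dns 209.244.0.3
ms-dns 208.67.222.222
name xl2tpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
persist
logfile /var/log/xl2tpd.log
_XL2TPDCONF_

## IPsec setup
# Activate the "include /etc/ipsec.d/*.conf" line so our conn is loaded.
sed -i.org -e "s/^#include/include/g" /etc/ipsec.conf
cat << _IPSECCONF_ > /etc/ipsec.d/l2tp-ipsec.conf
conn L2TP-PSK-NAT
    rightsubnet=0.0.0.0/0
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    forceencaps=yes
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=${IPADDR_GLOBAL}
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
_IPSECCONF_

# chap-secrets entries, appended directly (the original staged them in a
# predictable, world-readable /tmp file first).
# Columns: username auth_server password auth_ipaddress
cat << _SECRETS_ >> /etc/ppp/chap-secrets
#==============================================
# username auth_server password auth_ipaddress
"hoge001" "xl2tpd" "hoge##123" *
"hoge002" "xl2tpd" "hoge##456" *
#==============================================
_SECRETS_
# Heredoc rather than "echo -e": the body is not traced by set -x and the
# PSK is written literally (no backslash-escape processing).
cat << _PSKSECRETS_ > /etc/ipsec.d/default.secrets
: PSK "${PSK_SECRETS}"
_PSKSECRETS_
# Both files hold credentials; keep them readable by root only.
chmod 600 /etc/ppp/chap-secrets /etc/ipsec.d/default.secrets

## firewalld setup
# ipsec service = IKE 500/udp, NAT-T 4500/udp, ESP/AH; 1701/udp is L2TP.
# Masquerade gives the 192.168.0.x client pool Internet access through
# this host.
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

## IP_FORWARD settings
# Forwarding on for the VPN clients; ICMP redirects and rp_filter off on
# every interface. Note rp_filter=0 relaxes anti-spoofing on all of them,
# so keep the firewalld rule set tight.
cat << _SYSCTLCONF_ > /etc/sysctl.d/60-sysctl_ipsec.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.ppp0.accept_redirects = 0
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.ppp0.send_redirects = 0
_SYSCTLCONF_
# Apply immediately; -e skips keys for interfaces that do not exist yet
# (ppp0 only appears once a client connects).
sysctl -e --system
systemctl restart network

## Start services
systemctl enable ipsec
systemctl enable xl2tpd
systemctl restart ipsec
systemctl restart xl2tpd

## Finish
# Credentials are deliberately not echoed: this output is copied into the
# log. The summary points at the files instead.
printf '%b\n' "${COLOR_WHITE}L2TP/IPsec SERVER IP : ${COLOR_LIGHT_GREEN}${IPADDR_GLOBAL}${COLOR_DEFAULT}"
printf '%b\n' "${COLOR_WHITE}L2TP/IPsec USER/PASSWORD : ${COLOR_LIGHT_GREEN}/etc/ppp/chap-secrets${COLOR_DEFAULT}"
printf '%b\n' "${COLOR_WHITE}L2TP/IPsec PSK SECRETS : ${COLOR_LIGHT_GREEN}/etc/ipsec.d/default.secrets${COLOR_DEFAULT}"
printf '%b\n' "${COLOR_WHITE}Install log : ${COLOR_LIGHT_GREEN}${LOG_FILE}${COLOR_DEFAULT}"
) 2>&1 | tee "${LOG_FILE}"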
# Owner-only permissions, then run it (as root: it uses yum and writes /etc).
chmod 700 -- l2tp_ipsec_setup.sh
./l2tp_ipsec_setup.sh
vi /etc/ppp/chap-secrets
"yukawa" "xl2tpd" "yukawaのパスワード" *
vi /etc/ipsec.d/default.secrets
: PSK "事前共有鍵のパスワード"
僕の環境では crtscts lock をコメントアウトしないと動作しませんでした。
vi /etc/ppp/options.xl2tpd
#crtscts #lock
# Restart both daemons so the edited secrets and ppp options are picked up.
systemctl restart ipsec
systemctl restart xl2tpd
Copyright(C) systemexpress.co.jp All Rights Reserved. Author Takayuki Yukawa