PPTP | Deploying a PPTP VPN for getting through the firewall (AD authentication)

I. What is PPTP?

The Point-to-Point Tunneling Protocol (PPTP) is a data-link-layer network protocol used mainly for VPNs. The server room that hosted our previous PPTP server is being decommissioned, so the service has to be rebuilt in the new server room; this post records the process.

II. Preparing the environment

1. Disable SELinux (if left enabled it interferes with Winbind-based user authentication)

# vim /etc/selinux/config
SELINUX=disabled

2. Configure DNS (the resolver here must be the AD DNS server, otherwise joining the domain later will fail)

# vim /etc/resolv.conf
search test.com
nameserver 10.0.0.1

3. Enable IP packet forwarding (disabled by default)

# vim /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# sysctl -p
net.ipv4.ip_forward = 1

4. Confirm that the Linux kernel supports iptables NAT and PPP

# lsmod | grep iptable
iptable_nat 6158 0
nf_nat 22759 1 iptable_nat
nf_conntrack_ipv4 9506 3 iptable_nat,nf_nat
iptable_filter 2793 0
ip_tables 17831 2 iptable_nat,iptable_filter
nf_conntrack 79357 5 iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
# dmesg | grep PPP
[ 29.826098] PPP generic driver version 2.4.2
[ 29.826196] PPP Deflate Compression module registered
[ 29.826198] PPP BSD Compression module registered
[ 29.826306] PPP MPPE Compression module registered
[ 29.826315] PPPoL2TP kernel driver, V1.0

III. Installing the related components

1. Install the EPEL repository

# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

2. Install PPTP, Samba, heartbeat and Kerberos

# yum install pptpd ppp samba samba-common samba-client heartbeat krb5-libs krb5-workstation krb5-devel -y

IV. Samba and Kerberos configuration

1. Configure Samba

# vim /etc/samba/smb.conf
[global]
# define the netbios name of the domain
workgroup = TEST
# define the pptp server netbios name
netbios name = SK-PPTP-46
# server description
server string = pptpd server
# define the AD domain name
realm = TEST.COM
# printer stuff
printcap name = /etc/printcap
load printers = no
# log file stuff
log file = /var/log/samba/%m.log
max log size = 50
# must set to ads
security = ADS
# enable encrypt passwords
encrypt passwords = yes
# not to be a master browser
domain master = no
preferred master = no
# winbind stuff
idmap uid = 50001-550000
idmap gid = 50001-550000
winbind separator = +
winbind refresh tickets = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U

2. Configure Kerberos

# vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5/krb5libs.log
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
[libdefaults]
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 300
[realms]
TEST.COM = {
kdc = ldap.test.com
default_domain = test.com
admin_server = ldap.test.com
}
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
try_first_pass = true
}

3. Test Kerberos (note that the realm name must be upper-case)

root@SK-PPTP-48:~> kinit -V clavinzjli@TEST.COM
Using default cache: /tmp/krb5cc_0
Using principal: clavinzjli@TEST.COM
Password for clavinzjli@TEST.COM:
Authenticated to Kerberos v5
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: clavinzjli@TEST.COM
Valid starting Expires Service principal
12/06/13 11:34:10 12/06/13 21:33:44 krbtgt/TEST.COM@TEST.COM
renew until 12/07/13 11:34:10

4. Join the TEST domain

# net ads join -U clavinzjli@TEST.COM
clavinzjli@TEST.COM's password:
Using short domain name -- TEST
Joined 'SK-PPTP-46' to realm 'TEST.COM'

Note
The point to watch here is that the clock of the machine being joined must not be 5 minutes off from the AD server, otherwise the domain join fails with:
(kinit: Clock skew too great while getting initial credentials)

V. Start the services and test winbind

1. Start the samba and winbind services

# /etc/init.d/smb start
# /etc/init.d/nmb start
# /etc/init.d/winbind start

2. Check that winbind is working correctly

# wbinfo -t
checking the trust secret for domain TEST via RPC calls succeeded

3. Enable the services at boot

# chkconfig winbind on
# chkconfig nmb on
# chkconfig smb on

VI. PPTP configuration

1. Configure /etc/pptpd.conf

# vim /etc/pptpd.conf
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
ppp /usr/sbin/pppd
# Specifies the speed for the PPP daemon to talk at
speed 115200
# Specifies the location of the PPP options file
option /etc/ppp/options.pptpd
# Turn on debugging to syslog
debug
# Use wtmp(5) to record client connections and disconnections
logwtmp
# Specifies the local and remote IP address ranges
localip 10.14.36.46
remoteip 192.168.1.10-240
# Specifies the pid file of pptpd
pidfile /var/run/pptpd.pid

2. Configure /etc/ppp/options.pptpd

# vim /etc/ppp/options.pptpd
######## Authentication ########
# Name of the local system for authentication purposes
name SK-PPTP-46
######## Encryption ########
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
#refuse-pap
#refuse-chap
#refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
require-mschap-v2
# Require MPPE 128-bit encryption
require-mppe-128
######## Network and Routing ########
# specifies the DNS address
ms-dns 8.8.8.8
# Add an entry to this system's ARP
proxyarp
######## Logging ########
# Enable connection debugging facilities.
debug
######## Miscellaneous ########
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
lock
# Disable BSD-Compress compression
nobsdcomp
nodeflate
nopcomp
noaccomp
######## Plugins ########
# Putting them higher up may cause them to send messages to the pty
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=S-1-5-21-1333135361-625243220-14044502-190030"
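As an added example (not the post's own code), a small Python audit of the two files above: it parses an options.pptpd in pppd's one-option-per-line format and flags settings weaker than this post's baseline (require-mschap-v2, require-mppe-128, and an ntlm_auth helper restricted with --require-membership-of), and it expands the pptpd.conf remoteip range syntax so the pool size can be confirmed and checked against localip. The embedded config is a constructed sample and the group SID is a placeholder.

```python
import ipaddress

# Constructed sample modelled on the post's options.pptpd; the SID is a placeholder.
OPTIONS_PPTPD = """\
name SK-PPTP-46
#refuse-pap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=S-1-5-21-PLACEHOLDER-SID"
"""


def parse_ppp_options(text):
    """pppd options file: one option per line, '#' starts a comment, the value is optional."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip().strip('"')
    return opts


def audit_ppp_options(text):
    """Return findings for settings weaker than the post's baseline (empty list means it matches)."""
    o = parse_ppp_options(text)
    findings = []
    if "require-mschap-v2" not in o:
        findings.append("require-mschap-v2 missing: PAP/CHAP/MS-CHAPv1 could be negotiated")
    if "require-mppe-128" not in o:
        findings.append("require-mppe-128 missing: tunnel may come up with weak or no MPPE")
    if o.get("plugin") == "winbind.so" and "--require-membership-of=" not in o.get("ntlm_auth-helper", ""):
        findings.append("ntlm_auth-helper lacks --require-membership-of: any domain account could log in")
    return findings


def expand_remoteip(spec):
    """Expand pptpd.conf remoteip syntax ('a.b.c.10-240,a.b.c.250'); a range spans the last octet."""
    addrs = []
    for item in spec.split(","):
        base, _, end = item.strip().partition("-")
        first = ipaddress.IPv4Address(base)
        last = ipaddress.IPv4Address(base.rsplit(".", 1)[0] + "." + end) if end else first
        addrs.extend(str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1))
    return addrs
```

Run `audit_ppp_options` over the real file and `expand_remoteip` over the remoteip line from pptpd.conf; a localip that appears in the expanded pool would collide with a client address.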

3. Additional MTU configuration (for Windows XP clients)

# vim /etc/ppp/ip-up
#!/bin/bash
# This file should not be modified -- make local changes to
# /etc/ppp/ip-up.local instead
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
ifconfig $1 mtu 1496
...