PPTP | Deploying a PPTP VPN for bypassing the firewall (AD authentication)
1. What is PPTP?
The Point-to-Point Tunneling Protocol (PPTP) is a data-link-layer network protocol used mainly for VPNs. The server room that housed the previous pptp server is being decommissioned, so the service has to be rebuilt in the new server room, and this post records the procedure. One caveat before following it: PPTP's protection rests on MS-CHAPv2, whose handshake can be broken offline to recover the user's NT hash and with it the MPPE session keys, so the tunnel should not be relied on as strong transport encryption; the AD group restriction applied through ntlm_auth further down is what limits who can log in at all.
2. Initializing the environment
1. Disable SELinux (with SELinux enforcing, Winbind-based user authentication does not work)
# vim /etc/selinux/config
SELINUX=disabled
The file only takes effect at the next boot; run "setenforce 0" to switch to permissive mode immediately.
2. Configure DNS (the nameserver here must be the AD DNS server, otherwise the domain join later on will fail)
# vim /etc/resolv.conf
search test.com
nameserver 10.0.0.1
3. Enable IP packet forwarding (disabled by default)
# vim /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# sysctl -p
net.ipv4.ip_forward = 1
4. Confirm that the Linux kernel supports iptables NAT and PPP
# lsmod | grep iptable
iptable_nat             6158  0
nf_nat                 22759  1 iptable_nat
nf_conntrack_ipv4       9506  3 iptable_nat,nf_nat
iptable_filter          2793  0
ip_tables              17831  2 iptable_nat,iptable_filter
nf_conntrack           79357  5 iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
# dmesg | grep PPP
[   29.826098] PPP generic driver version 2.4.2
[   29.826196] PPP Deflate Compression module registered
[   29.826198] PPP BSD Compression module registered
[   29.826306] PPP MPPE Compression module registered
[   29.826315] PPPoL2TP kernel driver, V1.0
The "PPP MPPE Compression module registered" line is the one that matters for security: without ppp_mppe the require-mppe-128 option used later cannot be honoured and pppd will refuse to bring sessions up.
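The four checks above are easy to get wrong on a rebuilt host, so here is an added example (it is not part of the original post) that verifies them as a script. Each check is a function that takes the text it inspects as an argument, so it can be exercised against constructed input; run it with --live on the host to read the real files. It assumes the AD DNS server 10.0.0.1 and domain test.com from the post, and in live mode loads iptable_nat, ppp_generic and ppp_mppe with modprobe before reading /proc/modules.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# environment steps above (SELinux, DNS, ip_forward, kernel modules).
# Each check takes the text it inspects as an argument so it can be run
# against constructed input; "--live" reads the real files on the host.
# Assumed values (from the post): AD DNS 10.0.0.1, AD domain test.com.

AD_DNS="${AD_DNS:-10.0.0.1}"
AD_DOMAIN="${AD_DOMAIN:-test.com}"

# 1. /etc/selinux/config: the post disables SELinux; permissive would also
#    keep winbind working. Comment lines start with '#' and are ignored.
selinux_ok() {
    printf '%s\n' "$1" | grep -Eq '^SELINUX=(disabled|permissive)[[:space:]]*$'
}

# 2. /etc/resolv.conf: the first nameserver must be the AD DNS and the
#    search list must contain the AD domain, or "net ads join" cannot
#    locate the domain controllers.
resolv_ok() {
    first_ns=$(printf '%s\n' "$1" | awk '$1=="nameserver"{print $2; exit}')
    in_search=$(printf '%s\n' "$1" |
        awk -v d="$AD_DOMAIN" '$1=="search"{for(i=2;i<=NF;i++) if($i==d) print "y"}')
    [ "$first_ns" = "$AD_DNS" ] && [ -n "$in_search" ]
}

# 3. Forwarding: accepts either the sysctl.conf line or the runtime value
#    read from /proc/sys/net/ipv4/ip_forward.
ip_forward_ok() {
    printf '%s\n' "$1" | grep -Eq '^(net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1|1)[[:space:]]*$'
}

# 4. Module list (/proc/modules or lsmod format, module name in column 1).
#    iptable_nat is needed for masquerading the client pool; ppp_generic
#    and ppp_mppe are needed so pppd can honour require-mppe-128.
modules_ok() {
    for m in iptable_nat ppp_generic ppp_mppe; do
        printf '%s\n' "$1" | awk -v m="$m" '$1==m{found=1} END{exit !found}' || return 1
    done
}

# Live mode: pppd loads the ppp modules on demand, so load them first.
# Modules built into the kernel never appear in /proc/modules; for those
# "modprobe -n <name>" succeeding is the equivalent check.
run_live() {
    rc=0
    for m in iptable_nat ppp_generic ppp_mppe; do modprobe -q "$m" 2>/dev/null || true; done
    selinux_ok "$(cat /etc/selinux/config)"              && echo "ok   selinux"     || { echo "FAIL selinux";     rc=1; }
    resolv_ok "$(cat /etc/resolv.conf)"                  && echo "ok   resolv.conf" || { echo "FAIL resolv.conf"; rc=1; }
    ip_forward_ok "$(cat /proc/sys/net/ipv4/ip_forward)" && echo "ok   ip_forward"  || { echo "FAIL ip_forward";  rc=1; }
    modules_ok "$(cat /proc/modules)"                    && echo "ok   modules"     || { echo "FAIL modules";     rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as root with "sh preflight.sh --live"; the exit status is non-zero if any check fails, so it can gate the rest of the build.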
3. Installing the required components
1. Install the EPEL repository
# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Note that epel-release is fetched over plain HTTP and installed before its signing key is imported, so rpm cannot verify that package's signature at install time; prefer to download the package first, check it with "rpm -K" against the EPEL key obtained out of band, and only then install it and trust the repository.
2. Install PPTP, Samba, heartbeat and Kerberos
# yum install pptpd ppp samba samba-common samba-client heartbeat krb5-libs krb5-workstation krb5-devel -y
(heartbeat is installed here, but its configuration is not covered in this post.)
4. Configuring Samba and Kerberos
1. Configure Samba
# vim /etc/samba/smb.conf
[global]
    # define the netbios name of the domain
    workgroup = TEST
    # define the pptp server netbios name
    netbios name = SK-PPTP-46
    # server description
    server string = pptpd server
    # define the AD domain name
    realm = TEST.COM
    # printer stuff
    printcap name = /etc/printcap
    load printers = no
    # log file stuff
    log file = /var/log/samba/%m.log
    max log size = 50
    # must set to ads
    security = ADS
    # enable encrypt passwords
    encrypt passwords = yes
    # not to be a master browser
    domain master = no
    preferred master = no
    # winbind stuff
    idmap uid = 50001-550000
    idmap gid = 50001-550000
    winbind separator = +
    winbind refresh tickets = yes
    winbind use default domain = no
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
security = ADS together with realm makes this host authenticate against AD as a domain member; winbind separator = + is the separator that appears in names such as TEST+user in wbinfo output, and the idmap ranges give AD users and groups local UIDs and GIDs on this host.
2. Configure Kerberos
# vim /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5/krb5libs.log
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
[libdefaults]
    default_realm = TEST.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    clockskew = 300
[realms]
TEST.COM = {
    kdc = ldap.test.com
    default_domain = test.com
    admin_server = ldap.test.com
}
[domain_realm]
    .test.com = TEST.COM
    test.com = TEST.COM
[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
    try_first_pass = true
}
3. Test Kerberos (the realm name must be written in upper case)
root@SK-PPTP-48:~> kinit -V clavinzjli@TEST.COM
Using default cache: /tmp/krb5cc_0
Using principal: clavinzjli@TEST.COM
Password for clavinzjli@TEST.COM:
Authenticated to Kerberos v5
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: clavinzjli@TEST.COM

Valid starting     Expires            Service principal
12/06/13 11:34:10  12/06/13 21:33:44  krbtgt/TEST.COM@TEST.COM
        renew until 12/07/13 11:34:10
4. Join the TEST domain
# net ads join -U clavinzjli@TEST.COM
clavinzjli@TEST.COM's password:
Using short domain name -- TEST
Joined 'SK-PPTP-46' to realm 'TEST.COM'
The account used for the join needs the right to create computer objects in the domain. From here on winbind authenticates with the machine account created by the join (its trust secret is what wbinfo -t tests below), so the personal ticket obtained with kinit can be discarded with kdestroy.
Note
Be aware that the clock of the machine being joined must not differ from the AD server's by more than 5 minutes, otherwise the join fails with:
(kinit: Clock skew too great while getting initial credentials)
The 5 minutes is the clockskew = 300 value in krb5.conf; keep the host's time synchronized to the domain controllers with NTP so that neither the join nor winbind's later ticket refreshes hit this limit.
5. Starting the services and testing winbind
1. Start the samba, nmb and winbind services
# /etc/init.d/smb start
# /etc/init.d/nmb start
# /etc/init.d/winbind start
2. Test that winbind is working
# wbinfo -t
checking the trust secret for domain TEST via RPC calls succeeded
3. Enable the services at boot
# chkconfig winbind on
# chkconfig nmb on
# chkconfig smb on
6. PPTP configuration
1. Configure /etc/pptpd.conf
# vim /etc/pptpd.conf
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
ppp /usr/sbin/pppd
# Specifies the speed for the PPP daemon to talk at
speed 115200
# Specifies the location of the PPP options file
option /etc/ppp/options.pptpd
# Turn on debugging to syslog
debug
# Use wtmp(5) to record client connections and disconnections
logwtmp
# Specifies the local and remote IP address ranges
localip 10.14.36.46
remoteip 192.168.1.10-240
# Specifies the pid file of pptpd
pidfile /var/run/pptpd.pid
2. Configure /etc/ppp/options.pptpd
# vim /etc/ppp/options.pptpd
######## Authentication ########
# Name of the local system for authentication purposes
name SK-PPTP-46
######## Encryption ########
# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
#refuse-pap
#refuse-chap
#refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
require-mschap-v2
# Require MPPE 128-bit encryption
require-mppe-128
######## Network and Routing ########
# specifies the DNS address
ms-dns 8.8.8.8
# Add an entry to this system's ARP
proxyarp
######## Logging ########
# Enable connection debugging facilities.
debug
######## Miscellaneous ########
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
lock
# Disable BSD-Compress compression
nobsdcomp
nodeflate
nopcomp
noaccomp
######## Plugins ########
# Putting them higher up may cause them to sent messages to the pty
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=S-1-5-21-1333135361-625243220-14044502-190030"
The last two lines are what tie the VPN to AD: the winbind plugin hands each MS-CHAPv2 exchange to ntlm_auth, which checks it against the domain through winbind, and --require-membership-of restricts successful logins to members of the AD group with that SID (resolve a group name to its SID with "wbinfo -n"). Leave require-mschap-v2 and require-mppe-128 in place: with PAP or CHAP allowed, or MPPE optional, a client could negotiate a session that sends credentials or traffic without encryption.
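The --require-membership-of SID on the helper line is the only thing standing between "any AD account" and "members of one AD group", so it is worth verifying outside pppd before clients are pointed at the server. The following is an added example (not from the original post) that resolves the group SID with wbinfo -n, audits /etc/ppp/options.pptpd for the settings that must stay in place, and then runs the same ntlm_auth call the winbind.so plugin makes. It assumes the permitted group is named VPN-Users in domain TEST (the post gives only its SID) and the "+" winbind separator from smb.conf; both are overridable through environment variables.

```sh
#!/bin/sh
# Added example, not from the original post: check that ntlm_auth admits a
# VPN user exactly as the winbind.so plugin in options.pptpd will, and audit
# the options file for the settings that must stay in place.
# Assumptions: the permitted AD group is named "VPN-Users" in domain TEST
# (the post gives only its SID) and winbind separator is "+" as in smb.conf.

DOMAIN="${DOMAIN:-TEST}"
VPN_GROUP="${VPN_GROUP:-VPN-Users}"
OPTIONS_FILE="${OPTIONS_FILE:-/etc/ppp/options.pptpd}"

# "wbinfo -n 'TEST+VPN-Users'" prints a line such as
#   S-1-5-21-1333135361-625243220-14044502-190030 SID_DOM_GROUP (2)
# Extract the SID, insisting that the name resolved to a domain group and
# not to a user or a well-known alias.
sid_from_wbinfo() {
    printf '%s\n' "$1" | awk '$2=="SID_DOM_GROUP" && $1 ~ /^S-1-5-21-/ {print $1; exit}'
}

# Audit the text of options.pptpd: MS-CHAPv2 and 128-bit MPPE must be
# required, the winbind plugin loaded, and its helper line must carry
# --require-membership-of with the expected SID; without it every AD
# account with a valid password can open the tunnel.
options_ok() {
    opts="$1"; sid="$2"
    printf '%s\n' "$opts" | grep -Eq '^require-mschap-v2[[:space:]]*$' || return 1
    printf '%s\n' "$opts" | grep -Eq '^require-mppe-128[[:space:]]*$'  || return 1
    printf '%s\n' "$opts" | grep -Eq '^plugin[[:space:]]+winbind\.so'  || return 1
    printf '%s\n' "$opts" | grep -E '^ntlm_auth-helper' |
        grep -qF -- "--require-membership-of=$sid"
}

# Live check: resolve the group SID through winbind, confirm the helper line
# references it, then run the same ntlm_auth call pppd would. ntlm_auth
# exits 0 only if the password is correct AND the user is in the group.
# (--password puts the secret in the process list: acceptable for a one-off
# admin test on this host, not for anything scripted.)
check_vpn_user() {
    user="$1"
    sid=$(sid_from_wbinfo "$(wbinfo -n "${DOMAIN}+${VPN_GROUP}")")
    [ -n "$sid" ] || { echo "group ${DOMAIN}+${VPN_GROUP} not found via winbind"; return 1; }
    options_ok "$(cat "$OPTIONS_FILE")" "$sid" ||
        { echo "$OPTIONS_FILE does not require MS-CHAPv2 + MPPE-128 + membership of $sid"; return 1; }
    printf 'Password for %s+%s: ' "$DOMAIN" "$user"
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo
    if ntlm_auth --username="$user" --domain="$DOMAIN" --password="$pw" --require-membership-of="$sid"; then
        echo "ALLOW ${DOMAIN}+${user}: member of $sid"
    else
        echo "DENY  ${DOMAIN}+${user}: wrong password or not a member of $sid"; return 1
    fi
}

if [ $# -ge 1 ]; then check_vpn_user "$1"; fi
```

Run "sh vpn-authcheck.sh someuser" as root on the server: a user with a correct password who is not in the group must be reported as DENY, which is exactly the behaviour pppd will enforce once the helper line is in place.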
3. Extra MTU setting (for XP clients)
# vim /etc/ppp/ip-up
#!/bin/bash
# This file should not be modified -- make local changes to
# /etc/ppp/ip-up.local instead
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
ifconfig $1 mtu 1496
...
As the file's own header says, ip-up is replaced on package upgrades, so the ifconfig line is better placed in /etc/ppp/ip-up.local, which ip-up runs with the same arguments ($1 is the ppp interface name in both).
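The post enables ip_forward and checks for iptable_nat but never shows the firewall rules that let PPTP in and the 192.168.1.x pool out. As an added example (not part of the original post), the script below emits them: TCP 1723 for the control connection, IP protocol 47 (GRE) for the tunnel, forwarding and masquerading for the pool, plus MSS clamping on forwarded TCP SYNs, which addresses the same path-MTU problem the ip-up tweak above works around. It assumes an uplink interface eth0 and the pool 192.168.1.0/24 (which contains the post's remoteip range); both can be overridden.

```sh
#!/bin/sh
# Added example, not from the original post: the packet-filter rules that
# the ip_forward and iptable_nat checks presuppose. pptpd needs TCP 1723
# for control and IP protocol 47 (GRE) for the tunnel itself; the client
# pool from pptpd.conf is then masqueraded out of the server's uplink.
# Assumptions: uplink interface eth0 and pool 192.168.1.0/24 (the post uses
# remoteip 192.168.1.10-240 inside that /24); both are overridable.

WAN_IF="${WAN_IF:-eth0}"
VPN_POOL="${VPN_POOL:-192.168.1.0/24}"

# Emit the rules as text so they can be reviewed (or tested) before anything
# touches the live firewall. Rules are appended with -A; adjust if an
# existing ruleset already ends in a DROP.
pptp_rules() {
    wan="$1"; pool="$2"
    cat <<EOF
iptables -A INPUT -i $wan -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $wan -p 47 -j ACCEPT
iptables -A FORWARD -i ppp+ -s $pool -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o ppp+ -d $pool -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE
EOF
}

# Count of rules a caller can sanity-check against before applying.
pptp_rule_count() {
    pptp_rules "$1" "$2" | wc -l | tr -d ' '
}

# "--apply" runs the rules through sh -e so the first failing iptables call
# stops the script; anything else just prints them.
if [ "${1:-}" = "--apply" ]; then
    pptp_rules "$WAN_IF" "$VPN_POOL" | sh -e && echo "applied $(pptp_rule_count "$WAN_IF" "$VPN_POOL") rules"
else
    pptp_rules "$WAN_IF" "$VPN_POOL"
fi
```

On EL6 the rules live only in memory until "service iptables save" writes them to /etc/sysconfig/iptables; the GRE rule uses the protocol number so it does not depend on /etc/protocols naming it "gre".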