Posted on 2009/02/19 13:29
Filed Under 리눅스기술문서/서버관련 조회수: view 78303

PPTP를 이용한 VPN 서버 만들기! (CentOS 4) 
OS : CentOS 4
커널 : 2.6.9-42.0.3.ELsmp
# rpm -qa|grep kernel 확인해서 kernel-devel 패키지가 있는지 확인하고 없으면 설치한다.
Kernel-devel RPM을 YUM으로 설치하면 편합니다.

# yum install kernel-devel

pptpd(VPN) 구성을 위해 필요한 패키지 목록
URL : http://poptop.sourceforge.net/dox/redhat-howto.phtml 

dkms-2.0.10-1.noarch.rpm 
kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm 
ppp-2.4.3-5.rhel4.i386.rpm 
pptpd-1.3.3-1.rhel4.i386.rpm

# rpm -Uvh dkms-2.0.10-1.noarch.rpm
# rpm -Uvh kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm
# rpm -Uvh ppp-2.4.3-5.rhel4.i386.rpm
# rpm -ivh pptpd-1.3.3-1.rhel4.i386.rpm
패키지 설치 완료!!!

이제 다음 환경 파일을 수정해 보자!
[root@Linux etc]# vi /etc/pptpd.conf
###############################################################################
# $Id: pptpd.conf,v 1.10 2006/09/04 23:30:57 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
#       Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
#       Specifies the location of the PPP options file.
#       By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd
# TAG: debug
#       Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
#       Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam
# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
logwtmp
# TAG: bcrelay <if>
#       Turns on broadcast relay to clients from interface <if>
#
#
#bcrelay eth1
# TAG: delegate
#       Delegates the allocation of client IP addresses to pppd.
#
#       Without this option, which is the default, pptpd manages the list of
#       IP addresses for clients and passes the next free address to pppd.
#       With this option, pptpd does not pass an address, and so pppd may use
#       radius or chap-secrets to allocate an address.
#
#delegate
# TAG: connections
#       Limits the number of client connections that may be accepted.
#
#       If pptpd is allocating IP addresses (e.g. delegate is not
#       used) then the number of connections is also limited by the
#       remoteip option.  The default is 100.
#connections 100
# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       These options are ignored if delegate option is set.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses seperated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than the value of connections,
#          it will start at the beginning of the list and go until it
#          gets connections IPs.  Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245


================================================================================
[root@Linux ppp]# vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
계정            pptpd   암호                       *
id                pptpd   password                *

=================================================================================
[root@Linux ppp]# vi /etc/ppp/options.pptpd
###############################################################################
# $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $
#
# Sample Poptop PPP options file /etc/ppp/options.pptpd
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection.  See "man pppd".
#
# You are expected to change this file to suit your system.  As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################

# Authentication
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain

# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use.)

# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#require-mppe-128     <-- 주석처리함.## 활성화 시키지 않아도  mschap-v2때문에 128비트 암호화 됨.
# }}}                                  특정 URL 접속이 됩니다.(다음,네이버 등등...)
# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40        # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
# }}}

# Network and Routing
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
ms-dns 210.104.1.3               <-- 주석 제거하고 DNS 입력
ms-dns 168.126.63.1
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Normally pptpd passes the IP address to pppd, but if pptpd has been
# given the delegate option in pptpd.conf or the --delegate command line
# option, then pppd will use chap-secrets or radius to allocate the
# client IP address.  The default local IP address used at the server
# end is often the same as the address of the server.  To override this,
# specify the local IP address here.
# (you must not use this unless you have used the delegate option)
#10.8.0.100

# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump

# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
# Disable Van Jacobson compression
# (needed on some networks with Windows 9x/ME/XP clients, see posting to
# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2  )
novj
novjccomp
# turn off logging to stderr, since this may be redirected to pptpd,
# which may trigger a loopback
nologfd
# put plugins here
# (putting them higher up may cause them to sent messages to the pty)
=============================================================================

방화벽 설정 부분입니다.
VPN 접속을 위한 설정
iptables --append INPUT --protocol 47 --jump ACCEPT
iptables --append INPUT --protocol tcp --match tcp --destination-port 1723 --jump ACCEPT

인터넷 공유 관련
echo "1" > /proc/sys/net/ipv4/ip_forward                 <-- /etc/sysctl.conf 수정
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

/etc/sysconfig/iptables
===================================================================================
# Generated by iptables-save v1.2.11 on Wed Jan 10 15:17:43 2007
*nat
:PREROUTING ACCEPT [10:584]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE                                      <-- eth0 로 MASQUERADE(인터넷 공유)
COMMIT
# Completed on Wed Jan 10 15:17:43 2007
# Generated by iptables-save v1.2.11 on Wed Jan 10 15:17:43 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [387:86918]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p gre -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited         <-- 요고 주석처리 안하면 VPN 접속 안됩니다. ^^
COMMIT
# Completed on Wed Jan 10 15:17:43 2007
====================================================================================

마지막으로 데몬 재기동 시켜 보자!
# service iptables restart
# service pptpd restart


클라이언트 설정
Clients configuration
Windows XP:
Start / Connection / Show Connection / Crate a new connection
"보안 옵션에서 데이터 암호화 필요(없으면 연결 끊기)(I)" 체크를 제거한다.
첨부파일 참조 ^^;
체크 제거를 안하면 접속이 안됩니다. ^^;

참고사이트 :
http://poptop.sourceforge.net/dox/ 
http://pptpclient.sourceforge.net/howto-fedora-core-4.phtml 
http://www.shorewall.net/PPTP.htm 
http://quozl.linux.org.au/pptp/pptpd.conf.5.html 
http://kldp.org/node/73417 
http://poptop.sourceforge.net/dox/replacing-windows-pptp-with-linux-howto.phtml 
http://sourceforge.net/mailarchive/forum.php?thread_id=31188132&forum_id=8250 
http://www.shorewall.net/three-interface.htm#id2504154 


Writer profile
author image
-아랑 -
2009/02/19 13:29 2009/02/19 13:29

트랙백 주소 : 이 글에는 트랙백을 보낼 수 없습니다

  1. Subject : grosir baju garmen

    Tracked from grosir baju garmen / 2015/01/08 23:49  삭제

    시스템 엔지니어 공동 관리 구역 :: PPTP를 이용한 VPN 서버 만들기! (CentOS 4)

  2. Subject : toket

    Tracked from toket / 2015/03/14 18:08  삭제

    시스템 엔지니어 공동 관리 구역 :: PPTP를 이용한 VPN 서버 만들기! (CentOS 4)

  3. Subject : clash of clans generator

    Tracked from clash of clans generator / 2015/04/27 10:48  삭제

    시스템 엔지니어 공동 관리 구역 :: PPTP를 이용한 VPN 서버 만들기! (CentOS 4)

About

by 서진우
Twitter :@muchunalang

Counter

• Total
: 4244807
• Today
: 957
• Yesterday
: 1584