http://www.phparchitecture.com/howto_show.php?id=3&showall
The patches, and where to get them, are mainly at:
http://mppe-mppc.alphacron.de/
Just as with my Postfix HOWTO I am
going to share my experiences in setting up a working PPTP VPN server. I
decided to write this after I saw a lack of concise documentation for the
current versions of PoPToP and the current Linux kernel.
By the end of this document you will hopefully achieve what I
have:
To start off, you will use the following
applications/patches:
Updates: 08/16/04: After countless hours of scratching my
head trying to figure this out on a VPN server I'm setting up, I finally figured
it out. Even though the MPPE patch was enabled in the kernel, it wasn't being
recognized by pppd. After reading Jan's site I noticed that I had to enable SHA1
and RC4 encryption in the kernel. Recompiled and voilà, works again.
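The update above describes the symptom of a kernel built without the SHA1 and ARC4 (the kernel's name for RC4) algorithms that MPPE needs. The script below is an added example, not part of the original HOWTO: before a connection attempt it checks /proc/crypto for those two algorithm names, and afterwards it pulls the negotiated MPPE key length out of a syslog file using the "MPPC/MPPE ... enabled" line the patched pppd writes (the same line appears in the connection log later on this page). File paths are parameters so both functions can be run against saved copies; the log lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: pre- and post-connection checks
# for the MPPE/MPPC setup described on this page.

# crypto_has_algs FILE ALG...
# Return 0 if every ALG appears as a "name : ALG" entry in FILE, which is
# expected to be /proc/crypto (or a saved copy of it). MPPE needs the kernel
# to provide "sha1" and "arc4"; these are the 2.6-era /proc/crypto names.
crypto_has_algs() {
    file=$1
    shift
    missing=""
    for alg in "$@"; do
        # /proc/crypto has one "name : <alg>" line per registered algorithm
        if ! grep -Eq "^name[[:space:]]*:[[:space:]]*${alg}[[:space:]]*\$" "$file"; then
            missing="$missing $alg"
        fi
    done
    if [ -n "$missing" ]; then
        echo "kernel crypto algorithms missing:$missing (enable SHA1 and ARC4 in the kernel config)" >&2
        return 1
    fi
    return 0
}

# mppe_bits_from_log FILE
# Print the key length from the last "MPPC/MPPE <n>-bit ... enabled" line in
# FILE (a syslog file such as /var/log/messages). Print nothing and return 1
# if no MPPE session was negotiated in FILE.
mppe_bits_from_log() {
    bits=$(sed -n 's/.*MPPC\/MPPE \([0-9][0-9]*\)-bit.*enabled.*/\1/p' "$1" | tail -n 1)
    [ -n "$bits" ] || return 1
    echo "$bits"
}

# Live check, only when invoked as:  sh mppe-check.sh check [/var/log/messages]
if [ "${1:-}" = "check" ]; then
    log=${2:-/var/log/messages}
    crypto_has_algs /proc/crypto sha1 arc4 && echo "kernel crypto: ok"
    if bits=$(mppe_bits_from_log "$log"); then
        echo "last MPPE session in $log used ${bits}-bit keys"
    else
        echo "no MPPE session found in $log" >&2
    fi
fi
```

Run the crypto check after booting the patched kernel and before starting pptpd; if it reports a missing algorithm, pppd will silently fall back to no MPPE (or refuse the call with "mppe required"), which is exactly the behaviour the update describes.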
Installing and Patching Sources
Linux Kernel
I normally extract my kernel source into /usr/src and link to "linux".
Extract the kernel, put the Kernel patch (linux-2.6.6-mppe-mppc-1.0.patch.gz)
into the same directory, extract it, and patch the kernel as follows. Finally
install it as you normally do.
$ tar zxvf linux-2.6.6.tar.gz
$ ln -s linux-2.6.6 linux
$ gunzip linux-2.6.6-mppe-mppc-1.0.patch.gz
$ patch -p0 -i linux-2.6.6-mppe-mppc-1.0.patch
$ cd linux
$ make menuconfig (or the config tool of your choice)
  Go to Device Drivers -> Networking Options -> select "PPP support" and then
  select "Microsoft PPP compression/encryption (MPPC/MPPE)". Also enable SHA1
  and ARC4 (RC4) under Cryptographic options; without them pppd will not use
  MPPE (see the 08/16/04 update above).
$ make bzImage
PPP
After you finish patching and compiling the kernel (hopefully you have boot
into it by now), it's now time to patch and install a copy of pppd. Make sure
you have the pppd patch in the same directory as the pppd tar.gz
(ppp-2.4.2-mppe-mppc-1.0.patch.gz).
$ tar zxvf ppp-2.4.2.tar.gz
$ gunzip ppp-2.4.2-mppe-mppc-1.0.patch.gz
$ patch -p0 -i ppp-2.4.2-mppe-mppc-1.0.patch
$ cd ppp-2.4.2
$ ./configure
$ make
$ make install (as root)
PoPToP (pptpd)
Finally we compile and install a copy of the PoPToP PPTPD.
$ tar zxvf pptpd-1.1.4-b4.tar.gz
$ cd poptop-1.1.4
$ ./configure
$ make
$ make install (as root)
Now for configuring all of this.
Configuration
PoPToP (pptpd)
First let's setup the configuration file for PoPToP. By default it resides in
/etc/pptpd.conf. Here is my configuration file:
option /etc/ppp/options-pptpd
localip 172.19.1.6
remoteip 172.19.1.30-50
Let's go over this line-by-line. The first line specifies the pppd
configuration file, for the sake of this document (and my setup), we're going to
use /etc/ppp/options-pptpd.
The second line is set to the IP address of the server's network interface
(in my case, 172.19.1.6).
The line after that tells the daemon what IP addresses to assign to
incoming clients that connect to the server. In my configuration file it will
give out the IP addresses 172.19.1.30 to 172.19.1.50.
pppd
In the last section we set up the configuration file for our pptpd daemon. In
the first line we specified the pppd configuration file. This is the one we're
going to configure next. NOTE: for security's sake, MAKE SURE that the
/etc/ppp directory and everything in it are chmod'ed 700 and only root owns it.
My options-pptpd file looks like this:
name *
lock
mtu 1450
mru 1450
proxyarp
auth
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
# Handshake Auth Method
+chap
+mschap-v2
# Data Encryption Methods
mppe required
The two lines that I had trouble with are the mschap-v2 and mppe lines.
My first mistake was that instead of putting "+mschap-v2" I was putting
"chapms-v2" as I had in my configuration file that used an older version of
pppd. Oddly enough pppd would not error out on this, but eventually after
searching Google I was able to find the correct syntax.
And lastly, I was not using the right syntax for the MPPE patch. Even though
Jan Dubiec mentioned on his page that he uses a different syntax for initiating
his patch, I neglected to pay attention to that and used the common "+mppe-128"
line.
chap-secrets
Now we need to create the chap-secrets file. It belongs in
/etc/ppp/chap-secrets. It is very important that this file be accessible by only
root and no one else, as it contains plaintext passwords.
# Client     Server     Password         IP Address
Serge        *          stupidpassword   *
This will allow the user "Serge" with the password "stupidpassword" to
connect to this VPN server from any IP address.
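The two files from the pppd and chap-secrets sections above, as an installer script that is an added example and not part of the original HOWTO. It writes options-pptpd and chap-secrets into a directory (default /etc/ppp) under a 077 umask and then enforces the rule the text insists on: the directory and the secrets file must have no group or other permission bits, and, when run as root, must be owned by root. Two lines differ from the author's file and are assumptions of this example: +chap +mschap-v2 is replaced by require-mschap-v2 alone, so the server asks for MS-CHAPv2 and never falls back to CHAP-MD5 if a client asks for it, and refuse-pap, refuse-chap and refuse-mschap (standard pppd 2.4.2 authentication options, assumed to survive the mppe-mppc patch) keep pppd from ever authenticating itself with anything weaker. The "mppe required" line keeps the syntax the HOWTO found to work. Remember that MPPE's RC4 session keys are derived from the MS-CHAPv2 exchange, which in turn depends only on the password in chap-secrets, so that password is the whole security of the tunnel. The user name, password and scratch directory used in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: writes the pppd options file and
# chap-secrets for the PoPToP setup on this page and verifies their permissions.

# options_pptpd NAME
# Print the pppd options file. NAME is pppd's local name, used to match the
# "server" column of chap-secrets (the HOWTO uses "*").
options_pptpd() {
    cat <<EOF
name $1
lock
mtu 1450
mru 1450
proxyarp
auth
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
# Handshake Auth Method: MS-CHAPv2 only (assumed standard pppd 2.4.2 options)
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# Data Encryption Methods (mppe-mppc patch syntax, as in the HOWTO)
mppe required
EOF
}

# chap_secrets_entry CLIENT SERVER SECRET ADDRESSES
# Print one chap-secrets line; the secret is quoted so spaces survive.
chap_secrets_entry() {
    printf '%s\t%s\t"%s"\t%s\n' "$1" "$2" "$3" "$4"
}

# private_to_owner PATH
# Return 0 if PATH exists and has no group or other permission bits at all
# (columns 5-10 of "ls -ld" are the group/other rwx bits).
private_to_owner() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# owned_by_root PATH
owned_by_root() {
    [ "$(ls -ld "$1" | awk '{ print $3 }')" = "root" ]
}

# install_ppp_config DIR USER PASSWORD
# Create DIR/options-pptpd and DIR/chap-secrets, then refuse to finish unless
# they are private. Ownership is enforced only when running as root, which a
# real install into /etc/ppp is.
install_ppp_config() {
    dir=$1
    (
        umask 077                      # new files rw-------, new dirs rwx------
        mkdir -p "$dir" && chmod 700 "$dir"
        options_pptpd '*' > "$dir/options-pptpd"
        {
            printf '# Client\tServer\tPassword\tIP Address\n'
            chap_secrets_entry "$2" '*' "$3" '*'
        } > "$dir/chap-secrets"
        chmod 600 "$dir/chap-secrets"
    ) || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$dir"
        owned_by_root "$dir/chap-secrets" || { echo "$dir/chap-secrets is not owned by root" >&2; return 1; }
    fi
    if ! private_to_owner "$dir" || ! private_to_owner "$dir/chap-secrets"; then
        echo "$dir or $dir/chap-secrets is readable by others; refusing to continue" >&2
        return 1
    fi
}

# Usage (constructed account, run as root for a real install):
#   install_ppp_config /etc/ppp Serge stupidpassword
```

After installing, a quick sanity check is to run private_to_owner against every file under /etc/ppp; pppd itself does not refuse to start on a world-readable chap-secrets, so nothing else will catch it.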
Start Up
Now let's start everything up and see if it works (*crosses fingers*).
Start pptpd:
$ /usr/local/sbin/pptpd (as root)
Let's check our /var/log/messages file to make sure it didn't fail...
Jun 1 11:00:43 merlot pptpd[10611]: MGR: Manager process started
Jun 1 11:00:43 merlot pptpd[10611]: MGR: Maximum of 21 connections available
Looks good!
Go to your Windows client (XP Pro in my case) and open "Network Connections."
Start the "New Connection Wizard." Choose "connect to the network at my workplace" ->
Choose "Virtual Private Network connection" ->
Enter a name for your connection ->
Enter the hostname of the VPN server ->
Click finish.
Go to the properties of this new connection. Click on the "Networking" tab ->
Double click on "Internet Protocol (TCP/IP)" ->
Click on "Advanced..." ->
Untick "Use default gateway on remote network."
This will prevent all your Internet traffic from running through the VPN
server (not necessary to do this, but I do). Now for the real moment of
truth. Trying to connect...
Connect
Enter your username and password in the connection dialog box and click
"Connect." Monitor your /var/log/messages file, you should see something like
this:
Jun 1 11:11:32 merlot pptpd[10633]: CTRL: Client 172.19.1.89 control connection started
Jun 1 11:11:32 merlot pptpd[10633]: CTRL: Starting call (launching pppd, opening GRE)
Jun 1 11:11:32 merlot pppd[10634]: pppd 2.4.2 started by root, uid 0
Jun 1 11:11:32 merlot pppd[10634]: Using interface ppp0
Jun 1 11:11:32 merlot pppd[10634]: Connect: ppp0 <--> /dev/pts/77
Jun 1 11:11:35 merlot pppd[10634]: MPPC/MPPE 128-bit stateful compression enabled
Jun 1 11:11:38 merlot pppd[10634]: found interface eth0 for proxy arp
Jun 1 11:11:38 merlot pppd[10634]: local IP address 172.19.1.6
Jun 1 11:11:38 merlot pppd[10634]: remote IP address 172.19.1.31
If you see this... CONGRATULATIONS! You have successfully
set up a Linux-based PPTP VPN server capable of MPPC and MPPE using MS-CHAP v2
for handshake authentication.
VPN Server Behind Firewall (optional)
In the event that your VPN server is behind a Linux (iptables) firewall and
you want to have access to it from the Internet, follow these quick
instructions:
First of all, you must have "IP: GRE tunnels over IP" and "IP: broadcast GRE
over IP" support in your kernel. Make sure you have that done, or else this
might not work.
To forward the PPTP ports from your router's external interface
(eth1 in my case, eth0 is my internal
interface, 172.19.1.6 is my VPN server's internal IP) to your
VPN server, use this iptables rule set:
$ /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1723 -j DNAT --to 172.19.1.6
$ /sbin/iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 172.19.1.6 --dport 1723 -j ACCEPT
$ /sbin/iptables -A FORWARD -i eth1 -o eth0 -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ /sbin/iptables -t nat -A PREROUTING -i eth1 -p 47 -j DNAT --to 172.19.1.6
Conclusion
Hope that this document has helped some of you in some way or another. Happy
VPN'ing!
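The iptables rules from the "VPN Server Behind Firewall" section, as a script that is an added example and not part of the original HOWTO. It takes the interface names and the server's inside address as parameters and adds two things the four rules on the page leave implicit: the VPN server's replies have to be allowed back out through FORWARD as well (the server may even send the first GRE packet once a call is set up, so NEW is permitted outbound for GRE from its address), and GRE carries no port numbers, so this DNAT sends every inbound GRE packet to one server; a second PPTP server cannot share the same public address this way. Outbound NAT for the inside network is assumed to exist already on the router. Set IPTABLES=echo to print the commands instead of applying them; the interface names and address in the usage are the HOWTO's own.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: PPTP port-forwarding rules for a
# Linux router in front of the VPN server, with the return path included.

IPTABLES=${IPTABLES:-/sbin/iptables}   # IPTABLES=echo for a dry run

# pptp_forward_rules EXT_IF INT_IF VPN_IP
# Apply (or, with IPTABLES=echo, print) the rules. Must run as root to apply.
pptp_forward_rules() {
    ext=$1; int=$2; vpn=$3

    # Control channel, TCP/1723: rewrite the destination, allow it through,
    # and let the server's replies back out.
    $IPTABLES -t nat -A PREROUTING -i "$ext" -p tcp --dport 1723 -j DNAT --to "$vpn"
    $IPTABLES -A FORWARD -i "$ext" -o "$int" -p tcp -d "$vpn" --dport 1723 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$int" -o "$ext" -p tcp -s "$vpn" --sport 1723 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Data channel, IP protocol 47 (GRE). GRE has no ports, so every inbound
    # GRE packet on $ext is handed to $vpn: only one PPTP server can sit
    # behind this public address.
    $IPTABLES -t nat -A PREROUTING -i "$ext" -p 47 -j DNAT --to "$vpn"
    $IPTABLES -A FORWARD -i "$ext" -o "$int" -p 47 -d "$vpn" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Either end may send the first GRE packet of a call, so NEW is allowed
    # from the server's address in this direction too.
    $IPTABLES -A FORWARD -i "$int" -o "$ext" -p 47 -s "$vpn" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Usage:  sh pptp-fw.sh eth1 eth0 172.19.1.6
#         IPTABLES=echo sh pptp-fw.sh eth1 eth0 172.19.1.6    (print only)
if [ $# -eq 3 ]; then
    pptp_forward_rules "$1" "$2" "$3"
fi
```

Run it with IPTABLES=echo first and compare the six lines against the rules above; the first, second, fourth and fifth lines are the HOWTO's rules with the stateful match added to the TCP one, and the other two are the return path.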