OpenVPN on Windows 7 or Windows 2003 sometimes runs into the following problem:

Thu Apr 07 23:13:51 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.0.4/255.255.255.0 on interface {8FE77B49-DAF1-492B-881F-B15C991EF754} [DHCP-serv: 192.168.0.0, lease-time: 31536000]

Thu Apr 07 23:13:51 2011 NOTE: FlushIpNetTable failed on interface [15] {8FE77B49-DAF1-492B-881F-B15C991EF754} (status=5) : 拒绝访问。
Thu Apr 07 23:13:52 2011 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Apr 07 23:13:52 2011 route ADD 192.168.1.0 MASK 255.255.255.0 192.168.0.1
Thu Apr 07 23:30:54 2011 ROUTE: route addition failed using CreateIpForwardEntry: 至少有一个参数不正确。  [if_index=15]
Thu Apr 07 23:30:54 2011 Route addition via IPAPI failed
Thu Apr 07 23:30:54 2011 Initialization Sequence Completed

 

Regarding

NOTE: FlushIpNetTable failed on interface [15] {8FE77B49-DAF1-492B-881F-B15C991EF754} (status=5) : 拒绝访问。

this message shows up mostly on Windows 2003. The likely cause is that the Windows 2003 Routing and Remote Access service is running; stopping that service should fix it.

 

Regarding

ROUTE: route addition failed using CreateIpForwardEntry: 至少有一个参数不正确。

this can be fixed by adding the following three options to the configuration file:

script-security 3
route-method exe
route-delay 2

route-method exe makes OpenVPN add routes by running route.exe instead of the IP helper API. In OpenVPN 2.1 and later route.exe counts as a built-in executable that the default script-security level 1 already allows; level 3 additionally lets passwords be passed to scripts through environment variables, so use the lowest level that works in your setup.

Also note that on Windows 7 OpenVPN must be run with administrator privileges, otherwise adding routes fails for lack of permission.

To reach the servers in the datacenter more securely and conveniently, we set up an OpenVPN tunnel between the office and the datacenter.

Office LAN segment: 192.168.20.0/24

Datacenter LAN segment: 192.168.1.0/24

Segment used by OpenVPN: 10.0.0.0/24

Both server and client run CentOS Linux 5.x.

 

1) Installing OpenVPN:

I installed it directly with yum from the rpmforge repository:

# yum install -y openvpn

Install it the same way on both client and server. If rpmforge is not set up on the machine, first run:

# rpm -ivh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

 

2) Server configuration

a) Generate the server certificates:

# cp -rf /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0 /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa/

# vim vars
Change the following lines to suit your own setup:
export KEY_COUNTRY=CN
export KEY_PROVINCE=SHANGHAI
export KEY_CITY=SHANGHAI
export KEY_ORG="SHOFFICE"
export KEY_EMAIL="test@gmail.com"

# chmod 755 *

# source ./vars
# ./clean-all
# ./build-ca
# ./build-dh
# ./build-key-server server
# openvpn --genkey --secret keys/ta.key

Then copy the following files into /etc/openvpn (server.conf below references all of them; ta.key is the shared tls-auth HMAC key generated by the last command):
keys/ca.crt
keys/server.crt
keys/server.key
keys/dh1024.pem
keys/ta.key

b) Next, generate the client keys
# cd /etc/openvpn/easy-rsa/
# source ./vars
# ./build-key client1
# ./build-key client2
# ./build-key client3

This generates keys for the three clients client1, client2 and client3; they end up in the keys directory. Send

ca.crt

clientx.crt

clientx.csr

clientx.key

ta.key

to the respective client, where x stands for 1, 2, 3 ... (the .csr is only the signing request and is not needed by the client; keep each clientx.key private to that client).

 

c) Server configuration:
# vim /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
mode server
tls-server
server 10.0.0.0 255.255.255.0
link-mtu 1300
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
client-to-client
keepalive 5 30
tls-auth ta.key 0
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3

 

Assign each client its IP addresses:

# cd /etc/openvpn
# mkdir ccd
# vim ccd/client1
ifconfig-push 10.0.0.2 10.0.0.1
# vim ccd/client2
ifconfig-push 10.0.0.5 10.0.0.6

# vim ccd/client3
ifconfig-push 10.0.0.9 10.0.0.10
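Under the default net30 topology each ifconfig-push pair has to be the two host addresses of one /30 (the Windows TAP driver insists on this, which is why the pairs above step by four), and the first /30 of the pool belongs to the server itself (server 10.0.0.0 255.255.255.0 expands to ifconfig 10.0.0.1 10.0.0.2). The following Python is an added example, not part of the original article: it lists the usable pairs for the pool and checks a ccd entry against those rules. VPN_POOL and the entries it tests are taken from the configuration above.

```python
import ipaddress

# Constructed value: the "server 10.0.0.0 255.255.255.0" pool from server.conf above
VPN_POOL = "10.0.0.0/24"


def server_net30(pool):
    """The first /30 of the pool is taken by the server itself under the default
    net30 topology ("server 10.0.0.0 255.255.255.0" expands to
    "ifconfig 10.0.0.1 10.0.0.2"), so no client may be pushed into it."""
    return next(ipaddress.ip_network(pool).subnets(new_prefix=30))


def net30_pairs(pool):
    """List every (client_ip, peer_ip) pair that ifconfig-push can hand out for
    this pool: one /30 per client, using its two host addresses and skipping the
    server's own /30. Which of the two is the client side is a convention; the
    OpenVPN documentation gives the client the higher address."""
    pairs = []
    for sub in ipaddress.ip_network(pool).subnets(new_prefix=30):
        if sub == server_net30(pool):
            continue
        low, high = sub.hosts()
        pairs.append((str(high), str(low)))
    return pairs


def check_ifconfig_push(client_ip, peer_ip, pool=VPN_POOL):
    """Validate one 'ifconfig-push CLIENT PEER' ccd entry for net30 topology.
    Returns (ok, reason)."""
    client, peer = ipaddress.ip_address(client_ip), ipaddress.ip_address(peer_ip)
    net = ipaddress.ip_network(pool)
    if client not in net or peer not in net:
        return False, "address outside the VPN pool"
    if client == peer:
        return False, "client and peer addresses are identical"
    block = ipaddress.ip_network(f"{client}/30", strict=False)
    if peer not in block:
        return False, "client and peer are not in the same /30"
    if {client, peer} & {block.network_address, block.broadcast_address}:
        return False, "network or broadcast address of the /30 used"
    if block == server_net30(pool):
        return False, "this /30 belongs to the server's own tun endpoint"
    return True, "ok"


if __name__ == "__main__":
    # The three ccd entries from this article, plus two deliberately wrong ones
    for entry in [("10.0.0.2", "10.0.0.1"), ("10.0.0.5", "10.0.0.6"),
                  ("10.0.0.9", "10.0.0.10"), ("10.0.0.6", "10.0.0.9"),
                  ("10.0.0.4", "10.0.0.5")]:
        print(entry, check_ifconfig_push(*entry))
    print(len(net30_pairs(VPN_POOL)), "clients fit in", VPN_POOL)
```

Run against the three entries above, the checker accepts client2 and client3 and flags client1, whose 10.0.0.2/10.0.0.1 pair overlaps the server's own endpoint; any other free /30 of the pool (10.0.0.13/10.0.0.14, for instance) avoids the clash. Both orders of a pair lie in the same /30, so either works on the wire.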

 

That completes the server-side OpenVPN configuration; start the service:

# service openvpn start

 

d) Server-side iptables configuration:
# vim /etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j SNAT --to-source 192.168.1.135
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

A few points to note:

-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j SNAT --to-source 192.168.1.135

This lets clients reach the server's LAN. If you want clients to share this server's Internet connection instead, change 192.168.1.135 to the server's public IP, and of course change -o eth1 to the matching interface.

-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT

OpenVPN's port 1194 must be opened.

-A RH-Firewall-1-INPUT -s 10.0.0.0/24 -j ACCEPT

Traffic from the OpenVPN segment must be allowed through.
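The three points above can be checked mechanically. The following Python is an added example, not from the article: a small parser for iptables-save output and an audit that confirms, following jumps into user-defined chains, that UDP 1194 is accepted, that 10.0.0.0/24 is accepted on both INPUT and FORWARD, and that the POSTROUTING SNAT for 10.0.0.0/24 exists. SERVER_RULES is a constructed excerpt of the ruleset above; rule order and shadowing by earlier rules are not evaluated.

```python
import shlex
from collections import defaultdict

# Constructed sample: the rules from the server's /etc/sysconfig/iptables above
# that matter for the VPN (the unrelated service rules are left out).
SERVER_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j SNAT --to-source 192.168.1.135
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG",
                    "SNAT", "DNAT", "MASQUERADE", "REDIRECT"}


def parse_iptables_save(text):
    """Parse iptables-save output into {table: [(chain, options)]}. Only '-A'
    rules are kept; each option is stored under its name without dashes, with
    the following token as value (or True for flags such as --syn)."""
    rules = defaultdict(list)
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chain, args = tokens[1], tokens[2:]
            opts, i = {}, 0
            while i < len(args):
                name = args[i].lstrip("-")
                if i + 1 < len(args) and not args[i + 1].startswith("-"):
                    opts[name] = args[i + 1]
                    i += 2
                else:
                    opts[name] = True
                    i += 1
            rules[table].append((chain, opts))
    return rules


def reachable(rules, table, chain, predicate, _visited=None):
    """True if a rule satisfying predicate sits in `chain` or in any user chain it
    jumps to. Simplification: earlier rules are not evaluated for shadowing."""
    visited = _visited if _visited is not None else set()
    if chain in visited:
        return False
    visited.add(chain)
    for c, opts in rules[table]:
        if c != chain:
            continue
        if predicate(opts):
            return True
        target = opts.get("j")
        if target and target not in TERMINAL_TARGETS:
            if reachable(rules, table, target, predicate, visited):
                return True
    return False


def audit_vpn_server(text, vpn_net="10.0.0.0/24", port="1194"):
    """Check the three points the article calls out, plus that the VPN subnet
    is also accepted on the FORWARD path (needed to reach the LAN behind the server)."""
    rules = parse_iptables_save(text)
    accepts_vpn = lambda o: o.get("s") == vpn_net and o.get("j") == "ACCEPT"
    return {
        "udp_port_open": reachable(rules, "filter", "INPUT", lambda o:
            o.get("p") == "udp" and o.get("dport") == port and o.get("j") == "ACCEPT"),
        "vpn_net_input": reachable(rules, "filter", "INPUT", accepts_vpn),
        "vpn_net_forward": reachable(rules, "filter", "FORWARD", accepts_vpn),
        "vpn_net_snat": any(c == "POSTROUTING" and o.get("s") == vpn_net and o.get("j") == "SNAT"
                            for c, o in rules["nat"]),
    }


if __name__ == "__main__":
    print(audit_vpn_server(SERVER_RULES))
```

Feed it the live output of iptables-save instead of SERVER_RULES to audit a running server; any False in the result points at one of the rules discussed above.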

 

Restart iptables:

# service iptables restart

 

The kernel must also be told to forward packets:
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

Apply the change:

# sysctl -p

 

3) Client configuration

a) Copy the certificates

Copy the client certificate files generated on the server into the client's /etc/openvpn directory.

b) Configure OpenVPN

# vim /etc/openvpn/client.conf
client
dev tun
link-mtu 1300
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
ping 5
ping-restart 30
persist-local-ip
persist-remote-ip
ping-timer-rem
;persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
comp-lzo
status /var/log/openvpn-client-status.log
log /var/log/openvpn-client.log

 

Start OpenVPN:

# service openvpn start

You should now see OpenVPN connect to the server.

 

c) iptables configuration:

# vim /etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.20.0/24 -d 192.168.1.0/24 -j SNAT --to-source 10.0.0.2
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
-A RH-Firewall-1-INPUT -i tun1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.20.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Restart iptables:

# service iptables restart

 

The kernel must also be told to forward packets:
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

Apply the change:

# sysctl -p

 

4) The "Replay-window backtrack occurred" problem

When I first set this up, the configuration files did not contain link-mtu 1300. The VPN worked, but Windows Remote Desktop over it sometimes failed to connect or was very slow. The OpenVPN client log showed errors like these:

Tue May 24 09:37:39 2011 Replay-window backtrack occurred [1]
Tue May 24 09:37:40 2011 Replay-window backtrack occurred [6]

There are two solutions:

I.

Searching turned up that this is probably a fragment-size problem. The OpenVPN options that deal with this are:

link-mtu
mssfix
fragment

In my case, adding link-mtu 1300 was enough.

II.

Switch to TCP.

Error: "Replay-window backtrack occurred"

Sometimes network congestion and latency cause the UDP protocol, most commonly used with OpenVPN, to drop packets and even lose the connection. You will see a 'Replay window backtrack occurred' error in the log if this is occurring. One solution is to switch to the TCP protocol, assuming your server is configured to support a TCP connection.

See the following link:

http://www.personalvpn.org/troubleshoot_openvpn.htm
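To see what the log line means, here is an added Python model of a sequence-number replay window, written for this page rather than taken from OpenVPN: a packet that arrives behind the highest sequence number seen is accepted once if it is still inside the window and not already recorded, and the distance by which it arrived late is the number OpenVPN prints. Lost or fragmented UDP datagrams produce exactly this kind of reordering, which is why link-mtu/mssfix/fragment or switching to TCP change the picture. The window size and the arrival order in the sample are constructed.

```python
class ReplayWindow:
    """Sliding-window replay protection over per-packet sequence numbers, in the
    spirit of OpenVPN's data-channel packet-id check (example code, not OpenVPN's).
    `head` is the highest sequence number accepted so far; bit i of `seen` records
    whether sequence number head - i has already been accepted."""

    def __init__(self, size=64):
        self.size = size          # how far behind the head a packet may still arrive
        self.head = 0             # highest accepted sequence number (0: none yet)
        self.seen = 0             # bitmap of accepted numbers relative to head
        self.max_backtrack = 0    # largest out-of-order distance observed so far

    def check(self, seq):
        """Accept (True) or drop (False) a packet with sequence number seq >= 1."""
        if seq < 1:
            return False
        if seq > self.head:
            # New maximum: slide the window forward and mark seq as seen.
            shift = seq - self.head
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.head = seq
            return True
        diff = self.head - seq
        if diff >= self.size:
            return False          # too old to check against the bitmap: drop
        if (self.seen >> diff) & 1:
            return False          # already accepted once: replay, drop
        # Late but genuine packet (reordering). OpenVPN logs
        # "Replay-window backtrack occurred [n]" when n exceeds the largest
        # distance seen so far, which is why the logged number only grows.
        self.seen |= 1 << diff
        if diff > self.max_backtrack:
            self.max_backtrack = diff
        return True


def simulate(seqs, size=64):
    """Feed a constructed arrival order through one window; return the per-packet
    verdicts and the largest backtrack distance."""
    w = ReplayWindow(size)
    return [w.check(s) for s in seqs], w.max_backtrack


if __name__ == "__main__":
    # Constructed arrival order: packet 4 arrives after 7 (reordered), then 4
    # again (replay), then 3 after 9 (replay), then 1 (beyond the window).
    verdicts, backtrack = simulate([1, 2, 3, 5, 6, 7, 4, 4, 9, 3, 1, 8], size=8)
    print(verdicts, "max backtrack:", backtrack)
```

The backtrack message is therefore informational: the late packet is still accepted. What hurts Remote Desktop is the loss and reordering behind it, not the replay check itself.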

 

Logging in to OpenVPN with User/Pass authentication

The earlier OpenVPN+CA article covered certificate-based (CA) login; see:
http://bbs.chinaunix.net/forum/viewtopic.php?t=503434&show_type=new

This article covers logging in to the VPN with Username/Password authentication. Even with User/Pass login the server still needs a certificate, which makes this kind of VPN somewhat similar to HTTPS on the web (not identical): only the server holds a certificate, the client need not present one of its own, and the client only verifies the server's legitimacy, so the client needs nothing but ca.crt (the root certificate). Of course, since clients are no longer authenticated by certificate, security is necessarily somewhat weaker, but the tedious CA management goes away and we can log in to the VPN with a username and password, which makes it easy to integrate the VPN with a forum, a mail system or another central authentication system and to reuse an existing management interface.

A first introduction to VPNs can be found at the following URL (in English):
http://blog.chinaunix.net/resserver.php?blogId=2389&resource=OpenVPN%20and%20the%20SSL%20VPN%20Revolution.pdf
The original is at:
http://www.giac.org/certified_professionals/practicals/gsec/3985.php
The sentence I found most meaningful in it: A VPN is a site-to-site tunnel. Let me say that one more time, a VPN is a site-to-site tunnel.
That paper describes OpenVPN 1.x, briefly covers some new features of OpenVPN 2.x, and also gives a short overview of other VPNs and of VPN products and software built on different approaches; it is well worth reading when you have time.

A more down-to-earth description of a VPN, from the OpenVPN FAQ:
Imagine you had a direct physical wire (i.e. a long cable) connecting two computers (A and B) at different locations. On each computer there would be a /dev/longcable which would be a network device. You could route IP traffic over it, and do everything you could normally do with a network device.

Now on to installing and configuring the VPN:

Environment:
OS: FC2 (sitting at the company's network edge, acting as router or NAT device)
eth0: 61.1.1.2 (external address, directly connected to the Internet)
eth1: 192.168.0.1 (internal address, connected to the company LAN; assume the company uses 192.168.0.0/22, i.e. four class C ranges)

Client hardware and network environment:
OS: mostly Windows 2000/XP, some Linux (the configuration file is the same for both)
Single NIC, no fixed IP address

Goal:
VPN clients can log in to the VPN with User/Pass from anywhere and reach internal resources.

Server configuration

First check that the pam-devel package is installed; if not, install it from the installation media
[root@vpn ~]# rpm -qa | grep pam
pam_smb-1.1.7-3.1
pam-0.77-40
pam_krb5-2.0.10-1
pam-devel-0.77-40
[root@vpn ~]#

Check that MySQL is installed and confirm the mysql-devel package is present; if not, install it from the installation media
[root@vpn ~]# rpm -qa | grep mysql
mysql-3.23.58-9
mysql-server-3.23.58-9
mysql-devel-3.23.58-9
[root@vpn ~]#

Check whether the lzo packages are installed; if not, they can be found at http://rpmfind.net
[root@vpn ~]# rpm -qa | grep lzo
[root@vpn ~]# wget
[root@vpn ~]# rpm -ivh lzo-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# wget
[root@vpn ~]# rpm -ivh lzo-devel-1.08-3.1.fc2.dag.i386.rpm
[root@vpn ~]# rpm -qa | grep lzo
lzo-devel-1.08-3.1.fc2.dag
lzo-1.08-3.1.fc2.dag
[root@vpn ~]#

Now build and install OpenVPN
[root@vpn ~]# wget http://mesh.dl.sourceforge.net/sourceforge/openvpn/openvpn-2.0_rc16.tar.gz
[root@vpn ~]# rpmbuild -tb openvpn-2.0_rc16.tar.gz
[root@vpn ~]# cd /usr/src/redhat/RPMS/i386/
[root@vpn /usr/src/redhat/RPMS/i386]# rpm -ivh openvpn-2.0_rc16-1.i386.rpm

To use OpenVPN's PAM authentication plugin we install pam_mysql, which keeps the user data in a MySQL database; for other databases look for the corresponding PAM module
[root@vpn ~]# wget http://internap.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.5.tar.gz
[root@vpn ~]# tar -zxvf pam_mysql-0.5.tar.gz
[root@vpn ~]# cd pam_mysql
[root@vpn ~]# make
[root@vpn ~]# cp pam_mysql.so /lib/security/

Configure the database
Log in to the database as the administrator:
mysql> create database vpn;
mysql> GRANT ALL ON vpn.* TO vpn@localhost IDENTIFIED BY 'vpn123';
mysql> flush privileges;
mysql> use vpn;
mysql> CREATE TABLE vpnuser (
   ->   name char(20) NOT NULL,
   ->   password char(128) default NULL,
   ->   active int(10) NOT NULL DEFAULT 1,
   ->   PRIMARY KEY (name)
   -> );
mysql> insert into vpnuser (name,password) values('elm',password('elm'));

#Create the vpn user with full privileges on the vpn database, password vpn123
#If active is not 1 the user may not use the VPN
#Add a user: username elm, password elm

Configure the pam_mysql module
Create the file /etc/pam.d/openvpn with the following content:
===================CUT Here================
auth    sufficient      pam_mysql.so                    user=vpn passwd=vpn123 host=localhost db=vpn
       table=vpnuser usercolumn=name passwdcolumn=password
       where=active=1 sqllog=0 crypt=2
account required        pam_mysql.so                    user=vpn passwd=vpn123 host=localhost db=vpn
       table=vpnuser usercolumn=name passwdcolumn=password
       where=active=1 sqllog=0 crypt=2
==================Cut Here=================
crypt(0) - Used to decide to use MySQL's PASSWORD() function or crypt()
           0 = No encryption. Passwords in database in plaintext. NOT recommended!
           1 = Use crypt
           2 = Use MySQL PASSWORD() function
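What crypt=2 means in practice, and how the where=active=1 clause gates logins, as an added Python model that is not pam_mysql's code: mysql_password reproduces MySQL's PASSWORD() function in its 4.1+ form (the MySQL 3.23 on this page used an older hash; the code states that assumption), and pam_mysql_auth performs the lookup the PAM configuration above describes against a constructed in-memory copy of the vpnuser table.

```python
import hashlib
import hmac
import sqlite3


def mysql_password(plaintext):
    """MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex SHA1(SHA1(plaintext)).
    Assumption: the article's MySQL 3.23 used the older 16-hex-digit hash; the
    4.1 format is modelled here because that is what later servers produce."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def build_vpnuser_db():
    """Constructed copy of the vpnuser table above with two users: elm (active)
    and an 'old' account switched off by setting active to 0."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vpnuser (name TEXT PRIMARY KEY, password TEXT, "
                 "active INTEGER NOT NULL DEFAULT 1)")
    conn.execute("INSERT INTO vpnuser (name, password) VALUES (?, ?)",
                 ("elm", mysql_password("elm")))
    conn.execute("INSERT INTO vpnuser (name, password, active) VALUES (?, ?, 0)",
                 ("old", mysql_password("old")))
    conn.commit()
    return conn


def pam_mysql_auth(conn, user, candidate, crypt=2):
    """Model of the pam_mysql lookup configured in /etc/pam.d/openvpn above:
    SELECT passwdcolumn FROM table WHERE usercolumn = ? AND <where clause>,
    then compare according to crypt= (0: plaintext column, 2: PASSWORD()).
    crypt=1 (Unix crypt(3)) is left out of this example."""
    row = conn.execute("SELECT password FROM vpnuser WHERE name = ? AND active = 1",
                       (user,)).fetchone()
    if row is None:
        return False                      # unknown or deactivated user
    if crypt == 0:
        expected = candidate              # plaintext column: never recommended
    elif crypt == 2:
        expected = mysql_password(candidate)
    else:
        raise ValueError("crypt mode not modelled here")
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(row[0].encode(), expected.encode())


if __name__ == "__main__":
    db = build_vpnuser_db()
    print(mysql_password("elm"))
    print(pam_mysql_auth(db, "elm", "elm"), pam_mysql_auth(db, "elm", "wrong"),
          pam_mysql_auth(db, "old", "old"))
```

Two caveats follow from the model: PASSWORD() is unsalted, so two users with the same password get identical rows, and /etc/pam.d/openvpn holds the database password vpn123 in clear text, so its file permissions deserve the same care as the keys directory.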

Now test whether pam_mysql works. First check that saslauthd is installed:
[root@vpn ~]# rpm -qa | grep sasl
cyrus-sasl-plain-2.1.18-2
cyrus-sasl-md5-2.1.18-2
cyrus-sasl-devel-2.1.18-2
cyrus-sasl-2.1.18-2
[root@vpn ~]#

Having cyrus-sasl-2.1.18-2 should be enough; install the package if it is missing. You can also skip it and test another way.

[root@vpn ~]# saslauthd -a pam
[root@vpn ~]# testsaslauthd -u elm -p elm -s openvpn
0: OK "Success."
[root@vpn ~]#

Congratulations, pam_mysql is working; now we can configure the OpenVPN server.

Configure the VPN server:
[root@vpn /usr/src/redhat/RPMS/i386]# cd
[root@vpn ~]# cp -r /usr/share/openvpn/easy-rsa/ /etc/openvpn/
[root@vpn ~]# cd /etc/openvpn/easy-rsa/
[root@vpn /etc/openvpn/easy-rsa]# vi vars
Edit the vars file
-----------------------------------------
# Your country, 2 characters
export KEY_COUNTRY=CN
# Your province
export KEY_PROVINCE=Liaoning
# Your city
export KEY_CITY=Shenyang
# Your organization
export KEY_ORG="ELM OpenVPN ORG"
# Your e-mail address
export KEY_EMAIL="elm@elm.freetcp.com"
-----------------------------------------

#Load the modified environment variables

[root@vpn /etc/openvpn/easy-rsa]# . vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

#Initialize the keys directory

[root@vpn /etc/openvpn/easy-rsa]# ./clean-all

#Generate the root CA certificate, used to sign the server and client certificates. Protect the keys/ca.key file.

[root@vpn /etc/openvpn/easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
……………………++++++
………….++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: #press Enter if nothing needs changing
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) []: OpenVPN Service
Common Name (eg, your name or your server's hostname) []:OpenVPN Root CA
Email Address [elm@elm.freetcp.com]:

#List the generated keys

[root@vpn /etc/openvpn/easy-rsa]# ls keys
ca.crt ca.key index.txt serial

#ca.crt and ca.key have been generated.
#Next we generate the Diffie-Hellman parameters for the server,
#a file the TLS server needs

[root@vpn /etc/openvpn/easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+……………………………………………………..+……………..
……………………………………………+….+……..+………+…….
………………………………………+.+……………………………..
………………………………………………………………………..
……………………………………..+………………………………..
.+……………………………+………….+……………………………
…………………………………………+…………………………….
…………………+………………………..++*++*++*

#Create and sign the certificate used by the VPN server
# 'server' is the base name of the created files, server.crt and server.key

[root@vpn /etc/openvpn/easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
………………….++++++
……………++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) []:OpenVPN Service
Common Name (eg, your name or your server's hostname) []:Server No.1
Email Address [elm@elm.freetcp.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Liaoning'
localityName :PRINTABLE:'Shenyang'
organizationName :PRINTABLE:'ELM OpenVPN ORG'
organizationalUnitName:PRINTABLE:'OpenVPN Service'
commonName :PRINTABLE:'Server No.1'
emailAddress :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb 26 14:43:44 2015 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

#To guard against malicious attacks (such as DoS and UDP port flooding) we generate an "HMAC firewall" key

[root@vpn /etc/openvpn/easy-rsa]# openvpn --genkey --secret keys/ta.key

#The server's configuration file server.conf
----------------CUT Here-------------
port 1194
;proto tcp
proto udp
;dev tap
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log         /var/log/openvpn.log
;log-append  openvpn.log
verb 4
;mute 20
--------------Cut Here-----------------

;client-to-client #uncomment this line if clients should be able to see each other; otherwise clients cannot reach one another
;duplicate-cn  #whether one user may be logged in several times at once; uncomment to allow the same username to log in more than once
plugin ./openvpn-auth-pam.so openvpn #the plugin to use; openvpn is the plugin's argument, the PAM service name
client-cert-not-required #do not request a client certificate; authenticate with User/Pass
username-as-common-name #use the UserName supplied by the client as the Common Name

Save server.conf to the /etc/openvpn directory and copy the keys generated by the easy-rsa scripts into /etc/openvpn as well, with the following commands:
[root@vpn /etc/openvpn/easy-rsa]# cp keys/ca.crt ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/server.crt ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/server.key ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/dh1024.pem ../
[root@vpn /etc/openvpn/easy-rsa]# cp keys/ta.key ../
[root@vpn /etc/openvpn/easy-rsa]# cp /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so ../

#Start openvpn now
[root@vpn /etc/openvpn/easy-rsa]# /etc/init.d/openvpn start

#Next, the client configuration file client.conf:
#On Linux or Unix the extension .conf is used, on Windows .ovpn. Copy the required files ca.crt and ta.key into the directory holding the configuration file
-------------Cut Here---------------------
client
;dev tap
dev tun
;proto tcp
proto udp
remote 61.1.1.2 1194
;remote my-server-2 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
ns-cert-type server
tls-auth ta.key 1
route 192.168.0.0 255.255.252.0
comp-lzo
verb 4
;mute 20
------------Cut Here-----------------------

auth-user-pass #prompt for username and password

Installing OpenVPN on a Linux client works the same way; only the configuration file and the keys differ. Copy client.conf, ca.crt and ta.key into /etc/openvpn and the VPN can be started.
On Windows there is the OpenVPN-GUI program with a graphical interface; download it from http://openvpn.se

A TUN device is used here, mainly because of the large number of clients and the efficiency and broadcast concerns. Since the clients may be Windows systems, and on Windows a TUN device gets a /30 address, 3 addresses per client are wasted, which is why the address pool is set fairly large.

Each time you log in to the VPN the program will ask for your username and password; once they are entered correctly the VPN connects,
and after that all traffic to the internal network (192.168.0.0/22) goes through the VPN.
If there are many Windows clients, you can try bundling ca.crt, ta.key and client.ovpn into the installer package; see:

http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html

and then distribute that package. Take good care of the ta.key file (it is what guards against DoS attacks).

#First enable IP forwarding in the kernel
[root@vpn /etc]# vi sysctl.conf
Change it to:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

#The iptables configuration file (note: the two "--sport 123" and "--sport 53" ACCEPT rules below admit any UDP packet whose source port is 123 or 53, and a remote sender chooses its source port freely; the RELATED,ESTABLISHED rule already covers genuine NTP and DNS replies)
[root@vpn /etc/sysconfig]# cat iptables
# Generated by iptables-save v1.2.1a on Tue Nov  6 19:50:51 2001
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/255.255.252.0 -o eth0 -j SNAT --to-source 61.1.1.2
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK - [0:0]
:ANTIVIRUS - [0:0]
# block internal ip address
-A INPUT -i lo -j ACCEPT
-A INPUT -j BLOCK
-A INPUT -j ANTIVIRUS

-A BLOCK -s 192.168.0.0/16 -d 0/0 -j RETURN
-A BLOCK -s 172.16.0.0/12 -d 0/0 -j REJECT
-A BLOCK -s 10.0.0.0/8 -d 0/0 -j RETURN
-A BLOCK -s 127.0.0.0/8 -d 0/0 -j REJECT
-A BLOCK -s 0.0.0.0/8 -d 0/0 -j REJECT
-A BLOCK -s 169.254.0.0/16 -d 0/0 -j REJECT
-A BLOCK -s 192.0.2.0/24 -d 0/0 -j REJECT
-A BLOCK -s 204.152.64.0/23 -d 0/0 -j REJECT
-A BLOCK -s 224.0.0.0/3 -d 0/0 -j REJECT

-A INPUT -p icmp -j ACCEPT

# OSPFD
-A INPUT -d 224.0.0.0/24 -j ACCEPT

# sync time
-A INPUT -p udp -m udp --sport 123 -j ACCEPT

# accept dns
-A INPUT -p udp -m udp --sport 53 -j ACCEPT

# accept ssh from any
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

# accept dhcp request
-A INPUT -p udp -m udp --dport 67 -j ACCEPT

# OpenVPN 1194_UDP
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT

# www
-A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT

# keep stats
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

# Reject all packet to me
-A INPUT -p tcp -m tcp --syn -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j REJECT

-A FORWARD -j ANTIVIRUS

-A ANTIVIRUS -p tcp -m tcp --dport 135:139 -j DROP
-A ANTIVIRUS -p tcp -m tcp --dport 445 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 69 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 135:139 -j DROP
-A ANTIVIRUS -p udp -m udp --dport 1434 -j DROP

COMMIT
[root@vpn /etc/sysconfig]#

This article was written by me from my own experiments and typed in word by word; if you repost it, please credit the source. Thank you.

pptpd+radius+mysql installation guide (part 3: the MySQL part)

2006.02.10 by i_amok

1. Required software: nothing extra.

You only need to provide the MySQL database. The schema is in

src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql in the freeradius source tree

Just create a database; on my own machine I created one named radius

and imported that schema into it.

2. Configure sql.conf

Go back to the freeradius configuration directory from before

cd /usr/local/freeradius-1.1.0/etc/raddb
vi sql.conf

Change the connection settings

        # Connect info
        server = "192.168.8.53"
        login = "radius"
        password = "radius"

        # Database table configuration
        radius_db = "radius"

Remove the # in front of the simul... line below;
this enables the query that tests how many connections a user has open at once

        # Uncomment simul_count_query to enable simultaneous use checking
        simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

3. Configure radiusd.conf

In authorize {
comment out files
and uncomment sql

In preacct {
comment out files

In accounting {
comment out radutmp
and remove the # in front of sql

In session {
comment out radutmp
and remove the # in front of sql

In post-auth {
remove the # in front of sql

In short: disable the files module and enable the sql module

4. Add a user in the database

In usergroup add a user test with group name vpn

In radgroupcheck add a record for group vpn with
attribute Simultaneous-Use
op :=
value 1

In radcheck add
username test
attribute User-Password
op ==
value test

This adds a user test in group vpn with password test,
and every user in that group may be logged in only once per username at a time

5. Testing
Start radiusd in debug mode

You will see

[root@kdfng raddb]# ../../sbin/radiusd -x
Starting – reading configuration files …
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@192.168.8.53:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded detail
Module: Instantiated detail (detail)
Initializing the thread pool…
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

Now log in as user test.

You will see

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=222, length=146
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "test"
        MS-CHAP-Challenge = 0xb6a9e94b94c3c386875043efd5144e17
        MS-CHAP2-Response = 0x38006d78036bb5e40ddeca0ce96b944619e000000000000000007b887b8762be38eb111a94a4b581925b85e07453a38a070f
        Calling-Station-Id = "192.168.8.53"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
Sending Access-Accept of id 222 to 127.0.0.1 port 32768
        MS-CHAP2-Success = 0x38533d33453434464142394232444230413143464539453832444536453534373331383833454238414536
        MS-MPPE-Recv-Key = 0x53a3812a0fd5b6f7b1cf4f6f6796f26b
        MS-MPPE-Send-Key = 0xb8be60559cbc46fd4da277516d6584f3
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x00000004
rad_recv: Accounting-Request packet from host 127.0.0.1:32768, id=223, length=110
        Acct-Session-Id = "43EC0822056A00"
        User-Name = "test"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "192.168.8.53"
        Acct-Authentic = RADIUS
        NAS-Port-Type = Async
        Framed-IP-Address = 10.10.110.1
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Acct-Delay-Time = 0
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
Sending Accounting-Response of id 223 to 127.0.0.1 port 32768

If you change Simultaneous-Use to 0

you will see

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=225, length=146
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "test"
        MS-CHAP-Challenge = 0x2295d4d65913cbc0a7836e986fe4a998
        MS-CHAP2-Response = 0x34001739a3331c1a1a938eed99cda89b691f0000000000000000a8a9e9ae2eadaa6b1acb93e368113dc4ed47dac0a20b1ed8
        Calling-Station-Id = "192.168.8.53"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=225, length=146
Sending Access-Reject of id 225 to 127.0.0.1 port 32768
        Reply-Message := "rnYou are already logged in – access deniedrnn"

It reports that the user is already logged in, so the option is in effect.
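The records from step 4 and the two outcomes in the logs above (an Access-Accept for test, then "You are already logged in" once the limit is reached) can be walked through with the following added Python model, which is not FreeRADIUS code: an in-memory SQLite copy of the relevant radcheck, usergroup, radgroupcheck and radacct columns, the simul_count_query from sql.conf, and a simplified authorize/session check. The column subset, the session id and the rejection text are constructed to match the walkthrough.

```python
import sqlite3

# Constructed subset of FreeRADIUS 1.x's db_mysql.sql schema: only the columns
# this walkthrough touches. AcctStopTime stays 0 while a session is open,
# matching the "AND AcctStopTime = 0" in simul_count_query above.
SCHEMA = """
CREATE TABLE radcheck (UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radacct (AcctSessionId TEXT, UserName TEXT, AcctStopTime INTEGER DEFAULT 0);
"""


def build_radius_db():
    """The records step 4 above adds: user test in group vpn, password test,
    Simultaneous-Use := 1 on the group."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO usergroup VALUES ('test', 'vpn')")
    conn.execute("INSERT INTO radgroupcheck VALUES ('vpn', 'Simultaneous-Use', ':=', '1')")
    conn.execute("INSERT INTO radcheck VALUES ('test', 'User-Password', '==', 'test')")
    conn.commit()
    return conn


def active_sessions(conn, user):
    """The simul_count_query from sql.conf, run against our radacct table."""
    return conn.execute("SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
                        (user,)).fetchone()[0]


def access_request(conn, user, password):
    """Simplified model of the authorize + session checks rlm_sql performs:
    radcheck items must match, then group items are applied; a Simultaneous-Use
    limit rejects the request when the open-session count already reaches it.
    Returns (accept, reply_message)."""
    checks = conn.execute("SELECT Attribute, op, Value FROM radcheck WHERE UserName = ?",
                          (user,)).fetchall()
    if not checks:
        return False, "unknown user"
    for attribute, op, value in checks:
        if attribute == "User-Password" and op == "==" and value != password:
            return False, "wrong password"
    group_items = conn.execute(
        "SELECT g.Attribute, g.op, g.Value FROM radgroupcheck g "
        "JOIN usergroup u ON u.GroupName = g.GroupName WHERE u.UserName = ?", (user,)).fetchall()
    for attribute, op, value in group_items:
        if attribute == "Simultaneous-Use" and active_sessions(conn, user) >= int(value):
            return False, "You are already logged in - access denied"
    return True, "Access-Accept"


def accounting_start(conn, user, session_id):
    """Accounting-Request Start: record an open session (AcctStopTime stays 0)."""
    conn.execute("INSERT INTO radacct (AcctSessionId, UserName) VALUES (?, ?)", (session_id, user))
    conn.commit()


def accounting_stop(conn, session_id, stop_time=1):
    """Accounting-Request Stop: close the session so it no longer counts."""
    conn.execute("UPDATE radacct SET AcctStopTime = ? WHERE AcctSessionId = ?", (stop_time, session_id))
    conn.commit()


def set_simultaneous_use(conn, group, limit):
    conn.execute("UPDATE radgroupcheck SET Value = ? WHERE GroupName = ? AND Attribute = 'Simultaneous-Use'",
                 (str(limit), group))
    conn.commit()


if __name__ == "__main__":
    db = build_radius_db()
    print(access_request(db, "test", "test"))        # first login: accepted
    accounting_start(db, "test", "43EC0822056A00")  # pptpd sends Accounting Start
    print(access_request(db, "test", "test"))        # second login while open: rejected
    set_simultaneous_use(db, "vpn", 0)
    print(access_request(db, "test", "test"))        # limit 0: rejected in this model
```

Because the count comes from radacct rows whose AcctStopTime is still 0, a NAS that dies without sending Accounting Stop leaves the user locked out until those rows are closed; that is the same mechanism that makes the Simultaneous-Use 0 experiment above reject the login.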

Also, I am looking for someone who reads Russian to help me look at this:

FreeNIBS

FreeNIBS is a loadable plugin for the FreeRADIUS radius server. FreeNIBS provides authorization, authentication, and accounting for dial-in (PPP/PPPOE/PPTP) users. It can be used for real-time prepaid and postpaid billing. FreeNIBS can bill users based on service accuration, time, traffic, and both time and traffic. FreeNIBS has very flexible settings for groups, users, and prices. All data is stored in SQL databases such as MySQL, PgSQL, and Oracle.

It only has a Russian manual, which I just cannot read; even the configuration file is in Russian...

Adding it would make time and traffic limits possible.

pptpd+radius+mysql installation guide (part 2: the radius part)

2006.02.10 by i_amok

1. Required software

freeradius

Some configuration files for the radius plugin module from the original pppd source directory.

2. Preparation for installing freeradius

Install mysql-devel.i386

yum install mysql-devel.i386

3. Install freeradius

http://www.freeradius.org

Download the source; I tested with freeradius-1.1.0

Install it with an explicit install prefix

./configure --prefix=/usr/local/freeradius-1.1.0
make
make install

4. Configure pppd to support radius

4.1 Copy files

Copy the following directory from the pppd source tree to /etc/radiusclient/

cp -R ppp-2.4.4b1/pppd/plugins/radius/etc /etc/radiusclient/

4.2 Change the settings in options.pptpd

In /etc/ppp/options.pptpd

add

plugin /usr/local/lib/pppd/2.4.4b1/radius.so

4.3 Configure servers and radiusclient.conf in /etc/radiusclient

In servers you need to add the address and secret of a radiusd

[root@kdfng radiusclient]# cat servers
#Server Name or Client/Server pair              Key
#----------------                               ---------------
#portmaster.elemental.net                       hardlyasecret
#portmaster2.elemental.net                      donttellanyone
localhost       netdragon

Here localhost means your radiusd runs on this machine, and the secret used to reach it is netdragon

In radiusclient.conf

# service. if this fails also a compiled in default is used.
authserver      localhost:1812

# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.
#
acctserver      localhost:1813

Confirm that these also point to the local machine; the default is local, so usually nothing needs changing.
Also make sure that every radiusclient-related path in this file starts with /etc/radiusclient.

5. Configure freeradius

cd /usr/local/freeradius-1.1.0/etc/raddb

The raddb directory holds all the freeradius configuration files

5.1 Edit clients.conf

Some background: every NAS is a client of radiusd, and here the NAS is pptpd, so this file controls pptpd's access to radiusd.

client 127.0.0.1      {
                        secret = netdragon
                        shortname = iamok
                        nastype     = other
                        }

Change the 127.0.0.1 section to look like the above. The secret is the one we set in servers under /etc/radiusclient; the two must match

5.2 Add a user at the top of the users file

ww Auth-Type:= MS-CHAP, User-Password=="ww", Simultaneous-Use:=1
          Service-Type = Framed-User,
          Framed-Protocol = PPP,
          Framed-IP-Address = 255.255.255.254,
          Framed-IP-Netmask = 255.255.255.0

To explain: ww is the username
Auth-Type is the authentication type
the second ww is the password
Simultaneous-Use is how many simultaneous logins this username may have

All of these are check attributes and must be written on the first line.
Starting from the second line, each line begins with a tab; these are the reply attributes the server returns to the radius client (that is, to pptpd).
Setting the IP address to 255.255.255.254 means the IP address assignment is left to the radius client, i.e. to pptpd.
The last one is the netmask.
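A parser for the users-file entry format just described, as an added Python example (not FreeRADIUS's own parser): check items on the first line, reply items on the indented continuation lines, operators such as := and == told apart, and a simplified match that returns the config items (Auth-Type, Simultaneous-Use) and reply items for a request. SAMPLE_USERS is a constructed copy of the entry above.

```python
import re

# Constructed copy of the entry added to the users file above (check items on
# the first line, reply items on tab-indented continuation lines).
SAMPLE_USERS = (
    'ww Auth-Type:= MS-CHAP, User-Password=="ww", Simultaneous-Use:=1\n'
    '\tService-Type = Framed-User,\n'
    '\tFramed-Protocol = PPP,\n'
    '\tFramed-IP-Address = 255.255.255.254,\n'
    '\tFramed-IP-Netmask = 255.255.255.0\n'
)

# attribute, operator (longest first so ':=' wins over '='), quoted or bare value
ITEM_RE = re.compile(
    r'\s*([A-Za-z][\w-]*)\s*(:=|==|!=|>=|<=|=~|!~|=\*|!\*|=|<|>)\s*("([^"]*)"|[^,\s]+)\s*,?')


def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attribute, op, value) triples."""
    items, pos = [], 0
    text = text.strip()
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item at: {text[pos:]!r}")
        attribute, op, raw, quoted = m.groups()
        items.append((attribute, op, quoted if quoted is not None else raw))
        pos = m.end()
    return items


def parse_users(text):
    """Parse users-file entries: a line starting in column 0 names the user and
    carries the check items; indented lines carry the reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0], "check": parse_items(rest), "reply": []})
        elif entries:
            entries[-1]["reply"].extend(parse_items(line))
    return entries


def match_entry(entry, request):
    """Evaluate an entry against a request's attributes. '==' items must equal the
    request value, '!=' must differ, ':=' items become server-side config items
    (Auth-Type, Simultaneous-Use). Returns (matched, config, reply). Real
    FreeRADIUS treats User-Password specially for MS-CHAP; this model compares
    it directly."""
    config = {}
    for attribute, op, value in entry["check"]:
        if op == "==" and request.get(attribute) != value:
            return False, {}, []
        if op == "!=" and request.get(attribute) == value:
            return False, {}, []
        if op == ":=":
            config[attribute] = value
    return True, config, entry["reply"]


if __name__ == "__main__":
    entries = parse_users(SAMPLE_USERS)
    print(entries[0]["check"])
    print(match_entry(entries[0], {"User-Name": "ww", "User-Password": "ww"}))
    print(match_entry(entries[0], {"User-Name": "ww", "User-Password": "nope"})[0])
```

The split between the two item kinds is the point of the format: a check item written on a reply line is silently sent to the NAS as an attribute, and a reply item on the first line is treated as a condition, so a misplaced Simultaneous-Use never limits anything.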

5.3 Run radiusd in debug mode

../../sbin/radiusd -x

You will see

Starting – reading configuration files …
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool…
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

6. Testing

Create a new VPN connection

username ww, password ww

then dial

If it succeeds you will see

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=214, length=144
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "ww"
        MS-CHAP-Challenge = 0x729e2492953298b498a766e778defe74
        MS-CHAP2-Response = 0xfc00475dd294431a52ee1187d13127c3bf49000000000000000043aad8bb5cd6f5ece16ddae9d20c63d857836053b2197144
        Calling-Station-Id = "192.168.8.53"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Sending Access-Accept of id 214 to 127.0.0.1 port 32768
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.0
        MS-CHAP2-Success = 0xfc533d31303637323037453037384244433138333441303536434337433044373046363942414446343039
        MS-MPPE-Recv-Key = 0x0211fcb6f599479e8ee0a7d8a16a3252
        MS-MPPE-Send-Key = 0x91242cedc84a2dc69355c56951119065
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x00000004
rad_recv: Accounting-Request packet from host 127.0.0.1:32768, id=215, length=108
        Acct-Session-Id = "43EBFF39048300"
        User-Name = "ww"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "192.168.8.53"
        Acct-Authentic = RADIUS
        NAS-Port-Type = Async
        Framed-IP-Address = 10.10.110.1
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Acct-Delay-Time = 0
Sending Accounting-Response of id 215 to 127.0.0.1 port 32768这样pptp+radius的部分就完成了,下面一部分是对radiusd增加mysql的支持

Press Ctrl+C to quit radiusd.
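As an added example (not code from the original post), this Python script parses radiusd debug output of the shape shown above and checks each Access-Accept for what the PPTP side actually needs: both MS-MPPE session keys, MS-MPPE-Encryption-Policy = 2 (Encryption-Required) and the 128-bit bit (0x4) in MS-MPPE-Encryption-Types, as defined in RFC 2548. The sample text is constructed from the output above and trimmed to the relevant attributes.

```python
import re

# Constructed sample, cut down from the radiusd debug output shown above.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=214, length=144
        Service-Type = Framed-User
        User-Name = "ww"
Sending Access-Accept of id 214 to 127.0.0.1 port 32768
        Framed-IP-Address = 255.255.255.254
        MS-MPPE-Recv-Key = 0x0211fcb6f599479e8ee0a7d8a16a3252
        MS-MPPE-Send-Key = 0x91242cedc84a2dc69355c56951119065
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x00000004
rad_recv: Accounting-Request packet from host 127.0.0.1:32768, id=215, length=108
        User-Name = "ww"
        Acct-Status-Type = Start
Sending Accounting-Response of id 215 to 127.0.0.1 port 32768
"""

# Both header forms yield group(1) = packet code, group(2) = packet id.
RECV = re.compile(r"^rad_recv: (\S+) packet from host \S+, id=(\d+)")
SEND = re.compile(r"^Sending (\S+) of id (\d+) to ")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")

def parse_packets(text):
    """Turn radiusd debug output into a list of (code, id, {attr: value})."""
    packets = []
    for line in text.splitlines():
        m = RECV.match(line) or SEND.match(line)
        if m:
            packets.append((m.group(1), int(m.group(2)), {}))
        elif packets and (m := ATTR.match(line)):
            packets[-1][2][m.group(1)] = m.group(2).strip('"')
    return packets

def audit_accepts(text):
    """For every Access-Accept, report missing MPPE keys or a weak encryption policy.
    RFC 2548: Encryption-Policy 2 = Encryption-Required, Encryption-Types bit 0x4 = 128-bit."""
    packets = parse_packets(text)
    requests = {pid: a for code, pid, a in packets if code == "Access-Request"}
    results = []
    for code, pid, a in packets:
        if code != "Access-Accept":
            continue
        problems = ["missing " + k for k in ("MS-MPPE-Send-Key", "MS-MPPE-Recv-Key") if k not in a]
        if int(a.get("MS-MPPE-Encryption-Policy", "0"), 16) != 2:
            problems.append("encryption not required")
        if not int(a.get("MS-MPPE-Encryption-Types", "0"), 16) & 0x4:
            problems.append("128-bit MPPE not offered")
        user = requests.get(pid, {}).get("User-Name", "?")
        results.append({"id": pid, "user": user, "problems": problems})
    return results
```

Run it against a saved `radiusd -X` capture instead of SAMPLE; an empty `problems` list for each id means the server is handing pppd what `require-mppe-128` expects.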

1. Software you need
It is best to upgrade the kernel to 2.6.
If you are a CentOS user, you can upgrade to the latest CentOS 4.2 with yum update.
The kernel is upgraded so that a kernel module adding MPPE support can be installed later; PPTP dial-in needs that support.

pppd         the PPP dial-up server
pptpd        adds PPTP support on top of pppd dial-up
freeradius   authenticates the dial-up users
mysql        adds database support to freeradius

2. Check whether your kernel supports MPPE

modprobe ppp-compress-18 && echo ok

If it prints ok, congratulations: your kernel already has MPPE support. Skip to part 4.

3. Upgrade the kernel for MPPE support

http://sourceforge.net/project/showfiles.php?group_id=44827

Go to the URL above and download these two RPM packages:

dkms-2.0.6-1.noarch.rpm 
kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm 

dkms is a newer tool that lets you add kernel modules without recompiling the kernel.
kernel_ppp_mppe is the kernel module that provides MPPE support.

Once that is done, reboot your system.

4. Install pppd

http://www.samba.org/ppp

Download the latest ppp package from the URL above; when I tested, it was ppp-2.4.4b1.
Build it the usual way: configure, make, make install.
Because the new version no longer copies the sample configuration files, run make install-etcppp to install them.

5. Install pptpd

http://poptop.sourceforge.net/

Download the latest pptpd package from the URL above; when I tested, it was pptpd-1.2.3.

Again the usual way: configure, make, make install.

6. Configure pppd and pptpd

pppd's default configuration files live in /etc/ppp.

pptpd's configuration file is /etc/pptpd.conf.

The relationship between pptpd and pppd is roughly that pptpd is a plug-in for pppd.

6.1
Only a few settings in /etc/pptpd.conf need to be configured.

First, make sure the following is set:

ppp  /usr/local/sbin/pppd

This tells pptpd where the pppd binary is.

option /etc/ppp/options.pptpd

This names the pppd options file that pptpd uses.

localip 192.168.8.22
remoteip 10.10.110.1-100

localip is the IP on which pptpd serves clients, i.e. the IP the clients dial.
remoteip is the range of IPs the server assigns to dial-in users; a dash denotes a range.

6.2
Configure /etc/ppp/options.pptpd

For testing, enable debug and dump:

# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
dump

By default the messages are written to /var/log/messages.

6.3
Edit /etc/ppp/chap-secrets

Add a test user:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
"iamok" pptpd   "iamok" *

The first iamok is the username, the second iamok is the password, and * means any IP.
pptpd must match the name pptpd in /etc/ppp/options.pptpd; it normally needs no change, since here we are only
testing whether pptpd works.

7. Test your pptpd

With a default installation you can just type pptpd from any directory.

If it starts successfully, you will see this in /var/log/messages:

Feb 10 09:51:46 kdfng pptpd[926]: MGR: Manager process started
Feb 10 09:51:46 kdfng pptpd[926]: MGR: Maximum of 100 connections available

Then, on any Windows 2000 system, create a VPN connection of PPTP type with the username set above; you should be able to dial in,
and the client's IP will be the one you configured above.

Now check the log file again:

Feb 10 09:54:53 kdfng pptpd[937]: MGR: Manager process started
Feb 10 09:54:53 kdfng pptpd[937]: MGR: Maximum of 100 connections available
Feb 10 09:55:06 kdfng pptpd[939]: CTRL: Client 192.168.8.53 control connection started
Feb 10 09:55:06 kdfng pptpd[939]: CTRL: Starting call (launching pppd, opening GRE)
Feb 10 09:55:06 kdfng pppd[940]: pppd options in effect:
Feb 10 09:55:06 kdfng pppd[940]: debug          # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: nologfd                # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: dump           # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: require-mschap-v2              # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-pap             # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-chap            # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-mschap          # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: name pptpd             # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: 115200         # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: lock           # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: local          # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: ipparam 192.168.8.53           # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: 192.168.8.22:10.10.110.1               # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: nobsdcomp              # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: require-mppe-128               # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: pppd 2.4.4b1 started by root, uid 0
Feb 10 09:55:06 kdfng pppd[940]: Using interface ppp0
Feb 10 09:55:06 kdfng pppd[940]: Connect: ppp0 <--> /dev/pts/1
Feb 10 09:55:06 kdfng pptpd[939]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Feb 10 09:55:06 kdfng pppd[940]: MPPE 128-bit stateless compression enabled
Feb 10 09:55:08 kdfng pppd[940]: local  IP address 192.168.8.22
Feb 10 09:55:08 kdfng pppd[940]: remote IP address 10.10.110.1
Feb 10 09:55:17 kdfng pppd[940]: LCP terminated by peer (^Z^HEO^@<M-Mt^@^@^@^@)
Feb 10 09:55:17 kdfng pppd[940]: Connect time 0.2 minutes.
Feb 10 09:55:17 kdfng pppd[940]: Sent 0 bytes, received 3492 bytes.
Feb 10 09:55:17 kdfng pppd[940]: Modem hangup
Feb 10 09:55:17 kdfng pppd[940]: Connection terminated.
Feb 10 09:55:17 kdfng pppd[940]: Exit.
Feb 10 09:55:17 kdfng pptpd[939]: CTRL: Client 192.168.8.53 control connection finished

Your pptpd is now configured.
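The `pppd options in effect` dump above is the quickest place to confirm that the authentication and encryption settings from options.pptpd really took effect. As an added example (not the author's code), this Python script parses those syslog lines per pppd process, reports any of the `require-mschap-v2`, `require-mppe-128`, `refuse-pap`, `refuse-chap`, `refuse-mschap` options that are missing, and flags `debug`/`dump`, which the text enables for testing only; the sample log is constructed from the lines shown above.

```python
import re

# Constructed sample in the shape of the /var/log/messages excerpt above.
SAMPLE_LOG = """\
Feb 10 09:55:06 kdfng pptpd[939]: CTRL: Starting call (launching pppd, opening GRE)
Feb 10 09:55:06 kdfng pppd[940]: pppd options in effect:
Feb 10 09:55:06 kdfng pppd[940]: debug          # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: dump           # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: require-mschap-v2              # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-pap             # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-chap            # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: refuse-mschap          # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: name pptpd             # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: 192.168.8.22:10.10.110.1               # (from command line)
Feb 10 09:55:06 kdfng pppd[940]: require-mppe-128               # (from /etc/ppp/options.pptpd)
Feb 10 09:55:06 kdfng pppd[940]: pppd 2.4.4b1 started by root, uid 0
Feb 10 09:55:06 kdfng pppd[940]: MPPE 128-bit stateless compression enabled
"""

# pid, option keyword, optional single argument, and the "(from ...)" source.
OPTION_LINE = re.compile(r"pppd\[(\d+)\]: (\S+)(?: (\S+))?\s+# \(from (.+)\)$")

# Options the options.pptpd above relies on for authentication and encryption.
REQUIRED = {"require-mschap-v2", "require-mppe-128", "refuse-pap", "refuse-chap", "refuse-mschap"}
# Enabled in the text for testing only; noisy once the server is in service.
DEBUG_ONLY = {"debug", "dump"}

def options_in_effect(log):
    """Map pppd pid -> {option: source file} from the 'options in effect' dump."""
    per_pid = {}
    for line in log.splitlines():
        m = OPTION_LINE.search(line)
        if m:
            per_pid.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(4)
    return per_pid

def check_policy(log):
    """Per pppd pid: required options missing, debug options still on, MPPE actually up."""
    report = {}
    for pid, opts in options_in_effect(log).items():
        report[pid] = {
            "missing": sorted(REQUIRED - set(opts)),
            "debug_on": sorted(DEBUG_ONLY & set(opts)),
            "mppe_negotiated": f"pppd[{pid}]: MPPE 128-bit" in log,
        }
    return report
```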