VPN

PPTP

The Point-to-Point Tunneling Protocol (PPTP) lets you stand up your own VPN very quickly, and it is supported natively by most mobile devices. PPTP is less secure than OpenVPN, but it is also faster and uses fewer CPU resources.

Set up PPTP VPN

  1. Pick one server to be responsible for handing out IPs to the others and for authenticating all of your servers into the VPN. This becomes your PPTP server.
  2. Edit /etc/pptpd.conf (see "man pptpd.conf" for details) and add the following lines:
    localip 10.0.0.1
    remoteip 10.0.0.100-200
    
    Here localip is the IP address of your server and remoteip is the range of IPs that will be assigned to clients connecting to it.
  3. Add users and passwords to /etc/ppp/chap-secrets. Each line has four fields: client is the username, server is the type of service (pptpd in our example), secret is the password, and IP addresses specifies which IP address may authenticate with this pair. Setting '*' in the IP addresses field accepts the username/password pair from any IP.
  4. Add DNS servers to /etc/ppp/pptpd-options ("man pppd" lists the options) so that Windows clients receive primary and secondary DNS servers:
    ms-dns 8.8.8.8
    ms-dns 8.8.4.4
    
  5. Now you can start PPTP daemon: service pptpd restart.
  6. It is important to enable IP forwarding on your PPTP server. This lets it forward packets between the public IP and the private IPs you set up with PPTP. Edit /etc/sysctl.conf and add the following line if it isn't there already: net.ipv4.ip_forward = 1. To activate the change, run sysctl -p.
  7. Create a NAT rule for iptables: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save
  8. If you would also like your PPTP clients to talk to each other, add the following iptables rules (Arch wiki ref.):
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
    iptables -A FORWARD -i eth0 -j ACCEPT
    
    # The following from Arch Wiki.
    # Accept all packets via ppp* interfaces (for example, ppp0)
    iptables -A INPUT -i ppp+ -j ACCEPT
    iptables -A OUTPUT -o ppp+ -j ACCEPT
    
    # Accept incoming connections to port 1723 (PPTP)
    iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    
    # Accept GRE packets
    iptables -A INPUT -p 47 -j ACCEPT
    iptables -A OUTPUT -p 47 -j ACCEPT
    
    # Enable IP forwarding
    iptables -F FORWARD
    iptables -A FORWARD -j ACCEPT
    
    # Enable NAT for eth0 and ppp* interfaces
    iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    iptables -A POSTROUTING -t nat -o ppp+ -j MASQUERADE
    
    # Clamp the MSS of SYN packets from the client range to the path MTU (an address range needs the iprange match; a bare "-s a.b.c.d-e" is not valid iptables syntax)
    sudo iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -m iprange --src-range 192.168.200.2-192.168.200.100 -j TCPMSS --clamp-mss-to-pmtu
    
    Now your PPTP server also acts as a router.
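As an added example (not part of these notes), a small POSIX shell script that checks the files touched in steps 2, 3 and 6 before pptpd is started; it runs here against constructed sample files with placeholder secrets, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes: pre-flight checks for the
# PPTP server files from steps 2, 3 and 6. Each function takes a file path,
# so it can be pointed at the real /etc files or at the samples built below.

# Step 2: pptpd.conf must define both localip and remoteip.
pptpd_conf_ok() {
    grep -Eq '^[[:space:]]*localip[[:space:]]+[0-9.]+' "$1" &&
    grep -Eq '^[[:space:]]*remoteip[[:space:]]+[0-9.-]+' "$1"
}

# Step 3: chap-secrets lines are "client server secret IP". Count the entries
# whose IP field is '*', i.e. the username/password pair is accepted from any
# address; comment and blank lines are skipped.
chap_wildcard_count() {
    awk '!/^[[:space:]]*(#|$)/ && NF >= 4 && $4 == "*" { n++ } END { print n + 0 }' "$1"
}

# Step 3: client/server pairs listed more than once (ambiguous entries worth
# cleaning up before relying on them).
chap_duplicate_users() {
    awk '!/^[[:space:]]*(#|$)/ && NF >= 3 { k = $1 " " $2; c[k]++ }
         END { for (k in c) if (c[k] > 1) print k }' "$1"
}

# Step 6: forwarding must be enabled or the VPN routes nothing.
ip_forward_ok() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Constructed sample files (placeholder secrets, not real credentials).
SAMPLE_DIR=$(mktemp -d)
printf 'localip 10.0.0.1\nremoteip 10.0.0.100-200\n' > "$SAMPLE_DIR/pptpd.conf"
cat > "$SAMPLE_DIR/chap-secrets" <<'EOF'
# client  server  secret          IP addresses
box1      pptpd   "PLACEHOLDER1"  *
box2      pptpd   "PLACEHOLDER2"  10.0.0.101
box1      pptpd   "PLACEHOLDER3"  *
EOF
printf 'net.ipv4.ip_forward = 1\n' > "$SAMPLE_DIR/sysctl.conf"

pptpd_conf_ok "$SAMPLE_DIR/pptpd.conf" && echo "pptpd.conf: localip and remoteip present"
echo "chap-secrets entries accepted from any IP: $(chap_wildcard_count "$SAMPLE_DIR/chap-secrets")"
echo "duplicate client/server pairs: $(chap_duplicate_users "$SAMPLE_DIR/chap-secrets")"
ip_forward_ok "$SAMPLE_DIR/sysctl.conf" && echo "net.ipv4.ip_forward = 1 set"
```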

Ref. http://www.linuxyan.com/linux-service/64.html (SNAT variant for a fixed public IP; the option is --to-source):
    sudo iptables -t nat -A POSTROUTING -s 192.168.200.0/24 ! -d 192.168.200.0/24 -j SNAT --to-source 54.169.32.81

Client setup

  1. On your client servers, install the PPTP client and load the MPPE kernel module:
    # Install PPTP client:
    yum -y install pptp
    # Add necessary Kernel module
    modprobe ppp_mppe
    
  2. Create a new file /etc/ppp/peers/pptpserver and add the following lines, replacing name and password with your own values:
    pty "pptp 198.211.104.17 --nolaunchpppd"
    name box1
    password 24oiunOi24
    remotename PPTP
    require-mppe-128
    
  3. Dial the connection, referring to the peers file by name (we called ours pptpserver): pppd call pptpserver.
  4. On your PPTP client, set up routing to your private network via the ppp0 interface: ip route add 10.0.0.0/8 dev ppp0.
Your interface ppp0 should come up on PPTP client. Now you can ping your PPTP server and any other clients that are connected to this network.

OpenVPN

Set up CA (Certificate Authority)

Establish PKI (public key infrastructure), which consists of

Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).

easy-rsa

For PKI management we will use easy-rsa, a set of scripts bundled with OpenVPN 2.2.x and earlier. If you're using OpenVPN 2.3.x, you need to download easy-rsa separately.

# On CA:
./easyrsa init-pki
./easyrsa build-ca

# On the system that is requesting a certificate
./easyrsa init-pki
./easyrsa gen-req EntityName
# Req file will be in pki/reqs, and key in pki/private.

# Transport the request (.req file) to the CA system and import it.
./easyrsa import-req /tmp/path/to/import.req EntityName

# The CA signs the request as the correct type. This example uses the client type:
./easyrsa sign-req client EntityName
# Other types are: server, ca. See easyrsa3/x509-types/.
# Signed crt will be in pki/issued.

# Transport the newly signed certificate to the requesting entity. This entity may also need the CA cert.
# The entity now has its own keypair, and signed cert, and the CA.

DH

After initializing a PKI, any entity that needs DH params can create them; normally only a TLS server does. While the CA's PKI can generate them, it makes more sense to do it on the server itself, which avoids sending the files to another system afterwards.
DH params can be generated with:

./easyrsa gen-dh
# Usually generated as pki/dh.pem.

Showing details of requests or certs

To show the details of a request or certificate by referencing the short EntityName, use one of the following commands. It is an error to call these without a matching file.

./easyrsa show-req EntityName
./easyrsa show-cert EntityName

Changing private key passphrases

RSA and EC private keys can be re-encrypted with a new passphrase using one of the following commands, depending on the key type:

./easyrsa set-rsa-pass EntityName
./easyrsa set-ec-pass EntityName

Config

The example OpenVPN configs are under /usr/share/doc/openvpn/sample/sample-config-files; server.conf is a good starting point.

server.conf

client.conf

Bridging vs Routing

In short, routing is more efficient and more scalable and allows better tuning of the MTU, but broadcast traffic does not traverse a routed VPN.

Logging in ppp/pptpd

Enable pptpd logging:
Edit /etc/pptpd.conf
Remove the # in front of debug, or add a debug line.

Separate the pptp log:
Edit /etc/syslog.conf
daemon.*            /var/log/ppp.log

Run: service syslog restart

By default pptpd writes to the system log, /var/log/syslog. Add the following line to /etc/ppp/options to enable a separate log file:
logfile /var/log/ppp.log
Note that pptpd will still write to the system log.
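An added example, not part of the original notes: once the pppd/pptpd messages land in /var/log/ppp.log, a couple of shell functions can tally control connections per client IP and failed CHAP authentications per user. The log lines are constructed for this example and the function names are mine; the message texts assume pptpd's "CTRL: Client <ip> control connection started" and pppd's "CHAP peer authentication failed for remote host <user>" wording.

```shell
#!/bin/sh
# Added example, not part of the original notes: tally pptpd control
# connections per client IP and failed CHAP authentications per user from a
# ppp.log produced by the syslog rule above. The log lines below are
# constructed; the message texts assume pptpd's "CTRL: Client <ip> control
# connection started" and pppd's "CHAP peer authentication failed for remote
# host <user>" wording.

# "<count> <ip>" for every client IP that opened a control connection, busiest first.
ctrl_starts_per_ip() {
    awk '/pptpd\[[0-9]+\]: CTRL: Client [0-9.]+ control connection started/ {
             for (i = 1; i <= NF; i++) if ($i == "Client") c[$(i + 1)]++ }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# "<count> <user>" for every username that failed CHAP, most failures first.
chap_failures_per_user() {
    awk '/pppd\[[0-9]+\]: CHAP peer authentication failed for remote host / { c[$NF]++ }
         END { for (u in c) print c[u], u }' "$1" | sort -rn
}

# Client IPs with at least $2 control connections: repeated attempts worth a look.
noisy_ips() {
    ctrl_starts_per_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Constructed sample log (documentation IP ranges, made-up usernames).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 vpn pptpd[2101]: CTRL: Client 203.0.113.7 control connection started
Mar  3 10:00:02 vpn pppd[2102]: CHAP peer authentication failed for remote host box9
Mar  3 10:00:02 vpn pptpd[2101]: CTRL: Client 203.0.113.7 control connection finished
Mar  3 10:00:05 vpn pptpd[2103]: CTRL: Client 203.0.113.7 control connection started
Mar  3 10:00:06 vpn pppd[2104]: CHAP peer authentication failed for remote host box9
Mar  3 10:00:06 vpn pptpd[2103]: CTRL: Client 203.0.113.7 control connection finished
Mar  3 10:00:30 vpn pptpd[2110]: CTRL: Client 198.51.100.4 control connection started
Mar  3 10:00:31 vpn pppd[2111]: CHAP peer authentication succeeded for box1
EOF

echo "control connections per client IP:"; ctrl_starts_per_ip "$SAMPLE_LOG"
echo "failed CHAP authentications per user:"; chap_failures_per_user "$SAMPLE_LOG"
echo "IPs with 2 or more attempts: $(noisy_ips "$SAMPLE_LOG" 2)"
```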

Further SNAT examples (SNAT takes --to-source; an address range needs the iprange match):
    sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.31.14.215
    sudo iptables -t nat -A POSTROUTING -p all -o eth0 -s 172.16.0.0/24 -j SNAT --to-source $ETH0IP

Suppose I have three machines: one can reach the Internet, the other two cannot. The machines without Internet access can be masqueraded behind the IP of the machine that has it:
    iptables -t nat -I POSTROUTING 1 -j SNAT -s 192.168.10.0/24 --to-source 192.168.10.108
    iptables -t nat -I POSTROUTING 1 -j SNAT -m iprange --src-range 192.168.200.101-192.168.200.200 --to-source 172.31.14.215

The 192.168.10.0/24 range cannot reach the Internet; the .108 machine can.