亲测在Vultr
和UltraVPS
的Ubuntu 14.04 LTS
成功搭建L2TP
的VPN
。
本方法使用Linux自带的账户认证作为L2TP
的认证。用户名默认为vpn_user
,密码在脚本执行过程中,由执行者手动设定密码;PSK
为psk
,开机自动启动。
本脚本必须使用root
账户执行。
@H_
403_28@
#!/bin/bash
if [[
$EUID -ne 0 ]];
then
echo 'Error:This script must be run as root!'
exit 1
fi
apt-get install -y openswan xl2tpd ppp lsof vim rng-tools curl
SERVERIP=`curl
-s -
4 icanhazip.com`
iptables -t nat -A POSTROUTING -j SNAT --to-source
$SERVERIP -o eth0
echo 'net.ipv4.ip_forward = 1' | tee
-a /etc/sysctl.conf
echo 'net.ipv4.conf.all.accept_redirects = 0' | tee
-a /etc/sysctl.conf
echo 'net.ipv4.conf.all.send_redirects = 0' | tee
-a /etc/sysctl.conf
echo 'net.ipv4.conf.default.rp_filter = 0' | tee
-a /etc/sysctl.conf
echo 'net.ipv4.conf.default.accept_source_route = 0' | tee
-a /etc/sysctl.conf
echo 'net.ipv4.conf.default.send_redirects = 0' | tee
-a /etc/sysctl.conf
echo 'net.ipv4.icmp_ignore_bogus_error_responses = 1' | tee
-a /etc/sysctl.conf
for vpn
in /proc/sys/net/ipv4/conf/*;
do echo 0 >
$vpn/accept_redirects;
echo 0 >
$vpn/send_redirects;
done
sysctl -p
cp /etc/rc.local{,.bak}
sed -i
'/exit 0/d' /etc/rc.local
cat >> /etc/rc.local<<EOF
for vpn
in /proc/sys/net/ipv4/conf/*;
do echo 0 >
$vpn/accept_redirects;
echo 0 >
$vpn/send_redirects;
done
iptables -t nat -A POSTROUTING -j SNAT --to-source
$SERVERIP -o eth0
exit 0
EOF
cp /etc/ipsec.conf{,.bak}
cat >/etc/ipsec.conf <<EOF
version
2
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:
10.0.
0.0/
8,%v4:
192.168.
0.0/
16,%v4:
172.16.
0.0/
12,%v6:fd00::/
8,%v6:fe80::/
10
protostack=netkey
force_keepalive=yes
keep_alive=
60
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=
3
ikelifetime=
8h
keylife=
1h
ike=aes256-sha1,aes128-sha1,
3des-sha1
phase2alg=aes256-sha1,
3des-sha1
type=transport
left=
$SERVERIP
leftprotoport=
17/
1701
right=%any
rightprotoport=
17/%any
dpddelay=
10
dpdtimeout=
20
dpdaction=clear
EOF
cp /etc/ipsec.secrets{,.bak}
cat >/etc/ipsec.secrets <<EOF
$SERVERIP %any: PSK
'psk'
EOF
ipsec verify
cp /etc/xl2tpd/xl2tpd.conf{,.bak}
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[global]
ipsec saref = yes
saref refinfo =
30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default]
ip range =
172.16.
1.30-
172.16.
1.100
local ip =
172.16.
1.1
require authentication = yes
unix authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
cp /etc/ppp/options.xl2tpd{,.bak}
cat >/etc/ppp/options.xl2tpd <<EOF
ms-dns
8.8.
8.8
ms-dns
8.8.
4.4
auth
mtu
1200
mru
1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval
30
lcp-echo-failure
4
login
EOF
cp /etc/pam.d/ppp{,.bak}
sed -i
'/^auth/c\ auth required pam_nologin.so\ auth required pam_unix.so\ account required pam_unix.so\ session required pam_unix.so ' /etc/pam.d/ppp
cp /etc/ppp/pap-secrets{,.bak}
cat >>/etc/ppp/pap-secrets <<EOF
* l2tpd
'' *
EOF
useradd vpn_user
echo -n
'set password for [vpn_user]:'
passwd vpn_user
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
echo 'IP:' $SERVERIP
echo 'UserName(set by useradd vpn_user): vpn_user'
echo 'PSK(set by /etc/ipsec.secrets): psk'
exit 0