文章介绍：使用 Ubuntu 22.04 部署 L2TP Server，用于爱快软路由拨号。
一、更新系统软件包
# Refresh the apt package index before installing anything.
sudo apt update
二、安装必要依赖
# xl2tpd: L2TP daemon; ppp: PPP for the tunnel sessions; strongswan: IPsec;
# iptables-persistent: saves/restores the NAT rules added in section 八.
sudo apt install xl2tpd ppp strongswan iptables-persistent -y
三、修改IPSec配置
# Open the strongswan config; replace its contents with the block below.
sudo nano /etc/ipsec.conf
# /etc/ipsec.conf — strongswan (IKEv1 + PSK) half of the L2TP/IPsec server.
# NOTE(review): in the real file every parameter line must be indented under
# its `config setup` / `conn` heading; the flat layout here is the article's
# formatting.
config setup
# Level 4 is the most verbose charon setting and can write sensitive material
# (keys, decrypted payloads) to the journal — lower it (e.g. to 1) once the
# tunnel works.
charondebug="ike 4, cfg 4, net 4, enc 4, lib 4, knl 4"
# Let several clients hold SAs under the same identity (they all use %any + one PSK).
uniqueids=no
strictcrlpolicy=no
conn %default
# Strict proposal lists (trailing "!"). 3des, sha1 and modp1024 are legacy
# suites — presumably kept for older clients; trim to the aes256/modp2048
# entries if the iKuai client negotiates those. TODO confirm.
ike=aes256-sha1-modp2048,aes256-sha1-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,aes128-sha1,3des-sha1!
# L2TP/IPsec clients speak IKEv1 main mode with transport-mode ESP.
keyexchange=ikev1
rekey=no
# Keep aggressive mode off: with PSK it hands an offline-crackable hash to
# unauthenticated peers.
aggressive=no
fragmentation=yes
# Always UDP-encapsulate ESP; needed for clients behind NAT.
forceencaps=yes
# Dead-peer detection: probe every 30 s, clear the SA after 120 s of silence.
dpddelay=30
dpdtimeout=120
dpdaction=clear
conn l2tp-psk
# Load the connection and wait for clients to initiate.
auto=add
authby=secret
type=transport
left=0.0.0.0
# Protect only L2TP (UDP 1701) on our side; the client may use any source port.
leftprotoport=udp/1701
right=%any
rightprotoport=udp/%any
leftauth=psk
rightauth=psk
ikelifetime=24h
keylife=8h
# 0 is commonly used to mean "retry indefinitely" — TODO confirm for this version.
keyingtries=0
四、修改共享密钥
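# Edit the PSK file, then make sure only root can read it — the same
# protection section 七 gives /etc/ppp/chap-secrets. The PSK is the only
# thing gating the IPsec phase, so a readable copy defeats it.
sudo nano /etc/ipsec.secrets
sudo chmod 600 /etc/ipsec.secrets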
# /etc/ipsec.secrets — one PSK shared by every client (%any %any = any local
# and any remote identity). Replace the sample value with a long random
# secret (e.g. from `openssl rand -base64 32`) and keep the file root-only
# (0600): anyone holding this PSK can complete the IPsec phase and reach
# the L2TP daemon.
%any %any : PSK "Adc@12345"
五、修改L2TP配置
# Open the xl2tpd config; replace its contents with the block below.
sudo nano /etc/xl2tpd/xl2tpd.conf
; /etc/xl2tpd/xl2tpd.conf — L2TP network server riding on the IPsec transport SA.
[global]
; NOTE(review): saref needs kernel/IPsec-stack support that stock Ubuntu with
; strongswan usually does not provide; if xl2tpd logs saref errors, set this to no.
ipsec saref = yes
; Binds UDP 1701 on every interface. Nothing here ties it to IPsec, so once the
; host firewall is disabled (section 十) bare, unencrypted L2TP is reachable
; too — consider an iptables rule with `-m policy --dir in --pol ipsec` on
; 1701 so only IPsec-decapsulated packets are accepted.
listen-addr = 0.0.0.0
[lns default]
; Pool for clients that have no fixed address in chap-secrets.
ip range = 100.64.0.2-100.64.0.254
; Server-side end of each PPP link.
local ip = 100.64.0.1
; Demand CHAP and refuse PAP so passwords never cross the link in clear.
require chap = yes
refuse pap = yes
require authentication = yes
; Must match the server column in /etc/ppp/chap-secrets.
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
六、修改PPP配置
# Open the pppd options file used by xl2tpd; replace its contents with the block below.
sudo nano /etc/ppp/options.xl2tpd
# /etc/ppp/options.xl2tpd — pppd options applied to every L2TP session.
# Clients must authenticate with MS-CHAPv2. Its own strength is limited, so
# the IPsec layer is what actually protects this exchange.
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
# Resolvers pushed to clients (public DNS); change if an internal resolver is wanted.
ms-dns 8.8.8.8
ms-dns 1.1.1.1
asyncmap 0
auth
crtscts
lock
# Keep the peer's password out of pppd's log output.
hide-password
modem
# Answer ARP for client addresses so the local network can reach them.
proxyarp
# Drop a session after 4 unanswered LCP echoes sent 30 s apart.
lcp-echo-interval 30
lcp-echo-failure 4
七、创建用户分配固定IP
7.1、创建用户名密码文件
# Create the secrets file, lock it to root before any password lands in it,
# then open it for editing.
sudo touch /etc/ppp/chap-secrets \
  && sudo chmod 600 /etc/ppp/chap-secrets \
  && sudo nano /etc/ppp/chap-secrets
# /etc/ppp/chap-secrets — columns: client  server  secret  fixed-IP
# "server" must equal `name = l2tpd` in xl2tpd.conf; the fixed IP is what the
# SNAT rules in section 八 key on. Every account below shares one password —
# give each account its own secret so a single leaked credential does not
# open every fixed address (and its public SNAT mapping).
l2tp002 l2tpd l2tp@vpn 100.64.0.2
l2tp003 l2tpd l2tp@vpn 100.64.0.3
l2tp004 l2tpd l2tp@vpn 100.64.0.4
l2tp005 l2tpd l2tp@vpn 100.64.0.5
l2tp006 l2tpd l2tp@vpn 100.64.0.6
l2tp007 l2tpd l2tp@vpn 100.64.0.7
l2tp008 l2tpd l2tp@vpn 100.64.0.8
l2tp009 l2tpd l2tp@vpn 100.64.0.9
l2tp010 l2tpd l2tp@vpn 100.64.0.10
l2tp011 l2tpd l2tp@vpn 100.64.0.11
7.2、格式化用户密码文件（将空格替换为制表符）
# Turn the single spaces above into tabs. pppd splits chap-secrets on any
# whitespace, so this is cosmetic — and it also rewrites spaces inside a
# quoted secret, so keep passwords free of spaces (or skip this step).
sudo sed -i 's/ /\t/g' /etc/ppp/chap-secrets
八、配置SNAT规则
8.1、执行一对一NAT
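# One SNAT rule per fixed client address, keyed on the address chap-secrets
# assigns to that account. Two clients share each public address, so this is
# many-to-one rather than 1:1. A rule is appended only when `iptables -C`
# reports it missing, so re-running this block does not pile up duplicates.
# assumes the WAN interface is eth0 — TODO confirm with `ip -br link`
wan_if=eth0
declare -A snat_map=(
  [100.64.0.2]=22.176.141.4
  [100.64.0.3]=22.176.141.4
  [100.64.0.4]=22.176.141.5
  [100.64.0.5]=22.176.141.5
  [100.64.0.6]=22.176.141.6
  [100.64.0.7]=22.176.141.6
  [100.64.0.8]=22.176.141.7
  [100.64.0.9]=22.176.141.7
  [100.64.0.10]=22.176.141.8
  [100.64.0.11]=22.176.141.8
)
for client_ip in "${!snat_map[@]}"; do
  rule=(-s "$client_ip" -o "$wan_if" -j SNAT --to-source "${snat_map[$client_ip]}")
  # -C exits non-zero (and prints an error) when the rule is absent; quiet that.
  sudo iptables -t nat -C POSTROUTING "${rule[@]}" 2>/dev/null \
    || sudo iptables -t nat -A POSTROUTING "${rule[@]}"
done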
8.2、保存NAT配置
# Write the current rules to /etc/iptables/ so iptables-persistent restores them at boot.
sudo netfilter-persistent save
8.3、查看NAT规则
# List the POSTROUTING chain numerically to confirm one SNAT rule per client address.
sudo iptables -t nat -L POSTROUTING -n
九、启动IP转发
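# Persist IPv4 forwarding (needed to route client traffic out the WAN
# interface) and apply it now. Guarding the append keeps repeated runs from
# stacking identical lines in sysctl.conf.
grep -qxF 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
  || echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf >/dev/null
sudo sysctl -p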
十、关闭防火墙
# Turning ufw off removes the host firewall entirely: bare (non-IPsec) L2TP
# can then reach UDP 1701 and every other listening service is exposed. A
# narrower option is to keep ufw on, allow UDP 500 and 4500 (IKE / NAT-T) and
# 1701, and set DEFAULT_FORWARD_POLICY to ACCEPT for the VPN subnet — the
# forward policy is presumably why it is disabled here; confirm before changing.
sudo ufw disable
十一、服务配置
11.1、开机自启动
# Start both daemons at boot. strongswan-starter is the unit that reads
# /etc/ipsec.conf (the legacy "ipsec" interface) on Ubuntu 22.04.
sudo systemctl enable strongswan-starter
sudo systemctl enable xl2tpd
11.2、停止服务
# Stop both so the configuration written above is picked up on the next start.
sudo systemctl stop strongswan-starter
sudo systemctl stop xl2tpd
11.3、启动服务
# Bring IPsec up first, then the L2TP daemon. The 3 s pause is a fixed guess —
# presumably to let strongswan finish loading ipsec.conf; a short retry loop on
# `systemctl is-active --quiet strongswan-starter`, or an After= dependency in
# an xl2tpd unit drop-in, would be more reliable.
sudo systemctl start strongswan-starter
sleep 3
sudo systemctl start xl2tpd