I'm mix3, and every week I look forward to this season's band anime SHOW BY ROCK!!.
Building a VPN on CentOS6/7
I've tried to set up a VPN several times before; each time it wouldn't work and I gave up. This time it somehow succeeded, so I'm writing it down before I forget.
I built a VPN on a Sakura VPS using openswan (for CentOS6) / libreswan (for CentOS7) for IPsec and xl2tpd for L2TP.
Sites I referenced
- CLCL / CentOS6-L2TP-IPsec.md - Gist
- One-shot setup with a script! Build an L2TP/IPSec VPN that iPhone/Android/Mac/Windows can connect to - [email protected]
- CentOS7: drop PPTP and switch to L2TP/IPSec - とりあえずメモ
- ipsec - A VPN server on Linux - Qiita
- CentOS7 Part 4: A Linux router built with firewalld for the first time – CLARA ONLINE techblog
- etc...
For the configuration I used the script from "One-shot setup with a script! Build an L2TP/IPSec VPN that iPhone/Android/Mac/Windows can connect to - [email protected]" almost entirely as-is.
Below are the points I got stuck on.
VPN passthrough or IPsec passthrough
This is probably why I had always failed until now: the broadband router has to be configured so that the VPN traffic can get through NAT. Routers usually provide this as a setting called "VPN passthrough" or "IPsec passthrough", and it has to be enabled.
When NAT traversal fails, the connection never reaches the server, so not a single log line is produced and I was at a loss; this time I was glad to finally notice that it was being stopped at the router.
The openswan you get from yum on CentOS6 is an old version
Depending on the openswan version, there seems to be a problem connecting from MacOSX.
So I needed to update openswan to the latest version, roughly like this:
$ wget https://download.openswan.org/openswan/openswan-latest.tar.gz -O /tmp/openswan-latest.tar.gz
$ mkdir /tmp/openswan-latest
$ tar xzf /tmp/openswan-latest.tar.gz -C /tmp/openswan-latest --strip=1
$ cd /tmp/openswan-latest
$ make programs
$ make install
With libreswan on CentOS7 there didn't seem to be any such problem.
The name in the confs has to match
/etc/ppp/options.xl2tpd
name xl2tpd
/etc/xl2tpd/xl2tpd.conf
name = LinuxVPNserver
/etc/ipsec.d/default.secrets
"hoge001" "xl2tpd" "hoge##123" *
"hoge002" "xl2tpd" "hoge##456" *
Unless I changed the place in these settings that said LinuxVPNserver to xl2tpd so the names matched, the connection wouldn't work. (It kind of feels like that's just how it's supposed to be.)
CentOS7 kernel settings
On CentOS7 the kernel parameters seem to be configured by placing a file under /etc/sysctl.d/*.conf, so following "CentOS7: drop PPTP and switch to L2TP/IPSec - とりあえずメモ" I created
/etc/sysctl.d/10-sysctl_ipsec.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
After applying that and running ipsec verify, something like this came out:
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
It says rp_filter should be properly disabled, so:
/etc/sysctl.d/10-sysctl_ipsec.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
After applying that and running ipsec verify, ENABLED still came out, unchanged. Checking the settings, for some reason they hadn't been applied.
$ sysctl -a | grep -e net.ipv4.conf.*send_redirects -e net.ipv4.conf.*accept_redirects -e net.ipv4.conf.*rp_filter | grep -v arp
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 1 <= only this one is wrong
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.send_redirects = 0
It felt like the value was being overwritten, so I googled for a way to find out where and what gets set, and learned that sysctl --system shows it. Trying that gave the following, which made clear that it was being overwritten by /usr/lib/sysctl.d/50-default.conf.
* Applying /usr/lib/sysctl.d/00-system.conf ...
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
kernel.shmmax = 4294967295
kernel.shmall = 268435456
* Applying /etc/sysctl.d/10-sysctl_ipsec.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1 <= overwritten here
net.ipv4.conf.default.accept_source_route = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
There was nothing for it but to mv /etc/sysctl.d/10-sysctl_ipsec.conf /etc/sysctl.d/60-sysctl_ipsec.conf to escape the overwrite, and with that I finally got rid of the ENABLED.
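To see why the 10- file lost and the 60- file wins, here is an added example of my own (not code from the post or from the scripts it references) that replays the sysctl --system ordering against constructed files under a temp directory. It assumes only /etc/sysctl.d and /usr/lib/sysctl.d exist; the other directories the real tool scans are left out.

```shell
#!/bin/sh
# Added example (not from the post): replay the order "sysctl --system" applies
# *.conf files, showing why /etc/sysctl.d/10-sysctl_ipsec.conf loses to
# /usr/lib/sysctl.d/50-default.conf and why renaming it to 60- wins. All files
# live under a constructed temp root; the real system is neither read nor changed.
set -eu
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc/sysctl.d" "$ROOT/usr/lib/sysctl.d"
# Constructed stand-in for the distro-supplied 50-default.conf.
printf 'net.ipv4.conf.default.rp_filter = 1\n' > "$ROOT/usr/lib/sysctl.d/50-default.conf"

# Files in the order sysctl --system applies them: sorted by basename across dirs,
# an /etc file shadowing a /usr/lib file of the same name. (The real tool also scans
# /run/sysctl.d, /usr/local/lib/sysctl.d, /lib/sysctl.d and /etc/sysctl.conf; omitted.)
ordered_conf_files() {
    i=0
    for d in etc/sysctl.d usr/lib/sysctl.d; do
        i=$((i + 1))
        for f in "$ROOT/$d"/*.conf; do
            [ -e "$f" ] || continue      # unmatched glob
            printf '%s %d %s\n' "${f##*/}" "$i" "$f"
        done
    done | sort -k1,1 -k2,2n | awk '!seen[$1]++ { print $3 }'
}

# Value a key ends up with (last assignment wins) plus the file that set it.
effective_value() {  # $1 = sysctl key
    ordered_conf_files | while read -r f; do
        # Drop comments, normalise "key = value" to "key value".
        sed -n 's/[[:space:]]*#.*//; s/^[[:space:]]*\([^=[:space:]]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1 \2/p' "$f" |
            while read -r k v; do
                [ "$k" = "$1" ] || continue
                printf '%s %s\n' "$v" "$f"
            done
    done | tail -n 1
}
# The post's first attempt: 10- sorts before 50-, so 50-default.conf re-sets rp_filter.
rp_filter_with_10() {
    rm -f "$ROOT/etc/sysctl.d/60-sysctl_ipsec.conf"
    printf 'net.ipv4.conf.default.rp_filter = 0\n' > "$ROOT/etc/sysctl.d/10-sysctl_ipsec.conf"
    effective_value net.ipv4.conf.default.rp_filter | cut -d' ' -f1
}
# The post's fix: 60- sorts after 50-, so the 0 is applied last and sticks.
rp_filter_with_60() {
    rm -f "$ROOT/etc/sysctl.d/10-sysctl_ipsec.conf"
    printf 'net.ipv4.conf.default.rp_filter = 0\n' > "$ROOT/etc/sysctl.d/60-sysctl_ipsec.conf"
    effective_value net.ipv4.conf.default.rp_filter | cut -d' ' -f1
}
echo "10-sysctl_ipsec.conf: rp_filter=$(rp_filter_with_10)"   # 1 (clobbered)
echo "60-sysctl_ipsec.conf: rp_filter=$(rp_filter_with_60)"   # 0
```

Dropping the "cut" in effective_value also prints which file made the final assignment, which is the quickest way to find the culprit on a real box.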
On CentOS7 it's firewalld, not iptables
On CentOS7 the firewall is configured with firewalld rather than iptables. The settings needed for IPsec/L2TP seem to be the following:
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-port=1701/udp
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
On CentOS7 it's systemctl COMMAND NAME, not chkconfig or /etc/init.d/NAME COMMAND
Service management has changed on CentOS7, so enabling autostart and starting the services looks like this:
systemctl enable ipsec
systemctl enable xl2tpd
systemctl restart ipsec
systemctl restart xl2tpd
The finished product
One-shot VPN setup script for CentOS7: L2TP_IPSec_vpn_setup_for_centos7.sh
$ curl -L https://gist.githubusercontent.com/mix3/efbaf5cb47946bff6f56/raw/L2TP_IPSec_vpn_setup_for_centos7.sh | bash
or
$ wget https://gist.githubusercontent.com/mix3/efbaf5cb47946bff6f56/raw/L2TP_IPSec_vpn_setup_for_centos7.sh
$ vim L2TP_IPSec_vpn_setup_for_centos7.sh
$ bash L2TP_IPSec_vpn_setup_for_centos7.sh
Doing something like that should build the VPN in one shot, I think.
Public key rather than pre-shared key
I'd like to be able to switch to that, but haven't gotten that far yet.