Today was a study session.
Routerboard Study Session vol.7
An introduction to Routerboard VPN connection settings & let's measure performance!
http://routerboard.connpass.com/event/9791/
I tried to connect a CentOS box on a ConoHa VPS
to a Routerboard over PPTP,
but I ran out of time and couldn't finish,
so I'm jotting it down in my diary, lol
Konoha-chan, seriously Konoha!!
Setting up a PPTP server on ConoHa
# yum update
# yum info pptpd
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: ftp.tsukuba.wide.ad.jp
* epel: ftp.tsukuba.wide.ad.jp
* extras: ftp.tsukuba.wide.ad.jp
* updates: ftp.tsukuba.wide.ad.jp
Installed Packages
Name : pptpd
Arch : x86_64
Version : 1.4.0
Release : 3.el6
Size : 178 k
Repo : installed
From repo : epel
Summary : PoPToP Point to Point Tunneling Server
URL : http://poptop.sourceforge.net/
License : GPLv2+ and LGPLv2+
Description : This implements a Virtual Private Networking Server (VPN) that is
: compatible with Microsoft VPN clients. It allows windows users to
: connect to an internal firewalled network using their dialup.
#
# yum install pptpd
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: ftp.tsukuba.wide.ad.jp
* epel: ftp.tsukuba.wide.ad.jp
* extras: ftp.tsukuba.wide.ad.jp
* updates: ftp.tsukuba.wide.ad.jp
Resolving Dependencies
--> Running transaction check
---> Package pptpd.x86_64 0:1.4.0-3.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================
Installing:
pptpd x86_64 1.4.0-3.el6 epel 75 k
Transaction Summary
========================================================================================================================================================
Install 1 Package(s)
Total download size: 75 k
Installed size: 178 k
Is this ok [y/N]: y
Downloading Packages:
pptpd-1.4.0-3.el6.x86_64.rpm | 75 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : pptpd-1.4.0-3.el6.x86_64 1/1
Verifying : pptpd-1.4.0-3.el6.x86_64 1/1
Installed:
pptpd.x86_64 0:1.4.0-3.el6
Complete!
That's all it takes to install it.
Now for the configuration.
# vi /etc/pptpd.conf
localip 157.7.***.***
remoteip 10.10.10.10-20
localip: set this to ConoHa's global IP address
remoteip: the address pool handed out to clients
Client passwords and the like
# vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret          IP addresses
conoha          *       mikumoconoha    *
Username: conoha
Password: mikumoconoha
(Connections are accepted from anywhere.)
*Added 2015-07-13
About MTU
/etc/ppp/options.pptpd
mtu 1200
mru 1200
Some connections may fail, so try lowering the MTU value (somewhere between 1400 and 1200).
Firewall configuration
The default configuration looks like this
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I'll just write the rules directly into the file.
# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
-A INPUT -p 47 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
This lets TCP 1723 and GRE (protocol number 47) through.
The key point is that these go before the REJECT rule...
Restart iptables
# /etc/init.d/iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
#
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:availant-mgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pptp
ACCEPT     gre  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The rules have been added.
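The "before the REJECT" ordering above, as an added example that is not part of the original post: a POSIX shell script that reads an iptables-save style file (the format of /etc/sysconfig/iptables) and reports whether the TCP 1723 and GRE ACCEPT rules in INPUT precede the catch-all REJECT. The two sample rulesets it checks are constructed for the demo; call check_pptp_rule_order on a real file to check a live host.

```shell
# Added example, not from the original post: check an iptables-save style file
# (e.g. /etc/sysconfig/iptables) for the ordering the post insists on: the ACCEPT
# rules for TCP 1723 and GRE (protocol 47) must sit in INPUT before the catch-all
# REJECT, otherwise they are never reached.

# Prints OK, MISSING: ..., or MISORDERED: ... for the ruleset file given as $1.
check_pptp_rule_order() {
    ruleset="$1"
    # 1-based line numbers of each rule; empty when the rule is absent
    reject_ln=$(grep -n '^-A INPUT .*-j REJECT' "$ruleset" | head -n 1 | cut -d: -f1)
    tcp_ln=$(grep -n '^-A INPUT .*-p tcp .*--dport 1723 .*-j ACCEPT' "$ruleset" | head -n 1 | cut -d: -f1)
    gre_ln=$(grep -nE '^-A INPUT .*-p (47|gre) .*-j ACCEPT' "$ruleset" | head -n 1 | cut -d: -f1)
    [ -n "$tcp_ln" ] || { echo "MISSING: no INPUT ACCEPT for tcp dport 1723"; return 0; }
    [ -n "$gre_ln" ] || { echo "MISSING: no INPUT ACCEPT for GRE (protocol 47)"; return 0; }
    # no REJECT in INPUT: the chain policy decides, so ordering cannot be wrong
    [ -n "$reject_ln" ] || { echo "OK"; return 0; }
    if [ "$tcp_ln" -lt "$reject_ln" ] && [ "$gre_ln" -lt "$reject_ln" ]; then
        echo "OK"
    else
        echo "MISORDERED: PPTP rules (lines $tcp_ln, $gre_ln) come after REJECT (line $reject_ln)"
    fi
}

# Constructed sample rulesets (not from a real host), written to temp files.
write_samples() {
    GOOD_RULES=$(mktemp); BAD_RULES=$(mktemp)
    cat > "$GOOD_RULES" <<'EOF'
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
-A INPUT -p 47 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    # Same rules, but the PPTP lines were appended below the REJECT.
    cat > "$BAD_RULES" <<'EOF'
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
-A INPUT -p 47 -j ACCEPT
COMMIT
EOF
}

write_samples
echo "good ruleset: $(check_pptp_rule_order "$GOOD_RULES")"
echo "bad ruleset:  $(check_pptp_rule_order "$BAD_RULES")"
rm -f "$GOOD_RULES" "$BAD_RULES"
```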
Just in case, let's check packet forwarding as well.
# vi /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
#
# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
Hmm, it's throwing some errors...
Configuring the Routerboard
[admin@MikroTik] > interface pptp-client print detail
Flags: X - disabled, R - running
0 R name="pptp-out1" max-mtu=1450 max-mru=1450 mrru=disabled
connect-to=157.7.***.*** user="conoha" password="mikumoconoha"
profile=default-encryption keepalive-timeout=disabled
add-default-route=no dial-on-demand=no allow=pap,chap,mschap1,mschap2
Hook up several of them and have fun.
Good work, everyone!!
pppd[11639]: Using interface ppp0
pppd[11639]: Connect: ppp0 /dev/pts/2
pppd[11639]: LCP: timeout sending Config-Requests
pppd[11639]: Connection terminated.
pppd[11639]: Modem hangup
pppd[11639]: Exit.
pptpd[11638]: GRE: read(fd=6,buffer=611860,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[11638]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[11638]: CTRL: Client 58.62.94.146 control connection finished
Thank you for the comment.
/etc/ppp/options.pptpd
mtu 1200
mru 1200
Some connections may fail, so try lowering the MTU value (somewhere between 1400 and 1200).