Today was a study meetup.
Routerboard Study Group vol.7
"Introduction to Routerboard VPN settings & let's measure performance!"
http://routerboard.connpass.com/event/9791/
I tried to connect a CentOS box running on a ConoHa VPS
to a Routerboard over PPTP,
but I ran out of time and couldn't finish,
so I'm writing it up in my diary lol
Konoha-chan, you're the best!!
Setting up a PPTP server on ConoHa

# yum update
# yum info pptpd
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: ftp.tsukuba.wide.ad.jp
 * epel: ftp.tsukuba.wide.ad.jp
 * extras: ftp.tsukuba.wide.ad.jp
 * updates: ftp.tsukuba.wide.ad.jp
Installed Packages
Name        : pptpd
Arch        : x86_64
Version     : 1.4.0
Release     : 3.el6
Size        : 178 k
Repo        : installed
From repo   : epel
Summary     : PoPToP Point to Point Tunneling Server
URL         : http://poptop.sourceforge.net/
License     : GPLv2+ and LGPLv2+
Description : This implements a Virtual Private Networking Server (VPN) that is
            : compatible with Microsoft VPN clients. It allows windows users to
            : connect to an internal firewalled network using their dialup.
#
# yum install pptpd
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: ftp.tsukuba.wide.ad.jp
 * epel: ftp.tsukuba.wide.ad.jp
 * extras: ftp.tsukuba.wide.ad.jp
 * updates: ftp.tsukuba.wide.ad.jp
Resolving Dependencies
--> Running transaction check
---> Package pptpd.x86_64 0:1.4.0-3.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================
 Package      Arch         Version            Repository      Size
========================================================================
Installing:
 pptpd        x86_64       1.4.0-3.el6        epel            75 k

Transaction Summary
========================================================================
Install       1 Package(s)

Total download size: 75 k
Installed size: 178 k
Is this ok [y/N]: y
Downloading Packages:
pptpd-1.4.0-3.el6.x86_64.rpm                          |  75 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : pptpd-1.4.0-3.el6.x86_64                                1/1
  Verifying  : pptpd-1.4.0-3.el6.x86_64                                1/1

Installed:
  pptpd.x86_64 0:1.4.0-3.el6

Complete!
That's all it takes to install it.
Now for the configuration.

# vi /etc/pptpd.conf
localip 157.7.***.***
remoteip 10.10.10.10-20

localip ... the ConoHa global IP (the keyword has to be spelled exactly "localip"; pptpd refuses to start on an unknown keyword)
remoteip ... the address pool handed out to clients
Client username and password

# vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
conoha          *       mikumoconoha            *

Username ... conoha
Password ... mikumoconoha
(The "*" in the server column accepts any server name, and the "*" in the last column lets the client take any address from the pool. Nothing in this file restricts where a client may connect from, so anyone with the secret can connect from anywhere. The secret above is a throwaway example; use a long random one, and keep chap-secrets readable by root only, mode 0600.)
*Added 2015-07-13
About MTU

/etc/ppp/options.pptpd
mtu 1200
mru 1200

Some clients may fail to connect with the default values, so try lowering the MTU to somewhere in the 1200 to 1400 range.
Firewall settings

By default it looks like this:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I'll just edit the rules file directly.

# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
-A INPUT -p 47 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

This lets TCP 1723 (the PPTP control connection) and GRE (IP protocol 47, which carries the tunnelled PPP frames) through. Both are needed: with 1723 open but GRE blocked, the client authenticates and then hangs.
The point is to write them before the REJECT line... rules are evaluated top to bottom, and anything placed after the REJECT is never reached.

Restart iptables
# /etc/init.d/iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
#
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:availant-mgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pptp
ACCEPT     gre  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The rules have been added (iptables -L resolves 1723 to its service name, "pptp", and protocol 47 to "gre").

Just in case, let's check IP forwarding too.
# vi /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
#
# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

Something's erroring... The three net.bridge.bridge-nf-call-* keys only exist while the bridge kernel module is loaded, and this VPS has no bridge, so sysctl doesn't know them. The errors are harmless; the line that matters, net.ipv4.ip_forward = 1, was applied.
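To tie the server-side steps together, here is an added example (my own script, not commands from the original post) that renders each file configured above, checks pptpd.conf for unknown keywords such as the "loocalip" typo, and inserts the two firewall rules ahead of the INPUT REJECT rather than after it. The IP address, pool and credentials are placeholder assumptions for the masked and sample values in the post, and the iptables file is a constructed copy of the stock CentOS 6 one; everything works on text and prints the result, so you can review it before copying anything onto the VPS as root.

```shell
#!/bin/sh
# Added example, not code from the original post: build the pptpd server
# configuration described above and place the firewall rules ahead of the
# final INPUT REJECT. Everything here works on text and prints the result,
# so it can be reviewed before being copied onto the VPS as root.
set -eu

# Assumed values standing in for the masked/sample ones in the post.
LOCAL_IP="${LOCAL_IP:-157.7.0.1}"             # the VPS's global IPv4 address
REMOTE_POOL="${REMOTE_POOL:-10.10.10.10-20}"  # addresses handed to PPTP clients
PPTP_USER="${PPTP_USER:-conoha}"
PPTP_SECRET="${PPTP_SECRET:-mikumoconoha}"    # replace before real use

# Accept only a dotted quad whose four octets are all in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Keywords pptpd.conf(5) accepts. A misspelling such as the "loocalip" in the
# post is not one of them, and pptpd refuses to start on it.
PPTPD_KEYWORDS="localip remoteip option listen speed stimeout noipparam debug \
logwtmp bcrelay delegate connections ppp pidfile"

# Read a pptpd.conf on stdin; report the first unknown keyword and exit 1.
lint_pptpd_conf() {
    awk -v known="$PPTPD_KEYWORDS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        !($1 in ok) { print "unknown keyword: " $1; bad = 1; exit }
        END { exit bad }'
}

# /etc/pptpd.conf: refuse to emit anything if localip is not a real address.
render_pptpd_conf() {
    valid_ipv4 "$1" || { echo "render_pptpd_conf: bad localip '$1'" >&2; return 1; }
    printf 'localip %s\nremoteip %s\n' "$1" "$2"
}

# One chap-secrets line: client, server ("*" = any), secret, and the address
# the client may use ("*" = any from remoteip). Keep the file mode 0600; the
# "*" columns do not restrict where the client connects from.
render_chap_secret() {
    printf '%s\t*\t%s\t%s\n' "$1" "$2" "${3:-*}"
}

# Constructed stand-in for the stock CentOS 6 /etc/sysconfig/iptables.
SAMPLE_IPTABLES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Insert the TCP 1723 and GRE rules right before the first INPUT REJECT.
# Appended after it they would never be evaluated, which is the post's point.
insert_pptp_rules() {
    awk '
        /^-A INPUT / && /-j REJECT/ && !done {
            print "-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT"
            print "-A INPUT -p 47 -j ACCEPT"
            done = 1
        }
        { print }'
}

# Exit 0 only if both PPTP ACCEPT rules come before the INPUT REJECT.
# Works on the rules file or on "iptables-save" output (which prints "-p gre").
pptp_rules_ordered() {
    awk '
        /^-A INPUT / && /--dport 1723 / && /-j ACCEPT/ { tcp = NR }
        /^-A INPUT / && /-p (47|gre) / && /-j ACCEPT/ { gre = NR }
        /^-A INPUT / && /-j REJECT/ && !rej { rej = NR }
        END { exit !(tcp && gre && rej && tcp < rej && gre < rej) }'
}

build_iptables() { printf '%s\n' "$SAMPLE_IPTABLES" | insert_pptp_rules; }

# ./pptp-setup.sh --show prints every file to paste, in order.
if [ "${1:-}" = "--show" ]; then
    echo "# /etc/pptpd.conf";                   render_pptpd_conf "$LOCAL_IP" "$REMOTE_POOL"
    echo "# /etc/ppp/chap-secrets (chmod 600)"; render_chap_secret "$PPTP_USER" "$PPTP_SECRET"
    echo "# /etc/ppp/options.pptpd";            printf 'mtu 1200\nmru 1200\n'
    echo "# /etc/sysconfig/iptables";           build_iptables
    echo "# /etc/sysctl.conf, then sysctl -p";  printf 'net.ipv4.ip_forward = 1\n'
fi
```

Run it with --show to get the files in paste order; pipe the live box's iptables-save output through pptp_rules_ordered to confirm the ordering the post warns about. Note that the rules file is rewritten with the two ACCEPT lines inserted rather than appended, which is exactly the mistake the REJECT-ordering remark is about.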
Configuring the Routerboard

[admin@MikroTik] > interface pptp-client print detail
Flags: X - disabled, R - running
 0  R name="pptp-out1" max-mtu=1450 max-mru=1450 mrru=disabled
      connect-to=157.7.***.*** user="conoha" password="mikumoconoha"
      profile=default-encryption keepalive-timeout=disabled
      add-default-route=no dial-on-demand=no allow=pap,chap,mschap1,mschap2

Two things worth noting about this client config: "print detail" shows the password in the clear, so don't paste it anywhere public, and allow=pap,chap,mschap1,mschap2 lets the server negotiate PAP, which sends the password unencrypted; narrowing it to allow=mschap2 avoids that. Even then, PPTP with MS-CHAPv2 is not considered secure by today's standards, so treat this as a lab setup rather than something to protect real traffic with.

Connect a few of them and have fun.

That's all, good work everyone!!
pppd[11639]: Using interface ppp0
pppd[11639]: Connect: ppp0 /dev/pts/2
pppd[11639]: LCP: timeout sending Config-Requests
pppd[11639]: Connection terminated.
pppd[11639]: Modem hangup
pppd[11639]: Exit.
pptpd[11638]: GRE: read(fd=6,buffer=611860,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
pptpd[11638]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
pptpd[11638]: CTRL: Client 58.62.94.146 control connection finished
Thank you for the comment

/etc/ppp/options.pptpd
mtu 1200
mru 1200

Some clients may fail to connect, so try lowering the MTU to somewhere in the 1200 to 1400 range.