Circumventing the Great Firewall: PPTP

PPTP Introduction

Excerpted from Wikipedia

The Point-to-Point Tunneling Protocol (PPTP) is one way of implementing a virtual private network (VPN). PPTP uses a Transmission Control Protocol (TCP) connection as a control channel for sending control commands, and a Generic Routing Encapsulation (GRE) tunnel to encapsulate Point-to-Point Protocol (PPP) packets for carrying data. The protocol was originally developed by a group of vendors led by Microsoft, but because its encryption is easily broken, Microsoft no longer recommends using it.

The PPTP specification itself does not describe encryption or authentication; it relies on the Point-to-Point Protocol (PPP) to provide those security functions. Because PPTP is built into every product in the Microsoft Windows family, the Microsoft PPP stack provides a range of standard authentication and encryption mechanisms to support it. On Microsoft Windows it can be combined with PAP, CHAP, MS-CHAP v1/v2 or EAP-TLS for authentication, and is usually paired with Microsoft Point-to-Point Encryption (MPPE) or IPsec to improve security.

RFC document: Point-to-Point Tunneling Protocol (PPTP)

PPTP network topology diagram

The installation and deployment below mainly follow How To Setup Your Own VPN With PPTP.

PPTP server on GCP (NOK)

Reason for failure: GCE does not support GRE; see "How do I set up PPTP on Google Cloud?"

Install the pptpd package

huzhifeng@Ubuntu16041:~$ ssh gcp.huzhifeng.com
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.8.0-52-generic x86_64)
Last login: Tue Jul 11 15:45:38 2017 from 118.250.157.17
huzhifeng@ss:~$ sudo -i
root@gcp:~# apt-get install -y pptpd

Edit /etc/pptpd.conf

localip is the server's public IP; remoteip is the address range handed out to VPN tunnel clients.

root@gcp:~# ifconfig
ens4 Link encap:Ethernet HWaddr 42:01:0a:8c:00:02
inet addr:10.140.0.2 Bcast:10.140.0.2 Mask:255.255.255.255
inet6 addr: fe80::4001:aff:fe8c:2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1460 Metric:1
RX packets:1347257 errors:0 dropped:0 overruns:0 frame:8
TX packets:1347853 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:626851432 (626.8 MB) TX bytes:170406351 (170.4 MB)
root@gcp:~# cp /etc/pptpd.conf /etc/pptpd.conf.orig
root@gcp:~# vim /etc/pptpd.conf
root@gcp:~# diff -Nurp /etc/pptpd.conf.orig /etc/pptpd.conf
--- /etc/pptpd.conf.orig 2017-07-11 16:01:36.124776540 +0000
+++ /etc/pptpd.conf 2017-07-11 16:03:15.128709618 +0000
@@ -93,8 +93,8 @@ logwtmp
# IP for each simultaneous client.
#
# (Recommended)
-#localip 192.168.0.1
-#remoteip 192.168.0.234-238,192.168.0.245
+localip 10.140.0.2
+remoteip 10.0.0.100-200
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
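Review bot: localip is set to 10.140.0.2, the only address ifconfig shows on ens4, while the text above says it should be the server's public IP; on GCE the public address is NATed onto the instance and never appears on the interface, so the interface address is the only value pptpd can bind, and that discrepancy with the prose is worth stating. Separately, `+remoteip 10.0.0.100-200` is 101 addresses, one more than pptpd's default connections limit of 100, which is why the service later logs "connections limit (100) reached, extra IP addresses ignored"; either trim the pool to 10.0.0.100-199 or add a `connections 101` line.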
root@gcp:~#

Edit /etc/ppp/chap-secrets

Create a test account with username test and password huzhifeng

root@gcp:~# cp /etc/ppp/chap-secrets /etc/ppp/chap-secrets.orig
root@gcp:~# vim /etc/ppp/chap-secrets
root@gcp:~# diff -Nurp /etc/ppp/chap-secrets.orig /etc/ppp/chap-secrets
--- /etc/ppp/chap-secrets.orig 2017-07-11 16:04:09.320672975 +0000
+++ /etc/ppp/chap-secrets 2017-07-11 16:06:11.836590160 +0000
@@ -1,4 +1,5 @@
# Secrets for authentication using CHAP
# client server secret IP addresses
+test pptpd huzhifeng *
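Review bot: the added line stores the account's secret in clear text and the trailing `*` lets the test account connect from any client address; keep /etc/ppp/chap-secrets readable by root only, use a long random secret rather than a recognizable word, and remove the test entry once the setup is verified. As the introduction notes, the MS-CHAP/MPPE protection this secret feeds is considered broken, so the credential should not be reused anywhere else.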
root@gcp:~# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
test pptpd huzhifeng *

Edit /etc/ppp/pptpd-options

Configure the DNS server addresses

root@gcp:~# cp /etc/ppp/pptpd-options /etc/ppp/pptpd-options.orig
root@gcp:~# vim /etc/ppp/pptpd-options
root@gcp:~# diff -Nurp /etc/ppp/pptpd-options.orig /etc/ppp/pptpd-options
--- /etc/ppp/pptpd-options.orig 2017-07-11 16:07:21.488543091 +0000
+++ /etc/ppp/pptpd-options 2017-07-11 16:08:07.256512172 +0000
@@ -55,8 +55,8 @@ require-mppe-128
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
-#ms-dns 10.0.0.1
-#ms-dns 10.0.0.2
+ms-dns 8.8.8.8
+ms-dns 8.8.4.4
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
root@gcp:~#

Start the PPTP service

root@gcp:~# service pptpd restart
root@gcp:~# service pptpd status
● pptpd.service - PoPToP Point to Point Tunneling Server
Loaded: loaded (/lib/systemd/system/pptpd.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2017-07-11 16:08:45 UTC; 5s ago
Main PID: 30463 (pptpd)
Tasks: 1
Memory: 212.0K
CPU: 1ms
CGroup: /system.slice/pptpd.service
└─30463 /usr/sbin/pptpd --fg
Jul 11 16:08:45 ss systemd[1]: Started PoPToP Point to Point Tunneling Server.
Jul 11 16:08:45 ss pptpd[30463]: MGR: connections limit (100) reached, extra IP addresses ignored
Jul 11 16:08:45 ss pptpd[30463]: MGR: Manager process started
Jul 11 16:08:45 ss pptpd[30463]: MGR: Maximum of 100 connections available
root@gcp:~# netstat -nlp | grep pptpd
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 30463/pptpd
root@gcp:~#
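The MGR line "connections limit (100) reached, extra IP addresses ignored" above is what pptpd prints when the remoteip pool is larger than its connections setting, which defaults to 100: 10.0.0.100-200 is 101 addresses. The Python below is an added example, not code from the original post or from pptpd; it expands the localip/remoteip syntax used in pptpd.conf (only the last-octet range form shown in the file's comments) and flags that condition, plus an overlap between the two settings.

```python
import ipaddress
import re

# pptpd's default "connections" limit (the log above says "Maximum of 100 connections available").
DEFAULT_CONNECTIONS = 100
_RANGE = re.compile(r"^(\d+\.\d+\.\d+\.)(\d+)-(\d+)$")  # last-octet range form, e.g. "10.0.0.100-200"

def expand_ip_spec(spec):
    """Expand a localip/remoteip value such as '10.0.0.100-200' or
    '192.168.0.234-238,192.168.0.245' into a list of IPv4Address objects."""
    addrs = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        m = _RANGE.match(item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            if lo > hi or hi > 255:
                raise ValueError("bad range: %s" % item)
            addrs.extend(ipaddress.ip_address(prefix + str(n)) for n in range(lo, hi + 1))
        else:
            addrs.append(ipaddress.ip_address(item))  # raises ValueError on garbage
    return addrs

def parse_pptpd_conf(text):
    """Pick localip, remoteip and connections out of pptpd.conf text, ignoring comments."""
    conf = {"localip": [], "remoteip": [], "connections": DEFAULT_CONNECTIONS}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, val = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key in ("localip", "remoteip"):
            conf[key] = expand_ip_spec(val)
        elif key == "connections":
            conf["connections"] = int(val)
    return conf

def check_pool(conf):
    """Report the address-pool problems pptpd would hit with this configuration."""
    pool, limit, problems = conf["remoteip"], conf["connections"], []
    if len(pool) > limit:
        problems.append("remoteip has %d addresses but connections is %d (%d ignored)"
                        % (len(pool), limit, len(pool) - limit))
    if set(pool) & set(conf["localip"]):
        problems.append("localip overlaps remoteip")
    return problems

# Constructed from the diff above: the two lines changed on the GCP server.
GCP_CONF = "localip 10.140.0.2\nremoteip 10.0.0.100-200\n"
```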

Enable IP forwarding

root@gcp:~# cp /etc/sysctl.conf /etc/sysctl.conf.orig
root@gcp:~# vim /etc/sysctl.conf
root@gcp:~# diff -Nurp /etc/sysctl.conf.orig /etc/sysctl.conf
--- /etc/sysctl.conf.orig 2017-07-11 16:10:00.568435602 +0000
+++ /etc/sysctl.conf 2017-07-11 16:10:13.316426988 +0000
@@ -25,7 +25,7 @@
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.ip_forward=1
+net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
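Review bot: `+net.ipv4.ip_forward=1` turns the instance into a router for every packet it receives, and the filter table saved in the next section keeps FORWARD at policy ACCEPT, so nothing limits what tunnel clients can reach through the server, including the 10.140.0.0 internal network it sits on. Pair this change with FORWARD rules that admit only the tunnel pool, for example `-A FORWARD -i ppp+ -s 10.0.0.0/24 -o ens4 -j ACCEPT`, `-A FORWARD -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT` and `-P FORWARD DROP`.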
root@gcp:~# sysctl -p
net.ipv4.ip_forward = 1
root@gcp:~#

Add firewall rules

root@gcp:~# iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE && iptables-save
# Generated by iptables-save v1.6.0 on Tue Jul 11 16:11:16 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ens4 -j MASQUERADE
COMMIT
# Completed on Tue Jul 11 16:11:16 2017
# Generated by iptables-save v1.6.0 on Tue Jul 11 16:11:16 2017
*filter
:INPUT ACCEPT [1284652:606310551]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1285126:149924590]
COMMIT
# Completed on Tue Jul 11 16:11:16 2017
root@gcp:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 2 packets, 100 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 2 packets, 100 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 152 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 152 MASQUERADE all -- * ens4 0.0.0.0/0 0.0.0.0/0
root@gcp:~#

Watch the logs

root@gcp:~# tail -f /var/log/syslog

PPTP server on HKServer (NOK)

Reason for failure: the VPS has no PPP support; see "iptables does not support nat" and "A PPTP server on an OpenVZ VPS requires TUN/TAP support".

Install the pptpd package

huzhifeng@Ubuntu16041:~$ ssh root@huzhifeng.com
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 2.6.32-042stab116.2 x86_64)
Last login: Sun Jul 9 00:28:08 2017 from 118.250.159.220
root@vps:~# apt-get install -y pptpd

Edit /etc/pptpd.conf

localip is the server's public IP; remoteip is the address range handed out to VPN tunnel clients.

root@vps:~# ifconfig
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.2 P-t-P:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:219710246 errors:0 dropped:0 overruns:0 frame:0
TX packets:202918530 errors:0 dropped:417 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:89939128706 (89.9 GB) TX bytes:102789459399 (102.7 GB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:43.242.175.148 P-t-P:43.242.175.148 Bcast:43.242.175.148 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
root@vps:~# cp /etc/pptpd.conf /etc/pptpd.conf.orig
root@vps:~# vim /etc/pptpd.conf
root@vps:~# diff -Nurp /etc/pptpd.conf.orig /etc/pptpd.conf
--- /etc/pptpd.conf.orig 2017-07-12 00:31:10.478163720 +0800
+++ /etc/pptpd.conf 2017-07-12 00:32:03.458163690 +0800
@@ -93,8 +93,8 @@ logwtmp
# IP for each simultaneous client.
#
# (Recommended)
-#localip 192.168.0.1
-#remoteip 192.168.0.234-238,192.168.0.245
+localip 43.242.175.148
+remoteip 10.0.0.100-200
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245

Edit /etc/ppp/chap-secrets

Create a test account with username test and password huzhifeng

root@vps:~# cp /etc/ppp/chap-secrets /etc/ppp/chap-secrets.orig
root@vps:~# vim /etc/ppp/chap-secrets
root@vps:~# diff -Nurp /etc/ppp/chap-secrets.orig /etc/ppp/chap-secrets
--- /etc/ppp/chap-secrets.orig 2017-07-12 00:32:55.430163660 +0800
+++ /etc/ppp/chap-secrets 2017-07-12 00:33:23.948163644 +0800
@@ -1,4 +1,5 @@
# Secrets for authentication using CHAP
# client server secret IP addresses
+test pptpd huzhifeng *
root@vps:~# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
test pptpd huzhifeng *

Edit /etc/ppp/pptpd-options

Configure the DNS server addresses

root@vps:~# cp /etc/ppp/pptpd-options /etc/ppp/pptpd-options.orig
root@vps:~# vim /etc/ppp/pptpd-options
root@vps:~# diff -Nurp /etc/ppp/pptpd-options.orig /etc/ppp/pptpd-options
--- /etc/ppp/pptpd-options.orig 2017-07-12 00:33:52.547163627 +0800
+++ /etc/ppp/pptpd-options 2017-07-12 00:34:12.805163615 +0800
@@ -55,8 +55,8 @@ require-mppe-128
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
-#ms-dns 10.0.0.1
-#ms-dns 10.0.0.2
+ms-dns 8.8.8.8
+ms-dns 8.8.4.4
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows

Start the PPTP service

root@vps:~# service pptpd restart
* Restarting PoPToP Point to Point Tunneling Server pptpd [ OK ]
root@vps:~# service pptpd status
* pptpd is running

Enable IP forwarding

root@vps:~# cp /etc/sysctl.conf /etc/sysctl.conf.orig
root@vps:~# vim /etc/sysctl.conf
root@vps:~# diff -Nurp /etc/sysctl.conf.orig /etc/sysctl.conf
--- /etc/sysctl.conf.orig 2017-07-12 00:34:57.895163590 +0800
+++ /etc/sysctl.conf 2017-07-12 00:35:08.901163583 +0800
@@ -25,7 +25,7 @@
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.ip_forward=1
+net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
root@vps:~# sysctl -p
net.ipv4.ip_forward = 1

Add firewall rules

root@vps:~# iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE && iptables-save
# Generated by iptables-save v1.4.21 on Wed Jul 12 00:35:47 2017
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o venet0:0 -j MASQUERADE
COMMIT
# Completed on Wed Jul 12 00:35:47 2017
# Generated by iptables-save v1.4.21 on Wed Jul 12 00:35:47 2017
*raw
:PREROUTING ACCEPT [230033293:95027439296]
:OUTPUT ACCEPT [213236589:107877339733]
COMMIT
# Completed on Wed Jul 12 00:35:47 2017
# Generated by iptables-save v1.4.21 on Wed Jul 12 00:35:47 2017
*mangle
:PREROUTING ACCEPT [230033293:95027439296]
:INPUT ACCEPT [230033293:95027439296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [213236589:107877339733]
:POSTROUTING ACCEPT [213236589:107877339733]
COMMIT
# Completed on Wed Jul 12 00:35:47 2017
# Generated by iptables-save v1.4.21 on Wed Jul 12 00:35:47 2017
*filter
:INPUT ACCEPT [230033293:95027439296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [213236589:107877339733]
COMMIT
# Completed on Wed Jul 12 00:35:47 2017
root@vps:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3 packets, 257 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * venet0:0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3 packets, 257 bytes)
pkts bytes target prot opt in out source destination

Watch the logs

root@vps:~# tail -f /var/log/syslog
Dec 19 19:44:21 huzhifeng rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="337" x-info="http://www.rsyslog.com"] start
Dec 19 19:44:21 huzhifeng rsyslogd-3003: invalid or yet-unknown config file command 'KLogPermitNonKernelFacility' - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
Dec 19 19:44:21 huzhifeng rsyslogd: rsyslogd's groupid changed to 104
Dec 19 19:44:21 huzhifeng rsyslogd: rsyslogd's userid changed to 101
Dec 19 19:44:21 huzhifeng rsyslogd-2039: Could no open output pipe '/dev/xconsole': No such file or directory [try http://www.rsyslog.com/e/2039 ]
Jul 11 12:30:40 huzhifeng pptpd[6326]: MGR: Manager process started
Jul 11 12:30:40 huzhifeng pptpd[6326]: MGR: Maximum of 100 connections available
Jul 11 12:34:35 huzhifeng pptpd[6403]: MGR: connections limit (100) reached, extra IP addresses ignored
Jul 11 12:34:35 huzhifeng pptpd[6404]: MGR: Manager process started
Jul 11 12:34:35 huzhifeng pptpd[6404]: MGR: Maximum of 100 connections available
Jul 11 12:37:23 huzhifeng pptpd[6451]: CTRL: Client 118.250.157.17 control connection started
Jul 11 12:37:24 huzhifeng pptpd[6451]: CTRL: Starting call (launching pppd, opening GRE)
Jul 11 12:37:24 huzhifeng pppd[6454]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Jul 11 12:37:24 huzhifeng pppd[6454]: Couldn't open the /dev/ppp device: No such file or directory
Jul 11 12:37:29 huzhifeng pppd[6454]: You need to create the /dev/ppp device node by#012executing the following command as root:#012#011mknod /dev/ppp c 108 0
Jul 11 12:37:29 huzhifeng pptpd[6451]: GRE: read(fd=6,buffer=7f04348d44a0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Jul 11 12:37:29 huzhifeng pptpd[6451]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Jul 11 12:37:29 huzhifeng pptpd[6451]: CTRL: Reaping child PPP[6454]
Jul 11 12:37:29 huzhifeng pptpd[6451]: CTRL: Client 118.250.157.17 control connection finished
^C
root@vps:~#
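The syslog stream above mixes manager (MGR), control-connection (CTRL) and pppd messages, and the actual cause of the failed call is in the pppd lines. The Python below is an added example, not code from the original post or from pptpd; it groups the CTRL messages by control-process pid, attaches the pppd errors for the child pid that pptpd reaps, and gives each call an outcome. The sample lines are copied (abridged) from the output above; rsyslogd's own startup lines do not match the pattern and are skipped.

```python
import re

# rsyslog layout above: "Mon DD HH:MM:SS host prog[pid]: msg".
LINE_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>pptpd|pppd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
START_RE = re.compile(r"CTRL: Client (\S+) control connection started")
REAP_RE = re.compile(r"CTRL: Reaping child PPP\[(\d+)\]")
# pppd lines meaning the data channel never came up; pptpd lines meaning the GRE/PTY path died.
PPPD_FAIL = ("Couldn't open the /dev/ppp device", "You need to create the /dev/ppp device")
PPTPD_FAIL = ("GRE: read(", "CTRL: PTY read or GRE write failed")

def analyse_pptp_log(lines):
    """One record per control connection: client, pppd pid, error lines and an outcome."""
    calls, by_ctrl, pppd_msgs = [], {}, {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # rsyslogd startup noise and anything else
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        if prog == "pppd":
            pppd_msgs.setdefault(pid, []).append(msg)  # attached once pptpd reaps that pid
            continue
        s = START_RE.match(msg)
        if s:
            by_ctrl[pid] = {"client": s.group(1), "ctrl_pid": pid, "ppp_pid": None,
                            "errors": [], "finished": False}
            calls.append(by_ctrl[pid])
            continue
        call = by_ctrl.get(pid)
        if call is None:
            continue  # MGR lines come from the manager process, not from a call
        r = REAP_RE.match(msg)
        if r:
            call["ppp_pid"] = r.group(1)
            call["errors"] += [x for x in pppd_msgs.pop(r.group(1), []) if x.startswith(PPPD_FAIL)]
        elif msg.startswith(PPTPD_FAIL):
            call["errors"].append(msg)
        elif msg.endswith("control connection finished"):
            call["finished"] = True
    for call in calls:  # a call that finished but logged errors is still a failure
        call["outcome"] = "failed" if call["errors"] else ("closed" if call["finished"] else "open")
    return calls

# Sample input copied (abridged) from the syslog output above.
SAMPLE_LOG = """\
Jul 11 12:37:23 huzhifeng pptpd[6451]: CTRL: Client 118.250.157.17 control connection started
Jul 11 12:37:24 huzhifeng pppd[6454]: Couldn't open the /dev/ppp device: No such file or directory
Jul 11 12:37:29 huzhifeng pptpd[6451]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Jul 11 12:37:29 huzhifeng pptpd[6451]: CTRL: Reaping child PPP[6454]
Jul 11 12:37:29 huzhifeng pptpd[6451]: CTRL: Client 118.250.157.17 control connection finished
"""
```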

Enable PPP and TUN kernel support

In the VPS control panel, enable PPP and TUN; this automatically triggers a reboot.

root@huzhifeng:~# ls -lh /dev/ppp /dev/tun
crw------- 1 root root 108, 0 Jul 12 00:43 /dev/ppp
crw-r--r-- 1 root 500 10, 200 Jul 12 00:43 /dev/tun
root@huzhifeng:~#

PPTP client

[huzhifeng@CentOS72 ~]$ sudo yum -y install pptp
[huzhifeng@CentOS72 ~]$ sudo modprobe ppp_mppe
[huzhifeng@CentOS72 ~]$ lsmod | grep ppp
ppp_mppe 13002 0
ppp_generic 33029 1 ppp_mppe
slhc 13450 1 ppp_generic
[huzhifeng@CentOS72 ~]$ sudo vim /etc/ppp/peers/pptpserver
[huzhifeng@CentOS72 ~]$ cat /etc/ppp/peers/pptpserver
pty "pptp 35.187.158.96 --nolaunchpppd"
name test
password huzhifeng
remotename PPTP
require-mppe-128
[huzhifeng@CentOS72 ~]$ sudo pppd call pptpserver
[huzhifeng@CentOS72 ~]$ sudo pppd call pptpserver logfile /tmp/pppd.log

EOF
