Building a simple VPN NAT environment (ipfw, natd, mpd)
Goal: set up a VPN server; clients connect to it over the VPN and then reach other public addresses through it, i.e. the server NATs the clients' traffic out of its public interface.
Environment: FreeBSD 6.1
Programs used: ipfw, natd, mpd.
Preparation:
Enable ipfw and divert-socket support in the kernel configuration:
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
Rebuild the kernel and reboot. Loading the modules instead of rebuilding the kernel should also work; if divert support is missing, natd cannot create its divert socket and exits at startup with a "Protocol not supported" error, which is the quickest check.
Install mpd:
/usr/ports/net/mpd or /usr/ports/net/mpd4
Configure mpd:
The configuration files live in /usr/local/etc/mpd (/usr/local/etc/mpd4 for mpd4).
mpd.conf (the default label loads five links; each vpnN label creates one netgraph interface ngN with 10.1.1.1 as the server side and 10.1.1.11-15 as the client address, then loads the shared vpn settings; in mpd config files labels start in column one and commands must be indented):
------------------------------------------------
# "default" is the label mpd loads at startup: it creates five PPTP links
default:
    load vpn1
    load vpn2
    load vpn3
    load vpn4
    load vpn5

# one label per link; each gets its own netgraph interface (ng0..ng4),
# 10.1.1.1 as the server-side address and a fixed client address 10.1.1.11..15
vpn1:
    new -i ng0 vpn1 vpn1
    set ipcp ranges 10.1.1.1/32 10.1.1.11/32
    load vpn
vpn2:
    new -i ng1 vpn2 vpn2
    set ipcp ranges 10.1.1.1/32 10.1.1.12/32
    load vpn
vpn3:
    new -i ng2 vpn3 vpn3
    set ipcp ranges 10.1.1.1/32 10.1.1.13/32
    load vpn
vpn4:
    new -i ng3 vpn4 vpn4
    set ipcp ranges 10.1.1.1/32 10.1.1.14/32
    load vpn
vpn5:
    new -i ng4 vpn5 vpn5
    set ipcp ranges 10.1.1.1/32 10.1.1.15/32
    load vpn

# settings shared by all links
vpn:
    set iface disable on-demand
    set iface enable proxy-arp
    set iface idle 0
# clamp the TCP MSS so client traffic fits the 1460-byte link MTU
    set iface enable tcpmssfix
    set bundle enable multilink
    set bundle enable compression
# refuse clients that do not negotiate MPPE encryption
    set bundle yes crypt-reqd
    set link yes acfcomp protocomp
# offer only MS-CHAPv2 to clients (PAP and the other CHAP variants are off)
    set link no pap chap
    set link enable chap-msv2
    set link keep-alive 10 60
    set link mtu 1460
    set ipcp yes vjcomp
# DNS servers handed to the clients
    set ipcp dns 65.23.128.2 65.23.128.3
# MPPC compression and 128-bit stateless MPPE
    set ccp yes mppc
    set ccp yes mpp-e128
    set ccp yes mpp-stateless
------------------------------------------------
mpd.links (one entry per link label from mpd.conf; each is a PPTP link that accepts incoming calls only):
------------------------------------------------
# each link: PPTP, incoming calls only, never originate, no PPTP windowing
vpn1:
    set link type pptp
    set pptp enable incoming
    set pptp disable originate
    set pptp disable windowing
vpn2:
    set link type pptp
    set pptp enable incoming
    set pptp disable originate
    set pptp disable windowing
vpn3:
    set link type pptp
    set pptp enable incoming
    set pptp disable originate
    set pptp disable windowing
vpn4:
    set link type pptp
    set pptp enable incoming
    set pptp disable originate
    set pptp disable windowing
vpn5:
    set link type pptp
    set pptp enable incoming
    set pptp disable originate
    set pptp disable windowing
------------------------------------------------
mpd.secret (one username and password per line; keep the file readable by root only, e.g. chmod 600, and use a long random password rather than the placeholder below, because a captured MS-CHAPv2 handshake can be attacked offline by dictionary):
------------------------------------------------
vpn "vpn1234567"
------------------------------------------------
Start mpd: /usr/local/etc/rc.d/mpd.sh start (the rc script only starts mpd when mpd_enable="yes" is set in /etc/rc.conf; the author notes this is not needed for mpd4, so check the mpd4 port's own rc script for its variable name).
Configure natd and ipfw:
Add to /etc/rc.conf:
gateway_enable="yes"
natd_enable="yes"
natd_interface="rl0" # the interface holding the public IP; the same name is used below
firewall_enable="yes"
firewall_script="/root/ipfw.rules"
Start natd and make gateway_enable take effect immediately (both happen automatically at the next boot):
/etc/rc.d/natd start
sysctl net.inet.ip.forwarding=1
Configure ipfw
Edit /root/ipfw.rules:
#!/bin/sh
IPFW="/sbin/ipfw -q"
$IPFW -f flush
# NAT everything crossing the public interface; natd listens on the default divert port
$IPFW add 100 divert natd all from any to any via rl0
# 65535 is the reserved default rule and cannot be added, so use a lower number.
# Note that this rule set filters nothing: everything is allowed after NAT.
$IPFW add 65000 allow ip from any to any
After saving, make the script executable: chmod +x /root/ipfw.rules
Run /root/ipfw.rules; ipfw show should then list the loaded rules, and the packet counter of the divert rule should increase once a VPN client sends traffic.
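The rule set above is enough to demonstrate natd, but together with IPFIREWALL_DEFAULT_TO_ACCEPT it leaves the server wide open: anything reaching rl0 is accepted, and a VPN client can source packets from any address. The script below is an added example written for this page, not the article's own file: a tightened /root/ipfw.rules that admits only the PPTP control channel (TCP 1723) and GRE on the public interface, refuses spoofed source addresses from the ng* interfaces, allows replies after natd has translated them, and ends in an explicit deny. It assumes the article's rl0 and 10.1.1.0/24; the ssh rule (540) and the stateless DNS-reply rule (525) are hypothetical additions so the server stays administrable and can resolve names itself. DRY_RUN=1 prints the ipfw commands instead of loading them, and the script falls back to printing when /sbin/ipfw is absent, so the rules can be reviewed on another machine.

```shell
#!/bin/sh
# Tightened /root/ipfw.rules for the ipfw + natd + mpd PPTP gateway.
# Added example, not from the original article. Assumptions:
#   - public interface rl0 and VPN client pool 10.1.1.0/24 (as in the article)
#   - ipfw/natd from FreeBSD 6.x; rule numbers stay below 65535, which is
#     the reserved default rule and cannot be added
#   - rules 525 (DNS replies to the server) and 540 (ssh) are hypothetical
#   - DRY_RUN=1 prints the commands instead of executing them

EXT_IF="${EXT_IF:-rl0}"
VPN_NET="${VPN_NET:-10.1.1.0/24}"
IPFW="${IPFW:-/sbin/ipfw -q}"

# execute one ipfw command, or print it in dry-run mode
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ipfw $*"
    else
        $IPFW "$@"
    fi
}

build_rules() {
    fw -f flush
    # NAT first: every packet crossing the public interface is translated
    # before it is filtered; natd reinjects it and matching resumes at 101
    fw add 100 divert natd ip from any to any via "$EXT_IF"
    # loopback is fine, loopback addresses on real interfaces are not
    fw add 200 allow ip from any to any via lo0
    fw add 210 deny ip from any to 127.0.0.0/8
    fw add 220 deny ip from 127.0.0.0/8 to any
    # PPTP control channel (new connections only) and GRE data channel,
    # addressed to this host only
    fw add 300 allow tcp from any to me 1723 in via "$EXT_IF" setup
    fw add 310 allow gre from any to me in via "$EXT_IF"
    # VPN side: clients may only use addresses from their pool (anti-spoof)
    fw add 400 deny ip from not "$VPN_NET" to any in via 'ng*'
    fw add 410 allow ip from "$VPN_NET" to any in via 'ng*'
    fw add 420 allow ip from any to "$VPN_NET" out via 'ng*'
    # public side: anything may leave (sources already rewritten by natd);
    # only replies may come back in: established TCP, packets natd has
    # translated back to a client, DNS replies to the server, ICMP errors
    fw add 500 allow ip from any to any out via "$EXT_IF"
    fw add 510 allow tcp from any to any in via "$EXT_IF" established
    fw add 520 allow ip from any to "$VPN_NET" in via "$EXT_IF"
    fw add 525 allow udp from any 53 to me in via "$EXT_IF"
    fw add 530 allow icmp from any to any in via "$EXT_IF" icmptypes 0,3,11
    # hypothetical admin access; remove if ssh is reached another way
    fw add 540 allow tcp from any to me 22 in via "$EXT_IF" setup
    # explicit final deny, so the policy does not depend on whether the
    # kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT
    fw add 65000 deny ip from any to any
}

# helpers for reviewing the generated rule set
divert_rule_number() {
    ( DRY_RUN=1; build_rules ) | awk '/divert natd/ { print $3; exit }'
}
last_rule_number() {
    ( DRY_RUN=1; build_rules ) | awk '/^ipfw add / { n = $3 } END { print n }'
}
rule_count() {
    ( DRY_RUN=1; build_rules ) | grep -c '^ipfw add '
}

# without ipfw on this host (e.g. reviewing the rules elsewhere) print
# the commands instead of failing
[ -x "${IPFW%% *}" ] || DRY_RUN=1
build_rules
```

Rule order matters: the divert rule must come first so that inbound replies are translated back to a 10.1.1.x address before rule 520 sees them, and outbound client traffic already carries the public source address when it reaches rule 500. After loading, `ipfw show` lets you confirm that counters on rules 300/310 move for a connecting client and that rule 400 stays at zero unless a client misbehaves.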
Everything above is now configured and VPN clients can connect. Two caveats before using this beyond a test setup: the rule set is wide open, so the server itself has no packet filtering at all; and PPTP with MS-CHAPv2 and MPPE is cryptographically broken (the MS-CHAPv2 handshake reduces to a single DES key search, and the MPPE keys are derived from it), so treat this tunnel as providing NAT, not confidentiality.
Using pf for the NAT would actually be better.