So Tired !_! Like a boat rowing against the current: stop advancing and you fall back!

24Jun/14

Upgrading OpenSSL and the php_openssl module on Linux

Posted by Nick Xu

1. Upgrading OpenSSL from source

April 8, 2014, the day Windows XP officially reached end of support, was also the day a major OpenSSL vulnerability was disclosed.

OpenSSL is widely used to protect sensitive data submissions, including on many sites people visit every day: Alipay, WeChat, Taobao, online banking, social networks, portals and other well-known sites.

The official recommendation is to upgrade to OpenSSL 1.0.1g.

So, joining the rush to upgrade, first check the OpenSSL version on your own machine.

openssl version
#OpenSSL 1.0.0-fips 29 Mar 2010

Clearly not the version the project recommends, so we have to upgrade; we'll do it from source. First download the matching OpenSSL release.

cd /usr/local/src/
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -zxvf openssl-1.0.1g.tar.gz
cd  openssl-1.0.1g
./config shared zlib
make && make install
# back up the old OpenSSL files before replacing them
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/openssl.old
# symlink to the new OpenSSL; the build just installed defaults to /usr/local/ssl
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
# refresh the dynamic linker cache so the new shared libraries are found
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig -v

Now check the OpenSSL version again.

openssl version
#OpenSSL 1.0.1g 7 Apr 2014

If it reports 1.0.1g, the installation was done correctly.

2. Updating the php_openssl extension

Case 1: openssl was enabled through PHP's configure parameters

If, like me, you installed PHP a long time ago and passed a bare "--with-openssl" to configure (without a path), you will probably need to recompile PHP now. First retrieve the parameters PHP was originally built with, and make sure the PHP source version you use matches the installed one. You could of course upgrade PHP at the same time, but an upgrade may break some of the extensions you have installed or produce errors when php-fpm starts, so I don't really recommend it; better to find the source for the exact version you are running and recompile that.

# show the PHP version
/usr/local/php/bin/php -v
# get the parameters PHP was compiled with
/usr/local/php/bin/php -i | grep Command
#./configure'  '--prefix=/usr/local/php' '--with-mysql' '--with-mysqli' '--with-iconv-dir' '--with-zlib' '--with-libxml-dir' '--enable-xml' '--with-curl' '--enable-fpm' '--enable-mbstring' '--with-gd' '--with-openssl' '--with-mhash' '--enable-sockets' '--with-xmlrpc' '--enable-zip' '--enable-soap' '--disable-fileinfo'

Note that all the single quotes must be removed. Since we upgraded OpenSSL from source, the new OpenSSL lives at the install path mentioned above (/usr/local/ssl), so that path is passed to --with-openssl:

cd /usr/local/src/php-5.5.6
./configure  --prefix=/usr/local/php --with-mysql --with-mysqli --with-iconv-dir --with-zlib --with-libxml-dir --enable-xml --with-curl --enable-fpm --enable-mbstring --with-gd --with-openssl=/usr/local/ssl/ --with-mhash --enable-sockets --with-xmlrpc --enable-zip --enable-soap --disable-fileinfo
make && make install

Since you are using the same source version as the original install, this is just a recompile that takes a little time; nothing else needs to change for PHP to pick up the upgraded OpenSSL. Now restart php-fpm.

service php-fpm restart

Then look in the phpinfo() output for the openssl version; if it shows OpenSSL 1.0.1g, everything went through.
At this point you may ask why I don't just use phpize instead of this exhausting procedure. I did try it: I first built php_openssl as a standalone module, and after installing it, restarting php-fpm gave me the following message:

PHP Warning: Module 'openssl' already loaded in Unknown on line 0 ……

That is, OpenSSL was already loaded and should not be loaded twice. I went through php.ini carefully and had not added the openssl extension twice; my guess is that it was compiled into PHP at build time, so a module added through phpize is naturally a duplicate.

Case 2: the php_openssl module was not enabled

This case feels a bit odd: if you have never used openssl, why upgrade it at all? Unless new business needs call for it. Ahem, enough digressing.
If you are not in the first situation above, this approach is the best one for you.

cd /usr/local/src/php-5.5.6/ext/openssl
/usr/local/php/bin/phpize
./configure --with-openssl=/usr/local/ssl/ --with-php-config=/usr/local/php/bin/php-config
make && make install

Finally, add one line to /usr/local/php/lib/php.ini:

extension=openssl.so

Restart php-fpm and check the openssl version in phpinfo().
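To verify the result of the steps above without reading phpinfo() by eye, here is an added Python check (not part of the original post) that parses the version out of "openssl version" output or out of phpinfo()'s OpenSSL Library Version line, compares it with the 1.0.1g the post recommends, and flags the case where the binary was upgraded but PHP still links the old library. The phpinfo line format and the sample strings are assumptions constructed from the outputs quoted in the post.

```python
import re
from typing import List, NamedTuple, Optional

# Version the post says the OpenSSL project recommended after the April 2014 bug
RECOMMENDED = "1.0.1g"


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str  # letter suffix such as "g"; "" when absent

    def text(self) -> str:
        return "%d.%d.%d%s" % self


_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Optional[OpenSSLVersion]:
    """Pull the version out of `openssl version` output or a phpinfo() line.
    Build suffixes such as "-fips" and the date are ignored. 1.0.1 (no letter)
    sorts before 1.0.1a, which sorts before 1.0.1g, so tuple order is release order."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_at_least(text: str, minimum: str = RECOMMENDED) -> bool:
    """True when the version named in `text` is `minimum` or newer."""
    found = parse_openssl_version(text)
    wanted = parse_openssl_version("OpenSSL " + minimum)
    return found is not None and wanted is not None and found >= wanted


def check_upgrade(cli_output: str, phpinfo_line: str) -> List[str]:
    """Return the problems found; an empty list means the openssl binary and
    PHP's linked library are both at least RECOMMENDED and agree with each other.
    phpinfo_line is assumed to be phpinfo()'s "OpenSSL Library Version" line."""
    problems = []
    cli = parse_openssl_version(cli_output)
    php = parse_openssl_version(phpinfo_line)
    if cli is None:
        problems.append("cannot find an OpenSSL version in: " + cli_output)
    elif not is_at_least(cli_output):
        problems.append("openssl binary is %s, older than %s" % (cli.text(), RECOMMENDED))
    if php is None:
        problems.append("cannot find an OpenSSL version in: " + phpinfo_line)
    elif not is_at_least(phpinfo_line):
        problems.append("PHP links OpenSSL %s, older than %s" % (php.text(), RECOMMENDED))
    if cli is not None and php is not None and cli != php:
        # The situation the post runs into: binary upgraded, PHP still built
        # against the old headers and library
        problems.append("PHP (%s) and the openssl binary (%s) differ: rebuild PHP with "
                        "--with-openssl=/usr/local/ssl/ or load a rebuilt openssl.so"
                        % (php.text(), cli.text()))
    return problems


if __name__ == "__main__":
    # Constructed sample strings matching the outputs quoted in the post
    for p in check_upgrade("OpenSSL 1.0.1g 7 Apr 2014",
                           "OpenSSL Library Version => OpenSSL 1.0.0-fips 29 Mar 2010"):
        print("PROBLEM:", p)
```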


2Nov/12

Set up a Git server on a Windows machine with MSysGit and CopSSH (building a Windows-based Git server with msysgit and copssh)

Posted by Nick Xu

On Server Box

1. install CopSSH
Be sure to install it to a folder without space in its name. I used C:\SSH. Then just press next until it finishes.
 
2. install MSysGit

Be sure to install it to a folder without space in its name. I used C:\Git. The default values suit me well.
3. Config CopSSH
a. I would like to use a separate user for git access. So create a user from the command line:

net user git userspassword /add
b. Then, go to "Start | Programs | Copssh | 01. Activate a user" to activate the user.
Note, you should clear the 2nd checkbox, we'll generate keys later.
c. Go to the C:\SSH\etc folder, open the sshd_config file using wordpad (or notepad2), don't use notepad, it's a UNIX format file. Remove the leading # character for item "PasswordAuthentication" and change the "yes" to "no". Also you can review the rest of the config file and change if necessary. For me, most of the default settings work fine.
 

d. Go to the C:\SSH\home\git\.ssh folder, create a file named authorized_keys. Open this file using wordpad.

e. Install/extract Putty if you have not. Invoke PUTTYGEN.EXE to generate a pair of keys:
I used a 4096 bit SSH2 key. Save the private key to a folder and remember it. We'll use it later. Copy the content in the text box labelled with "Public key for pasting...." to the wordpad window you opened at step d, and save it, close the wordpad.

f. (Re)Start SSH Server. You can either reboot your PC, or use below command line:
net stop opensshserver
net start opensshserver

g. Now it's ready to test the SSH connection. Invoke Putty.EXE, put localhost as host name; if you changed the port in step c, don't forget to change it here. Navigate to the Connection/SSH/Auth node, press the "Browse" button to select the private key file you generated and stored in step e, as shown below:

You can save the settings to save you some typing next time. Google it if you don't know how. Now press the "Open" button; you will see a warning window on first connection, press "Yes" to accept the key. Then a black terminal window pops up, with prompt "login as:"; input "git" (without quotes), and you should be prompted for the passphrase if you set one when you saved the private key. Note, this is not the password of the git user you created during step a!!! And with some luck (which you don't need if you know what you are doing), you should see a window similar to this:
If you've made it, congratulations, the hardest part is behind you. If you don't see it, then please review carefully what you have missed.

h. invoke a command window if you have not (where have you executed those "net xxx" commands?), and type
cd /d %USERPROFILE%
echo export HOME=/c/SSH/home/git > .bashrc

i. goto C:\SSH\home\git folder, open the .bashrc file (yes, the same name as in the above line). Insert below line to the first line: (AGAIN, THIS IS A UNIX FILE!)
export PATH=/cygdrive/c/Git/bin:/cygdrive/c/Git/libexec/git-core:$PATH
 

NOTE, above "export PATH=..." must be in the same line!
4. setup a Git repository.
Go to C:\SSH\home\git and make a folder named test.git. Right click the folder and select "Git Bash" from the context menu. (What? You did not choose the explorer integration? Go to the start menu, find Git|Git Bash, and use the command line to go to this folder). Then input the lines below:
$ git init --bare
Initialized empty Git repository in C:/SSH/home/git/test.git/

Now the server setup is DONE. You might need a cup of coffee or a cake to ease your nerves.

Special note on Windows Server 2003. It seems sshd will experience an error if the user account used to log in is not a member of Administrators (thanks for the comment from Raphael). So if you experience problems, try to add the user's account to the Administrators group and try again.


On Client PC

1. Install MSysGit, as on the server. You can choose any folder you like (better a folder without space in its path).

2. Test connection, using Putty. Change the host name and port as in your environment. Don't forget the Connection | SSH | Auth node setting. Copy the private key file to client machine and point the file in this node. Then press "Open" button, you should find it similar to what you have experienced at step g above. But this time, after you logged in, you are actually logged in to another computer! After you logged in, type "git", and see if you have the familiar git help screen before you. If you see

-bash: git: command not found
then please check if you have step i done correctly.

3. Open a command window, type

cd /d %USERPROFILE%
md .ssh

Then use Windows Explorer to open this folder. Create the file id_rsa.pub if it doesn't exist.

4. Fire up PuttyGen.EXE again, load the private key you used at step 2. Paste the content of the text box into the file id_rsa.pub, and use the menu "Conversions | Export OpenSSH key" to save to the folder you created at step 3, under the name "id_rsa". Now the folder %USERPROFILE%\.ssh should have at least 2 files: id_rsa and id_rsa.pub

5. Create an empty folder, invoke Git Bash and navigate to that folder. Type
ssh git@your.remote.host "echo something"

input "yes" to accept the remote key. Then you should get an echo "something"


6. Now we are ready to clone the empty project we created at server
$ git clone ssh://git@tst/SSH/home/git/test.git
Initialized empty Git repository in D:/g/gt/test/.git/
warning: You appear to have cloned an empty repository.

Now you can make some change and push it back

$ cd test
$ vim readme.txt
$ git add readme.txt
$ git commit -a -m "first commit"
[master (root-commit) f216dfe] first commit

1 files changed, 1 insertions(+), 0 deletions(-)

create mode 100644 readme.txt
$ git push origin master

Counting objects: 3, done.
Writing objects: 100% (3/3), 236 bytes, done.
Total 3 (delta 0), reused 0 (delta 0)
To ssh://git@oti-tst/SSH/home/git/test.git
* [new branch] master -> master

Congratulations, you can clone and push back. It's not as hard as it sounds, after all 😀


Setting up multiple accounts

I just realized that I forgot the part on how to make your repository accessible to multiple users. It's simple once you have gone through above steps: adding another user is just to generate another key-pair, and put the public-key into the authorized-key file. That's all. Then the new user can access your repository. (just follow the client setup, no other server settings needs to be changed).
I know a better way is to use Gitosis, but I'm not able to run it without cygwin yet :(
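Since the authorized_keys file is the only access control on this server, here is an added Python check (not part of the original post) that parses each entry, decodes the ssh-rsa blob that PuTTYgen's "Public key for pasting" box produces, and reports any key smaller than the 4096 bits generated above, so a new user's key can be verified before it is added. The sample entries are constructed from made-up moduli of the right size, not real keys.

```python
import base64
import struct
from typing import List, Tuple

MIN_RSA_BITS = 4096  # the post generated a 4096-bit SSH2 key in PuTTYgen


def _pack_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _pack_mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the value positive in two's complement
    return _pack_string(raw)


def make_rsa_public_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH one-line public key, the format shown in PuTTYgen's
    "Public key for pasting" box (wire format: string "ssh-rsa", mpint e, mpint n)."""
    blob = _pack_string(b"ssh-rsa") + _pack_mpint(e) + _pack_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def rsa_bits(b64: str) -> int:
    """Modulus size in bits of an ssh-rsa key given its base64 blob."""
    blob = base64.b64decode(b64, validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % ktype)
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def check_authorized_keys(text: str) -> List[str]:
    """One message per problem; an empty list means every entry is an ssh-rsa
    key of at least MIN_RSA_BITS."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # an entry may start with options such as no-pty or command="..."
        # before the key type, so take the first field that is a key type
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(fields):
            problems.append("line %d: no key type / key data found" % lineno)
            continue
        ktype, b64 = fields[idx], fields[idx + 1]
        if ktype != "ssh-rsa":
            problems.append("line %d: %s keys are not checked by this script" % (lineno, ktype))
            continue
        try:
            bits = rsa_bits(b64)
        except (ValueError, struct.error) as exc:
            problems.append("line %d: unparsable key (%s)" % (lineno, exc))
            continue
        if bits < MIN_RSA_BITS:
            problems.append("line %d: RSA modulus is only %d bits (< %d)" % (lineno, bits, MIN_RSA_BITS))
    return problems


if __name__ == "__main__":
    # Constructed sample entries (made-up moduli, not real keys) so this runs offline
    ok = make_rsa_public_line(65537, 2 ** 4095 + 12345, "first-user")
    weak = make_rsa_public_line(65537, 2 ** 1023 + 7, "second-user")
    for p in check_authorized_keys("# keys for the git account\n" + ok + "\nno-pty " + weak):
        print(p)
```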
16Jul/12

Setting up a Mercurial server under IIS7 on Windows Server 2008 R2

Posted by Nick Xu

This guide walks you through setting up a Mercurial server under IIS7 on Windows Server 2008 R2.

Note: This post uses Mercurial 1.4.3 and Python 2.5.4, although this process will also work with Mercurial 1.5 and Python 2.6.4

Install Mercurial

First you’ll need to download and install Mercurial. I won’t walk through this as it’s a simple case of pressing "next" several times.

Install Python

Next you’ll need to install Python. Note that you need to use the same version of Python that was used to build Mercurial. This guide uses Mercurial 1.4.3 with Python 2.5.4, but if you’re installing Mercurial 1.5 then you’ll need to use Python 2.6 instead.

Be sure to install the x86 version of Python even if you’re running on an x64 system.

Get hgwebdir

Next you’ll need to download hgwebdir.cgi. This is the python script that will allow serving Mercurial repositories through a web server.

Hgwebdir is part of the Mercurial source code, so you’ll need to download the source package to get it. This can be found on the Mercurial site or you can check out the hg source by running the following command:

hg clone http://selenic.com/repo/hg

Once downloaded, hgwebdir.cgi is in the root of the source distribution.

Install IIS

Under Windows Server 2008 you can install IIS under the Server Manager and clicking "Add Roles". Proceed through the wizard and select the "Web Server (IIS)" role.

Under "Role Services" ensure that you enable Basic Authentication as well as CGI extensibility.

Configure Python for IIS

First, create a new directory under the wwwroot directory (C:\inetpub\wwwroot). I’m going to call it "hg".

In the "Handler mappings" section for this directory select "Add Script Map":

Next, enter *.cgi as the Request Path and the Executable Path should be set to c:\Python25\python.exe -u "%s". Enter "Python" as the Name.

At this point, you can test whether Python is working properly by creating a simple python script:

print 'Status: 200 OK'
print 'Content-type: text/html'
print

print '<html><head>'
print '</head><body>'
print '<h1>It works!</h1>'
print '</body>'
print '</html>'

Save this in the directory that you created (C:\inetpub\wwwroot\hg) as test.cgi. Now, when you point your browser to http://localhost/hg/test.cgi you should see the following output:

Enabling hgwebdir.cgi

First, copy hgwebdir.cgi (that you downloaded in step 3) and paste it into c:\inetpub\wwwroot\hg. Open this file in a text editor and scroll down to the end. The last lines should look like this:

application = hgwebdir('hgweb.config')
wsgicgi.launch(application)

Change the first line to explicitly specify the path to your hg directory:

application = hgwebdir('c:\inetpub\wwwroot\hg\hgweb.config')
wsgicgi.launch(application)

Next, you’ll need to unzip the Mercurial library into c:\inetpub\wwwroot\hg. This can be found in Library.zip under the c:\program files (x86)\Mercurial directory.

You’ll now need to copy the hgweb templates directory into c:\inetpub\wwwroot\hg. This is located in the root of the Mercurial installation directory (C:\program files (x86)\Mercurial)

Finally, create a file called hgweb.config in c:\inetpub\wwwroot\hg. This file can be empty for now (we’ll be putting something in it shortly).

At this point, visiting http://localhost/hg/hgwebdir.cgi will show you an empty repository page:

Configuring Repositories

Now you’ll need to create some repositories to publish. To do this, create a directory in the root of the C: drive called "Repositories". This is where our repositories are going to be stored.

Next, I’m going to create a "test" repository by issuing the following commands:

cd c:\repositories
mkdir test
hg init test

Now we have a repository created, we need to tell hgwebdir where to find it. We can do this by opening up the hgweb.config file we created earlier and adding the following lines:

[collections]
C:\repositories = C:\repositories

Now, visiting http://localhost/hg/hgwebdir.cgi should display our "test" repository

At this point it should now be possible to clone the test repository from the server with the following command:

hg clone http://localhost/hg/hgwebdir.cgi/test

Pretty URLs

Personally, I don’t like having to specify "hgwebdir.cgi" in the URLs. I’d much prefer something like http://localhost/hg/test to access my test repository.

This can be achieved by using the URL rewriting extension for IIS, which can be downloaded from Microsoft.

Once installed, you can access the URL rewriting settings through the "URL Rewrite" section of the IIS Manager. Select the "hg" subdirectory in the Connections pane and then select "URL Rewrite":

In the URL rewrite section add a new blank rule. The name of the rule is going to be "rewrite to hgwebdir".

Under the "Match URL" section set "Using" to "Wildcards" and set the "Pattern" to "*"

Under "Conditions" we want to ensure that we do not re-write URLs to any physical files, so add a condition for "Is Not a File":

In the "Rewrite URL" box at the bottom of the screen enter hgwebdir.cgi/{R:1}

The end result will look like this:

Finally, re-open your hgweb.config and add the following section:

[web]
baseurl = /hg

This will ensure that hgwebdir generates URLs to /hg rather than /hg/hgwebdir.cgi

Now, visiting http://localhost/hg will display our repositories page and http://localhost/hg/test will show our test repository. Likewise, we can now clone repositories using this url format.

Pushing Changes

By default, all repositories served via hgwebdir are read only – you cannot push changes to them. To change this, we can specify the users that should be able to push to the repositories by adding an "allow_push" setting to our hgweb.config:

[collections]
c:\repositories = c:\repositories

[web]
baseurl = /hg
allow_push = Jeremy

This means that the user account "Jeremy" (a local user account on the server) will have push access to the repository.

However, if we try and push changes we’ll get an error:

c:\projects\test>hg push
pushing to http://localhost/hg/hgwebdir.cgi/test
searching for changes
ssl required

For now, we’ll disable SSL by setting push_ssl to false in our hgweb.config:

[collections]
c:\repositories = c:\repositories

[web]
baseurl = /hg
allow_push = Jeremy
push_ssl = false

Now when we try and push we get a different error:

c:\projects\test>hg push
pushing to http://localhost/hg/hgwebdir.cgi/test
searching for changes
abort: authorization failed

This happens because by default IIS is serving up our site without authentication. We need to enable Basic Authentication in the Authentication area of IIS:

Now you’ll be prompted to enter your username and password:

After specifying the credentials, the changes will be pushed up. We can view the commit in our web UI:

Enabling SSL

When you use Basic authentication, your username and password will be sent over the wire in plain text. To make this more secure we can enable SSL. For this example I’m going to use a self-signed certificate, although this will also work with a real SSL certificate purchased from a provider.

First, you’ll need to go into the IIS manager, select "Server Certificates" and click "Create Self-Signed Certificate"

Now, add a binding for your Web Site for https on port 443 by right clicking on the site and selecting "Edit Bindings".

Add a new binding for https on port 443:

Once this is done, you should now be able to access the hgwebdir site by using https (https://localhost/hg). You’ll probably get an invalid certificate warning in your browser.

Now you can re-clone the repository using the secure url (also be sure to remove the "push_ssl = false" line from hgweb.config)
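As an added example (not from the original guide), the following Python script lints an hgweb.config for the weak state the guide passes through, push_ssl = false combined with allow_push, and produces the hardened file with that override removed, which is what the "Enabling SSL" step asks for. The sample config is a constructed copy of the one shown above.

```python
import configparser
import io
from typing import List

# hgweb.config as the guide leaves it after the "push_ssl = false" step (constructed copy)
WEAK_CONFIG = r"""
[collections]
c:\repositories = c:\repositories

[web]
baseurl = /hg
allow_push = Jeremy
push_ssl = false
"""


def _parse(text: str) -> configparser.ConfigParser:
    # "=" only: configparser's default delimiters also include ":", which
    # would split the drive letter off the c:\repositories key
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of path keys
    cp.read_string(text)
    return cp


def lint_hgweb_config(text: str) -> List[str]:
    """Return the weak settings found; an empty list means none."""
    cp = _parse(text)
    findings = []
    web = cp["web"] if cp.has_section("web") else {}
    push_users = web.get("allow_push", "").strip()
    push_ssl = web.get("push_ssl", "true").strip().lower()  # hgweb defaults to true
    if push_users and push_ssl in ("false", "no", "0", "off"):
        findings.append("push_ssl = false while allow_push = %s: pushes and the Basic "
                        "authentication credentials can travel over plain HTTP" % push_users)
    if push_users == "*":
        findings.append("allow_push = * grants push to every authenticated user; name the users instead")
    if not (cp.has_section("collections") or cp.has_section("paths")):
        findings.append("no [collections] or [paths] section: no repository is published")
    return findings


def harden(text: str) -> str:
    """Return the config with the push_ssl override removed, as the guide's
    "Enabling SSL" step does, so hgweb again requires HTTPS for pushes."""
    cp = _parse(text)
    if cp.has_section("web"):
        cp.remove_option("web", "push_ssl")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for f in lint_hgweb_config(WEAK_CONFIG):
        print("WEAK:", f)
    print(harden(WEAK_CONFIG))
```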

All done!

At this point, you should have successfully set up everything you need to use Mercurial in IIS7.

1Jul/11

SQL Server 2005: script to kill sleeping sessions

Posted by Nick Xu

SET NOCOUNT ON;
DECLARE @host VARCHAR(50), @login NVARCHAR(128);
SET @host = 'dawoo'; -- client host name; NULL to kill sessions from all hosts
SET @login = 'tscn'; -- login name whose sleeping sessions are killed
DECLARE @cmd NVARCHAR(255);
DECLARE @position INT, @total INT, @selSpid SMALLINT;
DECLARE @spidInfo TABLE
(
    [id] INT IDENTITY(1,1),
    spid SMALLINT,
    loginame NVARCHAR(128)
);
-- collect the sleeping user sessions of this login, optionally limited to one host
INSERT @spidInfo(spid, loginame)
SELECT session_id, login_name
FROM sys.dm_exec_sessions
WHERE is_user_process = 1 AND [status] = 'sleeping' AND
      login_name = @login AND [host_name] = COALESCE(@host, [host_name]);
-- COUNT(*) rather than @@IDENTITY: @@IDENTITY is NULL when nothing was inserted,
-- which would also suppress the "No sessions" message below
SELECT @total = COUNT(*) FROM @spidInfo;
SELECT @selSpid = 0, @position = 0;
WHILE @position < @total
BEGIN
    SELECT TOP 1 @selSpid = spid, @position = [id]
    FROM @spidInfo
    WHERE [id] > @position
    ORDER BY [id];
    SET @cmd = N'KILL ' + CAST(@selSpid AS NVARCHAR(10));
    EXEC sp_executesql @cmd;
    PRINT 'SessionId = ' + CAST(@selSpid AS NVARCHAR(10)) + '[' + @login +
          '] killed by ' + system_user + ' at ' + CAST(GETDATE() AS VARCHAR(50));
END;
IF (@total = 0)
    PRINT 'No sessions owned by user ' + '[' + @login + ']';

21May/10

Building a PPTP/L2TP VPN server on a single-NIC Ubuntu server

Posted by Nick Xu

Ever since the lab got a Linux server, there have been more and more things to play with. Its main job is to be a web server, but since our little site gets very little traffic, most of the server's resources sit idle, so giving it more work is a good idea. The lab's internal network holds a lot of useful resources, such as research literature and personal experiment data, which are not easy to reach once you leave the lab. The best solution is a VPN. There are many ways to set up a VPN server on Ubuntu; the best known are PPTP, L2TP/IPSec and OpenVPN. Of the three, the latter two are more secure but harder to configure, and OpenVPN also needs an extra client on Windows/Mac. L2TP/IPSec is nice, but after I configured it, Windows and Linux clients worked while Mac/iPhone never managed to connect, so I removed it for now and will switch back once I figure out what the problem was.

That leaves PPTP. In fact PPTP is the easiest of the three to configure, and since Windows and Mac both have built-in clients it is very convenient to use. Below I briefly describe my installation; I hope it is useful to someone who needs it. If you have suggestions, they are welcome.

First, everything here was done on the Ubuntu 8.04 Server system described in an earlier article; if your system differs from mine, please refer to those two earlier posts. My server has a single NIC, eth0.

The package needed for a PPTP server on Ubuntu is pptpd, which apt-get can install:

sudo apt-get install pptpd

The system resolves the dependencies automatically. After installation some configuration is needed. First edit /etc/pptpd.conf:

sudo nano /etc/pptpd.conf

Uncomment the localip and remoteip parameters at the very end of the file and adjust them. localip is the server's IP address once the VPN is up, and remoteip is the pool of addresses that can be assigned to clients. Here is my configuration:

localip 10.100.0.1
remoteip 10.100.0.2-10

After editing this file, edit /etc/ppp/pptpd-options, again with nano (I'll omit the command). Most parameters can keep their default values; we only need to change the ms-dns options, which assign DNS server addresses to the VPN clients:

ms-dns 202.113.16.10
ms-dns 208.67.222.222

Edit /etc/ppp/chap-secrets, which holds the VPN usernames and passwords; fill it in according to your situation. As the comments in the file explain, the first column is the username, the second the server name (the default pptpd is fine; if you changed it in pptpd-options, keep it consistent here), the third the password, and the fourth an IP restriction (write * for no restriction). I won't paste my configuration here.

Once everything is done, restart the pptpd service so the new configuration takes effect:

sudo /etc/init.d/pptpd restart

Find a Windows PC, create a new VPN connection, enter the server's IP (or domain name) as the address and the username and password you just set, and leave the domain blank (if you set one in pptpd-options, keep it consistent). Click connect, and under normal circumstances you should get a VPN connection to the server.

After connecting, you will find that apart from the server's own resources, nothing else on the internal network or the Internet is reachable. To reach those, further setup is needed:

First, enable IPv4 forwarding by editing /etc/sysctl.conf: find the line below and uncomment it:

net.ipv4.ip_forward=1

Then apply the new setting:

sudo sysctl -p

Sometimes this alone lets clients reach the Internet (it did for me in a virtual machine). On the lab server it still did not work, so we need NAT, and we use the powerful iptables to build it. First install iptables:

sudo apt-get install iptables

Once installed, add a rule to the nat table:

sudo iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE

After this, client machines should be able to reach the Internet.

However, iptables rules are cleared on the next reboot, so we also need to save them, using the iptables-save command:

sudo iptables-save > /etc/iptables-rules

Then edit /etc/network/interfaces, find the eth0 stanza and add the following line at the end of the eth0 settings:

pre-up iptables-restore < /etc/iptables-rules

This way, whenever eth0 is brought up, the rules saved with iptables-save are loaded automatically.

At this point a basic VPN server/gateway is set up. Of course you may follow my steps and still fail, so below I summarise some problems I ran into and their solutions:

Cannot establish a VPN connection

After installing and configuring pptpd, the client still cannot connect to the server. Possible causes:

  1. Server-side firewall: PPTP needs TCP port 1723 and the GRE protocol, so make sure your firewall allows both through.
  2. If the server is behind a router, make sure the router is configured with the corresponding port forwarding.
  3. If the server is behind a router, make sure your server supports VPN Passthrough.
  4. If the client is behind a router, the client's router must also support VPN Passthrough. Most halfway decent routers on the market support it, though the very cheapest ones may not. If your router can be flashed with DD-WRT, do it; DD-WRT supports it.

Connection works, but the Internet is "almost" unreachable

I say "almost" because it is not completely unreachable. The symptoms: Google search works, but no other site opens; SSH works, but scp does not; ftp completes the handshake but cannot transfer files. I hit exactly this, and after some careful googling it turned out to be an MTU problem; probing with ping confirmed the packets were too large. Once you know the cause it is easy to fix with iptables. I'll skip the theory (google it if you need it) and just give the solution: add the following rule to the filter table:

sudo iptables -A FORWARD -s 10.100.0.0/24 -p tcp -m tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --set-mss 1200

The 1200 in the rule above can be adjusted to your situation; for the best performance, keep raising it to the largest value at which the network still works normally.

That's it: a single-NIC pptp-server is complete.

Fixing web access over PPTP

It has been over half a month since the proxy server was switched to CentOS 6. After the switch, Windows machines that dialed in could not open some sites such as sina.com.cn / iciba.com / 360.com / abot.cn, while the server itself and the other machines in the server room that use the server as their gateway could reach them fine. I couldn't work out why.
Tonight I searched and found some material: the default MTU of PPTPD is too large, which makes some devices along the path choke.
The fix is to lower the MTU; there are roughly three ways:
1. If iptables is enabled (verified to work):
iptables -A FORWARD -p tcp --syn -s 10.0.0.0/24 -j TCPMSS --set-mss 1356
Replace 10.0.0.0/24 (shown in bold in the original) with your pptp client IP range.
2. In /etc/ppp/ip-up, add this before the exit 0 line (verified to work):
ifconfig $1 mtu 1356
ip-up contains the line:
[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"
so adding ifconfig $1 mtu 1356 to ip-up.local has the same effect.
3. Set it in the PPTPD configuration file:
open /etc/ppp/options.pptpd
and add the line mtu 1356 at the end of the file.
Continuing the previous post, some more on MTU making sites extremely slow or unreachable. Our server is an Aliyun server in Singapore. After the pptp connection comes up, most sites outside the wall load with no trouble at all, but Baidu won't open. Strange: we can reach Google, which is blocked, so is Baidu blocked by Singapore's wall as well?
After a round of Baidu + Google it turns out many people have hit this. Under Linux the MTU of the ppp0 interface is 1396, while the Windows client's default MTU is 1496. MTU is normally negotiated automatically along the route, but some ISPs or host administrators disable ping to prevent DDoS (not that it helps much), and since MTU negotiation relies on ICMP, the MTU cannot be negotiated; packets sent to the pptp server then have problems, and naturally some sites cannot be reached and others time out.
Here are several ways to fix the MTU of the ppp0 interface.
  1. On the PPTP server, set mtu 1496 in /etc/ppp/options.pptpd.
  2. Change the MTU on the ppp0 interface directly, then restart the pptp service:
ifconfig ppp0 mtu 1496
/etc/init.d/pptpd restart
Or via iptables:
iptables -A FORWARD -p tcp --syn -s 192.168.100.0/24 -j TCPMSS --set-mss 1496
Finally reconnect, and the sites that could not be reached because of the MTU mismatch should now load.

 

Building an L2TP/IPSec VPN on Ubuntu Server 12

1. A brief introduction to how it works

From a chat with old Paveo the other day, plus some shallow reading of my own, we know that L2TP/IPSec means L2TP over IPSec. That is, this kind of VPN has two parts, IPSec and L2TP, and the IPSec part must be set up first.

In this scenario, as I understand it, IPSec uses a pre-shared key (PSK) for encryption and authentication, L2TP handles the encapsulation, and PPP does the actual user authentication.

2. The IPSec part

Here we use Openswan to implement IPSec.

sudo apt-get install openswan

Edit the IPSec configuration file

Open /etc/ipsec.conf with your favourite editor.

sudo nano /etc/ipsec.conf

Find the protostack line and change its value to netkey. It should look like this:

protostack=netkey

Now move the cursor to the end of the file (the end should be some explanatory comments; go below them) and paste the following:

conn %default
        forceencaps=yes

conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=<your server's public IPv4 address>
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

 

The IPSec part is nearly done. Next, set the PSK pre-shared key: open (or create, if missing) /etc/ipsec.secrets in an editor.

sudo nano /etc/ipsec.secrets

Enter the following line:

<your server's public IPv4 address> %any: PSK "<your pre-shared key>"

Next we need to adjust some of the system's network settings. Run the following (enter it line by line, pressing Enter after each line; ignore the leading spaces):

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

Also copy this snippet in full into /etc/rc.local so it takes effect on every boot: run vi /etc/rc.local, move the cursor to the line before exit 0, and paste the code there.

Next, restart the IPSec service:

service ipsec restart

Test whether the IPSec part is configured correctly:

ipsec verify

If the result shows "Opportunistic Encryption Support" as disabled, that's fine; the other items should be OK.

3. The L2TP part

Now the L2TP configuration; here we use xl2tpd.

1. Install xl2tpd from the repository

Run:

sudo apt-get install xl2tpd

2. Edit the L2TP configuration file

Open /etc/xl2tpd/xl2tpd.conf; you learned how to edit files above, so I won't repeat it.

sudo nano /etc/xl2tpd/xl2tpd.conf

Delete the entire contents of the file and replace them with:

[global]
; listen-addr = 192.168.1.98

[lns default]
ip range = 10.1.1.2-10.1.1.255
local ip = 10.1.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

A brief explanation: ip range is the range of server-side internal IPv4 addresses handed to users who connect, and local ip is the address taken by the newly created pppX interface. Neither may overlap or conflict with any IP address (range) on the server's internal network. If this is unclear, just leave these values alone.

Save when done.

Did you notice that the pppoptfile entry points to an options.xl2tpd file in a directory that may not exist yet? Right, now we configure PPP.

4. PPP configuration

First install the ppp package:

sudo apt-get install ppp

Copy a sample configuration from the xl2tpd documentation into our configuration directory:

cp /usr/share/doc/xl2tpd/examples/ppp-options.xl2tpd \
   /etc/ppp/options.xl2tpd

Because of the page width this command is split across two lines; you can paste it into the terminal at once or type it line by line.

Now open and edit /etc/ppp/options.xl2tpd:

sudo nano /etc/ppp/options.xl2tpd

Move the cursor to the ms-wins lines and delete them, and change the ms-dns entries to Google Public DNS:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

Leave everything else alone and save.

Add user accounts; the "accounts" all live in /etc/ppp/chap-secrets:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
<username>      *       "<password>"            *
userA           *       "password"              *

Restart xl2tpd:

service xl2tpd restart

At this point IPSec, L2TP and PPP should all be configured. You can test the connection; xl2tpd's log output should be in /var/log/daemon.log.

Now you can connect to the VPN, but only the internal network is reachable. Note that this is all a VPN does; what we call "getting online" is the business of the forwarding setup below and has nothing to do with the VPN itself.

If syslog shows an ipsec authorization error, you can do the following:

openswan@openswanbox:~$ sudo cp /etc/ipsec.d/private/{openswanboxKey.pem,openswanboxkey_copy.pem}
openswan@openswanbox:~$ sudo openssl rsa -in /etc/ipsec.d/private/openswanboxkey_copy.pem -outform pem -out /etc/ipsec.d/private/openswanboxKey.pem
writing RSA key
openswan@openswanbox:~$ sudo service ipsec restart

5. Forwarding setup

First enable net.ipv4.ip_forward in /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

Find the net.ipv4.ip_forward line, move the cursor onto the # in front of it and delete it; it should look like this:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Save. Then run

sysctl -p

to apply it immediately.

We use iptables, which distributions usually ship, to configure the forwarding in detail. To avoid the hassle of "permanent" iptables rules, we let the server set them on every boot, again through /etc/rc.local. Run:

sudo nano /etc/rc.local

Paste the following line in. There should already be the 5 lines we added earlier; put this line above or below them, but not in the middle of those 5 lines ...

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE

This lets packets from the 10.1.1.0/24 subnet we just configured be forwarded out through the eth0 interface.

Now you can run reboot to restart the server, or run the iptables command above once in the terminal, and forwarding takes effect immediately.

If the server is on an internal network, forward these ports on the gateway: TCP 1723; UDP 500, 4500, 1701.
