
Building an L2TP over IPsec VPN server with VyOS

Posted at 2016-01-04

Login

The username and password are both "vyos".

Network settings

$ configure
# set interfaces ethernet eth0 address [IPADDRESS]/[MASK]
# set system gateway-address [GATEWAY ADDRESS]
# set system name-server [NAME SERVER ADDRESS]
# set system time-zone Asia/Tokyo
# delete system ntp server
# set system ntp server ntp.jst.mfeed.ad.jp
# set service ssh
# commit
# save
# exit

Connectivity check

$ ping 8.8.8.8

Creating a user

$ configure
# set system login user [USERNAME]
# set system login user [USERNAME] authentication plaintext-password [PASSWORD]
# commit
# save
# exit

Deleting the initial user

$ configure
# delete system login user vyos
# commit
# save
# exit

Public-key authentication settings

$ ssh-keygen
$ cat ~/.ssh/id_rsa.pub
$ cat ~/.ssh/id_rsa
$ configure
# set system login user [USERNAME] authentication public-keys [USERNAME]@[HOSTNAME] type ssh-rsa
# set system login user [USERNAME] authentication public-keys [USERNAME]@[HOSTNAME] key [PUBKEY]
# set service ssh disable-password-authentication
# commit
# save
# exit

IPsec settings

$ configure
# set vpn ipsec ipsec-interfaces interface eth0
# set vpn ipsec nat-traversal enable
# set vpn ipsec nat-networks allowed-network 0.0.0.0/0
# commit
# save

L2TP settings

# set vpn l2tp remote-access outside-address [IPADDRESS]
# set vpn l2tp remote-access outside-nexthop [GATEWAY ADDRESS]
# set vpn l2tp remote-access client-ip-pool start 192.168.110.1
# set vpn l2tp remote-access client-ip-pool stop 192.168.110.100
# set vpn l2tp remote-access dns-servers server-1 8.8.8.8
# set vpn l2tp remote-access dns-servers server-2 8.8.4.4
# set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
# set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret [SHARED SECRET]
# set vpn l2tp remote-access authentication mode local
# set vpn l2tp remote-access authentication local-users username [USERNAME] password [PASSWORD]
# commit
# save

NAT settings

# set nat source rule 999 outbound-interface eth0
# set nat source rule 999 translation address masquerade
# commit
# save
# exit
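As an added example (not from the original article), a small POSIX shell audit that re-checks three of the hardening steps above against a "show configuration commands" dump: the default vyos user has been deleted, SSH password login is disabled, and the L2TP/IPsec pre-shared secret is set and is not a placeholder. The 20-character minimum and both sample dumps are constructed assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the original article. It re-checks the hardening
# steps above against a VyOS 1.1 config dump ("show configuration commands" output,
# one "set ..." line per line; the single quotes that command adds are tolerated).
# Exit status of audit_vyos_config is the number of findings (0 = all checks pass).
audit_vyos_config() {
    norm=$(mktemp); findings=0
    tr -d "'" < "$1" > "$norm"            # drop quoting so patterns match either form
    # 1. The default "vyos" account (password "vyos") must have been deleted.
    if grep -q '^set system login user vyos ' "$norm"; then
        echo "FINDING: default user 'vyos' still present"; findings=$((findings + 1))
    fi
    # 2. SSH must accept public keys only.
    if ! grep -q '^set service ssh disable-password-authentication' "$norm"; then
        echo "FINDING: SSH password authentication not disabled"; findings=$((findings + 1))
    fi
    # 3. The pre-shared secret must be set, not a placeholder, and long enough
    #    (20 characters is this script's assumption, not a VyOS rule).
    psk=$(sed -n 's/^set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret //p' "$norm")
    case "$psk" in
        ''|*'['*) echo "FINDING: pre-shared secret unset or still a placeholder"; findings=$((findings + 1)) ;;
        *) [ "${#psk}" -ge 20 ] || { echo "FINDING: pre-shared secret shorter than 20 characters"; findings=$((findings + 1)); } ;;
    esac
    rm -f "$norm"
    return "$findings"
}

# Constructed sample dumps: $1 = the article's state before hardening, $2 = after.
write_samples() {
    cat > "$1" <<'EOF'
set system login user vyos authentication encrypted-password '$6$constructed'
set system login user admin authentication public-keys admin@laptop type 'ssh-rsa'
set service ssh
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret '[SHARED SECRET]'
EOF
    cat > "$2" <<'EOF'
set system login user admin authentication public-keys admin@laptop type 'ssh-rsa'
set service ssh disable-password-authentication
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'Kq9vT2xLmZ8pR4wN7yB3cF6h'
EOF
}

before=$(mktemp); after=$(mktemp); write_samples "$before" "$after"
audit_vyos_config "$before"; echo "before hardening: $? finding(s)"   # 3
audit_vyos_config "$after";  echo "after hardening:  $? finding(s)"   # 0
rm -f "$before" "$after"
```

On a real box, feed it the output of `show configuration commands` saved to a file; it reads nothing from the running system itself.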

Commands you may need during operation

Assigning a fixed IP address to a client

set vpn l2tp remote-access authentication local-users username TESTUSER static-ip 192.168.1.105

Disabling a user

set vpn l2tp remote-access authentication local-users username TESTUSER disable

