Posts Tagged Vyatta

Windows VPN客户端连接Linux服务端访问慢现象解决

Posted by on 星期二, 13 一月, 2015

我的Vyatta运行一直很好,用ROS和Cisco做Tunnel连接到Vyatta跑OSPF用来翻墙,效果一直不错。可是当使用Windows连接vpn时,经常打开网页超时,但ping各处均正常,所以怀疑是MTU或MSS的问题。

经过几番周折,发现网页超时时,Vyatta日志内出现大量异常:

Jan 12 21:02:39 Xirang kernel: [4838172.516489] pptp2: ppp: compressor dropped pkt

然后学习了一下,出现这个问题是因为,Windows VPN客户端的MPPE(Microsoft point-to-point Encryption)加密需要占用4个字节长度,原始报文加上MPPE报文头开销会超过Linux服务端pptp接口MTU,最终导致报文过大被丢弃。

所以解决问题的本质就是增加Linux服务端pptp接口MTU。

解决办法有三种:

  1. 编辑pptpd源码,增加MTU;
  2. 使用脚本,在pptp接口连接up以后增加MTU;
  3. 不使用MPPE加密;

第一种虽然从根本上解决了问题,但是由于水平问题放弃了;第三种由于取消了传输加密,心理上觉得不安全,也放弃了;

从网上找到了第二种解决办法,如下:

创建脚本(下载):/etc/ppp/ip-up.d/mppefixmtu.sh

#!/bin/sh
CURRENT_MTU=”`ip link show $1 | grep -Po ‘(?<=mtu )([0-9]+)’`”
FIXED_MTU=”`expr $CURRENT_MTU + 4`”
ip link set $1 mtu $FIXED_MTU

确保脚本具有可执行权限
chmod 755 /etc/ppp/ip-up.d/mppefixmtu.sh
这样MTU加上4以后就可以兼容Windows的MPPE了。
参考原文:https://wiki.archlinux.org/index.php/PPTP_server
Tags: , , , , , , Category: 网络 Comments (0)

vyatta更新zoneedit动态域名

Posted by on 星期一, 10 五月, 2010

直接上代码:


vyatta@vyatta# show service dns
 dynamic {
     interface pppoe0 {
         service zoneedit {
             host-name vyatta.awolf.net
             login yourusername
             password userpassword
         }
     }
 }
 forwarding {
     cache-size 150
     listen-on eth2
     name-server 8.8.8.8
     name-server 8.8.4.4
     name-server 4.2.2.1
     name-server 4.2.2.2
     name-server 208.67.220.220
     name-server 208.67.222.222
     name-server 202.96.69.38
     name-server 202.96.64.68
 }
[edit]
vyatta@vyatta#

其中eth2是内网接口。

Tags: , , , , , , Category: 网络 Comments (3)

vyatta配置实例1

Posted by on 星期四, 15 四月, 2010


vyatta@kmipv6:~$ show configuration
interfaces {
ethernet eth0 {
address 192.168.0.254/24
description LAN
hw-id 00:15:17:4a:21:1d
}
ethernet eth1 {
address 220.163.111.154/24
description WAN
hw-id 00:13:72:2e:a3:2c
}
loopback lo {
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 220.163.111.153 {
}
}
}
}
service {
dhcp-server {
disabled false
shared-network-name dhcpserver {
authoritative disable
subnet 192.168.0.0/24 {
default-router 192.168.0.254
dns-server 222.172.200.68
dns-server 61.166.150.123
start 192.168.0.1 {
stop 192.168.0.250
}
}
}
}
https
nat {
rule 1 {
destination {
}
outbound-interface eth1
protocol all
source {
address 192.168.0.0/24
}
type masquerade
}
rule 100 {
destination {
address 220.163.111.154
port 80
}
inbound-interface eth1
inside-address {
address 192.168.0.150
}
protocol tcp
source {
address 0.0.0.0/0
}
type destination
}
}
ssh {
allow-root true
protocol-version all
}
telnet {
allow-root false
}
}
system {
gateway-address 220.163.111.153
host-name kmipv6
login {
user root {
authentication {
encrypted-password ****************
}
}
user vyatta {
authentication {
encrypted-password ****************
}
}
}
name-server 222.172.200.68
name-server 61.166.150.123
ntp-server 69.59.150.135
package {
auto-sync 1
repository community {
components main
distribution stable
url http://packages.vyatta.com/vyatta
}
}
}
vpn {
ipsec {
ipsec-interfaces {
interface eth1
}
nat-networks {
allowed-network 192.168.0.0/24 {
}
}
nat-traversal enable
}
l2tp {
remote-access {
authentication {
local-users {
username vpn {
password ****************
}
}
mode local
}
client-ip-pool {
start 192.168.0.211
stop 192.168.0.220
}
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
}
outside-address 220.163.111.154
outside-nexthop 220.163.111.153
}
}
pptp {
remote-access {
authentication {
local-users {
username vpn {
password ****************
}
}
mode local
}
client-ip-pool {
start 192.168.0.201
stop 192.168.0.210
}
outside-address 220.163.111.154
}
}
}

Tags: , Category: 网络 Comments (0)