HOWTO Setup Mac OS X L2TP VPN Server

首先, 先變成管理者模式

# sudo -s

在 /Library -> Preferences -> SystemConfiguration 建立 com.apple.RemoteAccessServers.plist 檔案

# vi /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>ActiveServers</key>
        <array>
                <string>com.apple.ppp.l2tp</string>
        </array>
        <key>Servers</key>
        <dict>
                <key>com.apple.ppp.l2tp</key>
                <dict>
                        <key>DNS</key>
                        <dict>
                                <key>OfferedSearchDomains</key>
                                <array/>
                                <key>OfferedServerAddresses</key>
                                <array>
                                        <string>168.95.1.1</string>
                                        <string>168.95.192.1</string>
                                </array>
                        </dict>
                        <key>IPv4</key>
                        <dict>
                                <key>ConfigMethod</key>
                                <string>Manual</string>
                                <key>DestAddressRanges</key>
                                <array>
                                        <string>192.168.x.101</string>
                                        <string>192.168.x.120</string>
                                </array>
                                <key>OfferedRouteAddresses</key>
                                <array/>
                                <key>OfferedRouteMasks</key>
                                <array/>
                                <key>OfferedRouteTypes</key>
                                <array/>
                        </dict>
                        <key>Interface</key>
                        <dict>
                                <key>SubType</key>
                                <string>L2TP</string>
                                <key>Type</key>
                                <string>PPP</string>
                        </dict>
                        <key>L2TP</key>
                        <dict>
                                <key>IPSecSharedSecret</key>
                                <string>com.apple.ppp.l2tp</string>
                                <key>IPSecSharedSecretEncryption</key>
                                <string>Keychain</string>
                                <key>Transport</key>
                                <string>IPSec</string>
                        </dict>
                        <key>PPP</key>
                        <dict>
                                <key>AuthenticatorProtocol</key>
                                <array>
                                        <string>MSCHAP2</string>
                                </array>
                                <key>LCPEchoEnabled</key>
                                <integer>1</integer>
                                <key>LCPEchoFailure</key>
                                <integer>5</integer>
                                <key>LCPEchoInterval</key>
                                <integer>60</integer>
                                <key>Logfile</key>
                                <string>/var/log/ppp/vpnd.log</string>
                                <key>VerboseLogging</key>
                                <integer>1</integer>
                        </dict>
                        <key>Server</key>
                        <dict>
                                <key>Logfile</key>
                                <string>/var/log/ppp/vpnd.log</string>
                                <key>MaximumSessions</key>
                                <integer>128</integer>
                                <key>VerboseLogging</key>
                                <integer>1</integer>
                        </dict>
                </dict>
        </dict>
</dict>
</plist>

記得把 OfferedServerAddresses裡面的值改成你要指定的dns server位址. 還有把 DestAddressRanges 內的值改成你要發放的 IP 位址

指定 root:wheel 到 com.apple.RemoteAccessServers.plist檔案

# chown root:wheel /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

建立好vpn的log檔案

# touch /var/log/ppp/vpnd.log

設定 secret 密碼到 system keychian

security add-generic-password -a com.apple.ppp.l2tp -s com.apple.net.racoon -p “TOP_SECRET” /Library/Keychains/System.keychain

打開 Utilities -> Keychain Access 程式 右上方 搜尋 racoon

點選”Access Control” Tab

打勾”Allow all applications to access this item”

設定撥號進來的帳號密碼 :

# vi /etc/ppp/chap-secrets

1
2
3
# Secret for authentication using CHAP
# client    server   secret        IP addresses
"YOUR_ACCOUNT" * "YOUR_PASSWORD" *

記得將 YOUR_ACCOUNT & YOUR_PASSWORD 改成你要設定的帳號密碼.

然後啟動vpn

# vpnd

這樣vpn就能運作了

如果你要讓vpn每次開機都啟動, 就要編輯下列檔案

# vi /System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>com.apple.ppp.l2tp</string>
        <key>OnDemand</key>
        <false/>
        <key>Program</key>
        <string>/usr/sbin/vpnd</string>
        <key>ProgramArguments</key>
        <array>
                <string>vpnd</string>
                <string>-x</string>
                <string>-i</string>
                <string>com.apple.ppp.l2tp</string>
        </array>
        <key>ServiceIPC</key>
        <false/>
</dict>
</plist>

可以用下列指令測試是否可以載入 vpnd

launchctl load /System/Library/LaunchDaemons/com.apple.ppp.l2tp.plist

Leave a Reply

Your email address will not be published. Required fields are marked *

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.