在百度搜索了很多关于CentOS7搭建VPN的教程，但是有很多走不完全套的，因此浪费了很多时间，在这里我把查到能走通的教程整理了一遍，分享给大家。
更新组件　　整个安装过程不用经过编译，组件都是在yum中下载，首先我们更新一下所有组件：
yum update -y　　这里有个地方需要注意的是：有些主机的硬件并不支持最新内核，因此在不确定的情况下就不要升级内核了，用以下的命令：
yum –exclude=kernel* update -y　　更新需要较长时间，请耐心等待。
非常重要的小插曲　　撰写这篇文章并且共享出来，主要是为了能和大家互相学习和交流，但是正在看这篇文章的不乏一些现在就有自己的服务器或VPS，急着马上搭建好一台自己的VPN服务器的同学，如果你是这类同学，请不用心急，因为我制作好了自动运行脚本，脚本的内容和文章内容是一样的，把脚本下载到服务器，运行并配置自己的账号密码、ip和客户端ip即可。
　　脚本下载地址：https://github.com/BoizZ/PPTP-L2TP-IPSec-VPN-auto-installation-script-for-CentOS-7
　　运行脚本：sh vpn-script-for-centos7.sh
　　好，那么希望继续学习的同学请往下看。
安装epel源　　为什么要安装epel源呢？是因为必要组件xl2tpd在基础的yum源里面是没有的。
yum install epel-release -y安装依赖组件　　安装完epel源以后就可以直接安装依赖组件了。
yum install -y openswan ppp pptpd xl2tpd wget修改配置文件　　需要等待所有依赖组件安装完成才能执行以下步骤（小标题括号内是文件路径）。
ipsec.conf配置文件（/etc/ipsec.conf）# /etc/ipsec.conf - Libreswan IPsec configuration file# This file: /etc/ipsec.conf## Enable when using this configuration file with openswan instead of libreswan#version 2## Manual: ipsec.conf.5# basic configurationconfig setup # NAT-TRAVERSAL support, see README.NAT-Traversal nat_traversal=yes # exclude networks used on server side by adding %v4:!a.b.c.0/24 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 # OE is now off by default. Uncomment and change to on, to enable. oe=off # which IPsec stack to use. auto will try netkey, then klips then mast protostack=netkey force_keepalive=yes keep_alive=1800conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNATconn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=$serverip leftid=$serverip leftprotoport=17/1701 right=%any rightprotoport=17/%any dpddelay=40 dpdtimeout=130 dpdaction=clear# For example connections, see your distribution's documentation directory,# or the documentation which could be located at# /usr/share/docs/libreswan-3.*/ or look at https://www.libreswan.org/## There is also a lot of information in the manual page, "man ipsec.conf"# You may put your configuration (.conf) file in the "/etc/ipsec.d/" directory# by uncommenting this line#include /etc/ipsec.d/*.conf设置预共享密钥配置文件（/etc/ipsec.secrets）#include /etc/ipsec.d/*.secrets$serverip username PSK password　　注解：第二行中username为登录名，password为登录密码
pptpd.conf配置文件(/etc/pptpd.conf)#ppp /usr/sbin/pppdoption /etc/ppp/options.pptpd#debug# stimeout 10#noipparamlogwtmp#vrf test#bcrelay eth1#delegate#connections 100localip 10.0.1.2remoteip 10.0.1.200-254xl2tpd.conf配置文件(/etc/xl2tpd/xl2tpd.conf);; This is a minimal sample xl2tpd configuration file for use; with L2TP over IPsec.;; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec; clients connect. In this example, the internal (protected) network; is 192.168.1.0/24. A special IP range within this network is reserved; for the remote clients: 192.168.1.128/25; (i.e. 192.168.1.128 ... 192.168.1.254);; The listen-addr parameter can be used if you want to bind the L2TP daemon; to a specific IP address instead of to all interfaces. For instance,; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99); will be used by xl2tpd as its address on pppX interfaces.[global]; ipsec saref = yeslisten-addr = 104.171.165.91auth file = /etc/ppp/chap-secretsport = 1701[lns default]ip range = 10.0.1.100-10.0.1.254local ip = 10.0.1.1refuse chap = yesrefuse pap = yesrequire authentication = yesname = L2TPVPNppp debug = yespppoptfile = /etc/ppp/options.xl2tpdlength bit = yesoptions.pptpd配置文件(/etc/ppp/options.pptpd)# Authenticationname pptpd#chapms-strip-domain# Encryption# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o# {{{refuse-paprefuse-chaprefuse-mschap# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft# Challenge Handshake Authentication Protocol, Version 2] authentication.require-mschap-v2# Require MPPE 128-bit encryption# (note that MPPE requires the use of MSCHAP-V2 during authentication)require-mppe-128# }}}# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o# {{{#-chap#-chapms# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft# Challenge Handshake Authentication Protocol, Version 2] authentication.#+chapms-v2# Require MPPE encryption# (note that MPPE requires the use of MSCHAP-V2 during authentication)#mppe-40 # enable either 40-bit or 128-bit, not both#mppe-128#mppe-stateless# }}}ms-dns 8.8.4.4ms-dns 8.8.8.8#ms-wins 10.0.0.3#ms-wins 10.0.0.4proxyarp#10.8.0.100# Logging#debug#dumplocknobsdcomp novjnovjccompnologfdoptions.xl2tpd配置文件(/etc/ppp/options.xl2tpd)rm -f /etc/ppp/options.xl2tpdcat >>/etc/ppp/options.xl2tpd<<EOF#require-pap#require-chap#require-mschapipcp-accept-localipcp-accept-remoterequire-mschap-v2ms-dns 8.8.8.8ms-dns 8.8.4.4asyncmap 0authcrtsctslockhide-passwordmodemdebugname l2tpdproxyarplcp-echo-interval 30lcp-echo-failure 4mtu 1400noccpconnect-delay 5000# To allow authentication against a Windows domain EXAMPLE, and require the# user to be in a group "VPN Users". Requires the samba-winbind package# require-mschap-v2# plugin winbind.so# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\VPN Users"'# You need to join the domain on the server, for example using samba:# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html创建chap-secrets配置文件，即用户列表及密码(/etc/ppp/chap-secrets)# Secrets for authentication using CHAP# client server secret IP addressesusername pptpd password *username l2tpd password *　　注解：第三第四行中username为登录名，password为登录密码
系统配置允许IP转发sysctl -w net.ipv4.ip_forward=1sysctl -w net.ipv4.conf.all.rp_filter=0sysctl -w net.ipv4.conf.default.rp_filter=0sysctl -w net.ipv4.conf.$eth.rp_filter=0sysctl -w net.ipv4.conf.all.send_redirects=0sysctl -w net.ipv4.conf.default.send_redirects=0sysctl -w net.ipv4.conf.all.accept_redirects=0sysctl -w net.ipv4.conf.default.accept_redirects=0　　注解：以上均是命令，复制上去运行即可
也可以修改配置文件(/etc/sysctl.conf)：
net.ipv4.ip_forward = 1net.ipv4.conf.all.rp_filter = 0net.ipv4.conf.default.rp_filter = 0net.ipv4.conf.$eth.rp_filter = 0net.ipv4.conf.all.send_redirects = 0net.ipv4.conf.default.send_redirects = 0net.ipv4.conf.all.accept_redirects = 0net.ipv4.conf.default.accept_redirects = 0允许防火墙端口　　创建文件/usr/lib/firewalld/services/pptpd.xml并修改：
<?xml version="1.0" encoding="utf-8"?><service> <short>pptpd</short> <description>PPTP</description> <port protocol="tcp" port="1723"/></service>　　创建文件/usr/lib/firewalld/services/l2tpd.xml并修改：
<?xml version="1.0" encoding="utf-8"?><service> <short>l2tpd</short> <description>L2TP IPSec</description> <port protocol="udp" port="500"/> <port protocol="udp" port="4500"/> <port protocol="udp" port="1701"/></service>初始化并重启防火墙：firewall-cmd --reloadfirewall-cmd --permanent --add-service=pptpdfirewall-cmd --permanent --add-service=l2tpdfirewall-cmd --permanent --add-service=ipsecfirewall-cmd --permanent --add-masqueradefirewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp -i ppp+ -j TCPMSS --syn --set-mss 1356firewall-cmd --reload　　这里是由于CentOS7自带firewall，并且不预装iptables，因此自己也不多此一举去安装了，因为效果都是一样的。
启动并设置开机自启动服务systemctl enable pptpd ipsec xl2tpdsystemctl restart pptpd ipsec xl2tpd大功告成　　最后一步，并且是最重要的一步，当然是连接一下自己刚建好的VPN服务器啦！
　　现在估计你和我有同样的喜悦，当然如果中间出现什么问题的话，交流区在下方，很乐意大家踊跃参与！