Nowadays VPN technology has become very popular. Ordinary users rely on a VPN to access the Internet securely. It also helps to reach websites and services that are blocked and protects against possible malicious activity from outside. When you connect to a VPN server, a secure tunnel is established between your computer and the server that cannot be accessed from outside, so the VPN server becomes your point of entry to the Internet. There are many VPN services available, both free and paid, but if for some reason they do not work for you, you can always set up your own VPN server.
To run your own VPN you should rent a VPS server. There are various software packages that let you create VPN connections. They differ in the operating systems they support and in the algorithms they use. We will look at two independent ways of setting up a VPN server. The first is based on the PPTP protocol, which is already considered obsolete and insecure but is easy to configure. The second uses the modern and secure OpenVPN software, but it requires installing a third-party client application and a more elaborate setup procedure.
In our test environment we will use a virtual server running Ubuntu Server 18.04. The firewall on the server will be disabled, since its configuration deserves a separate article. We will describe the client setup on Windows 10.
Preparation
Whichever VPN server you choose, Internet access will be routed through the operating system's built-in networking. To open an Internet route through the server's external network interface you must allow packet forwarding between interfaces and configure network address translation.
To enable packet forwarding, open the "/etc/sysctl.conf" file and change the value of the "net.ipv4.ip_forward" parameter to 1.
To apply the change without rebooting the machine, run the command
sudo sysctl -p /etc/sysctl.conf
Network address translation is configured with iptables. First, find the name of your external network interface by running the command "ip link show" - you will need it in the next step. Ours is "ens3".
Enable network address translation on your external interface for all destinations reached from the local network.
sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
Note that you must insert the actual name of your server's network interface; it may differ from ours.
By default, all rules created with iptables are lost when the server restarts. To prevent this, use the "iptables-persistent" utility. Install the following package:
sudo apt install iptables-persistent
At some point during installation you will see a configuration dialog offering to save the current iptables rules. Since the rules have already been defined, simply confirm by answering "Yes" twice. From now on the rules will be applied automatically after the server restarts.
PPTP server
Server configuration
Install the package:
sudo apt install pptpd
After the installation completes, open the "/etc/pptpd.conf" file in any text editor and edit it as follows:
option /etc/ppp/pptpd-options #path to the settings file
logwtmp #client connections logging mechanism
connections 100 #number of simultaneous connections
localip 172.16.0.1 #the address that will serve as a client gateway
remoteip 172.16.0.2-200 #range of addresses
Then edit the "/etc/ppp/pptpd-options" file. Most of these parameters are already set to the values shown by default.
#name of the service for new client records
name pptpd
#restrict obsolete authentication methods
refuse-pap
refuse-chap
refuse-mschap
#allow a more secure authentication method
require-mschap-v2
#enable encryption
require-mppe-128
#specify dns servers for clients (use any available servers)
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp
novj
novjccomp
nologfd
In the next step you need to create a record for the client connection. Let's say you want to add a user "vpnuser" with the password "1" and assign them a dynamic address. Open the "/etc/ppp/chap-secrets" file and add the following line with the user's parameters at the end of the file:
vpnuser pptpd 1 *
The value "pptpd" is the service name we defined in the "pptpd-options" file. Instead of "*" you can specify a fixed IP address. As a result, the "chap-secrets" file should look like this:
To apply the settings, restart the pptpd service and add it to autostart.
sudo systemctl restart pptpd
sudo systemctl enable pptpd
Server configuration is complete.
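The "chap-secrets" format described above is easy to get wrong and easy to fill with weak secrets. The following Python script is an added example, not part of the original guide: it parses constructed chap-secrets content (the guide's "vpnuser pptpd 1 *" line plus a second constructed entry) and flags secrets that are too short and server fields that do not match the "name pptpd" directive.

```python
"""Audit of /etc/ppp/chap-secrets entries (added example, not part of the original
guide). Each line holds four fields: client, server, secret, IP address(es)."""
import re
from dataclasses import dataclass

# Constructed sample; "vpnuser pptpd 1 *" is the line added by the guide.
SAMPLE_CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
vpnuser         pptpd   1                       *
backup          pptpd   "Tr0ub4dor&3 long one"  172.16.0.50
"""

@dataclass
class Entry:
    client: str
    server: str
    secret: str
    addresses: str

def parse_chap_secrets(text: str) -> list[Entry]:
    """Parse the file, honouring '#' comments and pppd's double-quoted secrets."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.findall(r'"[^"]*"|\S+', line)
        if len(fields) < 4:
            raise ValueError(f"malformed chap-secrets line: {raw!r}")
        client, server, secret, addresses = (f.strip('"') for f in fields[:4])
        entries.append(Entry(client, server, secret, addresses))
    return entries

def audit(entries: list[Entry], service: str = "pptpd", min_len: int = 12) -> dict[str, list[str]]:
    """Findings per client: a secret shorter than min_len (trivially guessable) and a
    server field that does not match the 'name pptpd' directive, which makes the
    entry unusable for this service."""
    findings = {}
    for e in entries:
        issues = []
        if len(e.secret) < min_len:
            issues.append(f"secret shorter than {min_len} characters")
        if e.server != service:
            issues.append(f"server field {e.server!r} does not match 'name {service}'")
        if issues:
            findings[e.client] = issues
    return findings
```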
Client configuration
Open "Start" - "Settings" - "Network & Internet" - "VPN" and click "Add a VPN connection".
Enter the connection parameters in the window that opens and click "Save":
- VPN provider: "Windows (built-in)"
- Connection name: "vpn_connect" (you can choose any name)
- Server name or address: (enter the server's external IP address)
- VPN type: "Automatic"
- Type of sign-in info: "User name and password"
- User name: vpnuser (the name specified in the "chap-secrets" file on the server)
- Password: 1 (as in the "chap-secrets" file)
After saving the parameters you will see the new VPN connection in the window. Left-click the connection and select "Connect". If the connection succeeds, you will see the "Connected" status.
Under Options you will find the internal addresses of the client and the server. The "Destination address" field shows the server's external address.
Once connected, the server's internal IP address, 172.16.0.1 in our case, becomes the default gateway for all outgoing packets.
Using any online service you can verify that your computer's external IP address now matches the IP address of your VPN server.
OpenVPN server
Server configuration
Let's elevate the privileges of the current user, since the rest of the setup requires root access.
sudo -s
Install all the required packages. We will need the "Easy-RSA" package to manage the encryption keys.
apt install openvpn easy-rsa iptables-persistent
Allow incoming connections on port 1194 over UDP and save the iptables rules.
sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT
sudo netfilter-persistent save
Create a directory with copies of the files from the "Easy-RSA" package and change into it.
make-cadir ~/openvpn
cd ~/openvpn
Initialise the Public Key Infrastructure (PKI).
./easyrsa init-pki
Create the root certificate of the Certificate Authority (CA).
./easyrsa build-ca
During creation you will be asked to set and remember a passphrase. You will also need to answer questions and enter information about the key owner. You can leave the default values shown in square brackets. Press "Enter" to complete the entry.
Create the private key and certificate request. As the argument, specify an arbitrary name; in our case it is "vpn-server".
./easyrsa gen-req vpn-server nopass
Leave the Common Name value at the default.
Sign the generated server certificate request.
./easyrsa sign-req server vpn-server
At this step, answer "yes" to confirm the signing, then enter the passphrase created when generating the CA certificate.
Generate the Diffie-Hellman parameters. These parameters are used for secure key exchange between the server and the client.
./easyrsa gen-dh
All the required files have been created. Let's create a "keys" folder in the OpenVPN working directory to store the keys and copy the generated files there.
mkdir /etc/openvpn/keys
sudo cp pki/ca.crt pki/issued/vpn-server.crt pki/private/vpn-server.key pki/dh.pem /etc/openvpn/keys
Configure NAT with iptables rules. Create a file named nat in the /etc/openvpn/ directory and open it for editing.
#!/bin/sh
# Firewall rules applied by OpenVPN through the "up" directive in server.conf.
# eth0 is the external interface in our case; it may vary (it was ens3 in the Preparation section).
# Reset firewall settings
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Allow replies to connections opened by the server itself
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH so the server stays reachable
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Allow OpenVPN connections
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
# Trust traffic arriving from the VPN tunnel
iptables -A INPUT -i tun0 -j ACCEPT
# Let VPN clients reach the Internet
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
# Let only replies to connections opened by clients back into the tunnel
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable masquerading for the VPN network
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
# Deny all other incoming connections from outside
iptables -A INPUT -i eth0 -j DROP
# Deny new transit traffic from outside into the tunnel (rules are matched top-down, so no blanket accept may precede this)
iptables -A FORWARD -i eth0 -o tun0 -j DROP
# The script already runs as root when OpenVPN calls it, so no sudo is needed here
netfilter-persistent save
Save the file and make it executable.
sudo chmod 755 /etc/openvpn/nat
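The FORWARD rules in the nat script are evaluated top-down and the first match wins, so a blanket accept for eth0-to-tun0 traffic placed before the final DROP would make that DROP unreachable. The following Python model is an added example, not part of the original guide; the rule list and packets are constructed, and only the subset of iptables syntax the script uses is parsed.

```python
"""First-match evaluation of a FORWARD chain like the one in the nat script (added
example, not part of the original guide). It shows why rule order matters: a blanket
'-i eth0 -o tun0 -j ACCEPT' placed before the final DROP lets new inbound
connections reach VPN clients, while an ESTABLISHED,RELATED-only rule does not."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    state: str  # conntrack state as seen by "-m state": NEW, ESTABLISHED, RELATED

@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]
    out_if: Optional[str]
    states: Optional[frozenset]  # None means the rule has no state match
    target: str

def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables syntax used by the script's FORWARD rules."""
    t = line.split()
    def arg(flag): return t[t.index(flag) + 1] if flag in t else None
    st = arg("--state")
    return Rule(arg("-i"), arg("-o"), frozenset(st.split(",")) if st else None, arg("-j"))

def evaluate(rules: list[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top-down; the first matching rule decides, as netfilter does."""
    for r in rules:
        if r.in_if not in (None, pkt.in_if) or r.out_if not in (None, pkt.out_if):
            continue
        if r.states is not None and pkt.state not in r.states:
            continue
        return r.target
    return policy  # chain policy applies when nothing matched

# Constructed FORWARD chain with eth0 as the external and tun0 as the VPN interface.
BLANKET_FIRST = [parse_rule(l) for l in (
    "iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT",
    "iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT",
    "iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A FORWARD -i eth0 -o tun0 -j DROP",
)]
REPLIES_ONLY = BLANKET_FIRST[1:]  # the same chain without the blanket accept

def new_inbound_to_client(rules: list[Rule]) -> str:
    """Verdict for a brand-new connection arriving from the Internet for a VPN client."""
    return evaluate(rules, Packet("eth0", "tun0", "NEW"))
```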
Copy the sample server configuration.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
Open the "/etc/openvpn/server.conf" file for editing, make sure it contains the following lines, and edit them where necessary:
#Port, protocol, and interface
port 1194
proto udp
dev tun
#Path to the encryption keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn-server.crt
key /etc/openvpn/keys/vpn-server.key
dh /etc/openvpn/keys/dh.pem
#SHA256 Hashing Algorithm
auth SHA256
#tls-auth (extra HMAC protection of the control channel) is not used in this guide, so it stays commented out
#tls-auth ta.key 0
#Network parameters
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#Ping every 10 seconds to check the connection.
keepalive 10 120
#Set up AES-256 encryption for the tunnel.
cipher AES-256-GCM
#Drop the OpenVPN service's privileges after launch
user nobody
group nogroup
#Keep the keys and the tun device across tunnel restarts (needed once privileges are dropped)
persist-key
persist-tun
#Set log verbosity
verb 3
#Redirecting logs
log-append /var/log/openvpn/openvpn.log
#Script the rule installation launch.
up /etc/openvpn/nat
Enable traffic forwarding on the server.
sudo sysctl -w net.ipv4.ip_forward=1
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
Restart OpenVPN to apply the configuration.
systemctl restart openvpn@server
Server configuration is complete!
Client configuration
Go to the official OpenVPN website "https://openvpn.net" and open the "COMMUNITY" section.
Scroll down and download the installer for your version of the operating system. In our case it is Windows 11 ARM64.
Install the application, leaving all parameters at their defaults.
In the next step you need to prepare the following files on the server and transfer them to the client computer:
- the client's certificate and private key;
- a copy of the certificate authority's certificate;
- the sample configuration file.
Connect to the server, elevate privileges, and change into the previously created "~/openvpn" directory.
sudo -s
cd ~/openvpn
Generate a private key and certificate request for the client. As the argument, specify an arbitrary name; in our case it is "client1".
./easyrsa gen-req client1 nopass
Enter the passphrase we set when creating the certificate and leave the Common Name value at the default.
Sign the generated client certificate request.
./easyrsa sign-req client client1
At this step, answer "yes" to confirm the signing, then enter the passphrase created when generating the CA certificate.
For convenience, let's create a folder named "client1" in the home directory and copy all the files intended for transfer to the client computer into it.
mkdir ~/client1
cp pki/issued/client1.crt pki/private/client1.key pki/ca.crt ~/client1/
Copy the sample client configuration file to the same directory, changing the file extension to ".ovpn" while copying.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client1/client.ovpn
Change the owner of the "~/client1/" directory and all its files so that they can be handed over to the client. In our case the owner is "mihail".
chown -R mihail:mihail ~/client1
Go to the client computer and copy the contents of the "~/client1/" folder. You can do this with the "PSCP" utility, which ships with PuTTY.
PSCP -r mihail@[IP_сервера]:/home/mihail/client1 c:\client1
You can store the key files "ca.crt", "client1.crt" and "client1.key" wherever you like. In our case they are in the "c:\Program Files\OpenVPN\keys" folder, and we put the configuration file "client.ovpn" into the "c:\Program Files\OpenVPN\config" directory.
Now let's configure the client. Open the "c:\Program Files\OpenVPN\config\client.ovpn" file in a text editor and edit the following lines:
#announce that this is the client
client
#interface and protocol just like on the server
dev tun
proto udp
#IP address of the server and port
remote ip_address 1194
#keep the keys and the tun device across tunnel restarts
persist-key
persist-tun
#key paths (straight quotes; ca.crt is the file copied from the server)
ca "c:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "c:\\Program Files\\OpenVPN\\keys\\client1.crt"
key "c:\\Program Files\\OpenVPN\\keys\\client1.key"
#enable server verification
remote-cert-tls server
#tls-auth is not used, matching the server
#tls-auth ta.key 1
#cipher and HMAC digest must match the server settings
cipher AES-256-GCM
auth SHA256
auth-nocache
verb 3
Leave the rest untouched.
Save the file and launch the "OpenVPN GUI" client application.
Right-click the application icon in the taskbar and select "Connect". If the connection succeeds, the icon turns green.
Use any online service to verify that your public IP address has changed and now matches the server's IP address.
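The client file has to agree with server.conf on proto, dev, cipher and auth, and its certificate paths have to point at the files copied from the server. The following Python checker is an added example, not part of the original guide or of OpenVPN: the two configuration snippets are constructed from the guide's directives, with two deliberate client-side defects (AES-256-CBC where the server has AES-256-GCM, and a ca path ending in .cert instead of .crt), and a client that leaves auth at its default is treated as a mismatch.

```python
"""Consistency check between server.conf and client.ovpn (added example, not part of
the original guide); both snippets are constructed from the guide's directives."""
import re

SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
auth SHA256
#tls-auth ta.key 0
cipher AES-256-GCM
"""

# Two defects a hand-edited client file can carry: a cipher that differs
# from the server's and a CA path ending in .cert instead of .crt.
CLIENT_OVPN = """\
client
dev tun
proto udp
ca "c:\\\\Program Files\\\\OpenVPN\\\\keys\\\\ca.cert"
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
"""

def parse_conf(text: str) -> dict[str, list[str]]:
    """Map each active directive to its arguments; '#' and ';' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = re.findall(r'"[^"]*"|\S+', line)
            conf[name] = [a.strip('"') for a in args]
    return conf

def check_pair(server: dict, client: dict) -> list[str]:
    """Report settings that must agree on both ends of the tunnel."""
    problems = []
    for d in ("proto", "dev", "cipher", "auth"):  # auth falls back to SHA1 if unset
        if server.get(d) != client.get(d):
            problems.append(f"{d}: server {server.get(d)} vs client {client.get(d)}")
    if ("tls-auth" in server) != ("tls-auth" in client):  # both sides or neither
        problems.append("tls-auth enabled on one side only")
    for side, conf in (("server", server), ("client", client)):
        path = conf.get("ca", [""])[0]
        if not path.endswith(".crt"):
            problems.append(f"{side} ca: unexpected file extension in {path}")
    return problems
```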