VPN technology is becoming more and more popular. Ordinary users rely on a VPN to access the Internet securely. It also helps to reach websites and services that are blocked by region and to protect against malicious activity from outside. When you connect to a VPN server, an encrypted tunnel is created between your computer and the server that cannot be read from outside, so the VPN server acts as your Internet access point. There are many VPN services, free and paid, but if for some reason they do not suit you, you can always set up your own VPN.
To run your own VPN you need to rent a VPS. There are several software products that can build VPN connections. They differ in the operating systems they support and in the algorithms they use. We will look at two different ways to set up a VPN server. The first is based on the PPTP protocol, which is considered obsolete and insecure but is very simple to configure. The other uses the more modern and secure OpenVPN, but requires installing a third-party client application and a somewhat more involved setup procedure.
In our test environment we use a virtual server running Ubuntu Server 18.04. The firewall on the server is disabled, because its configuration deserves a separate article. We describe the client setup procedure for Windows 10.
Preparation
Whichever VPN you choose, Internet access is provided by built-in features of the operating system. To open Internet access through the external network interface, you need to allow forwarding between interfaces and configure network address translation.
To enable packet forwarding, open the file “/etc/sysctl.conf” and change the value of the “net.ipv4.ip_forward” parameter to 1.
To apply the change without rebooting the machine, run the command
sudo sysctl -p /etc/sysctl.conf
Network address translation is configured by means of iptables. First, check the name of your external network interface by running the command “ip link show”; you will need it in the next step. In our case the name is “ens3”.
Enable network address translation on your external interface for all nodes of the local network.
sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
Remember to specify the actual interface name of your server, which may differ from ours.
By default, all rules created with iptables are lost after the server restarts. To prevent this, use the “iptables-persistent” utility. Install the following package:
sudo apt install iptables-persistent
At some point during the installation you will see a configuration dialog asking whether to save the current iptables rules. Since the rules are already defined, confirm by pressing “Yes” twice. From now on the rules are loaded automatically after the server starts.
PPTP server
Server configuration
Install the package:
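The preparation steps above (interface discovery, ip_forward, the MASQUERADE rule, persisting the rules) can be collected into one script. The following is an added example, not part of the original article: it reads the external interface name from the default route instead of hard-coding “ens3”, adds the NAT rule only if it is not already present, and with DRY_RUN=1 prints the commands so they can be reviewed before anything is changed. The script name gateway.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): enable IPv4 forwarding and
# NAT masquerading for the VPN gateway, as described in the Preparation section.
# The external interface is taken from the default route instead of being
# hard-coded, and DRY_RUN=1 prints the commands instead of executing them.

# Extract the interface name from one line of `ip route show default`,
# e.g. "default via 203.0.113.1 dev ens3 proto static" -> "ens3".
default_iface_from_route() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Query the running system for the external interface.
default_iface() {
    default_iface_from_route "$(ip -4 route show default 2>/dev/null | head -n 1)"
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Enable forwarding now and persistently (uncomments the existing line in
# /etc/sysctl.conf), then add the masquerade rule once: `iptables -C` checks
# whether the rule already exists, so repeated runs do not duplicate it.
setup_vpn_gateway() {
    iface="$1"
    [ -n "$iface" ] || { echo "no external interface found" >&2; return 1; }
    run sysctl -w net.ipv4.ip_forward=1
    run sed -i 's/^#*net.ipv4.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -t nat -C POSTROUTING -o "$iface" -j MASQUERADE 2>/dev/null; then
        run iptables -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
    fi
    run netfilter-persistent save
}

# Usage: DRY_RUN=1 sh gateway.sh   (review the commands), then: sudo sh gateway.sh
if [ "${0##*/}" = "gateway.sh" ]; then
    setup_vpn_gateway "$(default_iface)"
fi
```

Run it once with DRY_RUN=1 and compare the printed interface with the output of “ip link show” before running it for real; a wrong interface name would masquerade nothing and the clients would have no Internet access.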
sudo apt install pptpd
When the installation is complete, open the file “/etc/pptpd.conf” in a text editor and edit it as follows:
option /etc/ppp/pptpd-options #path to the settings file
logwtmp #client connections logging mechanism
connections 100 #number of simultaneous connections
localip 172.16.0.1 #the address that will serve as a client gateway
remoteip 172.16.0.2-200 #range of addresses
After that, edit the file “/etc/ppp/pptpd-options”. Most parameters are already set by default.
#name of the service for new client records
name pptpd
#restrict obsolete authentication methods
refuse-pap
refuse-chap
refuse-mschap
#allow a more secure authentication method
require-mschap-v2
#enable encryption
require-mppe-128
#specify dns servers for clients (use any available servers)
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp
novj
novjccomp
nologfd
In the next step, create records for client connections. Say you want to add a user “vpnuser” with the password “1” and give them a dynamically assigned address. Open the file “/etc/ppp/chap-secrets” and add the following line with the user's parameters at the end of the file:
vpnuser pptpd 1 *
The value “pptpd” is the service name we specified in the “pptpd-options” file. Instead of “*” you can specify a fixed IP address. In the end, the “chap-secrets” file should look like this:
To apply the settings, restart the pptpd service and add it to autostart.
sudo systemctl restart pptpd
sudo systemctl enable pptpd
Server configuration is complete.
Client configuration
Open “Start” - “Settings” - “Network & Internet” - “VPN” and click “Add a VPN connection”.
Enter the connection parameters in the window that opens and click “Save”:
- VPN provider: “Windows (built-in)”
- Connection name: “vpn_connect” (you can choose any name)
- Server name or address: (enter the external IP address of the server)
- VPN type: “Automatic”
- Type of sign-in info: “User name and password”
- User name: vpnuser (the name specified in the “chap-secrets” file on the server)
- Password: 1 (as in the “chap-secrets” file)
After saving the parameters, you will see the new VPN connection in the window. Left-click the connection and select “Connect”. If the connection succeeds, the status shows “Connected”.
In the connection properties you can see the internal addresses of the client and the server. The “Destination address” field shows the external address of the server.
Once connected, the internal IP address of the server, 172.16.0.1 in our case, becomes the default gateway for all outgoing packets.
Using any online service you can verify that the external IP address of your computer now matches the IP address of your VPN server.
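The “pptpd-options” file above only provides the intended protection if the refuse-* lines and require-mppe-128 stay active, and “chap-secrets” stores the passwords in plaintext. The following added example (not part of the original article) audits both: it reports any of the five directives that is missing or commented out, flags directives that would re-enable the weaker methods, and checks that chap-secrets is readable by root only. The script name audit-pptpd.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): audit a pptpd-options file
# for the authentication and encryption settings the article enables.
# PPTP is dated; if it must be run, MS-CHAPv2 with 128-bit MPPE is the
# minimum, so the check fails when a weaker method is left enabled.

# Return 0 if DIRECTIVE appears as an active (uncommented) line in FILE.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Print every problem found; return 1 if any, 0 if the file is clean.
audit_pptpd_options() {
    file="$1"
    rc=0
    for d in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        if ! has_directive "$file" "$d"; then
            echo "missing: $d"
            rc=1
        fi
    done
    # These directives would undo what the refuse-* lines switch off.
    for d in require-pap require-chap require-mschap nomppe; do
        if has_directive "$file" "$d"; then
            echo "weakening directive present: $d"
            rc=1
        fi
    done
    return $rc
}

# chap-secrets holds plaintext passwords: it must be root-only (mode 600).
check_secrets_mode() {
    mode="$(stat -c '%a' "$1" 2>/dev/null)" || { echo "cannot stat $1"; return 1; }
    [ "$mode" = "600" ] || { echo "$1 has mode $mode, expected 600"; return 1; }
}

# Usage: sudo sh audit-pptpd.sh [/etc/ppp/pptpd-options] [/etc/ppp/chap-secrets]
if [ "${0##*/}" = "audit-pptpd.sh" ]; then
    audit_pptpd_options "${1:-/etc/ppp/pptpd-options}"
    check_secrets_mode "${2:-/etc/ppp/chap-secrets}"
fi
```

The directive match requires whitespace or end of line after the name, so “require-mschap-v2” is not mistaken for the weaker “require-mschap”.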
OpenVPN server
Server configuration
Elevate the privileges of the current user, since our configuration requires root access.
sudo -s
Install the required packages. We need the “Easy-RSA” package to manage the encryption keys.
apt install openvpn easy-rsa iptables-persistent
Allow incoming connections on port 1194 over UDP with iptables rules.
sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT
sudo netfilter-persistent save
Create a directory with the files copied from the “Easy-RSA” package and change into it.
make-cadir ~/openvpn
cd ~/openvpn
Create the Public Key Infrastructure (PKI).
./easyrsa init-pki
Create the root Certificate Authority (CA) certificate.
./easyrsa build-ca
During creation you will be prompted to set and remember a passphrase. You will also have to answer questions and enter information about the key owner. You can keep the default values shown in square brackets. Press “Enter” to complete the entry.
Create a private key and a certificate request. As the argument, specify a common name; in our case, “vpn-server”.
./easyrsa gen-req vpn-server nopass
Leave the Common Name value at its default.
Sign the generated server certificate request.
./easyrsa sign-req server vpn-server
At this step, answer “yes” to confirm the signing and enter the passphrase created when generating the root certificate.
Generate the Diffie-Hellman parameters. They are used for the secure key exchange between the server and the client.
./easyrsa gen-dh
The required files have been created. Create a “keys” folder inside the OpenVPN working directory to store the keys, and copy the generated files into it.
mkdir /etc/openvpn/keys
sudo cp pki/ca.crt pki/issued/vpn-server.crt pki/private/vpn-server.key pki/dh.pem /etc/openvpn/keys
Configure NAT using iptables rules. Create a file named “nat” in the “/etc/openvpn/” directory and open it for editing.
#!/bin/sh
# Reset firewall settings
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Allow replies to connections the server itself opened (eth0 in our case, may vary)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Keep SSH reachable (eth0 in our case, may vary)
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Allow OpenVPN connections (eth0 in our case, may vary)
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
# Allow all traffic arriving from the tunnel
iptables -A INPUT -i tun0 -j ACCEPT
# Forward traffic from VPN clients to the Internet (eth0 in our case, may vary)
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
# From outside towards the clients, allow only replies to connections the
# clients opened (eth0 in our case, may vary)
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable masquerading for the VPN network (eth0 in our case, may vary)
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
# Deny incoming connections from outside
iptables -A INPUT -i eth0 -j DROP
# Deny all other transit traffic from outside (eth0 in our case, may vary)
iptables -A FORWARD -i eth0 -o tun0 -j DROP
# Persist the rules (the script runs as root from OpenVPN's "up" hook, so no sudo)
netfilter-persistent save
Save the file and make it executable.
sudo chmod 755 /etc/openvpn/nat
Copy the sample server configuration.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
Open the file “/etc/openvpn/server.conf” for editing, make sure it contains the following lines, and correct them where necessary:
# Port, protocol, and interface
port 1194
proto udp
dev tun
# Paths to the certificates and keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn-server.crt
key /etc/openvpn/keys/vpn-server.key
dh /etc/openvpn/keys/dh.pem
# HMAC algorithm for packet authentication (must match the client)
auth SHA256
# tls-auth (an extra HMAC key on the control channel) is left disabled
#tls-auth ta.key 0
# Network parameters
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Ping every 10 seconds; treat the peer as down after 120 seconds without a reply
keepalive 10 120
# AES-256-GCM cipher for the tunnel (must match the client)
cipher AES-256-GCM
# Drop privileges after startup
user nobody
group nogroup
# Keep the key material and the tun device across restarts (needed once privileges are dropped)
persist-key
persist-tun
# Set log verbosity
verb 3
# Redirect logs
log-append /var/log/openvpn/openvpn.log
# Allow OpenVPN to run the external script below; without this the "up" script is refused
script-security 2
# Run the firewall rule script when the tunnel comes up
up /etc/openvpn/nat
Enable forwarding on the server.
sudo sysctl -w net.ipv4.ip_forward=1
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
Restart OpenVPN to apply the configuration.
systemctl restart openvpn@server
Server configuration is complete!
Client configuration
Go to the official OpenVPN website “https://openvpn.net” and open the “Community” section.
Scroll down and download the installer for your operating system version. In our case, it is Windows 11 ARM64.
Install the application, leaving all parameters at their defaults.
In the next step you need to prepare the following files on the server and transfer them to the client computer:
- the client's public and private keys;
- a copy of the signing certificate authority's certificate;
- the sample configuration file.
Connect to the server, elevate privileges, and change to the “~/openvpn” directory we created.
sudo -s
cd ~/openvpn
Create a private key and a certificate request for the client. As the argument, specify a common name; in our case, “client1”.
./easyrsa gen-req client1 nopass
Enter the passphrase we set when creating the root certificate and leave the Common Name value at its default.
Sign the generated client certificate request.
./easyrsa sign-req client client1
At this step, answer “yes” to confirm the signing and enter the passphrase created when generating the root certificate.
For convenience, create a “client1” folder in the home directory and copy all the files to be transferred to the client computer into it.
mkdir ~/client1
cp pki/issued/client1.crt pki/private/client1.key pki/ca.crt ~/client1/
Copy the sample client configuration file to the same directory, changing the file extension to “.ovpn” as you copy.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client1/client.ovpn
Change the owner of the “~/client1/” directory and all its files so that they can be transferred to the client. In our case we make “mihail” the owner.
chown -R mihail:mihail ~/client1
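Instead of transferring three key files and a configuration that references them by Windows path, the client material can be embedded into one profile. The following is an added example, not one of the article's steps: it builds “client1.ovpn” from the Easy-RSA output with inline <ca>, <cert> and <key> blocks, using the same remote port, cipher, auth and remote-cert-tls settings as the server configuration above, and restricts the resulting file to its owner because it now contains the private key. The script name make-profile.sh, the output directory and the sample address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): bundle the client's CA
# certificate, certificate and key into a single .ovpn with inline <ca>,
# <cert> and <key> blocks, and lock down the resulting file. One
# self-contained profile avoids the Windows path quoting of the per-file
# setup and is easier to hand over; directory and file names are assumptions.

# Print the contents of FILE wrapped in <TAG> ... </TAG>.
inline_block() {
    printf '<%s>\n' "$2"
    cat "$1"
    printf '</%s>\n' "$2"
}

# Build NAME.ovpn in OUTDIR from the Easy-RSA outputs under PKI_DIR.
# SERVER_IP is the public address the client connects to.
# Prints the path of the profile and returns 1 if an input file is missing.
build_client_profile() {
    name="$1"; pki="$2"; server_ip="$3"; outdir="$4"
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    mkdir -p "$outdir"
    out="$outdir/$name.ovpn"
    {
        # Same protocol, port, HMAC and cipher as server.conf
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$server_ip"
        printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
        printf 'remote-cert-tls server\nauth SHA256\ncipher AES-256-GCM\nauth-nocache\nverb 3\n'
        inline_block "$pki/ca.crt" ca
        inline_block "$pki/issued/$name.crt" cert
        inline_block "$pki/private/$name.key" key
    } > "$out"
    # The profile contains the private key: owner read/write only.
    chmod 600 "$out"
    printf '%s\n' "$out"
}

# Usage: sudo sh make-profile.sh client1 ~/openvpn/pki 203.0.113.10 ~/client1
if [ "${0##*/}" = "make-profile.sh" ]; then
    build_client_profile "$1" "$2" "$3" "${4:-$HOME/$1}"
fi
```

After running it, change the owner of the profile as in the chown step above and copy only that one file to the client; it can be dropped straight into “c:\Program Files\OpenVPN\config”.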
Go to the client computer and copy the contents of the “~/client1/” folder. You can do this with the “PSCP” utility that ships with PuTTY.
PSCP -r mihail@[server_IP]:/home/mihail/client1 c:\client1
You can store the key files “ca.crt”, “client1.crt” and “client1.key” wherever you like. In our case they are in the folder “c:\Program Files\OpenVPN\keys”, and the configuration file “client.ovpn” is moved to the “c:\Program Files\OpenVPN\config” directory.
Now let's configure the client. Open the file “c:\Program Files\OpenVPN\config\client.ovpn” in a text editor and edit the following lines:
# announce that this is the client
client
# interface and protocol just like on the server
dev tun
proto udp
# IP address of the server and port (replace ip_address with the server's public IP)
remote ip_address 1194
# keep the key material and the tun device across restarts
persist-key
persist-tun
# key paths (straight double quotes, backslashes doubled)
ca "c:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "c:\\Program Files\\OpenVPN\\keys\\client1.crt"
key "c:\\Program Files\\OpenVPN\\keys\\client1.key"
# enable server verification (the server certificate was signed with the "server" type above)
remote-cert-tls server
# tls-auth is left disabled, matching the server
#tls-auth ta.key 1
# cipher and HMAC must match server.conf
cipher AES-256-GCM
auth SHA256
auth-nocache
verb 3
Leave the rest untouched.
Save the file and launch the “OpenVPN GUI” client application.
Right-click the application icon in the taskbar and select “Connect”. If the connection succeeds, the icon turns green.
Use any online service to verify that your public IP address has changed and now matches the IP address of the server.