
VPN server setup on Linux: PPTP or OpenVPN?


Nowadays, VPN technology is becoming more and more popular. Ordinary users use a VPN to access the Internet securely. It also helps to get around locally blocked websites and services and to protect against possible malicious activity from outside. When you connect to a VPN server, there is a secure tunnel between your computer and the server that cannot be accessed from outside, so the VPN server becomes your Internet access point. There are many VPN services out there, both free and paid, but if they don't work for you for some reason, you can always set up your own VPN server.

To run your own VPN, you need to rent a VPS server. There is various software that lets you create a VPN connection. The options differ in the operating systems they support and the algorithms they use. We will look at two independent ways of setting up a VPN server. The first is based on the PPTP protocol, which is already considered obsolete and insecure but is easy to configure. The other uses the modern and secure OpenVPN software but requires installing a third-party client application and a more involved setup process.

In our test environment, we are going to use a server running Ubuntu Server 18.04. The firewall will be turned off on the server because its configuration deserves a separate article. We will describe the client setup process on Windows 10.

Preparation

No matter which VPN server you choose, Internet access will be set up with the built-in tools of the operating system. To open Internet access through the external network interface, you need to allow packet forwarding between interfaces and configure network address translation.

To turn on packet forwarding, open the file "/etc/sysctl.conf" and change the value of the "net.ipv4.ip_forward" parameter to 1.

[Image: turning on packet forwarding for VPN setup]

To apply the changes without rebooting the computer, run the command

sudo sysctl -p /etc/sysctl.conf

Network address translation is configured with iptables. First, check the name of your external network interface using the command "ip link show" - you will need it at the next step. In our case the name is "ens3".

ip link show

Enable network address translation on your external interface for all local networks.

sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

Note that you need to specify the actual name of your server's interface; it may differ from ours.

By default, all rules created with iptables are reset after a server restart. To avoid that, use the "iptables-persistent" utility. Install the following package:

sudo apt install iptables-persistent

At some point during the installation, you will see a configuration window that prompts you to save the current iptables rules. Since the rules are already defined, just confirm and click "Yes" twice. From now on the rules will be applied automatically after a server restart.

[Image: enabling address translation]
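To confirm that both settings from this section survive a reboot rather than only being active now, the following check reads a sysctl file and a saved ruleset; it is an added example, not part of the original article. The function names are hypothetical and the sample files are constructed; /etc/iptables/rules.v4 is the file iptables-persistent restores at boot.

```shell
#!/bin/sh
# Added example: check that forwarding and NAT are persisted, not only active.

# Succeed if the last uncommented net.ipv4.ip_forward assignment in sysctl
# file $1 is 1; when the file is loaded, a later line overrides an earlier one.
forwarding_persisted() {
    awk -F= '
        { gsub(/[ \t]/, "") }                  # "key = value" -> "key=value"
        $1 == "net.ipv4.ip_forward" { v = $2 }
        END { exit !(v == "1") }' "$1"
}

# Succeed if saved ruleset $1 (iptables-save format) has a MASQUERADE rule in
# the POSTROUTING chain of the nat table for outgoing interface $2.
masquerade_persisted() {
    awk -v ifc="$2" '
        /^\*/ { table = substr($0, 2) }        # table header: *nat, *filter
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
            for (i = 3; i < NF; i++) if ($i == "-o" && $(i + 1) == ifc) found = 1
        }
        END { exit !found }' "$1"
}

# Constructed sample files; on a real server pass /etc/sysctl.conf and
# /etc/iptables/rules.v4 instead.
write_samples() {
    printf '%s\n' '#net.ipv4.ip_forward=1' 'net.ipv4.ip_forward = 0' \
        'net.ipv4.ip_forward=1' > "$1/sysctl.conf"
    printf '%s\n' '*filter' ':FORWARD ACCEPT [0:0]' \
        '-A FORWARD -o ens3 -j ACCEPT' 'COMMIT' \
        '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -o ens3 -j MASQUERADE' 'COMMIT' > "$1/rules.v4"
}

dir=$(mktemp -d) && write_samples "$dir"
forwarding_persisted "$dir/sysctl.conf" && echo "ip_forward persisted"
masquerade_persisted "$dir/rules.v4" ens3 && echo "MASQUERADE persisted for ens3"
masquerade_persisted "$dir/rules.v4" eth0 || echo "no MASQUERADE rule for eth0"
rm -rf "$dir"
```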

PPTP server

Server configuration

Install the package:

sudo apt install pptpd

After the installation finishes, open the file "/etc/pptpd.conf" in any text editor and edit it as follows:

option /etc/ppp/pptpd-options #path to the settings file
logwtmp #client connections logging mechanism
connections 100 #number of simultaneous connections
localip 172.16.0.1 #the address that will serve as a client gateway
remoteip 172.16.0.2-200 #range of addresses

After that, edit the file "/etc/ppp/pptpd-options". Most of the parameters are already set by default.

#name of the service for new client records
name pptpd
#restrict obsolete authentication methods
refuse-pap
refuse-chap
refuse-mschap
#allow a more secure authentication method
require-mschap-v2
#enable encryption
require-mppe-128
#specify dns servers for clients (use any available servers)
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp
novj
novjccomp
nologfd

At the next step, you will need to create a record for client connections. Let's say you want to add the user "vpnuser" with the password "1" and allow dynamic addressing for that user. Open the file "/etc/ppp/chap-secrets" and add the following line with the user's parameters at the end of the file:

vpnuser pptpd 1 *

The "pptpd" value is the service name we specified in the file "pptpd-options". Instead of "*" you can specify a fixed IP address. As a result, the file "chap-secrets" should look like this:

[Image: VPN server setup]

To apply the settings, restart the pptpd service and enable it to start at boot.

sudo systemctl restart pptpd
sudo systemctl enable pptpd

Server configuration is complete.
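A quick check of the two files edited above, as an added example that is not part of the original article: it reports authentication and encryption options missing from pptpd-options, chap-secrets entries with short secrets (such as the one-character password used here), and a secrets file readable by other users. The function names, the 12-character threshold and the sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit the pptpd files edited in this section.

# Print "missing: <option>" for each authentication or encryption option
# from the pptpd-options listing that is absent or commented out in file $1.
audit_pptpd_options() {
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        grep -Eq "^[[:space:]]*${opt}([[:space:]]|\$)" "$1" || echo "missing: $opt"
    done
}

# Print the client name of every entry in chap-secrets file $1 whose secret
# is shorter than $2 characters. Columns: client, server, secret, IP addresses.
weak_chap_secrets() {
    awk -v min="$2" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        { s = $3; gsub(/^"|"$/, "", s)       # the secret may be double-quoted
          if (length(s) < min) print $1 }' "$1"
}

# Succeed only if file $1 grants no permissions to group or others.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample files: the vpnuser entry from this section, one longer
# secret, and an options file with refuse-mschap commented out.
write_samples() {
    printf '%s\n' 'name pptpd' 'refuse-pap' 'refuse-chap' '#refuse-mschap' \
        'require-mschap-v2' 'require-mppe-128' > "$1/pptpd-options"
    printf '%s\n' '# client server secret IP' 'vpnuser pptpd 1 *' \
        'alice pptpd "constructed-long-secret" 172.16.0.50' > "$1/chap-secrets"
    chmod 644 "$1/chap-secrets"
}

dir=$(mktemp -d) && write_samples "$dir"
audit_pptpd_options "$dir/pptpd-options"
weak_chap_secrets "$dir/chap-secrets" 12 | sed 's/^/short secret: /'
owner_only "$dir/chap-secrets" || echo "chap-secrets is readable by group or others"
rm -rf "$dir"
```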

Client configuration

Open "Start" - "Settings" - "Network & Internet" - "VPN" and click "Add a VPN connection".

[Image: setting up the VPN client connection]

Enter the connection parameters in the window that opens and click "Save".

  • VPN provider: "Windows (built-in)"
  • Connection name: "vpn_connect" (you can choose any name)
  • Server name or address: (specify the external IP address of the server)
  • VPN type: "Auto"
  • Type of sign-in info: "User name and password"
  • User name: vpnuser (the name specified in the "chap-secrets" file on the server)
  • Password: 1 (as in the "chap-secrets" file)

After saving the parameters, you will see the new VPN connection in the window. Left-click the connection and select "Connect". If the connection is successful, you will see the "Connected" status.

[Image: adding a VPN connection]

In the connection properties, you can find the internal addresses of the client and the server. The "Destination address" field shows the external address of the server.

[Image: how to set up a VPN server yourself]

When connected, the internal IP address of the server, 172.16.0.1 in our case, becomes the default gateway for all outgoing packets.

[Image: checking the external IP address]

Using any online service, you can make sure that the external IP address of the computer is now the same as the IP address of your VPN server.

OpenVPN server

Server configuration

Let's elevate the privileges of the current user, because the rest of the configuration requires root access.

sudo -s

Install all the required packages. We will need the "Easy-RSA" package to manage the encryption keys.

apt install openvpn easy-rsa iptables-persistent

Allow incoming connections on port 1194 over the UDP protocol and apply the iptables rules.

sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT

sudo netfilter-persistent save

Create a directory with the files copied from the "Easy-RSA" package and change into it.

make-cadir ~/openvpn

cd ~/openvpn

Create the Public Key Infrastructure (PKI).

./easyrsa init-pki

Create the Certificate Authority (CA) root certificate.

./easyrsa build-ca

During creation, you will be prompted to set a password and must remember it. You will also need to answer questions and enter information about the key owner. You can leave the default values offered in square brackets. Press "Enter" to finish the input.

Create a private key and a certificate request. As an argument, specify an arbitrary name; in our case, "vpn-server".

./easyrsa gen-req vpn-server nopass

Leave the Common Name value as default.

Sign the generated server certificate request.

./easyrsa sign-req server vpn-server

At this step, answer "yes" to confirm the signature, then enter the password that was set when the root certificate was created.

Generate the Diffie-Hellman parameters. These parameters are used for the secure key exchange between the server and the client.

./easyrsa gen-dh

All the necessary files have been generated. Let's create a "keys" folder in the OpenVPN working directory to store the keys, and copy the generated files there.

mkdir /etc/openvpn/keys

sudo cp pki/ca.crt pki/issued/vpn-server.crt pki/private/vpn-server.key pki/dh.pem /etc/openvpn/keys

Set up NAT using iptables rules. Create a file named nat in the /etc/openvpn/ directory and open it for editing.

#!/bin/sh

# Reset firewall settings
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Allow incoming packets that belong to established connections (eth0 in our case, may vary)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH connections (eth0 in our case, may vary)
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# Allow OpenVPN connections (eth0 in our case, may vary)
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT

# Allow incoming connections from the tunnel interface
iptables -A INPUT -i tun0 -j ACCEPT

# Allow transit traffic from the tunnel to the outside (eth0 in our case, may vary).
# The reverse direction is limited to replies by the next rule: an unconditional
# eth0 -> tun0 ACCEPT here would match first and leave the final DROP rule unreachable.
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

# Allow replies to established connections back into the tunnel (eth0 in our case, may vary)
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable masquerading for the local network (eth0 in our case, may vary)
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

# Deny incoming connections from outside
iptables -A INPUT -i eth0 -j DROP

# Deny transit traffic from outside (eth0 in our case, may vary)
iptables -A FORWARD -i eth0 -o tun0 -j DROP

sudo netfilter-persistent save

Save the file and make it executable.

sudo chmod 755 /etc/openvpn/nat

Copy the server configuration template.

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/

Open the file "/etc/openvpn/server.conf" for editing, make sure it contains the following lines, and adjust them if necessary:

#Port, protocol, and interface
port 1194
proto udp
dev tun

#Path to the encryption keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn-server.crt
key /etc/openvpn/keys/vpn-server.key
dh /etc/openvpn/keys/dh.pem

#SHA256 Hashing Algorithm
auth SHA256

#Switching off additional encryption
#tls-auth ta.key 0

#Network parameters
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

#Ping every 10 seconds to check the connection.
keepalive 10 120

#Set up AES-256 encryption for the tunnel.
cipher AES-256-GCM

#Drop the privileges of the OpenVPN service after launch
user nobody
group nogroup

#Keep the keys and the tunnel device across restarts
persist-key
persist-tun

#Set log verbosity
verb 3

#Redirecting logs
log-append /var/log/openvpn/openvpn.log

#Run the script that installs the firewall rules (a user-defined script requires script-security 2).
script-security 2
up /etc/openvpn/nat

Enable traffic forwarding on the server.

sudo sysctl -w net.ipv4.ip_forward=1

echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf

Start OpenVPN to apply the configuration.

systemctl restart openvpn@server

Server configuration is complete!

Client configuration

Go to the official OpenVPN website "https://openvpn.net" and open the "COMMUNITY" section.

Scroll down and download the installer for your operating system version. In our case, it is Windows 11 ARM64.

Install the application, leaving all the parameters at their defaults.

At the next step, you will need to prepare the following files on the server and transfer them to the client computer:

  • public and private keys;
  • a copy of the certificate authority (CA) certificate;
  • config file template.

Connect to the server, elevate privileges, and go to the directory we created earlier, "~/openvpn".

sudo -s

cd ~/openvpn

Create a private key and a certificate request for the client. As an argument, specify an arbitrary name; in our case, "client1".

./easyrsa gen-req client1 nopass

Enter the password that we set when creating the root certificate and leave the Common Name value as default.

Sign the generated client certificate request.

./easyrsa sign-req client client1

At this step, answer "yes" to confirm the signature, then enter the password that was set when the root certificate was created.

For convenience, let's create a directory named "client1" in the home directory and copy into it all the files prepared for transfer to the client computer.

mkdir ~/client1

cp pki/issued/client1.crt pki/private/client1.key pki/ca.crt ~/client1/

Copy the client config file template to the same directory. Change the file extension to ".ovpn" while copying.

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client1/client.ovpn

Change the owner of the "~/client1/" directory and all the files in it so that they can be transferred to the client. In our case, let's make "mihail" the owner.

chown -R mihail:mihail ~/client1

Go to the client computer and copy the contents of the "~/client1/" folder to it. You can do that with the "PSCP" utility, which comes with PuTTY.

PSCP -r mihail@[server_IP]:/home/mihail/client1 c:\client1

You can store the key files "ca.crt", "client1.crt" and "client1.key" wherever you want. In our case, they are in the folder "c:\Program Files\OpenVPN\keys", and we move the config file "client.ovpn" into the "c:\Program Files\OpenVPN\config" directory.

Now let's configure the client. Open the file "c:\Program Files\OpenVPN\config\client.ovpn" in a text editor and edit the following lines:

#announce that this is the client
client

#interface and protocol just like on the server
dev tun
proto udp

#IP address of the server and port
remote ip_address 1194

#saving parameters after reload
persist-key
persist-tun

#key paths
ca "c:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "c:\\Program Files\\OpenVPN\\keys\\client1.crt"
key "c:\\Program Files\\OpenVPN\\keys\\client1.key"

#enable server verification
remote-cert-tls server

#disable extra encryption
#tls-auth ta.key 1

cipher AES-256-CBC
auth-nocache
verb 3

Leave the rest unchanged.

Save the file and start the client application "OpenVPN GUI".

[Image: VPN setup complete]

Right-click the app icon in the taskbar and select "Connect". If the connection succeeds, the icon turns green.

Use any online service to verify that your public IP address has changed and is now the same as the IP address of the server.
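The server and client listings above have to agree on protocol, device and port, and the client has to verify the server certificate. The following comparison of the two files is an added example, not part of the original article; the function names and sample files are constructed for the illustration. A reported cipher difference is something to review rather than a certain connection failure, because OpenVPN 2.4 and later can negotiate the data-channel cipher.

```shell
#!/bin/sh
# Added example: compare an OpenVPN server.conf with a client .ovpn profile.

# Print the arguments of the first uncommented directive $2 in file $1.
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Print one line per finding for server config $1 and client profile $2.
compare_vpn_configs() {
    for d in proto dev cipher auth; do
        s=$(directive "$1" "$d"); c=$(directive "$2" "$d")
        [ "$s" = "$c" ] || echo "$d: server='$s' client='$c'"
    done
    sport=$(directive "$1" port)
    cport=$(directive "$2" remote | awk '{ print $2 }')
    [ "$sport" = "$cport" ] || echo "port: server='$sport' client='$cport'"
    [ "$(directive "$2" remote-cert-tls)" = "server" ] ||
        echo "client does not require a server certificate (remote-cert-tls server)"
    # Typographic quotes pasted from a web page are not config-file quoting.
    if grep -q -e '“' -e '”' "$2"; then echo "typographic quotes in client profile"; fi
}

# Constructed sample files; the client profile deliberately contains
# typographic quotes, and 203.0.113.10 is a documentation address.
write_samples() {
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'auth SHA256' \
        'cipher AES-256-GCM' '#tls-auth ta.key 0' > "$1/server.conf"
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote 203.0.113.10 1194' \
        'ca “c:\\Program Files\\OpenVPN\\keys\\ca.crt”' \
        'remote-cert-tls server' 'cipher AES-256-CBC' > "$1/client.ovpn"
}

dir=$(mktemp -d) && write_samples "$dir"
compare_vpn_configs "$dir/server.conf" "$dir/client.ovpn"
rm -rf "$dir"
```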
