Nowadays, VPN technology is becoming popular. Ordinary users use a VPN to access the internet securely. It also helps to bypass locally blocked websites and services and protects against possible malicious activity from outside. When you connect to a VPN server, a secure tunnel exists between your computer and the server that cannot be accessed from outside, so the VPN server becomes your point of entry to the internet. There are many VPN services, both free and paid, but if for some reason they do not suit you, you can always set up your own VPN server.
To run your own VPN, you need to rent a VPS server. There is various software that lets you create a VPN connection; the options differ in the operating systems they support and the algorithms they use. We will look at two independent ways of building a VPN server. The first is based on the PPTP protocol, which has long been considered obsolete and insecure but is really very easy to configure. The second uses OpenVPN, modern and secure software, but it requires installing a third-party client application and a more involved configuration.
In our test environment, we will use a virtual server running Ubuntu Server 18.04. The firewall will be disabled on the server, because its configuration deserves a separate article. We will describe the client setup procedure for Windows 10.
Preparation
Whichever VPN server you choose, internet access is configured in the same way at the operating-system level. To open internet access through the external interface, you must allow packet forwarding between interfaces and set up network address translation (NAT).
To enable packet forwarding, open the "/etc/sysctl.conf" file and change the value of the "net.ipv4.ip_forward" parameter to 1.
To apply the change without rebooting, run the command
sudo sysctl -p /etc/sysctl.conf
Network address translation is configured with iptables. First, find the name of your external network interface with the "ip link show" command; you will need it in the next step. Ours is "ens3".
Enable network address translation on your external interface for all local-network nodes:
sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
Note that you must specify the actual interface name of your server; it may differ from ours.
By default, all rules created with iptables are lost after the server reboots. To prevent this, use the "iptables-persistent" utility. Install the package:
sudo apt install iptables-persistent
At some point during the installation, you will see a configuration dialog offering to save the current iptables rules. Since the rules have already been defined, simply confirm by choosing "Yes" twice. From now on, the rules will be applied automatically after the server reboots.
PPTP server
Server configuration
Install the package:
sudo apt install pptpd
After the installation completes, open the "/etc/pptpd.conf" file in any text editor and edit it as follows:
option /etc/ppp/pptpd-options #path to the settings file
logwtmp #client connections logging mechanism
connections 100 #number of simultaneous connections
localip 172.16.0.1 #the address that will serve as a client gateway
remoteip 172.16.0.2-200 #range of addresses
After that, edit the "/etc/ppp/pptpd-options" file. Most of the parameters are already set by default.
#name of the service for new client records
name pptpd
#restrict obsolete authentication methods
refuse-pap
refuse-chap
refuse-mschap
#allow a more secure authentication method
require-mschap-v2
#enable encryption
require-mppe-128
#specify dns servers for clients (use any available servers)
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp
novj
novjccomp
nologfd
In the next step, you need to create the client connection records. Let's say you want to add a user "vpnuser" with the password "1" and allow it to connect with a dynamically assigned address. Open the "/etc/ppp/chap-secrets" file and add the following line with the user's parameters at the end of the file:
vpnuser pptpd 1 *
The "pptpd" value is the service name we specified in the "pptpd-options" file. Instead of "*" you can specify a fixed IP address. As a result, the "chap-secrets" file should end with the line shown above.
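The same record can be added by a small shell function, shown here as an added example that is not part of the original article (the function name add_pptp_user is ours). It validates the fields, refuses a duplicate record for the same user, and keeps the file readable by root only, since chap-secrets stores the password in plaintext.

```shell
#!/bin/sh
# Added example, not from the original article: append a PPTP client record to a
# chap-secrets file with the checks one wants around a plaintext-secret file.
# Record format: <client> <server> <secret> <allowed IP address or *>
# Usage: add_pptp_user /etc/ppp/chap-secrets vpnuser 1 [ip]

add_pptp_user() {
    file=$1; user=$2; secret=$3; ip=${4:-*}   # "*" = any (dynamic) address
    # Fields are whitespace-separated, so none may be empty or contain whitespace
    for v in "$user" "$secret" "$ip"; do
        case $v in
            ''|*[[:space:]]*) echo "invalid field: '$v'" >&2; return 1 ;;
        esac
    done
    # Refuse a second record for the same client/service pair (field-exact match)
    if [ -e "$file" ] && awk -v u="$user" '$1==u && $2=="pptpd"{f=1} END{exit !f}' "$file"; then
        echo "user $user already has a pptpd record" >&2; return 2
    fi
    # Create the file owner-only before any secret is written, then append
    [ -e "$file" ] || ( umask 077; : > "$file" )
    chmod 600 "$file"
    printf '%s pptpd %s %s\n' "$user" "$secret" "$ip" >> "$file"
}

if [ "$#" -ge 3 ]; then
    add_pptp_user "$@"
fi
```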
To apply the settings, restart the pptpd service and add it to autostart:
sudo systemctl restart pptpd
sudo systemctl enable pptpd
The server configuration is complete.
Client configuration
Open "Start" - "Settings" - "Network & Internet" - "VPN" and click "Add a VPN connection".
Enter the connection parameters in the window that opens and click "Save":
- VPN provider: "Windows (built-in)"
- Connection name: "vpn_connect" (you can choose any name)
- Server name or address: (specify the external IP address of the server)
- VPN type: "Auto"
- Type of sign-in info: "User name and password"
- User name: vpnuser (the name defined in the "chap-secrets" file on the server)
- Password: 1 (as set in the "chap-secrets" file)
After saving the parameters, you will see the new VPN connection in the window. Left-click the connection and select "Connect". If the connection succeeds, you will see the "Connected" status.
In the connection properties, you will find the internal addresses of the client and the server. The "Destination address" field shows the server's external address.
Once connected, the server's internal IP address, 172.16.0.1 in our case, becomes the gateway for all outgoing packets.
Using any online service, you can check that your computer's public IP address now matches the IP address of your VPN server.
OpenVPN server
Server configuration
Let's elevate the current user's privileges, because the rest of the configuration requires root access.
sudo -s
Install all the required packages. We will need the "easy-rsa" package to manage the encryption keys:
apt install openvpn easy-rsa iptables-persistent
Allow incoming connections on port 1194 over UDP and save the iptables rules:
sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT
sudo netfilter-persistent save
Create a directory with the files copied from the "Easy-RSA" package and enter it:
make-cadir ~/openvpn
cd ~/openvpn
Create the Public Key Infrastructure (PKI):
./easyrsa init-pki
Create the root certificate of the Certificate Authority (CA):
./easyrsa build-ca
During the creation process, you will be asked to set a passphrase; remember it. You will also need to answer a few questions and enter information about the key owner. You can leave the default values shown in square brackets; press "Enter" to accept each one.
Create a private key and a certificate request. As the argument, specify an arbitrary name; in our case it is "vpn-server":
./easyrsa gen-req vpn-server nopass
Leave the Common Name value as the default.
Sign the generated server certificate request:
./easyrsa sign-req server vpn-server
At this step, answer "yes" to confirm the signing, then enter the passphrase created when the CA certificate was generated.
Generate the Diffie-Hellman parameters. They are used for the secure key exchange between the server and the client:
./easyrsa gen-dh
All the required files have been created. Let's create a "keys" folder in the OpenVPN working directory to store the keys, and copy the generated files there:
mkdir /etc/openvpn/keys
sudo cp pki/ca.crt pki/issued/vpn-server.crt pki/private/vpn-server.key pki/dh.pem /etc/openvpn/keys
Set up NAT with iptables rules. Create a file named nat in the /etc/openvpn/ directory and open it for editing. Replace eth0 with the name of your external interface (it was ens3 in the preparation section):
#!/bin/sh
# Reset firewall settings
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Allow replies to connections already established through the external interface (eth0 in our case, may vary)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH on the external interface (eth0 in our case, may vary)
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Allow OpenVPN connections (eth0 in our case, may vary)
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
# Allow everything arriving from the tunnel
iptables -A INPUT -i tun0 -j ACCEPT
# Allow VPN clients to reach the internet through the external interface (eth0 in our case, may vary)
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
# Allow only replies to client connections back into the tunnel (eth0 in our case, may vary).
# No unconditional eth0 -> tun0 ACCEPT here: it would match before the DROP below and defeat it.
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable masquerading for the VPN network (eth0 in our case, may vary)
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
# Deny other incoming connections from outside
iptables -A INPUT -i eth0 -j DROP
# Deny other transit traffic from outside into the tunnel (eth0 in our case, may vary)
iptables -A FORWARD -i eth0 -o tun0 -j DROP
sudo netfilter-persistent save
Save the file and make it executable:
sudo chmod 755 /etc/openvpn/nat
Copy the server configuration template:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
Open the "/etc/openvpn/server.conf" file for editing, make sure it contains the following lines, and edit them if necessary:
#Port, protocol, and interface
port 1194
proto udp
dev tun
#Paths to the certificates and keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn-server.crt
key /etc/openvpn/keys/vpn-server.key
dh /etc/openvpn/keys/dh.pem
#SHA256 HMAC for packet authentication
auth SHA256
#The extra tls-auth control-channel key is not used in this setup
#tls-auth ta.key 0
#Network parameters
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#Ping every 10 seconds; consider the peer down after 120 seconds without a reply
keepalive 10 120
#AES-256-GCM encryption for the tunnel
cipher AES-256-GCM
#Drop OpenVPN's privileges after launch
user nobody
group nogroup
#Keep the key material and tun device across restarts (needed once privileges are dropped)
persist-key
persist-tun
#Log verbosity
verb 3
#Log file
log-append /var/log/openvpn/openvpn.log
#Allow OpenVPN to run external scripts, then run the script that installs the firewall rules
script-security 2
up /etc/openvpn/nat
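Before restarting the service, it is worth checking the configuration for the mistakes that most often keep a setup like this from starting. The following shell function is an added example, not part of the original article (the function name check_openvpn_conf is ours): it verifies that every file named by ca, cert, key, dh and up exists, that the private key is not readable by other users, and that an up script is accompanied by script-security 2, which OpenVPN requires before it will run the script.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check an OpenVPN
# server.conf before restarting the service. Reports each problem on stdout and
# returns the number of problems found (0 = clean).
# Usage: check_openvpn_conf /etc/openvpn/server.conf

check_openvpn_conf() {
    conf=$1; problems=0
    # Every file named by these directives must exist and be readable
    for f in $(awk '$1=="ca"||$1=="cert"||$1=="key"||$1=="dh"||$1=="up"{print $2}' "$conf"); do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable file: $f"; problems=$((problems + 1))
        fi
    done
    # The server's private key must not be readable by group or others
    key=$(awk '$1=="key"{print $2}' "$conf")
    if [ -n "$key" ] && [ -r "$key" ]; then
        case $(ls -l "$key") in
            -??-------*) ;;
            *) echo "private key readable by others: $key"; problems=$((problems + 1)) ;;
        esac
    fi
    # OpenVPN only runs an "up" script when script-security is 2 or higher
    if grep -q '^up[[:space:]]' "$conf" && ! grep -Eq '^script-security[[:space:]]+[23]' "$conf"; then
        echo "up script configured but 'script-security 2' is missing"
        problems=$((problems + 1))
    fi
    return "$problems"
}

if [ "$#" -eq 1 ]; then
    check_openvpn_conf "$1"
fi
```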
Enable traffic forwarding on the server:
sudo sysctl -w net.ipv4.ip_forward=1
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
Start OpenVPN with this configuration:
systemctl restart openvpn@server
The server configuration is complete!
Client configuration
Go to the official OpenVPN site "https://openvpn.net" and open the "COMMUNITY" section.
Scroll down and download the installer for your operating system version. In our case, it is Windows 11 ARM64.
Install the application, leaving all settings at their defaults.
In the next step, you will need to prepare the following files on the server and transfer them to the client computer:
- the client's public and private keys;
- a copy of the certificate authority (CA) certificate;
- the configuration file template.
Connect to the server, elevate privileges, and go to the "~/openvpn" directory we created:
sudo -s
cd ~/openvpn
Create a private key and a certificate request for the client. As the argument, specify an arbitrary name; in our case it is "client1":
./easyrsa gen-req client1 nopass
Enter the passphrase we set when creating the root certificate and leave the Common Name value as the default.
Sign the generated client certificate request:
./easyrsa sign-req client client1
At this step, answer "yes" to confirm the signing, then enter the passphrase created when the CA certificate was generated.
For convenience, let's create a folder named "client1" in the home directory and copy into it all the files to be transferred to the client computer:
mkdir ~/client1
cp pki/issued/client1.crt pki/private/client1.key pki/ca.crt ~/client1/
Copy the client configuration template into the same directory, changing the file extension to ".ovpn" while copying:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client1/client.ovpn
Change the owner of the "~/client1/" directory and all the files in it so that they can be copied to the client computer. In our case, "mihail" becomes the owner:
chown -R mihail:mihail ~/client1
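As an alternative to transferring four files and editing key paths on the client, OpenVPN accepts the CA certificate, client certificate and key inline in the profile. The following shell function is an added example, not part of the original article (the names build_inline_profile and pem are ours; the server IP 203.0.113.10 in the test data is a placeholder): run it on the server inside "~/client1", as prepared above, to produce one self-contained profile whose "remote" line points at your server on port 1194.

```shell
#!/bin/sh
# Added example, not from the original article: bundle the CA certificate,
# client certificate and client key into a single self-contained .ovpn profile.
# Path-based ca/cert/key lines from the template are dropped and replaced by
# inline <ca>/<cert>/<key> blocks; the "remote" line is rewritten to the server.
# Usage: build_inline_profile ~/client1 <server_ip> ~/client1/client1-inline.ovpn

# Print only the PEM block of a file (Easy-RSA prepends a readable cert dump)
pem() {
    sed -n '/-----BEGIN /,/-----END /p' "$1"
}

build_inline_profile() {
    dir=$1; server_ip=$2; out=$3
    for f in client.ovpn ca.crt client1.crt client1.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # The output embeds the private key, so create it owner-readable only
    ( umask 077; : > "$out" ) || return 1
    {
        awk -v ip="$server_ip" '
            $1 == "ca" || $1 == "cert" || $1 == "key" { next }   # replaced by inline blocks
            $1 == "remote" { print "remote " ip " 1194"; next } # point at our server
            { print }' "$dir/client.ovpn"
        printf '<ca>\n';   pem "$dir/ca.crt";      printf '</ca>\n'
        printf '<cert>\n'; pem "$dir/client1.crt"; printf '</cert>\n'
        printf '<key>\n';  pem "$dir/client1.key"; printf '</key>\n'
    } >> "$out"
}

if [ "$#" -eq 3 ]; then
    build_inline_profile "$@"
fi
```

The resulting file is the only one that needs to reach the Windows machine; place it in the OpenVPN "config" directory and the GUI will pick it up without path edits.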
Go to the client computer and copy the contents of the "~/client1/" folder. You can do this with the "PSCP" utility, which ships with PuTTY:
PSCP -r mihail@[server_IP]:/home/mihail/client1 c:\client1
You can store the key files "ca.crt", "client1.crt" and "client1.key" anywhere you like. In our case, they are in the "c:\Program Files\OpenVPN\keys" folder, and we place the configuration file "client.ovpn" in the "c:\Program Files\OpenVPN\config" directory.
Now let's configure the client. Open the "c:\Program Files\OpenVPN\config\client.ovpn" file in a text editor and edit the following lines:
#announce that this is the client
client
#interface and protocol, just like on the server
dev tun
proto udp
#IP address of the server and port (replace ip_address with the server's external IP)
remote ip_address 1194
#keep the key material and tun device across restarts
persist-key
persist-tun
#key paths (the CA file is ca.crt, as copied from the server)
ca "c:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "c:\\Program Files\\OpenVPN\\keys\\client1.crt"
key "c:\\Program Files\\OpenVPN\\keys\\client1.key"
#only accept a certificate issued for a server (signed with "sign-req server")
remote-cert-tls server
#the extra tls-auth control-channel key is not used in this setup
#tls-auth ta.key 1
#cipher and HMAC must match the server configuration
cipher AES-256-GCM
auth SHA256
#do not keep the credentials cached in memory
auth-nocache
verb 3
Leave the rest untouched.
Save the file and launch the "OpenVPN GUI" client application.
Right-click the application icon in the taskbar and select "Connect". If the connection succeeds, the icon turns green.
Use any online service to confirm that your public IP address has changed and now matches the server's IP address.