Today, VPN technology is very popular. Ordinary users use a VPN to access the Internet securely. It also helps to get around locally blocked websites and services and protects against possible malicious behavior from outside. When you connect to a VPN server, there is a secure tunnel between your computer and the server that cannot be accessed from outside, so the VPN server becomes your Internet access point. There are many VPN services out there, both free and paid, but if they do not work for you for some reason, you can always set up your own VPN server.
To run your own VPN, you need to rent a VPS server. There is a variety of software that lets you create a VPN connection. The packages differ from one another in the operating systems they support and the algorithms they use. We will look at two independent ways to set up a VPN server. The first is based on the PPTP protocol, which is already considered obsolete and insecure but is really easy to configure. The other uses the modern and secure OpenVPN software, but requires installing a third-party client application and a more thorough setup process.
In our test environment, we will use a virtual server running Ubuntu Server 18.04. The firewall will be switched off on the server because configuring it deserves a separate article. We will describe the client setup process on Windows 10.
Preparation
Regardless of which VPN server you choose, Internet access will be set up with the operating system's built-in tools. To open Internet access through the server's external interface, you must allow packet forwarding between interfaces and configure network address translation.
To turn on packet forwarding, open the file "/etc/sysctl.conf" and change the value of the "net.ipv4.ip_forward" parameter to 1.

To apply the changes without rebooting the server, run the command
sudo sysctl -p /etc/sysctl.conf
Network address translation is configured with iptables. First, check the name of your external network interface with the command "ip link show" - you will need it in the next step. Ours is named "ens3".

Enable network address translation on the external interface for all local network nodes.
sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
Note that you need to specify the actual interface name of your server; it may differ from ours.
By default, all rules created by iptables are reset after the server restarts. To prevent that, use the "iptables-persistent" utility. Install the following package:
sudo apt install iptables-persistent
At some point during the installation, you will see a configuration window offering to save the current iptables rules. Since the rules are already defined, just confirm and select "Yes" twice. From now on the rules will be applied automatically after the server restarts.
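The preparation steps above as a re-runnable script (an added example, not part of the original article). The function names are made up for this illustration; "iptables -C" tests whether a rule already exists, and "netfilter-persistent save" is the command shipped with iptables-persistent for writing the current rules to disk.

```sh
#!/bin/sh
# Added example: the preparation steps as functions that are safe to re-run.

# Set net.ipv4.ip_forward=1 in the sysctl.conf-style file $1. Handles the key
# being commented out (as Ubuntu ships it), set to 0, duplicated or absent.
set_ip_forward() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*#?[ \t]*net\.ipv4\.ip_forward[ \t]*=/ {
            if (!done) { print "net.ipv4.ip_forward=1"; done = 1 }
            next    # drop the old value and any duplicate
        }
        { print }
        END { if (!done) print "net.ipv4.ip_forward=1" }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Succeed only if the file has an active (uncommented) ip_forward=1 line.
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Add the MASQUERADE rule for interface $1 only if it is not there yet, so a
# second run does not stack duplicate rules. Needs root.
ensure_masquerade() {
    iptables -t nat -C POSTROUTING -o "$1" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE
}

# Typical use as root (ens3 is the article's interface name; use your own):
#   set_ip_forward /etc/sysctl.conf && sysctl -p /etc/sysctl.conf
#   ensure_masquerade ens3 && netfilter-persistent save
```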

PPTP server
Server configuration
Install the package:
sudo apt install pptpd
After the installation finishes, open the file "/etc/pptpd.conf" in any text editor and edit it as follows:
#path to the settings file
option /etc/ppp/pptpd-options
#client connections logging mechanism
logwtmp
#number of simultaneous connections
connections 100
#the address that will serve as a client gateway
localip 172.16.0.1
#range of addresses
remoteip 172.16.0.2-200
After that, edit the file "/etc/ppp/pptpd-options". Most of the parameters are set by default.
#name of the service for new client records
name pptpd
#restrict obsolete authentication methods
refuse-pap
refuse-chap
refuse-mschap
#allow a more secure authentication method
require-mschap-v2
#enable encryption
require-mppe-128
#specify dns servers for clients (use any available servers)
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp
novj
novjccomp
nologfd
In the next step, you need to create a record for client connections. Let's say you want to add the user "vpnuser" with the password "1" and allow dynamic addressing for it. Open the file "/etc/ppp/chap-secrets" and add the following line with the user's parameters at the end of the file:
vpnuser pptpd 1 *
The "pptpd" value is the service name that we specified in the "pptpd-options" file. Instead of "*" you can specify a fixed IP address. As a result, the "chap-secrets" file should look like this:

To apply the settings, restart the pptpd service and add it to autostart.
sudo systemctl restart pptpd
sudo systemctl enable pptpd
The server configuration is complete.
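The "chap-secrets" file keeps every password in plain text, and the one-character password above is only suitable for a test. The following audit of that file is an added example, not part of the original article; the function name and the 16-character minimum are assumptions, not something pptpd enforces.

```sh
#!/bin/sh
# Added example: audit a pppd chap-secrets file (fields: client server secret IP).
# MIN_LEN is an assumed policy value; override it in the environment if needed.
MIN_LEN=${MIN_LEN:-16}

# Print one finding per line; print nothing when no problem is found.
# Assumes secrets contain no whitespace (quoted secrets are not parsed).
# The secret itself is never printed.
audit_chap_secrets() {
    file=$1
    # Plaintext passwords: only the owner should be able to read the file.
    if [ -n "$(find "$file" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "$file: readable by group or others, expected mode 600"
    fi
    awk -v min="$MIN_LEN" '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        NF < 3 { printf "line %d: fewer than 3 fields\n", NR; next }
        length($3) < min {
            printf "line %d: secret for %s on %s is shorter than %d characters\n",
                   NR, $1, $2, min
        }
    ' "$file"
}

# Typical use as root:
#   audit_chap_secrets /etc/ppp/chap-secrets
```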
Client configuration
Open "Start" - "Settings" - "Network & Internet" - "VPN" and click "Add a VPN connection".

Enter the connection parameters in the window that opens and click "Save".
- VPN provider: "Windows (built-in)"
- Connection name: "vpn_connect" (you can choose any name)
- Server name or address: (specify the server's external IP address)
- VPN type: "Automatic"
- Type of sign-in info: "User name and password"
- User name: vpnuser (the name specified in the "chap-secrets" file on the server)
- Password: 1 (as in the "chap-secrets" file)
After saving the parameters, you will see the new VPN connection in the window. Left-click the connection and select "Connect". If the connection succeeds, you will see the "Connected" status.

In the connection details, you will find the internal addresses of the client and the server. The "Destination address" field shows the external server address.

Once connected, the server's internal IP address, 172.16.0.1 in our case, becomes the default gateway for all outgoing packets.

Using any online service, you can verify that the computer's external IP address is now the same as the IP address of your VPN server.
OpenVPN server
Server configuration
Let's elevate the current user's privilege level, because the rest of the configuration requires root access.
sudo -s
Install all the required packages. We will need the "Easy-RSA" package to manage the encryption keys.
apt install openvpn easy-rsa
Create a symbolic link to the OpenSSL configuration file. Otherwise, the system will throw an error when it tries to load the variables.
ln -s /usr/share/easy-rsa/openssl-1.0.0.cnf /usr/share/easy-rsa/openssl.cnf
Go to the easy-rsa working directory, load the variables and clear the old configuration.
cd /usr/share/easy-rsa/
source ./vars
./clean-all
Then proceed to creating the keys. Generate the Diffie-Hellman key. It may take a while.
./build-dh

./build-ca
During that process, you will have to answer some questions and enter information about the key owner. You can leave the default values shown in brackets. Press "Enter" to finish.
Create the server keys. Set any value as the parameter. In our case, it is "vpn-server".
./build-key-server vpn-server
Answer the questions as in the previous step or leave the default values. Press "Y" twice at the final stage.

Key generation is complete. You can now find all the files in the "/usr/share/easy-rsa/keys" folder.

Now let's create a "keys" folder in the OpenVPN working directory to store the keys, and copy all the necessary files there.
mkdir /etc/openvpn/keys
#the generated files are in the keys subfolder
cd /usr/share/easy-rsa/keys/
cp ca.crt dh2048.pem vpn-server.key vpn-server.crt /etc/openvpn/keys/
Copy the configuration file template and unpack it into the "/etc/openvpn/" directory.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
Open the file "/etc/openvpn/server.conf" for editing, make sure it contains the following lines, and edit them if necessary:
#Port, protocol, and interface
port 1194
proto udp
dev tun
#Path to the encryption keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn-server.crt
key /etc/openvpn/keys/vpn-server.key
dh /etc/openvpn/keys/dh2048.pem
#Network parameters
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#Switching off additional encryption
#tls-auth ta.key 0
#Switching on compression
compress lz4-v2
push "compress lz4-v2"
#Demoting the service OpenVPN after launch
user nobody
group nogroup
#Switching on parameters saving after reboot
persist-key
persist-tun
#Redirecting logs
log /var/log/openvpn/openvpn.log
Leave the rest unchanged.
Restart OpenVPN to apply the configuration.
systemctl restart openvpn
The server configuration is complete!
Client configuration
Go to the official OpenVPN website "https://openvpn.net", open the "COMMUNITY" - "DOWNLOADS" section

and download the installer for your operating system. In our case, it is Windows 10.

Install the application, leaving all parameters at their defaults.
In the next step, you need to prepare the following files on the server and transfer them to the client computer:
- the public and private keys;
- a copy of the certification authority key;
- the configuration file template.
Connect to the server, elevate your privileges, go to the "easy-rsa" working directory and load the variables.
sudo -s
cd /usr/share/easy-rsa/
source ./vars
Create the client key pair. Set any name as the parameter (in our case, "client1").
./build-key client1
Answer the questions by entering your details, or just press "ENTER" to leave the default values. After that, press "Y" twice.

You can find the generated keys in the "/usr/share/easy-rsa/keys/" folder. For convenience, create a "client1" folder in the home directory and copy into it all the files that need to be distributed to the client.
cd /usr/share/easy-rsa/keys/
mkdir ~/client1
cp client1.crt client1.key ca.crt ~/client1/
Copy the client configuration file template to the same directory. Change the file extension to ".ovpn" while copying.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client1/client.ovpn
Change the owner of the "~/client1/" directory and all files in it so that you can distribute them to the client. In our case, we make "mihail" the owner.
chown -R mihail:mihail ~/client1
Go to the client computer and copy the contents of the "~/client1/" folder. You can do that with the "PSCP" utility, which comes with PuTTY.
PSCP -r mihail@[IP_сервера]:/home/mihail/client1 c:\client1
You can store the key files "ca.crt", "client1.crt" and "client1.key" anywhere you like. In our case, they are in the folder "c:\Program Files\OpenVPN\keys", and we moved the config file "client.ovpn" into the "c:\Program Files\OpenVPN\config" directory.
Now let's start configuring the client. Open the file "c:\Program Files\OpenVPN\config\client.ovpn" in a text editor and edit the following lines:
#announce that this is the client
client
#interface and protocol just like on the server
dev tun
proto udp
#IP address of the server and port
remote ip_address 1194
#saving parameters after reload
persist-key
persist-tun
#key paths
ca "c:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "c:\\Program Files\\OpenVPN\\keys\\client1.crt"
key "c:\\Program Files\\OpenVPN\\keys\\client1.key"
#enable server verification
remote-cert-tls server
#disable extra encryption
#tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
auth-nocache
verb 3
Leave the rest untouched.
Save the file and open the "OpenVPN GUI" client application.

Right-click the application icon in the taskbar and select "Connect". If the connection succeeds, the icon turns green.
Use any online service to make sure that your public IP address has changed and is now the same as the server's IP address.
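A consistency check for the "server.conf" and "client.ovpn" files edited in this section (an added example, not part of the original article). It compares the settings the client has to share with the server (proto, dev and the port) and flags typographic quotes, which OpenVPN does not treat as quoting characters; the function names are hypothetical, and only the first active occurrence of each directive is read.

```sh
#!/bin/sh
# Added example: cross-check an OpenVPN server.conf against a client.ovpn.

# Print the arguments of the first active (uncommented) directive $1 in file $2.
ovpn_get() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }      # "#" and ";" both start a comment line
        $1 == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$2"
}

# Print one line per problem; print nothing when the pair is consistent.
ovpn_check_pair() {
    server=$1
    client=$2
    for key in proto dev; do
        s=$(ovpn_get "$key" "$server")
        c=$(ovpn_get "$key" "$client")
        [ "$s" = "$c" ] || echo "$key differs: server='$s' client='$c'"
    done
    sport=$(ovpn_get port "$server")
    # "remote <host> <port>": the port is the second argument.
    cport=$(ovpn_get remote "$client" | awk '{ print $2 }')
    [ "$sport" = "$cport" ] || echo "port differs: server='$sport' client='$cport'"
    # U+201C and U+201D as UTF-8 bytes, matched byte-wise in the C locale.
    q1=$(printf '\342\200\234')
    q2=$(printf '\342\200\235')
    for f in "$server" "$client"; do
        if LC_ALL=C grep -q -e "$q1" -e "$q2" "$f"; then
            echo "$f: typographic quotes found, use plain \" quotes"
        fi
    done
}

# Typical use, with both files copied to one machine:
#   ovpn_check_pair server.conf client.ovpn
```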