OpenVPN Server and Client Installation and Configuration on Debian 7


This article explains how to get IPv6 connectivity over OpenVPN using Debian Linux. The procedure has been tested with Debian 7 on a KVM VPS with IPv6 connectivity as the server, and a Debian 7 desktop as the client. The commands are to be run as root.

OpenVPN is a VPN system that uses SSL/TLS to create secure, encrypted VPN connections through which your Internet traffic is routed, thus preventing snooping. OpenVPN is very good at traversing firewalls. In fact, if the situation requires it, it can run on the same TCP port as HTTPS (443), which makes the traffic look like HTTPS and therefore very hard to block.

OpenVPN can use several methods, such as pre-shared secret keys, certificates or usernames/passwords, to let clients authenticate to the server. OpenVPN uses the OpenSSL library and implements many security and control features, such as challenge-response authentication, single sign-on capability, load balancing and failover, and multi-daemon support.

Think secure communications - think OpenVPN. If you don't want anyone snooping on your Internet traffic, use OpenVPN to route all of your traffic through a strongly encrypted, secure tunnel.

This is especially important when connecting to public WiFi networks at airports and other places. You can never be sure who is snooping on your traffic. You can tunnel your traffic through your own OpenVPN server to avoid snooping.

If you are in one of those countries that constantly monitor all your traffic and block websites at will, you can use OpenVPN on TCP port 443 to make it indistinguishable from HTTPS traffic. You can even combine OpenVPN with other security strategies, such as running your OpenVPN tunnel over an SSL tunnel, to beat Deep Packet Inspection techniques that may be able to identify OpenVPN signatures.

OpenVPN has very modest requirements. A system with 64 MB of RAM and 1 GB of disk space is enough to run OpenVPN. OpenVPN runs on almost all major operating systems.

Installation and configuration of OpenVPN on Debian 7

Run the following command to install OpenVPN.

# apt-get install openvpn

By default, the easy-rsa scripts are installed under the '/usr/share/doc/openvpn/examples/easy-rsa/' directory. So we need to copy these scripts to the desired location, i.e. /root/easy-rsa.

# mkdir /root/easy-rsa
# cp -prv /usr/share/doc/openvpn/examples/easy-rsa/2.0/. /root/easy-rsa/
# cd /root/easy-rsa

Open the 'vars' file and make the following changes, but before making any changes I suggest you take a backup of the original file.

# cp vars{,.orig}

Using your text editor, set the default values for easy-rsa. For example:

KEY_SIZE=4096
KEY_COUNTRY="IN"
KEY_PROVINCE="UP"
KEY_CITY="Noida"
KEY_ORG="Home"
KEY_EMAIL="your-email@example.com"

Here, I'm using a 4096 bit key. You can use a 1024, 2048, 4096 or 8192 bit key as you wish.

Export the default values by running the command.

# source ./vars

Clean out any previously created certificates.

# ./clean-all

Next, run the following command to generate the CA certificate and CA key.

# ./build-ca

Generate the server certificate by running the command. Replace 'server-name' with the name of your server.

# ./build-key-server server-name

Generate the Diffie-Hellman PEM file.

# ./build-dh

Generate the client certificate. Replace 'client-name' with the name of your client.

# ./build-key client-name

Generate the HMAC (tls-auth) key.

# openvpn --genkey --secret /root/easy-rsa/keys/ta.key

Copy the certificates to the client and server machines as follows.

  1. Make sure ca.crt is on both the client and the server.
  2. The ca.key key should be on the client.
  3. The server needs the server certificate and key (server-name.crt and server-name.key), dh4096.pem and ta.key.
  4. The client certificate and key (client.crt and client.key) and ta.key should be on the client.

To put the keys and certificates in place on the server, run the commands.

# mkdir -p /etc/openvpn/certs
# cp -pv /root/easy-rsa/keys/{ca.{crt,key},server-name.{crt,key},ta.key,dh4096.pem} /etc/openvpn/certs/
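The list above says which file goes where. The following added script (example code, not part of the page's procedure) stages the easy-rsa output into one directory per role so that nothing beyond what that role's configuration references travels with the bundle, and sets owner-only permissions on the private keys. It assumes the file names used on this page (ca.crt, ta.key, dh4096.pem and name.crt/name.key) and constructs placeholder files for its demo. It deliberately leaves ca.key out of both bundles: ca.key is the CA's private key, and whoever holds it can sign certificates the server will trust, so this example keeps it only on the machine that runs build-key.

```shell
#!/bin/sh
# Stage the easy-rsa output into one directory per role, with owner-only
# permissions on private keys. Example code; the directory layout and the
# demo file names are assumptions, the key file names follow the page.

# Usage: stage_bundles <easy-rsa keys dir> <output dir> <server-name> <client-name>
stage_bundles() {
    keys="$1"; out="$2"; srv="$3"; cli="$4"
    old_umask=$(umask)
    umask 077                       # new directories are owner-only
    mkdir -p "$out/server" "$out/client-$cli" || return 1

    # Server side: exactly what server.conf references (ca, cert, key, dh, tls-auth)
    for f in ca.crt "$srv.crt" "$srv.key" dh4096.pem ta.key; do
        cp -p "$keys/$f" "$out/server/$f" || return 1
    done
    # Client side: exactly what client.conf references (ca, cert, key, tls-auth).
    # ca.key is NOT copied: it only belongs on the machine that signs certificates.
    for f in ca.crt "$cli.crt" "$cli.key" ta.key; do
        cp -p "$keys/$f" "$out/client-$cli/$f" || return 1
    done
    umask "$old_umask"

    # Private keys and the tls-auth key are readable by their owner only
    chmod 600 "$out"/server/*.key "$out/client-$cli"/*.key
}

# Return 0 if a bundle holds only cert/key/pem files and no CA private key.
bundle_is_clean() {
    dir="$1"
    [ ! -e "$dir/ca.key" ] || return 1
    for f in "$dir"/*; do
        case "${f##*/}" in
            *.crt|*.key|*.pem) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Demo on constructed placeholder files (not real keys) in a temporary
# directory; prints the output directory.
demo_stage() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/keys"
    for f in ca.crt ca.key vpn1.crt vpn1.key dh4096.pem ta.key laptop.crt laptop.key; do
        echo "placeholder for $f" > "$tmp/keys/$f"
    done
    stage_bundles "$tmp/keys" "$tmp/out" vpn1 laptop || return 1
    echo "$tmp/out"
}

if [ "${1:-}" = demo ]; then demo_stage; fi
```

Run it as `sh stage.sh demo` to see the layout it produces; for a real deployment call `stage_bundles /root/easy-rsa/keys /root/bundles server-name client-name` and copy the `client-*` directory to the client over an authenticated channel such as scp.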

Now you need to configure the OpenVPN server. Open the file '/etc/openvpn/server.conf' and make the changes explained below.

script-security 3 system
port 1194
proto udp
dev tap

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server-name.crt
key /etc/openvpn/certs/server-name.key
dh /etc/openvpn/certs/dh4096.pem
tls-auth /etc/openvpn/certs/ta.key 0

server 192.168.88.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 1800 4000

cipher DES-EDE3-CBC # Triple-DES
comp-lzo

max-clients 10

user nobody
group nogroup

persist-key
persist-tun

#log openvpn.log
#status openvpn-status.log
verb 5
mute 20

Enable IP forwarding on the server.

# echo 1 > /proc/sys/net/ipv4/ip_forward

Run the following command to make OpenVPN start at boot.

# update-rc.d -f openvpn defaults

Start the OpenVPN service.

# service openvpn restart

Run the following command to install OpenVPN on the client machine.

# apt-get install openvpn

Using a text editor, create the OpenVPN client configuration in '/etc/openvpn/client.conf' on the client. A sample configuration follows:

script-security 3 system
client
remote vpn_server_ip
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/client.crt
key /etc/openvpn/certs/client.key
cipher DES-EDE3-CBC
comp-lzo yes
dev tap
proto udp
tls-auth /etc/openvpn/certs/ta.key 1
nobind
auth-nocache
persist-key
persist-tun
user nobody
group nogroup
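The server and client configurations above both select cipher DES-EDE3-CBC (3DES, a 64-bit block cipher), enable comp-lzo and use script-security level 3, and the client never checks that the certificate it is offered is a server certificate, so any client certificate signed by the same CA could impersonate the server. The following added audit script (example code, neither from this page nor from the OpenVPN project) greps a configuration for those settings and writes a hardened copy with AES-256-CBC, compression off, script-security 2 (enough for the scripts used on this page) and, for clients, remote-cert-tls server; all of these directives exist in the OpenVPN 2.2 that Debian 7 ships. The function names, file paths and the embedded sample files, which are constructed copies of the settings shown above, are assumptions.

```shell
#!/bin/sh
# Audit an OpenVPN 2.x configuration for settings a security reviewer would
# flag, and produce a hardened copy. Example code; sample configs below are
# constructed copies of this page's server.conf and client.conf.

# Print one finding per line; return the number of findings (0 = clean).
audit_ovpn_conf() {
    conf="$1"; role="$2"      # role is "server" or "client"
    n=0
    body=$(sed 's/#.*//' "$conf")          # drop comments before matching

    cipher=$(printf '%s\n' "$body" | awk '$1=="cipher"{print $2}')
    case "${cipher:-BF-CBC}" in            # OpenVPN 2.x defaults to BF-CBC when unset
        BF-CBC|DES-CBC|DES-EDE3-CBC)
            echo "cipher ${cipher:-unset (BF-CBC)}: 64-bit block cipher, use AES-256-CBC"
            n=$((n+1)) ;;
    esac
    if printf '%s\n' "$body" | grep -q '^[[:space:]]*comp-lzo'; then
        echo "comp-lzo: compressing traffic leaks information about its content"
        n=$((n+1))
    fi
    if printf '%s\n' "$body" | grep -q '^[[:space:]]*script-security[[:space:]]*3'; then
        echo "script-security 3: passes passwords to scripts via the environment; level 2 suffices here"
        n=$((n+1))
    fi
    if ! printf '%s\n' "$body" | grep -q '^[[:space:]]*tls-auth'; then
        echo "tls-auth: missing, the control channel has no HMAC protection"
        n=$((n+1))
    fi
    if [ "$role" = client ] && ! printf '%s\n' "$body" | grep -q '^[[:space:]]*remote-cert-tls[[:space:]]*server'; then
        echo "remote-cert-tls server: missing, any CA-signed certificate could impersonate the server"
        n=$((n+1))
    fi
    return $n
}

# Write a hardened copy: AES-256-CBC, compression off, script-security 2,
# and (for clients) remote-cert-tls server.
harden_ovpn_conf() {
    src="$1"; dst="$2"; role="$3"
    sed -e 's/^[[:space:]]*cipher .*/cipher AES-256-CBC/' \
        -e 's/^[[:space:]]*comp-lzo.*/# comp-lzo disabled/' \
        -e 's/^[[:space:]]*script-security[[:space:]]*3/script-security 2/' "$src" > "$dst"
    [ "$role" = client ] && echo "remote-cert-tls server" >> "$dst"
    return 0
}

# Constructed samples with the settings shown on this page, for a self-contained run.
write_sample_confs() {
    dir="$1"
    cat > "$dir/server.conf" <<'EOF'
script-security 3 system
port 1194
proto udp
dev tap
tls-auth /etc/openvpn/certs/ta.key 0
server 192.168.88.0 255.255.255.0
cipher DES-EDE3-CBC # Triple-DES
comp-lzo
user nobody
group nogroup
EOF
    cat > "$dir/client.conf" <<'EOF'
script-security 3 system
client
remote vpn_server_ip
cipher DES-EDE3-CBC
comp-lzo yes
tls-auth /etc/openvpn/certs/ta.key 1
EOF
}
```

Against the page's own settings the audit reports three findings for the server and four for the client; after `harden_ovpn_conf` both report none. Note that the hardened cipher must be changed on the server and on every client at the same time, since the `cipher` directive has to match on both ends.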

Run the following command to make OpenVPN start at boot.

# update-rc.d -f openvpn defaults

Start the OpenVPN service on the client.

# service openvpn restart

Once you are satisfied that OpenVPN is working properly over IPv4, here is how to get IPv6 working over OpenVPN.

Add the following lines to the end of the server configuration file '/etc/openvpn/server.conf'.

client-connect /etc/openvpn/client-connect.sh
client-disconnect /etc/openvpn/client-disconnect.sh

These two scripts build/tear down the IPv6 tunnel whenever a client connects/disconnects.

Here is the content of client-connect.sh.

#!/bin/bash
# Prefix of the /64 your provider routed to this server (adjust to yours)
BASERANGE="2a00:dd80:003d:000c"
# $dev is exported by OpenVPN and names the tunnel interface (tap0 here)
ifconfig $dev up
# Server end of the IPv6 tunnel
ifconfig $dev add ${BASERANGE}:1001::1/64
# Answer neighbour solicitations for the client's address on eth0 (needs proxy_ndp=1)
ip -6 neigh add proxy 2a00:dd80:003d:000c:1001::2 dev eth0
exit 0

My host has assigned me IPv6 addresses from the 2a00:dd80:003d:000c::/64 block. So I use 2a00:dd80:003d:000c as BASERANGE. Change this value to whatever your host has assigned you.

Whenever a client connects to OpenVPN, this script assigns the address 2a00:dd80:003d:000c:1001::1 as the IPv6 address of the server's tap0 interface.

The last line sets up Neighbor Discovery for our tunnel. I have added the IPv6 address of the client's tap0 interface as a proxy address.

Here is the content of client-disconnect.sh.

#!/bin/bash
BASERANGE="2a00:dd80:003d:000c"
# Delete exactly the address that client-connect.sh added
/sbin/ip -6 addr del ${BASERANGE}:1001::1/64 dev $dev
exit 0

This just removes the server's IPv6 tunnel address when the client disconnects. Adjust the value of BASERANGE as appropriate.

Make the scripts executable.

# chmod 700 /etc/openvpn/client-connect.sh
# chmod 700 /etc/openvpn/client-disconnect.sh
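client-connect.sh adds the address 2a00:dd80:003d:000c:1001::1/64 and a proxy-ND entry, and client-disconnect.sh has to delete exactly the same address (and ideally the proxy entry too); when the two files are maintained separately the add and the delete easily drift apart. The following added script (example code, not the page's own scripts) computes both addresses in one place and serves both hooks, so that the delete can never differ from the add. Assumptions: it is installed as /etc/openvpn/ipv6-tunnel.sh and referenced as `client-connect "/etc/openvpn/ipv6-tunnel.sh connect"` and `client-disconnect "/etc/openvpn/ipv6-tunnel.sh disconnect"`; the DRYRUN variable, the SUBNET label and the function names are mine; it uses `ip` throughout instead of mixing ifconfig and ip. OpenVPN exports $dev to both hooks, and for client-connect appends a temporary file name after the arguments, which the script ignores.

```shell
#!/bin/sh
# One script for both server-side OpenVPN hooks: the address added on connect
# and the address deleted on disconnect come from the same function.
# Example code; prefix, label, interface names and DRYRUN are assumptions.
# With DRYRUN=1 the commands are printed instead of executed.

BASERANGE=${BASERANGE:-2a00:dd80:003d:000c}   # the /64 your provider routed to you
SUBNET=${SUBNET:-1001}                        # 16-bit label that sets the tunnel apart
WAN=${WAN:-eth0}                              # interface facing the upstream router

# Server end of the tunnel and the client's address, derived from one place.
server_addr() { printf '%s:%s::1\n' "$BASERANGE" "$SUBNET"; }
client_addr() { printf '%s:%s::2\n' "$BASERANGE" "$SUBNET"; }

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

tunnel_connect() {
    run ip link set dev "$dev" up
    run ip -6 addr add "$(server_addr)/64" dev "$dev"
    # Answer Neighbor Solicitations for the client's address on the WAN side so
    # the upstream router delivers its traffic to us (requires proxy_ndp=1).
    run ip -6 neigh add proxy "$(client_addr)" dev "$WAN"
}

tunnel_disconnect() {
    # Undo connect in reverse order, using the very same addresses
    run ip -6 neigh del proxy "$(client_addr)" dev "$WAN"
    run ip -6 addr del "$(server_addr)/64" dev "$dev"
}

tunnel_main() {
    case "$1" in
        connect)    tunnel_connect ;;
        disconnect) tunnel_disconnect ;;
        *) echo "usage: $0 {connect|disconnect}" >&2; return 1 ;;
    esac
}

# Dispatch only when invoked with a hook name; sourcing the file for tests does nothing.
case "${1:-}" in connect|disconnect) tunnel_main "$1" ;; esac
```

Before installing, `DRYRUN=1 dev=tap0 sh ipv6-tunnel.sh connect` prints the three commands it would run, which is a cheap way to review the addresses without touching the interface.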

Add the following entries to '/etc/rc.local' (you can also set the corresponding sysctls in /etc/sysctl.conf).

echo 1 >/proc/sys/net/ipv6/conf/all/proxy_ndp
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
/etc/init.d/firewall stop && /etc/init.d/firewall start

These entries enable Neighbor Discovery proxying and forwarding. I have also added a firewall.

Create '/etc/init.d/firewall' and put the following content in it.

#!/bin/sh
# description: Firewall
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
case "$1" in
start)
# IPv4: start from empty INPUT/FORWARD chains so a restart does not append duplicates
$IPT -F INPUT
$IPT -F FORWARD
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
$IPT -A INPUT -i tap+ -j ACCEPT
$IPT -A FORWARD -i tap+ -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT the VPN pool (the subnet from the 'server' line in server.conf) out of eth0
$IPT -t nat -F POSTROUTING
$IPT -t nat -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE
$IPT -A INPUT -i eth0 -j DROP
# IPv6: allow SSH and ICMPv6 in, forward the delegated /64 from the tunnel to eth0
$IPT6 -F INPUT
$IPT6 -F FORWARD
$IPT6 -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPT6 -A INPUT -i eth0 -p icmpv6 -j ACCEPT
$IPT6 -A FORWARD -s 2a00:dd80:003d:000c::/64 -i tap0 -o eth0 -j ACCEPT
$IPT6 -A INPUT -i eth0 -j DROP
exit 0
;;
stop)
$IPT -F
$IPT -t nat -F
$IPT6 -F
exit 0
;;
*)
echo "Usage: /etc/init.d/firewall {start|stop}"
exit 1
;;
esac
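The MASQUERADE rule in the firewall has to cover the pool that the `server` line in server.conf hands out (192.168.88.0/24 above); if the two disagree, client IPv4 traffic leaves eth0 with a private source address and is silently dropped upstream, which looks like a broken tunnel. The following added check (example code, not from this page) parses the `server` line, converts its netmask to a prefix length, extracts the `-s` subnet of the POSTROUTING rule and compares them. The function names and the sample files it writes, which are constructed, are assumptions; the file paths are the ones used on this page.

```shell
#!/bin/sh
# Cross-check the firewall's MASQUERADE source subnet against the pool that
# server.conf hands out. Example code; sample files are constructed.

# 255.255.255.0 -> 24. Returns 1 for a non-contiguous (invalid) netmask.
mask_to_prefix() {
    mask="$1"; bits=0; seen_zero=0
    oldifs=$IFS; IFS=.
    set -- $mask
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        i=7
        while [ $i -ge 0 ]; do
            if [ $(( (octet >> i) & 1 )) -eq 1 ]; then
                [ $seen_zero -eq 0 ] || return 1   # a 1 bit after a 0 bit: not a netmask
                bits=$((bits+1))
            else
                seen_zero=1
            fi
            i=$((i-1))
        done
    done
    echo "$bits"
}

# "server 192.168.88.0 255.255.255.0" in server.conf -> 192.168.88.0/24
vpn_pool_cidr() {
    set -- $(sed 's/#.*//' "$1" | awk '$1=="server"{print $2, $3; exit}')
    [ -n "$2" ] || return 1
    p=$(mask_to_prefix "$2") || return 1
    echo "$1/$p"
}

# Source subnet of the first MASQUERADE rule in the firewall script
nat_source_cidr() {
    sed -n 's/.*POSTROUTING.*-s[[:space:]]*\([0-9./]*\).*MASQUERADE.*/\1/p' "$1" | head -n 1
}

# 0 if pool and NAT source agree, 1 otherwise (prints both for the log)
check_nat_matches_pool() {
    pool=$(vpn_pool_cidr "$1") || return 1
    nat=$(nat_source_cidr "$2")
    echo "pool=$pool nat=$nat"
    [ "$pool" = "$nat" ]
}

# Constructed samples: the page's server line, one firewall with a mismatching
# subnet and one whose NAT rule matches the pool.
write_nat_samples() {
    dir="$1"
    printf 'port 1194\nserver 192.168.88.0 255.255.255.0\n' > "$dir/server.conf"
    printf '$IPT -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\n' > "$dir/firewall.bad"
    printf '$IPT -t nat -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE\n' > "$dir/firewall.good"
}
```

On the server, `check_nat_matches_pool /etc/openvpn/server.conf /etc/init.d/firewall` is a one-line sanity check to run after either file is edited; a non-zero exit means the next `firewall start` will NAT the wrong subnet.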

Run '/etc/rc.local' to start the firewall.

# sh /etc/rc.local

This completes the server-side changes.

Add the following as the last lines of your client configuration file '/etc/openvpn/client.conf'.

# create the ipv6 tunnel
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
# need this so when the client disconnects it tells the server
explicit-exit-notify

The up and down scripts build/tear down the client-side IPv6 endpoint on the client's tap0 interface whenever the client connects to or disconnects from the OpenVPN server.

Here is the content of up.sh.

#!/bin/bash
# Same prefix as BASERANGE on the server, written in compressed form
IPV6BASE="2a00:dd80:3d:c"
# $dev is exported by OpenVPN and names the tunnel interface (tap0 here)
ifconfig $dev up
# Client end of the IPv6 tunnel
ifconfig $dev add ${IPV6BASE}:1001::2/64
# Send all IPv6 traffic through the server end of the tunnel
ip -6 route add default via ${IPV6BASE}:1001::1
exit 0

The script assigns 2a00:dd80:3d:c:1001::2 as the client's IPv6 address and sets the default IPv6 route via the server.

Change IPV6BASE so that it is the same as BASERANGE in the server configuration.

Here is the content of down.sh.

#!/bin/bash
IPV6BASE="2a00:dd80:3d:c"
# Undo what up.sh did, using the same addresses: route first, then the address, then the link
/sbin/ip -6 route del ::/0 via ${IPV6BASE}:1001::1
/sbin/ip -6 addr del ${IPV6BASE}:1001::2/64 dev $dev
/sbin/ip link set dev $dev down
exit 0

This just removes the client's IPv6 address and tears down the IPv6 route when the client disconnects from the server.

Change IPV6BASE so that it is the same as BASERANGE in the server configuration, and make the scripts executable.

# chmod 700 /etc/openvpn/up.sh
# chmod 700 /etc/openvpn/down.sh

Optionally, edit '/etc/resolv.conf' and add Google's IPv6 nameservers for DNS resolution.

nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844

Restart openvpn on the server and then connect from the client. It should connect. Visit test-ipv6.com to check that your IPv6 connectivity over OpenVPN is working.

Reference links

OpenVPN home page