OpenVPN server installation and client configuration on Debian 7


This article describes how to get IPv6 connectivity over OpenVPN using Debian Linux. The procedure was tested on Debian 7 on a KVM VPS with IPv6 connectivity as the server, and on a Debian 7 desktop as the client. All commands below are run as root.

OpenVPN is a VPN program that uses SSL/TLS to build a secure, encrypted tunnel that carries your internet traffic and so prevents snooping. OpenVPN is good at passing through firewalls. If the situation calls for it, you can even run it on the same TCP port as HTTPS (443), so that a port-based filter cannot tell it apart from HTTPS and has a hard time blocking it (deep packet inspection can still recognise it, see below).

OpenVPN can authenticate clients to the server with a pre-shared secret key, with certificates, or with a username/password. It is built on the OpenSSL library and implements a range of security and control features such as challenge-response authentication, single sign-on capability, load balancing and failover, and multi-daemon support.

Think secure communications, think OpenVPN. If you don't want anyone snooping on your internet traffic, send all of it through an OpenVPN tunnel with strong encryption.

This matters most when you connect to public WiFi at airports and similar places, where you cannot know who is sniffing your traffic. Routing it through your own OpenVPN server prevents that snooping.

If you are in a country that inspects all traffic and blocks websites, you can run OpenVPN over TCP port 443 so that it looks like HTTPS. You can also combine OpenVPN with other obfuscation measures, such as wrapping the OpenVPN traffic in an SSL tunnel, to defeat deep packet inspection systems that recognise the OpenVPN handshake.

OpenVPN's requirements are modest: a system with 64 MB of RAM and 1 GB of disk space is enough to run it. OpenVPN runs on all major operating systems.

Installation and configuration of OpenVPN on Debian 7

Run the following command to install OpenVPN.

# apt-get install openvpn

On Debian 7 the easy-rsa scripts ship with the openvpn package under '/usr/share/doc/openvpn/examples/easy-rsa/2.0/'. Copy them to a working directory, here /root/easy-rsa, and work from there:

# cp -prv /usr/share/doc/openvpn/examples/easy-rsa/2.0 /root/easy-rsa
# cd /root/easy-rsa

Open the 'vars' file and make the changes below; before editing, I suggest taking a backup of the original file.

# cp vars{,.orig}

Using your text editor, set the default values for easy-rsa. For example (the e-mail address is a placeholder; use your own):

KEY_SIZE=4096
KEY_COUNTRY="IN"
KEY_PROVINCE="UP"
KEY_CITY="Noida"
KEY_ORG="Home"
KEY_EMAIL="admin@example.com"

Here I use a 4096-bit key. KEY_SIZE also sets the size of the Diffie-Hellman parameters, which is why the file generated below is called dh4096.pem. 2048 bits is the sensible minimum today; 1024-bit RSA is no longer considered secure. Generating 4096-bit DH parameters with build-dh can take a long time on a small VPS.

Load these values into the shell with:

# source ./vars

Remove any previously generated certificates (this empties the keys directory).

# ./clean-all

Next, create the CA certificate and CA key:

# ./build-ca

Create the server certificate and key; replace 'server-name' with your server's name (the same name is used for the files below).

# ./build-key-server server-name

Generate the Diffie-Hellman parameters (written to keys/dh4096.pem for KEY_SIZE=4096):

# ./build-dh

Create the client certificate and key; replace 'client-name' with your client's name.

# ./build-key client-name

Generate the HMAC key that tls-auth uses to sign control-channel packets:

# openvpn --genkey --secret /root/easy-rsa/keys/ta.key

Distribute the files to the client and server machines as follows.

  1. ca.crt must be present on both the client and the server.
  2. ca.key stays on the CA machine only (ideally offline); neither the server nor the client needs it, and whoever holds it can issue certificates your VPN will trust.
  3. The server needs server-name.crt, server-name.key, dh4096.pem and ta.key.
  4. The client needs client-name.crt, client-name.key and ta.key.

To install the keys and certificates on the server, run the following commands (private key files should stay readable by root only):

# mkdir -p /etc/openvpn/certs
# cp -pv /root/easy-rsa/keys/{ca.crt,server-name.{crt,key},ta.key,dh4096.pem} /etc/openvpn/certs/

Now configure the OpenVPN server. Create the file '/etc/openvpn/server.conf' with the contents below, adjusting paths and names to yours. A few points: script-security 2 lets OpenVPN run the client-connect scripts added later; tls-auth with direction 0 on the server (1 on the client) makes the server drop control-channel packets that are not signed with ta.key; cipher AES-256-CBC replaces 3DES, a 64-bit block cipher that is no longer recommended; keepalive 10 120 keeps NAT mappings alive and detects a dead peer within two minutes.

script-security 2
port 1194
proto udp
dev tap

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server-name.crt
key /etc/openvpn/certs/server-name.key
dh /etc/openvpn/certs/dh4096.pem
tls-auth /etc/openvpn/certs/ta.key 0

server 192.168.88.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120

cipher AES-256-CBC # not DES-EDE3-CBC (3DES): 64-bit block cipher
comp-lzo

max-clients 10

user nobody
group nogroup

persist-key
persist-tun

#log openvpn.log
#status openvpn-status.log
verb 5
mute 20

Enable IP forwarding on the server (this setting does not survive a reboot; the rc.local entries added later take care of that).

# echo 1 > /proc/sys/net/ipv4/ip_forward

Run the following command to make OpenVPN start at boot.

# update-rc.d -f openvpn defaults

Start the OpenVPN service.

# service openvpn restart

Run the following command to install OpenVPN on the client machine.

# apt-get install openvpn

Using a text editor, create the OpenVPN client configuration '/etc/openvpn/client.conf' on the client, with the client's certificates copied to /etc/openvpn/certs/ as on the server. An example configuration follows. The line remote-cert-tls server makes the client accept only a certificate issued with build-key-server as the server, so another client's certificate from the same CA cannot be used to impersonate it.

script-security 2
client
remote vpn_server_ip 1194
remote-cert-tls server
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/client-name.crt
key /etc/openvpn/certs/client-name.key
cipher AES-256-CBC
comp-lzo yes
dev tap
proto udp
tls-auth /etc/openvpn/certs/ta.key 1
nobind
auth-nocache
persist-key
persist-tun
user nobody
group nogroup
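
The server and client configurations above can be checked mechanically for the weak settings discussed in this tutorial. The following is an added example, not code from the original article or the OpenVPN project: a small POSIX shell audit that flags 3DES (or the Blowfish default) as cipher, a missing tls-auth, compression, a client without remote-cert-tls server, and a server that runs client-connect scripts after dropping to an unprivileged user. The sample config files it writes are constructed for the demonstration; the option names are OpenVPN's own.

```sh
#!/bin/sh
# Added example, not code from the original article: audit OpenVPN 2.x config
# files for the weaknesses discussed in this tutorial.
# Assumes POSIX sh with grep, awk and mktemp; options are one per line as in
# server.conf and client.conf above. The sample configs below are constructed.

# Value of the first non-comment occurrence of option $2 in file $1 ("" if absent).
ovpn_opt() {
    awk -v opt="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == opt { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# True if option $2 appears in file $1, with or without a value.
has_opt() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Audit one config: $1 = file, $2 = role (server|client).
# Prints one finding per line; the return status is the number of findings.
audit_ovpn_conf() {
    file=$1 role=$2 findings=0
    cipher=$(ovpn_opt "$file" cipher)
    case "$cipher" in
        ""|*DES*|*RC4*|BF*|CAST*)
            # unset means BF-CBC in OpenVPN 2.3; 3DES/BF/CAST have 64-bit blocks (Sweet32)
            echo "$file: cipher '${cipher:-BF-CBC (default)}' is weak; use AES-256-CBC or AES-256-GCM"
            findings=$((findings + 1)) ;;
    esac
    if ! has_opt "$file" tls-auth; then
        echo "$file: no tls-auth; the control channel accepts packets from anyone"
        findings=$((findings + 1))
    fi
    if has_opt "$file" comp-lzo; then
        echo "$file: comp-lzo enabled; compression leaks plaintext structure (VORACLE-style attacks)"
        findings=$((findings + 1))
    fi
    case "$role" in
        client)
            if [ "$(ovpn_opt "$file" remote-cert-tls)" != "server" ]; then
                echo "$file: no 'remote-cert-tls server'; any client cert from the CA could pose as the server"
                findings=$((findings + 1))
            fi ;;
        server)
            if has_opt "$file" user && has_opt "$file" client-connect; then
                echo "$file: client-connect runs after dropping to '$(ovpn_opt "$file" user)'; ip/ifconfig there will fail"
                findings=$((findings + 1))
            fi ;;
    esac
    return $findings
}

# Number of findings as a string (safe to call under 'set -e').
count_findings() {
    n=0
    audit_ovpn_conf "$1" "$2" >/dev/null || n=$?
    echo "$n"
}

# Constructed samples: the article's original settings and a hardened client.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat >"$tmpdir/server-weak.conf" <<'EOF'
port 1194
proto udp
dev tap
cipher DES-EDE3-CBC # Triple-DES
comp-lzo
tls-auth /etc/openvpn/certs/ta.key 0
user nobody
group nogroup
client-connect /etc/openvpn/client-connect.sh
EOF
cat >"$tmpdir/client-weak.conf" <<'EOF'
client
remote vpn_server_ip 1194
cipher DES-EDE3-CBC
comp-lzo yes
tls-auth /etc/openvpn/certs/ta.key 1
EOF
cat >"$tmpdir/client-hardened.conf" <<'EOF'
client
remote vpn_server_ip 1194
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
tls-auth /etc/openvpn/certs/ta.key 1
EOF

for f in "$tmpdir/server-weak.conf" "$tmpdir/client-weak.conf" "$tmpdir/client-hardened.conf"; do
    case $f in *server*) role=server ;; *) role=client ;; esac
    if audit_ovpn_conf "$f" "$role"; then echo "$f: no findings"; fi
done
```

Run it with sh: the two weak samples produce three findings each and the hardened client none. Point audit_ovpn_conf at /etc/openvpn/server.conf or client.conf to check the real files. The remote-cert-tls check relies on build-key-server having set the server extensions in the server certificate, which easy-rsa 2.0 does.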

Run the following command to make OpenVPN start at boot on the client.

# update-rc.d -f openvpn defaults

Start the OpenVPN service on the client.

# service openvpn restart

Once you are satisfied that OpenVPN works over IPv4, here is how to get IPv6 working over it.

Add the following lines at the end of the server configuration file '/etc/openvpn/server.conf'.

client-connect /etc/openvpn/client-connect.sh
client-disconnect /etc/openvpn/client-disconnect.sh

These two scripts build and tear down the IPv6 tunnel each time a client connects or disconnects. Note that they run with the daemon's privileges at that moment: with user nobody and group nogroup in server.conf, OpenVPN has already dropped root by the time a client connects, and the ip commands in the scripts fail with 'Operation not permitted'. Either remove those two lines, or have the scripts run the ip commands through sudo with a matching sudoers rule.

Here is the content of client-connect.sh.

#!/bin/bash
# Runs on the server each time a client connects; must exit 0 or the client is rejected.
BASERANGE="2a00:dd80:003d:000c"
ip link set dev "$dev" up
ip -6 addr add ${BASERANGE}:1001::1/64 dev "$dev"
# Answer neighbor solicitations for the client's address on eth0 (proxy NDP).
ip -6 neigh add proxy ${BASERANGE}:1001::2 dev eth0
exit 0

My hosting provider assigns me IPv6 addresses from 2a00:dd80:003d:000c::/64, so I use 2a00:dd80:003d:000c as BASERANGE. Change this value to the prefix your provider assigned you.

Every time a client connects to OpenVPN, the script assigns 2a00:dd80:003d:000c:1001::1 as the IPv6 address of the server's tap0 interface.

The last ip command sets up neighbor discovery for the tunnel: the client's tap0 address is registered as a proxy NDP entry on eth0, so the server answers neighbor solicitations for it from the provider's router, and the router forwards the client's traffic to the server. As written, the script hands every client the same address (:1001::2), so only one client can be connected at a time.

Here is the content of client-disconnect.sh.

#!/bin/bash
# Runs on the server when the client disconnects; undoes what client-connect.sh set up.
BASERANGE="2a00:dd80:003d:000c"
/sbin/ip -6 neigh del proxy ${BASERANGE}:1001::2 dev eth0
/sbin/ip -6 addr del ${BASERANGE}:1001::1/64 dev "$dev"
exit 0

This removes the proxy NDP entry and the server's tunnel address when the client disconnects. Change BASERANGE as before.

Make the scripts executable.

# chmod 700 /etc/openvpn/client-connect.sh
# chmod 700 /etc/openvpn/client-disconnect.sh
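
The scripts above give every client the same address, 2a00:dd80:003d:000c:1001::2, so a second client cannot connect without breaking the first. The following is an added example, not code from the original article, showing one way to hand out a distinct address per client: it derives the interface ID from the IPv4 pool address OpenVPN assigns to the client, adds the matching proxy NDP entry on connect, removes it on disconnect, and pushes the address to the client with setenv-safe so the client's up script can read it from $OPENVPN_ipv6addr instead of hardcoding it. $dev, $ifconfig_pool_remote_ip and $script_type are OpenVPN's documented script environment variables; BASERANGE and eth0 follow the article; the IPv4 addresses used in the checks are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: per-client IPv6 addressing for
# OpenVPN client-connect / client-disconnect so several clients can be online at once.
# Assumptions: POSIX sh; BASERANGE is the provider /64 as in the article; eth0 is the
# uplink; $dev, $ifconfig_pool_remote_ip and $script_type are set by OpenVPN.

BASERANGE="2a00:dd80:003d:000c"
UPLINK=eth0

# Map the client's IPv4 pool address a.b.c.d to <base>:aabb:ccdd::2 inside the /64.
# Distinct pool addresses give distinct IPv6 addresses. The body is a subshell so the
# IFS change stays local. Prints the address; exits 1 on malformed input.
client_v6() (    # $1 = base (four hextets), $2 = IPv4 address
    IFS=.
    set -- "$1" $2            # now $1 = base, $2..$5 = octets
    [ $# -eq 5 ] || exit 1
    for o in "$2" "$3" "$4" "$5"; do
        case $o in ""|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    printf '%s:%x%02x:%x%02x::2\n' "$1" "$2" "$3" "$4" "$5"
)

# Server-side address, fixed like the article's :1001::1. 'replace' keeps the add
# idempotent, since with 'dev tap' every client shares the same tap0.
SERVER_V6="${BASERANGE}:1001::1"

# client-connect: $1 is the per-client config file OpenVPN hands the script;
# directives written to it (including push) apply to this client only.
on_client_connect() {
    addr=$(client_v6 "$BASERANGE" "${ifconfig_pool_remote_ip:-}") || return 0
    ip link set dev "$dev" up
    ip -6 addr replace "${SERVER_V6}/64" dev "$dev"
    # answer neighbor solicitations for the client's address on the uplink (proxy NDP)
    ip -6 neigh replace proxy "$addr" dev "$UPLINK"
    # hand the client its address; the client's up script sees it as $OPENVPN_ipv6addr
    echo "push \"setenv-safe ipv6addr $addr\"" >>"$1"
    return 0    # a non-zero exit status would make OpenVPN reject the client
}

# client-disconnect: drop this client's proxy entry, keep the shared server address.
on_client_disconnect() {
    addr=$(client_v6 "$BASERANGE" "${ifconfig_pool_remote_ip:-}") || return 0
    ip -6 neigh del proxy "$addr" dev "$UPLINK"
    return 0
}

# OpenVPN sets $script_type to the hook name, so one file can serve both hooks.
case "${script_type:-}" in
    client-connect)    on_client_connect "$1" ;;
    client-disconnect) on_client_disconnect ;;
esac
```

Install it as one script and point both client-connect and client-disconnect in server.conf at it. With addresses of this form the ip6tables FORWARD rule for 2a00:dd80:003d:000c::/64 still covers every client, and the client's up.sh can use "$OPENVPN_ipv6addr" in place of the hardcoded :1001::2. The privilege caveat above still applies: the ip commands need root.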

Add the following entries to '/etc/rc.local' so they are applied at boot (alternatively, set the corresponding sysctls in /etc/sysctl.conf).

echo 1 > /proc/sys/net/ipv6/conf/all/proxy_ndp
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
/etc/init.d/firewall stop && /etc/init.d/firewall start

These entries enable proxy NDP and forwarding for both IPv4 and IPv6; the last line (re)starts the firewall defined next.

Create '/etc/init.d/firewall' with the following content. The MASQUERADE rule must use the same subnet as the 'server' line in server.conf (192.168.88.0/24 here), and the chains are flushed on start so that a restart does not append duplicate rules.

#!/bin/sh
# description: Firewall
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
case "$1" in
  start)
    # IPv4: flush the chains we manage, then rebuild them
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp -j ACCEPT
    $IPT -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
    $IPT -A INPUT -i tap+ -j ACCEPT
    $IPT -A FORWARD -i tap+ -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT the VPN subnet; must match the 'server' line in server.conf
    $IPT -t nat -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE
    $IPT -A INPUT -i eth0 -j DROP
    # IPv6
    $IPT6 -F INPUT
    $IPT6 -F FORWARD
    $IPT6 -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT6 -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    $IPT6 -A INPUT -i eth0 -p icmpv6 -j ACCEPT
    # forward only the prefix used for VPN clients out of the tunnel
    $IPT6 -A FORWARD -s 2a00:dd80:003d:000c::/64 -i tap0 -o eth0 -j ACCEPT
    $IPT6 -A INPUT -i eth0 -j DROP
    ;;
  stop)
    $IPT -F
    $IPT -t nat -F
    $IPT6 -F
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop}"
    exit 1
    ;;
esac
exit 0

Run '/etc/rc.local' to apply the sysctls and start the firewall.

# sh /etc/rc.local

This completes the server-side changes.

Add the following as the last lines of the client configuration file '/etc/openvpn/client.conf'.

# create the ipv6 tunnel
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
# needed so the client tells the server when it disconnects (UDP only)
explicit-exit-notify

The up and down scripts build and tear down the IPv6 endpoint on the client's tap0 interface each time the client connects to or disconnects from the OpenVPN server. The same privilege caveat as on the server applies here: down.sh runs after OpenVPN has switched to user nobody, so either remove the user and group lines from client.conf or run the ip commands through sudo.

Here is the content of up.sh.

#!/bin/bash
# Runs on the client once the tap device is open; assigns its IPv6 address and default route.
IPV6BASE="2a00:dd80:3d:c"
ip link set dev "$dev" up
ip -6 addr add ${IPV6BASE}:1001::2/64 dev "$dev"
ip -6 route add default via ${IPV6BASE}:1001::1 dev "$dev"
exit 0

The script assigns 2a00:dd80:3d:c:1001::2 (the address client-connect.sh proxies on the server) as the client's IPv6 address and sets the default IPv6 route via the server's tunnel address.

Change IPV6BASE to match BASERANGE in the server configuration (2a00:dd80:3d:c is the compressed form of 2a00:dd80:003d:000c).

Here is the content of down.sh.

#!/bin/bash
# Runs on the client when the tunnel goes down; removes what up.sh added.
IPV6BASE="2a00:dd80:3d:c"
/sbin/ip -6 route del default via ${IPV6BASE}:1001::1 dev "$dev"
/sbin/ip -6 addr del ${IPV6BASE}:1001::2/64 dev "$dev"
/sbin/ip link set dev "$dev" down
exit 0

This removes the client's default IPv6 route and address and brings the tunnel interface down when the client disconnects from the server.

Change IPV6BASE to match BASERANGE in the server configuration, then make the scripts executable.

# chmod 700 /etc/openvpn/up.sh
# chmod 700 /etc/openvpn/down.sh

Optionally, edit '/etc/resolv.conf' and add Google's IPv6 nameservers so that DNS resolution also goes over IPv6.

nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844

Restart openvpn on the server and connect to it from the client. You should get connected; visit test-ipv6.com to verify that your IPv6 connectivity over OpenVPN works.

Reference link

OpenVPN home page