tun
(IP 層面的通道) 和 tap
(Ethernet 層面的通道) 介面。實務上,常用的是 tun
介面,除非 VPN 客戶端難以經由 Ethernet 橋接器整合入伺服器的區域網路。
openssl
命令的腳本內。
$
make-cadir pki-falcot
$
cd pki-falcot
vars
檔案內,特別是以 KEY_
開頭的部份;這些變數整合入環境:
$
vim vars
$
grep KEY_ vars
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` export KEY_DIR="$EASY_RSA/keys" echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR export KEY_SIZE=2048 export KEY_EXPIRE=3650 export KEY_COUNTRY="FR" export KEY_PROVINCE="Loire" export KEY_CITY="Saint-Étienne" export KEY_ORG="Falcot Corp" export KEY_EMAIL="admin@falcot.com" export KEY_OU="Certificate authority" export KEY_NAME="Certificate authority for Falcot Corp" # If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below # export KEY_CN="CommonName" $
. ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/roland/pki-falcot/keys $
./clean-all
keys/ca.crt
和 keys/ca.key
):
$
./build-ca
Generating a 2048 bit RSA private key ...................................................................+++ ...+++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [Loire]: Locality Name (eg, city) [Saint-Étienne]: Organization Name (eg, company) [Falcot Corp]: Organizational Unit Name (eg, section) [Certificate authority]: Common Name (eg, your name or your server's hostname) [Falcot Corp CA]: Name [Certificate authority for Falcot Corp]: Email Address [admin@falcot.com]:
vpn.falcot.com
識別;此名稱再次使用於新增鑰匙檔案 (keys/vpn.falcot.com.crt
供公鑰,keys/vpn.falcot.com.key
供私鑰):
$
./build-key-server vpn.falcot.com
Generating a 2048 bit RSA private key .....................................................................................................................+++ ...........+++ writing new private key to 'vpn.falcot.com.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [Loire]: Locality Name (eg, city) [Saint-Étienne]: Organization Name (eg, company) [Falcot Corp]: Organizational Unit Name (eg, section) [Certificate authority]: Common Name (eg, your name or your server's hostname) [vpn.falcot.com]: Name [Certificate authority for Falcot Corp]: Email Address [admin@falcot.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /home/roland/pki-falcot/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'FR' stateOrProvinceName :PRINTABLE:'Loire' localityName :T61STRING:'Saint-\0xFFFFFFC3\0xFFFFFF89tienne' organizationName :PRINTABLE:'Falcot Corp' organizationalUnitName:PRINTABLE:'Certificate authority' commonName :PRINTABLE:'vpn.falcot.com' name :PRINTABLE:'Certificate authority for Falcot Corp' emailAddress :IA5STRING:'admin@falcot.com' Certificate is to be certified until Mar 6 14:54:56 2025 GMT (3650 days) Sign the certificate? [y/n]:
y
1 out of 1 certificate requests certified, commit? [y/n]
y
Write out database with 1 new entries Data Base Updated $
./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time […]
$
./build-key JoeSmith
Generating a 2048 bit RSA private key ................................+++ ..............................................+++ writing new private key to 'JoeSmith.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [Loire]: Locality Name (eg, city) [Saint-Étienne]: Organization Name (eg, company) [Falcot Corp]: Organizational Unit Name (eg, section) [Certificate authority]:
Development unit
Common Name (eg, your name or your server's hostname) [JoeSmith]:
Joe Smith
[…]
keys/ca.crt
) 儲存在所有機器 (伺服器與客戶端) 的 /etc/ssl/certs/Falcot_CA.crt
。伺服器的認證僅安裝在伺服器 (keys/vpn.falcot.com.crt
的 /etc/ssl/vpn.falcot.com.crt
,以及 keys/vpn.falcot.com.key
在 /etc/ssl/private/vpn.falcot.com.key
限制其權限為管理者才能讀取),對應至 Diffie-Hellman 參數 (keys/dh2048.pem
) 安裝在 /etc/openvpn/dh2048.pem
。客戶端認證則類似的方式,安裝在對應的 VPN 各戶端。
/etc/openvpn/*.conf
啟動所有虛擬專用網路。設定 VPN 伺服器就是在此資料夾儲存對應的組態檔。/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
是個好的起點,建立相當標準伺服器。當然,還有若干參數需要調整:ca
、cert
、key
和 dh
需指定其地點 (分別是 /etc/ssl/certs/Falcot_CA.crt
、/etc/ssl/vpn.falcot.com.crt
、/etc/ssl/private/vpn.falcot.com.key
和 /etc/openvpn/dh2048.pem
)。server 10.8.0.0 255.255.255.0
設定 VPN 的次網路;此伺服器使用此範圍內的第一個 IP 位址 (10.8.0.1
) 然後把其他的位址保留給客戶端。
tun0
之名,新增 OpenVPN 的虛擬網路介面。然而,有時在啟動 OpenVPN 前,把防火牆組態成真實的網路介面。最好固定新增的虛擬網路介面,OpenVPN 使用預存的介面。進一步選擇介面的名稱。到了這個階段,openvpn --mktun --dev vpn --dev-type tun
新增一個虛擬網路介面名稱為 vpn
型態為 tun
;這個命令可以整合入防火牆組態腳本,或 up
指向 /etc/network/interfaces
檔案。OpenVPN 組態檔必須跟著更新,直接使用 dev vpn
和 dev-type tun
。
10.8.0.1
位址近用 VPN 伺服器。為了授權客戶近用在地網路 (192.168.0.0/24),需在 OpenVPN 組態中加入 推送路徑 192.168.0.0 255.255.255.0
,讓 VPN 客戶端自動取得網路路由,使其明瞭經由 VPN 可以進入該網路。此外,在地網路的機器也需被告知,經由 VPN 伺服器 (在閘道安裝 VPN 伺服器即自動啟用) 進入VPN。另外,VPN 伺服器可以組態後執行偽裝 IP 的工作,讓來自 VPN 客戶端的訊息顯示成來自 VPN 伺服器 (見 節 10.1, “閘道器”)。
/etc/openvpn/
內的檔案才能設定 OpenVPN 客戶端。標準的組態方法可從使用 /usr/share/doc/openvpn/examples/sample-config-files/client.conf
這個檔案開始。remote vpn.falcot.com 1194
介紹 OpenVPN 伺服器的位址及埠號;描述密鑰文件位址時,需參考 ca
、cert
和 key
。
AUTOSTART
為 none
於 /etc/default/openvpn
檔案內。以命令 service openvpn@name start
和 service openvpn@name stop
(其中的 name 就是在 /etc/openvpn/name.conf
中設定的名稱) 就能啟用或停用指定的 VPN 連結。
tun*
) 於 SSH 連結的兩端,且可以精準地組態這些虛擬介面,就像在實體介面環境下。必須先設定 PermitTunnel
為 “yes” 於 SSH 伺服器組態檔 (/etc/ssh/sshd_config
),才能啟用此隧道系統。啟用 SSH 連結後,新增的隧道必須以 -w any:any
選項 (any
可以用期望的 tun
設備名稱取代) 請求連結。兩端的使用者需有管理者權限,才能新增網路設備 (換句話說,必須以超級使用者的身份才能建立連結)。
/etc/ipsec-tools.conf
contains the parameters for IPsec tunnels (or Security Associations, in the IPsec terminology) that the host is concerned with; the /etc/init.d/setkey
script provides a way to start and stop a tunnel (each tunnel is a secure link to another host connected to the virtual private network). This file can be built by hand from the documentation provided by the setkey(8) manual page. However, explicitly writing the parameters for all hosts in a non-trivial set of machines quickly becomes an arduous task, since the number of tunnels grows fast. Installing an IKE daemon (for IPsec Key Exchange) such as racoon or strongswan makes the process much simpler by bringing administration together at a central point, and more secure by rotating the keys periodically.
/etc/ppp/options.pptp
, /etc/ppp/peers/falcot
, /etc/ppp/ip-up.d/falcot
, and /etc/ppp/ip-down.d/falcot
.
範例 10.2. The /etc/ppp/options.pptp
file
# PPP options used for a PPTP connection lock noauth nobsdcomp nodeflate
範例 10.3. The /etc/ppp/peers/falcot
file
# vpn.falcot.com is the PPTP server pty "pptp vpn.falcot.com --nolaunchpppd" # the connection will identify as the "vpn" user user vpn remotename pptp # encryption is needed require-mppe-128 file /etc/ppp/options.pptp ipparam falcot
pptpd
is the PPTP server for Linux. Its main configuration file, /etc/pptpd.conf
, requires very few changes: localip (local IP address) and remoteip (remote IP address). In the example below, the PPTP server always uses the 192.168.0.199
address, and PPTP clients receive IP addresses from 192.168.0.200
to 192.168.0.250
.
範例 10.6. The /etc/pptpd.conf
file
# TAG: speed # # Specifies the speed for the PPP daemon to talk at. # speed 115200 # TAG: option # # Specifies the location of the PPP options file. # By default PPP looks in '/etc/ppp/options' # option /etc/ppp/pptpd-options # TAG: debug # # Turns on (more) debugging to syslog # # debug # TAG: localip # TAG: remoteip # # Specifies the local and remote IP address ranges. # # You can specify single IP addresses separated by commas or you can # specify ranges, or both. For example: # # 192.168.0.234,192.168.0.245-249,192.168.0.254 # # IMPORTANT RESTRICTIONS: # # 1. No spaces are permitted between commas or within addresses. # # 2. If you give more IP addresses than MAX_CONNECTIONS, it will # start at the beginning of the list and go until it gets # MAX_CONNECTIONS IPs. Others will be ignored. # # 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238, # you must type 234-238 if you mean this. # # 4. If you give a single localIP, that's ok - all local IPs will # be set to the given one. You MUST still give at least one remote # IP for each simultaneous client. # #localip 192.168.0.234-238,192.168.0.245 #remoteip 192.168.1.234-238,192.168.1.245 #localip 10.0.1.1 #remoteip 10.0.1.2-100 localip 192.168.0.199 remoteip 192.168.0.200-250
/etc/ppp/pptpd-options
. The important parameters are the server name (pptp
), the domain name (falcot.com
), and the IP addresses for DNS and WINS servers.
範例 10.7. The /etc/ppp/pptpd-options
file
## turn pppd syslog debugging on #debug ## change 'servername' to whatever you specify as your server name in chap-secrets name pptp ## change the domainname to your local domain domain falcot.com ## these are reasonable defaults for WinXXXX clients ## for the security related settings # The Debian pppd package now supports both MSCHAP and MPPE, so enable them # here. Please note that the kernel support for MPPE must also be present! auth require-chap require-mschap require-mschap-v2 require-mppe-128 ## Fill in your addresses ms-dns 192.168.0.1 ms-wins 192.168.0.1 ## Fill in your netmask netmask 255.255.255.0 ## some defaults nodefaultroute proxyarp lock
vpn
user (and the associated password) in the /etc/ppp/chap-secrets
file. Contrary to other instances where an asterisk (*
) would work, the server name must be filled explicitly here. Furthermore, Windows PPTP clients identify themselves under the DOMAIN\\USER
form, instead of only providing a user name. This explains why the file also mentions the FALCOT\\vpn
user. It is also possible to specify individual IP addresses for users; an asterisk in this field specifies that dynamic addressing should be used.