OpenVPN Server and Client Installation and Configuration on Debian 7


This article describes how to get IPv6 connectivity over OpenVPN on Debian Linux. The setup was tested with Debian 7 on a KVM VPS with native IPv6 as the server and a Debian 7 desktop as the client. All commands must be run as root.

OpenVPN is a VPN program that uses SSL/TLS to build encrypted, authenticated tunnels through which you can route your Internet traffic, which defeats passive snooping. OpenVPN is also good at getting through firewalls: if the environment demands it, you can run it on a single TCP port such as the one used by HTTPS (443), which makes it hard to block by port-based filtering alone. This does not make the traffic indistinguishable from HTTPS, though. OpenVPN's handshake and packet framing have their own signature, and deep packet inspection can still identify it (see the note on tunnelling over SSL below).

OpenVPN can use pre-shared keys, certificates, or usernames and passwords to let clients and server authenticate each other. It is built on the OpenSSL library and implements a number of security and control features such as challenge/response authentication, single sign-on capability, load balancing and failover, and multi-daemon support.

If you want secure communication, think OpenVPN. If you do not want anyone snooping on your Internet traffic, use OpenVPN to push all of it through an encrypted, authenticated tunnel.

This matters most when connecting to public WiFi networks at airports and similar places, where you can never be sure who is watching your traffic. You can route all of it through your own OpenVPN server so that the local network only ever sees encrypted packets.

If you are in a country that monitors all traffic and blocks websites at will, you can run OpenVPN on TCP port 443 so that it is harder to tell apart from HTTPS traffic. You can also combine OpenVPN with other techniques, such as wrapping the OpenVPN traffic in an SSL tunnel, to defeat Deep Packet Inspection that can detect the OpenVPN signature.

OpenVPN has minimal requirements: a system with 64 MB of RAM and 1 GB of disk space is enough to run it, and it runs on almost every current operating system.

Installing and Configuring OpenVPN on Debian 7

Run the following command to install OpenVPN.

# apt-get install openvpn

By default, the easy-rsa scripts are installed under '/usr/share/doc/openvpn/examples/easy-rsa/'. Copy them to a working directory, here /root/easy-rsa, and work from there so that the CA files do not end up in the package documentation tree.

# mkdir /root/easy-rsa
# cp -prv /usr/share/doc/openvpn/examples/easy-rsa/2.0/. /root/easy-rsa/
# cd /root/easy-rsa

Open the 'vars' file and make the following changes, but take a backup of the original file before editing it.

# cp vars{,.orig}

Using your text editor, set the easy-rsa defaults. For example:

KEY_SIZE=4096
KEY_COUNTRY="IN"
KEY_PROVINCE="UP"
KEY_CITY="Noida"
KEY_ORG="Home"
KEY_EMAIL="you@example.com"   # placeholder: put your own address here

Here a 4096-bit key is used. easy-rsa accepts 1024, 2048, 4096 or 8192 bits, but 1024-bit RSA is no longer considered adequate, so use 2048 bits as a minimum. KEY_SIZE also sets the size of the Diffie-Hellman parameters generated later (dh4096.pem for 4096), and generating 4096-bit DH parameters on a small VPS can take a long time.

Export the defaults into your shell by sourcing the file.

# source ./vars

Remove any certificates generated earlier (this wipes the keys/ directory).

# ./clean-all

Next, run the following command to generate the CA certificate and CA key.

# ./build-ca

Build the server certificate with the following command. Replace 'server-name' with the name of your server; the common name you enter must match the file names used in server.conf below.

# ./build-key-server server-name

Generate the Diffie-Hellman parameters (this writes keys/dh4096.pem for a KEY_SIZE of 4096).

# ./build-dh

Build the client certificate. Replace 'client-name' with the client's name, and build one certificate per client rather than sharing one between machines.

# ./build-key client-name

Generate the HMAC key used by tls-auth. It is a shared secret: every control-channel packet must carry a valid HMAC, so peers that do not hold ta.key cannot even start a TLS handshake with the server.

# openvpn --genkey --secret /root/easy-rsa/keys/ta.key

Distribute the certificates and keys to the client and server as follows.

  1. ca.crt must be present on both client and server.
  2. ca.key stays on the machine where the CA was built (ideally offline) and is never copied to a client or to the VPN server: whoever holds it can issue certificates the server will accept.
  3. The server needs server-name.crt, server-name.key, dh4096.pem and ta.key.
  4. The client needs client-name.crt, client-name.key and ta.key.

Copy private keys over an authenticated channel such as scp, never by e-mail.

To put the keys and certificates in place on the server, run:

# mkdir -p /etc/openvpn/certs
# cp -pv /root/easy-rsa/keys/{ca.crt,server-name.{crt,key},ta.key,dh4096.pem} /etc/openvpn/certs/
# chmod 600 /etc/openvpn/certs/server-name.key /etc/openvpn/certs/ta.key

Now configure the OpenVPN server. Open '/etc/openvpn/server.conf' and set it up as shown below.

script-security 2
port 1194
proto udp
dev tap

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server-name.crt
key /etc/openvpn/certs/server-name.key
dh /etc/openvpn/certs/dh4096.pem
tls-auth /etc/openvpn/certs/ta.key 0

server 192.168.88.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120

cipher AES-256-CBC
comp-lzo

max-clients 10

# Dropping privileges is good practice, but the client-connect and
# client-disconnect scripts added later in this article run after the
# drop and need root to configure addresses and neighbor-proxy entries.
# Leave these commented out while using those scripts, or run the
# scripts through sudo.
#user nobody
#group nogroup

persist-key
persist-tun

#log openvpn.log
#status openvpn-status.log
verb 5
mute 20

A few notes on these settings. The directive is 'script-security' with a hyphen; level 2 (user-defined scripts allowed) is all the connect/disconnect scripts need, while level 3 additionally exposes passwords to scripts through the environment. The cipher is AES-256-CBC rather than DES-EDE3-CBC: Triple-DES has a 64-bit block size and is exposed to Sweet32-style attacks on long-lived tunnels, and the client must use the same cipher. 'keepalive 10 120' pings every 10 seconds and restarts a dead tunnel after 120 seconds, which notices failures far sooner than values in the thousands of seconds. 'comp-lzo' must match the client as well; be aware that compressing attacker-influenced data can leak plaintext (the VORACLE attack), so drop it on both sides unless bandwidth matters more. Finally, the pushed DNS options only take effect on a Linux client if an up/down script applies them, for example Debian's /etc/openvpn/update-resolv-conf.

Enable IP forwarding on the server. This setting does not survive a reboot; it is made persistent in rc.local further down.

# echo 1 > /proc/sys/net/ipv4/ip_forward

Run the following command so that OpenVPN starts at boot.

# update-rc.d -f openvpn defaults

Start the OpenVPN service.

# service openvpn restart

Run the following command to install OpenVPN on the client machine.

# apt-get install openvpn

Using a text editor, create the OpenVPN client configuration in '/etc/openvpn/client.conf' on the client, with the client's certificates copied to /etc/openvpn/certs/ as on the server. A sample configuration:

script-security 2
client
remote vpn_server_ip 1194
remote-cert-tls server
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/client.crt
key /etc/openvpn/certs/client.key
cipher AES-256-CBC
comp-lzo
dev tap
proto udp
tls-auth /etc/openvpn/certs/ta.key 1
nobind
auth-nocache
persist-key
persist-tun
user nobody
group nogroup

Replace vpn_server_ip with the server's public IPv4 address. 'remote-cert-tls server' makes the client verify that the certificate presented by the remote end was issued with the server role (which ./build-key-server sets); without it, any client certificate signed by the same CA could impersonate the server. The cipher and comp-lzo settings must match the server, and the tls-auth key direction is 1 on the client and 0 on the server. Note that with 'user nobody' the 'up' script used later in this article still runs as root, but the 'down' script runs with reduced privileges and its cleanup commands fail; either remove the user/group lines on the client or accept that the addresses disappear with the interface.

Run the following command so that OpenVPN starts at boot.

# update-rc.d -f openvpn defaults

Start the OpenVPN service on the client.

# service openvpn restart
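As an added check (example code written for this page, not part of the original article or of the OpenVPN project), the following POSIX shell script lints a server or client configuration for the settings corrected above: a 64-bit-block cipher, a missing tls-auth, comp-lzo, script-security 3, a client without remote-cert-tls, and a stray ca.key beside the CA certificate. The function and variable names (check_ovpn_conf, conf_get, conf_has, write_samples, WEAK_CIPHERS) and the two sample configurations it writes are the example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the original article: a small lint for OpenVPN
# 2.x configs that flags the settings this article corrects. All names here
# (check_ovpn_conf, conf_get, conf_has, write_samples, WEAK_CIPHERS) are the
# example's own.
#
# Usage: check_ovpn_conf FILE  -> prints findings, returns their count (0 = clean)

# Ciphers treated as unacceptable: 64-bit block ciphers (Sweet32) and "none".
# Assumption: this list is local policy; extend it as required.
WEAK_CIPHERS='DES-EDE3-CBC DES-CBC BF-CBC RC2-CBC none'

# Value of the first occurrence of a directive, with any trailing "# comment"
# and whitespace removed.  conf_get FILE DIRECTIVE
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^#]*\).*$/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# True (exit 0) if the directive appears as a whole word at line start.
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

check_ovpn_conf() {
    conf=$1 findings=0
    cipher=$(conf_get "$conf" cipher)
    for weak in $WEAK_CIPHERS; do
        if [ "$cipher" = "$weak" ]; then
            echo "$conf: cipher $cipher is weak; use AES-256-CBC or stronger"
            findings=$((findings + 1))
        fi
    done
    if ! conf_has "$conf" tls-auth; then
        echo "$conf: no tls-auth; anyone who can reach the port can talk TLS to the daemon"
        findings=$((findings + 1))
    fi
    if conf_has "$conf" comp-lzo; then
        echo "$conf: comp-lzo enabled; compression can leak plaintext (VORACLE)"
        findings=$((findings + 1))
    fi
    case "$(conf_get "$conf" script-security)" in
        3*) echo "$conf: script-security 3 passes passwords to scripts; level 2 is enough"
            findings=$((findings + 1)) ;;
    esac
    if conf_has "$conf" client && ! conf_has "$conf" remote-cert-tls; then
        echo "$conf: client lacks 'remote-cert-tls server'; any CA-signed client cert could pose as the server"
        findings=$((findings + 1))
    fi
    # The CA private key must never sit beside the deployed ca.crt.
    ca=$(conf_get "$conf" ca)
    if [ -n "$ca" ]; then
        case "$ca" in /*) ;; *) ca=$(dirname "$conf")/$ca ;; esac
        if [ -e "$(dirname "$ca")/ca.key" ]; then
            echo "$conf: ca.key found next to $ca; keep the CA key off VPN endpoints"
            findings=$((findings + 1))
        fi
    fi
    return $findings
}

# Constructed sample configs (not real deployments): one that mirrors the
# directives this article replaces and one that mirrors the corrected ones.
write_samples() {   # write_samples DIR
    mkdir -p "$1/certs"
    : > "$1/ca.key"          # simulated stray CA key beside the weak config
    cat > "$1/weak-client.conf" <<'EOF'
client
remote vpn_server_ip 1194
ca ca.crt
cert client.crt
key client.key
cipher DES-EDE3-CBC # Triple-DES
comp-lzo
script-security 3 system
EOF
    cat > "$1/good-client.conf" <<'EOF'
client
remote vpn_server_ip 1194
remote-cert-tls server
ca certs/ca.crt
cert certs/client.crt
key certs/client.key
tls-auth certs/ta.key 1
cipher AES-256-CBC
script-security 2
EOF
}

# Stand-alone run: lint the two samples in a scratch directory.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in "$dir"/*.conf; do
        n=0; check_ovpn_conf "$f" || n=$?
        echo "$f: $n finding(s)"
    done
    rm -rf "$dir"
fi
```

Run it with --demo to lint the two constructed samples, or call check_ovpn_conf on /etc/openvpn/server.conf and client.conf directly; the exit status is the number of findings, so it can gate a service restart.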

Once you are satisfied that OpenVPN works correctly over IPv4, here is how to get IPv6 working over it. The approach below is for OpenVPN 2.2, the version shipped with Debian 7, which cannot carry IPv6 configuration inside the tunnel itself; OpenVPN 2.3 and later configure IPv6 natively with the 'server-ipv6' directive, which makes the scripts below unnecessary.

Add the following lines at the end of the server configuration file '/etc/openvpn/server.conf'.

client-connect /etc/openvpn/client-connect.sh
client-disconnect /etc/openvpn/client-disconnect.sh

These two scripts build and tear down the IPv6 endpoint every time a client connects or disconnects. OpenVPN runs them as the client connects (client-connect) and after it leaves (client-disconnect), and exports the tunnel interface name to them in the environment variable $dev.

Here is the content of client-connect.sh.

#!/bin/bash
# Server-side IPv6 endpoint of the tunnel; $dev is exported by OpenVPN.
BASERANGE="2a00:dd80:003d:000c"
ip link set dev "$dev" up
# "addr replace" keeps this idempotent when several clients connect.
ip -6 addr replace ${BASERANGE}:1001::1/64 dev "$dev"
# Answer Neighbor Solicitations for the client's address on the uplink.
ip -6 neigh add proxy ${BASERANGE}:1001::2 dev eth0
exit 0

My hosting provider assigned me IPv6 addresses from 2a00:dd80:003d:000c::/64, so I use 2a00:dd80:003d:000c as BASERANGE. Change this value to whatever your provider gave you.

Whenever a client connects to OpenVPN, this script assigns 2a00:dd80:003d:000c:1001::1 as the IPv6 address of the server's tap interface. The address is taken from the same /64 as eth0, which is what makes the neighbor-proxy trick below work: the provider's router believes the client's address lives on the server's LAN segment.

The last line sets up Neighbor Discovery proxying for our tunnel: the client-side address 2a00:dd80:003d:000c:1001::2 is added as a proxy entry on eth0, so the server answers the upstream router's Neighbor Solicitations for that address and receives the client's traffic. You can list the entries with 'ip -6 neigh show proxy'. Because the two scripts use one fixed client address, this setup serves a single IPv6 client at a time; a second client would claim the same address.

Here is the content of client-disconnect.sh.

#!/bin/bash
BASERANGE="2a00:dd80:003d:000c"
# Remove the proxy entry for the client and the server's tunnel address,
# i.e. exactly what client-connect.sh added.
/sbin/ip -6 neigh del proxy ${BASERANGE}:1001::2 dev eth0 2>/dev/null || true
/sbin/ip -6 addr del ${BASERANGE}:1001::1/64 dev "$dev" 2>/dev/null || true
exit 0

This removes the server's IPv6 tunnel address and the client's proxy entry when the client disconnects. Make sure the address deleted here is exactly the one client-connect.sh added (...:1001::1, not ...::1), otherwise stale addresses accumulate on the tap interface. Adjust BASERANGE as appropriate.

Make the scripts executable. They run as root, so keep them writable by root only.

# chmod 700 /etc/openvpn/client-connect.sh
# chmod 700 /etc/openvpn/client-disconnect.sh

Add the following entries to '/etc/rc.local', above its final 'exit 0' line (alternatively set the equivalent keys in /etc/sysctl.conf).

echo 1 >/proc/sys/net/ipv6/conf/all/proxy_ndp
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
/etc/init.d/firewall stop && /etc/init.d/firewall start

These entries enable Neighbor Discovery proxying and IPv4/IPv6 forwarding. The last line (re)starts the firewall script created next.

Create '/etc/init.d/firewall' with the following content and make it executable (chmod 700 /etc/init.d/firewall). Note that the ip6tables rule accepting icmpv6 on eth0 is required: Neighbor Discovery for the proxied client address arrives as ICMPv6, and the IPv6 tunnel stops working if it is dropped.

#!/bin/sh
# description: Firewall
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
# Must match the "server" line in /etc/openvpn/server.conf; a MASQUERADE
# rule for any other subnet never matches and clients get no IPv4 access.
VPN4=192.168.88.0/24
# Must match BASERANGE in client-connect.sh (the /64 from your provider).
VPN6=2a00:dd80:003d:000c::/64
case "$1" in
start)
$IPT -F INPUT
$IPT -F FORWARD
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
$IPT -A INPUT -i tap+ -j ACCEPT
$IPT -A FORWARD -i tap+ -s $VPN4 -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -F POSTROUTING
$IPT -t nat -A POSTROUTING -s $VPN4 -o eth0 -j MASQUERADE
$IPT -A INPUT -i eth0 -j DROP
$IPT6 -F INPUT
$IPT6 -F FORWARD
$IPT6 -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPT6 -A INPUT -i eth0 -p icmpv6 -j ACCEPT
$IPT6 -A FORWARD -s $VPN6 -i tap+ -o eth0 -j ACCEPT
$IPT6 -A FORWARD -d $VPN6 -i eth0 -o tap+ -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A INPUT -i eth0 -j DROP
;;
stop)
$IPT -F
$IPT -t nat -F
$IPT6 -F
;;
*)
echo "Usage: /etc/init.d/firewall {start|stop}"
exit 1
;;
esac
exit 0

Run '/etc/rc.local' to apply the sysctls and start the firewall.

# sh /etc/rc.local

This completes the server-side changes.

Add the following as the last lines of the client configuration file '/etc/openvpn/client.conf'.

# create the ipv6 tunnel
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
# need this so when the client disconnects it tells the server
explicit-exit-notify

The up and down scripts build and tear down the client-side IPv6 endpoint on the client's tap interface whenever the client connects to or disconnects from the OpenVPN server. OpenVPN exports the interface name to them as $dev.

Here is the content of up.sh.

#!/bin/bash
# Client-side IPv6 endpoint; $dev is exported by OpenVPN.
IPV6BASE="2a00:dd80:3d:c"
ip link set dev "$dev" up
ip -6 addr replace ${IPV6BASE}:1001::2/64 dev "$dev"
# Send all IPv6 traffic through the server end of the tunnel.
ip -6 route replace default via ${IPV6BASE}:1001::1 dev "$dev"
exit 0

The script assigns 2a00:dd80:3d:c:1001::2, the same address the server proxies on eth0, as the client's IPv6 address and sets the client's IPv6 default route via the server's tunnel address.

Set IPV6BASE to the same prefix as BASERANGE in the server configuration. Leading zeros in the groups may be omitted: 2a00:dd80:3d:c and 2a00:dd80:003d:000c are the same prefix.

Here is the content of down.sh.

#!/bin/bash
IPV6BASE="2a00:dd80:3d:c"
# Undo exactly what up.sh did: route first, then address, then the link.
/sbin/ip -6 route del default via ${IPV6BASE}:1001::1 dev "$dev" 2>/dev/null || true
/sbin/ip -6 addr del ${IPV6BASE}:1001::2/64 dev "$dev" 2>/dev/null || true
/sbin/ip link set dev "$dev" down
exit 0

This removes the client's IPv6 address and the IPv6 default route when the client disconnects from the server. The addresses must be the ones up.sh configured (...:1001::2 and ...:1001::1). Remember that with 'user nobody' in client.conf this script runs without root privileges and its commands fail; drop those two lines on the client if you want the cleanup to happen.

Set IPV6BASE to the same prefix as BASERANGE in the server configuration and make the scripts executable.

# chmod 700 /etc/openvpn/up.sh
# chmod 700 /etc/openvpn/down.sh
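The four scripts above hard-code one client address, so only one IPv6 client can be connected at a time. As an added example (written for this page; these are not the article's scripts and not part of OpenVPN), the script below generalizes them into a single file that serves as client-connect and client-disconnect on the server and as up and down on the client, deriving each client's IPv6 address from the IPv4 address OpenVPN hands out from its pool (192.168.88.10 becomes ...:1001::10). OpenVPN exports script_type, dev, ifconfig_pool_remote_ip (server side) and ifconfig_local (client side) to these hooks, which is what the dispatch relies on. The names ipv6_for_client, server_connect, server_disconnect, client_up, client_down, UPLINK and SERVER6 are the example's own; BASERANGE and eth0 are the article's values.

```shell
#!/bin/sh
# Added example for this article (not the article's own scripts): one file
# that replaces client-connect.sh/client-disconnect.sh on the server and
# up.sh/down.sh on the client, giving each client its own IPv6 address.
# OpenVPN exports script_type, dev, ifconfig_pool_remote_ip (server side)
# and ifconfig_local (client side) to these hooks; the dispatch at the
# bottom relies on that. The names below are the example's own assumptions.

BASERANGE="2a00:dd80:003d:000c"   # the /64 your provider routed to the server
UPLINK="eth0"                     # server interface facing the provider's router
SERVER6="${BASERANGE}:1001::1"    # server end of the tunnel, as in the article

# Map a client's tunnel IPv4 address to its IPv6 address: the last octet
# becomes the last hex group, so 192.168.88.10 -> ...:1001::10. The server
# pool hands out .2 and up, so ::1 stays the server's; .0, .1 and .255 are
# refused, as is anything that is not a dotted-decimal address.
ipv6_for_client() {   # ipv6_for_client IPV4 -> prints the address, or fails
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    octet=${1##*.}
    [ "$octet" -ge 2 ] && [ "$octet" -le 254 ] || return 1
    echo "${BASERANGE}:1001::${octet}"
}

# --- server side: runs as client-connect; a non-zero exit refuses the client
server_connect() {
    client6=$(ipv6_for_client "$ifconfig_pool_remote_ip") || exit 1
    ip link set dev "$dev" up
    # "replace" keeps this idempotent: the address is shared by all clients.
    ip -6 addr replace "${SERVER6}/64" dev "$dev"
    # Answer the upstream router's Neighbor Solicitations for this client.
    ip -6 neigh add proxy "$client6" dev "$UPLINK"
}

# --- server side: runs as client-disconnect
server_disconnect() {
    client6=$(ipv6_for_client "$ifconfig_pool_remote_ip") || exit 0
    ip -6 neigh del proxy "$client6" dev "$UPLINK" 2>/dev/null || true
    # SERVER6 stays on $dev: other clients may still be connected.
}

# --- client side: runs as up (before OpenVPN drops privileges)
client_up() {
    client6=$(ipv6_for_client "$ifconfig_local") || exit 1
    ip link set dev "$dev" up
    ip -6 addr replace "${client6}/64" dev "$dev"
    ip -6 route replace default via "$SERVER6" dev "$dev"
}

# --- client side: runs as down (needs root, so no user/group on the client)
client_down() {
    client6=$(ipv6_for_client "$ifconfig_local") || exit 0
    ip -6 route del default via "$SERVER6" dev "$dev" 2>/dev/null || true
    ip -6 addr del "${client6}/64" dev "$dev" 2>/dev/null || true
}

# Dispatch on the hook OpenVPN is invoking. When the file is sourced or run
# by hand, script_type is unset and only the functions are defined.
case "${script_type:-}" in
    client-connect)    server_connect ;;
    client-disconnect) server_disconnect ;;
    up)                client_up ;;
    down)              client_down ;;
esac
```

Install it as /etc/openvpn/ipv6-tunnel.sh on both machines, point client-connect and client-disconnect at it in server.conf and up and down at it in client.conf, and keep user/group disabled wherever it has to run ip. A client whose pool address cannot be mapped is refused, because a non-zero exit from client-connect makes OpenVPN drop the connection. Since the server address is shared, client-disconnect leaves it in place and removes only that client's proxy entry.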

Optionally, edit '/etc/resolv.conf' on the client and add Google's IPv6 DNS servers for name resolution.

nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844

Restart openvpn on the server, then connect from the client. You should be connected. On the client, 'ip -6 addr show dev tap0' should list the ...:1001::2 address and 'ping6 2a00:dd80:3d:c:1001::1' should reach the server end of the tunnel; on the server, 'ip -6 neigh show proxy' should list the client's address. Finally, visit test-ipv6.com to confirm that IPv6 connectivity over OpenVPN works.
