by Zerg (17-06-2005)
A Linux-based virtual tunnel
This is the second article on the subject, written at the suggestion in the comments on the first article to cover another, better product.
It is again a translation, and you can find the original here.
I would be very glad if someone supplemented and expanded it.
Why OpenVPN?
------------
When I searched Google for the word vpn, it returned 17 000 000 results.
That pleasantly surprised me. After narrowing the search a little I came across the site openvpn.sourceforge.net.
The introductory article promised simple installation and configuration and, above all, the ability to
create a tunnel on most of the common operating systems,
including Linux, SUN Solaris, *BSD, Mac OS X, w2k, w2k3.
That was exactly what I needed...
   External interface                            External interface
     100.100.100.1                                 101.101.101.1
  +--------------+                               +-------------+
  |   SuSE 8.2   |           Internet            | FreeBSD 5.3 |
  |              |-------------------------------|             |
  | NAT,FireWall |                               |  NAT, ipfw  |
  |              |                               |             |
  +-----+--------+                               +-------+-----+
        ^   ^                                        ^    ^
        |   |                  VPN                   |    |
        |   +----------------------------------------+    |
        |                    10.1.1.0                     |
  +-----+---+                                      +-----+---+
  |  Local  |                                      |  Local  |
  | network |                                      | network |
  +---------+                                      +---------+
   10.0.0.0                                         192.168.1.0
Fig. 1. Layout of my virtual private network.
Since I planned to work with the VPN "forever", I recompiled the SuSE kernel with support for the tun/tap drivers.
In current FreeBSD releases tun/tap support is built into the kernel.
Then I installed the package. On SuSE:
# cp openvpn-1.6.0.tar.gz /usr/src
# cd /usr/src
# tar -xzvf openvpn-1.6.0.tar.gz
# cd openvpn-1.6.0
# ./configure
# make
# make install
During the installation SuSE asked for the lzo library to be installed first.
Under FreeBSD everything went smoothly:
# cd /usr/ports/security/openvpn
# make
# make install
OpenVPN has two security modes. The first is based on SSL/TLS, using certificates and keys.
The second is based on static keys.
To create the certificates I had to edit a few lines in the file /etc/ssl/openssl.cnf:
...
dir = /usr/local/etc/openvpn
certificate = $dir/my-ca.crt
private_key = $dir/private/my-ca.key
And, so that I do not have to go through this procedure (creating keys and certificates) every year (I would probably forget):
default_days = 3650 # (10 years) should last until retirement...
...
Then I generate the keys and certificates:
openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650
This command creates a certificate/key pair valid for 10 years.
Then I create a certificate request/private key pair for each office, and sign the requests with the CA:
openssl req -nodes -new -keyout office1.key -out office1.csr
openssl req -nodes -new -keyout office2.key -out office2.csr
openssl ca -out office1.crt -in office1.csr
openssl ca -out office2.crt -in office2.csr
I am not very strong on security, but since Diffie-Hellman parameters are required for office2, we create them:
openssl dhparam -out dh1024.pem 1024
I do not forget to copy the keys and certificates to the office2 machine.
That is all for the keys. I move on to configuring the VPN.
In fact the configuration comes down to creating configuration files for office1 and office2.
In my case office1 is the server and contains:
# office1
dev tun
port 5000
ifconfig 10.1.1.1 10.1.1.2
# here we bring up the routing
up /etc/openvpn/office1.up
# here we remove the routing
down /etc/openvpn/office1.down
tls-server
dh dh1024.pem
ca my-ca.crt
cert office1.crt
key office1.key
verb 3
# end office1
And this is on the client:
# office2
dev tun
port 5000
remote 100.100.100.1
ifconfig 10.1.1.2 10.1.1.1
# here we bring up the routing
up /etc/openvpn/office2.up
# here we remove the routing
down /etc/openvpn/office2.down
tls-client
dh dh1024.pem
ca my-ca.crt
cert office2.crt
key office2.key
verb 3
# end office2
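A small consistency check for a tls-server/tls-client config pair like the two above, added here as an example (it is not part of the original article and not an OpenVPN tool): it parses both files, confirms the server/client roles, the mirrored ifconfig endpoints, the matching port and the dh parameters on the server side, and flags the spelling "verb3", which OpenVPN reads as an unknown option instead of "verb 3". The embedded configs are constructed copies of office1/office2 with that typo deliberately left in.

```python
import re

# Constructed copies of the office1/office2 configs from this article (comments
# dropped), with the "verb3" typo left in deliberately so the checker catches it.
OFFICE1 = ("dev tun\nport 5000\nifconfig 10.1.1.1 10.1.1.2\n"
           "up /etc/openvpn/office1.up\ndown /etc/openvpn/office1.down\n"
           "tls-server\ndh dh1024.pem\nca my-ca.crt\ncert office1.crt\n"
           "key office1.key\nverb3\n")
OFFICE2 = ("dev tun\nport 5000\nremote 100.100.100.1\nifconfig 10.1.1.2 10.1.1.1\n"
           "up /etc/openvpn/office2.up\ndown /etc/openvpn/office2.down\n"
           "tls-client\ndh dh1024.pem\nca my-ca.crt\ncert office2.crt\n"
           "key office2.key\nverb3\n")

REQUIRED = ("dev", "port", "ifconfig", "ca", "cert", "key")

def parse(text):
    """Map each option name to its argument list; '#' and ';' lines are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name] = args
    return opts

def check_pair(server_text, client_text):
    """Return a list of problems found in a tls-server/tls-client config pair."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    for role, cfg in (("server", s), ("client", c)):
        for opt in REQUIRED:
            if opt not in cfg:
                problems.append(f"{role}: missing '{opt}'")
        for opt in cfg:
            if re.fullmatch(r"verb\d+", opt):   # "verb3" is read as an unknown option
                problems.append(f"{role}: '{opt}' must be written 'verb {opt[4:]}'")
    if "tls-server" not in s:
        problems.append("server: missing 'tls-server'")
    if "tls-client" not in c:
        problems.append("client: missing 'tls-client'")
    if "dh" not in s:
        problems.append("server: tls-server side needs 'dh' parameters")
    if "remote" not in c:
        problems.append("client: missing 'remote' (server address)")
    if s.get("port") != c.get("port"):
        problems.append("port differs between the two configs")
    if s.get("ifconfig") and c.get("ifconfig") and s["ifconfig"] != c["ifconfig"][::-1]:
        problems.append("ifconfig endpoints are not mirrored (local/remote swapped)")
    return problems
```

Run check_pair on the two files before starting the daemons; an empty list means the pair is consistent.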
So that the networks can see each other, the file office1.up contains:
#!/bin/sh
# up: add the route to office2's network through the tunnel peer
route add -net 192.168.10.0/24 gw 10.1.1.2
The down script must remove the route; office1.down:
#!/bin/sh
# down
route del -net 192.168.10.0/24
office2.up contains:
#!/bin/sh
# up routing, FreeBSD
route add -net 10.0.0.0/24 10.1.1.1
office2.down:
#!/bin/sh
# down, FreeBSD
route delete -net 10.0.0.0/24
We start:
openvpn --config office1 on the server;
openvpn --config office2 on the client.
And we check.
SuSE:
$ ifconfig
tun0      Link encap:Point-to-Point Protocol
          inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1259  Metric:1
          RX packets:79017 errors:0 dropped:0 overruns:0 frame:0
          TX packets:85421 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:11237151 (10.7 Mb)  TX bytes:34079868 (32.5 Mb)
$ ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=271 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=419 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=64 time=277 ms
64 bytes from 10.1.1.2: icmp_seq=4 ttl=64 time=184 ms
64 bytes from 10.1.1.2: icmp_seq=5 ttl=64 time=137 ms
--- 10.1.1.2 ping statistics ---
6 packets transmitted, 5 received, 16% packet loss, time 5039ms
rtt min/avg/max/mdev = 137.763/258.168/419.546/96.461 ms
FreeBSD:
$ ifconfig
tun0: flags=8051 mtu 1259
        inet6 fe80::202:44ff:fe92:7ac6%tun0 prefixlen 64 scopeid 0x5
        inet 10.1.1.2 --> 10.1.1.1 netmask 0xffffffff
        Opened by PID 429
$ ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=159.315 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=426.403 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=352.940 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=64 time=394.593 ms
64 bytes from 10.1.1.1: icmp_seq=4 ttl=64 time=249.855 ms
64 bytes from 10.1.1.1: icmp_seq=5 ttl=64 time=203.441 ms
^C
--- 10.1.1.1 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 159.315/297.758/426.403/99.439 ms
$
The OpenVPN developers have kindly provided a firewall setup for Linux, which is called from
the OpenVPN autostart script:
#!/bin/sh
dir=/etc/openvpn
$dir/firewall.sh
openvpn --cd $dir --daemon --config office1
For FreeBSD, as always, it is rather simpler:
/usr/local/etc/rc.d/openvpn.sh
#!/bin/sh
dir=/etc/openvpn
case $1 in
start) openvpn --cd $dir --daemon --config office1;;
stop) killall -TERM openvpn;;
*) echo "Use: {start|stop}"
esac
And in rc.firewall:
#
vpn="tun0"
# vpn: pass all traffic on the tunnel interface
${fwcmd} add allow ip from any to any via ${vpn}
# nat: divert traffic on the external interface to natd
${fwcmd} add divert natd all from any to any via ${oif}
#
That is it.
A huge thank-you to the OpenVPN developers!