The book "Linux in Action"

Hello, Habr readers! In this book, David Clinton describes 12 real-life projects, including automating your backup and recovery system, setting up a Dropbox-style personal file cloud, and creating your own MediaWiki server. You'll explore virtualization, disaster recovery, security, backup, DevOps, and system troubleshooting through interesting case studies. Each chapter ends with a review of best practices, a glossary of new terms, and exercises.

Excerpt "10.1. Creating an OpenVPN tunnel"

I've already talked a lot about encryption in this book. SSH and SCP can protect data transferred over remote connections (chapter 3), file encryption can protect data while it's stored on the server (chapter 8), and TLS/SSL certificates can protect data transferred between sites and client browsers (chapter 9). But sometimes your data needs to be protected across a broader range of connections. For example, some members of your team may work on the road while connecting to Wi-Fi through public hotspots. You certainly shouldn't assume that all such access points are secure, but your people do need a way to connect to company resources, and that's where a VPN can help.

A properly designed VPN tunnel provides a direct connection between remote clients and a server in a way that hides data as it travels across an insecure network. So what? You've already seen plenty of tools that can do that with encryption. The real value of a VPN is that by opening a tunnel, you can connect remote networks as though they were all local. In a sense, you're using a bypass.

Using this extended network, administrators can do their work on their servers from anywhere. But more importantly, a company with resources spread across multiple locations can make them all visible and accessible to all the groups that need them, wherever they are (figure 10.1).

The tunnel itself doesn't guarantee security. But one of the encryption standards can be included in the network structure, which greatly increases the level of security. Tunnels created using the open source OpenVPN package use the same TLS/SSL encryption you've already read about. OpenVPN isn't the only tunneling option, but it's one of the best known. It's considered to be somewhat faster and more secure than the alternative Layer 2 Tunneling Protocol, which uses IPsec encryption.

Do you want everyone on your team to communicate securely with each other while on the road or working in different buildings? To do that, you need to create an OpenVPN server to allow application sharing and access to the server's local network environment. For this to work, all you need to do is run two virtual machines or two containers: one to act as the server/host and one to act as the client. Building a VPN isn't a simple process, so it's probably worth taking a few minutes to get the big picture in mind.


10.1.1. OpenVPN server configuration

Before you start, I'll give you a useful tip. If you're going to do this yourself (and I strongly recommend that you do), you'll probably find yourself working with multiple terminal windows open on your desktop, each connected to a different machine. There's a risk that at some point you'll enter the wrong command in the wrong window. To avoid this, you can use the hostname command to change the machine name displayed on the command line to something that tells you clearly where you are. Once you've done that, you'll need to log out of the server and log back in for the new settings to take effect. Here's what it looks like:

By following this approach and assigning appropriate names to each of the machines you're working with, you can easily keep track of where you are.

After using hostname, you may run into Unable to Resolve Host OpenVPN-Server messages when executing subsequent commands. Updating the /etc/hosts file with the appropriate new hostname should solve the problem.

Preparing your server for OpenVPN

To install OpenVPN on your server, you need two packages: openvpn and easy-rsa (to manage the encryption key generation process). CentOS users should first install the epel-release repository if necessary, as you did in chapter 2. To be able to test access to a server application, you can also install the Apache web server (apache2 on Ubuntu and httpd on CentOS).

While you're setting up your server, I recommend enabling a firewall that blocks all ports except 22 (SSH) and 1194 (OpenVPN's default port). This example illustrates how ufw would work on Ubuntu, but I'm sure you still remember the CentOS firewalld program from chapter 9:

# ufw enable
# ufw allow 22
# ufw allow 1194

To permit internal routing between network interfaces on the server, you need to uncomment a single line (net.ipv4.ip_forward = 1) in the /etc/sysctl.conf file. This will allow remote clients to be redirected as needed once they're connected. To make the new setting take effect, run sysctl -p:

# nano /etc/sysctl.conf
# sysctl -p

Your server environment is now configured, but there's still one more thing to do before you're ready: you need to complete the following steps (we'll cover them in detail next).

  1. Create a set of public key infrastructure (PKI) encryption keys on the server using the scripts provided with the easy-rsa package. Essentially, the OpenVPN server also acts as its own certificate authority (CA).
  2. Prepare matching keys for the client
  3. Configure the server.conf file for the server
  4. Set up your OpenVPN client
  5. Test your VPN

Generating encryption keys

To keep things simple, you can set up your key infrastructure on the same machine where the OpenVPN server is running. However, security best practices usually suggest using a separate CA server for production deployments. The process of generating and distributing encryption key resources for use in OpenVPN is illustrated in figure 10.2.

When you installed OpenVPN, an /etc/openvpn/ directory was created automatically, but there's nothing in it yet. The openvpn and easy-rsa packages come with sample template files that you can use as a basis for your configuration. To begin the certification process, copy the easy-rsa template directory from /usr/share/ to /etc/openvpn and change to the easy-rsa/ directory:

# cp -r /usr/share/easy-rsa/ /etc/openvpn
$ cd /etc/openvpn/easy-rsa

The easy-rsa directory will now contain quite a few scripts. Table 10.1 lists the tools you'll use to create keys.


The above operations require root privileges, so you need to become root via sudo su.

The first file you'll work with is called vars and contains the environment variables that easy-rsa uses when generating keys. You need to edit the file to use your own values in place of the defaults already there. This is what my file would look like (listing 10.1).

Listing 10.1. Main fragments of the /etc/openvpn/easy-rsa/vars file

export KEY_COUNTRY="CA"
export KEY_PROVINCE="ON"
export KEY_CITY="Toronto"
export KEY_ORG="Bootstrap IT"
export KEY_EMAIL="[email protected]"
export KEY_OU="IT"

Running the vars file passes its values to the shell environment, where they'll be incorporated into the contents of your new keys. Why doesn't the sudo command by itself work? Because in the first step we edit a script called vars and then apply it. Applying it means that the vars file passes its values to the shell environment, where they'll be included in the contents of your new keys.

Be sure to rerun the file using a new shell to complete the unfinished process. When that's done, the script will prompt you to run another script, clean-all, to remove any content in the /etc/openvpn/easy-rsa/keys/ directory:

Naturally, the next step is to run the clean-all script, followed by build-ca, which uses the pkitool script to create the root certificate. You'll be asked to confirm the identity settings provided by vars:

# ./clean-all
# ./build-ca
Generating a 2048 bit RSA private key

Next comes the build-key-server script. Because it uses the same pkitool script along with the new root certificate, you'll see the same questions to confirm creation of the key pair. The keys will be named according to the argument you pass, which, unless you're running multiple VPNs on this machine, will usually be server, as in the example:

# ./build-key-server server
[...]
Certificate is to be certified until Aug 15 23:52:34 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

OpenVPN uses parameters generated by the Diffie-Hellman algorithm (using build-dh) to negotiate authentication for new connections. The file created here doesn't need to be secret, but it must be generated using the build-dh script for the RSA keys that are currently active. If you create new RSA keys in the future, you'll also need to update the Diffie-Hellman file:

# ./build-dh

Your server-side keys will now end up in the /etc/openvpn/easy-rsa/keys/ directory, but OpenVPN doesn't know that. By default, OpenVPN will look for keys in /etc/openvpn/, so copy them over:

# cp /etc/openvpn/easy-rsa/keys/server* /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn

Preparing client encryption keys

As you've already seen, TLS encryption uses matching key pairs: one installed on the server and one installed on the remote client. That means you'll need client keys. Our old friend pkitool is just what you need for this. In this example, running the program in the /etc/openvpn/easy-rsa/ directory, we pass it the client argument to generate files called client.crt and client.key:

# ./pkitool client

The two client files, along with the original ca.crt file that's still in the keys/ directory, should now be securely transferred to the client. Because of their ownership and access rights, this might not be so simple. The simplest approach is to manually copy the contents of the source file (and nothing but those contents) in a terminal running on your PC's desktop (select the text, right-click it, and choose Copy from the menu). Then paste it into a new file of the same name that you create in a second terminal connected to the client.

But anyone can cut and paste. Instead, think like an administrator, because you won't always have access to a GUI where cut/paste operations are possible. Copy the files to your user's home directory (so that a remote scp operation can access them), and then use chown to change the ownership of the files from root to a regular, non-root user so that the remote scp operation can be carried out. Make sure all your files are currently in place and accessible. You'll move them to the client a bit later:

# cp /etc/openvpn/easy-rsa/keys/client.key /home/ubuntu/
# cp /etc/openvpn/easy-rsa/keys/ca.crt /home/ubuntu/
# cp /etc/openvpn/easy-rsa/keys/client.crt /home/ubuntu/
# chown ubuntu:ubuntu /home/ubuntu/client.key
# chown ubuntu:ubuntu /home/ubuntu/client.crt
# chown ubuntu:ubuntu /home/ubuntu/ca.crt

With a full set of encryption keys ready to go, you need to tell the server how you want to create the VPN. This is done using the server.conf file.

Reducing the number of keystrokes

Too much typing? Brace expansion will help reduce those six commands to two. I'm sure you can study these two examples and understand what's going on. More importantly, you'll be able to see how to apply these principles to operations involving tens or even hundreds of items:

# cp /etc/openvpn/easy-rsa/keys/{ca.crt,client.{key,crt}} /home/ubuntu/
# chown ubuntu:ubuntu /home/ubuntu/{ca.crt,client.{key,crt}}

Setting up the server.conf file

How are you supposed to know what the server.conf file should look like? Remember the easy-rsa template directory you copied from /usr/share/? When you installed OpenVPN, you were left with a compressed template file that you can copy to /etc/openvpn/. I'll build on the fact that the template is archived and introduce you to a useful tool: zcat.

You already know about printing a file's contents to the screen using the cat command, but what if the file is compressed using gzip? You could always decompress the file, and cat would then happily print it, but that's one or two steps more than necessary. Instead, as you might have guessed, you can issue the zcat command to load the decompressed text into memory in a single step. In the following example, rather than printing the text to the screen, you'll redirect it to a new file called server.conf:

# zcat \
  /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz \
  > /etc/openvpn/server.conf
$ cd /etc/openvpn

Let's set aside the extensive and helpful documentation that comes with the file and see what it might look like when you're done editing. Note that a semicolon (;) tells OpenVPN not to read or execute the line that follows (listing 10.2).

Let's go through some of these settings.

  • By default, OpenVPN works on port 1194. You can change that, for example, to further hide your activity or to avoid conflicts with other active tunnels. Since 1194 requires the least coordination with clients, it's best to leave it this way.
  • OpenVPN uses either the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP) for data transmission. TCP may be a bit slower, but it's more reliable and more likely to be understood by the applications running at both ends of the tunnel.
  • You can specify dev tun when you want to create a simpler, more efficient IP tunnel that carries data content and nothing else. If, on the other hand, you need to connect multiple network interfaces (and the networks they represent), creating an Ethernet bridge, you'll have to choose dev tap. If you don't understand what all this means, use the tun argument.
  • The next four lines give OpenVPN the names of the three authentication files on the server and the dh2048 parameters file you created earlier.
  • The server line sets the range and subnet mask that will be used to assign IP addresses to clients upon login.
  • The optional push parameter "route 10.0.3.0 255.255.255.0" allows remote clients to access private subnets behind the server. Making this work also requires setting up routing on the server itself so that the private subnet knows about the OpenVPN subnet (10.8.0.0).
  • The port-share localhost 80 line allows you to redirect client traffic coming in on port 1194 to a local web server listening on port 80. (This will be useful if you're going to use a web server to test your VPN.) This only works when the tcp protocol is selected.
  • The user nobody and group nogroup lines should be enabled by removing the semicolons (;). Forcing remote clients to run as nobody and nogroup ensures that sessions on the server are unprivileged.
  • log specifies that current log entries will overwrite old entries every time OpenVPN starts, whereas log-append adds new entries to the existing log file. The openvpn.log file itself is written to the /etc/openvpn/ directory.

In addition, a client-to-client value is also often added to the configuration file so that multiple clients can see each other in addition to the OpenVPN server. If you're satisfied with your configuration, you can start the OpenVPN server:

# systemctl start openvpn

Because of the changing nature of the relationship between OpenVPN and systemd, this syntax may sometimes be required to start the service: systemctl start openvpn@server.

Running ip addr to list your server's network interfaces should now output a reference to a new interface called tun0. OpenVPN will create it to serve incoming clients:

$ ip addr
[...]
4: tun0: mtu 1500 qdisc [...]
      link/none
      inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
          valid_lft forever preferred_lft forever

You may need to reboot the server before everything starts working fully. The next stop is the client computer.

10.1.2. Configuring an OpenVPN client

Traditionally, tunnels are built with at least two exits (otherwise we'd call them caves). A properly configured OpenVPN on the server directs traffic into and out of the tunnel at one end. But you'll also need some software running on the client side, that is, at the other end of the tunnel.

In this section, I'll focus on manually setting up a Linux computer of some kind to act as an OpenVPN client. But that's not the only way this capability is available. OpenVPN supports client applications that can be installed and used on desktops and laptops running Windows or macOS, as well as on Android and iOS smartphones and tablets. See openvpn.net for details.

The OpenVPN package will need to be installed on the client machine as it was on the server, although there's no need for easy-rsa here, since the keys you're using already exist. You need to copy the client.conf template file to the /etc/openvpn/ directory that has just been created. This time the file won't be zipped, so the regular cp command will do the job just fine:

# apt install openvpn
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf \
  /etc/openvpn/

Most of the settings in your client.conf file will be fairly self-explanatory: they should match the values on the server. As you can see from the following example file, the unique parameter is remote 192.168.1.23 1194, which tells the client the server's IP address. Again, make sure this is your server's address. You should also force the client computer to verify the authenticity of the server certificate to prevent a possible man-in-the-middle attack. One way to do this is to add the line remote-cert-tls server (listing 10.3).

Now you can go to the /etc/openvpn/ directory and pull the certificate keys from the server. Replace the server IP address or domain name in the example with your own values:

Nothing exciting is likely to happen until you run OpenVPN on the client. Since you need to pass a couple of arguments, you'll do it from the command line. The --tls-client argument tells OpenVPN that you'll be acting as a client and connecting via TLS encryption, and --config points to your configuration file:

# openvpn --tls-client --config /etc/openvpn/client.conf

Read the command output carefully to make sure you're connected correctly. If something goes wrong the first time, it may be due to a mismatch in the settings between the server and client configuration files or a network connectivity/firewall issue. Here are some troubleshooting tips.

  • Carefully read the output of the OpenVPN operation on the client. It often contains valuable hints about exactly what couldn't be done and why.
  • Check for error messages in the openvpn.log and openvpn-status.log files in the /etc/openvpn/ directory on the server.
  • Check the system logs on the server and client for OpenVPN-related messages. (journalctl -ce will display the most recent entries.)
  • Make sure you have an active network connection between the server and client (more on this in chapter 14).
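
The server.conf settings walked through earlier (the ca/cert/key/dh lines, user and group, port-share with tcp), the remote-cert-tls server line, and the values that must match between the two files can all be checked offline before you start the tunnel. The script below is an added example, not code from the book; the function names, finding labels and sample files are constructed for illustration, and it assumes comments are whole lines beginning with ; or #.

```shell
# Added example (not from the book): offline audit of OpenVPN config files.
# Assumption: comments are whole lines starting with ';' or '#', as in the samples.
# Print only the active directives of a config file, whitespace-normalised.
active_directives() {
    awk 'NF && $1 !~ /^[;#]/ { $1 = $1; print }' "$1"
}

# Print field N (default 2) of the first active line whose directive name is $2.
directive_value() {
    active_directives "$1" | awk -v d="$2" -v n="${3:-2}" '$1 == d { print $n; exit }'
}

# Print space-separated findings for a server config (empty = nothing flagged).
audit_server() {
    conf=$1; dir=$(dirname "$conf"); findings=""
    # ca/cert/key/dh must be active and name files that exist beside the config.
    for d in ca cert key dh; do
        f=$(directive_value "$conf" "$d")
        case $f in
            "") findings="$findings no-$d"; continue ;;
            /*) path=$f ;;
            *)  path=$dir/$f ;;
        esac
        [ -f "$path" ] || findings="$findings missing-file:$f"
    done
    # user/group must be uncommented so OpenVPN drops root after start-up.
    [ -n "$(directive_value "$conf" user)" ]  || findings="$findings user-not-set"
    [ -n "$(directive_value "$conf" group)" ] || findings="$findings group-not-set"
    # port-share only works when the tcp protocol is selected.
    if [ -n "$(directive_value "$conf" port-share)" ]; then
        case $(directive_value "$conf" proto) in tcp*) ;; *) findings="$findings port-share-needs-tcp" ;; esac
    fi
    echo "${findings# }"
}

# Print findings for a client config ($1) checked against the server config ($2).
audit_client() {
    client=$1; server=$2; findings=""
    # The client should insist on a certificate issued for server use.
    [ "$(directive_value "$client" remote-cert-tls)" = server ] ||
        findings="$findings no-remote-cert-tls-server"
    for d in proto dev; do   # these must match the server's values
        [ "$(directive_value "$client" "$d")" = "$(directive_value "$server" "$d")" ] ||
            findings="$findings $d-mismatch"
    done
    [ "$(directive_value "$client" remote 3)" = "$(directive_value "$server" port)" ] ||
        findings="$findings port-mismatch"
    echo "${findings# }"
}

# Constructed sample files: dh file not copied, user/group commented, weak client.
make_sample() {
    mkdir -p "$1" && touch "$1/ca.crt" "$1/server.crt" "$1/server.key"
    printf '%s\n' 'port 1194' 'proto tcp' 'dev tun' 'ca ca.crt' 'cert server.crt' \
        'key server.key' 'dh dh2048.pem' 'server 10.8.0.0 255.255.255.0' \
        'port-share localhost 80' ';user nobody' ';group nogroup' > "$1/server.conf"
    printf '%s\n' client 'dev tun' 'proto udp' 'remote 192.168.1.23 1194' \
        'ca ca.crt' 'cert client.crt' 'key client.key' > "$1/client.conf"
}

tmp=$(mktemp -d) && make_sample "$tmp"
echo "server: $(audit_server "$tmp/server.conf")"
echo "client: $(audit_client "$tmp/client.conf" "$tmp/server.conf")"
rm -rf "$tmp"
```

On a real host, run audit_server against /etc/openvpn/server.conf as root so the key files are visible, and give audit_client a copy of the server's file to compare against.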

About the author

David Clinton is a system administrator, teacher, and writer. He has administered, written about, and created educational materials for many important technical disciplines, including Linux systems, cloud computing (AWS in particular), and container technologies like Docker. He wrote the book Learn Amazon Web Services in a Month of Lunches (Manning, 2017). Many of his video training courses can be found on Pluralsight.com, and links to his other books (on Linux administration and server virtualization) are available at bootstrap-it.com.


For Habr readers, a 25% discount with the coupon Linux.
Once the paper version of the book is paid for, the electronic book is sent by e-mail.

source: www.habr.com
