Setting up authentication in an L2TP network using Rutoken EDS 2.0 and Rutoken PKI

The problem

Until recently, many people had no idea what working from home was like. The pandemic has changed the picture dramatically: everyone has had to adapt to the current situation, in which leaving the house has become unsafe, and many companies had to organise remote work for their employees in a hurry.

Choosing a remote-work solution carelessly, however, can lead to irreversible losses. User passwords can be stolen, and that would let an attacker connect to the company's network and IT resources without any control.

That is why the need to build reliable corporate VPN networks has grown. I will describe a reliable, secure and easy-to-use VPN network.

It follows the IPsec/L2TP scheme: clients are authenticated with non-extractable keys and certificates stored on tokens, and data crosses the network in encrypted form.

A server running CentOS 7 (address: centos.vpn.server.ad), a client running Ubuntu 20.04 and a client running Windows 10 were used as the demonstration stand for the setup.

System description

The VPN works according to the IPsec + L2TP + PPP scheme. The Point-to-Point Protocol (PPP) operates at the data link layer of the OSI model and provides user authentication and encryption of the transmitted data. Its frames are encapsulated in the L2TP protocol, which actually creates the connection in the VPN network but provides neither authentication nor encryption.

L2TP data is in turn encapsulated in IPsec, which also provides authentication and encryption, but unlike PPP it authenticates and encrypts at the device level rather than the user level.

This property lets you authenticate users only from particular devices. We will use the IPsec protocol as is and allow user authentication from any device.

User authentication with a smart card is performed at the PPP level using the EAP-TLS protocol.

More details about how this scheme works can be found in this article.

Why does this scheme meet all three requirements for a good VPN network?

  1. The reliability of the scheme has been tested by time: it has been used to deploy VPN networks since 2000.
  2. Secure user authentication is provided by the PPP protocol. The standard implementation of PPP developed by Paul Mackerras does not provide a sufficient level of security, because at best a login and password are used for authentication, and we all know that a login and password can be intercepted, guessed or stolen. For a long time now, however, the developer Jan Just Keijser has fixed this problem in his implementation of the protocol and added the ability to authenticate with protocols based on asymmetric cryptography, such as EAP-TLS. He also added the ability to use smart cards for authentication, which makes the system even more secure.
    At the moment there are active discussions about merging these two projects, and you can be sure that sooner or later this will happen. For example, a patched version of PPP that uses secure authentication protocols has been in the Fedora repositories for a long time.
  3. Until recently this network could only be used by Windows users, but our colleagues from Moscow State University, Vasily Shokov and Alexander Smirnov, found an old L2TP client for Linux and modified it. Together we fixed many bugs and shortcomings in the client, simplifying the installation and configuration of the system even when building from source. The most significant of them are:
    • Fixed compatibility problems between the old client and the interfaces of the new versions of openssl and qt.
    • Removed the passing of the PIN code to pppd through a temporary file.
    • Fixed the incorrect launch of the password prompt through the graphical interface. This was done by setting up the correct environment for the xl2tpd service.
    • The L2tpIpsecVpn daemon is now built together with the client itself, which simplifies the build and setup process.
    • For convenience of development, the Azure Pipelines system was connected to check that the build is correct.
    • Added the ability to force a lower security level in the openssl context. This is useful for supporting, on the new operating systems where the security level is set to 2, VPN networks that use certificates which do not meet the security requirements of that level. The option will be useful for working with existing legacy VPN networks.

The fixes can be found in the repository.

This client supports smart-card authentication and hides as far as possible all the difficulties and subtleties of setting up this scheme on Linux, making client setup as simple and quick as possible.

Of course, convenient interaction between PPP and the client GUI could not be achieved without additional changes to each project, but they were nevertheless kept to a minimum.

Now you can start the setup.

Server setup

Let's install all the necessary packages.

Installing strongswan (IPsec)

First of all, let's configure the firewall for ipsec to work:

sudo firewall-cmd --permanent --add-port=1701/{tcp,udp}
sudo firewall-cmd --permanent --add-service=ipsec
sudo firewall-cmd --reload

Then let's start the installation:

sudo yum install epel-release ipsec-tools dnf
sudo dnf install strongswan

After installation you need to configure strongswan (one of the IPsec implementations). To do this, edit the file /etc/strongswan/ipsec.conf:

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey 

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%any
    leftprotoport=udp/1701
    right=%any
    rightprotoport=udp/%any
    ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
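
The ike= and esp= lists above still offer MD5, 3DES and 1024-bit MODP groups, so a peer can negotiate down to them. The following shell script is an added example, not part of the article: it scans an ipsec.conf for ike=/esp= lines, reports each legacy proposal and prints the list with those entries removed (applied to the article's lists, only aes128-sha1-modp1536 survives). WEAK_PATTERN, the function names and the sample file are this example's own assumptions, not strongSwan settings.

```shell
#!/bin/sh
# Added example (not from the article): audit the ike=/esp= proposal lists of a
# strongSwan ipsec.conf for legacy primitives and print a hardened list.
# MD5 and 3DES are deprecated and modp1024 (1024-bit DH) is considered weak;
# WEAK_PATTERN is what this check flags, not a strongSwan keyword (assumption).
WEAK_PATTERN='md5|3des|modp1024'

# Print the entries of comma-separated proposal list $1 that match WEAK_PATTERN,
# one per line (prints nothing if the list is clean).
list_weak_proposals() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E "$WEAK_PATTERN" || true
}

# Print $1 with every weak entry removed, in the original order, as one
# comma-separated line (empty if nothing acceptable is left).
strip_weak_proposals() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Ev "$WEAK_PATTERN" \
        | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { printf "\n" }'
}

# Audit the ike= and esp= lines of config file $1. For each weak entry print
# "weak <key> <proposal>", then "hardened <key>=<list>" with the weak entries
# dropped. Returns 1 if anything weak was found, 0 if the file is clean.
audit_ipsec_conf() {
    found=0
    for line in $(grep -E '^[[:space:]]*(ike|esp)[[:space:]]*=' "$1" | tr -d ' \t'); do
        key=${line%%=*}
        value=${line#*=}
        weak=$(list_weak_proposals "$value")
        [ -z "$weak" ] && continue
        found=1
        for p in $weak; do
            printf 'weak %s %s\n' "$key" "$p"
        done
        printf 'hardened %s=%s\n' "$key" "$(strip_weak_proposals "$value")"
    done
    return $found
}

# Constructed sample in the article's layout (not a real server's file): the
# first entry of each list is the one the hardened output keeps.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
conn L2TP-PSK-noNAT
    authby=secret
    ike=aes128-sha1-modp1536,aes128-md5-modp1024,3des-sha1-modp1536
    esp=aes128-sha1-modp1536,3des-md5-modp1024
EOF

# Usage: print the report for the sample; the non-zero status marks a finding.
audit_ipsec_conf "$SAMPLE_CONF" \
    || echo "weak proposals found; replace the ike=/esp= lines with the hardened ones"
```

Run it against /etc/strongswan/ipsec.conf on the server; a clean file produces no output and exit status 0, so the check can sit in a configuration-management pipeline. Dropping entries only narrows what the server accepts, so an old client that knows nothing but 3DES will fail to connect rather than silently negotiate the weak suite.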

We also need to set the pre-shared key. This shared secret has to be known to every participant of the network for authentication to succeed. The method is obviously unreliable, because the secret can easily become known to people we do not want to give access to the network.
However, even this fact will not affect the security of the network, because the basic data encryption and user authentication are done by the PPP protocol. In fairness it is worth noting that strongswan supports more secure authentication technologies, for example private keys. Strongswan can also authenticate with smart cards, but so far only a limited range of devices is supported, so authentication with Rutoken tokens and smart cards is still difficult. Let's set the shared secret in the file /etc/strongswan/ipsec.secrets:

# ipsec.secrets - strongSwan IPsec secrets file
%any %any : PSK "SECRET_PASSPHRASE"

Let's restart strongswan:

sudo systemctl enable strongswan
sudo systemctl restart strongswan

Installing xl2tp

sudo dnf install xl2tpd

Let's configure it via the file /etc/xl2tpd/xl2tpd.conf:

[global]
force userspace = yes
listen-addr = 0.0.0.0
ipsec saref = yes

[lns default]
exclusive = no
; defines the static address of the server in the virtual network
local ip = 100.10.10.1
; sets the range of virtual addresses
ip range = 100.10.10.1-100.10.10.254
assign ip = yes
refuse pap = yes
require authentication = yes
; this option can be disabled after the network has been set up successfully
ppp debug = yes
length bit = yes
pppoptfile = /etc/ppp/options.xl2tpd
; specifies the address of the server in the network
name = centos.vpn.server.ad

Let's restart the service:

sudo systemctl enable xl2tpd
sudo systemctl restart xl2tpd

PPP setup

It is advisable to install the latest version of pppd. To do this, run the following commands:

sudo yum install git make gcc openssl-devel
git clone "https://github.com/jjkeijser/ppp"
cd ppp
./configure --prefix /usr
make -j4
sudo make install

Write the following into /etc/ppp/options.xl2tpd (if there is anything important in it already, you can remove it):

ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 1.1.1.1

noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

Let's put the root certificate and the server certificate in place:

# directory for the user, CA and server certificates
sudo mkdir /etc/ppp/certs
# directory for the server and CA private keys
sudo mkdir /etc/ppp/keys
# deny any access to this directory except for the administrator
# (0700 rather than 0600: a directory needs the owner's execute bit to be entered)
sudo chmod 0700 /etc/ppp/keys/

# generate the key and issue the CA certificate
sudo openssl genrsa -out /etc/ppp/keys/ca.pem 2048
sudo openssl req -key /etc/ppp/keys/ca.pem -new -x509 -out /etc/ppp/certs/ca.pem -subj "/C=RU/CN=L2TP CA"

# generate the key and issue the server certificate
sudo openssl genrsa -out /etc/ppp/keys/server.pem 2048
sudo openssl req -new -out server.req -key /etc/ppp/keys/server.pem -subj "/C=RU/CN=centos.vpn.server.ad"
sudo openssl x509 -req -in server.req -CAkey /etc/ppp/keys/ca.pem -CA /etc/ppp/certs/ca.pem -out /etc/ppp/certs/server.pem -CAcreateserial

So, the basic server setup is complete. The rest of the server configuration consists of adding new clients.

Adding a new client

To add a new client to the network, you need to add its certificate to the list of certificates trusted for this client.

If a user wants to become a member of the VPN network, he generates a key pair and a certificate request for this client. If the user is trusted, the request can be signed and the resulting certificate written into the certificates directory:

sudo openssl x509 -req -in client.req -CAkey /etc/ppp/keys/ca.pem -CA /etc/ppp/certs/ca.pem -out /etc/ppp/certs/client.pem -CAcreateserial

Let's add a line to the file /etc/ppp/eaptls-server that matches the client name with its certificate:

"client" * /etc/ppp/certs/client.pem /etc/ppp/certs/server.pem /etc/ppp/certs/ca.pem /etc/ppp/keys/server.pem *

WARNING
To avoid confusion, it is better that the Common Name, the certificate file name and the client name are unique.

It is also worth checking that the name of the client we are adding does not occur anywhere in other certificates, otherwise there may be problems with how the user is authenticated.

The same certificate must be sent back to the user.

Creating a key pair and a certificate

For authentication to succeed, the client must:

  1. generate a key pair;
  2. have the root CA certificate;
  3. have a certificate for its key pair signed by the root CA.

For Linux clients

First, let's generate a key pair on the token and create a certificate request:

# the key identifier (the --id parameter) can be replaced with any other.
pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type rsa:2048 -l --id 45

openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:librtpkcs11ecp.so
...
OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -out client.req -subj "/C=RU/CN=client"

Send the resulting request client.req to the CA. When you receive the certificate for your key pair, write it to the token with the same id as the key:

pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -l -y cert -w ./client.pem --id 45
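
The server-side issuing commands, the client-adding procedure with its uniqueness warning, and the request/certificate round trip with the token are brought together in the following added example; it is not the article's own code. A scratch CA in a temporary directory issues the server and client certificates, refuses a duplicate client name, checks that the issued certificate carries the public key from the request (the check worth running before the certificate is written to the token under the key's id), verifies the chain and prints the eaptls-server line. The temporary paths, the function names and the 365-day validity are this example's choices, and the client key is a software key standing in for the key pair that would live on the token.

```shell
#!/bin/sh
# Added example (not from the article): a scratch CA that repeats the article's
# openssl steps in a temporary directory and adds the checks an administrator
# wants before putting a client into /etc/ppp/eaptls-server. Function names,
# the temporary paths and the 365-day validity are this example's own choices;
# the article's commands use the default validity and the /etc/ppp paths.
WORK=$(mktemp -d)
CERTS="$WORK/certs"
KEYS="$WORK/keys"
mkdir -p "$CERTS" "$KEYS"
chmod 0700 "$KEYS"

# CA key plus self-signed CA certificate (the article's first two openssl commands).
make_ca() {
    openssl genrsa -out "$KEYS/ca.pem" 2048 2>/dev/null
    openssl req -key "$KEYS/ca.pem" -new -x509 -days 365 \
        -out "$CERTS/ca.pem" -subj "/C=RU/CN=L2TP CA"
}

# Sign the request in $1 with the CA and write the certificate to $2.
sign_request() {
    openssl x509 -req -in "$1" -CAkey "$KEYS/ca.pem" -CA "$CERTS/ca.pem" \
        -CAcreateserial -days 365 -out "$2" 2>/dev/null
}

# Server key and certificate; the CN is the address used throughout the article.
make_server_cert() {
    openssl genrsa -out "$KEYS/server.pem" 2048 2>/dev/null
    openssl req -new -key "$KEYS/server.pem" -out "$WORK/server.req" \
        -subj "/C=RU/CN=centos.vpn.server.ad"
    sign_request "$WORK/server.req" "$CERTS/server.pem"
}

# Client-side step: key pair and request for CN=$1. Here the key is a plain file
# (assumption for an offline run); on a real client it stays on the token
# (pkcs11-tool --keypairgen) and only the request leaves the device.
make_client_request() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.req" -subj "/C=RU/CN=$1"
}

# Succeeds only if the public key in request $1 is the one in certificate $2.
# Run this before writing the certificate to the token under the key's id.
cert_matches_request() {
    [ "$(openssl req -in "$1" -pubkey -noout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Common Name of certificate $1 (handles both "CN = x" and "/CN=x" subject layouts).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The article's uniqueness rule: no certificate already on the server may carry CN=$1.
client_name_is_unique() {
    for c in "$CERTS"/*.pem; do
        [ "$(cert_cn "$c")" = "$1" ] && return 1
    done
    return 0
}

# The eaptls-server line in the article's field order: client name, server name,
# client certificate, server certificate, CA certificate, server key, allowed addresses.
eaptls_server_line() {
    printf '"%s" * %s/%s.pem %s/server.pem %s/ca.pem %s/server.pem *\n' \
        "$1" "$CERTS" "$1" "$CERTS" "$CERTS" "$KEYS"
}

# Whole add-client flow for the request $WORK/$1.req: prints the eaptls-server
# line, or returns 1 (leaving no certificate behind) on a duplicate name, a key
# mismatch or a certificate that does not verify against the CA.
add_client() {
    client_name_is_unique "$1" || { echo "refused: CN $1 already issued" >&2; return 1; }
    sign_request "$WORK/$1.req" "$CERTS/$1.pem"
    if ! cert_matches_request "$WORK/$1.req" "$CERTS/$1.pem" \
        || ! openssl verify -CAfile "$CERTS/ca.pem" "$CERTS/$1.pem" >/dev/null 2>&1; then
        rm -f "$CERTS/$1.pem"
        return 1
    fi
    eaptls_server_line "$1"
}

# Usage: build the CA and server certificate, then enrol one client.
make_ca
make_server_cert
make_client_request client
add_client client
```

The uniqueness check deliberately looks at every certificate in the directory, including the CA and server certificates, so a client cannot be enrolled under a name that collides with either of them; the key-match check catches the case where a CA operator signs the wrong request and the client would then write a certificate to the token that its key can never prove possession of.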

For Windows and Linux clients (a more universal way)

This method is more universal, because it lets you create a key and a certificate that will pass authentication from both Windows and Linux clients, but it requires a Windows machine to carry out the key-generation procedure.

Before creating the request and issuing the certificate, you need to add the root certificate of the VPN network to the list of trusted certificates. To do this, open it and, in the window that opens, select the "Install certificate" option.

In the window that opens, choose to install the certificate for the local user.

Let's install the certificate in the trusted root certification authorities store.

After all these actions we accept all the remaining items. The system is now configured.

Let's create a file cert.tmp with the following contents:

[NewRequest]
Subject = "CN=client"
KeyLength = 2048
KeySpec = "AT_KEYEXCHANGE" 
ProviderName = "Microsoft Base Smart Card Crypto Provider"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = PKCS10
SMIME = FALSE

After that we generate a key pair and create a certificate request. To do this, open powershell and enter the following command:

certreq.exe -new -pin $PIN .\cert.tmp .\client.req

Send the created request client.req to your CA and wait for the certificate client.pem. It can be written to the token and added to the Windows certificate store with the following command:

certreq.exe -accept .\client.pem

It is worth noting that the same actions can be performed through the graphical interface of the mmc program, but that way takes more time and is less scriptable.

Setting up the Ubuntu client

WARNING
Client setup on Linux currently takes a lot of time, because separate utilities have to be built from source. We will try to get all the changes into the official repositories in the near future.

To establish a connection with the server at the IPsec level, the strongswan package and the xl2tp daemon are used. To simplify connecting to the network with smart cards, we will use the l2tp-ipsec-vpn package, which provides a graphical shell for a simplified connection.

Let's start building the components step by step, but first we will install all the packages needed directly for the VPN to work:

sudo apt-get install xl2tpd strongswan libp11-3

Installing software for working with tokens

Install the latest librtpkcs11ecp.so library from the site, and also the libraries for working with smart cards:

sudo apt-get install pcscd pcsc-tools opensc libengine-pkcs11-openssl

Connect the Rutoken and check that the system recognises it:

pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O -l

Installing the patched ppp

sudo apt-get -y install git make gcc libssl-dev
git clone "https://github.com/jjkeijser/ppp"
cd ppp
./configure --prefix /usr
make -j4
sudo make install

Installing the L2tpIpsecVpn client

At the moment the client also has to be built from source. This is done with the following commands:

sudo apt-get -y install git qt5-qmake qt5-default build-essential libctemplate-dev libltdl-dev
git clone "https://github.com/Sander80/l2tp-ipsec-vpn"
cd l2tp-ipsec-vpn
make -j4
sudo make install

Setting up the L2tpIpsecVpn client

Launch the installed client.

After launch, the L2tpIpsecVPN applet should appear. Right-click on it and set up the connection.

To work with tokens, first of all we specify the path to the opensc engine of OpenSSL and to the PKCS#11 library. To do this, open the "Preferences" tab to configure the OpenSSL settings.

Let's close the OpenSSL window and move on to setting up the network. Add a new network by clicking the Add... button in the settings and enter the network name.

After that the network becomes available in the settings. Double-click the new network to configure it. On the first tab you need to set the IPsec settings: the server address and the public key.

Then go to the PPP settings tab and specify the user name under which we want to enter the network.

After that, open the Properties tab and specify the paths to the key, the client certificate and the CA certificate.

Let's close this tab and make the final setting: open the "IP settings" tab and tick the box next to the "Obtain DNS server address automatically" option. This option lets the client receive its own personal IP address in the network from the server.

After all the settings, close all tabs and restart the client.

Connecting to the network

After the setup you can connect to the network. To do this, open the applet tab and select the network we want to connect to.

While the connection is being established, the client will ask us to enter the Rutoken PIN code.

If a notification appears in the status bar saying that the connection was established successfully, the setup is done.

Otherwise, it is worth figuring out why the connection was not established. To do this, look at the program log by selecting the "Connection information" command in the applet.

Setting up the Windows client

Client setup on Windows is much simpler than on Linux, because all the necessary software is already built into the system.

Installation

Let's install all the drivers needed to work with Rutokens by downloading them from the site.

Importing the root certificate for authentication

Download the server's root certificate and install it in the system. To do this, open it and, in the window that opens, select the "Install certificate" option.

In the window that opens, choose to install the certificate for the local user. If you want the certificate to be available to all users of the computer, choose to install it on the local computer instead.

Let's install the certificate in the trusted root certification authorities store.

After all these actions we accept all the remaining items. The system is now configured.

Setting up the VPN connection

To set up the VPN connection, go to the control panel and select the option to create a new connection.

In the pop-up window, select the option to create a connection to your workplace.

In the next window, select the VPN connection and enter the VPN connection details, also specifying the option to use a smart card.

The setup is not finished yet. All that remains is to specify the shared key for the IPsec protocol; to do this, go to the "Network connection settings" tab and then to the "Properties for this connection" tab.

In the window that opens, go to the "Security" tab, specify "L2TP/IPsec network" as the network type and select "Advanced settings".

In the window that opens, specify the IPsec shared key.

Connection

After completing the setup, you can try to connect to the network.

During the connection we will need to enter the token PIN code.

We have set up a secure VPN network and made sure that it is not difficult.

Acknowledgements

I would like to thank once again our colleagues Vasily Shokov and Alexander Smirnov for the work they did together to simplify the creation of VPN connections for Linux clients.

Source: www.hab.com