Until recently, many people did not know what working from home was like. The pandemic has changed the situation in the world dramatically; everyone had to adapt to the new circumstances, namely that simply leaving the house has become unsafe. And many had to organise remote work from home for their employees quickly.
However, a poorly chosen solution for remote work can lead to irreversible losses. User passwords can be stolen, and that would allow an attacker to connect, uncontrolled, to the company's network and IT resources.
That is why the need to build a secure corporate VPN network has grown. I will tell you about a reliable, secure and easy-to-use VPN network.
It works on the IPsec/L2TP scheme, uses non-extractable keys and certificates stored on tokens for client authentication, and transmits data over the network in encrypted form.
A server with CentOS 7 (address: centos.vpn.server.ad) and a client with Ubuntu 20.04, as well as a client with Windows 10, were used as the demo stand for the setup.
System Description
The VPN will work on the IPsec + L2TP + PPP scheme. The Point-to-Point Protocol (PPP) operates at the data link layer of the OSI model and provides user authentication and, optionally, encryption of the transmitted data. Its frames are encapsulated in the payload of the L2TP protocol, which creates the connection itself in the VPN network but does not provide authentication or encryption.
IPsec, in turn, protects the traffic between the two hosts that set up the tunnel, so on its own it would allow users to be authenticated only from particular devices. We will use the IPsec protocol as it is (with a pre-shared key, as configured below) and allow users to authenticate from any device.
User authentication with smart cards will be performed at the PPP protocol level using the EAP-TLS protocol.
More details about how this scheme works can be found in this article.
Why does this scheme satisfy all three requirements for a good VPN network?
The reliability of the scheme has been tested by time: it has been used to deploy VPN networks since 2000.
The security of user authentication is provided by the PPP protocol. The standard implementation of PPP by Paul Mackerras does not provide a sufficient level of security, because for authentication, at best, a login and a password are used. We all know that a login password can be spied on, guessed or stolen. However, for quite some time now the developer Jan Just Keijser has fixed this problem in his implementation of the protocol and added the ability to use authentication protocols based on asymmetric cryptography, such as EAP-TLS. In addition, he added the ability to use smart cards for authentication, which makes the system even more secure.
Currently, active work is under way to merge these two projects, and you can be sure that sooner or later this will happen. For example, a patched version of PPP that uses the secure authentication protocols has been in the Fedora repositories for a long time.
Until recently, this network could only be used by Windows users, but our colleagues from Moscow State University, Vasily Shokov and Alexander Smirnov, found an old L2TP client for Linux and modified it. Together we fixed many bugs and shortcomings in the client and simplified the build and configuration of the system, even when building from source. The most significant changes are:
Removed the passing of the PIN code to pppd through a temporary file.
Fixed the incorrect launch of the password prompt from the graphical interface. This was achieved by fixing the environment passed to the xl2tpd service.
The build of the L2tpIpsecVpn daemon is now combined with the build of the client itself, which simplifies building and configuring the system.
For convenience of development, Azure Pipelines was connected to check that the build succeeds.
Added the ability to force a downgrade of the security level in the OpenSSL context. This is useful for supporting new operating systems where the OpenSSL security level is set to 2, together with VPN networks that use certificates not meeting the requirements of that level (RSA keys shorter than 2048 bits or SHA-1 signatures). This option will be useful for working with old, already existing VPN networks. Note that lowering the level re-admits those weak keys and signatures for the whole TLS handshake, so treat it as a temporary measure while the old certificates are reissued.
This client supports the use of smart cards for authentication and hides as much as possible all the difficulties and subtleties of setting up this scheme in Linux, letting users configure it as simply and quickly as possible.
Of course, for convenient interaction between PPP and the client GUI, additional changes to each of the projects could not be avoided, but nevertheless they were kept to a minimum.
If a user wants to become a member of the VPN network, they create a key pair and a certificate request for this client. If the user is trusted, this request can be signed and the certificate written to the token.
Send the resulting client.req request to the CA. When you receive the certificate for your key pair, write it to the token with the same id as the key.
For Windows and Linux clients (a more universal method)
This method is more universal, because it lets you create a key and a certificate that will pass authentication from both Windows and Linux clients, but it requires a Windows machine to perform the key-generation procedure.
Before creating the request and issuing the certificate, you need to add the VPN network's root certificate to the list of trusted ones. To do this, open it and in the window that opens choose the "Install Certificate" option:
In the window that opens, choose to install the certificate for the current user:
Install the certificate into the Trusted Root Certification Authorities store:
After all these actions, agree with all the further prompts. The root certificate is now installed.
Create a file cert.tmp with the following contents:
After that, generate a key pair and create a certificate request. To do this, open PowerShell and enter the following command:
certreq.exe -new -pin $PIN .\cert.tmp .\client.req
Send the created client.req request to your CA and wait to receive the certificate client.pem. It can be written to the token and added to the Windows certificate store with the following command:
certreq.exe -accept .\client.pem
It is worth noting that the same actions can be reproduced through the graphical interface of the mmc program, but that way takes longer and is less scriptable.
Setting up the Ubuntu client
WARNING
Setting up the client on Linux currently takes a long time, because separate programs have to be built from source. We will try to make sure that all our changes get into the official repositories in the future.
To establish the IPsec-level connection to the server, the strongswan package and the xl2tpd daemon are used. To simplify connecting to the network with smart cards, we will use the l2tp-ipsec-vpn package, which provides a graphical shell for convenient connection.
Let's assemble the components step by step, but first install all the packages needed for the VPN itself to work:
sudo apt-get -y install git make gcc libssl-dev strongswan xl2tpd
git clone "https://github.com/jjkeijser/ppp"
cd ppp
./configure --prefix /usr
make -j4
sudo make install
Building the L2tpIpsecVpn client
At the moment, the client also has to be built from source. This is done with the following commands:
sudo apt-get -y install git qt5-qmake qt5-default build-essential libctemplate-dev libltdl-dev
git clone "https://github.com/Sander80/l2tp-ipsec-vpn"
cd l2tp-ipsec-vpn
make -j4
sudo make install
Configuring the L2tpIpsecVpn client
Launch the installed client:
After launch, the L2tpIpsecVPN applet should appear. Right-click it and configure the connection:
To work with tokens, first of all we specify the path to the OpenSSL PKCS#11 engine (engine_pkcs11 from OpenSC's libp11) and to the PKCS#11 library of the token. To do this, open the "Preferences" tab and fill in the OpenSSL settings:
Close the OpenSSL settings window and move on to configuring the network. Add a new network by clicking the Add... button in the settings and enter the network name:
After that, this network becomes available in the settings. Double-click the new network to configure it. On the first tab you need to fill in the IPsec settings. Let's set the server address and the pre-shared key:
After that, go to the PPP settings tab and specify the user name under which we want to enter the network:
After that, open the Properties tab and specify the paths to the key, the client certificate and the CA certificate:
Close this tab and perform the last setting: open the "IP settings" tab and check the box next to the "Obtain DNS server address" option:
This option lets the client obtain its address settings in the network from the server.
After all the settings, close all tabs and restart the client:
Connecting to the network
After configuration, you can connect to the network. To do this, open the applet menu and select the network we want to connect to:
While the connection is being established, the client will ask us to enter the Rutoken PIN code:
If a notification appears in the status bar saying the connection has been established, the setup is complete:
Otherwise, it is worth finding out why the connection was not established. To do this, look at the program log by selecting the "Connection information" command in the applet:
Setting up the Windows client
Setting up the client on Windows is much easier than on Linux, because all the necessary software is already built into the system.
Installation
Install all the drivers needed to work with Rutokens by downloading them from the official site.
Importing the root certificate for authentication
Download the server's root certificate and install it in the system. To do this, open it and in the window that opens select the "Install Certificate" option:
In the window that opens, choose to install the certificate for the current user. If you want the certificate to be available to all users of the computer, choose to install it for the local machine instead:
Install the certificate in the Trusted Root Certification Authorities store:
After all these actions, agree with all the further prompts. The root certificate is now installed.
Setting up the VPN connection
To configure the VPN connection, go to the Control Panel and select the option to create a new connection.
In the pop-up window, choose the option to create a connection to your workplace:
The setup is not finished yet. All that remains is to specify the shared key for the IPsec protocol; to do this, go to the "Network connection settings" tab and then to the "Properties for this connection" tab:
In the window that opens, go to the "Security" tab, specify "L2TP/IPsec" as the VPN type and choose "Advanced settings". On the same tab, make sure authentication is set to "Use Extensible Authentication Protocol (EAP)" with the "Microsoft: Smart Card or other certificate" method, so that the token certificate rather than a password is used:
In the window that opens, specify the IPsec shared key:
After completing the setup, you can try to connect to the network:
While connecting, we will need to enter the token PIN code:
We have set up a secure VPN network and made sure it is not difficult.
Acknowledgements
I would like to thank once again our colleagues Vasily Shokov and Alexander Smirnov for the work they did together with us to simplify the setup of VPN connections for Linux clients.