Problem
Until very recently, many people did not know what working from home was like. The pandemic changed the situation in the world dramatically, and everyone is adapting to the current circumstances, namely the fact that it is simply no longer safe to leave the house. Many organizations had to prepare their employees for remote work very quickly.
However, a poor approach to choosing a remote-work solution can lead to irreparable losses. A user's password can be stolen, and an attacker can then connect to the company's network and IT resources without any control.
That is why the need to build a reliable corporate VPN network has grown. In this article we will talk about a reliable, secure and simple VPN network.
It operates according to the IPsec/L2TP scheme, authenticates clients using non-extractable keys and certificates stored on a token, and transmits data over the network in encrypted form.
A server running CentOS 7 (address: centos.vpn.server.ad), a client running Ubuntu 20.04 and a client running Windows 10 were used as the demonstration stand for the configuration.
System description
The VPN operates according to the IPsec + L2TP + PPP scheme. The Point-to-Point Protocol (PPP) operates at the data link layer of the OSI model and provides user authentication and encryption of the transmitted data. Its data is encapsulated in the data of the L2TP protocol, which actually ensures the creation of a connection in the VPN network but provides neither authentication nor encryption.
L2TP data is in turn encapsulated in IPsec, which also provides authentication and encryption, but unlike PPP, authentication and encryption here take place at the device level rather than the user level.
This feature makes it possible to authenticate users only from specific devices. We will use the IPsec protocol as is and allow user authentication from any device.
User authentication with a smart card is performed at the PPP protocol level using the EAP-TLS protocol.
More detailed information about how this scheme works can be found here.
Why does this scheme meet all three requirements of a good VPN network listed above (reliable, secure and simple)?
- The reliability of this scheme has been tested by time: it has been used to deploy VPN networks since 2000.
- Secure user authentication is provided by the PPP protocol.
The standard implementation of the PPP protocol developed by Paul Mackerras does not provide a sufficient level of security, because at best authentication uses a login and password. Everyone knows that a login password can be peeked at, guessed or stolen. However, the developer Jan Just Keijser fixed this problem in his implementation of the protocol a long time ago and added the ability to use protocols based on asymmetric cryptography, such as EAP-TLS, for authentication. Moreover, he added the ability to use smart cards for authentication, which makes the system even more secure.
Active negotiations to merge these two projects are currently under way, and in any case it is certain that sooner or later this will happen. For example, a patched version of PPP with secure authentication protocols has long been present in the Fedora repositories.
- Until recently, this network could only be used by Windows users, but our colleagues from Moscow State University, Vasily Shokov and Alexander Smirnov, found an old L2TP client project for Linux and fixed it. Together we fixed many bugs and shortcomings in the client and simplified the installation and configuration of the system, even when building from source. The most important changes are the following:
- Fixed compatibility problems between the old client and the interfaces of new versions of openssl and qt.
- Removed passing the token PIN to pppd through a temporary file.
- Fixed the incorrect launching of the password-request program through the graphical interface; this was done by installing the correct environment for the xl2tpd service.
- The L2tpIpsecVpn daemon is now built together with the client itself, which simplifies the build and configuration process.
- To make development easier, the Azure Pipelines system was connected to test that the build is correct.
- Added the ability to forcibly downgrade the security level in the openssl context. This is useful for correctly supporting new operating systems, where the default security level is set to 2, on VPN networks that use certificates which do not meet the requirements of that level. This option is useful when working with existing old VPN networks.
The fixed version can be found here.
This client supports the use of smart cards for authentication and hides, as far as possible, all the difficulties of setting up this scheme on Linux, making client setup as simple and fast as possible.
Of course, for convenient interaction between PPP and the client GUI it was impossible to avoid additional edits to the PPP project itself, but they were kept to a minimum:
- Fixed the incorrect transfer of the token PIN code from PPP into the openssl context.
- Fixed an error in the order in which the settings are loaded and the openssl context is initialized. Because of this error, nothing could be loaded from the local /etc/ppp/openssl.cnf settings file except the information about the openssl engine for working with the smart card. This mattered when, in addition to the engine information, something else had to be configured, for example fixing the security level when establishing a connection.
Now we can begin the setup.
Server setup
Let's install all the necessary packages.
Installing strongswan (IPsec)
First, configure the firewall so that ipsec can operate:
sudo firewall-cmd --permanent --add-port=1701/{tcp,udp}
sudo firewall-cmd --permanent --add-service=ipsec
sudo firewall-cmd --reload
Now start the installation:
sudo yum install epel-release ipsec-tools dnf
sudo dnf install strongswan
After installation, strongswan (one of the IPsec implementations) must be configured. To do this, edit the file /etc/strongswan/ipsec.conf:
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=%any
leftprotoport=udp/1701
right=%any
rightprotoport=udp/%any
ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
Now we set a shared login password. The shared password must be known to every network participant for authentication. This method is obviously unreliable: the password can easily become known to persons who are not allowed access to the network.
However, even this does not affect the security of the network, since the basic data encryption and user authentication are performed by the PPP protocol. In fairness, it is worth noting that strongswan supports more secure authentication techniques, such as using private keys. Strongswan also has the ability to authenticate using smart cards, but so far the range of supported devices is limited, so authentication with Rutoken tokens and smart cards is still difficult. We set the shared password via the file /etc/strongswan/ipsec.secrets:
# ipsec.secrets - strongSwan IPsec secrets file
%any %any : PSK "SECRET_PASSPHRASE"
Restart strongswan:
sudo systemctl enable strongswan
sudo systemctl restart strongswan
Installing xl2tpd
sudo dnf install xl2tpd
Configure it via the file /etc/xl2tpd/xl2tpd.conf:
[global]
force userspace = yes
listen-addr = 0.0.0.0
ipsec saref = yes
[lns default]
exclusive = no
; defines the static address of the server in the virtual network
local ip = 100.10.10.1
; sets the range of virtual addresses
ip range = 100.10.10.1-100.10.10.254
assign ip = yes
refuse pap = yes
require authentication = yes
; this option can be disabled after the network has been set up successfully
ppp debug = yes
length bit = yes
pppoptfile = /etc/ppp/options.xl2tpd
; specifies the server's address in the network
name = centos.vpn.server.ad
Restart the service:
sudo systemctl enable xl2tpd
sudo systemctl restart xl2tpd
PPP setup
It is recommended to install the latest version of pppd. To do this, run the following sequence of commands:
sudo yum install git make gcc openssl-devel
git clone "https://github.com/jjkeijser/ppp"
cd ppp
./configure --prefix /usr
make -j4
sudo make install
Write the following to the file /etc/ppp/options.xl2tpd (if it already has contents, they can be deleted):
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 1.1.1.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
Issue the root certificate and the server certificate:
# directory with the certificates of users, the CA and the server
sudo mkdir /etc/ppp/certs
# directory with the private keys of the server and the CA
sudo mkdir /etc/ppp/keys
# deny any access to this directory except for the administrator
sudo chmod 0600 /etc/ppp/keys/
# generate the key and issue the CA certificate
sudo openssl genrsa -out /etc/ppp/keys/ca.pem 2048
sudo openssl req -key /etc/ppp/keys/ca.pem -new -x509 -out /etc/ppp/certs/ca.pem -subj "/C=RU/CN=L2TP CA"
# generate the key and issue the server certificate
sudo openssl genrsa -out /etc/ppp/keys/server.pem 2048
sudo openssl req -new -out server.req -key /etc/ppp/keys/server.pem -subj "/C=RU/CN=centos.vpn.server.ad"
sudo openssl x509 -req -in server.req -CAkey /etc/ppp/keys/ca.pem -CA /etc/ppp/certs/ca.pem -out /etc/ppp/certs/server.pem -CAcreateserial
This completes the basic server setup. The rest of the server configuration consists of adding new clients.
Adding a new client
To add a new client to the network, its certificate must be added to the list of trusted certificates for this client.
When a user wants to become a member of the VPN network, a key pair and a certificate request are created for this client. If the user is trusted, the request can be signed and the resulting certificate written to the certificates directory:
sudo openssl x509 -req -in client.req -CAkey /etc/ppp/keys/ca.pem -CA /etc/ppp/certs/ca.pem -out /etc/ppp/certs/client.pem -CAcreateserial
Add a line to the /etc/ppp/eaptls-server file that matches the client name with its certificate:
"client" * /etc/ppp/certs/client.pem /etc/ppp/certs/server.pem /etc/ppp/certs/ca.pem /etc/ppp/keys/server.pem *
Note
To avoid confusion, it is recommended that the common name, the certificate file name and the user name be unique.
It is important to make sure that the name of the added user is not present in any of the other authentication files; otherwise problems will arise with the user's authentication method.
The same certificate must be sent back to the user.
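The check described in the note above (unique client names in /etc/ppp/eaptls-server, and no reuse of a name in pppd's other secrets files) can be automated. The script below is an added example written for this article, not part of the ppp or L2tpIpsecVpn projects; it parses constructed samples of eaptls-server and chap-secrets embedded inline and reports the collisions.

```python
"""Check pppd EAP-TLS peer entries for the name collisions the note warns about."""
import shlex

# Field order of /etc/ppp/eaptls-server, as in the line added above.
FIELDS = ("client", "server", "client_cert", "server_cert",
          "ca_cert", "server_key", "addresses")

# Constructed sample of /etc/ppp/eaptls-server (not a real deployment):
# "alice" is listed twice, which the check below must flag.
EAPTLS_SAMPLE = '''\
# name   server client-cert              server-cert               ca-cert               server-key               addr
"client" * /etc/ppp/certs/client.pem /etc/ppp/certs/server.pem /etc/ppp/certs/ca.pem /etc/ppp/keys/server.pem *
"alice"  * /etc/ppp/certs/alice.pem  /etc/ppp/certs/server.pem /etc/ppp/certs/ca.pem /etc/ppp/keys/server.pem *
"alice"  * /etc/ppp/certs/alice2.pem /etc/ppp/certs/server.pem /etc/ppp/certs/ca.pem /etc/ppp/keys/server.pem *
'''
# Constructed sample of /etc/ppp/chap-secrets: "alice" also has a password
# entry here, so pppd could authenticate her by CHAP instead of EAP-TLS.
CHAP_SAMPLE = '''\
# client  server secret    IP addresses
"alice"   *      "hunter2" *
'''

def parse_eaptls(text):
    """Return one dict per entry; '#' starts a comment, quotes are honoured."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if len(fields) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(fields)}: {raw}")
        entries.append(dict(zip(FIELDS, fields)))
    return entries

def secret_names(text):
    """Return the client names (first field) from a pap-secrets/chap-secrets file."""
    return [f[0] for f in (shlex.split(l, comments=True) for l in text.splitlines()) if f]

def check_entries(eaptls_text, other_secrets):
    """Return problem strings: duplicate EAP-TLS names and names reused elsewhere."""
    problems, seen = [], set()
    for entry in parse_eaptls(eaptls_text):
        name = entry["client"]
        if name in seen:
            problems.append(f"duplicate EAP-TLS entry for {name!r}")
        seen.add(name)
    for filename, text in other_secrets.items():
        for name in secret_names(text):
            if name in seen:
                problems.append(f"{name!r} also appears in {filename}")
    return problems

if __name__ == "__main__":
    for problem in check_entries(EAPTLS_SAMPLE, {"chap-secrets": CHAP_SAMPLE}):
        print(problem)
```

On a real server, read the three files from /etc/ppp instead of the inline samples; an empty result means every EAP-TLS client name is unique and is not shadowed by a PAP or CHAP secret.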
Generating a key pair and certificate
For authentication to succeed, the client must:
- generate a key pair;
- have the CA root certificate;
- have a certificate for the key pair signed by the root CA.
For a client on Linux
First, generate a key pair on the token and create a certificate request:
# the key identifier (the --id parameter) can be replaced with any other.
pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type rsa:2048 -l --id 45
openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:librtpkcs11ecp.so
...
OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -out client.req -subj "/C=RU/CN=client"
Send the resulting client.req request to the CA. After receiving the certificate for the key pair, write it to the token under the same ID as the key:
pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -l -y cert -w ./client.pem --id 45
For Windows and Linux clients (a more universal method)
This method is more universal: it allows generating a key and certificate that are correctly recognized by both Windows and Linux users, but a Windows machine is required to carry out the key generation procedure.
Before generating the request and importing the certificate, the root certificate of the VPN network must be added to the list of trusted certificates. To do this, open it and in the window that opens select the option to install the certificate.
In the window that opens, select installing the certificate for the local user.
Install the certificate into the Trusted Root Certification Authorities store.
After all these steps, agree to everything else. The system is now configured.
Create a file cert.tmp with the following contents:
[NewRequest]
Subject = "CN=client"
KeyLength = 2048
KeySpec = "AT_KEYEXCHANGE"
ProviderName = "Microsoft Base Smart Card Crypto Provider"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = PKCS10
SMIME = FALSE
After that, generate the key pair and create the certificate request. To do this, open powershell and enter the following command:
certreq.exe -new -pin $PIN .\cert.tmp .\client.req
Send the created request client.req to the CA and wait to receive the client.pem certificate. It can be written to the token and added to the Windows certificate store with the following command:
certreq.exe -accept .\client.pem
It is worth noting that similar actions can be reproduced through the graphical interface of the mmc program, but that method is more time-consuming and less scriptable.
Setting up the Ubuntu client
Note
At the moment, setting up the client on Linux is rather time-consuming: several programs have to be built from source. In the near future we intend to make sure that all the changes are included in the official repositories.
The strongswan package and the xl2tpd daemon are used to provide the connection to the server at the IPsec level. To simplify connecting to the network with a smart card, we use the l2tp-ipsec-vpn package, which provides a graphical shell that simplifies connection setup.
Let's assemble the components step by step, but first install all the packages the VPN itself needs in order to work:
sudo apt-get install xl2tpd strongswan libp11-3
Installing software for working with the token
Install the latest librtpkcs11ecp.so library and the following packages:
sudo apt-get install pcscd pcsc-tools opensc libengine-pkcs11-openssl
Connect the Rutoken and check that the system recognizes it:
pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O -l
Installing the patched ppp
sudo apt-get -y install git make gcc libssl-dev
git clone "https://github.com/jjkeijser/ppp"
cd ppp
./configure --prefix /usr
make -j4
sudo make install
Installing the L2tpIpsecVpn client
At the moment the client has to be compiled from source code. This is done with the following sequence of commands:
sudo apt-get -y install git qt5-qmake qt5-default build-essential libctemplate-dev libltdl-dev
git clone "https://github.com/Sander80/l2tp-ipsec-vpn"
cd l2tp-ipsec-vpn
make -j4
sudo make install
Setting up the L2tpIpsecVpn client
Launch the installed client.
After launching, the L2tpIpsecVPN applet opens. Right-click it to configure the connection.
To work with the token, first specify the path to the opensc OpenSSL engine and to the PKCS#11 library. To do this, open the Settings tab and set the openssl parameters.
Close the OpenSSL settings window and move on to configuring the network. Click the Add... button in the settings panel and enter the network name to add a new network.
After that, this network becomes available in the settings panel. Right-click the new network to configure it. On the first tab the IPsec settings must be made: set the server address and the shared key.
Then go to the PPP settings tab and specify the user name under which the network will be accessed.
Then open the Properties tab and specify the paths to the key, the client certificate and the CA.
Close this tab and make the final settings: open the IP settings tab and check the box next to the option to obtain the DNS server address automatically. With this option the client receives its own IP address in the network from the server.
After all the settings are made, close all the tabs and restart the client.
Connecting to the network
After configuration you can connect to the network. To do this, open the applet tab and select the network to connect to.
During connection establishment, the client asks for the Rutoken PIN code.
If a notification that the connection was established successfully appears in the status bar, the setup has succeeded.
Otherwise it is worth finding out why the connection was not established. To do this, check the program log by selecting the Connection information command in the applet.
Setting up the Windows client
Setting up the client on Windows is much easier than on Linux: all the necessary software is built into the system.
System setup
Download and install all the drivers needed to work with the Rutoken.
Importing the root certificate for authentication
Download the server's root certificate and install it in the system. To do this, open it and in the window that opens select the option to install the certificate.
In the window that opens, select installing the certificate for the local user. If the certificate should be available to all users on the computer, select installing it on the local computer instead.
Install the certificate into the Trusted Root Certification Authorities store.
After all these steps, agree to everything else. The system is now configured.
Setting up the VPN connection
To set up the VPN connection, go to Control Panel and select the option to create a new connection.
In the pop-up window, select the option to create a connection to a workplace.
In the next window, select VPN connection.
Enter the VPN connection details and specify the option to use a smart card.
The setup is not complete yet: it remains to specify the shared key for the IPsec protocol. To do this, go to the network connection settings tab and then to the properties of this connection.
In the window that opens, go to the Security tab, specify L2TP/IPsec as the network type and select Advanced settings.
In the window that opens, specify the shared IPsec key.
Connection
Once the setup is complete, you can try to connect to the network.
During the connection process, the token PIN code must be entered.
We have set up a secure VPN network and made sure that it is not difficult.
Acknowledgements
We would like to thank once again our colleagues Vasily Shokov and Alexander Smirnov, who worked with us on simplifying the creation of VPN connections for Linux clients.
Source: habr.com