Book "Linux in Action"

Hello, Habr readers! In the book, David Clinton describes 12 real-life projects, including automating your own backup and recovery system, setting up a personal Dropbox-style file cloud, and building your own MediaWiki server. You will explore virtualization, disaster recovery, security, backup, DevOps and system troubleshooting through engaging case studies. Each chapter ends with a review of best practices, a glossary of new terms, and exercises.

Excerpt "10.1. Creating an OpenVPN tunnel"

I have already said a lot about encryption in this book. SSH and SCP can protect data transferred over a remote connection (chapter 3), file encryption can protect data while it is stored on a server (chapter 8), and TLS/SSL certificates can protect data transferred between sites and client browsers (chapter 9). But sometimes your data needs protection across a wider range of connections. For example, perhaps some members of your team work on the road and connect over Wi-Fi at public hotspots. You should never assume that all such access points are secure, but your people need a way to reach company resources, and that is where a VPN can help.

A well-designed VPN tunnel provides a direct connection between remote clients and a server in a way that hides the data as it travels across an insecure network. So what? You have already seen plenty of tools that can do that with encryption. The real value of a VPN is that by opening a tunnel you can connect remote networks as if they were all local. In a sense, you are taking a detour around the public network.

Using this extended network, administrators can do their work on their servers from anywhere. More importantly, a company with resources spread across several locations can make all of them visible and accessible to every team that needs them, wherever those teams are (Figure 10.1).

A tunnel by itself does not guarantee security. But one of the encryption standards can be built into the network structure, which greatly raises the level of security. Tunnels created with the open-source OpenVPN package use the same TLS/SSL encryption you have already read about. OpenVPN is not the only tunnelling option available, but it is one of the best known. It is generally considered slightly faster and more secure than the alternative Layer 2 Tunneling Protocol, which relies on IPsec for encryption.

Do you want everyone on your team to communicate securely while on the road or working in different buildings? To do that, you need to build an OpenVPN server that allows application sharing and access to the server's local network environment. To make this work, all you need is two virtual machines or two containers: one to act as the server/host and one to act as the client. Building a VPN is not a trivial process, so it is worth taking a few minutes to get the big picture in mind.


10.1.1. OpenVPN server configuration

Before you begin, let me give you a useful tip. If you are going to do this yourself (and I strongly recommend that you do), you will probably find yourself working with several terminals open on your desktop, each connected to a different machine. There is a risk that at some point you will type the wrong command in the wrong window. To avoid this, you can use the hostname command to change the machine name shown at the command prompt to something that tells you unambiguously where you are. Once you have done that, you will need to log out of the server and back in for the setting to take effect.

By following this approach and giving a meaningful name to every machine you work with, you can easily keep track of where you are.

After running hostname, you may run into an annoyance: sudo complains that it is unable to resolve the new host name. Updating the /etc/hosts file with the new hostname should fix the problem.

Setting up your OpenVPN server

To install OpenVPN on your server, you need two packages: openvpn and easy-rsa (to manage the encryption key generation process). CentOS users should first install the epel-release repository if necessary, as you did in chapter 2. To be able to test access to a server application, you can also install the Apache web server (apache2 on Ubuntu, httpd on CentOS).

While setting up your server, I recommend enabling a firewall that blocks all ports except 22 (SSH) and 1194 (OpenVPN's default port). This example shows how ufw would work on Ubuntu, but I am sure you still remember the CentOS firewalld system from chapter 9:

# ufw enable
# ufw allow 22
# ufw allow 1194

To enable internal routing between the network interfaces on the server, you need to uncomment one line (net.ipv4.ip_forward = 1) in the /etc/sysctl.conf file. This allows remote clients to be routed onward as needed once they are connected. To make the new option take effect, run sysctl -p:

# nano /etc/sysctl.conf
# sysctl -p

Your server environment is now fully configured, but there is still one thing left before you are ready: you need to complete the following steps (we will cover them in detail next).

  1. Create a set of public key infrastructure (PKI) encryption keys on the server using the scripts provided with the easy-rsa package. In effect, the OpenVPN server also acts as its own certificate authority (CA).
  2. Prepare the appropriate keys for the client.
  3. Configure the server's server.conf file.
  4. Set up your OpenVPN client.
  5. Test your VPN.

Generating encryption keys

To keep things simple, you can set up your key infrastructure on the same machine the OpenVPN server runs on. However, security best practice generally calls for a separate CA server in production, since whoever controls the CA key can issue certificates that every peer trusts. The process of generating and distributing the encryption resources for use with OpenVPN is shown in Figure 10.2.

When you install OpenVPN, the /etc/openvpn/ directory is created automatically, but there is nothing in it yet. The openvpn and easy-rsa packages come with sample template files you can use as the basis for your configuration. To begin the certificate process, copy the easy-rsa template directory from /usr/share/ to /etc/openvpn and change into the easy-rsa/ directory:

# cp -r /usr/share/easy-rsa/ /etc/openvpn
$ cd /etc/openvpn/easy-rsa

The easy-rsa directory will now contain quite a few scripts. Table 10.1 lists the tools you will use to create the keys.

Table 10.1. easy-rsa scripts used in this section

Script             Purpose
vars               Sets the environment variables (identity values) used when keys are generated
clean-all          Empties the /etc/openvpn/easy-rsa/keys/ directory
build-ca           Creates the root CA certificate (ca.crt) by calling pkitool
build-key-server   Creates the server's key pair (server.crt, server.key) by calling pkitool
build-dh           Generates the Diffie-Hellman parameters (dh2048.pem)
pkitool            The underlying tool used by the scripts above; run directly to create client keys

The operations above require root privileges, so you need to become root with sudo su.

The first file you will work with is called vars, and it contains the environment variables that easy-rsa uses when generating keys. You need to edit the file to use your own values in place of the defaults already there. This is how my file looks (Listing 10.1).

Listing 10.1. Key parts of the /etc/openvpn/easy-rsa/vars file

export KEY_COUNTRY="CA"
export KEY_PROVINCE="ON"
export KEY_CITY="Toronto"
export KEY_ORG="Bootstrap IT"
export KEY_EMAIL="[email protected]"
export KEY_OU="IT"

Sourcing the vars file (with . ./vars or source ./vars) passes its values into the shell environment, where they are incorporated into the contents of your new keys. This is also why a sudo prefix is not enough here: sourcing changes the environment of the current shell, and a command run under sudo cannot change the environment of the shell that invoked it, so you need to be root in that shell when you source the file and run the scripts.

If you log out or open a new shell before you finish, be sure to source the file again there. Once it has been sourced, the script prompts you to run another script, clean-all, which removes any existing contents of the /etc/openvpn/easy-rsa/keys/ directory.

Naturally, the next step is to run the clean-all script, followed by build-ca, which uses the pkitool script to create the root certificate. You will be asked to confirm the identity settings supplied in vars:

# ./clean-all
# ./build-ca
Generating a 2048 bit RSA private key

Next comes the build-key-server script. Since it uses the same pkitool script together with the new root certificate, you will see the same prompts to confirm the creation of the key pair. The keys are named after the argument you pass, which, unless you run several VPNs on this machine, will normally be server, as in the example:

# ./build-key-server server
[...]
Certificate is to be certified until Aug 15 23:52:34 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

OpenVPN uses parameters generated for the Diffie-Hellman algorithm (with build-dh) to negotiate the session keys of new connections. The file created here does not need to be kept secret. Note that build-dh simply generates a parameter set of the size given by KEY_SIZE in vars (2048 bits here, which is why the file is called dh2048.pem); the parameters are independent of your RSA keys, so there is nothing to rebuild if you later issue new certificates:

# ./build-dh

Your server-side keys are now in the /etc/openvpn/easy-rsa/keys/ directory, but OpenVPN does not know that. By default, OpenVPN looks for its keys in /etc/openvpn/, so copy them there:

# cp /etc/openvpn/easy-rsa/keys/server* /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn

Preparing client encryption keys

As you have already seen, TLS encryption uses matched key pairs: one installed on the server and one installed on the remote client. This means you will need client keys. Our old friend pkitool is exactly what you need here. In this example, run from the /etc/openvpn/easy-rsa/ directory, we pass the argument client to generate files called client.crt and client.key:

# ./pkitool client

The two client files, together with the original ca.crt file from the keys/ directory, now need to be transferred securely to your client. Because of their ownership and access permissions, this may not be entirely straightforward. The simplest approach is to copy the contents of the source file by hand (and nothing but the contents) into a text editor running on your PC desktop (select the text, right-click it, and choose Copy from the menu). Then paste it into a new file with the same name that you create in a second terminal connected to your client.

But anyone can cut and paste. Instead, think like an administrator, because you will not always have access to a GUI where cut and paste operations are possible. Copy the files to your user's home directory (so that a remote scp operation can reach them), then use chown to change their ownership from root to a regular non-root user so the remote scp can read them. Make sure all of your files are present and accessible. Bear in mind that chown changes only ownership, not mode: client.key is a private key, so keep it readable by that user alone (for example with chmod 600) and remove these staging copies from the home directory once they have been transferred. You will move them to the client shortly:

# cp /etc/openvpn/easy-rsa/keys/client.key /home/ubuntu/
# cp /etc/openvpn/easy-rsa/keys/ca.crt /home/ubuntu/
# cp /etc/openvpn/easy-rsa/keys/client.crt /home/ubuntu/
# chown ubuntu:ubuntu /home/ubuntu/client.key
# chown ubuntu:ubuntu /home/ubuntu/client.crt
# chown ubuntu:ubuntu /home/ubuntu/ca.crt
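Before transferring the files, it is worth confirming that the private key is not readable by anyone else on the server. The following Python check is an added example, not code from the book: it audits a directory of OpenVPN key material, flagging any .key file that carries group or world permission bits (the chown commands above change ownership but not mode), any file its owner cannot read, and, optionally, any file not owned by the expected user. The demo() function stages a constructed copy of the three client files in a temporary directory, with client.key deliberately left at the common but wrong mode 0644, and runs the audit before and after fixing the mode. The file names mirror the ones used above; the placeholder contents are not real keys or certificates.

```python
"""Added example: audit ownership and permissions of staged OpenVPN key files."""
import os
import stat
import tempfile
from pathlib import Path

# As the text notes, *.key files are private; ca.crt, *.crt and dh*.pem are not secret.
SECRET_SUFFIXES = (".key",)


def audit_key_files(directory, expected_uid=None):
    """Return a list of problems found among the files in `directory`:
    - a private key must not be readable or writable by group or others
    - every file must be readable by its owner (otherwise scp cannot fetch it)
    - if expected_uid is given, every file must belong to that user."""
    problems = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        if not mode & stat.S_IRUSR:
            problems.append(f"{path.name}: not readable by its owner (mode {mode:04o})")
        if path.suffix in SECRET_SUFFIXES and mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{path.name}: private key is group/world accessible (mode {mode:04o})")
        if expected_uid is not None and st.st_uid != expected_uid:
            problems.append(f"{path.name}: owned by uid {st.st_uid}, expected {expected_uid}")
    return problems


def fix_private_key_modes(directory):
    """Restrict every private key in `directory` to owner read/write only (0600)."""
    for path in Path(directory).iterdir():
        if path.is_file() and path.suffix in SECRET_SUFFIXES:
            os.chmod(path, 0o600)


def demo():
    """Stage constructed stand-ins for the three files copied to /home/ubuntu/
    above, with client.key at mode 0644, then audit before and after the fix."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("ca.crt", 0o644), ("client.crt", 0o644), ("client.key", 0o644)):
            p = Path(tmp, name)
            p.write_text(f"constructed placeholder for {name}, not real key material\n")
            os.chmod(p, mode)
        before = audit_key_files(tmp, expected_uid=os.getuid())
        fix_private_key_modes(tmp)
        after = audit_key_files(tmp, expected_uid=os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "no problems")
    print("after: ", after or "no problems")
```

Run the audit against the real staging directory (audit_key_files("/home/ubuntu", expected_uid=...)) after the chown step; the only finding it should report is the mode of client.key, which chmod 600 clears.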

With a full set of encryption keys ready to travel, you need to tell the server how you want it to build the VPN. This is done with the server.conf file.

Reducing the number of keystrokes

Too much typing? Brace expansion will help reduce those six commands to two. I am sure you can study these two examples and work out what is going on. More importantly, you will be able to see how to apply the same principle to operations involving dozens or hundreds of items:

# cp /etc/openvpn/easy-rsa/keys/{ca.crt,client.{key,crt}} /home/ubuntu/
# chown ubuntu:ubuntu /home/ubuntu/{ca.crt,client.{key,crt}}

Setting up the server.conf file

How do you know what server.conf should look like? Remember the easy-rsa template directory you copied from /usr/share/? When you installed OpenVPN, you were also left with a compressed configuration template file that you can copy into /etc/openvpn/. I will take advantage of the fact that the template is stored as an archive to introduce a useful tool: zcat.

You already know how to print a file's text contents to the screen with the cat command, but what if the file is compressed with gzip? You could always unzip the file first, and cat would happily dump it, but that is a step or two more than necessary. Instead, as you might guess, you can use the zcat command to load the unpacked text into memory in a single step. In the following example, rather than printing the text to the screen, you redirect it into a new file called server.conf:

# zcat \
  /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz \
  > /etc/openvpn/server.conf
$ cd /etc/openvpn

Leaving aside the extensive and useful comments that come with the file, let's see what it might look like once you have finished editing. Note that a semicolon (;) tells OpenVPN not to read or apply the line that follows it (Listing 10.2).

Listing 10.2. The edited /etc/openvpn/server.conf file

Let's walk through some of these settings.

  • By default, OpenVPN runs on port 1194. You can change this, for example to further obscure your activity or to avoid conflicts with other active tunnels. Because 1194 requires the least coordination with clients, it is usually best to leave it as it is.
  • OpenVPN uses either the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP) to carry data. TCP may be a little slower, but it is more reliable and may be better understood by the applications running at both ends of the tunnel.
  • Specify dev tun if you want to create a simpler, more efficient IP tunnel that carries data payloads and nothing else. If, on the other hand, you need to connect several network interfaces (and the networks they represent), creating an Ethernet bridge, you will have to choose dev tap. If you do not understand what all this means, use the tun argument.
  • The next four lines give OpenVPN the names of the three server authentication files and the dh2048 parameters file you created earlier.
  • The server line sets the address range and subnet mask used to assign IP addresses to clients when they log in.
  • The optional push "route 10.0.3.0 255.255.255.0" parameter allows remote clients to reach private subnets behind the server. Making this work also requires configuring routing on the server side so that the private subnet knows how to reach the OpenVPN subnet (10.8.0.0).
  • The port-share localhost 80 line lets you redirect non-OpenVPN client traffic arriving on port 1194 to a local web server listening on port 80. (This is useful if you intend to use a web server to test your VPN.) It works only when proto tcp is selected.
  • The user nobody and group nogroup lines must be enabled by removing the semicolons (;). They make the OpenVPN daemon drop to the unprivileged nobody/nogroup identity once it has finished initialising, so that a compromise of the running server process does not hand the attacker root privileges.
  • log specifies that the current log entries overwrite the old ones each time OpenVPN starts, whereas log-append adds new entries to the existing log file. The openvpn.log file itself is written to the /etc/openvpn/ directory.

In addition, the client-to-client value is often added to the configuration file so that multiple clients can see each other and not just the OpenVPN server; bear in mind that it lets clients reach one another directly, so enable it only when that is intended. When you are happy with your configuration, you can start the OpenVPN server:

# systemctl start openvpn

Because of the changing relationship between OpenVPN and systemd, the following syntax is sometimes needed to start the service instead: systemctl start openvpn@server.

Running ip addr to list your server's network interfaces should now show a new virtual interface called tun0. OpenVPN creates it to serve incoming clients:

$ ip addr
[...]
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc [...]
      link/none
      inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
          valid_lft forever preferred_lft forever

You may need to reboot the server before everything works fully. The next stop is the client computer.

10.1.2. Configuring the OpenVPN client

Traditionally, tunnels are built with at least two exits (otherwise we would call them caves). A properly configured OpenVPN on the server manages the traffic entering and leaving the tunnel at one end. But you will also need software running on the client side, that is, at the other end of the tunnel.

In this section I will focus on manually setting up a Linux computer to act as an OpenVPN client. But this is not the only way to get there. OpenVPN supports client applications that can be installed and used on desktops and laptops running Windows or macOS, as well as on Android and iOS smartphones and tablets. See openvpn.net for details.

The OpenVPN package needs to be installed on the client machine just as it was on the server, although there is no need for easy-rsa here since the keys you will use already exist. You need to copy the client.conf template file into the /etc/openvpn/ directory that the installation has just created. This time the file is not compressed, so a regular cp command does the job:

# apt install openvpn
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf \
  /etc/openvpn/

Most of the settings in your client.conf file are self-explanatory: they should match the values on the server. As you can see in the following sample file, the one parameter that differs is remote 192.168.1.23 1194, which tells the client the server's internet address. Be sure to replace it with your own server's address. You should also force the client computer to verify the authenticity of the server's certificate to prevent a possible man-in-the-middle attack. One way to do this is to add the line remote-cert-tls server; it works because build-key-server marked the server certificate with the server key usage, which the client certificates produced by pkitool do not carry, so a stolen client certificate cannot be used to impersonate the server (Listing 10.3).

Listing 10.3. The edited /etc/openvpn/client.conf file
Now you can change to the /etc/openvpn/ directory and pull the certificate and key files from the server with scp, replacing the server's IP address or domain name with your own values.
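The settings discussed for server.conf in the previous section and for client.conf here are easy to get wrong in ways that only surface when a client connects. The following Python linter is an added example, not code from the book or from the OpenVPN project. It parses both files the way OpenVPN reads them (a leading ; or # disables a line) and flags the points made in this section: user nobody and group nogroup left commented out, port-share combined with a proto other than tcp, a client.conf without remote-cert-tls server, and missing ca/cert/key/remote directives. It goes one step beyond the text by also checking, with the ipaddress module, that a pushed route does not overlap the address pool given on the server line, since such a route would point clients back at the pool instead of at a network behind the server. The WEAK_SERVER_CONF and WEAK_CLIENT_CONF samples are constructed to reproduce the state of the shipped templates after minimal edits; the hardened versions reflect the edits described in the text.

```python
"""Added example: lint an OpenVPN server.conf / client.conf for the settings
discussed in this section. All sample configurations below are constructed."""
import ipaddress
import shlex

# Mirrors the shipped template: hardening lines still disabled with ';', UDP kept.
WEAK_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
port-share localhost 80
;user nobody
;group nogroup
log openvpn.log
"""

# The edits described in the text: TCP (needed by port-share), a route to a
# private subnet behind the server, and the privilege drop enabled.
HARDENED_SERVER_CONF = (WEAK_SERVER_CONF.replace("proto udp", "proto tcp")
                        .replace("route 10.8.0.0", "route 10.0.3.0")
                        .replace(";user nobody", "user nobody")
                        .replace(";group nogroup", "group nogroup"))

WEAK_CLIENT_CONF = """\
client
dev tun
proto tcp
remote 192.168.1.23 1194
ca ca.crt
cert client.crt
key client.key
"""

HARDENED_CLIENT_CONF = WEAK_CLIENT_CONF + "remote-cert-tls server\n"


def parse(text):
    """Map each directive to the list of its argument lists. Lines starting
    with ';' or '#' are disabled, which is how the templates switch options
    off; shlex keeps the quoted argument of push as a single string."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        name, *args = shlex.split(line)
        directives.setdefault(name, []).append(args)
    return directives


def first_arg(directives, name):
    """First argument of the first occurrence of `name`, or None if absent."""
    args = directives.get(name, [[]])[0]
    return args[0] if args else None


def lint_server(text):
    d = parse(text)
    findings = []
    # The daemon only drops root after initialisation if both lines are active.
    for name, want in (("user", "nobody"), ("group", "nogroup")):
        if first_arg(d, name) != want:
            findings.append(f"'{name} {want}' missing or commented out: daemon keeps root")
    # port-share is honoured only over TCP.
    proto = first_arg(d, "proto") or "udp"
    if "port-share" in d and not proto.startswith("tcp"):
        findings.append(f"port-share is ignored with 'proto {proto}'; it needs proto tcp")
    # A pushed route must describe a network behind the server, not the client pool.
    if "server" in d:
        addr, mask = d["server"][0][:2]
        pool = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for args in d.get("push", []):
            words = args[0].split()
            if words[:1] == ["route"] and len(words) >= 3:
                route = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
                if route.overlaps(pool):
                    findings.append(f"pushed route {route} overlaps the VPN pool {pool}")
    return findings


def lint_client(text):
    d = parse(text)
    findings = []
    if first_arg(d, "remote-cert-tls") != "server":
        findings.append("'remote-cert-tls server' missing: any certificate signed by the CA, "
                        "including another client's, could impersonate the server")
    for name in ("remote", "ca", "cert", "key"):
        if name not in d:
            findings.append(f"'{name}' directive missing")
    return findings


if __name__ == "__main__":
    for label, conf, lint in (("weak server", WEAK_SERVER_CONF, lint_server),
                              ("hardened server", HARDENED_SERVER_CONF, lint_server),
                              ("weak client", WEAK_CLIENT_CONF, lint_client),
                              ("hardened client", HARDENED_CLIENT_CONF, lint_client)):
        print(f"{label}: {lint(conf) or 'no findings'}")
```

To lint your real files, pass their contents (for example open("/etc/openvpn/server.conf").read()) to lint_server and lint_client; an empty list means none of the checks fired.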

Nothing exciting will happen until you run OpenVPN on the client. Since you need to pass a couple of arguments, you will do it from the command line. The --tls-client argument tells OpenVPN that you will act as a client and connect using TLS encryption, and --config points to your configuration file:

# openvpn --tls-client --config /etc/openvpn/client.conf

Read the command's output carefully to make sure you are connected properly. If something goes wrong the first time, it is probably because of a mismatch between the settings in the server and client configuration files or a network connectivity/firewall problem. Here are some troubleshooting tips.

  • Read the output of the OpenVPN run on the client carefully. It usually contains valuable hints about what exactly could not be done and why.
  • Check for error messages in the openvpn.log and openvpn-status.log files in the /etc/openvpn/ directory on the server.
  • Check the system logs on the server and on the client for timely OpenVPN-related messages. (journalctl -ce shows the most recent entries.)
  • Make sure you have a working network connection between the server and the client (more on this in chapter 14).

About the author

David Clinton is a system administrator, teacher and writer. He has administered, written about, and created teaching materials for many important technology areas, including Linux systems, cloud computing (especially AWS), and container technologies such as Docker. He wrote the book Learn Amazon Web Services in a Month of Lunches (Manning, 2017). Many of his video training courses can be found at Pluralsight.com, and links to his other books (on Linux administration and server virtualization) are available at bootstrap-it.com.

» More information about the book is available on the publisher's website
» Table of contents
» Excerpt

Habr readers get a 25% discount with the coupon code - Linux
Once the paper version of the book has been paid for, the e-book is sent by e-mail.

Source: www.habr.com
