VPNServer

From Ubuntu Chinese

Securing a small Wireless network using VPN

----
Original source:

Original author:

License:

Translator: Ediml

Proofreader:

Contributors:

Applicable version:

Article status: [[Translation in progress]]
----

Summary

While Wifi encryption generally provides a first protective layer for a wireless network, it is far from perfect:

  • WEP (Wired Equivalent Privacy) is still widely used and must be considered very insecure
  • WPA (Wi-Fi Protected Access) can also be broken (it requires more effort), and many devices are still not WPA-enabled

This document describes a complementary approach to securing a wireless network: an additional encryption layer provided by a Virtual Private Network (VPN). It is assumed that the reader understands basic IP routing and Linux system administration. However, in an attempt to widen the audience to non-experts, this document does not cover many technical aspects of VPNs.

This document contains instructions to set up a routed VPN using a static key, which works with one client only. A multiple-client setup requires a public key infrastructure (PKI), which is slightly more complex, and is not treated here.

Routing

Ideally, neither the wireless access point nor the Wifi machine has direct Internet access. Instead, the access point is connected to the VPN server, so that all routing is handled by the VPN server acting as the router. In practice, the VPN server is connected to the LAN_SUBNET with one network interface and to the wireless access point with another network interface. It is highly recommended to configure different subnets for these two interfaces.

In this document, the network topology is expected to look like:

[WIFI_MACHINE]----(WIFI)---->[WIRELESS_ACCESS_POINT]----(LAN)---->[VPN_SERVER]----->INTERNET (potentially via a local gateway)

Example:

  • The Internet gateway: eth0 inet adr:192.168.0.10 bcast:192.168.0.255 (LAN_SUBNET)
  • The VPN server: eth0 inet adr:192.168.0.1 bcast:192.168.0.255 (LAN_SUBNET)
  • The VPN server: eth1 inet adr:192.168.1.1 bcast:192.168.1.255 (WIFI_SUBNET)
  • The wireless access point: eth0 inet adr:192.168.1.2 bcast:192.168.1.255 (WIFI_SUBNET)
  • Wifi machine (SYSTEM): eth0 inet adr:192.168.1.3 bcast:192.168.1.255 (WIFI_SUBNET)

The following iptables configuration (see /VPNServer/IptablesHowTo) could be installed on the VPN server to route the traffic:

# Default declaration, with DROP as a default INPUT policy
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Enable full access from localhost
-A INPUT -i lo -p all -j ACCEPT

# Allow connections initiated from this machine
-A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

# WIFI --> LAN

# Prevent the Wifi side from reaching LAN_SUBNET
# LAN_SUBNET: Ethernet LAN subnet. Ex: 192.168.0.0/24
# (this rule precedes the tun+ rules below, so it also applies to VPN traffic)
-A FORWARD -d LAN_SUBNET -j DROP

# Enable VPN
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT

# Force the machine(s) identified as SYSTEM to use VPN.
# This means that without using VPN, SYSTEM will NOT access the Internet
# SYSTEM: A Wifi machine, or the whole Wifi subnet. Ex: 192.168.1.3
#
# -A FORWARD -s SYSTEM -j DROP

# Allow access to the VPN service
-A INPUT -p udp --dport 1194 -j ACCEPT


# INTERNET/WIFI -> LAN services

# Internal services on the VPN server can potentially
# be made available to LAN_SUBNET
# LAN_SUBNET: Ethernet LAN subnet. Ex: 192.168.0.0/24
-A INPUT -s LAN_SUBNET -p all -j ACCEPT

# Allow SSH from the Internet AND from the Wifi
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# DHCP may also be useful (DHCP uses UDP ports 67 and 68; 137:138 is NetBIOS)
# -A INPUT -p udp --dport 67:68 -j ACCEPT

# Log all rejected packets to syslog (useful for debugging)
# -A INPUT -j LOG --log-level warn --log-prefix "[DENIED] "

COMMIT
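As an added example (not code from the original page), the following POSIX shell script turns the ruleset above into an iptables-restore file with the LAN_SUBNET, WIFI_SUBNET and SYSTEM placeholders filled in, and checks the result before it is loaded; the function names, and the choice to open the VPN port only towards WIFI_SUBNET, are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): fill in the LAN_SUBNET, WIFI_SUBNET and SYSTEM
# placeholders of the ruleset above and sanity-check the result before iptables-restore loads it.

# Accept dotted-quad addresses, optionally with a /prefix length.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# render_filter LAN_SUBNET WIFI_SUBNET SYSTEM -> prints the *filter table for iptables-restore.
# Compared with the page, the VPN port is only opened towards WIFI_SUBNET and the
# "no Internet without VPN" rule for SYSTEM is enabled rather than commented out.
render_filter() {
    lan=$1; wifi=$2; sys=$3
    for v in "$lan" "$wifi" "$sys"; do
        is_ipv4_or_cidr "$v" || { echo "bad address: $v" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Wifi (and VPN) traffic never reaches the wired LAN; keep this before the tun+ rules
-A FORWARD -d $lan -j DROP
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
# Without the VPN, this host gets no Internet access at all
-A FORWARD -s $sys -j DROP
# OpenVPN service, reachable only from the Wifi side
-A INPUT -s $wifi -p udp --dport 1194 -j ACCEPT
-A INPUT -s $lan -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# check_rules RULES -> fails if a placeholder survived or if the LAN DROP rule does not
# precede the tun+ ACCEPT in FORWARD (otherwise VPN clients could reach the LAN).
check_rules() {
    rules=$1
    printf '%s\n' "$rules" | grep -v '^#' | grep -Eq 'LAN_SUBNET|WIFI_SUBNET|SYSTEM' && return 1
    drop=$(printf '%s\n' "$rules" | grep -n '^-A FORWARD -d .* -j DROP' | head -n 1 | cut -d: -f1)
    tun=$(printf '%s\n' "$rules" | grep -n '^-A FORWARD -i tun+ -j ACCEPT' | head -n 1 | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$tun" ] && [ "$drop" -lt "$tun" ]
}
# Usage: render_filter 192.168.0.0/24 192.168.1.0/24 192.168.1.3 > /etc/iptables.rules
#        check_rules "$(cat /etc/iptables.rules)" && iptables-restore < /etc/iptables.rules
```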

Configuring OpenVPN

Setting up the server

  • Install OpenVPN

Install the following package: openvpn (see /VPNServer/InstallingSoftware).

  • Generate a shared static key
cd /etc/openvpn/ && /usr/sbin/openvpn --genkey --secret static.key
  • Comment out all the lines in /etc/default/openvpn, and add:
AUTOSTART="openvpn"
  • Populate the configuration file /etc/openvpn/openvpn.conf with:
dev tun
# Network interface used by the VPN server on WIFI_SUBNET
# eth1 (192.168.1.1) in the previous example
local 192.168.1.1
# Tunnel endpoint addresses: ifconfig VPN_SERVER_TUN_IP VPN_CLIENT_TUN_IP
ifconfig 10.1.0.1 10.1.0.2
# Run office.up once the tun interface is up; OpenVPN 2.1 and later
# refuse to run scripts unless script-security is set to 2
script-security 2
up ./office.up
secret static.key
ping 15
tun-mtu 1200
mssfix 1400
verb 3
  • /etc/openvpn/office.up should be executable and contain:
#!/bin/sh
# OpenVPN passes the remote tunnel endpoint (10.1.0.2 in the example) as $5
route add -net 10.0.1.0 netmask 255.255.255.0 gw $5
  • Finally, we can complete the routing for the wireless network in the iptables configuration (see /VPNServer/IptablesHowTo):
# ROUTING WIFI -> LAN/INTERNET
# Route the Wifi traffic to the Internet
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Route all the Wifi traffic -even without VPN!- to the Internet
# WIFI_SUBNET: Wifi subnet. Ex: 192.168.1.0/24
# -A POSTROUTING -s WIFI_SUBNET -o e
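As an added example (not from the original page), the following shell function audits the static-key server setup described in this section before OpenVPN is started: the shared key must be private, the secret and up script named in openvpn.conf must exist, the up script must be executable, and script-security 2 must be present when an up script is used. It assumes GNU stat, and the function name is its own.

```shell
#!/bin/sh
# Added example (not from the original page): audit the static-key OpenVPN server setup
# above before starting it. The whole security of the tunnel rests on static.key staying
# private, so its mode is checked first. Assumes GNU stat (stat -c %a).

# audit_openvpn_dir DIR -> prints each problem found, returns 1 if there were any
audit_openvpn_dir() {
    dir=$1; conf=$dir/openvpn.conf; problems=0
    [ -r "$conf" ] || { echo "missing $conf"; return 1; }
    # 'secret static.key' names the key relative to DIR (OpenVPN runs from there)
    key=$(awk '$1=="secret"{print $2}' "$conf")
    if [ -z "$key" ]; then
        echo "no 'secret' directive: not a static-key setup"; problems=1
    elif [ ! -f "$dir/$key" ]; then
        echo "key file $dir/$key is missing"; problems=1
    else
        mode=$(stat -c %a "$dir/$key")
        case "$mode" in
            600|400) ;;
            *) echo "key $key has mode $mode, expected 600"; problems=1 ;;
        esac
    fi
    up=$(awk '$1=="up"{print $2}' "$conf")
    if [ -n "$up" ]; then
        [ -x "$dir/${up#./}" ] || { echo "up script $up is not executable"; problems=1; }
        # OpenVPN 2.1 and later refuse to run the up script without this directive
        grep -q '^script-security 2' "$conf" || { echo "up script used without 'script-security 2'"; problems=1; }
    fi
    return $problems
}
# Usage: audit_openvpn_dir /etc/openvpn && /etc/init.d/openvpn start
```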