View source for "UbuntuHelp:VPNServer" - Ubuntu中文
{{From|https://help.ubuntu.com/community/VPNServer}}
{{Languages|UbuntuHelp:VPNServer}}
Parent page: [[UbuntuHelp:InternetAndNetworking| Internet and Networking]]

'''Securing a small wireless network using a VPN'''

TODO: this document should be split into VPN-specific and wireless-specific parts.

=== Summary ===
While Wi-Fi encryption generally provides a first protective layer for a wireless network, it is far from perfect:
* WEP is still widely used and must be considered broken: its key can be recovered from captured traffic.
* WPA can also be broken (it requires more effort), and many devices are still not WPA-enabled.

This document describes a complementary approach: adding a second encryption layer on top of the wireless link with a Virtual Private Network (VPN), so that the wireless segment carries nothing but VPN traffic and a break of the Wi-Fi encryption alone exposes neither the traffic nor the LAN. It is assumed that the reader understands basic IP routing and Linux system administration. However, in an attempt to widen the audience to non-experts, this document does not cover many technical aspects of VPNs.

This document contains instructions to set up a routed OpenVPN tunnel using a static pre-shared key, which works with one client only. A multiple-client setup requires a public key infrastructure (PKI), which is slightly more complex and is not treated here. Two properties of static-key mode are worth knowing before choosing it: the same key protects every session, so there is no forward secrecy (anyone who later obtains the key can decrypt recorded traffic), and the key must be copied to the client over a channel that is already secure (for example with scp while the client is plugged into the wired LAN, never across the unprotected wireless segment).

=== Routing ===
Ideally, neither the wireless access point nor the Wi-Fi machine has direct Internet access: both are connected only to the VPN server, so that all routing is handled there. In practice, the VPN server is connected to the LAN_SUBNET with one network interface and to the wireless access point with another network interface. It is highly recommended to configure different subnets for these two interfaces, so that the firewall can distinguish wireless traffic from LAN traffic by address as well as by interface.
In this document, the network topology is expected to look like:
<pre><nowiki>
[WIFI_MACHINE]----(WIFI)---->[WIRELESS_ACCESS_POINT]----(LAN)---->[VPN_SERVER]----->INTERNET (potentially via a local gateway)
</nowiki></pre>
''Example:''
* The Internet gateway: eth0 inet adr:192.168.0.10 bcast:192.168.0.255 (LAN_SUBNET)
* The VPN server: eth0 inet adr:192.168.0.1 bcast:192.168.0.255 (LAN_SUBNET)
* The VPN server: eth1 inet adr:192.168.1.1 bcast:192.168.1.255 (WIFI_SUBNET)
* The wireless access point: eth0 inet adr:192.168.1.2 bcast:192.168.1.255 (WIFI_SUBNET)
* Wifi machine (SYSTEM): eth0 inet adr:192.168.1.3 bcast:192.168.1.255 (WIFI_SUBNET)

In the example, LAN_SUBNET is 192.168.0.0/24 and WIFI_SUBNET is 192.168.1.0/24; the tunnel itself uses the addresses 10.1.0.1 (server end) and 10.1.0.2 (client end), which are assigned by the OpenVPN configuration below. Substitute the real values for the placeholders LAN_SUBNET and VPN_CLIENT (the client's tunnel address, 10.1.0.2 in the example) wherever they appear in the rules.

The following [[UbuntuHelp:IptablesHowTo|iptables]] configuration (iptables-restore format) could be installed on the VPN server to route the traffic:
<pre><nowiki>
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -p all -j ACCEPT
-A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d LAN_SUBNET -j DROP
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -s LAN_SUBNET -p all -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
</nowiki></pre>
What these rules do, and what to check before relying on them:
* The INPUT policy is DROP, so the server itself only accepts loopback traffic, replies to connections it initiated, anything arriving through the tunnel (tun+), OpenVPN on UDP port 1194, anything from the wired LAN, and SSH.
* The FORWARD rule dropping traffic to LAN_SUBNET comes before the rule accepting traffic from tun+, so wireless hosts cannot reach the wired LAN at all, not even through the tunnel; VPN clients reach only the Internet. This also means a VPN client cannot use a DNS resolver on the wired LAN; it must use one on the Internet or on the VPN server itself (which the tun+ INPUT rule allows). If VPN clients are meant to reach LAN hosts, move the tun+ ACCEPT rule above the DROP rule.
* The FORWARD policy is ACCEPT and no rule matches eth1, so unencrypted traffic from the wireless segment addressed to anything other than LAN_SUBNET (the Internet, for instance) is still forwarded. If the tunnel is to be the only way out, set the FORWARD policy to DROP and add to FORWARD the same RELATED,ESTABLISHED state rule that INPUT already has, so that replies to the tunnel's own connections still get through; the tun+ rule then remains the only rule that admits new forwarded connections.
* The last rule accepts SSH on every interface, including the raw wireless one before any tunnel is established. The tun+ and LAN_SUBNET rules already admit SSH through the tunnel and from the wired LAN, so the rule can be removed unless the server must be administered over the bare wireless link.

=== Configuring OpenVPN ===
==== Setting up the server ====
* Install OpenVPN
Install the following package: <code><nowiki>openvpn</nowiki></code> (see InstallingSoftware).
* Generate a shared static key. On OpenVPN 2.5 and later the syntax is <code><nowiki>openvpn --genkey secret static.key</nowiki></code>; the older form below is still accepted with a deprecation warning. Afterwards check that the file is readable by root only (mode 0600):
<pre><nowiki>
cd /etc/openvpn/ && /usr/sbin/openvpn --genkey --secret static.key
</nowiki></pre>
* Comment out all the lines in /etc/default/openvpn, and add:
<pre><nowiki>
AUTOSTART="openvpn"
</nowiki></pre>
On releases that use systemd, every file /etc/openvpn/NAME.conf is also a service instance, so the same configuration can be enabled with <code><nowiki>systemctl enable openvpn@openvpn</nowiki></code>.
* Populate the configuration file /etc/openvpn/openvpn.conf with:
<pre><nowiki>
dev tun
local 192.168.1.1
ifconfig 10.1.0.1 10.1.0.2
script-security 2
up ./office.up
secret static.key
ping 15
tun-mtu 1200
mssfix 1400
verb 3
</nowiki></pre>
<code><nowiki>local 192.168.1.1</nowiki></code> makes OpenVPN listen on the wireless-side address only, not on the LAN interface. <code><nowiki>script-security 2</nowiki></code> is required since OpenVPN 2.1 for user-supplied up/down scripts to run; without it OpenVPN refuses to execute them and the tunnel comes up without its routes.
* /etc/openvpn/office.up should be executable and contain:
<pre><nowiki>
route add -net 10.0.1.0 netmask 255.255.255.0 gw $5
</nowiki></pre>
OpenVPN passes the tunnel device, the MTUs and the local and remote tunnel addresses to the up script as arguments, so $5 is the client's tunnel address (10.1.0.2). 10.0.1.0/24 stands for a network behind the client and is not part of the example topology, where the client is a single host; the line can be omitted, or the subnet replaced by a real one. The client's own tunnel address is reachable without it.
* Finally, complete the routing for the wireless network in the [[UbuntuHelp:IptablesHowTo|iptables]] configuration (VPN_CLIENT is the client's tunnel address, 10.1.0.2 in the example):
<pre><nowiki>
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s VPN_CLIENT -o eth0 -j MASQUERADE
COMMIT
</nowiki></pre>
This masquerades only traffic that arrived through the tunnel, so anything a wireless host sends outside the tunnel is never NATed even if the filter table forwards it. The server must also have IP forwarding enabled (net.ipv4.ip_forward = 1 in /etc/sysctl.conf), which is off by default; without it nothing is forwarded at all.
* Start the OpenVPN service: <code><nowiki> /etc/init.d/openvpn start</nowiki></code> (on systemd releases, <code><nowiki>systemctl start openvpn@openvpn</nowiki></code>).

==== Setting up the client ====
* Install OpenVPN
<pre><nowiki>
apt-get install openvpn
</nowiki></pre>
* Copy the static key /etc/openvpn/static.key to the client system in /etc/openvpn, over a secure channel (for example scp while the client is attached to the wired LAN), and keep it readable by root only (mode 0600).
* Comment out all the lines in /etc/default/openvpn, and add:
<pre><nowiki>
AUTOSTART="openvpn"
</nowiki></pre>
* Populate the configuration file /etc/openvpn/openvpn.conf with:
<pre><nowiki>
dev tun
local 192.168.1.3
remote 192.168.1.1
nobind
ifconfig 10.1.0.2 10.1.0.1
script-security 2
up ./home.up
down ./home.down
secret static.key
ping 15
tun-mtu 1200
mssfix 1400
verb 3
</nowiki></pre>
As on the server, <code><nowiki>script-security 2</nowiki></code> is needed for the up/down scripts to be executed.
* /etc/openvpn/home.up should be executable and contain:
<pre><nowiki>
route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
route add -net 0.0.0.0 netmask 0.0.0.0 dev tun0
route del -net 0.0.0.0 netmask 0.0.0.0 dev eth0
</nowiki></pre>
Here $5 is the server's tunnel address (10.1.0.1). The second and third lines replace the client's default route with one through the tunnel, so that all traffic except the encrypted UDP packets to 192.168.1.1 goes through the VPN; those still leave via eth0 because the client keeps its directly connected route to 192.168.1.0/24. As with the server script, 10.0.0.0/24 stands for a network behind the server that does not exist in the example topology; the default route through the tunnel already covers everything the client is allowed to reach, so the first line can be omitted.
* /etc/openvpn/home.down should be executable and contain:
<pre><nowiki>
route add -net 0.0.0.0 netmask 0.0.0.0 dev eth0
</nowiki></pre>
Note that once the tunnel goes down this restores a default route straight out of eth0, so the client falls back to sending traffic unencrypted over the wireless link (where the server's FORWARD rules decide whether it goes anywhere). Remove this line if that fallback is not wanted.
* Start the OpenVPN service: <code><nowiki> /etc/init.d/openvpn start</nowiki></code> (on systemd releases, <code><nowiki>systemctl start openvpn@openvpn</nowiki></code>).
* On the client, run the following ping commands. The first proves the tunnel carries traffic to the server; the second only shows the client's own tunnel interface is configured:
<pre><nowiki>
ping 10.1.0.1
ping 10.1.0.2
</nowiki></pre>
To confirm that traffic really uses the tunnel, ping an Internet host from the client and capture on the server's eth1 at the same time: the capture should show only UDP packets to port 1194 from 192.168.1.3, never the plaintext ICMP.
[[category:CategoryDocumentação]] [[category:UbuntuHelp]]
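The Routing section's filter table forwards by default, and the server setup only masquerades tunnel traffic. The following is an added example, not code from the Ubuntu help page and not iptables itself: a small offline evaluator for exactly the match types the page's ruleset uses (-i with the tun+ wildcard, -s, -d, -p, --dport, -m state --state, chain policy). It replays constructed flows through the page's FORWARD and INPUT chains and through a hardened variant of this editor's own design (FORWARD policy DROP, a RELATED,ESTABLISHED rule for return traffic, OpenVPN accepted only on eth1, no SSH on the raw wireless interface) so the difference is visible without a lab. Addresses follow the page's example topology; 203.0.113.10 is an assumed Internet host from the documentation range and all flows are constructed.

```python
"""Offline model of the VPN server's iptables filter table from this page.

Added example, not part of the help page and not iptables: it understands only
the options the page's ruleset uses, and raises KeyError on anything else.
"""
import ipaddress
from dataclasses import dataclass

LAN_SUBNET = "192.168.0.0/24"   # the page's LAN_SUBNET placeholder

# The page's filter table, verbatim apart from the placeholder substitution.
PAGE_RULESET = """
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -p all -j ACCEPT
-A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d LAN_SUBNET -j DROP
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -s LAN_SUBNET -p all -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
""".replace("LAN_SUBNET", LAN_SUBNET)

# Hardened variant (this editor's suggestion, not the page's): default-deny
# forwarding, replies admitted by conntrack state, OpenVPN only on the wireless
# interface, SSH reachable only through the tunnel or from the wired LAN.
HARDENED_RULESET = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -p all -j ACCEPT
-A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
-A INPUT -s LAN_SUBNET -p all -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d LAN_SUBNET -j DROP
-A FORWARD -i tun+ -j ACCEPT
COMMIT
""".replace("LAN_SUBNET", LAN_SUBNET)


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str = "tcp"      # tcp, udp or icmp
    dport: int = 0
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED or RELATED


# iptables option -> rule key; "-m state"/"-m tcp" only load a match module.
OPTS = {"-A": "chain", "-i": "in_iface", "-s": "src", "-d": "dst", "-p": "proto",
        "--dport": "dport", "--state": "states", "-j": "target"}


def parse_ruleset(text):
    """iptables-restore text -> ({chain: policy}, [rule dicts, in order])."""
    policies, rules = {}, []
    for line in text.split("\n"):
        if line.startswith(":"):                      # ":CHAIN POLICY [pkts:bytes]"
            policies[line[1:].split()[0]] = line.split()[1]
        elif line.startswith("-A"):                   # options always come in pairs
            tokens = line.split()
            rules.append({OPTS[o]: a for o, a in zip(tokens[0::2], tokens[1::2]) if o != "-m"})
    return policies, rules


def matches(rule, pkt):
    """Every match in the rule must hold; -i accepts a trailing '+' wildcard."""
    iface = rule.get("in_iface", "")
    ok = pkt.in_iface.startswith(iface[:-1]) if iface.endswith("+") else pkt.in_iface == iface
    if iface and not ok:
        return False
    for key, addr in (("src", pkt.src), ("dst", pkt.dst)):
        if key in rule and ipaddress.ip_address(addr) not in ipaddress.ip_network(rule[key]):
            return False
    return (rule.get("proto", "all") in ("all", pkt.proto)
            and int(rule.get("dport", pkt.dport)) == pkt.dport
            and pkt.state in rule.get("states", pkt.state).split(","))


def decide(ruleset, chain, pkt):
    """First matching rule in the chain wins; otherwise the chain policy applies."""
    policies, rules = parse_ruleset(ruleset)
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]
    return policies[chain]


def scenarios():
    """Verdicts {flow: (page ruleset, hardened ruleset)} for constructed flows."""
    flows = {
        "wifi_to_internet_outside_tunnel": ("FORWARD", Packet("eth1", "192.168.1.3", "203.0.113.10", "tcp", 443)),
        "vpn_client_to_internet": ("FORWARD", Packet("tun0", "10.1.0.2", "203.0.113.10", "tcp", 443)),
        "vpn_client_to_lan": ("FORWARD", Packet("tun0", "10.1.0.2", "192.168.0.10", "tcp", 445)),
        # reply to the masqueraded flow above, already un-NATed to the tunnel address by PREROUTING
        "internet_reply_to_vpn_client": ("FORWARD", Packet("eth0", "203.0.113.10", "10.1.0.2", "tcp", 51000, "ESTABLISHED")),
        "openvpn_handshake_from_wifi": ("INPUT", Packet("eth1", "192.168.1.3", "192.168.1.1", "udp", 1194)),
        "ssh_from_raw_wifi": ("INPUT", Packet("eth1", "192.168.1.3", "192.168.1.1", "tcp", 22)),
        "ssh_through_tunnel": ("INPUT", Packet("tun0", "10.1.0.2", "10.1.0.1", "tcp", 22)),
    }
    return {name: (decide(PAGE_RULESET, chain, pkt), decide(HARDENED_RULESET, chain, pkt))
            for name, (chain, pkt) in flows.items()}


if __name__ == "__main__":
    print(*(f"{k}: page={p} hardened={h}" for k, (p, h) in scenarios().items()), sep="\n")
```

The two rows that differ are the point: a wireless host sending plaintext straight to the Internet, and SSH from the raw wireless segment, are accepted by the page's ruleset and dropped by the hardened one, while tunnel traffic, the OpenVPN handshake and NATed replies pass in both. The model ignores the nat table and the order of PREROUTING relative to FORWARD, which is why the reply flow is entered with its already-translated destination.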