10.3. 虚拟专用网络
虚拟专用网络 (VPN) 是以信道方式,经由互联网链接两个局域网路的方式;通常以加密方式在信道内发送信息。VPN 通常用于集成公司内部远程机器。
Several tools provide this functionality. OpenVPN is an efficient solution, easy to deploy and maintain, based on SSL/TLS. Another possibility is using IPsec to encrypt IP traffic between two machines; this encryption is transparent, which means that applications running on these hosts need not be modified to take the VPN into account. SSH can also be used to provide a VPN, in addition to its more conventional features. Finally, a VPN can be established using Microsoft’s PPTP protocol. Other solutions exist, but are beyond the focus of this book.
10.3.1. OpenVPN
OpenVPN 用于创建虚拟专用网络的一个软件。在 VPN 服务器及客户端创建虚拟专用网络;支持 tun
(IP 层面的信道) 和 tap
(Ethernet 层面的信道) 接口。实务上,常用的是 tun
接口,除非 VPN 客户端难以经由 Ethernet 桥接器集成入服务器的局域网路。
OpenVPN 所有的 SSL/TLS 加密与其他功能 (机密性、认证、完整性、不可否认性),均有赖于 OpenSSL。可以用公钥基础设施的共享私钥或使用 X.509 认证的方式配置它。建议使用后者的方式配置,以漫游方式近用 VPN 的用户可享有更多的弹性。
10.3.1.1. 配置 OpenVPN 服务器
After all certificates have been created (follow the instructions from 第 10.2.2 节 “公钥基础设施:easy-rsa”), they need to be copied where appropriate: the root certificate’s public key (pki/ca.crt
) will be stored on all machines (both server and clients) as /etc/ssl/certs/Falcot_CA.crt
. The server’s certificate is installed only on the server (pki/issued/vpn.falcot.com.crt
goes to /etc/ssl/certs/vpn.falcot.com.crt
, and pki/private/vpn.falcot.com.key
goes to /etc/ssl/private/vpn.falcot.com.key
with restricted permissions so that only the administrator can read it), with the corresponding Diffie-Hellman parameters (pki/dh.pem
) installed to /etc/openvpn/dh.pem
. Client certificates are installed on the corresponding VPN client in a similar fashion.
10.3.1.2. 配置 OpenVPN 服务器
By default, the OpenVPN initialization script tries starting all virtual private networks defined in /etc/openvpn/*.conf
. Setting up a VPN server is therefore a matter of storing a corresponding configuration file in this directory. A good starting point is /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
, which leads to a rather standard server. Of course, some parameters need to be adapted: ca
, cert
, key
and dh
need to describe the selected locations (respectively, /etc/ssl/certs/Falcot_CA.crt
, /etc/ssl/vpn.falcot.com.crt
, /etc/ssl/private/vpn.falcot.com.key
and /etc/openvpn/dh.pem
). The server 10.8.0.0 255.255.255.0
directive defines the subnet to be used by the VPN; the server uses the first IP address in that range (10.8.0.1
) and the rest of the addresses are allocated to clients.
With this configuration, starting OpenVPN creates the virtual network interface, usually under the tun0
name. However, firewalls are often configured at the same time as the real network interfaces, which happens before OpenVPN starts. Good practice therefore recommends creating a persistent virtual network interface, and configuring OpenVPN to use this pre-existing interface. This further allows choosing the name for this interface. To this end, openvpn --mktun --dev vpn --dev-type tun
creates a virtual network interface named vpn
with type tun
; this command can easily be integrated in the firewall configuration script, or in an up
directive of the /etc/network/interfaces
file, or a udev rule can be added to that end. The OpenVPN configuration file must also be updated accordingly, with the dev vpn
and dev-type tun
directives.
禁止进一步的行动,VPN 客户端只能经由 10.8.0.1
地址近用 VPN 服务器。为了授权客户近用本地网络 (192.168.0.0/24),需在 OpenVPN 配置中加入 推送路径 192.168.0.0 255.255.255.0
,让 VPN 客户端自动取得网络路由,使其明了经由 VPN 可以进入该网络。此外,本地网络的机器也需被告知,经由 VPN 服务器 (在闸道安装 VPN 服务器即自动启用) 进入VPN。另外,VPN 服务器可以配置后运行伪装 IP 的工作,让来自 VPN 客户端的消息显示成来自 VPN 服务器 (见 第 10.1 节 “网关”)。
10.3.1.3. 配置 OpenVPN 客户端
需配置 /etc/openvpn/
内的文件才能设置 OpenVPN 客户端。标准的配置方法可从使用 /usr/share/doc/openvpn/examples/sample-config-files/client.conf
这个文件开始。remote vpn.falcot.com 1194
介绍 OpenVPN 服务器的地址及端口号;描述密钥文档地址时,需参考 ca
、cert
和 key
。
If the VPN should not be started automatically on boot, set the AUTOSTART
directive to none
in the /etc/default/openvpn
file. Starting or stopping a given VPN connection is always possible with the commands systemctl start openvpn@*name*
and systemctl stop openvpn@*name*
(where the connection name matches the one defined in /etc/openvpn/*name*.conf
).
此 network-manager-openvpn-gnome 软件包包括允许管理 OpenVPN 虚拟专属网络的延伸网络管理者 (见 第 8.2.5 节 “Automatic Network Configuration for Roaming Users”)。允许每个用户以图形接口配置 OpenVPN 且从网络管理图标控制它们。
10.3.2. SSH 下的虚拟专属网络
There are actually two ways of creating a virtual private network with SSH. The historic one involves establishing a PPP layer over the SSH link. This method is described in a HOWTO document:
→ https://www.tldp.org/HOWTO/ppp-ssh/
第二个方法较新,适用于 OpenSSH 4.3;可以在 OpenSSH 之下创建虚拟网络接口 (tun*
) 于 SSH 链接的两端,且可以精准地配置这些虚拟接口,就像在实体接口环境下。必须先设置 PermitTunnel
为 “yes” 于 SSH 服务器配置档 (/etc/ssh/sshd_config
),才能启用此隧道系统。启用 SSH 链接后,添加的隧道必须以 -w any:any
选项 (any
可以用期望的 tun
设备名称取代) 请求链接。两端的用户需有管理者权限,才能添加网络设备 (换句话说,必须以超级用户的身份才能创建链接)。
以 SSH 创建虚拟专属网络的两种方法都很直接。然而,它们提供的 VPN 不是最有效的;特别是,无法有效处理高端的流量。
The explanation is that when a TCP/IP stack is encapsulated within a TCP/IP connection (for SSH), the TCP protocol is used twice, once for the SSH connection and once within the tunnel. This leads to problems, especially due to the way TCP adapts to network conditions by altering timeout delays. The following site describes the problem in more detail:
→ http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
VPNs over SSH should therefore be restricted to one-off tunnels with no performance constraints.
10.3.3. 互联网安全协议
IPsec, despite being the standard in IP VPNs, is rather more involved in its implementation. The IPsec engine itself is integrated in the Linux kernel; the required user-space parts, the control and configuration tools, are provided by the libreswan package or the strongswan package. Here we describe briefly the libreswan option.
First, we install the libreswan package. In concrete terms, each host’s /etc/ipsec.conf
contains the parameters for IPsec tunnels (or Security Associations, in the IPsec terminology) that the host is concerned with. There are many configuration examples in /usr/share/doc/libreswan/
, but Libreswan’s online documentation has more examples with explanations:
The IPsec service can be controlled with systemctl
; for example, systemctl start ipsec
will start the IPsec service.
仅管其状态为参照,IPsec 的设置限制其用途。必备的信道不多也不是动态时,OpenVPN-based 解决方案较受用。
注意 IPsec 与 NAT
NAT 的防火墙与 IPsec 无法并用:因为 IPsec 是软件包,任何改变将引发防火墙的作用,软件包就会被拒绝。不同的 IPsec 应用包括:NAT-T 技术 (给 NAT Traversal),把 IPsec 软件包包装在标准的 UDP 封包内。
安全 IPsec 与防火墙
IPsec 的标准操作模式在 UDP 端口号 500 做键值交换 (使用 NAT-T 时,也可在 UDP 端口号 4500)。而且,IPsec 封包使用两个固定的 IP 协议允许防火墙通过;收到这些封包的基础是其协议编号,50 (ESP) 与 51 (AH)。
10.3.4. PPTP
PPTP (𪅈原文是 Point-to-Point Tunneling Protocol) 用到两种通信闸道,一个控制数据另个酬载数据;后者使用 GRE 协议 (Generic Routing Encapsulation)。标准的 PPP 链接创建在数据交换闸道。
10.3.4.1. 设置客户端
此 pptp-linux 封包含有易于配置的 Linux 客户端 PPTP。以下说明取自官方文档:
→ http://pptpclient.sourceforge.net/howto-debian.phtml
Falcot 管理者添加若干文件:/etc/ppp/options.pptp
、/etc/ppp/peers/falcot
、/etc/ppp/ip-up.d/falcot
、与 /etc/ppp/ip-down.d/falcot
。
例 10.2. /etc/ppp/options.pptp
文件
- # PPP options used for a PPTP connection
- lock
- noauth
- nobsdcomp
- nodeflate
例 10.3. /etc/ppp/peers/falcot
文件
- # vpn.falcot.com is the PPTP server
- pty "pptp vpn.falcot.com --nolaunchpppd"
- # the connection will identify as the "vpn" user
- user vpn
- remotename pptp
- # encryption is needed
- require-mppe-128
- file /etc/ppp/options.pptp
- ipparam falcot
例 10.4. /etc/ppp/ip-up.d/falcot
文件
- # Create the route to the Falcot network
- if [ "$6" = "falcot" ]; then
- # 192.168.0.0/24 is the (remote) Falcot network
- ip route add 192.168.0.0/24 dev $1
- fi
例 10.5. /etc/ppp/ip-down.d/falcot
文件
- # Delete the route to the Falcot network
- if [ "$6" = "falcot" ]; then
- # 192.168.0.0/24 is the (remote) Falcot network
- ip route del 192.168.0.0/24 dev $1
- fi
安全 MPPE
加密的 PPTP 涉及使用 MPPE 功能 (Microsoft Point-to-Point Encryption),可从 Debian 官方的核心取得模块。
10.3.4.2. 配置服务器
注意 PPTP 与防火墙
需配置中间防火墙让 IP 封包使用端口号 47 (GRE)。此外,需打开 PPTP 服务器的端口号 1723以使用通信闸道。
pptpd
是 Linux 的 PPTP 服务器。它的主要配置档是,/etc/pptpd.conf
,应做若干改变:localip (内网 IP 地址) 与 remoteip (外网 IP 地址)。在下例中,PPTP 服务器总是使用 192.168.0.199
地址,以及从 192.168.0.200
至 192.168.0.250
之间接收 PPTP 客户端的 IP 地址。
例 10.6. /etc/pptpd.conf
文件
- # TAG: speed
- #
- # Specifies the speed for the PPP daemon to talk at.
- #
- speed 115200
- # TAG: option
- #
- # Specifies the location of the PPP options file.
- # By default PPP looks in '/etc/ppp/options'
- #
- option /etc/ppp/pptpd-options
- # TAG: debug
- #
- # Turns on (more) debugging to syslog
- #
- # debug
- # TAG: localip
- # TAG: remoteip
- #
- # Specifies the local and remote IP address ranges.
- #
- # You can specify single IP addresses separated by commas or you can
- # specify ranges, or both. For example:
- #
- # 192.168.0.234,192.168.0.245-249,192.168.0.254
- #
- # IMPORTANT RESTRICTIONS:
- #
- # 1. No spaces are permitted between commas or within addresses.
- #
- # 2. If you give more IP addresses than MAX_CONNECTIONS, it will
- # start at the beginning of the list and go until it gets
- # MAX_CONNECTIONS IPs. Others will be ignored.
- #
- # 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
- # you must type 234-238 if you mean this.
- #
- # 4. If you give a single localIP, that's ok - all local IPs will
- # be set to the given one. You MUST still give at least one remote
- # IP for each simultaneous client.
- #
- #localip 192.168.0.234-238,192.168.0.245
- #remoteip 192.168.1.234-238,192.168.1.245
- #localip 10.0.1.1
- #remoteip 10.0.1.2-100
- localip 192.168.0.199
- remoteip 192.168.0.200-250
PPP 采用 PPTP 服务器配置时也需在 /etc/ppp/pptpd-options
做若干改变。 重要的参数有服务器名称 (pptp
)、网域名称 (falcot.com
)、以及 DNS 与 WINS 服务器的 IP 地址。
例 10.7. /etc/ppp/pptpd-options
文件
- ## turn pppd syslog debugging on
- #debug
- ## change 'servername' to whatever you specify as your server name in chap-secrets
- name pptp
- ## change the domainname to your local domain
- domain falcot.com
- ## these are reasonable defaults for WinXXXX clients
- ## for the security related settings
- # The Debian pppd package now supports both MSCHAP and MPPE, so enable them
- # here. Please note that the kernel support for MPPE must also be present!
- auth
- require-chap
- require-mschap
- require-mschap-v2
- require-mppe-128
- ## Fill in your addresses
- ms-dns 192.168.0.1
- ms-wins 192.168.0.1
- ## Fill in your netmask
- netmask 255.255.255.0
- ## some defaults
- nodefaultroute
- proxyarp
- lock
登录 vpn
用户 (及其密码) 于 /etc/ppp/chap-secrets
文件的最后一个步骤。其他的作为里,星号 (*
) 是有作用的,在此的服务器名称必须明示出来。而且,Windows PPTP 客户端以 *DOMAIN*\\*USER*
形式辨识,不是以用户名区别。这就说明了在 FALCOT\\vpn
用户必须提及的文件。也可以指定用户使用特定的 IP 地址;此字段内的星号用于指定动态的地址。
例 10.8. 该 /etc/ppp/chap-secrets
文件
- # Secrets for authentication using CHAP
- # client server secret IP addresses
- vpn pptp f@Lc3au *
- FALCOT\\vpn pptp f@Lc3au *
安全 PPTP 漏洞
𧢒微软的第一个 PPTP 应用发生重大的瑕疪,因为出现很多安全漏洞;多半在新版已修正了。本节的配置文档使用最新版的协议。移除部分选项 (如 require-mppe-128
与 require-mschap-v2
) 仍可能再出现服务漏洞。