How we chose a VPN protocol and set up the server

Why all this, and what for?



What we had: ten of the simplest server configurations on DigitalOcean, an iOS mobile device, a server for collecting statistics, no experience in setting up a VPN server, and a stubborn desire to provide a fast, reliable and easy-to-use VPN service. Not all of this was strictly necessary, but since we had started, we had to take the problem seriously.



In this article I will briefly describe how we chose a VPN protocol, how we set up the server, and how we organised statistics collection for each VPN server. Do not expect detailed step-by-step instructions: I will give excerpts from the configuration files with short comments.



I think that in IT you will no longer find anyone who does not know what a VPN is and why it is needed.



But if one had to argue why a modern person needs a VPN, the list would look like this:



  • If you have internal (private) resources, access to them from the global Internet should be restricted.
  • If you need to establish a secure connection between two networks.
  • If you need access to resources that, for some reason, are not available from your country (changing your location as seen from your IP address).


One more point that is not entirely obvious: a VPN can increase the speed of your Internet connection, because your ISP may send the traffic along a shorter route, meaning a more optimal path is chosen and, as a result, the speed goes up. But it can also work the other way if you choose a server location that is poor relative to you (more on that later).



How we chose a VPN protocol



The VPN protocol had to be supported natively on mobile devices, without installing additional software.



We took the best-known protocol implementations and discarded those that did not fit the conditions of the original problem.



Let me remind you of just two conditions:



  • A stable and reliable connection.
  • No third-party software installed on the client device.


I will go through the protocols, describe each one briefly, and explain why it did not suit us.



PPTP (Point-to-Point Tunneling Protocol)



One of the oldest VPN protocols, developed by Microsoft. Because it has been around for so long, it is supported by most operating systems, but at the same time it cannot provide a stable and reliable connection. Microsoft itself recommends using L2TP or SSTP instead of PPTP.



, .



L2TP/IPSec



PPTP, . , -, .. .

L2TP/IPsec , . : , , VPN-.



.. , , , .



IKEv2/IPSec



Microsoft Cisco, (, OpenIKEv2, Openswan strongSwan).



Mobility and Multi-homing Protocol (MOBIKE), .



IKEv2 , WiFi .



IKEv2 .



, .. Mobility and Multi-homing Protocol .



OpenVPN



OpenVPN Technologies.



, .

OpenVPN . , TCP UPD, . VPN .



OpenVPN, , .



, , , - , .



Wireguard



VPN. IPSec OpenVPN, , , .



Unix , .. Unix. .



, , .



.



IKEv2/IPSec, :



  • Mobility and Multi-homing Protocol (MOBIKE).
  • .
  • .
  • .


.



VPN-



, , () ().



— , .. , ( ), .., , - .



- , digitalocean , 1 Gb 25 Gb .



, - VPN- .



:



  • Docker + docker-compose.
  • strongswan — IPSec .
  • Let's Encrypt — .
  • Radius — .


Docker , vpn-.



Dockerfile ( )



# Base image: minimal Alpine Linux
FROM alpine:latest

...
# strongSwan version: the source tarball that is downloaded and built
ARG SS_VERSION="https://download.strongswan.org/strongswan-5.8.2.tar.gz"

...

# Container entrypoint and the user-management helper scripts
COPY ./run.sh /run.sh
COPY ./adduser.sh /adduser.sh
COPY ./rmuser.sh /rmuser.sh

RUN chmod 755 /run.sh /adduser.sh /rmuser.sh

# EAP user credentials are kept outside the container
VOLUME ["/usr/local/etc/ipsec.secrets"]

# IKE (500/udp) and NAT traversal (4500/udp)
EXPOSE 500/udp 4500/udp

CMD ["/run.sh"]


adduser.sh, rmuser.sh .



adduser.sh



#!/bin/sh
# Add an EAP user with a randomly generated password to ipsec.secrets.

VPN_USER="$1"

if [ -z "$VPN_USER" ]; then
  echo "Usage: $0 username" >&2
  echo "Example: $0 jordi" >&2
  exit 1
fi

# Backslashes and quotes would break the ipsec.secrets syntax
case "$VPN_USER" in
  *[\\\"\']*)
    echo "VPN credentials must not contain any of these characters: \\ \" '" >&2
    exit 1
    ;;
esac

VPN_PASSWORD="$(openssl rand -base64 9)" # 9 random bytes, 12 base64 characters

echo "Password for user is: $VPN_PASSWORD"
# Append the user's EAP credential line to /usr/local/etc/ipsec.secrets
echo "$VPN_USER : EAP \"$VPN_PASSWORD\"" >> /usr/local/etc/ipsec.secrets

# Make strongSwan pick up the new secret without a restart
ipsec rereadsecrets


rmuser.sh



#!/bin/sh
# Remove a user's EAP credential line from ipsec.secrets.

VPN_USER="$1"

if [ -z "$VPN_USER" ]; then
  echo "Usage: $0 username" >&2
  echo "Example: $0 jordi" >&2
  exit 1
fi

# Keep a backup, then drop the line that starts with "<user> :" from
# /usr/local/etc/ipsec.secrets (anchored so "jordi" does not also remove "ajordi")
cp /usr/local/etc/ipsec.secrets /usr/local/etc/ipsec.secrets.bak
sed "/^$VPN_USER :/d" /usr/local/etc/ipsec.secrets.bak > /usr/local/etc/ipsec.secrets

ipsec rereadsecrets


ipsec.secrets.



:



run.sh



#!/bin/bash

VPNIPPOOL="10.15.1.0/24" # IP pool from which VPN clients receive their addresses
LEFT_ID=${VPNHOST}       # identity of the VPN server (its hostname)

sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
sysctl net.ipv6.conf.eth0.proxy_ndp=1

# DNS servers pushed to VPN clients; public resolvers unless overridden
if [ ! -z "$DNS_SERVERS" ] ; then
    DNS=$DNS_SERVERS
else
    DNS="1.1.1.1,8.8.8.8"
fi

# Optional bandwidth cap for the server (mbit), applied to eth0 in both directions
if [ ! -z "$SPEED_LIMIT" ] ; then
    tc qdisc add dev eth0 handle 1: ingress
    tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip src 0.0.0.0/0 police rate ${SPEED_LIMIT}mbit burst 10k drop flowid :1
    tc qdisc add dev eth0 root tbf rate ${SPEED_LIMIT}mbit latency 25ms burst 10k
fi

# Leave IPsec-policy traffic alone, masquerade everything else from the client pool
iptables -t nat -A POSTROUTING -s ${VPNIPPOOL} -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s ${VPNIPPOOL} -o eth0 -j MASQUERADE

iptables -L

# Obtain a Let's Encrypt certificate if either the chain or the key is missing
# (port 80 has to be published for the standalone HTTP challenge)
if [[ ! -f "/usr/local/etc/ipsec.d/certs/fullchain.pem" || ! -f "/usr/local/etc/ipsec.d/private/privkey.pem" ]] ; then
    certbot certonly --standalone --preferred-challenges http --agree-tos --no-eff-email --email ${LEEMAIL} -d ${VPNHOST}
    cp /etc/letsencrypt/live/${VPNHOST}/fullchain.pem /usr/local/etc/ipsec.d/certs
    cp /etc/letsencrypt/live/${VPNHOST}/privkey.pem /usr/local/etc/ipsec.d/private
    cp /etc/letsencrypt/live/${VPNHOST}/chain.pem /usr/local/etc/ipsec.d/cacerts
fi

rm -f /var/run/starter.charon.pid

# Regenerate ipsec.conf (section headers such as "conn" must start in column 0)
if [ -f "/usr/local/etc/ipsec.conf" ]; then
    rm /usr/local/etc/ipsec.conf
    cat >> /usr/local/etc/ipsec.conf <<EOF
config setup
    charondebug="ike 1, knl 1, cfg 1"
    uniqueids=never

conn ikev2-vpn
    ...

    eap_identity=%identity
EOF
fi

# The server's private key; EAP user lines are appended later by adduser.sh
if [ ! -f "/usr/local/etc/ipsec.secrets" ]; then
    cat > /usr/local/etc/ipsec.secrets <<EOF
: RSA privkey.pem
EOF
fi

# further configuration blocks omitted here (the eap-radius.conf block is shown below)
.....

sysctl -p

ipsec start --nofork


, docker-compose:



version: '3'

services:
  vpn:
    build: .
    container_name: ikev2-vpn-server
    privileged: true
    volumes:
      - './data/certs/certs:/usr/local/etc/ipsec.d/certs'
      - './data/certs/private:/usr/local/etc/ipsec.d/private'
      - './data/certs/cacerts:/usr/local/etc/ipsec.d/cacerts'
      - './data/etc/ipsec.d/ipsec.secrets:/usr/local/etc/ipsec.secrets'
    env_file:
      - .env
    ports:
      - '500:500/udp'
      - '4500:4500/udp'
      - '80:80'
    depends_on:
      - radius
    links:
      - radius
    networks:
      - backend

  radius:
    image: 'freeradius/freeradius-server:latest'
    container_name: freeradius-server
    volumes:
      - './freeradius/clients.conf:/etc/raddb/clients.conf'
      - './freeradius/mods-enabled/rest:/etc/raddb/mods-enabled/rest'
      - './freeradius/sites-enabled/default:/etc/raddb/sites-enabled/default'
    env_file:
      - .env
    command: radiusd -X
    networks:
      - backend
networks:
  backend:
    ipam:
      config:
        - subnet: 10.0.0.0/24


volume , .



, , Let's Encrypt.



.env , :



# Hostname of the VPN server (used as its identity and for the certificate)
VPNHOST=vpn.vpn.com
# E-mail address used to register with Let's Encrypt
LEEMAIL=admin@admin.com
# Optional bandwidth limit for the server, in mbit
SPEED_LIMIT=20
# Optional comma-separated DNS servers pushed to clients
DNS_SERVERS=
# Optional: address of the RADIUS server (accounting is enabled only when set)
RADIUS_SERVER=
# Shared secret for the RADIUS server
RADIUS_SERVER_SECRET=
# Endpoint the RADIUS rest module posts accounting data to
REMOTE_SERVER=


docker-compose up -d, vpn-, radius ( ).





VPN-



, , . ipsec, , - , .



, , FreeRadius , ipsec .



FreeRadius , .

radius ipsec:



FreeRADIUS



if [[ ! -z "$RADIUS_SERVER" && ! -z "$RADIUS_SERVER_SECRET" ]]; then
rm /usr/local/etc/strongswan.d/charon/eap-radius.conf
cat >> /usr/local/etc/strongswan.d/charon/eap-radius.conf <<EOF
eap-radius {
    accounting = yes # ipsec sends accounting records when a session starts/stops
    accounting_close_on_timeout = no
    accounting_interval = 300 # interim accounting updates are sent to radius every 300 seconds
    close_all_on_timeout = no
    load = yes
    nas_identifier = $VPNHOST

    # Section to specify multiple RADIUS servers.
    servers {
        primary {
            address = $RADIUS_SERVER
            secret = $RADIUS_SERVER_SECRET
            auth_port = 1812   # default
            acct_port = 1813   # default
        }
    }
}
EOF
fi


endpoint, rest. /etc/raddb/mods-enabled/rest accounting, - :



accounting {
    uri = "${..connect_uri}/vpn_sessions/%{Acct-Session-Id}-%{Acct-Unique-Session-ID}"
    method = 'post'
    tls = ${..tls}
    body = json
    data = '{ "username": "%{User-Name}", "nas_port": "%{NAS-Port}", "nas_ip_address": "%{NAS-IP-Address}", "framed_ip_address": "%{Framed-IP-Address}", "framed_ipv6_prefix": "%{Framed-IPv6-Prefix}", "nas_identifier": "%{NAS-Identifier}", "airespace_wlan_id": "%{Airespace-Wlan-Id}", "acct_session_id": "%{Acct-Session-Id}", "nas_port_type": "%{NAS-Port-Type}", "cisco_avpair": "%{Cisco-AVPair}", "acct_authentic": "%{Acct-Authentic}", "tunnel_type": "%{Tunnel-Type}", "tunnel_medium_type": "%{Tunnel-Medium-Type}", "tunnel_private_group_id": "%{Tunnel-Private-Group-Id}", "event_timestamp": "%{Event-Timestamp}", "acct_status_type": "%{Acct-Status-Type}", "acct_input_octets": "%{Acct-Input-Octets}", "acct_input_gigawords": "%{Acct-Input-Gigawords}", "acct_output_octets": "%{Acct-Output-Octets}", "acct_output_gigawords": "%{Acct-Output-Gigawords}", "acct_input_packets": "%{Acct-Input-Packets}", "acct_output_packets": "%{Acct-Output-Packets}", "acct_terminate_cause": "%{Acct-Terminate-Cause}", "acct_session_time": "%{Acct-Session-Time}", "acct_delay_time": "%{Acct-Delay-Time}", "calling_station_id": "%{Calling-Station-Id}", "called_station_id": "%{Called-Station-Id}"}'
}
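A minimal receiver for the records that the rest module posts, written here as an added example (it is not part of the original article or its project). It assumes the JSON field names from the data template above and a listening port of 8080 (what REMOTE_SERVER would point at), and shows the one detail such an endpoint must get right: the 32-bit octet counters have to be combined with their Gigawords wrap counters, and the counters are cumulative per session.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

def octets(count, gigawords):
    """RADIUS octet counters are 32-bit; *-Gigawords counts 2^32 wraps.
    FreeRADIUS renders an absent attribute as "", hence the `or 0`."""
    return int(gigawords or 0) * (1 << 32) + int(count or 0)

class Accounting:
    """Tracks live sessions and per-user byte totals from Acct-Status-Type events."""
    def __init__(self):
        self.live = {}    # acct_session_id -> session dict
        self.totals = {}  # username -> rx+tx bytes of finished sessions

    def ingest(self, rec):
        sid, user, status = rec["acct_session_id"], rec["username"], rec.get("acct_status_type")
        sess = self.live.setdefault(
            sid, {"user": user, "ip": rec.get("framed_ip_address"), "rx": 0, "tx": 0})
        if status in ("Interim-Update", "Stop"):
            # Counters are cumulative for the session: overwrite, never add
            sess["rx"] = octets(rec.get("acct_input_octets"), rec.get("acct_input_gigawords"))
            sess["tx"] = octets(rec.get("acct_output_octets"), rec.get("acct_output_gigawords"))
        if status == "Stop":
            del self.live[sid]
            self.totals[user] = self.totals.get(user, 0) + sess["rx"] + sess["tx"]
        return sess

ACCT = Accounting()

class Handler(BaseHTTPRequestHandler):
    """Accepts the JSON the rest module posts to /vpn_sessions/<session id>."""
    def do_POST(self):
        if not self.path.startswith("/vpn_sessions/"):
            self.send_error(404)
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            ACCT.ingest(json.loads(body))
        except (ValueError, KeyError):
            self.send_error(400)  # malformed JSON or a missing required field
            return
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    # Port 8080 is an assumption of this example, not a value from the article
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Nothing here authenticates the poster, so the endpoint belongs on the backend network that only the radius container can reach.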


.



VPN , , Apple , , , Let's Encrypt.



?



  • radius , VPN.
  • , VPN-.


VPN-?



  • radius.
  • .
  • , .
  • health-check .


?



Through trial and error we arrived at the option described in this article. First of all we stuck to the principle of keeping things simple and did not reinvent the wheel, using ready-made tools such as Docker and FreeRadius. Yes, there is most likely room for optimisation, stricter security policies and automation. But if you need to organise access to private (closed) information, our option is well suited both for personal use and for use in a small company.



