10.3. 虛擬專用網路

虛擬專用網路 (VPN) 是以通道方式，經由網際網路連結兩個區域網路的方式；通常以加密方式在通道內傳送資訊。VPN 通常用於整合公司內部遠端機器。

Several tools provide this functionality. OpenVPN is an efficient solution, easy to deploy and maintain, based on SSL/TLS. Another possibility is using IPsec to encrypt IP traffic between two machines; this encryption is transparent, which means that applications running on these hosts need not be modified to take the VPN into account. SSH can also be used to provide a VPN, in addition to its more conventional features. Finally, a VPN can be established using Microsoft's PPTP protocol. Other solutions exist, but are beyond the focus of this book.

10.3.1. OpenVPN

OpenVPN 用於建立虛擬專用網路的一個軟體。在 VPN 伺服器及客戶端建立虛擬專用網路；支援 tun (IP 層面的通道) 和 tap (Ethernet 層面的通道) 介面。實務上，常用的是 tun 介面，除非 VPN 客戶端難以經由 Ethernet 橋接器整合入伺服器的區域網路。

OpenVPN 所有的 SSL/TLS 加密與其他功能 (機密性、認證、完整性、不可否認性)，均有賴於 OpenSSL。可以用公鑰基礎設施的共享私鑰或使用 X.509 認證的方式組態它。建議使用後者的方式組態，以漫遊方式近用 VPN 的使用者可享有更多的彈性。

10.3.1.1. 組態 OpenVPN 伺服器

After all certificates have been created (follow the instructions from 節 10.2.2, “公鑰基礎設施：easy-rsa”), they need to be copied where appropriate: the root certificate's public key (pki/ca.crt) will be stored on all machines (both server and clients) as /etc/ssl/certs/Falcot_CA.crt. The server's certificate is installed only on the server (pki/issued/vpn.falcot.com.crt goes to /etc/ssl/certs/vpn.falcot.com.crt, and pki/private/vpn.falcot.com.key goes to /etc/ssl/private/vpn.falcot.com.key with restricted permissions so that only the administrator can read it), with the corresponding Diffie-Hellman parameters (pki/dh.pem) installed to /etc/openvpn/dh.pem. Client certificates are installed on the corresponding VPN client in a similar fashion.

By default, the OpenVPN initialization script tries starting all virtual private networks defined in /etc/openvpn/*.conf. Setting up a VPN server is therefore a matter of storing a corresponding configuration file in this directory. A good starting point is /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz, which leads to a rather standard server. Of course, some parameters need to be adapted: ca, cert, key and dh need to describe the selected locations (respectively, /etc/ssl/certs/Falcot_CA.crt, /etc/ssl/vpn.falcot.com.crt, /etc/ssl/private/vpn.falcot.com.key and /etc/openvpn/dh.pem). The server 10.8.0.0 255.255.255.0 directive defines the subnet to be used by the VPN; the server uses the first IP address in that range (10.8.0.1) and the rest of the addresses are allocated to clients.

With this configuration, starting OpenVPN creates the virtual network interface, usually under the tun0 name. However, firewalls are often configured at the same time as the real network interfaces, which happens before OpenVPN starts. Good practice therefore recommends creating a persistent virtual network interface, and configuring OpenVPN to use this pre-existing interface. This further allows choosing the name for this interface. To this end, openvpn --mktun --dev vpn --dev-type tun creates a virtual network interface named vpn with type tun; this command can easily be integrated in the firewall configuration script, or in an up directive of the /etc/network/interfaces file, or a udev rule can be added to that end. The OpenVPN configuration file must also be updated accordingly, with the dev vpn and dev-type tun directives.

禁止進一步的行動，VPN 客戶端祗能經由 10.8.0.1 位址近用 VPN 伺服器。為了授權客戶近用在地網路 (192.168.0.0/24)，需在 OpenVPN 組態中加入 推送路徑 192.168.0.0 255.255.255.0，讓 VPN 客戶端自動取得網路路由，使其明瞭經由 VPN 可以進入該網路。此外，在地網路的機器也需被告知，經由 VPN 伺服器 (在閘道安裝 VPN 伺服器即自動啟用) 進入VPN。另外，VPN 伺服器可以組態後執行偽裝 IP 的工作，讓來自 VPN 客戶端的訊息顯示成來自 VPN 伺服器 (見節 10.1, “閘道器”)。

10.3.1.2. 組態 OpenVPN 客戶端

需組態 /etc/openvpn/ 內的檔案才能設定 OpenVPN 客戶端。標準的組態方法可從使用 /usr/share/doc/openvpn/examples/sample-config-files/client.conf 這個檔案開始。remote vpn.falcot.com 1194 介紹 OpenVPN 伺服器的位址及埠號；描述密鑰文件位址時，需參考 ca、cert 和 key。

If the VPN should not be started automatically on boot, set the AUTOSTART directive to none in the /etc/default/openvpn file. Starting or stopping a given VPN connection is always possible with the commands systemctl start openvpn@name and systemctl stop openvpn@name (where the connection name matches the one defined in /etc/openvpn/name.conf).

The network-manager-openvpn-gnome package contains an extension to Network Manager (see 節 8.2.5, “網路自動組態漫遊使用者”) that allows managing OpenVPN virtual private networks. This allows every user to configure OpenVPN connections graphically and to control them from the network management icon.

10.3.2. SSH 下的虛擬專屬網路

There are actually two ways of creating a virtual private network with SSH. The historic one involves establishing a PPP layer over the SSH link. This method is described in a HOWTO document:

→ https://www.tldp.org/HOWTO/ppp-ssh/

第二個方法較新，適用於 OpenSSH 4.3；可以在 OpenSSH 之下建立虛擬網路介面 (tun*) 於 SSH 連結的兩端，且可以精準地組態這些虛擬介面，就像在實體介面環境下。必須先設定 PermitTunnel 為 “yes” 於 SSH 伺服器組態檔 (/etc/ssh/sshd_config)，才能啟用此隧道系統。啟用 SSH 連結後，新增的隧道必須以 -w any:any 選項 (any 可以用期望的 tun 設備名稱取代) 請求連結。兩端的使用者需有管理者權限，才能新增網路設備 (換句話說，必須以超級使用者的身份才能建立連結)。

以 SSH 建立虛擬專屬網路的兩種方法都很直接。然而，它們提供的 VPN 不是最有效的；特別是，無法有效處理高階的流量。

The explanation is that when a TCP/IP stack is encapsulated within a TCP/IP connection (for SSH), the TCP protocol is used twice, once for the SSH connection and once within the tunnel. This leads to problems, especially due to the way TCP adapts to network conditions by altering timeout delays. The following site describes the problem in more detail:

→ http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

VPNs over SSH should therefore be restricted to one-off tunnels with no performance constraints.

10.3.3. 網際網路安全協定

IPsec, despite being the standard in IP VPNs, is rather more involved in its implementation. The IPsec engine itself is integrated in the Linux kernel; the required user-space parts, the control and configuration tools, are provided by the libreswan package or the strongswan package. Here we describe briefly the first of these options.

First, we install the libreswan package. In concrete terms, each host's /etc/ipsec.conf contains the parameters for IPsec tunnels (or Security Associations, in the IPsec terminology) that the host is concerned with. There are many configuration examples in /usr/share/doc/libreswan/, but Libreswan's online documentation has more examples with explanations:

→ https://libreswan.org/wiki/

The IPsec service can be controlled with systemctl; for example, systemctl start ipsec will start the IPsec service.

僅管其狀態為參照，IPsec 的設定限制其用途。必備的通道不多也不是動態時，OpenVPN-based 解決方案較受用。

10.3.4. PPTP

PPTP (𪅈原文是 Point-to-Point Tunneling Protocol) 用到兩種通訊閘道，一個控制資料另個酬載資料；後者使用 GRE 協定 (Generic Routing Encapsulation)。標準的 PPP 連結建立在資料交換閘道。

10.3.4.1. 設定客戶端

此 pptp-linux 封包含有易於組態的 Linux 客戶端 PPTP。以下說明取自官方文件：

→ http://pptpclient.sourceforge.net/howto-debian.phtml

Falcot 管理者新增若干檔案：/etc/ppp/options.pptp、/etc/ppp/peers/falcot、/etc/ppp/ip-up.d/falcot、與 /etc/ppp/ip-down.d/falcot。

範例 10.2. /etc/ppp/options.pptp 檔案

# PPP options used for a PPTP connection
lock
noauth
nobsdcomp
nodeflate

範例 10.3. /etc/ppp/peers/falcot 檔案

# vpn.falcot.com is the PPTP server
pty "pptp vpn.falcot.com --nolaunchpppd"
# the connection will identify as the "vpn" user
user vpn
remotename pptp
# encryption is needed
require-mppe-128
file /etc/ppp/options.pptp
ipparam falcot

範例 10.4. /etc/ppp/ip-up.d/falcot 檔案

# Create the route to the Falcot network
if [ "$6" = "falcot" ]; then
  # 192.168.0.0/24 is the (remote) Falcot network
  ip route add 192.168.0.0/24 dev $1
fi

範例 10.5. /etc/ppp/ip-down.d/falcot 檔案

# Delete the route to the Falcot network
if [ "$6" = "falcot" ]; then
  # 192.168.0.0/24 is the (remote) Falcot network
  ip route del 192.168.0.0/24 dev $1
fi

10.3.4.2. 組態伺服器

pptpd 是 Linux 的 PPTP 伺服器。它的主要組態檔是，/etc/pptpd.conf，應做若干改變：localip (內網 IP 位址) 與 remoteip (外網 IP 位址)。在下例中，PPTP 伺服器總是使用 192.168.0.199 位址，以及從 192.168.0.200 至 192.168.0.250 之間接收 PPTP 客戶端的 IP 位址。

範例 10.6. /etc/pptpd.conf 檔案

[..]
# TAG: localip
# TAG: remoteip
#       Specifies the local and remote IP address ranges.
#
#       These options are ignored if delegate option is set.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#       You can specify single IP addresses seperated by commas or you can
#       specify ranges, or both. For example:
#
#               192.168.0.234,192.168.0.245-249,192.168.0.254
#
#       IMPORTANT RESTRICTIONS:
#
#       1. No spaces are permitted between commas or within addresses.
#
#       2. If you give more IP addresses than the value of connections,
#          it will start at the beginning of the list and go until it
#          gets connections IPs.  Others will be ignored.
#
#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#          you must type 234-238 if you mean this.
#
#       4. If you give a single localIP, that's ok - all local IPs will
#          be set to the given one. You MUST still give at least one remote
#          IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
localip 192.168.0.199
remoteip 192.168.0.200-250

PPP 採用 PPTP 伺服器組態時也需在 /etc/ppp/pptpd-options 做若干改變。重要的參數有伺服器名稱 (pptp)、網域名稱 (falcot.com)、以及 DNS 與 WINS 伺服器的 IP 位址。

範例 10.7. /etc/ppp/pptpd-options 檔案

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug

# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Optional: domain name to use for authentication
## change the domainname to your local domain
domain falcot.com

# Authentication
## these are reasonable defaults for WinXXXX clients
## for the security related settings
auth
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128

# Network and Routing
## Fill in your addresses
ms-dns 192.168.0.1
ms-wins 192.168.0.1

## Fill in your netmask
netmask 255.255.255.0

## some defaults
nodefaultroute
proxyarp
lock

登錄 vpn 使用者 (及其密碼) 於 /etc/ppp/chap-secrets 檔案的最後一個步驟。其他的作為裡，星號 (*) 是有作用的，在此的伺服器名稱必須明示出來。而且，Windows PPTP 客戶端以 DOMAIN\\USER 形式辨識，不是以使用者名稱區別。這就說明了在 FALCOT\\vpn 使用者必須提及的檔案。也可以指定使用者使用特定的 IP 位址；此欄位內的星號用於指定動態的位址。

範例 10.8. 該 /etc/ppp/chap-secrets 檔案

# Secrets for authentication using CHAP
# client        server  secret      IP addresses
vpn             pptp    f@Lc3au     *
FALCOT\\vpn     pptp    f@Lc3au     *