VPN部署:安全远程访问
VPN类型
VPN类型:
├── 远程访问VPN: 个人设备连接到企业网络
├── 站点到站点VPN: 连接两个网络
├── SSL VPN: 基于SSL/TLS的VPN
└── IPSec VPN: 基于IPSec的VPN
OpenVPN部署
安装配置
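# Install OpenVPN and the easy-rsa PKI helper
sudo apt-get update
sudo apt-get install openvpn easy-rsa

# Initialise the PKI. Everything below writes under /etc/openvpn, so run this
# part as root (the cd calls are checked so a failed cd cannot run easyrsa in
# the wrong directory).
cd /etc/openvpn || exit 1
make-cadir easy-rsa
cd easy-rsa || exit 1
./easyrsa init-pki
# Interactive: prompts for the CA passphrase and Common Name. This key signs every
# client certificate; keeping it off the VPN host limits the blast radius of a
# server compromise.
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh

# TLS-auth key. server.conf references /etc/openvpn/ta.key, so pass the full path:
# a bare `ta.key` here would land in the current directory, /etc/openvpn/easy-rsa,
# and the server would fail to find it.
openvpn --genkey secret /etc/openvpn/ta.key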
服务端配置
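# /etc/openvpn/server.conf
# OpenVPN remote-access server. Certificate paths point at the easy-rsa PKI
# built under /etc/openvpn/easy-rsa; the tls-auth key must exist at /etc/openvpn/ta.key.
port 1194
proto udp
dev tun

# PKI material
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
# Reject revoked client certificates. The CRL comes from `easyrsa gen-crl` and is
# copied to /etc/openvpn/ca.crl by the revoke-client step; without this directive
# a revoked client can still connect. Generate the CRL once before the first start,
# otherwise OpenVPN refuses to start on the missing file, and keep it readable after
# privileges drop to nobody (it is re-read at connect time).
crl-verify /etc/openvpn/ca.crl

# Address pool handed to clients and routes pushed to them
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 10.0.0.0 255.0.0.0"
# Public resolvers: client name lookups leave the network. Point this at an
# internal DNS server if clients must resolve internal names.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
# Data-channel cipher (newer releases negotiate via data-ciphers; this still applies)
cipher AES-256-GCM
# HMAC-protect the TLS control channel; key-direction 0 is the server side, clients use 1
tls-auth /etc/openvpn/ta.key 0

# Drop privileges after startup. persist-key/persist-tun keep the key material and
# tun device across restarts, since the unprivileged user cannot re-open them.
user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn-status.log
verb 3
explicit-exit-notify 1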
启动服务
# Bring up the OpenVPN server instance. The openvpn@.service template resolves
# the instance name "server" to /etc/openvpn/server.conf.
unit="openvpn@server"

# start now and enable at boot
sudo systemctl start "$unit"
sudo systemctl enable "$unit"

# confirm the daemon is active
sudo systemctl status "$unit"

# stream the daemon log (Ctrl-C to stop)
journalctl -u "$unit" -f
WireGuard部署
安装配置
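# Install WireGuard (wg and wg-quick tools)
sudo apt-get install wireguard

# Generate the server key pair. The umask keeps privatekey from being created
# world-readable; the subshell confines the umask change to these two files.
(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)

# Server configuration. /etc/wireguard is root-only, so write through sudo tee
# (a plain `cat >` redirection is opened by the caller's shell and fails unless
# the whole session is root). Replace <server-private-key> with the contents of
# privatekey, <client-public-key> with the client's publickey, and eth0 with the
# actual uplink interface.
# The peer's AllowedIPs is cryptokey routing: the server routes those prefixes to
# this client AND drops packets from it with any other source address, so
# 192.168.1.0/24 here means this client acts as the gateway for that LAN.
sudo tee /etc/wireguard/wg0.conf >/dev/null << 'EOF'
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24
EOF
# The file holds the server private key
sudo chmod 600 /etc/wireguard/wg0.conf

# NOTE: the PostUp forwarding/MASQUERADE rules only take effect with
# net.ipv4.ip_forward=1 (sysctl), which is not set here.
# Start WireGuard
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0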
客户端配置
# client.conf
[Interface]
# The client's own key; this file is a secret, keep it readable only by its owner
PrivateKey = <client-private-key>
# Inside the server's wg0 subnet and matching the AllowedIPs the server lists for this peer (10.0.0.2/32)
Address = 10.0.0.2/24
# Resolver used while the tunnel is up; a public resolver sends every name lookup outside the VPN
DNS = 8.8.8.8

[Peer]
PublicKey = <server-public-key>
# Public name and port of the server; 51820 matches the server's ListenPort
Endpoint = your-server.com:51820
# Full tunnel: all destinations are routed through the VPN, which relies on the server's MASQUERADE rule
AllowedIPs = 0.0.0.0/0
# Keepalive every 25 s so a client behind NAT keeps its mapping open
PersistentKeepalive = 25
IPSec VPN
StrongSwan配置
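# Install strongSwan plus the PKI helper used to create server-cert.pem
sudo apt-get install strongswan strongswan-pki

# Server configuration. /etc/ipsec.conf is root-owned, so write it through sudo tee
# (a plain `cat >` redirection runs as the invoking user). Parameter lines inside a
# section must be indented: the ipsec.conf parser treats an unindented line as the
# start of a new section.
#
# Not shown here: /etc/ipsec.secrets must hold the server private key and the
# EAP user credentials, and leftcert is looked up under /etc/ipsec.d/certs by default.
# With rightauth=eap-mschapv2 the user password is only protected by IKEv2 server
# authentication, so leftid=@server.example.com must be present in the server
# certificate (SAN) and clients must verify it.
# charondebug at level 2 is bring-up verbosity; lower it once the tunnel works.
sudo tee /etc/ipsec.conf >/dev/null << 'EOF'
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2"
    uniqueids=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!

conn vpn-server
    keyexchange=ikev2
    left=%any
    leftid=@server.example.com
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8
    rightsendcert=never
    eap_identity=%identity
    auto=add
EOF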
站点到站点VPN
AWS VPN配置
# aws-vpn.tf
# Virtual private gateway: the AWS side of the site-to-site tunnel, attached to the VPC.
resource "aws_vpn_gateway" "main" {
  vpc_id = var.vpc_id
  tags = {
    Name = "main-vpn-gateway"
  }
}
# Customer gateway: describes the on-premises VPN device (the office router).
resource "aws_customer_gateway" "office" {
  # ASN of the office device; 65000 is in the private range (64512-65534). It is only
  # meaningful for BGP, but the provider still expects it with static routing.
  bgp_asn    = 65000
  # Public IP of the office device; 203.0.113.1 is a documentation-range placeholder, replace it.
  ip_address = "203.0.113.1"
  type       = "ipsec.1"
  tags = {
    Name = "office-gateway"
  }
}
# The tunnel itself, joining the two gateways above. static_routes_only disables BGP,
# so every prefix reachable through the tunnel must be declared explicitly
# (see aws_vpn_connection_route).
resource "aws_vpn_connection" "office" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.office.id
  type                = "ipsec.1"
  static_routes_only  = true
  tags = {
    Name = "office-vpn"
  }
}
# Static route for the office LAN behind the tunnel (the same prefix the OpenVPN
# server pushes to its clients). Subnet route tables still need a route towards
# the VPN gateway, e.g. via route propagation; that is not configured here.
resource "aws_vpn_connection_route" "office" {
  destination_cidr_block = "192.168.1.0/24"
  vpn_connection_id      = aws_vpn_connection.office.id
}
监控和管理
VPN状态监控
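#!/bin/bash
# vpn-monitor.sh — print a status snapshot of each VPN daemon on this host.
# The wg and ipsec queries need root, so run as a user with sudo rights.
set -u

openvpn_status_log=/var/log/openvpn-status.log

printf '=== VPN状态监控 ===\n'

# OpenVPN: the daemon rewrites this file periodically (`status` in server.conf);
# the ROUTING TABLE section lists the connected clients. Read it directly instead
# of `cat | grep`, and report a missing/unreadable file instead of printing nothing.
printf '\n--- OpenVPN ---\n'
if [[ -r "$openvpn_status_log" ]]; then
  grep -A 100 "ROUTING TABLE" -- "$openvpn_status_log" | head -20
else
  printf 'cannot read %s\n' "$openvpn_status_log" >&2
fi

# WireGuard: peers, handshakes and transfer counters
printf '\n--- WireGuard ---\n'
sudo wg show

# IPsec: loaded connections and established security associations
printf '\n--- IPSec ---\n'
sudo ipsec status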
自动化管理脚本
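#!/bin/bash
# vpn-manager.sh — manage OpenVPN client certificates with easy-rsa.
#
# Usage: vpn-manager.sh add-client <name>
#        vpn-manager.sh revoke-client <name>
#        vpn-manager.sh show-clients
#
# easyrsa writes under EASYRSA_DIR, so run the script with write access to it
# (the original mixed direct easyrsa calls with a sudo copy of the CRL).
set -euo pipefail

readonly EASYRSA_DIR=/etc/openvpn/easy-rsa
readonly OPENVPN_DIR=/etc/openvpn

ACTION=${1:-}
CLIENT=${2:-}

die() { printf '%s\n' "$*" >&2; exit 1; }

usage() {
  printf 'Usage: %s add-client <name> | revoke-client <name> | show-clients\n' "${0##*/}" >&2
  exit 2
}

# The client name becomes file names under pki/ and is passed to easyrsa as an
# argument, so reject anything outside a plain identifier (no '/', '..', spaces,
# or a leading '-' that easyrsa could take as an option).
require_client() {
  [[ -n "$CLIENT" ]] || die "client name required for $ACTION"
  [[ "$CLIENT" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || die "invalid client name: $CLIENT"
}

case "$ACTION" in
  add-client)
    # Issue a client certificate. `nopass` leaves the private key unencrypted;
    # the client needs ca.crt, its cert/key and ta.key to connect.
    require_client
    cd "$EASYRSA_DIR" || die "cannot cd to $EASYRSA_DIR"
    ./easyrsa gen-req "$CLIENT" nopass
    ./easyrsa sign-req client "$CLIENT"
    ;;
  revoke-client)
    # Revoke and publish a fresh CRL. Revocation is only enforced if server.conf
    # loads the copied file with `crl-verify`.
    require_client
    cd "$EASYRSA_DIR" || die "cannot cd to $EASYRSA_DIR"
    ./easyrsa revoke "$CLIENT"
    ./easyrsa gen-crl
    sudo cp -- pki/crl/ca.crl "$OPENVPN_DIR/"
    ;;
  show-clients)
    # pki/issued/ holds every signed certificate. Skip the CA cert by exact name
    # instead of `ls | grep -v ca`, which also hid any client whose name contains "ca".
    shopt -s nullglob
    for cert in "$EASYRSA_DIR"/pki/issued/*.crt; do
      name=${cert##*/}
      [[ "$name" == ca.crt ]] && continue
      printf '%s\n' "$name"
    done
    ;;
  *)
    usage
    ;;
esac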
最佳实践
- 使用强加密: AES-256、ChaCha20等
- 密钥管理: 定期轮换密钥和证书
- 访问控制: 实施最小权限原则
- 日志审计: 记录所有VPN连接和访问
- 双因素认证: 启用2FA增强安全性
- 网络隔离: VPN访问限制在必要资源