«Debian OpenVPN certificates» and «Recover Deleted Files on an NTFS Hard Drive from a Linux»: difference between pages

Material from support.qbpro.ru
(Difference between pages; both pages by imported>Vix)
There are a great many descriptions of installing and configuring OpenVPN on the internet, but as a rule they all come down either to a general description of how the system should be organised or to a step-by-step configuration of one particular Linux or BSD distribution, often without a sensible explanation of what is being done and why.
Everything described here was done on '''Linux Debian Squeeze'''. I will describe every step in detail, what is executed and why, in case someone uses this article to set things up on another '''Linux''' distribution or operating system.
* The first step is installing the required packages, in my case from the standard repository: '''openvpn and openvpn-blacklist''', accepting all the dependencies that '''aptitude''' asks for.
* The second step is installing '''tinyca''', which we will use to generate keys and certificates for our server and clients; I will also explain why this program is preferable to the tools bundled with the '''openvpn''' package.
* In /etc/openvpn/ create the directory easy-rsa and inside it keys (our keys will live there):
  mkdir /etc/openvpn/easy-rsa
  mkdir /etc/openvpn/easy-rsa/keys
* Generate a 2048-bit '''Diffie-Hellman''' parameter file in /etc/openvpn/easy-rsa/keys:
  cd  /etc/openvpn/easy-rsa/keys
  openssl dhparam -out dh2048.pem 2048
* The next step is generating the keys with '''tinyca'''; start the program:
[[Файл:Tiny1.png]]
* Example of filling in the fields when creating the public key:
'''tinyca - generating the main certificate'''
[[Файл:Tiny2.png]]
* Example of creating certificates for the server and a client:
'''tinyca - creating the server and client certificates'''
[[Файл:Tiny5.png]]
* Example of exporting a key for the server and the client: right-click the certificate or the '''export''' icon at the top:
'''tinyca - exporting certificates in PKCS#12 format'''
[[Файл:Tiny3.png]]
*'''tinyca - exporting certificates: the main key password!'''
[[Файл:Tiny4.png]]
* Now copy the server key into /etc/openvpn/easy-rsa/keys and set up /etc/openvpn/server.conf following this example:
  mode server
  tls-server
  daemon
  local 83.221.170.103
  port 1194
  proto tcp-server
  # device type and number to use
  dev tap0
  # file with the server key (the PKCS#12 bundle exported from tinyca)
  pkcs12 /etc/openvpn/easy-rsa/keys/server_crt.p12
  # Diffie-Hellman parameter file
  dh /etc/openvpn/easy-rsa/keys/dh2048.pem
  # server IP address and subnet mask
  ifconfig 10.10.10.1 255.255.255.0
  #### clients ip
  client-config-dir ccd
  push "route 10.10.10.0 255.255.255.0 10.10.10.1"
  keepalive 10 120 # ping every 10 seconds to keep the link alive
  client-to-client
  #########
  #auth MD5
  # enable packet encryption
  # (BF-CBC is a 64-bit block cipher and is deprecated; OpenVPN 2.5 and later default to AES-256-GCM)
  cipher BF-CBC
  # traffic compression
  comp-lzo
  # maximum number of clients
  max-clients 100
  # do not re-read keys after receiving
  # SIGUSR1 or ping-restart
  persist-key
  # do not close and reopen the TUN/TAP
  # device after receiving
  # SIGUSR1 or ping-restart
  persist-tun
  # logging (do not forget to create the directory /var/log/openvpn/)
  status /var/log/openvpn/openvpn-status.log
  log /var/log/openvpn/openvpn.log
  # debug verbosity level
  verb 5
* Run the command that allows dh 2048:
  touch /usr/share/openssl-blacklist/blacklist.RSA-2048


* Allow translation of openvpn IP addresses:
    mcedit /etc/sysctl.conf
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.rp_filter=1


* Fix the MTU so that it is no larger than that of the underlying link:
  echo "1">/proc/sys/net/ipv4/ip_no_pmtu_disc


* Now we need to write down what the clients will receive over dhcp once they have authenticated; the files must live in /etc/openvpn/ccd. The file name is the common name of the certificate in '''tinyca'''; that is how the settings are matched to the client:
  echo >/etc/openvpn/ccd/klient.crt
  mcedit /etc/openvpn/ccd/klient.crt
  ### settings in the file klient.crt
  # assign the IP address
  ifconfig-push 10.10.10.11 255.255.255.0
  # assign our internal dns server (push takes a single quoted argument)
  push "dhcp-option DNS 10.10.10.1"
  # assign the dns domain suffix - very useful for Windows machines
  push "dhcp-option DOMAIN org"
  # routing to the central office networks
  push "route 10.10.10.0 255.255.255.0 10.10.10.1"
  # and to other networks if required..
  push "route 192.168.5.0 255.255.255.0 10.10.10.1"


* now start the server:
    /etc/init.d/openvpn start
* next stage: configuring the openvpn client.


'''Example client configuration file:'''

  client
  # Use the same setting as you are using on
  # the server.
  # On most systems, the VPN will not function
  # unless you partially or fully disable
  # the firewall for the TUN/TAP interface.
  ##;dev tap
  dev tap0
  # Are we connecting to a TCP or
  # UDP server?  Use the same setting as
  # on the server.
  #proto udp
  proto tcp
  # The hostname/IP and port of the server.
  # You can have multiple remote entries
  # to load balance between the servers.
  #remote my-server-1 1194
  ##;remote my-server-2 1194
  remote 83.221.170.103 1194
  # Keep trying indefinitely to resolve the
  # host name of the OpenVPN server.  Very useful
  # on machines which are not permanently connected
  # to the internet such as laptops.
  resolv-retry infinite
  # Most clients don't need to bind to
  # a specific local port number.
  nobind
  # Downgrade privileges after initialization (non-Windows only)
  #user nobody
  #group nobody
  # Try to preserve some state across restarts.
  persist-key
  persist-tun
  # If you are connecting through an
  # HTTP proxy to reach the actual OpenVPN
  # server, put the proxy server/IP and
  # port number here.  See the man page
  # if your proxy server requires
  # authentication.
  #;http-proxy-retry # retry on connection failures
  #;http-proxy [proxy server] [proxy port #]
  # Wireless networks often produce a lot
  # of duplicate packets.  Set this flag
  # to silence duplicate packet warnings.
  #;mute-replay-warnings
  # SSL/TLS parms.
  # See the server config file for more
  # description.  It's best to use
  # a separate .crt/.key file pair
  # for each client.  A single ca
  # file can be used for all clients.
  #ca ca.crt
  #cert client.crt
  #key client.key
  # dh is only used by the server; it can be dropped from a client config
  dh dh2048.pem
  ### - the client certificate!
  pkcs12 client-crt.p12
  # Verify server certificate by checking
  # that the certificate has the nsCertType
  # field set to "server".  This is an
  # important precaution to protect against
  # a potential attack discussed here:
  #  http://openvpn.net/howto.html#mitm
  #
  # To use this feature, you will need to generate
  # your server certificates with the nsCertType
  # field set to "server".  The build-key-server
  # script in the easy-rsa folder will do this.
  # (ns-cert-type was deprecated in OpenVPN 2.4 and removed in 2.5;
  # the replacement is "remote-cert-tls server")
  ns-cert-type server
  # If a tls-auth key is used on the server
  # then every client must also have the key.
  #;tls-auth ta.key 1
  # Select a cryptographic cipher.
  # If the cipher option is used on the server
  # then you must also specify it here.
  #;cipher x
  #cipher AES-128-CBC
  # Enable compression on the VPN link.
  # Don't enable this unless it is also
  # enabled in the server config file.
  comp-lzo
  # Set log file verbosity.
  verb 4
  # Silence repeating messages
  mute 20


And finally, the tunnel inside the tunnel also has to be tuned: for example, if the MTU on the outer link is 1500,
the MTU of the inner VPN link must not be larger; the recommended value in that case is 1496 or 1442,
set on the client with the '''tun-mtu''' parameter:
  tun-mtu 1496


Experience shows that over a 3G connection the link MTU is usually no higher than 1400, more often 962 - 1276;
accordingly, take the outer link's value and subtract 62,
and assign the result to the connecting client.
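The server.conf and client configuration above carry several settings that are weak or deprecated today (BF-CBC, comp-lzo, ns-cert-type, a commented-out tls-auth). As an added example, not part of the original article, this small audit script checks an OpenVPN config for exactly those settings; the sample file it creates is constructed here and mixes the article's server and client directives.

```shell
# Added example, not from the original page: audit an OpenVPN config for the
# weak or deprecated settings used in the article. Lines that are commented
# out with # or ; are ignored, so "#cipher AES-128-CBC" does not count.
ovpn_audit() {
    # live = the config with comments and blank lines removed
    live=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1")
    # has <regex>: true if an active directive line matches the regex
    has() { printf '%s\n' "$live" | grep -Eq "^[[:space:]]*$1([[:space:]]|$)"; }

    if has 'cipher[[:space:]]+BF-CBC'; then
        echo "cipher BF-CBC: 64-bit block cipher (SWEET32); use AES-256-GCM"
    elif ! has 'cipher'; then
        echo "no cipher directive: OpenVPN before 2.4 falls back to BF-CBC"
    fi
    has 'ns-cert-type' &&
        echo "ns-cert-type: deprecated, removed in 2.5; use remote-cert-tls server"
    has 'comp-lzo' &&
        echo "comp-lzo: compression of attacker-influenced data (VORACLE); disable"
    has 'tls-auth' || has 'tls-crypt' ||
        echo "no tls-auth/tls-crypt: control channel is unauthenticated before TLS"
    has 'client-to-client' &&
        echo "client-to-client: VPN peers can reach each other; confirm this is intended"
    return 0
}

# Constructed sample: the article's server.conf with the client's ns-cert-type
# and commented-out tls-auth added, so every check above has something to find.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
mode server
tls-server
proto tcp-server
dev tap0
#cipher AES-128-CBC
cipher BF-CBC
comp-lzo
client-to-client
;tls-auth ta.key 0
ns-cert-type server
EOF
ovpn_audit "$SAMPLE"
```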

Revision as of 23:39, 25 September 2017

To undelete our files, we first need to identify the hard drive that we want to undelete from. In the terminal window, type in:

  sudo fdisk -l
and press enter.
[screenshot: output of fdisk -l]

What you’re looking for is a line that ends with HPFS/NTFS (under the heading System). In our case, the device is “/dev/sda1”. This may be slightly different for you, but it will still begin with /dev/. Note this device name.

If you have more than one hard drive partition formatted as NTFS, then you may be able to identify the correct partition by the size. If you look at the second line of text in the screenshot above, it reads “Disk /dev/sda: 136.4 GB, …” This means that the hard drive that Ubuntu has named /dev/sda is 136.4 GB large. If your hard drives are of different size, then this information can help you track down the right device name to use. Alternatively, you can just try them all, though this can be time consuming for large hard drives.

Now that you know the name Ubuntu has assigned to your hard drive, we’ll scan it to see what files we can uncover.

In the terminal window, type:

  sudo ntfsundelete <HD name>

and hit enter. In our case, the command is:

  sudo ntfsundelete /dev/sda1

[screenshot: ntfsundelete scan listing]

The names of files that can be recovered show up in the far right column. The percentage in the third column tells us how much of that file can be recovered. Three of the four files that we originally deleted are showing up in this list, even though we shut down the computer right after deleting the four files – so even in ideal cases, your files may not be recoverable.

Nevertheless, we have three files that we can recover – two JPGs and an MPG.

Note: ntfsundelete is immediately available in the Ubuntu 9.10 Live CD. If you are in a different version of Ubuntu, or for some other reason get an error when trying to use ntfsundelete, you can install it by entering “sudo apt-get install ntfsprogs” in a terminal window.

To quickly recover the two JPGs, we will use the * wildcard to recover all of the files that end with .jpg.

In the terminal window, enter

  sudo ntfsundelete <HD name> -u -m '*.jpg'

which is, in our case,

  sudo ntfsundelete /dev/sda1 -u -m '*.jpg'

[screenshot: the two JPGs being recovered]

The two files are recovered from the NTFS hard drive and saved in the current working directory of the terminal. By default, this is the home directory of the current user, though we are working in the Desktop folder.

Note that the ntfsundelete program does not make any changes to the original NTFS hard drive. If you want to take those files and put them back in the NTFS hard drive, you will have to move them there after they are undeleted with ntfsundelete. Of course, you can also put them on your flash drive or open Firefox and email them to yourself – the sky’s the limit!

We have one more file to undelete – our MPG.

[screenshot: scan listing showing the MPG's inode]

Note the first column on the far left. It contains a number, its Inode. Think of this as the file’s unique identifier. Note this number.

To undelete a file by its Inode, enter the following in the terminal:

  sudo ntfsundelete <HD name> -u -i <Inode>

In our case, this is:

  sudo ntfsundelete /dev/sda1 -u -i 14159

[screenshot: the MPG being recovered by inode]

This recovers the file, along with an identifier that we don’t really care about. All three of our recoverable files are now recovered.
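The scan listing is what drives the whole recovery: the inode in the first column and the percentage in the third decide which files are worth a -u -i run. As an added example, not from the original article, the script below triages a saved listing by recoverable percentage and filename glob and prints the matching recovery commands without executing them. It assumes the columns inode, flags, %age, date, time, size, filename (the exact layout varies between ntfsprogs/ntfs-3g versions); the listing it parses is constructed here.

```shell
# Added example, not from the original page. Assumed listing layout:
# inode, flags, %age, date, time, size, filename (filename may contain spaces).
# ntfs_triage <listing> <min-percent> [glob]: prints "inode filename" per match.
ntfs_triage() {
    min="$2"; pat="${3:-*}"
    awk -v min="$min" '
        # skip the header, the dashed separator and anything too short to be a row
        /^Inode/ || /^-+$/ || NF < 7 { next }
        { pct = $3; sub(/%$/, "", pct)
          name = $7; for (i = 8; i <= NF; i++) name = name " " $i
          if (pct + 0 >= min) print $1, name }' "$1" |
    while read -r inode name; do
        # shell-glob match on the filename, like ntfsundelete -m
        case "$name" in $pat) echo "$inode $name" ;; esac
    done
}

# ntfs_plan <device> <listing> <min-percent> [glob]: dry run, prints the
# per-inode recovery commands the article uses; nothing is executed.
ntfs_plan() {
    dev="$1"; shift
    ntfs_triage "$@" | while read -r inode name; do
        echo "sudo ntfsundelete $dev -u -i $inode  # $name"
    done
}

# Constructed sample listing (not real scan output).
SCAN=$(mktemp)
cat > "$SCAN" <<'EOF'
Inode    Flags  %age  Date       Time      Size  Filename
----------------------------------------------------------------
14157    FN..   100%  2010-03-05 15:01   1276345  Sunset.jpg
14158    FN..    93%  2010-03-05 15:01    987654  Garden Path.jpg
14159    FN..   100%  2010-03-05 15:02   7340032  Wildlife.mpg
14160    F...     0%  2010-03-05 15:02     40960  notes.txt
EOF
ntfs_plan /dev/sda1 "$SCAN" 90 '*'
```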


<hr>
'''Resources:'''
<hr>
* [https://www.howtogeek.com/howto/13706/recover-deleted-files-on-an-ntfs-hard-drive-from-a-ubuntu-live-cd/ Recover Deleted Files on an NTFS Hard Drive from a Ubuntu Live CD]