
Friday, 17 November 2017

goSecure: a portable VPN program

An easy to use and portable Virtual Private Network (VPN) system built with Linux and a Raspberry Pi.

About goSecure

goSecure is an easy-to-use and portable Virtual Private Network (VPN) solution.
To get started or for more information see https://iadgov.github.io/goSecure/
from https://github.com/iadgov/goSecure
-----------

goSecure Documentation (current version 0.9.9)


goSecure is an easy to use and portable Virtual Private Network (VPN) solution.

The system consists of a single server and one or many clients. strongSwan is used to establish a Suite B IPsec tunnel with pre-shared keys between the server and client(s).

The server component is a multi-homed [laptop/server/cloud instance/Raspberry Pi] that runs strongSwan using the NSA Commercial Solutions for Classified (CSfC) guidelines for protecting classified data. It is built upon a minimal and hardened Linux instance per DISA Security Technical Implementation Guides (STIGs).

The client component is a Raspberry Pi that runs strongSwan using the NSA CSfC guidelines for protecting classified data, and it utilizes its hardware Random Number Generator (RNG). It is built upon a minimal and hardened Linux instance per DISA STIGs.

The client currently supports 3 modes of operation:
  1. Ethernet (eth0) LAN - Wifi (wlan0) WAN
  2. Ethernet (eth1) LAN - Ethernet (eth0) WAN
  3. Wifi LAN (wlan0) - Ethernet (eth0) WAN

Step 0: Prerequisites

Decide on values for the following before starting:
Variable                Value
Client ID               i.e. client1.ix.mil
Client Pre-Shared Key   i.e. "cxvljals@fj09q2jasdf#dsjvk(asdjf"
Note: The PSK must be at least 16 characters. The PSK must also be surrounded in double quotes and cannot contain a double quote within.

Step 1: Build Server Side

Note: The server component build instructions are an example that can be used by affiliates that desire a complete solution, but the client component can interoperate with any VPN server that can be configured using the NSA CSfC guidelines.


Step 2: Build Client Side

Select a client side deployment option:


Step 3: Client Setup

    Setup:
    1. Plug in the Ethernet cable from the goSecure Client to the device (i.e. your laptop).
    2. Plug in the USB cable from the goSecure Client to the device (i.e. your laptop).
    3. Wait 60 seconds.
    4. Open a web browser and navigate to "https://setup.gosecure"
    5. Follow the instructions on the web page that appears. The default login username is "admin" and the password is "gosecure". You will be prompted to change them once you log in.
    6. You can access your enterprise resources now.

    Normal use:
    1. Plug in the Ethernet cable from the goSecure Client to the device (i.e. your laptop).
    2. Plug in the USB cable from the goSecure Client to the device (i.e. your laptop).
    3. Wait 60 seconds.
    4. You can access your enterprise resources now.


Client - User Instructions:


    Initial Setup:
    1. Plug in the Ethernet cable from the goSecure Client to the device (i.e. your laptop).
    2. Plug in the USB cable from the goSecure Client to the device (i.e. your laptop).
    3. Wait 60 seconds.
    4. Open a web browser and navigate to "https://setup.gosecure"
    5. Follow the instructions on the web page that appears. The default login username is "admin" and the password is "gosecure". You will be prompted to change them once you log in.
    6. You can access your enterprise resources now.

    Normal use:
    1. Plug in the Ethernet cable from the goSecure Client to the device (i.e. your laptop).
    2. Plug in the USB cable from the goSecure Client to the device (i.e. your laptop).
    3. Wait 60 seconds.
    4. You can access your enterprise resources now.

API

goSecure Client REST API examples using curl


Note: Add "--insecure" to the end of the curl command if your computer does not trust the goSecure client's self-signed certificate.
    1. Set VPN credentials:
       curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/credentials -d '{"vpn_server":"server1@ix.mil", "user_id":"client1@ix.mil","user_psk":"mysecretpsk"}'

    2. Reset (clear) VPN credentials:
       curl --user admin:gosecure -H "Content-Type: application/json" -X DELETE https://192.168.50.1/v1.0/vpn/credentials

    3. Start VPN service and establish connection:
       curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/actions -d '{"action":"start_vpn"}'

    4. Stop VPN service and close connection:
       curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/actions -d '{"action":"stop_vpn"}'

    5. Restart VPN service and establish connection:
       curl --user admin:gosecure -H "Content-Type: application/json" -X POST https://192.168.50.1/v1.0/vpn/actions -d '{"action":"restart_vpn"}'

How do I add more clients to the system?

Refer to the comments in the "/etc/ipsec.conf" configuration file on the goSecure server. Also add a new line to the "/etc/ipsec.secrets" configuration file on the goSecure server that contains the new <unique_id_of_client> and a new unique password.
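
The PSK rules from Step 0 and the new "/etc/ipsec.secrets" line described above, as an added shell example that is not part of the goSecure project. The function names are hypothetical, and the `<id> : PSK "<secret>"` layout is the general strongSwan ipsec.secrets form, assumed here; follow the comments in the server's own files for the exact selectors.

```shell
#!/bin/sh
# Added example, not goSecure project code. Function names are hypothetical.

# Step 0 rules: at least 16 characters and no double quote inside the PSK.
psk_is_valid() {
    [ "${#1}" -ge 16 ] || return 1
    case $1 in
        *'"'*) return 1 ;;
    esac
    return 0
}

# 32 bytes from the kernel CSPRNG, hex encoded: 64 characters, none of which
# needs escaping inside the surrounding double quotes.
new_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print the secrets line for one client, refusing a PSK that breaks the rules.
# Assumed layout: <client_id> : PSK "<psk>"
secrets_line() {
    psk_is_valid "$2" || { echo "PSK rejected for $1" >&2; return 1; }
    printf '%s : PSK "%s"\n' "$1" "$2"
}

# Append a client with a fresh PSK and print that PSK for the client setup.
# Refuses a client ID that already starts a line in the file, so every
# client keeps a unique ID and its own key.
add_client() {    # usage: add_client <secrets_file> <client_id>
    file=$1 id=$2
    if [ -f "$file" ] &&
       awk -v id="$id" '$1 == id { f = 1 } END { exit !f }' "$file"; then
        echo "client ID $id already present in $file" >&2
        return 1
    fi
    psk=$(new_psk)
    line=$(secrets_line "$id" "$psk") || return 1
    # Create the file owner-only if it does not exist yet.
    ( umask 077; printf '%s\n' "$line" >> "$file" )
    printf '%s\n' "$psk"
}

# Constructed demo: a line for the sample client ID from Step 0.
secrets_line client1.ix.mil "$(new_psk)"
```

On the server this would be run as root with `add_client /etc/ipsec.secrets <unique_id_of_client>`; the printed PSK is what gets entered on the client.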


