Remote access for SMB organizations over OpenVPN
Problem statement
This article describes how to organize remote access for employees on open-source products. It can be used both to build a fully autonomous system and as an extension when an existing commercial system is short of licenses or its performance is insufficient.
The goal of the article is to implement a complete system for providing remote access to an organization, which takes a little more than "install OpenVPN in 10 minutes".
As a result we get a system in which certificates and (optionally) Active Directory domain accounts are used to authenticate users. That is, we get a system with two authentication factors: what I have (the certificate) and what I know (the password).
A user is allowed to connect if they are a member of the myVPNUsr group. The certificate authority is used offline.
The cost of implementing the solution is only modest hardware resources and 1 hour of a system administrator's work.
We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, which has been allocated 100 vCPUs and 4 GiB RAM.
In the example, the organization's network is 172.16.0.0/16, where the VPN server with address 172.16.19.123 sits in the 172.16.19.0/24 segment, and the DNS servers are 172.16.16.16 and 172.16.17.17. The range 172.16.20.0/23 is allocated to VPN clients.
For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.
Disabling SELinux is strongly discouraged! OpenVPN works without disabling the security policies.
We use the CentOS 7.8.2003 distribution. The OS needs to be installed in the minimal configuration. It is convenient to do this with kickstart, by cloning a previously installed OS image, or by other means.
After installation, assign an address to the network interface (172.16.19.123 per the task statement) and update the OS:
$ sudo yum update -y && reboot
We also need to make sure that time synchronization is working on the machine.
To install the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required).
The parameters of the ABC LLC organization are described here; you can change them to real ones or leave them as in the example. The most important parameter is the last line, which sets the validity period of certificates in days. The example uses a value of 10 years (365*10 + 2 leap-year days). This value will need to be corrected before user certificates are issued.
Next we set up the autonomous certificate authority.
Setup consists of exporting the variables, initializing the CA, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully guarded and kept secret! All prompted parameters can be left at their defaults.
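The CA build sequence this section lists, written out as an added example script (it is not the article's own command listing, which is not reproduced on this page). It writes a vars file in the export form the article later edits in /usr/share/easy-rsa/3/vars, then runs init-pki, build-ca, gen-dh, the OpenVPN static TLS key, build-server-full and gen-crl. The organization values (country, city, e-mail, the ABC LLC name), the server name myvpngw (the name server.conf refers to) and the paths are assumptions; the easyrsa and openvpn commands are taken from variables so the sequence can be dry-run with EASYRSA=echo OPENVPN=echo.

```shell
#!/bin/bash
# ca-setup.sh: added example of the Easy-RSA 3 CA build steps
# (vars, init-pki, CA key+cert, DH parameters, TLS key, server key+cert, CRL).
# Organisation values and paths are assumptions for ABC LLC, not the article's vars file.
set -eu

EASYRSA_DIR=${EASYRSA_DIR:-/usr/share/easy-rsa/3}
SERVER_NAME=${SERVER_NAME:-myvpngw}   # must match the cert/key names in server.conf
# The commands are variables so the sequence can be dry-run: EASYRSA=echo OPENVPN=echo
EASYRSA=${EASYRSA:-./easyrsa}
OPENVPN=${OPENVPN:-openvpn}

# Certificate lifetime in days, the article's "365*10+2" for CA and server certificates
cert_expire_days() {
    local years=$1 leap=$2
    echo $((365 * years + leap))
}

# Write a vars file in the export form the article uses (it is sourced with ". ./vars")
write_vars() {
    local file=$1 expire=$2
    cat > "$file" <<EOF
# Organisation values are example assumptions (ABC LLC); replace with your own
export EASYRSA_REQ_COUNTRY="RU"
export EASYRSA_REQ_PROVINCE="Moscow"
export EASYRSA_REQ_CITY="Moscow"
export EASYRSA_REQ_ORG="ABC LLC"
export EASYRSA_REQ_EMAIL="admin@abc.ru"
export EASYRSA_REQ_OU="IT"
export EASYRSA_KEY_SIZE=2048
export EASYRSA_CERT_EXPIRE=$expire
EOF
}

# The CA build sequence. build-ca is deliberately run without "nopass": the CA key
# gets a passphrase, which is the protection the article demands for the offline CA.
# Easy-RSA creates pki/private with mode 0700 and openvpn writes ta.key with mode 0600.
ca_setup() {
    local dir=$1
    cd "$dir"
    . ./vars
    $EASYRSA init-pki
    $EASYRSA build-ca                       # prompts: CA name (default is fine), passphrase
    $EASYRSA gen-dh
    $OPENVPN --genkey --secret pki/ta.key   # static key for tls-auth (client key-direction 1)
    $EASYRSA build-server-full "$SERVER_NAME" nopass
    $EASYRSA gen-crl                        # server.conf has crl-verify, so crl.pem must exist
}

main() {
    case "${1:-}" in
        init)
            write_vars "$EASYRSA_DIR/vars" "$(cert_expire_days 10 2)"
            ca_setup "$EASYRSA_DIR" ;;
        *)
            echo "Usage: $0 init   (run as the user owning $EASYRSA_DIR)" ;;
    esac
}
main "$@"
```

Run it as `./ca-setup.sh init` on the VPN server; the passphrase prompt from build-ca is the point at which the CA key gets its protection, and the resulting pki/ directory is what the next section links into /etc/openvpn/.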
This completes the main part of setting up the certificate infrastructure.
Setting up OpenVPN
Go to the OpenVPN directory, create the directories and add a link to easy-rsa:
cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/
Create the main OpenVPN configuration file:
$ sudo vim server.conf
with the following content
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# server side (direction 0) of the TLS key the client template carries as <tls-auth> with key-direction 1
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# routes pushed to clients; the masks must cover the networks clients need to reach (the example organization network is 172.16.0.0/16)
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
Some notes on the parameters:
if a different name was specified when the server certificate was issued, use that name;
substitute address ranges that match your tasks*;
there can be one or more routes and DNS servers;
the last 2 lines are needed for authentication in AD**.
*The address range chosen in the example allows up to 127 clients to connect simultaneously, since a /23 network was chosen and OpenVPN creates a /30 subnet for each client.
If necessary, the port and protocol can be changed; however, bear in mind that changing the port number will require adjusting SELinux, and using tcp will increase overhead, since TCP flow control is already performed at the level of the packets encapsulated in the tunnel.
**If authentication in AD is not required, comment those lines out, skip the next section, and remove the auth-user-pass line from the template.
Authentication in AD
For the second factor we will use account verification in AD.
We need an account in the domain with ordinary user rights, and a group whose membership determines permission to connect.
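The plugin configuration that server.conf points to (/etc/openvpn/ldap.conf) is not reproduced on this page, so here is an added example that generates one for the openvpn-auth-ldap plugin and pre-checks a user's group membership with ldapsearch before OpenVPN is pointed at it. The domain abc.ru, the domain controller name, the service account and the OU layout are assumptions; the group name myVPNUsr is the one the article uses. This is not the article's own ldap.conf.

```shell
#!/bin/bash
# Added example: write /etc/openvpn/ldap.conf for openvpn-auth-ldap and pre-check a user.
# Domain, DC host, bind account and OUs below are assumptions for abc.ru.
set -eu

# write_ldap_conf OUTFILE LDAP_URL BIND_DN BIND_PASSWORD BASE_DN GROUPS_OU GROUP_CN
write_ldap_conf() {
    local out=$1 url=$2 bind_dn=$3 bind_pw=$4 base_dn=$5 groups_ou=$6 group_cn=$7
    # The file carries the bind password: create it with mode 0600 (umask in a subshell
    # so the caller's umask is untouched).
    ( umask 077; cat > "$out" <<EOF
<LDAP>
    # ldaps:// (or TLSEnable yes for STARTTLS) keeps both the bind password and the
    # user's password off the wire; the plugin verifies the password by binding as the user.
    URL             $url
    BindDN          "$bind_dn"
    Password        "$bind_pw"
    Timeout         15
    TLSEnable       no
    FollowReferrals no
</LDAP>
<Authorization>
    BaseDN          "$base_dn"
    # %u is the name typed into the client (auth-user-pass); disabled accounts are excluded
    SearchFilter    "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    # Membership in the group is the authorization decision for the second factor
    RequireGroup    true
    <Group>
        BaseDN          "$groups_ou"
        SearchFilter    "(cn=$group_cn)"
        MemberAttribute member
    </Group>
</Authorization>
EOF
    )
}

# Same lookup the plugin will make, done with ldapsearch (openldap-clients) so a wrong
# DN or password shows up here rather than in a failing VPN login.
# ldap_precheck LDAP_URL BIND_DN BIND_PASSWORD BASE_DN GROUP_DN USERNAME
ldap_precheck() {
    local url=$1 bind_dn=$2 bind_pw=$3 base_dn=$4 group_dn=$5 user=$6
    ldapsearch -x -LLL -H "$url" -D "$bind_dn" -w "$bind_pw" -b "$base_dn" \
        "(&(sAMAccountName=$user)(memberOf=$group_dn))" dn
}

main() {
    case "${1:-}" in
        write)
            write_ldap_conf /etc/openvpn/ldap.conf "ldaps://dc1.abc.ru" \
                "CN=svc-vpn,OU=Service,DC=abc,DC=ru" "${BIND_PW:?set BIND_PW}" \
                "DC=abc,DC=ru" "OU=Groups,DC=abc,DC=ru" "myVPNUsr" ;;
        check)
            ldap_precheck "ldaps://dc1.abc.ru" "CN=svc-vpn,OU=Service,DC=abc,DC=ru" \
                "${BIND_PW:?set BIND_PW}" "DC=abc,DC=ru" \
                "CN=myVPNUsr,OU=Groups,DC=abc,DC=ru" "${2:?username}" ;;
        *) echo "Usage: BIND_PW=... $0 write | check <username>" ;;
    esac
}
main "$@"
```

If `check` returns the user's DN, the same account will pass the plugin's group test; an empty result means the user is not in myVPNUsr (or the account is disabled) and the VPN login will be refused even with a valid certificate.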
The service status and logs can be inspected with:
systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Issuing and revoking certificates
Since, besides the certificates themselves, keys and other settings are required, it is very convenient to pack all of this into a single profile file. This file is handed to the user, and the profile is imported into the OpenVPN client. To do this, we create a settings template and a script that generates the profile.
You need to add the contents of the root certificate (ca.crt) and the TLS key (ta.key) to the profile.
Before issuing user certificates, don't forget to set the required validity period for certificates in the parameters file. Don't make it too long; I recommend limiting yourself to a maximum of 180 days.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Notes:
replace the PUT YOUR... lines with the contents of your own certificate and key;
in the remote directive, put the name/address of your gateway;
the auth-user-pass directive is used for the additional external authentication.
In the home directory (or another convenient place) we create a script for requesting a certificate and creating the profile:
vim ~/make.profile.sh
#!/bin/bash
if [ -z "$1" ] ; then
  echo "Missing mandatory client name. Usage: $0 vpn-username"
  exit 1
fi
# Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
# Lowercase the client name once and use it everywhere (request, key, cert, profile)
client=${1,,}
profile=$clntpath/$client.ovpn
# Current year for the log line (%Y; %F would give the full date)
year=$(date +%Y)
echo "Processing $year year cert for user/device $client"
cd "$basepath" || exit 1
# Refuse to issue a second certificate under the same name
if [ -e "$profile" ] || [ -f "$privpath/$client.key" ]; then
  echo "*** ERROR! ***"
  echo "Certificate $client already issued!"
  echo "*** ERROR! ***"
  exit 1
fi
# Load the variables (organization DN fields and EASYRSA_CERT_EXPIRE)
. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass || exit 1
./easyrsa --batch sign-req client "$client" || exit 1
# Make profile: the template followed by inline <key> and <cert> blocks
cp "$clntpath/template.ovpn" "$profile"
{
  echo "<key>"
  cat "$privpath/$client.key"
  echo "</key>"
  echo
  echo "<cert>"
  # openssl x509 prints only the PEM block, dropping the text dump easyrsa writes before it
  openssl x509 -in "$certpath/$client.crt"
  echo "</cert>"
  echo
} >> "$profile"
# The profile contains the private key: only the owner may read it
chmod 600 "$profile"
echo "Complete. See $profile file."
cd ~
Make the file executable:
chmod a+x ~/make.profile.sh
And we can issue our first certificate.
~/make.profile.sh my-first-user
Note
If a certificate is compromised (lost, stolen), it must be revoked:
cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl
Checking issued and revoked certificates
To check issued and revoked certificates, just look at the index file:
cd /usr/share/easy-rsa/3/
cat pki/index.txt
Notes:
the first line is the server certificate;
the first character:
V (Valid) - valid;
R (Revoked) - revoked.
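Reading pki/index.txt by eye works for a handful of users; as an added example (not part of the article), here is a small script that parses the file's tab-separated columns (status, expiry, revocation date, serial, "unknown", subject DN), reports each certificate, and checks that every entry revoked in the index is also present in the CRL the server actually enforces through crl-verify. The three index lines embedded in the script are constructed sample data, not output of a real CA.

```shell
#!/bin/bash
# Added example: report certificate state from an Easy-RSA 3 index.txt and detect
# revocations that never reached crl.pem. The sample index below is constructed data.
set -eu

# index.txt columns (tab separated): status, expiry YYMMDDHHMMSSZ, revocation date
# (empty while valid), serial, "unknown", subject DN such as /CN=my-first-user
index_report() {        # index_report FILE -> "CN STATUS EXPIRY [revoked_on=DATE]" per line
    awk -F'\t' '{
        cn = $6; sub(/.*\/CN=/, "", cn)
        expiry = "20" substr($2, 1, 2) "-" substr($2, 3, 2) "-" substr($2, 5, 2)
        if ($1 == "V") print cn, "valid", expiry
        else if ($1 == "R") print cn, "revoked", expiry,
            "revoked_on=20" substr($3, 1, 2) "-" substr($3, 3, 2) "-" substr($3, 5, 2)
        else if ($1 == "E") print cn, "expired", expiry
    }' "$1"
}

count_status() {        # count_status FILE V|R|E -> number of entries with that status
    awk -F'\t' -v s="$2" '$1 == s {n++} END {print n+0}' "$1"
}

# A certificate marked R in the index but missing from crl.pem is still accepted by
# the server: "easyrsa revoke" was run but "easyrsa gen-crl" was forgotten.
missing_from_crl() {    # missing_from_crl INDEX CRL.pem -> serials revoked but not in the CRL
    local crl_serials
    crl_serials=$(openssl crl -in "$2" -noout -text | awk '/Serial Number:/ {print $3}')
    awk -F'\t' '$1 == "R" {print $4}' "$1" | while read -r serial; do
        printf '%s\n' "$crl_serials" | grep -qix "$serial" || echo "$serial"
    done
}

sample_index() {        # constructed sample: server cert, one valid user, one revoked user
    printf 'V\t300601120000Z\t\t01\tunknown\t/CN=myvpngw\n'
    printf 'V\t201201120000Z\t\t02\tunknown\t/CN=my-first-user\n'
    printf 'R\t201201120000Z\t200615093000Z\t03\tunknown\t/CN=lost-laptop\n'
}

main() {
    local index=${1:-}
    if [ -z "$index" ]; then            # no path given: run on the constructed sample
        index=$(mktemp)
        sample_index > "$index"
    fi
    index_report "$index"
    echo "valid: $(count_status "$index" V), revoked: $(count_status "$index" R)"
    if [ -n "${2:-}" ]; then            # optional second argument: the CRL to compare with
        missing_from_crl "$index" "$2" | sed 's/^/WARNING: revoked but not in CRL, serial /'
    fi
}
main "$@"
```

On the server this is `./index-report.sh /usr/share/easy-rsa/3/pki/index.txt /usr/share/easy-rsa/3/pki/crl.pem`. Two points worth checking with it: a serial reported as "revoked but not in CRL" means gen-crl must be rerun, and the CRL itself has an expiry (Easy-RSA's EASYRSA_CRL_DAYS); once it has passed, OpenVPN's crl-verify rejects every client, so regenerate the CRL before that date even if nothing was revoked.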
Network configuration
The last stage is configuring the transport network: routing and firewalls.
In a corporate environment there will most likely be subnetting, and we need to tell the router(s) how to send packets destined for our VPN clients. On the command line we run a command along the lines of (depending on the equipment used):
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
and save the configuration.
In addition, on the border router where the external address gw.abc.ru is published, udp/1194 packets must be allowed through.
If the organization has strict security rules, a firewall must also be configured on the VPN server itself. In my opinion, the most flexibility is provided by configuring the iptables FORWARD chain, although setting it up is less convenient. A little more about setting it up. For this it is most convenient to use "direct rules", stored in the file /etc/firewalld/direct.xml. The current set of rules can be obtained as follows:
These are essentially the usual iptables rules, just packaged differently since firewalld arrived.
With default settings the tunnel interface is tun0, and the external interface for the tunnel may differ, for example en192, depending on the platform used.
The last line is for logging dropped packets. For logging to work, you need to change the debug level in the firewall settings:
vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2
The settings are applied with the usual firewalld command to re-read the configuration:
$ sudo firewall-cmd --reload
Dropped packets can be viewed like this:
grep forward_fw /var/log/messages
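The article's own direct.xml is not reproduced on this page, so as an added example here is a script that generates a FORWARD rule set of the kind the section describes: established flows pass, VPN clients reach the DNS servers, everything else from the tunnel is logged with the forward_fw prefix that the grep above looks for and then dropped. The interface name ens192, the client range 172.16.20.0/23 and the two DNS addresses are taken from the article's example layout as assumptions; the rule set itself is not the article's.

```shell
#!/bin/bash
# Added example: generate a firewalld direct.xml for the FORWARD chain on the VPN server.
# Tunnel side tun0; outer interface, client range and DNS addresses are assumptions
# matching the article's example layout.
set -eu

# One <rule> line for the FORWARD chain of the filter table; lower priority runs first
rule() {
    printf '  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="%s">%s</rule>\n' "$1" "$2"
}

# write_direct_xml OUTFILE TUN_IF EXT_IF VPN_NET "DNS1 DNS2 ..."
write_direct_xml() {
    local out=$1 tun=$2 ext=$3 vpn=$4 dns_list=$5 dns
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<direct>\n'
        # replies to flows already accepted, in both directions
        rule 0 "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # VPN clients may query the DNS servers; add one ACCEPT per further allowed service
        for dns in $dns_list; do
            rule 1 "-i $tun -o $ext -s $vpn -d $dns -p udp --dport 53 -j ACCEPT"
            rule 1 "-i $tun -o $ext -s $vpn -d $dns -p tcp --dport 53 -j ACCEPT"
        done
        # anything else arriving from the tunnel: log (grep forward_fw /var/log/messages), then drop
        rule 10 "-i $tun -j LOG --log-prefix forward_fw: --log-level 4"
        rule 11 "-i $tun -j DROP"
        printf '</direct>\n'
    } > "$out"
}

# Install the generated file and make firewalld re-read it; show what is now loaded
apply_direct_xml() {
    cp "$1" /etc/firewalld/direct.xml
    firewall-cmd --reload
    firewall-cmd --direct --get-all-rules
}

main() {
    local tmp
    tmp=$(mktemp)
    write_direct_xml "$tmp" tun0 ens192 172.16.20.0/23 "172.16.16.16 172.16.17.17"
    case "${1:-}" in
        apply) apply_direct_xml "$tmp" ;;
        *) cat "$tmp" ;;                     # preview only
    esac
}
main "$@"
```

Run without arguments to preview the XML, with `apply` to install it. Two things the file does not cover: forwarding between tun0 and the LAN also needs net.ipv4.ip_forward=1 in sysctl, and `firewall-cmd --direct --get-all-rules` is the command to list whatever direct rules are currently loaded, which is the check this section refers to.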
What's next
This completes the setup!
All that remains is to install the client software on the client side, import the profile and connect. For Windows operating systems, the distribution is available on the developer's site.
Finally, we connect our new server to the monitoring and backup systems, and don't forget to install updates regularly.