Organising remote access for a small or medium-sized business on OpenVPN

Problem statement

The article describes how to organise remote access for employees using open-source products. The approach can be used both to build a completely self-contained system and to extend an existing commercial system when it is short of licences or its performance is insufficient.

The goal of the article is to implement a complete system for providing remote access into an organisation, which is rather more than "install OpenVPN in 10 minutes".

As a result we get a system that uses certificates and (optionally) the company's Active Directory to authenticate users. That is, a system with two authentication factors: what I have (a certificate) and what I know (a password).

The sign that a user is allowed to connect is membership of the myVPNUsr group. The certificate authority is used offline.

The cost of implementing the solution is only modest hardware resources and about 1 hour of a system administrator's time.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPUs and 4 GiB of RAM, with 4 network connections.

In the example, our organisation's network is 172.16.0.0/16; the VPN server with address 172.16.19.123 sits in the 172.16.19.0/24 segment, and the DNS servers are 172.16.16.16 and 172.16.17.17. The range 172.16.20.0/23 is allocated for VPN clients.

For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.

Disabling SELinux is strongly discouraged! OpenVPN works without switching the security policy off.

Contents

  1. Installing the OS and application software
  2. Setting up cryptography
  3. Setting up OpenVPN
  4. AD authentication
  5. Starting and diagnostics
  6. Issuing and revoking certificates
  7. Network setup
  8. What next

Installing the OS and application software

We use the CentOS 7.8.2003 distribution. The OS needs to be installed in the minimal configuration. This is conveniently done with kickstart, by cloning a previously installed OS image, or by other means.

After installation, assign an address on the network interface (172.16.19.123 in the terms of reference) and update the OS:

$ sudo yum update -y && sudo reboot

We also need to make sure that time synchronisation is working on our machine.
To install the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required):

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install the guest agent for the virtual machine:

$ sudo yum install open-vm-tools

for VMware ESXi hosts, or for oVirt:

$ sudo yum install ovirt-guest-agent

Setting up cryptography

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create the variables file:

$ sudo vim vars

with the following content:

# The KEY_* names below follow the Easy-RSA 2 convention and are kept as in the
# original; the easyrsa 3 script reads the DN fields from EASYRSA_REQ_* variables
# (EASYRSA_REQ_COUNTRY and so on), so the line that matters to it here is the
# last one, EASYRSA_CERT_EXPIRE.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="MyRegion"
export KEY_CITY="MyCity"
export KEY_ORG="ABC LLC"
export KEY_EMAIL="[email protected]"
export KEY_CN="allUsers"
export KEY_OU="allUsers"
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
# certificate validity in days; lowered before user certificates are issued (see below)
export EASYRSA_CERT_EXPIRE=3652

The parameters of the organisation ABC LLC are shown here; you can change them to your real ones or leave them as in the example. The most important parameter is the last line, which sets the validity period of certificates in days. The example uses a value of 10 years (365*10 + 2 leap days). This value will need to be reduced before issuing user certificates.

Next we set up the self-contained certificate authority.

Setup consists of exporting the variables, initialising the CA, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All prompted parameters can be left at their defaults.

# run as root (or prefix each command with sudo): /usr/share/easy-rsa/3/ is root-owned
cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
# nopass leaves the CA private key unencrypted on disk; this is the key to guard
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
# an (initially empty) CRL, referenced later by crl-verify in server.conf
./easyrsa gen-crl
# the shared TLS-auth key, later embedded in every client profile
openvpn --genkey --secret pki/ta.key

This completes the main part of setting up the cryptographic subsystem.

Setting up OpenVPN

Go to the OpenVPN directory, create the directories and add a link to easy-rsa:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following content:

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
# the client template embeds ta.key with key-direction 1, so the server needs
# the same key with direction 0 (this line was missing from the original listing)
tls-auth /etc/openvpn/pki/ta.key 0
# re-read on every client connect after privileges have dropped to nobody,
# so crl.pem must stay readable by that user
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# the organisation's network is 172.16.0.0/16; the original listing pushed it with a /24 mask
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

A few notes on the parameters:

  • if a different name was specified when the certificate was issued, use that;
  • set the address ranges to match your environment*;
  • there can be one or more routes and DNS servers;
  • the last 2 lines are needed for authentication in AD**.

*The address range chosen in the example lets up to 127 clients connect at once, because a /23 network was chosen and OpenVPN creates a subnet for every client with a /30 mask.
If necessary, the port and protocol can be changed; bear in mind, however, that changing the port number will require SELinux configuration, and using tcp will add overhead, because TCP control is already performed at the level of the packets encapsulated in the tunnel.

**If authentication in AD is not needed, comment those lines out, skip the next section, and remove the auth-user-pass line from the template.
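Before starting the service it is worth checking that every file server.conf points at exists and has permissions that survive the drop to "user nobody". The script below is an added example, not part of the original article: it reads the ca, cert, key, dh, crl-verify and tls-auth directives from a server.conf, resolves relative paths against the file's own directory (as the openvpn@ unit does), and reports missing files, a CRL that nobody cannot read, and private keys that are group- or world-readable. The function names and the test files are constructed for this example.

```bash
#!/bin/sh
# Added example (not from the original article): sanity-check the PKI files an
# OpenVPN server.conf refers to before the service is started. Directive names
# are those used in the article's server.conf; all paths are whatever the
# given server.conf contains.

# Resolve a path relative to the directory holding server.conf, which is the
# working directory the openvpn@ unit uses for relative file names.
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Print one line per problem found; the return value is the number of problems.
openvpn_pki_preflight() {
    conf=$1
    confdir=$(dirname "$conf")
    problems=0
    for directive in ca cert key dh crl-verify tls-auth; do
        # the first word after the directive is the file ("tls-auth file 0" has an extra arg)
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$file" ]; then
            echo "MISSING directive: $directive"
            problems=$((problems + 1)); continue
        fi
        path=$(resolve_path "$confdir" "$file")
        if [ ! -f "$path" ]; then
            echo "NOT FOUND: $directive -> $path"
            problems=$((problems + 1)); continue
        fi
        case "$directive" in
            crl-verify)
                # The CRL is re-read on every client connect, after privileges
                # have dropped to "user nobody", so others must be able to read it.
                if [ -z "$(find "$path" -prune -perm -o=r)" ]; then
                    echo "UNREADABLE by nobody: $directive -> $path"
                    problems=$((problems + 1))
                fi ;;
            key|tls-auth)
                # Private material is read once as root; keep it off-limits to everyone else.
                if [ -n "$(find "$path" -prune \( -perm -g=r -o -perm -o=r \))" ]; then
                    echo "TOO OPEN: $directive -> $path (expected mode 0600)"
                    problems=$((problems + 1))
                fi ;;
        esac
    done
    [ "$problems" -eq 0 ] && echo "PKI preflight OK: $conf"
    return "$problems"
}

# Stand-alone use: openvpn_pki_preflight /etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    openvpn_pki_preflight "$1"
fi
```

The exit status equals the number of problems, so the check can be placed in front of `systemctl start` in a deployment script and will stop it when anything is wrong.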

AD authentication

To support the second factor we will use account verification in AD.

We need an account in the domain with ordinary user rights, and a group whose membership will determine who may connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the following content:

<LDAP>
        # plain ldap:// with TLSEnable no sends the bind password and every user's
        # password across the LAN in clear text; prefer ldaps:// or TLSEnable yes
        # where the domain controller supports it
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Key parameters:

  • URL "ldap://ldap.abc.ru" - address of the domain controller;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - canonical name of the account used to bind to LDAP (the bindUsr account in the abc.ru/Users container);
  • Password b1ndP@SS - the bind account's password;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" - the path from which the user search starts;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" - the container of the authorising group (group myVPNUsr in the abc.ru/myGrp container);
  • SearchFilter "(cn=myVPNUsr)" - the name of the authorising group.
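The plugin performs two lookups for every login: it searches the user BaseDN with SearchFilter (with %u replaced by the login name) to find the user's DN, and then, because RequireGroup is true, reads the group object under the group BaseDN and checks that the user's DN appears in its MemberAttribute. The script below is an added example, not part of the original article: it parses an ldap.conf in the layout shown above and prints the two ldapsearch commands that reproduce those lookups, so the values can be verified from the command line before the plugin is enabled. The function names and the test user "jdoe" are constructed for this example.

```bash
#!/bin/sh
# Added example (not from the original article): derive the ldapsearch commands
# that mirror openvpn-auth-ldap's user lookup and group check from ldap.conf.

# Print the value of key $2 inside section $3 (LDAP, Authorization or Group)
# of ldap.conf $1, stripping the surrounding quotes.
ldap_conf_get() {
    awk -v key="$2" -v sect="$3" '
        /^[ \t]*<[A-Za-z]+>/   { gsub(/[<> \t]/, ""); cur = $0; next }          # opening tag
        /^[ \t]*<\/[A-Za-z]+>/ { cur = (cur == "Group") ? "Authorization" : ""; next }  # closing tag
        cur == sect && $1 == key { v = $2; gsub(/"/, "", v); print v; exit }
    ' "$1"
}

# Print, for login name $2, the two searches the plugin runs against ldap.conf $1.
ldap_check_cmds() {
    conf=$1; user=$2
    url=$(ldap_conf_get "$conf" URL LDAP)
    binddn=$(ldap_conf_get "$conf" BindDN LDAP)
    ubase=$(ldap_conf_get "$conf" BaseDN Authorization)
    ufilter=$(ldap_conf_get "$conf" SearchFilter Authorization | sed "s/%u/$user/g")
    gbase=$(ldap_conf_get "$conf" BaseDN Group)
    gfilter=$(ldap_conf_get "$conf" SearchFilter Group)
    memattr=$(ldap_conf_get "$conf" MemberAttribute Group)
    # Step 1: locate the user under the user BaseDN; must return exactly one DN
    printf 'ldapsearch -x -H %s -D "%s" -W -b "%s" "%s" dn\n' \
        "$url" "$binddn" "$ubase" "$ufilter"
    # Step 2: read the group and confirm the DN from step 1 is listed in MemberAttribute
    printf 'ldapsearch -x -H %s -D "%s" -W -b "%s" "%s" %s\n' \
        "$url" "$binddn" "$gbase" "$gfilter" "$memattr"
}

# Stand-alone use: ldap_check_cmds /etc/openvpn/ldap.conf some.user
if [ $# -gt 1 ]; then
    ldap_check_cmds "$1" "$2"
fi
```

If the first command returns no DN, the user BaseDN or SearchFilter is wrong; if the second returns the group without the user's DN among its member values, the account is simply not in myVPNUsr and the plugin will refuse the connection even though the password is correct.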

Starting and diagnostics

Now we can try to enable and start our server:

$ sudo systemctl enable openvpn@server.service
$ sudo systemctl start openvpn@server.service

Checking the start:

systemctl status openvpn@server.service
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Issuing and revoking certificates

Since, besides the certificates themselves, keys and other settings are needed, it is very convenient to pack all of it into a single profile file. That file is handed to the user and imported into the OpenVPN client. To do this we create a settings template and a script that generates the profile.

The contents of the root certificate (ca.crt) and the TLS key (ta.key) need to be added to the template.

Before issuing user certificates, don't forget to set the required validity period in the parameters file. Don't make it too long; I recommend limiting it to at most 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • replace the PUT YOUR ... strings with the contents of your own certificate and key;
  • in the remote directive, put the name/address of your gateway;
  • the auth-user-pass directive is used for the additional external authentication.

In the home directory (or another convenient place) we create a script for requesting a certificate and building the profile:

vim ~/make.profile.sh

#!/bin/bash
set -e

if [ -z "$1" ] ; then
 echo "Missing mandatory client name. Usage: $0 vpn-username"
 exit 1
fi

#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

#Get current year and lowercase client name; $client is used everywhere below
#(the original mixed $1 and $client, which breaks for mixed-case names)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"

cd $basepath

#Refuse to issue the same name twice
if [ -f "$profile" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"

#Make profile
cp "$clntpath/template.ovpn" "$profile"

echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"

echo "" >> "$profile"
#Re-encode the issued certificate so only the PEM block (no text dump) lands in the profile
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"

echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo "" >> "$profile"

#remove tmp file
rm -f "$basepath/$client.crt"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod a+x ~/make.profile.sh

And we can issue our first certificate.

~/make.profile.sh my-first-user

Revocation

If a certificate is compromised (lost, stolen), it must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

No restart is needed: OpenVPN re-reads crl.pem (reached through the /etc/openvpn/pki link) on each new connection.

Viewing issued and revoked certificates

To view issued and revoked certificates, just look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Notes:

  • the first line is the server certificate;
  • the first character:
    • V (Valid) - valid;
    • R (Revoked) - revoked.
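index.txt is OpenSSL's CA database: one tab-separated line per certificate with the status (V, R, or E for expired), the expiry date, the revocation date (empty unless revoked), the serial number, a filename field and the subject DN. The script below is an added example, not part of the original article: it turns that file into a readable report and, given today's date, flags certificates that have expired or will expire within a threshold, which is the list an administrator needs when user certificates are limited to 180 days as recommended above. The function name and the index lines in the test are constructed for this example.

```bash
#!/bin/sh
# Added example (not from the original article): report on Easy-RSA's
# pki/index.txt and flag certificates that are revoked, expired or expiring.

# $1 = index.txt path, $2 = today as YYYYMMDD, $3 = warning threshold in days (default 30)
pki_index_report() {
    awk -F '\t' -v today="$2" -v warn="${3:-30}" '
    # OpenSSL writes YYMMDDHHMMSSZ (UTCTime) for dates before 2050 and
    # YYYYMMDDHHMMSSZ (GeneralizedTime) afterwards; normalise both to YYYYMMDD
    function ymd(d) { return (length(d) == 15) ? substr(d, 1, 8) : "20" substr(d, 1, 6) }
    # approximate distance in days between two YYYYMMDD values; enough for a warning
    function days(a, b) { return (substr(a, 1, 4) - substr(b, 1, 4)) * 365 + (substr(a, 5, 2) - substr(b, 5, 2)) * 30 + (substr(a, 7, 2) - substr(b, 7, 2)) }
    NF < 6 { next }                                   # skip blank or malformed lines
    {
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)   # CN out of the subject DN
        expd = ymd($2)
        if ($1 == "R")                       state = "REVOKED " ymd($3)
        else if ($1 == "E" || expd < today)  state = "EXPIRED"
        else if (days(expd, today) <= warn)  state = "EXPIRES SOON"
        else                                 state = "valid"
        printf "%-16s serial=%s expires=%s %s\n", cn, $4, expd, state
    }' "$1"
}

# Stand-alone use: pki_index_report /usr/share/easy-rsa/3/pki/index.txt [days]
if [ $# -gt 0 ]; then
    pki_index_report "$1" "$(date +%Y%m%d)" "${2:-30}"
fi
```

Run it against the real file as `pki_index_report /usr/share/easy-rsa/3/pki/index.txt $(date +%Y%m%d) 30`; a revoked entry stays in the file with its revocation date, so the report also shows when each lost or stolen certificate was pulled.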

Network setup

The final steps are configuring the transport network - routing and firewalls.

Allow connections in the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP forwarding (the redirect has to run as root, so tee is used rather than a plain sudo echo):

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a corporate environment there will most likely be several subnets, and we need to tell the router(s) how to send packets destined for our VPN clients. On the command line we run something like (depending on the equipment used):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

In addition, on the border router where the external address gw.abc.ru is published, udp/1194 packets must be allowed through.

If the organisation has strict security rules, a firewall must also be configured on the VPN server itself. In my opinion the greatest flexibility comes from setting up iptables FORWARD chains, although configuring them is not very convenient. A little more about setting them up. The most convenient way is to use "direct rules", stored in the file /etc/firewalld/direct.xml. The current set of rules can be obtained like this:

$ sudo firewall-cmd --direct --get-all-rules

Before changing the file, make a backup copy of it:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The approximate contents of the file are:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services. eth0 is the LAN interface; use the platform's name (e.g. ens192) consistently in every rule-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging: priority 1 runs after the ACCEPT rules above, so only unmatched packets are logged-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Notes

These are essentially ordinary iptables rules, packaged differently since the arrival of firewalld.

The tunnel interface with default settings is tun0, and the external interface for the tunnel may vary, for example ens192, depending on the platform used.

The last line is for logging dropped packets. For the logging to work, you need to change the debug level in the firewall settings:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

Applying the settings is the usual firewalld command to re-read the configuration:

$ sudo firewall-cmd --reload

You can view the dropped packets like this:

grep forward_fw /var/log/messages
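Because the LOG rule sits at priority 1, behind every priority-0 ACCEPT, each "forward_fw" line in /var/log/messages is a packet from a VPN client that no rule allowed. Grouping those lines by protocol, destination and port shows at a glance what clients are trying to reach and being denied, which is the input for extending (or deliberately not extending) the direct rules. The script below is an added example, not part of the original article: it parses netfilter's KEY=VALUE log format and prints a ranked summary. The function name and the log lines in the test are constructed, not captured from a real host.

```bash
#!/bin/sh
# Added example (not from the original article): summarise the packets logged
# by the priority-1 direct rule ("forward_fw " prefix) by protocol/destination/port.

# Reads syslog lines on stdin, prints "count PROTO DST DPT", most frequent first.
forward_fw_summary() {
    grep 'forward_fw ' | awk '
    {
        proto = "-"; dst = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            # netfilter LOG fields are KEY=VALUE tokens (flags like DF or SYN have no "=")
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            if (k == "PROTO") proto = v
            else if (k == "DST") dst = v
            else if (k == "DPT") dpt = v
        }
        count[proto " " dst " " dpt]++
    }
    END { for (key in count) print count[key], key }' | sort -rn
}

# Stand-alone use: forward_fw_summary < /var/log/messages
if [ $# -gt 0 ]; then
    forward_fw_summary < "$1"
fi
```

A destination/port pair that appears many times is either a service that should get its own ACCEPT rule or a client that is probing where it should not; either way the ranked list tells the administrator which it is worth looking at first.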

What next

This completes the setup!

What remains is to install the client software on the client side, import the profile and connect. For Windows operating systems the installation package is available on the author's site.

Finally, we connect our new server to the monitoring and backup systems, and don't forget to install updates regularly.

Stable connections!

source: www.habr.com
