Setting up remote work for a small business over OpenVPN
Problem statement
This article shows how to set up remote access for employees using open-source products. The result can serve as a fully autonomous system, or as extra capacity when an existing commercial system has run out of licenses or lacks performance.
The goal is a complete system for giving an organization remote access, which is somewhat more than "install OpenVPN in 10 minutes".
As a result we get a system in which certificates and (optionally) the corporate Active Directory are used to authenticate users. That is, a system with two factors: what I have (a certificate) and what I know (a password).
A user is allowed to connect if they are a member of the myVPNUsr group. The certificate authority will be a standalone one.
The cost of the solution is a small amount of hardware resources and 1 hour of administrator time.
We use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPU and 4 GiB RAM for 4 connections.
In the example, the organization's network is 172.16.0.0/16; the VPN server has the address 172.16.19.123 in the 172.16.19.0/24 segment, and the DNS servers are 172.16.16.16 and 172.16.17.17. The range 172.16.20.0/23 is allocated to VPN clients.
For connections from outside, port 1194/udp is used, and an A record gw.abc.ru pointing to our server has been created in DNS.
Disabling SELinux is strongly discouraged! OpenVPN works without turning off the security policies.
We use the CentOS 7.8.2003 distribution, installed in the minimal configuration. This is easy to do with kickstart, by cloning a prepared OS image, or by other means.
After installation, assign the address to the network interface (172.16.19.123 per the task conditions) and update the OS:
$ sudo yum update -y && sudo reboot
Make sure time synchronization works on the machine.
For the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required).
The parameters are given for the test organization ABC LLC; you can change them to real ones or keep the example values. The most important parameter is the last line, which sets the certificate validity in days. The example uses 10 years (365*10 + 2 days for leap years). This value must be changed before user certificates are issued.
Next, set up the standalone certificate authority.
The setup consists of exporting the variables, initializing the CA, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! The request parameters can be left at their defaults.
This completes the main part of setting up the cryptographic machinery.
Configuring OpenVPN
Go to the OpenVPN directory, create the service directories and add a symlink to easy-rsa:
cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/
Create the main OpenVPN configuration file:
$ sudo vim server.conf
with the following contents:
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# pairs with key-direction 1 in the client template; without it clients fail the tls-auth check
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
Some notes on the parameters:
if a different name was given when the server certificate was issued, specify it in the cert and key lines;
specify an address pool appropriate to your needs*;
there may be one or more routes and DNS servers; the pushed routes must cover the segments the clients need, including the DNS servers;
the last 2 lines are required for authentication against AD**.
* The address range chosen in the example allows 127 clients to connect simultaneously, because a /23 network is used and OpenVPN allocates a /30 subnet to each client.
If needed, the port and protocol can be changed, but bear in mind that changing the port number entails adjusting SELinux, and using tcp increases overhead, because TCP delivery control is already performed for the packets encapsulated inside the tunnel.
** If authentication against AD is not required, comment these two lines out, skip the next section and remove the auth-user-pass line from the template.
AD authentication
To support the second factor we use account verification against AD.
We need a domain account with the rights of an ordinary user, and a group whose membership determines who may connect.
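A matching /etc/openvpn/ldap.conf for the openvpn-auth-ldap plugin referenced in server.conf, written here as an added example rather than the article's own file; the domain controller name, the service account DN, the CA file path and the OU paths are assumptions to replace with your own.

```apacheconf
<LDAP>
    # Domain controller (assumed hostname); ldaps keeps the user's password off the wire
    URL             ldaps://dc1.abc.ru
    # Ordinary domain account used only to search the directory (assumed DN)
    BindDN          "CN=svc-openvpn,OU=Service Accounts,DC=abc,DC=ru"
    # Keep this file mode 0600: it holds the service account password
    Password        "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
    Timeout         15
    # StartTLS is not needed on an ldaps:// URL; verify the server against the AD CA (assumed path)
    TLSEnable       no
    TLSCACertFile   /etc/openvpn/ad-ca.pem
    FollowReferrals no
</LDAP>

<Authorization>
    # Where user objects live (assumed OU); %u is the username the client sent via auth-user-pass
    BaseDN          "OU=Users,DC=abc,DC=ru"
    SearchFilter    "(sAMAccountName=%u)"
    # Only members of myVPNUsr may connect (assumed group location)
    RequireGroup    true
    <Group>
        BaseDN          "OU=Groups,DC=abc,DC=ru"
        SearchFilter    "(cn=myVPNUsr)"
        MemberAttribute member
    </Group>
</Authorization>
```

Because server.conf uses username-as-common-name, the AD username should match the certificate CN that the profile script issues (lowercased).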
If the service does not start or clients cannot connect, check the service status and the logs:
systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Issuing and revoking certificates
Besides the certificate itself, the user needs keys and other settings, so it is very convenient to bundle all of this into a single profile file. This file is handed to the user and imported into the OpenVPN client. To do this we create a settings template and a script that generates the profile.
The contents of the root certificate (ca.crt) and the TLS key (ta.key) files must be added to the template.
Before issuing user certificates, remember to set the required certificate validity period in the parameters file. Do not make it too long; I recommend limiting it to 180 days.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Notes:
the PUT YOUR ... lines are replaced with the contents of the corresponding certificate and key files;
in the remote directive, specify the name or address of your gateway;
the auth-user-pass directive is used for the external (AD) authentication.
In the home directory (or another suitable place) create a script that requests a certificate and builds the profile:
vim ~/make.profile.sh
#!/bin/bash
# Issue a client certificate with Easy-RSA and build a single .ovpn profile from the template
if [ -z "$1" ] ; then
  echo "Missing mandatory client name. Usage: $0 vpn-username"
  exit 1
fi
# Stop at the first failed step so a half-built profile is never left behind
set -e
#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
#Get current year and lowercase client name (the CN and all file names use the lowercase form)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"
cd "$basepath"
#Refuse to issue twice: a profile for this name already exists
if ls "$clntpath/$client".* >/dev/null 2>&1; then
  echo "*** ERROR! ***"
  echo "Certificate $client already issued!"
  echo "*** ERROR! ***"
  exit 1
fi
. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"
#Make profile: template plus inline <key> and <cert> blocks
cp "$clntpath/template.ovpn" "$profile"
chmod 600 "$profile"
echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"
echo >> "$profile"
#Strip the human-readable text Easy-RSA prepends, keeping only the PEM block
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"
echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo >> "$profile"
#remove tmp file
rm -f "$basepath/$client.crt"
echo "Complete. See $profile file."
cd ~
Make the file executable:
chmod a+x ~/make.profile.sh
Now we can issue our first certificate:
~/make.profile.sh my-first-user
Revocation
If a certificate is compromised (lost, stolen), it must be revoked:
cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl
OpenVPN re-reads the CRL for each new connection while running as user nobody, so the regenerated pki/crl.pem must remain readable by that user.
Viewing issued and revoked certificates
To see the issued and revoked certificates, just look at the index file:
cd /usr/share/easy-rsa/3/
cat pki/index.txt
Explanations:
the first line is the server certificate;
the first character is
V (Valid): the certificate is valid;
R (Revoked): the certificate has been revoked.
Network configuration
The final steps are configuring the transport network: routing and firewalls.
In an enterprise network there is probably subnetting, and the router(s) need to be told how to forward packets destined for our VPN clients. On the command line, run a command of the form (depending on the equipment used):
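Reading pki/index.txt by eye gets tedious once a few dozen profiles have been issued; the following shell functions, an added example and not part of the original article, answer the usual questions (is this user's certificate valid or revoked, how many of each, which valid certificates expire before a given date) against the tab-separated format Easy-RSA writes. The index lines below are constructed for the example.

```shell
# Easy-RSA writes one tab-separated line per certificate:
#   status (V/R)  expiry (YYMMDDHHMMSSZ)  revocation date (empty if valid)  serial  filename  subject DN

# Constructed sample in that format; serials, dates and names are made up.
SAMPLE_INDEX=$(printf 'V\t300531120000Z\t\t01\tunknown\t/CN=myvpngw\nV\t201128120000Z\t\t02\tunknown\t/CN=my-first-user\nR\t210115120000Z\t200601093000Z\t03\tunknown\t/CN=lost-laptop\n')

# cert_status <index-file> <common-name>: prints V, R, or MISSING
cert_status() {
  awk -F'\t' -v cn="/CN=$2" '
    $6 == cn { print $1; found = 1 }
    END { if (!found) print "MISSING" }' "$1"
}

# count_by_status <index-file> <V|R>: number of entries carrying that flag
count_by_status() {
  awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }' "$1"
}

# expiring_before <index-file> <YYYYMMDD>: CNs of valid certificates that expire before that date,
# handy for planning re-issue with the 180-day validity recommended above
expiring_before() {
  awk -F'\t' -v d="$2" '
    $1 == "V" {
      ed = "20" substr($2, 1, 6)      # YYMMDD -> YYYYMMDD (covers 2000-2099)
      if (ed < d) { sub(/^\/CN=/, "", $6); print $6 }
    }' "$1"
}

# Stand-alone run: write the sample to a temp file and report on it
idx=$(mktemp)
printf '%s\n' "$SAMPLE_INDEX" > "$idx"
echo "valid: $(count_by_status "$idx" V), revoked: $(count_by_status "$idx" R)"
echo "my-first-user: $(cert_status "$idx" my-first-user)"
echo "expiring before 2021-01-01: $(expiring_before "$idx" 20210101)"
rm -f "$idx"
```

Point the functions at /usr/share/easy-rsa/3/pki/index.txt on the server to use them on the real index.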
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
and save the configuration.
In addition, on the border router that serves the external address gw.abc.ru, udp/1194 packets must be allowed through.
If the organization has strict security rules, a firewall must also be configured on the VPN server itself. In my opinion the greatest flexibility comes from configuring the iptables FORWARD chain, although doing so is not very convenient. A few more words about that. The most convenient way is to use "direct rules", stored in the file /etc/firewalld/direct.xml. The current set of such rules can be viewed as follows:
$ sudo firewall-cmd --direct --get-all-rule
Before editing the file, make a backup copy of it:
These are ordinary iptables rules, just as they would have been written before firewalld appeared.
tun0 is the tunnel interface with the default settings, and the external interface for the tunnel may differ, for example ens192, depending on the platform.
The last line logs dropped packets. For it to work, change the debug level in the firewalld configuration:
vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2
Apply the settings with the usual firewalld reload command:
$ sudo firewall-cmd --reload
Dropped packets can then be seen like this:
grep forward_fw /var/log/messages
What's next
This completes the setup!
All that remains is to install the client software on the client side, import the profile and connect. For Windows, the distribution is available on the developer's site.
Finally, add the new server to the monitoring and backup systems, and do not forget to install updates regularly.