Setting up remote work for an SMB organization on OpenVPN

Problem statement

The article describes setting up remote access for employees using open source products. The setup can be used both to build a fully standalone system and to scale out when the licenses of an existing commercial system run short or its performance is insufficient.

The goal of the article is to implement a complete system for providing remote access to an organization, going a little deeper than "installing OpenVPN in 10 minutes."

As a result, we get a system in which certificates and (optionally) the corporate Active Directory are used to authenticate users. That is, we get a system with two authentication factors - what I have (a certificate) and what I know (a password).

A user's permission to connect is indicated by membership in the myVPNUsr group. The certificate authority is used offline.

The cost of implementing the solution is only a small amount of hardware resources and 1 hour of administrator time.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPU and 4 GiB RAM for 4 connections.

In the example, our organization's network is 172.16.0.0/16, in which the VPN server with address 172.16.19.123 sits in segment 172.16.19.0/24, and the DNS servers are 172.16.16.16 and 172.16.17.17. The range 172.16.20.0/23 is allocated for VPN clients.

For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.

Disabling SELinux is not recommended! OpenVPN works without disabling security policies.

Contents

  1. Installing the OS and application software
  2. Setting up cryptography
  3. Setting up OpenVPN
  4. AD Authentication
  5. Start and diagnostics
  6. Issuing certificates and revocation
  7. Network configuration
  8. What next

Installing the OS and application software

We use the CentOS 7.8.2003 distribution. The OS must be installed in a minimal configuration. This is convenient to do with kickstart, by cloning a pre-installed OS image, or by other means.

After installation, having assigned an address to the network interface (172.16.19.123 according to the task statement), we update the OS:

$ sudo yum update -y && reboot

We need to make sure that time synchronization works on our machine.
To install the application software you need the openvpn, openvpn-auth-ldap, easy-rsa and vim packages, the latter as the main editor (the EPEL repository is required).

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install a guest agent for the virtual machine:

$ sudo yum install open-vm-tools

for a VMware ESXi host, and for oVirt

$ sudo yum install ovirt-guest-agent

Setting up cryptography

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create a variables file:

$ sudo vim vars

with the following content:

export KEY_COUNTRY="RU"
export KEY_PROVINCE="MyRegion"
export KEY_CITY="MyCity"
export KEY_ORG="ABC LLC"
export KEY_EMAIL="[email protected]"
export KEY_CN="allUsers"
export KEY_OU="allUsers"
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
export EASYRSA_CERT_EXPIRE=3652

The parameters are shown for a fictional organization ABC LLC; you can change them to real values or leave them as in the example. The most important parameter is the last line, which sets the certificate validity period in days. The example uses a value of 10 years (365*10+2 leap days). This value must be adjusted before user certificates are issued.

Next, we set up a standalone certificate authority.

The setup consists of exporting the variables, initializing the CA, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All prompted parameters can be left at their defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

This completes the main part of setting up the cryptographic machinery.

Setting up OpenVPN

Go to the OpenVPN directory, create the service directories and add a link to easy-rsa:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following content

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# the corporate network described above is 172.16.0.0/16, so the mask is 255.255.0.0
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

A few notes on the parameters:

  • if a different name was specified when issuing the server certificate, specify it here;
  • specify an address pool appropriate for your needs*;
  • there may be one or more routes and DNS servers;
  • the last 2 lines are needed for authentication against AD**.

* The address range chosen in the example lets 127 clients connect simultaneously, because a /23 network is chosen and OpenVPN creates a subnet for each client using a /30 mask.
If necessary, the port and protocol can be changed; keep in mind, however, that changing the port number entails configuring SELinux, and using the tcp protocol increases overhead, because TCP flow control is then applied on top of packets already encapsulated in the tunnel.

** If authentication against AD is not needed, comment these lines out, skip the next section, and remove the auth-user-pass line from the template.

AD Authentication

To support the second factor, we will use account authentication in AD.

We need an account in the domain with ordinary user rights, and a group whose membership determines permission to connect.

Create a configuration file:

/etc/openvpn/ldap.conf

with the following content

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Main parameters:

  • URL "ldap://ldap.abc.ru" - domain controller address;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - canonical name for binding to LDAP (the account bindUsr in the abc.ru/Users container);
  • Password b1ndP@SS - the bind account's password;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" - the path from which the user search starts;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" - container of the permitting group (group myVPNUsr in the abc.ru/myGrp container);
  • SearchFilter "(cn=myVPNUsr)" - name of the permitting group.
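As an added example that is not part of the article, the bash script below reads ldap.conf back and prints the ldapsearch commands that reproduce the plugin's two lookups (the user search with %u substituted, and the group search returning its member list), so the bind account, BaseDN and group filter can be exercised by hand before OpenVPN is restarted. It also checks two properties of this file that are easy to overlook: with a ldap:// URL and TLSEnable no, the simple bind sends the Password value across the network in cleartext (ldaps:// or TLSEnable yes, which the plugin treats as STARTTLS, avoids that), and the file holds that password, so only root should be able to read it. The sample ldap.conf is a constructed copy of the one above; ldapsearch (from openldap-clients) and all helper names are assumptions of the example.

```bash
#!/bin/bash
# Added example, not part of the article: read the values openvpn-auth-ldap will
# use from ldap.conf and print equivalent ldapsearch commands, so the bind
# account, the user BaseDN and the group filter can be exercised by hand before
# the plugin is wired into server.conf. The layout assumed is the one above;
# ldapsearch (openldap-clients) is assumed to be installed where this is run.

# Constructed copy of the article's ldap.conf, written to $1 for offline use.
write_sample_ldap_conf() {
  cat > "$1" <<'EOF'
<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>
EOF
}

# conf_get FILE KEY SECTION -> value of KEY inside <SECTION>, quotes removed.
# Sections nest (<Group> sits inside <Authorization>), so a small stack tracks
# which block the current line belongs to.
conf_get() {
  awk -v key="$2" -v sect="$3" '
    /^[[:space:]]*<[A-Za-z]+>/   { s = $0; gsub(/[<>[:space:]]/, "", s); stack[++d] = s; next }
    /^[[:space:]]*<\/[A-Za-z]+>/ { d--; next }
    $1 == key && stack[d] == sect { v = $2; gsub(/"/, "", v); print v; exit }
  ' "$1"
}

# user_lookup_cmd FILE USERNAME -> the search the plugin runs to find the user
# (with %u substituted), extended to return the memberOf attribute.
user_lookup_cmd() {
  local f=$1 filter
  filter=$(conf_get "$f" SearchFilter Authorization)
  filter=${filter//%u/$2}
  printf 'ldapsearch -x -H %s -D "%s" -W -b "%s" "%s" dn memberOf\n' \
    "$(conf_get "$f" URL LDAP)" "$(conf_get "$f" BindDN LDAP)" \
    "$(conf_get "$f" BaseDN Authorization)" "$filter"
}

# group_lookup_cmd FILE -> the search that must return the permitting group and
# its member list; a user absent from MemberAttribute is refused by RequireGroup.
group_lookup_cmd() {
  local f=$1
  printf 'ldapsearch -x -H %s -D "%s" -W -b "%s" "%s" %s\n' \
    "$(conf_get "$f" URL LDAP)" "$(conf_get "$f" BindDN LDAP)" \
    "$(conf_get "$f" BaseDN Group)" "$(conf_get "$f" SearchFilter Group)" \
    "$(conf_get "$f" MemberAttribute Group)"
}

# transport_check FILE -> 0 if the bind is protected (ldaps:// URL, or
# TLSEnable yes, which the plugin treats as STARTTLS), 1 if the bind password
# would cross the network in cleartext.
transport_check() {
  local url tls
  url=$(conf_get "$1" URL LDAP)
  tls=$(conf_get "$1" TLSEnable LDAP)
  case "$url" in ldaps://*) echo "ok: LDAPS"; return 0 ;; esac
  if [ "$tls" = yes ]; then echo "ok: STARTTLS"; return 0; fi
  echo "warning: simple bind over $url without TLS sends the Password value in cleartext"
  return 1
}

# perms_check FILE -> 0 if only the owner can read the file (it holds a password).
perms_check() {
  local mode
  mode=$(stat -c %a "$1")
  case "$mode" in
    600|400) echo "ok: mode $mode"; return 0 ;;
    *)       echo "warning: mode $mode lets group/others read the bind password"; return 1 ;;
  esac
}

# Demonstration on the constructed file.
tmp=$(mktemp)
write_sample_ldap_conf "$tmp"
echo "# verify the user lookup:";             user_lookup_cmd "$tmp" jdoe
echo "# verify the group and its members:";  group_lookup_cmd "$tmp"
transport_check "$tmp" || echo "fix: use ldaps:// or TLSEnable yes"
perms_check "$tmp"     || echo "fix: chmod 600 /etc/openvpn/ldap.conf"
rm -f "$tmp"
```

Run against the real file as root (the commands it prints prompt for the bind password with -W); if the user search returns the entry but the group search does not list the user's DN under member, the plugin will refuse the login even though the password is correct.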

Start and diagnostics

Now we can try to enable and start our server:

$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server

Checking the start:

systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Issuing certificates and revocation

Because, in addition to the certificates themselves, keys and other settings are needed, it is very convenient to bundle all of this into a single profile file. This file is handed to the user and the profile is imported into the OpenVPN client. To do this, we will create a template and a script that generates the profile.

You need to add the contents of the root certificate (ca.crt) and the TLS key (ta.key) files to the template.

Before issuing user certificates, do not forget to set the appropriate validity period for the certificates in the variables file. You should not make it too long; I recommend limiting yourself to 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • the PUT YOUR... lines are replaced with the contents of the corresponding files;
  • in the remote directive, specify the name/address of your gateway;
  • the auth-user-pass directive is used for external authentication.

In the home directory (or another suitable place) we create a script to request a certificate and build a profile:

vim ~/make.profile.sh

#!/bin/bash

if [ -z "$1" ] ; then
 echo "Missing mandatory client name. Usage: $0 vpn-username"
 exit 1
fi

#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

#Get current year and lowercase client name (${1,,} needs bash 4+);
#the lowercased name is used everywhere so key, cert and profile names agree
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"

cd "$basepath" || exit 1

#Refuse to issue twice: a profile or an issued certificate already exists
if [ -e "$profile" ] || [ -f "$certpath/$client.crt" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"

#Make profile: copy the template, then append the inline key and certificate blocks
cp "$clntpath/template.ovpn" "$profile"
#the profile carries a private key, so keep it readable by the owner only
chmod 600 "$profile"

echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"
echo "" >> "$profile"

#Re-emit the certificate as bare PEM: Easy-RSA prefixes the issued file with a text dump
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"

echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo "" >> "$profile"

#remove tmp file
rm -f "$basepath/$client.crt"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod a+x ~/make.profile.sh

And we can issue our first certificate.

~/make.profile.sh my-first-user
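Before the profile goes to the user it is worth checking that the template placeholders were actually replaced and that nothing was lost while the blocks were appended, since a user only discovers such problems on the first connection attempt. The bash script below is an added example, not the article's code: check_profile reports on the four inline blocks, leftover PUT YOUR text, balanced PEM markers, and the remote-cert-tls server and key-direction 1 directives (auth-user-pass is deliberately not required, since the notes above make it optional). The two profiles it writes are constructed, one filled with dummy PEM bodies and one the raw template; the function names are the example's own.

```bash
#!/bin/bash
# Added example, not part of the article: check a generated .ovpn profile
# before it is handed to a user. Typical mistakes with the template above are a
# "PUT YOUR ... HERE" placeholder left in place, a missing inline block, or a
# dropped remote-cert-tls line. Works on any profile; no real keys are needed.

# Inline blocks a profile built from the template plus make.profile.sh must carry.
required_blocks="ca tls-auth cert key"

# check_profile FILE -> prints ok/FAIL per check, returns 1 if anything failed.
check_profile() {
  local f=$1 rc=0 b d begins ends
  for b in $required_blocks; do
    if grep -q "^<$b>" "$f" && grep -q "^</$b>" "$f"; then
      echo "ok: <$b> block present"
    else
      echo "FAIL: <$b> block missing or unclosed"; rc=1
    fi
  done
  if grep -q "PUT YOUR" "$f"; then
    echo "FAIL: template placeholder text still present"; rc=1
  else
    echo "ok: no template placeholders"
  fi
  # Every -----BEGIN marker needs its -----END; a wrong cat/echo order leaves them unbalanced.
  begins=$(grep -c -- '^-----BEGIN ' "$f" || true)
  ends=$(grep -c -- '^-----END ' "$f" || true)
  if [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]; then
    echo "ok: $begins PEM objects"
  else
    echo "FAIL: unbalanced PEM markers ($begins BEGIN, $ends END)"; rc=1
  fi
  # remote-cert-tls server stops a client from accepting a client certificate as the server's.
  for d in "remote-cert-tls server" "key-direction 1"; do
    if grep -q "^$d\$" "$f"; then echo "ok: $d"; else echo "FAIL: missing '$d'"; rc=1; fi
  done
  return $rc
}

# Constructed profile as make.profile.sh would produce it, with dummy PEM
# bodies standing in for real key material (written to $1).
write_good_profile() {
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote gw.abc.ru 1194
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
DUMMYCADATA
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
<key>
-----BEGIN PRIVATE KEY-----
DUMMYKEYDATA
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
DUMMYCERTDATA
-----END CERTIFICATE-----
</cert>
EOF
}

# The unfilled template: placeholders still present, no <key>/<cert> blocks.
write_template_only() {
  cat > "$1" <<'EOF'
client
remote gw.abc.ru 1194
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# Demonstration on the two constructed files.
good=$(mktemp); bad=$(mktemp)
write_good_profile "$good"; write_template_only "$bad"
echo "--- filled profile";  check_profile "$good" || echo "do not distribute"
echo "--- raw template";    check_profile "$bad"  || echo "do not distribute"
rm -f "$good" "$bad"
```

To check a real profile, call check_profile /usr/share/easy-rsa/3/client/my-first-user.ovpn and distribute the file only when every line reads ok.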

Revocation

In case a certificate is compromised (lost, stolen), that certificate must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

Viewing issued and revoked certificates

To view issued and revoked certificates, just look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanations:

  • the first line is the server certificate;
  • first field
    • V (Valid) - valid;
    • R (Revoked) - revoked.
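As an added example that is not part of the article, the bash script below parses pki/index.txt into readable form: it lists each record's status and CN, counts valid and revoked entries, and reports valid certificates that expire within a given number of days, which becomes a routine task once the 180-day validity recommended above is in use. The three-record database it writes is constructed for the demonstration; the helper names are the example's own. Revoked records are skipped in the expiry report because they are already unusable.

```bash
#!/bin/bash
# Added example, not part of the article: summarise Easy-RSA's pki/index.txt.
# The file is the OpenSSL CA database, one tab-separated record per certificate:
#   status  expiry  revocation-date  serial  filename  subject
# status is V (valid), R (revoked) or E (expired); expiry and revocation date
# are YYMMDDHHMMSSZ (four-digit years from 2050 on); revocation date is empty
# unless status is R; subject is the DN, e.g. /CN=my-first-user.

# Constructed three-record database written to $1 (not the article's real data).
make_sample_index() {
  printf 'V\t300610120000Z\t\t01\tunknown\t/CN=myvpngw\n'                   > "$1"
  printf 'V\t201201090000Z\t\t02\tunknown\t/CN=my-first-user\n'            >> "$1"
  printf 'R\t201215090000Z\t200701100000Z\t03\tunknown\t/CN=lost-laptop\n' >> "$1"
}

# list_certs FILE -> one "STATUS CN YYYY-MM-DD" line per record.
list_certs() {
  awk -F'\t' '{
    cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
    e = $2
    if (length(e) == 15) { y = substr(e, 1, 4); m = substr(e, 5, 2); d = substr(e, 7, 2) }
    else { y = substr(e, 1, 2) + 0; y += (y < 50) ? 2000 : 1900; m = substr(e, 3, 2); d = substr(e, 5, 2) }
    printf "%s %s %04d-%s-%s\n", $1, cn, y, m, d
  }' "$1"
}

# count_status FILE STATUS -> number of records with that status letter.
count_status() {
  awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }' "$1"
}

# expiring_within FILE DAYS [REF_DATE] -> valid certificates whose expiry falls
# within DAYS of REF_DATE (YYYY-MM-DD, default today), as "CN YYYY-MM-DD".
# Revoked records are skipped: they are already unusable.
expiring_within() {
  local idx=$1 days=$2 ref=${3:-$(date +%F)} limit
  limit=$(( $(date -d "$ref" +%s) + days * 86400 ))
  list_certs "$idx" | while read -r status cn expdate; do
    [ "$status" = V ] || continue
    if [ "$(date -d "$expdate" +%s)" -le "$limit" ]; then
      echo "$cn $expdate"
    fi
  done
}

# Demonstration on the constructed database.
tmp=$(mktemp)
make_sample_index "$tmp"
echo "valid: $(count_status "$tmp" V), revoked: $(count_status "$tmp" R)"
list_certs "$tmp"
echo "expiring within 180 days of 2020-06-10:"
expiring_within "$tmp" 180 2020-06-10
rm -f "$tmp"
```

On the server the same functions run against /usr/share/easy-rsa/3/pki/index.txt; a cron job that calls expiring_within with a 30-day window gives users time to collect a new profile before the old certificate stops working.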

Network configuration

The final steps are configuring the transit network - routing and firewalls.

Allow connections on the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP forwarding:

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a corporate environment there is probably subnetting, and we need to tell the router(s) how to forward packets destined for our VPN clients. On the command line we run a command of the form (depending on the equipment used):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

In addition, on the border router that serves the external address gw.abc.ru, udp/1194 packets must be allowed through.

If the organization has security rules, a firewall must also be configured on our VPN server. In my opinion, the greatest flexibility comes from configuring the iptables FORWARD chain, although configuring it is less convenient. A few more words about configuring it. The easiest way is to use "direct rules", stored in the file /etc/firewalld/direct.xml. The current rule configuration can be seen with:

$ sudo firewall-cmd --direct --get-all-rule

Before changing the file, make a backup copy of it:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The relevant contents of the file:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services; eth0 is the outbound interface here, replace it with the host's (e.g. ens192) in every rule-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Explanations

These are ordinary iptables rules, just packaged differently since the arrival of firewalld.

tun0 is the tunnel interface with default settings, and the external interface for the tunnel may differ, e.g. ens192, depending on the platform used.

The last line is for logging dropped packets. For it to work, you need to change the debug level in the firewalld configuration:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

Applying the settings is the usual firewalld command to reread the configuration:

$ sudo firewall-cmd --reload

Dropped packets can be seen like this:

grep forward_fw /var/log/messages

What next

This completes the setup!

All that remains is to install the client software on the client side, import the profile and connect. For Windows operating systems, the distribution is available on the developer's site.

Finally, we add our new server to the monitoring and backup systems, and do not forget to install updates regularly.

Stable connections!

Source: www.habr.com
