Organizing remote access for a small organization on OpenVPN

Problem statement

This article describes how to organize remote access for employees using open-source products. It can be used both to build a fully autonomous system and to extend an existing commercial system when it runs short of licenses or its performance is insufficient.

The goal of the article is a complete system for providing remote access to an organization, which is a bit more than "installing OpenVPN in 10 minutes."

As a result, we get a system in which a certificate and (optionally) an Active Directory account are used to verify users. That is, we get a system with two factors: what I have (the certificate) and what I know (the password).

The sign that a user is allowed to connect is their membership in the myVPNUsr group. The certificate authority is operated offline.

The cost of implementing the solution is only minor hardware resources and 1 hour of an administrator's work.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPUs and 4 GiB RAM for 4 connections.

In the example, our organization's network is 172.16.0.0/16, the VPN server with address 172.16.19.123 sits in the segment 172.16.19.0/24, the DNS servers are 172.16.16.16 and 172.16.17.17, and the subnet 172.16.20.0/23 is allocated to VPN users.

For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.

Disabling SELinux is strictly forbidden! OpenVPN works fine without switching security off.

Contents

  1. Installing the OS and application software
  2. Setting up cryptography
  3. Configuring OpenVPN
  4. AD authentication
  5. Starting and diagnostics
  6. Issuing and revoking certificates
  7. Network configuration
  8. What next

Installing the OS and application software

We use the CentOS 7.8.2003 distribution. The OS must be installed in the minimal configuration. It is convenient to do this with kickstart, by cloning a previously installed OS image, or by other means.

After installation, assign an address to the network interface (172.16.19.123 according to the terms of the task) and update the OS:

$ sudo yum update -y && sudo reboot

We also need to make sure that time synchronization is configured on our machine.
To install the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required):

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install the guest agent on the virtual machine:

$ sudo yum install open-vm-tools

for VMware ESXi hosts, or for oVirt:

$ sudo yum install ovirt-guest-agent

Setting up cryptography

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create the variables file:

$ sudo vim vars

with the following contents:

export KEY_COUNTRY="RU"
export KEY_PROVINCE="MyRegion"
export KEY_CITY="MyCity"
export KEY_ORG="ABC LLC"
export KEY_EMAIL="[email protected]"
export KEY_CN="allUsers"
export KEY_OU="allUsers"
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
export EASYRSA_CERT_EXPIRE=3652

The values here describe the organization ABC LLC; you can change them to the correct ones or leave them as in the example. The most important of the parameters is the last line, which sets the validity period of certificates in days. The example uses a value of 10 years (365 * 10 + 2 leap years). This value must be adjusted before user certificates are issued.

Next, we set up our own certificate authority.

The setup consists of exporting the variables, initializing the CA, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All prompts can be left at their defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

This completes the main part of the cryptographic setup.

Configuring OpenVPN

Go to the OpenVPN directory, create the service directories and add a link to easy-rsa:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the contents

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some notes on the parameters:

  • if a different name was given when the server certificate was issued, specify it;
  • specify addresses to suit your tasks *;
  • there can be one or more routes and DNS servers;
  • the last 2 lines are needed for authentication in AD **.

* The address range chosen in the example allows 127 users to connect simultaneously, because a /23 network is selected and OpenVPN creates a subnet with a /30 mask for each client.
If really necessary, the port and protocol can be changed; however, keep in mind that changing the port number will involve configuring SELinux, and using the tcp protocol will increase overhead, because TCP delivery control is already performed at the level of the packets encapsulated in the tunnel.

** If authentication in AD is not required, comment these lines out, skip the next section, and remove the auth-user-pass line from the template.

AD authentication

To support the second factor, we will use account verification in AD.

We need an account in the domain with the rights of an ordinary user, and a group whose membership will determine the ability to connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the contents

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

The main parameters:

  • URL "ldap://ldap.abc.ru" - the address of the domain controller;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - the canonical name of the account used to bind to LDAP (account bindUsr in the container abc.ru/Users);
  • Password b1ndP@SS - the password of the bind account;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" - the path at which to start searching for the user;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" - the container of groups (group myVPNUsr in the container abc.ru/myGrp);
  • SearchFilter "(cn=myVPNUsr)" - the name of the group that grants access.

Starting and diagnostics

Now we can enable and start our server:

$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server

Checking the startup:

systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Issuing and revoking certificates

Since, in addition to the certificate itself, keys and other settings are needed, it is very convenient to wrap all of this in one profile file. This file is then handed to the user, and the profile is imported in the OpenVPN client. To do this, we will create a settings template and a script that generates the profile.

The contents of the root certificate (ca.crt) and the TLS key (ta.key) files must be added to the profile.

Before issuing user certificates, do not forget to set the required validity period for certificates in the parameters file. You should not make it too long; I would recommend limiting yourself to a maximum of 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • replace the PUT YOUR... strings with the contents of your own certificate and key files;
  • in the remote directive, specify the name/address of your gateway;
  • the auth-user-pass directive is used for the additional external authentication.

In the home directory (or another convenient place) we create a script that requests a certificate and builds a profile:

vim ~/make.profile.sh

#!/bin/bash

if [ -z "$1" ] ; then
  echo "Missing mandatory client name. Usage: $0 vpn-username"
  exit 1
fi

#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

#Get current year and lowercase client name
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"

cd "$basepath" || exit 1

#Refuse to issue twice: an existing client/<name>.* means a profile was already made
if ls "client/$client".* >/dev/null 2>&1; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"

#Make profile: the template plus the client's key and certificate as inline blocks
cp "$clntpath/template.ovpn" "$profile"

echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"
echo >> "$profile"

#Re-encode the issued certificate to strip the text header easyrsa puts above the PEM block
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"

echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo >> "$profile"

#remove tmp file
rm -f "$basepath/$client.crt"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod a+x ~/make.profile.sh

And we can issue our first certificate:

~/make.profile.sh my-first-user
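Before a generated profile is handed to a user it is worth checking that the script filled every inline block and that none of the template's PUT YOUR... placeholders survived. The check below is an added example and not part of the original article; the profile text it tests is constructed, and the directives it requires are the ones from the template above.

```python
import re

# Constructed minimal profile from the template's directives, with <cert> left out
# and the <tls-auth> placeholder left in, to show what the check reports.
BROKEN_PROFILE = """client
remote gw.abc.ru 1194
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
constructed, not a real certificate
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
<key>
-----BEGIN PRIVATE KEY-----
constructed, not a real key
-----END PRIVATE KEY-----
</key>
"""

REQUIRED_BLOCKS = ("ca", "cert", "key", "tls-auth")
# Server-cert check, tls-auth key direction, the AD second factor, and the gateway line.
REQUIRED_DIRECTIVES = (r"remote-cert-tls server", r"key-direction 1", r"auth-user-pass", r"remote \S+ \d+")

def inline_blocks(profile):
    """Map each <tag>...</tag> inline block in the profile to its body text."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"^<([\w-]+)>\n(.*?)^</\1>", profile, re.S | re.M)}

def check_profile(profile):
    """Return the list of problems found; an empty list means the profile is complete."""
    problems = []
    blocks = inline_blocks(profile)
    for tag in REQUIRED_BLOCKS:
        body = blocks.get(tag)
        if body is None:
            problems.append(f"missing <{tag}> block")
        elif "PUT YOUR" in body:
            problems.append(f"<{tag}> still holds the template placeholder")
    for pattern in REQUIRED_DIRECTIVES:
        if not re.search(rf"^{pattern}$", profile, re.M):
            problems.append(f"missing directive matching '{pattern}'")
    return problems
```

Run it against a real file with `check_profile(open("/usr/share/easy-rsa/3/client/my-first-user.ovpn").read())`; anything other than an empty list means the profile should not be sent out.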

Revocation

If a certificate is compromised (lost, stolen), it must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

Viewing issued and revoked certificates

To view issued and revoked certificates, just look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanation:

  • the first line is the server certificate;
  • the first character
    • V (Valid) - valid;
    • R (Revoked) - revoked.
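Reading pki/index.txt by eye works for a handful of users; with the 180-day validity recommended above it is also useful to know which certificates are about to expire. The audit below is an added example, not part of the original article: the index contents are constructed, and the 30-day warning threshold is an assumed value.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the OpenSSL CA database Easy-RSA keeps in pki/index.txt.
# Tab-separated fields: status, expiry (YYMMDDHHMMSSZ), revocation time, serial,
# certificate file name, subject DN. Serials and dates are made up.
SAMPLE_INDEX = (
    "V\t300510120000Z\t\t01\tunknown\t/CN=myvpngw\n"
    "R\t201201120000Z\t200701093000Z\t02\tunknown\t/CN=my-first-user\n"
    "V\t200801120000Z\t\t03\tunknown\t/CN=second-user\n"
    "V\t201201120000Z\t\t04\tunknown\t/CN=third-user\n"
    "V\t200601120000Z\t\t05\tunknown\t/CN=old-user\n"
)

def parse_ca_time(value):
    """OpenSSL index timestamps are UTCTime: two-digit year, trailing Z."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expiry, revoked, serial, _fname, dn = fields
        entries.append({
            "status": status, "serial": serial,
            "cn": dn.rsplit("/CN=", 1)[-1],
            "expires": parse_ca_time(expiry),
            "revoked_at": parse_ca_time(revoked) if revoked else None,
        })
    return entries

def audit(text, now, warn_days=30):
    """Bucket certificates; 'now' must be timezone-aware. The status column only
    changes to E when the CA database is refreshed, so expiry is computed here too."""
    report = {"valid": [], "revoked": [], "expired": [], "expiring": []}
    for e in parse_index(text):
        if e["status"] == "R":
            report["revoked"].append(e["cn"])
        elif e["status"] == "E" or e["expires"] <= now:
            report["expired"].append(e["cn"])
        elif e["expires"] - now <= timedelta(days=warn_days):
            report["expiring"].append(e["cn"])
        else:
            report["valid"].append(e["cn"])
    return report
```

On the server, `audit(open("/usr/share/easy-rsa/3/pki/index.txt").read(), datetime.now(timezone.utc))` gives the same report for the real database.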

Network configuration

The final step is to configure the transport network: routing and firewalls.

Allow connections in the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP forwarding:

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a corporate environment the network is most likely subnetted, and we need to tell the router how to forward packets destined for our VPN clients. On the command line we execute something like (depending on the equipment):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

Also, on the border router interface that serves the external address gw.abc.ru, udp/1194 traffic must be allowed.

If the organization has strict security requirements, a firewall must also be configured on our VPN server. In my opinion, the most flexible option is configuring the iptables FORWARD chains, even though setting them up is less convenient. A bit more about configuring them. The most convenient way is to use "direct rules", stored in the file /etc/firewalld/direct.xml. The current set of rules can be viewed as follows:

$ sudo firewall-cmd --direct --get-all-rule

Before changing the file, make a backup copy of it:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The approximate contents of the file are:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Explanation

These are essentially ordinary iptables rules, packaged differently since the arrival of firewalld.

The incoming interface with the default settings is tun0, and the outgoing interface for the tunnel may differ, for example ens192, depending on the platform used.

The last line is for logging dropped packets. For the logging to work, you need to change the debug level in the firewalld configuration:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

The settings are applied with the usual firewalld command to re-read the configuration:

$ sudo firewall-cmd --reload

Dropped packets can be viewed like this:

grep forward_fw /var/log/messages

What next

This completes the setup!

All that remains is to install the client software on the client side, import the profile and connect. For Windows operating systems, the distribution is available on the developer's site.

Finally, we connect our new server to the monitoring and backup systems, and do not forget to install updates regularly.

Stable connections!

Source: www.hab.com
