Organizing remote work for an SMB organization with OpenVPN
Statement of the problem
This article describes how to organize remote access for employees using open-source components. It can be used both to build a fully self-contained system and as an expansion option when licenses in an existing commercial product run short or its performance is insufficient.
The aim of the article is to walk through the complete procedure for providing remote access to an organization, which is somewhat more than "setting up OpenVPN in 10 minutes."
As a result, we get a system in which a certificate and (optionally) the organization's Active Directory are used to authenticate users. In other words, a system with two factors: something I have (the certificate) and something I know (the password).
The sign that a user is allowed to connect is membership in the myVPNUsr group. The certificate authority will be used offline.
The cost of implementing the solution is only a small amount of hardware and one hour of an administrator's time.
We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPUs and 4 GiB RAM per 4 connections.
In the example, our organization's network is 172.16.0.0/16, the VPN server with address 172.16.19.123 sits in the segment 172.16.19.0/24, the DNS servers are 172.16.16.16 and 172.16.17.17, and the subnet 172.16.20.0/23 is allocated to VPN users.
For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.
Disabling SELinux is strongly discouraged! OpenVPN works without turning off the security subsystem.
Installing the OS and application software
We use the CentOS 7.8.2003 distribution. The OS should be installed in a minimal configuration; this is convenient to do with kickstart, by cloning a previously installed OS image, or by other means.
After installation, assign the address from the task description (172.16.19.123) to the network interface and update the OS:
$ sudo yum update -y && reboot
We also need to make sure that time synchronization is working on our machine.
For the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository will be required).
The settings for the organization ABC LLC are described here; you can correct them to match your reality or leave the values from the example. The most important setting is the last line, which determines the validity period of the certificate in days. The example uses a value of 10 years (365 * 10 + 2 leap days). This value must be adjusted before user certificates are issued.
Next, we set up the certificate authority.
The setup consists of exporting the variables, initializing the CA, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All request parameters can be left at their defaults.
systemctl status openvpn@server   # the instance name after "@" was lost in extraction; "server" is assumed, use the name of your own config
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Issuing and revoking certificates
Besides the certificates themselves, keys and a number of other settings are needed, and it is very convenient to bundle all of this into a single profile file. This file is then handed to the user, and the profile is imported into the OpenVPN client. To do this, we will create a settings template and a script that generates the profile.
Before issuing user certificates, do not forget to set the certificate validity period in the parameter file. Do not make it too long; I would recommend limiting yourself to a maximum of 180 days.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Notes:
the PUT YOUR ... strings are replaced with the contents of your own certificates;
in the remote directive, specify the name/address of your gateway;
the auth-user-pass directive is used for the additional external authentication.
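The profile-generating script the text refers to is not reproduced on this page. Below is an added example of such a script, written for this edit in POSIX sh; it is not the article's own code and not part of OpenVPN or Easy-RSA. It assumes the Easy-RSA 3 file layout (pki/ca.crt, pki/issued/<user>.crt, pki/private/<user>.key) and a TLS-auth key in ta.key, none of which the page states, and it writes its own constructed stand-in files so it can be exercised without a real PKI. It substitutes the two PUT YOUR ... placeholder lines of the template, appends the user's own <cert>/<key> blocks, strips the text dump Easy-RSA prepends to issued certificates, and refuses to produce a profile if any input is missing or a placeholder survives.

```shell
#!/bin/sh
# Added example (not the article's script): build a client .ovpn profile from the
# template above and the Easy-RSA 3 output for one user. Paths are parameters;
# the Easy-RSA layout and ta.key location are assumptions, not taken from the page.
set -eu

# pem_body FILE  -> the base64 lines of the first PEM block, without BEGIN/END
pem_body() {
    sed -n '/^-----BEGIN/,/^-----END/{/^-----/!p;}' "$1"
}

# pem_block FILE -> the first PEM block including BEGIN/END; this drops the
# human-readable text dump that Easy-RSA writes before the PEM in issued/*.crt
pem_block() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# build_profile TEMPLATE CA_CRT TA_KEY USER_CRT USER_KEY OUT
build_profile() {
    template=$1; ca=$2; ta=$3; crt=$4; key=$5; out=$6
    for f in "$template" "$ca" "$ta" "$crt" "$key"; do
        [ -s "$f" ] || { echo "build_profile: missing or empty file: $f" >&2; return 1; }
    done
    # the profile embeds a private key, so it is created readable by the owner only
    (
        umask 077
        {
            while IFS= read -r line; do
                case "$line" in
                    *"PUT YOUR CA CERT"*) pem_body "$ca" ;;   # inside the template's own BEGIN/END lines
                    *"PUT YOUR TA KEY"*)  pem_body "$ta" ;;
                    *) printf '%s\n' "$line" ;;
                esac
            done < "$template"
            printf '<cert>\n'; pem_block "$crt"; printf '</cert>\n'
            printf '<key>\n';  pem_block "$key"; printf '</key>\n'
        } > "$out"
    )
    if grep -q 'PUT YOUR' "$out"; then
        echo "build_profile: placeholder left unreplaced in $out" >&2; return 1
    fi
}

# make_samples DIR: constructed stand-in files (NOT real keys) so the script can
# be run offline; on a real server these come from Easy-RSA and openvpn --genkey
make_samples() {
    d=$1
    cat > "$d/template.ovpn" <<'EOF'
client
dev tun
proto udp
remote gw.abc.ru 1194
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SAMPLECABODY' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '#' '# constructed stand-in' '#' '-----BEGIN OpenVPN Static key V1-----' \
        'SAMPLETABODY' '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    printf '%s\n' 'Certificate:' '    Data: text dump as Easy-RSA writes it' \
        '-----BEGIN CERTIFICATE-----' 'SAMPLEUSERCERT' '-----END CERTIFICATE-----' > "$d/alice.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'SAMPLEUSERKEY' '-----END PRIVATE KEY-----' > "$d/alice.key"
}

# Stand-alone demo with the constructed files. With a real PKI the call would be e.g.:
#   build_profile template.ovpn pki/ca.crt ta.key pki/issued/alice.crt pki/private/alice.key alice.ovpn
work=$(mktemp -d)
make_samples "$work"
build_profile "$work/template.ovpn" "$work/ca.crt" "$work/ta.key" "$work/alice.crt" "$work/alice.key" "$work/alice.ovpn"
cat "$work/alice.ovpn"
```

The resulting file contains the user's private key, so it is written with mode 0600 and should be delivered to the user over a channel you trust and deleted from the server afterwards.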
In an enterprise environment the network is most likely subnetted, and we need to tell the router how to forward packets destined for our VPN users. On the router's command line we run a command like the following (depending on the equipment):
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
and save the configuration.
Also, on the interface of the border router that serves the external address gw.abc.ru, udp/1194 packets must be allowed through.
If the organization has strict security rules, a firewall must also be configured on the VPN server itself. In my opinion, the greatest flexibility comes from configuring the iptables FORWARD chains, although configuring them is less convenient. A little more on setting them up: the easiest way is to use "direct rules", which are stored in the file /etc/firewalld/direct.xml. The currently configured rules can be viewed as follows:
$ sudo firewall-cmd --direct --get-all-rules
Before changing the file, make a copy of it: