Two-factor authentication of VPN users via MikroTik and SMS

Hello colleagues! Now that the hype around remote work has subsided a little and most administrators have solved the task of getting users into the corporate network, it is time to share my long-standing experience of hardening VPN access. This article does not cover the currently fashionable IPSec IKEv2 with xAuth. It is about building a two-factor authentication (2FA) system for VPN users when MikroTik acts as the VPN server, that is, when "classic" protocols such as PPP are used.


Today I will show how to protect a MikroTik PPP VPN even if your user's account is stolen. When this scheme was introduced at one of my customers, he summed it up briefly as "well, now it's like in a bank!"

The method does not use external authentication services. All the work is done internally by the router itself. There is no cost to the connecting client. The method works for both PC clients and mobile devices.

The general protection scheme is as follows:

  1. The internal IP address of a user who has successfully connected to the VPN server is automatically placed on a "grey" list.
  2. The connection event automatically generates a one-time code, which is sent to the user by one of the available channels.
  3. Addresses on the grey list have restricted access to local network resources, except for the "authenticator" service, which expects to receive the one-time password.
  4. After presenting the code, the user gets access to the internal network resources.

The first and smallest problem is storing the user's contact information so that the 2FA code can be sent to them. Since MikroTik does not allow creating an arbitrary data field attached to a user, the existing "comment" field is used:

/ppp secret add name=Petrov password="4M@ngr!" comment="89876543210"

The second problem turned out to be more serious: the choice of channel and method for delivering the code. Three schemes are currently implemented: a) SMS via a USB modem, b) e-mail, c) SMS via e-mail, available to corporate customers of the red mobile operator.

Yes, the SMS schemes cost money. But if you think about it, "security is always about money" (c).
I personally do not like the e-mail scheme. Not because it requires the mail server to be reachable by the client being authenticated; splitting the traffic is not a problem. But if the client has carelessly saved both the VPN and the e-mail passwords in the browser and then loses the laptop, an attacker gets full access to the corporate network through it.

So, it is decided: we deliver the one-time code by SMS.

The third problem is where and how to generate a pseudo-random code for 2FA on MikroTik. The RouterOS scripting language has no equivalent of a random() function, and I had already seen several makeshift pseudo-random number generators. I did not like any of them, for various reasons.

In fact, MikroTik does have a pseudo-random sequence generator! It is hidden from a superficial look in the /certificates scep-server section. The first way to get a one-time password is quick and simple: the command /certificates scep-server otp generate. If we perform a simple variable assignment, we get an array value that can then be used in a script.

The second way to get a one-time password, also easy to use, is the external random.org service, which generates a pseudo-random sequence of the required form. Here is a simplified, rough example of fetching the data into a variable:

Script
:global rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user ]->"data") 1 6] :put $rnd1

The request is formatted for the console (inside a script body the special characters will need escaping) and receives a string of six characters into the $rnd1 variable. The "put" command simply displays the variable in the MikroTik console.
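As an added example (not from the original article), here is how the two generation methods above can be combined in one script so that a failed random.org fetch does not leave the client without a code: the built-in scep-server OTP is tried first and the external service only as a fallback. The variable names and the minimum-length check are my own assumptions.

```routeros
# Added example: obtain a 2FA code on the router, built-in generator first,
# random.org as fallback. otplen and code are assumed names, not from the article.
:local otplen 6
:local code ""

# Method 1: built-in generator from /certificate scep-server (the "password"
# key of the as-value result is used, as in the article)
:do {
    :local otp [/certificate scep-server otp generate minutes-valid=1 as-value]
    :set code [:pick ($otp->"password") 0 $otplen]
} on-error={
    :log warning "2fa: scep-server otp generate failed, trying random.org"
}

# Method 2: external service, only if method 1 produced nothing usable
:if ([:len $code] < $otplen) do={
    :do {
        :local rsp [/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]
        :set code [:pick ($rsp->"data") 0 $otplen]
    } on-error={
        :log error "2fa: random.org fetch failed"
    }
}

# Refuse to continue with a short or empty code rather than sending it to the user
:if ([:len $code] < $otplen) do={
    :error "2fa: no one-time code could be generated"
}
:log info ("2fa: code generated, length=" . [:len $code])
```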

The fourth problem, which has to be solved quickly, is how and where the connected client will submit its one-time code for the second stage of authentication.


The MikroTik router must run a service that can accept the code and match it to a specific client. If the submitted code matches the expected one, the client's address must be added to a "white" list; addresses on that list are allowed into the corporate network.

Because of the limited choice of services, it was decided to accept the code over http using the web proxy built into MikroTik. And since the firewall can work with dynamic lists of IP addresses, it is the firewall that looks for the code, matches it to the client's IP and adds it to the "white" list, using a Layer7 regexp. The router itself was given the conventional DNS name "gw.local", and a static record was created for it to hand out to PPP clients:

DNS
/ip dns static add name=gw.local address=172.31.1.1

Interception of traffic from not yet authorized clients onto the proxy ("2fa" is an interface list, so the match must be in-interface-list rather than in-interface):
/ip firewall nat add chain=dstnat dst-port=80,443 in-interface-list=2fa protocol=tcp !src-address-list=2fa_approved action=redirect to-ports=3128

In this scheme the proxy has two functions:

1. Open the TCP connection with the client;

2. If authorization succeeded, redirect the client's browser to a page or image signalling successful authentication:

Proxy setup
/ip proxy
set enabled=yes port=3128
/ip proxy access
add action=deny disabled=no redirect-to=gw.local./mikrotik_logo.png src-address=0.0.0.0/0

Let me list the required configuration elements:

  1. interface-list "2fa": a dynamic list of client interfaces whose traffic must be processed within the 2FA scheme;
  2. address-list "2fa_jailed": the "grey" list of tunnel IP addresses of VPN clients;
  3. address-list "2fa_approved": the white list of tunnel IP addresses of VPN clients that have successfully passed two-factor authentication;
  4. firewall chain "input_2fa": it inspects TCP packets for the presence of the authorization code and checks that the IP address of the sender matches the expected one. The rules in this chain are added and removed dynamically.

The simplified packet processing diagram looks like this:

[Figure: simplified packet processing diagram]

To pass only the traffic of clients on the "grey" list that have not yet completed the second stage of authentication into the Layer7 check, a rule is created in the standard "input" chain:

Script
/ip firewall filter add chain=input !src-address-list=2fa_approved action=jump jump-target=input_2fa

Now let's start tying all this together with the PPP service. MikroTik lets you use scripts in profiles (ppp-profile) and attach them to the events of establishing and tearing down a PPP connection. Profile settings can be applied both to the PPP server as a whole and to individual users. The profile assigned to the user takes priority: its explicitly specified parameters override the parameters of the profile selected for the server as a whole.

Thanks to this, we can create a dedicated profile for two-factor authentication and assign it not to all users but only to those we consider necessary. This matters if you use PPP services not only to connect end users but also to build site-to-site links.

In the newly created dedicated profile, we use dynamic addition of the connected user's address and interface to the "grey" address list and interface list:

[Screenshot: winbox, PPP profile "2FA"]

Script
/ppp profile add address-list=2fa_jailed change-tcp-mss=no local-address=192.0.2.254 name=2FA interface-list=2fa only-one=yes remote-address=dhcp_pool1 use-compression=no use-encryption=required use-mpls=no use-upnp=no dns-server=172.31.1.1

Both "address-list" and "interface-list" must be used together in order to detect and intercept, in the dstnat (prerouting) chain, the traffic of VPN clients that have not passed the second authorization.

With the preparation done, the firewall chains and the profile created, we will write the script responsible for automatically generating the 2FA code and the per-client firewall rules.

The wiki.mikrotik.com documentation on PPP profiles tells us which variables are available on PPP client connect and disconnect events: "Execute script on user login-event. These are available variables that are accessible for event script: user, local-address, remote-address, caller-id, called-id, interface". Some of them will be very useful to us.

Script used in the profile for the PPP On-Up connection event

# Log the received variables for debugging (the interface lookup assumes a PPTP client)
:log info ($"local-address")
:log info ($"remote-address")
:log info ($"caller-id")
:log info ($"called-id")
:log info ([/interface pptp-server get ($"interface") name])
# Declare our own local variables
:local listname "2fa_jailed"
:local viamodem false
:local modemport "usb2"
# Find the automatically created entry in the "2fa_jailed" address list
:local recnum1 [/ip firewall address-list find address=($"remote-address") list=$listname]

# Get a pseudo-random code from the local generator (first four characters of the OTP)
:local rnd1 [:pick ([/certificate scep-server otp generate as-value minutes-valid=1]->"password") 0 4]
# Alternatively, get a pseudo-random code via random.org
#:local rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 4]

# Find and update the comment on the address-list entry; the expected code is stored there for debugging
/ip firewall address-list set $recnum1 comment=$rnd1
# Get the phone number to send the SMS to
:local vphone [/ppp secret get [find name=$user] comment]

# Prepare the message body. If the client connects to the VPN directly from the phone,
# it is enough to open the link from the received message
:local msgbody ("Your code: " . $rnd1 . "\n Or open link http://gw.local/otp/" . $rnd1 . "/")

# Send the SMS over the chosen channel - USB modem or email-to-sms
:if ($viamodem) do={
    /tool sms send phone-number=$vphone message=$msgbody port=$modemport
} else={
    # the "to" and "from" addresses are redacted on the page ("[email protected]"); fill in your own
    /tool e-mail send server=a.b.c.d to="[email protected]" from="[email protected]" subject=("@" . $vphone) body=$msgbody
}

# Generate the Layer7 regexp (a "/" needs no escaping in the regexp)
:local vregexp ("otp/" . $rnd1)
:local vcomment ("2fa_" . ($"remote-address"))
/ip firewall layer7-protocol add name=($"vcomment") comment=($"remote-address") regexp=($"vregexp")

# Generate a rule that inspects the client's traffic by Layer7 for the expected code,
# with a little brute-force protection of the code via dst-limit
/ip firewall filter add action=add-src-to-address-list address-list=2fa_approved address-list-timeout=none-dynamic chain=input_2fa dst-port=80,443,3128 layer7-protocol=($"vcomment") protocol=tcp src-address=($"remote-address") dst-limit=1,1,src-address/1m40s

A warning, especially for those who like to copy-paste without thinking: the code is published in a test form and may contain minor errors. It will not be hard for an understanding person to find exactly where.

When a user disconnects, an "On-Down" event is generated and the corresponding script is called with its parameters. The purpose of this script is to clean up the firewall rules created for the disconnected user.

Script used in the profile for the PPP On-Down connection event

:local vcomment ("2fa_" . ($"remote-address"))
/ip firewall address-list remove [find address=($"remote-address") list=2fa_approved]
/ip firewall filter remove [find chain="input_2fa" src-address=($"remote-address")]
/ip firewall layer7-protocol remove [find name=$vcomment]

You can now create users and assign some or all of them to the two-factor authentication profile.

[Screenshot: winbox, PPP secret with profile "2FA"]

Script
/ppp secret set [find name=Petrov] profile=2FA

What it looks like on the client side.

When the VPN connection is established, an SMS like this arrives on your Android/iOS phone or tablet with a SIM card:

[Screenshot: SMS with the one-time code and link]

If the connection is made directly from the phone or tablet, you can pass 2FA simply by tapping the link in the message. Convenient.

If the VPN connection is made from a PC, the user has to enter the short password. A small form in the shape of an HTML file is given to the user when the VPN is set up. The file can be sent by mail so that the user saves it and creates a shortcut in a convenient place. It looks like this:

[Screenshot: shortcut on the desktop]

The user clicks the shortcut, a simple code entry form opens, and the entered code is inserted into the URL that is opened:

[Screenshot: code entry form]

The form is as primitive as it gets and is given only as an example. Anyone who wants to can adapt it to their taste.

2fa_login_mini.html

<html>
<head> <title>SMS OTP login</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> </head>
<body>
<form name="login" action="location.href='http://gw.local/otp/'+document.getElementById('text').value" method="post">
 <input id="text" type="text"/>
<input type="button" value="Login" onclick="location.href='http://gw.local/otp/'+document.getElementById('text').value"/>
</form>
</body>
</html>

If authorization succeeds, the user sees the MikroTik logo in the browser, which serves as the indicator of successful authentication:

[Image: MikroTik logo shown after successful authentication]

Note that this image is returned by the router's built-in web server via the WebProxy deny redirect.

I suppose this image could be customized using the "hotspot" tool, by uploading your own page there and pointing the WebProxy deny redirect URL at it.

A big request to those who try to buy the cheapest MikroTik "toy" for $20 and replace a $500 router with it: don't. Devices like the "hAP Lite"/"hAP mini" (home access points) have a very weak CPU (smips) and will most likely not cope with the load of a business segment.

Warning! This solution has one drawback: every client connect or disconnect changes the configuration, which the router then tries to save to its non-volatile memory. With a large number of clients and frequent connects and disconnects, this can lead to wear of the router's internal storage.

PS: The ways of delivering the code to the client can be extended and supplemented as far as your programming skills allow. For example, you could send the message via Telegram, or... suggest your options!

I hope this article is useful and helps make small and medium business networks a little more secure.

Source: www.habr.com