Configuring remote access for small and medium business users with OpenVPN

Problem statement

This article describes how to set up remote access for employees using open-source products. The result can be used both to build a fully self-contained system and to add capacity when an existing commercial system has run out of licences or does not perform well enough.

The goal is to implement a complete system for providing remote access to an organization, which is somewhat more than "installing OpenVPN in 10 minutes".

The result is a system that authenticates users with certificates and (optionally) Active Directory. So we get two authentication factors: something I have (the certificate) and something I know (the password).

A user is allowed to connect if they are a member of the myVPNUsr group. The certificate authority is operated offline.

The cost of implementing the solution is a small amount of hardware resources and about one hour of a system administrator's time.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPUs and 4 GiB RAM for 4 connections.

In the example, the organization's network is 172.16.0.0/16; the VPN server, with address 172.16.19.123, sits in the 172.16.19.0/24 segment; the DNS servers are 172.16.16.16 and 172.16.17.17. The range 172.16.20.0/23 is allocated to VPN clients.

Connections from outside arrive on port 1194/udp, and an A record gw.abc.ru is created in DNS for the server.

Disabling SELinux is strongly discouraged! OpenVPN works fine with the security policy enforced.

Contents

  1. Installing the OS and application software
  2. Configuring cryptography
  3. Configuring OpenVPN
  4. AD authentication
  5. Startup and diagnostics
  6. Issuing and revoking certificates
  7. Network setup
  8. What next

Installing the OS and application software

We use CentOS 7.8.2003. The OS should be installed in a minimal configuration; a kickstart, cloning a previously installed image, or any other method will do.

After installation, assign the address from the task description (172.16.19.123) to the network interface and update the OS:

$ sudo yum update -y && sudo reboot

Also make sure time synchronization is working on the machine: certificate validity and CRL checks depend on a correct clock.

For the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as an editor (the EPEL repository is required):

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is also worth installing the guest agent for the virtual machine:

$ sudo yum install open-vm-tools

for VMware ESXi guests, or for oVirt:

$ sudo yum install ovirt-guest-agent

Configuring cryptography

Go to the Easy-RSA directory:

$ cd /usr/share/easy-rsa/3/

Create the variables file:

$ sudo vim vars

with the following contents:

# Easy-RSA 3 reads EASYRSA_* variables; the KEY_* names used by Easy-RSA 2
# (KEY_COUNTRY, KEY_NAME, KEY_ALTNAMES, ...) are silently ignored by version 3.
# The organization fields below only end up in the subject when EASYRSA_DN="org";
# the default "cn_only" mode puts just the CN into the certificate.
export EASYRSA_REQ_COUNTRY="RU"
export EASYRSA_REQ_PROVINCE="MyRegion"
export EASYRSA_REQ_CITY="MyCity"
export EASYRSA_REQ_ORG="ABC LLC"
export EASYRSA_REQ_EMAIL="[email protected]"
export EASYRSA_REQ_OU="allUsers"
export EASYRSA_REQ_CN="allUsers"
# Validity of issued (server and client) certificates, in days.
# The CA certificate's own lifetime is EASYRSA_CA_EXPIRE (default 3650).
export EASYRSA_CERT_EXPIRE=3652

The parameters here describe the organization ABC LLC; replace them with real values or leave them as in the example. The most important parameter is the last line, which sets the validity period of issued certificates in days. The example uses 10 years (365 * 10 + 2 leap days), which suits the server certificate issued in this step. This value must be changed before user certificates are issued.

Next we set up the self-contained certificate authority.

Setup consists of exporting the variables, initializing the PKI, issuing the CA root key and certificate, generating Diffie-Hellman parameters and a TLS (tls-auth) key, and issuing the server key and certificate. The CA key must be kept strictly secret! The example builds it with nopass, so pki/private/ca.key is stored unencrypted; for a CA that is meant to be used offline, consider omitting nopass so the key is protected by a passphrase, and keep that file off the VPN host. All prompts can be answered with their defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

This completes the main part of the cryptographic setup.

Configuring OpenVPN

Go to the OpenVPN directory, create the log, per-client and profile directories, and add a symbolic link to the Easy-RSA PKI (these commands need root):

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following contents:

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some notes on the parameters:

  • if a different name was used when issuing the server certificate, use it in the cert and key lines;
  • choose an address pool that fits your needs *;
  • there can be one or more route and DNS entries; the mask 255.255.0.0 in the first route matches the 172.16.0.0/16 corporate network from the task description;
  • the tls-auth line loads the ta.key generated earlier (direction 0 on the server, 1 in the client profile); without it the server rejects clients whose profile embeds the key;
  • the last two lines are needed for AD authentication **.

* The pool in the example lets up to 127 clients connect at once: a /23 network is used, and with the default net30 topology OpenVPN allocates a /30 to each client. Adding "topology subnet" gives each client a single address and raises the limit to about 500.
If really necessary the port and protocol can be changed, but keep in mind that a non-standard port must be registered with SELinux (semanage port -a -t openvpn_port_t -p udp PORT), and that TCP adds overhead, because the packets carried inside the tunnel already perform their own TCP delivery control.

** If AD authentication is not needed, comment out these two lines, skip the next section, and remove the auth-user-pass line from the client template.

AD authentication

For the second factor we verify the account against AD.

We need a domain account with ordinary user rights, and a group whose membership determines who may connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the following contents:

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Main parameters:

  • URL "ldap://ldap.abc.ru" - the address of the domain controller;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - the canonical name used to bind to LDAP (the bindUsr account in the abc.ru/Users container);
  • Password b1ndP@SS - the password of that account;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" - where the user search starts;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" - the container of the group that grants access (the myVPNUsr group in abc.ru/myGrp);
  • SearchFilter "(cn=myVPNUsr)" - the name of the group that grants access.

Two things to keep in mind. The file contains the bind password, so make it readable by root only (chmod 600 /etc/openvpn/ldap.conf; the plugin reads it at startup, before OpenVPN drops privileges to nobody). And with TLSEnable no, the bind password and every user's password cross the network in clear text; in production use an ldaps:// URL or TLSEnable yes with TLSCACertFile pointing at the domain's CA certificate. Note also that RequireGroup checks direct membership through the member attribute; nested groups are not expanded.

Startup and diagnostics

Now we can enable and start the server (the openvpn@ unit reads /etc/openvpn/<name>.conf, so our server.conf is started as openvpn@server):

$ sudo systemctl enable openvpn@server.service
$ sudo systemctl start openvpn@server.service

Checking the startup:

systemctl status openvpn@server.service
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Issuing and revoking certificates

Since a user needs keys and other settings in addition to the certificate itself, it is convenient to pack everything into a single profile file. This file is handed to the user, who imports it into the OpenVPN client. To do this we create a settings template and a script that generates profiles.

The contents of the root certificate (ca.crt) and the TLS key (ta.key) must be added to the profile.

Before issuing user certificates, remember to set the required validity period in the parameters file. Don't make it too long; I recommend no more than 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • replace the PUT YOUR ... lines with the contents of the corresponding file;
  • in the remote directive write the name/address of your gateway;
  • the auth-user-pass directive enables the additional external (AD) authentication.

In the home directory (or any other convenient place) create a script that requests the certificate and builds the profile:

vim ~/make.profile.sh
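The server.conf above and this client template have to agree on port, protocol and tls-auth, and each must carry its own safety net (crl-verify on the server, remote-cert-tls server on the client). The following POSIX shell functions are an added example, not code from the original article: they read a server config and a client profile, report the mismatches and omissions that break the handshake or quietly weaken the setup, and return the number of findings. The sample configs are constructed in temporary files for the demonstration; the real files are /etc/openvpn/server.conf and /usr/share/easy-rsa/3/client/template.ovpn.

```shell
#!/bin/sh
# Added example, not code from the original article: a consistency check
# between server.conf and the client profile template. Assumes the plain
# one-directive-per-line syntax used on this page (no "config" includes).

# directive FILE NAME -> arguments of the first line whose first word is NAME
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# has_block FILE TAG -> succeeds if FILE contains an inline <TAG> section
has_block() {
    grep -q "^<$2>" "$1"
}

# check_pair SERVER_CONF CLIENT_PROFILE
#   Each finding is printed to stderr; the number of findings goes to stdout.
check_pair() {
    srv=$1; cli=$2; n=0
    sport=$(directive "$srv" port)
    cport=$(directive "$cli" remote | awk '{ print $2 }')
    sproto=$(directive "$srv" proto)
    cproto=$(directive "$cli" proto)

    [ "$sport" = "$cport" ] \
        || { echo "port mismatch: server '$sport', client remote '$cport'" >&2; n=$((n + 1)); }
    [ "$sproto" = "$cproto" ] \
        || { echo "proto mismatch: server '$sproto', client '$cproto'" >&2; n=$((n + 1)); }

    # A client that wraps the handshake in tls-auth HMACs is rejected by a
    # server that never loaded ta.key.
    if has_block "$cli" tls-auth || [ -n "$(directive "$cli" tls-auth)" ]; then
        [ -n "$(directive "$srv" tls-auth)" ] \
            || { echo "client carries a tls-auth key but server.conf has no 'tls-auth ... 0' line" >&2; n=$((n + 1)); }
    fi
    # Without crl-verify a revoked user certificate still authenticates.
    [ -n "$(directive "$srv" crl-verify)" ] \
        || { echo "server.conf has no crl-verify line" >&2; n=$((n + 1)); }
    # Without remote-cert-tls server, any certificate this CA issued (a user's,
    # for example) could impersonate the gateway to the client.
    [ "$(directive "$cli" remote-cert-tls)" = "server" ] \
        || { echo "client profile lacks 'remote-cert-tls server'" >&2; n=$((n + 1)); }

    echo "$n"
}

# --- constructed sample configs written to temp files (not the page's real files) ---
SRV_OK=$(mktemp); SRV_NO_TA=$(mktemp); CLI_OK=$(mktemp); CLI_TCP=$(mktemp)
cat > "$SRV_OK" <<'EOF'
port 1194
proto udp
crl-verify /etc/openvpn/pki/crl.pem
tls-auth /etc/openvpn/pki/ta.key 0
EOF
grep -v '^tls-auth' "$SRV_OK" > "$SRV_NO_TA"      # server.conf without the tls-auth line
cat > "$CLI_OK" <<'EOF'
client
proto udp
remote gw.abc.ru 1194
remote-cert-tls server
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(key material omitted in this constructed sample)
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
sed -e 's/^proto udp/proto tcp/' -e '/^remote-cert-tls/d' "$CLI_OK" > "$CLI_TCP"

# Usage: a server.conf without tls-auth paired with the template yields one finding
check_pair "$SRV_NO_TA" "$CLI_OK"
```

On the real server run check_pair /etc/openvpn/server.conf /usr/share/easy-rsa/3/client/template.ovpn before issuing profiles; a non-zero count means the generated profiles would either fail to connect or connect with a weaker guarantee than intended.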

#!/bin/bash

if [ -z "$1" ] ; then
  echo "Missing mandatory client name. Usage: $0 vpn-username"
  exit 1
fi

# Profiles contain the user's private key: make everything we create 0600.
umask 077

# Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

# Current year and lowercased client name (file names and the certificate CN
# must match, so the lowercased form is used everywhere below)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"

cd "$basepath" || exit 1

if [ -f "$certpath/$client.crt" ] || [ -f "$profile" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass || exit 1
./easyrsa --batch sign-req client "$client" || exit 1

# Make profile: template plus inline key and certificate
cp "$clntpath/template.ovpn" "$profile"

{
  echo "<key>"
  cat "$privpath/$client.key"
  echo "</key>"
  echo
  echo "<cert>"
  # openssl x509 re-emits only the PEM block, dropping the text dump
  # that easy-rsa prepends to issued certificates
  openssl x509 -in "$certpath/$client.crt"
  echo "</cert>"
  echo
} >> "$profile"

echo "Complete. See $profile file."

Make the file executable:

chmod a+x ~/make.profile.sh

Now we can issue our first certificate:

~/make.profile.sh my-first-user

Revocation

If a certificate is compromised (lost, stolen), it must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

The server re-reads crl.pem on each new connection, so no restart is needed. Note that the CRL itself has a validity period (EASYRSA_CRL_DAYS, 180 days by default): once it expires, crl-verify fails for every client, so rerun gen-crl before then even if nothing has been revoked.

Checking issued and revoked certificates

To see issued and revoked certificates, just look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanation:

  • the first line is the server certificate;
  • the first character:
    • V (Valid) - valid;
    • R (Revoked) - revoked;
    • E (Expired) - expired, shown after running ./easyrsa update-db.
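Reading index.txt by eye works for a handful of users; with the 180-day policy above it is more useful to ask which certificates expire soon. The following POSIX shell functions are an added example, not part of the original article: they parse the tab-separated CA database (status, expiry as YYMMDDHHMMSSZ, revocation date, serial, filename, subject DN), count entries by status and flag valid certificates that expire before a cutoff. The index lines below are constructed for the demonstration; the real file is /usr/share/easy-rsa/3/pki/index.txt.

```shell
#!/bin/sh
# Added example: report on the Easy-RSA CA database (pki/index.txt).
# Fields are tab-separated: status (V/R/E), expiry (YYMMDDHHMMSSZ),
# revocation date (empty unless R), serial, filename, subject DN.

# ca_report INDEX CUTOFF
#   CUTOFF uses the same YYMMDDHHMMSSZ form as index.txt, so a plain string
#   comparison orders dates correctly. One line per certificate:
#   STATUS SERIAL CN [revoked=DATE] [EXPIRES-SOON]
ca_report() {
    awk -F '\t' -v cutoff="$2" '
        {
            status = $1; expiry = $2; revoked = $3; serial = $4; dn = $6
            cn = dn
            sub(".*/CN=", "", cn)   # keep what follows CN=
            sub("/.*", "", cn)      # drop any later RDNs
            extra = ""
            if (status == "R") extra = " revoked=" revoked
            if (status == "V" && expiry <= cutoff) extra = extra " EXPIRES-SOON"
            printf "%s %s %s%s\n", status, serial, cn, extra
        }' "$1"
}

# ca_count INDEX STATUS -> number of entries with that status letter
ca_count() {
    awk -F '\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }' "$1"
}

# ca_expiring INDEX CUTOFF -> number of valid certificates expiring by CUTOFF
ca_expiring() {
    ca_report "$1" "$2" | awk '/EXPIRES-SOON$/ { n++ } END { print n + 0 }'
}

# --- constructed sample index: server cert, two users, one revoked user ---
SAMPLE_INDEX=$(mktemp)
printf 'V\t300101000000Z\t\t01\tunknown\t/CN=myvpngw\n'              >  "$SAMPLE_INDEX"
printf 'V\t201101000000Z\t\t02\tunknown\t/CN=alice\n'                >> "$SAMPLE_INDEX"
printf 'V\t210301000000Z\t\t03\tunknown\t/CN=bob\n'                  >> "$SAMPLE_INDEX"
printf 'R\t210301000000Z\t200915120000Z\t04\tunknown\t/CN=mallory\n' >> "$SAMPLE_INDEX"

# Usage: list everything, flagging valid certificates that expire before 2020-12-01.
# On the real server (GNU date):
#   ca_report pki/index.txt "$(date -u -d '+30 days' +%y%m%d%H%M%SZ)"
ca_report "$SAMPLE_INDEX" 201201000000Z
```

Run ca_expiring from cron against the real index with a cutoff a few weeks ahead and you get a reminder to reissue profiles before users are locked out; remember that the CRL has its own expiry and is not listed in index.txt.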

Network setup

The final step is the transport network: routing and firewalls.

Allow connections on the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP forwarding (the file must be written as root, hence tee rather than a redirect after sudo):

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a corporate environment there may be several subnets, and the router(s) must be told how to reach the VPN clients. On the router's command line we add the route (the syntax depends on the equipment; this is the Cisco IOS form):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

In addition, on the border router interface that serves the external address gw.abc.ru, udp/1194 must be allowed through.

If the organization has strict security rules, the firewall on the VPN server itself also needs configuring. In my opinion, iptables FORWARD chains give the most flexibility, although they are not very convenient to set up. On CentOS 7 this step is not really optional: firewalld does not forward traffic between interfaces unless masquerading is enabled on the zone or explicit rules allow it, so tunnel traffic would otherwise be rejected. A few words on setting them up. The most convenient way is "direct rules", stored in /etc/firewalld/direct.xml (the same rules can be added one at a time with firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 ...). The current set of such rules can be listed with:

$ sudo firewall-cmd --direct --get-all-rules

Before editing the file, make a backup:

sudo cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The file contents are approximately as follows:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services: tun0 is the tunnel, ens192 the LAN-side interface (adjust to your names)-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.200 --dport 80 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.201 --dport 443 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp -d 172.16.19.100 --dport 7000 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Explanation

These are ordinary iptables rules, just wrapped in firewalld's own format.

The incoming interface is tun0 (the default tunnel device); the outgoing LAN interface depends on the platform, e.g. ens192 or eth0, so adjust the -o arguments to your interface name. The DNS rule can be narrowed further with -d 172.16.16.16 and -d 172.16.17.17, the servers pushed to the clients.

The last line logs every forwarded packet from the tunnel that none of the priority-0 rules accepted; firewalld's built-in FORWARD chain then rejects it. The LOG target writes to the kernel log, which rsyslog collects in /var/log/messages, so no change to firewalld's own log level is required. If you want more verbose logging from the firewalld daemon itself while troubleshooting, set in its configuration:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

The settings are applied with the usual firewalld reload command:

$ sudo firewall-cmd --reload

Rejected packets can then be viewed like this:

grep forward_fw /var/log/messages

What next

This completes the configuration!

All that remains is to install the client software on the client side, import the profile and connect. For Windows the installer is available on the developer's site.

Finally, add the new server to the monitoring and backup systems, and don't forget to install updates regularly.

Stable connections!

isi: www.habr.com
