This article describes how to set up remote access for employees using open-source products, which can be used both to build a complete standalone system and to scale out when the licenses of an existing commercial system run short or its performance is insufficient.
The goal of the article is to implement a complete remote-access system for an organization, which is a little more than "installing OpenVPN in 10 minutes".
As a result, we get a system that uses certificates and (optionally) the corporate Active Directory to authenticate users. That is, a system with two authentication factors: something I have (a certificate) and something I know (a password).
A user is allowed to connect if they are a member of the myVPNUsr group. The certificate authority will be used offline.
The cost of implementing the solution is only modest hardware resources and one hour of a system administrator's time.
We will use a virtual machine with OpenVPN and Easy-RSA 3 on CentOS 7, allocated 100 vCPUs and 4 GiB RAM for 4 connections.
For example, the organization's network is 172.16.0.0/16; the VPN server with address 172.16.19.123 is in the 172.16.19.0/24 segment, the DNS servers are 172.16.16.16 and 172.16.17.17, and 172.16.20.0/23 is allocated for VPN clients.
For connections from outside, port 1194/udp is used, and an A record gw.abc.ru is created in DNS for our server.
Disabling SELinux is not recommended! OpenVPN works fine without disabling the security policy.
We use CentOS 7.8.2003. The OS should be installed in a minimal configuration. It is convenient to do this with kickstart, by cloning a previously installed OS image, or by other means.
After installation and assigning an address to the network interface (172.16.19.123 under the conditions of the task), we update the OS:
$ sudo yum update -y && sudo reboot
We should also make sure that time is synchronized on our machine.
For the application software you will need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required).
The parameters for the ABC LLC organization are described here; you can change them to real ones or leave the example values. The most important parameter is the last line, which sets the validity period of certificates in days. The example uses a value of 10 years (365 * 10 + 2 leap years). This value will need to be changed before issuing user certificates.
Next, we set up the standalone certificate authority.
The setup consists of exporting the variables, initializing the CA, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be stored with great care and kept secret! All request parameters can be left at their defaults.
This completes the main part of setting up the cryptographic subsystem.
Setting up OpenVPN
Go to the OpenVPN directory, create the service directories and add a link to easy-rsa:
cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/
Create the main OpenVPN configuration file:
$ sudo vim server.conf
with the following content:
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
# the client template below carries the same key as <tls-auth> with key-direction 1,
# so the server must use it with direction 0 (path assumes ta.key was written into the pki directory)
tls-auth /etc/openvpn/pki/ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
Some notes on the parameters:
if a different name was specified when issuing the server certificate, use it in the cert and key paths;
specify an address pool that suits your needs *;
there can be one or more routes and DNS servers; the pushed routes must cover every internal network the clients need to reach, including the DNS servers;
the last two lines are needed for authentication against AD **.
* The address range chosen in the example lets up to 127 clients connect at the same time, because a /23 network was chosen and OpenVPN allocates a /30 subnet to each client.
If really necessary, the port and protocol can be changed; however, keep in mind that changing the port number also means adjusting SELinux, and using TCP increases overhead, because TCP delivery control is already performed at the level of the packets encapsulated in the tunnel.
** If authentication against AD is not needed, comment these two lines out, skip the next section, and remove the auth-user-pass line from the template.
AD authentication
For the second factor, we will use account verification against AD.
We need a domain account with the rights of an ordinary user, and a group whose membership will decide who may connect.
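The plugin line in server.conf points at /etc/openvpn/ldap.conf, which is where the AD account and the myVPNUsr group check live. The following is an added example of that file for the openvpn-auth-ldap plugin, not the original article's own configuration; the domain controller name, the base DNs and the service account svc-openvpn are assumed placeholders for the abc.ru domain.

```conf
# /etc/openvpn/ldap.conf for openvpn-auth-ldap (added example; hostnames,
# DNs and the service account are assumed placeholders). Keep the file
# mode 0600: it contains the bind account password.
<LDAP>
    URL             ldap://dc1.abc.ru
    BindDN          "CN=svc-openvpn,OU=Service Accounts,DC=abc,DC=ru"
    Password        "CHANGE-ME"
    Timeout         15
    # StartTLS on port 389 so user passwords never cross the LAN in clear text
    TLSEnable       yes
    TLSCACertFile   /etc/openvpn/ad-root-ca.pem
    FollowReferrals yes
</LDAP>

<Authorization>
    BaseDN          "OU=Users,DC=abc,DC=ru"
    # %u is the username the client sent; the second clause rejects accounts
    # whose ACCOUNTDISABLE bit (2) is set in userAccountControl, so a disabled
    # account with a still-valid password and certificate cannot connect
    SearchFilter    "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    # A correct password alone is not enough: the account must also be a
    # member of myVPNUsr, which is the access switch described above
    RequireGroup    true
    <Group>
        BaseDN          "OU=Groups,DC=abc,DC=ru"
        SearchFilter    "(cn=myVPNUsr)"
        MemberAttribute member
    </Group>
</Authorization>
```

The group check compares the user's DN against the group's member attribute, so only direct membership counts; nested groups are not resolved. The plugin does not tie the username to the certificate CN, so a lost certificate still has to be revoked promptly rather than relying on the password alone.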
systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Issuing and revoking certificates
Since keys and other settings are needed in addition to the certificates themselves, it is convenient to wrap all of this in a single profile file. This file is handed to the user, who imports the profile into the OpenVPN client. To do this, we create a settings template and a script that generates the profile.
The contents of the root certificate (ca.crt) and the TLS key (ta.key) must be added to the profile.
Before issuing user certificates, do not forget to set the required certificate validity period in the parameters file. It should not be too long; I recommend limiting it to no more than 180 days.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Notes:
replace the PUT YOUR ... lines with the contents of your own certificate and key;
in the remote directive, write the name or address of your gateway;
the auth-user-pass directive is used for the additional external authentication.
In the home directory (or another convenient place) we create a script that requests a certificate and generates the profile:
vim ~/make.profile.sh
#!/bin/bash
# Issue a client certificate with Easy-RSA 3 and wrap it into an .ovpn profile.
if [ -z "$1" ] ; then
    echo "Missing mandatory client name. Usage: $0 vpn-username"
    exit 1
fi
# Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
# Get current year and lowercase client name; the lowercase name is used
# consistently for the CN, the key/cert files and the profile
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"
cd "$basepath" || exit 1
# Refuse to issue twice: a profile for this name already exists
if [ -e "$profile" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi
. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass || exit 1
./easyrsa --batch sign-req client "$client" || exit 1
# Make profile: the template, then inline <key> and <cert> blocks
cp "$clntpath/template.ovpn" "$profile"
echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"
echo "" >> "$profile"
# openssl x509 re-emits only the PEM block, dropping Easy-RSA's text header
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"
echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo "" >> "$profile"
# Remove tmp file
rm -f "$basepath/$client.crt"
echo "Complete. See $profile file."
cd ~
Make the file executable:
chmod a+x ~/make.profile.sh
Now we can issue our first certificate.
~/make.profile.sh my-first-user
Revocation
If a certificate is compromised (lost or stolen), it must be revoked and the CRL that the server reads via crl-verify regenerated. Note that the CRL itself has a validity period (EASYRSA_CRL_DAYS, 180 days by default in Easy-RSA 3), so gen-crl has to be rerun before it expires, otherwise the server rejects every client:
cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl
Viewing issued and revoked certificates
To view issued and revoked certificates, just look at the index file:
cd /usr/share/easy-rsa/3/
cat pki/index.txt
Explanation:
the first line is the server certificate;
the first character of each line is the status:
V (Valid) - valid;
R (Revoked) - revoked.
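As an added example (not from the original article), a small bash script that reads the same pki/index.txt and turns it into a report: revoked entries with their revocation date, a count per status letter, and entries still marked V whose expiry date has already passed. It runs on a constructed sample index so it can be tried offline; the real file is fed in with cat pki/index.txt | list_revoked.

```shell
#!/bin/bash
# Added example: report on Easy-RSA's pki/index.txt (the OpenSSL CA database).
# Fields are tab-separated: status (V/R/E), expiry as YYMMDDHHMMSSZ,
# revocation date (empty unless status is R), serial, filename, subject DN.
# Every function reads the index on stdin.

# Print the CN of each revoked certificate with its revocation date and serial.
list_revoked() {
    awk -F'\t' '$1 == "R" {
        sub(/^.*\/CN=/, "", $6)
        printf "%s revoked %s serial %s\n", $6, substr($3, 1, 6), $4
    }'
}

# Count entries with a given status letter (V, R or E).
count_status() {
    awk -F'\t' -v st="$1" '$1 == st { n++ } END { print n + 0 }'
}

# Print CNs still marked V whose expiry (YYMMDD) is before the cutoff (YYMMDD).
# Such entries stay "V" in the file until `easyrsa update-db` is run, so a
# periodic check against today's date catches them.
expired_as_of() {
    awk -F'\t' -v cutoff="$1" '$1 == "V" && substr($2, 1, 6) < cutoff {
        sub(/^.*\/CN=/, "", $6)
        print $6
    }'
}

# Constructed sample index: the gateway cert, one live user, one revoked user.
SAMPLE_INDEX=$(
    printf 'V\t300101120000Z\t\t01\tunknown\t/CN=myvpngw\n'
    printf 'V\t210301120000Z\t\t02\tunknown\t/CN=my-first-user\n'
    printf 'R\t220301120000Z\t200915093000Z\t03\tunknown\t/CN=stolen-laptop\n'
)

echo "valid certificates: $(printf '%s\n' "$SAMPLE_INDEX" | count_status V)"
printf '%s\n' "$SAMPLE_INDEX" | list_revoked
echo "marked V but expired as of 2022-01-01:"
printf '%s\n' "$SAMPLE_INDEX" | expired_as_of 220101
```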
Network setup
The final step is configuring the transport network: routing and firewalls.
In a corporate environment there may be several subnets, and we need to tell the router(s) how to deliver packets destined for our VPN clients. On the command line we enter a command along these lines (depending on the equipment used):
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
and save the configuration.
In addition, on the border router interface that serves the external address gw.abc.ru, udp/1194 packets must be allowed through.
If the organization has strict security rules, a firewall should also be configured on the VPN server itself. In my opinion, the greatest flexibility comes from configuring the iptables FORWARD chain, although configuring it is less convenient. A little more about that. The most convenient way is to use "direct rules", which are stored in the /etc/firewalld/direct.xml file. The current configuration of these rules can be found: