Organizing remote access for an SMB on OpenVPN

This article describes setting up remote access for employees using open-source products. It can be used both to build a fully self-contained system and as an extension to an existing commercial system when there is a shortage of licences or its performance is insufficient.

The aim of the article is to describe a complete system for providing remote access to an organization, which is somewhat more than "install OpenVPN in X minutes".

As a result we will have a system in which certificates and the corporate Active Directory are used to authenticate users. That gives us two-factor verification: what I have (the certificate) and what I know (the password).

The sign that a user is allowed to connect is their membership in the myVPNUsr group. The certificate authority will be used offline.

The cost of implementing the solution is only modest hardware resources and 1 hour of a system administrator's work.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, which is allocated 100 vCPUs and 4 GiB of RAM across 4 hosts.

In the example, our organization's network is 172.16.0.0/16. The VPN server with address 172.16.19.123 sits in the segment 172.16.19.0/24, the DNS servers are 172.16.16.16 and 172.16.17.17, and the subnet 172.16.20.0/23 is allocated to VPN clients.

For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.

Disabling SELinux is strongly discouraged! OpenVPN works without the security mechanisms being disabled.

Contents

  1. Installing the OS and application software
  2. Setting up cryptography
  3. Setting up OpenVPN
  4. AD authentication
  5. Startup and diagnostics
  6. Issuing and revoking certificates
  7. Network configuration
  8. What's next

Installing the OS and application software

We use the CentOS 7.8.2003 distribution. The OS must be installed in the minimal configuration. It is convenient to do this with a kickstart, by cloning a pre-installed OS image, or by other means.

After installation, having assigned the address to the network interface (172.16.19.123 according to the task), we update the OS:

$ sudo yum update -y && reboot

We also need to make sure that time synchronization is configured on our machine.
For the application software we install the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required).

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install a guest agent on the virtual machine:

$ sudo yum install open-vm-tools

for VMware ESXi hosts, or for oVirt:

$ sudo yum install ovirt-guest-agent

Setting up cryptography

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create the variables file:

$ sudo vim vars

with the following content:

export KEY_COUNTRY="RU"
export KEY_PROVINCE="MyRegion"
export KEY_CITY="MyCity"
export KEY_ORG="ABC LLC"
export KEY_EMAIL="[email protected]"
export KEY_CN="allUsers"
export KEY_OU="allUsers"
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
export EASYRSA_CERT_EXPIRE=3652

The parameters describe the hypothetical organization ABC LLC; you can replace them with real values or leave them as in the example. The most important parameter is the last line, which sets the validity of issued certificates in days. The example uses a value of 10 years (365*10+2 leap-year days). This value will need to be adjusted before user certificates are issued.

Next we configure the self-contained certificate authority.

The setup consists of exporting the variables, initializing the CA, issuing the CA root key and certificate, generating the Diffie-Hellman parameters and the TLS key, and issuing the server key and certificate. The CA key must be carefully guarded and kept secret! Leave all parameter prompts at their defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

This completes the main part of setting up the cryptographic mechanism.

Setting up OpenVPN

Go to the OpenVPN directory, create the working directories and add a link to easy-rsa:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following content:

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some notes on the parameters:

  • if a different name was given when the server certificate was issued, specify it;
  • specify an address pool appropriate for your task*;
  • there may be one or more routes and DNS servers;
  • the last 2 lines are needed to enable authentication in AD**.

*The addressing scheme chosen in the example allows up to 127 clients to connect simultaneously, because a /23 network is chosen and OpenVPN creates a subnet with a /30 mask for each client.
If really necessary, the port and protocol can be changed; keep in mind, however, that changing the port number entails SELinux configuration, and using TCP will increase overhead, since TCP delivery control is already performed by the packets encapsulated inside the tunnel.
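As an added check (example code, not part of the original article), the following bash functions size the client pool from the netmask on the server directive. They reproduce the 127-client figure for the /23 pool above under OpenVPN's default net30 topology, and also give the figure for topology subnet, which the article does not use; the function names are my own.

```shell
#!/bin/bash
# Added example: size an OpenVPN address pool from the "server NETWORK NETMASK" line.
# Constructed for this page; the 127-client result for 172.16.20.0/23 matches the article.

# Convert a dotted-decimal netmask (255.255.254.0) to a prefix length (23)
# by counting the set bits in each octet.
mask_to_prefix() {
  local IFS=. octet bits=0
  for octet in $1; do
    while [ "$octet" -gt 0 ]; do
      bits=$(( bits + (octet & 1) ))
      octet=$(( octet >> 1 ))
    done
  done
  echo "$bits"
}

# Number of addresses covered by a netmask.
mask_size() {
  echo $(( 1 << (32 - $(mask_to_prefix "$1")) ))
}

# Default (net30) topology: every client gets its own /30 (4 addresses),
# and the server itself consumes the first /30.
net30_clients() {
  echo $(( $(mask_size "$1") / 4 - 1 ))
}

# "topology subnet": one address per client, minus the network address,
# the broadcast address and the server's own address.
subnet_clients() {
  echo $(( $(mask_size "$1") - 3 ))
}

# Usage with the article's pool (server 172.16.20.0 255.255.254.0):
echo "net30  : $(net30_clients 255.255.254.0) clients"   # 127
echo "subnet : $(subnet_clients 255.255.254.0) clients"  # 509
```

If the pool turns out to be too small for the expected number of simultaneous users, widening the netmask on the server directive (and the corresponding static route on the corporate router) is the fix; the /30-per-client cost of the default topology is the reason a /23 only yields 127 clients.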

**If authentication in AD is not needed, comment these lines out, skip the next section, and remove the auth-user-pass line from the client template.

AD authentication

To support the second factor, we will use account verification in AD.

We need an account in the domain with ordinary user rights, and a group whose membership will determine who is allowed to connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the following content:

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

And the main parameters:

  • URL "ldap://ldap.abc.ru" - address of the domain controller;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - canonical name of the account used to bind to LDAP (the bindUsr account in the abc.ru/Users container);
  • Password b1ndP@SS - password of the bind account;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" - path from which the user search starts;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" - container of the permitting group (the myVPNUsr group in the abc.ru/myGrp container);
  • SearchFilter "(cn=myVPNUsr)" - name of the permitting group.

Startup and diagnostics

Now let's try to enable and start our server:

$ sudo systemctl enable openvpn@server.service
$ sudo systemctl start openvpn@server.service

Status check:

systemctl status openvpn@server.service
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Issuing and revoking certificates

Besides the certificates themselves, the keys and a number of other settings are needed, so it is most convenient to package all of this into a single file. This file is then handed to the user and imported into the OpenVPN client as a profile. To do this, we will create a settings template and a script that generates the profile.

You need to add the contents of the root certificate (ca.crt) and the TLS key (ta.key) to the template.

Before issuing user certificates, don't forget to set the required certificate validity period in the variables file. You shouldn't make it too long: I recommend limiting it to a maximum of 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • replace the PUT YOUR... lines with the contents of your certificate and key;
  • in the remote directive, specify the name/address of your gateway;
  • the auth-user-pass directive is used for the additional external authentication.

In the home directory (or another convenient place) we create a script that requests a certificate and builds the profile:

vim ~/make.profile.sh

#!/bin/bash

if [ -z "$1" ] ; then
 echo "Missing mandatory client name. Usage: $0 vpn-username"
 exit 1
fi

#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

#Get current year and lowercase client name (the lowercased name is used everywhere below)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"

cd "$basepath" || exit 1

#Refuse to issue a second certificate for a client that already has a profile
if ls "$clntpath/$client"* >/dev/null 2>&1; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"

#Make profile: template plus the inline private key and certificate
cp "$clntpath/template.ovpn" "$profile"

echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"

echo "" >> "$profile"
#Re-encode the issued certificate so only the PEM block (without the text dump) goes into the profile
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"

echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo "" >> "$profile"

#remove tmp file
rm -f "$basepath/$client.crt"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod a+x ~/make.profile.sh

And we can issue the first certificate:

~/make.profile.sh my-first-user

Revocation

In the event of a certificate compromise (loss, theft), the certificate must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

Viewing issued and revoked certificates

To view the issued and revoked certificates, just look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanation:

  • the first line is the server certificate;
  • the first character:
    • V (Valid) - valid;
    • R (Revoked) - revoked.
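Reading index.txt by eye works for a handful of users; with the 180-day validity recommended above, what an administrator actually wants is a list of which certificates are revoked and which are about to expire. The following bash functions are an added example, not part of the original article: they parse the tab-separated easy-rsa 3 index format (status, expiry as YYMMDDHHMMSSZ, revocation date, serial, "unknown", subject DN) and run over a constructed sample index rather than a real one.

```shell
#!/bin/bash
# Added example: report on easy-rsa 3's pki/index.txt.
# Each line is tab-separated: status (V/R), expiry (YYMMDDHHMMSSZ), revocation
# date (empty unless revoked), serial, "unknown", subject DN.
# SAMPLE_INDEX is constructed for this page; it is not a real index.txt.

SAMPLE_INDEX=$(printf 'V\t300101120000Z\t\t01\tunknown\t/CN=myvpngw\nV\t991231235959Z\t\t02\tunknown\t/CN=alice\nR\t991231235959Z\t240601120000Z\t03\tunknown\t/CN=my-first-user\nV\t200101000000Z\t\t04\tunknown\t/CN=old-laptop')

# Number of entries with the given status letter (V or R); index on stdin.
count_status() {
  awk -F'\t' -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# CNs of revoked certificates; index on stdin.
revoked_cns() {
  awk -F'\t' '$1 == "R" { sub(/^.*\/CN=/, "", $6); print $6 }'
}

# CNs of still-valid certificates whose expiry is on or before the cutoff.
# The cutoff uses the same YYMMDDHHMMSSZ form as the index, so a plain
# string comparison orders the timestamps correctly.
expiring_by() {
  awk -F'\t' -v c="$1" '$1 == "V" && $2 <= c { sub(/^.*\/CN=/, "", $6); print $6 }'
}

# Usage against the constructed sample. On the server, feed the real file
# instead: cat /usr/share/easy-rsa/3/pki/index.txt | revoked_cns
now=$(date -u +%y%m%d%H%M%SZ)
echo "valid: $(printf '%s\n' "$SAMPLE_INDEX" | count_status V), revoked: $(printf '%s\n' "$SAMPLE_INDEX" | count_status R)"
echo "revoked CNs: $(printf '%s\n' "$SAMPLE_INDEX" | revoked_cns)"
echo "already expired: $(printf '%s\n' "$SAMPLE_INDEX" | expiring_by "$now")"
```

A revoked entry only takes effect on the server once gen-crl has been rerun and the resulting crl.pem is the one referenced by crl-verify, so a periodic run of revoked_cns against the index is a cheap way to confirm the CRL is not stale.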

Network configuration

The last steps are to configure the transport network: routing and the firewall.

Allow connections in the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP forwarding:

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a corporate environment there is most likely subnetting, and the router(s) need to be told how to deliver packets destined for our VPN clients. On the router we run a command of the following kind (depending on the device used):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

Also, on the border router interface that serves the external address gw.abc.ru, udp/1194 must be allowed through.

If the organization has strict security rules, the firewall should also be configured on the VPN server itself. In my opinion, the greatest flexibility comes from building iptables chains, although building them is less convenient. A few words on setting this up. The most convenient way is to use firewalld "direct rules", which are stored in the file /etc/firewalld/direct.xml. The current rule configuration can be viewed like this:

$ sudo firewall-cmd --direct --get-all-rule

Before changing the file, make a backup copy of it:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The approximate contents of the file are:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Explanations

These are essentially ordinary iptables rules, just packaged differently since the arrival of firewalld.

With the default settings the tunnel interface is tun0, while the external interface may differ, for example ens192, depending on the platform used.

The last line logs the packets that are not matched by the rules above it. For the logging to work, you need to change the debug level in the firewalld configuration:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

To apply the settings, use the usual firewalld command to re-read the configuration:

$ sudo firewall-cmd --reload

You can inspect the logged packets like this:

grep forward_fw /var/log/messages

What's next

This completes the setup!

What remains is to install the client software on the client side, import the profile and connect. For Windows operating systems, the distribution package is available on the developer's website.

Finally, we connect our new server to the monitoring and backup systems, and don't forget to install updates regularly.

Stable connections!

Source: www.habr.com