Organising remote work for an SMB organisation on OpenVPN

Problem statement

This article describes how to organise remote access for employees using open-source products. The result can be used to build a fully independent system, and it is also useful for scaling when an existing commercial system has run out of licences or its performance is insufficient.

The goal of the article is to implement a complete system for providing remote access to an organisation, which is a little more than "installing OpenVPN in 10 minutes".

As a result, we get a system in which certificates and (optionally) the corporate Active Directory are used to authenticate users. That is, we get a system with two verification factors: something I have (a certificate) and something I know (a password).

The sign that a user is allowed to connect is membership of the myVPNUsr group. The certificate authority will be used offline.

The cost of implementing the solution is a small amount of hardware resources and 1 hour of a system administrator's work.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPU and 4 GiB RAM for 4 connections.

In the example, our organisation's network is 172.16.0.0/16, in which the VPN server with address 172.16.19.123 sits in the 172.16.19.0/24 segment, the DNS servers are 172.16.16.16 and 172.16.17.17, and the subnet 172.16.20.0/23 is allocated for VPN clients.

For connections from outside, port 1194/udp is used, and an A record gw.abc.ru is created in DNS for our server.

Disabling SELinux is strongly discouraged! OpenVPN works without disabling security policies.

Contents

  1. Installing the OS and application software
  2. Setting up the certificate authority
  3. Configuring OpenVPN
  4. AD authentication
  5. Start and diagnostics
  6. Certificate issuance and revocation
  7. Network settings
  8. What next

Installing the OS and application software

We will use the CentOS 7.8.2003 distribution. Install the OS in the minimal configuration; it is convenient to do this using kickstart, by cloning a previously installed OS image, or by other means.

After installation, assign an address to the network interface (172.16.19.123 according to the task conditions) and update the OS:

$ sudo yum update -y && reboot

Also make sure that time synchronisation is running on our machine.
To install the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required).

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install a guest agent for the virtual machine:

$ sudo yum install open-vm-tools

for VMware ESXi hosts, or for oVirt:

$ sudo yum install ovirt-guest-agent

Setting up the certificate authority

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create a variables file:

$ sudo vim vars

with the following content:

# Note: Easy-RSA 3 reads its request defaults from EASYRSA_* variables; the KEY_*
# names below are the legacy Easy-RSA 2 names and are not read by version 3.
# EASYRSA_CERT_EXPIRE (the last line) is honoured and sets the validity in days.
export KEY_COUNTRY="RU"
export KEY_PROVINCE="MyRegion"
export KEY_CITY="MyCity"
export KEY_ORG="ABC LLC"
export KEY_EMAIL="[email protected]"
export KEY_CN="allUsers"
export KEY_OU="allUsers"
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
export EASYRSA_CERT_EXPIRE=3652

The parameters of the fictitious organisation ABC LLC are described here; you can replace them with real values or leave them as in the example. The most important parameter is the last line, which sets the certificate validity period in days. The example uses a value of 10 years (365*10 plus 2 leap days). This value must be corrected before issuing user certificates.

Next, we configure our own certificate authority.

The setup consists of exporting the variables, initialising the PKI, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All prompted parameters can be left at their defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

This completes the main part of setting up the cryptographic machinery.

Configuring OpenVPN

Go to the OpenVPN directory, create the service directories, and add a link to easy-rsa:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following content:

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# ta.key from "openvpn --genkey"; direction 0 here pairs with key-direction 1 in the client profile
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# the corporate network is 172.16.0.0/16, so the pushed route needs a /16 mask
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
# the next 2 lines enable authentication against AD via the openvpn-auth-ldap plugin
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some comments on the parameters:

  • if a different name was given when the server certificate was issued, specify it;
  • set the address pool according to your needs*;
  • there may be one or more routes and DNS servers;
  • the last 2 lines are needed for authentication against AD**.

*The address range in the example allows up to 127 clients to connect simultaneously, because a /23 network is specified and OpenVPN allocates a /30 subnet to each client.
If necessary, the port and protocol can be changed, but bear in mind that changing the port number involves configuring SELinux, and using tcp increases overhead, because TCP delivery control is already performed by the packets encapsulated inside the tunnel.

**If authentication against AD is not required, skip the next section and remove the auth-user-pass line from the client template.

AD authentication

To support the second factor, we use account verification in AD.

We need an account in the domain with ordinary user rights, and a group whose membership determines the ability to connect.

Create a configuration file:

/etc/openvpn/ldap.conf

with the following content:

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Main settings:

  • URL "ldap://ldap.abc.ru": the domain controller address;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru": the distinguished name used to bind to LDAP (the account bindUsr in the abc.ru/Users container);
  • Password b1ndP@SS: the password of the bind user;
  • BaseDN "OU=allUsr,DC=abc,DC=ru": the path from which the user search starts;
  • BaseDN "OU=myGrp,DC=abc,DC=ru": the container of the permitting group (the group myVPNUsr in the abc.ru/myGrp container);
  • SearchFilter "(cn=myVPNUsr)": the name of the permitting group.

Note that with TLSEnable no, both the bind password and the users' passwords travel to the domain controller in clear text, and the file itself holds the bind password, so ldap.conf should be readable by root only.

Start and diagnostics

Now we can try to enable and start our server:

$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server

Checking startup:

systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Certificate issuance and revocation

Since, in addition to the certificates themselves, keys and a number of settings are needed, it is very convenient to pack all of this into a single profile file. This file is handed to the user, and the profile is imported into the OpenVPN client. To do this we create a settings template and a script that generates the profile.

The contents of the root certificate (ca.crt) and TLS key (ta.key) files need to be added to the profile.

Before issuing user certificates, don't forget to set the required certificate validity period in the parameters file. Don't make it too long; I recommend limiting it to 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • replace the PUT YOUR... lines with the actual contents of the certificate and key;
  • in the remote directive, specify the name/address of your gateway;
  • the auth-user-pass directive is used for external authentication.

In the home directory (or any other convenient place) we create a script that requests a certificate and builds the profile:

vim ~/make.profile.sh

#!/bin/bash

if [ -z "$1" ] ; then
  echo "Missing mandatory client name. Usage: $0 vpn-username"
  exit 1
fi

# Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

# Get current year and lowercase client name; every path below uses the lowercased name
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"

cd "$basepath" || exit 1

# Refuse to issue twice: easy-rsa keeps one request/key/cert per name
if [ -f "pki/reqs/$client.req" ] || [ -f "$profile" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass || exit 1
./easyrsa --batch sign-req client "$client" || exit 1

# Make profile; it embeds the private key, so keep it readable by the owner only
umask 077
cp "$clntpath/template.ovpn" "$profile"

{
  echo "<key>"
  cat "$privpath/$client.key"
  echo "</key>"
  echo
  # openssl x509 drops the human-readable text block that easy-rsa leaves in
  # issued/*.crt and keeps only the PEM certificate
  echo "<cert>"
  openssl x509 -in "$certpath/$client.crt"
  echo "</cert>"
  echo
} >> "$profile"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod a+x ~/make.profile.sh

And we can issue our first certificate.

~/make.profile.sh my-first-user

Revocation

If a certificate is compromised (lost, stolen), it must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

Viewing issued and revoked certificates

To view issued and revoked certificates, simply look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanation:

  • the first line is the server certificate;
  • the first letter
    • V (Valid): valid;
    • R (Revoked): revoked.
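As an added example (not part of the original article), the following bash functions parse an index.txt in the format described above: they count valid and revoked entries, look up the status of one CN, and flag entries still marked V whose expiry date has already passed. The sample index is constructed, and the CN lookup assumes Easy-RSA 3's default subject form /CN=name.

```bash
#!/bin/bash
# Added example, not part of the original article: summarise an Easy-RSA 3
# pki/index.txt. Each line is tab-separated: status letter (V valid, R revoked),
# expiry as YYMMDDHHMMSSZ (UTC), revocation date (empty unless R), serial,
# the literal "unknown", and the subject DN.

# Constructed sample index; the real file is /usr/share/easy-rsa/3/pki/index.txt.
make_sample_index() {
  printf 'V\t300101120000Z\t\t01\tunknown\t/CN=myvpngw\n'
  printf 'V\t210115120000Z\t\t02\tunknown\t/CN=my-first-user\n'
  printf 'R\t300101120000Z\t200601090000Z\t03\tunknown\t/CN=lost-laptop\n'
  printf 'V\t290301120000Z\t\t04\tunknown\t/CN=alice\n'
}

# Count entries with the given status letter: index_count FILE V
index_count() {
  awk -F'\t' -v want="$2" '$1 == want { n++ } END { print n + 0 }' "$1"
}

# Report the status of one CN (V, R or "absent"): index_cn_status FILE CN
index_cn_status() {
  awk -F'\t' -v cn="/CN=$2" '$6 == cn { print $1; found = 1 }
                             END { if (!found) print "absent" }' "$1"
}

# List CNs still marked V whose expiry (first 12 digits, UTC) is already in the
# past; easyrsa only flips these to E when "easyrsa update-db" is run.
index_expired() {
  local now
  now=$(date -u +%y%m%d%H%M%S)
  awk -F'\t' -v now="$now" '
    $1 == "V" && substr($2, 1, 12) + 0 < now + 0 {
      sub(/^.*\/CN=/, "", $6); sub(/\/.*$/, "", $6); print $6
    }' "$1"
}

# Stand-alone run against the constructed sample.
idx=$(mktemp); make_sample_index > "$idx"
echo "valid: $(index_count "$idx" V), revoked: $(index_count "$idx" R)"
echo "expired but still V: $(index_expired "$idx" | tr '\n' ' ')"
rm -f "$idx"
```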

Network settings

The final steps are configuring the transit network: routing and firewalls.

Allow connections on the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP forwarding (the redirection itself needs root privileges, which is why the second command goes through tee):

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a corporate environment there is most likely subnetting, and the router needs to be told how to deliver packets destined for our VPN clients. At the router's command line we run a command along the lines of (depending on the equipment used):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

In addition, on the border router interface that serves the external address gw.abc.ru, udp/1194 packets must be allowed through.

If the organisation has strict security rules, a firewall must also be configured on the VPN server itself. In my opinion, the most flexible option is to set up iptables FORWARD chains, although they are somewhat less convenient to configure. For this it is most convenient to use "direct rules", which are stored in the file /etc/firewalld/direct.xml. The current rule configuration can be viewed as follows:

$ sudo firewall-cmd --direct --get-all-rules

Before changing the file, make a backup copy:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The approximate contents of the file are:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Explanation

These are ordinary iptables rules, just packaged in firewalld's format.

With the default settings the tunnel interface is tun0, while the outgoing interface may differ depending on the platform, for example ens192 (the sample file above mixes eth0 and ens192; use your server's actual interface name consistently in every rule).

The last line logs the packets that none of the earlier rules accepted and that are therefore dropped. For logging to work, you need to change the debug level in the firewalld configuration:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

Settings are applied with the familiar firewall command that re-reads the configuration:

$ sudo firewall-cmd --reload

You can view the dropped packets like this:

grep forward_fw /var/log/messages
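An added example (not the article's own code): bash functions that aggregate the forward_fw lines written by the LOG rule above, first as per-flow counts and then as a list of VPN client addresses that reached more than a given number of distinct destination ports. The log lines are constructed samples in the kernel LOG target's KEY=VALUE format, as they would appear in /var/log/messages.

```bash
#!/bin/bash
# Added example, not part of the original article: summarise the FORWARD
# packets that fell through to the "forward_fw" LOG rule in direct.xml.
# The kernel LOG target writes one line per packet with KEY=VALUE fields
# (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=).

# Constructed sample lines in /var/log/messages format (no real traffic).
make_sample_log() {
  cat <<'EOF'
Jun 10 09:15:01 gw kernel: forward_fw IN=tun0 OUT=eth0 MAC= SRC=172.16.20.6 DST=172.16.19.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 10 09:15:02 gw kernel: forward_fw IN=tun0 OUT=eth0 MAC= SRC=172.16.20.6 DST=172.16.19.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 10 09:16:40 gw kernel: forward_fw IN=tun0 OUT=eth0 MAC= SRC=172.16.20.10 DST=172.16.19.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 10 09:17:00 gw kernel: forward_fw IN=tun0 OUT=eth0 MAC= SRC=172.16.20.14 DST=172.16.16.16 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Jun 10 09:17:05 gw sshd[1200]: Accepted publickey for admin from 172.16.19.5 port 50222 ssh2
EOF
}

# Aggregate logged packets into "SRC DST PROTO DPT count", most frequent first.
# ICMP has no DPT, so "-" is printed for it.
summarize_forward_log() {
  awk '/forward_fw/ {
      split("", f)
      for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
      key = f["SRC"] " " f["DST"] " " f["PROTO"] " " (("DPT" in f) ? f["DPT"] : "-")
      n[key]++
    }
    END { for (k in n) print k, n[k] }' "$1" | sort -k5,5nr -k1,1
}

# Sources that hit more than $2 distinct destination ports: a cheap way to
# separate a misconfigured client from one that is sweeping the internal network.
noisy_sources() {
  awk -v limit="$2" '/forward_fw/ {
      split("", f)
      for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
      if ("DPT" in f) seen[f["SRC"] SUBSEP f["DPT"]] = 1
    }
    END {
      for (k in seen) { split(k, p, SUBSEP); ports[p[1]]++ }
      for (s in ports) if (ports[s] > limit) print s
    }' "$1"
}

# Stand-alone run against the constructed sample.
log=$(mktemp); make_sample_log > "$log"
summarize_forward_log "$log"; noisy_sources "$log" 3
rm -f "$log"
```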

What next

This completes the setup!

All that remains is to install the client software on the client side, import the profile and connect. For Windows operating systems, the distribution is available on the developer's website.

Finally, connect the new server to the monitoring and backup systems, and don't forget to install updates regularly.

Stable connections!

Source: will.com
