Whakahaerenga mahi mamao a tetahi whakahaere SMB i runga i OpenVPN
Kaupapa raru
Ko te tuhinga e whakaatu ana i te whakahaeretanga o te uru mamao mo nga kaimahi i runga i nga hua tuwhera ka taea te whakamahi ki te hanga i tetahi punaha tino motuhake, a ka whai hua mo te roha ina he kore raihana i roto i te punaha arumoni o naianei, he iti ranei ana mahi.
Ko te whainga o te tuhinga ko te whakatinana i tetahi punaha katoa mo te tuku uru mamao ki tetahi whakahaere, he iti noa atu i te "whakauru OpenVPN i roto i nga meneti 10."
Ko te mutunga mai, ka whiwhi tatou i tetahi punaha e whakamahia ai nga tiwhikete me te (mehemea) te Active Directory rangatōpū hei whakamotuhēhē i ngā kaiwhakamahi. Ko tera. ka whiwhi matou i tetahi punaha e rua nga waahanga whakaū - he aha kei a au (tiwhikete) me taku mohio (kupuhipa).
Ko te tohu e whakaaetia ana te kaiwhakamahi ki te hono ko to ratau mema ki te roopu myVPNUsr. Ka whakamahia tuimotu te mana tiwhikete.
Ko te utu mo te whakatinana i te otinga he iti noa nga rauemi taputapu me te 1 haora o te mahi a te kaiwhakahaere punaha.
Ka whakamahia e matou he miihini mariko me te OpenVPN me te Easy-RSA putanga 3 i runga i te CetntOS 7, ka tohatohahia nga 100 vCPU me te 4 GiB RAM mo nga hononga 4.
I roto i te tauira, ko te whatunga o ta maatau whakahaere ko 172.16.0.0/16, kei reira te tūmau VPN me te wāhitau 172.16.19.123 kei roto i te waahanga 172.16.19.0/24, DNS servers 172.16.16.16 me te 172.16.17.17, me te subnet 172.16.20.0. .23/XNUMX kua tohaina mo nga kaihoko VPN.
Hei hono mai i waho, ka whakamahia he hononga ma te tauranga 1194/udp, ka hangaia he A-record gw.abc.ru i roto i te DNS mo to maatau tūmau.
Kaore rawa i te tūtohu kia whakakorehia te SELinux! Ka mahi a OpenVPN me te kore e whakakore i nga kaupapa here haumaru.
Ka whakamahia e matou te tohatoha CentOS 7.8.2003. Me whakauru tatou i te OS i roto i te whirihoranga iti. He pai ki te mahi i tenei ma te whakamahi timatatanga, te whakakao i te ahua OS kua whakauruhia i mua me etahi atu tikanga.
I muri i te whakaurunga, ka tohua he wahitau ki te atanga whatunga (kia rite ki nga tikanga o te mahi 172.16.19.123), ka whakahouhia e matou te OS:
$ sudo yum update -y && reboot
Me whakarite ano kia mahia te tukutahi wa ki runga i ta maatau miihini.
Hei whakauru i nga rorohiko tono, me hiahia koe ki nga kohinga openvpn, openvpn-auth-ldap, ngawari-rsa me te vim hei ētita matua (ka hiahia koe ki te putunga EPEL).
Ko nga tawhā mo te whakahaere herenga ABC LLC kua whakaahuatia i konei; ka taea e koe te whakatika ki nga mea pono ka waiho ranei mai i te tauira. Ko te mea tino nui i roto i nga tawhā ko te rarangi whakamutunga, e whakatau ana i te wa whaimana o te tiwhikete i nga ra. Ka whakamahia e te tauira te uara 10 tau (365*10+2 tau peke). Me whakatika tenei uara i mua i te tuku tiwhikete kaiwhakamahi.
Whai muri, ka whirihorahia e matou he mana tiwhikete motuhake.
Kei roto i te Tatūnga te kaweake i nga taurangi, te arawhiti i te CA, te tuku i te kii pakiaka CA me te tiwhikete, te kī Diffie-Hellman, te kī TLS, me te kī tūmau me te tiwhikete. Ko te kī CA me ata tiakina, kia huna! Ka taea nga tawhā uiui katoa te waiho hei taunoa.
Ma tenei ka whakaoti i te waahanga matua o te whakatuu i te tikanga cryptographic.
Whakaritea OpenVPN
Haere ki te raarangi OpenVPN, hangahia nga raarangi ratonga me te taapiri hononga ki te ngawari-rsa:
cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/
Waihangahia te konae whirihoranga OpenVPN matua:
$ sudo vim server.conf
e whai ake nei nga korero
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
Ko etahi korero mo nga tawhā:
ki te mea he ingoa rereke i tohua i te wa i tukuna ai te tiwhikete, tohuhia;
whakapūtāhia te puna o ngā wāhitau kia hāngai ki ō mahi*;
he kotahi, neke atu ranei nga huarahi me nga tūmau DNS;
Ko nga rarangi whakamutunga e 2 e hiahiatia ana hei whakatinana i te motuhēhēnga i AD**.
*Ko te awhe o nga wahitau kua tohua i roto i te tauira ka taea ki te 127 nga kaihoko ki te hono i te wa kotahi, na te mea ka tohua te whatunga /23, ka hangaia e OpenVPN he kupengaroto mo ia kiritaki ma te whakamahi i te kanohi kanohi /30.
Mena e tika ana, ka taea te whakarereke i te tauranga me te kawa, engari, me mahara ko te whakarereke i te tau tauranga tauranga ka uru ki te whirihora i te SELinux, me te whakamahi i te kawa tcp ka piki ake, na te mea Kua mahia kētia te mana tuku paatete TCP ki te taumata o nga paatete kua mau ki roto i te kauhanga.
**Ki te kore e hiahiatia te whakamotuhēhēnga i roto i te AD, korerohia, pekehia te waahanga e whai ake nei, me te tauira tangohia te raina mana-kaiwhakamahi-whakahaere.
AD Motuhēhēnga
Hei tautoko i te take tuarua, ka whakamahia e matou te manatoko kaute i AD.
Kei te hiahia matou i tetahi kaute i roto i te rohe me nga mana o te kaiwhakamahi noa me te roopu, ko te mema ka whakatau i te kaha ki te hono.
systemctl status [email protected]
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Te whakaputanga tiwhikete me te whakakore
No te mea I tua atu i nga tiwhikete ake, ka hiahia koe ki nga taviri me etahi atu tautuhinga; he tino watea ki te takai i enei mea katoa ki te konae korero kotahi. Ka whakawhitia tenei konae ki te kaiwhakamahi, ka kawemai te kōtaha ki te kiritaki OpenVPN. Ki te mahi i tenei, ka hangahia e matou he tauira tautuhinga me tetahi tuhinga hei whakaputa i te korero.
Me whakauru e koe nga ihirangi o te tiwhikete pakiaka (ca.crt) me nga konae matua TLS (ta.key) ki te kōtaha.
I mua i te tuku tiwhikete kaiwhakamahi kaua e wareware ki te whakarite i te waa whaimana e hiahiatia ana mo nga tiwhikete i roto i te kōnae tawhā. Kaua e roa rawa te mahi; Ka tūtohu ahau kia whakawhäitihia koe ki te 180 ra.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Tuhipoka:
raina PUTA TO... huri ki te ihirangi ake tiwhikete;
i roto i te tohutohu mamao, whakapūtā te ingoa/ wāhitau o tō kūwaha;
ka whakamahia te tohutohu motuhēhē-kaiwhakamahi-whakahaere mo te whakamotuhēhēnga o waho.
I roto i te raarangi kaainga (me etahi atu waahi watea ranei) ka hangaia e matou he tuhinga mo te tono tiwhikete me te hanga korero:
vim ~/make.profile.sh
#!/bin/bash
if [ -z "$1" ] ; then
echo Missing mandatory client name. Usage: $0 vpn-username
exit 1
fi
#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
profile=$clntpath/$1.ovpn
#Get current year and lowercase client name
year=`date +%F`
client=${1,,}
echo Processing $year year cert for user/device $client
cd $basepath
if [ -f client/$client* ]; then
echo "*** ERROR! ***"
echo "Certificate $client already issued!"
echo "*** ERROR! ***"
exit 1
fi
. ./vars
./easyrsa --batch --req-cn=$client gen-req $client nopass
./easyrsa --batch sign-req client $client
#Make profile
cp $clntpath/template.ovpn $profile
echo "<key>" >> $profile
cat $privpath/$1.key >> $profile
echo "</key>" >> $profile
echo -e "n" >> $profile
openssl x509 -in $certpath/$1.crt -out $basepath/$1.crt
echo "<cert>" >> $profile
cat $basepath/$1.crt >> $profile
echo "</cert>" >> $profile
echo -e "n" >> $profile
#remove tmp file
rm -f $basepath/$1.crt
echo Complete. See $profile file.
cd ~
Ka taea te whakahaere i te konae:
chmod a+x ~/make.profile.sh
A ka taea e matou te whakaputa i to maatau tiwhikete tuatahi.
~/make.profile.sh my-first-user
Tuhinga
Ki te taupatupatu tetahi tiwhikete (ngaro, tahae), me whakakore tenei tiwhikete:
cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl
Tirohia nga tiwhikete kua tukuna, kua whakakorehia
Hei tiro i nga tiwhikete kua tukuna, kua whakakorehia, tirohia noa te konae tohu:
cd /usr/share/easy-rsa/3/
cat pki/index.txt
Whakaahuatanga:
ko te rarangi tuatahi ko te tiwhikete tūmau;
huru tuatahi
V (Walid) - whai mana;
R (Revoked) - ka maumahara.
Tatūnga whatunga
Ko nga mahi whakamutunga ko te whirihora i te whatunga tuku - ararere me nga papaahi.
I roto i te taiao rangatōpū, tera pea kei te uru ki te ipurangi me te korero ki te pouara me pehea te tuku i nga paatete mo o taatau kiritaki VPN. I runga i te raina whakahau ka mahia e matou te whakahau i runga i te tikanga (i runga i nga taputapu e whakamahia ana):
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
me te tiaki i te whirihoranga.
I tua atu, i runga i te atanga pouara taitapa e tukuna ana te wahitau o waho gw.abc.ru, he mea tika kia whakaaetia te haere o nga paatete udp/1194.
Mena he tino ture haumaru te whakahaere, me whirihora ano he papaahi ki runga i to tatou tūmau VPN. Ki taku whakaaro, ko te tino ngawari ka tukuna ma te whakatu i nga mekameka iptables FORWARD, ahakoa he iti ake te watea ki te whakarite. He iti ake mo te whakarite i a raatau. Ki te mahi i tenei, he pai ake te whakamahi i nga "ture tika" - nga ture tika, kei te rongoa i roto i te konae /etc/firewalld/direct.xml. Ko te whirihoranga o naianei o nga ture ka kitea e whai ake nei:
$ sudo firewall-cmd --direct --get-all-rule
I mua i te huri i tetahi konae, mahia he kape taapiri:
He ture iptables auau enei, ki te kore e whakaemihia i muri i te taenga mai o te paahi ahi.
Ko te atanga whainga me nga tautuhinga taunoa he tun0, he rereke pea te atanga o waho mo te kauhanga, hei tauira, ens192, i runga i te turanga i whakamahia.
Ko te rarangi whakamutunga mo te takiuru i nga paatete kua taka. Kia mahi te takiuru, me huri koe i te taumata patuiro i roto i te whirihoranga papangaahi:
vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2
Ko te tono i nga tautuhinga ko te whakahau papaahi o mua ki te panui ano i nga tautuhinga:
$ sudo firewall-cmd --reload
Ka taea e koe te tiro i nga paatete kua taka penei:
grep forward_fw /var/log/messages
He aha te muri
Ka whakaoti tenei i te tatūnga!
Ko nga mea e toe ana ko te whakauru i te rorohiko a te kiritaki ki te taha o te kiritaki, te kawemai i te whaarangi me te hono. Mo nga punaha whakahaere Windows, kei runga te kete tohatoha paetukutuku kaiwhakawhanake.
Ka mutu, ka honoa ta matou tūmau hou ki nga punaha aroturuki me te whakapuranga, kaua hoki e wareware ki te whakauru i nga whakahoutanga i ia wa.