Setting up remote work for an SMB organization with OpenVPN

Problem statement

This article describes how to set up remote access for employees using open-source products. It can be used to build a completely self-contained system, and it is also useful when scaling up, when an existing commercial system has run out of licenses or its performance is no longer sufficient.

The goal of the article is to deploy a complete system for providing access to the organization's network, which is only slightly more involved than "installing OpenVPN in 10 minutes".

As a result, we get a system in which certificates and (optionally) the corporate Active Directory are used to authenticate users. That is, we get a system with two authentication factors: what I have (a certificate) and what I know (a password).

The sign that a user is allowed to connect is their membership in the myVPNUsr group. The certificate authority will be used offline.

The cost of implementing the solution is only modest hardware resources and 1 hour of a system administrator's time.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, which is allocated 100 vCPUs and 4 GiB of RAM for 4 connections.

For example, our organization's network is 172.16.0.0/16, in which the VPN server with address 172.16.19.123 sits in the 172.16.19.0/24 segment, the DNS servers are 172.16.16.16 and 172.16.17.17, and 172.16.20.0/23 is allocated to VPN clients.

For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.

Disabling SELinux is not recommended! OpenVPN works without disabling the security policies.

Contents

  1. Installing the OS and application software
  2. Setting up cryptography
  3. Configuring OpenVPN
  4. AD authentication
  5. Startup and diagnostics
  6. Certificate issuance and revocation
  7. Network configuration
  8. Conclusion

Installing the OS and application software

We use the CentOS 7.8.2003 distribution. The OS should be installed in a minimal configuration. It is convenient to do this with kickstart, by cloning a previously installed OS image, or by other means.

After installation, having assigned an address to the network interface (172.16.19.123 according to the task), we update the OS:

$ sudo yum update -y && reboot

We also need to make sure that time synchronization is running on our machine.
To install the application software we need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository will be required).

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install a guest agent on the virtual machine:

$ sudo yum install open-vm-tools

for VMware ESXi hosts, or, for oVirt,

$ sudo yum install ovirt-guest-agent

Setting up cryptography

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create the variables file:

$ sudo vim vars

with the following content:

export KEY_COUNTRY="RU"
export KEY_PROVINCE="MyRegion"
export KEY_CITY="MyCity"
export KEY_ORG="ABC LLC"
export KEY_EMAIL="[email protected]"
export KEY_CN="allUsers"
export KEY_OU="allUsers"
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
export EASYRSA_CERT_EXPIRE=3652

The parameters of the fictional organization ABC LLC are given here; you can change them to your real ones or leave the example values. The most important parameter is the last line, which sets the certificate validity period in days. The example uses a value of 10 years (365 * 10 + 2 leap-year days). This value must be changed before user certificates are issued.

Next, we set up the self-contained certificate authority.

The setup consists of exporting the variables, initializing the CA, issuing the root CA key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All prompts can be answered with the defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

This completes the main part of setting up the cryptographic machinery.

Configuring OpenVPN

Go to the OpenVPN directory, create the service directories and add a symlink to easy-rsa:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following content:

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some notes on the parameters:

  • if a different name was specified when issuing the server certificate, use it here;
  • adjust the addresses to your environment*;
  • there can be one or more routes and DNS servers;
  • the last two lines are needed for authentication against AD**.

*The addresses chosen in the example allow up to 127 clients to be connected at the same time, because a /23 network is used and OpenVPN allocates a /30 subnet to each client.
If necessary, the port and protocol can be changed; keep in mind, however, that changing the port number means adjusting SELinux, and using the tcp protocol adds overhead, because TCP delivery control is already performed for the packets encapsulated in the tunnel.

**If AD authentication is not required, comment these two lines out, skip the next section, and remove the auth-user-pass line from the client template.

AD authentication

To support the second factor we will use account verification in AD.

We need a domain account with ordinary user rights, and a group whose membership will determine whether a user may connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the following content:

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        # With a plain ldap:// URL and TLSEnable no, the bind password and the users'
        # passwords cross the network unencrypted; use ldaps:// or TLSEnable yes where the DC allows it
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Key parameters:

  • URL "ldap://ldap.abc.ru" is the address of the domain controller;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" is the DN used to bind to LDAP (the bindUsr account in the abc.ru/Users container);
  • Password b1ndP@SS is the bind password;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" is the starting point for the user search;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" is the container of the authorizing group (the myVPNUsr group in the abc.ru/myGrp container);
  • SearchFilter "(cn=myVPNUsr)" is the name of the authorizing group.

Startup and diagnostics

Now we can try to enable and start our server:

$ sudo systemctl enable openvpn@server.service
$ sudo systemctl start openvpn@server.service

Checking the startup:

systemctl status openvpn@server.service
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Certificate issuance and revocation

Since, besides the certificate itself, keys and other settings are needed, it is convenient to bundle all of this into a single file. This file is handed to the user, and the profile is imported into the OpenVPN client. To do this, we create a configuration template and a script that generates the profile.

The contents of the root certificate (ca.crt) and of the TLS key (ta.key) must be added to the profile.

Before issuing user certificates, don't forget to set the certificate validity period in the variables file. Don't make it too long; I recommend limiting it to 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • replace the PUT YOUR... lines with the contents of your own certificate and key files;
  • in the remote directive, specify the name/address of your gateway;
  • the auth-user-pass directive is used when external authentication is enabled.

In the home directory (or another convenient place) we create a script that requests the certificate and builds the profile:

vim ~/make.profile.sh

#!/bin/bash

if [ -z "$1" ] ; then
 echo "Missing mandatory client name. Usage: $0 vpn-username"
 exit 1
fi

#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

#Get current year and lowercase client name (the same name is used for the request, key, cert and profile)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"

cd "$basepath" || exit 1

#Refuse to issue a second certificate with the same name
if ls "$clntpath/$client"* >/dev/null 2>&1; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"

#Make profile: start from the template, then inline the private key and certificate
cp "$clntpath/template.ovpn" "$profile"

echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"

echo "" >> "$profile"
#Keep only the PEM block of the issued certificate (drop the text dump easy-rsa prepends)
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"

echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo "" >> "$profile"

#remove tmp file
rm -f "$basepath/$client.crt"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod a+x ~/make.profile.sh

And we can issue our first certificate.

~/make.profile.sh my-first-user

Revocation

If a certificate is compromised (lost, stolen), it must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

Viewing issued and revoked certificates

To see the issued and revoked certificates, simply look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanation:

  • the first line is the server certificate;
  • the first character:
    • V (Valid) - valid;
    • R (Revoked) - revoked.
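As an added example (not from the original article), the following shell script reads the pki/index.txt described above and reports which certificates are valid, which were revoked, and which still-valid ones expire within a given number of days, which is the check worth running after a revoke and before user certificates reach their 180-day limit. It assumes the standard OpenSSL CA database layout that Easy-RSA writes and GNU date, and it runs on a constructed sample index rather than a real PKI.

```shell
#!/bin/bash
# Added example, not part of the original article: summarise Easy-RSA's pki/index.txt
# (an OpenSSL CA database). Assumed tab-separated layout: status (V/R/E), expiry as
# YYMMDDHHMMSSZ, revocation date (empty unless R), serial, filename, subject DN.
# The empty revocation field is two adjacent tabs, so fields are taken with cut,
# not with a whitespace-splitting read (which would collapse the tabs and shift fields).

# OpenSSL YYMMDDHHMMSSZ (UTC) -> epoch seconds; needs GNU date.
asn1_to_epoch() {
  local ts
  ts=$(printf '%s' "$1" | sed -E 's/^(..)(..)(..)(..)(..)(..)Z$/20\1-\2-\3 \4:\5:\6/')
  date -u -d "$ts" +%s
}

# One line per certificate: STATUS, CN, EXPIRY and a flag when a still-valid
# certificate expires within $2 days of the reference time $3 (epoch, default now).
cert_report() {
  local index=$1 days=${2:-30} now=${3:-$(date +%s)}
  local line status expiry dn cn exp_epoch flag
  while IFS= read -r line; do
    status=$(printf '%s\n' "$line" | cut -f1)
    expiry=$(printf '%s\n' "$line" | cut -f2)
    dn=$(printf '%s\n' "$line" | cut -f6)
    cn=${dn##*/CN=}
    exp_epoch=$(asn1_to_epoch "$expiry")
    flag=""
    if [ "$status" = "V" ] && [ $((exp_epoch - now)) -lt $((days * 86400)) ]; then
      flag="EXPIRES-WITHIN-${days}d"
    fi
    printf '%s\t%s\t%s\t%s\n' "$status" "$cn" "$expiry" "$flag"
  done < "$index"
}

# Number of entries with status $2 (V = valid, R = revoked).
count_status() {
  awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }' "$1"
}

# Number of still-valid certificates expiring within $2 days of $3.
count_expiring() {
  cert_report "$1" "$2" "$3" | awk -F'\t' '$4 != "" { n++ } END { print n + 0 }'
}

# Constructed sample index.txt (not real data): server cert, one user, one revoked laptop.
SAMPLE_INDEX=$(mktemp)
printf 'V\t300724120000Z\t\t01\tunknown\t/CN=myvpngw\n' > "$SAMPLE_INDEX"
printf 'V\t201231120000Z\t\t02\tunknown\t/CN=my-first-user\n' >> "$SAMPLE_INDEX"
printf 'R\t210630120000Z\t200601100000Z\t03\tunknown\t/CN=old-laptop\n' >> "$SAMPLE_INDEX"

cert_report "$SAMPLE_INDEX" 365 1590969600   # reference time 2020-06-01T00:00:00Z
echo "valid: $(count_status "$SAMPLE_INDEX" V), revoked: $(count_status "$SAMPLE_INDEX" R)"
```

On a real server, point it at /usr/share/easy-rsa/3/pki/index.txt and drop the third argument to compare against the current time.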

Network configuration

The final steps are configuring the transport network: routing and firewalls.

Allow the connections in the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP forwarding:

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a production environment there may be subnetting, and we need to tell the router(s) how to deliver packets addressed to our VPN clients. On the command line we enter a command like the following (depending on the equipment used):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

In addition, on the border router interface that hosts the external address gw.abc.ru, udp/1194 packets must be allowed through.

If the organization has strict security rules, a firewall must also be configured on our VPN server itself. In my opinion, the greatest flexibility comes from configuring the iptables FORWARD chain, although it is less convenient to set up. For this it is most convenient to use "direct rules", which are stored in the file /etc/firewalld/direct.xml. The current set of rules can be listed like this:

$ sudo firewall-cmd --direct --get-all-rules

Before editing the file, make a backup:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The contents of the file:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Notes

These are ordinary iptables rules, but loaded after firewalld has started.

With default settings the tunnel interface is tun0, while the interface on the other side of the tunnel (facing the internal network) may differ, for example ens192, depending on the platform used.

The last line logs the packets that are dropped. For the logging to work, you need to change the debug level in the firewalld configuration:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

Apply the configuration with the usual firewalld reload command:

$ sudo firewall-cmd --reload

The dropped packets can be seen like this:

grep forward_fw /var/log/messages

Conclusion

This completes the setup!

All that remains is to install the client application on the client side, import the profile, and connect. For Windows operating systems, the installation kit is available on the vendor's website.

Finally, we connect our new server to the monitoring and backup systems, and don't forget to install updates regularly.

Stable connections!

Source: www.habr.com
