Organizing remote work for an SMB on OpenVPN
Problem statement
This article describes how to organize remote access for employees using open-source products. It can be used to build a fully standalone system, and it is also useful for scaling out when the existing commercial system is short of licenses or its performance is insufficient.
The aim of the article is to build a complete system for providing access to the organization, which is something more than "setting up OpenVPN in 10 minutes".
As a result, we obtain a system in which certificates and (optionally) the corporate Active Directory are used to authenticate users. That is, we get a system with two authentication factors: what I have (the certificate) and what I know (the password).
The indicator that a user is allowed to connect is membership in the myVPNUsr group. The certificate authority will be used offline.
The cost of implementing the solution is only modest hardware resources and 1 hour of a system administrator's work.
We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, which is allocated 100 vCPUs and 4 GiB RAM for 4 connections.
For example, our organization's network is 172.16.0.0/16, in which the VPN server with address 172.16.19.123 is located in the segment 172.16.19.0/24, the DNS servers are 172.16.16.16 and 172.16.17.17, and the subnet 172.16.20.0/23 is allocated to VPN clients.
For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.
We use the CentOS 7.8.2003 distribution. The OS should be installed in the minimal configuration. It is convenient to do this using kickstart, by cloning an image of a previously installed OS, or by other means.
After installation, having assigned an address to the network interface (172.16.19.123 according to the task), we update the OS:
$ sudo yum update -y && reboot
We also need to make sure that time synchronization is running on our machine.
To install the application software, you need the openvpn, openvpn-auth-ldap, easy-rsa and vim packages (vim as the main editor; the EPEL repository is required).
The parameters of the fictitious organization ABC LLC are described here; you can replace them with real ones or leave them as in the example. The most important parameter is the last line, which sets the certificate validity period in days. The example uses a value of 10 years (365 * 10 + 2 for leap years). This value must be changed before user certificates are issued.
Next, we set up the standalone certificate authority.
Setup consists of exporting the variables, initializing the CA, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All prompted parameters can be left at their defaults.
systemctl status [email protected]
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Certificate issuance and revocation
Since, in addition to the certificate itself, keys and some settings are needed, it is convenient to wrap all of this into a single file. This file is handed to the user, and the profile is imported into the OpenVPN client. To do this, we create a configuration template and a script that generates the profile.
The contents of the root certificate (ca.crt) and the TLS key (ta.key) files must be added to the profile.
Before issuing user certificates, do not forget to set the certificate validity period in the parameters file. It should not be made too long; I recommend limiting it to 180 days.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Notes:
the PUT YOUR... lines are replaced with the contents of your own certificate and key;
in the remote directive, specify the name/address of your gateway;
the auth-user-pass directive enables the additional external authentication.
In the home directory (or another convenient place) we create a script that requests a certificate and builds the profile:
vim ~/make.profile.sh
#!/bin/bash
# Request a client certificate with Easy-RSA 3 and wrap it, together with the
# CA certificate and TLS key already in the template, into a single .ovpn profile.
if [ -z "$1" ] ; then
    echo "Missing mandatory client name. Usage: $0 vpn-username"
    exit 1
fi
# Abort on the first failing command (e.g. a rejected easyrsa request)
set -e
#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
#Get current year and lowercase client name
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"
cd "$basepath"
# Refuse to issue twice; compgen -G is safe even when the glob matches several files
if compgen -G "client/$client*" > /dev/null; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi
. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"
#Make profile
cp "$clntpath/template.ovpn" "$profile"
echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"
echo "" >> "$profile"
# Re-encode the issued certificate to strip the human-readable text section
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"
echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo "" >> "$profile"
#remove tmp file
rm -f "$basepath/$client.crt"
echo "Complete. See $profile file."
cd ~
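As an added example (not part of the original article), the following Python check parses a profile built from the template and script above and reports what would make it unsafe or unusable to hand out: a missing hardening directive (remote-cert-tls server, auth-user-pass, key-direction 1), a missing inline <cert>/<key> block, or a placeholder left unreplaced in <ca>/<tls-auth>. The sample profile is constructed for the demonstration.

```python
import re

# Constructed sample: the template before the script appends <cert>/<key>, with
# the CA and TA placeholders still in place. Such a profile must not go out.
UNFINISHED_PROFILE = """client
remote gw.abc.ru 1194
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
"""
# Directives the two-factor design relies on; key-direction 1 pairs with the server's 0.
REQUIRED_DIRECTIVES = {"client": "", "remote-cert-tls": "server",
                       "auth-user-pass": "", "key-direction": "1"}
REQUIRED_BLOCKS = ("ca", "tls-auth", "cert", "key")

def parse_profile(text):
    """Return ({directive: [args, ...]}, {tag: body}) from an .ovpn file."""
    directives, blocks, tag, body = {}, {}, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if tag:                                     # inside an inline <tag> ... </tag>
            if line == f"</{tag}>":
                blocks[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(line)
        elif m := re.fullmatch(r"<([a-z-]+)>", line):
            tag = m.group(1)
        elif line and line[0] not in "#;":          # skip blank lines and comments
            name, _, args = line.partition(" ")
            directives.setdefault(name, []).append(args.strip())
    if tag:
        raise ValueError(f"unterminated <{tag}> block")
    return directives, blocks

def lint_profile(text):
    """List what stops a profile from being issued; an empty list means it is ready."""
    directives, blocks = parse_profile(text)
    problems = [f"missing directive: {d} {v}".rstrip()
                for d, v in REQUIRED_DIRECTIVES.items() if v not in directives.get(d, [])]
    problems += [f"missing inline <{t}> block" for t in REQUIRED_BLOCKS if t not in blocks]
    problems += [f"<{t}> still contains the template placeholder"
                 for t in REQUIRED_BLOCKS if "PUT YOUR" in blocks.get(t, "")]
    return problems
```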
These are ordinary iptables rules, only they are loaded after firewalld has started.
The local tunnel interface with default settings is tun0, while the external interface may be named differently, for example en192, depending on the platform used.
The last line logs dropped packets. For the logging to work, you need to change the debug level in the firewalld configuration:
vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2
Apply the settings with the usual firewalld command to reload the configuration:
$ sudo firewall-cmd --reload
You can see the dropped packets like this:
grep forward_fw /var/log/messages
Conclusion
This completes the setup!
All that remains is to install the client application on the client side, import the profile and connect. For Windows operating systems, the distribution kit is available on the vendor's website.
Finally, we connect our new server to the monitoring and backup systems, and do not forget to install updates regularly.