Two-factor authentication of VPN users via MikroTik and SMS

Hello, colleagues! Now that the passions around "remote work" have cooled a little and most admins have solved the task of giving employees remote access to the corporate network, it is time to share my long-standing experience with improving VPN security. This article is not about the currently fashionable IPsec IKEv2 with xAuth. It is about building two-factor authentication (2FA) for VPN users when a MikroTik acts as the VPN server, that is, when "classic" protocols such as PPP are used.


Today I will describe how to protect a MikroTik PPP VPN even when a user account has been "hijacked". When I presented this scheme to one of my customers, he summed it up briefly: "well, now it's like at a bank!".

The method uses no external authentication services. Everything is done with the router's own built-in tools. There is no per-client cost. The method works for PC clients as well as for mobile devices.

The general protection scheme is as follows:

  1. The internal (tunnel) IP address of a user who has successfully connected to the VPN server is automatically added to a "gray" list.
  2. The connection event automatically generates a one-time code, which is sent to the user over one of the available channels.
  3. Addresses on the gray list are barred from local network resources, with the single exception of the "authenticator": a service that waits to receive the one-time code.
  4. Once the code has been presented, the user is granted access to the internal network resources.

The first and least significant problem I ran into was where to store the user's contact information so that the 2FA code can be sent to them. Since MikroTik does not let you create custom data fields for users, the existing "comment" field was used:

/ppp secret add name=Petrov password="4M@ngr!" comment="89876543210"

The second problem turned out to be more serious: choosing the route and the method of delivering the code. Three schemes are implemented at the moment: a) SMS via a USB modem; b) e-mail; c) SMS via e-mail, which is available to corporate customers of the "red" mobile operator.

Yes, the SMS schemes cost money. But if you look closely, "security is always about money" (c).
I personally do not like the e-mail scheme. Not because the mail server has to be reachable by the client being authenticated; splitting the traffic is not a problem. However, if a client carelessly saved both the VPN and the e-mail passwords in the browser and then lost the laptop, an attacker would get full access to the corporate network from it.

So it is decided: we deliver the one-time code using SMS messages.

The third problem was where and how to generate a pseudo-random code for 2FA on MikroTik. The RouterOS scripting language has no equivalent of a random() function, and I had seen a number of makeshift pseudo-random number generators before. I did not like any of them, for various reasons.

In fact, MikroTik does have a pseudo-random sequence generator! It is hidden from a superficial glance in the /certificate scep-server context. The first way to obtain a one-time password is quick and simple: the command /certificate scep-server otp generate. If we perform a simple variable assignment with it, we get an array value that can then be used in scripts.

The second way of obtaining a one-time password is just as easy to use: the external service random.org generates a sequence of pseudo-random characters of the required kind. Here is a simplified example of fetching the result into a variable:

:global rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 6]
:put $rnd1

This request, written for the console (special characters will need escaping inside script bodies), puts a six-digit string into the $rnd1 variable: the service returns seven digits followed by a newline, and :pick takes characters 0 to 5. The "put" command displays the variable in the MikroTik console. Two caveats: unique=on forbids repeated digits, which shrinks the number of possible six-digit codes from 1,000,000 to 151,200, so for an OTP you want unique=off; and a code obtained this way leaves the router and depends on a third-party service being reachable at the moment a user connects.
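Both generators can fail at runtime (the fetch when the router cannot reach random.org, the local command if the scep-server context is unavailable), and neither one-liner checks what it got back; an empty code would later produce a Layer7 regexp "otp/" that matches every request. As an added example, not part of the original article, here is a RouterOS script function $otpGen that tries the local generator first, falls back to random.org, and refuses anything that is not exactly the requested number of alphanumeric characters. The function name, the validation regexps and the unique=off choice are mine; the two generator commands are the ones the article uses.

```routeros
# Added example: one-time code generator with validation and fallback.
# Usage: :global otpGen; :local code [$otpGen 6]
:global otpGen do={
  :local want $1
  :if ([:typeof $want] != "num") do={ :set want 6 }
  :local code ""

  # Preferred source: the router's own generator. No network round trip, nothing leaves the box.
  :do {
    :set code [:pick ([/certificate scep-server otp generate as-value minutes-valid=1]->"password") 0 $want]
  } on-error={
    :log warning "otpGen: local scep-server generator failed, trying random.org"
  }

  # Fallback: random.org. unique=off keeps the full 10^N keyspace; len=$want means
  # the trailing newline in the reply is simply cut off by :pick.
  :if ([:len $code] != $want) do={
    :do {
      :local url ("https://www.random.org/strings/?num=1&len=" . [:tostr $want] . "&digits=on&unique=off&format=plain&rnd=new")
      :set code [:pick ([/tool fetch url=$url as-value output=user]->"data") 0 $want]
    } on-error={
      :log warning "otpGen: random.org fetch failed"
    }
  }

  # Validate before anyone builds a firewall rule out of it: exactly $want characters from
  # [0-9A-Za-z]. Anything else would either be a regex metacharacter in the Layer7 rule
  # or an empty code that matches every request.
  :if ([:len $code] != $want) do={ :error ("otpGen: no usable code, got length " . [:tostr [:len $code]]) }
  :if (!($code ~ "^[0-9A-Za-z]+\$")) do={ :error "otpGen: generator returned unexpected characters" }
  :return $code
}
```

Declare the function once (for example from a startup script) and call it from the On-Up script with `:global otpGen; :local rnd1 [$otpGen 6]`; if both sources fail the script aborts with an error instead of sending an SMS with an empty code.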

The fourth problem, which had to be solved quickly, was how and where the connecting client would present its one-time code at the second stage of authentication.


There has to be a service on the MikroTik router that can accept the code and match it to a specific client. If the presented code matches the expected one, the client's address must be added to a "white" list whose addresses are allowed into the company's internal network.

Because of the meagre choice of services, it was decided to accept the codes over HTTP using the web proxy built into MikroTik. And since the firewall can work with dynamic lists of IP addresses, it is the firewall that looks for the code, matches it against the client IP and adds the client to the "white" list, using a Layer7 regexp. The router itself was given the conventional DNS name "gw.local", with a static A record created for it to hand out to PPP clients:

/ip dns static add name=gw.local address=172.31.1.1

Capturing the traffic of unauthenticated clients to the proxy ("2fa" is an interface list, so the matcher is in-interface-list):
/ip firewall nat add chain=dstnat dst-port=80,443 in-interface-list=2fa protocol=tcp !src-address-list=2fa_approved action=redirect to-ports=3128

The proxy has two functions here:

1. Open the TCP connection with the client;

2. On successful authorization, redirect the client's browser to a page or image that signals successful authentication:

Proxy configuration:
/ip proxy
set enabled=yes port=3128
/ip proxy access
add action=deny disabled=no redirect-to=gw.local/mikrotik_logo.png src-address=0.0.0.0/0

The important elements of the configuration are:

  1. interface-list "2fa": a dynamic list of client interfaces whose traffic must go through 2FA processing;
  2. address-list "2fa_jailed": the "gray" list of tunnel IP addresses of VPN clients;
  3. address-list "2fa_approved": the "white" list of tunnel IP addresses of VPN clients that have passed two-factor authentication;
  4. firewall chain "input_2fa": checks TCP packets for the presence of an authorization code and for a match between the sender's IP address and the expected one. Rules in this chain are added and removed dynamically.

A simplified diagram of packet processing (figure not reproduced in this copy).

So that traffic from the "gray" list that has not yet passed the second stage of authentication reaches the Layer7 check, a rule is created in the standard "input" chain:

/ip firewall filter add chain=input !src-address-list=2fa_approved action=jump jump-target=input_2fa
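The article shows the redirect, the jump and the per-client Layer7 rule, but not the static rules that actually enforce step 3 of the scheme (a gray-listed tunnel reaches nothing but DNS and the authenticator), nor anything that stops code guessing: dst-limit on the per-client rule only slows a brute-force attempt, it never locks it out. What follows is an added example of such a static policy; it is my own configuration, not the article's. It keeps the article's names (interface list 2fa, lists 2fa_jailed and 2fa_approved, chain input_2fa, proxy port 3128) and introduces its own: chains 2fa_jail and 2fa_ok, a dynamic list 2fa_lockout and a Layer7 protocol 2fa_any_otp. It replaces the article's generic jump rule in the input chain. It expects the per-client rule to jump to 2fa_ok on a correct code instead of adding the address itself, because add-src-to-address-list is a non-terminating action and the correct code would otherwise continue into the "wrong code" rule; the per-client rule is inserted with place-before the rule carrying the comment "2fa: wrong code".

```routeros
# Added example: static 2FA firewall policy. Rule order matters; add in this order on a router
# where no 2FA user is connected yet.

# The interface list the 2FA profile populates dynamically.
/interface list add name=2fa comment="2fa: PPP interfaces of users in the second factor"

# Any HTTP request to the authenticator path, regardless of the code it carries.
/ip firewall layer7-protocol add name=2fa_any_otp regexp="otp/"

/ip firewall filter
# --- forward: a tunnel that has not passed the second factor reaches nothing on the LAN.
#     Approved tunnels do not match and fall through to your normal forward policy.
add chain=forward in-interface-list=2fa !src-address-list=2fa_approved action=drop comment="2fa: pending, no LAN access"

# --- input: pending tunnels go to the jail chain; approved ones fall through to your normal input policy.
add chain=input in-interface-list=2fa !src-address-list=2fa_approved action=jump jump-target=2fa_jail comment="2fa: pending"

# --- 2fa_jail: only DNS (to resolve gw.local) and the proxy port are reachable.
add chain=2fa_jail protocol=udp dst-port=53 action=accept comment="2fa: DNS"
# the dstnat redirect already rewrote port 80/443 to 3128, so this is where the code check hangs
add chain=2fa_jail protocol=tcp dst-port=3128 action=jump jump-target=input_2fa comment="2fa: code check"
# TCP handshake and requests that carried no (or a wrong) code still need the proxy to answer
add chain=2fa_jail protocol=tcp dst-port=3128 action=accept comment="2fa: proxy"
add chain=2fa_jail action=drop comment="2fa: everything else from the jail"

# --- input_2fa: lockout first; the per-client rules land between it and the 'wrong code' rule.
add chain=input_2fa src-address-list=2fa_lockout action=drop comment="2fa: locked out"
# A request to /otp/... that no per-client rule recognised is a wrong guess: the tunnel address
# is locked out for two minutes, and the guess itself is dropped.
add chain=input_2fa layer7-protocol=2fa_any_otp action=add-src-to-address-list address-list=2fa_lockout address-list-timeout=2m comment="2fa: wrong code"
add chain=input_2fa layer7-protocol=2fa_any_otp action=drop comment="2fa: drop the wrong guess"

# --- 2fa_ok: reached only from a per-client rule whose Layer7 regexp matched the right code.
add chain=2fa_ok action=add-src-to-address-list address-list=2fa_approved address-list-timeout=none-dynamic comment="2fa: approve"
add chain=2fa_ok action=accept comment="2fa: let the request through to the proxy"
```

Put the forward and input rules above any generic accept rules (established/related, fasttrack) that could admit the jailed tunnels first. The lockout is deliberately short: each wrong guess costs the tunnel address two minutes, which caps brute force at one guess per two minutes per tunnel while a mistyped code only costs the user a short wait. Because Layer7 classification sticks to a connection, every packet of a wrong-code connection matches 2fa_any_otp, so the guess is dropped for good rather than retried by the browser.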

Now let's start adapting all this wealth to the PPP service. MikroTik lets you use scripts in profiles (ppp-profile) and attach them to the events of establishing and tearing down a PPP connection. The ppp-profile settings can be applied to the whole PPP server or to individual users. A profile assigned to a user takes precedence: its parameters override the settings of the profile selected for the server as a whole.

As a result of this approach, we can create a special profile for two-factor authentication and assign it not to all users, but only to those we consider necessary. This may be relevant if you use the PPP services not only to connect end users but also to build site-to-site connections at the same time.

In the special new profile created below, we use dynamic addition of the connected user's address and interface to the "gray" address and interface lists:


/ppp profile add address-list=2fa_jailed change-tcp-mss=no local-address=192.0.2.254 name=2FA interface-list=2fa only-one=yes remote-address=dhcp_pool1 use-compression=no use-encryption=required use-mpls=no use-upnp=no dns-server=172.31.1.1

Using both lists, "address-list" and "interface-list", is necessary to identify and capture the traffic of VPN clients that have not passed the second stage in the dstnat (prerouting) chain.

With the preparation done, the firewall chains and the profile created, we write the script responsible for generating the 2FA code and the individual firewall rules.

The wiki.mikrotik.com documentation on PPP-Profile enriches us with information about the variables associated with the PPP client connect/disconnect events: "Execute script on user login-event. These are available variables that are accessible for the event script: user, local-address, remote-address, caller-id, call-id, interface". Some of them will be very useful to us.

Code used in the PPP profile for the connection (On-Up) event:

# Log the variables the On-Up event passes in (debugging aid)
:log info ("2fa on-up: user=" . $user . " local=" . $"local-address" . " remote=" . $"remote-address" . " caller-id=" . $"caller-id" . " interface=" . $interface)
# Our own local variables
:local listname "2fa_jailed"
:local viamodem false
:local modemport "usb2"
# Find the entry the 2FA profile created automatically in the "2fa_jailed" address list
:local recnum1 [/ip firewall address-list find address=$"remote-address" list=$listname]

# Pseudo-random code, either from the local generator (used here)...
:local rnd1 [:pick ([/certificate scep-server otp generate as-value minutes-valid=1]->"password") 0 4]
# ...or from random.org (uncomment to use instead; note the external dependency)
#:local rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 4]

# Write the expected code into the comment of the address-list entry. Debugging aid only:
# the code is then readable by anyone who can print the address list, so drop this in production.
/ip firewall address-list set $recnum1 comment=$rnd1
# Phone number to send the SMS to, taken from the secret's comment field
:local vphone [/ppp secret get [find name=$user] comment]

# Message body. A client that connects to the VPN straight from the phone
# only needs to open the link in the message.
:local msgbody ("Your code: " . $rnd1 . "\nOr open link http://gw.local/otp/" . $rnd1 . "/")

# Send the SMS over the chosen channel: USB modem or email-to-SMS gateway
:if ($viamodem) do={
  /tool sms send phone-number=$vphone message=$msgbody port=$modemport
} else={
  # the from/to addresses were obscured in the source; the example.com values are placeholders
  /tool e-mail send server=a.b.c.d from=vpn@example.com to=sms-gateway@example.com subject=("@" . $vphone) body=$msgbody
}

# Build the Layer7 regexp that recognises this client's code in the request path
:local vregexp ("otp/" . $rnd1)
:local vcomment ("2fa_" . $"remote-address")
/ip firewall layer7-protocol add name=$vcomment comment=$"remote-address" regexp=$vregexp

# Rule that inspects this client's traffic with Layer7 for the expected code,
# with a little protection against code brute-forcing by means of dst-limit
/ip firewall filter add action=add-src-to-address-list address-list=2fa_approved address-list-timeout=none-dynamic chain=input_2fa dst-port=80,443,3128 layer7-protocol=$vcomment protocol=tcp src-address=$"remote-address" dst-limit=1,1,src-address/1m40s

Especially for those who like to copy-paste without thinking, I warn you: the code is taken from the test version and may contain minor typos. An understanding person will have no trouble figuring out exactly where.
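Three things a practitioner would want in the On-Up script that the version above lacks: the phone number is never validated (an empty comment sends the code nowhere and leaves the user jailed for the whole session), the code never expires, and the per-client rule is non-terminating. The following is an added example of those changes, written by me rather than taken from the article. It is meant to replace the article's lines from ":local vregexp" to the end of the script, and the debug line that writes the code into the address-list comment should be dropped as well. It reuses the article's On-Up variables ($user, $"remote-address", $rnd1, $vphone) and assumes two things that are my own, not the article's: a chain 2fa_ok that adds the source address to 2fa_approved and accepts, and a rule at the end of input_2fa carrying the comment "2fa: wrong code". The list name 2fa_otp_valid and the five-minute lifetime are also my choices.

```routeros
# Added example: hardening for the On-Up script. Runs after $rnd1 and $vphone have been set.
:local remote $"remote-address"

# 1) Fail closed. Without a phone number the second factor cannot be delivered, so do not leave
#    the session sitting in the jail: log it and tear the tunnel down.
:if (!($vphone ~ "^[0-9]+\$")) do={
  :log warning ("2fa: secret '" . $user . "' has no usable phone number in its comment, disconnecting " . $remote)
  /ppp active remove [find name=$user]
  :error "2fa: no phone number"
}

# 2) Give the code a lifetime. The per-client rule below also requires the tunnel address to be in
#    2fa_otp_valid; when this dynamic entry times out the code stops working even though the rule
#    itself stays until On-Down removes it. Reconnecting produces a fresh code.
/ip firewall address-list add list=2fa_otp_valid address=$remote timeout=5m comment=("2fa_" . $user)

# 3) Per-client rule. On the right code jump to 2fa_ok (approve + accept) rather than using the
#    non-terminating add-src-to-address-list, and insert it ahead of the static "wrong code" rule so
#    that the correct code is never counted as a guess. Matching is limited to this tunnel address,
#    the lifetime list and the proxy port the dstnat redirect delivers to.
:local vcomment ("2fa_" . $remote)
/ip firewall layer7-protocol add name=$vcomment comment=$remote regexp=("otp/" . $rnd1)
/ip firewall filter add chain=input_2fa protocol=tcp dst-port=3128 src-address=$remote src-address-list=2fa_otp_valid layer7-protocol=$vcomment action=jump jump-target=2fa_ok place-before=[find chain=input_2fa comment="2fa: wrong code"] comment=("2fa_" . $user)
```

The On-Down script can additionally run `/ip firewall address-list remove [find list=2fa_otp_valid address=$"remote-address"]`, although the dynamic entry expires on its own; its existing removal of the filter rule by src-address and of the Layer7 protocol by name still applies unchanged.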

When a user disconnects, an "On-Down" event is generated and the corresponding script is called with its parameters. The purpose of this script is to clean up the firewall rules created for the disconnected user.

Code used in the PPP profile for the disconnection (On-Down) event:

# Name of the Layer7 protocol that was created for this tunnel address on connect
:local vcomment ("2fa_" . $"remote-address")
# Drop the address from the "white" list, remove the per-client filter rule and the Layer7 entry
/ip firewall address-list remove [find address=$"remote-address" list=2fa_approved]
/ip firewall filter remove [find chain="input_2fa" src-address=$"remote-address"]
/ip firewall layer7-protocol remove [find name=$vcomment]
Then you can create users and assign the two-factor authentication profile to all or some of them.


/ppp secret set [find name=Petrov] profile=2FA

What it looks like from the client side.

When the VPN connection is established, an Android/iOS phone or tablet with a SIM card receives an SMS with the code and the link (screenshot not reproduced in this copy).

If the connection is made directly from the phone/tablet, you can pass 2FA simply by tapping the link in the message. Convenient.

If the VPN connection is made from a PC, the user needs to enter the code into a minimal form. A small form in the shape of an HTML file is handed to the user when the VPN is set up. The file can even be sent by e-mail so that the user saves it and creates a shortcut in a convenient place (screenshot of the desktop shortcut not reproduced in this copy).

The user clicks the shortcut, a simple code entry form opens, and the form inserts the code into the URL it opens (screenshot of the form not reproduced in this copy).

The most primitive form is given as an example. Those who wish can modify it to suit themselves.

2fa_login_mini.html

<html>
<head>
<title>SMS OTP login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<!-- The code is appended to the URL path: the router's Layer7 rule looks for "otp/<code>" in the request.
     Submitting with Enter or the button does the same thing. -->
<form name="login" onsubmit="location.href='http://gw.local/otp/'+encodeURIComponent(document.getElementById('text').value)+'/'; return false;">
<input id="text" type="text" autocomplete="off" />
<input type="submit" value="Login" />
</form>
</body>
</html>

If authorization succeeded, the user will see the MikroTik logo in the browser, which should signal successful authentication (screenshot not reproduced in this copy). This works because approval removes the address from the dstnat redirect: only an approved client's request for the logo actually reaches the router's web server instead of the proxy.

Note that the image is served from the built-in MikroTik web server by means of the WebProxy Deny Redirect.

I believe the image can be customized using the "hotspot" tool: upload your own image there and point the WebProxy Deny Redirect URL at it.

A big request to those who are trying to buy the cheapest MikroTik "toy" for $20 and replace a $500 router with it: do not do that. Devices like the "hAP Lite" / "hAP mini" (home devices) have a very weak CPU (smips) and most likely will not cope with the load in the corporate segment.

Warning! This solution has one drawback: every client connect or disconnect changes the configuration, which the router tries to save to its non-volatile memory. With a large number of clients and frequent connects and disconnects, this can wear out the router's internal storage.

PS: The methods of delivering the code to the client can be extended and supplemented as far as your programming abilities allow. For example, you could send the message to Telegram or... suggest your options!

I hope the article will be useful to you and will help make the networks of small and medium businesses a little more secure.

Source: www.habr.com