Hello colleagues! Now that the passions around "remote work" have subsided a little and most admins have solved the task of giving employees remote access to the corporate network, it is time to share my experience of improving VPN security. This article will not be about the fashionable IPSec IKEv2 and xAuth. It is about building a system.
Today I will tell you how to protect a MikroTik PPP VPN even if the user's account has "leaked". When I presented this scheme to one of my clients, he summed it up briefly: "well, now it's just like a bank!".
The method does not use external authenticator services. The work is done inside the router itself. There is no cost to the connecting client. The method works for both PCs and mobile devices.
The general protection scheme is as follows:
- The internal IP address of a user who has successfully connected to the VPN server is automatically placed on a "gray" list.
- The connection event automatically generates a one-time code, which is sent to the user through one of the available channels.
- Addresses on this list have restricted access to local network resources, except for the "authenticator" service, which waits to receive the one-time passcode.
- Once the code has been presented, the user gets access to the internal resources of the network.
The first and smallest problem I faced was where to store the contact information used to send the 2FA code to the user. Since MikroTik does not allow creating arbitrary data fields attached to users, the existing "comment" field was used:
/ppp secret add name=Petrov password=4M@ngr! comment="89876543210"
The second problem was more serious: the choice of channel and method for delivering the code. Three schemes are implemented at the moment: a) SMS via a USB modem; b) e-mail; c) SMS via e-mail, which is available to corporate clients of the "red" mobile operator.
Yes, the SMS schemes cost money. But if you look at it, "security is always about money" (c).
I really don't like the e-mail scheme. Not because the mail server has to be reachable by the client being authenticated; separating that traffic is not a problem. The problem is that if the client carelessly saves both the VPN and the e-mail passwords in a browser and then loses the laptop, the attacker gets full access to the corporate network from it.
So it was decided: we deliver the one-time code by SMS.
The third problem was where and how to generate a pseudo-random code for 2FA on MikroTik. There is no equivalent of a random() function in the RouterOS scripting language, and I had seen several home-made pseudo-random number generators before. I did not like any of them, for various reasons.
In fact, MikroTik does have a pseudo-random sequence generator! It is hidden from a casual look in the /certificate scep-server context. The first way to obtain a one-time password is simple and straightforward: the command /certificate scep-server otp generate. If we perform a simple variable assignment, we get an array value that can then be used in scripts.
The second way to obtain a one-time password is also easy to use: an external service.
Code:
:global rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user ]->"data") 1 6]
:put $rnd1
The request is formatted for the console (in a script body, the special characters will need escaping) and places a string of six digits into the $rnd1 variable. The "put" command displays the variable in the MikroTik console.
The fourth problem that had to be solved quickly was how and where the connecting client enters the one-time code at the second stage of authentication.
There must be a service on the MikroTik router that can accept the code and match it to a specific client. If the submitted code matches the expected one, the client's address must be added to a dedicated "white" list, from whose addresses access into the corporate network is allowed.
Given the limited choice of services, it was decided to accept codes over http using the web proxy built into MikroTik. And since the firewall can work with dynamic lists of IP addresses, it is the firewall that searches for the code, matches it against the client IP and adds the address to the "white" list, using a Layer7 regexp. The router itself was given the conventional DNS name "gw.local", and a static A record was created for it to be pushed to PPP clients:
DNS:
/ip dns static add name=gw.local address=172.31.1.1
Capturing the traffic of not-yet-authenticated clients into the proxy:
/ip firewall nat add chain=dstnat dst-port=80,443 in-interface=2fa protocol=tcp !src-address-list=2fa_approved action=redirect to-ports=3128
In this scheme the proxy has two tasks:
1. Open the tcp connection with the client;
2. On successful authorization, redirect the client to a page or image that signals successful authentication:
Proxy configuration:
/ip proxy
set enabled=yes port=3128
/ip proxy access
add action=deny disabled=no redirect-to=gw.local./mikrotik_logo.png src-address=0.0.0.0/0
Let me list the important elements of the configuration:
- interface-list "2fa": a dynamic list of client interfaces whose traffic must be processed within 2FA;
- address-list "2fa_jailed": the "gray" list of tunnel IP addresses of VPN clients;
- address-list "2fa_approved": the "white" list of tunnel IP addresses of VPN clients that have successfully passed two-factor authentication;
- firewall chain "input_2fa": checks tcp packets for the presence of an authorization code and matches the IP address of the code's sender against the expected one. The rules in this chain are added and removed dynamically.
A simplified packet-processing flowchart looks like this:
[Image: simplified packet-processing flowchart]
So that traffic from clients on the "gray" list that have not passed the second stage of authentication reaches the Layer7 check, a rule is created in the standard "input" chain:
Code:
/ip firewall filter add chain=input !src-address-list=2fa_approved action=jump jump-target=input_2fa
Now let's start bolting all this wealth onto the PPP service. MikroTik lets you use scripts in profiles (ppp-profile) and bind them to the events of a ppp connection being established and torn down. ppp-profile settings can be applied to the PPP server as a whole or to individual users. The profile assigned to a user has priority, overriding with its own parameters the profile selected for the server as a whole.
Thanks to this approach, we can create a dedicated profile for two-factor authentication and assign it not to all users, but only to those for whom it is considered necessary. This may be relevant if you use PPP services not only to connect end users but also to build site-to-site links.
In the new dedicated profile we use dynamic addition of the connected user's address and interface to the "gray" address and interface lists:
Code:
/ppp profile add address-list=2fa_jailed change-tcp-mss=no local-address=192.0.2.254 name=2FA interface-list=2fa only-one=yes remote-address=dhcp_pool1 use-compression=no use-encryption=required use-mpls=no use-upnp=no dns-server=172.31.1.1
Both the "address-list" and the "interface-list" are needed in order to identify and capture, in the dstnat (prerouting) chain, traffic from clients that have not passed the second stage of VPN authentication.
With the preparation done, the filter chains and the profile created, we write a script responsible for generating the 2FA code and the per-client rules.
Script used in the PPP profile for the connection (on-up) event:
# Log the received variables for debugging
:log info ($"local-address")
:log info ($"remote-address")
:log info ($"caller-id")
:log info ($"called-id")
:log info ([/interface pptp-server get ($"interface") name])
# Declare our own local variables
:local listname "2fa_jailed"
:local viamodem false
:local modemport "usb2"
# Find the automatically created entry in the "2fa_jailed" address list
:local recnum1 [/ip firewall address-list find address=($"remote-address") list=$listname]
# Get a pseudo-random code from the local generator (4 digits of the SCEP one-time password)
:local rnd1 [:pick ([/certificate scep-server otp generate as-value minutes-valid=1]->"password") 0 4]
# ...or get a pseudo-random code via random.org instead
#:local rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 4]
# Find and update the comment on the address-list entry: store the expected code there (also handy for debugging)
/ip firewall address-list set $recnum1 comment=$rnd1
# Get the phone number to send the SMS to (kept in the secret's comment)
:local vphone [/ppp secret get [find name=$user] comment]
# Prepare the message body. If the client connects to the VPN directly from the phone,
# it is enough to open the link from the received message
:local msgbody ("Your code: ".$rnd1."\n Or open link http://gw.local/otp/".$rnd1."/")
# Send the SMS over the chosen channel: USB modem or email-to-sms
:if ($viamodem) do={
  /tool sms send phone-number=$vphone message=$msgbody port=$modemport
} else={
  # the from/to addresses were redacted in the source; substitute your own
  /tool e-mail send server=a.b.c.d from=[email protected] to=[email protected] subject=("@".$vphone) body=$msgbody
}
# Generate the Layer7 regexp
:local vregexp ("otp/".$rnd1)
:local vcomment ("2fa_".($"remote-address"))
/ip firewall layer7-protocol add name=$vcomment comment=($"remote-address") regexp=$vregexp
# Generate the rule that inspects the client's traffic via Layer7 looking for the expected code,
# with a little protection against brute-forcing codes by means of dst-limit
/ip firewall filter add action=add-src-to-address-list address-list=2fa_approved address-list-timeout=none-dynamic chain=input_2fa dst-port=80,443,3128 layer7-protocol=$vcomment protocol=tcp src-address=($"remote-address") dst-limit=1,1,src-address/1m40s
Especially for those who like to copy-paste without thinking, I warn you: the code is taken from a test sample and may contain small typos. It will not be hard for a knowledgeable person to figure out exactly where.
When a user disconnects, an "On-Down" event is generated and the corresponding script is called with its parameters. The purpose of this script is to clean up the firewall rules that were created for the disconnected user.
Script used in the PPP profile for the disconnection (on-down) event:
:local vcomment ("2fa_".($"remote-address"))
/ip firewall address-list remove [find address=($"remote-address") list=2fa_approved]
/ip firewall filter remove [find chain="input_2fa" src-address=($"remote-address")]
/ip firewall layer7-protocol remove [find name=$vcomment]
Then you can create users and assign all or some of them to the two-factor authentication profile.
[Image: WinBox]
Code:
/ppp secret set [find name=Petrov] profile=2FA
What about the client side?
When the VPN connection is established, an Android/iOS phone/tablet with a SIM card receives an SMS like this:
[Image: SMS]
If the connection is established directly from the phone/tablet, you can pass 2FA by tapping the link in the message. Convenient.
If the VPN connection is established from a PC, the user will have to enter the code in a minimal form. A small form, in the shape of an HTML file, is given to the user when the VPN is set up. The file can also be sent by e-mail so that the user saves it and creates a shortcut in a convenient place. It looks like this:
[Image: shortcut on the desktop]
The user clicks the shortcut, a simple form opens, and the form pastes the code into the URL that is opened:
[Image: the form]
The most primitive form is given as an example. Those who wish can adapt it for themselves.
2fa_login_mini.html
<html>
<head>
<title>SMS OTP login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<!-- onsubmit makes Enter in the field behave like the Login button; return false prevents a real form POST -->
<form name="login" onsubmit="location.href='http://gw.local/otp/'+document.getElementById('text').value; return false;">
<input id="text" type="text"/>
<input type="button" value="Login" onclick="location.href='http://gw.local/otp/'+document.getElementById('text').value"/>
</form>
</body>
</html>
If authorization succeeded, the user sees the MikroTik logo in the browser, which is meant to indicate successful authentication:
Note that the image is returned from the MikroTik built-in web server by means of the WebProxy Deny Redirect.
I think the image can be customized using the "hotspot" tool, placing your own image there and pointing the WebProxy Deny Redirect URL at it.
A big request to those who are trying to buy the cheapest MikroTik "toy" for $20 and replace a $500 router with it: don't. Devices like the "hAP Lite" / "hAP mini" (home devices) have a very weak CPU (smips), and they most likely will not cope with the load in the corporate segment.
Warning! This solution has one drawback: when clients connect and disconnect, configuration changes occur, which the router tries to save to its non-volatile memory. With a large number of clients and frequent connects and disconnects, this can lead to wear of the router's internal storage.
PS: The methods of delivering the code to the client can be extended and supplemented as far as your programming skills allow. For example, you can send messages to Telegram or ... suggest your options!
I hope the article is useful to you and helps make the networks of small and medium-sized businesses more secure.
Source: www.habr.com