Organizing remote work for an SMB organization on OpenVPN

Problem statement

This article describes how to set up remote access for employees on open-source software. Everything shown can be used to build a fully independent system, and it is also useful for scaling out when the licenses of an existing commercial solution run short or its performance is insufficient.

The goal of the article is to implement a complete system for providing remote access to an organization, which is more than "install OpenVPN in 10 minutes".

As a result we get a system that authenticates users with certificates and, optionally, the corporate Active Directory. That is, two-factor authentication: something I have (the certificate) and something I know (the password).

The sign that a user is allowed to connect is membership in the myVPNUsr group. The certificate authority is operated offline.

The cost of the solution is modest hardware resources and about one hour of a system administrator's time.

We use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPUs and 4 GiB RAM for 4 connections.

In the example, the organization's network is 172.16.0.0/16; the VPN server sits in the 172.16.19.0/24 segment with address 172.16.19.123, the DNS servers are 172.16.16.16 and 172.16.17.17, and the subnet 172.16.20.0/23 is allocated to VPN clients.

For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.

Disabling SELinux is strongly discouraged! OpenVPN works fine without switching off the security policies.

Contents

  1. Installing the OS and application software
  2. Setting up the certificates
  3. Setting up OpenVPN
  4. AD authentication
  5. Start-up and diagnostics
  6. Issuing and revoking certificates
  7. Network setup
  8. What next

Installing the OS and application software

We use the CentOS 7.8.2003 distribution. The OS should be installed in a minimal configuration; this is easy to do with kickstart, by cloning a pre-installed OS image, or by other means.

After installation, assign an address to the network interface (172.16.19.123 per the task statement) and update the OS:

$ sudo yum update -y && reboot

Also make sure that time synchronization is working on the machine: certificate validity periods and the CRL are checked against the system clock.

For the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required):

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install a guest agent in the virtual machine:

$ sudo yum install open-vm-tools

for VMware ESXi hosts, or

$ sudo yum install ovirt-guest-agent

for oVirt.

Setting up the certificates

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create the variables file:

$ sudo vim vars

with the following content:

# Easy-RSA 3 reads EASYRSA_* variables; the KEY_* names from Easy-RSA 2 are silently ignored
export EASYRSA_REQ_COUNTRY="RU"
export EASYRSA_REQ_PROVINCE="MyRegion"
export EASYRSA_REQ_CITY="MyCity"
export EASYRSA_REQ_ORG="ABC LLC"
export EASYRSA_REQ_EMAIL="[email protected]"
export EASYRSA_REQ_CN="allUsers"
export EASYRSA_REQ_OU="allUsers"
# the original KEY_NAME="gw.abc.ru" and KEY_ALTNAMES="abc-openvpn-server" have no effect in
# Easy-RSA 3 and are omitted; the clients' remote-cert-tls check does not depend on the server name
# validity of issued certificates, in days (the CA's own lifetime is EASYRSA_CA_EXPIRE, default 3650)
export EASYRSA_CERT_EXPIRE=3652

The certificate attributes here describe a fictional organization, ABC LLC; replace them with real values or leave the example ones. The most important entry is the last line, which sets the validity of issued certificates in days. The example uses ten years (365*10 plus 2 leap days). This value must be adjusted before user certificates are issued.

Next we set up a standalone certificate authority.

The setup consists of exporting the variables, initializing the PKI, issuing the CA key and certificate, generating the Diffie-Hellman parameters, the TLS auth key, and the server key and certificate. The CA key must be guarded carefully and kept secret! Note that the nopass option on build-ca stores that key unencrypted on disk; leave it out to be prompted for a passphrase, which you then enter at every sign-req. All other parameters can be left at their defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

This completes the main part of setting up the certificate server.

Setting up OpenVPN

Go to the OpenVPN directory, create the service directories and add a link to the easy-rsa PKI:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following content:

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# the client profile carries ta.key with key-direction 1, so the server side is direction 0
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# routes pushed to clients; the corporate network in this example is 172.16.0.0/16
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
# the two lines below implement the AD (LDAP) password check
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some comments on the parameters:

  • if the server certificate was issued under a name other than myvpngw, adjust the cert and key paths;
  • set the address pool to match your needs*;
  • there may be one or more routes and DNS servers;
  • the CRL is re-read at client handshakes, after the daemon has dropped to user nobody, so crl.pem must remain readable by that user; a CRL read error in the log at connection time usually means it is not;
  • cipher AES-256-CBC is the fallback: OpenVPN 2.4 clients and servers negotiate AES-256-GCM between themselves by default;
  • the last two lines are needed for authentication against AD**.

* The address range chosen in the example allows up to 127 clients to connect at once: a /23 was chosen, and OpenVPN in its default net30 topology hands each client a /30. With "topology subnet" each client gets a single address and the same /23 serves about 509 clients.
If necessary, the port and protocol can be changed; bear in mind, though, that a different port number must also be registered with SELinux (the openvpn_port_t type, via semanage port), and that TCP adds overhead, because the packets encapsulated inside the tunnel already carry their own TCP flow control.

** If AD authentication is not needed, comment those two lines out, skip the next section, and remove the auth-user-pass line from the client template.

AD authentication

To support the second factor we use user verification in AD.

We need a domain account with ordinary user rights, and a group whose membership determines who may connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the following content:

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Key settings:

  • URL "ldap://ldap.abc.ru": the directory server address;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru": the distinguished name used to bind to LDAP (the bindUsr account in the abc.ru/Users container);
  • Password b1ndP@SS: the bind password;
  • BaseDN "OU=allUsr,DC=abc,DC=ru": the path where the user search starts;
  • BaseDN "OU=myGrp,DC=abc,DC=ru": the container of the authorized group (the myVPNUsr group in abc.ru/myGrp);
  • SearchFilter "(cn=myVPNUsr)": the name of the authorized group.

Three caveats before going live. With TLSEnable no and a plain ldap:// URL, the bind password and every user's password cross the network to the domain controller in clear text; prefer TLSEnable yes (StartTLS) or an ldaps:// URL and point TLSCACertFile at the CA that issued the domain controller's certificate. The file contains the bind password, so keep it owned by root with mode 600. Finally, the group check looks for the user's DN directly in the member attribute of myVPNUsr, so nested groups are not resolved: users must be direct members.
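Before wiring the plugin in, it is worth checking with plain LDAP tools that the bind account works and that a given user really is a direct member of myVPNUsr, since that is exactly the test openvpn-auth-ldap performs at login. The script below is an added example and not part of the original article or of the plugin; it assumes the ldap.conf values above, ldapsearch from openldap-clients for the live query, and runs its membership check on a constructed LDIF sample in place of a real directory response.

```shell
#!/bin/bash
# Added example (not from the article): pre-flight check of the AD group test
# that openvpn-auth-ldap performs at login. Assumes the ldap.conf values above.

# 1. Live query with the bind account: fetch the group's member attribute.
#    Not executed below; run it on the VPN server to get real LDIF.
fetch_group_ldif() {
  ldapsearch -LLL -x -H ldap://ldap.abc.ru \
    -D 'CN=bindUsr,CN=Users,DC=abc,DC=ru' -w 'b1ndP@SS' \
    -b 'OU=myGrp,DC=abc,DC=ru' '(cn=myVPNUsr)' member
}

# 2. LDIF folds long values onto continuation lines that begin with a single
#    space. Unfold them first, or a long DN will never compare equal.
ldif_unfold() {
  awk '/^ / { sub(/^ /, ""); buf = buf $0; next }
       { if (buf != "") print buf; buf = $0 }
       END { if (buf != "") print buf }'
}

# 3. The membership test itself: is the user's DN one of the group's "member"
#    values? DNs in AD are case-insensitive, so compare lowercased.
#    Values written as "member::" (base64, non-ASCII DN) are not handled here.
dn_in_group() {                       # $1: user DN; stdin: group LDIF
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  ldif_unfold | awk -F': ' -v want="$want" '
    $1 == "member" && tolower($2) == want { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample of what the query returns; the second DN is folded the
# way a server wraps lines longer than 76 characters.
SAMPLE_LDIF='dn: CN=myVPNUsr,OU=myGrp,DC=abc,DC=ru
member: CN=John Smith,OU=allUsr,DC=abc,DC=ru
member: CN=Anna Very-Long-Surname-That-Gets-Folded,OU=allUs
 r,DC=abc,DC=ru
'

for dn in 'CN=John Smith,OU=allUsr,DC=abc,DC=ru' 'CN=Mallory,OU=allUsr,DC=abc,DC=ru'; do
  if printf '%s' "$SAMPLE_LDIF" | dn_in_group "$dn"; then
    echo "allowed: $dn"
  else
    echo "denied:  $dn"
  fi
done
```

On the real server, replace the sample with `fetch_group_ldif | dn_in_group "<user DN>"`; if the live query fails, the problem is the bind account or network path to the DC, not OpenVPN.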

Start-up and diagnostics

Now we can enable and start the server. The configuration is /etc/openvpn/server.conf, so the instance of the openvpn@ template unit is openvpn@server:

$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server

Checking the start-up:

systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Issuing and revoking certificates

Since, besides the certificates themselves, keys and other settings are needed, it is very convenient to pack all of it into a single profile file. The file is then handed to the user, who imports the profile into the OpenVPN client. For this we create a profile template and a script that generates the profile.

The contents of the root certificate (ca.crt) and the TLS auth key (ta.key) have to be added to the profile.

Before issuing user certificates, do not forget to set the required validity period in the variables file. It should not be too long; I recommend no more than 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • replace the PUT YOUR... lines with the contents of the respective files;
  • in the remote directive, specify the name or address of your gateway;
  • the auth-user-pass directive triggers the additional external (AD) authentication;
  • remote-cert-tls server makes the client accept only a certificate our CA signed with the server type, which is why the server request was signed with sign-req server; it protects users from connecting to a host that merely holds some client certificate.

In the home directory (or any other suitable place) we create a script that requests a certificate and builds the profile. It is run as root, since it writes into the Easy-RSA tree:

vim ~/make.profile.sh

#!/bin/bash
# Issue a client certificate and assemble an inline .ovpn profile for it.

if [ -z "$1" ]; then
    echo "Missing mandatory client name. Usage: $0 vpn-username"
    exit 1
fi

# Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

# Lowercase the client name and use it everywhere: it becomes the certificate CN
# and must match the AD sAMAccountName because of username-as-common-name
client=${1,,}
profile=$clntpath/$client.ovpn
year=$(date +%Y)
echo "Processing $year year cert for user/device $client"

cd "$basepath" || exit 1

if [ -e "$profile" ] || [ -e "$certpath/$client.crt" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass || exit 1
./easyrsa --batch sign-req client "$client" || exit 1

# Make profile: the template, then the private key and certificate as inline blocks
cp "$clntpath/template.ovpn" "$profile"
chmod 600 "$profile"   # the profile contains the private key

{
    echo "<key>"
    cat "$privpath/$client.key"
    echo "</key>"
    echo
    echo "<cert>"
    # strip the human-readable text that easyrsa prepends, leaving only the PEM block
    openssl x509 -in "$certpath/$client.crt"
    echo "</cert>"
    echo
} >> "$profile"

echo "Complete. See $profile file."

Make the file executable:

chmod a+x ~/make.profile.sh

And we can issue our first certificate:

~/make.profile.sh my-first-user

Revocation

If a certificate is compromised (lost, stolen), it must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

Because server.conf points crl-verify at the linked pki/crl.pem, the new CRL applies to the next connection attempt without restarting the service. A session that is already established is not cut off until its next TLS renegotiation (reneg-sec, 3600 seconds by default), so in an urgent case restart the service as well.

Viewing issued and revoked certificates

To see issued and revoked certificates, just look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Notes:

  • the first line is the server's certificate;
  • the first character of each line:
    • V (Valid): the certificate is valid;
    • R (Revoked): the certificate has been revoked.
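The index is a small tab-separated database, and its layout is worth knowing because revoke and gen-crl are keyed on it: status (V valid, R revoked, E expired), expiry as YYMMDDHHMMSSZ, revocation date (only on R lines), serial, the literal word unknown, and the subject DN. The functions below are an added example, not from the article or from Easy-RSA, that report on such a file; the index content they run on is constructed to match what easyrsa writes with cn_only subjects.

```shell
#!/bin/bash
# Added example (not from the article): summarize an Easy-RSA 3 pki/index.txt.
# Record layout (tab-separated): status, expiry YYMMDDHHMMSSZ, revocation date,
# serial, "unknown", subject DN.

# Constructed sample (assumption: cn_only subjects, as gen-req --req-cn produces).
SAMPLE_INDEX=$(printf '%s\t%s\t%s\t%s\tunknown\t/CN=%s\n' \
  V 300512120000Z ''             01 myvpngw \
  R 201001120000Z 200601093000Z  02 my-first-user \
  V 200630120000Z ''             03 j.smith \
  V 201215120000Z ''             04 laptop-17)

# Print "status serial CN expiry" for every record.
index_report() {                 # $1: index.txt content
  printf '%s\n' "$1" | awk -F'\t' '{
    cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
    printf "%s %s %s %s\n", $1, $4, cn, $2 }'
}

# Count records carrying a given status letter.
count_status() {                 # $1: index content, $2: V, R or E
  printf '%s\n' "$1" | awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n+0 }'
}

# Serial of the currently valid certificate for a CN, or nothing. The serial is
# what the R entry and pki/certs_by_serial/ are keyed on after a revoke.
serial_for_cn() {                # $1: index content, $2: CN
  printf '%s\n' "$1" | awk -F'\t' -v cn="$2" '$1 == "V" && $6 == ("/CN=" cn) { print $4 }'
}

# Valid certificates whose expiry lies before a cutoff given in the same
# YYMMDDHHMMSSZ form; the format is fixed-width, so string order is date order.
# Pass "$(date -u +%y%m%d%H%M%SZ)" to list certificates that are expired now.
expired_before() {               # $1: index content, $2: cutoff stamp
  printf '%s\n' "$1" | awk -F'\t' -v cut="$2" '$1 == "V" && $2 < cut {
    cn = $6; sub(/^\/CN=/, "", cn); print cn }'
}

index_report "$SAMPLE_INDEX"
echo "valid: $(count_status "$SAMPLE_INDEX" V), revoked: $(count_status "$SAMPLE_INDEX" R)"
echo "expired by 2020-12-01: $(expired_before "$SAMPLE_INDEX" 201201000000Z | tr '\n' ' ')"
```

On the server, replace the sample with `$(cat /usr/share/easy-rsa/3/pki/index.txt)`; a cron job around expired_before gives advance warning before a user's 180-day certificate runs out.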

Network setup

The final step is setting up the transit network: routing and the firewall.

Allow connections in the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP forwarding (the file write needs root privileges, which a plain shell redirect after sudo does not have, hence tee):

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a corporate environment there is most likely some subnetting, and we have to tell the router(s) how to reach our VPN clients. On the router's command line we run something like the following (the exact form depends on the equipment):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

In addition, the border router that provides the external address gw.abc.ru must pass udp/1194 packets through to our server.

If the organization has strict security rules, a firewall should also be configured on the VPN server itself. In my opinion the most flexible way is through the iptables FORWARD chain, although it is not the simplest to set up. A little about how. The most convenient way is firewalld's "direct rules", stored in the file /etc/firewalld/direct.xml. The current set of rules can be shown like this:

$ sudo firewall-cmd --direct --get-all-rules

Before changing the file, make a backup:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The file looks roughly like this:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Explanation

These are ordinary iptables rules, only wrapped in XML now that firewalld is in charge.

The incoming interface is tun0 by default; the outgoing interface toward the LAN is ens192 in this example and must be replaced with the name of your own interface (eth0 under the older naming scheme).

The last line logs the packets that none of the rules above accepted: with priority 1 it runs after the priority-0 ACCEPT rules, and whatever it logs then falls through to firewalld's default handling. The LOG target writes to the kernel log, which rsyslog delivers to /var/log/messages. While debugging the rules it also helps to raise firewalld's own log level in its configuration:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

The settings are applied with the usual firewalld command that re-reads the configuration:

$ sudo firewall-cmd --reload

Dropped packets can then be seen like this:

grep forward_fw /var/log/messages
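The logging rule is there so you can learn what VPN users try to reach beyond what the rules allow, and the raw kernel log lines are verbose. The function below is an added example, not from the article, that condenses them into counts per source, destination, protocol and destination port. The log lines it runs on are constructed in the netfilter LOG format that rsyslog writes to /var/log/messages; the hostname gw and the addresses are assumptions.

```shell
#!/bin/bash
# Added example (not from the article): summarize "forward_fw" LOG hits from
# /var/log/messages so that unexpected destinations stand out.

# Constructed sample lines in the kernel netfilter LOG format. The fifth line is
# a mid-stream TCP packet (ACK, no SYN) and the last one is unrelated noise.
SAMPLE_LOG='Jun  1 10:00:01 gw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.6 DST=172.16.19.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 10:00:02 gw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.6 DST=172.16.19.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 10:00:05 gw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.10 DST=172.16.19.201 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 10:00:09 gw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.6 DST=172.16.19.53 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=ICMP TYPE=8 CODE=0
Jun  1 10:00:12 gw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.6 DST=172.16.19.50 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=64240 RES=0x00 ACK URGP=0
Jun  1 10:00:15 gw sshd[1234]: Accepted publickey for admin from 172.16.19.5 port 50000 ssh2'

# Count hits by (source, destination, protocol, destination port). ICMP has no
# port, so "-" is printed. For TCP only SYN packets are counted, so one refused
# connection attempt is not inflated by its retransmissions or data packets.
fw_log_summary() {               # stdin: syslog lines; stdout: "count src dst proto dport"
  grep -F 'forward_fw' | awk '
    {
      src = dst = proto = dport = ""; syn = 0
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC")   src = kv[2]
        if (kv[1] == "DST")   dst = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT")   dport = kv[2]
        if ($i == "SYN")      syn = 1
      }
      if (proto == "TCP" && !syn) next
      if (dport == "") dport = "-"
      n[src " " dst " " proto " " dport]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

On the server, feed it `grep forward_fw /var/log/messages` instead of the sample. Two RDP attempts from 172.16.20.6 to a host the rules never mention is the kind of line that tells you whether a rule is missing or a user is probing.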

What next

The setup is complete!

All that remains is to install the client software on the client side, import the profile and connect. For Windows the installer is available on the developer's website.

Finally, hook the new server up to monitoring and backups, and do not forget to install updates regularly.

Stable connections!

source: www.habr.com
