Organizing remote work for an SMB organization on OpenVPN
Problem statement
This article describes setting up remote access for employees on open-source components. It can be used both to build a fully self-contained system and to scale out when the licences of an existing commercial solution run out or its performance is insufficient.
The aim of the article is to implement a complete system for providing remote access to an organization, which is a little more than "installing OpenVPN in 10 minutes".
As a result we get a system that uses certificates and (optionally) the corporate Active Directory to authenticate users. That is, we get two authentication factors: something I have (a certificate) and something I know (a password).
The sign that a user is allowed to connect is membership in the myVPNUsr group. A standalone certificate authority will be used.
The cost of implementing the solution is only a small amount of hardware resources and one hour of a system administrator's work.
We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPUs and 4 GiB RAM for 4 connections.
In the example, the organization's network is 172.16.0.0/16; the VPN server with address 172.16.19.123 sits in the 172.16.19.0/24 segment, the DNS servers are 172.16.16.16 and 172.16.17.17, and the subnet 172.16.20.0/23 is allocated to VPN clients.
For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.
Disabling SELinux is strongly discouraged! OpenVPN works without turning off the security policies.
We use the CentOS 7.8.2003 distribution. A minimal installation of the OS is required; this is easily done with kickstart, by deploying a pre-installed OS image, or by other means.
After installation, assign an address to the network interface (172.16.19.123 according to the task conditions) and update the OS:
$ sudo yum update -y && reboot
Also make sure that time synchronization is working on our machine.
To install the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required).
The parameters for the fictional organization ABC LLC are given here; you can replace them with real values or leave them as in the example. The most important thing in the parameters is the last line, which sets the validity period of a certificate in days. The example uses a value of 10 years (365*10+2 leap days). This value must be adjusted before issuing user certificates.
Next, we set up a standalone certificate authority.
Setup includes exporting the variables, initializing the CA, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be guarded carefully and kept secret! All request parameters can be left at their defaults.
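As an added example (not the article's own commands, which are not reproduced on this page), the following script runs the Easy-RSA 3 steps just listed: it initializes the PKI, builds the CA, generates the DH parameters and the static TLS key, issues the server certificate and creates an initial empty CRL. The Easy-RSA location /usr/share/easy-rsa/3 and the server CN myvpngw are taken from the paths used in server.conf later in the article; the helper that reads EASYRSA_CERT_EXPIRE from the vars file and enforces the article's 180-day recommendation for client certificates is my addition.

```shell
#!/bin/bash
# Added example: bootstrap the standalone Easy-RSA 3 CA and the server key pair.
# Assumptions: easy-rsa 3 from EPEL in /usr/share/easy-rsa/3 and the server CN
# "myvpngw" (matches cert/key paths in server.conf). Not the article's own code.

EASYRSA_DIR=${EASYRSA_DIR:-/usr/share/easy-rsa/3}
SERVER_CN=${SERVER_CN:-myvpngw}

# Print the EASYRSA_CERT_EXPIRE value from a vars file. Accepts both the
# "export X=N" style used in the article and Easy-RSA's own "set_var X N".
vars_expire_days() {
    awk '
        /^[[:space:]]*export[[:space:]]+EASYRSA_CERT_EXPIRE=/ { sub(/.*=/, ""); v = $0 }
        /^[[:space:]]*set_var[[:space:]]+EASYRSA_CERT_EXPIRE[[:space:]]/ { v = $3 }
        END { gsub(/"/, "", v); print v }
    ' "$1"
}

# Return success only if the configured lifetime is suitable for client
# certificates (at most 180 days, as the article recommends).
check_client_lifetime() {
    local days
    days=$(vars_expire_days "$1")
    [ -n "$days" ] && [ "$days" -le 180 ]
}

bootstrap_pki() {
    cd "$EASYRSA_DIR" || return 1
    ./easyrsa init-pki                       # fresh pki/ tree; destroys an existing one!
    ./easyrsa build-ca                       # prompts for a CA passphrase and CN: keep the passphrase,
                                             # the CA key (pki/private/ca.key) must stay secret
    ./easyrsa gen-dh                         # pki/dh.pem, referenced by "dh" in server.conf
    openvpn --genkey --secret pki/ta.key     # static tls-auth key, copied into every client profile
    ./easyrsa --batch --req-cn="$SERVER_CN" gen-req "$SERVER_CN" nopass  # pki/private/myvpngw.key
    ./easyrsa --batch sign-req server "$SERVER_CN"  # pki/issued/myvpngw.crt with serverAuth EKU,
                                                    # which "remote-cert-tls server" on clients checks
    ./easyrsa gen-crl                        # empty pki/crl.pem so crl-verify has a file from day one
}

# Usage: ./bootstrap-ca.sh --run   (long-lived CA/server certs are fine at this stage;
# lower EASYRSA_CERT_EXPIRE in vars before issuing client certificates)
if [ "${1:-}" = "--run" ]; then
    echo "EASYRSA_CERT_EXPIRE in $EASYRSA_DIR/vars: $(vars_expire_days "$EASYRSA_DIR/vars") days"
    bootstrap_pki
fi
```

The CA passphrase prompt is deliberate: the article stresses guarding the CA key, and an unencrypted ca.key on the same VM as the VPN daemon would let anyone who compromises the host mint client certificates.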
This completes the main part of setting up the certificate server.
Configuring OpenVPN
Go to the OpenVPN directory, create the service directories and add a link to easy-rsa:
cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/
Create the main OpenVPN configuration file:
$ sudo vim server.conf
with the following content:
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# the client template embeds ta.key as <tls-auth> with key-direction 1, so the
# server needs the matching directive (path assumed: where the key was generated)
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# the corporate network is 172.16.0.0/16, so push the whole /16
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
Some notes on the parameters:
if a different name was given when the server certificate was issued, specify that one;
specify the address pool appropriate for your tasks*;
there can be one or more routes and DNS servers;
the last 2 lines are needed for authentication against AD**. Note that with username-as-common-name the AD username, not the certificate CN, is what appears in the status file and log and what the client-config-dir (ccd) lookup is keyed on, so per-user ccd files must be named after the AD account.
*The address range chosen in the example allows up to 127 clients to connect simultaneously: a /23 holds 128 /30 subnets, OpenVPN allocates one /30 per client in its default net30 topology, and one /30 is taken by the server itself. With "topology subnet" the same /23 would serve about 500 clients.
If really necessary the port and protocol can be changed, but keep in mind that changing the port number also requires adjusting the SELinux policy (label the new port with semanage port -a -t openvpn_port_t -p udp <port>), and that using TCP increases overhead, since TCP delivery control is already performed by the packets encapsulated inside the tunnel.
** If AD authentication is not needed, comment these lines out, skip the next section, and remove the auth-user-pass line from the template.
AD authentication
To support the second factor, we will use account verification against AD.
We need an account in the domain with ordinary user rights, and a group whose membership determines who is allowed to connect.
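The ldap.conf for the openvpn-auth-ldap plugin referenced in server.conf is not reproduced on this page, so here is an added example of mine that renders one for Active Directory. The group name myVPNUsr and the low-privilege bind account come from the article; the domain controller name dc1.abc.ru, the base DN dc=abc,dc=ru and the service account DN are assumptions. The filter also excludes disabled accounts (userAccountControl bit 2), which the article does not mention but a practitioner would want.

```shell
#!/bin/bash
# Added example, not the article's own file: render /etc/openvpn/ldap.conf for
# openvpn-auth-ldap against AD. DC name, base DN and bind account are assumptions.
render_ldap_conf() {
    local dc_url=$1 base_dn=$2 bind_dn=$3 bind_pw=$4 group_cn=$5
    cat <<EOF
<LDAP>
    URL             ${dc_url}
    BindDN          ${bind_dn}
    Password        ${bind_pw}
    Timeout         15
    # StartTLS on the ldap:// port; add TLSCACertFile if the DC cert is not
    # issued by a CA in the system trust store
    TLSEnable       yes
    FollowReferrals no
</LDAP>
<Authorization>
    BaseDN          "${base_dn}"
    # %u is the username the client sent via auth-user-pass; the bit-AND rule
    # on userAccountControl (bit 2 = ACCOUNTDISABLE) rejects disabled accounts
    SearchFilter    "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    RequireGroup    true
    <Group>
        BaseDN          "${base_dn}"
        SearchFilter    "(cn=${group_cn})"
        MemberAttribute member
    </Group>
</Authorization>
EOF
}

# Write the file root-only: the plugin reads it during OpenVPN startup, before
# the daemon drops to the nobody user, so 0600 root:root is sufficient.
install_ldap_conf() {
    local target=/etc/openvpn/ldap.conf
    ( umask 077; render_ldap_conf "$@" > "$target.tmp" )
    install -o root -g root -m 600 "$target.tmp" "$target"
    rm -f "$target.tmp"
}

# Usage (assumed values):
#   install_ldap_conf ldap://dc1.abc.ru "dc=abc,dc=ru" \
#       "cn=svc-vpn-ldap,ou=Service,dc=abc,dc=ru" 'bind-password' myVPNUsr
```

The bind password sits in clear text in this file, which is why the article insists on an account with ordinary user rights only: it can look up group membership and nothing more.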
To check the service status and the logs:
systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Issuing and revoking certificates
Since besides the certificate itself a client needs a key and other settings, it is very convenient to wrap all of this into a single profile file. The file is then handed to the user and imported into the OpenVPN client. For this we create a template and a script that generates the profile.
The contents of the root certificate (ca.crt) and the TLS key (ta.key) must be added to the profile.
Before issuing user certificates, do not forget to set the required certificate validity period in the parameters file. It should not be too long; I recommend limiting yourself to at most 180 days.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Notes:
replace the PUT YOUR... lines with the contents of the respective files;
in the remote directive, specify the name/address of your gateway;
the auth-user-pass directive is used for the additional external authentication.
In the home directory (or another suitable place) we create a script that requests a certificate and builds the profile:
vim ~/make.profile.sh
#!/bin/bash
# Issue a client certificate with Easy-RSA 3 and bundle key, certificate and
# the template into a single .ovpn profile.
if [ -z "$1" ] ; then
    echo "Missing mandatory client name. Usage: $0 vpn-username"
    exit 1
fi
# Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
# Easy-RSA names its files after the (lowercased) CN, so use that name everywhere
client=${1,,}
profile=$clntpath/$client.ovpn
year=$(date +%Y)
echo "Processing $year year cert for user/device $client"
cd "$basepath" || exit 1
# Refuse to re-issue: a second certificate for the same CN would duplicate an identity
if [ -e "$profile" ] || [ -e "$certpath/$client.crt" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi
. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass || exit 1
./easyrsa --batch sign-req client "$client" || exit 1
# Make profile
cp "$clntpath/template.ovpn" "$profile"
chmod 600 "$profile"          # the profile carries an unencrypted private key
{
    echo "<key>"
    cat "$privpath/$client.key"
    echo "</key>"
    echo
    echo "<cert>"
    # re-encode to drop the human-readable text block, keeping only the PEM body
    openssl x509 -in "$certpath/$client.crt"
    echo "</cert>"
} >> "$profile"
echo "Complete. See $profile file."
cd ~
Make the file executable:
chmod a+x ~/make.profile.sh
And we can issue our first certificate.
~/make.profile.sh my-first-user
Revocation
If a certificate is compromised (lost, stolen), it must be revoked:
cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl
gen-crl rewrites pki/crl.pem, which the server reads through /etc/openvpn/pki/crl.pem (the crl-verify directive). OpenVPN re-reads the CRL when the file changes, so no restart is needed, but because the daemon drops to the nobody user the file must stay readable by that user. The CRL itself also has a validity period (EASYRSA_CRL_DAYS in vars, 180 days by default); once it expires OpenVPN rejects every connection, so regenerate it before then even if nothing has been revoked.
Viewing issued and revoked certificates
To see the issued and revoked certificates, simply look at the index file:
cd /usr/share/easy-rsa/3/
cat pki/index.txt
Notes:
the first line is the server certificate;
the first character of each line is the status:
V (Valid) - valid;
R (Revoked) - revoked.
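Reading the raw index gets tedious once a few dozen certificates have been issued, so as an added example (not part of the article) here is a parser for pki/index.txt that prints one readable line per certificate and flags certificates that are past their expiry but still marked V (OpenSSL only flips V to E when "openssl ca -updatedb" is run, which Easy-RSA does not do). The sample index data is constructed for the demo; the CNs match the names used in the article. It relies on GNU date for the date conversion and handles the two-digit years Easy-RSA 3 writes for dates before 2050.

```shell
#!/bin/bash
# Added example: report on Easy-RSA's pki/index.txt (the OpenSSL CA database).
# Columns are tab-separated: status (V/R/E), expiry YYMMDDHHMMSSZ, revocation
# date (empty unless revoked), serial, "unknown", subject DN. Needs GNU date.

# Constructed sample data in the index.txt format (not a real PKI).
sample_index() {
    printf 'V\t300415120000Z\t\t01\tunknown\t/CN=myvpngw\n'
    printf 'V\t201215120000Z\t\t02\tunknown\t/CN=my-first-user\n'
    printf 'R\t301001120000Z\t200601093000Z\t03\tunknown\t/CN=old-laptop\n'
}

# Normalize index lines (stdin) to "status|expiry iso|revocation iso|cn".
# awk is used because the shell's read collapses consecutive tabs and would
# lose the empty revocation field. Two-digit years only (valid through 2049).
index_fields() {
    awk -F'\t' '
        function iso(s) {
            return "20" substr(s,1,2) "-" substr(s,3,2) "-" substr(s,5,2) " " \
                   substr(s,7,2) ":" substr(s,9,2) ":" substr(s,11,2)
        }
        NF >= 6 {
            cn = $6; sub(/.*\/CN=/, "", cn)
            print $1 "|" iso($2) "|" ($3 == "" ? "" : iso($3)) "|" cn
        }'
}

# One line per certificate: STATUS CN EXPIRES [revoked=DATE]
# STATUS becomes EXPIRED for V entries whose notAfter is already in the past.
cert_report() {
    local now
    now=$(date -u +%s)
    index_fields | while IFS='|' read -r status exp_iso rev_iso cn; do
        exp_epoch=$(date -u -d "$exp_iso" +%s)
        if [ "$status" = V ] && [ "$exp_epoch" -le "$now" ]; then
            status=EXPIRED
        fi
        line="$status $cn ${exp_iso%% *}"
        if [ -n "$rev_iso" ]; then
            line="$line revoked=${rev_iso%% *}"
        fi
        printf '%s\n' "$line"
    done
}

# CNs of still-valid (V) certificates that expire within $1 days, including
# ones that have already lapsed: the list to renew before users get locked out.
expiring_within() {
    local limit
    limit=$(( $(date -u +%s) + $1 * 86400 ))
    index_fields | while IFS='|' read -r status exp_iso rev_iso cn; do
        [ "$status" = V ] || continue
        exp_epoch=$(date -u -d "$exp_iso" +%s)
        if [ "$exp_epoch" -le "$limit" ]; then
            printf '%s\n' "$cn"
        fi
    done
}

# Usage on the real CA:  cert_report < /usr/share/easy-rsa/3/pki/index.txt
#                        expiring_within 30 < /usr/share/easy-rsa/3/pki/index.txt
```

Run expiring_within from cron against the real index and you get the renewal list that a 180-day client lifetime requires, without anyone having to read the raw file.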
Configuring the network
The last step is configuring the data network: routing and firewalls.
Connections must be allowed on the local firewall.
In a corporate environment there is most likely subnetting, and we need to tell the router(s) how to route packets to our VPN clients. On the command line we run a command of the following form (depending on the equipment used):
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
and save the configuration.
In addition, on the border router that publishes the external address gw.abc.ru, udp/1194 packets must be allowed through.
If the organization has strict security rules, a firewall must also be configured on our VPN server. In my opinion the most flexible approach is to configure the iptables FORWARD chain, although the setup is somewhat less convenient. A little about how to do it. The most convenient way is to use "direct rules", stored in the file /etc/firewalld/direct.xml. The current rule configuration can be queried with firewall-cmd.
These are ordinary iptables rules, just wrapped in the form firewalld expects.
The incoming interface with default settings is tun0, and the outgoing interface for the tunnel may be different, for example ens192, depending on the platform used.
The last line is for logging dropped packets. For the logging to work, you need to change the debug level in the firewalld configuration:
vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2
The settings are applied with the usual firewalld command that re-reads the configuration:
$ sudo firewall-cmd --reload
Dropped packets can then be viewed like this:
grep forward_fw /var/log/messages
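The article's direct.xml is not reproduced on this page, so as an added example of my own here is a generator for the FORWARD-chain direct rules it describes: accept return traffic for established flows, allow new flows from the VPN client pool on tun0 only towards the listed corporate networks via the outbound interface, then log (with the forward_fw prefix grepped for above) and drop anything else arriving from the tunnel. The interface names, the 172.16.20.0/23 pool and the 172.16.0.0/16 destination in the usage line are assumptions matching the article's addressing; the sysctl drop-in file name is also assumed.

```shell
#!/bin/bash
# Added example (not the article's direct.xml): emit firewalld direct rules for
# the FORWARD chain, one per line in "--direct --add-rule" argument order.
# Args: tun_if out_if client_pool dest_net [dest_net ...]
vpn_forward_rules() {
    tun_if=$1; out_if=$2; pool=$3; shift 3
    prio=0
    emit() { printf 'ipv4 filter FORWARD %d %s\n' "$prio" "$*"; prio=$((prio + 1)); }
    # replies to already-accepted flows, in both directions
    emit -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # new flows from VPN clients, only to the permitted corporate networks
    for dst in "$@"; do
        emit -i "$tun_if" -o "$out_if" -s "$pool" -d "$dst" -m conntrack --ctstate NEW -j ACCEPT
    done
    # everything else coming out of the tunnel: log with the prefix the article
    # greps for (no trailing space, so the argument needs no quoting), then drop
    emit -i "$tun_if" -j LOG --log-prefix forward_fw: --log-level info
    emit -i "$tun_if" -j DROP
}

# Apply the generated rules permanently and enable routing between interfaces,
# which OpenVPN needs and firewalld does not turn on by itself.
apply_vpn_forward_rules() {
    vpn_forward_rules "$@" | while read -r line; do
        # intentional word splitting: each token becomes one firewall-cmd argument
        firewall-cmd --permanent --direct --add-rule $line
    done
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-openvpn-forward.conf  # file name assumed
    firewall-cmd --reload
}

# Usage: ./vpn-fw.sh --apply tun0 ens192 172.16.20.0/23 172.16.0.0/16
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_vpn_forward_rules "$@"
fi
```

Listing destinations explicitly rather than allowing the whole /16 is where the least-privilege gain is: a compromised laptop with a valid certificate and password can then reach only the servers remote staff actually need.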
What next
The setup is complete!
All that remains is to install the client software on the client side, import the profile and connect. For Windows operating systems, the distribution is available on the official website.
Finally, we connect our new server to the monitoring and backup systems, and do not forget to install updates regularly.