Setting up remote access to a small business (SMB) via OpenVPN

Problem statement

This article describes how to organize remote access for employees using open-source products. It can be used both to build a standalone system and to supplement an existing commercial system when it lacks licenses or its performance is insufficient.

The goal of the article is to implement a complete system for providing remote access to an organization, which is a little more than "installing OpenVPN in 10 minutes".

As a result, we get a system in which certificates and (optionally) the corporate Active Directory are used to authenticate users. That is, we get a system with two verification factors: something I have (a certificate) and something I know (a password).

The sign that a user is allowed to connect is membership in the myVPNUsr group. The certificate authority is used offline.

The cost of implementing the solution is just modest hardware resources and 1 hour of a system administrator's time.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPUs and 4 GiB of RAM per hundred connections.

In the example, our organization's network is 172.16.0.0/16; the VPN server has the address 172.16.19.123 in the 172.16.19.0/24 segment, the DNS servers are 172.16.16.16 and 172.16.17.17, and 172.16.20.0/23 is allocated to VPN clients.

For connections from outside, access via port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.

Disabling SELinux is not recommended! OpenVPN works fine without disabling the security policies.

Contents

  1. Installing the OS and application software
  2. Setting up cryptography
  3. OpenVPN setup
  4. AD authentication
  5. Startup and diagnostics
  6. Certificates and revocation
  7. Network setup
  8. What's next

Installing the OS and application software

We use the CentOS 7.8.2003 distribution. The OS should be installed in a minimal configuration. This is convenient to do with kickstart, by cloning a previously installed OS image, or in other ways.

After installation and assigning an address to the network interface (172.16.19.123 according to the task conditions), we update the OS:

$ sudo yum update -y && reboot

We also need to make sure that time synchronization is configured on our machine.
To install the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required).

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install the guest agent on the virtual machine:

$ sudo yum install open-vm-tools

for VMware ESXi hosts, or for oVirt:

$ sudo yum install ovirt-guest-agent

Setting up cryptography

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create the vars file:

$ sudo vim vars

with the following contents:

export KEY_COUNTRY="RU"
export KEY_PROVINCE="MyRegion"
export KEY_CITY="MyCity"
export KEY_ORG="ABC LLC"
export KEY_EMAIL="[email protected]"
export KEY_CN="allUsers"
export KEY_OU="allUsers"
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
export EASYRSA_CERT_EXPIRE=3652

The parameters of the hypothetical organization ABC LLC are given here; you can adjust them to your real ones or leave them as in the example. The most important parameter is the last line, which sets the certificate validity period in days. The example uses a value of 10 years (10 * 365 plus leap days, i.e. 3652). This value will need to be adjusted before user certificates are issued.

Next, we set up the standalone certification authority.

The setup involves exporting the variables, initializing the CA, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully guarded and kept secret! All prompts can be answered with the defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki                      # create an empty PKI tree
./easyrsa build-ca nopass               # CA key and root certificate
./easyrsa gen-dh                        # Diffie-Hellman parameters
./easyrsa gen-req myvpngw nopass        # server key and signing request
./easyrsa sign-req server myvpngw       # sign the server certificate with the CA
./easyrsa gen-crl                       # initial (empty) revocation list
openvpn --genkey --secret pki/ta.key    # tls-auth key

This completes the main part of setting up the cryptographic machinery.

OpenVPN setup

Go to the OpenVPN directory, create the working directories and add a link to easy-rsa:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following contents:

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some notes on the parameters:

  • if a different name was specified when issuing the certificate, use it here;
  • set the address pool to suit your needs*;
  • there may be one or more routes and DNS servers;
  • the last two lines are required for authentication against AD**.

* The address range chosen in the example allows up to 127 clients to connect simultaneously, because a /23 network is used and OpenVPN allocates a separate /30 subnet to each client (the default net30 topology).
If necessary, the port and protocol can be changed; keep in mind, however, that changing the port number requires adjusting SELinux, and using TCP increases overhead, because TCP delivery control is already performed for the packets encapsulated in the tunnel.

** If AD authentication is not required, skip the next section and remove the auth-user-pass line from the template.

AD authentication

To support the second factor, we will use account verification in AD.

We need an account in the domain with ordinary user rights, and a group whose membership will determine who is allowed to connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the following contents:

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Key parameters:

  • URL "ldap://ldap.abc.ru" - domain controller address;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - canonical name of the account used to bind to LDAP (account bindUsr in the abc.ru/Users container);
  • Password b1ndP@SS - password of the bind user;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" - starting path for the user search;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" - container of the permitting group (group myVPNUsr in the abc.ru/myGrp container);
  • SearchFilter "(cn=myVPNUsr)" - name of the permitting group.
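The ldap.conf above sends the bind password, and every user's password, to the domain controller over plain ldap:// with TLSEnable set to no, and it stores the bind password in clear text. The following Python script is an added example (not part of the article and not the openvpn-auth-ldap plugin's own code): it parses the plugin's section/key-value format and reports the settings a reviewer would flag. The embedded configuration is a constructed copy of the article's file with the bind password replaced by a placeholder; the finding texts are this example's own wording.

```python
import re
from typing import Dict, List

# Constructed sample in the openvpn-auth-ldap format used by /etc/openvpn/ldap.conf;
# values mirror the article's example, bind password replaced with a placeholder.
SAMPLE_LDAP_CONF = """
<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        PLACEHOLDER_BIND_PASSWORD
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>
"""

_OPEN = re.compile(r"^<(\w+)>$")
_CLOSE = re.compile(r"^</(\w+)>$")
_KV = re.compile(r'^(\w+)\s+(?:"([^"]*)"|(\S+))$')


def parse_auth_ldap(text: str) -> Dict:
    """Parse <Section> ... </Section> blocks with 'Key Value' lines into nested
    dicts. Quoted values lose their quotes; everything stays a string."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            child: Dict = {}
            stack[-1][m.group(1)] = child
            stack.append(child)
            continue
        m = _CLOSE.match(line)
        if m:
            if len(stack) == 1:
                raise ValueError(f"unexpected closing tag: {line}")
            stack.pop()
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, quoted, bare = m.groups()
        stack[-1][key] = quoted if quoted is not None else bare
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def audit_auth_ldap(cfg: Dict) -> List[str]:
    """Return the review findings for a parsed configuration (order is stable)."""
    findings: List[str] = []
    ldap = cfg.get("LDAP", {})
    authz = cfg.get("Authorization", {})
    url = ldap.get("URL", "")
    tls = ldap.get("TLSEnable", "no").lower()
    # Plain ldap:// without StartTLS: bind and user passwords cross the network unencrypted.
    if url.startswith("ldap://") and tls != "yes":
        findings.append("plaintext LDAP: the bind password and every user password "
                        "cross the wire unencrypted; use ldaps:// or TLSEnable yes")
    if "Password" in ldap:
        findings.append("bind password is stored in the file; keep it mode 0600, owned "
                        "by root, and use a dedicated low-privilege bind account")
    if authz.get("RequireGroup", "false").lower() != "true":
        findings.append("RequireGroup is not true: any domain account that binds "
                        "successfully would be allowed to connect")
    elif "Group" not in authz:
        findings.append("RequireGroup true but no <Group> block is defined")
    if "%u" not in authz.get("SearchFilter", ""):
        findings.append("SearchFilter does not reference %u, so the user lookup "
                        "cannot depend on the supplied username")
    return findings


if __name__ == "__main__":
    for finding in audit_auth_ldap(parse_auth_ldap(SAMPLE_LDAP_CONF)):
        print("-", finding)
```

Run against the real file with `parse_auth_ldap(open("/etc/openvpn/ldap.conf").read())`. With the article's settings the script reports the plaintext transport and the stored password; switching the URL to ldaps:// (or TLSEnable yes) removes the first finding, and the second is addressed by file permissions rather than by the file's contents.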

Startup and diagnostics

Now we can try to enable and start our server:

$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server

Initial check:

systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Certificates and revocation

Besides the certificates themselves, keys and some settings are needed; it is convenient to wrap all of this in a single profile file. This file is then handed to the user, and the profile is imported into the OpenVPN client. To do this, we create a settings template and a script that generates the profile.

The contents of the root certificate (ca.crt) and TLS key (ta.key) files must be added to the profile.

Before issuing user certificates, don't forget to set the required certificate validity period in the parameters file. Don't make it too long; I recommend limiting it to 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • the PUT YOUR ... lines are replaced with the contents of the corresponding certificates;
  • in the remote directive, specify the name/address of your gateway;
  • the auth-user-pass directive is used for the additional external authentication.

In the home directory (or another convenient place) we create a script that requests a certificate and builds the profile:

vim ~/make.profile.sh

#!/bin/bash

if [ -z "$1" ] ; then
 echo "Missing mandatory client name. Usage: $0 vpn-username"
 exit 1
fi

#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

#Get current year and lowercase client name (the lowercase name is used everywhere below)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"

cd "$basepath" || exit 1

#Refuse to issue a second certificate under the same name
if [ -f "$profile" ] || [ -f "pki/reqs/$client.req" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass || exit 1
./easyrsa --batch sign-req client "$client" || exit 1

#Make profile: template plus inline client key and certificate
cp "$clntpath/template.ovpn" "$profile"

echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"

echo >> "$profile"
#Re-encode the issued certificate so only the PEM block remains (drops the text dump)
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"

echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo >> "$profile"

#remove tmp file
rm -f "$basepath/$client.crt"

#The profile embeds a private key: make it readable by the owner only
chmod 600 "$profile"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod a+x ~/make.profile.sh

And we can issue our first certificate.

~/make.profile.sh my-first-user

Revocation

In case of certificate compromise (loss, theft), the certificate must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

Viewing issued and revoked certificates

To view issued and revoked certificates, just look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanation:

  • the first line is the server certificate;
  • the first character:
    • V (Valid) - valid;
    • R (Revoked) - revoked.
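Reading pki/index.txt by eye works for a handful of users, but with 180-day client certificates the question that matters operationally is which ones expire soon and which have been revoked. The following Python script is an added example, not part of the article or of Easy-RSA: it parses the OpenSSL-style index (tab-separated status, expiry, revocation time, serial, file name, subject) and buckets the entries. The embedded index is constructed; serials, names and dates are made up, with the server certificate on the first line as the article notes.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample of pki/index.txt (tab-separated; made-up serials and dates).
SAMPLE_INDEX = (
    "V\t300528100000Z\t\t01\tunknown\t/CN=myvpngw\n"
    "V\t201126100000Z\t\t02\tunknown\t/CN=my-first-user\n"
    "R\t201126100000Z\t200701093000Z\t03\tunknown\t/CN=lost-laptop\n"
    "V\t200610100000Z\t\t04\tunknown\t/CN=contractor\n"
)

_CN = re.compile(r"/CN=([^/]+)")


def _parse_time(value: str) -> datetime:
    """OpenSSL writes UTCTime (YYMMDDHHMMSSZ) or, for dates from 2050 on,
    GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[Dict]:
    """Turn index.txt into a list of records with parsed timestamps."""
    entries: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revoked, serial, _filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        # The revocation field may carry a reason suffix: "<time>,keyCompromise"
        revoked_at: Optional[datetime] = (
            _parse_time(revoked.split(",")[0]) if revoked else None)
        cn = _CN.search(subject)
        entries.append({
            "status": status,
            "expires": _parse_time(expiry),
            "revoked_at": revoked_at,
            "serial": serial,
            "cn": cn.group(1) if cn else subject,
        })
    return entries


def summarize(entries: List[Dict], now: datetime, warn_days: int = 30) -> Dict[str, List[str]]:
    """Bucket certificates by CN: revoked, expired, valid, and the subset of valid
    ones that expire within warn_days (candidates for renewal). Expiry is computed
    from the date, since OpenSSL only rewrites V to E when its database is updated."""
    out: Dict[str, List[str]] = {"valid": [], "expiring_soon": [], "expired": [], "revoked": []}
    horizon = now + timedelta(days=warn_days)
    for e in entries:
        if e["status"] == "R":
            out["revoked"].append(e["cn"])
        elif e["expires"] < now:
            out["expired"].append(e["cn"])
        else:
            out["valid"].append(e["cn"])
            if e["expires"] <= horizon:
                out["expiring_soon"].append(e["cn"])
    return out


def summarize_index(text: str, now_iso: str, warn_days: int = 30) -> Dict[str, List[str]]:
    """Convenience wrapper: index text plus an ISO date such as '2020-06-01'."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return summarize(parse_index(text), now, warn_days)


if __name__ == "__main__":
    report = summarize(parse_index(SAMPLE_INDEX), datetime.now(timezone.utc))
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

For the live CA, replace SAMPLE_INDEX with the contents of /usr/share/easy-rsa/3/pki/index.txt; the expiring_soon bucket is the list to feed into a reminder before the 180-day limit recommended above runs out.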

Network setup

The final steps are configuring the network for forwarding: routing and the firewall.

Allow connections in the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP traffic forwarding:

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a corporate environment there may be subnetting, and we need to tell the router(s) how to forward packets destined for our VPN clients. On the command line we run a command like the following (depending on the equipment used):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

Additionally, on the border router interface where the external address gw.abc.ru is used, udp/1194 packets must be allowed through.

If the organization has strict security rules, a firewall must also be configured on the VPN server itself. In my opinion, the greatest flexibility comes from configuring the iptables FORWARD chain, although setting it up is less convenient. A few words about that. It is convenient to use "direct rules", stored in the file /etc/firewalld/direct.xml. The current set of rules can be viewed as follows:

$ sudo firewall-cmd --direct --get-all-rule

Before changing the file, make a backup copy of it:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The contents of the file are as follows:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Explanation

These are ordinary iptables rules, just placed differently now that firewalld has arrived.

The incoming interface with the default settings is tun0, while the outgoing interface of the uplink may differ, for example ens192, depending on the platform used.

The last line logs the dropped packets. For logging to work, you need to change the debug level in the firewalld settings:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

Settings are applied with the usual firewalld command to reload the configuration:

$ sudo firewall-cmd --reload

You can see the dropped packets like this:

grep forward_fw /var/log/messages
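grep shows the raw lines; what a defender actually wants from the forward_fw log is a per-flow count, so that a VPN client repeatedly hitting a port the rules do not allow stands out. The following Python script is an added example, not part of the article or of firewalld: it extracts the KEY=VALUE fields that the kernel LOG target writes after the "forward_fw " prefix, aggregates them by source, destination, protocol and destination port, and separately lists flows whose destination lies outside the 172.16.0.0/16 corporate network. The embedded log excerpt is constructed; timestamps, ports and the unrelated openvpn line are invented, and the addresses follow the article's layout.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed /var/log/messages excerpt: kernel LOG lines from the "forward_fw " rule,
# plus one unrelated openvpn line that the parser must ignore.
SAMPLE_MESSAGES = """\
Jul 10 09:12:01 vpngw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.6 DST=172.16.19.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 10 09:12:02 vpngw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.6 DST=172.16.19.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 10 09:12:05 vpngw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.10 DST=172.16.19.200 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=901 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 10 09:12:07 vpngw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.6 DST=172.16.19.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 10 09:12:09 vpngw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.22 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jul 10 09:12:10 vpngw openvpn[1234]: 172.16.20.6 TLS: soft reset
"""

_PREFIX = "forward_fw "           # the --log-prefix used in direct.xml above
_KV = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; bare flags like DF or SYN are skipped

FlowKey = Tuple[str, str, str, str]  # (src, dst, proto, dport)


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of a forward_fw LOG line, or None for other lines."""
    idx = line.find(_PREFIX)
    if idx < 0:
        return None
    return dict(_KV.findall(line[idx + len(_PREFIX):]))


def flow_key(fields: Dict[str, str]) -> FlowKey:
    """Protocols without ports (ICMP) get '-' as the port."""
    return (fields.get("SRC", "?"), fields.get("DST", "?"),
            fields.get("PROTO", "?"), fields.get("DPT", "-"))


def summarize_forward_log(lines: List[str]) -> List[Tuple[FlowKey, int]]:
    """Count logged packets per flow, most frequent first (ties keep log order)."""
    counts: Counter = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields is not None:
            counts[flow_key(fields)] += 1
    return counts.most_common()


def flows_leaving_network(summary: List[Tuple[FlowKey, int]],
                          corporate: str = "172.16.0.0/16") -> List[FlowKey]:
    """Flows whose destination is outside the corporate range: with the article's
    rule set these can only be clients trying to reach the Internet through the VPN."""
    net = ipaddress.ip_network(corporate)
    return [key for key, _ in summary
            if ipaddress.ip_address(key[1]) not in net]


if __name__ == "__main__":
    summary = summarize_forward_log(SAMPLE_MESSAGES.splitlines())
    for (src, dst, proto, dpt), n in summary:
        print(f"{n:4d}  {src} -> {dst} {proto}/{dpt}")
    print("outside corporate network:", flows_leaving_network(summary))
```

To run it on the real log, feed `open("/var/log/messages")` instead of the sample; the same parser works on journald output, since the kernel line format is unchanged there.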

What's next

This completes the setup!

All that remains is to install the client software on the client side, import the profile and connect. For Windows operating systems, the distribution is available on the developer's website.

Finally, we connect our new server to the monitoring and backup systems, and don't forget to install updates regularly.

Stable connections!

Source: www.habr.com
