This article describes setting up remote access for employees on open-source products. The result can be used either as a fully autonomous system or to supplement an existing commercial solution when it runs out of licenses or performance.
The goal is to implement a complete remote-access system for an organization, which is somewhat more than "installing OpenVPN in 10 minutes".
The result is a system that uses certificates and (optionally) the corporate Active Directory to authenticate users. That is, a system with two authentication factors: something I have (the certificate) and something I know (the password).
A user is allowed to connect if they are a member of the myVPNUsr group. The certificate authority will be used offline.
We use the CentOS 7.8.2003 distribution installed in the minimal configuration; kickstart, cloning a pre-installed OS image or any other method will do.
After installation, assign the network interface address (172.16.19.123 in our scenario) and update the OS:
$ sudo yum update -y && sudo reboot
Also make sure time synchronization is configured on the machine: certificate validity checks depend on a correct clock.
The application software consists of the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required).
The parameters of the conditional organization ABC LLC go into the easy-rsa vars file; correct them to your real values or leave the example as is. The most important parameter is the last line, which sets the validity period of issued certificates in days. The example uses 10 years (365*10 + 2 leap days = 3652). This value must be lowered before user certificates are issued.
Next, we set up an autonomous certificate authority.
The setup consists of exporting the variables, initializing the CA, issuing the CA root key and certificate, generating the Diffie-Hellman parameters and the TLS key, and issuing the server key and certificate. All prompts can be answered with the defaults. The CA key must be carefully protected and kept secret! Note that once the pki directory is symlinked under /etc/openvpn (below), pki/private/ca.key sits on the VPN gateway itself; for a truly offline CA, move that key off the host after issuing, or run easy-rsa on a separate machine and copy only ca.crt, crl.pem, dh.pem, ta.key and the server certificate and key to the gateway.
This completes the most important part of the setup, the cryptographic subsystem.
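The commands behind the steps above, as an added example rather than the article's own listing: installing the packages and running the easy-rsa 3 procedure (variables, init-pki, CA, DH parameters, TLS key, server certificate, CRL) in one script. It assumes the EPEL layout /usr/share/easy-rsa/3, the server name myvpngw used in server.conf, and made-up DN values and CA name for ABC LLC; it also fixes the permissions that otherwise stop openvpn from reading the CRL after it has dropped to user nobody. Run it as ./setup-ca.sh install and then ./setup-ca.sh ca; without an argument it only defines the functions.

```shell
#!/bin/sh
# Added example, not from the original article: package installation and the
# easy-rsa 3 steps that produce everything server.conf references.
# Assumptions: easy-rsa lives in /usr/share/easy-rsa/3 (EPEL package layout),
# the server certificate name is myvpngw (as in server.conf), the DN fields
# and CA name for "ABC LLC" are made up for illustration.
set -eu

EASYRSA_DIR=/usr/share/easy-rsa/3
SERVER_CN=myvpngw
CA_CN="ABC LLC VPN CA"

# Certificate lifetime in days, counting a leap day every four years:
# 10 years -> 3652, the value the article uses for the CA.
days_for_years() {
    echo $(( $1 * 365 + $1 / 4 ))
}

# Write the easy-rsa vars file to $1. The last line is the default lifetime of
# issued certificates ($2); it is lowered to 180 before client certificates are made.
write_vars() {
    cat > "$1" <<EOF
export EASYRSA_REQ_COUNTRY="RU"
export EASYRSA_REQ_PROVINCE="Moscow"
export EASYRSA_REQ_CITY="Moscow"
export EASYRSA_REQ_ORG="ABC LLC"
export EASYRSA_REQ_EMAIL="it@abc.ru"
export EASYRSA_REQ_OU="IT"
export EASYRSA_KEY_SIZE=2048
export EASYRSA_CA_EXPIRE=$(days_for_years 10)
export EASYRSA_CRL_DAYS=180
export EASYRSA_CERT_EXPIRE=$2
EOF
}

install_packages() {
    sudo yum install -y epel-release
    sudo yum install -y openvpn openvpn-auth-ldap easy-rsa vim
}

# Initialise the PKI and issue the CA, server certificate, DH parameters,
# TLS-auth key and an initial CRL. The CA key is protected by the passphrase
# build-ca asks for; the DN prompts can be accepted as defaults.
build_ca() {
    cd "$EASYRSA_DIR"
    write_vars vars "$(days_for_years 10)"
    ./easyrsa init-pki
    ./easyrsa --req-cn="$CA_CN" build-ca              # pki/ca.crt, pki/private/ca.key
    ./easyrsa gen-dh                                  # pki/dh.pem
    ./easyrsa build-server-full "$SERVER_CN" nopass   # pki/issued/, pki/private/
    ./easyrsa gen-crl                                 # pki/crl.pem, valid EASYRSA_CRL_DAYS
    openvpn --genkey --secret pki/ta.key              # OpenVPN 2.4 syntax (2.5: --genkey secret)
    # easy-rsa creates pki/ with owner-only permissions. openvpn re-reads
    # crl.pem after dropping to user nobody, so the CRL and the path to it
    # must be readable; private keys stay in pki/private (mode 700).
    chmod 755 pki pki/issued
    chmod 644 pki/ca.crt pki/crl.pem pki/dh.pem pki/issued/*.crt
    echo "CA key is pki/private/ca.key: move it off this host once issuing is done"
}

case "${1:-}" in
    install) install_packages ;;
    ca)      build_ca ;;
esac
```

The vars file uses the same export style as the article's own `export EASYRSA_CERT_EXPIRE=180` line; easy-rsa sources it as a shell script, so both forms work.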
Configuring OpenVPN
Go to the OpenVPN directory, create the service directories and add a symlink to the easy-rsa PKI:
cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/
Create the main OpenVPN configuration file:
$ sudo vim server.conf
with the following content:
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# server half (0) of the static key that client profiles embed with key-direction 1
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
A few notes on the parameters:
if a different name was given when issuing the server certificate, adjust the cert and key paths;
set the address ranges to suit your tasks*;
there may be one or more routes and DNS servers;
the tls-auth line must be present on the server, since the client profile below carries the same key with key-direction 1; without it the handshake never completes;
crl-verify is evaluated after OpenVPN has dropped to user nobody, so pki/crl.pem and the directories leading to it must be readable by that user (easy-rsa creates pki/ with owner-only permissions); the CRL also has its own lifetime (EASYRSA_CRL_DAYS, 180 days by default), and once it expires every client is refused until it is regenerated;
the last two lines are needed for AD authentication**.
*The address range chosen in the example allows up to 127 clients to connect at the same time: a /23 network is used, and OpenVPN in its default net30 topology allocates a /30 subnet to each client. With topology subnet each client gets a single address and the same range fits about 500 clients.
If there is a specific need, the port and protocol can be changed. Keep in mind that a different port number requires adjusting SELinux (semanage port -a -t openvpn_port_t -p udp <port>), and that tcp adds overhead, because the TCP connections encapsulated inside the tunnel already perform their own flow control.
**If AD authentication is not needed, comment these two lines out, skip the next section and remove the auth-user-pass line from the client template.
AD authentication
For the second factor we use authentication against an AD account.
We need a domain account with ordinary user rights (the plugin binds with it to look users up) and a group whose membership determines who may connect.
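An added example of the plugin configuration (the /etc/openvpn/ldap.conf that server.conf points the plugin at), not taken from the article: it binds to AD over ldaps, looks the user up by sAMAccountName, then requires membership in myVPNUsr and a successful bind with the password the client sent. The domain abc.ru, controller dc1.abc.ru, OU layout and service account svc_vpn are assumptions; the group name is the one the article uses. The second function is a pre-check with ldapsearch that reproduces the same lookup before the plugin is wired in.

```shell
#!/bin/sh
# Added example, not from the original article: the openvpn-auth-ldap
# configuration referenced as /etc/openvpn/ldap.conf in server.conf, plus an
# ldapsearch pre-check. Assumptions: AD domain abc.ru served by dc1.abc.ru,
# a read-only service account svc_vpn, users under OU=Users, the myVPNUsr group
# (from the article) under OU=Groups.
set -eu

# Write ldap.conf to $1 with bind password $2. The password is stored in
# clear, so the file is made root-only; openvpn reads it before dropping privileges.
write_ldap_conf() {
    cat > "$1" <<EOF
<LDAP>
    # ldaps:// so neither the service-account nor the user passwords cross the
    # network in clear. TLSEnable (StartTLS) stays off because the URL is already TLS.
    URL             ldaps://dc1.abc.ru
    BindDN          CN=svc_vpn,OU=Service,DC=abc,DC=ru
    Password        $2
    Timeout         15
    TLSEnable       no
    TLSCACertFile   /etc/openvpn/ad-root-ca.pem
    FollowReferrals no
</LDAP>

<Authorization>
    BaseDN          "OU=Users,DC=abc,DC=ru"
    # %u is the name the client sent with auth-user-pass. The bitwise filter
    # excludes disabled accounts (userAccountControl bit 2) before the bind attempt.
    SearchFilter    "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    # Membership in myVPNUsr is what authorises a connection.
    RequireGroup    true
    <Group>
        BaseDN          "OU=Groups,DC=abc,DC=ru"
        SearchFilter    "(cn=myVPNUsr)"
        MemberAttribute member
    </Group>
</Authorization>
EOF
    chmod 600 "$1"
}

# Before wiring the plugin in, confirm the service account can find user $1
# and that the user is in the group (needs openldap-clients). An empty result
# means the plugin will refuse that user as well.
check_ad_user() {
    ldapsearch -LLL -H ldaps://dc1.abc.ru \
        -D "CN=svc_vpn,OU=Service,DC=abc,DC=ru" -W \
        -b "OU=Users,DC=abc,DC=ru" \
        "(&(sAMAccountName=$1)(memberOf=CN=myVPNUsr,OU=Groups,DC=abc,DC=ru))" dn
}

case "${1:-}" in
    write) write_ldap_conf /etc/openvpn/ldap.conf "$2" ;;
    check) check_ad_user "$2" ;;
esac
```

The plugin first searches for the user with the service account, then binds as the found DN with the supplied password, so a wrong password, a disabled account or a missing group membership all end in the same refusal; the ldapsearch pre-check separates the lookup and group problems from the password problem when troubleshooting.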
After enabling and starting the unit that belongs to server.conf (systemctl enable --now openvpn@server.service), check the service status and the logs:
systemctl status openvpn@server.service
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Issuing and revoking certificates
Since the client needs keys and other settings in addition to the certificates themselves, it is very convenient to pack everything into a single profile file. This file is then handed to the user and imported into the OpenVPN client. To do this, we create a settings template and a script that generates the profile.
The contents of the root certificate (ca.crt) and the TLS key (ta.key) must be placed into the profile file.
Before issuing user certificates, don't forget to set the required certificate validity period in the vars file. Don't make it too long; I recommend limiting it to at most 180 days.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Note:
replace the PUT YOUR ... lines with the actual contents of the certificate and key;
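An added example, not the article's own script: a profile generator that issues a client certificate with easy-rsa, strips the human-readable dump easy-rsa prepends to .crt files, and assembles NAME.ovpn from template.ovpn plus the inline <ca>, <cert>, <key> and <tls-auth> blocks, so the placeholder lines never have to be edited by hand. It also carries the revocation step that this section's title promises. Paths follow the directories created earlier in the article; the client name is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original article: issue a client certificate,
# assemble a single .ovpn profile from template.ovpn, and revoke a client.
# Assumptions: easy-rsa in /usr/share/easy-rsa/3 with the template in its
# client/ subdirectory (the directories created earlier); client keys are
# issued without a passphrase because the password factor comes from AD.
set -eu

EASYRSA_DIR=/usr/share/easy-rsa/3
CLIENT_DIR=$EASYRSA_DIR/client

# Print only the PEM block labelled $2 from file $1. easy-rsa prepends a
# text dump to issued .crt files, which OpenVPN inline blocks must not contain.
pem_block() {
    sed -n "/^-----BEGIN [A-Z ]*$2-----\$/,/^-----END [A-Z ]*$2-----\$/p" "$1"
}

# Assemble $6 from template $1, CA cert $2, ta.key $3, client cert $4 and key $5.
# The template's placeholder <ca> ... </tls-auth> section (key-direction included)
# is dropped and regenerated from the real files.
assemble_profile() {
    template=$1; ca=$2; ta=$3; crt=$4; key=$5; out=$6
    {
        sed '/^<ca>$/,/^<\/tls-auth>$/d' "$template"
        echo "<ca>";       pem_block "$ca"  "CERTIFICATE";           echo "</ca>"
        echo "<cert>";     pem_block "$crt" "CERTIFICATE";           echo "</cert>"
        echo "<key>";      pem_block "$key" "PRIVATE KEY";           echo "</key>"
        echo "key-direction 1"
        echo "<tls-auth>"; pem_block "$ta"  "OpenVPN Static key V1"; echo "</tls-auth>"
    } > "$out"
    chmod 600 "$out"   # contains the private key: hand it over through a protected channel
}

issue_client() {
    name=$1
    cd "$EASYRSA_DIR"
    ./easyrsa build-client-full "$name" nopass
    assemble_profile "$CLIENT_DIR/template.ovpn" pki/ca.crt pki/ta.key \
        "pki/issued/$name.crt" "pki/private/$name.key" "$CLIENT_DIR/$name.ovpn"
    echo "profile written: $CLIENT_DIR/$name.ovpn"
}

# Revocation only takes effect through the CRL named by crl-verify. OpenVPN
# picks up the changed crl.pem without a restart, but the CRL has its own
# lifetime (EASYRSA_CRL_DAYS) and every client is refused once it has expired.
revoke_client() {
    name=$1
    cd "$EASYRSA_DIR"
    ./easyrsa revoke "$name"
    ./easyrsa gen-crl
    chmod 644 pki/crl.pem   # must stay readable by user nobody
}

case "${1:-}" in
    issue)  issue_client "$2" ;;
    revoke) revoke_client "$2" ;;
esac
```

Usage: ./mkprofile.sh issue ivanov writes client/ivanov.ovpn; ./mkprofile.sh revoke ivanov refreshes the CRL. Regenerating the CRL on a schedule (before EASYRSA_CRL_DAYS runs out) belongs in cron, otherwise the first symptom of an expired CRL is that nobody can connect.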
In a corporate environment routing is most likely in use, and the router has to be told how to deliver packets addressed to our VPN clients. On its command line we run a command of the following form (the syntax depends on the equipment):
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
and save the configuration.
Additionally, on the border router interface that serves the external address gw.abc.ru, udp/1194 traffic must be allowed through.
If the organization has strict security rules, a firewall should also be configured on the VPN server itself. In my opinion the most flexibility comes from managing the iptables FORWARD chain, although it is less convenient to configure. A little more on that. The most convenient way is to use firewalld "direct rules", which are stored in /etc/firewalld/direct.xml. The current set of direct rules can be listed with firewall-cmd --direct --get-all-rules.
These are ordinary iptables rules, just packaged differently now that firewalld is in charge.
With default settings the tunnel interface is tun0; the external interface may be named differently, for example ens192, depending on the platform.
The last rule logs the dropped packets. For logging to work, raise the debug level in the firewalld configuration:
vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2
Apply the settings with the usual firewalld command that re-reads the configuration:
$ sudo firewall-cmd --reload
Dropped packets can then be seen like this:
grep forward_fw /var/log/messages
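An added example (the article's own direct.xml is not reproduced on the page): the firewall-cmd commands that build a restrictive FORWARD chain for the tunnel, and a small report over the forward_fw log lines the grep above finds. Interface names tun0 and ens192, the two pushed networks and the log prefix are taken from the text; the log lines used in the test are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the original article: firewalld direct rules for the
# FORWARD chain of the VPN gateway, and a summary of what the LOG rule catches.
# Assumptions: tun0 and ens192 as named in the article, the two pushed networks
# as the only allowed destinations, log prefix "forward_fw" to match the grep above.
set -eu

TUN=tun0
EXT=ens192

# Direct rules land in FORWARD_direct and are evaluated before firewalld's
# zone rules. Order: allow client traffic to the two pushed networks, allow
# replies back, then log and drop everything else coming out of the tunnel.
# Forwarding itself must be on (net.ipv4.ip_forward=1, persist it in /etc/sysctl.d/).
apply_forward_rules() {
    add="sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD"
    $add 0 -i "$TUN" -o "$EXT" -d 172.16.0.0/24 -j ACCEPT
    $add 0 -i "$TUN" -o "$EXT" -d 172.17.0.0/24 -j ACCEPT
    $add 0 -i "$EXT" -o "$TUN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $add 1 -i "$TUN" -j LOG --log-prefix "forward_fw " --log-level info
    $add 2 -i "$TUN" -j DROP
    sudo sysctl -w net.ipv4.ip_forward=1
    sudo firewall-cmd --reload
    sudo firewall-cmd --direct --get-all-rules   # what ended up in /etc/firewalld/direct.xml
}

# Summarise kernel LOG lines from the drop path in file $1: one line per
# "SRC -> DST:DPT/PROTO" flow with a hit count, most frequent first.
# Lines without a destination port (ICMP) are skipped.
summarize_drops() {
    grep 'forward_fw' "$1" |
    sed -n 's/.*SRC=\([^ ]*\) DST=\([^ ]*\).*PROTO=\([^ ]*\).*DPT=\([0-9]*\).*/\1 -> \2:\4\/\3/p' |
    sort | uniq -c | sort -rn
}

case "${1:-}" in
    apply)  apply_forward_rules ;;
    report) summarize_drops /var/log/messages ;;
esac
```

Run ./fw.sh apply once on the gateway and ./fw.sh report whenever a user complains that something "does not work through the VPN": a client address repeatedly hitting a port outside the two pushed networks is either a missing route in server.conf or a client probing where it should not.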
What's next
This completes the setup!
All that remains is to install the client software on the user's machine, import the profile and connect. For Windows, the installer is available on the developer's website.
Finally, connect the new server to the monitoring and backup systems, and don't forget to install updates regularly.