Organizing remote access for an SMB with OpenVPN

Problem statement

This article describes how to set up remote access for employees on open-source products. The result can be used both as a fully independent system and as a way to scale out when the existing commercial product runs short of licences or performance.

The goal is a complete remote-access system for an organization, which is somewhat more than "installing OpenVPN in 10 minutes".

The result is a certificate-based system in which (optionally) the corporate Active Directory is used for user authentication. That is, we get two-factor authentication: what I have (the certificate) and what I know (the password).

A user is allowed to connect if they are a member of the myVPNUsr group. The certificate authority (CA) is meant to be operated offline.

The cost of the solution is a small amount of hardware and about one hour of a system administrator's time.

We use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7 with 4 GiB of RAM; a couple of vCPUs is plenty for the hundred-odd clients that the address plan below allows.

As an example, the corporate network is 172.16.0.0/16; the VPN server with address 172.16.19.123 sits in the 172.16.19.0/24 segment; the DNS servers are 172.16.16.16 and 172.16.17.17. The range 172.16.20.0/23 is allocated to VPN clients.

For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created on our DNS server.

Disabling SELinux is strongly discouraged! OpenVPN works fine without turning off the security policies.

Contents

  1. Installing the OS and application software
  2. Setting up the certificate authority
  3. Configuring OpenVPN
  4. AD authentication
  5. Starting and diagnostics
  6. Issuing and revoking certificates
  7. Network setup
  8. What next

Installing the OS and application software

We use the CentOS 7.8.2003 distribution, installed in the minimal configuration. Kickstart, cloning a pre-installed OS image and similar methods are convenient for this.

After installation, assign the network interface its address (172.16.19.123 according to the requirements) and update the OS (note that `reboot` after `&&` runs as the invoking user, so it needs sudo as well):

$ sudo yum update -y && sudo reboot

We also need to make sure time synchronisation is configured on the machine: certificate validity and CRL checks depend on a correct clock.
For the application software we need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required):

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is also useful to install the guest agent for the virtual machine:

$ sudo yum install open-vm-tools

for VMware ESXi hosts, or for oVirt

$ sudo yum install ovirt-guest-agent

Setting up the certificate authority

Go to the easy-rsa directory (the Easy-RSA commands below write into this tree, so run them as root, e.g. after `sudo -i`):

$ cd /usr/share/easy-rsa/3/

Create the variables file:

$ sudo vim vars

with the following contents:

# Subject fields for the certificates we issue. Easy-RSA 3 reads the
# EASYRSA_REQ_* names; the KEY_* names used by Easy-RSA 2 are ignored.
export EASYRSA_REQ_COUNTRY="RU"
export EASYRSA_REQ_PROVINCE="MyRegion"
export EASYRSA_REQ_CITY="MyCity"
export EASYRSA_REQ_ORG="ABC LLC"
export EASYRSA_REQ_EMAIL="[email protected]"
export EASYRSA_REQ_OU="allUsers"
export EASYRSA_REQ_CN="allUsers"
# Validity of issued certificates, in days. 3652 = 10 years, fine for the
# server certificate; lower it before issuing user certificates.
export EASYRSA_CERT_EXPIRE=3652
# Validity of the CRL, in days. An expired CRL makes the server reject
# every client, so regenerate it with gen-crl before this runs out.
export EASYRSA_CRL_DAYS=180

The parameters of the fictional organization ABC LLC are filled in here; replace them with your real ones or leave the example values. The most important parameter is EASYRSA_CERT_EXPIRE, which sets the certificate validity period in days. The example uses 10 years (365*10 plus 2 leap days). This value must be reduced before issuing user certificates.

Next, we set up an independent certificate authority.

The setup consists of exporting the variables, initialising the PKI, issuing the CA root key and certificate, generating the Diffie-Hellman parameters and the TLS key, and issuing the server key and certificate. The CA key must be carefully protected and backed up! All prompted parameters can be left at their defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

Two caveats. First, `build-ca nopass` leaves the CA private key (pki/private/ca.key) unencrypted; `./easyrsa build-ca` without `nopass` protects it with a passphrase that you will then be asked for at every sign-req. Second, with this layout the CA lives on the VPN gateway itself. If you want the CA offline, as stated at the beginning, keep the Easy-RSA tree on a separate machine and copy only ca.crt, issued/myvpngw.crt, private/myvpngw.key, dh.pem, crl.pem and ta.key to the gateway, replacing the symlink used below with a plain directory.

This completes the most important part of the cryptographic setup.

Configuring OpenVPN

Go to the OpenVPN directory, create the service directories and add a symlink to the easy-rsa PKI:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following contents:

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# HMAC key for the control channel; the client profile carries the same key with key-direction 1
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# the whole corporate network (172.16.0.0/16) plus a second network, if any
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some notes on the parameters:

  • if a different name was used when issuing the server certificate, put it in the cert and key lines;
  • the tls-auth line must be present on the server: the client profile below embeds ta.key, and a client that wraps its control packets with it cannot complete the handshake with a server that does not expect them;
  • set the address range to suit your needs*;
  • there may be one or more routes and DNS servers; the route mask must match the network being pushed (172.16.0.0/16 is 255.255.0.0);
  • the last two lines are required for AD authentication**.

*The range chosen in the example allows up to 127 simultaneous clients: a /23 network was chosen, and with OpenVPN's default topology (net30) each client gets its own /30 subnet. Adding `topology subnet` to the server configuration hands out one address per client and raises the limit to about 500 for the same /23.
If really necessary, the port and protocol can be changed; keep in mind that a non-standard port must also be labelled for SELinux with semanage (openvpn_port_t), and that using TCP lowers performance, because TCP retransmission is already done by the packets encapsulated inside the tunnel (TCP over TCP).

**If AD authentication is not needed, comment out these two lines, skip the next section, and remove the auth-user-pass line from the client template.

AD authentication

To support the second factor we use authentication against an AD account.

We need a domain account with ordinary user rights (for the LDAP bind) and a group whose membership determines who may connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the following contents:

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Main parameters:

  • URL "ldap://ldap.abc.ru" - address of the domain controller;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - distinguished name of the account used for the LDAP bind (the bindUsr account in the abc.ru/Users container);
  • Password b1ndP@SS - that account's password;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" - where the user search starts;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" - container of the authorising group (the myVPNUsr group in abc.ru/myGrp);
  • SearchFilter "(cn=myVPNUsr)" - name of the authorising group.

Three things to watch. The file contains a password, so make it owned by root with mode 600; OpenVPN loads the plugin before dropping to nobody, so that is enough. With TLSEnable no and a plain ldap:// URL, the bind password and every user's password cross the LAN in cleartext, and domain controllers configured to require LDAP signing reject such simple binds outright. Finally, RequireGroup checks direct membership only (the user's DN must appear in the group's member attribute); nested groups are not expanded.
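The same configuration with the LDAP session protected by STARTTLS, as an added example that is not part of the original article. It assumes the CA certificate that issued the domain controllers' certificates has been exported to /etc/openvpn/ad-ca.pem (a hypothetical path) and that ldap.abc.ru presents a certificate valid for that name; the option names are those of openvpn-auth-ldap.

```conf
<LDAP>
        # Same URL as before: with TLSEnable yes the plugin issues STARTTLS on
        # port 389 before binding, so the passwords never travel in cleartext.
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       yes
        # CA that issued the domain controllers' certificates (assumed path).
        # Without it the server certificate is not verified and the TLS
        # session can be intercepted.
        TLSCACertFile   /etc/openvpn/ad-ca.pem
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>
```

The LDAP connections are opened per authentication, after OpenVPN has switched to the nobody user, so the CA file must be readable by that user (mode 644 is fine; it contains no secrets), while ldap.conf itself stays root-only.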

Starting and diagnostics

Now we can enable and start our server (the openvpn@server unit corresponds to /etc/openvpn/server.conf):

$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server

Check that it started, and that it is listening on udp/1194:

systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Issuing and revoking certificates

Besides the certificates themselves, the client needs keys and other settings; it is far more convenient to package all of this into a single profile file. This file is then handed to the user and imported into the OpenVPN client. To do this we create a settings template and a script that generates the profile.

The contents of the root certificate (ca.crt) and of the TLS key (ta.key) must be pasted into the profile template.

Before issuing user certificates, do not forget to set the required certificate validity in the variables file. Do not make it too long; I recommend limiting yourself to 180 days at most.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • replace the PUT YOUR ... lines with the actual contents of your files;
  • in the remote directive, specify the name/address of your gateway;
  • the auth-user-pass directive enables the additional external (AD) authentication; `remote-cert-tls server` makes the client accept only a certificate issued with the server role, which is why the server certificate was signed with `sign-req server` above.

In the home directory (or another convenient place) create a script that requests a certificate and builds the profile:

vim ~/make.profile.sh

#!/bin/bash
# Issue a client certificate with Easy-RSA 3 and wrap it, together with the
# template, into a single .ovpn profile.

if [ -z "$1" ] ; then
  echo "Missing mandatory client name. Usage: $0 vpn-username"
  exit 1
fi

# Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

# Current date and lowercase client name (the CN is always lowercase, so use
# $client, not $1, for every path below)
today=$(date +%F)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing cert for user/device $client on $today"

cd "$basepath" || exit 1

# Refuse to issue twice for the same name
if [ -e "$certpath/$client.crt" ] || [ -e "$profile" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

# The profile will contain a private key: make it readable by us only
umask 077

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"

# Make profile
cp "$clntpath/template.ovpn" "$profile"

echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"
echo >> "$profile"

# Easy-RSA writes a human-readable dump in front of the PEM block;
# openssl x509 re-emits only the PEM part, so no temporary file is needed
echo "<cert>" >> "$profile"
openssl x509 -in "$certpath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo >> "$profile"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod u+x ~/make.profile.sh

And we can issue our first certificate (as root, since the PKI lives under /usr/share):

~/make.profile.sh my-first-user
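Before a generated profile is handed to a user it is worth checking that it is complete: that every inline block is present and closed, that no template placeholder survived, and that key-direction matches the embedded tls-auth key. The following checker is an added example and is not part of the original article; the two sample profiles at the bottom are constructed for the demonstration (the PEM bodies are dummy strings, not real keys), and the checks are purely structural, so they do not prove that the key matches the certificate.

```python
"""Structural sanity check of an OpenVPN client profile (.ovpn) before it is distributed."""
import re
import sys
from typing import Dict, List, Set, Tuple

REQUIRED_DIRECTIVES = {"client", "remote", "remote-cert-tls", "auth-user-pass"}
REQUIRED_BLOCKS = {"ca", "cert", "key", "tls-auth"}
PLACEHOLDER = re.compile(r"PUT YOUR")  # left over from template.ovpn


def parse_profile(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str], List[str]]:
    """Split an .ovpn file into directives, inline <tag>...</tag> blocks and parse problems."""
    directives: Dict[str, List[str]] = {}
    blocks: Dict[str, str] = {}
    problems: List[str] = []
    current = None
    buf: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if current is not None:                      # inside an inline block
            if line == f"</{current}>":
                blocks[current] = "\n".join(buf)
                current, buf = None, []
            else:
                buf.append(line)
            continue
        if not line or line.startswith(("#", ";")):  # blank or comment
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("</"):
            problems.append(f"line {lineno}: stray closing tag {line}")
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    if current is not None:
        problems.append(f"unterminated <{current}> block")
    return directives, blocks, problems


def lint_profile(text: str, expect_user_pass: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the profile looks complete."""
    directives, blocks, problems = parse_profile(text)
    required: Set[str] = set(REQUIRED_DIRECTIVES)
    if not expect_user_pass:                         # AD authentication disabled
        required.discard("auth-user-pass")
    for d in sorted(required - set(directives)):
        problems.append(f"missing directive: {d}")
    if "remote-cert-tls" in directives and directives["remote-cert-tls"] != ["server"]:
        problems.append("remote-cert-tls must be 'server'")
    for b in sorted(REQUIRED_BLOCKS - set(blocks)):
        problems.append(f"missing inline block: <{b}>")
    for name, body in blocks.items():
        if PLACEHOLDER.search(body):
            problems.append(f"<{name}> still contains the template placeholder")
        if not body.startswith("-----BEGIN"):
            problems.append(f"<{name}> does not look like PEM")
    if "tls-auth" in blocks and directives.get("key-direction") != ["1"]:
        problems.append("key-direction 1 is required with <tls-auth>")
    return problems


# Constructed samples: the template with its placeholders, and a finished profile
# with dummy PEM bodies standing in for the real certificate and key material.
TEMPLATE = """client
dev tun
proto udp
remote gw.abc.ru 1194
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
"""

COMPLETE = TEMPLATE.replace("PUT YOUR CA CERT (ca.crt) HERE", "MIIBszCCAVmgAwIBAgIUQ0FDRVJU") \
                   .replace("PUT YOUR TA KEY (ta.key) HERE", "00112233445566778899aabbccddeeff") + """
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASC
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ0xJRU5U
-----END CERTIFICATE-----
</cert>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else COMPLETE
    for p in lint_profile(text) or ["OK"]:
        print(p)
```

Run it as `python3 check_profile.py /usr/share/easy-rsa/3/client/my-first-user.ovpn`; pass `expect_user_pass=False` in the call if AD authentication was left out of the setup.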

Revocation

If a certificate is compromised (lost, stolen), it must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

gen-crl rewrites pki/crl.pem, which the server reads through the /etc/openvpn/pki symlink; OpenVPN re-reads the CRL when the file changes, so no restart is needed. A client that is already connected is dropped at its next TLS renegotiation (hourly by default) or reconnection. Remember that the CRL itself expires (EASYRSA_CRL_DAYS); once it has, the server rejects every client, so regenerate it in good time.

Viewing issued and revoked certificates

To see the issued and revoked certificates, simply look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanation:

  • the first line is the server certificate;
  • the first character of each line:
    • V (Valid) - valid;
    • R (Revoked) - revoked.
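With user certificates limited to 180 days, the index file is also the place to find out who needs a new profile soon. The following parser is an added example, not code from the original article: it reads the OpenSSL CA database format that Easy-RSA maintains (tab-separated status, expiry, revocation date with optional reason, serial, file name, subject) and reports revoked and soon-to-expire entries. The sample index at the bottom is constructed for the demonstration.

```python
"""Report the state of an Easy-RSA 3 CA database (pki/index.txt)."""
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class IndexEntry:
    status: str                     # "V" valid, "R" revoked, "E" expired
    not_after: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]
    serial: str
    subject: str

    @property
    def cn(self) -> str:
        for part in self.subject.split("/"):
            if part.startswith("CN="):
                return part[3:]
        return self.subject


def _parse_time(value: str) -> datetime:
    # OpenSSL writes UTCTime (YYMMDDHHMMSSZ) for dates before 2050 and
    # GeneralizedTime (YYYYMMDDHHMMSSZ) afterwards.
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, not_after, revoked, serial, _filename, subject = line.split("\t")
        revoked_at = reason = None
        if revoked:                                   # "YYMMDDHHMMSSZ" or "...Z,reason"
            when, _, reason = revoked.partition(",")
            revoked_at = _parse_time(when)
            reason = reason or None
        entries.append(IndexEntry(status, _parse_time(not_after), revoked_at, reason, serial, subject))
    return entries


def revoked(entries: List[IndexEntry]) -> List[IndexEntry]:
    return [e for e in entries if e.status == "R"]


def expiring_within(entries: List[IndexEntry], days: int, now: datetime) -> List[IndexEntry]:
    """Valid entries whose expiry falls within the next `days` (or has already passed)."""
    limit = now + timedelta(days=days)
    return [e for e in entries if e.status == "V" and e.not_after <= limit]


def report(entries: List[IndexEntry], now: datetime, days: int = 30) -> List[str]:
    lines = [f"{len(entries)} certificates in the database"]
    for e in revoked(entries):
        lines.append(f"REVOKED {e.cn} (serial {e.serial}, {e.revoked_at:%Y-%m-%d}, "
                     f"reason {e.reason or 'unspecified'})")
    for e in expiring_within(entries, days, now):
        lines.append(f"EXPIRING {e.cn} in {(e.not_after - now).days} days ({e.not_after:%Y-%m-%d})")
    return lines


# Constructed sample in the exact layout of pki/index.txt (fields are tab-separated).
SAMPLE_INDEX = (
    "V\t300401120000Z\t\t01\tunknown\t/CN=myvpngw\n"
    "V\t200930120000Z\t\t02\tunknown\t/CN=my-first-user\n"
    "R\t201115120000Z\t200520093000Z,keyCompromise\t03\tunknown\t/CN=lost-laptop\n"
    "V\t201201120000Z\t\t04\tunknown\t/CN=alice\n"
)
# Fixed reference time so the sample report is reproducible.
SAMPLE_NOW = datetime(2020, 9, 15, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        text, now = open(sys.argv[1]).read(), datetime.now(timezone.utc)
    else:
        text, now = SAMPLE_INDEX, SAMPLE_NOW
    print("\n".join(report(parse_index(text), now)))
```

Run `python3 ca_report.py /usr/share/easy-rsa/3/pki/index.txt` from cron on the CA machine and mail the output; anything listed as EXPIRING needs a fresh run of make.profile.sh (after revoking the old certificate, since the script refuses to issue twice for the same name).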

Network setup

The final steps are to configure the forwarding network: routing and the firewall.

Allow connections in the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP forwarding (note that `sudo echo ... > file` does not work, because the redirection is performed by the unprivileged shell; use tee):

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a corporate environment there will most likely be several subnets, and we need to tell the router how to send packets destined for our VPN clients. On the router's command line we run a command like the following (the syntax depends on the equipment in use):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

In addition, on the border router interface where the external address gw.abc.ru is served, udp/1194 packets must be allowed through to 172.16.19.123.

If the organization has strict security rules, the firewall on the VPN server itself must be configured too. In my opinion, the greatest flexibility comes from configuring the iptables FORWARD chain, although that setup is less convenient. A bit more about setting it up. The most convenient way is "direct rules", stored in the file /etc/firewalld/direct.xml. The current rule configuration can be viewed with:

$ sudo firewall-cmd --direct --get-all-rules

Before editing the file, make a backup:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

Approximate contents of the file (the outgoing interface is ens192 throughout; replace it with your own):

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Details

These are ordinary iptables rules, only placed into firewalld's direct chain (FORWARD_direct), which is evaluated before the zone rules.

The incoming interface with default settings is tun0; the outgoing interface, the one the decrypted traffic leaves through, may be named differently, e.g. ens192, depending on the platform. Two practical points: AD clients also need DNS over TCP (tcp/53), which the first rule does not allow, and the reply traffic from the servers back to tun0 is accepted by the conntrack rule firewalld itself keeps near the top of FORWARD; check the effective chain with iptables -L FORWARD -v -n after reloading.

The last line logs the packets that none of the ACCEPT rules matched and that firewalld then rejects. The LOG target writes to the kernel log, which rsyslog delivers to /var/log/messages, regardless of firewalld's own debug level. If the rules do not show up in the iptables output at all, raise firewalld's debug level to see why it rejected them:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

The settings are applied with the usual firewalld command to re-read the configuration:

$ sudo firewall-cmd --reload

The dropped packets can be seen like this:

grep forward_fw /var/log/messages
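Grepping the log tells you that something was blocked; what you actually want to know is which internal service VPN users are trying to reach without a rule, and from how many clients. The following summariser is an added example and not part of the original article. It parses the KEY=VALUE fields that the netfilter LOG target emits after the `forward_fw` prefix and groups the hits by destination, protocol and port; the log lines at the bottom are constructed in the format rsyslog writes to /var/log/messages on CentOS 7.

```python
"""Summarise packets logged by the 'forward_fw' LOG rule in the FORWARD chain."""
import re
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

LOG_PREFIX = "forward_fw"
FIELD = re.compile(r"(\b[A-Z]+)=(\S*)")   # netfilter LOG fields: IN=... SRC=... DPT=...

Key = Tuple[str, str, str]                 # (destination, protocol, destination port)


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of one LOG line, or None if it is not a forward_fw line."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    return dict(FIELD.findall(line[idx + len(LOG_PREFIX):]))


def summarize(lines: Iterable[str]) -> List[Tuple[Key, int, List[str]]]:
    """Group blocked packets that entered via tun0, most frequent target first."""
    counts: Dict[Key, int] = defaultdict(int)
    sources: Dict[Key, Set[str]] = defaultdict(set)
    for line in lines:
        fields = parse_log_line(line)
        if fields is None or fields.get("IN") != "tun0":
            continue
        # ICMP lines carry TYPE/CODE instead of DPT; show "-" for them
        key = (fields.get("DST", "?"), fields.get("PROTO", "?"), fields.get("DPT", "-"))
        counts[key] += 1
        sources[key].add(fields.get("SRC", "?"))
    return sorted(((k, counts[k], sorted(sources[k])) for k in counts),
                  key=lambda item: (-item[1], item[0]))


def format_summary(summary: List[Tuple[Key, int, List[str]]]) -> List[str]:
    return [f"{count:5d}  {dst}  {proto}/{dpt}  from {', '.join(srcs)}"
            for (dst, proto, dpt), count, srcs in summary]


# Constructed sample: three SSH attempts from one client, one SMB attempt from
# another, one ping, and an unrelated syslog line that must be ignored.
SAMPLE_LOG = [
    "Sep 15 12:00:01 vpngw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.6 DST=172.16.19.250 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Sep 15 12:00:02 vpngw sshd[1422]: Accepted publickey for admin from 172.16.19.10 port 50122 ssh2",
    "Sep 15 12:00:03 vpngw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.6 DST=172.16.19.250 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Sep 15 12:00:05 vpngw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.6 DST=172.16.19.250 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Sep 15 12:00:09 vpngw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.14 DST=172.16.19.200 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=2210 DF PROTO=TCP SPT=49832 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Sep 15 12:00:11 vpngw kernel: forward_fw IN=tun0 OUT=ens192 MAC= SRC=172.16.20.14 DST=172.16.19.201 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

if __name__ == "__main__":
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(format_summary(summarize(lines))))
```

Run it as `python3 fw_summary.py /var/log/messages`. A destination that shows up with many sources is usually a service that was simply forgotten in direct.xml; a single source hammering many ports is worth a look at the user behind that VPN address, which the status log (/var/log/openvpn/openvpn-status.log) maps back to a common name.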

What next

This completes the setup!

All that remains is to install the client software on the user side, import the profile and connect. For Windows operating systems the distribution is available on the developer's website.

Finally, connect the new server to your monitoring and backup systems, and do not forget to install updates regularly.

Stable connections!

Source: www.habr.com
