Organizing remote work for an SMB organization on OpenVPN
Problem statement
This article describes how to organize remote access for employees using open-source products. It can be used both to build a fully autonomous system and to extend an existing commercial system when it runs short of licenses or its performance is insufficient.
The goal of the article is to implement a complete system that provides the organization with remote access, roughly "OpenVPN in 10 minutes".
As a result we get a system in which certificates and (optionally) the corporate Active Directory are used to authenticate users. That is, a system with two authentication factors: what I have (the certificate) and what I know (the password).
The sign that a user is allowed to connect is membership in the myVPNUsr group. The certificate authority will be used offline.
The cost of implementing the solution is only modest hardware resources and 1 hour of a system administrator's work.
We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPU and 4 GiB RAM for 4 connections.
For example, our organization's network is 172.16.0.0/16; the VPN server with address 172.16.19.123 sits in the segment 172.16.19.0/24, the DNS servers are 172.16.16.16 and 172.16.17.17, and 172.16.20.0/23 is allocated to VPN clients.
For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.
Disabling SELinux is strongly discouraged! OpenVPN works without disabling the security policies.
We use the CentOS 7.8.2003 distribution. The OS should be installed in a minimal configuration; this is convenient to do with kickstart, by cloning a previously installed OS image, or by other means.
After installation, having assigned an address to the network interface (172.16.19.123 per the task conditions), we update the OS:
$ sudo yum update -y && sudo reboot
We also need to make sure that time synchronization is set up on our machine.
To install the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository will be needed).
The parameters of the organization, under the placeholder name ABC LLC, are set in the Easy-RSA vars file; you can change them to real values or leave them as in the example. The most important parameter is the last line, which determines the certificate validity period in days. The example uses a value of 10 years (365*10+2 leap years). This value will need to be changed before user certificates are issued.
After that we set up the autonomous certificate authority.
The setup consists of exporting the variables, initializing the CA, issuing the CA key and certificate, the Diffie-Hellman parameters (dh.pem), the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All prompts can be answered with the defaults.
This completes the main part of creating the cryptographic machinery.
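As an added example (not part of the article), here is the Easy-RSA 3 command sequence the paragraph above describes, followed by a pre-flight check that every file the server configuration refers to is actually in place before the service is started. The paths /usr/share/easy-rsa/3 and /etc/openvpn/pki and the server name myvpngw are taken from the article; placing ta.key inside the pki directory and the check_pki helper are my assumptions.

```shell
# Added example: Easy-RSA 3 CA bootstrap plus a check of the files server.conf needs.
# Paths follow the article; keeping ta.key in the pki directory is an assumption.

EASYRSA_DIR=${EASYRSA_DIR:-/usr/share/easy-rsa/3}

# ca_bootstrap: run once, as the user who owns the easy-rsa tree. easyrsa itself
# sources ./vars from its directory, so the organization parameters set there apply.
ca_bootstrap() {
    cd "$EASYRSA_DIR" || return 1
    ./easyrsa init-pki                        # empty pki/ tree
    ./easyrsa build-ca                        # CA key + certificate; prompts for a passphrase - set one
    ./easyrsa gen-dh                          # Diffie-Hellman parameters -> pki/dh.pem
    openvpn --genkey --secret pki/ta.key      # tls-auth key, later embedded in every client profile
    ./easyrsa gen-req myvpngw nopass          # server key + signing request
    ./easyrsa sign-req server myvpngw         # sign it as a *server* certificate
    ./easyrsa gen-crl                         # empty CRL so that crl-verify has a file to load
}

# Files server.conf references, relative to the pki directory.
PKI_REQUIRED="ca.crt issued/myvpngw.crt private/myvpngw.key crl.pem dh.pem ta.key"

# check_pki <pki-dir>: lists every missing or empty file; returns 0 only if all are present.
check_pki() {
    pki=$1
    missing=0
    for f in $PKI_REQUIRED; do
        if [ ! -s "$pki/$f" ]; then
            echo "missing or empty: $pki/$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage on the server (both steps need the tree from the article):
#   ca_bootstrap
#   check_pki /etc/openvpn/pki && sudo systemctl enable --now openvpn@server
```

check_pki only looks at file presence and size, so it can be run by any user who can read the pki directory; ca_bootstrap is interactive and is meant to be run once, on the machine that keeps the CA key.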
Configuring OpenVPN
Go to the OpenVPN directory, create the service directories and add a symlink to easy-rsa:
cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/
Create the main OpenVPN configuration file:
$ sudo vim server.conf
with the following contents:
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# the client template embeds ta.key with key-direction 1, so the server loads it with direction 0
# (the path assumes ta.key was generated into the pki directory)
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# the whole corporate network 172.16.0.0/16, so that the DNS servers pushed below are reachable
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
Some notes on the parameters:
if a different name was specified when issuing the server certificate, specify it in cert and key;
set an address pool that suits your needs*;
there may be one or more routes and DNS servers;
the last 2 lines are needed for authentication via AD**.
*The address range chosen in the example allows up to 127 clients to connect at the same time, because a /23 network is used and OpenVPN allocates a subnet with a /30 mask to each client.
If really necessary, the port and protocol can be changed; keep in mind, however, that changing the port number will require adjusting SELinux, and using tcp will add overhead, because delivery control for TCP packets is already performed at the level of the packets encapsulated in the tunnel.
**If authentication via AD is not needed, comment these lines out, skip the next section, and remove the auth-user-pass line from the template.
Authentication via AD
To support the second factor we will use authentication of the account in AD.
We need an account in the domain with ordinary user rights and a group whose membership will determine the ability to connect.
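The article does not show /etc/openvpn/ldap.conf, the file named on the plugin line of server.conf. Below is an added example of what that file looks like in the openvpn-auth-ldap configuration format: it binds to AD with a low-privilege service account and requires the connecting user to be a member of myVPNUsr. The host dc1.abc.local, the DN values and the account name svc-openvpn are assumptions to be replaced with your own.

```conf
# Added example of /etc/openvpn/ldap.conf (openvpn-auth-ldap format); host, DNs and
# the service account name are assumptions, the group name myVPNUsr is from the article.
<LDAP>
    # Domain controller. Use ldaps:// or TLSEnable yes so the user's password is not sent in clear.
    URL             ldap://dc1.abc.local
    # Service account with ordinary user rights, used only for the lookup bind (assumed name).
    BindDN          "CN=svc-openvpn,OU=Service Accounts,DC=abc,DC=local"
    Password        "CHANGE-ME"
    Timeout         15
    TLSEnable       no
    FollowReferrals no
</LDAP>

<Authorization>
    BaseDN          "DC=abc,DC=local"
    # %u is the user name the client sent with auth-user-pass; it must also equal the certificate CN
    SearchFilter    "(sAMAccountName=%u)"
    # Without this block any valid domain account could connect; RequireGroup makes membership mandatory.
    RequireGroup    true
    <Group>
        BaseDN          "OU=Groups,DC=abc,DC=local"
        SearchFilter    "(cn=myVPNUsr)"
        MemberAttribute "member"
    </Group>
</Authorization>
```

The file holds the bind password, so keep it owned by root with mode 600; OpenVPN loads the plugin, and with it this file, at startup before switching to user nobody. With TLSEnable no the user's password crosses the LAN in clear during the bind, so on anything but an isolated management network use ldaps:// or TLSEnable yes.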
After starting the service, its status and logs can be checked with:
systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Issuing and revoking certificates
Since, apart from the certificates themselves, keys and a few settings are needed, it is very convenient to package all of this into a single profile file. The file is handed to the user and the profile is imported into the OpenVPN client. To do this, we create a settings template and a script that generates the profile.
The contents of the root certificate (ca.crt) and the TLS key (ta.key) need to be added to the profile.
Before issuing user certificates, don't forget to set the required certificate validity period in the parameters file. Don't make it too long; I recommend limiting it to 180 days.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Notes:
the PUT YOUR... lines are replaced with the contents of the corresponding certificate or key;
in the remote directive, specify the name/address of your gateway;
the auth-user-pass directive is used for the additional external authentication.
In the home directory (or another suitable place) we create a script for requesting a certificate and generating the profile:
vim ~/make.profile.sh
#!/bin/bash
if [ -z "$1" ] ; then
    echo "Missing mandatory client name. Usage: $0 vpn-username"
    exit 1
fi
#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
#Get current year and lowercase client name (all files below use the lowercased name)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"
cd "$basepath" || exit 1
#Refuse to issue twice: the profile or the certificate already exists
if [ -f "$profile" ] || [ -f "$certpath/$client.crt" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi
. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass || exit 1
./easyrsa --batch sign-req client "$client" || exit 1
#Make profile (it contains the private key, so keep it readable by the owner only)
umask 077
cp "$clntpath/template.ovpn" "$profile"
echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"
echo >> "$profile"
#Rewrite the certificate as bare PEM, without the text dump easy-rsa adds
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"
echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo >> "$profile"
#remove tmp file
rm -f "$basepath/$client.crt"
echo "Complete. See $profile file."
cd ~
Make the file executable:
chmod a+x ~/make.profile.sh
And we can issue our first certificate.
~/make.profile.sh my-first-user
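Before handing a freshly generated .ovpn to a user it is worth checking that the script produced a complete profile. The shell function below is an added example, not part of the article's script: it verifies that the four inline sections and the remote line are present and that none of the PUT YOUR placeholders from template.ovpn survived. The helper names and the sample profiles it is tested against are constructed.

```shell
# Added example: structural check of a generated .ovpn profile (not from the article).

# check_profile <file.ovpn>: prints each problem found, returns 0 only when the profile is clean.
check_profile() {
    p=$1
    bad=0
    for sec in ca tls-auth cert key; do
        if ! grep -q "^<$sec>" "$p" || ! grep -q "^</$sec>" "$p"; then
            echo "$p: missing <$sec> ... </$sec> section"
            bad=$((bad + 1))
        fi
    done
    grep -q '^remote ' "$p" || { echo "$p: no remote line"; bad=$((bad + 1)); }
    if grep -q 'PUT YOUR' "$p"; then
        echo "$p: template placeholder left in place (ca.crt/ta.key not pasted)"
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample: a profile with the placeholders replaced. The PEM bodies are
# shortened to one dummy line each, which is enough for a structural check.
good_profile() {
    cat <<'EOF'
client
dev tun
proto udp
remote gw.abc.ru 1194
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedCAcertificate
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdefconstructed
-----END OpenVPN Static key V1-----
</tls-auth>
<key>
-----BEGIN PRIVATE KEY-----
MIIEconstructedclientkey
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
MIIDconstructedclientcertificate
-----END CERTIFICATE-----
</cert>
EOF
}

# Constructed failure case: the CA placeholder was never replaced and the <key> block is missing.
bad_profile() {
    good_profile | sed -e 's/MIIBconstructedCAcertificate/PUT YOUR CA CERT (ca.crt) HERE/' \
                       -e '/^<key>$/,/^<\/key>$/d'
}

# Usage: check_profile /usr/share/easy-rsa/3/client/my-first-user.ovpn
```

The check is deliberately textual: it catches the two mistakes the profile script cannot catch itself (an unedited template and a missing key or certificate section) without needing openssl on the machine that does the packaging.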
Revocation
In case a certificate is compromised (loss, theft), it must be revoked:
cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl
Viewing issued and revoked certificates
To see which certificates have been issued and revoked, just look at the index file:
cd /usr/share/easy-rsa/3/
cat pki/index.txt
Explanations:
the first line is the server certificate;
the first character:
V (Valid) - the certificate is valid;
R (Revoked) - the certificate has been revoked.
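As an added example (not from the article), a small reader for the index file: it turns each line into a one-line summary and can answer "what is the status of this CN" for use in scripts. The index is OpenSSL's CA database (tab-separated: status, expiry, revocation date, serial, file name, subject); the sample index below is constructed for the example, the helper names are mine, and the two-digit years are assumed to be 20xx.

```shell
# Added example: reading Easy-RSA's pki/index.txt (OpenSSL CA database) with awk.
# Fields, tab-separated: status (V valid / R revoked / E expired), expiry YYMMDDHHMMSSZ,
# revocation date (empty unless revoked), serial, "unknown", subject DN.

# Constructed sample index, in the same layout easy-rsa writes.
sample_index() {
    printf 'V\t300601120000Z\t\t01\tunknown\t/CN=myvpngw\n'
    printf 'V\t210115120000Z\t\t02\tunknown\t/CN=my-first-user\n'
    printf 'R\t210120120000Z\t200710093000Z\t03\tunknown\t/CN=lost-laptop\n'
    printf 'V\t210201120000Z\t\t04\tunknown\t/CN=second-user\n'
}

# cert_report <index.txt>: one human-readable line per certificate.
cert_report() {
    awk -F '\t' '
    function ymd(s) { return "20" substr(s, 1, 2) "-" substr(s, 3, 2) "-" substr(s, 5, 2) }
    {
        cn = $6; sub(/^.*\/CN=/, "", cn)
        if ($1 == "R")      printf "%-16s REVOKED on %s (serial %s)\n", cn, ymd($3), $4
        else if ($1 == "V") printf "%-16s valid until %s (serial %s)\n", cn, ymd($2), $4
        else                printf "%-16s %s, expired %s (serial %s)\n", cn, $1, ymd($2), $4
    }' "$1"
}

# cert_status <index.txt> <common-name>: prints V, R or E; returns 1 if the CN is not in the index.
# Assumes CN is the last component of the subject, as in easy-rsa's default DN mode.
cert_status() {
    st=$(awk -F '\t' -v cn="$2" \
        '{ i = index($6, "/CN="); if (i && substr($6, i + 4) == cn) print $1 }' "$1")
    [ -n "$st" ] && echo "$st"
}

# count_status <index.txt> <V|R|E>: number of certificates in that state.
count_status() {
    awk -F '\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }' "$1"
}

# Usage on the CA machine:
#   cert_report /usr/share/easy-rsa/3/pki/index.txt
#   cert_status /usr/share/easy-rsa/3/pki/index.txt my-first-user
```

cert_status is the piece worth wiring into a periodic job: the index is the only place that records a revocation, so comparing it against the accounts still present in the myVPNUsr group shows certificates that were never revoked when someone left.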
Network configuration
The final steps are to set up the transit network: routing and the firewall.
In a corporate environment there is most likely subnetting, and we need to tell the router(s) how to deliver packets destined for our VPN clients. On the router's command line we run a command of the form (depending on the equipment used):
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
and save the configuration.
In addition, on the border router interface that serves the external address gw.abc.ru, udp/1194 packets must be allowed through.
If the organization has strict security rules, a firewall must also be configured on our VPN server. In my opinion, the most flexibility comes from configuring the iptables FORWARD chains, although setting them up is less convenient. A few words about configuring them. The most convenient way is to use "direct rules", stored in the file /etc/firewalld/direct.xml. The current set of rules can be obtained as follows:
$ sudo firewall-cmd --direct --get-all-rules
Before editing the file, make a backup copy of it.
Essentially these are ordinary iptables rules, just wrapped differently since the arrival of firewalld.
The local interface with the default settings is tun0, while the name of the external interface may differ, for example en192, depending on the platform used.
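The article refers to the rules in /etc/firewalld/direct.xml but does not reproduce them. The file below is an added example of that format, written for the interfaces named above (tun0 and en192): VPN clients may open connections into the corporate network, only replies flow back, and anything else is logged with the forward_fw prefix before firewalld's default policy discards it. The rate limit on the LOG rule is my addition, to keep /var/log/messages readable.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example of /etc/firewalld/direct.xml; interface names follow the article, the rules are mine. -->
<direct>
  <!-- VPN clients (tun0) may open connections into the corporate network (en192) -->
  <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD_direct">-i tun0 -o en192 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!-- from the LAN only replies to those connections reach VPN clients -->
  <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD_direct">-i en192 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</rule>
  <!-- everything else that would be forwarded is logged (see "grep forward_fw") and then falls
       through to firewalld's default FORWARD policy, which discards it; rate-limited to avoid log floods -->
  <rule priority="2" table="filter" ipv="ipv4" chain="FORWARD_direct">-m limit --limit 5/min -j LOG --log-prefix "forward_fw "</rule>
</direct>
```

The direct chains run before firewalld's own zone chains, so the priority values determine the order in which these three rules are evaluated. They also only have an effect once the kernel forwards packets between tun0 and en192 at all, which requires net.ipv4.ip_forward = 1 on the server; the firewall rules do not enable that by themselves.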
The last line is for logging dropped packets. For the logging to work, you need to change the debug level in the firewalld configuration:
vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2
The settings are applied with the usual firewalld command to reload the configuration:
$ sudo firewall-cmd --reload
Dropped packets can then be seen like this:
grep forward_fw /var/log/messages
What's next
This completes the setup!
It remains to install the client software on the client side, import the profile and connect. For Windows operating systems the installers are available on the developer's website.
Finally, we connect our new server to the monitoring and backup systems, and don't forget to install updates regularly.