Organizing remote access for an SMB with OpenVPN

Problem statement

This article describes setting up remote access for employees on open-source products. It can be used both to build a fully autonomous system and to extend an existing commercial system when it runs out of licenses or its performance is insufficient.

The purpose of the article is to deploy a complete system for providing remote access to the organization, something like "install OpenVPN in 10 minutes".

As a result we get a system in which certificates and (optionally) the corporate Active Directory are used to authenticate users. That is, a system with two authentication factors: what I have (a certificate) and what I know (a password).

A user is allowed to connect if they are a member of the myVPNUsr group. The certificate authority will be used offline.

The cost of implementing the solution is only modest hardware resources and 1 hour of a system administrator's work.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 4 vCPU and 4 GiB RAM for 100 connections.

For example, our organization's network is 172.16.0.0/16, where the VPN server with the address 172.16.19.123 sits in the segment 172.16.19.0/24, the DNS servers are 172.16.16.16 and 172.16.17.17, and 172.16.20.0/23 is allocated to VPN clients.

For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.

Disabling SELinux is strongly NOT recommended! OpenVPN works without disabling the security policies.

Contents

  1. Installing the OS and application software
  2. Setting up cryptography
  3. Setting up OpenVPN
  4. AD authentication
  5. Starting and checking
  6. Certificate issuance and revocation
  7. Network configuration
  8. What's next

Installing the OS and application software

We use the CentOS 7.8.2003 distribution. The OS needs to be installed in the minimal configuration. This is convenient to do with kickstart, by cloning a previously installed OS image, or by other means.

After installation, having assigned an address to the network interface (172.16.19.123 according to the task), we update the OS:

$ sudo yum update -y && sudo reboot

We also need to make sure that time synchronization is set up on our machine.
To install the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required).

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install the guest agent for the virtual machine:

$ sudo yum install open-vm-tools

for VMware ESXi hosts, or for oVirt

$ sudo yum install ovirt-guest-agent

Setting up cryptography

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create the vars file:

$ sudo vim vars

with the following contents:

# Easy-RSA 3 reads the EASYRSA_REQ_* variables; the KEY_* names from Easy-RSA 2
# are ignored by version 3, so the subject fields use the version 3 names here.
export EASYRSA_REQ_COUNTRY="RU"
export EASYRSA_REQ_PROVINCE="MyRegion"
export EASYRSA_REQ_CITY="MyCity"
export EASYRSA_REQ_ORG="ABC LLC"
export EASYRSA_REQ_EMAIL="[email protected]"
export EASYRSA_REQ_CN="allUsers"
export EASYRSA_REQ_OU="allUsers"
# The Easy-RSA 2 settings KEY_NAME="gw.abc.ru" and KEY_ALTNAMES="abc-openvpn-server"
# have no effect in version 3; the server certificate name is passed to gen-req below.
# Validity of issued certificates in days (10 years for the server certificate at this stage)
export EASYRSA_CERT_EXPIRE=3652

Parameter values for the fictitious organization ABC LLC are defined here; you can change them to real ones or leave them as in the example. The most important parameter is the last line, which sets the certificate validity period in days. The example uses a value of 10 years (365*10+2 leap years). This value will need to be changed before user certificates are issued.

After that we set up the self-signed certificate authority.

Setup consists of exporting the variables, initializing the CA, issuing the CA key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All prompt parameters can be left at their defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

This completes the main part of setting up the cryptographic machinery.

Setting up OpenVPN

Go to the OpenVPN directory, create the service directories and add a link to easy-rsa:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following contents

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# the client profile carries ta.key with key-direction 1, so the server must use the same key with direction 0
tls-auth /etc/openvpn/pki/ta.key 0
# client address pool: 172.16.20.0/23 from the task statement
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# routes to the internal networks pushed to clients (172.16.0.0/16 from the task statement)
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.0.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
# drop privileges after start; persist-key/persist-tun let the unprivileged process survive restarts
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
# the last two lines implement the second factor (AD password) through the LDAP plugin
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some notes on the parameters:

  • if a different name was specified when issuing the server certificate, use it in cert and key;
  • define the address pool that matches your needs *;
  • there can be one or more routes and DNS servers;
  • the last 2 lines are required to implement authentication via AD**.

*The address range chosen in the example allows up to 127 clients to connect simultaneously, because a /23 network was chosen and OpenVPN creates a subnet for each client using a /30 mask.
If really necessary, the port and protocol can be changed; however, keep in mind that changing the port number will require configuring SELinux, and using the tcp protocol will add overhead, because delivery control of TCP packets is already performed at the level of the packets encapsulated inside the tunnel.

**If authentication in AD is not required, comment these two lines out, skip the next section, and remove the auth-user-pass line from the template.

AD authentication

To support the second factor we will use account authentication against AD.

We need an account in the domain with ordinary user rights, and a group whose membership will determine whether a user may connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the following contents

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Main parameters:

  • URL "ldap://ldap.abc.ru" is the address of the domain controller;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" is the distinguished name used for the LDAP bind (the account bindUsr in the container abc.ru/Users);
  • Password b1ndP@SS is the password of the bind user;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" is the path from which the user search starts;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" is the container of the authorizing group (the group myVPNUsr in the container abc.ru\myGrp);
  • SearchFilter "(cn=myVPNUsr)" is the name of the authorizing group.

Starting and checking

Now we can try to enable and start our server:

$ sudo systemctl enable openvpn@server.service
$ sudo systemctl start openvpn@server.service

Checking the start:

systemctl status openvpn@server.service
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Certificate issuance and revocation

Since, besides the certificates themselves, keys and other settings are needed, it is very convenient to wrap all of this in a single profile file. This file is handed to the user and the profile is imported into the OpenVPN client. To do this we will create a settings template and a script that generates the profile.

The contents of the root certificate (ca.crt) and the TLS key (ta.key) need to be added to the profile.

Before issuing user certificates, do not forget to set the required certificate validity period in the parameters file. It should not be very long; I recommend limiting it to 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • the PUT YOUR... lines are replaced with the contents of the corresponding certificate or key;
  • in the remote directive, specify the name/address of your gateway;
  • the auth-user-pass directive is used for the additional external authentication.

In the home directory (or another suitable place) we create a script for requesting a certificate and building the profile:

vim ~/make.profile.sh

#!/bin/bash

if [ -z "$1" ] ; then
    echo "Missing mandatory client name. Usage: $0 vpn-username"
    exit 1
fi

# Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

# Get current year and lowercase client name (the certificate is issued under
# the lowercase name, so every later path must use $client rather than $1)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"

cd "$basepath" || exit 1

# Refuse to issue twice: a profile or an issued certificate with this name already exists
if [ -e "$profile" ] || [ -e "$certpath/$client.crt" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass || exit 1
./easyrsa --batch sign-req client "$client" || exit 1

# Make profile: the template first, then the inline key and certificate blocks.
# The profile contains a private key, so create it readable by the owner only.
umask 077
cp "$clntpath/template.ovpn" "$profile"

{
    echo "<key>"
    cat "$privpath/$client.key"
    echo "</key>"
    echo
    echo "<cert>"
    # issued certificates carry a text dump before the PEM block; keep only the PEM part
    openssl x509 -in "$certpath/$client.crt"
    echo "</cert>"
    echo
} >> "$profile"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod a+x ~/make.profile.sh

And we can issue our first certificate.

~/make.profile.sh my-first-user
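Before a profile is handed to a user it is worth checking that the script produced a complete file. The checker below is an added example, not part of the original article or of the author's make.profile.sh: it verifies that each inline block the template expects (<ca>, <cert>, <key>, <tls-auth>) appears exactly once, that no "PUT YOUR ..." placeholder from template.ovpn survived, that the PEM BEGIN/END markers are balanced and that a "remote host port" line is present. The function names, the base64 filler and the two sample profiles are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a generated
# .ovpn profile before handing it to a user. Function names and the sample
# profiles are constructed for this example.

# Return 0 if <tag> ... </tag> opens and closes exactly once in the file.
count_blocks() {                       # $1 = profile, $2 = tag name
    opens=$(grep -c "^<$2>\$" "$1" || true)
    closes=$(grep -c "^</$2>\$" "$1" || true)
    [ "$opens" -eq 1 ] && [ "$closes" -eq 1 ]
}

# Return 0 when the profile passes every check, 1 (with the reason) otherwise.
check_profile() {                      # $1 = path to the .ovpn file
    f=$1
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }
    for tag in ca cert key tls-auth; do
        count_blocks "$f" "$tag" || { echo "$f: block <$tag> missing or duplicated"; return 1; }
    done
    if grep -q 'PUT YOUR' "$f"; then
        echo "$f: template placeholder left in profile"; return 1
    fi
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    if [ "$begins" -ne "$ends" ] || [ "$begins" -lt 4 ]; then
        echo "$f: unbalanced or missing PEM markers"; return 1
    fi
    grep -Eq '^remote [^ ]+ [0-9]+$' "$f" || { echo "$f: no 'remote host port' line"; return 1; }
    return 0
}

# Write a constructed profile: "good" is complete, "bad" keeps the template
# placeholder in <ca> and lacks the <tls-auth> block. The base64 bodies are
# constructed filler, not real keys or certificates.
write_sample_profile() {               # $1 = output path, $2 = good | bad
    if [ "$2" = good ]; then
        ca_body='MIIBszCCAVmgAwIBAgIUY29uc3RydWN0ZWQtc2FtcGxlLWNhMA=='
    else
        ca_body='PUT YOUR CA CERT (ca.crt) HERE'
    fi
    {
        printf 'client\ndev tun\nproto udp\nremote gw.abc.ru 1194\nremote-cert-tls server\nauth-user-pass\n'
        printf '<ca>\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n</ca>\n' "$ca_body"
        printf '<cert>\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n</cert>\n' 'Y29uc3RydWN0ZWQtY2xpZW50LWNlcnQ='
        printf '<key>\n-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n</key>\n' 'Y29uc3RydWN0ZWQtY2xpZW50LWtleQ=='
        if [ "$2" = good ]; then
            printf 'key-direction 1\n<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n%s\n-----END OpenVPN Static key V1-----\n</tls-auth>\n' '0123456789abcdef'
        fi
    } > "$1"
}

# Stand-alone use: check the profile given as the argument, or demonstrate on
# the constructed samples when no argument is given.
if [ $# -gt 0 ]; then
    check_profile "$1"
else
    demo=$(mktemp -d)
    write_sample_profile "$demo/good.ovpn" good
    write_sample_profile "$demo/bad.ovpn" bad
    for p in "$demo/good.ovpn" "$demo/bad.ovpn"; do
        check_profile "$p" && echo "$p: OK"
    done
    rm -rf "$demo"
fi
```

Run it as `sh check-profile.sh /usr/share/easy-rsa/3/client/my-first-user.ovpn`; a non-zero exit with the printed reason means the profile should not be sent out. The placeholder check catches a template that was never filled in, and the balanced-marker check catches a profile where the key or certificate was appended only partially.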

Revocation

In case of certificate compromise (loss, theft), the certificate must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

Viewing issued and revoked certificates

To view issued and revoked certificates, just look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanations:

  • the first line is the server certificate;
  • the first character:
    • V (Valid) means the certificate is valid;
    • R (Revoked) means it has been revoked.
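Reading pki/index.txt by eye works for a handful of users, but with 180-day user certificates the useful question is which valid certificates are about to expire. The script below is an added example, not part of the original article: it parses the tab-separated index (status, expiry as YYMMDDHHMMSSZ, revocation date, serial, file name, subject DN), lists certificates by status and flags valid ones that expire within a given number of days. The sample index, its serials and names are constructed for this example; the date comparison uses Julian day numbers so it does not depend on GNU date extensions.

```shell
#!/bin/sh
# Added example (not from the original article): summarize the Easy-RSA
# pki/index.txt database. The sample index is constructed for this example.

# Print the common name of every entry whose status column equals $2.
list_by_status() {                     # $1 = index file, $2 = V | R | E
    awk -F'\t' -v st="$2" '$1 == st { sub(/.*\/CN=/, "", $6); print $6 }' "$1"
}

# Print "CN days_left" for valid entries expiring within $2 days of $3.
# A negative days_left means the certificate has already expired.
expiring_within() {                    # $1 = index file, $2 = days, $3 = today as YYYYMMDD
    awk -F'\t' -v days="$2" -v today="$3" '
        function jdn(y, m, d,    a, yy, mm) {
            a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
            return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
        }
        BEGIN { now = jdn(substr(today, 1, 4), substr(today, 5, 2), substr(today, 7, 2)) }
        $1 == "V" {
            # OpenSSL writes two-digit years in the index; these certificates are all 20xx
            left = jdn(2000 + substr($2, 1, 2), substr($2, 3, 2), substr($2, 5, 2)) - now
            if (left <= days) { sub(/.*\/CN=/, "", $6); print $6, left }
        }' "$1"
}

# Write a constructed index: the server cert, two user certs and one revoked phone.
write_sample_index() {                 # $1 = output path
    {
        printf 'V\t300101000000Z\t\t6F3A1C2B9D4E5F60\tunknown\t/CN=myvpngw\n'
        printf 'V\t210301000000Z\t\t6F3A1C2B9D4E5F61\tunknown\t/CN=my-first-user\n'
        printf 'V\t201015000000Z\t\t6F3A1C2B9D4E5F62\tunknown\t/CN=alice-laptop\n'
        printf 'R\t210301000000Z\t200901120000Z\t6F3A1C2B9D4E5F63\tunknown\t/CN=lost-phone\n'
    } > "$1"
}

# Stand-alone use: summarize the index given as the argument (in the article's
# layout that is /usr/share/easy-rsa/3/pki/index.txt) or the constructed sample.
if [ $# -gt 0 ]; then
    idx=$1
else
    demo=$(mktemp -d); idx=$demo/index.txt; write_sample_index "$idx"
fi
echo "Valid:";   list_by_status "$idx" V
echo "Revoked:"; list_by_status "$idx" R
echo "Expiring within 30 days of $(date +%Y%m%d) (negative = already expired):"
expiring_within "$idx" 30 "$(date +%Y%m%d)"
if [ -n "${demo:-}" ]; then rm -rf "$demo"; fi
```

Run from cron on the CA machine, the expiring list is what tells you whose profile to reissue before the 180 days run out; revoked entries are skipped because they are already blocked by the CRL that gen-crl wrote into pki/crl.pem, which the server reads through crl-verify.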

Network configuration

The final steps are to set up the transport network: routing and the firewall.

Allow connections on the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

After that, enable IP traffic forwarding:

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a corporate environment there is most likely subnetting, and we need to tell the router(s) how to deliver packets addressed to our VPN clients. On the router's command line we run a command of the form (depending on the equipment in use):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

In addition, on the border router interface where the external address of gw.abc.ru is published, udp/1194 packets must be allowed through.

If the organization has strict security rules, a firewall must also be configured on the VPN server itself. In my opinion, the greatest flexibility comes from configuring the iptables FORWARD chain, although configuring it is not very convenient. A bit more about configuring it. The most convenient way is "direct rules", stored in the file /etc/firewalld/direct.xml. The current set of rules can be obtained as follows:

$ sudo firewall-cmd --direct --get-all-rules

Before editing the file, make a backup copy of it:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The contents of the file are as follows:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services-->
 <!--the outer interface is ens192 in every rule below; change it to match the platform (eth0, ens192, ...)-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Explanations

In essence, these are ordinary iptables rules, just wrapped differently now that firewalld has arrived.

The tunnel-side interface with the default settings is tun0, while the name of the outer interface may differ, for example ens192, depending on the platform used.

The last line is for logging dropped packets. For logging to work, the debug level in the firewalld configuration must be changed:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

Applying the settings is the usual firewalld command for re-reading the configuration:

$ sudo firewall-cmd --reload

Dropped packets can be viewed like this:

grep forward_fw /var/log/messages
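Hand-editing direct.xml is where the interface-name and state-match mistakes creep in, so it is safer to generate the file from a short allow-list and keep the list under version control. The generator below is an added example, not part of the original article: every "proto destination port" line becomes a priority-0 FORWARD ACCEPT rule from the tunnel interface to the outer interface, and the priority-1 LOG rule with the forward_fw prefix is appended last, as in the file above, so that anything not explicitly allowed is logged before the default policy drops it. The function names and the sample allow-list are constructed for this example, and the interface names are parameters rather than anything the script detects.

```shell
#!/bin/sh
# Added example (not from the original article): generate /etc/firewalld/direct.xml
# from an allow-list of "proto destination port" lines. Function names and the
# sample allow-list are constructed for this example.

# Print one ACCEPT rule: $1 in-interface, $2 out-interface, $3 proto, $4 dest, $5 port.
direct_rule() {
    printf '    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i %s -o %s -p %s -d %s --dport %s -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Read "proto dest port" lines from stdin and print a complete direct.xml.
# Returns 1 without finishing the file if a line is malformed, so a typo in the
# allow-list never produces a half-correct rule set.
build_direct_xml() {                   # $1 = tunnel interface, $2 = outer interface
    q="'"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<direct>\n'
    while read -r proto dest port; do
        case "$proto" in ''|'#'*) continue ;; esac        # blank line or comment
        case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ -n "$dest" ] || { echo "missing destination" >&2; return 1; }
        direct_rule "$1" "$2" "$proto" "$dest" "$port"
    done
    # catch-all logging rule at a lower priority than the accepts, as in the article
    printf '    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i %s -o %s -j LOG --log-prefix %sforward_fw %s</rule>\n' "$1" "$2" "$q" "$q"
    printf '</direct>\n'
}

# Constructed allow-list: the article's DNS servers and two internal web hosts.
sample_allowlist() {
    cat <<'EOF'
# proto destination     port
udp     172.16.16.16    53
udp     172.16.17.17    53
tcp     172.16.19.200   80
tcp     172.16.19.201   443
EOF
}

# Stand-alone use: sh gen-direct.sh tun0 ens192 allowlist.txt > direct.xml,
# or with no arguments build the file from the constructed sample.
if [ $# -ge 3 ]; then
    build_direct_xml "$1" "$2" < "$3"
else
    sample_allowlist | build_direct_xml tun0 ens192
fi
```

Write the output to a temporary file, diff it against the backup made earlier, then copy it into place and run `firewall-cmd --reload`; the DNS rules deliberately carry the state match as well, which the hand-written DNS rule above omits.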

What's next

This completes the setup!

What remains is to install the client software on the client side, import the profile and connect. For Windows operating systems, the distribution packages are available on the developer's website.

Finally, we connect our new server to the monitoring and backup systems, and don't forget to install updates regularly.

Stable connections!

Source: www.habr.com