Remote work for an SMB organization on OpenVPN


This article describes how to set up remote access for employees using open-source products. It can be used both to build a fully self-contained system and to scale out when an existing commercial system runs short of licenses or its performance is no longer sufficient.

The goal of the article is to implement a complete system for providing remote access to the organization, which is somewhat more than "installing OpenVPN in 10 minutes".

As a result we get a system in which certificates and (optionally) Active Directory are used to authenticate users. That is, we get a system with two authentication factors: something I have (a certificate) and something I know (a password).

Whether a user is allowed to connect is determined by membership in the myVPNUsr group. The certificate authority is used offline.

The cost of implementing the solution is a small amount of hardware resources and 1 hour of a system administrator's time.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPUs and 4 GiB RAM.

For the example, our organization's network is 172.16.0.0/16, in which the VPN server with address 172.16.19.123 sits in the segment 172.16.19.0/24, the DNS servers are 172.16.16.16 and 172.16.17.17, and 172.16.20.0/23 is allocated to VPN clients.

For connections from outside, port 1194/udp is used, and an A record gw.abc.ru pointing at our server is created in DNS.

Disabling SELinux is strongly discouraged! OpenVPN works fine without security policies being turned off.

Contents

  1. OS and application software installation
  2. Setting up cryptography
  3. Setting up OpenVPN
  4. AD authentication
  5. Startup and diagnostics
  6. Issuing and revoking certificates
  7. Network setup
  8. What's next

OS and application software installation

We use the CentOS 7.8.2003 distribution. The OS should be installed in the minimal configuration. It is convenient to do this with Kickstart, by cloning a pre-installed OS image, or by other means.

After installation, having assigned the address to the network interface (172.16.19.123 per the task conditions), we update the OS:

$ sudo yum update -y && sudo reboot

We also need to make sure that time synchronization is working on our machine (certificate validity checks depend on a correct clock).
To install the application software we need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required):

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install the guest agent on the virtual machine. For VMware ESXi hypervisors:

$ sudo yum install open-vm-tools

or, for oVirt:

$ sudo yum install ovirt-guest-agent

Setting up cryptography

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create the variables file:

$ sudo vim vars

with the following content:

# Easy-RSA 3 reads EASYRSA_* variables; the KEY_* names used by Easy-RSA 2 are ignored
# by version 3, so the request fields are given under their version 3 names.
export EASYRSA_REQ_COUNTRY="RU"
export EASYRSA_REQ_PROVINCE="MyRegion"
export EASYRSA_REQ_CITY="MyCity"
export EASYRSA_REQ_ORG="ABC LLC"
export EASYRSA_REQ_EMAIL="[email protected]"
export EASYRSA_REQ_CN="allUsers"
export EASYRSA_REQ_OU="allUsers"
# No Easy-RSA 3 equivalent for these two; kept only to document the server name
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
# Certificate validity in days; adjust before issuing user certificates (see below)
export EASYRSA_CERT_EXPIRE=3652

The parameters of the fictitious organization ABC LLC are given here; you can replace them with real ones or leave them as in the example. The most important parameter is the last line, which sets the certificate validity period in days. The example uses a value of 10 years (365*10 + 2 leap days). This value will need to be adjusted before user certificates are issued.

Next, we set up the self-contained certificate authority.

The setup consists of exporting the variables, initializing the PKI, issuing the CA root key and certificate, the Diffie-Hellman parameters, the TLS (tls-auth) key, and the server key and certificate. The CA key must be carefully protected and kept secret! Note that nopass stores the CA key unencrypted on disk; omit it to have the key protected with a passphrase. All prompted parameters can be left at their defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

This completes the main part of setting up the cryptographic mechanism.

Setting up OpenVPN

Go to the OpenVPN directory, create the service directories and add a symlink to easy-rsa:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following content

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# server side (direction 0) of the ta.key generated above; the client profile uses key-direction 1
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# the organization network from the task conditions is 172.16.0.0/16, so the mask is /16
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some notes on the parameters:

  • if a different name was given when issuing the server certificate, use it in the cert and key lines;
  • specify an address range suitable for your tasks*;
  • there can be one or more routes and DNS servers;
  • the last 2 lines are needed to implement AD authentication**.

*The address range chosen in the example allows up to 127 clients to connect simultaneously, because a /23 network is chosen and, with the default net30 topology, OpenVPN carves out a /30 subnet for each client (topology subnet would give one address per client instead).
If necessary, the port and protocol can be changed, but keep in mind that changing the port number will also require configuring SELinux (the openvpn_port_t port type), and using the tcp protocol increases overhead, since TCP flow control is already performed at the level of the packets encapsulated in the tunnel.

**If AD authentication is not required, comment these two lines out, skip the next section, and remove the auth-user-pass line from the template.

AD authentication

To support the second factor we will use account authentication against AD.

We need an account in the domain with ordinary user rights, and a group whose membership will determine who is allowed to connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the following content

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Main parameters:

  • URL "ldap://ldap.abc.ru" - address of the domain controller;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - canonical name of the account used to bind to LDAP (the bindUsr account in the abc.ru/Users container);
  • Password b1ndP@SS - password of the bind user;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" - the path from which the user search starts;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" - the container of the permitting group (the group myVPNUsr in the abc.ru/myGrp container);
  • SearchFilter "(cn=myVPNUsr)" - the name of the permitting group.

Two things to check: the file holds the bind password, so restrict it (chmod 600 /etc/openvpn/ldap.conf; the plugin reads it when OpenVPN starts, before privileges are dropped to nobody), and with TLSEnable no both the bind password and every user's password cross the network in clear text, so prefer an ldaps:// URL or TLSEnable yes (STARTTLS) where the domain controller supports it.
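The configuration above describes a two-step decision: find the user under the user BaseDN with SearchFilter "(sAMAccountName=%u)", then require that the myVPNUsr group's member attribute lists that user's DN. The following is an added example, not the plugin's own code, that models this decision against a constructed in-memory directory (the DNs and users alice and bob are assumptions). It also shows why the username must be escaped per RFC 4515 before it replaces %u: an unescaped "*" would match every user.

```python
import re

# Added example (not the openvpn-auth-ldap plugin's own code): a model of the decision the
# ldap.conf above expresses, run against a constructed in-memory directory.
CONF = {
    "user_base": "OU=allUsr,DC=abc,DC=ru",
    "user_filter": "(sAMAccountName=%u)",
    "group_base": "OU=myGrp,DC=abc,DC=ru",
    "group_filter": "(cn=myVPNUsr)",
    "member_attr": "member",
}

# Constructed directory, not a real AD: DN -> attributes (a list for multi-valued ones).
DIRECTORY = {
    "CN=alice,OU=allUsr,DC=abc,DC=ru": {"sAMAccountName": "alice"},
    "CN=bob,OU=allUsr,DC=abc,DC=ru": {"sAMAccountName": "bob"},
    "CN=bindUsr,CN=Users,DC=abc,DC=ru": {"sAMAccountName": "bindUsr"},
    "CN=myVPNUsr,OU=myGrp,DC=abc,DC=ru": {
        "cn": "myVPNUsr",
        "member": ["CN=alice,OU=allUsr,DC=abc,DC=ru"],
    },
}

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """Escape user-supplied text before it is substituted into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template, username):
    """Substitute the escaped username for %u in a SearchFilter template."""
    return template.replace("%u", ldap_filter_escape(username))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _pattern_to_regex(pattern):
    """Filter assertion value to regex: an unescaped '*' is a wildcard, hex escapes are literal."""
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    # AD compares most string attributes case-insensitively
    return re.compile(".*".join(pieces), re.IGNORECASE)


def search(base_dn, filter_str):
    """Subtree search for a single (attr=value) filter; returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if m is None:
        raise ValueError("only simple (attr=value) filters are modelled")
    attr, rx = m.group(1), _pattern_to_regex(m.group(2))
    base = base_dn.lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        values = attrs.get(attr, [])
        values = values if isinstance(values, list) else [values]
        if in_scope and any(rx.fullmatch(v) for v in values):
            hits.append(dn)
    return hits


def authorize(username, conf=CONF):
    """Allow only if exactly one user entry matches and a matching group lists its DN."""
    users = search(conf["user_base"], build_user_filter(conf["user_filter"], username))
    if len(users) != 1:  # unknown user, or an ambiguous match: refuse
        return False
    for group_dn in search(conf["group_base"], conf["group_filter"]):
        if users[0] in DIRECTORY[group_dn].get(conf["member_attr"], []):
            return True
    return False


if __name__ == "__main__":
    for name in ("alice", "ALICE", "bob", "bindUsr", "*"):
        print(f"{name!r:10} -> {'allow' if authorize(name) else 'deny'}")
```

The user search is scoped to OU=allUsr, so bindUsr, which lives in CN=Users, is never a VPN candidate even though it exists in the directory; and the model refuses when the filter matches more than one entry, which is exactly what an unescaped wildcard would cause.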

Startup and diagnostics

Now we can try to enable and start our server:

$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server

Check the startup:

systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Ukukhutshwa kwesatifikethi kunye nokurhoxiswa

Ngokuba Ukongeza kwizatifikethi ngokwazo, ufuna izitshixo kunye nolunye useto; kulungele kakhulu ukusonga konke oku kwifayile yeprofayile enye. Le fayile emva koko idluliselwe kumsebenzisi kwaye iprofayile ingeniswe kumxhasi we-OpenVPN. Ukwenza oku, siya kudala itemplate yesethingi kunye neskripthi esenza iprofayili.

Kufuneka udibanise imixholo yesatifikethi sengcambu (ca.crt) kunye neqhosha leTLS (ta.key) iifayile kwiprofayile.

Phambi kokukhupha izatifikethi zomsebenzisi ungalibali ukuseta ixesha elifunekayo lokuqinisekisa iziqinisekiso kwifayile yeparameters. Akufunekanga uyenze ibe nde kakhulu; Ndincoma ukuzibekela umda ukuya kubuninzi beentsuku ezili-180.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • the PUT YOUR... lines are replaced with the contents of the corresponding files;
  • in the remote directive, specify the name/address of your gateway;
  • remote-cert-tls server makes the client accept only a certificate issued with the server role, so a stolen client certificate cannot be used to impersonate the gateway;
  • the auth-user-pass directive is used for the additional external authentication.

In the home directory (or another suitable place) we create a script that requests a certificate and generates the profile:

vim ~/make.profile.sh

#!/bin/bash
# Issue a client certificate with Easy-RSA and wrap it into a single .ovpn profile.

if [ -z "$1" ] ; then
 echo "Missing mandatory client name. Usage: $0 vpn-username"
 exit 1
fi

# Stop on the first failing command, and never leave the profile world-readable:
# it contains the client's private key.
set -e
umask 077

#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
# The client name is lowercased; every file name below is derived from it
client=${1,,}
profile=$clntpath/$client.ovpn

#Get current year for the log line
year=$(date +%Y)
echo "Processing $year year cert for user/device $client"

cd $basepath

# Refuse to issue a second certificate for a name that already has a profile
if [ -f "$profile" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"

#Make profile
cp $clntpath/template.ovpn "$profile"

echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"
echo "" >> "$profile"

# openssl x509 re-emits only the PEM block, dropping the text dump Easy-RSA keeps in issued/*.crt
echo "<cert>" >> "$profile"
openssl x509 -in "$certpath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo "" >> "$profile"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod a+x ~/make.profile.sh

and we can issue our first certificate:

~/make.profile.sh my-first-user
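The profile the script produces is handed to a user as-is, so it is worth checking before it leaves the server. The following is an added example, not part of the original article or the script above: it parses the .ovpn layout the template and script produce (directives plus inline <ca>, <tls-auth>, <cert> and <key> blocks) and reports a template placeholder that was never replaced, a missing block, or a directive that weakens the client side. The sample profile embedded in it is constructed; its PEM bodies are dummies, not real keys.

```python
import re

# Added example, not part of the original article: check a generated .ovpn profile before
# handing it to a user. It knows only the directives and inline blocks of the template above.
REQUIRED_DIRECTIVES = ("client", "remote", "remote-cert-tls", "auth-user-pass", "key-direction")
REQUIRED_BLOCKS = ("ca", "tls-auth", "cert", "key")

# <tag> ... </tag> inline blocks as OpenVPN parses them (one tag per line)
_BLOCK_RE = re.compile(r"^<(?P<name>[a-z-]+)>\n(?P<body>.*?)\n</(?P=name)>$", re.S | re.M)
_PLACEHOLDER_RE = re.compile(r"PUT YOUR ")

# Constructed sample in the shape make.profile.sh produces; PEM bodies are dummies, not real keys.
SAMPLE_PROFILE = """client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
MIIBdummyCA
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
<key>
-----BEGIN PRIVATE KEY-----
MIIEdummyKey
-----END PRIVATE KEY-----
</key>

<cert>
-----BEGIN CERTIFICATE-----
MIIDdummyCert
-----END CERTIFICATE-----
</cert>
"""


def parse_profile(text):
    """Split a profile into {directive: args} and {block name: body}."""
    blocks = {m.group("name"): m.group("body") for m in _BLOCK_RE.finditer(text)}
    directives = {}
    for line in _BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        directives[name] = args.strip()
    return directives, blocks


def check_profile(text):
    """Return a list of problems; an empty list means the profile is complete."""
    directives, blocks = parse_profile(text)
    problems = [f"missing directive: {d}" for d in REQUIRED_DIRECTIVES if d not in directives]
    for name in REQUIRED_BLOCKS:
        body = blocks.get(name)
        if body is None:
            problems.append(f"missing inline block: <{name}>")
            continue
        if _PLACEHOLDER_RE.search(body):
            problems.append(f"template placeholder left in <{name}>")
        if not (body.startswith("-----BEGIN ") and body.rstrip().endswith("-----")):
            problems.append(f"<{name}> is not a PEM block")
    # remote-cert-tls server makes the client demand the server role in the gateway's
    # certificate, so a stolen client certificate cannot be used to impersonate gw.abc.ru
    if "remote-cert-tls" in directives and directives["remote-cert-tls"] != "server":
        problems.append("remote-cert-tls must be 'server'")
    if "key-direction" in directives and directives["key-direction"] != "1":
        problems.append("key-direction must be 1 on the client (the server uses 0)")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for problem in check_profile(text) or ["profile OK"]:
        print(problem)
```

Run it as `python3 check_profile.py /usr/share/easy-rsa/3/client/my-first-user.ovpn` (the file name is an assumption); with no argument it checks the embedded sample.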

Revocation

In case a certificate is compromised (loss, theft), it must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

OpenVPN 2.4 re-reads crl.pem when the file changes, but after startup it runs as the nobody user, so check that the regenerated file and the pki directory are readable by that user (ls -ld pki pki/crl.pem; Easy-RSA writes them with a restrictive umask). If they are not, the old CRL stays in memory and the revoked certificate keeps working until the service is restarted.

Viewing issued and revoked certificates

To see the issued and revoked certificates, simply look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanations:

  • the first line is the server certificate;
  • the first character:
    • V (Valid) - active;
    • R (Revoked) - revoked;
    • E (Expired) - appears only after the index is refreshed (./easyrsa update-db); until then expired certificates stay marked V, so compare the expiry date in the second column.
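Reading index.txt by eye stops scaling once a few dozen certificates have been issued, and the V flag alone does not tell you which ones have passed the 180-day validity recommended above. The following is an added example, not part of the original article, that parses the file in the layout OpenSSL writes (status, expiry, revocation time, serial, file name, subject; tab separated) and lists active, revoked, expired and soon-expiring client names. The sample index embedded in it is constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example, not part of the original article: read pki/index.txt and report what the
# V/R flags and the expiry column say. The sample below is constructed in the layout
# OpenSSL writes: status, expiry (YYMMDDHHMMSSZ), revocation time, serial, file name, subject.
SAMPLE_INDEX = (
    "V\t300601120000Z\t\t01\tunknown\t/CN=myvpngw\n"
    "V\t201101120000Z\t\t02\tunknown\t/CN=my-first-user\n"
    "R\t201101120000Z\t200701093000Z\t03\tunknown\t/CN=lost-laptop\n"
    "V\t200301120000Z\t\t04\tunknown\t/CN=expired-contractor\n"
)


def _parse_ts(value):
    """OpenSSL index timestamps are UTC with a two-digit year."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per certificate in index.txt."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, revoked, serial, _fname, subject = line.split("\t")
        # subject is /X=value/Y=value; the CN is the client name given to make.profile.sh
        rdns = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        entries.append({
            "status": status,
            "expires": _parse_ts(expires),
            # a revoked entry may carry "time,reason"
            "revoked": _parse_ts(revoked.split(",")[0]) if revoked else None,
            "serial": serial,
            "cn": rdns.get("CN", subject),
        })
    return entries


def summarize(entries, now=None, warn_days=30):
    """Classify by flag and expiry date: Easy-RSA does not rewrite V to E on its own,
    so an expired certificate is recognised by its date, not its flag."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=warn_days)
    report = {"active": [], "revoked": [], "expired": [], "expiring": []}
    for e in entries:
        if e["status"] == "R":
            report["revoked"].append(e["cn"])
        elif e["status"] == "E" or e["expires"] <= now:
            report["expired"].append(e["cn"])
        else:
            report["active"].append(e["cn"])
            if e["expires"] <= horizon:
                report["expiring"].append(e["cn"])
    return report


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INDEX
    for kind, names in summarize(parse_index(text), warn_days=30).items():
        print(f"{kind:9} {', '.join(names) or '-'}")
```

Run it as `python3 index_report.py /usr/share/easy-rsa/3/pki/index.txt` (the script name is an assumption); the expiring list is what to feed into a reminder to re-issue profiles before users lose access.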

Network setup

The final steps are setting up the transit network: routing and the firewall.

Allow the connection in the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP forwarding of traffic (the redirection has to run as root too, hence tee):

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a company there will probably be subnetting, and we need to tell the router(s) how to forward packets destined for our VPN clients. On the router's command line we execute a command of this form (it depends on the device used):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

In addition, on the border router interface where the external address gw.abc.ru is published, udp/1194 must be allowed through.

If the organization has strict security rules, a firewall must also be configured on our VPN server. In my opinion, the most flexibility is provided by configuring the iptables FORWARD chain, although the setup is less convenient. A little more about that setup. The easiest way to do it is with "direct rules", stored in the file /etc/firewalld/direct.xml. The current set of rules can be listed as follows:

$ sudo firewall-cmd --direct --get-all-rules

Before changing the file, make a backup copy of it:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The approximate contents of the file are:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging: priority 1 runs after the ACCEPT rules, so only traffic nothing accepted is logged-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Explanations

These are ordinary iptables rules, only wrapped in the format firewalld introduced when it arrived.

The tunnel interface with default settings is tun0, and the interface on the LAN side of the tunnel may vary, e.g. ens192, depending on the platform; every rule must name the same one, otherwise the rules with the wrong name never match.

The last line logs packets that no earlier rule accepted (firewalld's default FORWARD policy then rejects them). The LOG target writes to the kernel log, which rsyslog stores in /var/log/messages. If a direct rule does not seem to be applied at all, raise firewalld's own debug level in its configuration:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

Apply the settings with the usual firewall reload command:

$ sudo firewall-cmd --reload

You can view the dropped packets like this:

grep forward_fw /var/log/messages
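A grep shows individual lines; what a practitioner usually wants is which client tried to reach which internal service how often, since a burst of forward_fw entries from one tunnel address is the first sign of a compromised profile scanning the LAN. The following is an added example, not part of the original article, that parses the kernel LOG lines the last direct rule produces and counts them per (source, destination, protocol, port) flow. The log lines embedded in it are constructed in the netfilter LOG format, not captured from a real server.

```python
import re
from collections import Counter

# Added example, not from the original article: summarize the forward_fw log lines that the
# last direct rule produces, so a grep over /var/log/messages becomes a per-flow count.
# The lines below are constructed in the kernel LOG format, not captured from a real server.
SAMPLE_LOG = """\
Jul 15 10:21:07 gw kernel: forward_fw IN=tun0 OUT=ens192 SRC=172.16.20.6 DST=172.16.19.250 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 15 10:21:08 gw sshd[1201]: Accepted publickey for admin from 172.16.19.5 port 40112 ssh2
Jul 15 10:21:09 gw kernel: forward_fw IN=tun0 OUT=ens192 SRC=172.16.20.6 DST=172.16.19.250 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 15 10:22:30 gw kernel: forward_fw IN=tun0 OUT=ens192 SRC=172.16.20.10 DST=172.16.19.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=50233 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 15 10:23:01 gw kernel: forward_fw IN=tun0 OUT=ens192 SRC=172.16.20.10 DST=172.16.19.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
"""

LOG_PREFIX = "forward_fw "
_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the netfilter fields of one LOG line, or None for unrelated syslog lines."""
    pos = line.find(LOG_PREFIX)
    if pos < 0:
        return None
    fields = dict(_KV_RE.findall(line[pos + len(LOG_PREFIX):]))
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": fields.get("DPT"),  # absent for ICMP
        "in": fields.get("IN"),
        "out": fields.get("OUT"),
    }


def blocked_flows(text):
    """Count (src, dst, proto, dport) tuples over the log text, most frequent first."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            counts[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (src, dst, proto, dport), n in blocked_flows(text):
        print(f"{n:5} {src:>15} -> {dst:<15} {proto} {dport or ''}")
```

Run it as `python3 forward_fw_report.py /var/log/messages` (the script name is an assumption); the source column maps back to a client through ipp.txt or the status log, and from there through username-as-common-name to the AD account.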

What's next

This completes the setup!

All that remains is to install the client software on the client side, import the profile and connect. For Windows operating systems the distribution kit is available on the developer's website.

Finally, we add our new server to the monitoring and backup systems, and do not forget to install updates regularly.

Stable connections!

umthombo: www.habr.com
