Hello!
Every business sooner or later needs remote access.
Almost every IT specialist faces the need to organize remote access to the corporate network.
For me, as for many others, this need arrived "as of yesterday." After weighing all the pros and cons, sifting through tons of information and studying a little theory, I decided to go ahead with the deployment.
For security reasons, OpenVPN was chosen, in the following layout: on a server running Windows Server 2012 a virtual machine was installed, also Windows Server 2012, and on it an OpenVPN server that issued and signed the certificates.
For simplicity, let's call it the "certificate server." I then took the server certificate, pushed it to the Mikrotik, and enabled OpenVPN with accounts and profiles on the Mikrotik router itself. The certificate server was also used to issue client certificates.
The setup was, frankly, frightening, and although my experience with such things at the time was, let's say, insufficient, from a security standpoint it was not the worst decision.
This connection worked for a while, and then I was given a new task: move the certificate server to Linux while keeping the connection to the Mikrotik; the clients must not be affected.
My knowledge of Linux at the time was limited to Ubuntu 16.04 LTS with a graphical interface, used as a terminal for RDP connections to a Windows server. That is, sudo apt-get -f install -y, and not a centimeter more.
After looking into which OS of the Linux family was more stable and promising for my organization, I settled on CentOS 7 Minimal.
To begin with, I decided to look at a bit of theory, to understand how it works and how things work in general. I watched the video tutorials on a channel (not an advertisement at all, it was simply the first one I came across). A girl with a pleasant voice introduced me to the basics of working in the chosen OS.
First, I started Hyper-V on my computer and installed CentOS 7 Minimal in it. During installation I created an Admin user and completely disabled SSH login for root. After saying goodbye to the nice colorful screen, I entered the black-and-white world of the terminal.
I think there is no point in describing the software installation process; it is better to focus on the problems that came up along the way and that I had to write a small script to solve (it is below the cut. Detailed descriptions of useful things can be found on the Internet, but at the time I was doing this the script did not exist yet; everything was done for the first time, by touch and blindly).
In the script I tried to automate installing the required tools on the server, disabling SELinux, connecting the EPEL repository, installing OpenVPN, and so on. Below is the script itself; it is simple but workable. I will not go into details, but if anyone needs them, let me know.
After running the script, a preconfigured OpenVPN server appears, winking its green eye.
#!/bin/bash
# Run as the Admin user created during installation; sudo is used only where root is required.
ADMIN=Admin
EASYRSA_DIR=/home/$ADMIN/EasyRSA-3.0.3
VARS=$EASYRSA_DIR/vars

# Disable SELinux now and after reboot (/etc/sysconfig/selinux is a symlink to this file,
# and sed -i on the symlink would replace it with a regular file).
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
sudo setenforce 0

cd /home/$ADMIN
sudo yum update -y
sudo yum install epel-release -y
# Editors, time sync, network and diagnostic tools, dos2unix (needed later for index.txt) and OpenVPN from EPEL.
sudo yum install mc nano chrony net-tools iftop htop lsof dos2unix wget tcpdump openvpn -y
sudo cp /usr/share/mc/syntax/sh.syntax /usr/share/mc/syntax/unknown.syntax
sudo systemctl start chronyd
sudo systemctl enable chronyd

# Easy-RSA is unpacked without sudo so that Admin owns the directory and can write the vars file into it.
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz
tar -xvzf EasyRSA-3.0.3.tgz

# Log and client-config directories are handed over to Admin so the rest of the script runs without sudo.
sudo chown -R $ADMIN:$ADMIN /var/log
sudo chmod 755 /var/log
mkdir -p /var/log/openvpn
sudo mkdir -p /etc/openvpn/ccd
sudo chown -R $ADMIN:$ADMIN /etc/openvpn/ccd /var/log/openvpn
chmod 755 /etc/openvpn/ccd /var/log/openvpn
: >/var/log/openvpn/openvpn-status.log
: >/var/log/openvpn/openvpn.log

sudo chown $ADMIN:$ADMIN /etc/resolv.conf
chmod 644 /etc/resolv.conf
echo nameserver 8.8.8.8 >>/etc/resolv.conf

# PKI: init-pki run from /etc/openvpn creates /etc/openvpn/pki, which the client script later relies on.
cd /etc/openvpn/
sudo "$EASYRSA_DIR/easyrsa" init-pki
sudo chown -R $ADMIN:$ADMIN /etc/openvpn
chmod 755 /etc/openvpn

# Request defaults. The file is passed explicitly with --vars on every call; set_var takes NAME VALUE.
cat >"$VARS" <<'EOF'
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "RU"
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_REQ_PROVINCE "LIP"
set_var EASYRSA_REQ_CITY "Lipetsk"
set_var EASYRSA_REQ_ORG "Cool-Admin"
set_var EASYRSA_REQ_EMAIL "xxx.ru"
set_var EASYRSA_REQ_OU "Our_ORG"
set_var EASYRSA_REQ_CN "changeme"
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_DH_KEY_SIZE 2048
EOF
sudo "$EASYRSA_DIR/easyrsa" --vars="$VARS" build-ca nopass
sudo "$EASYRSA_DIR/easyrsa" --vars="$VARS" build-server-full Serv nopass
sudo "$EASYRSA_DIR/easyrsa" --vars="$VARS" build-client-full Client1 nopass
sudo "$EASYRSA_DIR/easyrsa" --vars="$VARS" gen-dh
sudo "$EASYRSA_DIR/easyrsa" --vars="$VARS" gen-crl

# Copy what the server needs out of the PKI.
mkdir -p /etc/openvpn/keys
chmod 755 /etc/openvpn/keys
sudo cp /etc/openvpn/pki/ca.crt /etc/openvpn/pki/dh.pem /etc/openvpn/pki/crl.pem /etc/openvpn/keys
sudo cp /etc/openvpn/pki/issued/Serv.crt /etc/openvpn/pki/private/Serv.key /etc/openvpn/keys

# Server configuration. The push lines must keep their quotes in the file, hence the heredoc
# (echo push "..." would have stripped them and OpenVPN would reject the line).
cat >/etc/openvpn/server.conf <<'EOF'
port 443
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/Serv.crt
key /etc/openvpn/keys/Serv.key
dh /etc/openvpn/keys/dh.pem
crl-verify /etc/openvpn/keys/crl.pem
client-config-dir /etc/openvpn/ccd
topology subnet
server 172.21.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 2
mute 20
daemon
mode server
user nobody
group nobody
EOF

# Enable IP forwarding and start the service.
sudo chown $ADMIN:$ADMIN /etc/sysctl.conf
chmod 644 /etc/sysctl.conf
echo net.ipv4.ip_forward=1 >>/etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
The OpenVPN setup did not go completely smoothly.
Not knowing the finer points of the Linux permission model, I spent a lot of time reading logs and giving every file the permissions it needed.
When the OpenVPN indicator turned green I was very happy, but as it turned out, this was only the beginning. Being inexperienced, I had counted on transferring the root certificates and the crl.pem file, hoping that everything would work. In the end, I had to move the following files over from the Windows server:
Serv.crt - server certificate
Serv.key - server key
ca.crt - root certificate
ca.key - root key
crl.pem - certificate revocation list
dh.pem - Diffie-Hellman parameters
index.txt - file with information about the current certificates
serial - also involved in certificate validity
The certs_by_serial folder, the vars file, and all the client keys and certificates were also needed.
On the Mikrotik the certificates stayed in place, so everything worked.
Problems appeared when I tried to revoke a certificate: it did not work at all. The index.txt file had to be converted to Unix format, which I did not do right away; the dos2unix utility did the job.
Now certificates were revoked, but they kept working without any problems, because the Mikrotik did not know they were revoked and had to be told somehow.
After reading the manuals and consulting Alexander ERI (many thanks!), I installed a simple Apache http server on the certificate server and published the revoked-certificate file on it. Access to the server was closed completely, except for the published file, which was allowed from a single IP.
In the Mikrotik terminal, under /System/Certificates/CRL, I specified the path to the published crl.pem. It should be noted here that the Mikrotik accepts only http and only the full address in the CRL tab, i.e. it should look like this:
Everything worked, at least on RouterOS 6.4.2.x, but client configuration had to be done by hand, which for me was the unlucky part and caused serious inconvenience. When a week later I had to configure about 50 clients, I decided to speed this process up and used a snippet by someone else that I found on the Internet.
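The revocation chain described above (index.txt line endings, gen-crl, the Mikrotik fetching crl.pem) has two silent failure modes: a CRLF index.txt and a published crl.pem that predates the last revocation. The following POSIX shell check is an added example, not the article's script or easy-rsa's own tooling; it builds a constructed three-line index.txt inline, reports CRLF endings, lists the serials marked revoked, and compares them with the serials of the published CRL (the openssl pipeline in the comment is the assumed source of that list; the web root path in it is a placeholder).

```shell
#!/bin/sh
# Constructed sample of an OpenSSL/easy-rsa index.txt (tab-separated fields:
# status, expiry, revocation date, serial, filename, DN). Entry 02 is revoked (R),
# and the file still carries CRLF line endings, as after a copy from Windows.
INDEX_FILE=$(mktemp)
printf 'V\t290101000000Z\t\t01\tunknown\t/CN=Serv\r\n'                >"$INDEX_FILE"
printf 'R\t290101000000Z\t240315120000Z\t02\tunknown\t/CN=Client1\r\n' >>"$INDEX_FILE"
printf 'V\t290101000000Z\t\t03\tunknown\t/CN=Client2\r\n'              >>"$INDEX_FILE"

# Succeeds (exit 0) when the index has Windows line endings; easy-rsa then
# mis-reads the status column, which is the case dos2unix fixed in the article.
index_has_crlf() {
    awk '/\r$/ { found = 1 } END { exit !found }' "$1"
}

# Prints the serial of every entry whose status is R (revoked), one per line.
# Trailing CRs are stripped first so the result is the same on either line ending.
revoked_serials() {
    tr -d '\r' <"$1" | awk -F'\t' '$1 == "R" { print $4 }'
}

# $1: index file. $2: serials the published crl.pem actually lists, separated by
# whitespace or newlines; on the certificate server they come from, for example,
#   openssl crl -in /var/www/html/crl.pem -noout -text | awk '/Serial Number:/ { print $3 }'
# (both tools print serials as uppercase hex, so they compare as plain strings).
# Prints every revoked serial absent from the CRL and returns 1 if any is missing:
# exactly the state in which the router keeps accepting a revoked client.
missing_from_crl() {
    idx=$1; crl_serials=$2; rc=0
    for s in $(revoked_serials "$idx"); do
        printf '%s\n' $crl_serials | grep -qx "$s" || { echo "$s"; rc=1; }
    done
    return $rc
}

# Stand-alone run: warn about CRLF, then show the gap between the index and an (empty) CRL.
if index_has_crlf "$INDEX_FILE"; then
    echo "index.txt has CRLF line endings: run dos2unix on it before gen-crl" >&2
fi
missing_from_crl "$INDEX_FILE" "" || echo "revoked serials missing from crl.pem: regenerate and republish it" >&2
```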
The script works like this: after starting, it asks for the client name and whether to set a password or not, then takes the already prepared configuration file client.ovpn and joins the certificates and settings into it. To use it, you must be in /etc/openvpn. I have marked with comments the lines where the path has to be changed to your own. You also need to create a file with the client settings so that the script substitutes them when generating the configuration.
#!/bin/bash
# Run from /etc/openvpn: easyrsa looks for the PKI in $PWD/pki, which the install script created there.
EASYRSA=/home/Admin/EasyRSA-3.0.3/easyrsa   # path to easyrsa: change to your own
TEMPLATE=/etc/openvpn/client-template.txt   # file with the client settings: change to your own
OUT_DIR=/home/Admin/IT/Temp                 # directory where the finished configuration is written: change to your own
PKI=/etc/openvpn/pki                        # PKI created by init-pki

function newClient () {
	echo ""
	echo "Tell me a name for the client."
	echo "Use one word only, no special characters."
	until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
		read -rp "Client name: " -e CLIENT
	done
	echo ""
	echo "Do you want to protect the configuration file with a password?"
	echo "(e.g. encrypt the private key with a password)"
	echo " 1) Add a passwordless client"
	echo " 2) Use a password for the client"
	until [[ "$PASS" =~ ^[1-2]$ ]]; do
		read -rp "Select an option [1-2]: " -e -i 1 PASS
	done
	case $PASS in
	1)
		sudo "$EASYRSA" build-client-full "$CLIENT" nopass
		;;
	2)
		echo "You will be asked for the client password below"
		sudo "$EASYRSA" build-client-full "$CLIENT"
		;;
	esac
	# Generates the custom client .ovpn: the template followed by the inline CA certificate, client certificate and key.
	umask 077   # the .ovpn contains the private key, so it is created readable by its owner only
	cp "$TEMPLATE" "$OUT_DIR/$CLIENT.ovpn"
	{
		echo "<ca>"
		cat "$PKI/ca.crt"                                  # root certificate
		echo "</ca>"
		echo "<cert>"
		awk '/BEGIN/,/END/' "$PKI/issued/$CLIENT.crt"       # client certificate, PEM block only
		echo "</cert>"
		echo "<key>"
		sudo cat "$PKI/private/$CLIENT.key"                # client key; root-owned because easyrsa ran under sudo
		echo "</key>"
	} >> "$OUT_DIR/$CLIENT.ovpn"
	echo ""
	echo "Client $CLIENT added, the configuration file is available at $OUT_DIR/$CLIENT.ovpn."
	echo "Download the .ovpn file and import it in your OpenVPN client."
	exit 0
}
newClient
After some time, a new remote-access perimeter forced the decommissioning of this server together with the existing Mikrotik connection. A new OpenVPN server was built for the IT department staff, now running entirely on CentOS. But that is a completely different story.
I express my sincere gratitude to Ivan and Pavel for their help in editing this article.
Source: www.habr.com
