Two-factor authentication in OpenVPN with a Telegram bot

This article describes how to configure an OpenVPN server for two-factor authentication with a Telegram bot that sends a confirmation request when a user connects.

OpenVPN is a well-known, free, open-source VPN server that is widely used to give employees secure access to an organization's internal resources.

A combination of a key and a user login/password is normally used to authenticate a connection to the VPN server. However, a password saved on the client turns the whole set into a single factor that does not provide an adequate level of security. An attacker who gains access to the client computer also gains access to the VPN server. This is especially true for connections from machines running Windows.

Using a second factor reduces the risk of unauthorized access by 99% and does not complicate the connection process for users at all.

A caveat up front: the implementation requires connecting a third-party authentication server, multifactor.ru, where you can use the free plan for your needs.

How it works

  1. OpenVPN uses the openvpn-plugin-auth-pam plugin for authentication
  2. The plugin checks the user's password on the server and requests the second factor from the Multifactor service over the RADIUS protocol
  3. Multifactor sends the user a message through the Telegram bot asking them to confirm access
  4. The user confirms the access request in the Telegram chat and connects to the VPN

Installing the OpenVPN server

There are many articles on the Internet describing how to install and configure OpenVPN, so we will not repeat them. If you need help, there are several links to tutorials at the end of the article.

Configuring Multifactor

Go to the Multifactor management console, open the "Resources" section and create a new VPN.
Once it is created, two parameters will be available to you: NAS-Identifier and Shared Secret. They will be needed for the configuration that follows.

In the "Groups" section, open the settings of the "All users" group and clear the "All resources" flag so that only users of a specific group can connect to the VPN server.

Create a new group "VPN users", disable all authentication methods except Telegram, and specify that its users have access to the created VPN resource.

In the "Users" section, create the users who will have access to the VPN, add them to the "VPN users" group and send them a link to configure the second authentication factor. The user login must match the login on the VPN server.

Configuring the OpenVPN server

Open the file /etc/openvpn/server.conf and add the plugin for authentication through the PAM module

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

The plugin may be located in /usr/lib/openvpn/plugins/ or /usr/lib64/openvpn/plugins/, depending on your system.

Next, install the pam_radius_auth module

$ sudo yum install pam_radius

Open the file /etc/pam_radius.conf for editing and specify the address of the Multifactor RADIUS server

radius.multifactor.ru   shared_secret   40

where:

  • radius.multifactor.ru - the server address
  • shared_secret - copy it from the corresponding VPN settings parameter
  • 40 seconds - the request timeout, with a generous margin

The remaining servers must be deleted or commented out (put a semicolon at the beginning)

Next, create a file for the openvpn service type

$ sudo vi /etc/pam.d/openvpn

and write into it

auth    required pam_radius_auth.so skip_passwd client_id=[NAS-IDentifier]
auth    substack     password-auth
account substack     password-auth

The first line connects the PAM module pam_radius_auth with the parameters:

  • skip_passwd - disables sending the user's password to the Multifactor RADIUS server (it does not need to know it).
  • client_id - replace [NAS-Identifier] with the corresponding parameter from the VPN resource settings.
    All possible parameters are described in the module documentation.

The second and third lines include the system check of the login, password and user rights on your server, alongside the second authentication factor.

Restart OpenVPN

$ sudo systemctl restart openvpn@server

Configuring the client

Add a prompt for the user login and password to the client configuration file

auth-user-pass

Testing

Start the OpenVPN client, connect to the server, and enter your username and password. The Telegram bot will send an access request with two buttons

One button allows access, the other blocks it.

Now you can safely store the password on the client; the second factor will reliably protect your OpenVPN server from unauthorized access.

If something does not work

Check, in order, that you have not missed anything:

  • There is a user on the OpenVPN server with a password set
  • The server can reach radius.multifactor.ru over UDP port 1812
  • The NAS-Identifier and Shared Secret parameters are specified correctly
  • A user with the same login has been created in the Multifactor system and granted access to the VPN users group
  • The user has configured the Telegram authentication method
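
The configuration-side items of this checklist can be linted offline before restarting OpenVPN. The script below is an added example, not part of the original article or of Multifactor's tooling; the function names and the sample values in demo are constructed, and the file-permission check is an extra hardening check that the guide does not mention.

```shell
#!/bin/sh
# Added example: offline lint of the files this guide edits ('#' and ';' = comments).
active_lines() { grep -Ev '^[[:space:]]*([#;]|$)' "$1"; }

# pam_radius.conf: exactly one active server, a real secret, not world-readable
check_radius_conf() {
    n=$(active_lines "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "FAIL: $n active server lines, expected 1"; return 1; }
    case "$(active_lines "$1" | awk '{print $2}')" in
        ''|shared_secret) echo "FAIL: secret missing or still the placeholder"; return 1 ;;
    esac
    [ -z "$(find "$1" -perm -004)" ] ||
        { echo "FAIL: world-readable file exposes the shared secret"; return 1; }
    echo "OK: pam_radius.conf"
}

# pam.d/openvpn: pam_radius_auth line with skip_passwd and a filled-in client_id
check_pam_service() {
    line=$(active_lines "$1" | grep -E '^auth[[:space:]].*pam_radius_auth\.so' | head -n 1)
    [ -n "$line" ] || { echo "FAIL: no pam_radius_auth auth line"; return 1; }
    case "$line" in *skip_passwd*) ;; *) echo "FAIL: skip_passwd not set"; return 1 ;; esac
    cid=$(printf '%s\n' "$line" | sed -n 's/.*client_id=\([^[:space:]]*\).*/\1/p')
    case "$cid" in
        ''|'['*) echo "FAIL: client_id missing or still a placeholder"; return 1 ;;
    esac
    echo "OK: pam.d/openvpn"
}

# server.conf: auth-pam plugin loaded with the PAM service name "openvpn"
check_server_conf() {
    active_lines "$1" | grep -Eq \
        '^[[:space:]]*plugin[[:space:]]+[^[:space:]]*openvpn-plugin-auth-pam\.so[[:space:]]+openvpn([[:space:]]|$)' ||
        { echo "FAIL: auth-pam plugin with service 'openvpn' not found"; return 1; }
    echo "OK: server.conf"
}

# Demo on constructed copies (values are made up, not real credentials)
demo() {
    d=$(mktemp -d); old=$(umask); umask 077   # sample files are created 0600
    printf 'plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn\n' > "$d/server.conf"
    printf ';127.0.0.1 secret 1\nradius.multifactor.ru constructed-secret 40\n' > "$d/pam_radius.conf"
    printf 'auth required pam_radius_auth.so skip_passwd client_id=constructed-nas-id\n' > "$d/openvpn"
    umask "$old"
    check_server_conf "$d/server.conf" && check_radius_conf "$d/pam_radius.conf" &&
        check_pam_service "$d/openvpn"; rc=$?
    rm -rf "$d"; return $rc
}
demo
```

To lint a live server, call the three check functions as root with /etc/openvpn/server.conf, /etc/pam_radius.conf and /etc/pam.d/openvpn.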

If you have not set up OpenVPN before, read the detailed article.

The instructions were written using examples on CentOS 7.

Source: www.habr.com
