Organizing remote work for an SMB organization on OpenVPN
Problem statement
The article describes a remote access system for employees built on open-source products. It can be used both to build a completely self-contained system and to extend an existing commercial system when it runs out of licenses or its performance is insufficient.
The goal of the article is to build a complete system for providing remote access to an organization, which is somewhat more than "install OpenVPN in 10 minutes".
As a result, we get a system in which certificates and (optionally) the corporate Active Directory are used to authenticate users. That is, we get two-factor authentication: what I have (a certificate) and what I know (a password).
The sign that a user is allowed to connect is membership in the myVPNUsr group. The certificate authority will be used offline.
The cost of implementing the solution is only modest hardware resources and 1 hour of a system administrator's time.
We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, allocated 100 vCPUs and 4 GiB of RAM for 4 connections.
In the example, the organization's network is 172.16.0.0/16; the VPN server with address 172.16.19.123 sits in the 172.16.19.0/24 segment, and the DNS servers are 172.16.16.16 and 172.16.17.17. 172.16.20.0/23 is allocated for VPN clients.
For connections from outside, port 1194/udp is used, and an A record gw.abc.ru has been created in DNS for our server.
Disabling SELinux is strongly discouraged! OpenVPN works without disabling the security policies.
We use the CentOS 7.8.2003 distribution. The OS needs to be installed in a minimal configuration. This is convenient to do with kickstart, by cloning a previously installed OS image, or by other means.
After installation and assigning an address to the network interface (172.16.19.123 per the task), we update the OS:
$ sudo yum update -y && reboot
We also need to make sure that time synchronization is working on our machine.
For the application software, we need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository will be required).
The parameters for the hypothetical organization ABC LLC are described here; you can change them to real ones or leave them as in the example. The most important parameter is the last line, which sets the validity period of the certificate in days. The example uses a value of 10 years (365 * 10, plus 2 for the leap years). This value will need to be adjusted before issuing user certificates.
Next, we set up the self-contained certificate authority.
The setup consists of exporting the variables, initializing the CA, issuing the root CA key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All request parameters can be left at their defaults.
This completes the first part, setting up the cryptographic machinery.
Setting up OpenVPN
Go to the OpenVPN directory, create the working directories and add a symlink to easy-rsa:
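The paragraph above lists the CA steps but the page does not show the commands. The following script is an added example, not the article's own: it wraps the Easy-RSA 3 and openvpn calls that perform those steps in a function, and adds a check that the CA private key is readable only by its owner (the "keep the CA key secret" point). The Easy-RSA path, the server name myvpngw (taken from the server.conf later in the article) and the ta.key location are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): Easy-RSA 3 CA bootstrap plus a
# permission check on the CA private key. Paths and names are assumptions.

EASYRSA_DIR=/usr/share/easy-rsa/3   # assumed: EPEL easy-rsa 3 location
SERVER_NAME=myvpngw                 # assumed: matches cert/key in server.conf

# Returns 0 if the file exists with mode 600 or 400, 1 otherwise (GNU stat).
check_key_perms() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f is mode $mode; expected 600"; return 1 ;;
    esac
}

# Builds the offline CA: PKI directory, CA key/cert, DH parameters, TLS auth
# key, server key/cert and an (initially empty) CRL for crl-verify.
# Needs easy-rsa and openvpn installed, so it only runs when asked to.
build_ca() {
    cd "$EASYRSA_DIR" || return 1
    . ./vars                                              # organisation parameters
    ./easyrsa init-pki                                 || return 1
    # nopass relies on the CA being kept offline, as the article states;
    # drop it to additionally protect the CA key with a passphrase.
    ./easyrsa --batch build-ca nopass                  || return 1
    ./easyrsa gen-dh                                   || return 1   # dh.pem
    openvpn --genkey --secret pki/ta.key               || return 1   # TLS auth key
    ./easyrsa --batch gen-req "$SERVER_NAME" nopass    || return 1   # server key + request
    ./easyrsa --batch sign-req server "$SERVER_NAME"   || return 1   # sign with the CA
    ./easyrsa gen-crl                                  || return 1   # pki/crl.pem
    check_key_perms pki/private/ca.key
}

# Run as "sh this-script.sh build" on the VPN server to execute the bootstrap.
if [ "${1:-}" = "build" ]; then
    build_ca
fi
```

The permission check is the piece worth keeping around: run `check_key_perms /usr/share/easy-rsa/3/pki/private/ca.key` after any copy or backup of the PKI directory, since a copy made with the wrong umask silently widens access to the key that signs every user certificate.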
cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/
Create the main OpenVPN configuration file:
$ sudo vim server.conf
with the following contents:
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# The client template below carries ta.key with key-direction 1, so the server
# must load the same key with direction 0 or the handshake is rejected
# (path assumed: the TLS key generated alongside the CA)
tls-auth /etc/openvpn/pki/ta.key 0
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
Some notes on the parameters:
if a different name was specified when issuing the server certificate, use it in the cert and key lines;
specify the address pool to suit your needs *;
there can be one or more routes and DNS servers;
the last 2 lines are needed for authentication in AD **.
* The address range chosen in the example allows 127 clients to connect simultaneously, because a /23 network is chosen and OpenVPN creates a subnet for each session using a /30 mask.
If really necessary, the port and protocol can be changed; however, keep in mind that changing the port number will require reconfiguring SELinux, and using the tcp protocol will increase overhead, since TCP delivery control is already performed at the level of the packets encapsulated in the tunnel.
** If AD authentication is not needed, comment these lines out, skip the next section, and remove the auth-user-pass line from the template.
AD authentication
To support the second factor, we will use account authentication in AD.
We need an account in the domain with ordinary user rights, and a group whose membership will determine the ability to connect.
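The page references /etc/openvpn/ldap.conf from server.conf but does not show it. As an added example (not the article's file), the function below writes a configuration for the openvpn-auth-ldap plugin in which the user is looked up by sAMAccountName and must additionally be a member of the VPN group. Only the group name myVPNUsr comes from the article; the domain controller URL, the service account DN and the directory layout are assumptions for the ABC LLC example.

```shell
#!/bin/sh
# Added example (not the article's own file): write an openvpn-auth-ldap
# configuration enforcing group membership. DNs and the URL are assumptions.

# write_ldap_conf OUTFILE LDAP_URL BIND_DN USER_BASE_DN GROUP_DN
write_ldap_conf() {
    out=$1; url=$2; bind_dn=$3; base_dn=$4; group_dn=$5
    group_base=${group_dn#*,}                 # "CN=x,<rest>" -> "<rest>"
    group_cn=${group_dn%%,*}; group_cn=${group_cn#CN=}   # "CN=x,..." -> "x"
    cat > "$out" <<EOF
<LDAP>
    # Domain controller. Use ldaps:// (or TLSEnable yes) in production so the
    # bind password and the users' passwords do not cross the LAN in clear.
    URL             $url
    BindDN          $bind_dn
    # Service account with ordinary user rights; placeholder, set the real one
    Password        CHANGE_ME_SERVICE_ACCOUNT_PASSWORD
    Timeout         15
    TLSEnable       no
    FollowReferrals no
</LDAP>
<Authorization>
    BaseDN          "$base_dn"
    # %u is replaced by the username the client sends with auth-user-pass
    SearchFilter    "(sAMAccountName=%u)"
    # Second factor: the account must also be a member of the VPN group
    RequireGroup    true
    <Group>
        BaseDN          "$group_base"
        SearchFilter    "(cn=$group_cn)"
        MemberAttribute member
    </Group>
</Authorization>
EOF
    chmod 600 "$out"    # the file holds the bind password
}

# Returns 0 if the configuration actually enforces group membership.
ldap_conf_requires_group() {
    grep -q 'RequireGroup *true' "$1"
}
```

Usage on the server, with the assumed names: `write_ldap_conf /etc/openvpn/ldap.conf ldap://dc1.abc.ru "CN=svc-vpn,OU=Service,DC=abc,DC=ru" "DC=abc,DC=ru" "CN=myVPNUsr,OU=Groups,DC=abc,DC=ru"`, then edit the Password line. With RequireGroup set to false the plugin would accept any domain account with a valid password, which is why the check function exists.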
If something does not work, check the service status and the logs:
systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log
Issuing and revoking certificates
Since, in addition to the certificates themselves, keys and other settings are needed, it is much more convenient to wrap all of this in a single profile file. This file is handed to the user, and the profile is imported into the OpenVPN client. For this we create a settings template and a script that generates the profile.
The contents of the root certificate (ca.crt) and the TLS key (ta.key) files need to be added to the profile.
Before issuing user certificates, do not forget to set the required certificate validity period in the parameters file. It should not be too long; I recommend limiting it to a maximum of 180 days.
vim /usr/share/easy-rsa/3/vars
...
export EASYRSA_CERT_EXPIRE=180
vim /usr/share/easy-rsa/3/client/template.ovpn
client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>
Notes:
the PUT YOUR ... strings are replaced with the contents of your own certificate and key;
in the remote directive, specify the name/address of your gateway;
auth-user-pass is used for the additional external authentication.
In the home directory (or another convenient place) we create a script for requesting a certificate and building the profile:
vim ~/make.profile.sh
#!/bin/bash
if [ -z "$1" ] ; then
  echo "Missing mandatory client name. Usage: $0 vpn-username"
  exit 1
fi
# Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued
# Lowercase the client name and use it everywhere below: easy-rsa names
# the key and certificate files after it, so mixing $1 and $client breaks
# for any name containing capitals
client=${1,,}
profile=$clntpath/$client.ovpn
# Current year, for the log line only
year=$(date +%Y)
echo "Processing $year year cert for user/device $client"
cd "$basepath" || exit 1
if [ -f "$profile" ]; then
  echo "*** ERROR! ***"
  echo "Certificate $client already issued!"
  echo "*** ERROR! ***"
  exit 1
fi
. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass || exit 1
./easyrsa --batch sign-req client "$client" || exit 1
# Make profile: template, then the private key and certificate inline
cp "$clntpath/template.ovpn" "$profile"
{
  echo "<key>"
  cat "$privpath/$client.key"
  echo "</key>"
  echo
  # openssl x509 drops the text header easy-rsa adds to the issued
  # certificate, leaving only the PEM block
  echo "<cert>"
  openssl x509 -in "$certpath/$client.crt"
  echo "</cert>"
  echo
} >> "$profile"
# The profile contains the private key: owner-readable only
chmod 600 "$profile"
echo "Complete. See $profile file."
cd ~
Make the file executable:
chmod a+x ~/make.profile.sh
And we can issue our first certificate:
~/make.profile.sh my-first-user
Result
In case of certificate compromise (loss, theft), the certificate must be revoked:
cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl
Viewing issued and revoked certificates
To view the issued and revoked certificates, simply look at the index file:
cd /usr/share/easy-rsa/3/
cat pki/index.txt
Explanation:
the first line is the server certificate;
the first character is the status:
V (Valid) - valid;
R (Revoked) - revoked.
Network setup
The final steps are setting up the transport network: routing and firewalls.
In a corporate environment, subnetting is likely in use, and we need to tell the router(s) how to deliver packets destined for our VPN clients. On the command line we run a command of the form (depending on the equipment in use):
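Reading pki/index.txt by eye works for a handful of users; with more, the questions are "which certificates are revoked" and "which valid ones expire soon" (the article recommends 180-day certificates, so expiry is routine). The functions below are an added example, not part of the article: they parse the TAB-separated index format (status, expiry as YYMMDDHHMMSSZ, revocation date, serial, "unknown", subject DN) with awk and GNU date. The index content is constructed for the test; on the server pass pki/index.txt instead.

```shell
#!/bin/sh
# Added example (not from the article): queries over Easy-RSA's pki/index.txt.
# Fields are TAB-separated: status, expiry (YYMMDDHHMMSSZ, UTC), revocation
# date (empty unless status is R), serial, "unknown", subject DN.

# Constructed sample index for demonstration; a real file is pki/index.txt.
SAMPLE_INDEX=$(mktemp)
printf 'V\t300708120000Z\t\t01\tunknown\t/CN=myvpngw\n' > "$SAMPLE_INDEX"
printf 'V\t210104120000Z\t\t02\tunknown\t/CN=my-first-user\n' >> "$SAMPLE_INDEX"
printf 'R\t210104120000Z\t200715093000Z\t03\tunknown\t/CN=lost-laptop\n' >> "$SAMPLE_INDEX"

# Print "status CN expiry" for every certificate in the index file $1
list_certs() {
    awk -F'\t' '{ cn = $6; sub(/^.*\/CN=/, "", cn); print $1, cn, $2 }' "$1"
}

# Number of certificates in index $1 with status letter $2 (V or R)
count_status() {
    awk -F'\t' -v st="$2" '$1 == st { n++ } END { print n + 0 }' "$1"
}

# CNs of revoked certificates; these are rejected by the server's crl-verify
# only after gen-crl has produced a fresh crl.pem
revoked_cns() {
    awk -F'\t' '$1 == "R" { cn = $6; sub(/^.*\/CN=/, "", cn); print cn }' "$1"
}

# Convert an index timestamp (YYMMDDHHMMSSZ) to epoch seconds (GNU date).
# openssl writes two-digit years for dates before 2050.
index_ts_to_epoch() {
    ts=$1
    yy=$(printf '%s' "$ts" | cut -c1-2); mo=$(printf '%s' "$ts" | cut -c3-4)
    dd=$(printf '%s' "$ts" | cut -c5-6); hh=$(printf '%s' "$ts" | cut -c7-8)
    mi=$(printf '%s' "$ts" | cut -c9-10); ss=$(printf '%s' "$ts" | cut -c11-12)
    date -u -d "20$yy-$mo-$dd $hh:$mi:$ss" +%s
}

# CNs of valid certificates in index $1 expiring within $3 days of epoch $2
expiring_within() {
    idx=$1; now=$2; days=$3
    limit=$((now + days * 86400))
    awk -F'\t' '$1 == "V" { cn = $6; sub(/^.*\/CN=/, "", cn); print cn, $2 }' "$idx" |
    while read -r cn ts; do
        exp=$(index_ts_to_epoch "$ts")
        if [ "$exp" -le "$limit" ]; then echo "$cn"; fi
    done
}

list_certs "$SAMPLE_INDEX"
```

A weekly cron entry such as `expiring_within /usr/share/easy-rsa/3/pki/index.txt "$(date +%s)" 30` gives the list of users whose profiles need reissuing before they start calling the helpdesk; the same run with `revoked_cns` is a quick cross-check that a revocation was actually recorded before trusting crl.pem.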
# ip route 172.16.20.0 255.255.254.0 172.16.19.123
and save the configuration.
In addition, on the border router interface where the gw.abc.ru address terminates, udp/1194 packets must be allowed through.
If the organization has strict security rules, a firewall must also be configured on the VPN server itself. In my opinion, the greatest flexibility is provided by setting up the iptables FORWARD chains, although their configuration is not that simple. Here is a bit more about configuring them. The most convenient way is to use "direct rules", stored in the file /etc/firewalld/direct.xml. The current rule configuration can be viewed as follows:
$ sudo firewall-cmd --direct --get-all-rules
Before changing the file, make a backup copy of it.
These are essentially ordinary iptables rules, except that they are assembled after the firewall comes up.
The destination interface with default settings is tun0, while the external interface for the tunnel may differ, for example ens192, depending on the platform used.
The last line is for logging dropped packets. For the logging to work, the debug level must be changed in the firewall configuration:
vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2
The settings are applied with the usual firewalld command for re-reading the configuration:
$ sudo firewall-cmd --reload
Dropped packets can be viewed like this:
grep forward_fw /var/log/messages
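The direct.xml file the section describes is not reproduced on the page. As an added example (not the article's file), the function below generates one: a RELATED,ESTABLISHED rule for replies, one ACCEPT per corporate network reachable from the tunnel, and a LOG-then-DROP pair for everything else, which is what makes the `grep forward_fw` check above find something. Interface names, the allowed networks and the "forward_fw" log prefix are assumptions; the element layout is firewalld's direct rule XML, where each <rule> body is an iptables rule without its chain name.

```shell
#!/bin/sh
# Added example (not the article's file): generate /etc/firewalld/direct.xml
# FORWARD rules for the VPN server. Interfaces, networks and the log prefix
# are assumptions.

# write_direct_xml OUTFILE TUN_IF EXT_IF NET...
write_direct_xml() {
    out=$1; tun=$2; ext=$3; shift 3
    {
        echo '<?xml version="1.0" encoding="utf-8"?>'
        echo '<direct>'
        # replies to connections the VPN clients opened
        echo "  <rule priority=\"0\" ipv=\"ipv4\" table=\"filter\" chain=\"FORWARD\">-i $ext -o $tun -m state --state RELATED,ESTABLISHED -j ACCEPT</rule>"
        # one ACCEPT per corporate network the clients are allowed to reach
        for net in "$@"; do
            echo "  <rule priority=\"1\" ipv=\"ipv4\" table=\"filter\" chain=\"FORWARD\">-i $tun -o $ext -d $net -j ACCEPT</rule>"
        done
        # everything else coming out of the tunnel is logged, then dropped;
        # the prefix is what "grep forward_fw /var/log/messages" looks for
        echo "  <rule priority=\"2\" ipv=\"ipv4\" table=\"filter\" chain=\"FORWARD\">-i $tun -j LOG --log-prefix \"forward_fw \"</rule>"
        echo "  <rule priority=\"3\" ipv=\"ipv4\" table=\"filter\" chain=\"FORWARD\">-i $tun -j DROP</rule>"
        echo '</direct>'
    } > "$out"
}

# Number of <rule> elements in file $1
count_rules() {
    grep -c '<rule ' "$1"
}

# Returns 0 if the file ends with a DROP rule, i.e. the policy is default-deny
ends_with_drop() {
    tail -n 2 "$1" | head -n 1 | grep -q -- '-j DROP'
}
```

Usage on the server: `write_direct_xml /etc/firewalld/direct.xml tun0 ens192 172.16.0.0/16 172.17.0.0/16` followed by `firewall-cmd --reload`. Priorities order the rules; the ACCEPT rules must sort before the LOG/DROP pair, otherwise every client packet is logged and dropped, which is exactly what the grep above would then show.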
What's next
This completes the setup!
All that remains is to install the client software on the client side, import the profile and connect. For Windows operating systems, the distribution is available on the developer's website.
Finally, we connect our new server to the monitoring and logging systems, and do not forget to install updates regularly.