Remote access system for an SMB organization on OpenVPN

Problem statement

This article describes a remote access system for employees built on open-source products. It can be used both to build a fully autonomous system and as an extension when the existing commercial system is short of licenses or its functionality is insufficient.

The goal of the article is to build a complete system for providing remote access to an organization, which is somewhat more than "installing OpenVPN in 10 minutes".

As a result, we will get a system in which certificates and (optionally) the corporate Active Directory are used to authenticate users. That is, we get a system with two-factor verification: what I have (the certificate) and what I know (the password).

The sign that a user is allowed to connect is their membership in the myVPNUsr group. The certification authority will be used offline.

The cost of implementing the solution is only a small amount of hardware resources and 1 hour of a system administrator's work.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, which has been allocated 100 vCPUs and 4 GiB of RAM for 4 connections.

In the example, the organization's network is 172.16.0.0/16, the VPN server with address 172.16.19.123 sits in the segment 172.16.19.0/24, and the DNS servers are 172.16.16.16 and 172.16.17.17. The range 172.16.20.0/23 is allocated for VPN clients.

Connections from outside arrive on port 1194/udp, and an A record gw.abc.ru has been created in DNS for our server.

It is strongly not recommended to disable SELinux! OpenVPN works without disabling the security policies.

Contents

  1. Installing the OS and application software
  2. Configuring cryptography
  3. Configuring OpenVPN
  4. AD authentication
  5. Startup and diagnostics
  6. Certificate issuance and revocation
  7. Network configuration
  8. What's next

Installing the OS and application software

We use the CentOS 7.8.2003 distribution. The OS needs to be installed in a minimal configuration. This is conveniently done with kickstart, by cloning a pre-installed OS image, or by other means.

After installation and assigning an address to the network interface (per the task conditions, 172.16.19.123), we update the OS:

$ sudo yum update -y && reboot

We also need to make sure that time synchronization is working on our machine.
To install the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required).

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install a guest agent on a virtual machine:

$ sudo yum install open-vm-tools

for a VMware ESXi host, or for oVirt

$ sudo yum install ovirt-guest-agent

Configuring cryptography

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create a variables file:

$ sudo vim vars

with the following content:

export KEY_COUNTRY="RU"
export KEY_PROVINCE="MyRegion"
export KEY_CITY="MyCity"
export KEY_ORG="ABC LLC"
export KEY_EMAIL="[email protected]"
export KEY_CN="allUsers"
export KEY_OU="allUsers"
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
export EASYRSA_CERT_EXPIRE=3652

The parameters for the fictitious organization ABC LLC are given here; you can change them to real ones or leave them as in the example. The most important parameter is the last line, which sets the validity period of a certificate in days. The example uses a value of 10 years (365 * 10 + 2 leap days). This value will need to be adjusted before issuing user certificates.

Next, we configure the autonomous certification authority.

The setup consists of exporting the variables, initializing the PKI, issuing the root CA key and certificate, the Diffie-Hellman parameters, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All request parameters can be left at their defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

This completes the first part of configuring the cryptographic machinery.

Configuring OpenVPN

Go to the OpenVPN directory, create the working directories and add a symlink to easy-rsa:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following content:

port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some notes on the parameters:

  • if a different name was given when the server certificate was issued, use it in the cert and key paths;
  • choose an address pool that suits your needs*;
  • there can be one or more routes and DNS servers (note that the mask 255.255.255.0 in the example pushes only 172.16.0.0/24; to reach the whole 172.16.0.0/16 network described above, including the DNS servers, the pushed route needs the mask 255.255.0.0);
  • the last 2 lines are needed for authentication in AD**.

* The address range chosen in the example allows up to 127 clients to connect simultaneously, because a /23 network was chosen and OpenVPN creates a subnet for each session with a /30 mask.
If really necessary, the port and protocol can be changed; however, keep in mind that changing the port number will require reconfiguring SELinux, and using the tcp protocol will add overhead, since TCP delivery control is already performed by the packets encapsulated inside the tunnel.

** If authentication in AD is not needed, comment them out, skip the next section, and remove the auth-user-pass line from the template.
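The pool size and the pushed routes above are easy to get subtly wrong, so here is an added example (not code from the original article) that reads the relevant server.conf directives and answers two questions a practitioner asks before handing out profiles: how many clients the pool really holds, and whether a given corporate host or DNS server will actually be sent through the tunnel. The SERVER_CONF text is a constructed copy of the page's configuration; function names are my own.

```python
import ipaddress
import shlex

# Constructed copy of the directives from the page's server.conf that matter for routing.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 172.16.20.0 255.255.254.0
push "route 172.16.0.0 255.255.255.0"
push "route 172.17.0.0 255.255.255.0"
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
cipher AES-256-CBC
"""


def parse_server_conf(text):
    """Return (pool, routes, dns): the client pool, the pushed routes and the pushed DNS servers."""
    pool, routes, dns = None, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)  # handles the quoted argument of push "..."
        if words[0] == "server" and len(words) == 3:
            pool = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
        elif words[0] == "push" and len(words) == 2:
            opt = words[1].split()
            if opt[0] == "route" and len(opt) >= 3:
                routes.append(ipaddress.ip_network(f"{opt[1]}/{opt[2]}", strict=False))
            elif opt[0] == "dhcp-option" and len(opt) == 3 and opt[1] == "DNS":
                dns.append(ipaddress.ip_address(opt[2]))
    return pool, routes, dns


def max_clients(pool, topology="net30"):
    """Concurrent clients the pool supports. The default net30 topology burns a /30 per
    client (and one for the server); topology subnet uses one address per client plus the
    network, server and broadcast addresses."""
    n = pool.num_addresses
    return n // 4 - 1 if topology == "net30" else n - 3


def routed_via_vpn(routes, host):
    """True if some pushed route covers host, i.e. the client will send it into the tunnel."""
    ip = ipaddress.ip_address(host)
    return any(ip in r for r in routes)


def unrouted_dns(routes, dns):
    """Pushed DNS servers that no pushed route covers: name resolution would leave the tunnel."""
    return [str(d) for d in dns if not routed_via_vpn(routes, d)]


if __name__ == "__main__":
    pool, routes, dns = parse_server_conf(SERVER_CONF)
    print(f"pool {pool}: up to {max_clients(pool)} clients with net30 topology")
    for host in ("172.16.0.5", "172.16.19.200"):
        print(f"{host} via VPN: {routed_via_vpn(routes, host)}")
    print("DNS servers not covered by a pushed route:", unrouted_dns(routes, dns))
```

Run against the page's own configuration this reports 127 clients (matching the footnote) and shows that 172.16.19.200 and both DNS servers fall outside the pushed /24 routes, which is exactly the case the note about the route mask warns about.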

AD authentication

To support the second factor, we will use account verification in AD.

We need an account in the domain with ordinary user rights, and a group whose membership will determine the ability to connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the following content:

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Main settings:

  • URL "ldap://ldap.abc.ru" - address of the domain controller;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - canonical name for binding to LDAP (the account bindUsr in the container abc.ru/Users);
  • Password b1ndP@SS - password of the bind account;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" - path from which the user search starts;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" - container of the permitting group (the group myVPNUsr in the container abc.ru/myGrp);
  • SearchFilter "(cn=myVPNUsr)" - name of the permitting group.

Keep in mind that with a ldap:// URL and TLSEnable no, the bind password and every user's AD password cross the network in clear text; on anything other than an isolated segment use an ldaps:// URL or TLSEnable yes together with TLSCACertFile, and keep ldap.conf readable by root only, since it holds the bind password.
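As an added example (my own code, not part of the article or of the openvpn-auth-ldap project), the following parses the plugin's Apache-style configuration into nested dictionaries and runs the checks a reviewer would apply to it: clear-text LDAP, an inline bind password, group membership not being required, and a search filter that does not use the presented user name (%u). The LDAP_CONF text is a constructed copy of the page's file.

```python
import re

# Constructed copy of the ldap.conf shown on this page.
LDAP_CONF = """\
<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>
"""

_OPEN = re.compile(r"^<(\w+)>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def parse_auth_ldap(text):
    """Parse <Block> ... </Block> sections with `Key value` lines into nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened, closed = _OPEN.match(line), _CLOSE.match(line)
        current = stack[-1] if stack else root
        if opened:
            child = {}
            current[opened.group(1)] = child
            stack.append(child)
        elif closed:
            if not stack:
                raise ValueError(f"unexpected </{closed.group(1)}>")
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            current[key] = value.strip().strip('"')
    if stack:
        raise ValueError("unclosed block in config")
    return root


def audit_auth_ldap(cfg):
    """Return the weaknesses a defender would flag in the parsed config, as short strings."""
    findings = []
    ldap, authz = cfg.get("LDAP", {}), cfg.get("Authorization", {})
    url = ldap.get("URL", "")
    tls = ldap.get("TLSEnable", "no").lower() in ("yes", "true")
    if url.startswith("ldap://") and not tls:
        findings.append("plaintext LDAP: bind password and user passwords cross the network "
                        "unencrypted; use ldaps:// or TLSEnable yes with TLSCACertFile")
    if ldap.get("Password"):
        findings.append("inline Password: keep the file root-only (mode 0600) and give the bind "
                        "account no rights beyond directory read")
    if authz.get("RequireGroup", "false").lower() not in ("true", "yes"):
        findings.append("RequireGroup is off: any AD account with a valid certificate can connect")
    if "%u" not in authz.get("SearchFilter", ""):
        findings.append("SearchFilter lacks %u: the looked-up user is not tied to the presented name")
    return findings


if __name__ == "__main__":
    for finding in audit_auth_ldap(parse_auth_ldap(LDAP_CONF)):
        print("-", finding)
```

On the page's file the audit reports the clear-text LDAP transport and the inline password; switching the URL to ldaps:// leaves only the password finding, which is handled by file permissions rather than by the config itself.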

Startup and diagnostics

Now we can try to enable and start our server (the instance name after @ is the name of the configuration file without .conf):

$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server

Checking the startup:

systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Certificate issuance and revocation

Since, in addition to the certificates themselves, keys and other settings are needed, it is much more convenient to wrap all of this into a single profile file. This file is then handed to the user, and the profile is imported on the OpenVPN client. To do this, we will create a settings template and a script that generates the profile.

The contents of the root certificate (ca.crt) and TLS key (ta.key) files must be added to the profile.

Before issuing user certificates, do not forget to set the required certificate validity period in the vars file. It should not be too long; I recommend limiting yourself to a maximum of 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • replace the PUT YOUR... lines with the contents of your own files;
  • in the remote directive, specify the name/address of your gateway;
  • the auth-user-pass directive is used for the additional external authentication.

In the home directory (or another convenient place) we create a script that requests a certificate and builds the profile:

vim ~/make.profile.sh

#!/bin/bash
# Request and sign a client certificate, then wrap it into an .ovpn profile.

if [ -z "$1" ] ; then
    echo "Missing mandatory client name. Usage: $0 vpn-username"
    exit 1
fi

# Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

# Get current year and lowercase client name (the lowercase name is used for the CN and all files)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"

cd "$basepath" || exit 1

# Refuse to issue a second certificate under a name that already has a profile
if ls "$clntpath/$client".* >/dev/null 2>&1; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"

# Make profile: the template first, then the key and certificate as inline blocks
cp "$clntpath/template.ovpn" "$profile"
chmod 600 "$profile"   # the profile carries the private key; keep it readable by the owner only

echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"
echo "" >> "$profile"

# Re-encode the issued certificate to strip the text header easy-rsa puts before the PEM block
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"

echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo "" >> "$profile"

# Remove tmp file
rm -f "$basepath/$client.crt"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod a+x ~/make.profile.sh

And we can issue our first certificate.

~/make.profile.sh my-first-user

The result is a ready-to-import profile at the path the script prints at the end.

In case of certificate compromise (loss, theft), that certificate must be revoked and the CRL regenerated (the server reads the CRL through the pki symlink, so no restart is needed):

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

Viewing issued and revoked certificates

To view the issued and revoked certificates, simply look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanation:

  • the first line is the server certificate;
  • the first character:
    • V (Valid) - valid;
    • R (Revoked) - revoked.
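Reading index.txt by eye stops working once a few dozen certificates have been issued, and the file's V flag does not tell you that a certificate has already expired. As an added example (not from the article), here is a parser for the OpenSSL CA database format easy-rsa writes, going a step beyond the page by classifying entries against a date and listing the certificates due for renewal within the 180-day limit recommended above. The INDEX_TXT sample and SAMPLE_NOW are constructed; function names are my own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of pki/index.txt. Columns are tab-separated:
# status, expiry, revocation date[,reason], serial, file name, subject DN.
INDEX_TXT = (
    "V\t300615100000Z\t\t01\tunknown\t/CN=myvpngw\n"
    "V\t201210100000Z\t\t02\tunknown\t/CN=my-first-user\n"
    "R\t201215100000Z\t200701093000Z\t03\tunknown\t/CN=lost-laptop\n"
    "V\t200630100000Z\t\t04\tunknown\t/CN=contractor\n"
)

# Constructed "today" so that the example gives reproducible results.
SAMPLE_NOW = datetime(2020, 7, 15, tzinfo=timezone.utc)


def _ts(field):
    """Decode OpenSSL's YYMMDDHHMMSSZ timestamp; an empty field means 'not set'."""
    if not field:
        return None
    return datetime.strptime(field, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """One dict per certificate, in file order (the first entry is the server certificate)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _file, subject = line.split("\t")
        rev_ts, _, reason = revoked.partition(",")
        rdn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        entries.append({
            "status": status,
            "expires": _ts(expiry),
            "revoked": _ts(rev_ts),
            "reason": reason or None,
            "serial": serial,
            "cn": rdn["CN"],
        })
    return entries


def classify(entries, now):
    """Split entries into valid, revoked and expired; a 'V' row can already be expired."""
    out = {"valid": [], "revoked": [], "expired": []}
    for e in entries:
        if e["status"] == "R":
            out["revoked"].append(e["cn"])
        elif e["expires"] <= now:
            out["expired"].append(e["cn"])
        else:
            out["valid"].append(e["cn"])
    return out


def expiring_within(entries, now, days):
    """CNs that are still valid but expire within `days`, i.e. due for renewal."""
    horizon = now + timedelta(days=days)
    return [e["cn"] for e in entries
            if e["status"] == "V" and now < e["expires"] <= horizon]


if __name__ == "__main__":
    entries = parse_index(INDEX_TXT)
    print(classify(entries, SAMPLE_NOW))
    print("renew within 180 days:", expiring_within(entries, SAMPLE_NOW, 180))
```

On a live server replace INDEX_TXT with the contents of /usr/share/easy-rsa/3/pki/index.txt and SAMPLE_NOW with datetime.now(timezone.utc); a small cron job built on expiring_within gives users warning before their profile stops working.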

Network configuration

The last steps are to configure the transport network: routing and firewalls.

Allow connections on the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP forwarding. Note that in a construction like "sudo echo ... > file" the redirection is performed by the unprivileged shell, not by sudo, so the persistent setting is written through tee:

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In a corporate environment there is most likely subnetting, and we need to tell the router(s) how to deliver packets destined for our VPN clients. On the command line we run a command like the following (depending on the equipment used):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

In addition, on the border router interface where the address gw.abc.ru is exposed to the outside, udp/1194 packets must be allowed through.

If the organization has strict security rules, the firewall must also be configured on our VPN server itself. In my opinion, the greatest flexibility comes from configuring the iptables FORWARD chain, although setting it up is not the simplest. A little more on configuring it. The most convenient way is to use "direct rules", stored in the file /etc/firewalld/direct.xml. The current set of rules can be viewed as follows:

$ sudo firewall-cmd --direct --get-all-rule

Before changing the file, make a backup copy of it:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The approximate contents of the file are:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Explanation

These are essentially ordinary iptables rules, only assembled by firewalld after it starts.

The tunnel interface with the default settings is tun0, while the outgoing interface towards the corporate network may differ, for example ens192 or eth0, depending on the platform used. The example file above mixes -o ens192 and -o eth0; use the single name of your server's real outgoing interface in every rule, otherwise traffic matched by the rule with the wrong interface name (here, DNS) falls through to the logging rule and is dropped.

The last line logs the packets that are dropped, i.e. everything from tun0 that no earlier ACCEPT rule matched. For logging to work, the debug level in the firewall settings must be changed:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

The settings are applied with the usual firewalld command to re-read the configuration:

$ sudo firewall-cmd --reload

The dropped packets can be viewed like this:

grep forward_fw /var/log/messages
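A raw grep shows tunnel addresses, not people. As an added example (my own code, not the article's), the following parses the kernel LOG lines produced by the rule above together with the openvpn-status.log file named by the status directive in server.conf, so that each dropped flow is attributed to the certificate CN that currently holds the source address. Both the MESSAGES and STATUS_LOG samples are constructed; the status file layout is OpenVPN's default (version 1) format.

```python
import re
from collections import Counter

# Constructed lines of the kind `grep forward_fw /var/log/messages` returns (plus one unrelated line).
MESSAGES = """\
Jul 15 10:23:45 gw kernel: forward_fw IN=tun0 OUT=eth0 MAC= SRC=172.16.20.6 DST=172.16.19.250 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 15 10:23:46 gw kernel: forward_fw IN=tun0 OUT=eth0 MAC= SRC=172.16.20.6 DST=172.16.19.250 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 15 10:24:02 gw kernel: forward_fw IN=tun0 OUT=eth0 MAC= SRC=172.16.20.10 DST=172.16.16.16 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=9 PROTO=UDP SPT=40001 DPT=53 LEN=51
Jul 15 10:24:03 gw sshd[1234]: Accepted publickey for admin from 172.16.19.5 port 50022 ssh2
"""

# Constructed openvpn-status.log in OpenVPN's default status format.
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Wed Jul 15 10:24:00 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
my-first-user,203.0.113.7:51200,12345,67890,Wed Jul 15 09:58:01 2020
contractor,198.51.100.9:4120,2048,4096,Wed Jul 15 10:10:30 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
172.16.20.6,my-first-user,203.0.113.7:51200,Wed Jul 15 10:23:58 2020
172.16.20.10,contractor,198.51.100.9:4120,Wed Jul 15 10:24:01 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

_KV = re.compile(r"(\w+)=(\S*)")


def parse_status_log(text):
    """Map each client's tunnel address to its certificate CN using the ROUTING TABLE section."""
    mapping, in_table = {}, False
    for line in text.splitlines():
        if line == "ROUTING TABLE":
            in_table = True
        elif line in ("GLOBAL STATS", "END"):
            in_table = False
        elif in_table and not line.startswith("Virtual Address"):
            vaddr, cn, *_ = line.split(",")
            mapping[vaddr] = cn
    return mapping


def parse_forward_log(text, prefix="forward_fw "):
    """KEY=VALUE fields of every kernel LOG line carrying our prefix; other lines are skipped.
    Bare flags such as DF and SYN carry no '=' and are intentionally ignored."""
    records = []
    for line in text.splitlines():
        _, sep, rest = line.partition(f"kernel: {prefix}")
        if sep:
            records.append(dict(_KV.findall(rest)))
    return records


def dropped_summary(messages, status_log):
    """Count dropped flows per (user, destination, proto, dport), most frequent first.
    Addresses with no current session are reported as the bare address."""
    who = parse_status_log(status_log)
    counts = Counter()
    for r in parse_forward_log(messages):
        user = who.get(r.get("SRC"), r.get("SRC"))
        counts[(user, r.get("DST"), r.get("PROTO"), r.get("DPT"))] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (user, dst, proto, dport), n in dropped_summary(MESSAGES, STATUS_LOG):
        print(f"{n:4d}  {user:15s} -> {dst}:{dport}/{proto}")
```

On the sample data this attributes two blocked RDP attempts to my-first-user and one blocked DNS query to contractor; the latter is exactly what you see when the DNS rule names an outgoing interface the server does not have, as discussed under Explanation above.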

What's next

This completes the setup!

All that remains is to install the client software on the client side, import the profile and connect. For Windows operating systems the installer is available on the developer's website.

Finally, we connect our new server to the monitoring and backup systems, and do not forget to install updates regularly.

Stable connections!

Source: www.habr.com
