Organizing remote work for an SMB organization on OpenVPN

Problem statement

This article describes how to organize remote access for employees using open-source products. It can be used both to build a fully autonomous system and to scale out an existing commercial system when it runs short of licenses or its performance is insufficient.

The goal of the article is to implement a complete system for providing remote access to an organization, which is more than "installing OpenVPN in 10 minutes."

As a result, we get a system in which certificates and (optionally) the enterprise Active Directory are used to authenticate users. That is, we get a system with two authentication factors: what I have (a certificate) and what I know (a password).

The sign that a user is allowed to connect is membership in the myVPNUsr group. The certificate authority will be used offline.

The cost of implementing the solution is modest hardware resources and 1 hour of a system administrator's work.

We will use a virtual machine with OpenVPN and Easy-RSA version 3 on CentOS 7, with 100 vCPUs and 4 GiB RAM allocated for 4 connections.

As an example, our organization's network is 172.16.0.0/16; the VPN server with address 172.16.19.123 sits in the 172.16.19.0/24 segment, the DNS servers are 172.16.16.16 and 172.16.17.17, and 172.16.20.0/23 is allocated to VPN clients.

For connecting from outside, port 1194/udp is used, and an A record gw.abc.ru is created in DNS for our server.

Disabling SELinux is strongly discouraged! OpenVPN works without disabling the security policies.

Contents

  1. Installing the OS and application software
  2. Setting up cryptography
  3. Configuring OpenVPN
  4. AD authentication
  5. Starting and diagnostics
  6. Issuing and revoking certificates
  7. Network setup
  8. What's next

Installing the OS and application software

We use the CentOS 7.8.2003 distribution. We need to install the OS in a minimal configuration. This is convenient to do with kickstart, by cloning a pre-installed OS image, or by other means.

After installation, having assigned an address to the network interface (172.16.19.123 per the task statement), we update the OS:

$ sudo yum update -y && reboot

It is also necessary to make sure that time synchronization is running on our machine.
To install the application software you need the openvpn, openvpn-auth-ldap and easy-rsa packages, plus vim as the main editor (the EPEL repository is required).

$ sudo yum install epel-release
$ sudo yum install openvpn openvpn-auth-ldap easy-rsa vim

It is useful to install the virtual machine guest agent:

$ sudo yum install open-vm-tools

for VMware ESXi hosts, or for oVirt

$ sudo yum install ovirt-guest-agent

Setting up cryptography

Go to the easy-rsa directory:

$ cd /usr/share/easy-rsa/3/

Create the variables file:

$ sudo vim vars

with the following content:

export KEY_COUNTRY="RU"
export KEY_PROVINCE="MyRegion"
export KEY_CITY="MyCity"
export KEY_ORG="ABC LLC"
export KEY_EMAIL="[email protected]"
export KEY_CN="allUsers"
export KEY_OU="allUsers"
export KEY_NAME="gw.abc.ru"
export KEY_ALTNAMES="abc-openvpn-server"
export EASYRSA_CERT_EXPIRE=3652

Here the parameters of the hypothetical organization ABC LLC are described; you can correct them to real ones or leave them as in the example. The most important parameter is the last line, which sets the certificate validity period in days. The example uses a value of 10 years (365*10+2 leap days). This value will need to be adjusted before issuing user certificates.

Next, we set up the autonomous certificate authority.

The setup consists of exporting the variables, initializing the CA, issuing the CA root key and certificate, the Diffie-Hellman key, the TLS key, and the server key and certificate. The CA key must be carefully protected and kept secret! All prompted parameters can be left at their defaults.

cd /usr/share/easy-rsa/3/
. ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa gen-req myvpngw nopass
./easyrsa sign-req server myvpngw
./easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

This completes the main part of setting up the cryptographic subsystem.

Configuring OpenVPN

Go to the OpenVPN directory, create the service directories and add a link to easy-rsa:

cd /etc/openvpn/
mkdir /var/log/openvpn/ /etc/openvpn/ccd /usr/share/easy-rsa/3/client
ln -s /usr/share/easy-rsa/3/pki/ /etc/openvpn/

Create the main OpenVPN configuration file:

$ sudo vim server.conf

with the following content

port 1194
proto udp
dev tun
# CA, server certificate and key issued in the previous section
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/myvpngw.crt
key /etc/openvpn/pki/private/myvpngw.key
# certificate revocation list; regenerate it with "easyrsa gen-crl" after every revoke
crl-verify /etc/openvpn/pki/crl.pem
dh /etc/openvpn/pki/dh.pem
# client address pool 172.16.20.0/23
server 172.16.20.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# routes pushed to clients; the corporate network in this example is 172.16.0.0/16
push "route 172.16.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.16.16"
push "dhcp-option DNS 172.16.17.17"
keepalive 10 120
cipher AES-256-CBC
# drop privileges after start-up
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
# second factor: the AD user name becomes the session's common name and
# the LDAP plugin checks the password and group membership
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

Some notes on the parameters:

  • if a different name was specified when issuing the server certificate, use it in the cert and key lines;
  • specify an address pool that suits your needs*;
  • there may be one or more routes and DNS servers;
  • the last 2 lines are needed for authentication via AD**.

*The address range chosen in the example allows up to 127 clients to connect simultaneously, because a /23 network is used and OpenVPN creates a subnet for each client with a /30 mask.
If necessary, the port and protocol can be changed; however, keep in mind that changing the port number will require configuring SELinux, and using the tcp protocol will add overhead, because TCP delivery control is already performed at the level of the packets encapsulated in the tunnel.

**If authentication via AD is not needed, comment these lines out, skip the next section, and remove the auth-user-pass line from the template.

AD authentication

To support the second factor, we use account authentication via AD.

We need a domain account with ordinary user rights and a group whose membership determines the ability to connect.

Create the configuration file:

/etc/openvpn/ldap.conf

with the following content

<LDAP>
        URL             "ldap://ldap.abc.ru"
        BindDN          "CN=bindUsr,CN=Users,DC=abc,DC=ru"
        Password        b1ndP@SS
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>
<Authorization>
        BaseDN          "OU=allUsr,DC=abc,DC=ru"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=myGrp,DC=abc,DC=ru"
                SearchFilter    "(cn=myVPNUsr)"
                MemberAttribute "member"
        </Group>
</Authorization>

Key parameters:

  • URL "ldap://ldap.abc.ru" - the domain controller address;
  • BindDN "CN=bindUsr,CN=Users,DC=abc,DC=ru" - the canonical name for binding to LDAP (account bindUsr in the abc.ru/Users container);
  • Password b1ndP@SS - the bind user's password;
  • BaseDN "OU=allUsr,DC=abc,DC=ru" - the path from which the user search starts;
  • BaseDN "OU=myGrp,DC=abc,DC=ru" - the container of the allowing group (the myVPNUsr group in the abc.ru/myGrp container);
  • SearchFilter "(cn=myVPNUsr)" - the name of the allowing group.

Starting and diagnostics

Now we can try to enable and start our server:

$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server

Checking the startup:

systemctl status openvpn@server
journalctl -xe
cat /var/log/messages
cat /var/log/openvpn/*log

Issuing and revoking certificates

Since, in addition to the certificates themselves, keys and other settings are needed, it is very convenient to wrap all of this in a single profile file. This file is then handed to the user, and the profile is imported into the OpenVPN client. To do this, we create a settings template and a script that generates the profile.

The contents of the root certificate (ca.crt) and TLS key (ta.key) files need to be added to the profile.

Before issuing user certificates, don't forget to set the required certificate validity period in the parameters file. Don't make it too long; I recommend limiting it to 180 days.

vim /usr/share/easy-rsa/3/vars

...
export EASYRSA_CERT_EXPIRE=180

vim /usr/share/easy-rsa/3/client/template.ovpn

client
dev tun
proto udp
remote gw.abc.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
PUT YOUR CA CERT (ca.crt) HERE
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PUT YOUR TA KEY (ta.key) HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Notes:

  • replace the PUT YOUR... lines with the contents of your certificates;
  • in the remote directive, specify the name/address of your gateway;
  • the auth-user-pass directive is used for the additional external authentication.

In the home directory (or another convenient place) we create a script that requests a certificate and creates the profile:

vim ~/make.profile.sh

#!/bin/bash

if [ -z "$1" ] ; then
 echo "Missing mandatory client name. Usage: $0 vpn-username"
 exit 1
fi

#Set variables
basepath=/usr/share/easy-rsa/3
clntpath=$basepath/client
privpath=$basepath/pki/private
certpath=$basepath/pki/issued

#Get current year and lowercase client name (the same lowercase name is used everywhere below)
year=$(date +%Y)
client=${1,,}
profile=$clntpath/$client.ovpn
echo "Processing $year year cert for user/device $client"

cd "$basepath" || exit 1

#Refuse to issue twice: a profile or private key with this name already exists
if [ -e "$profile" ] || [ -e "$privpath/$client.key" ]; then
    echo "*** ERROR! ***"
    echo "Certificate $client already issued!"
    echo "*** ERROR! ***"
    exit 1
fi

. ./vars
./easyrsa --batch --req-cn="$client" gen-req "$client" nopass
./easyrsa --batch sign-req client "$client"

#Make profile (it contains a private key, so keep it readable by the owner only)
cp "$clntpath/template.ovpn" "$profile"
chmod 600 "$profile"

echo "<key>" >> "$profile"
cat "$privpath/$client.key" >> "$profile"
echo "</key>" >> "$profile"

echo "" >> "$profile"
#Strip the human-readable text block Easy-RSA puts in front of the PEM certificate
openssl x509 -in "$certpath/$client.crt" -out "$basepath/$client.crt"

echo "<cert>" >> "$profile"
cat "$basepath/$client.crt" >> "$profile"
echo "</cert>" >> "$profile"
echo "" >> "$profile"

#remove tmp file
rm -f "$basepath/$client.crt"

echo "Complete. See $profile file."

cd ~

Make the file executable:

chmod a+x ~/make.profile.sh

Now we can issue our first certificate.

~/make.profile.sh my-first-user

Revocation

In case of certificate compromise (loss, theft), the certificate must be revoked:

cd /usr/share/easy-rsa/3/
./easyrsa revoke my-first-user
./easyrsa gen-crl

Viewing issued and revoked certificates

To view issued and revoked certificates, simply look at the index file:

cd /usr/share/easy-rsa/3/
cat pki/index.txt

Explanations:

  • the first line is the server certificate;
  • the first character:
    • V (Valid) - valid;
    • R (Revoked) - revoked.
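Reading index.txt by eye works for a handful of users; the shell functions below are an added example, not part of the original article, and parse the same file so that valid and revoked entries can be counted and certificates expiring soon can be listed. The format assumed is the OpenSSL CA database that Easy-RSA 3 writes: tab-separated status, expiry, revocation date, serial, file name and DN, with two-digit years. The index written by make_sample_index is constructed for the demo; on the server you would point the functions at /usr/share/easy-rsa/3/pki/index.txt.

```bash
#!/bin/bash
# Added example: parse Easy-RSA's pki/index.txt. Not part of the original article.
# Columns (tab-separated):
#   status  expiry(YYMMDDHHMMSSZ)  revoked(YYMMDDHHMMSSZ or empty)  serial  filename  DN
# status is V (valid), R (revoked) or E (expired, written by "easyrsa update-db").

# Number of entries with the given status letter.   usage: count_status index.txt V
count_status() {
    awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }' "$1"
}

# One line per certificate: status, CN, expiry date, serial.
summarize_index() {   # usage: summarize_index index.txt
    awk -F'\t' '
    {
        if ($1 == "V")      st = "valid"
        else if ($1 == "R") st = "revoked"
        else if ($1 == "E") st = "expired"
        else                st = $1
        cn = $6; sub(/^.*\/CN=/, "", cn)
        # UTCTime has a two-digit year; assume 20xx
        expiry = "20" substr($2, 1, 2) "-" substr($2, 3, 2) "-" substr($2, 5, 2)
        printf "%-8s %-20s expires %s serial %s\n", st, cn, expiry, $4
    }' "$1"
}

# CNs of still-valid certificates expiring on or before cutoff (YYMMDD).
# On the server: list_expiring pki/index.txt "$(date -d '+30 days' +%y%m%d)"
list_expiring() {   # usage: list_expiring index.txt YYMMDD
    awk -F'\t' -v cutoff="$2" '
    $1 == "V" && substr($2, 1, 6) <= cutoff {
        cn = $6; sub(/^.*\/CN=/, "", cn); print cn
    }' "$1"
}

# Constructed sample index for the demo (not a real pki/).
make_sample_index() {   # usage: make_sample_index path
    printf 'V\t300601120000Z\t\t01\tunknown\t/CN=myvpngw\n'                     > "$1"
    printf 'V\t201215120000Z\t\t02\tunknown\t/CN=alice\n'                      >> "$1"
    printf 'R\t201220120000Z\t200701090000Z\t03\tunknown\t/CN=my-first-user\n' >> "$1"
    printf 'V\t210101120000Z\t\t04\tunknown\t/CN=bob\n'                        >> "$1"
}
```

list_expiring is the one worth putting in cron with the 180-day validity recommended above: it tells you which users need a new profile before their old one stops working.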

Network setup

The final steps are configuring the transport network: routing and firewalls.

Allow connections on the local firewall:

$ sudo firewall-cmd --add-service=openvpn
$ sudo firewall-cmd --add-service=openvpn --permanent

Next, enable IP traffic forwarding:

$ sudo sysctl net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/50-sysctl.conf

In an enterprise there is likely to be subnetting, and we need to tell the router(s) how to deliver packets destined for our VPN clients. On the router's command line we enter a command of the form (depending on the equipment used):

# ip route 172.16.20.0 255.255.254.0 172.16.19.123

and save the configuration.

In addition, on the border router's interface that carries the external address gw.abc.ru, udp/1194 packets must be allowed through.

If the organization has strict security rules, the firewall should also be configured on the VPN server itself. In my opinion, the most flexibility comes from configuring the iptables FORWARD chain, although configuring it is less convenient. For this it is most convenient to use "direct rules", stored in the file /etc/firewalld/direct.xml. The current rule configuration can be obtained as follows:

$ sudo firewall-cmd --direct --get-all-rule

Before changing the file, make a backup copy of it:

cp /etc/firewalld/direct.xml /etc/firewalld/direct.xml.`date +%F.%T`.bak

The approximate contents of the file:

<?xml version="1.0" encoding="utf-8"?>
<direct>
 <!--Common Remote Services-->
  <!--DNS-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o ens192 -p udp --dport 53 -j ACCEPT</rule>
  <!--web-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.200 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p tcp -d 172.16.19.201 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--Some Other Systems-->
    <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -p udp -d 172.16.19.100 --dport 7000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT</rule>
  <!--just logging-->
    <rule priority="1" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o eth0 -j LOG --log-prefix 'forward_fw '</rule>
</direct>

Explanations

These are ordinary iptables rules, just written in a different form since the arrival of firewalld.

The local interface with the default settings is tun0, and the tunnel's external interface may differ, e.g. ens192, depending on the platform used.

The last line logs dropped packets. For logging to work, you need to change the debug level in the firewalld configuration:

vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=2

Applying the settings is the usual firewalld command to reload the configuration:

$ sudo firewall-cmd --reload

You can view the dropped packets like this:

grep forward_fw /var/log/messages
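The grep above shows raw kernel lines. The example below is added here and is not part of the original article: it aggregates the forward_fw lines into flows so that a client repeatedly hitting blocked destinations, or one client probing many ports through the tunnel, is visible at a glance. The log format assumed is the standard iptables LOG output as it appears in /var/log/messages; make_sample_log writes a few constructed lines for the demo, and the interface and address values in them are illustrative.

```bash
#!/bin/bash
# Added example: summarize packets that hit the 'forward_fw ' LOG rule.
# Not part of the original article.

# Print "count src dst proto dport", most frequent flow first.
top_blocked() {   # usage: top_blocked /var/log/messages
    grep 'forward_fw' "$1" | awk '
    {
        src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        n[src " " dst " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# "count src": number of distinct blocked destination ports per VPN client.
# A client with many distinct ports is worth a closer look.
ports_per_client() {   # usage: ports_per_client /var/log/messages
    top_blocked "$1" | awk '
    { seen[$2 " " $5]++ }
    END {
        for (k in seen) { split(k, a, " "); c[a[1]]++ }
        for (s in c) print c[s], s
    }' | sort -k1,1nr -k2,2
}

# Constructed sample log for the demo (not a real /var/log/messages).
make_sample_log() {   # usage: make_sample_log path
    cat > "$1" <<'EOF'
Jun  5 10:01:02 gw kernel: forward_fw IN=tun0 OUT=ens192 SRC=172.16.20.6 DST=172.16.19.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  5 10:01:03 gw kernel: forward_fw IN=tun0 OUT=ens192 SRC=172.16.20.6 DST=172.16.19.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1002 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  5 10:01:05 gw kernel: forward_fw IN=tun0 OUT=ens192 SRC=172.16.20.6 DST=172.16.19.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1003 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  5 10:02:00 gw kernel: forward_fw IN=tun0 OUT=ens192 SRC=172.16.20.10 DST=172.16.19.201 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=TCP SPT=40000 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  5 10:02:01 gw kernel: forward_fw IN=tun0 OUT=ens192 SRC=172.16.20.10 DST=172.16.19.201 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2002 DF PROTO=TCP SPT=40001 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  5 10:02:02 gw kernel: forward_fw IN=tun0 OUT=ens192 SRC=172.16.20.10 DST=172.16.19.50 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=2003 PROTO=UDP SPT=5000 DPT=161 LEN=48
Jun  5 10:03:00 gw sshd[1234]: Accepted publickey for admin from 172.16.19.5 port 50000 ssh2
EOF
}
```

Because the LOG rule only sees packets that no ACCEPT rule above it matched, a flow that keeps appearing here is either a missing rule in direct.xml or a client doing something it should not; ports_per_client helps tell the two apart.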

What's next

This completes the setup!

All that remains is to install the client software on the client side, import the profile and connect. For Windows, the distribution is available on the developer's website.

Finally, we connect our new server to the monitoring and backup systems, and don't forget to install updates regularly.

Stable connections!

Source: www.habr.com
