This article describes configuring an OpenVPN server to enable two-factor authentication with a Telegram bot that sends a confirmation request when you connect.
OpenVPN is a well-known, free, open-source VPN server widely used to give employees secure access to an organization's internal resources.
A combination of a key and a user login/password is commonly used to authenticate connections to a VPN server. However, a password saved on the client turns the whole set into a single factor that does not provide an adequate level of security. An attacker who gains access to the client computer also gains access to the VPN server. This is especially true for connections from machines running Windows.
Using a second factor reduces the risk of unauthorized access by 99% and does not complicate the connection process for users at all.
A caveat up front: to implement this you will need to connect a third-party authentication server, multifactor.ru, where you can use the free plan for your needs.
How it works
- OpenVPN uses the openvpn-plugin-auth-pam plugin for authentication
- The plugin checks the user's password on the server and requests the second factor over the RADIUS protocol from the Multifactor service
- Multifactor sends the user a message via a Telegram bot asking to confirm access
- The user confirms the access request in the Telegram chat and is connected to the VPN
Installing the OpenVPN server
There are many articles on the Internet describing how to install and configure OpenVPN, so we will not repeat them. If you need help, there are a few links to tutorials at the end of the article.
Setting up Multifactor
Go to
Once it is created, two parameters will be available to you: NAS-Identifier and Shared Secret; they will be needed for the configuration that follows.
In the "Groups" section, go to the settings of the "All users" group and clear the "All resources" flag so that only users of a specific group can connect to the VPN server.
Create a new group "VPN users", disable all authentication methods except Telegram, and specify that its users have access to the VPN resource you created.
In the "Users" section, create the users who will have access to the VPN, add them to the "VPN users" group, and send them a link to set up the second authentication factor. The user login must match the login on the VPN server.
Configuring the OpenVPN server
Open the file /etc/openvpn/server.conf and add the plugin for authentication using the PAM module
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
The plugin may be located in the /usr/lib/openvpn/plugins/ or /usr/lib64/openvpn/plugins/ directory, depending on your system.
Next, you need to install the pam_radius_auth module
$ sudo yum install pam_radius
Open the file /etc/pam_radius.conf for editing and specify the address of the Multifactor RADIUS server
radius.multifactor.ru shared_secret 40
where:
- radius.multifactor.ru - the server address
- shared_secret - copy it from the corresponding parameter in the VPN settings
- 40 seconds - the request timeout, with a large margin
The remaining servers must be deleted or commented out (put a semicolon at the beginning)
Next, create a file for the openvpn service type
$ sudo vi /etc/pam.d/openvpn
and write the following into it
auth required pam_radius_auth.so skip_passwd client_id=[NAS-IDentifier]
auth substack password-auth
account substack password-auth
The first line loads the pam_radius_auth PAM module with these parameters:
- skip_passwd - disables sending the user's password to the Multifactor RADIUS server (it does not need to know it).
- client_id - replace [NAS-Identifier] with the corresponding parameter from the VPN resource settings.
All possible parameters are described in the module documentation.
The second and third lines include the system verification of the login, password and user rights on your server alongside the second authentication factor.
Restart OpenVPN
$ sudo systemctl restart openvpn@server
Client setup
Add a prompt for the user login and password to the client configuration file
auth-user-pass
Testing
Launch the OpenVPN client, connect to the server, and enter your username and password. The Telegram bot will send an access request with two buttons
One button allows access, the other blocks it.
Now you can safely save your password on the client; the second factor will reliably protect your OpenVPN server from unauthorized access.
If something does not work
Check in order that you have not missed anything:
- A user exists on the OpenVPN server and has a password set
- The server can reach radius.multifactor.ru on UDP port 1812
- The NAS-Identifier and Shared Secret parameters are specified correctly
- A user with the same login has been created in Multifactor and has been granted access through the VPN users group
- The user has set up the Telegram authentication method
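The file-level items of this checklist can be verified with a script. The following is an added example, not part of the original article: the function names are this example's own, and it assumes the file layouts shown above. It also checks that the file holding the shared secret is readable by its owner only.

```shell
#!/bin/sh
# Added example: static checks for /etc/pam_radius.conf and /etc/pam.d/openvpn.

# Active server lines: skips blanks and lines starting with '#' or, as the
# article suggests for disabling entries, ';'.
active_servers() {
    grep -Ev '^[[:space:]]*([#;]|$)' "$1"
}

# $1 = pam_radius.conf-style file, $2 = expected RADIUS host
check_radius_conf() {
    n=$(active_servers "$1" | wc -l)
    [ "$n" -eq 1 ] || { echo "FAIL: $n active server lines, expected 1"; return 1; }
    srv=$(active_servers "$1" | awk '{print $1}')
    secret=$(active_servers "$1" | awk '{print $2}')
    [ "$srv" = "$2" ] || { echo "FAIL: server is '$srv', expected '$2'"; return 1; }
    case $secret in
        ''|shared_secret) echo "FAIL: shared secret missing or still the placeholder"; return 1 ;;
    esac
    # The file stores the shared secret in clear text: allow owner access only.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $1 is accessible to group/other"; return 1; }
    echo "OK: $1"
}

# $1 = PAM service file such as /etc/pam.d/openvpn
check_pam_service() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_radius_auth\.so' "$1" | head -n 1)
    [ -n "$line" ] || { echo "FAIL: no auth line loads pam_radius_auth.so"; return 1; }
    case $line in
        *skip_passwd*) ;;
        *) echo "FAIL: skip_passwd missing from the pam_radius_auth line"; return 1 ;;
    esac
    id=$(printf '%s\n' "$line" | sed -n 's/.*client_id=\([^[:space:]]*\).*/\1/p')
    case $id in
        ''|\[*) echo "FAIL: client_id missing or still the [NAS-Identifier] placeholder"; return 1 ;;
    esac
    echo "OK: $1"
}

# Run as: sh check.sh /etc/pam_radius.conf /etc/pam.d/openvpn
if [ "$#" -eq 2 ]; then
    check_radius_conf "$1" radius.multifactor.ru && check_pam_service "$2"
fi
```

The script never prints the shared secret itself, so its output can be pasted into a support ticket.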
If you have not set up OpenVPN before, read
The commands in this article were written using CentOS 7 as the example.
Source: www.habr.com