Emergency OpenConnect VPN server with two-factor authentication on CentOS 8

Preface


In mid-March, on a Sunday evening, I got a phone call whose essence was that 200+ people would not be coming to the office on Monday but would be moving to remote work. That phrase, one half of it "remote" and the other half "scale", kept spinning around in my admin's head.


It is not that we had no remote access to internal resources at all: a handful of IT specialists used an IPsec VPN (Shrew Soft VPN client + pfSense) for emergency access to the information systems they support. The Shrew Soft VPN client has a peculiarity: after a successful connection with a large number of IPv4 routes, routing stops working. Restarting the Windows service or rebooting the endpoint fixes it. The prospect of explaining this nuance to colleagues an unlimited number of times a day brought on nervous tics and trembling in all four limbs.


The agony of choice


I set the following requirements for an organisation-wide office VPN solution:

  1. Simple setup. Ideally someone else could manage it on their own;
  2. Clients available for the popular operating systems;
  3. Password authentication against Active Directory; issuing keys (certificates) in an emergency was not part of my plan;
  4. Two-factor authentication, preferably free;
  5. Minimal investment, ideally free, since the 2020 IT equipment budget did not foresee the cost of a remote-access gateway;
  6. And predictable stability and performance.

Candidates considered: WireGuard, openvpn-gui, …, SoftEther VPN, …, Shrew Soft. The choice fell on OpenConnect VPN Server + OpenConnect SSL VPN Client: 1 …, TCP, …, LDAP, …! The Cisco AnyConnect client works with it too :)



Installation on CentOS 8. On CentOS 8 the console needs glibc-langpack-en and a Cyrillic-capable font (UniCyr_8x16) before Russian text is readable; the font is made persistent in /etc/vconsole.conf:

dnf install glibc-langpack-en
setfont UniCyr_8x16
# and in /etc/vconsole.conf: FONT="UniCyr_8x16"

Firewall configuration. Everything arriving on the external interface is dropped except the VPN service. The caveat of making trusted the default zone is that any interface added later without an explicit zone assignment is fully open:


# Make trusted the default zone. Interfaces not explicitly assigned to a zone,
# including the vpns* tunnel devices that ocserv creates, end up here.
# With the nftables backend firewalld also filters forwarded traffic, and the
# trusted zone is what lets traffic from the tunnels be forwarded.
firewall-cmd --set-default-zone=trusted
# Define a firewalld service for ocserv (443/tcp and 443/udp)
firewall-cmd --permanent --new-service=ocserv
firewall-cmd --permanent --service=ocserv --set-description="OpenConnect SSL VPN Server"
firewall-cmd --permanent --service=ocserv --add-port=443/tcp
firewall-cmd --permanent --service=ocserv --add-port=443/udp
# Put the external interface (ens192 here) into the drop zone
firewall-cmd --zone=drop --change-interface=ens192 --permanent
firewall-cmd --reload
# In the drop zone allow only the ocserv service
firewall-cmd --zone=drop --permanent --add-service=ocserv
firewall-cmd --reload

The OpenConnect SSL VPN server can authenticate users through PAM. For "end-to-end" authentication of Active Directory users, join the new server to the domain:


# Packages needed to join the domain
dnf install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation

Check that the Active Directory infrastructure is reachable:
realm  discover mydomain.ru

mydomain.ru
type: kerberos
realm-name: MYDOMAIN.RU
domain-name: mydomain.ru
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools

# Join Active Directory
realm join mydomain.ru -U Username

The configuration file of the System Security Services Daemon, /etc/sssd/sssd.conf, is generated automatically. The not-yet-installed ocserv VPN service has to be added to it (ad_gpo_map_remote_interactive = +ocserv): SSSD applies the AD logon-right GPOs per PAM service name, and a PAM service it has no mapping for is denied by default when GPO access control is enforced, so ocserv is mapped to the remote-interactive logon right. The use_fully_qualified_names parameter controls the username format (user@mydomain.ru).
Listing of /etc/sssd/sssd.conf
[sssd]
domains = mydomain.ru
config_file_version = 2
services = nss, pam
default_domain_suffix = mydomain.ru

[domain/mydomain.ru]
ad_domain = mydomain.ru
ad_gpo_map_remote_interactive = +ocserv
krb5_realm = MYDOMAIN.RU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

Enable and start the SSSD service:

systemctl enable sssd
systemctl start sssd

The set of users allowed to log in can be restricted. In this case I allow all domain users to connect to the server:

realm permit --all

At this stage, SSH login to the server should already work for domain users (in the user@mydomain.ru form).

When choosing a module for the second factor (two-step authentication) I looked at the cost of Duo Security and its out-of-the-box support, and settled on TOTP (Time-based One-Time Password) as implemented by Google Authenticator. In this scheme accurate server time is critical: the phone and the server each derive the code from their own clock, so a server that drifts beyond the accepted window rejects every valid code. Check that the chronyd daemon is synchronised with chronyc sources:

Output of chronyc sources (the ^* line is the currently selected source):
210 Number of sources = 2
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^- ntp1.vniiftri.ru 1 6 17 1 -171us[ -171us] ± 2166us
^* ntp2.vniiftri.ru 1 6 17 1 -237us[ -57us] ± 2494us

Install Google Authenticator (the PAM module and the enrolment tool come from the EPEL package):

dnf install epel-release
dnf install google-authenticator qrencode-libs

Next, run the google-authenticator command on the server as the user in question (sudo su - DomainUser@mydomain.ru: the fully qualified form that use_fully_qualified_names = True requires, and a login shell so that the home directory is created, because the secret is stored in ~/.google_authenticator) and answer yes to all of its questions to obtain the secret / QR code for the Google Authenticator app on the user's smartphone (iOS, Google Play).
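The following Python script is an added illustration and not code from the article, from ocserv or from the google-authenticator project. It shows what the enrolment step above produces and how pam_google_authenticator later checks a code: the layout of the ~/.google_authenticator file, the otpauth:// URI behind the QR code, RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits), and the WINDOW_SIZE skew tolerance that is the reason the chronyd check above matters. DomainUser and vpn.mydomain.ru are taken from the article; the 160-bit secret length, the exact option lines written to the file and the ocserv issuer label are assumptions, and the DISALLOW_REUSE bookkeeping of the real module is left out.

```python
"""TOTP as pam_google_authenticator sees it: the enrolment file and the code check.

Added illustration, not code from the article, ocserv or the google-authenticator
project. Assumptions are marked in the comments.
"""
import base64
import hashlib
import hmac
import os
import secrets
import struct
import time

STEP = 30    # Google Authenticator uses 30-second time steps
DIGITS = 6   # and 6-digit codes


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP over the time-step counter. The phone and the server each
    compute this from their own clock, hence the need for a synchronised server."""
    return hotp(secret, unix_time // step, digits)


def enroll(user, host="vpn.mydomain.ru", issuer="ocserv"):
    """Produce what the google-authenticator tool produces: the contents of
    ~/.google_authenticator and the otpauth:// URI encoded in the QR code.
    Assumptions: a 160-bit secret (the RFC 4226 minimum; the tool's default may
    differ) and the option lines below, which correspond to answering yes to the
    tool's questions (rate limit, TOTP mode, no code reuse, default window)."""
    raw = secrets.token_bytes(20)
    b32 = base64.b32encode(raw).decode()        # 32 chars, no '=' padding for 20 bytes
    scratch = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(5)]  # emergency codes
    lines = [b32, '" RATE_LIMIT 3 30', '" WINDOW_SIZE 3', '" DISALLOW_REUSE',
             '" TOTP_AUTH', *scratch]
    uri = f"otpauth://totp/{issuer}:{user}@{host}?secret={b32}&issuer={issuer}"
    return "\n".join(lines) + "\n", uri


def write_secret_file(path, text):
    """pam_google_authenticator refuses a secret file that others can read:
    create it 0400, owned by the user (so run this as that user, not as root)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def parse_secret_file(text):
    """Line 1: base32 secret; lines starting with '"': options; the rest: scratch codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = base64.b32decode(lines[0])
    options, scratch = {}, set()
    for ln in lines[1:]:
        if ln.startswith('"'):
            name, *args = ln[1:].split()
            options[name] = args
        else:
            scratch.add(ln)
    return secret, options, scratch


def verify(code, secret, unix_time, window=3):
    """Accept the code if it matches any of `window` consecutive steps centred on
    the server's current step. WINDOW_SIZE semantics: 3 = previous, current and
    next step (about 30 s of skew either way), 17 = roughly +-4 minutes.
    Every step is compared in constant time so timing does not reveal which
    step matched."""
    centre = unix_time // STEP
    half = window // 2
    ok = False
    for step in range(centre - half, centre + half + 1):
        if hmac.compare_digest(code, hotp(secret, step)):
            ok = True
    return ok


if __name__ == "__main__":
    text, uri = enroll("DomainUser")
    secret, options, scratch = parse_secret_file(text)
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    now = int(time.time())
    code = totp(secret, now)                      # what the phone shows right now
    print(uri)
    print("server in sync   :", verify(code, secret, now, window))
    print("server 2 min slow:", verify(code, secret, now - 120, window))
```

With the default WINDOW_SIZE of 3 the second line prints False: a server clock two minutes off rejects every code the phone produces, and the failure looks like a wrong password to the user. Widening the window (the google-authenticator tool offers 17) buys tolerance at the price of more codes being valid at any moment; fixing chronyd is the better answer.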

Install the OpenConnect VPN server:

dnf install ocserv
# start at boot
systemctl enable ocserv

Listing of /etc/ocserv/ocserv.conf
# authentication through the PAM stack /etc/pam.d/ocserv (the value takes plain double quotes)
auth = "pam"
#IPv4
listen-host = 1.1.111.1
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 0

# Session limits, keepalive and dead-peer detection
max-same-clients = 1
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true

# Let's Encrypt certificate (obtained below)
server-cert = /etc/letsencrypt/live/vpn.mydomain.ru/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.mydomain.ru/privkey.pem

########################
cert-user-oid = 0.9.2342.19200300.100.1.1
compression = true
tls-priorities = "@SYSTEM"
auth-timeout = 240
idle-timeout = 1200
mobile-idle-timeout = 2400
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = vpn.mydomain.ru
# Address pool handed out to VPN clients
ipv4-network = 192.168.178.0/24

# DNS for the clients: send all DNS queries through the tunnel to the internal resolver
tunnel-all-dns = true
dns = 192.168.1.1
########################
ping-leases = false

# Routes pushed to VPN clients (split tunnel: only the internal networks)
route = 192.168.1.0/255.255.255.0
route = 192.168.2.0/255.255.255.0
########################
# Cisco AnyConnect compatibility; dtls-legacy keeps the legacy DTLS negotiation for older clients
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml

Next, a Let's Encrypt certificate for the VPN server. … 3-… COVID-19 …. The http-01 challenge needs port 80 reachable from the Internet, so the http service is opened in the drop zone (runtime only, without --permanent) just for the certbot run and removed again afterwards:


firewall-cmd --zone=drop --add-service=http
curl -O  https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
certbot-auto certonly --standalone --preferred-challenges http -d vpn.mydomain.ru
firewall-cmd --zone=drop --remove-service=http

Two caveats. certbot-auto has since been retired by the EFF and is no longer offered for download; on a current system install certbot from EPEL (or as a snap) and run the same certonly command. And the certificate is valid for 90 days: renewal needs port 80 opened again and ocserv told to re-read the files (occtl reload, which use-occtl = true makes available), so both belong in a renewal hook rather than in someone's memory.

Enabling two-factor authentication for the VPN. The PAM module is inserted at the top of the ocserv stack, guarded so that re-running the step does not add it twice (a duplicate entry would prompt for two codes):

grep -q pam_google_authenticator /etc/pam.d/ocserv || \
  sed -i '/^#%PAM-1.0$/a auth       required     pam_google_authenticator.so' /etc/pam.d/ocserv
systemctl start ocserv

Because the module sits first and is marked required, the client is asked for the one-time code before the Active Directory password, and a wrong code does not short-circuit the stack: the password is still requested and the attempt fails as a whole, which does not tell an attacker which factor was wrong. A user who has not run google-authenticator has no ~/.google_authenticator and is refused by the required module, which is the intended behaviour (the module's nullok option would let such users in with a password alone).

Enable IPv4 forwarding so that traffic from the tunnels reaches the internal networks (persistently, and at once for the running kernel):
echo "net.ipv4.ip_forward=1">/etc/sysctl.d/0-ocserv.conf
sysctl -w net.ipv4.ip_forward=1


Connecting with openconnect-gui to vpn.mydomain.ru.




In the Password field enter the OTP from Google Authenticator; Password1 takes the Active Directory password.







...

