CMU OpenVPN Implementation
From CMU ITSC Network
Revision as of 07:34, 14 December 2018 by Supawit (talk | contribs) (→ตั้งค่า Firewall policy / NAT / IP Forwarding)
บทนำ
บทความนี้เป็นการ implement OpenVPN Server ที่ให้ user log in ด้วย account ที่อยู่บน directory ขององค์กรโดยใช้ protocol radius โดยตัวอย่างจะใช้ server เป็น Ubuntu 18.04
การติดตั้ง package ที่จำเป็น
sudo add-apt-repository universe
sudo apt-get update && sudo apt-get install openvpn easy-rsa libgcrypt11-dev build-essential -y
radiusplugin
ติดตั้ง radiusplugin
cd
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
tar xvf radiusplugin_v2.1a_beta1.tar.gz
cd radiusplugin_v2.1a_beta1
sudo make
sudo mkdir /etc/openvpn/radius
sudo cp -r radiusplugin.so /etc/openvpn/radius
ตั้งค่า radiusplugin
สร้างไฟล์ /etc/openvpn/radius/radius.cnf
NAS-Identifier=openvpn
# The service type which is sent to the RADIUS server
Service-Type=5
# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5
# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=10.1.1.1 # ip address ของ OpenVPN Server
# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)
OpenVPNConfig=/etc/openvpn/server.conf
# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1
# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true
# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false
# Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting.
# default is false
# accountingonly=false
# If the accounting is non essential, nonfatalaccounting can be set to true.
# If set to true all errors during the accounting procedure are ignored, which can be
# - radius accounting can fail
# - FramedRouted (if configured) maybe not configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false
# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl
# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe
# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=192.168.0.153
# How many times should the plugin send the if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=mysecret
}
การตั้งค่า OpenVPN Server
สร้าง directory สำหรับเก็บ CA(certificate authority), key pairs,DH, tls-auth-key
cd
make-cadir certificates && cd certificates
ตั้งค่าตัวแปรสำหรับสร้าง CA
แก้ไขไฟล์ vars ในส่วนของตัวแปรต่อไปนี้ตามต้องการ
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
จากนั้นทำการประกาศค่าตัวแปร
ln -s openssl-1.0.0.cnf openssl.cnf
source vars
สร้าง CA
./clean-all && ./build-ca
สร้าง Certificate/Key pairs
./build-key-server server
สร้าง DH
./build-dh
openvpn --genkey --secret keys/ta.key
sudo cp keys/{server.crt,server.key,ca.crt,dh2048.pem,ta.key} /etc/openvpn
ตั้งค่า OpenVPN server
สร้างไฟล์ /etc/openvpn/server.conf ดังนี้
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.10.10.0 255.255.255.0 #ระบุ ip network ที่ต้องการ
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
ตั้งค่า Firewall policy / NAT / IP Forwarding
อนุญาต ssh และ ssl
ufw allow ssh
ufw allow https
ufw enable
เพิ่ม NAT policy โดยแก้ไขไฟล์ /etc/ufw/before.rules เพิ่มบรรทัดต่อไปนี้ที่บรรทัดบนสุดของไฟล์
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o ens3 -j MASQUERADE
COMMIT