Difference between revisions of "CMU OpenVPN Implementation"
From CMU ITSC Network
| (12 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== บทนำ == | == บทนำ == | ||
| − | บทความนี้เป็นการ implement [https://openvpn.net/ OpenVPN] Server ที่ให้ user log in ด้วย account ที่อยู่บน directory ขององค์กรโดยใช้ protocol [https://en.wikipedia.org/wiki/RADIUS radius] โดยตัวอย่างจะใช้ server เป็น Ubuntu 18.04 | + | บทความนี้เป็นการ implement [https://openvpn.net/ OpenVPN] Server ที่ให้ user log in ด้วย account ที่อยู่บน directory ขององค์กรโดยใช้ protocol [https://en.wikipedia.org/wiki/RADIUS radius] โดยตัวอย่างจะใช้ server เป็น '''Ubuntu 18.04''' |
| − | == การติดตั้ง == | + | == การติดตั้ง package ที่จำเป็น == |
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
sudo add-apt-repository universe | sudo add-apt-repository universe | ||
| − | sudo apt-get update && sudo apt-get install openvpn easy-rsa | + | sudo apt-get update && sudo apt-get install openvpn easy-rsa libgcrypt11-dev build-essential -y |
| + | </syntaxhighlight> | ||
| + | == radiusplugin == | ||
| + | === ติดตั้ง radiusplugin === | ||
| + | <syntaxhighlight lang=bash> | ||
| + | cd | ||
| + | wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz | ||
| + | tar xvf radiusplugin_v2.1a_beta1.tar.gz | ||
| + | cd radiusplugin_v2.1a_beta1 | ||
| + | sudo make | ||
| + | sudo mkdir /etc/openvpn/radius | ||
| + | sudo cp -r radiusplugin.so /etc/openvpn/radius | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | === ตั้งค่า radiusplugin === | ||
| + | สร้างไฟล์ '''/etc/openvpn/radius/radius.cnf''' โดยระบุ ip address และ secret ของ radius server ของท่าน | ||
| + | <syntaxhighlight lang=bash> | ||
| + | NAS-Identifier=openvpn | ||
| + | |||
| + | # The service type which is sent to the RADIUS server | ||
| + | Service-Type=5 | ||
| + | |||
| + | # The framed protocol which is sent to the RADIUS server | ||
| + | Framed-Protocol=1 | ||
| + | |||
| + | # The NAS port type which is sent to the RADIUS server | ||
| + | NAS-Port-Type=5 | ||
| + | |||
| + | # The NAS IP address which is sent to the RADIUS server | ||
| + | NAS-IP-Address=10.1.1.1 # ip address ของ OpenVPN Server | ||
| + | |||
| + | # Path to the OpenVPN configfile. The plugin searches there for | ||
| + | # client-config-dir PATH (searches for the path) | ||
| + | # status FILE (searches for the file, version must be 1) | ||
| + | # client-cert-not-required (if the option is used or not) | ||
| + | # username-as-common-name (if the option is used or not) | ||
| + | |||
| + | OpenVPNConfig=/etc/openvpn/server.conf | ||
| + | |||
| + | |||
| + | # Support for topology option in OpenVPN 2.1 | ||
| + | # If you don't specify anything, option "net30" (default in OpenVPN) is used. | ||
| + | # You can only use one of the options at the same time. | ||
| + | # If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK" | ||
| + | subnet=255.255.255.0 | ||
| + | # If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK" | ||
| + | # p2p=10.8.0.1 | ||
| + | |||
| + | |||
| + | # Allows the plugin to overwrite the client config in client config file directory, | ||
| + | # default is true | ||
| + | overwriteccfiles=true | ||
| + | |||
| + | # Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them. | ||
| + | # default is false | ||
| + | # useauthcontrolfile=false | ||
| + | |||
| + | # Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used | ||
| + | # as user name for radius accounting. | ||
| + | # default is false | ||
| + | # accountingonly=false | ||
| + | |||
| + | |||
| + | # If the accounting is non essential, nonfatalaccounting can be set to true. | ||
| + | # If set to true all errors during the accounting procedure are ignored, which can be | ||
| + | # - radius accounting can fail | ||
| + | # - FramedRouted (if configured) maybe not configured correctly | ||
| + | # - errors during vendor specific attributes script execution are ignored | ||
| + | # But if set to true the performance is increased because OpenVPN does not block during the accounting procedure. | ||
| + | # default is false | ||
| + | nonfatalaccounting=false | ||
| + | |||
| + | # Path to a script for vendor specific attributes. | ||
| + | # Leave it out if you don't use an own script. | ||
| + | # vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl | ||
| + | |||
| + | # Path to the pipe for communication with the vsascript. | ||
| + | # Leave it out if you don't use an own script. | ||
| + | # vsanamedpipe=/tmp/vsapipe | ||
| + | |||
| + | # A radius server definition, there could be more than one. | ||
| + | # The priority of the server depends on the order in this file. The first one has the highest priority. | ||
| + | server | ||
| + | { | ||
| + | # The UDP port for radius accounting. | ||
| + | acctport=1813 | ||
| + | # The UDP port for radius authentication. | ||
| + | authport=1812 | ||
| + | # The name or ip address of the radius server. | ||
| + | name=192.168.0.153 | ||
| + | # How many times should the plugin send the if there is no response? | ||
| + | retry=1 | ||
| + | # How long should the plugin wait for a response? | ||
| + | wait=1 | ||
| + | # The shared secret. | ||
| + | sharedsecret=mysecret | ||
| + | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | == การตั้งค่า Server == | + | == การตั้งค่า OpenVPN Server == |
สร้าง directory สำหรับเก็บ CA(certificate authority), key pairs,DH, tls-auth-key | สร้าง directory สำหรับเก็บ CA(certificate authority), key pairs,DH, tls-auth-key | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
| + | cd | ||
make-cadir certificates && cd certificates | make-cadir certificates && cd certificates | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 61: | Line 158: | ||
ifconfig-pool-persist /var/log/openvpn/ipp.txt | ifconfig-pool-persist /var/log/openvpn/ipp.txt | ||
push "redirect-gateway def1 bypass-dhcp" | push "redirect-gateway def1 bypass-dhcp" | ||
| + | push "dhcp-option DNS 1.0.0.1" | ||
| + | push "dhcp-option DNS 8.8.8.8" | ||
duplicate-cn | duplicate-cn | ||
keepalive 10 120 | keepalive 10 120 | ||
| Line 74: | Line 173: | ||
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf | plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| + | |||
| + | === ตั้งค่า Firewall policy / NAT / IP Forwarding === | ||
| + | อนุญาต ssh และ ssl | ||
| + | <syntaxhighlight lang=bash> | ||
| + | sudo ufw allow ssh | ||
| + | sudo ufw allow https | ||
| + | sudo ufw enable | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | เพิ่ม NAT policy โดยแก้ไขไฟล์ '''/etc/ufw/before.rules''' เพิ่มบรรทัดต่อไปนี้ที่บรรทัดบนสุดของไฟล์ | ||
| + | <syntaxhighlight lang=bash> | ||
| + | *nat | ||
| + | :POSTROUTING ACCEPT [0:0] | ||
| + | -A POSTROUTING -s 10.10.10.0/24 -o ens3 -j MASQUERADE | ||
| + | COMMIT | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | เปิด ip forwarding โดยแก้ไขไฟล์ '''/etc/sysctl.conf''' เอา comment ออก | ||
| + | <syntaxhighlight lang=bash> | ||
| + | net.ipv4.ip_forward=1 | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | แล้ว run คำสั่ง | ||
| + | <syntaxhighlight lang=bash> | ||
| + | sudo sysctl -p | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | แก้ firewall forward policy โดยการแก้ไขไฟล์ '''/etc/default/ufw''' เปลี่ยนค่า '''DEFAULT_FORWARD_POLICY''' จาก '''DROP''' เป็น '''ACCEPT''' | ||
| + | <syntaxhighlight lang=bash> | ||
| + | DEFAULT_FORWARD_POLICY="ACCEPT" | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | reload firewall policy | ||
| + | <syntaxhighlight lang=bash> | ||
| + | sudo ufw reload | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | === Start OpenVPN Service === | ||
| + | <syntaxhighlight lang=bash> | ||
| + | sudo service openvpn@server start | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | == ตั้งค่า Client file == | ||
| + | === สร้างไฟล์ Certificate/Key pairs ของ client === | ||
| + | <syntaxhighlight lang=bash> | ||
| + | source vars && ./build-key client | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | === สร้างไฟล์ .ovpn สำหรับให้ client เชื่อมต่อ === | ||
| + | สร้างไฟล์ client.ovpn โดยเปลี่ยนข้อมูล<br> | ||
| + | remote '''10.110.0.177''' เป็น '''ip address''' ของ OpenVPN Server ของท่าน<br> | ||
| + | ข้อความระหว่าง '''<ca></ca>''' ให้ใช้จากไฟล์ '''keys/ca.crt'''<br> | ||
| + | ข้อความระหว่าง '''<cert></cert>''' ให้ใช้จากไฟล์ '''keys/client.crt'''<br> | ||
| + | ข้อความระหว่าง '''<key></key>''' ให้ใช้จากไฟล์ '''keys/cleint.key'''<br> | ||
| + | ข้อความระหว่าง '''<tls-auth></tls-auth>''' ให้ใช้จากไฟล์ '''keys/ta.key''' | ||
| + | <syntaxhighlight lang=bash> | ||
| + | client | ||
| + | dev tun | ||
| + | proto tcp | ||
| + | remote 10.110.0.177 443 | ||
| + | resolv-retry infinite | ||
| + | nobind | ||
| + | auth-user-pass | ||
| + | auth-nocache | ||
| + | persist-key | ||
| + | persist-tun | ||
| + | remote-cert-tls server | ||
| + | key-direction 1 | ||
| + | cipher AES-256-CBC | ||
| + | verb 3 | ||
| + | <ca> | ||
| + | -----BEGIN CERTIFICATE----- | ||
| + | MIIElTCCA32gAwIBAgIJAKaWxSZFE2m9MA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD | ||
| + | VQQGEwJUSDEMMAoGA1UECBMDQ05YMQwwCgYDVQQHEwNDTlgxDDAKBgNVBAoTA0NN | ||
| + | VTENMAsGA1UECxMESVRTQzEPMA0GA1UEAxMGQ01VIENBMRAwDgYDVQQpEwdFYXN5 | ||
| + | UlNBMSIwIAYJKoZIhvcNAQkBFhNzdXBhd2l0LndAY211LmFjLnRoMB4XDTE4MTIx | ||
| + | MzA4MTAyNloXDTI4MTIxMDA4MTAyNlowgY0xCzAJBgNVBAYTAlRIMQwwCgYDVQQI | ||
| + | EwNDTlgxDDAKBgNVBAcTA0NOWDEMMAoGA1UEChMDQ01VMQ0wCwYDVQQLEwRJVFND | ||
| + | MQ8wDQYDVQQDEwZDTVUgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExIjAgBgkqhkiG9w0B | ||
| + | CQEWE3N1cGF3aXQud0BjbXUuYWMudGgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw | ||
| + | ggEKAoIBAQCW9f3xSgQymkizdf1ymWlpscxM+0oNB5TYFSZnhh1gF/jKfKq+9Rcp | ||
| + | /XIWvL0ZpjZia+J+Ky1O9t7GWRFeHI3lQzhaicjuyPXCzt/iJKyfLVVChlk3MkSj | ||
| + | aDXq1EVy+dQE+3BaruPWqTpfvaEimjMFHTNYtmm913gVXKhWqAPELRRBohlfXtvk | ||
| + | EWW77oKr/xE7cARXpvdQ88yrrB1QiUaLHuPmXXFxhvycBVKeemz+LccW1EcVGoW6 | ||
| + | 846X6Fx76PNKRgiJ1ZdzI96bVAQ5Ro1buyUL5YSaRzv95jDmalbG4i8UoP5G39oy | ||
| + | 4CTCtrrvb3+x8+WoQAGibclYZ9BRane7AgMBAAGjgfUwgfIwHQYDVR0OBBYEFL0t | ||
| + | PwmRAdErIEXQtVuH9z7nxatqMIHCBgNVHSMEgbowgbeAFL0tPwmRAdErIEXQtVuH | ||
| + | 9z7nxatqoYGTpIGQMIGNMQswCQYDVQQGEwJUSDEMMAoGA1UECBMDQ05YMQwwCgYD | ||
| + | VQQHEwNDTlgxDDAKBgNVBAoTA0NNVTENMAsGA1UECxMESVRTQzEPMA0GA1UEAxMG | ||
| + | Q01VIENBMRAwDgYDVQQpEwdFYXN5UlNBMSIwIAYJKoZIhvcNAQkBFhNzdXBhd2l0 | ||
| + | LndAY211LmFjLnRoggkAppbFJkUTab0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B | ||
| + | AQsFAAOCAQEAjyzABzRvbk62BgjC9FuAvWJAoLvyAHLH0dAPG0bOxbBvSYfqUDhj | ||
| + | w2rfD2YU//IeCoU8zO15/qLQoJ52VedCx1mjFkqzsmm8XVj1eIg0Yt+nMTNW+nrJ | ||
| + | K+k4mbEA95NgAkxCF69f9Dx6dSQ0HeGJ2l8frCeN/176Tlza4+VaTf4VmOnJZLk5 | ||
| + | UqB5aPXi+wIsKDvIi/9zsi+GXS4AkPP6IuuDOayyuX4boPedPl++jRokr+NGn3M3 | ||
| + | SbnKEoP0v3uR+WZg0hbIwNBPObU0cGGz/Ecvf4zx79TiJ/HHSI5q8b3BDsQ4blIe | ||
| + | EUAl+OBXZmOg60ZDF7gULqWYbszk9nLEsw== | ||
| + | -----END CERTIFICATE----- | ||
| + | </ca> | ||
| + | <cert> | ||
| + | -----BEGIN CERTIFICATE----- | ||
| + | MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMCVEgx | ||
| + | DDAKBgNVBAgTA0NOWDEMMAoGA1UEBxMDQ05YMQwwCgYDVQQKEwNDTVUxDTALBgNV | ||
| + | BAsTBElUU0MxDzANBgNVBAMTBkNNVSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEiMCAG | ||
| + | CSqGSIb3DQEJARYTc3VwYXdpdC53QGNtdS5hYy50aDAeFw0xODEyMTQwNzU0NTla | ||
| + | Fw0yODEyMTEwNzU0NTlaMIGNMQswCQYDVQQGEwJUSDEMMAoGA1UECBMDQ05YMQww | ||
| + | CgYDVQQHEwNDTlgxDDAKBgNVBAoTA0NNVTENMAsGA1UECxMESVRTQzEPMA0GA1UE | ||
| + | AxMGY2xpZW50MRAwDgYDVQQpEwdFYXN5UlNBMSIwIAYJKoZIhvcNAQkBFhNzdXBh | ||
| + | d2l0LndAY211LmFjLnRoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA | ||
| + | oVTSDQvSybJJpWT5MKu4l718oJwryjkKjMEjLn9t5VWN7r6WhvLRaKbujjJZ6zOk | ||
| + | Kn11Ro3R5CzYkxJCuOtBUjOLQrT2v9YHr5Bw+iEepwdyOz4ixVCcrtKbNbKK3koy | ||
| + | 4kuRCRSPlhxHtpvz435dDcyAwWqA839ZBAvsVolSFGT2k58DvO5d5XNZHU5Wc+Ry | ||
| + | tyczPTqo95aAhkLKW5i442Nk9u66gVcD5M862VlY/LtZ7QN57vWXbYTrCFBhwHWg | ||
| + | u+Wu2tOFfnJSL8p4hkhw6WqUP74gI9BAQ9yiEAyESNCj0V40RvTqx0A6+yMrQ1Cj | ||
| + | N0P0cnCDci/vjJTDV7qW7wIDAQABo4IBVzCCAVMwCQYDVR0TBAIwADAtBglghkgB | ||
| + | hvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW | ||
| + | BBSx6XxyYP43LzfOH23su4j7f3xomTCBwgYDVR0jBIG6MIG3gBS9LT8JkQHRKyBF | ||
| + | 0LVbh/c+58WraqGBk6SBkDCBjTELMAkGA1UEBhMCVEgxDDAKBgNVBAgTA0NOWDEM | ||
| + | MAoGA1UEBxMDQ05YMQwwCgYDVQQKEwNDTVUxDTALBgNVBAsTBElUU0MxDzANBgNV | ||
| + | BAMTBkNNVSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEiMCAGCSqGSIb3DQEJARYTc3Vw | ||
| + | YXdpdC53QGNtdS5hYy50aIIJAKaWxSZFE2m9MBMGA1UdJQQMMAoGCCsGAQUFBwMC | ||
| + | MAsGA1UdDwQEAwIHgDARBgNVHREECjAIggZjbGllbnQwDQYJKoZIhvcNAQELBQAD | ||
| + | ggEBAChm94qlqEqo9e+BY5stU3TbuYY1WqPNPAquNgT2f/Yk0KR+xvLPzNJVWi4J | ||
| + | pxHvj/0hkszVPP7F/xiyJ+bNqKpk4gUj2r82Am0hWNHTtRX+zKYYXT6EPO0/9U1E | ||
| + | roALEpGeRJeZAyN9nYuxdd7E5xHk/WD7wRoTAoSffLukzFkR/HprJt6MUPS5fIV/ | ||
| + | vKewGQDYiE0myHnqnXPs4mb4xDfm4zS64T1dn7sINlRmKBXv7nXS8Qxx+vxILgV+ | ||
| + | HvnN7UUvFZ82fAkmcwuA1FQlT5T4xjKmGU2LyxcWg0OBgbSP751IFDp+qOj6znPx | ||
| + | UhikQLX/U13Pv1J9XiGuYe6FhWI= | ||
| + | -----END CERTIFICATE----- | ||
| + | </cert> | ||
| + | <key> | ||
| + | -----BEGIN PRIVATE KEY----- | ||
| + | MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQChVNINC9LJskml | ||
| + | ZPkwq7iXvXygnCvKOQqMwSMuf23lVY3uvpaG8tFopu6OMlnrM6QqfXVGjdHkLNiT | ||
| + | EkK460FSM4tCtPa/1gevkHD6IR6nB3I7PiLFUJyu0ps1soreSjLiS5EJFI+WHEe2 | ||
| + | m/Pjfl0NzIDBaoDzf1kEC+xWiVIUZPaTnwO87l3lc1kdTlZz5HK3JzM9Oqj3loCG | ||
| + | QspbmLjjY2T27rqBVwPkzzrZWVj8u1ntA3nu9ZdthOsIUGHAdaC75a7a04V+clIv | ||
| + | yniGSHDpapQ/viAj0EBD3KIQDIRI0KPRXjRG9OrHQDr7IytDUKM3Q/RycINyL++M | ||
| + | lMNXupbvAgMBAAECggEAZ/HPeEpi4EM3whGhoCMzxsh2cMDOUfeYfYG+2imOM9GA | ||
| + | pg8zyvTNyWCsmP+GAc1++0Vj9zZOwnXGgFOmm6AvsPe2xR71UDplL0+gCvil2DYq | ||
| + | +lKZconyuYzGJb3ITVp/GGBZrQELVksYRWaLp8p1x/s4BeZJ+RjW0I2iE0tcj/hK | ||
| + | 8SWCJCZc3VJSEBUAiDpY7eC7PVqq2xqoifwsLkZm/09qyXaPFyRADoqc1MFVBMqt | ||
| + | Im6Jsc8XxO0uj42GeYGRcVkt/68o4qiyGXWfuzDto686DmsH2eReOxPGXh3xikoT | ||
| + | 8jqpEW/J/SLEeUuXZL6aBRIrWUneAWRN4Z1dAQw20QKBgQDTvcjd47W3fj4WfMXJ | ||
| + | h79iGD9Ka9Jh/wkkVwI3UCWPLLNkrYm6ZbFTF1YKFokKfvkhIwzc5YnmUwyIZnpu | ||
| + | L+Humy2qlIzWTeTl/ArFk1/RgNur17fmrmnn3elwcHQT/bLH6RmCg3AyfVlIhnNx | ||
| + | VmeNDm2XHy99cNrIcd9LhEeNpwKBgQDDDZx1fbHf8lv/u/X/bBy3Lnldz3+FRGNc | ||
| + | BeZgsmWCCaK6qaae0I1ExYbx0j4P5givBKQFCpR3Z2zWvd6Sj3eZ7o1BAxZwg5KE | ||
| + | UBNh0v8S+RhgXDUcuLmzkTti8EVNVxfIXwi7Xdc8zYg8rolxHBKeLfQD1H4V9fgZ | ||
| + | kRIUOwSleQKBgEGmtoEV+WHLYrTWOv0hedWQbw9EHxcDXHJICAfeccbStUyiAfIp | ||
| + | VbHNqn+2PQdkFxqPI43aHcesOFaSb6N6dTLmKmKZbJGF1VL5st1PtIXgzjuZxwtf | ||
| + | SLb7t0WFmHgaUTRqsd4losQE2YoDJggeIj06HACfSro6I5vCstlXSlhBAoGAOK0k | ||
| + | 0FL0s5D1wIp6QXzFn0imxWZ8tFmZ0Wx5c5GCw1VPbpPLMYyB8ADBZFTl6bK6xThA | ||
| + | /KIFX+iyjHdhTA7Z/uV9L+3YwFrK4R1vdFZd/cJZne5NFIpsk0vZCLeuO3naFEPh | ||
| + | AqiS2T0ToCZLE43HryTFKbO9612seKlZqn03rWkCgYB+b6J5GjZXrfSq6xjULUnu | ||
| + | Oa35KF0bMJIcxfWtjvR7oEHmEQ78kOXvJVJKmzVBfPCKEgDU2wBcjf7Wqd6s7LQo | ||
| + | ldMxsPW0ABEbXAdeQpVItxCtQ0Es2eiE0784rTfbgrN1NYgqi1wYC+N6bWucKwcy | ||
| + | uaHphFSJNTUHFzuqokVjJQ== | ||
| + | -----END PRIVATE KEY----- | ||
| + | </key> | ||
| + | <tls-auth> | ||
| + | -----BEGIN OpenVPN Static key V1----- | ||
| + | 4d17259d1ecc65a8f3a3db759cc8cd0e | ||
| + | 4149c83166f719af426e77d963f418ec | ||
| + | 3c0c02b1796e8a39af04b0038d038cb5 | ||
| + | 29cd4d6ac982badb6460126f0bf1d2e1 | ||
| + | e99afe618242d4784ff8f0b900084507 | ||
| + | f88ba51c006e9e2f479af4e1b5f232d8 | ||
| + | fbead0e3a82154cb77518714fb11b21f | ||
| + | 8c1b152b61521625a17d158ae71fe6f8 | ||
| + | 171208b40f7ac13ecbdeb1ae882a60a8 | ||
| + | d7cf607bac1c6134c75bd8869b040546 | ||
| + | dbbc8525dbff628cd272f150a37176d9 | ||
| + | 102c54114e24ee931e3030837d0e7e01 | ||
| + | 5ca55607c7e6aef0482e8d2d2df42c26 | ||
| + | 2e4507b4496c067e525bab6385df21ed | ||
| + | dd8d7ddb6e718d328674ec63602e1d20 | ||
| + | 056cf2ff31a9ad14e84ea64fde542a59 | ||
| + | -----END OpenVPN Static key V1----- | ||
| + | </tls-auth> | ||
| + | </syntaxhighlight> | ||
| + | === การตั้งค่าฝั่ง Client === | ||
| + | เผยแพร่ไฟล์ .ovpn ที่สร้างให้กับผู้ใช้งานและใช้งานตามคู่มือ [[CMU_OpenVPN | CMU_OpenVPN]] | ||
| + | |||
| + | == ติดต่อสอบถามเพิ่มเติม == | ||
| + | * [mailto:supawit.w@cmu.ac.th supawit.w@cmu.ac.th] | ||
| + | * [https://teams.microsoft.com/l/team/19%3a0c78e248b5b64bb984916f19dc2e9d4f%40thread.skype/conversations?groupId=c8d4d9f1-57f7-4658-a716-a19d8f76cb00&tenantId=cf81f1df-de59-4c29-91da-a2dfd04aa751 Microsoft Teams : Admin IT CMU] | ||
Latest revision as of 05:07, 19 December 2018
บทนำ
บทความนี้เป็นการ implement OpenVPN Server ที่ให้ user log in ด้วย account ที่อยู่บน directory ขององค์กรโดยใช้ protocol radius โดยตัวอย่างจะใช้ server เป็น Ubuntu 18.04
การติดตั้ง package ที่จำเป็น
sudo add-apt-repository universe
sudo apt-get update && sudo apt-get install openvpn easy-rsa libgcrypt11-dev build-essential -y
radiusplugin
ติดตั้ง radiusplugin
cd
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
tar xvf radiusplugin_v2.1a_beta1.tar.gz
cd radiusplugin_v2.1a_beta1
sudo make
sudo mkdir /etc/openvpn/radius
sudo cp -r radiusplugin.so /etc/openvpn/radius
ตั้งค่า radiusplugin
สร้างไฟล์ /etc/openvpn/radius/radius.cnf โดยระบุ ip address และ secret ของ radius server ของท่าน
NAS-Identifier=openvpn
# The service type which is sent to the RADIUS server
Service-Type=5
# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5
# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=10.1.1.1 # ip address ของ OpenVPN Server
# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)
OpenVPNConfig=/etc/openvpn/server.conf
# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1
# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true
# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false
# Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting.
# default is false
# accountingonly=false
# If the accounting is non essential, nonfatalaccounting can be set to true.
# If set to true all errors during the accounting procedure are ignored, which can be
# - radius accounting can fail
# - FramedRouted (if configured) maybe not configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false
# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl
# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe
# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=192.168.0.153
# How many times should the plugin send the if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=mysecret
}
การตั้งค่า OpenVPN Server
สร้าง directory สำหรับเก็บ CA(certificate authority), key pairs,DH, tls-auth-key
cd
make-cadir certificates && cd certificates
ตั้งค่าตัวแปรสำหรับสร้าง CA
แก้ไขไฟล์ vars ในส่วนของตัวแปรต่อไปนี้ตามต้องการ
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
จากนั้นทำการประกาศค่าตัวแปร
ln -s openssl-1.0.0.cnf openssl.cnf
source vars
สร้าง CA
./clean-all && ./build-ca
สร้าง Certificate/Key pairs
./build-key-server server
สร้าง DH
./build-dh
openvpn --genkey --secret keys/ta.key
sudo cp keys/{server.crt,server.key,ca.crt,dh2048.pem,ta.key} /etc/openvpn
ตั้งค่า OpenVPN server
สร้างไฟล์ /etc/openvpn/server.conf ดังนี้
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.10.10.0 255.255.255.0 #ระบุ ip network ที่ต้องการ
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
ตั้งค่า Firewall policy / NAT / IP Forwarding
อนุญาต ssh และ ssl
sudo ufw allow ssh
sudo ufw allow https
sudo ufw enable
เพิ่ม NAT policy โดยแก้ไขไฟล์ /etc/ufw/before.rules เพิ่มบรรทัดต่อไปนี้ที่บรรทัดบนสุดของไฟล์
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o ens3 -j MASQUERADE
COMMIT
เปิด ip forwarding โดยแก้ไขไฟล์ /etc/sysctl.conf เอา comment ออก
net.ipv4.ip_forward=1
แล้ว run คำสั่ง
sudo sysctl -p
แก้ firewall forward policy โดยการแก้ไขไฟล์ /etc/default/ufw เปลี่ยนค่า DEFAULT_FORWARD_POLICY จาก DROP เป็น ACCEPT
DEFAULT_FORWARD_POLICY="ACCEPT"
reload firewall policy
sudo ufw reload
Start OpenVPN Service
sudo service openvpn@server start
ตั้งค่า Client file
สร้างไฟล์ Certificate/Key pairs ของ client
source vars && ./build-key client
สร้างไฟล์ .ovpn สำหรับให้ client เชื่อมต่อ
สร้างไฟล์ client.ovpn โดยเปลี่ยนข้อมูล
remote 10.110.0.177 เป็น ip address ของ OpenVPN Server ของท่าน
ข้อความระหว่าง <ca></ca> ให้ใช้จากไฟล์ keys/ca.crt
ข้อความระหว่าง <cert></cert> ให้ใช้จากไฟล์ keys/client.crt
ข้อความระหว่าง <key></key> ให้ใช้จากไฟล์ keys/cleint.key
ข้อความระหว่าง <tls-auth></tls-auth> ให้ใช้จากไฟล์ keys/ta.key
client
dev tun
proto tcp
remote 10.110.0.177 443
resolv-retry infinite
nobind
auth-user-pass
auth-nocache
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIElTCCA32gAwIBAgIJAKaWxSZFE2m9MA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD
VQQGEwJUSDEMMAoGA1UECBMDQ05YMQwwCgYDVQQHEwNDTlgxDDAKBgNVBAoTA0NN
VTENMAsGA1UECxMESVRTQzEPMA0GA1UEAxMGQ01VIENBMRAwDgYDVQQpEwdFYXN5
UlNBMSIwIAYJKoZIhvcNAQkBFhNzdXBhd2l0LndAY211LmFjLnRoMB4XDTE4MTIx
MzA4MTAyNloXDTI4MTIxMDA4MTAyNlowgY0xCzAJBgNVBAYTAlRIMQwwCgYDVQQI
EwNDTlgxDDAKBgNVBAcTA0NOWDEMMAoGA1UEChMDQ01VMQ0wCwYDVQQLEwRJVFND
MQ8wDQYDVQQDEwZDTVUgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExIjAgBgkqhkiG9w0B
CQEWE3N1cGF3aXQud0BjbXUuYWMudGgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCW9f3xSgQymkizdf1ymWlpscxM+0oNB5TYFSZnhh1gF/jKfKq+9Rcp
/XIWvL0ZpjZia+J+Ky1O9t7GWRFeHI3lQzhaicjuyPXCzt/iJKyfLVVChlk3MkSj
aDXq1EVy+dQE+3BaruPWqTpfvaEimjMFHTNYtmm913gVXKhWqAPELRRBohlfXtvk
EWW77oKr/xE7cARXpvdQ88yrrB1QiUaLHuPmXXFxhvycBVKeemz+LccW1EcVGoW6
846X6Fx76PNKRgiJ1ZdzI96bVAQ5Ro1buyUL5YSaRzv95jDmalbG4i8UoP5G39oy
4CTCtrrvb3+x8+WoQAGibclYZ9BRane7AgMBAAGjgfUwgfIwHQYDVR0OBBYEFL0t
PwmRAdErIEXQtVuH9z7nxatqMIHCBgNVHSMEgbowgbeAFL0tPwmRAdErIEXQtVuH
9z7nxatqoYGTpIGQMIGNMQswCQYDVQQGEwJUSDEMMAoGA1UECBMDQ05YMQwwCgYD
VQQHEwNDTlgxDDAKBgNVBAoTA0NNVTENMAsGA1UECxMESVRTQzEPMA0GA1UEAxMG
Q01VIENBMRAwDgYDVQQpEwdFYXN5UlNBMSIwIAYJKoZIhvcNAQkBFhNzdXBhd2l0
LndAY211LmFjLnRoggkAppbFJkUTab0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAQEAjyzABzRvbk62BgjC9FuAvWJAoLvyAHLH0dAPG0bOxbBvSYfqUDhj
w2rfD2YU//IeCoU8zO15/qLQoJ52VedCx1mjFkqzsmm8XVj1eIg0Yt+nMTNW+nrJ
K+k4mbEA95NgAkxCF69f9Dx6dSQ0HeGJ2l8frCeN/176Tlza4+VaTf4VmOnJZLk5
UqB5aPXi+wIsKDvIi/9zsi+GXS4AkPP6IuuDOayyuX4boPedPl++jRokr+NGn3M3
SbnKEoP0v3uR+WZg0hbIwNBPObU0cGGz/Ecvf4zx79TiJ/HHSI5q8b3BDsQ4blIe
EUAl+OBXZmOg60ZDF7gULqWYbszk9nLEsw==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMCVEgx
DDAKBgNVBAgTA0NOWDEMMAoGA1UEBxMDQ05YMQwwCgYDVQQKEwNDTVUxDTALBgNV
BAsTBElUU0MxDzANBgNVBAMTBkNNVSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEiMCAG
CSqGSIb3DQEJARYTc3VwYXdpdC53QGNtdS5hYy50aDAeFw0xODEyMTQwNzU0NTla
Fw0yODEyMTEwNzU0NTlaMIGNMQswCQYDVQQGEwJUSDEMMAoGA1UECBMDQ05YMQww
CgYDVQQHEwNDTlgxDDAKBgNVBAoTA0NNVTENMAsGA1UECxMESVRTQzEPMA0GA1UE
AxMGY2xpZW50MRAwDgYDVQQpEwdFYXN5UlNBMSIwIAYJKoZIhvcNAQkBFhNzdXBh
d2l0LndAY211LmFjLnRoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
oVTSDQvSybJJpWT5MKu4l718oJwryjkKjMEjLn9t5VWN7r6WhvLRaKbujjJZ6zOk
Kn11Ro3R5CzYkxJCuOtBUjOLQrT2v9YHr5Bw+iEepwdyOz4ixVCcrtKbNbKK3koy
4kuRCRSPlhxHtpvz435dDcyAwWqA839ZBAvsVolSFGT2k58DvO5d5XNZHU5Wc+Ry
tyczPTqo95aAhkLKW5i442Nk9u66gVcD5M862VlY/LtZ7QN57vWXbYTrCFBhwHWg
u+Wu2tOFfnJSL8p4hkhw6WqUP74gI9BAQ9yiEAyESNCj0V40RvTqx0A6+yMrQ1Cj
N0P0cnCDci/vjJTDV7qW7wIDAQABo4IBVzCCAVMwCQYDVR0TBAIwADAtBglghkgB
hvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
BBSx6XxyYP43LzfOH23su4j7f3xomTCBwgYDVR0jBIG6MIG3gBS9LT8JkQHRKyBF
0LVbh/c+58WraqGBk6SBkDCBjTELMAkGA1UEBhMCVEgxDDAKBgNVBAgTA0NOWDEM
MAoGA1UEBxMDQ05YMQwwCgYDVQQKEwNDTVUxDTALBgNVBAsTBElUU0MxDzANBgNV
BAMTBkNNVSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEiMCAGCSqGSIb3DQEJARYTc3Vw
YXdpdC53QGNtdS5hYy50aIIJAKaWxSZFE2m9MBMGA1UdJQQMMAoGCCsGAQUFBwMC
MAsGA1UdDwQEAwIHgDARBgNVHREECjAIggZjbGllbnQwDQYJKoZIhvcNAQELBQAD
ggEBAChm94qlqEqo9e+BY5stU3TbuYY1WqPNPAquNgT2f/Yk0KR+xvLPzNJVWi4J
pxHvj/0hkszVPP7F/xiyJ+bNqKpk4gUj2r82Am0hWNHTtRX+zKYYXT6EPO0/9U1E
roALEpGeRJeZAyN9nYuxdd7E5xHk/WD7wRoTAoSffLukzFkR/HprJt6MUPS5fIV/
vKewGQDYiE0myHnqnXPs4mb4xDfm4zS64T1dn7sINlRmKBXv7nXS8Qxx+vxILgV+
HvnN7UUvFZ82fAkmcwuA1FQlT5T4xjKmGU2LyxcWg0OBgbSP751IFDp+qOj6znPx
UhikQLX/U13Pv1J9XiGuYe6FhWI=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQChVNINC9LJskml
ZPkwq7iXvXygnCvKOQqMwSMuf23lVY3uvpaG8tFopu6OMlnrM6QqfXVGjdHkLNiT
EkK460FSM4tCtPa/1gevkHD6IR6nB3I7PiLFUJyu0ps1soreSjLiS5EJFI+WHEe2
m/Pjfl0NzIDBaoDzf1kEC+xWiVIUZPaTnwO87l3lc1kdTlZz5HK3JzM9Oqj3loCG
QspbmLjjY2T27rqBVwPkzzrZWVj8u1ntA3nu9ZdthOsIUGHAdaC75a7a04V+clIv
yniGSHDpapQ/viAj0EBD3KIQDIRI0KPRXjRG9OrHQDr7IytDUKM3Q/RycINyL++M
lMNXupbvAgMBAAECggEAZ/HPeEpi4EM3whGhoCMzxsh2cMDOUfeYfYG+2imOM9GA
pg8zyvTNyWCsmP+GAc1++0Vj9zZOwnXGgFOmm6AvsPe2xR71UDplL0+gCvil2DYq
+lKZconyuYzGJb3ITVp/GGBZrQELVksYRWaLp8p1x/s4BeZJ+RjW0I2iE0tcj/hK
8SWCJCZc3VJSEBUAiDpY7eC7PVqq2xqoifwsLkZm/09qyXaPFyRADoqc1MFVBMqt
Im6Jsc8XxO0uj42GeYGRcVkt/68o4qiyGXWfuzDto686DmsH2eReOxPGXh3xikoT
8jqpEW/J/SLEeUuXZL6aBRIrWUneAWRN4Z1dAQw20QKBgQDTvcjd47W3fj4WfMXJ
h79iGD9Ka9Jh/wkkVwI3UCWPLLNkrYm6ZbFTF1YKFokKfvkhIwzc5YnmUwyIZnpu
L+Humy2qlIzWTeTl/ArFk1/RgNur17fmrmnn3elwcHQT/bLH6RmCg3AyfVlIhnNx
VmeNDm2XHy99cNrIcd9LhEeNpwKBgQDDDZx1fbHf8lv/u/X/bBy3Lnldz3+FRGNc
BeZgsmWCCaK6qaae0I1ExYbx0j4P5givBKQFCpR3Z2zWvd6Sj3eZ7o1BAxZwg5KE
UBNh0v8S+RhgXDUcuLmzkTti8EVNVxfIXwi7Xdc8zYg8rolxHBKeLfQD1H4V9fgZ
kRIUOwSleQKBgEGmtoEV+WHLYrTWOv0hedWQbw9EHxcDXHJICAfeccbStUyiAfIp
VbHNqn+2PQdkFxqPI43aHcesOFaSb6N6dTLmKmKZbJGF1VL5st1PtIXgzjuZxwtf
SLb7t0WFmHgaUTRqsd4losQE2YoDJggeIj06HACfSro6I5vCstlXSlhBAoGAOK0k
0FL0s5D1wIp6QXzFn0imxWZ8tFmZ0Wx5c5GCw1VPbpPLMYyB8ADBZFTl6bK6xThA
/KIFX+iyjHdhTA7Z/uV9L+3YwFrK4R1vdFZd/cJZne5NFIpsk0vZCLeuO3naFEPh
AqiS2T0ToCZLE43HryTFKbO9612seKlZqn03rWkCgYB+b6J5GjZXrfSq6xjULUnu
Oa35KF0bMJIcxfWtjvR7oEHmEQ78kOXvJVJKmzVBfPCKEgDU2wBcjf7Wqd6s7LQo
ldMxsPW0ABEbXAdeQpVItxCtQ0Es2eiE0784rTfbgrN1NYgqi1wYC+N6bWucKwcy
uaHphFSJNTUHFzuqokVjJQ==
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
4d17259d1ecc65a8f3a3db759cc8cd0e
4149c83166f719af426e77d963f418ec
3c0c02b1796e8a39af04b0038d038cb5
29cd4d6ac982badb6460126f0bf1d2e1
e99afe618242d4784ff8f0b900084507
f88ba51c006e9e2f479af4e1b5f232d8
fbead0e3a82154cb77518714fb11b21f
8c1b152b61521625a17d158ae71fe6f8
171208b40f7ac13ecbdeb1ae882a60a8
d7cf607bac1c6134c75bd8869b040546
dbbc8525dbff628cd272f150a37176d9
102c54114e24ee931e3030837d0e7e01
5ca55607c7e6aef0482e8d2d2df42c26
2e4507b4496c067e525bab6385df21ed
dd8d7ddb6e718d328674ec63602e1d20
056cf2ff31a9ad14e84ea64fde542a59
-----END OpenVPN Static key V1-----
</tls-auth>
การตั้งค่าฝั่ง Client
เผยแพร่ไฟล์ .ovpn ที่สร้างให้กับผู้ใช้งานและใช้งานตามคู่มือ CMU_OpenVPN
