Continued:
CISCO AnyConnect-compatible OpenConnect VPN server on Linux
Set up OpenConnect VPN Server (ocserv) on Ubuntu 16.04/18.04 with Let’s Encrypt
How to Set up Certificate Authentication in OpenConnect VPN Server (ocserv)
Translation?
Setting up OpenConnect VPN Server (ocserv) on Ubuntu 16.04 / 17.10 with Let’s Encrypt
Setting up certificate authentication in OpenConnect VPN Server (ocserv)
manual
Windows 10 client:
After installing the GUI in Windows 10 ...
Windows 10 - invalid routes
Link to a working client, version 1.51 !!! (not older)
Installation with screenshots
This write-up covers the variant for 1C without redirecting internet traffic:
# apt update
# apt upgrade
# apt install mc
# adduser user
# usermod -aG sudo user
# su user
$ cd ~
$ mkdir ~/.ssh
$ cd ~/.ssh
$ ssh-keygen -t rsa
Download /home/user/.ssh/id_rsa and use it to log in
$ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ rm ~/.ssh/id_rsa.pub
$ rm ~/.ssh/id_rsa
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
$ exit
# nano /etc/ssh/sshd_config
Check:
PasswordAuthentication no
.....
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Save.
$ sudo systemctl reload sshd
After verifying that login and sudo work, disable root login over ssh:
$ sudo nano /etc/ssh/sshd_config
Change:
PermitRootLogin no
Save.
$ sudo systemctl reload sshd
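Before closing the root session, it is worth confirming that the hardening actually took effect. The following is an added example, not part of the original post: a small POSIX shell check that reads the effective sshd configuration (the output of `sudo sshd -T`, which lists each keyword once in lower case after defaults and Match blocks are applied) and reports any of the four settings above that deviate. The two sample inputs are constructed, not captured from the server in this write-up; the keyword `challengeresponseauthentication` is the one printed by the OpenSSH shipped with Ubuntu 18.04.

```shell
#!/bin/sh
# Added example: verify the sshd hardening applied above against the effective
# configuration (`sudo sshd -T`), not the raw sshd_config file.

# check_sshd_hardening EFFECTIVE_CONFIG_TEXT
# Returns 0 when all required settings are in place, 1 otherwise, and prints
# one line per deviation so the operator can see what still needs fixing.
check_sshd_hardening() {
    config="$1"
    rc=0
    for pair in \
        "passwordauthentication no" \
        "pubkeyauthentication yes" \
        "challengeresponseauthentication no" \
        "permitrootlogin no"; do
        key="${pair% *}"
        want="${pair#* }"
        # sshd -T prints "keyword value"; take the first match, case-insensitively.
        got=$(printf '%s\n' "$config" | awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        if [ "$got" != "$want" ]; then
            printf 'sshd: %s is "%s", expected "%s"\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `sshd -T` output (not real output): password login
# and root login are still enabled here.
SAMPLE_BEFORE='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
challengeresponseauthentication no'

# Constructed sample after the edits described above.
SAMPLE_AFTER='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no'

if check_sshd_hardening "$SAMPLE_BEFORE"; then echo "before: hardened"; else echo "before: NOT hardened"; fi
if check_sshd_hardening "$SAMPLE_AFTER";  then echo "after: hardened";  else echo "after: NOT hardened";  fi
# On the real server: check_sshd_hardening "$(sudo sshd -T)"
```

Run it on the server as `check_sshd_hardening "$(sudo sshd -T)"`; a non-zero exit means at least one of the settings is not what the procedure intends, which is cheaper to discover now than after the only key-based login path stops working.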
# disable ipv6
$ sudo /bin/su -c "echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.lo.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
$ sudo sysctl -p
=========================================================
$ sudo apt install ocserv
$ sudo systemctl status ocserv
#$ sudo apt install software-properties-common
#$ sudo add-apt-repository ppa:certbot/certbot
#$ sudo apt update
$ sudo apt install certbot
$ certbot --version
certbot 0.31.0
#$ sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email your-email-address -d vpn.example.com
$ sudo apt install apache2
$ sudo nano /etc/apache2/sites-available/vpn.example.com.conf
<VirtualHost *:80>
ServerName vpn.example.com
DocumentRoot /var/www/vpn.example.com
</VirtualHost>
Save.
$ sudo mkdir /var/www/vpn.example.com
$ sudo chown www-data:www-data /var/www/vpn.example.com -R
$ sudo a2ensite vpn.example.com
$ sudo systemctl reload apache2
$ sudo certbot certonly --webroot --agree-tos --email your-email-address -d vpn.example.com -w /var/www/vpn.example.com
$ sudo nano /etc/ocserv/ocserv.conf
Change:
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem
ca-cert = /etc/letsencrypt/live/vpn.example.com/chain.pem
max-clients = 16
max-same-clients = 0
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
try-mtu-discovery = true
default-domain = vpn.example.com
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
#dns = 1.1.1.1
#route = default
route = 10.10.10.0/255.255.255.0
no-route = 192.168.0.0/255.255.255.0
Save.
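Before restarting ocserv it helps to audit the edited file mechanically rather than by eye, since a leftover active `route = default` or a TLS priority string that still admits TLS 1.0 silently changes what the server does. The following added example is not from the original post or from ocserv itself: a POSIX shell audit that parses `key = value` lines of an ocserv.conf text (skipping comments, tolerating repeated keys such as `route`), reports whether the server is in split-tunnel or full-tunnel mode, and checks that SSL 3.0, TLS 1.0 and TLS 1.1 are all removed from `tls-priorities`. The sample configuration is constructed from the values shown above.

```shell
#!/bin/sh
# Added example: audit ocserv.conf text before restarting the service.

# ocserv_get KEY CONFIG_TEXT
# Print every active (uncommented) value of KEY, one per line, quotes stripped.
ocserv_get() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[ \t]*#/ { next }                       # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next                     # not a key = value line
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (key != k) next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)      # trim
            gsub(/^"|"$/, "", val)                # strip surrounding quotes
            print val
        }'
}

# ocserv_tunnel_mode CONFIG_TEXT: "full" if an active `route = default` exists,
# otherwise "split" (only the listed routes are pushed to clients).
ocserv_tunnel_mode() {
    if ocserv_get route "$1" | grep -qx default; then echo full; else echo split; fi
}

# ocserv_legacy_tls_disabled CONFIG_TEXT: 0 only if tls-priorities explicitly
# removes SSL3.0, TLS1.0 and TLS1.1.
ocserv_legacy_tls_disabled() {
    prio=$(ocserv_get tls-priorities "$1")
    for v in SSL3.0 TLS1.0 TLS1.1; do
        case "$prio" in *"-VERS-$v"*) ;; *) return 1 ;; esac
    done
    return 0
}

# audit_ocserv CONFIG_TEXT: run all checks, print findings, return 0 if clean.
audit_ocserv() {
    cfg="$1"; rc=0
    auth=$(ocserv_get auth "$cfg")
    case "$auth" in
        plain\[passwd=*\]|certificate) ;;
        *) echo "auth: unexpected backend '$auth'"; rc=1 ;;
    esac
    for k in server-cert server-key ca-cert; do
        [ -n "$(ocserv_get "$k" "$cfg")" ] || { echo "$k: not set"; rc=1; }
    done
    ocserv_legacy_tls_disabled "$cfg" || { echo "tls-priorities: SSL3.0/TLS1.0/TLS1.1 not all disabled"; rc=1; }
    echo "tunnel mode: $(ocserv_tunnel_mode "$cfg")"
    return $rc
}

# Constructed sample built from the settings edited above (not the live file).
SAMPLE_CONF='auth = "plain[passwd=/etc/ocserv/ocpasswd]"
server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem
ca-cert = /etc/letsencrypt/live/vpn.example.com/chain.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
#route = default
route = 10.10.10.0/255.255.255.0
no-route = 192.168.0.0/255.255.255.0'

audit_ocserv "$SAMPLE_CONF"
# On the server: audit_ocserv "$(sudo cat /etc/ocserv/ocserv.conf)"
```

Run `audit_ocserv "$(sudo cat /etc/ocserv/ocserv.conf)"` after each edit; for the 1C variant described here the expected answer is `tunnel mode: split`, and it flips to `full` during the speed-test step further down.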
$ sudo systemctl restart ocserv
$ sudo cp /lib/systemd/system/ocserv.service /etc/systemd/system/ocserv.service
$ sudo nano /etc/systemd/system/ocserv.service
[Unit]
Description=OpenConnect SSL VPN server
Documentation=man:ocserv(8)
After=network-online.target
#Requires=ocserv.socket #Comment this out!
[Service]
PrivateTmp=true
PIDFile=/var/run/ocserv.pid
ExecStart=/usr/sbin/ocserv --foreground --pid-file /var/run/ocserv.pid --config /etc/ocserv/ocserv.conf
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
#Also=ocserv.socket #Comment this out!
Save.
$ sudo systemctl daemon-reload
$ sudo systemctl stop ocserv.socket
$ sudo systemctl disable ocserv.socket
$ sudo systemctl restart ocserv.service
$ systemctl status ocserv
$ sudo ocpasswd -c /etc/ocserv/ocpasswd username
You can now test logging in from a client.
On the client:
$ sudo apt install openconnect
$ sudo apt install net-tools
$ route
Таблица маршрутизации ядра протокола IP
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 100 0 0 enp0s3
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s3
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s3
$ sudo openconnect -b vpn.example.com:443
$ route
Таблица маршрутизации ядра протокола IP
Destination Gateway Genmask Flags Metric Ref Use Iface
default 0.0.0.0 0.0.0.0 U 0 0 0 tun0
default _gateway 0.0.0.0 UG 100 0 0 enp0s3
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s3
XXX.XXX.XXX.XXX _gateway 255.255.255.255 UGH 0 0 0 enp0s3
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s3
user@ud1804:~$ wget -O - -q icanhazip.com
XXX.XXX.XXX.XXX
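The routing table is the definitive answer to whether the client got a split tunnel (only 10.10.10.0/24 via tun0, internet traffic still leaving through the local gateway) or a full tunnel (a default route on tun0, which is what the external-IP check above detects). The following added example is not from the original post: a POSIX shell classifier for `route -n` output (numeric form, so columns are stable) that reports the tunnel mode and lists which interfaces carry a default route, lowest metric first. Both sample tables are constructed; 203.0.113.10 stands in for the VPN server's public address, which the post masks as XXX.XXX.XXX.XXX.

```shell
#!/bin/sh
# Added example: classify the client routing table after openconnect connects.

# tun_route_mode ROUTE_TABLE_TEXT TUN_IFACE VPN_NETWORK
# Prints: full  - a default route (0.0.0.0 / 0.0.0.0) points at TUN_IFACE
#         split - no default route on TUN_IFACE, but VPN_NETWORK is routed to it
#         none  - TUN_IFACE carries no routes at all (tunnel not up)
tun_route_mode() {
    printf '%s\n' "$1" | awk -v tun="$2" -v net="$3" '
        NF < 8 || $1 == "Destination" { next }    # skip the two header lines
        $NF != tun { next }                        # only routes on the tunnel
        $1 == "0.0.0.0" && $3 == "0.0.0.0" { full = 1 }
        $1 == net { subnet = 1 }
        END {
            if (full) print "full"
            else if (subnet) print "split"
            else print "none"
        }'
}

# default_route_ifaces ROUTE_TABLE_TEXT
# Interfaces carrying a default route, lowest metric first (the winner is first).
default_route_ifaces() {
    printf '%s\n' "$1" | awk 'NF >= 8 && $1 == "0.0.0.0" && $3 == "0.0.0.0" { print $5, $NF }' \
        | sort -n | awk '{ print $2 }'
}

# Constructed `route -n` output for a split tunnel: only the VPN subnet on tun0.
SAMPLE_SPLIT='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp0s3
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s3'

# Constructed `route -n` output for a full tunnel, shaped like the table above:
# a metric-0 default on tun0 wins over the metric-100 default on enp0s3, and the
# host route to the VPN server (203.0.113.10, placeholder) stays on enp0s3.
SAMPLE_FULL='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp0s3
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 enp0s3
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s3'

echo "split sample: $(tun_route_mode "$SAMPLE_SPLIT" tun0 10.10.10.0)"
echo "full sample:  $(tun_route_mode "$SAMPLE_FULL" tun0 10.10.10.0), default via $(default_route_ifaces "$SAMPLE_FULL" | head -n1)"
# On the client: tun_route_mode "$(route -n)" tun0 10.10.10.0
```

On the client run `tun_route_mode "$(route -n)" tun0 10.10.10.0`; for the 1C variant the intended result is `split`, and `wget -O - -q icanhazip.com` should then still return the client's own provider address rather than the server's.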
For a meaningful connection speed test, NAT needs to be set up (it only lasts until the next reboot).
Find out the name of the network adapter:
$ ip a
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group
In this case it is ens18:
$ sudo iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
$ sudo iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
$ sudo nano /etc/ocserv/ocserv.conf
Change:
dns = 10.10.10.1
route = default
#route = 10.10.10.0/255.255.255.0
Save.
$ sudo systemctl restart ocserv
Now www.speedtest.net gives a meaningful measurement.
After measuring:
$ sudo nano /etc/ocserv/ocserv.conf
Change:
#dns = 10.10.10.1
#route = default
route = 10.10.10.0/255.255.255.0
Save.
$ sudo reboot
For passwordless connections, set up certificate authentication following
How to Set up Certificate Authentication in OpenConnect VPN Server (ocserv)
and its translation:
Setting up certificate authentication in OpenConnect VPN Server (ocserv)
$ sudo apt install gnutls-bin
$ sudo mkdir /etc/ocserv/ssl/
$ cd /etc/ocserv/ssl/
$ sudo certtool --generate-privkey --outfile ca-privkey.pem
$ sudo nano ca-cert.cfg
Paste the following:
# X.509 Certificate options
# The organization of the subject.
organization = "Example Org"
# The common name of the certificate owner.
cn = "Example CA"
# The serial number of the certificate.
serial = 001
# In how many days, counting from today, this certificate will expire. Use -1 if there is no expiration date.
expiration_days = -1
# Whether this is a CA certificate or not
ca
# Whether this certificate will be used to sign data
signing_key
# Whether this key will be used to sign other certificates.
cert_signing_key
# Whether this key will be used to sign CRLs.
crl_signing_key
Save.
$ sudo certtool --generate-self-signed --load-privkey ca-privkey.pem --template ca-cert.cfg --outfile ca-cert.pem
$ sudo certtool --generate-privkey --outfile client-privkey.pem
$ sudo nano client-cert.cfg
Paste the following; uid = "username" is the user created above:
# X.509 Certificate options
# The organization of the subject.
organization = "My Org"
# The common name of the certificate owner.
cn = "John Doe"
# A user id of the certificate owner.
uid = "username"
# In how many days, counting from today, this certificate will expire. Use -1 if there is no expiration date.
expiration_days = 3650
# Whether this certificate will be used for a TLS server
tls_www_client
# Whether this certificate will be used to sign data
signing_key
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key
Save.
$ sudo certtool --generate-certificate --load-privkey client-privkey.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-privkey.pem --template client-cert.cfg --outfile client-cert.pem
$ sudo certtool --to-p12 --load-privkey client-privkey.pem --load-certificate client-cert.pem --pkcs-cipher aes-256 --outfile client.p12 --outder
Generating a PKCS #12 structure...
Loading private key list...
Loaded 1 private keys.
Enter a name for the key: user
Enter password:
Confirm password:
===========================================
Note that the Cisco AnyConnect app on iOS doesn’t support the AES-256 cipher, so if the user is using an iOS device, you can use the 3des-pkcs12 cipher.
$ sudo certtool --to-p12 --load-privkey client-privkey.pem --load-certificate client-cert.pem --pkcs-cipher 3des-pkcs12 --outfile client.p12 --outder
===========================================
$ sudo nano /etc/ocserv/ocserv.conf
Edit:
auth = "certificate"
ca-cert = /etc/ocserv/ssl/ca-cert.pem
Save.
$ sudo systemctl restart ocserv
Now download /etc/ocserv/ssl/client.p12 to the client computer,
and you can connect without a password (the PIN code has to be entered once).
$ sudo apt install fail2ban
$ sudo crontab -e
Add (the original `& > /dev/null` backgrounds certbot and redirects nothing; redirect both streams instead):
0 3 * * * /usr/bin/certbot renew > /dev/null 2>&1
Save.