Sooner or later, and usually all of a sudden, every enterprise needs remote access.
Practically every IT specialist is faced with the need to organize remote access to the enterprise network.
Like many, I received this requirement stamped "needed yesterday." After weighing all the pros and cons, shoveling through tons of information and digging a bit into the theory, I decided to proceed with the installation.
For security reasons, I chose OpenVPN in the following arrangement: on a server running Windows Server 2012 I installed a virtual machine, also with Windows Server 2012, and on it, in turn, an OpenVPN server that issued and signed certificates.
For convenience, we will call it the “certification server”. I then took the server certificate, pushed it into the Mikrotik, and on the Mikrotik router brought up OpenVPN with accounts and profiles. The certification server was also used to issue client certificates.
The implementation, of course, is awful, and although at that time my experience in such matters was, let's say, insufficient, from a security standpoint it was not a bad decision.
This bundle worked for a while, and then I was given a new assignment: move the certification server to Linux while keeping the connection with the Mikrotik, so that the clients would not suffer.
My knowledge of Linux at that time ended at Ubuntu 16.04 LTS with a graphical interface, which was used as a terminal for connecting via RDP to a Windows server. That is, sudo apt-get -f install -y, and not a centimeter more.
Having studied which OS from the Linux family is more stable and promising for my organization, I settled on CentOS 7 Minimal.
To begin with, I decided to dig a little into the theory to understand how it is put together and how it works. I watched the video tutorials on the channel www.youtube.com/channel/UCKdRgZWgy42YxoFcTJ30LTA (not an advertisement, they just came up first). A girl with a pleasant voice introduced me to the basics of working in the chosen OS.
To start, I launched Hyper-V on my computer, installed CentOS 7 Minimal there, created the Admin user during installation and completely closed ssh for root. Saying goodbye to the beautiful multi-colored screen, I plunged into the black-and-white world of the terminal.
I think there is no point in describing the software installation process; it is better to focus on the problems that arose along the way and for which I had to write a small script (it is below the cut). A description of each of the utilities can be found on the Internet, but at the moment when I was doing all this, the script did not exist yet; everything was done for the first time, by feel and at random.
In the script I tried to automate the installation of the minimum set of utilities needed for the server, disable SELinux, connect the EPEL repository, install OpenVPN, and so on. Below is the script itself; it is simple, but it can be used. I will not go through it line by line, but if someone needs that, write a reply.
After running the script, an already configured OpenVPN server appears, winking with a green eye.
#!/bin/bash
# Disable SELinux now and after reboot. Edit /etc/selinux/config directly:
# /etc/sysconfig/selinux is a symlink to it, and "sed -i" on the symlink
# replaces the link with a plain file and leaves the real config untouched.
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
sudo setenforce 0
cd /home/Admin || exit 1

# Updates, the EPEL repository (OpenVPN lives there), base utilities and NTP
sudo yum update -y
sudo yum install -y epel-release
sudo yum install -y mc nano chrony net-tools iftop htop lsof dos2unix wget tcpdump
sudo cp /usr/share/mc/syntax/sh.syntax /usr/share/mc/syntax/unknown.syntax
sudo systemctl start chronyd
sudo systemctl enable chronyd

# OpenVPN itself and EasyRSA 3.0.3 for the PKI
sudo yum install -y openvpn
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz
sudo tar -xvzf EasyRSA-3.0.3.tgz
ERSA=/home/Admin/EasyRSA-3.0.3

# Directories and log files. The original hands /var/log and /etc/openvpn to
# the Admin user; that is what made things start, but it is wider than needed.
# The mkdir calls need sudo: /etc/openvpn is root-owned right after install.
sudo chown -R Admin:Admin /var/log
sudo chmod 755 /var/log
sudo mkdir -p /var/log/openvpn /etc/openvpn/ccd /etc/openvpn/keys
sudo chown -R Admin:Admin /var/log/openvpn /etc/openvpn
sudo chmod 755 /var/log/openvpn /etc/openvpn /etc/openvpn/ccd /etc/openvpn/keys
echo > /var/log/openvpn/openvpn-status.log
echo > /var/log/openvpn/openvpn.log

# DNS for the server itself (tee -a appends as root without chown'ing the file)
echo nameserver 8.8.8.8 | sudo tee -a /etc/resolv.conf

# EasyRSA variables. The original wrote these to a file named "test" that
# nothing read and used "VAR=value" for the DH size; set_var takes "VAR value".
cat > "$ERSA/vars" <<'EOF'
set_var EASYRSA_DN "org"
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_REQ_COUNTRY "RU"
set_var EASYRSA_REQ_PROVINCE "LIP"
set_var EASYRSA_REQ_CITY "Lipetsk"
set_var EASYRSA_REQ_ORG "Cool-Admin"
set_var EASYRSA_REQ_EMAIL "xxx.ru"
set_var EASYRSA_REQ_OU "Our_ORG"
set_var EASYRSA_REQ_CN "changeme"
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_DH_KEY_SIZE 2048
EOF

# EasyRSA keeps the PKI under the current directory, so it ends up in /etc/openvpn/pki
cd /etc/openvpn || exit 1
sudo "$ERSA/easyrsa" --vars="$ERSA/vars" init-pki
sudo "$ERSA/easyrsa" --vars="$ERSA/vars" build-ca nopass
sudo "$ERSA/easyrsa" --vars="$ERSA/vars" build-server-full Serv nopass
sudo "$ERSA/easyrsa" --vars="$ERSA/vars" build-client-full Client1 nopass
sudo "$ERSA/easyrsa" --vars="$ERSA/vars" gen-dh
sudo "$ERSA/easyrsa" --vars="$ERSA/vars" gen-crl
sudo chown -R Admin:Admin /etc/openvpn

# Only what the server needs goes to /etc/openvpn/keys (ca.key stays in pki/private)
sudo cp /etc/openvpn/pki/ca.crt /etc/openvpn/keys
sudo cp /etc/openvpn/pki/dh.pem /etc/openvpn/keys
sudo cp /etc/openvpn/pki/crl.pem /etc/openvpn/keys
sudo cp /etc/openvpn/pki/issued/Serv.crt /etc/openvpn/keys
sudo cp /etc/openvpn/pki/private/Serv.key /etc/openvpn/keys

# Server configuration (same directives as the original, written in one go)
cat > /etc/openvpn/server.conf <<'EOF'
port 443
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/Serv.crt
key /etc/openvpn/keys/Serv.key
dh /etc/openvpn/keys/dh.pem
crl-verify /etc/openvpn/keys/crl.pem
client-config-dir /etc/openvpn/ccd
topology subnet
server 172.21.0.0 255.255.255.0
route 172.21.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 2
mute 20
daemon
mode server
user nobody
group nobody
EOF

# Enable forwarding and start the service
echo net.ipv4.ip_forward=1 | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
Installing OpenVPN did not go entirely smoothly.
Not knowing the peculiarities of the permissions model on Linux systems, I spent a lot of time studying logs and assigning all the required rights to all files.
When the OpenVPN indicator turned green I was very happy, but as it turned out, this was only the beginning. For the sake of simplicity, I had expected to just replace the root certificates and the crl.pem file and hope that everything worked. As a result, I needed to transfer the following files from the server to Windows:
Serv.crt - server certificate
Serv.key - server key
ca.crt - root certificate
ca.key - root key
crl.pem - certificate revocation list
dh.pem - Diffie-Hellman parameters
index.txt - file with information about the current certificates
serial - also responsible for keeping track of which certificates are current
The certs_by_serial folder, the vars file, and all client keys and certificates were also required.
On the Mikrotik the certificates remained in place, so it worked.
Problems appeared when I tried to revoke a certificate: it did not work at all. The index.txt file had to be converted to Unix line endings, which I did not do right away; I used the dos2unix utility.
Now the certificates were revoked but continued to work without any problems, because the Mikrotik did not know that they were revoked and somehow had to be told about it.
After reading the documentation, as well as consulting with Alexander ERI (thank you very much!), I brought up a simple Apache HTTP server on the certification server and published the revoked-certificate file on it, closing all access to it except to the published file, and only from one IP.
In the Mikrotik terminal, in the /System/Certificates/CRL tab, I set the path to the published crl.pem. It should be clarified here that the Mikrotik accepts only http and an absolute address for the CRL, i.e. it should look something like this: 127.0.0.1/crl/1.crl
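To see what the published CRL actually changes, here is an added example (not from the article) that builds a throwaway CA with plain openssl, issues a client certificate, checks it against the CA plus CRL the way OpenVPN's crl-verify or the Mikrotik does, then revokes it, regenerates the CRL and checks again; the CA name, client name and temporary directory are constructed for the demo. It deliberately sets a short CRL validity: a CRL carries a nextUpdate date (easy-rsa defaults to 180 days), and once it passes, a verifier that honours the CRL rejects every client, so the file served over HTTP has to be regenerated before then.

```shell
# Added example (not from the article): a throwaway CA built with plain
# openssl, so the effect of revoking a certificate and regenerating the CRL
# can be checked the way OpenVPN's crl-verify (or the Mikrotik) checks it.
set -u

# ok = accepted, revoked = listed in the CRL, fail = any other error
check_cert() {  # check_cert ca.crt crl.pem client.crt
    local out
    out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1)
    if echo "$out" | grep -q ': OK$'; then echo ok
    elif echo "$out" | grep -qi 'revoked'; then echo revoked
    else echo fail; fi
}

# Runs the whole cycle in a temp dir (subshell, so the caller's cwd is kept)
crl_demo() (
    cd "$(mktemp -d)" || exit 1
    touch index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = myca
[ myca ]
dir = .
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = p
[ p ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 -subj /CN=TestCA -config ca.cnf >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout c.key -out c.csr -subj /CN=Client1 -config ca.cnf >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -in c.csr -out c.crt >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    before=$(check_cert ca.crt crl.pem c.crt)          # freshly issued: ok
    openssl ca -batch -config ca.cnf -revoke c.crt >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1   # revoking alone is not enough
    after=$(check_cert ca.crt crl.pem c.crt)           # with the new CRL: revoked
    echo "before=$before after=$after"
)
```

Running `crl_demo` prints `before=ok after=revoked`; skipping the second gen-crl step reproduces the article's situation, where a revoked certificate is still accepted because the verifier has only the old list.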
Everything worked, at least for RouterOS versions 6.4.2.x, but I had to create client configurations by hand, which was unfortunate for me and caused a lot of inconvenience. When a week later I needed to create configurations for about 50 clients, I decided to speed up this process, and for that I used a piece of someone else's script found on the Internet.
The script works like this: after launching it, you specify the client name, answer the question of whether to set a password or not, and then pick up the ready-made configuration file “client.ovpn” with the certificates and settings built into it. It expects the PKI to be under /etc/openvpn. The lines where the path must be replaced with your own are marked with comments. You also need to create a file with the client settings so that the script can insert them while building the configuration.
#!/bin/bash
# Creates a client certificate with EasyRSA and assembles one .ovpn file with
# the CA certificate, client certificate and client key inlined.
# Replace these paths with your own:
EASYRSA_BIN=/home/Admin/EasyRSA-3.0.3/easyrsa   # where EasyRSA was unpacked
PKI_DIR=/etc/openvpn                            # directory that contains pki/
OUT_DIR=/home/Admin/IT/Temp                     # where the finished .ovpn goes
TEMPLATE=/etc/openvpn/client-template.txt       # client settings to put first

function newClient () {
    echo ""
    echo "Tell me a name for the client."
    echo "Use one word only, no special characters."
    until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
        read -rp "Client name: " -e CLIENT
    done

    echo ""
    echo "Do you want to protect the configuration file with a password?"
    echo "(eg encrypt the private key with a password)"
    echo "   1) Add a passwordless client"
    echo "   2) Use a password for the client"
    until [[ "$PASS" =~ ^[1-2]$ ]]; do
        read -rp "Select an option [1-2]: " -e -i 1 PASS
    done

    # EasyRSA looks for pki/ under the current directory, so move there first
    cd "$PKI_DIR" || return 1
    case $PASS in
        1) sudo "$EASYRSA_BIN" build-client-full "$CLIENT" nopass ;;
        2) echo "You will be asked for the client password below"
           sudo "$EASYRSA_BIN" build-client-full "$CLIENT" ;;
    esac

    # Generates the custom client.ovpn: the template first, then the inline PKI blocks
    mkdir -p "$OUT_DIR"
    cp "$TEMPLATE" "$OUT_DIR/$CLIENT.ovpn"
    {
        echo "<ca>"
        cat "$PKI_DIR/pki/ca.crt"
        echo "</ca>"
        echo "<cert>"
        awk '/BEGIN/,/END/' "$PKI_DIR/pki/issued/$CLIENT.crt"   # PEM only, without the text dump
        echo "</cert>"
        echo "<key>"
        sudo cat "$PKI_DIR/pki/private/$CLIENT.key"              # key is root-owned, mode 600
        echo "</key>"
    } >> "$OUT_DIR/$CLIENT.ovpn"

    echo ""
    echo "Client $CLIENT added, the configuration file is available at $OUT_DIR/$CLIENT.ovpn."
    echo "Download the .ovpn file and import it in your OpenVPN client."
    exit 0
}

newClient
After some time, a new directive banning remote access forced me to kill both this server and the working bundle with the Mikrotik. A new OpenVPN server was created for the IT department, which now runs entirely on CentOS. But that is a completely different story.
I express my deep gratitude to Ivan and Pavel for their help in editing the article.