Friday, 20 October 2017

Notes on building a VyOS ISO with Debian 8.9

Background posts:

vyos [ vyatta ]
http://xrcd2.blogspot.tw/2014/09/vyos-vyatta.html

VyOS OpenVpn Plugin OTP ( SOP )
http://xrcd2.blogspot.tw/2015/03/vyos-openvpn-plugin-otp-sop.html

VyOS+OpenVPN+MFA
http://xrcd2.blogspot.tw/2016/09/vyosopenvpnmfa.html


Debian 9 (stretch): the current stable release

https://www.debian.org/releases/

Release index

The next official Debian release is codenamed buster; its release date has not been set yet
Debian 9 (stretch): the current stable release
Debian 8 (jessie): obsolete stable release
Debian 7 (wheezy): obsolete stable release
Debian 6.0 (squeeze): obsolete stable release


The VyOS build procedure is documented at:

https://wiki.vyos.net/wiki/Howto_build_an_ISO_image

1.2.0-beta and newer
The image build scripts for 1.2.0 have been rewritten from scratch to clean up the legacy code and
make it easier to add new features.

The build procedures also got much simpler.

Build host preparation
For building VyOS 1.2.0, the build host should run Debian Jessie. Building on Wheezy or Stretch
is theoretically possible but wasn't tested; you can try it at your own risk.



https://github.com/vyos/vyos-build/

===============================

VyOS official site: https://vyos.io/


Here Debian 8 (jessie) is used to produce the ISO (live-image-amd64.hybrid.iso);
booting from it shows the following screen:





Once boot completes, the vyos login prompt appears, as shown below (default id/pwd: vyos/vyos):






Installation and configuration are documented at the following URLs:

https://wiki.vyos.net/wiki/Installation
https://wiki.vyos.net/wiki/User_Guide
https://wiki.vyos.net/wiki/OpenVPN

To make installing Debian packages convenient, /etc/apt/sources.list has to be modified;
see https://linuxconfig.org/debian-apt-get-jessie-sources-list for reference.


Security Updates

# /etc/apt/sources.list :
deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free


Taiwan Mirror

# /etc/apt/sources.list :
deb http://ftp.tw.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.tw.debian.org/debian/ jessie main contrib non-free


Then run apt-get update, after which apt-get install can pull in google-authenticator:

google-authenticator git URL: https://github.com/google/google-authenticator

# apt-get install libpam-google-authenticator


OpenVPN MFA integration settings


root@Test-OTP-VPN-Server:~# cat /etc/pam.d/openvpn

## A B part

auth required    /lib/security/pam_google_authenticator.so   forward_pass
auth required    /lib/x86_64-linux-gnu/security/pam_unix.so  use_first_pass
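As an added illustration (not code from the original post or from the PAM modules) of how the two-line stack above behaves: with forward_pass the user types password and OTP as one string, pam_google_authenticator strips the trailing six digits, checks them as a TOTP, and hands the remainder to pam_unix via use_first_pass. The Python below models that order with a constructed base32 secret and a constructed password hash standing in for the shadow entry.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret, in the base32 form google-authenticator stores in ~/.google_authenticator.
DEMO_SECRET = "JBSWY3DPEHPK3PXP"
# Constructed stand-in for the pam_unix password check (real systems use the shadow hash).
DEMO_PW_HASH = hashlib.sha256(b"correct horse").hexdigest()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(at_time) // step, digits)


def split_forward_pass(typed, digits=6):
    """Mimic forward_pass: the last `digits` characters are the OTP,
    everything before them is the password forwarded to the next module."""
    if len(typed) <= digits or not typed[-digits:].isdigit():
        return None, None
    return typed[:-digits], typed[-digits:]


def authenticate(typed, at_time, window=1):
    """Run the /etc/pam.d/openvpn stack in order: OTP check first
    (pam_google_authenticator), then password check (pam_unix use_first_pass)."""
    password, otp = split_forward_pass(typed)
    if otp is None:
        return False
    # Accept the current 30-second step plus `window` steps either side for clock skew.
    base = int(at_time) // 30
    counters = range(base - window, base + window + 1)
    if not any(hmac.compare_digest(hotp(DEMO_SECRET, c), otp) for c in counters):
        return False
    return hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), DEMO_PW_HASH)
```

Because both modules are "required", a wrong OTP and a wrong password are indistinguishable to the client; only the server-side log shows which module rejected the attempt.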


vyos@Test-OTP-VPN-Server:~$ cat /etc/debian_version
8.9

root@Test-OTP-VPN-Server:~# uname  -ar
Linux Test-OTP-VPN-Server 4.4.47-amd64-vyos #1 SMP Sun Jul 23 11:41:18
EDT 2017 x86_64 GNU/Linux
root@Test-OTP-VPN-Server:~#


vyos@Test-OTP-VPN-Server:~$ show version
Version:          VyOS 999.201709061524
Built by:         root@debian
Built on:         Wed 06 Sep 2017 15:24 UTC
Build ID:         b1b93737-e3ee-459c-9e72-082479727dac

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-42 3a e8 ed 94 81 e8 34-4f c3 a7 33 b3 2a 8a ef
Hardware UUID:    423AE8ED-9481-E834-4FC3-A733B32A8AEF

Copyright:        VyOS maintainers and contributors
vyos@Test-OTP-VPN-Server:~$


vyos@Test-OTP-VPN-Server:~$ show system image
The system currently has the following image(s) installed:

   1: 999.201709061524 (default boot)

vyos@Test-OTP-VPN-Server:~$

OpenVPN MFA reference configuration:

vyos@Test-OTP-VPN-Server:~$ show configuration commands
set interfaces ethernet eth0 address '192.168.1.168/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:50:56:ba:38:3b'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces loopback 'lo'
set interfaces openvpn vtun0 encryption 'aes128'
set interfaces openvpn vtun0 hash 'sha1'
set interfaces openvpn vtun0 local-port '1194'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 openvpn-option '--reneg-sec 0 --duplicate-cn --comp-lzo --script-security 2 --plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn --username-as-common-name'
set interfaces openvpn vtun0 protocol 'tcp-passive'
set interfaces openvpn vtun0 server push-route '192.168.1.0/24'
set interfaces openvpn vtun0 server push-route '192.168.2.0/24'
set interfaces openvpn vtun0 server subnet '192.168.168.0/28'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/keys/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/keys/vpn-server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/keys/dh1024.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/keys/vpn-server.key'
set nat source rule 10 destination address '0.0.0.0/0'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 protocol 'all'
set nat source rule 10 source address '192.168.170.0/28'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop '192.168.1.202'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system host-name 'Test-OTP-VPN-Server'
set system login user vyos authentication encrypted-password 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '168.95.1.1'
set system name-server '168.95.192.1'
set system ntp server '168.95.195.12'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Taipei'


Reference client.ovpn for the PC


client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 1194
ca ca.crt
cert client.crt
key client.key
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
route-method exe
route-delay 2
auth-user-pass
reneg-sec 0
keepalive 10 120
auth-nocache
inactive 600