Background posts:
vyos [ vyatta ]
http://xrcd2.blogspot.tw/2014/09/vyos-vyatta.html
VyOS OpenVpn Plugin OTP ( SOP )
http://xrcd2.blogspot.tw/2015/03/vyos-openvpn-plugin-otp-sop.html
VyOS+OpenVPN+MFA
http://xrcd2.blogspot.tw/2016/09/vyosopenvpnmfa.html
Debian 9 (stretch): the current stable release
https://www.debian.org/releases/
Release index
The next Debian release is codenamed buster; its release date has not yet been set
Debian 9 (stretch): the current stable release
Debian 8 (jessie): obsolete stable release
Debian 7 (wheezy): obsolete stable release
Debian 6.0 (squeeze): obsolete stable release
The VyOS ISO build procedure is documented at:
https://wiki.vyos.net/wiki/Howto_build_an_ISO_image
1.2.0-beta and newer
The image build scripts for 1.2.0 had been rewritten from scratch to clean up the legacy code and make it easier to add new features. The build procedures also got much simpler.
Build host preparation
For building VyOS 1.2.0, the build host should run Debian Jessie. Building on Wheezy or Stretch is theoretically possible but wasn't tested; you can try it at your own risk.
or
https://github.com/vyos/vyos-build/
===============================
VyOS official site: https://vyos.io/
Here the ISO (live-image-amd64.hybrid.iso) was built on Debian 8 (jessie);
boot from it and you will see the following screen:
Once boot completes you get the vyos login prompt, shown below (default id/pwd vyos/vyos):
Installation and configuration are covered at the following URLs:
https://wiki.vyos.net/wiki/Installation
https://wiki.vyos.net/wiki/User_Guide
https://wiki.vyos.net/wiki/OpenVPN
To make installing Debian packages easy, /etc/apt/sources.list must be edited;
see https://linuxconfig.org/debian-apt-get-jessie-sources-list
Security Updates
# /etc/apt/sources.list :
deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free
Taiwan Mirror
# /etc/apt/sources.list :
deb http://ftp.tw.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.tw.debian.org/debian/ jessie main contrib non-free
Then run apt-get update; after that google-authenticator can be installed with apt-get install.
google-authenticator git URL: https://github.com/google/google-authenticator
#apt-get install libpam-google-authenticator
OpenVPN MFA integration settings
root@Test-OTP-VPN-Server:~# cat /etc/pam.d/openvpn
## A B part
auth required /lib/security/pam_google_authenticator.so forward_pass
auth required /lib/x86_64-linux-gnu/security/pam_unix.so use_first_pass
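The PAM chain above works because the client sends a single string via auth-user-pass: pam_google_authenticator with forward_pass peels the trailing TOTP digits off it, checks them, and forwards the remainder as the password that pam_unix (use_first_pass) verifies. The following model of that split and of the RFC 6238 TOTP check is an added example, not code from this post or from the google-authenticator project; the 6-digit codes, 30 s step, one step of skew, the sha256 stand-in for the shadow hash and all users, secrets and timestamps are assumptions or constructed data.

```python
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6    # Google Authenticator default code length
STEP = 30     # seconds per TOTP step (RFC 6238 default)
WINDOW = 1    # accept +/- one step of clock skew (assumed; module default window is 3 steps)

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: int) -> str:
    """RFC 6238: HOTP over floor(unix_time / STEP); the secret is the base32 string from ~/.google_authenticator."""
    return hotp(base64.b32decode(secret_b32, casefold=True), at // STEP)

def split_forward_pass(typed: str):
    """forward_pass: the trailing DIGITS characters are the OTP, the prefix is the forwarded password."""
    if len(typed) <= DIGITS or not typed[-DIGITS:].isdigit():
        return None
    return typed[:-DIGITS], typed[-DIGITS:]

def authenticate(user, typed, totp_secrets, unix_passwords, now=None):
    """Run both factors in the order /etc/pam.d/openvpn lists them; both must pass."""
    now = int(time.time()) if now is None else now
    parts = split_forward_pass(typed)
    if parts is None or user not in totp_secrets:
        return False
    password, otp = parts
    # pam_google_authenticator: constant-time match against each step in the skew window.
    otp_ok = any(hmac.compare_digest(totp(totp_secrets[user], now + k * STEP), otp)
                 for k in range(-WINDOW, WINDOW + 1))
    # pam_unix use_first_pass: verify the forwarded password. sha256 here is a
    # constructed stand-in for the real shadow(5) hash comparison.
    pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(),
                                unix_passwords.get(user, ""))
    return otp_ok and pw_ok

# Constructed sample data: one user enrolled with the RFC 6238 test secret.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
TOTP_SECRETS = {"alice": RFC6238_SECRET_B32}
UNIX_PASSWORDS = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}
```

The real module additionally accepts 8-digit scratch codes and, with DISALLOW_REUSE in ~/.google_authenticator, refuses to accept the same code twice; neither is modelled here.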
vyos@Test-OTP-VPN-Server:~$ cat /etc/debian_version
8.9
root@Test-OTP-VPN-Server:~# uname -ar
Linux Test-OTP-VPN-Server 4.4.47-amd64-vyos #1 SMP Sun Jul 23 11:41:18 EDT 2017 x86_64 GNU/Linux
root@Test-OTP-VPN-Server:~#
vyos@Test-OTP-VPN-Server:~$ show version
Version: VyOS 999.201709061524
Built by: root@debian
Built on: Wed 06 Sep 2017 15:24 UTC
Build ID: b1b93737-e3ee-459c-9e72-082479727dac
Architecture: x86_64
Boot via: installed image
System type: VMware guest
Hardware vendor: VMware, Inc.
Hardware model: VMware Virtual Platform
Hardware S/N: VMware-42 3a e8 ed 94 81 e8 34-4f c3 a7 33 b3 2a 8a ef
Hardware UUID: 423AE8ED-9481-E834-4FC3-A733B32A8AEF
Copyright: VyOS maintainers and contributors
vyos@Test-OTP-VPN-Server:~$
vyos@Test-OTP-VPN-Server:~$ show system image
The system currently has the following image(s) installed:
1: 999.201709061524 (default boot)
vyos@Test-OTP-VPN-Server:~$
OpenVPN MFA reference configuration:
vyos@Test-OTP-VPN-Server:~$ show configuration commands
set interfaces ethernet eth0 address '192.168.1.168/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:50:56:ba:38:3b'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces loopback 'lo'
set interfaces openvpn vtun0 encryption 'aes128'
set interfaces openvpn vtun0 hash 'sha1'
set interfaces openvpn vtun0 local-port '1194'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 openvpn-option '--reneg-sec 0 --duplicate-cn --comp-lzo --script-security 2 --plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn --username-as-common-name'
set interfaces openvpn vtun0 protocol 'tcp-passive'
set interfaces openvpn vtun0 server push-route '192.168.1.0/24'
set interfaces openvpn vtun0 server push-route '192.168.2.0/24'
set interfaces openvpn vtun0 server subnet '192.168.168.0/28'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/keys/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/keys/vpn-server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/keys/dh1024.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/keys/vpn-server.key'
set nat source rule 10 destination address '0.0.0.0/0'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 protocol 'all'
set nat source rule 10 source address '192.168.170.0/28'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop '192.168.1.202'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system host-name 'Test-OTP-VPN-Server'
set system login user vyos authentication encrypted-password 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '168.95.1.1'
set system name-server '168.95.192.1'
set system ntp server '168.95.195.12'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Taipei'
Reference client.ovpn for the PC
client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 1194
ca ca.crt
cert client.crt
key client.key
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
route-method exe
route-delay 2
auth-user-pass
reneg-sec 0
keepalive 10 120
auth-nocache
inactive 600