diff --git a/README.md b/README.md index 3023142..fe826fc 100644 --- a/README.md +++ b/README.md @@ -5,43 +5,23 @@ Installation Rocky Linux 9 Minimal Partitionierung (LVM; XFS als Filesystem): ``` /boot 1 GB -/ XXX GB -swap X GB +/ 64 GB +/home 32 GB +swap 4 GB ``` Netzwerkkonfiguration: ``` +# hostnamectl hostname ryovpn01.rych01.rychiger.com + Hostname: ryovpn01.rych01.rychiger.com DNS: 8.8.8.8 -NTP: XXXXXX - XXXXXX -TODO: - -TYPE="Ethernet" -NAME="enp0s10f0" -DEVICE="enp0s10f0" -ONBOOT="yes" -IPV6INIT=no -UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 - -TYPE="Ethernet" -BOOTPROTO="none" -DEFROUTE="yes" -IPV4_FAILURE_FATAL="no" -IPV6INIT="no" -NAME="enp0s10f1" -DEVICE="enp0s10f1" -ONBOOT="yes" -DNS1="8.8.8.8" -IPADDR=192.168.99.11 -PREFIX=24 -GATEWAY=192.168.99.1 -UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04 ``` Installation diverse Pakete ``` +# yum update # yum install kbd-legacy # dracut -f ``` @@ -59,6 +39,7 @@ Noch ein paar Zusatzpakete: # yum install bridge-utils -y # yum install tcpdump -y # yum install python3-bcrypt -y +# yum install tar -y ``` Wegen Entropy: @@ -84,12 +65,12 @@ Konfiguration /etc/nginx/nginx.conf: Installation von altem Server oder git uebernehmen... # cd /opt # git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn # use personal access token in Gitlab - +# cd openvpn && git checkout rockylinux9-based SELinux: # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log -# semanage port -a -t ssh_port_t -p tcp 2202 +# semanage port -a -t ssh_port_t -p tcp 2022 # restorecon -v /opt/openvpn/status/openvpnserver-status.log # restorecon -v /opt/openvpn/status/openvpnserver-status-443.log 
@@ -101,66 +82,31 @@ Link erstellen: Prinzipieller Aufbau: ``` -enp0s10f0: Netzwerkinterface Richtung Intranet -enp0s10f1: Netzwerkinterface Richtung Internet +ens4: Netzwerkinterface Richtung Intranet +ens3: Netzwerkinterface Richtung Internet -enp0s10f1 (192.168.99.11/24) ==> hier hoert OpenVPN und bildet das Device tap0 +ens3 (192.168.99.111/24) ==> hier hoert OpenVPN und bildet das Device tap0 Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP) --- enp0s10f1 => tap0 --+-- br0 (10.3.5.1/16) - tap1 | --- enp0s10f0 ----------+ +-- ens3 => tap0 --+-- br0 (10.3.5.10/16) + tap1 | +-- ens4 ----------+ ``` OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged) -Hyper-V Integration: - -Als Network-Karte muss Legacy gewaehlt werden. Spoofing muss erlaubt sein (wegen Bridge). Zeit Synchronisation muss abgeschaltet sein. - -``` -# yum install hyperv-daemons -# systemctl enable hypervvssd -# systemctl enable hypervkvpd -``` - -Firewall: -``` -/etc/sysconfig/iptables: -# sample configuration for iptables service -# you can edit this manually or use system-config-firewall -# please do not ask us to add additional ports/services to this default configuration -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] --A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT --A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6 --A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT --I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT --I INPUT -i enp0s10f1 -p tcp -m tcp --dport 443 -j ACCEPT --A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT --A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT --A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT --A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6 
-#-A INPUT -j DROP --A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6 -#-A FORWARD -j DROP --A OUTPUT -s 192.168.99.11/32 -j ACCEPT --A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT --A OUTPUT -p icmp -j ACCEPT --A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6 -#-A OUTPUT -j DROP -COMMIT -``` - ``` Disable IPv6: -# nmcli connection modify ipv6.method "disabled" +# nmcli connection modify ens3 ipv6.method "disabled" +# nmcli connection modify ens4 ipv6.method "disabled" + +Set end4 to unmanaged: + +[root@ryovpn01 ~]# cat /etc/NetworkManager/conf.d/99-unmanaged-devices.conf +[keyfile] +unmanaged-devices=interface-name:ens4 ``` ``` @@ -168,10 +114,6 @@ Disable IPv6: Port 22 Port 2022 ... -# Ciphers and keying -#RekeyLimit default none -Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com -KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 ``` @@ -190,9 +132,11 @@ MAILTO=root Startup mit Systemd einrichten: gemaess /opt/openvpn/systemd/README -Verzeichnis /opt/openvpn/users muss angelegt werden: +Verzeichnis /opt/openvpn/users ccd und status muss angelegt werden: ``` # mkdir /opt/openvpn/users +# mkdir /opt/openvpn/ccd +# mkdir /opt/openvpn/status ``` User anlegen: diff --git a/config/server-443.conf b/config/server-443.conf index 7cc76cc..f847b33 100644 --- a/config/server-443.conf +++ b/config/server-443.conf @@ -3,7 +3,7 @@ daemon tls-server proto tcp port 443 -local 192.168.99.11 +local 192.168.99.111 client-config-dir /opt/openvpn/ccd script-security 3 writepid /var/run/openvpn-server/myopenvpn-443.pid 
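Review bot: `local 192.168.99.111` is one of several hand-edited copies of the same address set in this commit — config/server.conf carries the same `local`, the README's `ens3 (192.168.99.111/24)` a third, and the `server-bridge 10.3.5.10` gateway in the next hunk of this file, in server.conf and as `br_ip` in scripts/bridge-start.sh must all agree as well — yet nothing in the repo ties them together, so the next address move can leave one stale. A comment line above each directive naming its twin makes the coupling visible at the point of edit, e.g. `; must be the ens3 address (README, Netzwerkkonfiguration)` above `local` and `; gateway must equal br_ip in scripts/bridge-start.sh` above `server-bridge`. Not introduced here, but the header of the following hunk shows `tls-cipher "DEFAULT:@SECLEVEL=0"` in both instances, which sets OpenSSL's security level to zero and re-enables algorithms the distribution crypto policy excludes; worth a follow-up to confirm which client still needs it.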
@@ -13,7 +13,7 @@ tls-cipher "DEFAULT:@SECLEVEL=0"
 ; tunnel configuration
 dev tap1
-server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
+server-bridge 10.3.5.10 255.255.0.0 10.3.6.1 10.3.7.254
 passtos
 comp-lzo
 persist-key
diff --git a/config/server.conf b/config/server.conf
index 25d167e..9de9786 100644
--- a/config/server.conf
+++ b/config/server.conf
@@ -3,7 +3,7 @@ daemon
 tls-server
 proto udp
 port 1194
-local 192.168.99.11
+local 192.168.99.111
 client-config-dir /opt/openvpn/ccd
 script-security 3
 writepid /var/run/openvpn-server/myopenvpn.pid
@@ -13,7 +13,7 @@ tls-cipher "DEFAULT:@SECLEVEL=0"
 ; tunnel configuration
 dev tap0
-server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
+server-bridge 10.3.5.10 255.255.0.0 10.3.6.1 10.3.7.254
 passtos
 comp-lzo
 persist-key
diff --git a/scripts/bridge-start.sh b/scripts/bridge-start.sh
index fea6d54..675e450 100755
--- a/scripts/bridge-start.sh
+++ b/scripts/bridge-start.sh
@@ -3,8 +3,8 @@ br="br0"
 tap="tap0"
 tap1="tap1"
-eth="enp0s10f0"
-br_ip="10.3.5.1"
+eth="ens4"
+br_ip="10.3.5.10"
 br_netmask="255.255.0.0"
 br_broadcast="10.3.255.255"
 # Create the tap adapter
diff --git a/scripts/bridge-stop.sh b/scripts/bridge-stop.sh
index f98c141..1534764 100755
--- a/scripts/bridge-stop.sh
+++ b/scripts/bridge-stop.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 ifconfig br0 down
-brctl delif br0 enp0s10f0
+brctl delif br0 ens4
 brctl delif br0 tap0
 brctl delif br0 tap1
 brctl delbr br0
diff --git a/scripts/reboot-if-ping-fails.sh b/scripts/reboot-if-ping-fails.sh
index 302395a..7ea9d83 100755
--- a/scripts/reboot-if-ping-fails.sh
+++ b/scripts/reboot-if-ping-fails.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-DEST="10.3.5.2"
+DEST="10.3.5.11"
 ping -c4 ${DEST} > /dev/null
diff --git a/systemd/myopenvpn.service b/systemd/myopenvpn.service
index 70896e4..280c838 100644
--- a/systemd/myopenvpn.service
+++ b/systemd/myopenvpn.service
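Review bot: `brctl delif br0 ens4` hard-codes the interface as a literal while scripts/bridge-start.sh in the same commit keeps it in `eth="ens4"`, so the two scripts can drift apart on the next rename; mirror the variable here with `eth="ens4"` after the shebang and `brctl delif br0 "$eth"`. The visible lines run without `set -e` or any status check, so a failed `delif` is silently followed by `brctl delbr br0`. `ifconfig` and `brctl` are the deprecated net-tools/bridge-utils interfaces; `ip link set br0 down` and `ip link set dev ens4 nomaster` are the iproute2 equivalents, though switching is beyond this hunk.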
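Review bot: `DEST="10.3.5.11"` points the reboot trigger at a host that appears nowhere else in this commit — the README's `Prinzipieller Aufbau` block documents br0 as 10.3.5.10 and says nothing about .11 — so a reader cannot tell what that peer is or why losing it should reboot the VPN server. Record it on the line, `DEST="10.3.5.11"  # peer on br0 whose reachability gates the reboot; see README`, and list the host in the README. Because one unreachable peer now reboots the server, it is worth confirming that 10.3.5.11 is something more stable than another client or a laptop. `${DEST}` on the ping line is unquoted; `ping -c4 "${DEST}" > /dev/null` is the safe form, and whatever follows the ping (presumably the reboot the filename promises) is outside the hunk.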
@@ -1,6 +1,6 @@
 [Unit]
 Description=My OpenVPN Service
-After=network-online.target network.target remote-fs.target nss-lookup.target
+After=network-online.target network.target remote-fs.target
 Requires=network-online.target
 [Service]
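Review bot: Dropping `nss-lookup.target` from `After=` removes the unit's only ordering on name resolution, and nothing in the file records why that is now safe; the `[Service]` section with the start command is outside the hunk, so it cannot be checked here. Both OpenVPN configs bind by literal address (`local 192.168.99.111`), which would justify the change if the bridge scripts also avoid hostnames — add a comment such as `# nss-lookup.target not needed: server configs bind by IP, no name resolution at start`, or keep the target if any start step resolves a name. `Requires=network-online.target` is unchanged, so ordering on the network being up still holds.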