new VM has been built, not tested yet (missing FW-forwarding

2022-10-21 14:27:05 +02:00 · 2022-10-21 14:27:05 +02:00 · 313aa93ce5
parent ab1cc24da2
commit 313aa93ce5
7 changed files with 35 additions and 91 deletions
--- a/README.md
+++ b/README.md
@ -5,43 +5,23 @@ Installation Rocky Linux 9 Minimal
 Partitionierung (LVM; XFS als Filesystem):
 ```
 /boot      1 GB
-/          XXX GB
+/          64 GB
-swap       X GB
+/home      32 GB
 swap       4 GB
 ```
 Netzwerkkonfiguration:
 ```
 # hostnamectl hostname ryovpn01.rych01.rychiger.com
 Hostname: ryovpn01.rych01.rychiger.com
 DNS:      8.8.8.8
 NTP:      XXXXXX
          XXXXXX
 TODO:
 TYPE="Ethernet"
 NAME="enp0s10f0"
 DEVICE="enp0s10f0"
 ONBOOT="yes"
 IPV6INIT=no
 UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03
 TYPE="Ethernet"
 BOOTPROTO="none"
 DEFROUTE="yes"
 IPV4_FAILURE_FATAL="no"
 IPV6INIT="no"
 NAME="enp0s10f1"
 DEVICE="enp0s10f1"
 ONBOOT="yes"
 DNS1="8.8.8.8"
 IPADDR=192.168.99.11
 PREFIX=24
 GATEWAY=192.168.99.1
 UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
 ```
 Installation diverse Pakete
 ```
 # yum update 
 # yum install kbd-legacy
 # dracut -f
 ```
@ -59,6 +39,7 @@ Noch ein paar Zusatzpakete:
 # yum install bridge-utils -y
 # yum install tcpdump -y
 # yum install python3-bcrypt -y
 # yum install tar -y
 ```
 Wegen Entropy:
@ -84,12 +65,12 @@ Konfiguration /etc/nginx/nginx.conf:
 Installation von altem Server oder git uebernehmen...
 # cd /opt
 # git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn    # use personal access token in Gitlab
-
+# cd openvpn && git checkout rockylinux9-based
 SELinux:
 # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
 # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
-# semanage port -a -t ssh_port_t -p tcp 2202
+# semanage port -a -t ssh_port_t -p tcp 2022
 # restorecon -v /opt/openvpn/status/openvpnserver-status.log
 # restorecon -v /opt/openvpn/status/openvpnserver-status-443.log
@ -101,66 +82,31 @@ Link erstellen:
 Prinzipieller Aufbau:
 ```
-enp0s10f0: Netzwerkinterface Richtung Intranet
+ens4: Netzwerkinterface Richtung Intranet
-enp0s10f1: Netzwerkinterface Richtung Internet
+ens3: Netzwerkinterface Richtung Internet
-enp0s10f1 (192.168.99.11/24) ==> hier hoert OpenVPN und bildet das Device tap0
+ens3 (192.168.99.111/24) ==> hier hoert OpenVPN und bildet das Device tap0
 Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP)
-- enp0s10f1 => tap0 --+-- br0 (10.3.5.1/16)
+-- ens3 => tap0 --+-- br0 (10.3.5.10/16)
-                tap1   |
+           tap1   |
-- enp0s10f0 ----------+
+-- ens4 ----------+
 ```
 OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged)
 Hyper-V Integration:
 Als Network-Karte muss Legacy gewaehlt werden. Spoofing muss erlaubt sein (wegen Bridge). Zeit Synchronisation muss abgeschaltet sein.
 ```
 # yum install hyperv-daemons
 # systemctl enable hypervvssd
 # systemctl enable hypervkvpd
 ```
 Firewall:
 ```
 /etc/sysconfig/iptables:
 # sample configuration for iptables service
 # you can edit this manually or use system-config-firewall
 # please do not ask us to add additional ports/services to this default configuration
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6
 -A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT
 -I INPUT -i enp0s10f1 -p tcp -m tcp --dport 443 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT
 -A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6
 #-A INPUT -j DROP
 -A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6
 #-A FORWARD -j DROP
 -A OUTPUT -s 192.168.99.11/32 -j ACCEPT
 -A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT
 -A OUTPUT -p icmp -j ACCEPT
 -A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6
 #-A OUTPUT -j DROP
 COMMIT
 ```
 ```
 Disable IPv6:
-# nmcli connection modify <Connection Name> ipv6.method "disabled"
+# nmcli connection modify ens3 ipv6.method "disabled"
 # nmcli connection modify ens4 ipv6.method "disabled"
 Set end4 to unmanaged:
 [root@ryovpn01 ~]# cat /etc/NetworkManager/conf.d/99-unmanaged-devices.conf
 [keyfile]
 unmanaged-devices=interface-name:ens4
 ```
 ```
@ -168,10 +114,6 @@ Disable IPv6:
 Port 22
 Port 2022
 ...
 # Ciphers and keying
 #RekeyLimit default none
 Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 ```
@ -190,9 +132,11 @@ MAILTO=root
 Startup mit Systemd einrichten:
 gemaess /opt/openvpn/systemd/README
-Verzeichnis /opt/openvpn/users muss angelegt werden:
+Verzeichnis /opt/openvpn/users ccd und status  muss angelegt werden:
 ```
 # mkdir /opt/openvpn/users
 # mkdir /opt/openvpn/ccd
 # mkdir /opt/openvpn/status
 ```
 User anlegen:
--- a/config/server-443.conf
+++ b/config/server-443.conf
@ -3,7 +3,7 @@ daemon
 tls-server
 proto tcp
 port  443
-local 192.168.99.11
+local 192.168.99.111
 client-config-dir /opt/openvpn/ccd
 script-security 3
 writepid /var/run/openvpn-server/myopenvpn-443.pid
@ -13,7 +13,7 @@ tls-cipher "DEFAULT:@SECLEVEL=0"
 ; tunnel configuration
 dev tap1
-server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
+server-bridge 10.3.5.10 255.255.0.0 10.3.6.1 10.3.7.254
 passtos
 comp-lzo
 persist-key
--- a/config/server.conf
+++ b/config/server.conf
@ -3,7 +3,7 @@ daemon
 tls-server
 proto udp
 port  1194
-local 192.168.99.11
+local 192.168.99.111
 client-config-dir /opt/openvpn/ccd
 script-security 3
 writepid /var/run/openvpn-server/myopenvpn.pid
@ -13,7 +13,7 @@ tls-cipher "DEFAULT:@SECLEVEL=0"
 ; tunnel configuration
 dev tap0
-server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
+server-bridge 10.3.5.10 255.255.0.0 10.3.6.1 10.3.7.254
 passtos
 comp-lzo
 persist-key
--- a/scripts/bridge-start.sh
+++ b/scripts/bridge-start.sh
@ -3,8 +3,8 @@
 br="br0"
 tap="tap0"
 tap1="tap1"
-eth="enp0s10f0"
+eth="ens4"
-br_ip="10.3.5.1"
+br_ip="10.3.5.10"
 br_netmask="255.255.0.0"
 br_broadcast="10.3.255.255"
 # Create the tap adapter
--- a/scripts/bridge-stop.sh
+++ b/scripts/bridge-stop.sh
@ -1,7 +1,7 @@
 #!/bin/bash
 ifconfig br0 down
-brctl delif br0 enp0s10f0
+brctl delif br0 ens4
 brctl delif br0 tap0
 brctl delif br0 tap1
 brctl delbr br0
--- a/scripts/reboot-if-ping-fails.sh
+++ b/scripts/reboot-if-ping-fails.sh
@ -1,5 +1,5 @@
 #!/bin/bash
-DEST="10.3.5.2"
+DEST="10.3.5.11"
 ping -c4 ${DEST} > /dev/null
--- a/systemd/myopenvpn.service
+++ b/systemd/myopenvpn.service
@ -1,6 +1,6 @@
 [Unit]
 Description=My OpenVPN Service
-After=network-online.target network.target remote-fs.target nss-lookup.target
+After=network-online.target network.target remote-fs.target
 Requires=network-online.target
 [Service]