From 7be42d56d0106c934e67e9f99fb21537b2fa07c2 Mon Sep 17 00:00:00 2001
From: Joerg Lehmann
Date: Mon, 29 May 2017 20:41:13 +0200
Subject: [PATCH] Zweite OpenVPN Instanz auf Port 443/tcp
---
 README.md | 7 +++++-
 bin/startup.sh | 2 ++
 ccd/010003006017 | 1 +
 ccd/010003006018 | 1 +
 ccd/010003006019 | 1 +
 ccd/010003006020 | 1 +
 ccd/010003006021 | 1 +
 ccd/010003006022 | 1 +
 ccd/010003006023 | 1 +
 ccd/010003006024 | 1 +
 ccd/010003006025 | 1 +
 ccd/010003006026 | 1 +
 ccd/010003006027 | 1 +
 ccd/010003006028 | 1 +
 ccd/010003006029 | 1 +
 ccd/010003006030 | 1 +
 ccd/010003006031 | 1 +
 ccd/010003006032 | 1 +
 ccd/010003006033 | 1 +
 ccd/010003006034 | 1 +
 ccd/010003006035 | 1 +
 config/server-443.conf | 48 +++++++++++++++++++++++++++++++++++++++
 config/server.conf | 4 ++--
 leases/openvpn-443.leases | 0
 scripts/bridge-start.sh | 4 ++++
 scripts/bridge-stop.sh | 2 ++
 systemd/myopenvpn.service | 2 +-
 27 files changed, 84 insertions(+), 4 deletions(-)
 create mode 100644 ccd/010003006017
 create mode 100644 ccd/010003006018
 create mode 100644 ccd/010003006019
 create mode 100644 ccd/010003006020
 create mode 100644 ccd/010003006021
 create mode 100644 ccd/010003006022
 create mode 100644 ccd/010003006023
 create mode 100644 ccd/010003006024
 create mode 100644 ccd/010003006025
 create mode 100644 ccd/010003006026
 create mode 100644 ccd/010003006027
 create mode 100644 ccd/010003006028
 create mode 100644 ccd/010003006029
 create mode 100644 ccd/010003006030
 create mode 100644 ccd/010003006031
 create mode 100644 ccd/010003006032
 create mode 100644 ccd/010003006033
 create mode 100644 ccd/010003006034
 create mode 100644 ccd/010003006035
 create mode 100644 config/server-443.conf
 create mode 100644 leases/openvpn-443.leases
diff --git a/README.md b/README.md
index c9c2a00..ca829a8 100644
--- a/README.md
+++ b/README.md
@@ -77,8 +77,10 @@ Konfiguration /etc/nginx/nginx.conf:
 SELinux:
 # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
+# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
 # semanage port -a -t ssh_port_t -p tcp 2202
 # restorecon -v /opt/openvpn/status/openvpnserver-status.log
+# restorecon -v /opt/openvpn/status/openvpnserver-status-443.log
 Link erstellen:
 # cd /etc/openvpn && ln -s /opt/openvpn/config/server.conf .
@@ -93,8 +95,10 @@ enp0s10f1: Netzwerkinterface Richtung Intranet
 enp0s10f0 (192.168.99.11) ==> hier hoert OpenVPN und bildet das Device tap0
+Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP)
+
 -- enp0s10f0 => tap0 --+-- br0 (10.3.5.1)
- |
+ tap1 |
 -- enp0s10f1 ----------+
 ```
@@ -126,6 +130,7 @@ Firewall:
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT
+-I INPUT -i enp0s10f1 -p tcp -m udp --dport 443 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT
diff --git a/bin/startup.sh b/bin/startup.sh
index 2e42776..65d2578 100755
--- a/bin/startup.sh
+++ b/bin/startup.sh
@@ -5,3 +5,5 @@
 # Dann starten wir Openvpn
 /sbin/openvpn /opt/openvpn/config/server.conf
+# und jetzt noch die zweite Instanz...
+/sbin/openvpn /opt/openvpn/config/server-443.conf
diff --git a/ccd/010003006017 b/ccd/010003006017
new file mode 100644
index 0000000..ba4ca30
--- /dev/null
+++ b/ccd/010003006017
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.17 255.255.0.0
diff --git a/ccd/010003006018 b/ccd/010003006018
new file mode 100644
index 0000000..2af266d
--- /dev/null
+++ b/ccd/010003006018
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.18 255.255.0.0
diff --git a/ccd/010003006019 b/ccd/010003006019
new file mode 100644
index 0000000..a7bdf13
--- /dev/null
+++ b/ccd/010003006019
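Review bot: The firewall line added in the third README hunk, `-I INPUT -i enp0s10f1 -p tcp -m udp --dport 443 -j ACCEPT`, combines `-p tcp` with the udp match; iptables refuses to load that rule because the udp match is only valid together with `-p udp`, so following the documented procedure never opens 443/tcp, and if the rules are applied as one ruleset via iptables-restore the whole set is rejected. It should read `-I INPUT -i enp0s10f1 -p tcp -m tcp --dport 443 -j ACCEPT`, mirroring the 1194 line above it. As with the existing 1194 rule, inserting with `-I` puts the accept ahead of every other INPUT rule; a `-A` placed next to the other port rules keeps the documented order readable.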
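Review bot: The second `/sbin/openvpn` call added at the end of bin/startup.sh runs whether or not the first one succeeded, and because the script's exit status is that of its last command, a failed start of the tap0 instance is masked whenever the 443 instance starts cleanly; `/sbin/openvpn /opt/openvpn/config/server.conf || exit 1` plus the same `|| exit 1` on the new line lets the unit (Type=forking, which honours the script's exit code) fail visibly. The new instance writes its own pid file (`writepid /var/run/openvpn-server/myopenvpn-443.pid` in server-443.conf), but bin/shutdown.sh, which ExecStop runs, is not part of this commit — if it only stops the pid recorded in `myopenvpn.pid`, the tap1 instance survives a service stop; that file is not in the diff, so please confirm.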
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.19 255.255.0.0
diff --git a/ccd/010003006020 b/ccd/010003006020
new file mode 100644
index 0000000..191579a
--- /dev/null
+++ b/ccd/010003006020
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.20 255.255.0.0
diff --git a/ccd/010003006021 b/ccd/010003006021
new file mode 100644
index 0000000..dd1dbf9
--- /dev/null
+++ b/ccd/010003006021
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.21 255.255.0.0
diff --git a/ccd/010003006022 b/ccd/010003006022
new file mode 100644
index 0000000..ba89f6c
--- /dev/null
+++ b/ccd/010003006022
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.22 255.255.0.0
diff --git a/ccd/010003006023 b/ccd/010003006023
new file mode 100644
index 0000000..4e3e219
--- /dev/null
+++ b/ccd/010003006023
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.23 255.255.0.0
diff --git a/ccd/010003006024 b/ccd/010003006024
new file mode 100644
index 0000000..d9be7e0
--- /dev/null
+++ b/ccd/010003006024
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.24 255.255.0.0
diff --git a/ccd/010003006025 b/ccd/010003006025
new file mode 100644
index 0000000..5e18f8d
--- /dev/null
+++ b/ccd/010003006025
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.25 255.255.0.0
diff --git a/ccd/010003006026 b/ccd/010003006026
new file mode 100644
index 0000000..0c16217
--- /dev/null
+++ b/ccd/010003006026
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.26 255.255.0.0
diff --git a/ccd/010003006027 b/ccd/010003006027
new file mode 100644
index 0000000..a5da678
--- /dev/null
+++ b/ccd/010003006027
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.27 255.255.0.0
diff --git a/ccd/010003006028 b/ccd/010003006028
new file mode 100644
index 0000000..fa3c0f5
--- /dev/null
+++ b/ccd/010003006028
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.28 255.255.0.0
diff --git a/ccd/010003006029 b/ccd/010003006029
new file mode 100644
index 0000000..2a92ab0
--- /dev/null
+++ b/ccd/010003006029
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.29 255.255.0.0
diff --git a/ccd/010003006030 b/ccd/010003006030
new file mode 100644
index 0000000..2b8f23b
--- /dev/null
+++ b/ccd/010003006030
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.30 255.255.0.0
diff --git a/ccd/010003006031 b/ccd/010003006031
new file mode 100644
index 0000000..b6f7af2
--- /dev/null
+++ b/ccd/010003006031
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.31 255.255.0.0
diff --git a/ccd/010003006032 b/ccd/010003006032
new file mode 100644
index 0000000..ad6cce1
--- /dev/null
+++ b/ccd/010003006032
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.32 255.255.0.0
diff --git a/ccd/010003006033 b/ccd/010003006033
new file mode 100644
index 0000000..36541ca
--- /dev/null
+++ b/ccd/010003006033
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.33 255.255.0.0
diff --git a/ccd/010003006034 b/ccd/010003006034
new file mode 100644
index 0000000..9b5101e
--- /dev/null
+++ b/ccd/010003006034
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.34 255.255.0.0
diff --git a/ccd/010003006035 b/ccd/010003006035
new file mode 100644
index 0000000..6d3a0e9
--- /dev/null
+++ b/ccd/010003006035
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.35 255.255.0.0
diff --git a/config/server-443.conf b/config/server-443.conf
new file mode 100644
index 0000000..e579931
--- /dev/null
+++ b/config/server-443.conf
@@ -0,0 +1,48 @@
+mode server
+daemon
+tls-server
+proto tcp
+port 443
+local 192.168.99.11
+client-config-dir /opt/openvpn/ccd
+script-security 3
+writepid /var/run/openvpn-server/myopenvpn-443.pid
+
+; tunnel configuration
+dev tap1
+server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
+passtos
+comp-lzo
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+; loggin and status
+ifconfig-pool-persist /opt/openvpn/leases/openvpn-443.leases
+status-version 2
+status /opt/openvpn/status/openvpnserver-status-443.log 5;
+verb 3
+client-connect /opt/openvpn/scripts/logon.sh
+client-disconnect /opt/openvpn/scripts/logoff.sh
+
+; routing
+;push "route 10.3.0.0 255.255.0.0"
+
+; management
+management localhost 6667
+
+; certificates and authentication
+dh /opt/openvpn/private/dh1024.pem
+ca /opt/openvpn/ca/cacert.pem
+cert /opt/openvpn/certs/hostcert.pem
+key /opt/openvpn/private/hostkey.pem
+verify-client-cert none
+username-as-common-name
+auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
+;client-to-client
+keepalive 10 60
+max-clients 50
+
+; explicit exit
+push "explicit-exit-notify"
diff --git a/config/server.conf b/config/server.conf
index 35ba302..5cd8a74 100644
--- a/config/server.conf
+++ b/config/server.conf
@@ -6,7 +6,7 @@ port 1194
 local 192.168.99.11
 client-config-dir /opt/openvpn/ccd
 script-security 3
-writepid /var/run/openvpn/myopenvpn.pid
+writepid /var/run/openvpn-server/myopenvpn.pid
 ; tunnel configuration
 dev tap0
@@ -37,7 +37,7 @@ dh /opt/openvpn/private/dh1024.pem
 ca /opt/openvpn/ca/cacert.pem
 cert /opt/openvpn/certs/hostcert.pem
 key /opt/openvpn/private/hostkey.pem
-client-cert-not-required
+verify-client-cert none
 username-as-common-name
 auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
 ;client-to-client
diff --git a/leases/openvpn-443.leases b/leases/openvpn-443.leases
new file mode 100644
index 0000000..e69de29
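Review bot: `auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env` together with `script-security 3` in the new config/server-443.conf hands every client's username and password to the verify script through its environment, the variant the OpenVPN manual describes as less secure; `via-file` does the same job under `script-security 2` and keeps the credentials out of the process environment, which matters here because `verify-client-cert none` makes that password check the entire authentication of the 443/tcp listener. `management localhost 6667` is given without the optional password-file third argument, so any local process can connect to the management socket and issue commands; add a pw-file. None of the 48 new lines sets `cipher`, `auth` or `tls-version-min`, so the instance runs on the build's defaults (BF-CBC for OpenVPN 2.3/2.4), and the DH file name suggests 1024-bit parameters; `cipher AES-256-CBC` plus a 2048-bit DH file are the usual fix, and the `dh1024.pem` and `via-env` lines visible as context in the server.conf hunks share both issues. The `status` line ends in `5;` — the trailing semicolon looks like a typo for `5` and is worth removing before the parser's tolerance is relied on.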
diff --git a/scripts/bridge-start.sh b/scripts/bridge-start.sh
index 941f344..fea6d54 100755
--- a/scripts/bridge-start.sh
+++ b/scripts/bridge-start.sh
@@ -2,17 +2,21 @@
 br="br0"
 tap="tap0"
+tap1="tap1"
 eth="enp0s10f0"
 br_ip="10.3.5.1"
 br_netmask="255.255.0.0"
 br_broadcast="10.3.255.255"
 # Create the tap adapter
 openvpn --mktun --dev $tap
+openvpn --mktun --dev $tap1
 # Create the bridge and add interfaces
 brctl addbr $br
 brctl addif $br $eth
 brctl addif $br $tap
+brctl addif $br $tap1
 # Configure the bridge
 ifconfig $tap 0.0.0.0 promisc up
+ifconfig $tap1 0.0.0.0 promisc up
 ifconfig $eth 0.0.0.0 promisc up
 ifconfig $br $br_ip netmask $br_netmask broadcast $br_broadcast
diff --git a/scripts/bridge-stop.sh b/scripts/bridge-stop.sh
index 6c3d55c..f98c141 100755
--- a/scripts/bridge-stop.sh
+++ b/scripts/bridge-stop.sh
@@ -3,5 +3,7 @@
 ifconfig br0 down
 brctl delif br0 enp0s10f0
 brctl delif br0 tap0
+brctl delif br0 tap1
 brctl delbr br0
 openvpn --rmtun --dev tap0
+openvpn --rmtun --dev tap1
diff --git a/systemd/myopenvpn.service b/systemd/myopenvpn.service
index 60c9404..70896e4 100644
--- a/systemd/myopenvpn.service
+++ b/systemd/myopenvpn.service
@@ -8,7 +8,7 @@ PrivateTmp=true
 Type=forking
 ExecStart=/opt/openvpn/bin/startup.sh
 ExecStop=/opt/openvpn/bin/shutdown.sh
-PIDFile=/var/run/openvpn/myopenvpn.pid
+PIDFile=/var/run/openvpn-server/myopenvpn.pid
 [Install]
 WantedBy=multi-user.target
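Review bot: The three `tap1` lines added to scripts/bridge-start.sh duplicate the `tap0` line each time, and no command in the hunk, old or new, checks its exit status, so a failed `openvpn --mktun --dev $tap1` is followed by `brctl addif $br $tap1` and `ifconfig $tap1 ...` on a device that does not exist, with the bridge left half-built and the script still exiting 0. Keeping the tap names in one list and looping over them removes the copy-paste and gives one place to fail fast; scripts/bridge-stop.sh hard-codes `tap0`/`tap1` instead of reusing the variables, so the same list there would keep the two scripts in step. The hunk starts at line 2, so the shebang is outside it; the rewrite below stays POSIX in case the file runs under `/bin/sh`, and quotes the expansions that were bare before.

```sh
br="br0"
taps="tap0 tap1"
# … unchanged: eth, br_ip, br_netmask, br_broadcast assignments …

# Create the tap adapters (word-splitting of $taps is intended)
for t in $taps; do
  openvpn --mktun --dev "$t" || exit 1
done

# Create the bridge and add interfaces
brctl addbr "$br" || exit 1
brctl addif "$br" "$eth" || exit 1
for t in $taps; do
  brctl addif "$br" "$t" || exit 1
  ifconfig "$t" 0.0.0.0 promisc up || exit 1
done
# … unchanged: ifconfig $eth and ifconfig $br lines …
```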
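Review bot: `PIDFile=/var/run/openvpn-server/myopenvpn.pid` in systemd/myopenvpn.service still names only the first instance's pid file, so systemd supervises the tap0 process alone; the 443 instance launched by the same ExecStart (`writepid /var/run/openvpn-server/myopenvpn-443.pid` in server-443.conf) is invisible to it, and its exit neither fails the unit nor triggers a restart. Nothing in this commit creates the new `/var/run/openvpn-server` directory — unless the distribution's openvpn package provides it, both `writepid` lines fail on a fresh boot; `RuntimeDirectory=openvpn-server` in the [Service] section (the header is above the hunk) creates it before startup.sh runs. Running the two instances as two units, or as a template unit, would give each its own PIDFile and make stop/restart act on both.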