Zweite OpenVPN Instanz auf Port 443/tcp

README.md

@@ -77,8 +77,10 @@ Konfiguration /etc/nginx/nginx.conf:
 
 SELinux:
 # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
+# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
 # semanage port -a -t ssh_port_t -p tcp 2202
 # restorecon -v /opt/openvpn/status/openvpnserver-status.log
+# restorecon -v /opt/openvpn/status/openvpnserver-status-443.log
 
 Link erstellen:
 # cd /etc/openvpn && ln -s /opt/openvpn/config/server.conf .
@@ -93,8 +95,10 @@ enp0s10f1: Netzwerkinterface Richtung Intranet
 
 enp0s10f0 (192.168.99.11) ==> hier hoert OpenVPN und bildet das Device tap0
 
+Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP)
+
 -- enp0s10f0 => tap0 --+-- br0 (10.3.5.1)
-                       |
+                tap1   |
 -- enp0s10f1 ----------+
 ```
 
@@ -126,6 +130,7 @@ Firewall:
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT
+-I INPUT -i enp0s10f1 -p tcp -m udp --dport 443 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT

bin/startup.sh

@@ -5,3 +5,5 @@
 
 # Dann starten wir Openvpn
 /sbin/openvpn /opt/openvpn/config/server.conf
+# und jetzt noch die zweite Instanz...
+/sbin/openvpn /opt/openvpn/config/server-443.conf

ccd/010003006017

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.17 255.255.0.0

ccd/010003006018

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.18 255.255.0.0

ccd/010003006019

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.19 255.255.0.0

ccd/010003006020

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.20 255.255.0.0

ccd/010003006021

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.21 255.255.0.0

ccd/010003006022

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.22 255.255.0.0

ccd/010003006023

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.23 255.255.0.0

ccd/010003006024

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.24 255.255.0.0

ccd/010003006025

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.25 255.255.0.0

ccd/010003006026

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.26 255.255.0.0

ccd/010003006027

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.27 255.255.0.0

ccd/010003006028

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.28 255.255.0.0

ccd/010003006029

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.29 255.255.0.0

ccd/010003006030

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.30 255.255.0.0

ccd/010003006031

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.31 255.255.0.0

ccd/010003006032

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.32 255.255.0.0

ccd/010003006033

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.33 255.255.0.0

ccd/010003006034

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.34 255.255.0.0

ccd/010003006035

@@ -0,0 +1 @@
+ifconfig-push 10.3.6.35 255.255.0.0

config/server-443.conf

@@ -0,0 +1,48 @@
+mode server
+daemon
+tls-server
+proto tcp
+port  443
+local 192.168.99.11
+client-config-dir /opt/openvpn/ccd
+script-security 3
+writepid /var/run/openvpn-server/myopenvpn-443.pid
+
+; tunnel configuration
+dev tap1
+server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
+passtos
+comp-lzo
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+; loggin and status
+ifconfig-pool-persist /opt/openvpn/leases/openvpn-443.leases
+status-version 2
+status /opt/openvpn/status/openvpnserver-status-443.log 5;
+verb 3
+client-connect     /opt/openvpn/scripts/logon.sh
+client-disconnect  /opt/openvpn/scripts/logoff.sh
+
+; routing
+;push "route 10.3.0.0 255.255.0.0"
+
+; management 
+management localhost 6667
+
+; certificates and authentication
+dh   /opt/openvpn/private/dh1024.pem
+ca   /opt/openvpn/ca/cacert.pem
+cert /opt/openvpn/certs/hostcert.pem
+key  /opt/openvpn/private/hostkey.pem
+verify-client-cert none
+username-as-common-name
+auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
+;client-to-client
+keepalive 10 60
+max-clients 50
+
+; explicit exit
+push "explicit-exit-notify"

config/server.conf

@@ -6,7 +6,7 @@ port  1194
 local 192.168.99.11
 client-config-dir /opt/openvpn/ccd
 script-security 3
-writepid /var/run/openvpn/myopenvpn.pid
+writepid /var/run/openvpn-server/myopenvpn.pid
 
 ; tunnel configuration
 dev tap0
@@ -37,7 +37,7 @@ dh   /opt/openvpn/private/dh1024.pem
 ca   /opt/openvpn/ca/cacert.pem
 cert /opt/openvpn/certs/hostcert.pem
 key  /opt/openvpn/private/hostkey.pem
-client-cert-not-required
+verify-client-cert none
 username-as-common-name
 auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
 ;client-to-client

scripts/bridge-start.sh

@@ -2,17 +2,21 @@
 
 br="br0"
 tap="tap0"
+tap1="tap1"
 eth="enp0s10f0"
 br_ip="10.3.5.1"
 br_netmask="255.255.0.0"
 br_broadcast="10.3.255.255"
 # Create the tap adapter
 openvpn --mktun --dev $tap
+openvpn --mktun --dev $tap1
 # Create the bridge and add interfaces
 brctl addbr $br
 brctl addif $br $eth
 brctl addif $br $tap
+brctl addif $br $tap1
 # Configure the bridge
 ifconfig $tap 0.0.0.0 promisc up
+ifconfig $tap1 0.0.0.0 promisc up
 ifconfig $eth 0.0.0.0 promisc up
 ifconfig $br $br_ip netmask $br_netmask broadcast $br_broadcast

scripts/bridge-stop.sh

@@ -3,5 +3,7 @@
 ifconfig br0 down
 brctl delif br0 enp0s10f0
 brctl delif br0 tap0
+brctl delif br0 tap1
 brctl delbr br0
 openvpn --rmtun --dev tap0
+openvpn --rmtun --dev tap1

systemd/myopenvpn.service

@@ -8,7 +8,7 @@ PrivateTmp=true
 Type=forking
 ExecStart=/opt/openvpn/bin/startup.sh
 ExecStop=/opt/openvpn/bin/shutdown.sh
-PIDFile=/var/run/openvpn/myopenvpn.pid
+PIDFile=/var/run/openvpn-server/myopenvpn.pid
 
 [Install]
 WantedBy=multi-user.target