From 8809349e6d7627c59f22f854f714481c44b402c2 Mon Sep 17 00:00:00 2001 
From: Joerg Lehmann
Date: Sat, 17 Dec 2016 15:44:44 +0100
Subject: [PATCH] Initial commit
---
.gitignore | 3 +
bin/shutdown.sh | 8 ++
bin/shutdown.sh.05jul2016 | 13 ++
bin/shutdown.sh.13oct2016 | 13 ++
bin/shutdown.sh.new | 8 ++
bin/startup.sh | 7 ++
bin/startup.sh.05jul2016 | 12 ++
bin/startup.sh.13oct2016 | 15 +++
bin/startup.sh.31aug2016 | 12 ++
bin/startup.sh.31aug2016-with-loop | 25 ++++
ca/cacert.pem | 21 ++++
ccd/010002005012 | 1 +
ccd/010003006001 | 1 +
ccd/010003006002 | 1 +
ccd/010003006003 | 1 +
ccd/010003006004 | 1 +
ccd/010003006005 | 1 +
ccd/010003006006 | 1 +
ccd/010003006007 | 1 +
ccd/010003006008 | 1 +
ccd/010003006009 | 1 +
ccd/010003006010 | 1 +
ccd/010003006011 | 1 +
ccd/010003006013 | 1 +
ccd/010003006014 | 1 +
ccd/010003006015 | 1 +
ccd/010003006016 | 1 +
certs/hostcert.pem | 20 ++++
config/server.conf | 48 ++++++++
config/server.conf.15sep2016 | 45 +++++++
config/server.conf.19sep2016 | 45 +++++++
config/server.conf.2jul2016 | 44 +++++++
leases/openvpn.leases | 0
private/dh1024.pem | 5 +
private/hostkey.pem | 15 +++
scripts/bridge-start.sh | 18 +++
scripts/bridge-stop.sh | 7 ++
scripts/logoff.sh | 6 +
scripts/logon.sh | 6 +
scripts/openvpn-auth.py | 17 +++
scripts/openvpn-auth.sh | 6 +
scripts/reboot-if-ping-fails.sh | 10 ++
sysoper/hashme.py | 18 +++
sysoper/sysoper_shell | 178 ++++++++++++++++++++++++++++
sysoper/sysoper_shell.05jul2016 | 143 ++++++++++++++++++++++
systemd/README | 4 +
systemd/myopenvpn.service | 14 +++
systemd/myopenvpn.service.05jul2016 | 13 ++
systemd/myopenvpn.service.31aug2016 | 13 ++
49 files changed, 828 insertions(+)
create mode 100644 .gitignore
create mode 100755 bin/shutdown.sh
create mode 100755 bin/shutdown.sh.05jul2016
create mode 100755 bin/shutdown.sh.13oct2016
create mode 100755 bin/shutdown.sh.new
create mode 100755 bin/startup.sh
create mode 100755 bin/startup.sh.05jul2016
create mode 100755 bin/startup.sh.13oct2016
create mode 100755 bin/startup.sh.31aug2016
create mode 100755 bin/startup.sh.31aug2016-with-loop
create mode 100644 ca/cacert.pem
create mode 100644 ccd/010002005012
create mode 100644 ccd/010003006001
create mode 100644 ccd/010003006002
create mode 100644 ccd/010003006003
create mode 100644 ccd/010003006004
create mode 100644 ccd/010003006005
create mode 100644 ccd/010003006006
create mode 100644 ccd/010003006007
create mode 100644 ccd/010003006008
create mode 100644 ccd/010003006009
create mode 100644 ccd/010003006010
create mode 100644 ccd/010003006011
create mode 100644 ccd/010003006013
create mode 100644 ccd/010003006014
create mode 100644 ccd/010003006015
create mode 100644 ccd/010003006016
create mode 100644 certs/hostcert.pem
create mode 100644 config/server.conf
create mode 100644 config/server.conf.15sep2016
create mode 100644 config/server.conf.19sep2016
create mode 100644 config/server.conf.2jul2016
create mode 100644 leases/openvpn.leases
create mode 100644 private/dh1024.pem
create mode 100644 private/hostkey.pem
create mode 100755 scripts/bridge-start.sh
create mode 100755 scripts/bridge-stop.sh
create mode 100755 scripts/logoff.sh
create mode 100755 scripts/logon.sh
create mode 100755 scripts/openvpn-auth.py
create mode 100755 scripts/openvpn-auth.sh
create mode 100755 scripts/reboot-if-ping-fails.sh
create mode 100755 sysoper/hashme.py
create mode 100755 sysoper/sysoper_shell
create mode 100755 sysoper/sysoper_shell.05jul2016
create mode 100644 systemd/README
create mode 100644 systemd/myopenvpn.service
create mode 100644 systemd/myopenvpn.service.05jul2016
create mode 100644 systemd/myopenvpn.service.31aug2016
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ae5ac22
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*.log
+*.pwd
+*.pyc
diff --git a/bin/shutdown.sh b/bin/shutdown.sh
new file mode 100755
index 0000000..ab96223
--- /dev/null
+++ b/bin/shutdown.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Zuerst stoppen wir Openvpn
+/bin/pkill openvpn
+
+# Dann stoppen wir die Bridge mit TAP-Device
+/opt/openvpn/scripts/bridge-stop.sh
+
diff --git a/bin/shutdown.sh.05jul2016 b/bin/shutdown.sh.05jul2016
new file mode 100755
index 0000000..89e518f
--- /dev/null
+++ b/bin/shutdown.sh.05jul2016
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Zuerst stoppen wir Openvpn
+pkill openvpn
+
+# Dann unmounten wir den CIFS-Share
+#/bin/umount /opt/openvpn/status
+/bin/systemctl stop opt-openvpn-status.mount
+#/bin/sleep 15
+
+# Dann stoppen wir die Bridge mit TAP-Device
+/opt/openvpn/scripts/bridge-stop.sh
+
diff --git a/bin/shutdown.sh.13oct2016 b/bin/shutdown.sh.13oct2016
new file mode 100755
index 0000000..f75a2c2
--- /dev/null
+++ b/bin/shutdown.sh.13oct2016
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Zuerst stoppen wir Openvpn
+/bin/pkill openvpn
+
+# Dann unmounten wir den CIFS-Share
+#/bin/umount /opt/openvpn/status
+/bin/systemctl stop opt-openvpn-status.mount
+#/bin/sleep 15
+
+# Dann stoppen wir die Bridge mit TAP-Device
+/opt/openvpn/scripts/bridge-stop.sh
+
diff --git a/bin/shutdown.sh.new b/bin/shutdown.sh.new
new file mode 100755
index 0000000..ab96223
--- /dev/null
+++ b/bin/shutdown.sh.new
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Zuerst stoppen wir Openvpn
+/bin/pkill openvpn
+
+# Dann stoppen wir die Bridge mit TAP-Device
+/opt/openvpn/scripts/bridge-stop.sh
+
diff --git a/bin/startup.sh b/bin/startup.sh
new file mode 100755
index 0000000..2e42776
--- /dev/null
+++ b/bin/startup.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Zuerst starten wir die Bridge mit TAP-Device
+/opt/openvpn/scripts/bridge-start.sh
+
+# Dann starten wir Openvpn
+/sbin/openvpn /opt/openvpn/config/server.conf
diff --git a/bin/startup.sh.05jul2016 b/bin/startup.sh.05jul2016
new file mode 100755
index 0000000..fe972bf
--- /dev/null
+++ b/bin/startup.sh.05jul2016
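Review bot: `/bin/pkill openvpn` in bin/shutdown.sh stops every process named openvpn on the host, not only the instance this unit started, and its exit status is never checked. Since config/server.conf writes `/var/run/openvpn/myopenvpn.pid` and systemd/myopenvpn.service declares that file as `PIDFile=`, the targeted form is `kill "$(cat /var/run/openvpn/myopenvpn.pid)"`, or drop the line entirely and let systemd signal the main PID while an `ExecStopPost=` runs bridge-stop.sh. The dated copies bin/shutdown.sh.05jul2016, .13oct2016 and .new (and the equivalent startup.sh, config/server.conf, sysoper/sysoper_shell and systemd/myopenvpn.service variants further down) duplicate history that git already keeps and should be dropped from the tree.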
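Review bot: bin/startup.sh runs /opt/openvpn/scripts/bridge-start.sh and then starts openvpn without checking whether the bridge came up, so a failed `brctl` or `ifconfig` step still leads to an openvpn start on a `dev tap0` that may not be attached to br0. A one-line guard keeps the failure visible to systemd: `/opt/openvpn/scripts/bridge-start.sh || exit 1`. bridge-start.sh itself only returns the status of its last `ifconfig`, so the guard becomes meaningful once that script also stops at its first error.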
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Zuerst starten wir die Bridge mit TAP-Device
+/opt/openvpn/scripts/bridge-start.sh
+
+# Dann mounten wir den CIFS-Share
+# (wird fuer Status-File gebraucht)
+#/bin/mount /opt/openvpn/status
+/bin/systemctl start opt-openvpn-status.mount
+#
+# Dann starten wir Openvpn
+/sbin/openvpn /opt/openvpn/config/server.conf
diff --git a/bin/startup.sh.13oct2016 b/bin/startup.sh.13oct2016
new file mode 100755
index 0000000..16286a1
--- /dev/null
+++ b/bin/startup.sh.13oct2016
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Zuerst starten wir die Bridge mit TAP-Device
+/opt/openvpn/scripts/bridge-start.sh
+
+# Pause...
+sleep 10
+
+# Dann mounten wir den CIFS-Share
+# (wird fuer Status-File gebraucht)
+#/bin/mount /opt/openvpn/status
+/bin/systemctl start opt-openvpn-status.mount
+#
+# Dann starten wir Openvpn
+/sbin/openvpn /opt/openvpn/config/server.conf
diff --git a/bin/startup.sh.31aug2016 b/bin/startup.sh.31aug2016
new file mode 100755
index 0000000..fe972bf
--- /dev/null
+++ b/bin/startup.sh.31aug2016
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Zuerst starten wir die Bridge mit TAP-Device
+/opt/openvpn/scripts/bridge-start.sh
+
+# Dann mounten wir den CIFS-Share
+# (wird fuer Status-File gebraucht)
+#/bin/mount /opt/openvpn/status
+/bin/systemctl start opt-openvpn-status.mount
+#
+# Dann starten wir Openvpn
+/sbin/openvpn /opt/openvpn/config/server.conf
diff --git a/bin/startup.sh.31aug2016-with-loop b/bin/startup.sh.31aug2016-with-loop
new file mode 100755
index 0000000..7f36edd
--- /dev/null
+++ b/bin/startup.sh.31aug2016-with-loop
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+IP_OF_CIFS_SERVER=10.3.5.2
+
+# Zuerst starten wir die Bridge mit TAP-Device
+/opt/openvpn/scripts/bridge-start.sh
+
+# Wir warten, bis ein ping erfolgreich ist...
+((count = 20)) # Maximum number to try.
+while [[ $count -ne 0 ]] ; do
+ ping -q -c 1 -W 1 $IP_OF_CIFS_SERVER >/dev/null # Try once.
+ rc=$?
+ if [[ $rc -eq 0 ]] ; then
+ ((count = 1)) # If okay, flag to exit loop.
+ fi
+ ((count = count - 1)) # So we don't go forever.
+done
+
+# Dann mounten wir den CIFS-Share
+# (wird fuer Status-File gebraucht)
+#/bin/mount /opt/openvpn/status
+/bin/systemctl start opt-openvpn-status.mount
+#
+# Dann starten wir Openvpn
+/sbin/openvpn /opt/openvpn/config/server.conf
diff --git a/ca/cacert.pem b/ca/cacert.pem
new file mode 100644
index 0000000..0bad34f
--- /dev/null
+++ b/ca/cacert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAmygAwIBAgIBATANBgkqhkiG9w0BAQUFADA6MQswCQYDVQQGEwJDSDET
+MBEGA1UEChMKUnljaGlnZXJBRzEWMBQGA1UEAxMNUnljaGlnZXJBRyBDQTAeFw0x
+MzA5MDEwMDAwMDBaFw0zMjAzMDcwNDU3MjBaMDoxCzAJBgNVBAYTAkNIMRMwEQYD
+VQQKEwpSeWNoaWdlckFHMRYwFAYDVQQDEw1SeWNoaWdlckFHIENBMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv+1MWXKP2LnbZILvFiBaHcMV8HLkrEg3
+9H3R4ssXQIrTAYyDxHIgq/Yd0WAIMN6pTioQR2/oYFGy0VHkl6GgqkE3YB843kug
+BTd4yrSS/FPu8hyjDp9nXytPj/EeujBVWNj/Q5qEzLzRVDKokoecaEpmG3Pu2DNe
+BINH9bfKWL1XSk9CPJ8B2TdLF/ijlz3fRQRxfTiLPuLVmh9q7truwrJfcee/hG9C
+4/2LDkLKDE6qtSD9PsC5vfrWf8cLm3Aa7e+6iQtbvJTRBSj5JA/nVN5F0jnj7OFk
+uewRGzE37ao0uRi8DDNP31MMhtdlYY9BmHD6i6ahdvHAoagFvFfljwIDAQABo4GU
+MIGRMB0GA1UdDgQWBBQmLa9T936sM1P1pvOTiRAjTvXr0jBiBgNVHSMEWzBZgBQm
+La9T936sM1P1pvOTiRAjTvXr0qE+pDwwOjELMAkGA1UEBhMCQ0gxEzARBgNVBAoT
+ClJ5Y2hpZ2VyQUcxFjAUBgNVBAMTDVJ5Y2hpZ2VyQUcgQ0GCAQEwDAYDVR0TBAUw
+AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAqQjj8sNPFfSLnj9VHJFQ2VQDApOOH+e0
+yKGEtiua+tU/g1gm6ZUigE3vfg71nyttjfCOYnvz8IEBBXHwjQai8J/0Hncuk5X/
+bYMhqS13i0Bhf36hWQ+DbYAsVJI/WVimAIoUie4yppxiGqG6WkgIfv7jGOlZchkJ
+vIdIPTMTQtfJtpOtHi49XZFJKyaXzOxdJZ0Bvs2Tp86IQHhN79p5oY6OGy0EbqOU
+JQkSRlOWrV5mnu8e3yLK4xMNZp4WWFPZX/clMGI5bSqBvR/wv/K1ZFVHYy+BYR7b
+C12Df38lY1e4vhsKTpzQ6HzDz2Wc03GPi14xQAmULA3QRV2kmcZ9gw==
+-----END CERTIFICATE-----
diff --git a/ccd/010002005012 b/ccd/010002005012
new file mode 100644
index 0000000..5865e81
--- /dev/null
+++ b/ccd/010002005012
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.12 255.255.0.0
diff --git a/ccd/010003006001 b/ccd/010003006001
new file mode 100644
index 0000000..d00d629
--- /dev/null
+++ b/ccd/010003006001
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.1 255.255.0.0
diff --git a/ccd/010003006002 b/ccd/010003006002
new file mode 100644
index 0000000..4808a85
--- /dev/null
+++ b/ccd/010003006002
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.2 255.255.0.0
diff --git a/ccd/010003006003 b/ccd/010003006003
new file mode 100644
index 0000000..009654c
--- /dev/null
+++ b/ccd/010003006003
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.3 255.255.0.0
diff --git a/ccd/010003006004 b/ccd/010003006004
new file mode 100644
index 0000000..d2cd4ca
--- /dev/null
+++ b/ccd/010003006004
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.4 255.255.0.0
diff --git a/ccd/010003006005 b/ccd/010003006005
new file mode 100644
index 0000000..2498195
--- /dev/null
+++ b/ccd/010003006005
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.5 255.255.0.0
diff --git a/ccd/010003006006 b/ccd/010003006006
new file mode 100644
index 0000000..198ccaa
--- /dev/null
+++ b/ccd/010003006006
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.6 255.255.0.0
diff --git a/ccd/010003006007 b/ccd/010003006007
new file mode 100644
index 0000000..cea4784
--- /dev/null
+++ b/ccd/010003006007
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.7 255.255.0.0
diff --git a/ccd/010003006008 b/ccd/010003006008
new file mode 100644
index 0000000..35a0172
--- /dev/null
+++ b/ccd/010003006008
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.8 255.255.0.0
diff --git a/ccd/010003006009 b/ccd/010003006009
new file mode 100644
index 0000000..df67515
--- /dev/null
+++ b/ccd/010003006009
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.9 255.255.0.0
diff --git a/ccd/010003006010 b/ccd/010003006010
new file mode 100644
index 0000000..fbca43f
--- /dev/null
+++ b/ccd/010003006010
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.10 255.255.0.0
diff --git a/ccd/010003006011 b/ccd/010003006011
new file mode 100644
index 0000000..2b7c850
--- /dev/null
+++ b/ccd/010003006011
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.11 255.255.0.0
diff --git a/ccd/010003006013 b/ccd/010003006013
new file mode 100644
index 0000000..7e52684
--- /dev/null
+++ b/ccd/010003006013
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.13 255.255.0.0
diff --git a/ccd/010003006014 b/ccd/010003006014
new file mode 100644
index 0000000..8416da3
--- /dev/null
+++ b/ccd/010003006014
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.14 255.255.0.0
diff --git a/ccd/010003006015 b/ccd/010003006015
new file mode 100644
index 0000000..49af6fb
--- /dev/null
+++ b/ccd/010003006015
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.15 255.255.0.0
diff --git a/ccd/010003006016 b/ccd/010003006016
new file mode 100644
index 0000000..f64b65e
--- /dev/null
+++ b/ccd/010003006016
@@ -0,0 +1 @@
+ifconfig-push 10.3.6.16 255.255.0.0
diff --git a/certs/hostcert.pem b/certs/hostcert.pem
new file mode 100644
index 0000000..286c867
--- /dev/null
+++ b/certs/hostcert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIBAjANBgkqhkiG9w0BAQQFADA6MQswCQYDVQQGEwJDSDET
+MBEGA1UEChMKUnljaGlnZXJBRzEWMBQGA1UEAxMNUnljaGlnZXJBRyBDQTAeFw0x
+MzA5MDEwMDAwMDBaFw0zMjAzMDcwNDU3MjFaMDoxCzAJBgNVBAYTAkNIMRMwEQYD
+VQQKEwpSeWNoaWdlckFHMRYwFAYDVQQDEw0xOTIuMTY4LjIuMTcxMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQCXKZ7MskpNXJfILLE8eFp9wvTChhaeGdbEFpgz
+acy9fiH4oKq5clTAh9r2BvgzwF2qbxcgLN6ybCrCg/w4yKpeVoXjQmGNgWcYm7ea
+eKMNGfpTvTRcEkJK8GDvFW2TiXTqu8VWOXpAfbxLPRCA0Yc4Bvdv4bDMWDKR1uM5
+9TQ/wwIDAQABo4HZMIHWMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMG
+CWCGSAGG+EIBDQQmFiRPcGVuU1NMIFNlcnZlciBHZW5lcmF0ZWQgQ2VydGlmaWNh
+dGUwHQYDVR0OBBYEFOBfur9RxlwjRARe7o6QJv9Qqyi0MGIGA1UdIwRbMFmAFCYt
+r1P3fqwzU/Wm85OJECNO9evSoT6kPDA6MQswCQYDVQQGEwJDSDETMBEGA1UEChMK
+UnljaGlnZXJBRzEWMBQGA1UEAxMNUnljaGlnZXJBRyBDQYIBATANBgkqhkiG9w0B
+AQQFAAOCAQEAltlPrZ6pfiL6+MZkqP5URWG5Aj84SmkkNvbTuST6SyYgmqINqGC8
+354Dky2STZsN0nowNOgfhi3lfNUxMtju22SZ5LwJ+Ku4InOHp3/TAMvBv2gS+6ua
+RLmf3KiSUcnKLh701wL1czVXL5/RGmhYHj64iTP2OTdoZcnwMYnfIetoTo57MW+e
+oq2KMBpn87+5Png7ybWayUVrYEoILU+5wqz2Mp/iZCic3ehgPrd//nPaSRUsIAwl
+qAAbg1xx76c/3DoCK7vmEkG2Cyj9XPt6YIam/pnOYc1CvHh81uMvjrjCQPiY+nOl
+K2uGxZgmKwO6zCOLQPiMleTx6VhZW6lF7A==
+-----END CERTIFICATE-----
diff --git a/config/server.conf b/config/server.conf
new file mode 100644
index 0000000..35ba302
--- /dev/null
+++ b/config/server.conf
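Review bot: certs/hostcert.pem, decoded from its DER header, appears to be signed with md5WithRSAEncryption (the `...BgkqhkiG9w0BAQQFA...` algorithm identifier) over a 1024-bit RSA key (`MIGfMA0G...` SubjectPublicKeyInfo); modern OpenSSL builds no longer accept MD5 certificate signatures, and 1024-bit RSA is below the 2048-bit minimum that current OpenVPN deployments typically require. The CA in ca/cacert.pem looks like sha1WithRSA over a 2048-bit key, so only the host certificate needs reissuing: generate a fresh 2048-bit or larger key, have the CA sign it with SHA-256, and replace the `cert`/`key` files referenced from config/server.conf. The certificate's CN decodes to an IP address, which is worth a comment if clients are expected to verify it.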
@@ -0,0 +1,48 @@
+mode server
+daemon
+tls-server
+proto udp
+port 1194
+local 192.168.99.11
+client-config-dir /opt/openvpn/ccd
+script-security 3
+writepid /var/run/openvpn/myopenvpn.pid
+
+; tunnel configuration
+dev tap0
+server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
+passtos
+comp-lzo
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+; loggin and status
+ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
+status-version 2
+status /opt/openvpn/status/openvpnserver-status.log 5;
+verb 3
+client-connect /opt/openvpn/scripts/logon.sh
+client-disconnect /opt/openvpn/scripts/logoff.sh
+
+; routing
+;push "route 10.3.0.0 255.255.0.0"
+
+; management
+management localhost 6666
+
+; certificates and authentication
+dh /opt/openvpn/private/dh1024.pem
+ca /opt/openvpn/ca/cacert.pem
+cert /opt/openvpn/certs/hostcert.pem
+key /opt/openvpn/private/hostkey.pem
+client-cert-not-required
+username-as-common-name
+auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
+;client-to-client
+keepalive 10 60
+max-clients 50
+
+; explicit exit
+push "explicit-exit-notify"
diff --git a/config/server.conf.15sep2016 b/config/server.conf.15sep2016
new file mode 100644
index 0000000..a834e28
--- /dev/null
+++ b/config/server.conf.15sep2016
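Review bot: `management localhost 6666` in config/server.conf opens the management interface with no password file, so any local process that can connect to TCP 6666 can issue management commands (disconnect clients, signal the daemon); OpenVPN takes an optional third argument naming a password file, `management localhost 6666 /opt/openvpn/private/<pw-file>`, which should be added and the file kept out of the repository. With `client-cert-not-required` and `username-as-common-name`, the bcrypt check in scripts/openvpn-auth.py is the only thing authenticating a client, and `auth-user-pass-verify ... via-env` under `script-security 3` hands the plaintext password to that script through the process environment — `via-file` keeps it out of the environment. `comp-lzo` compresses tunnelled data, which is the precondition for VORACLE-style plaintext recovery on a bridged LAN, so it is worth disabling unless the clients depend on it. The trailing `;` in `status ... 5;` looks like a stray character (OpenVPN uses `;` only to begin a comment line; presumably the value is still parsed as 5). The same lines appear in server.conf.15sep2016, .19sep2016 and .2jul2016.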
@@ -0,0 +1,45 @@
+mode server
+daemon
+tls-server
+proto udp
+port 1194
+local 192.168.99.11
+client-config-dir /opt/openvpn/ccd
+script-security 3
+writepid /var/run/openvpn/myopenvpn.pid
+
+; tunnel configuration
+dev tap0
+server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
+passtos
+comp-lzo
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+; loggin and status
+ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
+status-version 2
+status /opt/openvpn/status/openvpnserver-status.log 30;
+verb 3
+client-connect /opt/openvpn/scripts/logon.sh
+client-disconnect /opt/openvpn/scripts/logoff.sh
+
+; routing
+;push "route 10.3.0.0 255.255.0.0"
+
+; management
+management localhost 6666
+
+; certificates and authentication
+dh /opt/openvpn/private/dh1024.pem
+ca /opt/openvpn/ca/cacert.pem
+cert /opt/openvpn/certs/hostcert.pem
+key /opt/openvpn/private/hostkey.pem
+client-cert-not-required
+username-as-common-name
+auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
+;client-to-client
+keepalive 10 60
+max-clients 50
diff --git a/config/server.conf.19sep2016 b/config/server.conf.19sep2016
new file mode 100644
index 0000000..f3b373c
--- /dev/null
+++ b/config/server.conf.19sep2016
@@ -0,0 +1,45 @@
+mode server
+daemon
+tls-server
+proto udp
+port 1194
+local 192.168.99.11
+client-config-dir /opt/openvpn/ccd
+script-security 3
+writepid /var/run/openvpn/myopenvpn.pid
+
+; tunnel configuration
+dev tap0
+server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
+passtos
+comp-lzo
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+; loggin and status
+ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
+status-version 2
+status /opt/openvpn/status/openvpnserver-status.log 5;
+verb 3
+client-connect /opt/openvpn/scripts/logon.sh
+client-disconnect /opt/openvpn/scripts/logoff.sh
+
+; routing
+;push "route 10.3.0.0 255.255.0.0"
+
+; management
+management localhost 6666
+
+; certificates and authentication
+dh /opt/openvpn/private/dh1024.pem
+ca /opt/openvpn/ca/cacert.pem
+cert /opt/openvpn/certs/hostcert.pem
+key /opt/openvpn/private/hostkey.pem
+client-cert-not-required
+username-as-common-name
+auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
+;client-to-client
+keepalive 10 60
+max-clients 50
diff --git a/config/server.conf.2jul2016 b/config/server.conf.2jul2016
new file mode 100644
index 0000000..27143ef
--- /dev/null
+++ b/config/server.conf.2jul2016
@@ -0,0 +1,44 @@
+mode server
+daemon
+tls-server
+proto udp
+port 1194
+local 192.168.99.11
+client-config-dir /opt/openvpn/ccd
+script-security 3
+
+; tunnel configuration
+dev tap0
+server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
+passtos
+comp-lzo
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+; loggin and status
+ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
+status-version 2
+status /opt/openvpn/status/openvpnserver-status.log 30;
+verb 3
+client-connect /opt/openvpn/scripts/logon.sh
+client-disconnect /opt/openvpn/scripts/logoff.sh
+
+; routing
+;push "route 10.3.0.0 255.255.0.0"
+
+; management
+management localhost 6666
+
+; certificates and authentication
+dh /opt/openvpn/private/dh1024.pem
+ca /opt/openvpn/ca/cacert.pem
+cert /opt/openvpn/certs/hostcert.pem
+key /opt/openvpn/private/hostkey.pem
+client-cert-not-required
+username-as-common-name
+auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.sh via-env
+;client-to-client
+keepalive 10 60
+max-clients 50
diff --git a/leases/openvpn.leases b/leases/openvpn.leases
new file mode 100644
index 0000000..e69de29
diff --git a/private/dh1024.pem b/private/dh1024.pem
new file mode 100644
index 0000000..bea3589
--- /dev/null
+++ b/private/dh1024.pem
@@ -0,0 +1,5 @@
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAIPEsURCfpqVznQaOYeWUrTyvMBD2N+6V96Saz3VPJ9WfEoPWM/3CkWH
+G/wOFuSYCV8pGok9Y+d2N0V45x56CmhJp6CJdD0L9JwHNhXqRdDOxT1emOb43/Kk
+CAXggVkAWnA+XFYXol8lYDP9W5XrU7svRfUe33Q/ijHsaY23myqDAgEC
+-----END DH PARAMETERS-----
diff --git a/private/hostkey.pem b/private/hostkey.pem
new file mode 100644
index 0000000..fca3d31
--- /dev/null
+++ b/private/hostkey.pem
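Review bot: private/dh1024.pem carries 1024-bit DH parameters (the `MIGHAoGB...` header appears to encode a 128-byte prime), which is below the 2048 bits generally recommended today and is rejected at OpenSSL security level 2 and above. Regenerate with `openssl dhparam -out dh2048.pem 2048` and point the `dh` line in config/server.conf at the new file. These parameters are public, so unlike private/hostkey.pem they need replacing only for strength, not for secrecy.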
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCXKZ7MskpNXJfILLE8eFp9wvTChhaeGdbEFpgzacy9fiH4oKq5
+clTAh9r2BvgzwF2qbxcgLN6ybCrCg/w4yKpeVoXjQmGNgWcYm7eaeKMNGfpTvTRc
+EkJK8GDvFW2TiXTqu8VWOXpAfbxLPRCA0Yc4Bvdv4bDMWDKR1uM59TQ/wwIDAQAB
+AoGAZgnLTyP+8g/RyWcZ0NbxRrlmXTUEaX7JsZ4K6ZG+ih9tsRZLiFk8CqbqUG9N
+9ikhUR4iPy7quQg5KQrNJEuYbIJfXyEGjiq8khp1U91rAeklgq19jWRN/QdwVLIK
+kXlcPjH7SGfSRPUnRnBdeADFf+oDN+3ZgDBvJu4IFqlyMJECQQDH+/XesmSNJnFa
+67t+azipOiPYzLCk4I0xOMgk2fVj0LQ2bULosfclfwrcL2Mc5dPrjWa1yPvmsk8k
+5wJPSL6ZAkEAwYDcwwLbwFvG2T1wm7QvaEDbQVVBwxZPGgG4titgyOYb+E/6QKaa
+ZbEuBmL/W8WhJga9yAYUJhGarQmWJ3r2uwJBAJal5lSJPBfcYr3kIIyeBsPsST6z
+C0pY4eO3a4XfLuyvNmJdsm6KSaxUZIDzrY0CUL77+Oht69yga+BXqTTCjtkCQCT6
+ZzWtGimMYFerchWPPXAC1OOLU2HgpYUmxxGpAHnj33x4bC5mqCK+1TjLOlljTwRh
+TWsoHjmYK6LdriAlU3kCQGVnfQhlOcw5b0igA7DWo/cJsMfZplkilrW6JA16HxaT
+xBmbi6l71pbcSlR9RlzU7Y4kTLaVPAy5oKbWOSzbfHw=
+-----END RSA PRIVATE KEY-----
diff --git a/scripts/bridge-start.sh b/scripts/bridge-start.sh
new file mode 100755
index 0000000..941f344
--- /dev/null
+++ b/scripts/bridge-start.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+br="br0"
+tap="tap0"
+eth="enp0s10f0"
+br_ip="10.3.5.1"
+br_netmask="255.255.0.0"
+br_broadcast="10.3.255.255"
+# Create the tap adapter
+openvpn --mktun --dev $tap
+# Create the bridge and add interfaces
+brctl addbr $br
+brctl addif $br $eth
+brctl addif $br $tap
+# Configure the bridge
+ifconfig $tap 0.0.0.0 promisc up
+ifconfig $eth 0.0.0.0 promisc up
+ifconfig $br $br_ip netmask $br_netmask broadcast $br_broadcast
diff --git a/scripts/bridge-stop.sh b/scripts/bridge-stop.sh
new file mode 100755
index 0000000..6c3d55c
--- /dev/null
+++ b/scripts/bridge-stop.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+ifconfig br0 down
+brctl delif br0 enp0s10f0
+brctl delif br0 tap0
+brctl delbr br0
+openvpn --rmtun --dev tap0
diff --git a/scripts/logoff.sh b/scripts/logoff.sh
new file mode 100755
index 0000000..018d9a9
--- /dev/null
+++ b/scripts/logoff.sh
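Review bot: private/hostkey.pem is an unencrypted RSA private key committed to the repository (its `MIICXAIBAAKBgQ...` header indicates a 1024-bit key, matching certs/hostcert.pem), so anyone with read access to this git history now holds the server's TLS identity. Treat the key as compromised: generate a new key and certificate, revoke this one at the CA, and purge the file from history rather than merely deleting it in a later commit. The .gitignore added in this commit covers `*.pwd` but not `private/`; adding `private/` there prevents the replacement key from being committed by accident.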
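Review bot: scripts/bridge-start.sh runs `openvpn --mktun`, three `brctl` calls and three `ifconfig` calls with no `set -e` and no status checks, so a failure part-way through (tap0 or br0 already existing, `enp0s10f0` renamed) leaves a half-built bridge while the script still exits 0 whenever the last `ifconfig` succeeds. Adding `set -e` after the shebang, or `|| exit 1` on each command, lets the caller in bin/startup.sh notice. `brctl` and `ifconfig` are the deprecated bridge-utils/net-tools interfaces; `ip link add br0 type bridge` and `ip link set tap0 master br0` are the iproute2 equivalents, though that is a style choice rather than a defect.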
@@ -0,0 +1,6 @@
+#!/bin/bash
+echo logoff ${common_name} ${trusted_ip} $(date) ${bytes_sent} ${bytes_received} >> /opt/openvpn/log/logon.log
+echo logoff ${common_name} ${trusted_ip} $(date) ${bytes_sent} ${bytes_received} >> /opt/openvpn/log/${common_name}.log
+# ARP Eintrag loeschen
+#/sbin/arp -i br0 -d ${ifconfig_pool_remote_ip}
+exit 0
diff --git a/scripts/logon.sh b/scripts/logon.sh
new file mode 100755
index 0000000..a7d4d58
--- /dev/null
+++ b/scripts/logon.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+echo logon ${common_name} ${trusted_ip} $(date) >> /opt/openvpn/log/logon.log
+echo logon ${common_name} ${trusted_ip} $(date) >> /opt/openvpn/log/${common_name}.log
+# noch einen ARP Eintrag erstellen
+#/sbin/arp -i br0 -Ds ${ifconfig_pool_remote_ip} br0 pub
+exit 0
diff --git a/scripts/openvpn-auth.py b/scripts/openvpn-auth.py
new file mode 100755
index 0000000..6cedcbb
--- /dev/null
+++ b/scripts/openvpn-auth.py
@@ -0,0 +1,17 @@
+#!/usr/bin/python
+import bcrypt, os, sys
+
+username = os.environ.get('username')
+if not username:
+ sys.exit(1)
+
+password = os.environ.get('password')
+if not password:
+ sys.exit(1)
+
+file = open('/opt/openvpn/users/'+username+'.pwd', 'r')
+hashed=file.read().rstrip()
+if bcrypt.hashpw(password, hashed) == hashed:
+ sys.exit(0)
+else:
+ sys.exit(1)
diff --git a/scripts/openvpn-auth.sh b/scripts/openvpn-auth.sh
new file mode 100755
index 0000000..5541e7c
--- /dev/null
+++ b/scripts/openvpn-auth.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+if grep "^${username} ${password};$" /opt/openvpn/users/users.txt >/dev/null ; then
+ exit 0
+fi
+
+exit 1
diff --git a/scripts/reboot-if-ping-fails.sh b/scripts/reboot-if-ping-fails.sh
new file mode 100755
index 0000000..302395a
--- /dev/null
+++ b/scripts/reboot-if-ping-fails.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+DEST="10.3.5.2"
+
+ping -c4 ${DEST} > /dev/null
+
+if [ $? != 0 ]
+then
+ echo "$(date): cannot ping ${DEST}, rebooting now..." >> /opt/openvpn/scripts/reboot-if-ping-fails.log
+ /sbin/shutdown -r now
+fi
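Review bot: scripts/logoff.sh (and scripts/logon.sh, which has the same pattern) uses `${common_name}` unquoted and as a path component in `>> /opt/openvpn/log/${common_name}.log`. With `username-as-common-name` in config/server.conf the common name is the login name the client supplied, so a name containing `/`, whitespace or glob characters changes which file is appended to or breaks the redirection; openvpn-auth.py only authenticates names whose `.pwd` file exists, which narrows but does not remove the issue. Validate the name before use and quote every expansion, e.g. `[[ "$common_name" =~ ^[A-Za-z0-9_-]+$ ]] || exit 1` near the top of both scripts (a non-zero exit from the client-connect script rejects the connection), then `printf '%s\n' "logoff $common_name $trusted_ip $(date) $bytes_sent $bytes_received" >> "/opt/openvpn/log/$common_name.log"`.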
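Review bot: scripts/openvpn-auth.py builds the path `'/opt/openvpn/users/'+username+'.pwd'` straight from the client-supplied `username` environment variable, so a name containing `/` or `..` selects a file outside users/ (the fixed `.pwd` suffix limits but does not prevent this), and an unknown user, or an empty `.pwd` file, raises an exception and exits through a traceback rather than a clean `sys.exit(1)`. Restrict the name with a whitelist such as `if not re.match(r'^[A-Za-z0-9_-]+$', username): sys.exit(1)` before opening anything, open the file in a `with` block so it is closed, and compare with `hmac.compare_digest` (Python 2.7.7+) instead of `==`. The shebang targets `/usr/bin/python` (Python 2); `bcrypt.hashpw` on Python 3 requires bytes, so the script will need `.encode()` calls if the interpreter is ever upgraded.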
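Review bot: scripts/openvpn-auth.sh interpolates `${username}` and `${password}` into a basic regular expression for `grep`, so regex metacharacters in either value change what the pattern matches, and the users.txt it consults stores passwords in clear text. Only config/server.conf.2jul2016 still references this script (the current server.conf uses openvpn-auth.py), so the cleanest fix is to delete it; if it is kept, use a fixed-string whole-line match, `grep -qFx -- "${username} ${password};" /opt/openvpn/users/users.txt`, and move the credentials to hashed storage.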
diff --git a/sysoper/hashme.py b/sysoper/hashme.py
new file mode 100755
index 0000000..0ff7ba2
--- /dev/null
+++ b/sysoper/hashme.py
@@ -0,0 +1,18 @@
+#!/usr/bin/python
+#
+# Input: String via Environment-Variable "string_to_hash"
+# Output: STDOUT: Passwort Hash (bcrypt)
+#
+# 2. Juli 2016
+# Joerg Lehmann, nbit Informatik GmbH
+#
+import bcrypt, os, sys
+
+password = os.environ.get('string_to_hash')
+if not password:
+ sys.exit()
+
+# Hash a password for the first time, with a randomly-generated salt
+hashed = bcrypt.hashpw(password, bcrypt.gensalt())
+
+print "%s" % (hashed)
diff --git a/sysoper/sysoper_shell b/sysoper/sysoper_shell
new file mode 100755
index 0000000..a635c5b
--- /dev/null
+++ b/sysoper/sysoper_shell
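Review bot: sysoper/hashme.py exits with status 0 and prints nothing when `string_to_hash` is unset or empty (the bare `sys.exit()`), so a caller such as `hash="$(/opt/openvpn/sysoper/hashme.py)"` in sysoper/sysoper_shell silently receives an empty string and writes an empty `.pwd` file for the user. Use `sys.exit(1)` there and write a message to stderr so the shell can detect the failure. The bcrypt work factor is left at the library default (`bcrypt.gensalt()` with no argument); pinning it, e.g. `bcrypt.gensalt(rounds=12)`, makes the cost explicit and reviewable.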
@@ -0,0 +1,178 @@
+#!/bin/bash
+
+ReadToContinue() {
+ echo "Return Taste zum fortfahren..."
+ read
+}
+
+AddUser() {
+ echo -n "Benutzername : "
+ read username
+ echo -n "IP Adresse : "
+ read ip
+ echo -n "Passwort : "
+ read pwd
+ export string_to_hash="${pwd}"
+ hash="$(/opt/openvpn/sysoper/hashme.py)"
+ echo "${hash}" > /opt/openvpn/users/${username}.pwd
+ echo "ifconfig-push ${ip} 255.255.0.0" > /opt/openvpn/ccd/${username}
+ echo "User ${username} wurde erzeugt"
+ ReadToContinue
+}
+
+ChangePassword() {
+ echo -n "Benutzername : "
+ read username
+ if [ -f /opt/openvpn/users/${username}.pwd ]; then
+ echo -n "Passwort : "
+ read pwd
+ export string_to_hash="${pwd}"
+ hash="$(/opt/openvpn/sysoper/hashme.py)"
+ echo "${hash}" > /opt/openvpn/users/${username}.pwd
+ ReadToContinue
+ else
+ echo "User ${username} existiert nicht"
+ ReadToContinue
+ fi
+}
+
+DeleteUser() {
+ echo -n "Benutzername : "
+ read username
+ if [ -f /opt/openvpn/users/${username}.pwd ]; then
+ rm /opt/openvpn/users/${username}.pwd
+ echo "User ${username} wurde geloescht"
+ # Das CCD-File loeschen wir auch, falls vorhanden
+ if [ -f /opt/openvpn/ccd/${username} ]; then
+ rm /opt/openvpn/ccd/${username}
+ fi
+ ReadToContinue
+ else
+ echo "User ${username} existiert nicht"
+ ReadToContinue
+ fi
+}
+
+ShowUser() {
+ echo -n "Benutzername : "
+ read username
+ ip=""
+ if [ -f /opt/openvpn/users/${username}.pwd ]; then
+ if [ -f /opt/openvpn/ccd/${username} ]; then
+ ip="$(cat /opt/openvpn/ccd/${username} |awk '{print $2}')"
+ fi
+ echo "User ${username} existiert und hat die IP Adresse ${ip}"
+ echo
+ echo "Folgendes sind die letzten 20 Logeintraege fuer diesen User:"
+ echo
+ if [ -f /opt/openvpn/log/${username}.log ]; then
+ tail -20 /opt/openvpn/log/${username}.log
+ else
+ echo "Es existieren keine Logeintraege"
+ fi
+ ReadToContinue
+ else
+ echo "User ${username} existiert nicht"
+ ReadToContinue
+ fi
+}
+
+ListUsers() {
+ echo
+ echo "Username IP Adresse"
+ echo "=================================="
+ for userfile in $(ls -1 /opt/openvpn/users/*.pwd 2>/dev/null) ; do
+ user="${userfile##*/}"
+ user="${user%.pwd}"
+ ip="N/A"
+ if [ -f /opt/openvpn/ccd/${user} ]; then
+ ip="$(cat /opt/openvpn/ccd/${user} |awk '{print $2}')"
+ fi
+ printf "%-20s %-15s\n" "$user" "$ip"
+ done
+ echo
+ ReadToContinue
+}
+
+ShowLogfile() {
+ echo "Hinweis: mit Taste G zum Ende des Logs gehen..., Space fuer Seitenweises vorwaertsgehen..."
+ echo
+ ReadToContinue
+ /bin/less /opt/openvpn/log/logon.log
+}
+
+AdvancedMenu() {
+ acharacter=0
+ while [ "${acharacter}" != "9" ]; do
+ clear
+ echo "Advanced Functions"
+ echo "=================="
+ echo "1 - OpenVPN Dienst stoppen"
+ echo "2 - OpenVPN Dienst starten"
+ echo "3 - OpenVPN Dienst Statusabfrage"
+ echo "4 - Passwort von sysoper aendern"
+ echo
+ echo "9 - Zurueck zum Hauptmenu"
+ echo
+ echo -n "Bitte Option waehlen > "
+ read acharacter
+ case ${acharacter} in
+ 1) /bin/sudo /bin/systemctl stop myopenvpn
+ ReadToContinue
+ ;;
+ 2) /bin/sudo /bin/systemctl start myopenvpn
+ ReadToContinue
+ ;;
+ 3) /bin/sudo /bin/systemctl status myopenvpn
+ ReadToContinue
+ ;;
+ 4) /bin/passwd sysoper
+ ;;
+ 9) echo Zurueck...
+ ;;
+ *) echo "Ungueltige Option..."
+ read
+ esac
+ done
+}
+
+character=0
+while [ "${character}" != "9" ]; do
+ clear
+ echo "Userverwaltung OpenVPN"
+ echo "======================"
+ echo "1 - OpenVPN Benutzer hinzufuegen"
+ echo "2 - OpenVPN Benutzer Passwort setzen"
+ echo "3 - OpenVPN Benutzer entfernen"
+ echo "4 - OpenVPN Benutzer anzeigen"
+ echo "5 - OpenVPN Benutzer auflisten"
+ echo
+ echo "7 - Logfile anzeigen"
+ echo "8 - Advanced Functions"
+ echo
+ echo "9 - Exit"
+ echo
+ echo -n "Bitte Option waehlen > "
+ read character
+ case ${character} in
+ 1) AddUser
+ ;;
+ 2) ChangePassword
+ ;;
+ 3) DeleteUser
+ ;;
+ 4) ShowUser
+ ;;
+ 5) ListUsers
+ ;;
+ 7) ShowLogfile
+ ;;
+ 8) AdvancedMenu
+ ;;
+ 9) echo Exit...
+ ;;
+ *) echo "Ungueltige Option..."
+ read
+ esac
+done
+exit 0
diff --git a/sysoper/sysoper_shell.05jul2016 b/sysoper/sysoper_shell.05jul2016
new file mode 100755
index 0000000..29983c3
--- /dev/null
+++ b/sysoper/sysoper_shell.05jul2016
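Review bot: every function in sysoper/sysoper_shell uses the operator-typed `username` unvalidated and unquoted as a path component, e.g. `rm /opt/openvpn/users/${username}.pwd` and `> /opt/openvpn/ccd/${username}`, so an entry containing `/`, `..` or whitespace writes to or deletes files outside the intended directories, and the `ip` value goes into the ccd file with no check either. Add a guard right after `read username` in AddUser, ChangePassword, DeleteUser and ShowUser, `[[ "${username}" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "Ungueltiger Benutzername"; ReadToContinue; return 1; }`, and quote the expansions. `read pwd` echoes the new password on the terminal; `read -r -s pwd` followed by `echo` hides it. If this script serves as the sysoper account's login shell, `/bin/less` in ShowLogfile permits `!` shell escapes unless `LESSSECURE=1` is exported first, and `for userfile in $(ls -1 ...)` in ListUsers should become a glob loop over `/opt/openvpn/users/*.pwd`. sysoper/sysoper_shell.05jul2016 shares all of this.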
@@ -0,0 +1,143 @@
+#!/bin/bash
+
+ReadToContinue() {
+ echo "Return Taste zum fortfahren..."
+ read
+}
+
+AddUser() {
+ echo -n "Benutzername : "
+ read username
+ echo -n "IP Adresse : "
+ read ip
+ echo -n "Passwort : "
+ read pwd
+ export string_to_hash="${pwd}"
+ hash="$(/opt/openvpn/sysoper/hashme.py)"
+ echo "${hash}" > /opt/openvpn/users/${username}.pwd
+ echo "ifconfig-push ${ip} 255.255.0.0" > /opt/openvpn/ccd/${username}
+ echo "User ${username} wurde erzeugt"
+ ReadToContinue
+}
+
+ChangePassword() {
+ echo -n "Benutzername : "
+ read username
+ if [ -f /opt/openvpn/users/${username}.pwd ]; then
+ echo -n "Passwort : "
+ read pwd
+ export string_to_hash="${pwd}"
+ hash="$(/opt/openvpn/sysoper/hashme.py)"
+ echo "${hash}" > /opt/openvpn/users/${username}.pwd
+ ReadToContinue
+ else
+ echo "User ${username} existiert nicht"
+ ReadToContinue
+ fi
+}
+
+DeleteUser() {
+ echo -n "Benutzername : "
+ read username
+ if [ -f /opt/openvpn/users/${username}.pwd ]; then
+ rm /opt/openvpn/users/${username}.pwd
+ echo "User ${username} wurde geloescht"
+ # Das CCD-File loeschen wir auch, falls vorhanden
+ if [ -f /opt/openvpn/ccd/${username} ]; then
+ rm /opt/openvpn/ccd/${username}
+ fi
+ ReadToContinue
+ else
+ echo "User ${username} existiert nicht"
+ ReadToContinue
+ fi
+}
+
+ShowUser() {
+ echo -n "Benutzername : "
+ read username
+ ip=""
+ if [ -f /opt/openvpn/users/${username}.pwd ]; then
+ if [ -f /opt/openvpn/ccd/${username} ]; then
+ ip="$(cat /opt/openvpn/ccd/${username} |awk '{print $2}')"
+ fi
+ echo "User ${username} existiert und hat die IP Adresse ${ip}"
+ echo
+ echo "Folgendes sind die letzten 20 Logeintraege fuer diesen User:"
+ echo
+ if [ -f /opt/openvpn/log/${username}.log ]; then
+ tail -20 /opt/openvpn/log/${username}.log
+ else
+ echo "Es existieren keine Logeintraege"
+ fi
+ ReadToContinue
+ else
+ echo "User ${username} existiert nicht"
+ ReadToContinue
+ fi
+}
+
+ListUsers() {
+ echo
+ echo "Username IP Adresse"
+ echo "=================================="
+ for userfile in $(ls -1 /opt/openvpn/users/*.pwd 2>/dev/null) ; do
+ user="${userfile##*/}"
+ user="${user%.pwd}"
+ ip="N/A"
+ if [ -f /opt/openvpn/ccd/${user} ]; then
+ ip="$(cat /opt/openvpn/ccd/${user} |awk '{print $2}')"
+ fi
+ printf "%-20s %-15s\n" "$user" "$ip"
+ done
+ echo
+ ReadToContinue
+}
+
+ShowLogfile() {
+ echo "Hinweis: mit Taste G zum Ende des Logs gehen..., Space fuer Seitenweises vorwaertsgehen..."
+ echo
+ ReadToContinue
+ /bin/less /opt/openvpn/log/logon.log
+}
+
+character=0
+while [ "${character}" != "9" ]; do
+ clear
+ echo "Userverwaltung OpenVPN"
+ echo "======================"
+ echo "1 - OpenVPN Benutzer hinzufuegen"
+ echo "2 - OpenVPN Benutzer Passwort setzen"
+ echo "3 - OpenVPN Benutzer entfernen"
+ echo "4 - OpenVPN Benutzer anzeigen"
+ echo "5 - OpenVPN Benutzer auflisten"
+ echo
+ echo "7 - Logfile anzeigen"
+ echo "8 - Passwort von sysoper aendern"
+ echo
+ echo "9 - Exit"
+ echo
+ echo -n "Bitte Option waehlen > "
+ read character
+ case ${character} in
+ 1) AddUser
+ ;;
+ 2) ChangePassword
+ ;;
+ 3) DeleteUser
+ ;;
+ 4) ShowUser
+ ;;
+ 5) ListUsers
+ ;;
+ 7) ShowLogfile
+ ;;
+ 8) passwd sysoper
+ ;;
+ 9) echo Exit...
+ ;;
+ *) echo "Ungueltige Option..."
+ read
+ esac
+done
+exit 0
diff --git a/systemd/README b/systemd/README
new file mode 100644
index 0000000..c3afd9f
--- /dev/null
+++ b/systemd/README
@@ -0,0 +1,4 @@
+Systemd Unit fuer myopenvpn
+
+ist nach /etc/systemd/system zu kopieren und anschliessend:
+# systemctl daemon-reload
diff --git a/systemd/myopenvpn.service b/systemd/myopenvpn.service
new file mode 100644
index 0000000..60c9404
--- /dev/null
+++ b/systemd/myopenvpn.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=My OpenVPN Service
+After=network-online.target network.target remote-fs.target nss-lookup.target
+Requires=network-online.target
+
+[Service]
+PrivateTmp=true
+Type=forking
+ExecStart=/opt/openvpn/bin/startup.sh
+ExecStop=/opt/openvpn/bin/shutdown.sh
+PIDFile=/var/run/openvpn/myopenvpn.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/myopenvpn.service.05jul2016 b/systemd/myopenvpn.service.05jul2016
new file mode 100644
index 0000000..3e6bea5
--- /dev/null
+++ b/systemd/myopenvpn.service.05jul2016
@@ -0,0 +1,13 @@
+[Unit]
+Description=My OpenVPN Service
+After=network-online.target
+
+[Service]
+PrivateTmp=true
+Type=forking
+ExecStart=/opt/openvpn/bin/startup.sh
+ExecStop=/opt/openvpn/bin/shutdown.sh
+PIDFile=/var/run/openvpn/myopenvpn.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/myopenvpn.service.31aug2016 b/systemd/myopenvpn.service.31aug2016
new file mode 100644
index 0000000..3e6bea5
--- /dev/null
+++ b/systemd/myopenvpn.service.31aug2016
@@ -0,0 +1,13 @@
+[Unit]
+Description=My OpenVPN Service
+After=network-online.target
+
+[Service]
+PrivateTmp=true
+Type=forking
+ExecStart=/opt/openvpn/bin/startup.sh
+ExecStop=/opt/openvpn/bin/shutdown.sh
+PIDFile=/var/run/openvpn/myopenvpn.pid
+
+[Install]
+WantedBy=multi-user.target
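Review bot: systemd/myopenvpn.service declares `PIDFile=/var/run/openvpn/myopenvpn.pid` but nothing in the unit or in bin/startup.sh creates `/var/run/openvpn`, and `/var/run` is normally a tmpfs emptied at boot, so the `writepid` in config/server.conf presumably fails on a fresh boot unless that directory is created elsewhere; `RuntimeDirectory=openvpn` under `[Service]` makes systemd create and remove it. The service runs startup.sh as root with no sandboxing directives, which the bridge setup requires, but a one-line comment above `ExecStart=` saying so would save the next reader from adding `User=`. The .05jul2016 and .31aug2016 copies of the unit should not sit next to the active one.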