From d7797e4b1e704133dd0c90687e04cc89cd9fa19a Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Wed, 19 Oct 2022 19:21:24 +0200 Subject: [PATCH 01/12] Rocky Linux 9 version, cleanups --- README.md | 78 +++++++-------- bin/shutdown.sh.05jul2016 | 13 --- bin/shutdown.sh.13oct2016 | 13 --- bin/shutdown.sh.new | 8 -- bin/startup.sh.05jul2016 | 12 --- bin/startup.sh.13oct2016 | 15 --- bin/startup.sh.31aug2016 | 12 --- bin/startup.sh.31aug2016-with-loop | 25 ----- config/server-443.conf | 4 +- config/server-443.conf.22feb2019 | 51 ---------- config/server-443.conf.5jul2018 | 48 ---------- config/server.conf | 4 +- config/server.conf.15sep2016 | 45 --------- config/server.conf.19sep2016 | 45 --------- config/server.conf.2jul2016 | 44 --------- config/server.conf.5jul2018 | 48 ---------- private/dh1024.pem | 5 - private/dh2048.pem | 8 ++ sysoper/sysoper_shell.05jul2016 | 143 ---------------------------- systemd/myopenvpn.service.05jul2016 | 13 --- systemd/myopenvpn.service.31aug2016 | 13 --- 21 files changed, 49 insertions(+), 598 deletions(-) delete mode 100755 bin/shutdown.sh.05jul2016 delete mode 100755 bin/shutdown.sh.13oct2016 delete mode 100755 bin/shutdown.sh.new delete mode 100755 bin/startup.sh.05jul2016 delete mode 100755 bin/startup.sh.13oct2016 delete mode 100755 bin/startup.sh.31aug2016 delete mode 100755 bin/startup.sh.31aug2016-with-loop delete mode 100644 config/server-443.conf.22feb2019 delete mode 100644 config/server-443.conf.5jul2018 delete mode 100644 config/server.conf.15sep2016 delete mode 100644 config/server.conf.19sep2016 delete mode 100644 config/server.conf.2jul2016 delete mode 100644 config/server.conf.5jul2018 delete mode 100644 private/dh1024.pem create mode 100644 private/dh2048.pem delete mode 100755 sysoper/sysoper_shell.05jul2016 delete mode 100644 systemd/myopenvpn.service.05jul2016 delete mode 100644 systemd/myopenvpn.service.31aug2016 diff --git a/README.md b/README.md index d7087fe..2c8de55 100644 --- a/README.md +++ b/README.md 
@@ -1,23 +1,22 @@ ## INSTALLATION -Installation CentOS 7 Minimal +Installation Rocky Linux 9 Minimal Partitionierung (LVM; XFS als Filesystem): ``` -/boot 500 MB -/ 50 GB -/home 73 GB -swap 4 GB +/boot 1 GB +/ XXX GB +swap X GB ``` Netzwerkkonfiguration: ``` -Hostname: ryovpn.rych01.rychiger.com +Hostname: ryovpn01.rych01.rychiger.com DNS: 8.8.8.8 -NTP: server 0.centos.pool.ntp.org iburst - server 1.centos.pool.ntp.org iburst - server 2.centos.pool.ntp.org iburst - server 3.centos.pool.ntp.org iburst +NTP: XXXXXX + XXXXXX + +TODO: TYPE="Ethernet" NAME="enp0s10f0" @@ -40,6 +39,12 @@ PREFIX=24 GATEWAY=192.168.99.1 UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04 ``` + +Installation diverse Pakete +``` +# yum install kbd-legacy +# dracut -f +``` Anschliessend Installation OpenVPN: ``` @@ -47,14 +52,13 @@ Anschliessend Installation OpenVPN: # yum install openvpn -y Noch ein paar Zusatzpakete: -# yum install mailx -y +# yum install s-nail -y # yum install git -y # yum install net-tools -y # yum install policycoreutils-devel -y # yum install bridge-utils -y # yum install tcpdump -y -# yum install chrony -y -# yum install py-bcrypt -y +# yum install python3-bcrypt -y ``` Wegen Entropy: 
@@ -66,29 +70,22 @@ Test: # cat /proc/sys/kernel/random/entropy_avail ``` -Wegen Time-Sync Meldungen: -``` -# cat /etc/rsyslog.d/time_msg.conf -:msg, contains, "Time has been changed" ~ -``` - -Wegen fehlerhafter HW-Clock: - -/etc/cron.d/sync-hw-clock: -``` -MAILTO=root -*/10 * * * * root /sbin/hwclock --systohc -``` Installation NGINX (Zugang fuer Statusabfragen): ``` # yum install nginx +# systemctl enable nginx Konfiguration /etc/nginx/nginx.conf: ... root /opt/openvpn/status; ... +Installation von altem Server oder git uebernehmen... +# cd /opt +# git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn # use personal access token in Gitlab + + SELinux: # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log @@ -107,11 +104,11 @@ Prinzipieller Aufbau: enp0s10f0: Netzwerkinterface Richtung Internet enp0s10f1: Netzwerkinterface Richtung Intranet -enp0s10f0 (192.168.99.11) ==> hier hoert OpenVPN und bildet das Device tap0 +enp0s10f0 (192.168.99.11/24) ==> hier hoert OpenVPN und bildet das Device tap0 Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP) --- enp0s10f0 => tap0 --+-- br0 (10.3.5.1) +-- enp0s10f0 => tap0 --+-- br0 (10.3.5.1/16) tap1 | -- enp0s10f1 ----------+ ``` @@ -161,17 +158,9 @@ COMMIT ``` ``` -/etc/sysctl.conf: -# System default settings live in /usr/lib/sysctl.d/00-system.conf. -# To override those settings, enter new settings here, or in an /etc/sysctl.d/.conf file -# -# For more information, see sysctl.conf(5) and sysctl.d(5). -#net.ipv4.ip_forward = 1 -net.ipv6.conf.all.disable_ipv6 = 1 -net.ipv6.conf.default.disable_ipv6 = 1 -net.bridge.bridge-nf-call-iptables = 1 -net.ipv6.conf.default.autoconf = 0 -net.ipv6.conf.all.autoconf = 0 +Disable IPv6: + +# nmcli connection modify ipv6.method "disabled" ``` ``` 
@@ -196,8 +185,6 @@ MAILTO=root /etc/hosts: 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 - -10.3.5.2 ewonshare ``` Startup mit Systemd einrichten: @@ -218,3 +205,12 @@ User anlegen: # useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper # passwd sysoper ``` +Git Config: +``` +# cat .gitconfig +[user] + name = Joerg Lehmann + email = joerg.lehmann@nbit.ch +[http] + sslVerify = false +``` diff --git a/bin/shutdown.sh.05jul2016 b/bin/shutdown.sh.05jul2016 deleted file mode 100755 index 89e518f..0000000 --- a/bin/shutdown.sh.05jul2016 +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -# Zuerst stoppen wir Openvpn -pkill openvpn - -# Dann unmounten wir den CIFS-Share -#/bin/umount /opt/openvpn/status -/bin/systemctl stop opt-openvpn-status.mount -#/bin/sleep 15 - -# Dann stoppen wir die Bridge mit TAP-Device -/opt/openvpn/scripts/bridge-stop.sh - diff --git a/bin/shutdown.sh.13oct2016 b/bin/shutdown.sh.13oct2016 deleted file mode 100755 index f75a2c2..0000000 --- a/bin/shutdown.sh.13oct2016 +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -# Zuerst stoppen wir Openvpn -/bin/pkill openvpn - -# Dann unmounten wir den CIFS-Share -#/bin/umount /opt/openvpn/status -/bin/systemctl stop opt-openvpn-status.mount -#/bin/sleep 15 - -# Dann stoppen wir die Bridge mit TAP-Device -/opt/openvpn/scripts/bridge-stop.sh - diff --git a/bin/shutdown.sh.new b/bin/shutdown.sh.new deleted file mode 100755 index ab96223..0000000 --- a/bin/shutdown.sh.new +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -# Zuerst stoppen wir Openvpn -/bin/pkill openvpn - -# Dann stoppen wir die Bridge mit TAP-Device -/opt/openvpn/scripts/bridge-stop.sh - diff --git a/bin/startup.sh.05jul2016 b/bin/startup.sh.05jul2016 deleted file mode 100755 index fe972bf..0000000 --- a/bin/startup.sh.05jul2016 +++ /dev/null 
@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Zuerst starten wir die Bridge mit TAP-Device
-/opt/openvpn/scripts/bridge-start.sh
-
-# Dann mounten wir den CIFS-Share
-# (wird fuer Status-File gebraucht)
-#/bin/mount /opt/openvpn/status
-/bin/systemctl start opt-openvpn-status.mount
-#
-# Dann starten wir Openvpn
-/sbin/openvpn /opt/openvpn/config/server.conf
diff --git a/bin/startup.sh.13oct2016 b/bin/startup.sh.13oct2016
deleted file mode 100755
index 16286a1..0000000
--- a/bin/startup.sh.13oct2016
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-# Zuerst starten wir die Bridge mit TAP-Device
-/opt/openvpn/scripts/bridge-start.sh
-
-# Pause...
-sleep 10
-
-# Dann mounten wir den CIFS-Share
-# (wird fuer Status-File gebraucht)
-#/bin/mount /opt/openvpn/status
-/bin/systemctl start opt-openvpn-status.mount
-#
-# Dann starten wir Openvpn
-/sbin/openvpn /opt/openvpn/config/server.conf
diff --git a/bin/startup.sh.31aug2016 b/bin/startup.sh.31aug2016
deleted file mode 100755
index fe972bf..0000000
--- a/bin/startup.sh.31aug2016
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Zuerst starten wir die Bridge mit TAP-Device
-/opt/openvpn/scripts/bridge-start.sh
-
-# Dann mounten wir den CIFS-Share
-# (wird fuer Status-File gebraucht)
-#/bin/mount /opt/openvpn/status
-/bin/systemctl start opt-openvpn-status.mount
-#
-# Dann starten wir Openvpn
-/sbin/openvpn /opt/openvpn/config/server.conf
diff --git a/bin/startup.sh.31aug2016-with-loop b/bin/startup.sh.31aug2016-with-loop
deleted file mode 100755
index 7f36edd..0000000
--- a/bin/startup.sh.31aug2016-with-loop
+++ /dev/null
@@ -1,25 +0,0 @@ -#!/bin/bash - -IP_OF_CIFS_SERVER=10.3.5.2 - -# Zuerst starten wir die Bridge mit TAP-Device -/opt/openvpn/scripts/bridge-start.sh - -# Wir warten, bis ein ping erfolgreich ist... -((count = 20)) # Maximum number to try. -while [[ $count -ne 0 ]] ; do - ping -q -c 1 -W 1 $IP_OF_CIFS_SERVER >/dev/null # Try once. - rc=$? - if [[ $rc -eq 0 ]] ; then - ((count = 1)) # If okay, flag to exit loop. - fi - ((count = count - 1)) # So we don't go forever. -done - -# Dann mounten wir den CIFS-Share -# (wird fuer Status-File gebraucht) -#/bin/mount /opt/openvpn/status -/bin/systemctl start opt-openvpn-status.mount -# -# Dann starten wir Openvpn -/sbin/openvpn /opt/openvpn/config/server.conf diff --git a/config/server-443.conf b/config/server-443.conf index d3b8e12..7cc76cc 100644 --- a/config/server-443.conf +++ b/config/server-443.conf @@ -9,7 +9,7 @@ script-security 3 writepid /var/run/openvpn-server/myopenvpn-443.pid ; ciphers -tls-cipher "DEFAULT" +tls-cipher "DEFAULT:@SECLEVEL=0" ; tunnel configuration dev tap1 @@ -36,7 +36,7 @@ client-disconnect /opt/openvpn/scripts/logoff.sh management localhost 6667 ; certificates and authentication -dh /opt/openvpn/private/dh1024.pem +dh /opt/openvpn/private/dh2048.pem ca /opt/openvpn/ca/cacert.pem cert /opt/openvpn/certs/ewon.rychiger.com-cert.pem key /opt/openvpn/private/ewon.rychiger.com-key.pem diff --git a/config/server-443.conf.22feb2019 b/config/server-443.conf.22feb2019 deleted file mode 100644 index afbff88..0000000 --- a/config/server-443.conf.22feb2019 +++ /dev/null 
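Review bot: The new `tls-cipher "DEFAULT:@SECLEVEL=0"` line lowers OpenSSL's security level for the control channel to zero, which re-enables everything the distribution's default level otherwise rejects (presumably SHA-1 certificate signatures and RSA/DH keys below 2048 bits), so the upgrade from dh1024.pem to dh2048.pem in the following hunk of this file gains little while this override is in place. If the override exists only to keep an older CA or host certificate accepted, the durable fix is to re-issue those with SHA-256 and 2048-bit or larger keys and drop the override; if it has to stay for now, `@SECLEVEL=1` together with an explicit `tls-version-min 1.2` is a narrower relaxation than level 0. Either way the line deserves a comment naming which peer or certificate requires it, e.g. `; @SECLEVEL lowered for <reason/peer>; remove once re-issued`, so it is not carried forward silently. The same two lines are changed identically in config/server.conf further down in this patch.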
@@ -1,51 +0,0 @@
-mode server
-daemon
-tls-server
-proto tcp
-port 443
-local 192.168.99.11
-client-config-dir /opt/openvpn/ccd
-script-security 3
-writepid /var/run/openvpn-server/myopenvpn-443.pid
-
-; ciphers
-tls-cipher "DEFAULT"
-
-; tunnel configuration
-dev tap1
-server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
-passtos
-comp-lzo
-persist-key
-persist-tun
-persist-local-ip
-persist-remote-ip
-
-; loggin and status
-ifconfig-pool-persist /opt/openvpn/leases/openvpn-443.leases
-status-version 2
-status /opt/openvpn/status/openvpnserver-status-443.log 5;
-verb 3
-client-connect /opt/openvpn/scripts/logon.sh
-client-disconnect /opt/openvpn/scripts/logoff.sh
-
-; routing
-;push "route 10.3.0.0 255.255.0.0"
-
-; management
-management localhost 6667
-
-; certificates and authentication
-dh /opt/openvpn/private/dh1024.pem
-ca /opt/openvpn/ca/cacert.pem
-cert /opt/openvpn/certs/hostcert.pem
-key /opt/openvpn/private/hostkey.pem
-verify-client-cert none
-username-as-common-name
-auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
-;client-to-client
-keepalive 10 60
-max-clients 50
-
-; explicit exit
-push "explicit-exit-notify"
diff --git a/config/server-443.conf.5jul2018 b/config/server-443.conf.5jul2018
deleted file mode 100644
index e579931..0000000
--- a/config/server-443.conf.5jul2018
+++ /dev/null
@@ -1,48 +0,0 @@ -mode server -daemon -tls-server -proto tcp -port 443 -local 192.168.99.11 -client-config-dir /opt/openvpn/ccd -script-security 3 -writepid /var/run/openvpn-server/myopenvpn-443.pid - -; tunnel configuration -dev tap1 -server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 -passtos -comp-lzo -persist-key -persist-tun -persist-local-ip -persist-remote-ip - -; loggin and status -ifconfig-pool-persist /opt/openvpn/leases/openvpn-443.leases -status-version 2 -status /opt/openvpn/status/openvpnserver-status-443.log 5; -verb 3 -client-connect /opt/openvpn/scripts/logon.sh -client-disconnect /opt/openvpn/scripts/logoff.sh - -; routing -;push "route 10.3.0.0 255.255.0.0" - -; management -management localhost 6667 - -; certificates and authentication -dh /opt/openvpn/private/dh1024.pem -ca /opt/openvpn/ca/cacert.pem -cert /opt/openvpn/certs/hostcert.pem -key /opt/openvpn/private/hostkey.pem -verify-client-cert none -username-as-common-name -auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env -;client-to-client -keepalive 10 60 -max-clients 50 - -; explicit exit -push "explicit-exit-notify" diff --git a/config/server.conf b/config/server.conf index 37673b7..25d167e 100644 --- a/config/server.conf +++ b/config/server.conf @@ -9,7 +9,7 @@ script-security 3 writepid /var/run/openvpn-server/myopenvpn.pid ; ciphers -tls-cipher "DEFAULT" +tls-cipher "DEFAULT:@SECLEVEL=0" ; tunnel configuration dev tap0 @@ -36,7 +36,7 @@ client-disconnect /opt/openvpn/scripts/logoff.sh management localhost 6666 ; certificates and authentication -dh /opt/openvpn/private/dh1024.pem +dh /opt/openvpn/private/dh2048.pem ca /opt/openvpn/ca/cacert.pem cert /opt/openvpn/certs/hostcert.pem key /opt/openvpn/private/hostkey.pem diff --git a/config/server.conf.15sep2016 b/config/server.conf.15sep2016 deleted file mode 100644 index a834e28..0000000 --- a/config/server.conf.15sep2016 +++ /dev/null 
@@ -1,45 +0,0 @@
-mode server
-daemon
-tls-server
-proto udp
-port 1194
-local 192.168.99.11
-client-config-dir /opt/openvpn/ccd
-script-security 3
-writepid /var/run/openvpn/myopenvpn.pid
-
-; tunnel configuration
-dev tap0
-server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
-passtos
-comp-lzo
-persist-key
-persist-tun
-persist-local-ip
-persist-remote-ip
-
-; loggin and status
-ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
-status-version 2
-status /opt/openvpn/status/openvpnserver-status.log 30;
-verb 3
-client-connect /opt/openvpn/scripts/logon.sh
-client-disconnect /opt/openvpn/scripts/logoff.sh
-
-; routing
-;push "route 10.3.0.0 255.255.0.0"
-
-; management
-management localhost 6666
-
-; certificates and authentication
-dh /opt/openvpn/private/dh1024.pem
-ca /opt/openvpn/ca/cacert.pem
-cert /opt/openvpn/certs/hostcert.pem
-key /opt/openvpn/private/hostkey.pem
-client-cert-not-required
-username-as-common-name
-auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
-;client-to-client
-keepalive 10 60
-max-clients 50
diff --git a/config/server.conf.19sep2016 b/config/server.conf.19sep2016
deleted file mode 100644
index f3b373c..0000000
--- a/config/server.conf.19sep2016
+++ /dev/null
@@ -1,45 +0,0 @@
-mode server
-daemon
-tls-server
-proto udp
-port 1194
-local 192.168.99.11
-client-config-dir /opt/openvpn/ccd
-script-security 3
-writepid /var/run/openvpn/myopenvpn.pid
-
-; tunnel configuration
-dev tap0
-server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
-passtos
-comp-lzo
-persist-key
-persist-tun
-persist-local-ip
-persist-remote-ip
-
-; loggin and status
-ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
-status-version 2
-status /opt/openvpn/status/openvpnserver-status.log 5;
-verb 3
-client-connect /opt/openvpn/scripts/logon.sh
-client-disconnect /opt/openvpn/scripts/logoff.sh
-
-; routing
-;push "route 10.3.0.0 255.255.0.0"
-
-; management
-management localhost 6666
-
-; certificates and authentication
-dh /opt/openvpn/private/dh1024.pem
-ca /opt/openvpn/ca/cacert.pem
-cert /opt/openvpn/certs/hostcert.pem
-key /opt/openvpn/private/hostkey.pem
-client-cert-not-required
-username-as-common-name
-auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
-;client-to-client
-keepalive 10 60
-max-clients 50
diff --git a/config/server.conf.2jul2016 b/config/server.conf.2jul2016
deleted file mode 100644
index 27143ef..0000000
--- a/config/server.conf.2jul2016
+++ /dev/null
@@ -1,44 +0,0 @@
-mode server
-daemon
-tls-server
-proto udp
-port 1194
-local 192.168.99.11
-client-config-dir /opt/openvpn/ccd
-script-security 3
-
-; tunnel configuration
-dev tap0
-server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
-passtos
-comp-lzo
-persist-key
-persist-tun
-persist-local-ip
-persist-remote-ip
-
-; loggin and status
-ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
-status-version 2
-status /opt/openvpn/status/openvpnserver-status.log 30;
-verb 3
-client-connect /opt/openvpn/scripts/logon.sh
-client-disconnect /opt/openvpn/scripts/logoff.sh
-
-; routing
-;push "route 10.3.0.0 255.255.0.0"
-
-; management
-management localhost 6666
-
-; certificates and authentication
-dh /opt/openvpn/private/dh1024.pem
-ca /opt/openvpn/ca/cacert.pem
-cert /opt/openvpn/certs/hostcert.pem
-key /opt/openvpn/private/hostkey.pem
-client-cert-not-required
-username-as-common-name
-auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.sh via-env
-;client-to-client
-keepalive 10 60
-max-clients 50
diff --git a/config/server.conf.5jul2018 b/config/server.conf.5jul2018
deleted file mode 100644
index 5cd8a74..0000000
--- a/config/server.conf.5jul2018
+++ /dev/null
@@ -1,48 +0,0 @@
-mode server
-daemon
-tls-server
-proto udp
-port 1194
-local 192.168.99.11
-client-config-dir /opt/openvpn/ccd
-script-security 3
-writepid /var/run/openvpn-server/myopenvpn.pid
-
-; tunnel configuration
-dev tap0
-server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
-passtos
-comp-lzo
-persist-key
-persist-tun
-persist-local-ip
-persist-remote-ip
-
-; loggin and status
-ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
-status-version 2
-status /opt/openvpn/status/openvpnserver-status.log 5;
-verb 3
-client-connect /opt/openvpn/scripts/logon.sh
-client-disconnect /opt/openvpn/scripts/logoff.sh
-
-; routing
-;push "route 10.3.0.0 255.255.0.0"
-
-; management
-management localhost 6666
-
-; certificates and authentication
-dh /opt/openvpn/private/dh1024.pem
-ca /opt/openvpn/ca/cacert.pem
-cert /opt/openvpn/certs/hostcert.pem
-key /opt/openvpn/private/hostkey.pem
-verify-client-cert none
-username-as-common-name
-auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
-;client-to-client
-keepalive 10 60
-max-clients 50
-
-; explicit exit
-push "explicit-exit-notify"
diff --git a/private/dh1024.pem b/private/dh1024.pem
deleted file mode 100644
index bea3589..0000000
--- a/private/dh1024.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIGHAoGBAIPEsURCfpqVznQaOYeWUrTyvMBD2N+6V96Saz3VPJ9WfEoPWM/3CkWH
-G/wOFuSYCV8pGok9Y+d2N0V45x56CmhJp6CJdD0L9JwHNhXqRdDOxT1emOb43/Kk
-CAXggVkAWnA+XFYXol8lYDP9W5XrU7svRfUe33Q/ijHsaY23myqDAgEC
------END DH PARAMETERS-----
diff --git a/private/dh2048.pem b/private/dh2048.pem
new file mode 100644
index 0000000..9ea927e
--- /dev/null
+++ b/private/dh2048.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAyC5BozEDJWU9xKcMEDRxQTyvTKyJ+VhqqJiyiif/LtU1mjTy40Ss
+BGO13FjRsXM0VLgl//J/NPi9kfYK5UPSv/mr3TIxMKDRi+U+y48HU2f68XgFhnCE
+ePYVwCpOdymOwnYKxtCIwsF4GvNAoLHUIfIwK40BWtpuwB5AbVIkjSCrBWeP9Gxs
+g6M06c5G3+xdE/5RqWVtWjnQNutsUrbKTFrBCEBUzElNpYE3mp2cA/8lePtIa8rI
+QUHKGcQyln4eH3R/Pt+RETzSybnzliWNfctyiJ7xj/2qYlUdxhlfPipqZbg9u8Jd
+NhpXiGhCh2DAcVoRYMERsOkyTKgC6KbBDwIBAg==
+-----END DH PARAMETERS-----
diff --git a/sysoper/sysoper_shell.05jul2016 b/sysoper/sysoper_shell.05jul2016
deleted file mode 100755
index 29983c3..0000000
--- a/sysoper/sysoper_shell.05jul2016
+++ /dev/null
@@ -1,143 +0,0 @@ -#!/bin/bash - -ReadToContinue() { - echo "Return Taste zum fortfahren..." - read -} - -AddUser() { - echo -n "Benutzername : " - read username - echo -n "IP Adresse : " - read ip - echo -n "Passwort : " - read pwd - export string_to_hash="${pwd}" - hash="$(/opt/openvpn/sysoper/hashme.py)" - echo "${hash}" > /opt/openvpn/users/${username}.pwd - echo "ifconfig-push ${ip} 255.255.0.0" > /opt/openvpn/ccd/${username} - echo "User ${username} wurde erzeugt" - ReadToContinue -} - -ChangePassword() { - echo -n "Benutzername : " - read username - if [ -f /opt/openvpn/users/${username}.pwd ]; then - echo -n "Passwort : " - read pwd - export string_to_hash="${pwd}" - hash="$(/opt/openvpn/sysoper/hashme.py)" - echo "${hash}" > /opt/openvpn/users/${username}.pwd - ReadToContinue - else - echo "User ${username} existiert nicht" - ReadToContinue - fi -} - -DeleteUser() { - echo -n "Benutzername : " - read username - if [ -f /opt/openvpn/users/${username}.pwd ]; then - rm /opt/openvpn/users/${username}.pwd - echo "User ${username} wurde geloescht" - # Das CCD-File loeschen wir auch, falls vorhanden - if [ -f /opt/openvpn/ccd/${username} ]; then - rm /opt/openvpn/ccd/${username} - fi - ReadToContinue - else - echo "User ${username} existiert nicht" - ReadToContinue - fi -} - -ShowUser() { - echo -n "Benutzername : " - read username - ip="" - if [ -f /opt/openvpn/users/${username}.pwd ]; then - if [ -f /opt/openvpn/ccd/${username} ]; then - ip="$(cat /opt/openvpn/ccd/${username} |awk '{print $2}')" - fi - echo "User ${username} existiert und hat die IP Adresse ${ip}" - echo - echo "Folgendes sind die letzten 20 Logeintraege fuer diesen User:" - echo - if [ -f /opt/openvpn/log/${username}.log ]; then - tail -20 /opt/openvpn/log/${username}.log - else - echo "Es existieren keine Logeintraege" - fi - ReadToContinue - else - echo "User ${username} existiert nicht" - ReadToContinue - fi -} - -ListUsers() { - echo - echo "Username IP Adresse" - echo 
"==================================" - for userfile in $(ls -1 /opt/openvpn/users/*.pwd 2>/dev/null) ; do - user="${userfile##*/}" - user="${user%.pwd}" - ip="N/A" - if [ -f /opt/openvpn/ccd/${user} ]; then - ip="$(cat /opt/openvpn/ccd/${user} |awk '{print $2}')" - fi - printf "%-20s %-15s\n" "$user" "$ip" - done - echo - ReadToContinue -} - -ShowLogfile() { - echo "Hinweis: mit Taste G zum Ende des Logs gehen..., Space fuer Seitenweises vorwaertsgehen..." - echo - ReadToContinue - /bin/less /opt/openvpn/log/logon.log -} - -character=0 -while [ "${character}" != "9" ]; do - clear - echo "Userverwaltung OpenVPN" - echo "======================" - echo "1 - OpenVPN Benutzer hinzufuegen" - echo "2 - OpenVPN Benutzer Passwort setzen" - echo "3 - OpenVPN Benutzer entfernen" - echo "4 - OpenVPN Benutzer anzeigen" - echo "5 - OpenVPN Benutzer auflisten" - echo - echo "7 - Logfile anzeigen" - echo "8 - Passwort von sysoper aendern" - echo - echo "9 - Exit" - echo - echo -n "Bitte Option waehlen > " - read character - case ${character} in - 1) AddUser - ;; - 2) ChangePassword - ;; - 3) DeleteUser - ;; - 4) ShowUser - ;; - 5) ListUsers - ;; - 7) ShowLogfile - ;; - 8) passwd sysoper - ;; - 9) echo Exit... - ;; - *) echo "Ungueltige Option..." - read - esac -done -exit 0 diff --git a/systemd/myopenvpn.service.05jul2016 b/systemd/myopenvpn.service.05jul2016 deleted file mode 100644 index 3e6bea5..0000000 --- a/systemd/myopenvpn.service.05jul2016 +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=My OpenVPN Service -After=network-online.target - -[Service] -PrivateTmp=true -Type=forking -ExecStart=/opt/openvpn/bin/startup.sh -ExecStop=/opt/openvpn/bin/shutdown.sh -PIDFile=/var/run/openvpn/myopenvpn.pid - -[Install] -WantedBy=multi-user.target diff --git a/systemd/myopenvpn.service.31aug2016 b/systemd/myopenvpn.service.31aug2016 deleted file mode 100644 index 3e6bea5..0000000 --- a/systemd/myopenvpn.service.31aug2016 +++ /dev/null 
@@ -1,13 +0,0 @@ -[Unit] -Description=My OpenVPN Service -After=network-online.target - -[Service] -PrivateTmp=true -Type=forking -ExecStart=/opt/openvpn/bin/startup.sh -ExecStop=/opt/openvpn/bin/shutdown.sh -PIDFile=/var/run/openvpn/myopenvpn.pid - -[Install] -WantedBy=multi-user.target From cf4837f5b0d8547e1ddba3dabba2c1f84857746a Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Thu, 20 Oct 2022 19:28:27 +0200 Subject: [PATCH 02/12] document client test --- README.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/README.md b/README.md index 2c8de55..e82db30 100644 --- a/README.md +++ b/README.md @@ -214,3 +214,51 @@ Git Config: [http] sslVerify = false ``` + + +Testen der Verbindung + +``` +[joerg@cinnamon test-openvpn-rychiger]$ sudo openvpn --config ewon.rychiger.com.conf + +[joerg@cinnamon test-openvpn-rychiger]$ more ewon.rychiger.com.conf +dev tap1 +proto tcp +suppress-timestamps +status-version 2 +rport 443 +verb 1 +mute 10 +comp-lzo +persist-key +up-delay +route-delay 0 +nobind +client +tls-exit +ca cacert.pem +reneg-sec 86400 +keepalive 30 120 +hand-window 140 +remote ewon.rychiger.com +resolv-retry 60 +auth-user-pass + + +am besten auf Linux: + +Testuser erstellt mit + +$ string_to_hash="7355+TT" /opt/openvpn/sysoper/hashme.py >/opt/openvpn/users/testuser.pwd + +auch CCD-File erstellen, siehe unten + +[root@ryovpn openvpn]# more users/testuser.pwd ccd/testuser +:::::::::::::: +users/testuser.pwd +:::::::::::::: +$2b$12$OkJpfcPt7Uk8DMVjBbuStedJ63rahYw05E7vNAg9PQigL97ox18Am +:::::::::::::: +ccd/testuser +:::::::::::::: +ifconfig-push 10.3.6.254 255.255.0.0 From ab1cc24da24dc40cbcd30c47c745d919faadf069 Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Thu, 20 Oct 2022 20:03:56 +0200 Subject: [PATCH 03/12] fix interface names --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index e82db30..3023142 100644 --- a/README.md +++ b/README.md 
@@ -101,16 +101,16 @@ Link erstellen: Prinzipieller Aufbau: ``` -enp0s10f0: Netzwerkinterface Richtung Internet -enp0s10f1: Netzwerkinterface Richtung Intranet +enp0s10f0: Netzwerkinterface Richtung Intranet +enp0s10f1: Netzwerkinterface Richtung Internet -enp0s10f0 (192.168.99.11/24) ==> hier hoert OpenVPN und bildet das Device tap0 +enp0s10f1 (192.168.99.11/24) ==> hier hoert OpenVPN und bildet das Device tap0 Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP) --- enp0s10f0 => tap0 --+-- br0 (10.3.5.1/16) +-- enp0s10f1 => tap0 --+-- br0 (10.3.5.1/16) tap1 | --- enp0s10f1 ----------+ +-- enp0s10f0 ----------+ ``` OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged) From 313aa93ce542ff971fb667b003d170967442a589 Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Fri, 21 Oct 2022 14:27:05 +0200 Subject: [PATCH 04/12] new VM has been built, not tested yet (missing FW-forwarding --- README.md | 108 ++++++++------------------------ config/server-443.conf | 4 +- config/server.conf | 4 +- scripts/bridge-start.sh | 4 +- scripts/bridge-stop.sh | 2 +- scripts/reboot-if-ping-fails.sh | 2 +- systemd/myopenvpn.service | 2 +- 7 files changed, 35 insertions(+), 91 deletions(-) diff --git a/README.md b/README.md index 3023142..fe826fc 100644 --- a/README.md +++ b/README.md 
@@ -5,43 +5,23 @@ Installation Rocky Linux 9 Minimal Partitionierung (LVM; XFS als Filesystem): ``` /boot 1 GB -/ XXX GB -swap X GB +/ 64 GB +/home 32 GB +swap 4 GB ``` Netzwerkkonfiguration: ``` +# hostnamectl hostname ryovpn01.rych01.rychiger.com + Hostname: ryovpn01.rych01.rychiger.com DNS: 8.8.8.8 -NTP: XXXXXX - XXXXXX -TODO: - -TYPE="Ethernet" -NAME="enp0s10f0" -DEVICE="enp0s10f0" -ONBOOT="yes" -IPV6INIT=no -UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 - -TYPE="Ethernet" -BOOTPROTO="none" -DEFROUTE="yes" -IPV4_FAILURE_FATAL="no" -IPV6INIT="no" -NAME="enp0s10f1" -DEVICE="enp0s10f1" -ONBOOT="yes" -DNS1="8.8.8.8" -IPADDR=192.168.99.11 -PREFIX=24 -GATEWAY=192.168.99.1 -UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04 ``` Installation diverse Pakete ``` +# yum update # yum install kbd-legacy # dracut -f ``` @@ -59,6 +39,7 @@ Noch ein paar Zusatzpakete: # yum install bridge-utils -y # yum install tcpdump -y # yum install python3-bcrypt -y +# yum install tar -y ``` Wegen Entropy: @@ -84,12 +65,12 @@ Konfiguration /etc/nginx/nginx.conf: Installation von altem Server oder git uebernehmen... # cd /opt # git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn # use personal access token in Gitlab - +# cd openvpn && git checkout rockylinux9-based SELinux: # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log -# semanage port -a -t ssh_port_t -p tcp 2202 +# semanage port -a -t ssh_port_t -p tcp 2022 # restorecon -v /opt/openvpn/status/openvpnserver-status.log # restorecon -v /opt/openvpn/status/openvpnserver-status-443.log 
@@ -101,66 +82,31 @@ Link erstellen: Prinzipieller Aufbau: ``` -enp0s10f0: Netzwerkinterface Richtung Intranet -enp0s10f1: Netzwerkinterface Richtung Internet +ens4: Netzwerkinterface Richtung Intranet +ens3: Netzwerkinterface Richtung Internet -enp0s10f1 (192.168.99.11/24) ==> hier hoert OpenVPN und bildet das Device tap0 +ens3 (192.168.99.111/24) ==> hier hoert OpenVPN und bildet das Device tap0 Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP) --- enp0s10f1 => tap0 --+-- br0 (10.3.5.1/16) - tap1 | --- enp0s10f0 ----------+ +-- ens3 => tap0 --+-- br0 (10.3.5.10/16) + tap1 | +-- ens4 ----------+ ``` OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged) -Hyper-V Integration: - -Als Network-Karte muss Legacy gewaehlt werden. Spoofing muss erlaubt sein (wegen Bridge). Zeit Synchronisation muss abgeschaltet sein. - -``` -# yum install hyperv-daemons -# systemctl enable hypervvssd -# systemctl enable hypervkvpd -``` - -Firewall: -``` -/etc/sysconfig/iptables: -# sample configuration for iptables service -# you can edit this manually or use system-config-firewall -# please do not ask us to add additional ports/services to this default configuration -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] --A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT --A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6 --A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT --I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT --I INPUT -i enp0s10f1 -p tcp -m tcp --dport 443 -j ACCEPT --A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT --A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT --A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT --A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6 
-#-A INPUT -j DROP --A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6 -#-A FORWARD -j DROP --A OUTPUT -s 192.168.99.11/32 -j ACCEPT --A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT --A OUTPUT -p icmp -j ACCEPT --A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6 -#-A OUTPUT -j DROP -COMMIT -``` - ``` Disable IPv6: -# nmcli connection modify ipv6.method "disabled" +# nmcli connection modify ens3 ipv6.method "disabled" +# nmcli connection modify ens4 ipv6.method "disabled" + +Set end4 to unmanaged: + +[root@ryovpn01 ~]# cat /etc/NetworkManager/conf.d/99-unmanaged-devices.conf +[keyfile] +unmanaged-devices=interface-name:ens4 ``` ``` @@ -168,10 +114,6 @@ Disable IPv6: Port 22 Port 2022 ... -# Ciphers and keying -#RekeyLimit default none -Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com -KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 ``` @@ -190,9 +132,11 @@ MAILTO=root Startup mit Systemd einrichten: gemaess /opt/openvpn/systemd/README -Verzeichnis /opt/openvpn/users muss angelegt werden: +Verzeichnis /opt/openvpn/users ccd und status muss angelegt werden: ``` # mkdir /opt/openvpn/users +# mkdir /opt/openvpn/ccd +# mkdir /opt/openvpn/status ``` User anlegen: diff --git a/config/server-443.conf b/config/server-443.conf index 7cc76cc..f847b33 100644 --- a/config/server-443.conf +++ b/config/server-443.conf @@ -3,7 +3,7 @@ daemon tls-server proto tcp port 443 -local 192.168.99.11 +local 192.168.99.111 client-config-dir /opt/openvpn/ccd script-security 3 writepid /var/run/openvpn-server/myopenvpn-443.pid 
@@ -13,7 +13,7 @@ tls-cipher "DEFAULT:@SECLEVEL=0" ; tunnel configuration dev tap1 -server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 +server-bridge 10.3.5.10 255.255.0.0 10.3.6.1 10.3.7.254 passtos comp-lzo persist-key diff --git a/config/server.conf b/config/server.conf index 25d167e..9de9786 100644 --- a/config/server.conf +++ b/config/server.conf @@ -3,7 +3,7 @@ daemon tls-server proto udp port 1194 -local 192.168.99.11 +local 192.168.99.111 client-config-dir /opt/openvpn/ccd script-security 3 writepid /var/run/openvpn-server/myopenvpn.pid @@ -13,7 +13,7 @@ tls-cipher "DEFAULT:@SECLEVEL=0" ; tunnel configuration dev tap0 -server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 +server-bridge 10.3.5.10 255.255.0.0 10.3.6.1 10.3.7.254 passtos comp-lzo persist-key diff --git a/scripts/bridge-start.sh b/scripts/bridge-start.sh index fea6d54..675e450 100755 --- a/scripts/bridge-start.sh +++ b/scripts/bridge-start.sh @@ -3,8 +3,8 @@ br="br0" tap="tap0" tap1="tap1" -eth="enp0s10f0" -br_ip="10.3.5.1" +eth="ens4" +br_ip="10.3.5.10" br_netmask="255.255.0.0" br_broadcast="10.3.255.255" # Create the tap adapter diff --git a/scripts/bridge-stop.sh b/scripts/bridge-stop.sh index f98c141..1534764 100755 --- a/scripts/bridge-stop.sh +++ b/scripts/bridge-stop.sh @@ -1,7 +1,7 @@ #!/bin/bash ifconfig br0 down -brctl delif br0 enp0s10f0 +brctl delif br0 ens4 brctl delif br0 tap0 brctl delif br0 tap1 brctl delbr br0 diff --git a/scripts/reboot-if-ping-fails.sh b/scripts/reboot-if-ping-fails.sh index 302395a..7ea9d83 100755 --- a/scripts/reboot-if-ping-fails.sh +++ b/scripts/reboot-if-ping-fails.sh @@ -1,5 +1,5 @@ #!/bin/bash -DEST="10.3.5.2" +DEST="10.3.5.11" ping -c4 ${DEST} > /dev/null diff --git a/systemd/myopenvpn.service b/systemd/myopenvpn.service index 70896e4..280c838 100644 --- a/systemd/myopenvpn.service +++ b/systemd/myopenvpn.service 
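Review bot: `comp-lzo`, two lines below the changed `server-bridge` line, enables data-channel compression, which exposes tunnelled traffic to VORACLE-style plaintext recovery and is deprecated in OpenVPN; the hunk only moves the bridge IP and leaves it in place here and in the identical server-443.conf hunk. Replace it with `comp-lzo no`, which keeps the LZO framing for clients that still send it but never compresses outbound, or with `allow-compression no` if the packaged OpenVPN is 2.5 or newer. `passtos` on the following line copies the inner packet's TOS byte onto the encrypted outer packet, a small metadata leak that deserves a comment if it is intentional.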
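Review bot: `DEST="10.3.5.11"` ties the decision to reboot the VPN gateway to a single bridged host answering four ICMP echoes, so anyone on br0 or the VPN who can take 10.3.5.11 offline or make it drop echo requests can force repeated reboots (the reboot action itself is below the hunk; this is inferred from the script's name). Require more than one independent target to fail before rebooting, e.g. `DESTS=(10.3.5.11 <second-target>)` and `for d in "${DESTS[@]}"; do ping -c4 "$d" >/dev/null && exit 0; done` ahead of the reboot step, and quote the expansion (`"${DEST}"`) while here.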
@@ -1,6 +1,6 @@ [Unit] Description=My OpenVPN Service -After=network-online.target network.target remote-fs.target nss-lookup.target +After=network-online.target network.target remote-fs.target Requires=network-online.target [Service] From 49be541e75a3584bafc305c15e20e3756a9ab26b Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Fri, 21 Oct 2022 14:41:41 +0200 Subject: [PATCH 05/12] add missing steps in doc --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fe826fc..3a93425 100644 --- a/README.md +++ b/README.md @@ -132,11 +132,12 @@ MAILTO=root Startup mit Systemd einrichten: gemaess /opt/openvpn/systemd/README -Verzeichnis /opt/openvpn/users ccd und status muss angelegt werden: +Verzeichnis /opt/openvpn/users ccd, log und status muss angelegt werden: ``` # mkdir /opt/openvpn/users # mkdir /opt/openvpn/ccd # mkdir /opt/openvpn/status +# mkdir /opt/openvpn/log ``` User anlegen: @@ -148,6 +149,11 @@ User anlegen: # groupadd sysoper # useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper # passwd sysoper + +# cat /etc/sudoers.d/sysoper +sysoper ALL=NOPASSWD: /usr/bin/systemctl start myopenvpn +sysoper ALL=NOPASSWD: /usr/bin/systemctl stop myopenvpn +sysoper ALL=NOPASSWD: /usr/bin/systemctl status myopenvpn ``` Git Config: ``` From d2c08b6390d8371f99e394452b0e57dd894eb9df Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Fri, 21 Oct 2022 15:04:26 +0200 Subject: [PATCH 06/12] adapt ro new Python version --- sysoper/hashme.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sysoper/hashme.py b/sysoper/hashme.py index 0ff7ba2..f051ce5 100755 --- a/sysoper/hashme.py +++ b/sysoper/hashme.py 
@@ -13,6 +13,6 @@ if not password: sys.exit() # Hash a password for the first time, with a randomly-generated salt -hashed = bcrypt.hashpw(password, bcrypt.gensalt()) +hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt()) -print "%s" % (hashed) +print("%s" % (hashed.decode("utf-8"))) From 58b7e59e5237e4f85798cc814a6117301c1960d5 Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Fri, 21 Oct 2022 15:19:26 +0200 Subject: [PATCH 07/12] adapt ro new Python version --- scripts/openvpn-auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/openvpn-auth.py b/scripts/openvpn-auth.py index 6cedcbb..750008c 100755 --- a/scripts/openvpn-auth.py +++ b/scripts/openvpn-auth.py @@ -11,7 +11,7 @@ if not password: file = open('/opt/openvpn/users/'+username+'.pwd', 'r') hashed=file.read().rstrip() -if bcrypt.hashpw(password, hashed) == hashed: +if bcrypt.hashpw(password.encode('utf-8'), hashed.encode('utf-8')) == hashed.encode('utf-8'): sys.exit(0) else: sys.exit(1) From 0457852f6ffb0ac8454e1ef2102025228771a74a Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Sat, 22 Oct 2022 10:23:10 +0200 Subject: [PATCH 08/12] use newer server cert to get rif of @SECLEVEL=0 (at least try if it works) --- config/server-443.conf | 2 +- config/server.conf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/server-443.conf b/config/server-443.conf index f847b33..bcd37fe 100644 --- a/config/server-443.conf +++ b/config/server-443.conf @@ -9,7 +9,7 @@ script-security 3 writepid /var/run/openvpn-server/myopenvpn-443.pid ; ciphers -tls-cipher "DEFAULT:@SECLEVEL=0" +tls-cipher "DEFAULT" ; tunnel configuration dev tap1 diff --git a/config/server.conf b/config/server.conf index 9de9786..bc1524e 100644 --- a/config/server.conf +++ b/config/server.conf @@ -9,7 +9,7 @@ script-security 3 writepid /var/run/openvpn-server/myopenvpn.pid ; ciphers -tls-cipher "DEFAULT:@SECLEVEL=0" +tls-cipher "DEFAULT" ; tunnel configuration dev tap0 
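Review bot: `bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())` now passes bytes, but bcrypt only consumes the first 72 bytes of its input, so a longer passphrase is silently truncated (the python-bcrypt shipped with Rocky 9 truncates; recent releases raise ValueError instead) and the user ends up with a shorter effective password than they typed. Reject that case before hashing, `if len(password.encode('utf-8')) > 72: sys.exit('bcrypt supports at most 72 bytes of password')`. The changed print can simply be `print(hashed.decode('utf-8'))`; where `password` is read lies above the hunk.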
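Review bot: `bcrypt.hashpw(...) == hashed.encode('utf-8')` compares the recomputed hash with `==`, which is not constant-time, and two lines above it `open('/opt/openvpn/users/'+username+'.pwd')` builds the path from the username OpenVPN hands the script, i.e. unauthenticated client input (read above the hunk), so a username containing `/` or `..` redirects the lookup to any `.pwd` file on the host, for instance one dropped in a world-writable directory. `bcrypt.checkpw` does the constant-time comparison, and the username should be whitelisted before it touches the filesystem; the file handle is also never closed, and a missing user file currently surfaces as a traceback in the OpenVPN log rather than a plain rejection. The rewrite below keeps the exit-code contract (0 = accept, 1 = reject).
```python
# … unchanged: username and password are read from the environment above …
ALLOWED = set('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._@-')
if not username or username[0] == '.' or set(username) - ALLOWED:
    sys.exit(1)
try:
    with open('/opt/openvpn/users/' + username + '.pwd', 'r') as f:
        hashed = f.read().rstrip()
except OSError:
    sys.exit(1)
if bcrypt.checkpw(password.encode('utf-8'), hashed.encode('utf-8')):
    sys.exit(0)
sys.exit(1)
```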
@@ -38,8 +38,8 @@ management localhost 6666 ; certificates and authentication dh /opt/openvpn/private/dh2048.pem ca /opt/openvpn/ca/cacert.pem -cert /opt/openvpn/certs/hostcert.pem -key /opt/openvpn/private/hostkey.pem +cert /opt/openvpn/certs/ewon.rychiger.com-cert.pem +key /opt/openvpn/private/ewon.rychiger.com-key.pem verify-client-cert none username-as-common-name auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env From 2afa3e3657afc159878ee6939080d3e741882e98 Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Fri, 28 Oct 2022 18:55:50 +0200 Subject: [PATCH 09/12] make it work (UDP/1194) with a Real-Ewon! (lower security levels) --- README.md | 8 ++++++++ config/server.conf | 5 ++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3a93425..3eef771 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,14 @@ Noch ein paar Zusatzpakete: # yum install tcpdump -y # yum install python3-bcrypt -y # yum install tar -y + + +Firewalld disablen (WICHTIG!!!) +# systemctl disable --now firewalld + +Tiefere Sicherheitsstufe, siehe https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening + +# update-crypto-policies --set LEGACY ``` Wegen Entropy: diff --git a/config/server.conf b/config/server.conf index bc1524e..e2a6608 100644 --- a/config/server.conf +++ b/config/server.conf @@ -9,7 +9,10 @@ script-security 3 writepid /var/run/openvpn-server/myopenvpn.pid ; ciphers -tls-cipher "DEFAULT" +tls-cipher "DEFAULT:@SECLEVEL=0" +tls-version-min 1.0 +providers legacy default +data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC ; tunnel configuration dev tap0 From 6675b6fd51389db6ad5b4f7f1dcd3d04725d0daa Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Wed, 9 Nov 2022 17:27:58 +0100 Subject: [PATCH 10/12] same cipher settings for tls/443 --- config/server-443.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
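Review bot: `auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env`, two lines below the changed `key` path, hands every client's cleartext password to the script through its environment, which is why the file needs `script-security 3` higher up; environment strings are inherited by anything the script execs and are readable from /proc/<pid>/environ by processes of the same uid, and OpenVPN's own manual marks via-env as the less secure option. Switch to `auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-file` (the script then reads username and password from the two-line temp file OpenVPN passes as its first argument) and lower `script-security` to 2. Since `verify-client-cert none` makes that password the only client credential, the verifier script's quality is the whole authentication story here. The `management localhost 6666` line in the hunk header appears to carry no password-file argument, which if so lets any local account drive the daemon; confirm and add one or `management-client-auth`.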
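Review bot: `tls-cipher "DEFAULT:@SECLEVEL=0"` together with `tls-version-min 1.0`, `providers legacy default` and `BF-CBC` in `data-ciphers` reverts the previous commit's hardening for every client of the UDP instance, not only the Ewon: SECLEVEL=0 accepts keys and signatures the DEFAULT level rejects (RSA below 1024 bits, SHA-1 certificate signatures), TLS 1.0 opens the control channel to downgrade from 1.2/1.3, and BF-CBC is a 64-bit block cipher subject to SWEET32 once enough traffic flows. The README in the same commit goes further by setting the system-wide crypto policy to LEGACY, which also loosens sshd now that the explicit Ciphers/KexAlgorithms lines were dropped from the documented sshd_config, and by disabling firewalld outright; both are host-wide effects that talking to one device should not require. Narrow the exception to what the Ewon demonstrably needs, e.g. `tls-version-min 1.2` if it negotiates 1.2, keep the AES-GCM entries first in `data-ciphers` so NCP-capable clients never fall back to BF-CBC, and put a comment above these four lines naming the Ewon firmware/OpenVPN version they were tested against so the downgrade can be removed when the device is retired.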
diff --git a/config/server-443.conf b/config/server-443.conf index bcd37fe..b68579f 100644 --- a/config/server-443.conf +++ b/config/server-443.conf @@ -9,7 +9,10 @@ script-security 3 writepid /var/run/openvpn-server/myopenvpn-443.pid ; ciphers -tls-cipher "DEFAULT" +tls-cipher "DEFAULT:@SECLEVEL=0" +tls-version-min 1.0 +providers legacy default +data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC ; tunnel configuration dev tap1 From dfea6d76dcc9534714cad1988fdf4a7d7d4debf3 Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Mon, 28 Nov 2022 17:28:42 +0100 Subject: [PATCH 11/12] ignore ccd files in Git --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index ae5ac22..cb70382 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ *.log *.pwd *.pyc +ccd/ From e9cb377d54a0646b64264fbae54f36ded999c767 Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Mon, 12 Dec 2022 16:51:15 +0100 Subject: [PATCH 12/12] add aide --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index 3eef771..9abf7fb 100644 --- a/README.md +++ b/README.md @@ -220,3 +220,18 @@ $2b$12$OkJpfcPt7Uk8DMVjBbuStedJ63rahYw05E7vNAg9PQigL97ox18Am ccd/testuser :::::::::::::: ifconfig-push 10.3.6.254 255.255.0.0 + + +Einrichten von Aide + +```bash +# dnf install aide +# aide init +# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz +Zum Testen: +# aide --check + +Zum Updaten: +# aide --update +# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz +```
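Review bot: Copying `DEFAULT:@SECLEVEL=0`, `tls-version-min 1.0`, `providers legacy default` and `BF-CBC` into the TCP/443 instance widens the downgrade to a listener that, per the previous commit's subject, the Ewon does not use (it connects over UDP/1194), so tap1 clients lose control-channel and data-channel protections for no compatibility gain. Keep `tls-cipher "DEFAULT"` here (the line this hunk replaces), with at most `tls-version-min 1.2`, and confine the legacy settings to the instance the legacy device actually reaches. If a 443 fallback for the Ewon is genuinely required, record it above the lines, `; legacy settings required by Ewon <model/firmware>, remove when it is retired`, so the exception does not outlive the device.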