Merge branch 'rockylinux9-based' into 'master'

Merge Rocky Linux 9 Version

See merge request drpuur/rych-openvpn!1
Joerg Lehmann 2022-12-12 15:54:32 +00:00
commit 8fe7bf4924
28 changed files with 160 additions and 681 deletions

1
.gitignore vendored

@ -1,3 +1,4 @@
*.log *.log
*.pwd *.pwd
*.pyc *.pyc
ccd/
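Review bot: The new `ccd/` entry keeps the per-user client-config files out of the repo, but two other runtime locations this layout writes to are still not ignored: `leases/` (the `ifconfig-pool-persist` files referenced from config/server.conf and config/server-443.conf) and, more importantly, `private/`, which per the same configs now holds `ewon.rychiger.com-key.pem` next to the committed `dh2048.pem`. DH parameters are public and fine to track, the server key is not; if it is not meant to be in git, add `private/*-key.pem` and `leases/` here. I can only see the config references, not whether the key file is actually tracked, so please confirm with `git ls-files private/`.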

237
README.md

@ -1,44 +1,29 @@
## INSTALLATION ## INSTALLATION
Installation CentOS 7 Minimal Installation Rocky Linux 9 Minimal
Partitionierung (LVM; XFS als Filesystem): Partitionierung (LVM; XFS als Filesystem):
``` ```
/boot 500 MB /boot 1 GB
/ 50 GB / 64 GB
/home 73 GB /home 32 GB
swap 4 GB swap 4 GB
``` ```
Netzwerkkonfiguration: Netzwerkkonfiguration:
``` ```
Hostname: ryovpn.rych01.rychiger.com # hostnamectl hostname ryovpn01.rych01.rychiger.com
Hostname: ryovpn01.rych01.rychiger.com
DNS: 8.8.8.8 DNS: 8.8.8.8
NTP: server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
TYPE="Ethernet" ```
NAME="enp0s10f0"
DEVICE="enp0s10f0" Installation diverse Pakete
ONBOOT="yes" ```
IPV6INIT=no # yum update
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 # yum install kbd-legacy
# dracut -f
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="no"
NAME="enp0s10f1"
DEVICE="enp0s10f1"
ONBOOT="yes"
DNS1="8.8.8.8"
IPADDR=192.168.99.11
PREFIX=24
GATEWAY=192.168.99.1
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
``` ```
Anschliessend Installation OpenVPN: Anschliessend Installation OpenVPN:
@ -47,14 +32,22 @@ Anschliessend Installation OpenVPN:
# yum install openvpn -y # yum install openvpn -y
Noch ein paar Zusatzpakete: Noch ein paar Zusatzpakete:
# yum install mailx -y # yum install s-nail -y
# yum install git -y # yum install git -y
# yum install net-tools -y # yum install net-tools -y
# yum install policycoreutils-devel -y # yum install policycoreutils-devel -y
# yum install bridge-utils -y # yum install bridge-utils -y
# yum install tcpdump -y # yum install tcpdump -y
# yum install chrony -y # yum install python3-bcrypt -y
# yum install py-bcrypt -y # yum install tar -y
Firewalld disablen (WICHTIG!!!)
# systemctl disable --now firewalld
Tiefere Sicherheitsstufe, siehe https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
# update-crypto-policies --set LEGACY
``` ```
Wegen Entropy: Wegen Entropy:
@ -66,33 +59,26 @@ Test:
# cat /proc/sys/kernel/random/entropy_avail # cat /proc/sys/kernel/random/entropy_avail
``` ```
Wegen Time-Sync Meldungen:
```
# cat /etc/rsyslog.d/time_msg.conf
:msg, contains, "Time has been changed" ~
```
Wegen fehlerhafter HW-Clock:
/etc/cron.d/sync-hw-clock:
```
MAILTO=root
*/10 * * * * root /sbin/hwclock --systohc
```
Installation NGINX (Zugang fuer Statusabfragen): Installation NGINX (Zugang fuer Statusabfragen):
``` ```
# yum install nginx # yum install nginx
# systemctl enable nginx
Konfiguration /etc/nginx/nginx.conf: Konfiguration /etc/nginx/nginx.conf:
... ...
root /opt/openvpn/status; root /opt/openvpn/status;
... ...
Installation von altem Server oder git uebernehmen...
# cd /opt
# git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn # use personal access token in Gitlab
# cd openvpn && git checkout rockylinux9-based
SELinux: SELinux:
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
# semanage port -a -t ssh_port_t -p tcp 2202 # semanage port -a -t ssh_port_t -p tcp 2022
# restorecon -v /opt/openvpn/status/openvpnserver-status.log # restorecon -v /opt/openvpn/status/openvpnserver-status.log
# restorecon -v /opt/openvpn/status/openvpnserver-status-443.log # restorecon -v /opt/openvpn/status/openvpnserver-status-443.log
@ -104,74 +90,31 @@ Link erstellen:
Prinzipieller Aufbau: Prinzipieller Aufbau:
``` ```
enp0s10f0: Netzwerkinterface Richtung Internet ens4: Netzwerkinterface Richtung Intranet
enp0s10f1: Netzwerkinterface Richtung Intranet ens3: Netzwerkinterface Richtung Internet
enp0s10f0 (192.168.99.11) ==> hier hoert OpenVPN und bildet das Device tap0 ens3 (192.168.99.111/24) ==> hier hoert OpenVPN und bildet das Device tap0
Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP) Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP)
-- enp0s10f0 => tap0 --+-- br0 (10.3.5.1) -- ens3 => tap0 --+-- br0 (10.3.5.10/16)
tap1 | tap1 |
-- enp0s10f1 ----------+ -- ens4 ----------+
``` ```
OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged) OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged)
Hyper-V Integration: ```
Disable IPv6:
Als Network-Karte muss Legacy gewaehlt werden. Spoofing muss erlaubt sein (wegen Bridge). Zeit Synchronisation muss abgeschaltet sein. # nmcli connection modify ens3 ipv6.method "disabled"
# nmcli connection modify ens4 ipv6.method "disabled"
``` Set end4 to unmanaged:
# yum install hyperv-daemons
# systemctl enable hypervvssd
# systemctl enable hypervkvpd
```
Firewall: [root@ryovpn01 ~]# cat /etc/NetworkManager/conf.d/99-unmanaged-devices.conf
``` [keyfile]
/etc/sysconfig/iptables: unmanaged-devices=interface-name:ens4
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT
-I INPUT -i enp0s10f1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6
#-A FORWARD -j DROP
-A OUTPUT -s 192.168.99.11/32 -j ACCEPT
-A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A OUTPUT -j DROP
COMMIT
```
```
/etc/sysctl.conf:
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
#net.ipv4.ip_forward = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.autoconf = 0
``` ```
``` ```
@ -179,10 +122,6 @@ net.ipv6.conf.all.autoconf = 0
Port 22 Port 22
Port 2022 Port 2022
... ...
# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
``` ```
@ -196,16 +135,17 @@ MAILTO=root
/etc/hosts: /etc/hosts:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.5.2 ewonshare
``` ```
Startup mit Systemd einrichten: Startup mit Systemd einrichten:
gemaess /opt/openvpn/systemd/README gemaess /opt/openvpn/systemd/README
Verzeichnis /opt/openvpn/users muss angelegt werden: Verzeichnis /opt/openvpn/users ccd, log und status muss angelegt werden:
``` ```
# mkdir /opt/openvpn/users # mkdir /opt/openvpn/users
# mkdir /opt/openvpn/ccd
# mkdir /opt/openvpn/status
# mkdir /opt/openvpn/log
``` ```
User anlegen: User anlegen:
@ -217,4 +157,81 @@ User anlegen:
# groupadd sysoper # groupadd sysoper
# useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper # useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper
# passwd sysoper # passwd sysoper
# cat /etc/sudoers.d/sysoper
sysoper ALL=NOPASSWD: /usr/bin/systemctl start myopenvpn
sysoper ALL=NOPASSWD: /usr/bin/systemctl stop myopenvpn
sysoper ALL=NOPASSWD: /usr/bin/systemctl status myopenvpn
```
Git Config:
```
# cat .gitconfig
[user]
name = Joerg Lehmann
email = joerg.lehmann@nbit.ch
[http]
sslVerify = false
```
Testen der Verbindung
```
[joerg@cinnamon test-openvpn-rychiger]$ sudo openvpn --config ewon.rychiger.com.conf
[joerg@cinnamon test-openvpn-rychiger]$ more ewon.rychiger.com.conf
dev tap1
proto tcp
suppress-timestamps
status-version 2
rport 443
verb 1
mute 10
comp-lzo
persist-key
up-delay
route-delay 0
nobind
client
tls-exit
ca cacert.pem
reneg-sec 86400
keepalive 30 120
hand-window 140
remote ewon.rychiger.com
resolv-retry 60
auth-user-pass
am besten auf Linux:
Testuser erstellt mit
$ string_to_hash="7355+TT" /opt/openvpn/sysoper/hashme.py >/opt/openvpn/users/testuser.pwd
auch CCD-File erstellen, siehe unten
[root@ryovpn openvpn]# more users/testuser.pwd ccd/testuser
::::::::::::::
users/testuser.pwd
::::::::::::::
$2b$12$OkJpfcPt7Uk8DMVjBbuStedJ63rahYw05E7vNAg9PQigL97ox18Am
::::::::::::::
ccd/testuser
::::::::::::::
ifconfig-push 10.3.6.254 255.255.0.0
Einrichten von Aide
```bash
# dnf install aide
# aide init
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Zum Testen:
# aide --check
Zum Updaten:
# aide --update
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
``` ```
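Review bot: The step `systemctl disable --now firewalld` (under "Firewalld disablen (WICHTIG!!!)") removes the only host firewall and nothing replaces the iptables ruleset this commit deletes from the README, which dropped new connections from the VPN client range 10.3.6.0/23 and limited nginx port 80 to 10.3.5.2 — with the OpenVPN tap bridged straight into br0 those restrictions now depend entirely on upstream devices. If firewalld interferes with the bridge, the usual fix is to keep it and put br0/ens4 into a permissive zone (or carry the old rules over as nftables), not to disable it; at minimum document why it is "WICHTIG". Likewise `update-crypto-policies --set LEGACY` lowers TLS/SSH policy for every program on the host, while the OpenVPN configs in this commit already carry their own `providers legacy default` and `@SECLEVEL=0` overrides, so the system-wide change may be unnecessary — if only OpenVPN needs it, prefer DEFAULT plus a scoped subpolicy. The git section sets `sslVerify = false`, which turns the clone of this very repository into an unverified download; pin the GitLab CA with `http.sslCAInfo` instead. Finally the test-user example passes the password on the command line (`string_to_hash="7355+TT" /opt/openvpn/sysoper/hashme.py`), which lands in shell history; read it with `read -rs string_to_hash` first.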


@ -1,13 +0,0 @@
#!/bin/bash
# Zuerst stoppen wir Openvpn
pkill openvpn
# Dann unmounten wir den CIFS-Share
#/bin/umount /opt/openvpn/status
/bin/systemctl stop opt-openvpn-status.mount
#/bin/sleep 15
# Dann stoppen wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-stop.sh


@ -1,13 +0,0 @@
#!/bin/bash
# Zuerst stoppen wir Openvpn
/bin/pkill openvpn
# Dann unmounten wir den CIFS-Share
#/bin/umount /opt/openvpn/status
/bin/systemctl stop opt-openvpn-status.mount
#/bin/sleep 15
# Dann stoppen wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-stop.sh


@ -1,8 +0,0 @@
#!/bin/bash
# Zuerst stoppen wir Openvpn
/bin/pkill openvpn
# Dann stoppen wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-stop.sh


@ -1,12 +0,0 @@
#!/bin/bash
# Zuerst starten wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-start.sh
# Dann mounten wir den CIFS-Share
# (wird fuer Status-File gebraucht)
#/bin/mount /opt/openvpn/status
/bin/systemctl start opt-openvpn-status.mount
#
# Dann starten wir Openvpn
/sbin/openvpn /opt/openvpn/config/server.conf


@ -1,15 +0,0 @@
#!/bin/bash
# Zuerst starten wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-start.sh
# Pause...
sleep 10
# Dann mounten wir den CIFS-Share
# (wird fuer Status-File gebraucht)
#/bin/mount /opt/openvpn/status
/bin/systemctl start opt-openvpn-status.mount
#
# Dann starten wir Openvpn
/sbin/openvpn /opt/openvpn/config/server.conf


@ -1,12 +0,0 @@
#!/bin/bash
# Zuerst starten wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-start.sh
# Dann mounten wir den CIFS-Share
# (wird fuer Status-File gebraucht)
#/bin/mount /opt/openvpn/status
/bin/systemctl start opt-openvpn-status.mount
#
# Dann starten wir Openvpn
/sbin/openvpn /opt/openvpn/config/server.conf


@ -1,25 +0,0 @@
#!/bin/bash
IP_OF_CIFS_SERVER=10.3.5.2
# Zuerst starten wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-start.sh
# Wir warten, bis ein ping erfolgreich ist...
((count = 20)) # Maximum number to try.
while [[ $count -ne 0 ]] ; do
ping -q -c 1 -W 1 $IP_OF_CIFS_SERVER >/dev/null # Try once.
rc=$?
if [[ $rc -eq 0 ]] ; then
((count = 1)) # If okay, flag to exit loop.
fi
((count = count - 1)) # So we don't go forever.
done
# Dann mounten wir den CIFS-Share
# (wird fuer Status-File gebraucht)
#/bin/mount /opt/openvpn/status
/bin/systemctl start opt-openvpn-status.mount
#
# Dann starten wir Openvpn
/sbin/openvpn /opt/openvpn/config/server.conf


@ -3,17 +3,20 @@ daemon
tls-server tls-server
proto tcp proto tcp
port 443 port 443
local 192.168.99.11 local 192.168.99.111
client-config-dir /opt/openvpn/ccd client-config-dir /opt/openvpn/ccd
script-security 3 script-security 3
writepid /var/run/openvpn-server/myopenvpn-443.pid writepid /var/run/openvpn-server/myopenvpn-443.pid
; ciphers ; ciphers
tls-cipher "DEFAULT" tls-cipher "DEFAULT:@SECLEVEL=0"
tls-version-min 1.0
providers legacy default
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
; tunnel configuration ; tunnel configuration
dev tap1 dev tap1
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 server-bridge 10.3.5.10 255.255.0.0 10.3.6.1 10.3.7.254
passtos passtos
comp-lzo comp-lzo
persist-key persist-key
@ -36,7 +39,7 @@ client-disconnect /opt/openvpn/scripts/logoff.sh
management localhost 6667 management localhost 6667
; certificates and authentication ; certificates and authentication
dh /opt/openvpn/private/dh1024.pem dh /opt/openvpn/private/dh2048.pem
ca /opt/openvpn/ca/cacert.pem ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/ewon.rychiger.com-cert.pem cert /opt/openvpn/certs/ewon.rychiger.com-cert.pem
key /opt/openvpn/private/ewon.rychiger.com-key.pem key /opt/openvpn/private/ewon.rychiger.com-key.pem


@ -1,51 +0,0 @@
mode server
daemon
tls-server
proto tcp
port 443
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
writepid /var/run/openvpn-server/myopenvpn-443.pid
; ciphers
tls-cipher "DEFAULT"
; tunnel configuration
dev tap1
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn-443.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status-443.log 5;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6667
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
verify-client-cert none
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
;client-to-client
keepalive 10 60
max-clients 50
; explicit exit
push "explicit-exit-notify"


@ -1,48 +0,0 @@
mode server
daemon
tls-server
proto tcp
port 443
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
writepid /var/run/openvpn-server/myopenvpn-443.pid
; tunnel configuration
dev tap1
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn-443.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status-443.log 5;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6667
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
verify-client-cert none
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
;client-to-client
keepalive 10 60
max-clients 50
; explicit exit
push "explicit-exit-notify"


@ -3,17 +3,20 @@ daemon
tls-server tls-server
proto udp proto udp
port 1194 port 1194
local 192.168.99.11 local 192.168.99.111
client-config-dir /opt/openvpn/ccd client-config-dir /opt/openvpn/ccd
script-security 3 script-security 3
writepid /var/run/openvpn-server/myopenvpn.pid writepid /var/run/openvpn-server/myopenvpn.pid
; ciphers ; ciphers
tls-cipher "DEFAULT" tls-cipher "DEFAULT:@SECLEVEL=0"
tls-version-min 1.0
providers legacy default
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
; tunnel configuration ; tunnel configuration
dev tap0 dev tap0
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 server-bridge 10.3.5.10 255.255.0.0 10.3.6.1 10.3.7.254
passtos passtos
comp-lzo comp-lzo
persist-key persist-key
@ -36,10 +39,10 @@ client-disconnect /opt/openvpn/scripts/logoff.sh
management localhost 6666 management localhost 6666
; certificates and authentication ; certificates and authentication
dh /opt/openvpn/private/dh1024.pem dh /opt/openvpn/private/dh2048.pem
ca /opt/openvpn/ca/cacert.pem ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem cert /opt/openvpn/certs/ewon.rychiger.com-cert.pem
key /opt/openvpn/private/hostkey.pem key /opt/openvpn/private/ewon.rychiger.com-key.pem
verify-client-cert none verify-client-cert none
username-as-common-name username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env


@ -1,45 +0,0 @@
mode server
daemon
tls-server
proto udp
port 1194
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
writepid /var/run/openvpn/myopenvpn.pid
; tunnel configuration
dev tap0
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status.log 30;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6666
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
client-cert-not-required
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
;client-to-client
keepalive 10 60
max-clients 50


@ -1,45 +0,0 @@
mode server
daemon
tls-server
proto udp
port 1194
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
writepid /var/run/openvpn/myopenvpn.pid
; tunnel configuration
dev tap0
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status.log 5;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6666
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
client-cert-not-required
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
;client-to-client
keepalive 10 60
max-clients 50


@ -1,44 +0,0 @@
mode server
daemon
tls-server
proto udp
port 1194
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
; tunnel configuration
dev tap0
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status.log 30;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6666
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
client-cert-not-required
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.sh via-env
;client-to-client
keepalive 10 60
max-clients 50


@ -1,48 +0,0 @@
mode server
daemon
tls-server
proto udp
port 1194
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
writepid /var/run/openvpn-server/myopenvpn.pid
; tunnel configuration
dev tap0
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status.log 5;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6666
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
verify-client-cert none
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
;client-to-client
keepalive 10 60
max-clients 50
; explicit exit
push "explicit-exit-notify"


@ -1,5 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIGHAoGBAIPEsURCfpqVznQaOYeWUrTyvMBD2N+6V96Saz3VPJ9WfEoPWM/3CkWH
G/wOFuSYCV8pGok9Y+d2N0V45x56CmhJp6CJdD0L9JwHNhXqRdDOxT1emOb43/Kk
CAXggVkAWnA+XFYXol8lYDP9W5XrU7svRfUe33Q/ijHsaY23myqDAgEC
-----END DH PARAMETERS-----

8
private/dh2048.pem Normal file

@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAyC5BozEDJWU9xKcMEDRxQTyvTKyJ+VhqqJiyiif/LtU1mjTy40Ss
BGO13FjRsXM0VLgl//J/NPi9kfYK5UPSv/mr3TIxMKDRi+U+y48HU2f68XgFhnCE
ePYVwCpOdymOwnYKxtCIwsF4GvNAoLHUIfIwK40BWtpuwB5AbVIkjSCrBWeP9Gxs
g6M06c5G3+xdE/5RqWVtWjnQNutsUrbKTFrBCEBUzElNpYE3mp2cA/8lePtIa8rI
QUHKGcQyln4eH3R/Pt+RETzSybnzliWNfctyiJ7xj/2qYlUdxhlfPipqZbg9u8Jd
NhpXiGhCh2DAcVoRYMERsOkyTKgC6KbBDwIBAg==
-----END DH PARAMETERS-----


@ -3,8 +3,8 @@
br="br0" br="br0"
tap="tap0" tap="tap0"
tap1="tap1" tap1="tap1"
eth="enp0s10f0" eth="ens4"
br_ip="10.3.5.1" br_ip="10.3.5.10"
br_netmask="255.255.0.0" br_netmask="255.255.0.0"
br_broadcast="10.3.255.255" br_broadcast="10.3.255.255"
# Create the tap adapter # Create the tap adapter


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
ifconfig br0 down ifconfig br0 down
brctl delif br0 enp0s10f0 brctl delif br0 ens4
brctl delif br0 tap0 brctl delif br0 tap0
brctl delif br0 tap1 brctl delif br0 tap1
brctl delbr br0 brctl delbr br0


@ -11,7 +11,7 @@ if not password:
file = open('/opt/openvpn/users/'+username+'.pwd', 'r') file = open('/opt/openvpn/users/'+username+'.pwd', 'r')
hashed=file.read().rstrip() hashed=file.read().rstrip()
if bcrypt.hashpw(password, hashed) == hashed: if bcrypt.hashpw(password.encode('utf-8'), hashed.encode('utf-8')) == hashed.encode('utf-8'):
sys.exit(0) sys.exit(0)
else: else:
sys.exit(1) sys.exit(1)
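Review bot: The new comparison `bcrypt.hashpw(password.encode('utf-8'), hashed.encode('utf-8')) == hashed.encode('utf-8')` is a plain bytes `==`, i.e. not constant-time; the library provides the right primitive, so use `if bcrypt.checkpw(password.encode('utf-8'), hashed.encode('utf-8')):`. While here: the `open()` two lines above is never closed, and `username`, which arrives from the client via-env, is concatenated straight into `/opt/openvpn/users/<username>.pwd` — a name containing `/` or `..` escapes that directory, so guard it before the open, e.g. `if not re.fullmatch(r'[A-Za-z0-9._-]+', username): sys.exit(1)`. Those two lines are pre-existing context, and the script's start (where `username`/`password` are read) is outside the hunk.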


@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
DEST="10.3.5.2" DEST="10.3.5.11"
ping -c4 ${DEST} > /dev/null ping -c4 ${DEST} > /dev/null


@ -13,6 +13,6 @@ if not password:
sys.exit() sys.exit()
# Hash a password for the first time, with a randomly-generated salt # Hash a password for the first time, with a randomly-generated salt
hashed = bcrypt.hashpw(password, bcrypt.gensalt()) hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
print "%s" % (hashed) print("%s" % (hashed.decode("utf-8")))


@ -1,143 +0,0 @@
#!/bin/bash
ReadToContinue() {
echo "Return Taste zum fortfahren..."
read
}
AddUser() {
echo -n "Benutzername : "
read username
echo -n "IP Adresse : "
read ip
echo -n "Passwort : "
read pwd
export string_to_hash="${pwd}"
hash="$(/opt/openvpn/sysoper/hashme.py)"
echo "${hash}" > /opt/openvpn/users/${username}.pwd
echo "ifconfig-push ${ip} 255.255.0.0" > /opt/openvpn/ccd/${username}
echo "User ${username} wurde erzeugt"
ReadToContinue
}
ChangePassword() {
echo -n "Benutzername : "
read username
if [ -f /opt/openvpn/users/${username}.pwd ]; then
echo -n "Passwort : "
read pwd
export string_to_hash="${pwd}"
hash="$(/opt/openvpn/sysoper/hashme.py)"
echo "${hash}" > /opt/openvpn/users/${username}.pwd
ReadToContinue
else
echo "User ${username} existiert nicht"
ReadToContinue
fi
}
DeleteUser() {
echo -n "Benutzername : "
read username
if [ -f /opt/openvpn/users/${username}.pwd ]; then
rm /opt/openvpn/users/${username}.pwd
echo "User ${username} wurde geloescht"
# Das CCD-File loeschen wir auch, falls vorhanden
if [ -f /opt/openvpn/ccd/${username} ]; then
rm /opt/openvpn/ccd/${username}
fi
ReadToContinue
else
echo "User ${username} existiert nicht"
ReadToContinue
fi
}
ShowUser() {
echo -n "Benutzername : "
read username
ip=""
if [ -f /opt/openvpn/users/${username}.pwd ]; then
if [ -f /opt/openvpn/ccd/${username} ]; then
ip="$(cat /opt/openvpn/ccd/${username} |awk '{print $2}')"
fi
echo "User ${username} existiert und hat die IP Adresse ${ip}"
echo
echo "Folgendes sind die letzten 20 Logeintraege fuer diesen User:"
echo
if [ -f /opt/openvpn/log/${username}.log ]; then
tail -20 /opt/openvpn/log/${username}.log
else
echo "Es existieren keine Logeintraege"
fi
ReadToContinue
else
echo "User ${username} existiert nicht"
ReadToContinue
fi
}
ListUsers() {
echo
echo "Username IP Adresse"
echo "=================================="
for userfile in $(ls -1 /opt/openvpn/users/*.pwd 2>/dev/null) ; do
user="${userfile##*/}"
user="${user%.pwd}"
ip="N/A"
if [ -f /opt/openvpn/ccd/${user} ]; then
ip="$(cat /opt/openvpn/ccd/${user} |awk '{print $2}')"
fi
printf "%-20s %-15s\n" "$user" "$ip"
done
echo
ReadToContinue
}
ShowLogfile() {
echo "Hinweis: mit Taste G zum Ende des Logs gehen..., Space fuer Seitenweises vorwaertsgehen..."
echo
ReadToContinue
/bin/less /opt/openvpn/log/logon.log
}
character=0
while [ "${character}" != "9" ]; do
clear
echo "Userverwaltung OpenVPN"
echo "======================"
echo "1 - OpenVPN Benutzer hinzufuegen"
echo "2 - OpenVPN Benutzer Passwort setzen"
echo "3 - OpenVPN Benutzer entfernen"
echo "4 - OpenVPN Benutzer anzeigen"
echo "5 - OpenVPN Benutzer auflisten"
echo
echo "7 - Logfile anzeigen"
echo "8 - Passwort von sysoper aendern"
echo
echo "9 - Exit"
echo
echo -n "Bitte Option waehlen > "
read character
case ${character} in
1) AddUser
;;
2) ChangePassword
;;
3) DeleteUser
;;
4) ShowUser
;;
5) ListUsers
;;
7) ShowLogfile
;;
8) passwd sysoper
;;
9) echo Exit...
;;
*) echo "Ungueltige Option..."
read
esac
done
exit 0


@ -1,6 +1,6 @@
[Unit] [Unit]
Description=My OpenVPN Service Description=My OpenVPN Service
After=network-online.target network.target remote-fs.target nss-lookup.target After=network-online.target network.target remote-fs.target
Requires=network-online.target Requires=network-online.target
[Service] [Service]


@ -1,13 +0,0 @@
[Unit]
Description=My OpenVPN Service
After=network-online.target
[Service]
PrivateTmp=true
Type=forking
ExecStart=/opt/openvpn/bin/startup.sh
ExecStop=/opt/openvpn/bin/shutdown.sh
PIDFile=/var/run/openvpn/myopenvpn.pid
[Install]
WantedBy=multi-user.target


@ -1,13 +0,0 @@
[Unit]
Description=My OpenVPN Service
After=network-online.target
[Service]
PrivateTmp=true
Type=forking
ExecStart=/opt/openvpn/bin/startup.sh
ExecStop=/opt/openvpn/bin/shutdown.sh
PIDFile=/var/run/openvpn/myopenvpn.pid
[Install]
WantedBy=multi-user.target