Merge branch 'rockylinux9-based' into 'master'
Merge Rocky Linux 9 Version See merge request drpuur/rych-openvpn!1
This commit is contained in: commit 8fe7bf4924
				|  | @ -1,3 +1,4 @@ | |||
| *.log | ||||
| *.pwd | ||||
| *.pyc | ||||
| ccd/ | ||||
README.md
							|  | @ -1,44 +1,29 @@ | |||
| ## INSTALLATION | ||||
| 
 | ||||
| Installation CentOS 7 Minimal | ||||
| Installation Rocky Linux 9 Minimal | ||||
| 
 | ||||
| Partitionierung (LVM; XFS als Filesystem): | ||||
| ``` | ||||
| /boot      500 MB | ||||
| /          50 GB | ||||
| /home      73 GB | ||||
| /boot      1 GB | ||||
| /          64 GB | ||||
| /home      32 GB | ||||
| swap       4 GB | ||||
| ``` | ||||
| 
 | ||||
| Netzwerkkonfiguration: | ||||
| ``` | ||||
| Hostname: ryovpn.rych01.rychiger.com | ||||
| # hostnamectl hostname ryovpn01.rych01.rychiger.com | ||||
| 
 | ||||
| Hostname: ryovpn01.rych01.rychiger.com | ||||
| DNS:      8.8.8.8 | ||||
| NTP:      server 0.centos.pool.ntp.org iburst | ||||
|           server 1.centos.pool.ntp.org iburst | ||||
|           server 2.centos.pool.ntp.org iburst | ||||
|           server 3.centos.pool.ntp.org iburst | ||||
| 
 | ||||
| TYPE="Ethernet" | ||||
| NAME="enp0s10f0" | ||||
| DEVICE="enp0s10f0" | ||||
| ONBOOT="yes" | ||||
| IPV6INIT=no | ||||
| UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 | ||||
| ``` | ||||
|   | ||||
| TYPE="Ethernet" | ||||
| BOOTPROTO="none" | ||||
| DEFROUTE="yes" | ||||
| IPV4_FAILURE_FATAL="no" | ||||
| IPV6INIT="no" | ||||
| NAME="enp0s10f1" | ||||
| DEVICE="enp0s10f1" | ||||
| ONBOOT="yes" | ||||
| DNS1="8.8.8.8" | ||||
| IPADDR=192.168.99.11 | ||||
| PREFIX=24 | ||||
| GATEWAY=192.168.99.1 | ||||
| UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04 | ||||
| Installation diverse Pakete | ||||
| ``` | ||||
| # yum update  | ||||
| # yum install kbd-legacy | ||||
| # dracut -f | ||||
| ``` | ||||
| 
 | ||||
| Anschliessend Installation OpenVPN: | ||||
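Review bot: the network configuration for the new host is incomplete in this hunk: the ifcfg definitions for enp0s10f0/enp0s10f1 (static 192.168.99.11/24, GATEWAY 192.168.99.1, DNS1) are dropped, but the Rocky Linux 9 side adds only `hostnamectl hostname ryovpn01.rych01.rychiger.com`, while the layout section further down expects ens3 at 192.168.99.111/24 and ens4 in the bridge. Add the nmcli commands (or keyfiles) that produce that, e.g. `nmcli connection modify ens3 ipv4.method manual ipv4.addresses 192.168.99.111/24 ipv4.gateway 192.168.99.1 ipv4.dns 8.8.8.8`, so the install is reproducible from the README. Two smaller points: `yum install kbd-legacy` followed by `dracut -f` deserves one sentence on why the initramfs is rebuilt, and the chrony entries still name 0-3.centos.pool.ntp.org; if that is deliberate on Rocky, say so.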
|  | @ -47,14 +32,22 @@ Anschliessend Installation OpenVPN: | |||
| # yum install openvpn -y | ||||
| 
 | ||||
| Noch ein paar Zusatzpakete: | ||||
| # yum install mailx -y | ||||
| # yum install s-nail -y | ||||
| # yum install git -y | ||||
| # yum install net-tools -y | ||||
| # yum install policycoreutils-devel -y | ||||
| # yum install bridge-utils -y | ||||
| # yum install tcpdump -y | ||||
| # yum install chrony -y | ||||
| # yum install py-bcrypt -y | ||||
| # yum install python3-bcrypt -y | ||||
| # yum install tar -y | ||||
| 
 | ||||
| 
 | ||||
| Firewalld disablen (WICHTIG!!!) | ||||
| # systemctl disable --now firewalld | ||||
| 
 | ||||
| Tiefere Sicherheitsstufe, siehe https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening | ||||
| 
 | ||||
| # update-crypto-policies --set LEGACY | ||||
| ``` | ||||
| 
 | ||||
| Wegen Entropy: | ||||
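Review bot: `update-crypto-policies --set LEGACY` changes the policy for every TLS/SSH consumer on the host (sshd, nginx, curl, git), re-enabling TLS 1.0/1.1, SHA-1 signatures and sub-2048-bit RSA/DH everywhere, which is exactly the trade-off the linked Red Hat page warns about. The server configs in this merge already carry per-instance overrides (`tls-cipher "DEFAULT:@SECLEVEL=0"`, `tls-version-min 1.0`, `providers legacy default`), so the system policy can stay at DEFAULT; if a host-wide downgrade is really required, name the clients that need it so it can be reverted later. Likewise "Firewalld disablen (WICHTIG!!!)" removes the only firewall unless the iptables ruleset further down is actually loaded at boot; on Rocky 9 that needs the iptables-services package and `systemctl enable iptables`, which the README does not mention.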
|  | @ -66,33 +59,26 @@ Test: | |||
| # cat /proc/sys/kernel/random/entropy_avail | ||||
| ``` | ||||
| 
 | ||||
| Wegen Time-Sync Meldungen: | ||||
| ``` | ||||
| # cat /etc/rsyslog.d/time_msg.conf | ||||
| :msg, contains, "Time has been changed" ~  | ||||
| ``` | ||||
| 
 | ||||
| Wegen fehlerhafter HW-Clock: | ||||
| 
 | ||||
| /etc/cron.d/sync-hw-clock: | ||||
| ``` | ||||
| MAILTO=root | ||||
| */10 * * * * root /sbin/hwclock --systohc | ||||
| ``` | ||||
| 
 | ||||
| Installation NGINX (Zugang fuer Statusabfragen): | ||||
| ``` | ||||
| # yum install nginx | ||||
| # systemctl enable nginx | ||||
| 
 | ||||
| Konfiguration /etc/nginx/nginx.conf: | ||||
| ... | ||||
|        root         /opt/openvpn/status; | ||||
| ... | ||||
| 
 | ||||
| Installation von altem Server oder git uebernehmen... | ||||
| # cd /opt | ||||
| # git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn    # use personal access token in Gitlab | ||||
| # cd openvpn && git checkout rockylinux9-based | ||||
| 
 | ||||
| SELinux: | ||||
| # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log | ||||
| # semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log | ||||
| # semanage port -a -t ssh_port_t -p tcp 2202 | ||||
| # semanage port -a -t ssh_port_t -p tcp 2022 | ||||
| # restorecon -v /opt/openvpn/status/openvpnserver-status.log | ||||
| # restorecon -v /opt/openvpn/status/openvpnserver-status-443.log | ||||
| 
 | ||||
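Review bot: the nginx block serves /opt/openvpn/status, i.e. the live OpenVPN status logs with usernames, client source addresses and byte counts, over plain HTTP with no authentication; the only protection is the iptables rule that admits port 80 from 10.3.5.2, so that restriction (or an nginx `allow`/`deny` block) must survive the Rocky migration, and the README should say so next to the nginx step. The clone comment "use personal access token in Gitlab" will lead people to put the token into the URL, where it is persisted in /opt/openvpn/.git/config and in shell history; a read-only deploy token or an SSH key is the better fit for a server checkout. The SELinux lines are consistent with the sshd hunk (Port 22 and 2022), fine.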
|  | @ -104,74 +90,31 @@ Link erstellen: | |||
| Prinzipieller Aufbau: | ||||
| 
 | ||||
| ``` | ||||
| enp0s10f0: Netzwerkinterface Richtung Internet | ||||
| enp0s10f1: Netzwerkinterface Richtung Intranet | ||||
| ens4: Netzwerkinterface Richtung Intranet | ||||
| ens3: Netzwerkinterface Richtung Internet | ||||
| 
 | ||||
| enp0s10f0 (192.168.99.11) ==> hier hoert OpenVPN und bildet das Device tap0 | ||||
| ens3 (192.168.99.111/24) ==> hier hoert OpenVPN und bildet das Device tap0 | ||||
| 
 | ||||
| Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP) | ||||
| 
 | ||||
| -- enp0s10f0 => tap0 --+-- br0 (10.3.5.1) | ||||
|                 tap1   | | ||||
| -- enp0s10f1 ----------+ | ||||
| -- ens3 => tap0 --+-- br0 (10.3.5.10/16) | ||||
|            tap1   | | ||||
| -- ens4 ----------+ | ||||
| ``` | ||||
| 
 | ||||
| OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged) | ||||
| 
 | ||||
| Hyper-V Integration: | ||||
| ``` | ||||
| Disable IPv6: | ||||
| 
 | ||||
| Als Network-Karte muss Legacy gewaehlt werden. Spoofing muss erlaubt sein (wegen Bridge). Zeit Synchronisation muss abgeschaltet sein. | ||||
| # nmcli connection modify ens3 ipv6.method "disabled" | ||||
| # nmcli connection modify ens4 ipv6.method "disabled" | ||||
| 
 | ||||
| ``` | ||||
| # yum install hyperv-daemons | ||||
| # systemctl enable hypervvssd | ||||
| # systemctl enable hypervkvpd | ||||
| ``` | ||||
| Set end4 to unmanaged: | ||||
| 
 | ||||
| Firewall: | ||||
| ``` | ||||
| /etc/sysconfig/iptables: | ||||
| # sample configuration for iptables service | ||||
| # you can edit this manually or use system-config-firewall | ||||
| # please do not ask us to add additional ports/services to this default configuration | ||||
| *filter | ||||
| :INPUT ACCEPT [0:0] | ||||
| :FORWARD ACCEPT [0:0] | ||||
| :OUTPUT ACCEPT [0:0] | ||||
| -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||||
| -A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6 | ||||
| -A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP | ||||
| -A INPUT -p icmp -j ACCEPT | ||||
| -A INPUT -i lo -j ACCEPT | ||||
| -I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT | ||||
| -I INPUT -i enp0s10f1 -p tcp -m tcp --dport 443 -j ACCEPT | ||||
| -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | ||||
| -A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT | ||||
| -A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT | ||||
| -A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6 | ||||
| #-A INPUT -j DROP | ||||
| -A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6 | ||||
| #-A FORWARD -j DROP | ||||
| -A OUTPUT -s 192.168.99.11/32 -j ACCEPT | ||||
| -A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT | ||||
| -A OUTPUT -p icmp -j ACCEPT | ||||
| -A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6 | ||||
| #-A OUTPUT -j DROP | ||||
| COMMIT | ||||
| ``` | ||||
| 
 | ||||
| ``` | ||||
| /etc/sysctl.conf: | ||||
| # System default settings live in /usr/lib/sysctl.d/00-system.conf. | ||||
| # To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file | ||||
| # | ||||
| # For more information, see sysctl.conf(5) and sysctl.d(5). | ||||
| #net.ipv4.ip_forward = 1 | ||||
| net.ipv6.conf.all.disable_ipv6 = 1 | ||||
| net.ipv6.conf.default.disable_ipv6 = 1 | ||||
| net.bridge.bridge-nf-call-iptables = 1 | ||||
| net.ipv6.conf.default.autoconf = 0 | ||||
| net.ipv6.conf.all.autoconf = 0 | ||||
| [root@ryovpn01 ~]# cat /etc/NetworkManager/conf.d/99-unmanaged-devices.conf | ||||
| [keyfile] | ||||
| unmanaged-devices=interface-name:ens4 | ||||
| ``` | ||||
| 
 | ||||
| ``` | ||||
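Review bot: the iptables ruleset in this hunk no longer matches the rest of the merge: its accept rules for udp/1194 and tcp/443 are bound to `-i enp0s10f1` while the interfaces are renamed to ens3/ens4 and the layout text says OpenVPN listens on ens3 (192.168.99.111), and the OUTPUT rules still reference 192.168.99.11 and 10.3.5.1/10.3.5.2, which the server configs and scripts in this merge change to .111, 10.3.5.10 and 10.3.5.11. Independently of that, every chain has policy ACCEPT and the terminal `-A INPUT -j DROP`, `-A FORWARD -j DROP` and `-A OUTPUT -j DROP` lines are commented out, so the ruleset only logs; with firewalld disabled the host is effectively unfiltered and, since `net.bridge.bridge-nf-call-iptables = 1` sends bridged frames through FORWARD, traffic from VPN clients into the intranet segment is not filtered either. Either update the rules to the new names/addresses and enable the DROP lines, or remove the block and document the firewall actually in use. Also "Set end4 to unmanaged" is a typo for ens4, and it is worth stating that the unmanaged-devices keyfile is what lets bridge-start.sh enslave ens4 without NetworkManager interfering.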
|  | @ -179,10 +122,6 @@ net.ipv6.conf.all.autoconf = 0 | |||
| Port 22 | ||||
| Port 2022 | ||||
| ... | ||||
| # Ciphers and keying | ||||
| #RekeyLimit default none | ||||
| Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com | ||||
| KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 | ||||
| ``` | ||||
| 
 | ||||
| 
 | ||||
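Review bot: removing the explicit `Ciphers` and `KexAlgorithms` lines makes sshd follow the system-wide crypto policy, which this README sets to LEGACY a few hunks earlier; the net effect is a weaker sshd than before, not a cleanup. Either keep the policy at DEFAULT, or keep a per-daemon override in sshd_config. If the lines are being dropped on purpose, note that the old list also contained `diffie-hellman-group14-sha1`, which is not worth carrying over.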
|  | @ -196,16 +135,17 @@ MAILTO=root | |||
| /etc/hosts: | ||||
| 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 | ||||
| #::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 | ||||
| 
 | ||||
| 10.3.5.2     ewonshare | ||||
| ``` | ||||
| 
 | ||||
| Startup mit Systemd einrichten: | ||||
| gemaess /opt/openvpn/systemd/README | ||||
| 
 | ||||
| Verzeichnis /opt/openvpn/users muss angelegt werden: | ||||
| Verzeichnis /opt/openvpn/users ccd, log und status  muss angelegt werden: | ||||
| ``` | ||||
| # mkdir /opt/openvpn/users | ||||
| # mkdir /opt/openvpn/ccd | ||||
| # mkdir /opt/openvpn/status | ||||
| # mkdir /opt/openvpn/log | ||||
| ``` | ||||
| 
 | ||||
| User anlegen: | ||||
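Review bot: the four `mkdir` calls create the directories root-owned with default 755, but /opt/openvpn/users (bcrypt hashes) and /opt/openvpn/ccd are written by the sysoper menu shell running as user sysoper and read by openvpn-auth.py under the OpenVPN process, so the README should set owner and mode explicitly, e.g. `chown sysoper:sysoper /opt/openvpn/{users,ccd,log}` with `chmod 750` on users and `640` on the .pwd files; as written the sysoper shell cannot write there, and if the files are created as root they are readable by every local user. The /etc/hosts entry `10.3.5.2 ewonshare` also conflicts with the logon.sh change in this merge that pings 10.3.5.11; one of the two should be updated.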
|  | @ -217,4 +157,81 @@ User anlegen: | |||
| # groupadd sysoper | ||||
| # useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper | ||||
| # passwd sysoper | ||||
| 
 | ||||
| # cat /etc/sudoers.d/sysoper | ||||
| sysoper ALL=NOPASSWD: /usr/bin/systemctl start myopenvpn | ||||
| sysoper ALL=NOPASSWD: /usr/bin/systemctl stop myopenvpn | ||||
| sysoper ALL=NOPASSWD: /usr/bin/systemctl status myopenvpn | ||||
| ``` | ||||
| Git Config: | ||||
| ``` | ||||
| # cat .gitconfig | ||||
| [user] | ||||
| 	name = Joerg Lehmann | ||||
| 	email = joerg.lehmann@nbit.ch | ||||
| [http] | ||||
| 	sslVerify = false | ||||
| ``` | ||||
| 
 | ||||
| 
 | ||||
| Testen der Verbindung | ||||
| 
 | ||||
| ``` | ||||
| [joerg@cinnamon test-openvpn-rychiger]$ sudo openvpn --config ewon.rychiger.com.conf | ||||
| 
 | ||||
| [joerg@cinnamon test-openvpn-rychiger]$ more ewon.rychiger.com.conf | ||||
| dev tap1 | ||||
| proto tcp | ||||
| suppress-timestamps | ||||
| status-version 2 | ||||
| rport 443 | ||||
| verb 1 | ||||
| mute 10 | ||||
| comp-lzo | ||||
| persist-key | ||||
| up-delay | ||||
| route-delay 0 | ||||
| nobind | ||||
| client | ||||
| tls-exit | ||||
| ca cacert.pem | ||||
| reneg-sec 86400 | ||||
| keepalive 30 120 | ||||
| hand-window 140 | ||||
| remote ewon.rychiger.com | ||||
| resolv-retry 60 | ||||
| auth-user-pass | ||||
| 
 | ||||
| 
 | ||||
| am besten auf Linux: | ||||
| 
 | ||||
| Testuser erstellt mit  | ||||
| 
 | ||||
| $ string_to_hash="7355+TT" /opt/openvpn/sysoper/hashme.py  >/opt/openvpn/users/testuser.pwd | ||||
| 
 | ||||
| auch CCD-File erstellen, siehe unten | ||||
| 
 | ||||
| [root@ryovpn openvpn]# more users/testuser.pwd ccd/testuser | ||||
| :::::::::::::: | ||||
| users/testuser.pwd | ||||
| :::::::::::::: | ||||
| $2b$12$OkJpfcPt7Uk8DMVjBbuStedJ63rahYw05E7vNAg9PQigL97ox18Am | ||||
| :::::::::::::: | ||||
| ccd/testuser | ||||
| :::::::::::::: | ||||
| ifconfig-push 10.3.6.254 255.255.0.0 | ||||
| 
 | ||||
| 
 | ||||
| Einrichten von Aide | ||||
| 
 | ||||
| ```bash | ||||
| # dnf install aide | ||||
| # aide init | ||||
| # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz | ||||
| Zum Testen: | ||||
| # aide --check | ||||
| 
 | ||||
| Zum Updaten: | ||||
| # aide --update | ||||
| # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz | ||||
| ``` | ||||
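Review bot: the committed .gitconfig sets `[http] sslVerify = false`, which turns off certificate verification for every https clone/pull on the box, including the gitlab.com checkout this README relies on; drop that line (if a proxy or internal CA is the reason, point `http.sslCAInfo` at the CA instead). Same hunk, further points: the testuser password `7355+TT` and its bcrypt hash are both in the README, so that account must never exist on the real server; the client test config has `ca cacert.pem` but no `remote-cert-tls server`, so any certificate signed by that CA is accepted as the server, and `comp-lzo` keeps compression on (see the server configs). The AIDE commands should read `aide --init`, `aide --check`, `aide --update` (the first one lacks the dashes); the sudoers entries for sysoper are fine.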
|  | @ -1,13 +0,0 @@ | |||
| #!/bin/bash | ||||
| 
 | ||||
| # Zuerst stoppen wir Openvpn | ||||
| pkill openvpn | ||||
| 
 | ||||
| # Dann unmounten wir den CIFS-Share | ||||
| #/bin/umount /opt/openvpn/status | ||||
| /bin/systemctl stop opt-openvpn-status.mount | ||||
| #/bin/sleep 15 | ||||
| 
 | ||||
| # Dann stoppen wir die Bridge mit TAP-Device | ||||
| /opt/openvpn/scripts/bridge-stop.sh | ||||
| 
 | ||||
|  | @ -1,13 +0,0 @@ | |||
| #!/bin/bash | ||||
| 
 | ||||
| # Zuerst stoppen wir Openvpn | ||||
| /bin/pkill openvpn | ||||
| 
 | ||||
| # Dann unmounten wir den CIFS-Share | ||||
| #/bin/umount /opt/openvpn/status | ||||
| /bin/systemctl stop opt-openvpn-status.mount | ||||
| #/bin/sleep 15 | ||||
| 
 | ||||
| # Dann stoppen wir die Bridge mit TAP-Device | ||||
| /opt/openvpn/scripts/bridge-stop.sh | ||||
| 
 | ||||
|  | @ -1,8 +0,0 @@ | |||
| #!/bin/bash | ||||
| 
 | ||||
| # Zuerst stoppen wir Openvpn | ||||
| /bin/pkill openvpn | ||||
| 
 | ||||
| # Dann stoppen wir die Bridge mit TAP-Device | ||||
| /opt/openvpn/scripts/bridge-stop.sh | ||||
| 
 | ||||
|  | @ -1,12 +0,0 @@ | |||
| #!/bin/bash | ||||
| 
 | ||||
| # Zuerst starten wir die Bridge mit TAP-Device | ||||
| /opt/openvpn/scripts/bridge-start.sh | ||||
| 
 | ||||
| # Dann mounten wir den CIFS-Share | ||||
| # (wird fuer Status-File gebraucht) | ||||
| #/bin/mount /opt/openvpn/status | ||||
| /bin/systemctl start opt-openvpn-status.mount | ||||
| # | ||||
| # Dann starten wir Openvpn | ||||
| /sbin/openvpn /opt/openvpn/config/server.conf | ||||
|  | @ -1,15 +0,0 @@ | |||
| #!/bin/bash | ||||
| 
 | ||||
| # Zuerst starten wir die Bridge mit TAP-Device | ||||
| /opt/openvpn/scripts/bridge-start.sh | ||||
| 
 | ||||
| # Pause... | ||||
| sleep 10 | ||||
| 
 | ||||
| # Dann mounten wir den CIFS-Share | ||||
| # (wird fuer Status-File gebraucht) | ||||
| #/bin/mount /opt/openvpn/status | ||||
| /bin/systemctl start opt-openvpn-status.mount | ||||
| # | ||||
| # Dann starten wir Openvpn | ||||
| /sbin/openvpn /opt/openvpn/config/server.conf | ||||
|  | @ -1,12 +0,0 @@ | |||
| #!/bin/bash | ||||
| 
 | ||||
| # Zuerst starten wir die Bridge mit TAP-Device | ||||
| /opt/openvpn/scripts/bridge-start.sh | ||||
| 
 | ||||
| # Dann mounten wir den CIFS-Share | ||||
| # (wird fuer Status-File gebraucht) | ||||
| #/bin/mount /opt/openvpn/status | ||||
| /bin/systemctl start opt-openvpn-status.mount | ||||
| # | ||||
| # Dann starten wir Openvpn | ||||
| /sbin/openvpn /opt/openvpn/config/server.conf | ||||
|  | @ -1,25 +0,0 @@ | |||
| #!/bin/bash | ||||
| 
 | ||||
| IP_OF_CIFS_SERVER=10.3.5.2 | ||||
| 
 | ||||
| # Zuerst starten wir die Bridge mit TAP-Device | ||||
| /opt/openvpn/scripts/bridge-start.sh | ||||
| 
 | ||||
| # Wir warten, bis ein ping erfolgreich ist... | ||||
| ((count = 20))                            # Maximum number to try. | ||||
| while [[ $count -ne 0 ]] ; do | ||||
|     ping -q -c 1 -W 1 $IP_OF_CIFS_SERVER >/dev/null # Try once. | ||||
|     rc=$? | ||||
|     if [[ $rc -eq 0 ]] ; then | ||||
|         ((count = 1))                      # If okay, flag to exit loop. | ||||
|     fi | ||||
|     ((count = count - 1))                  # So we don't go forever. | ||||
| done | ||||
| 
 | ||||
| # Dann mounten wir den CIFS-Share | ||||
| # (wird fuer Status-File gebraucht) | ||||
| #/bin/mount /opt/openvpn/status | ||||
| /bin/systemctl start opt-openvpn-status.mount | ||||
| # | ||||
| # Dann starten wir Openvpn | ||||
| /sbin/openvpn /opt/openvpn/config/server.conf | ||||
|  | @ -3,17 +3,20 @@ daemon | |||
| tls-server | ||||
| proto tcp | ||||
| port  443 | ||||
| local 192.168.99.11 | ||||
| local 192.168.99.111 | ||||
| client-config-dir /opt/openvpn/ccd | ||||
| script-security 3 | ||||
| writepid /var/run/openvpn-server/myopenvpn-443.pid | ||||
| 
 | ||||
| ; ciphers | ||||
| tls-cipher "DEFAULT" | ||||
| tls-cipher "DEFAULT:@SECLEVEL=0" | ||||
| tls-version-min 1.0 | ||||
| providers legacy default | ||||
| data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | ||||
| 
 | ||||
| ; tunnel configuration | ||||
| dev tap1 | ||||
| server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 | ||||
| server-bridge 10.3.5.10 255.255.0.0 10.3.6.1 10.3.7.254 | ||||
| passtos | ||||
| comp-lzo | ||||
| persist-key | ||||
|  | @ -36,7 +39,7 @@ client-disconnect  /opt/openvpn/scripts/logoff.sh | |||
| management localhost 6667 | ||||
| 
 | ||||
| ; certificates and authentication | ||||
| dh   /opt/openvpn/private/dh1024.pem | ||||
| dh   /opt/openvpn/private/dh2048.pem | ||||
| ca   /opt/openvpn/ca/cacert.pem | ||||
| cert /opt/openvpn/certs/ewon.rychiger.com-cert.pem | ||||
| key  /opt/openvpn/private/ewon.rychiger.com-key.pem | ||||
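Review bot: the three new cipher lines re-enable broken crypto for this listener: `tls-cipher "DEFAULT:@SECLEVEL=0"` plus `tls-version-min 1.0` accept TLS 1.0 handshakes with SHA-1 signatures, and `data-ciphers ... AES-256-CBC:BF-CBC` with `providers legacy default` brings back Blowfish, a 64-bit block cipher (SWEET32) that with OpenSSL 3 is only reachable through the legacy provider for exactly this reason. If the eWON-class clients need it, say so in a comment above the block, restrict the list to the single cipher they actually negotiate and add a date to revisit; AES-GCM should stay first so capable clients use it. The move from dh1024.pem to dh2048.pem is good. Still open from the old config: `verify-client-cert none` with `username-as-common-name` means a password alone grants access, and `comp-lzo` keeps compression on, which is discouraged.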
|  | @ -1,51 +0,0 @@ | |||
| mode server | ||||
| daemon | ||||
| tls-server | ||||
| proto tcp | ||||
| port  443 | ||||
| local 192.168.99.11 | ||||
| client-config-dir /opt/openvpn/ccd | ||||
| script-security 3 | ||||
| writepid /var/run/openvpn-server/myopenvpn-443.pid | ||||
| 
 | ||||
| ; ciphers | ||||
| tls-cipher "DEFAULT" | ||||
| 
 | ||||
| ; tunnel configuration | ||||
| dev tap1 | ||||
| server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 | ||||
| passtos | ||||
| comp-lzo | ||||
| persist-key | ||||
| persist-tun | ||||
| persist-local-ip | ||||
| persist-remote-ip | ||||
| 
 | ||||
| ; loggin and status | ||||
| ifconfig-pool-persist /opt/openvpn/leases/openvpn-443.leases | ||||
| status-version 2 | ||||
| status /opt/openvpn/status/openvpnserver-status-443.log 5; | ||||
| verb 3 | ||||
| client-connect     /opt/openvpn/scripts/logon.sh | ||||
| client-disconnect  /opt/openvpn/scripts/logoff.sh | ||||
| 
 | ||||
| ; routing | ||||
| ;push "route 10.3.0.0 255.255.0.0" | ||||
| 
 | ||||
| ; management  | ||||
| management localhost 6667 | ||||
| 
 | ||||
| ; certificates and authentication | ||||
| dh   /opt/openvpn/private/dh1024.pem | ||||
| ca   /opt/openvpn/ca/cacert.pem | ||||
| cert /opt/openvpn/certs/hostcert.pem | ||||
| key  /opt/openvpn/private/hostkey.pem | ||||
| verify-client-cert none | ||||
| username-as-common-name | ||||
| auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env | ||||
| ;client-to-client | ||||
| keepalive 10 60 | ||||
| max-clients 50 | ||||
| 
 | ||||
| ; explicit exit | ||||
| push "explicit-exit-notify" | ||||
|  | @ -1,48 +0,0 @@ | |||
| mode server | ||||
| daemon | ||||
| tls-server | ||||
| proto tcp | ||||
| port  443 | ||||
| local 192.168.99.11 | ||||
| client-config-dir /opt/openvpn/ccd | ||||
| script-security 3 | ||||
| writepid /var/run/openvpn-server/myopenvpn-443.pid | ||||
| 
 | ||||
| ; tunnel configuration | ||||
| dev tap1 | ||||
| server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 | ||||
| passtos | ||||
| comp-lzo | ||||
| persist-key | ||||
| persist-tun | ||||
| persist-local-ip | ||||
| persist-remote-ip | ||||
| 
 | ||||
| ; loggin and status | ||||
| ifconfig-pool-persist /opt/openvpn/leases/openvpn-443.leases | ||||
| status-version 2 | ||||
| status /opt/openvpn/status/openvpnserver-status-443.log 5; | ||||
| verb 3 | ||||
| client-connect     /opt/openvpn/scripts/logon.sh | ||||
| client-disconnect  /opt/openvpn/scripts/logoff.sh | ||||
| 
 | ||||
| ; routing | ||||
| ;push "route 10.3.0.0 255.255.0.0" | ||||
| 
 | ||||
| ; management  | ||||
| management localhost 6667 | ||||
| 
 | ||||
| ; certificates and authentication | ||||
| dh   /opt/openvpn/private/dh1024.pem | ||||
| ca   /opt/openvpn/ca/cacert.pem | ||||
| cert /opt/openvpn/certs/hostcert.pem | ||||
| key  /opt/openvpn/private/hostkey.pem | ||||
| verify-client-cert none | ||||
| username-as-common-name | ||||
| auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env | ||||
| ;client-to-client | ||||
| keepalive 10 60 | ||||
| max-clients 50 | ||||
| 
 | ||||
| ; explicit exit | ||||
| push "explicit-exit-notify" | ||||
|  | @ -3,17 +3,20 @@ daemon | |||
| tls-server | ||||
| proto udp | ||||
| port  1194 | ||||
| local 192.168.99.11 | ||||
| local 192.168.99.111 | ||||
| client-config-dir /opt/openvpn/ccd | ||||
| script-security 3 | ||||
| writepid /var/run/openvpn-server/myopenvpn.pid | ||||
| 
 | ||||
| ; ciphers | ||||
| tls-cipher "DEFAULT" | ||||
| tls-cipher "DEFAULT:@SECLEVEL=0" | ||||
| tls-version-min 1.0 | ||||
| providers legacy default | ||||
| data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | ||||
| 
 | ||||
| ; tunnel configuration | ||||
| dev tap0 | ||||
| server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 | ||||
| server-bridge 10.3.5.10 255.255.0.0 10.3.6.1 10.3.7.254 | ||||
| passtos | ||||
| comp-lzo | ||||
| persist-key | ||||
|  | @ -36,10 +39,10 @@ client-disconnect  /opt/openvpn/scripts/logoff.sh | |||
| management localhost 6666 | ||||
| 
 | ||||
| ; certificates and authentication | ||||
| dh   /opt/openvpn/private/dh1024.pem | ||||
| dh   /opt/openvpn/private/dh2048.pem | ||||
| ca   /opt/openvpn/ca/cacert.pem | ||||
| cert /opt/openvpn/certs/hostcert.pem | ||||
| key  /opt/openvpn/private/hostkey.pem | ||||
| cert /opt/openvpn/certs/ewon.rychiger.com-cert.pem | ||||
| key  /opt/openvpn/private/ewon.rychiger.com-key.pem | ||||
| verify-client-cert none | ||||
| username-as-common-name | ||||
| auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env | ||||
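Review bot: same cipher downgrade as in the 443 instance (`@SECLEVEL=0`, `tls-version-min 1.0`, `BF-CBC` via the legacy provider), so the same scoping applies, plus one point specific to this listener: it is the UDP/1194 instance on 192.168.99.111 with `verify-client-cert none`, so anyone who can reach the port can drive the TLS handshake and the password check (openvpn-auth.py) with no pre-shared secret in the way; a `tls-auth` or `tls-crypt` key would close that, at the cost of adding it to both servers and the committed client config. Renaming cert/key to ewon.rychiger.com-*.pem matches the 443 config, fine.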
|  | @ -1,45 +0,0 @@ | |||
| mode server | ||||
| daemon | ||||
| tls-server | ||||
| proto udp | ||||
| port  1194 | ||||
| local 192.168.99.11 | ||||
| client-config-dir /opt/openvpn/ccd | ||||
| script-security 3 | ||||
| writepid /var/run/openvpn/myopenvpn.pid | ||||
| 
 | ||||
| ; tunnel configuration | ||||
| dev tap0 | ||||
| server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 | ||||
| passtos | ||||
| comp-lzo | ||||
| persist-key | ||||
| persist-tun | ||||
| persist-local-ip | ||||
| persist-remote-ip | ||||
| 
 | ||||
| ; loggin and status | ||||
| ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases | ||||
| status-version 2 | ||||
| status /opt/openvpn/status/openvpnserver-status.log 30; | ||||
| verb 3 | ||||
| client-connect     /opt/openvpn/scripts/logon.sh | ||||
| client-disconnect  /opt/openvpn/scripts/logoff.sh | ||||
| 
 | ||||
| ; routing | ||||
| ;push "route 10.3.0.0 255.255.0.0" | ||||
| 
 | ||||
| ; management  | ||||
| management localhost 6666 | ||||
| 
 | ||||
| ; certificates and authentication | ||||
| dh   /opt/openvpn/private/dh1024.pem | ||||
| ca   /opt/openvpn/ca/cacert.pem | ||||
| cert /opt/openvpn/certs/hostcert.pem | ||||
| key  /opt/openvpn/private/hostkey.pem | ||||
| client-cert-not-required | ||||
| username-as-common-name | ||||
| auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env | ||||
| ;client-to-client | ||||
| keepalive 10 60 | ||||
| max-clients 50 | ||||
|  | @ -1,45 +0,0 @@ | |||
| mode server | ||||
| daemon | ||||
| tls-server | ||||
| proto udp | ||||
| port  1194 | ||||
| local 192.168.99.11 | ||||
| client-config-dir /opt/openvpn/ccd | ||||
| script-security 3 | ||||
| writepid /var/run/openvpn/myopenvpn.pid | ||||
| 
 | ||||
| ; tunnel configuration | ||||
| dev tap0 | ||||
| server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 | ||||
| passtos | ||||
| comp-lzo | ||||
| persist-key | ||||
| persist-tun | ||||
| persist-local-ip | ||||
| persist-remote-ip | ||||
| 
 | ||||
| ; loggin and status | ||||
| ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases | ||||
| status-version 2 | ||||
| status /opt/openvpn/status/openvpnserver-status.log 5; | ||||
| verb 3 | ||||
| client-connect     /opt/openvpn/scripts/logon.sh | ||||
| client-disconnect  /opt/openvpn/scripts/logoff.sh | ||||
| 
 | ||||
| ; routing | ||||
| ;push "route 10.3.0.0 255.255.0.0" | ||||
| 
 | ||||
| ; management  | ||||
| management localhost 6666 | ||||
| 
 | ||||
| ; certificates and authentication | ||||
| dh   /opt/openvpn/private/dh1024.pem | ||||
| ca   /opt/openvpn/ca/cacert.pem | ||||
| cert /opt/openvpn/certs/hostcert.pem | ||||
| key  /opt/openvpn/private/hostkey.pem | ||||
| client-cert-not-required | ||||
| username-as-common-name | ||||
| auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env | ||||
| ;client-to-client | ||||
| keepalive 10 60 | ||||
| max-clients 50 | ||||
|  | @ -1,44 +0,0 @@ | |||
| mode server | ||||
| daemon | ||||
| tls-server | ||||
| proto udp | ||||
| port  1194 | ||||
| local 192.168.99.11 | ||||
| client-config-dir /opt/openvpn/ccd | ||||
| script-security 3 | ||||
| 
 | ||||
| ; tunnel configuration | ||||
| dev tap0 | ||||
| server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 | ||||
| passtos | ||||
| comp-lzo | ||||
| persist-key | ||||
| persist-tun | ||||
| persist-local-ip | ||||
| persist-remote-ip | ||||
| 
 | ||||
| ; loggin and status | ||||
| ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases | ||||
| status-version 2 | ||||
| status /opt/openvpn/status/openvpnserver-status.log 30; | ||||
| verb 3 | ||||
| client-connect     /opt/openvpn/scripts/logon.sh | ||||
| client-disconnect  /opt/openvpn/scripts/logoff.sh | ||||
| 
 | ||||
| ; routing | ||||
| ;push "route 10.3.0.0 255.255.0.0" | ||||
| 
 | ||||
| ; management  | ||||
| management localhost 6666 | ||||
| 
 | ||||
| ; certificates and authentication | ||||
| dh   /opt/openvpn/private/dh1024.pem | ||||
| ca   /opt/openvpn/ca/cacert.pem | ||||
| cert /opt/openvpn/certs/hostcert.pem | ||||
| key  /opt/openvpn/private/hostkey.pem | ||||
| client-cert-not-required | ||||
| username-as-common-name | ||||
| auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.sh via-env | ||||
| ;client-to-client | ||||
| keepalive 10 60 | ||||
| max-clients 50 | ||||
|  | @ -1,48 +0,0 @@ | |||
| mode server | ||||
| daemon | ||||
| tls-server | ||||
| proto udp | ||||
| port  1194 | ||||
| local 192.168.99.11 | ||||
| client-config-dir /opt/openvpn/ccd | ||||
| script-security 3 | ||||
| writepid /var/run/openvpn-server/myopenvpn.pid | ||||
| 
 | ||||
| ; tunnel configuration | ||||
| dev tap0 | ||||
| server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254 | ||||
| passtos | ||||
| comp-lzo | ||||
| persist-key | ||||
| persist-tun | ||||
| persist-local-ip | ||||
| persist-remote-ip | ||||
| 
 | ||||
| ; loggin and status | ||||
| ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases | ||||
| status-version 2 | ||||
| status /opt/openvpn/status/openvpnserver-status.log 5; | ||||
| verb 3 | ||||
| client-connect     /opt/openvpn/scripts/logon.sh | ||||
| client-disconnect  /opt/openvpn/scripts/logoff.sh | ||||
| 
 | ||||
| ; routing | ||||
| ;push "route 10.3.0.0 255.255.0.0" | ||||
| 
 | ||||
| ; management  | ||||
| management localhost 6666 | ||||
| 
 | ||||
| ; certificates and authentication | ||||
| dh   /opt/openvpn/private/dh1024.pem | ||||
| ca   /opt/openvpn/ca/cacert.pem | ||||
| cert /opt/openvpn/certs/hostcert.pem | ||||
| key  /opt/openvpn/private/hostkey.pem | ||||
| verify-client-cert none | ||||
| username-as-common-name | ||||
| auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env | ||||
| ;client-to-client | ||||
| keepalive 10 60 | ||||
| max-clients 50 | ||||
| 
 | ||||
| ; explicit exit | ||||
| push "explicit-exit-notify" | ||||
|  | @ -1,5 +0,0 @@ | |||
| -----BEGIN DH PARAMETERS----- | ||||
| MIGHAoGBAIPEsURCfpqVznQaOYeWUrTyvMBD2N+6V96Saz3VPJ9WfEoPWM/3CkWH | ||||
| G/wOFuSYCV8pGok9Y+d2N0V45x56CmhJp6CJdD0L9JwHNhXqRdDOxT1emOb43/Kk | ||||
| CAXggVkAWnA+XFYXol8lYDP9W5XrU7svRfUe33Q/ijHsaY23myqDAgEC | ||||
| -----END DH PARAMETERS----- | ||||
|  | @ -0,0 +1,8 @@ | |||
| -----BEGIN DH PARAMETERS----- | ||||
| MIIBCAKCAQEAyC5BozEDJWU9xKcMEDRxQTyvTKyJ+VhqqJiyiif/LtU1mjTy40Ss | ||||
| BGO13FjRsXM0VLgl//J/NPi9kfYK5UPSv/mr3TIxMKDRi+U+y48HU2f68XgFhnCE | ||||
| ePYVwCpOdymOwnYKxtCIwsF4GvNAoLHUIfIwK40BWtpuwB5AbVIkjSCrBWeP9Gxs | ||||
| g6M06c5G3+xdE/5RqWVtWjnQNutsUrbKTFrBCEBUzElNpYE3mp2cA/8lePtIa8rI | ||||
| QUHKGcQyln4eH3R/Pt+RETzSybnzliWNfctyiJ7xj/2qYlUdxhlfPipqZbg9u8Jd | ||||
| NhpXiGhCh2DAcVoRYMERsOkyTKgC6KbBDwIBAg== | ||||
| -----END DH PARAMETERS----- | ||||
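Review bot: committing DH parameters is fine (they are public) and 2048 bits is the floor; note that `dh none` would drop finite-field DH entirely and let OpenVPN (2.4+) use ECDHE, which removes this file and the generation step from the install. Whatever is chosen, document how dh2048.pem was generated (`openssl dhparam -out dh2048.pem 2048`) so the next installer does not reuse a parameter file of unknown origin.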
|  | @ -3,8 +3,8 @@ | |||
| br="br0" | ||||
| tap="tap0" | ||||
| tap1="tap1" | ||||
| eth="enp0s10f0" | ||||
| br_ip="10.3.5.1" | ||||
| eth="ens4" | ||||
| br_ip="10.3.5.10" | ||||
| br_netmask="255.255.0.0" | ||||
| br_broadcast="10.3.255.255" | ||||
| # Create the tap adapter | ||||
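Review bot: eth="ens4" and br_ip="10.3.5.10" match the layout diagram and `server-bridge 10.3.5.10 ...` in both server configs, good. Two caveats worth a comment in the script: it depends on the NetworkManager unmanaged-devices entry for ens4 from the README (otherwise NM will reconfigure the enslaved interface), and `brctl`/`ifconfig` are deprecated on RHEL 9; the `ip link add br0 type bridge` / `ip link set ens4 master br0` forms avoid the bridge-utils and net-tools dependencies the README installs only for this.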
|  | @ -1,7 +1,7 @@ | |||
| #!/bin/bash | ||||
| 
 | ||||
| ifconfig br0 down | ||||
| brctl delif br0 enp0s10f0 | ||||
| brctl delif br0 ens4 | ||||
| brctl delif br0 tap0 | ||||
| brctl delif br0 tap1 | ||||
| brctl delbr br0 | ||||
|  | @ -11,7 +11,7 @@ if not password: | |||
| 
 | ||||
| file = open('/opt/openvpn/users/'+username+'.pwd', 'r') | ||||
| hashed=file.read().rstrip() | ||||
| if bcrypt.hashpw(password, hashed) == hashed: | ||||
| if bcrypt.hashpw(password.encode('utf-8'), hashed.encode('utf-8')) == hashed.encode('utf-8'): | ||||
|     sys.exit(0) | ||||
| else: | ||||
|     sys.exit(1) | ||||
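Review bot: two things in the comparison line. `bcrypt.hashpw(pw, hashed) == hashed` is a plain string compare; use `bcrypt.checkpw(password.encode('utf-8'), hashed.encode('utf-8'))`, which does a constant-time comparison. More important is the line above it: `'/opt/openvpn/users/'+username+'.pwd'` takes the username straight from the OpenVPN environment, and a username such as `../ccd/x` resolves outside the users directory, so validate it (e.g. reject anything but `[A-Za-z0-9_.-]` and any leading dot) before building the path, wrap the open() in a try so an unknown user yields exit 1 instead of a traceback in the OpenVPN log, and use `with open(...) as f:` so the file is closed.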
|  | @ -1,5 +1,5 @@ | |||
| #!/bin/bash | ||||
| DEST="10.3.5.2" | ||||
| DEST="10.3.5.11" | ||||
| 
 | ||||
| ping -c4 ${DEST} > /dev/null | ||||
|   | ||||
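Review bot: DEST moves from 10.3.5.2 to 10.3.5.11, but the rest of the merge still uses 10.3.5.2 for the same host: the README's /etc/hosts (`10.3.5.2 ewonshare`), its iptables rules (port 80 from 10.3.5.2, OUTPUT to 10.3.5.2) and the removed startup variant's IP_OF_CIFS_SERVER. Confirm which address the share/status host has on the new network and update the others in the same change; otherwise the connect-time ping checks a different box than the one the status mount needs.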
|  | @ -13,6 +13,6 @@ if not password: | |||
|     sys.exit() | ||||
| 
 | ||||
| # Hash a password for the first time, with a randomly-generated salt | ||||
| hashed = bcrypt.hashpw(password, bcrypt.gensalt()) | ||||
| hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt()) | ||||
| 
 | ||||
| print "%s" % (hashed) | ||||
| print("%s" % (hashed.decode("utf-8"))) | ||||
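Review bot: the py3 port is correct (hashpw on bytes, decode for print), and passing the plaintext through the `string_to_hash` environment variable is better than argv. The README's example `string_to_hash="7355+TT" /opt/openvpn/sysoper/hashme.py`, however, puts the password into the operator's shell history; let the script fall back to `getpass.getpass()` when the variable is unset so interactive use never needs it on the command line. bcrypt also only consumes the first 72 bytes of input (older versions truncate silently, recent ones raise), worth a comment since long passphrases are possible here.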
|  | @ -1,143 +0,0 @@ | |||
| #!/bin/bash | ||||
| 
 | ||||
| ReadToContinue() { | ||||
|   echo "Return Taste zum fortfahren..." | ||||
|   read | ||||
| } | ||||
| 
 | ||||
| AddUser() { | ||||
|   echo -n "Benutzername : " | ||||
|   read username | ||||
|   echo -n "IP Adresse   : " | ||||
|   read ip | ||||
|   echo -n "Passwort     : " | ||||
|   read pwd | ||||
|   export string_to_hash="${pwd}" | ||||
|   hash="$(/opt/openvpn/sysoper/hashme.py)" | ||||
|   echo "${hash}"                           > /opt/openvpn/users/${username}.pwd | ||||
|   echo "ifconfig-push ${ip} 255.255.0.0"   > /opt/openvpn/ccd/${username} | ||||
|   echo "User ${username} wurde erzeugt" | ||||
|   ReadToContinue | ||||
| } | ||||
| 
 | ||||
| ChangePassword() { | ||||
|   echo -n "Benutzername : " | ||||
|   read username | ||||
|   if [ -f /opt/openvpn/users/${username}.pwd ]; then | ||||
|     echo -n "Passwort     : " | ||||
|     read pwd | ||||
|     export string_to_hash="${pwd}" | ||||
|     hash="$(/opt/openvpn/sysoper/hashme.py)" | ||||
|     echo "${hash}"                           > /opt/openvpn/users/${username}.pwd | ||||
|     ReadToContinue | ||||
|   else | ||||
|     echo "User ${username} existiert nicht" | ||||
|     ReadToContinue | ||||
|   fi | ||||
| } | ||||
| 
 | ||||
| DeleteUser() { | ||||
|   echo -n "Benutzername : " | ||||
|   read username | ||||
|   if [ -f /opt/openvpn/users/${username}.pwd ]; then | ||||
|     rm /opt/openvpn/users/${username}.pwd  | ||||
|     echo "User ${username} wurde geloescht" | ||||
|     # Das CCD-File loeschen wir auch, falls vorhanden | ||||
|     if [ -f /opt/openvpn/ccd/${username} ]; then | ||||
|       rm /opt/openvpn/ccd/${username} | ||||
|     fi | ||||
|     ReadToContinue | ||||
|   else | ||||
|     echo "User ${username} existiert nicht" | ||||
|     ReadToContinue | ||||
|   fi | ||||
| } | ||||
| 
 | ||||
| ShowUser() { | ||||
|   echo -n "Benutzername : " | ||||
|   read username | ||||
|   ip="" | ||||
|   if [ -f /opt/openvpn/users/${username}.pwd ]; then | ||||
|     if [ -f /opt/openvpn/ccd/${username} ]; then | ||||
|       ip="$(cat /opt/openvpn/ccd/${username} |awk '{print $2}')" | ||||
|     fi    | ||||
|     echo "User ${username} existiert und hat die IP Adresse ${ip}" | ||||
|     echo | ||||
|     echo "Folgendes sind die letzten 20 Logeintraege fuer diesen User:" | ||||
|     echo | ||||
|     if [ -f /opt/openvpn/log/${username}.log ]; then | ||||
|        tail -20 /opt/openvpn/log/${username}.log  | ||||
|     else | ||||
|        echo "Es existieren keine Logeintraege" | ||||
|     fi | ||||
|     ReadToContinue | ||||
|   else | ||||
|     echo "User ${username} existiert nicht" | ||||
|     ReadToContinue | ||||
|   fi | ||||
| } | ||||
| 
 | ||||
| ListUsers() { | ||||
|   echo | ||||
|   echo "Username              IP Adresse" | ||||
|   echo "==================================" | ||||
|   for userfile in $(ls -1 /opt/openvpn/users/*.pwd 2>/dev/null) ; do | ||||
|     user="${userfile##*/}" | ||||
|     user="${user%.pwd}" | ||||
|     ip="N/A" | ||||
|     if [ -f /opt/openvpn/ccd/${user} ]; then | ||||
|       ip="$(cat /opt/openvpn/ccd/${user} |awk '{print $2}')" | ||||
|     fi | ||||
|     printf "%-20s  %-15s\n" "$user" "$ip" | ||||
|   done | ||||
|   echo | ||||
|   ReadToContinue | ||||
| } | ||||
| 
 | ||||
| ShowLogfile() { | ||||
|   echo "Hinweis: mit Taste G zum Ende des Logs gehen..., Space fuer Seitenweises vorwaertsgehen..." | ||||
|   echo | ||||
|   ReadToContinue | ||||
|   /bin/less /opt/openvpn/log/logon.log | ||||
| } | ||||
| 
 | ||||
| character=0 | ||||
| while [ "${character}" != "9" ]; do | ||||
|   clear | ||||
|   echo "Userverwaltung OpenVPN" | ||||
|   echo "======================" | ||||
|   echo "1 - OpenVPN Benutzer hinzufuegen" | ||||
|   echo "2 - OpenVPN Benutzer Passwort setzen" | ||||
|   echo "3 - OpenVPN Benutzer entfernen" | ||||
|   echo "4 - OpenVPN Benutzer anzeigen" | ||||
|   echo "5 - OpenVPN Benutzer auflisten" | ||||
|   echo  | ||||
|   echo "7 - Logfile anzeigen" | ||||
|   echo "8 - Passwort von sysoper aendern" | ||||
|   echo  | ||||
|   echo "9 - Exit" | ||||
|   echo | ||||
|   echo -n "Bitte Option waehlen > " | ||||
|   read  character | ||||
|   case ${character} in  | ||||
|     1) AddUser | ||||
|        ;; | ||||
|     2) ChangePassword | ||||
|        ;; | ||||
|     3) DeleteUser | ||||
|        ;; | ||||
|     4) ShowUser | ||||
|        ;; | ||||
|     5) ListUsers | ||||
|        ;; | ||||
|     7) ShowLogfile  | ||||
|        ;; | ||||
|     8) passwd sysoper | ||||
|        ;; | ||||
|     9) echo Exit... | ||||
|        ;; | ||||
|     *) echo "Ungueltige Option..." | ||||
|        read | ||||
|   esac | ||||
| done | ||||
| exit 0 | ||||
|  | @ -1,6 +1,6 @@ | |||
| [Unit] | ||||
| Description=My OpenVPN Service | ||||
| After=network-online.target network.target remote-fs.target nss-lookup.target | ||||
| After=network-online.target network.target remote-fs.target | ||||
| Requires=network-online.target | ||||
| 
 | ||||
| [Service] | ||||
|  | @ -1,13 +0,0 @@ | |||
| [Unit] | ||||
| Description=My OpenVPN Service | ||||
| After=network-online.target | ||||
| 
 | ||||
| [Service] | ||||
| PrivateTmp=true | ||||
| Type=forking | ||||
| ExecStart=/opt/openvpn/bin/startup.sh | ||||
| ExecStop=/opt/openvpn/bin/shutdown.sh | ||||
| PIDFile=/var/run/openvpn/myopenvpn.pid | ||||
| 
 | ||||
| [Install] | ||||
| WantedBy=multi-user.target | ||||
|  | @ -1,13 +0,0 @@ | |||
| [Unit] | ||||
| Description=My OpenVPN Service | ||||
| After=network-online.target | ||||
| 
 | ||||
| [Service] | ||||
| PrivateTmp=true | ||||
| Type=forking | ||||
| ExecStart=/opt/openvpn/bin/startup.sh | ||||
| ExecStop=/opt/openvpn/bin/shutdown.sh | ||||
| PIDFile=/var/run/openvpn/myopenvpn.pid | ||||
| 
 | ||||
| [Install] | ||||
| WantedBy=multi-user.target | ||||