Add README.md

README.md

@@ -0,0 +1,149 @@
+## INSTALLATION
+
+Installation CentOS 7 Minimal
+
+Partitionierung (LVM; XFS als Filesystem):
+/boot      500 MB
+/          50 GB
+/home      73 GB
+swap       4 GB
+
+Netzwerkkonfiguration:
+```
+TYPE="Ethernet"
+NAME="enp0s10f0"
+DEVICE="enp0s10f0"
+ONBOOT="yes"
+IPV6INIT=no
+UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03
+
+TYPE="Ethernet"
+BOOTPROTO="none"
+DEFROUTE="yes"
+IPV4_FAILURE_FATAL="no"
+IPV6INIT="no"
+NAME="enp0s10f1"
+DEVICE="enp0s10f1"
+ONBOOT="yes"
+DNS1="8.8.8.8"
+IPADDR=192.168.99.11
+PREFIX=24
+GATEWAY=192.168.99.1
+UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
+```
+
+Anschliessend Installation OpenVPN:
+```
+# yum install epel-release
+# yum install openvpn -y
+```
+
+Installation NGINX (Zugang fuer Statusabfragen):
+```
+# yum install nginx
+
+Konfiguration /etc/nginx/nginx.conf:
+...
+       root         /opt/openvpn/status;
+...
+
+SELinux:
+# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
+# restorecon -v /opt/openvpn/status/openvpnserver-status.log
+
+```
+
+
+Prinzipieller Aufbau:
+
+```
+enp0s10f0: Netzwerkinterface Richtung Internet
+enp0s10f1: Netzwerkinterface Richtung Intranet
+
+enp0s10f0 (192.168.99.11) ==> hier hoert OpenVPN und bildet das Device tap0
+
+-- enp0s10f0 => tap0 --+-- br0 (10.3.5.1)
+                       |
+-- enp0s10f1 ----------+
+```
+
+OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged)
+
+Hyper-V Integration:
+
+Als Network-Karte muss Legacy gewaehlt werden. Spoofing muss erlaubt sein (wegen Bridge). Zeit Synchronisation muss abgeschaltet sein.
+
+```
+# yum install hyperv-daemons
+# systemctl enable hypervvssd
+# systemctl enable hypervkvpd
+```
+
+Firewall:
+```
+/etc/sysconfig/iptables:
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6
+-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT
+-A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6
+#-A INPUT -j DROP
+-A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6
+#-A FORWARD -j DROP
+-A OUTPUT -s 192.168.99.11/32 -j ACCEPT
+-A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT
+-A OUTPUT -p icmp -j ACCEPT
+-A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6
+#-A OUTPUT -j DROP
+COMMIT
+```
+
+```
+/etc/sysctl.conf:
+# System default settings live in /usr/lib/sysctl.d/00-system.conf.
+# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
+#
+# For more information, see sysctl.conf(5) and sysctl.d(5).
+#net.ipv4.ip_forward = 1
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.bridge.bridge-nf-call-iptables = 1
+net.ipv6.conf.default.autoconf = 0
+net.ipv6.conf.all.autoconf = 0
+```
+
+```
+/etc/ssh/sshd_config:
+Port 22
+Port 2022
+```
+
+
+```
+/etc/cron.d/reboot-if-ping-fails:
+MAILTO=root
+02 * * * * root /opt/openvpn/scripts/reboot-if-ping-fails.sh
+```
+
+```
+/etc/hosts:
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+
+10.3.5.2     ewonshare
+```
+
+Startup mit Systemd einrichten:
+gemaess /opt/openvpn/systemd/README