diff --git a/README.md b/README.md new file mode 100644 index 0000000..404c874 --- /dev/null +++ b/README.md 
@@ -0,0 +1,149 @@ +## INSTALLATION + +Installation CentOS 7 Minimal + +Partitionierung (LVM; XFS als Filesystem): +/boot 500 MB +/ 50 GB +/home 73 GB +swap 4 GB + +Netzwerkkonfiguration: +``` +TYPE="Ethernet" +NAME="enp0s10f0" +DEVICE="enp0s10f0" +ONBOOT="yes" +IPV6INIT=no +UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 + +TYPE="Ethernet" +BOOTPROTO="none" +DEFROUTE="yes" +IPV4_FAILURE_FATAL="no" +IPV6INIT="no" +NAME="enp0s10f1" +DEVICE="enp0s10f1" +ONBOOT="yes" +DNS1="8.8.8.8" +IPADDR=192.168.99.11 +PREFIX=24 +GATEWAY=192.168.99.1 +UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04 +``` + +Anschliessend Installation OpenVPN: +``` +# yum install epel-release +# yum install openvpn -y +``` + +Installation NGINX (Zugang fuer Statusabfragen): +``` +# yum install nginx + +Konfiguration /etc/nginx/nginx.conf: +... + root /opt/openvpn/status; +... + +SELinux: +# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log +# restorecon -v /opt/openvpn/status/openvpnserver-status.log + +``` + + +Prinzipieller Aufbau: + +``` +enp0s10f0: Netzwerkinterface Richtung Internet +enp0s10f1: Netzwerkinterface Richtung Intranet + +enp0s10f0 (192.168.99.11) ==> hier hoert OpenVPN und bildet das Device tap0 + +-- enp0s10f0 => tap0 --+-- br0 (10.3.5.1) + | +-- enp0s10f1 ----------+ +``` + +OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged) + +Hyper-V Integration: + +Als Network-Karte muss Legacy gewaehlt werden. Spoofing muss erlaubt sein (wegen Bridge). Zeit Synchronisation muss abgeschaltet sein. 
+ +``` +# yum install hyperv-daemons +# systemctl enable hypervvssd +# systemctl enable hypervkvpd +``` + +Firewall: +``` +/etc/sysconfig/iptables: +# sample configuration for iptables service +# you can edit this manually or use system-config-firewall +# please do not ask us to add additional ports/services to this default configuration +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6 +-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT +-A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6 +#-A INPUT -j DROP +-A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6 +#-A FORWARD -j DROP +-A OUTPUT -s 192.168.99.11/32 -j ACCEPT +-A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT +-A OUTPUT -p icmp -j ACCEPT +-A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6 +#-A OUTPUT -j DROP +COMMIT +``` + +``` +/etc/sysctl.conf: +# System default settings live in /usr/lib/sysctl.d/00-system.conf. +# To override those settings, enter new settings here, or in an /etc/sysctl.d/.conf file +# +# For more information, see sysctl.conf(5) and sysctl.d(5). 
+#net.ipv4.ip_forward = 1 +net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.default.disable_ipv6 = 1 +net.bridge.bridge-nf-call-iptables = 1 +net.ipv6.conf.default.autoconf = 0 +net.ipv6.conf.all.autoconf = 0 +``` + +``` +/etc/ssh/sshd_config: +Port 22 +Port 2022 +``` + + +``` +/etc/cron.d/reboot-if-ping-fails: +MAILTO=root +02 * * * * root /opt/openvpn/scripts/reboot-if-ping-fails.sh +``` + +``` +/etc/hosts: +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +10.3.5.2 ewonshare +``` + +Startup mit Systemd einrichten: +gemaess /opt/openvpn/systemd/README
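Review bot: In the /etc/sysconfig/iptables block the three terminal drop rules (`#-A INPUT -j DROP`, `#-A FORWARD -j DROP`, `#-A OUTPUT -j DROP`) are commented out while all three chain policies are `ACCEPT`, so the rules tagged `INPUT:DROP:`, `FORWARD:DROP:` and `OUTPUT:DROP:` only log and every packet is still accepted; either uncomment the DROP lines or change the policies to `DROP`, and otherwise rename the log prefixes so they do not claim a drop that does not happen. The same block accepts UDP 1194 with `-I INPUT -i enp0s10f1`, but the "Prinzipieller Aufbau" section says OpenVPN listens on enp0s10f0 (192.168.99.11), the Internet-facing interface, so once the INPUT drop is enabled the VPN port will be unreachable; please reconcile the interface and use `-A` consistently rather than mixing `-I` into an iptables-restore file. Note also that with `net.bridge.bridge-nf-call-iptables = 1` bridged tap0/enp0s10f1 traffic traverses the FORWARD chain, so enabling `-A FORWARD -j DROP` will need explicit ACCEPT rules for the 10.3.6.0/23 client range and br0. Finally, the README points to /opt/openvpn/scripts/reboot-if-ping-fails.sh and /opt/openvpn/systemd/README, neither of which is in this change; either add them or document where they come from.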