drpuur
/
rych-openvpn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rocky Linux 9 version, cleanups

This commit is contained in:
Joerg Lehmann 2022-10-19 19:21:24 +02:00
parent 67a184fafe
commit d7797e4b1e
21 changed files with 49 additions and 598 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
README.md
View File

@ -1,23 +1,22 @@
## INSTALLATION
Installation CentOS 7 Minimal
Installation Rocky Linux 9 Minimal
Partitionierung (LVM; XFS als Filesystem):
```
/boot 500 MB
/ 50 GB
/home 73 GB
swap 4 GB
/boot 1 GB
/ XXX GB
swap X GB
```
Netzwerkkonfiguration:
```
Hostname: ryovpn.rych01.rychiger.com
Hostname: ryovpn01.rych01.rychiger.com
DNS: 8.8.8.8
NTP: server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
NTP: XXXXXX
XXXXXX
TODO:
TYPE="Ethernet"
NAME="enp0s10f0"
@ -40,6 +39,12 @@ PREFIX=24
GATEWAY=192.168.99.1
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
```
Installation diverse Pakete
```
# yum install kbd-legacy
# dracut -f
```
Anschliessend Installation OpenVPN:
```
@ -47,14 +52,13 @@ Anschliessend Installation OpenVPN:
# yum install openvpn -y
Noch ein paar Zusatzpakete:
# yum install mailx -y
# yum install s-nail -y
# yum install git -y
# yum install net-tools -y
# yum install policycoreutils-devel -y
# yum install bridge-utils -y
# yum install tcpdump -y
# yum install chrony -y
# yum install py-bcrypt -y
# yum install python3-bcrypt -y
```
Wegen Entropy:
@ -66,29 +70,22 @@ Test:
# cat /proc/sys/kernel/random/entropy_avail
```
Wegen Time-Sync Meldungen:
```
# cat /etc/rsyslog.d/time_msg.conf
:msg, contains, "Time has been changed" ~
```
Wegen fehlerhafter HW-Clock:
/etc/cron.d/sync-hw-clock:
```
MAILTO=root
*/10 * * * * root /sbin/hwclock --systohc
```
Installation NGINX (Zugang fuer Statusabfragen):
```
# yum install nginx
# systemctl enable nginx
Konfiguration /etc/nginx/nginx.conf:
...
root /opt/openvpn/status;
...
Installation von altem Server oder git uebernehmen...
# cd /opt
# git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn # use personal access token in Gitlab
SELinux:
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
@ -107,11 +104,11 @@ Prinzipieller Aufbau:
enp0s10f0: Netzwerkinterface Richtung Internet
enp0s10f1: Netzwerkinterface Richtung Intranet
enp0s10f0 (192.168.99.11) ==> hier hoert OpenVPN und bildet das Device tap0
enp0s10f0 (192.168.99.11/24) ==> hier hoert OpenVPN und bildet das Device tap0
Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP)
-- enp0s10f0 => tap0 --+-- br0 (10.3.5.1)
-- enp0s10f0 => tap0 --+-- br0 (10.3.5.1/16)
tap1 |
-- enp0s10f1 ----------+
```
@ -161,17 +158,9 @@ COMMIT
```
```
/etc/sysctl.conf:
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
#net.ipv4.ip_forward = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.autoconf = 0
Disable IPv6:
# nmcli connection modify <Connection Name> ipv6.method "disabled"
```
```
@ -196,8 +185,6 @@ MAILTO=root
/etc/hosts:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.5.2 ewonshare
```
Startup mit Systemd einrichten:
@ -218,3 +205,12 @@ User anlegen:
# useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper
# passwd sysoper
```
Git Config:
```
# cat .gitconfig
[user]
name = Joerg Lehmann
email = joerg.lehmann@nbit.ch
[http]
sslVerify = false
```

13
bin/shutdown.sh.05jul2016
View File

@ -1,13 +0,0 @@
#!/bin/bash
# Zuerst stoppen wir Openvpn
pkill openvpn
# Dann unmounten wir den CIFS-Share
#/bin/umount /opt/openvpn/status
/bin/systemctl stop opt-openvpn-status.mount
#/bin/sleep 15
# Dann stoppen wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-stop.sh

13
bin/shutdown.sh.13oct2016
View File

@ -1,13 +0,0 @@
#!/bin/bash
# Zuerst stoppen wir Openvpn
/bin/pkill openvpn
# Dann unmounten wir den CIFS-Share
#/bin/umount /opt/openvpn/status
/bin/systemctl stop opt-openvpn-status.mount
#/bin/sleep 15
# Dann stoppen wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-stop.sh

8
bin/shutdown.sh.new
View File

@ -1,8 +0,0 @@
#!/bin/bash
# Zuerst stoppen wir Openvpn
/bin/pkill openvpn
# Dann stoppen wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-stop.sh

12
bin/startup.sh.05jul2016
View File

@ -1,12 +0,0 @@
#!/bin/bash
# Zuerst starten wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-start.sh
# Dann mounten wir den CIFS-Share
# (wird fuer Status-File gebraucht)
#/bin/mount /opt/openvpn/status
/bin/systemctl start opt-openvpn-status.mount
#
# Dann starten wir Openvpn
/sbin/openvpn /opt/openvpn/config/server.conf

15
bin/startup.sh.13oct2016
View File

@ -1,15 +0,0 @@
#!/bin/bash
# Zuerst starten wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-start.sh
# Pause...
sleep 10
# Dann mounten wir den CIFS-Share
# (wird fuer Status-File gebraucht)
#/bin/mount /opt/openvpn/status
/bin/systemctl start opt-openvpn-status.mount
#
# Dann starten wir Openvpn
/sbin/openvpn /opt/openvpn/config/server.conf

12
bin/startup.sh.31aug2016
View File

@ -1,12 +0,0 @@
#!/bin/bash
# Zuerst starten wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-start.sh
# Dann mounten wir den CIFS-Share
# (wird fuer Status-File gebraucht)
#/bin/mount /opt/openvpn/status
/bin/systemctl start opt-openvpn-status.mount
#
# Dann starten wir Openvpn
/sbin/openvpn /opt/openvpn/config/server.conf

25
bin/startup.sh.31aug2016-with-loop
View File

@ -1,25 +0,0 @@
#!/bin/bash
IP_OF_CIFS_SERVER=10.3.5.2
# Zuerst starten wir die Bridge mit TAP-Device
/opt/openvpn/scripts/bridge-start.sh
# Wir warten, bis ein ping erfolgreich ist...
((count = 20)) # Maximum number to try.
while [[ $count -ne 0 ]] ; do
ping -q -c 1 -W 1 $IP_OF_CIFS_SERVER >/dev/null # Try once.
rc=$?
if [[ $rc -eq 0 ]] ; then
((count = 1)) # If okay, flag to exit loop.
fi
((count = count - 1)) # So we don't go forever.
done
# Dann mounten wir den CIFS-Share
# (wird fuer Status-File gebraucht)
#/bin/mount /opt/openvpn/status
/bin/systemctl start opt-openvpn-status.mount
#
# Dann starten wir Openvpn
/sbin/openvpn /opt/openvpn/config/server.conf

4
config/server-443.conf
View File

@ -9,7 +9,7 @@ script-security 3
writepid /var/run/openvpn-server/myopenvpn-443.pid
; ciphers
tls-cipher "DEFAULT"
tls-cipher "DEFAULT:@SECLEVEL=0"
; tunnel configuration
dev tap1
@ -36,7 +36,7 @@ client-disconnect /opt/openvpn/scripts/logoff.sh
management localhost 6667
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
dh /opt/openvpn/private/dh2048.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/ewon.rychiger.com-cert.pem
key /opt/openvpn/private/ewon.rychiger.com-key.pem

51
config/server-443.conf.22feb2019
View File

@ -1,51 +0,0 @@
mode server
daemon
tls-server
proto tcp
port 443
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
writepid /var/run/openvpn-server/myopenvpn-443.pid
; ciphers
tls-cipher "DEFAULT"
; tunnel configuration
dev tap1
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn-443.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status-443.log 5;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6667
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
verify-client-cert none
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
;client-to-client
keepalive 10 60
max-clients 50
; explicit exit
push "explicit-exit-notify"

48
config/server-443.conf.5jul2018
View File

@ -1,48 +0,0 @@
mode server
daemon
tls-server
proto tcp
port 443
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
writepid /var/run/openvpn-server/myopenvpn-443.pid
; tunnel configuration
dev tap1
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn-443.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status-443.log 5;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6667
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
verify-client-cert none
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
;client-to-client
keepalive 10 60
max-clients 50
; explicit exit
push "explicit-exit-notify"

4
config/server.conf
View File

@ -9,7 +9,7 @@ script-security 3
writepid /var/run/openvpn-server/myopenvpn.pid
; ciphers
tls-cipher "DEFAULT"
tls-cipher "DEFAULT:@SECLEVEL=0"
; tunnel configuration
dev tap0
@ -36,7 +36,7 @@ client-disconnect /opt/openvpn/scripts/logoff.sh
management localhost 6666
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
dh /opt/openvpn/private/dh2048.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem

45
config/server.conf.15sep2016
View File

@ -1,45 +0,0 @@
mode server
daemon
tls-server
proto udp
port 1194
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
writepid /var/run/openvpn/myopenvpn.pid
; tunnel configuration
dev tap0
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status.log 30;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6666
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
client-cert-not-required
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
;client-to-client
keepalive 10 60
max-clients 50

45
config/server.conf.19sep2016
View File

@ -1,45 +0,0 @@
mode server
daemon
tls-server
proto udp
port 1194
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
writepid /var/run/openvpn/myopenvpn.pid
; tunnel configuration
dev tap0
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status.log 5;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6666
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
client-cert-not-required
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
;client-to-client
keepalive 10 60
max-clients 50

44
config/server.conf.2jul2016
View File

@ -1,44 +0,0 @@
mode server
daemon
tls-server
proto udp
port 1194
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
; tunnel configuration
dev tap0
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status.log 30;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6666
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
client-cert-not-required
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.sh via-env
;client-to-client
keepalive 10 60
max-clients 50

48
config/server.conf.5jul2018
View File

@ -1,48 +0,0 @@
mode server
daemon
tls-server
proto udp
port 1194
local 192.168.99.11
client-config-dir /opt/openvpn/ccd
script-security 3
writepid /var/run/openvpn-server/myopenvpn.pid
; tunnel configuration
dev tap0
server-bridge 10.3.5.1 255.255.0.0 10.3.6.1 10.3.7.254
passtos
comp-lzo
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; loggin and status
ifconfig-pool-persist /opt/openvpn/leases/openvpn.leases
status-version 2
status /opt/openvpn/status/openvpnserver-status.log 5;
verb 3
client-connect /opt/openvpn/scripts/logon.sh
client-disconnect /opt/openvpn/scripts/logoff.sh
; routing
;push "route 10.3.0.0 255.255.0.0"
; management
management localhost 6666
; certificates and authentication
dh /opt/openvpn/private/dh1024.pem
ca /opt/openvpn/ca/cacert.pem
cert /opt/openvpn/certs/hostcert.pem
key /opt/openvpn/private/hostkey.pem
verify-client-cert none
username-as-common-name
auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env
;client-to-client
keepalive 10 60
max-clients 50
; explicit exit
push "explicit-exit-notify"

5
private/dh1024.pem
View File

@ -1,5 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIGHAoGBAIPEsURCfpqVznQaOYeWUrTyvMBD2N+6V96Saz3VPJ9WfEoPWM/3CkWH
G/wOFuSYCV8pGok9Y+d2N0V45x56CmhJp6CJdD0L9JwHNhXqRdDOxT1emOb43/Kk
CAXggVkAWnA+XFYXol8lYDP9W5XrU7svRfUe33Q/ijHsaY23myqDAgEC
-----END DH PARAMETERS-----

8
private/dh2048.pem Normal file
View File

@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAyC5BozEDJWU9xKcMEDRxQTyvTKyJ+VhqqJiyiif/LtU1mjTy40Ss
BGO13FjRsXM0VLgl//J/NPi9kfYK5UPSv/mr3TIxMKDRi+U+y48HU2f68XgFhnCE
ePYVwCpOdymOwnYKxtCIwsF4GvNAoLHUIfIwK40BWtpuwB5AbVIkjSCrBWeP9Gxs
g6M06c5G3+xdE/5RqWVtWjnQNutsUrbKTFrBCEBUzElNpYE3mp2cA/8lePtIa8rI
QUHKGcQyln4eH3R/Pt+RETzSybnzliWNfctyiJ7xj/2qYlUdxhlfPipqZbg9u8Jd
NhpXiGhCh2DAcVoRYMERsOkyTKgC6KbBDwIBAg==
-----END DH PARAMETERS-----

143
sysoper/sysoper_shell.05jul2016
View File

@ -1,143 +0,0 @@
#!/bin/bash
ReadToContinue() {
echo "Return Taste zum fortfahren..."
read
}
AddUser() {
echo -n "Benutzername : "
read username
echo -n "IP Adresse : "
read ip
echo -n "Passwort : "
read pwd
export string_to_hash="${pwd}"
hash="$(/opt/openvpn/sysoper/hashme.py)"
echo "${hash}" > /opt/openvpn/users/${username}.pwd
echo "ifconfig-push ${ip} 255.255.0.0" > /opt/openvpn/ccd/${username}
echo "User ${username} wurde erzeugt"
ReadToContinue
}
ChangePassword() {
echo -n "Benutzername : "
read username
if [ -f /opt/openvpn/users/${username}.pwd ]; then
echo -n "Passwort : "
read pwd
export string_to_hash="${pwd}"
hash="$(/opt/openvpn/sysoper/hashme.py)"
echo "${hash}" > /opt/openvpn/users/${username}.pwd
ReadToContinue
else
echo "User ${username} existiert nicht"
ReadToContinue
fi
}
DeleteUser() {
echo -n "Benutzername : "
read username
if [ -f /opt/openvpn/users/${username}.pwd ]; then
rm /opt/openvpn/users/${username}.pwd
echo "User ${username} wurde geloescht"
# Das CCD-File loeschen wir auch, falls vorhanden
if [ -f /opt/openvpn/ccd/${username} ]; then
rm /opt/openvpn/ccd/${username}
fi
ReadToContinue
else
echo "User ${username} existiert nicht"
ReadToContinue
fi
}
ShowUser() {
echo -n "Benutzername : "
read username
ip=""
if [ -f /opt/openvpn/users/${username}.pwd ]; then
if [ -f /opt/openvpn/ccd/${username} ]; then
ip="$(cat /opt/openvpn/ccd/${username} |awk '{print $2}')"
fi
echo "User ${username} existiert und hat die IP Adresse ${ip}"
echo
echo "Folgendes sind die letzten 20 Logeintraege fuer diesen User:"
echo
if [ -f /opt/openvpn/log/${username}.log ]; then
tail -20 /opt/openvpn/log/${username}.log
else
echo "Es existieren keine Logeintraege"
fi
ReadToContinue
else
echo "User ${username} existiert nicht"
ReadToContinue
fi
}
ListUsers() {
echo
echo "Username IP Adresse"
echo "=================================="
for userfile in $(ls -1 /opt/openvpn/users/*.pwd 2>/dev/null) ; do
user="${userfile##*/}"
user="${user%.pwd}"
ip="N/A"
if [ -f /opt/openvpn/ccd/${user} ]; then
ip="$(cat /opt/openvpn/ccd/${user} |awk '{print $2}')"
fi
printf "%-20s %-15s\n" "$user" "$ip"
done
echo
ReadToContinue
}
ShowLogfile() {
echo "Hinweis: mit Taste G zum Ende des Logs gehen..., Space fuer Seitenweises vorwaertsgehen..."
echo
ReadToContinue
/bin/less /opt/openvpn/log/logon.log
}
character=0
while [ "${character}" != "9" ]; do
clear
echo "Userverwaltung OpenVPN"
echo "======================"
echo "1 - OpenVPN Benutzer hinzufuegen"
echo "2 - OpenVPN Benutzer Passwort setzen"
echo "3 - OpenVPN Benutzer entfernen"
echo "4 - OpenVPN Benutzer anzeigen"
echo "5 - OpenVPN Benutzer auflisten"
echo
echo "7 - Logfile anzeigen"
echo "8 - Passwort von sysoper aendern"
echo
echo "9 - Exit"
echo
echo -n "Bitte Option waehlen > "
read character
case ${character} in
1) AddUser
;;
2) ChangePassword
;;
3) DeleteUser
;;
4) ShowUser
;;
5) ListUsers
;;
7) ShowLogfile
;;
8) passwd sysoper
;;
9) echo Exit...
;;
*) echo "Ungueltige Option..."
read
esac
done
exit 0

13
systemd/myopenvpn.service.05jul2016
View File

@ -1,13 +0,0 @@
[Unit]
Description=My OpenVPN Service
After=network-online.target
[Service]
PrivateTmp=true
Type=forking
ExecStart=/opt/openvpn/bin/startup.sh
ExecStop=/opt/openvpn/bin/shutdown.sh
PIDFile=/var/run/openvpn/myopenvpn.pid
[Install]
WantedBy=multi-user.target

13
systemd/myopenvpn.service.31aug2016
View File

@ -1,13 +0,0 @@
[Unit]
Description=My OpenVPN Service
After=network-online.target
[Service]
PrivateTmp=true
Type=forking
ExecStart=/opt/openvpn/bin/startup.sh
ExecStop=/opt/openvpn/bin/shutdown.sh
PIDFile=/var/run/openvpn/myopenvpn.pid
[Install]
WantedBy=multi-user.target