correct permission of users and ccd dirs

Merge Rocky Linux 9 Version

See merge request drpuur/rych-openvpn!1

.gitignore

@@ -1,3 +1,4 @@
 *.log
 *.pwd
 *.pyc
+ccd/

README.md

@@ -40,6 +40,14 @@ Noch ein paar Zusatzpakete:
 # yum install tcpdump -y
 # yum install python3-bcrypt -y
 # yum install tar -y
+
+
+Firewalld disablen (WICHTIG!!!)
+# systemctl disable --now firewalld
+
+Tiefere Sicherheitsstufe, siehe https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
+
+# update-crypto-policies --set LEGACY
 ```
 
 Wegen Entropy:
@@ -132,11 +140,12 @@ MAILTO=root
 Startup mit Systemd einrichten:
 gemaess /opt/openvpn/systemd/README
 
-Verzeichnis /opt/openvpn/users ccd und status  muss angelegt werden:
+Verzeichnis /opt/openvpn/users ccd, log und status  muss angelegt werden:
 ```
 # mkdir /opt/openvpn/users
 # mkdir /opt/openvpn/ccd
 # mkdir /opt/openvpn/status
+# mkdir /opt/openvpn/log
 ```
 
 User anlegen:
@@ -148,6 +157,13 @@ User anlegen:
 # groupadd sysoper
 # useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper
 # passwd sysoper
+
+# chown sysoper:sysoper /opt/openvpn/users /opt/openvpn/ccd
+
+# cat /etc/sudoers.d/sysoper
+sysoper ALL=NOPASSWD: /usr/bin/systemctl start myopenvpn
+sysoper ALL=NOPASSWD: /usr/bin/systemctl stop myopenvpn
+sysoper ALL=NOPASSWD: /usr/bin/systemctl status myopenvpn
 ```
 Git Config:
 ```
@@ -206,3 +222,18 @@ $2b$12$OkJpfcPt7Uk8DMVjBbuStedJ63rahYw05E7vNAg9PQigL97ox18Am
 ccd/testuser
 ::::::::::::::
 ifconfig-push 10.3.6.254 255.255.0.0
+
+
+Einrichten von Aide
+
+```bash
+# dnf install aide
+# aide init
+# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+Zum Testen:
+# aide --check
+
+Zum Updaten:
+# aide --update
+# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+```

config/server-443.conf

@@ -10,6 +10,9 @@ writepid /var/run/openvpn-server/myopenvpn-443.pid
 
 ; ciphers
 tls-cipher "DEFAULT:@SECLEVEL=0"
+tls-version-min 1.0
+providers legacy default
+data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
 
 ; tunnel configuration
 dev tap1

config/server.conf

@@ -10,6 +10,9 @@ writepid /var/run/openvpn-server/myopenvpn.pid
 
 ; ciphers
 tls-cipher "DEFAULT:@SECLEVEL=0"
+tls-version-min 1.0
+providers legacy default
+data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
 
 ; tunnel configuration
 dev tap0
@@ -38,8 +41,8 @@ management localhost 6666
 ; certificates and authentication
 dh   /opt/openvpn/private/dh2048.pem
 ca   /opt/openvpn/ca/cacert.pem
-cert /opt/openvpn/certs/hostcert.pem
-key  /opt/openvpn/private/hostkey.pem
+cert /opt/openvpn/certs/ewon.rychiger.com-cert.pem
+key  /opt/openvpn/private/ewon.rychiger.com-key.pem
 verify-client-cert none
 username-as-common-name
 auth-user-pass-verify /opt/openvpn/scripts/openvpn-auth.py via-env

scripts/openvpn-auth.py

@@ -11,7 +11,7 @@ if not password:
 
 file = open('/opt/openvpn/users/'+username+'.pwd', 'r')
 hashed=file.read().rstrip()
-if bcrypt.hashpw(password, hashed) == hashed:
+if bcrypt.hashpw(password.encode('utf-8'), hashed.encode('utf-8')) == hashed.encode('utf-8'):
     sys.exit(0)
 else:
     sys.exit(1)

sysoper/hashme.py

@@ -13,6 +13,6 @@ if not password:
     sys.exit()
 
 # Hash a password for the first time, with a randomly-generated salt
-hashed = bcrypt.hashpw(password, bcrypt.gensalt())
+hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
 
-print "%s" % (hashed)
+print("%s" % (hashed.decode("utf-8")))