## INSTALLATION

Installation of Rocky Linux 9 Minimal

Partitioning (LVM; XFS as filesystem):

```
/boot   1 GB
/       64 GB
/home   32 GB
swap    4 GB
```

Network configuration:

```
# hostnamectl hostname ryovpn01.rych01.rychiger.com
Hostname: ryovpn01.rych01.rychiger.com
DNS: 8.8.8.8
```

Installation of various packages:

```
# yum update
# yum install kbd-legacy
# dracut -f
```

Then install OpenVPN:

```
# yum install epel-release
# yum install openvpn -y
```

A few additional packages:

```
# yum install s-nail -y
# yum install git -y
# yum install net-tools -y
# yum install policycoreutils-devel -y
# yum install bridge-utils -y
# yum install tcpdump -y
# yum install python3-bcrypt -y
# yum install tar -y
```

For entropy:

```
# yum install haveged
# systemctl enable haveged
# systemctl start haveged
```

Test:

```
# cat /proc/sys/kernel/random/entropy_avail
```

Installation of NGINX (access for status queries):

```
# yum install nginx
# systemctl enable nginx
```

Configuration in /etc/nginx/nginx.conf:

```
...
root /opt/openvpn/status;
...
```

Take over the installation from the old server or from git...

```
# cd /opt
# git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn
# use personal access token in GitLab
# cd openvpn && git checkout rockylinux9-based
```

SELinux:

```
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
# semanage port -a -t ssh_port_t -p tcp 2022
# restorecon -v /opt/openvpn/status/openvpnserver-status.log
# restorecon -v /opt/openvpn/status/openvpnserver-status-443.log
```

Create the link:

```
# cd /etc/openvpn && ln -s /opt/openvpn/config/server.conf .
```

Basic layout:

```
ens4: network interface towards the intranet
ens3: network interface towards the internet

ens3 (192.168.99.111/24) ==> OpenVPN listens here and creates the device tap0
A second OpenVPN instance creates the device tap1 (443/TCP)

-- ens3 => tap0 --+-- br0 (10.3.5.10/16)
          tap1    |
-- ens4 ----------+
```

OpenVPN client range: 10.3.6.1 to 10.3.7.254 (managed via PUSH)

Disable IPv6:

```
# nmcli connection modify ens3 ipv6.method "disabled"
# nmcli connection modify ens4 ipv6.method "disabled"
```

Set ens4 to unmanaged:

```
[root@ryovpn01 ~]# cat /etc/NetworkManager/conf.d/99-unmanaged-devices.conf
[keyfile]
unmanaged-devices=interface-name:ens4
```

/etc/ssh/sshd_config:

```
Port 22
Port 2022
...
```

/etc/cron.d/reboot-if-ping-fails:

```
MAILTO=root
02 * * * * root /opt/openvpn/scripts/reboot-if-ping-fails.sh
```

/etc/hosts:

```
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1        localhost localhost.localdomain localhost6 localhost6.localdomain6
```

Set up startup with systemd: as described in /opt/openvpn/systemd/README

The directories /opt/openvpn/users, ccd, log and status must be created:

```
# mkdir /opt/openvpn/users
# mkdir /opt/openvpn/ccd
# mkdir /opt/openvpn/status
# mkdir /opt/openvpn/log
```

Create users:

```
# groupadd sysadmin
# useradd -m -g sysadmin sysadmin
# passwd sysadmin
# groupadd sysoper
# useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper
# passwd sysoper
# cat /etc/sudoers.d/sysoper
sysoper ALL=NOPASSWD: /usr/bin/systemctl start myopenvpn
sysoper ALL=NOPASSWD: /usr/bin/systemctl stop myopenvpn
sysoper ALL=NOPASSWD: /usr/bin/systemctl status myopenvpn
```

Git config:

```
# cat .gitconfig
[user]
	name = Joerg Lehmann
	email = joerg.lehmann@nbit.ch
[http]
	sslVerify = false
```

Testing the connection:

```
[joerg@cinnamon test-openvpn-rychiger]$ sudo openvpn --config ewon.rychiger.com.conf
[joerg@cinnamon test-openvpn-rychiger]$ more ewon.rychiger.com.conf
dev tap1
proto tcp
suppress-timestamps
status-version 2
rport 443
verb 1
mute 10
comp-lzo
persist-key
up-delay
route-delay 0
nobind
client
tls-exit
ca cacert.pem
reneg-sec 86400
keepalive 30 120
hand-window 140
remote ewon.rychiger.com
resolv-retry 60
auth-user-pass
```

Best done on Linux: the test user was created with

```
$ string_to_hash="7355+TT" /opt/openvpn/sysoper/hashme.py >/opt/openvpn/users/testuser.pwd
```

Also create the CCD file, see below:

```
[root@ryovpn openvpn]# more users/testuser.pwd ccd/testuser
::::::::::::::
users/testuser.pwd
::::::::::::::
$2b$12$OkJpfcPt7Uk8DMVjBbuStedJ63rahYw05E7vNAg9PQigL97ox18Am
::::::::::::::
ccd/testuser
::::::::::::::
ifconfig-push 10.3.6.254 255.255.0.0
```
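The status files that nginx serves from /opt/openvpn/status are written in the `status-version 2` layout (comma-separated records whose column names are declared by `HEADER` lines). The parser below is an added example, not code from the page or from the rych-openvpn repository; the sample log text is constructed to match that layout and stands in for `/opt/openvpn/status/openvpnserver-status.log`, whose exact columns depend on the installed OpenVPN release.

```python
"""Parse an OpenVPN status-version 2 log and summarise connected clients.

Added example, not part of the original page or the rych-openvpn project.
SAMPLE_STATUS below is a constructed file in the status-version 2 layout;
on the server the real file lives under /opt/openvpn/status/.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample: HEADER lines declare the column names for the
# CLIENT_LIST and ROUTING_TABLE records that follow them.
SAMPLE_STATUS = """\
TITLE,OpenVPN 2.5.9 x86_64-redhat-linux-gnu
TIME,2024-01-15 10:00:00,1705312800
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,testuser,198.51.100.7:51234,10.3.6.254,,2048,4096,2024-01-15 09:30:00,1705311000,testuser,0,0,AES-256-GCM
CLIENT_LIST,ewon01,203.0.113.9:443,10.3.6.1,,100,200,2024-01-15 09:45:00,1705311900,ewon01,1,1,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.3.6.254,testuser,198.51.100.7:51234,2024-01-15 09:59:00,1705312740
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""


def parse_status_v2(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {record_type: [row dict, ...]} using the names from the HEADER lines.

    Column names are taken from the file itself rather than hard-coded, so the
    parser keeps working when a newer OpenVPN adds or reorders columns.
    """
    headers: Dict[str, List[str]] = {}
    records: Dict[str, List[Dict[str, str]]] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        kind = row[0]
        if kind == "HEADER" and len(row) >= 2:
            headers[row[1]] = row[2:]
            records.setdefault(row[1], [])
        elif kind in headers:
            names, values = headers[kind], row[1:]
            if len(values) != len(names):
                raise ValueError(
                    f"{kind} row has {len(values)} fields, HEADER declares {len(names)}"
                )
            records[kind].append(dict(zip(names, values)))
        elif kind == "END":
            break  # nothing meaningful follows the END marker
    return records


def client_summary(records: Dict[str, List[Dict[str, str]]]) -> List[Tuple[str, str, int, int]]:
    """Compact per-client view: (username, pushed virtual address, bytes in, bytes out)."""
    return [
        (c["Username"], c["Virtual Address"], int(c["Bytes Received"]), int(c["Bytes Sent"]))
        for c in records.get("CLIENT_LIST", [])
    ]


if __name__ == "__main__":
    for entry in client_summary(parse_status_v2(SAMPLE_STATUS)):
        print(entry)
```

Everything the summary returns (usernames, the clients' real source addresses, the pushed 10.3.6.x/10.3.7.x address) is exactly what a browser fetching the file from the nginx `root /opt/openvpn/status;` location sees, which is worth keeping in mind when deciding who may reach that vhost.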
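A user on this server consists of two files: `users/<name>.pwd` holding the bcrypt hash written by `hashme.py`, and `ccd/<name>` holding the `ifconfig-push` line that places the client in the 10.3.6.1 to 10.3.7.254 range on the /16 bridge. The script below is an added example, not code from the page or from the rych-openvpn repository; it checks that every user has both files, that the hash is bcrypt with a cost of at least 12 (the cost the page's `$2b$12$` hash uses), that the pushed address lies inside the range with the bridge's 255.255.0.0 mask, and that no two users are pushed the same address. The sample user set is constructed (the `testuser` hash is the one shown on the page; the cost-4 hash is a placeholder), and `load_from_disk` assumes the /opt/openvpn layout described above.

```python
"""Consistency audit for /opt/openvpn/users/*.pwd and /opt/openvpn/ccd/*.

Added example, not part of the original page or the rych-openvpn project.
Assumes: one bcrypt hash per users/<name>.pwd (as produced by hashme.py),
one ifconfig-push line per ccd/<name>, client range 10.3.6.1-10.3.7.254
on the 10.3.0.0/16 bridge.
"""
import os
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

POOL_FIRST = IPv4Address("10.3.6.1")
POOL_LAST = IPv4Address("10.3.7.254")
BRIDGE_NET = IPv4Network("10.3.0.0/16")
BRIDGE_MASK = "255.255.0.0"
MIN_BCRYPT_COST = 12  # the hash on the page was produced with cost 12

# bcrypt modular-crypt format: $2a|2b|2y$<2-digit cost>$<22 salt + 31 hash chars>
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def check_pwd_file(text: Optional[str]) -> List[str]:
    """Findings for the contents of users/<name>.pwd (None means the file is absent)."""
    if text is None:
        return ["missing .pwd file"]
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) != 1:
        return [f"expected exactly one hash line, found {len(lines)}"]
    match = BCRYPT_RE.match(lines[0])
    if not match:
        return ["hash is not in bcrypt $2b$ format (was hashme.py used?)"]
    if int(match.group(1)) < MIN_BCRYPT_COST:
        return [f"bcrypt cost {match.group(1)} is below the minimum of {MIN_BCRYPT_COST}"]
    return []


def ccd_push_address(text: str) -> Optional[Tuple[IPv4Address, str]]:
    """Return (address, netmask) from the first ifconfig-push line, or None."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "ifconfig-push":
            try:
                return IPv4Address(parts[1]), parts[2]
            except ValueError:
                return None
    return None


def check_ccd(text: Optional[str]) -> List[str]:
    """Findings for the contents of ccd/<name> (None means the file is absent)."""
    if text is None:
        return ["missing ccd file: the client would get no pushed address"]
    push = ccd_push_address(text)
    if push is None:
        return ["no valid ifconfig-push line"]
    addr, mask = push
    findings = []
    if not POOL_FIRST <= addr <= POOL_LAST:
        findings.append(f"{addr} is outside the client range {POOL_FIRST}-{POOL_LAST}")
    if mask != BRIDGE_MASK:
        findings.append(f"netmask {mask} does not match bridge {BRIDGE_NET} ({BRIDGE_MASK})")
    return findings


def audit(users: Dict[str, Tuple[Optional[str], Optional[str]]]) -> Dict[str, List[str]]:
    """users maps name -> (text of users/<name>.pwd, text of ccd/<name>); None = absent.

    A duplicate pushed address is reported against every user after the first
    one (in the given order) that claims it.
    """
    report: Dict[str, List[str]] = {}
    claimed: Dict[IPv4Address, str] = {}
    for name, (pwd_text, ccd_text) in users.items():
        findings = check_pwd_file(pwd_text) + check_ccd(ccd_text)
        push = ccd_push_address(ccd_text) if ccd_text else None
        if push is not None:
            addr = push[0]
            if addr in claimed:
                findings.append(f"duplicate address {addr}, already pushed to {claimed[addr]}")
            else:
                claimed[addr] = name
        report[name] = findings
    return report


def load_from_disk(base: str = "/opt/openvpn") -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Collect the (pwd, ccd) file pair for every name seen in users/ or ccd/."""
    users_dir, ccd_dir = os.path.join(base, "users"), os.path.join(base, "ccd")
    names = {f[:-4] for f in os.listdir(users_dir) if f.endswith(".pwd")} | set(os.listdir(ccd_dir))

    def read(path: str) -> Optional[str]:
        return open(path, encoding="utf-8").read() if os.path.isfile(path) else None

    return {n: (read(os.path.join(users_dir, n + ".pwd")), read(os.path.join(ccd_dir, n)))
            for n in sorted(names)}


PAGE_HASH = "$2b$12$OkJpfcPt7Uk8DMVjBbuStedJ63rahYw05E7vNAg9PQigL97ox18Am"
WEAK_HASH = "$2b$04$" + "a" * 53  # constructed placeholder with cost 4, not a real hash
SAMPLE_USERS = {  # constructed sample set
    "testuser": (PAGE_HASH + "\n", "ifconfig-push 10.3.6.254 255.255.0.0\n"),
    "dup": (PAGE_HASH + "\n", "ifconfig-push 10.3.6.254 255.255.0.0\n"),
    "weak": (WEAK_HASH + "\n", "ifconfig-push 10.3.5.10 255.255.255.0\n"),
    "nopwd": (None, "ifconfig-push 10.3.7.1 255.255.0.0\n"),
}

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_USERS).items():
        print(user, "OK" if not problems else "; ".join(problems))
```

Run it as root on the server with `audit(load_from_disk())` after adding a user; the `weak` entry in the sample shows the three findings a mistyped CCD line produces at once (cost too low, address colliding with the br0 side of the /16 rather than the pushed range, and a /24 mask that would not match the bridge).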