## INSTALLATION

Install Rocky Linux 9 Minimal.

Partitioning (LVM; XFS as the filesystem):
```
/boot   1 GB
/       XXX GB
swap    X GB
```

Network configuration:
```
Hostname: ryovpn01.rych01.rychiger.com
DNS:      8.8.8.8
NTP:      XXXXXX XXXXXX TODO
```

ifcfg profile for enp0s10f0 (no IP address configured):
```
TYPE="Ethernet"
NAME="enp0s10f0"
DEVICE="enp0s10f0"
ONBOOT="yes"
IPV6INIT=no
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03
```

ifcfg profile for enp0s10f1:
```
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="no"
NAME="enp0s10f1"
DEVICE="enp0s10f1"
ONBOOT="yes"
DNS1="8.8.8.8"
IPADDR=192.168.99.11
PREFIX=24
GATEWAY=192.168.99.1
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
```

Rocky 9 still reads ifcfg files through NetworkManager's deprecated ifcfg-rh plugin (keyfiles are the default format now); check with `nmcli connection show` that both profiles were picked up.

Install miscellaneous packages:
```
# yum install kbd-legacy
# dracut -f
```

Then install OpenVPN:
```
# yum install epel-release
# yum install openvpn -y
```

A few extra packages:
```
# yum install s-nail -y
# yum install git -y
# yum install net-tools -y
# yum install policycoreutils-devel -y
# yum install bridge-utils -y
# yum install tcpdump -y
# yum install python3-bcrypt -y
```

For entropy (the original note had `systemctl start haveget`, a typo for `haveged`):
```
# yum install haveged
# systemctl enable haveged
# systemctl start haveged
```
Test:
```
# cat /proc/sys/kernel/random/entropy_avail
```
On the Rocky 9 kernel /dev/random no longer blocks once the pool has been seeded, so haveged mainly matters for the first seconds after boot.

Install NGINX (access for status queries):
```
# yum install nginx
# systemctl enable nginx
```
Configuration in /etc/nginx/nginx.conf:
```
...
root /opt/openvpn/status;
...
```
The status logs are served over plain HTTP; the firewall below is meant to restrict port 80 to 10.3.5.2, so make sure that rule is actually enforced (see the note in the Firewall section).

Take the installation over from the old server or from git:
```
# cd /opt
# git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn
```
(use a personal access token in GitLab)

SELinux (the original note had port 2202 here, but sshd_config and the firewall below both use 2022; the label must match the port sshd binds):
```
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
# semanage port -a -t ssh_port_t -p tcp 2022
# restorecon -v /opt/openvpn/status/openvpnserver-status.log
# restorecon -v /opt/openvpn/status/openvpnserver-status-443.log
```

Create the link:
```
# cd /etc/openvpn && ln -s /opt/openvpn/config/server.conf .
```

Basic layout:
```
enp0s10f0: network interface towards the Internet
enp0s10f1: network interface towards the intranet

enp0s10f0 (192.168.99.11/24) ==> OpenVPN listens here and creates the device tap0
A second OpenVPN instance creates the device tap1 (443/TCP)

-- enp0s10f0 => tap0 --+-- br0 (10.3.5.1/16)
                  tap1 |
-- enp0s10f1 ----------+
```

Note that the ifcfg profiles above assign 192.168.99.11 to enp0s10f1, and the firewall rules below accept 1194/udp and 443/tcp on enp0s10f1, whereas this diagram puts the address and the listener on enp0s10f0. Verify on the host which interface faces the Internet before applying the firewall rules.

OpenVPN client range: 10.3.6.1 to 10.3.7.254 (managed with PUSH)

Hyper-V integration: the network adapter must be of type Legacy. MAC address spoofing must be allowed (because of the bridge). Time synchronisation must be switched off.
```
# yum install hyperv-daemons
# systemctl enable hypervvssd
# systemctl enable hypervkvpd
```

Firewall, /etc/sysconfig/iptables:
```
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT
-I INPUT -i enp0s10f1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6
#-A FORWARD -j DROP
-A OUTPUT -s 192.168.99.11/32 -j ACCEPT
-A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A OUTPUT -j DROP
COMMIT
```
As written this ruleset only logs: all three chains have policy ACCEPT and the final `-j DROP` rules are commented out, so the only traffic actually dropped is new connections from 10.3.6.0/23 and 10.1.4.0/24. The port 80 restriction to 10.3.5.2 and the "DROP" log prefixes are therefore not enforced until those three lines are uncommented (or the policies changed to DROP). The `-I` rules are inserted at the top of INPUT, so they take effect before the state and source checks. Test the `DROP` variant from a console session, since a mistake locks you out of SSH.

Disable IPv6 (the original note omitted the profile name; repeat for each profile, names as in the NAME= fields above):
```
# nmcli connection modify enp0s10f0 ipv6.method "disabled"
# nmcli connection modify enp0s10f1 ipv6.method "disabled"
```

/etc/ssh/sshd_config:
```
Port 22
Port 2022
...
# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
```
Two caveats: `diffie-hellman-group14-sha1` is the one SHA-1 exchange left in the list and should be removed unless a legacy client needs it. And on Rocky 9 the stock sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, through which the system crypto policy (`/etc/crypto-policies/back-ends/opensshserver.config`) sets Ciphers and KexAlgorithms first; sshd keeps the first value it sees, so lines added further down may be ignored. Confirm the effective set with `sshd -T | grep -i -e kex -e ciphers`.

/etc/cron.d/reboot-if-ping-fails:
```
MAILTO=root
02 * * * * root /opt/openvpn/scripts/reboot-if-ping-fails.sh
```

/etc/hosts:
```
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
```

Set up startup with systemd as described in /opt/openvpn/systemd/README.

The directory /opt/openvpn/users must be created:
```
# mkdir /opt/openvpn/users
```

Create users (sysoper gets the restricted shell /opt/openvpn/sysoper/sysoper_shell instead of a login shell):
```
# groupadd sysadmin
# useradd -m -g sysadmin sysadmin
# passwd sysadmin
# groupadd sysoper
# useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper
# passwd sysoper
```

Git config:
```
# cat .gitconfig
[user]
        name = Joerg Lehmann
        email = joerg.lehmann@nbit.ch
[http]
        sslVerify = false
```
`sslVerify = false` turns off TLS certificate checking for every HTTPS remote, including the gitlab.com clone above that is authenticated with a personal access token; the token is then exposed to anyone who can interpose on the connection. Fix the CA trust on the host and drop this setting rather than keeping it.
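The following shell audit is an added example and not part of the original notes or the rych-openvpn repository. It checks the two fragments above, /etc/sysconfig/iptables and /etc/ssh/sshd_config, for the problems noted there: chains that only log because the closing DROP rules are commented out, a KexAlgorithms list that still allows SHA-1, and an sshd port that the firewall never opens (the 2202/2022 mix-up). The sample inputs are constructed copies of the page's fragments; the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: offline audit of the iptables and sshd fragments.
# Point the functions at the real files with "$(cat /etc/sysconfig/iptables)"
# and "$(cat /etc/ssh/sshd_config)" on the host.

# Constructed sample: the page's filter table, DROP rules commented out.
SAMPLE_IPTABLES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT
-I INPUT -i enp0s10f1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6
#-A FORWARD -j DROP
-A OUTPUT -s 192.168.99.11/32 -j ACCEPT
#-A OUTPUT -j DROP
COMMIT'

# Constructed sample: the relevant sshd_config lines from the page.
SAMPLE_SSHD='Port 22
Port 2022
Ciphers chacha20-poly1305@openssh.com,aes128-ctr
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1'

# chain_is_closed RULESET CHAIN
# Prints "closed" when the chain's policy is DROP/REJECT or its last
# uncommented -A rule is an unconditional DROP/REJECT, otherwise "open".
# Lines starting with "#" are ignored, so a commented-out DROP does not count.
chain_is_closed() {
  local ruleset=$1 chain=$2 policy last
  policy=$(printf '%s\n' "$ruleset" | awk -v c=":$chain" '$1==c {print $2}')
  case "$policy" in DROP|REJECT) echo closed; return 0;; esac
  last=$(printf '%s\n' "$ruleset" | awk -v c="$chain" '
    /^#/ {next}
    $1=="-A" && $2==c && NF==4 && $3=="-j" {last=$4}
    END {print last}')
  case "$last" in DROP|REJECT) echo closed;; *) echo open;; esac
}

# sshd_weak_kex CONFIG
# Prints every KexAlgorithms entry that still uses SHA-1, one per line.
sshd_weak_kex() {
  printf '%s\n' "$1" | awk '$1=="KexAlgorithms" {print $2}' \
    | tr ',' '\n' | grep -i 'sha1' || true
}

# ssh_ports_not_opened SSHD_CONFIG RULESET
# Prints each sshd "Port" that has no accepting tcp --dport rule in INPUT.
ssh_ports_not_opened() {
  local p opened
  opened=$(printf '%s\n' "$2" | awk '
    /^#/ {next}
    ($1=="-A" || $1=="-I") && $2=="INPUT" && /-p tcp/ && /--dport/ && /-j ACCEPT/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1) }')
  for p in $(printf '%s\n' "$1" | awk '$1=="Port" {print $2}'); do
    printf '%s\n' "$opened" | grep -qx "$p" || echo "$p"
  done
}

# Report for the constructed samples.
echo "INPUT chain:    $(chain_is_closed "$SAMPLE_IPTABLES" INPUT)"
echo "FORWARD chain:  $(chain_is_closed "$SAMPLE_IPTABLES" FORWARD)"
echo "OUTPUT chain:   $(chain_is_closed "$SAMPLE_IPTABLES" OUTPUT)"
echo "SHA-1 KEX:      $(sshd_weak_kex "$SAMPLE_SSHD" | tr '\n' ' ')"
echo "sshd ports without ACCEPT rule: $(ssh_ports_not_opened "$SAMPLE_SSHD" "$SAMPLE_IPTABLES")"
```

Against the page's ruleset all three chains report "open", which is the state the commented-out DROP lines leave the host in; uncommenting `-A INPUT -j DROP` (or setting the policy to DROP) flips INPUT to "closed". Running `ssh_ports_not_opened` with a config that says `Port 2202` reports that port, which is the kind of mismatch the SELinux port label typo would have produced.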