## INSTALLATION

Installation: CentOS 7 Minimal

Partitioning (LVM; XFS as the filesystem):
```
/boot      500 MB
/          50 GB
/home      73 GB
swap       4 GB
```

Network configuration:
```
Hostname: ryovpn.rych01.rychiger.com
DNS:      8.8.8.8
NTP:      server 0.centos.pool.ntp.org iburst
          server 1.centos.pool.ntp.org iburst
          server 2.centos.pool.ntp.org iburst
          server 3.centos.pool.ntp.org iburst

TYPE="Ethernet"
NAME="enp0s10f0"
DEVICE="enp0s10f0"
ONBOOT="yes"
IPV6INIT=no
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03

TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="no"
NAME="enp0s10f1"
DEVICE="enp0s10f1"
ONBOOT="yes"
DNS1="8.8.8.8"
IPADDR=192.168.99.11
PREFIX=24
GATEWAY=192.168.99.1
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
```

Then install OpenVPN:
```
# yum install epel-release
# yum install openvpn -y

A few additional packages:
# yum install mailx -y
# yum install git -y
# yum install net-tools -y
# yum install policycoreutils-devel -y
# yum install bridge-utils -y
# yum install tcpdump -y
# yum install chrony -y
# yum install py-bcrypt -y
```

For entropy:
```
# yum install haveged
# systemctl enable haveged
# systemctl start haveged
Test:
# cat /proc/sys/kernel/random/entropy_avail
```

To discard the recurring time-sync messages in rsyslog:
```
# cat /etc/rsyslog.d/time_msg.conf
:msg, contains, "Time has been changed" ~
```

Because of the faulty hardware clock, write the system time back to it every 10 minutes:

/etc/cron.d/sync-hw-clock:
```
MAILTO=root
*/10 * * * * root /sbin/hwclock --systohc
```

Install NGINX (access for status queries):
```
# yum install nginx

Configuration /etc/nginx/nginx.conf:
...
       root         /opt/openvpn/status;
...

SELinux:
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
# semanage port -a -t ssh_port_t -p tcp 2202
# restorecon -v /opt/openvpn/status/openvpnserver-status.log
# restorecon -v /opt/openvpn/status/openvpnserver-status-443.log

Create link:
# cd /etc/openvpn && ln -s /opt/openvpn/config/server.conf .
```

Note that the sshd_config and iptables sections below use port 2022, not 2202; the `ssh_port_t` label must be applied to the port sshd actually listens on, or SELinux will block the bind.


Basic layout:

```
enp0s10f0: network interface towards the Internet
enp0s10f1: network interface towards the intranet

enp0s10f0 (192.168.99.11) ==> OpenVPN listens here and creates the device tap0

A second OpenVPN instance creates the device tap1 (443/TCP)

-- enp0s10f0 => tap0 --+-- br0 (10.3.5.1)
                tap1   |
-- enp0s10f1 ----------+
```

OpenVPN client range: 10.3.6.1 to 10.3.7.254 (managed via PUSH)

Hyper-V integration:

The network adapter must be a Legacy Network Adapter. MAC address spoofing must be allowed (because of the bridge). Time synchronisation must be switched off.

```
# yum install hyperv-daemons
# systemctl enable hypervvssd
# systemctl enable hypervkvpd
```

Firewall:
```
/etc/sysconfig/iptables:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT
-I INPUT -i enp0s10f1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6
#-A FORWARD -j DROP
-A OUTPUT -s 192.168.99.11/32 -j ACCEPT
-A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A OUTPUT -j DROP
# NOTE: the three catch-all "-j DROP" rules above are commented out and all
# chain policies are ACCEPT, so traffic that matches none of the ACCEPT rules
# is only logged with a "...:DROP:" prefix, not actually dropped.
COMMIT
```
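As an added example (not part of these notes), a small Python audit that parses an iptables-save style ruleset like the one above and reports, per chain, whether traffic that matches no selective rule is actually dropped or only logged. The embedded `RULES` string is a constructed, abridged copy of the file above; the selector-option heuristic is an assumption of this example.

```python
import shlex
# Constructed, abridged copy of the page's /etc/sysconfig/iptables.
RULES = """\
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute
#-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute
#-A FORWARD -j DROP
-A OUTPUT -s 192.168.99.11/32 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute
#-A OUTPUT -j DROP
COMMIT
"""
# A rule with none of these selectors matches every packet (-m limit only rate-limits).
SELECTORS = {"-s", "-d", "-p", "-i", "-o", "--dport", "--sport", "--state"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse_filter(text):
    """chain -> policy, chain -> ordered [(selective, target)]; '#' lines
    (incl. commented-out rules) are inactive, '-I' rules go to the head."""
    policies, chains = {}, {}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line[0] == ":":
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
            continue
        tok = shlex.split(line)
        target = tok[tok.index("-j") + 1] if "-j" in tok else None
        rule = (any(t in SELECTORS for t in tok[2:]), target)
        rules = chains.setdefault(tok[1], [])
        rules.insert(0 if tok[0] == "-I" else len(rules), rule)
    return policies, chains

def audit(text):
    """Per chain: fate of a packet no selective rule matched; log_only means
    such packets are logged but still pass (policy ACCEPT, no catch-all DROP)."""
    policies, chains = parse_filter(text)
    report = {}
    for chain, rules in chains.items():
        catch_all = [t for selective, t in rules if not selective]
        default = next((t for t in catch_all if t in TERMINATING),
                       policies.get(chain, "ACCEPT"))
        report[chain] = {"policy": policies.get(chain), "default": default,
                         "log_only": default == "ACCEPT" and "LOG" in catch_all}
    return report
```

Run `audit(open("/etc/sysconfig/iptables").read())` on the real file to see the same result; uncommenting the `-j DROP` lines turns `log_only` off for that chain.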

```
/etc/sysctl.conf:
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
#net.ipv4.ip_forward = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.autoconf = 0
```

```
/etc/ssh/sshd_config:
Port 22
Port 2022
...
# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
# diffie-hellman-group14-sha1 is the only SHA-1 based exchange in this list
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
```

```
/etc/cron.d/reboot-if-ping-fails:
MAILTO=root
02 * * * * root /opt/openvpn/scripts/reboot-if-ping-fails.sh
```

```
/etc/hosts:
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

10.3.5.2     ewonshare
```

Set up startup with systemd:
as per /opt/openvpn/systemd/README

The directory /opt/openvpn/users must be created:
```
# mkdir /opt/openvpn/users
```

Create users:
```
# groupadd sysadmin
# useradd -m -g sysadmin sysadmin
# passwd sysadmin

# groupadd sysoper
# useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper
# passwd sysoper
```