drpuur
/
rych-openvpn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
28 Commits 2 Branches 0 Tags 62 KiB
Shell 88.3%
Python 11.7%
Go to file
Joerg Lehmann 8fe7bf4924 Merge branch 'rockylinux9-based' into 'master' 
Merge Rocky Linux 9 Version

See merge request drpuur/rych-openvpn!1
 		2022-12-12 15:54:32 +00:00
bin Rocky Linux 9 version, cleanups 2022-10-19 19:21:24 +02:00
ca Initial commit 2016-12-17 15:44:44 +01:00
ccd change certs, new ccds 2019-09-20 15:22:49 +02:00
certs change certs, new ccds 2019-09-20 15:22:49 +02:00
config same cipher settings for tls/443 2022-11-09 17:27:58 +01:00
leases Zweite OpenVPN Instanz auf Port 443/tcp 2017-05-29 20:41:13 +02:00
private Rocky Linux 9 version, cleanups 2022-10-19 19:21:24 +02:00
scripts adapt ro new Python version 2022-10-21 15:19:26 +02:00
sysoper adapt ro new Python version 2022-10-21 15:04:26 +02:00
systemd new VM has been built, not tested yet (missing FW-forwarding 2022-10-21 14:27:05 +02:00
.gitignore ignore ccd files in Git 2022-11-28 17:28:42 +01:00
README.md add aide 2022-12-12 16:51:15 +01:00

README.md

INSTALLATION

Installation Rocky Linux 9 Minimal

Partitionierung (LVM; XFS als Filesystem):

/boot      1 GB
/          64 GB
/home      32 GB
swap       4 GB

Netzwerkkonfiguration:

# hostnamectl hostname ryovpn01.rych01.rychiger.com

Hostname: ryovpn01.rych01.rychiger.com
DNS:      8.8.8.8

Installation diverse Pakete

# yum update 
# yum install kbd-legacy
# dracut -f

Anschliessend Installation OpenVPN:

# yum install epel-release
# yum install openvpn -y

Noch ein paar Zusatzpakete:
# yum install s-nail -y
# yum install git -y
# yum install net-tools -y
# yum install policycoreutils-devel -y
# yum install bridge-utils -y
# yum install tcpdump -y
# yum install python3-bcrypt -y
# yum install tar -y


Firewalld disablen (WICHTIG!!!)
# systemctl disable --now firewalld

Tiefere Sicherheitsstufe, siehe https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

# update-crypto-policies --set LEGACY

Wegen Entropy:

# yum install haveged
# systemctl enable haveged
# systemctl start haveget
Test:
# cat /proc/sys/kernel/random/entropy_avail

Installation NGINX (Zugang fuer Statusabfragen):

# yum install nginx
# systemctl enable nginx

Konfiguration /etc/nginx/nginx.conf:
...
       root         /opt/openvpn/status;
...

Installation von altem Server oder git uebernehmen...
# cd /opt
# git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn    # use personal access token in Gitlab
# cd openvpn && git checkout rockylinux9-based

SELinux:
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
# semanage port -a -t ssh_port_t -p tcp 2022
# restorecon -v /opt/openvpn/status/openvpnserver-status.log
# restorecon -v /opt/openvpn/status/openvpnserver-status-443.log

Link erstellen:
# cd /etc/openvpn && ln -s /opt/openvpn/config/server.conf .

Prinzipieller Aufbau:

ens4: Netzwerkinterface Richtung Intranet
ens3: Netzwerkinterface Richtung Internet

ens3 (192.168.99.111/24) ==> hier hoert OpenVPN und bildet das Device tap0

Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP)

-- ens3 => tap0 --+-- br0 (10.3.5.10/16)
           tap1   |
-- ens4 ----------+

OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged)

Disable IPv6:

# nmcli connection modify ens3 ipv6.method "disabled"
# nmcli connection modify ens4 ipv6.method "disabled"

Set end4 to unmanaged:

[root@ryovpn01 ~]# cat /etc/NetworkManager/conf.d/99-unmanaged-devices.conf
[keyfile]
unmanaged-devices=interface-name:ens4

/etc/ssh/sshd_config:
Port 22
Port 2022
...

/etc/cron.d/reboot-if-ping-fails:
MAILTO=root
02 * * * * root /opt/openvpn/scripts/reboot-if-ping-fails.sh

/etc/hosts:
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Startup mit Systemd einrichten: gemaess /opt/openvpn/systemd/README

Verzeichnis /opt/openvpn/users ccd, log und status muss angelegt werden:

# mkdir /opt/openvpn/users
# mkdir /opt/openvpn/ccd
# mkdir /opt/openvpn/status
# mkdir /opt/openvpn/log

User anlegen:

# groupadd sysadmin
# useradd -m -g sysadmin sysadmin
# passwd sysadmin

# groupadd sysoper
# useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper
# passwd sysoper

# cat /etc/sudoers.d/sysoper
sysoper ALL=NOPASSWD: /usr/bin/systemctl start myopenvpn
sysoper ALL=NOPASSWD: /usr/bin/systemctl stop myopenvpn
sysoper ALL=NOPASSWD: /usr/bin/systemctl status myopenvpn

Git Config:

# cat .gitconfig
[user]
	name = Joerg Lehmann
	email = joerg.lehmann@nbit.ch
[http]
	sslVerify = false

Testen der Verbindung

[joerg@cinnamon test-openvpn-rychiger]$ sudo openvpn --config ewon.rychiger.com.conf

[joerg@cinnamon test-openvpn-rychiger]$ more ewon.rychiger.com.conf
dev tap1
proto tcp
suppress-timestamps
status-version 2
rport 443
verb 1
mute 10
comp-lzo
persist-key
up-delay
route-delay 0
nobind
client
tls-exit
ca cacert.pem
reneg-sec 86400
keepalive 30 120
hand-window 140
remote ewon.rychiger.com
resolv-retry 60
auth-user-pass


am besten auf Linux:

Testuser erstellt mit 

$ string_to_hash="7355+TT" /opt/openvpn/sysoper/hashme.py  >/opt/openvpn/users/testuser.pwd

auch CCD-File erstellen, siehe unten

[root@ryovpn openvpn]# more users/testuser.pwd ccd/testuser
::::::::::::::
users/testuser.pwd
::::::::::::::
$2b$12$OkJpfcPt7Uk8DMVjBbuStedJ63rahYw05E7vNAg9PQigL97ox18Am
::::::::::::::
ccd/testuser
::::::::::::::
ifconfig-push 10.3.6.254 255.255.0.0


Einrichten von Aide

```bash
# dnf install aide
# aide init
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Zum Testen:
# aide --check

Zum Updaten:
# aide --update
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz