|  | ||
|---|---|---|
| bin | ||
| ca | ||
| ccd | ||
| certs | ||
| config | ||
| leases | ||
| private | ||
| scripts | ||
| sysoper | ||
| systemd | ||
| .gitignore | ||
| README.md | ||
		
			
				
				README.md
			
		
		
			
			
		
	
	INSTALLATION
Installation CentOS 7 Minimal
Partitionierung (LVM; XFS als Filesystem):
/boot      500 MB
/          50 GB
/home      73 GB
swap       4 GB
Netzwerkkonfiguration:
Hostname: ryovpn.rych01.rychiger.com
DNS:      8.8.8.8
NTP:      server 0.centos.pool.ntp.org iburst
          server 1.centos.pool.ntp.org iburst
          server 2.centos.pool.ntp.org iburst
          server 3.centos.pool.ntp.org iburst
TYPE="Ethernet"
NAME="enp0s10f0"
DEVICE="enp0s10f0"
ONBOOT="yes"
IPV6INIT=no
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="no"
NAME="enp0s10f1"
DEVICE="enp0s10f1"
ONBOOT="yes"
DNS1="8.8.8.8"
IPADDR=192.168.99.11
PREFIX=24
GATEWAY=192.168.99.1
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
Anschliessend Installation OpenVPN:
# yum install epel-release
# yum install openvpn -y
Noch ein paar Zusatzpakete:
# yum install mailx -y
# yum install git -y
# yum install net-tools -y
# yum install policycoreutils-devel -y
# yum install bridge-utils -y
# yum install tcpdump -y
# yum install chrony -y
# yum install py-bcrypt -y
Wegen Entropy:
# yum install haveged
# systemctl enable haveged
# systemctl start haveget
Test:
# cat /proc/sys/kernel/random/entropy_avail
Wegen Time-Sync Meldungen:
# cat /etc/rsyslog.d/time_msg.conf
:msg, contains, "Time has been changed" ~ 
Wegen fehlerhafter HW-Clock:
/etc/cron.d/sync-hw-clock:
MAILTO=root
*/10 * * * * root /sbin/hwclock --systohc
Installation NGINX (Zugang fuer Statusabfragen):
# yum install nginx
Konfiguration /etc/nginx/nginx.conf:
...
       root         /opt/openvpn/status;
...
SELinux:
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
# semanage port -a -t ssh_port_t -p tcp 2202
# restorecon -v /opt/openvpn/status/openvpnserver-status.log
# restorecon -v /opt/openvpn/status/openvpnserver-status-443.log
Link erstellen:
# cd /etc/openvpn && ln -s /opt/openvpn/config/server.conf .
Prinzipieller Aufbau:
enp0s10f0: Netzwerkinterface Richtung Internet
enp0s10f1: Netzwerkinterface Richtung Intranet
enp0s10f0 (192.168.99.11) ==> hier hoert OpenVPN und bildet das Device tap0
Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP)
-- enp0s10f0 => tap0 --+-- br0 (10.3.5.1)
                tap1   |
-- enp0s10f1 ----------+
OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged)
Hyper-V Integration:
Als Network-Karte muss Legacy gewaehlt werden. Spoofing muss erlaubt sein (wegen Bridge). Zeit Synchronisation muss abgeschaltet sein.
# yum install hyperv-daemons
# systemctl enable hypervvssd
# systemctl enable hypervkvpd
Firewall:
/etc/sysconfig/iptables:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT
-I INPUT -i enp0s10f1 -p tcp -m udp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6
#-A FORWARD -j DROP
-A OUTPUT -s 192.168.99.11/32 -j ACCEPT
-A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A OUTPUT -j DROP
COMMIT
/etc/sysctl.conf:
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
#net.ipv4.ip_forward = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.autoconf = 0
/etc/ssh/sshd_config:
Port 22
Port 2022
/etc/cron.d/reboot-if-ping-fails:
MAILTO=root
02 * * * * root /opt/openvpn/scripts/reboot-if-ping-fails.sh
/etc/hosts:
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.5.2     ewonshare
Startup mit Systemd einrichten: gemaess /opt/openvpn/systemd/README
Verzeichnis /opt/openvpn/users muss angelegt werden:
# mkdir /opt/openvpn/users
User anlegen:
# groupadd sysadmin
# useradd -m -g sysadmin sysadmin
# passwd sysadmin
# groupadd sysoper
# useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper
# passwd sysoper