

INSTALLATION

Installation Rocky Linux 9 Minimal

Partitionierung (LVM; XFS als Filesystem):

/boot      1 GB
/          XXX GB
swap       X GB

Netzwerkkonfiguration:

Hostname: ryovpn01.rych01.rychiger.com
DNS:      8.8.8.8
NTP:      XXXXXX
          XXXXXX

TODO:

TYPE="Ethernet"
NAME="enp0s10f0"
DEVICE="enp0s10f0"
ONBOOT="yes"
IPV6INIT=no
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03

TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="no"
NAME="enp0s10f1"
DEVICE="enp0s10f1"
ONBOOT="yes"
DNS1="8.8.8.8"
IPADDR=192.168.99.11
PREFIX=24
GATEWAY=192.168.99.1
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04

Installation diverse Pakete

# yum install kbd-legacy
# dracut -f

Anschliessend Installation OpenVPN:

# yum install epel-release
# yum install openvpn -y

Noch ein paar Zusatzpakete:
# yum install s-nail -y
# yum install git -y
# yum install net-tools -y
# yum install policycoreutils-devel -y
# yum install bridge-utils -y
# yum install tcpdump -y
# yum install python3-bcrypt -y

Wegen Entropy:

# yum install haveged
# systemctl enable haveged
# systemctl start haveged
Test:
# cat /proc/sys/kernel/random/entropy_avail

Installation NGINX (Zugang fuer Statusabfragen):

# yum install nginx
# systemctl enable nginx

Konfiguration /etc/nginx/nginx.conf:
...
       root         /opt/openvpn/status;
...

Installation von altem Server oder git uebernehmen...
# cd /opt
# git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn    # use personal access token in Gitlab


SELinux:
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
# semanage port -a -t ssh_port_t -p tcp 2202
# restorecon -v /opt/openvpn/status/openvpnserver-status.log
# restorecon -v /opt/openvpn/status/openvpnserver-status-443.log

Link erstellen:
# cd /etc/openvpn && ln -s /opt/openvpn/config/server.conf .

Prinzipieller Aufbau:

enp0s10f0: Netzwerkinterface Richtung Internet
enp0s10f1: Netzwerkinterface Richtung Intranet

enp0s10f0 (192.168.99.11/24) ==> hier hoert OpenVPN und bildet das Device tap0

Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP)

-- enp0s10f0 => tap0 --+-- br0 (10.3.5.1/16)
                tap1   |
-- enp0s10f1 ----------+

OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged)

Hyper-V Integration:

Als Network-Karte muss Legacy gewaehlt werden. Spoofing muss erlaubt sein (wegen Bridge). Zeit Synchronisation muss abgeschaltet sein.

# yum install hyperv-daemons
# systemctl enable hypervvssd
# systemctl enable hypervkvpd

Firewall:

/etc/sysconfig/iptables (Hinweis: die Chain-Policies stehen auf ACCEPT und die abschliessenden "-j DROP"-Regeln sind auskommentiert, d.h. die LOG-Regeln am Ende protokollieren nur, ohne zu blockieren):
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT
-I INPUT -i enp0s10f1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6
#-A FORWARD -j DROP
-A OUTPUT -s 192.168.99.11/32 -j ACCEPT
-A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A OUTPUT -j DROP
COMMIT
Disable IPv6:

# nmcli connection modify <Connection Name> ipv6.method "disabled"
/etc/ssh/sshd_config:
Port 22
Port 2022
...
# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
/etc/cron.d/reboot-if-ping-fails:
MAILTO=root
02 * * * * root /opt/openvpn/scripts/reboot-if-ping-fails.sh
/etc/hosts:
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Startup mit Systemd einrichten: gemaess /opt/openvpn/systemd/README

Verzeichnis /opt/openvpn/users muss angelegt werden:

# mkdir /opt/openvpn/users

User anlegen:

# groupadd sysadmin
# useradd -m -g sysadmin sysadmin
# passwd sysadmin

# groupadd sysoper
# useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper
# passwd sysoper

Git Config (Hinweis: "sslVerify = false" deaktiviert die TLS-Zertifikatspruefung fuer git ueber HTTPS):

# cat .gitconfig
[user]
	name = Joerg Lehmann
	email = joerg.lehmann@nbit.ch
[http]
	sslVerify = false

Testen der Verbindung

[joerg@cinnamon test-openvpn-rychiger]$ sudo openvpn --config ewon.rychiger.com.conf

[joerg@cinnamon test-openvpn-rychiger]$ more ewon.rychiger.com.conf
dev tap1
proto tcp
suppress-timestamps
status-version 2
rport 443
verb 1
mute 10
comp-lzo
persist-key
up-delay
route-delay 0
nobind
client
tls-exit
ca cacert.pem
reneg-sec 86400
keepalive 30 120
hand-window 140
remote ewon.rychiger.com
resolv-retry 60
auth-user-pass


am besten auf Linux:

Testuser erstellt mit 

$ string_to_hash="7355+TT" /opt/openvpn/sysoper/hashme.py  >/opt/openvpn/users/testuser.pwd

auch CCD-File erstellen, siehe unten

[root@ryovpn openvpn]# more users/testuser.pwd ccd/testuser
::::::::::::::
users/testuser.pwd
::::::::::::::
$2b$12$OkJpfcPt7Uk8DMVjBbuStedJ63rahYw05E7vNAg9PQigL97ox18Am
::::::::::::::
ccd/testuser
::::::::::::::
ifconfig-push 10.3.6.254 255.255.0.0