drpuur
/
rych-openvpn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
rych-openvpn/README.md

217 lines
5.3 KiB
Markdown
Raw Blame History

## INSTALLATION
Installation Rocky Linux 9 Minimal
Partitionierung (LVM; XFS als Filesystem):
```
/boot 1 GB
/ XXX GB
swap X GB
```
Netzwerkkonfiguration:
```
Hostname: ryovpn01.rych01.rychiger.com
DNS: 8.8.8.8
NTP: XXXXXX
XXXXXX
TODO:
TYPE="Ethernet"
NAME="enp0s10f0"
DEVICE="enp0s10f0"
ONBOOT="yes"
IPV6INIT=no
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="no"
NAME="enp0s10f1"
DEVICE="enp0s10f1"
ONBOOT="yes"
DNS1="8.8.8.8"
IPADDR=192.168.99.11
PREFIX=24
GATEWAY=192.168.99.1
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
```
Installation diverse Pakete
```
# yum install kbd-legacy
# dracut -f
```
Anschliessend Installation OpenVPN:
```
# yum install epel-release
# yum install openvpn -y
Noch ein paar Zusatzpakete:
# yum install s-nail -y
# yum install git -y
# yum install net-tools -y
# yum install policycoreutils-devel -y
# yum install bridge-utils -y
# yum install tcpdump -y
# yum install python3-bcrypt -y
```
Wegen Entropy:
```
# yum install haveged
# systemctl enable haveged
# systemctl start haveget
Test:
# cat /proc/sys/kernel/random/entropy_avail
```
Installation NGINX (Zugang fuer Statusabfragen):
```
# yum install nginx
# systemctl enable nginx
Konfiguration /etc/nginx/nginx.conf:
...
root /opt/openvpn/status;
...
Installation von altem Server oder git uebernehmen...
# cd /opt
# git clone https://gitlab.com/drpuur/rych-openvpn.git openvpn # use personal access token in Gitlab
SELinux:
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status.log
# semanage fcontext -a -t httpd_sys_content_t /opt/openvpn/status/openvpnserver-status-443.log
# semanage port -a -t ssh_port_t -p tcp 2202
# restorecon -v /opt/openvpn/status/openvpnserver-status.log
# restorecon -v /opt/openvpn/status/openvpnserver-status-443.log
Link erstellen:
# cd /etc/openvpn && ln -s /opt/openvpn/config/server.conf .
```
Prinzipieller Aufbau:
```
enp0s10f0: Netzwerkinterface Richtung Internet
enp0s10f1: Netzwerkinterface Richtung Intranet
enp0s10f0 (192.168.99.11/24) ==> hier hoert OpenVPN und bildet das Device tap0
Eine zweite OpenVPN Instanz bildet das Device tap1 (443/TCP)
-- enp0s10f0 => tap0 --+-- br0 (10.3.5.1/16)
tap1 |
-- enp0s10f1 ----------+
```
OpenVPN Client Range: 10.3.6.1 bis 10.3.7.254 (mit PUSH gemanaged)
Hyper-V Integration:
Als Network-Karte muss Legacy gewaehlt werden. Spoofing muss erlaubt sein (wegen Bridge). Zeit Synchronisation muss abgeschaltet sein.
```
# yum install hyperv-daemons
# systemctl enable hypervvssd
# systemctl enable hypervkvpd
```
Firewall:
```
/etc/sysconfig/iptables:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j LOG --log-prefix "INPUT:DROP-VPN-CLIENT-NET:" -m limit --limit 5/minute --log-level 6
-A INPUT -m state --state NEW -s 10.3.6.0/23,10.1.4.0/24 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-I INPUT -i enp0s10f1 -p udp -m udp --dport 1194 -j ACCEPT
-I INPUT -i enp0s10f1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -s 10.3.5.2 --dport 80 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD:DROP:" -m limit --limit 5/minute --log-level 6
#-A FORWARD -j DROP
-A OUTPUT -s 192.168.99.11/32 -j ACCEPT
-A OUTPUT -s 10.3.5.1/32 -d 10.3.5.2/32 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" -m limit --limit 5/minute --log-level 6
#-A OUTPUT -j DROP
COMMIT
```
```
Disable IPv6:
# nmcli connection modify <Connection Name> ipv6.method "disabled"
```
```
/etc/ssh/sshd_config:
Port 22
Port 2022
...
# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
```
```
/etc/cron.d/reboot-if-ping-fails:
MAILTO=root
02 * * * * root /opt/openvpn/scripts/reboot-if-ping-fails.sh
```
```
/etc/hosts:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
```
Startup mit Systemd einrichten:
gemaess /opt/openvpn/systemd/README
Verzeichnis /opt/openvpn/users muss angelegt werden:
```
# mkdir /opt/openvpn/users
```
User anlegen:
```
# groupadd sysadmin
# useradd -m -g sysadmin sysadmin
# passwd sysadmin
# groupadd sysoper
# useradd -m -g sysoper -s /opt/openvpn/sysoper/sysoper_shell sysoper
# passwd sysoper
```
Git Config:
```
# cat .gitconfig
[user]
name = Joerg Lehmann
email = joerg.lehmann@nbit.ch
[http]
sslVerify = false
```
Reference in New Issue View Git Blame Copy Permalink