From 8f267477559a8b667aab3ca95db80162a6878b20 Mon Sep 17 00:00:00 2001 
From: =?utf8?q?Zolt=C3=A1n=20Felleg?= Date: Sat, 16 Nov 2019 07:44:50 +0100 Subject: [PATCH] Added vpn.usr (cvm -> vhost migration, Fedora 31 upgrade). --- sources/vpn.usr/config | 23 ++ sources/vpn.usr/envvars | 4 + .../vpn.usr/firstboot/01_setupnetworking.sh | 55 +++ sources/vpn.usr/firstboot/02_settimezone.sh | 21 ++ sources/vpn.usr/firstboot/03_displayvpndoc.sh | 6 + sources/vpn.usr/firstboot/99_cleanup.sh | 6 + sources/vpn.usr/hooks/autodev | 6 + .../vpn.usr/postinstall/01_setownership.sh | 7 + .../vpn.usr/postinstall/02_setpermissions.sh | 5 + .../vpn.usr/postinstall/03_installfiles.sh | 15 + .../vpn.usr/postinstall/10_setupservices.sh | 7 + sources/vpn.usr/postinstall/99_cleanup.sh | 6 + sources/vpn.usr/postinstall/install/etc/hosts | 4 + .../client-config/client.conf.template | 127 +++++++ .../install/etc/openvpn/server/ccd/qqcs | 1 + .../install/etc/openvpn/server/server.conf | 323 ++++++++++++++++++ .../openvpn/setupscripts/10_setupserver.sh | 55 +++ .../etc/openvpn/setupscripts/20_getuids.sh | 35 ++ .../openvpn/setupscripts/30_create_client.sh | 52 +++ .../setupscripts/40_create_all_clients.sh | 8 + .../etc/openvpn/setupscripts/99_cleanup.sh | 6 + .../etc/openvpn/setupscripts/NAMES.txt | 21 ++ .../etc/openvpn/setupscripts/README.txt | 2 + .../install/etc/sysctl.d/01-ipv4.conf | 2 + 24 files changed, 797 insertions(+) create mode 100644 sources/vpn.usr/config create mode 100644 sources/vpn.usr/envvars create mode 100755 sources/vpn.usr/firstboot/01_setupnetworking.sh create mode 100755 sources/vpn.usr/firstboot/02_settimezone.sh create mode 100755 sources/vpn.usr/firstboot/03_displayvpndoc.sh create mode 100755 sources/vpn.usr/firstboot/99_cleanup.sh create mode 100755 sources/vpn.usr/hooks/autodev create mode 100755 sources/vpn.usr/postinstall/01_setownership.sh create mode 100755 sources/vpn.usr/postinstall/02_setpermissions.sh create mode 100755 sources/vpn.usr/postinstall/03_installfiles.sh create mode 100755 
sources/vpn.usr/postinstall/10_setupservices.sh create mode 100755 sources/vpn.usr/postinstall/99_cleanup.sh create mode 100644 sources/vpn.usr/postinstall/install/etc/hosts create mode 100644 sources/vpn.usr/postinstall/install/etc/openvpn/client-config/client.conf.template create mode 100644 sources/vpn.usr/postinstall/install/etc/openvpn/server/ccd/qqcs create mode 100644 sources/vpn.usr/postinstall/install/etc/openvpn/server/server.conf create mode 100755 sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/10_setupserver.sh create mode 100755 sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/20_getuids.sh create mode 100755 sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/30_create_client.sh create mode 100755 sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/40_create_all_clients.sh create mode 100755 sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/99_cleanup.sh create mode 100644 sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/NAMES.txt create mode 100644 sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/README.txt create mode 100644 sources/vpn.usr/postinstall/install/etc/sysctl.d/01-ipv4.conf
diff --git a/sources/vpn.usr/config b/sources/vpn.usr/config
new file mode 100644
index 0000000..018e069
--- /dev/null
+++ b/sources/vpn.usr/config
@@ -0,0 +1,23 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = vpn.usr.user.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = bri-dev
+lxc.net.0.hwaddr = 02:0c:18:03:6d:ec
+
+lxc.autodev = 1
+lxc.hook.autodev = __CONTAINER_PATH__/hooks/autodev
+
+lxc.cgroup.devices.allow = c 10:200 rwm
+lxc.cgroup.devices.deny =
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = 25
+lxc.start.delay = 3
diff --git a/sources/vpn.usr/envvars b/sources/vpn.usr/envvars
new file mode 100644
index 0000000..f1681d6
--- /dev/null
+++ b/sources/vpn.usr/envvars
@@ -0,0 +1,4 @@
+DISTRIBUTION=Fedora
+DISTRIBUTION_VERSION=31
+BASE_PACKAGES="NetworkManager hostname initscripts iproute iputils logrotate rootfiles rsyslog tar vim-minimal"
+SPEC_PACKAGES="easy-rsa openvpn python3"
diff --git a/sources/vpn.usr/firstboot/01_setupnetworking.sh b/sources/vpn.usr/firstboot/01_setupnetworking.sh
new file mode 100755
index 0000000..db088cd
--- /dev/null
+++ b/sources/vpn.usr/firstboot/01_setupnetworking.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active NetworkManager.service
+ NM_RC=$?
+done
+[ $WAITED -eq 1 ] && echo
+
+CONNECTIONS=$(nmcli --terse connection show | wc -l)
+while [ $CONNECTIONS -ne 1 ]
+do
+ echo "Number of connections: $CONNECTIONS" >&2
+ sleep 1
+ CONNECTIONS=$(nmcli --terse connection show | wc -l)
+done
+
+nmcli --terse connection show | grep ':$' >/dev/null
+ALL_CONNECTION_DEVICES_KNOWN=$?
+while [ $ALL_CONNECTION_DEVICES_KNOWN -eq 0 ]
+do
+ echo "Not all connection devices are known yet" >&2
+ sleep 1
+ nmcli --terse connection show | grep ':$' >/dev/null
+ ALL_CONNECTION_DEVICES_KNOWN=$?
+done
+
+CONNECTION_LINE=$(nmcli --terse connection show)
+CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+CONNECTION_DEVICE=$(echo $CONNECTION_LINE | cut -f 4 -d ':')
+
+nmcli connection delete uuid "$CONNECTION_UUID"
+
+nmcli connection add \
+ connection.autoconnect yes \
+ connection.id internal \
+ connection.interface-name $CONNECTION_DEVICE \
+ connection.type 802-3-ethernet \
+ ipv4.addresses "10.228.109.236/16" \
+ ipv4.dns "10.228.109.104, 10.228.109.253" \
+ ipv4.dns-search "usr.user.hu" \
+ ipv4.gateway "10.228.109.254" \
+ ipv4.method "manual" \
+ ipv6.method "auto" \
+ save yes
+
+nmcli connection show
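Review bot: firstboot/01_setupnetworking.sh deletes the only existing NetworkManager connection (`nmcli connection delete uuid "$CONNECTION_UUID"`) before the replacement is added, and neither that call nor the following `nmcli connection add` has its exit status checked, so a failing add leaves the container with no configured connection while the script still exits 0. Add `set -e` after the shebang (or `|| exit 1` on both nmcli calls) and quote `$CONNECTION_DEVICE` in the `connection.interface-name` argument, since the value is taken from `nmcli --terse` output. `echo -n` is also not portable under `#!/bin/sh`; `printf '.'` is.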
diff --git a/sources/vpn.usr/firstboot/02_settimezone.sh b/sources/vpn.usr/firstboot/02_settimezone.sh
new file mode 100755
index 0000000..20b2a71
--- /dev/null
+++ b/sources/vpn.usr/firstboot/02_settimezone.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+ if [ $WAITED -eq 0 ]
+ then
+ echo -n "Waiting for dbus.service"
+ fi
+ echo -n .
+ sleep 1
+ WAITED=1
+ systemctl --quiet is-active dbus.service
+ DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/vpn.usr/firstboot/03_displayvpndoc.sh b/sources/vpn.usr/firstboot/03_displayvpndoc.sh
new file mode 100755
index 0000000..e4e8b06
--- /dev/null
+++ b/sources/vpn.usr/firstboot/03_displayvpndoc.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo "OpenVPN setup scripts can be found in /etc/openvpn/setupscripts"
diff --git a/sources/vpn.usr/firstboot/99_cleanup.sh b/sources/vpn.usr/firstboot/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/vpn.usr/firstboot/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/vpn.usr/hooks/autodev b/sources/vpn.usr/hooks/autodev
new file mode 100755
index 0000000..313469e
--- /dev/null
+++ b/sources/vpn.usr/hooks/autodev
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+cd $LXC_ROOTFS_MOUNT/dev
+mkdir net
+mknod net/tun c 10 200
+chmod 0666 net/tun
diff --git a/sources/vpn.usr/postinstall/01_setownership.sh b/sources/vpn.usr/postinstall/01_setownership.sh
new file mode 100755
index 0000000..f2e6b94
--- /dev/null
+++ b/sources/vpn.usr/postinstall/01_setownership.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chown -R root.root $SOURCE_PATH/*
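Review bot: In hooks/autodev the `cd $LXC_ROOTFS_MOUNT/dev` is unquoted and its result is not checked, so if `LXC_ROOTFS_MOUNT` is empty or the directory is missing the hook keeps running in whatever directory LXC started it in and executes `mkdir net`, `mknod net/tun c 10 200` and `chmod 0666 net/tun` there — a world-writable device node created outside the container rootfs, on the host. Guard it with `cd "${LXC_ROOTFS_MOUNT:?}/dev" || exit 1`; `mkdir -p net` would additionally make the hook idempotent across restarts. The same unchecked-`cd` pattern recurs in setupscripts/10_setupserver.sh and 30_create_client.sh further down.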
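Review bot: postinstall/01_setownership.sh uses the deprecated `user.group` spelling and an unquoted glob in `chown -R root.root $SOURCE_PATH/*`, which also skips dotfiles directly under `install/`. Prefer `chown -R root:root -- "$SOURCE_PATH"` so the whole tree, including the `install` directory itself, is covered and a path containing spaces cannot split.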
diff --git a/sources/vpn.usr/postinstall/02_setpermissions.sh b/sources/vpn.usr/postinstall/02_setpermissions.sh
new file mode 100755
index 0000000..241386a
--- /dev/null
+++ b/sources/vpn.usr/postinstall/02_setpermissions.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
diff --git a/sources/vpn.usr/postinstall/03_installfiles.sh b/sources/vpn.usr/postinstall/03_installfiles.sh
new file mode 100755
index 0000000..f190caf
--- /dev/null
+++ b/sources/vpn.usr/postinstall/03_installfiles.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+tar --create \
+ --directory=$REAL_PATH \
+ --to-stdout \
+ install \
+ | tar --extract \
+ --backup \
+ --directory=/ \
+ --no-overwrite-dir \
+ --strip-components=1 \
+ --suffix=.orig
diff --git a/sources/vpn.usr/postinstall/10_setupservices.sh b/sources/vpn.usr/postinstall/10_setupservices.sh
new file mode 100755
index 0000000..7b6a56c
--- /dev/null
+++ b/sources/vpn.usr/postinstall/10_setupservices.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+systemctl enable openvpn-server@server.service
+systemctl enable NetworkManager-wait-online.service
+
+systemctl enable logrotate.timer
diff --git a/sources/vpn.usr/postinstall/99_cleanup.sh b/sources/vpn.usr/postinstall/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/vpn.usr/postinstall/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/vpn.usr/postinstall/install/etc/hosts b/sources/vpn.usr/postinstall/install/etc/hosts
new file mode 100644
index 0000000..219e747
--- /dev/null
+++ b/sources/vpn.usr/postinstall/install/etc/hosts
@@ -0,0 +1,4 @@
+127.0.0.1 localhost.localdomain localhost localhost4.localdomain4 localhost4
+::1 localhost6.localdomain6 localhost6
+
+10.228.109.236 vpn.usr.user.hu vpn
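Review bot: postinstall/02_setpermissions.sh assigns `REAL_PATH` and `SOURCE_PATH` and then ends without a single command, so the postinstall sequence never adjusts modes on the installed tree; everything under `install/` keeps the mode it had in git, including `/etc/openvpn/server/`, where setupscripts/10_setupserver.sh later creates the easy-rsa PKI with the CA key, server key and ta.key. Either add the intended step (for example `chmod 0700 "$SOURCE_PATH/etc/openvpn/server"`) or a comment such as `# intentionally empty: file modes are taken from the git tree` so the next reader knows which it is. In 03_installfiles.sh the `tar --create ... | tar --extract ...` pipeline under `#!/bin/sh` reports only the extracting tar's status, so a failure of the creating tar (wrong `$REAL_PATH`, for instance) is silently ignored; checking `$?` of the first stage or running under bash with `set -o pipefail` would surface it.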
diff --git a/sources/vpn.usr/postinstall/install/etc/openvpn/client-config/client.conf.template b/sources/vpn.usr/postinstall/install/etc/openvpn/client-config/client.conf.template new file mode 100644 index 0000000..0498910 --- /dev/null +++ b/sources/vpn.usr/postinstall/install/etc/openvpn/client-config/client.conf.template 
@@ -0,0 +1,127 @@ +############################################## +# Sample client-side OpenVPN 2.0 config file # +# for connecting to multi-client server. # +# # +# This configuration can be used by multiple # +# clients, however each client should have # +# its own cert and key files. # +# # +# On Windows, you might want to rename this # +# file so it has a .ovpn extension # +############################################## + +# Specify that we are a client and that we +# will be pulling certain config file directives +# from the server. +client + +# Use the same setting as you are using on +# the server. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel +# if you have more than one. On XP SP2, +# you may need to disable the firewall +# for the TAP adapter. +;dev-node MyTap + +# Are we connecting to a TCP or +# UDP server? Use the same setting as +# on the server. +;proto tcp +proto udp + +# The hostname/IP and port of the server. +# You can have multiple remote entries +# to load balance between the servers. +remote vpn.userrendszerhaz.hu 1194 + +# Choose a random host from the remote +# list for load-balancing. Otherwise +# try hosts in the order specified. +;remote-random + +# Keep trying indefinitely to resolve the +# host name of the OpenVPN server. Very useful +# on machines which are not permanently connected +# to the internet such as laptops. +resolv-retry infinite + +# Most clients don't need to bind to +# a specific local port number. +nobind + +# Downgrade privileges after initialization (non-Windows only) +user nobody +group nobody + +# Try to preserve some state across restarts. +persist-key +persist-tun + +# If you are connecting through an +# HTTP proxy to reach the actual OpenVPN +# server, put the proxy server/IP and +# port number here. 
See the man page +# if your proxy server requires +# authentication. +;http-proxy-retry # retry on connection failures +;http-proxy [proxy server] [proxy port #] + +# Wireless networks often produce a lot +# of duplicate packets. Set this flag +# to silence duplicate packet warnings. +;mute-replay-warnings + +# SSL/TLS parms. +# See the server config file for more +# description. It's best to use +# a separate .crt/.key file pair +# for each client. A single ca +# file can be used for all clients. +;ca ca.crt +;cert client.crt +;key client.key + +# Verify server certificate by checking that the +# certicate has the correct key usage set. +# This is an important precaution to protect against +# a potential attack discussed here: +# http://openvpn.net/howto.html#mitm +# +# To use this feature, you will need to generate +# your server certificates with the keyUsage set to +# digitalSignature, keyEncipherment +# and the extendedKeyUsage to +# serverAuth +# EasyRSA can do this for you. +remote-cert-tls server + +# If a tls-auth key is used on the server +# then every client must also have the key. +;tls-auth ta.key 1 +key-direction 1 + +# Select a cryptographic cipher. +# If the cipher option is used on the server +# then you must also specify it here. +# Note that v2.4 client/server will automatically +# negotiate AES-256-GCM in TLS mode. +# See also the ncp-cipher option in the manpage +cipher AES-256-CBC + +# Enable compression on the VPN link. +# Don't enable this unless it is also +# enabled in the server config file. +#comp-lzo + +# Set log file verbosity. +verb 3 + +# Silence repeating messages +;mute 20 diff --git a/sources/vpn.usr/postinstall/install/etc/openvpn/server/ccd/qqcs b/sources/vpn.usr/postinstall/install/etc/openvpn/server/ccd/qqcs new file mode 100644 index 0000000..7d8e4b8 --- /dev/null +++ b/sources/vpn.usr/postinstall/install/etc/openvpn/server/ccd/qqcs @@ -0,0 +1 @@ +iroute 10.162.104.0 255.255.255.0 
diff --git a/sources/vpn.usr/postinstall/install/etc/openvpn/server/server.conf b/sources/vpn.usr/postinstall/install/etc/openvpn/server/server.conf new file mode 100644 index 0000000..e3b8c91 --- /dev/null +++ b/sources/vpn.usr/postinstall/install/etc/openvpn/server/server.conf 
@@ -0,0 +1,323 @@ +################################################# +# Sample OpenVPN 2.0 config file for # +# multi-client server. # +# # +# This file is for the server side # +# of a many-clients <-> one-server # +# OpenVPN configuration. # +# # +# OpenVPN also supports # +# single-machine <-> single-machine # +# configurations (See the Examples page # +# on the web site for more info). # +# # +# This config should work on Windows # +# or Linux/BSD systems. Remember on # +# Windows to quote pathnames and use # +# double backslashes, e.g.: # +# "C:\\Program Files\\OpenVPN\\config\\foo.key" # +# # +# Comments are preceded with '#' or ';' # +################################################# + +# Which local IP address should OpenVPN +# listen on? (optional) +;local a.b.c.d + +# Which TCP/UDP port should OpenVPN listen on? +# If you want to run multiple OpenVPN instances +# on the same machine, use a different port +# number for each one. You will need to +# open up this port on your firewall. +port 1194 + +# TCP or UDP server? +;proto tcp +proto udp + +# "dev tun" will create a routed IP tunnel, +# "dev tap" will create an ethernet tunnel. +# Use "dev tap0" if you are ethernet bridging +# and have precreated a tap0 virtual interface +# and bridged it with your ethernet interface. +# If you want to control access policies +# over the VPN, you must create firewall +# rules for the the TUN/TAP interface. +# On non-Windows systems, you can give +# an explicit unit number, such as tun0. +# On Windows, use "dev-node" for this. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel if you +# have more than one. On XP SP2 or higher, +# you may need to selectively disable the +# Windows firewall for the TAP adapter. +# Non-Windows systems usually don't need this. 
+;dev-node MyTap + +# SSL/TLS root certificate (ca), certificate +# (cert), and private key (key). Each client +# and the server must have their own cert and +# key file. The server and all clients will +# use the same ca file. +# +# See the "easy-rsa" directory for a series +# of scripts for generating RSA certificates +# and private keys. Remember to use +# a unique Common Name for the server +# and each of the client certificates. +# +# Any X509 key management system can be used. +# OpenVPN can also use a PKCS #12 formatted key file +# (see "pkcs12" directive in man page). +ca easy-rsa/pki/ca.crt +cert easy-rsa/pki/issued/server.crt +key easy-rsa/pki/private/server.key # This file should be kept secret +crl-verify easy-rsa/pki/crl.pem + +# Diffie hellman parameters. +# Generate your own with: +# openssl dhparam -out dh2048.pem 2048 +#dh dh2048.pem +dh easy-rsa/pki/dh.pem + +# Network topology +# Should be subnet (addressing via IP) +# unless Windows clients v2.0.9 and lower have to +# be supported (then net30, i.e. a /30 per client) +# Defaults to net30 (not recommended) +;topology subnet + +# Configure server mode and supply a VPN subnet +# for OpenVPN to draw client addresses from. +# The server will take 10.8.0.1 for itself, +# the rest will be made available to clients. +# Each client will be able to reach the server +# on 10.8.0.1. Comment this line out if you are +# ethernet bridging. See the man page for more info. +server 172.16.223.0 255.255.255.0 + +# Maintain a record of client <-> virtual IP address +# associations in this file. If OpenVPN goes down or +# is restarted, reconnecting clients can be assigned +# the same virtual IP address from the pool that was +# previously assigned. +ifconfig-pool-persist ipp.txt + +# Configure server mode for ethernet bridging. +# You must first use your OS's bridging capability +# to bridge the TAP interface with the ethernet +# NIC interface. 
Then you must manually set the +# IP/netmask on the bridge interface, here we +# assume 10.8.0.4/255.255.255.0. Finally we +# must set aside an IP range in this subnet +# (start=10.8.0.50 end=10.8.0.100) to allocate +# to connecting clients. Leave this line commented +# out unless you are ethernet bridging. +;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 + +# Configure server mode for ethernet bridging +# using a DHCP-proxy, where clients talk +# to the OpenVPN server-side DHCP server +# to receive their IP address allocation +# and DNS server addresses. You must first use +# your OS's bridging capability to bridge the TAP +# interface with the ethernet NIC interface. +# Note: this mode only works on clients (such as +# Windows), where the client-side TAP adapter is +# bound to a DHCP client. +;server-bridge + +# Push routes to the client to allow it +# to reach other private subnets behind +# the server. Remember that these +# private subnets will also need +# to know to route the OpenVPN client +# address pool (10.8.0.0/255.255.255.0) +# back to the OpenVPN server. +;push "route 192.168.10.0 255.255.255.0" +;push "route 192.168.20.0 255.255.255.0" +push "route 10.228.0.0 255.255.0.0" +push "route 192.168.42.0 255.255.255.0" +push "route 192.168.43.0 255.255.255.0" + +# To assign specific IP addresses to specific +# clients or if a connecting client has a private +# subnet behind it that should also have VPN access, +# use the subdirectory "ccd" for client-specific +# configuration files (see man page for more info). +client-config-dir ccd +route 10.162.104.0 255.255.255.0 + +# EXAMPLE: Suppose the client +# having the certificate common name "Thelonious" +# also has a small subnet behind his connecting +# machine, such as 192.168.40.128/255.255.255.248. 
+# First, uncomment out these lines: +;client-config-dir ccd +;route 192.168.40.128 255.255.255.248 +# Then create a file ccd/Thelonious with this line: +# iroute 192.168.40.128 255.255.255.248 +# This will allow Thelonious' private subnet to +# access the VPN. This example will only work +# if you are routing, not bridging, i.e. you are +# using "dev tun" and "server" directives. + +# EXAMPLE: Suppose you want to give +# Thelonious a fixed VPN IP address of 10.9.0.1. +# First uncomment out these lines: +;client-config-dir ccd +;route 10.9.0.0 255.255.255.252 +# Then add this line to ccd/Thelonious: +# ifconfig-push 10.9.0.1 10.9.0.2 + +# Suppose that you want to enable different +# firewall access policies for different groups +# of clients. There are two methods: +# (1) Run multiple OpenVPN daemons, one for each +# group, and firewall the TUN/TAP interface +# for each group/daemon appropriately. +# (2) (Advanced) Create a script to dynamically +# modify the firewall in response to access +# from different clients. See man +# page for more info on learn-address script. +;learn-address ./script + +# If enabled, this directive will configure +# all clients to redirect their default +# network gateway through the VPN, causing +# all IP traffic such as web browsing and +# and DNS lookups to go through the VPN +# (The OpenVPN server machine may need to NAT +# or bridge the TUN/TAP interface to the internet +# in order for this to work properly). +;push "redirect-gateway def1 bypass-dhcp" + +# Certain Windows-specific network settings +# can be pushed to clients, such as DNS +# or WINS server addresses. CAVEAT: +# http://openvpn.net/faq.html#dhcpcaveats +# The addresses below refer to the public +# DNS servers provided by opendns.com. +;push "dhcp-option DNS 208.67.222.222" +;push "dhcp-option DNS 208.67.220.220" +push "dhcp-option DNS 10.228.109.253" + +# Uncomment this directive to allow different +# clients to be able to "see" each other. 
+# By default, clients will only see the server. +# To force clients to only see the server, you +# will also need to appropriately firewall the +# server's TUN/TAP interface. +;client-to-client + +# Uncomment this directive if multiple clients +# might connect with the same certificate/key +# files or common names. This is recommended +# only for testing purposes. For production use, +# each client should have its own certificate/key +# pair. +# +# IF YOU HAVE NOT GENERATED INDIVIDUAL +# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, +# EACH HAVING ITS OWN UNIQUE "COMMON NAME", +# UNCOMMENT THIS LINE OUT. +;duplicate-cn + +# The keepalive directive causes ping-like +# messages to be sent back and forth over +# the link so that each side knows when +# the other side has gone down. +# Ping every 10 seconds, assume that remote +# peer is down if no ping received during +# a 120 second time period. +keepalive 10 120 + +# For extra security beyond that provided +# by SSL/TLS, create an "HMAC firewall" +# to help block DoS attacks and UDP port flooding. +# +# Generate with: +# openvpn --genkey --secret ta.key +# +# The server and each client must have +# a copy of this key. +# The second parameter should be '0' +# on the server and '1' on the clients. +tls-auth easy-rsa/pki/ta.key 0 # This file is secret + +# Select a cryptographic cipher. +# This config item must be copied to +# the client config file as well. +# Note that 2.4 client/server will automatically +# negotiate AES-256-GCM in TLS mode. +# See also the ncp-cipher option in the manpage +cipher AES-256-CBC + +# Enable compression on the VPN link and push the +# option to the client (2.4+ only, for earlier +# versions see below) +;compress lz4-v2 +;push "compress lz4-v2" + +# For compression compatible with older clients use comp-lzo +# If you enable it here, you must also +# enable it in the client config file. +;comp-lzo + +# The maximum number of concurrently connected +# clients we want to allow. 
+;max-clients 100 + +# It's a good idea to reduce the OpenVPN +# daemon's privileges after initialization. +# +# You can uncomment this out on +# non-Windows systems. +user nobody +group nobody + +# The persist options will try to avoid +# accessing certain resources on restart +# that may no longer be accessible because +# of the privilege downgrade. +persist-key +persist-tun + +# Output a short status file showing +# current connections, truncated +# and rewritten every minute. +status openvpn-status.log + +# By default, log messages will go to the syslog (or +# on Windows, if running as a service, they will go to +# the "\Program Files\OpenVPN\log" directory). +# Use log or log-append to override this default. +# "log" will truncate the log file on OpenVPN startup, +# while "log-append" will append to it. Use one +# or the other (but not both). +;log openvpn.log +;log-append openvpn.log + +# Set the appropriate level of log +# file verbosity. +# +# 0 is silent, except for fatal errors +# 4 is reasonable for general usage +# 5 and 6 can help to debug connection problems +# 9 is extremely verbose +verb 3 + +# Silence repeating messages. At most 20 +# sequential messages of the same message +# category will be output to the log. +;mute 20 + +# Notify the client that when the server restarts so it +# can automatically reconnect. +explicit-exit-notify 1 diff --git a/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/10_setupserver.sh b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/10_setupserver.sh new file mode 100755 index 0000000..a931ef1 --- /dev/null +++ b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/10_setupserver.sh 
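Review bot: `crl-verify easy-rsa/pki/crl.pem` is enabled, but the only CRL generation in this commit is the one-time `./easyrsa gen-crl` in setupscripts/10_setupserver.sh, and an easy-rsa CRL carries a nextUpdate governed by `EASYRSA_CRL_DAYS` (180 days by default); once it lapses OpenVPN rejects every client with a CRL-expired verification error and the VPN goes dark for all users at once. Document the renewal next to the directive, e.g. `# regenerate with ./easyrsa gen-crl before nextUpdate (EASYRSA_CRL_DAYS) or all clients are refused`, or add a systemd timer that re-runs gen-crl. The `route 10.162.104.0 255.255.255.0` directive is consistent with the `iroute` in ccd/qqcs; note that with `push "route 10.228.0.0 255.255.0.0"` and `net.ipv4.ip_forward = 1` from sysctl.d/01-ipv4.conf, every client can reach the whole LAN unless a firewall policy outside this commit restricts forwarded tun traffic.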
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+ERSA_PATH=/etc/openvpn/server/easy-rsa
+ERSA_VERSION=$(rpm --query --queryformat "%{VERSION}\n" easy-rsa)
+PKI_PATH=$ERSA_PATH/pki
+
+
+if [ ! -d $PKI_PATH ]
+then
+ if [ -d $ERSA_PATH ]
+ then
+ mv $ERSA_PATH ${ERSA_PATH}.orig
+ fi
+ mkdir $ERSA_PATH
+ cp -a /usr/share/doc/easy-rsa/vars.example $ERSA_PATH/vars
+ cp -a /usr/share/easy-rsa/$ERSA_VERSION/easyrsa $ERSA_PATH
+ cp -a /usr/share/easy-rsa/$ERSA_VERSION/openssl-easyrsa.cnf $ERSA_PATH
+ cp -a /usr/share/easy-rsa/$ERSA_VERSION/x509-types $ERSA_PATH
+ cd $ERSA_PATH
+ echo "Edit (review only) $ERSA_PATH/openssl-easyrsa.cnf"
+ read
+ vi $ERSA_PATH/openssl-easyrsa.cnf
+ echo "Edit (set EASYRSA_ALGO to ec) $ERSA_PATH/vars"
+ echo "Optionally set EASYRSA_CURVE to one of \$(openssl ecparam -list_curves)"
+ read
+ vi $ERSA_PATH/vars
+
+ echo "Run ./easyrsa init-pki"
+ read
+ ./easyrsa init-pki
+ echo "Run ./easyrsa build-ca nopass"
+ read
+ ./easyrsa build-ca nopass
+ echo "Run ./easyrsa gen-crl"
+ read
+ ./easyrsa gen-crl
+ echo "Run ./easyrsa gen-req server nopass"
+ read
+ ./easyrsa gen-req server nopass
+ echo "Run ./easyrsa sign-req server server"
+ read
+ ./easyrsa sign-req server server
+ echo "Run ./easyrsa gen-dh"
+ read
+ ./easyrsa gen-dh
+ echo "Run openvpn --genkey --secret pki/ta.key"
+ read
+ openvpn --genkey --secret pki/ta.key
+ echo "Check server.conf"
+ read
+ echo "Run ./20_getuids.sh"
+ echo "Run ./30_create_client.sh for each client"
+fi
diff --git a/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/20_getuids.sh b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/20_getuids.sh
new file mode 100755
index 0000000..0ac7fa4
--- /dev/null
+++ b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/20_getuids.sh
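Review bot: `./easyrsa build-ca nopass` leaves the CA private key unencrypted in `$PKI_PATH/private` on the VPN server itself, next to the server key and `pki/ta.key`, so a copy of that one directory is enough to issue new client certificates the server will trust; at minimum drop `nopass` from `build-ca` so the CA key is passphrase-protected, or keep the CA off the server and only move signed requests across. The script also has no `set -e` and `cd $ERSA_PATH` is unchecked, so a failed `mkdir` or `cd` lets the whole interactive sequence (`init-pki` through `--genkey`) run in the wrong directory; use `cd "$ERSA_PATH" || exit 1` and `read -r` for the prompts. A one-line header comment stating that the script is interactive and must be run once, on the server, as root, would help whoever runs it from the hint printed by firstboot/03_displayvpndoc.sh.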
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+
+>$REAL_PATH/SEED.txt
+>$REAL_PATH/UIDS.txt
+grep '^[a-z]' $REAL_PATH/NAMES.txt | while read LOGIN_NAME
+do
+ LOGIN_MD5SUM=$(echo $LOGIN_NAME | md5sum | awk '{print $1}')
+ UID_POSITION=30
+ UID_IS_UNIQUE=0
+ while [ $UID_IS_UNIQUE -eq 0 ]
+ do
+ LOGIN_UID=$(echo $LOGIN_MD5SUM | cut -c ${UID_POSITION}- | cut -c 1-3)
+ grep $LOGIN_UID $REAL_PATH/SEED.txt >/dev/null 2>&1
+ if [ $? -eq 1 ]
+ then
+ INT_UID=$(python -c "print(10000 + int('$LOGIN_UID', 16))")
+ HEX_UID=$(python -c "print(hex($INT_UID))")
+ echo $LOGIN_NAME $LOGIN_MD5SUM $LOGIN_UID $INT_UID $HEX_UID
+ echo $LOGIN_UID >>$REAL_PATH/SEED.txt
+ echo $LOGIN_NAME $INT_UID $HEX_UID >>$REAL_PATH/UIDS.txt
+ UID_IS_UNIQUE=1
+ else
+ UID_POSITION=$(( $UID_POSITION - 1 ))
+ if [ $UID_POSITION -eq 0 ]
+ then
+ echo "Cannot generate unique uid for $LOGIN_NAME" >&2
+ exit 1
+ fi
+ fi
+ done
+done
diff --git a/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/30_create_client.sh b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/30_create_client.sh
new file mode 100755
index 0000000..54ed5a9
--- /dev/null
+++ b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/30_create_client.sh
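Review bot: The `exit 1` on the collision path runs inside the `grep ... | while read` pipeline, i.e. in a subshell, so it only ends the loop; the script itself still exits 0 with a partially written UIDS.txt, and 40_create_all_clients.sh would then happily process the incomplete list. Append `|| exit 1` to the outer `done` (or redirect the grep output into the loop instead of piping) so the status propagates. The two `python -c` calls also depend on an unversioned `python`, while envvars installs only `python3` and on Fedora 31 the bare `python` command comes from a separate package; either call `python3` explicitly or, given that Fedora's /bin/sh is bash, use `INT_UID=$((10000 + 0x$LOGIN_UID))` and `HEX_UID=$(printf '0x%x' "$INT_UID")`. `read` should be `read -r` and `grep $LOGIN_UID` is safer as `grep -x -- "$LOGIN_UID"` so a three-character seed is matched exactly.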
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+OVPN_PATH=/etc/openvpn
+ERSA_PATH=$OVPN_PATH/server/easy-rsa
+PKI_PATH=$ERSA_PATH/pki
+CCFG_PATH=$OVPN_PATH/client-config
+
+
+if [ -z "$1" ]
+then
+ echo "Usage: $(basename $0) clientname"
+fi
+
+NAME=$1
+LINE=$(grep "^$NAME " UIDS.txt)
+if [ -z "$LINE" ]
+then
+ echo "$NAME not found." >&2
+ exit 1
+fi
+
+SERIAL=$(echo $LINE | awk '{print $3}' | cut -c 3-6)
+
+if [ -f $CCFG_PATH/${NAME}.conf ]
+then
+ echo "Configuration for $NAME already exists."
+else
+ echo "Generating configuration for ${NAME}."
+ cd $ERSA_PATH
+ echo $SERIAL >${PKI_PATH}/serial
+ ./easyrsa gen-req $NAME nopass
+ ./easyrsa sign-req client $NAME
+ cp -a $CCFG_PATH/client.conf.template $CCFG_PATH/${NAME}.conf
+ echo >>$CCFG_PATH/${NAME}.conf
+ echo '' >>$CCFG_PATH/${NAME}.conf
+ cat $PKI_PATH/ca.crt >>$CCFG_PATH/${NAME}.conf
+ echo '' >>$CCFG_PATH/${NAME}.conf
+ echo >>$CCFG_PATH/${NAME}.conf
+ echo '' >>$CCFG_PATH/${NAME}.conf
+ cat $PKI_PATH/issued/${NAME}.crt >>$CCFG_PATH/${NAME}.conf
+ echo '' >>$CCFG_PATH/${NAME}.conf
+ echo >>$CCFG_PATH/${NAME}.conf
+ echo '' >>$CCFG_PATH/${NAME}.conf
+ cat $PKI_PATH/private/${NAME}.key >>$CCFG_PATH/${NAME}.conf
+ echo '' >>$CCFG_PATH/${NAME}.conf
+ echo >>$CCFG_PATH/${NAME}.conf
+ echo '' >>$CCFG_PATH/${NAME}.conf
+ cat $PKI_PATH/ta.key >>$CCFG_PATH/${NAME}.conf
+ echo '' >>$CCFG_PATH/${NAME}.conf
+fi
diff --git a/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/40_create_all_clients.sh b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/40_create_all_clients.sh
new file mode 100755
index 0000000..b37fd02
--- /dev/null
+++ b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/40_create_all_clients.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+
+cat UIDS.txt | while read LINE
+do
+ NAME=$(echo $LINE | awk '{print $1}')
+ ./30_create_client.sh $NAME
+done
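Review bot: The per-client file `$CCFG_PATH/${NAME}.conf` is created with `cp -a` from client.conf.template, which this commit adds with mode 100644, and then has the client's private key and `ta.key` appended, so every client key ends up in a world-readable file under /etc/openvpn/client-config; put `umask 077` at the top of the script or `chmod 0600 "$CCFG_PATH/${NAME}.conf"` immediately after the `cp`. The usage branch prints the message but never exits, so an argument-less run continues with an empty `NAME` and only fails later on the "not found" path; add `exit 1` after the usage `echo`. `UIDS.txt` is opened by a relative path although `REAL_PATH` is computed and unused, and 40_create_all_clients.sh relies on the same working directory — `$REAL_PATH/UIDS.txt` removes that dependency. As rendered here the `echo ''` lines around each `cat` are empty strings; if the inline `<ca>`/`<cert>`/`<key>`/`<tls-auth>` tags were lost in rendering, ignore this, otherwise the appended material carries no inline tags and the client cannot parse the resulting config.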
diff --git a/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/99_cleanup.sh b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/99_cleanup.sh
new file mode 100755
index 0000000..b87f2f4
--- /dev/null
+++ b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/99_cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/NAMES.txt b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/NAMES.txt
new file mode 100644
index 0000000..0eed557
--- /dev/null
+++ b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/NAMES.txt
@@ -0,0 +1,21 @@
+# Regular users
+akosztolanyi
+azsamboki
+bcsoka
+csgulyas
+cslevai
+dhorvath
+dvasary
+fritter
+fschnell
+ifabian
+khorvath
+kkele
+mszabo
+rrendek
+tsuhajda
+zbartakovics
+zfelleg
+
+# zfelleg's home network
+qqcs
diff --git a/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/README.txt b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/README.txt
new file mode 100644
index 0000000..3f768d3
--- /dev/null
+++ b/sources/vpn.usr/postinstall/install/etc/openvpn/setupscripts/README.txt
@@ -0,0 +1,2 @@
+login name -> uid: 10000+last 3 digits of md5sum(login name)
+ in case of collision: shift the 3 digits
diff --git a/sources/vpn.usr/postinstall/install/etc/sysctl.d/01-ipv4.conf b/sources/vpn.usr/postinstall/install/etc/sysctl.d/01-ipv4.conf
new file mode 100644
index 0000000..fb3c483
--- /dev/null
+++ b/sources/vpn.usr/postinstall/install/etc/sysctl.d/01-ipv4.conf
@@ -0,0 +1,2 @@
+# Enable IPv4 packet forwarding
+net.ipv4.ip_forward = 1
-- 
2.54.0