Difference between revisions of "User:Djgera/papucho"

(openvpn (CLIENT))
Line 182: Line 182:
  
 
dh dh2048.pem
 
dh dh2048.pem
 +
 +
remote-cert-tls client
  
 
mode server
 
mode server
Line 192: Line 194:
  
 
keepalive 10 120
 
keepalive 10 120
tls-auth ta.key 0
+
 
 +
tls-auth ta.key
 +
key-direction 0
  
 
comp-lzo
 
comp-lzo
Line 231: Line 235:
  
 
dh dh2048.pem
 
dh dh2048.pem
 +
 +
remote-cert-tls client
  
 
mode server
 
mode server
Line 241: Line 247:
  
 
keepalive 10 120
 
keepalive 10 120
tls-auth ta.key 0
+
 
 +
tls-auth ta.key
 +
key-direction 0
  
 
comp-lzo
 
comp-lzo
Line 251: Line 259:
  
 
push "route 192.168.91.0 255.255.255.240"
 
push "route 192.168.91.0 255.255.255.240"
route 10.101.9.0 255.255.255.0
+
#route 10.101.9.0 255.255.255.0
 
client-config-dir /etc/openvpn/ccd-tcp
 
client-config-dir /etc/openvpn/ccd-tcp
 
</nowiki>}}
 
</nowiki>}}
Line 265: Line 273:
 
|<nowiki>
 
|<nowiki>
 
ifconfig-push 10.6.93.4 255.255.255.240
 
ifconfig-push 10.6.93.4 255.255.255.240
 +
</nowiki>}}
 +
 +
{{hc|
 +
/etc/openvpn/ccd-tcp/djgera-netet28
 +
|<nowiki>
 +
ifconfig-push 10.6.93.8 255.255.255.240
 
iroute 10.101.9.0 255.255.255.0
 
iroute 10.101.9.0 255.255.255.0
 
</nowiki>}}
 
</nowiki>}}
 +
  
 
==== openvpn (CLIENT) ====
 
==== openvpn (CLIENT) ====
Line 287: Line 302:
  
 
remote-cert-tls server
 
remote-cert-tls server
 
key-direction 1
 
  
 
comp-lzo
 
comp-lzo
  
 
tls-auth ta.key
 
tls-auth ta.key
 +
key-direction 1
  
 
ca ca.crt
 
ca ca.crt
Line 316: Line 330:
  
 
remote-cert-tls server
 
remote-cert-tls server
 
key-direction 1
 
  
 
comp-lzo
 
comp-lzo
  
 
tls-auth ta.key
 
tls-auth ta.key
 +
key-direction 1
  
 
ca ca.crt
 
ca ca.crt
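Review bot: The Line 251 hunk comments out `route 10.101.9.0 255.255.255.0` in djgera-tcp.conf while the new ccd-tcp/djgera-netet28 file added in the Line 265 hunk still carries `iroute 10.101.9.0 255.255.255.0`; iroute only steers packets inside the OpenVPN process, so without a kernel route for that subnet toward tun6 neither the server nor the LAN hosts receiving the pushed routes can reach 10.101.9.0/24. Unless that system route is now installed elsewhere, restore `route 10.101.9.0 255.255.255.0`, or replace the `#route` line with a comment stating where the kernel route comes from. The iptables rules further down this page, if they are current, also only accept tun6 traffic sourced from 10.6.93.0/28 in INPUT and FORWARD, so packets from 10.101.9.0/24 would be rejected there regardless. The remaining changes (`remote-cert-tls client` on both servers, the `tls-auth`/`key-direction` split) are a sound tightening.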

Revision as of 23:25, 21 April 2016

Software configuration

iptables

/etc/iptables/iptables.rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Source-NAT the AP subnet (172.16.93.0/28) and both VPN client subnets
# (10.6.93.0/28 on tun6, 10.17.93.0/28 on tun17) behind 192.168.91.3 when
# they leave via net0 for anything outside the LAN 192.168.91.0/28.
# 192.168.91.3 is the address the *filter/*raw rules treat as this host.
-A POSTROUTING -s 172.16.93.0/28 ! -d 192.168.91.0/28 -o net0 -j SNAT --to-source 192.168.91.3
-A POSTROUTING -s 10.6.93.0/28 ! -d 192.168.91.0/28 -o net0 -j SNAT --to-source 192.168.91.3
-A POSTROUTING -s 10.17.93.0/28 ! -d 192.168.91.0/28 -o net0 -j SNAT --to-source 192.168.91.3

COMMIT


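*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Discard what conntrack cannot classify, then fast-path replies to flows
# this host already opened. Loopback is unrestricted.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Echo-request is accepted from any source on any interface.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

-A INPUT -i net0 -m pkttype --pkt-type multicast -j ACCEPT

# LAN (192.168.91.0/28 on net0): per-host allowances by destination port.
-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT

# OpenVPN (1194, TCP and UDP) from any source *outside* the LAN on net0,
# i.e. the Internet-facing entry point. New attempts are logged, but the
# LOG is rate-limited so a flood from the Internet cannot fill the journal;
# the ACCEPT that follows is unaffected by the limit.
-A INPUT ! -s 192.168.91.0/28 -i net0 -p tcp -m tcp --dport 1194 -m limit --limit 6/min --limit-burst 12 -j LOG --log-prefix "openvpn-tcp: "
-A INPUT ! -s 192.168.91.0/28 -i net0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT ! -s 192.168.91.0/28 -i net0 -p udp -m udp --dport 1194 -m limit --limit 6/min --limit-burst 12 -j LOG --log-prefix "openvpn-udp: "
-A INPUT ! -s 192.168.91.0/28 -i net0 -p udp -m udp --dport 1194 -j ACCEPT

-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 2049 -j ACCEPT

-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 192.168.91.0/28 -i net0 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 192.168.91.0/28 -i net0 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT

# Port 55555 is exempted from conntrack in the *raw table, so it can never
# match the RELATED,ESTABLISHED rule above and needs this explicit ACCEPT.
# Note there is no source restriction: any host reaching net0 may talk to it.
-A INPUT -d 192.168.91.3/32 -i net0 -p tcp -m tcp --dport 55555 -j ACCEPT
-A INPUT -d 192.168.91.3/32 -i net0 -p udp -m udp --dport 55555 -j ACCEPT

# Second wired subnet (172.16.92.0/28 on net0): same per-host scheme.
-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 172.16.92.0/28 -i net0 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 172.16.92.0/28 -i net0 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT

# Access point (172.16.93.0/28 on ap1): ssh only from .4 and .6, multicast,
# DHCP requests, and the same per-host service ports.
-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -i ap1 -m pkttype --pkt-type multicast -j ACCEPT

-A INPUT -i ap1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT

-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 172.16.93.0/28 -i ap1 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 172.16.93.0/28 -i ap1 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 9091 -j ACCEPT

# VPN clients on tun6 (TCP server, 10.6.93.0/28) and tun17 (UDP server,
# 10.17.93.0/28): only the two fixed client addresses .4 and .6 get service
# access; nothing else sourced from the tunnels (e.g. a routed subnet behind
# a client) is accepted here.
-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 10.6.93.0/28 -i tun6 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 10.6.93.0/28 -i tun6 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 9091 -j ACCEPT

-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 10.17.93.0/28 -i tun17 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 10.17.93.0/28 -i tun17 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 9091 -j ACCEPT

# Everything unmatched is actively rejected rather than left to the DROP policy.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# LAN may initiate into either tunnel and the AP; the AP and both tunnels
# may initiate toward net0 (SNATed in *nat). There is no tunnel-to-tunnel,
# AP-to-tunnel or tunnel-to-AP forwarding.
-A FORWARD -s 192.168.91.0/28 -i net0 -o tun6 -j ACCEPT
-A FORWARD -s 192.168.91.0/28 -i net0 -o tun17 -j ACCEPT
-A FORWARD -s 192.168.91.0/28 -i net0 -o ap1 -j ACCEPT

-A FORWARD -s 172.16.93.0/28 -i ap1 -o net0 -j ACCEPT

-A FORWARD -s 10.6.93.0/28 -i tun6 -o net0 -j ACCEPT
-A FORWARD -s 10.17.93.0/28 -i tun17 -o net0 -j ACCEPT

-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-proto-unreachable

# Block outbound net0 traffic from uid 1001 between 05:00 and 12:00.
# NOTE(review): the time match compares against UTC unless --kerneltz is
# given; confirm which timezone this window is meant to be in.
-A OUTPUT -o net0 -m owner --uid-owner 1001 -m time --timestart 05:00:00 --timestop 12:00:00 -j DROP

COMMIT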

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Exempt port 55555 on 192.168.91.3 from connection tracking in both
# directions. Because these flows are UNTRACKED they never match the
# RELATED,ESTABLISHED rule, which is why *filter carries an explicit
# INPUT ACCEPT for the same port.
-A PREROUTING -d 192.168.91.3/32 -i net0 -p tcp -m tcp --dport 55555 -j CT --notrack
-A PREROUTING -d 192.168.91.3/32 -i net0 -p udp -m udp --dport 55555 -j CT --notrack
-A OUTPUT -s 192.168.91.3/32 -o net0 -p tcp -m tcp --sport 55555 -j CT --notrack
-A OUTPUT -s 192.168.91.3/32 -o net0 -p udp -m udp --sport 55555 -j CT --notrack
COMMIT

openvpn-udp (SERVER)

/etc/openvpn/djgera-udp.conf
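# OpenVPN server, UDP transport on tun17; clients live in 10.17.93.0/28.
port 1194
proto udp
dev tun17

# CA used to verify client certificates, plus this host's own cert/key.
ca ca.crt
cert djgera.crt
key djgera.key

dh dh2048.pem

# Only accept peers whose certificate carries the TLS client EKU, so a
# server certificate issued by the same CA cannot be used to connect here.
remote-cert-tls client
# NOTE(review): no crl-verify is configured, so a revoked client
# certificate keeps being accepted until a CRL is added.

mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.17.93.3 255.255.255.240
route-gateway 10.17.93.3
push "route-gateway 10.17.93.3"

keepalive 10 120

# Control-channel HMAC: the server uses key direction 0, clients use 1.
tls-auth ta.key
key-direction 0

# NOTE(review): no explicit cipher/auth is set, so OpenVPN's release
# defaults apply; pick an explicit AEAD cipher and set it on the server and
# on every client together. Compression on a VPN link is also a known
# compression-oracle risk (VORACLE); consider dropping it on both ends.
comp-lzo

# Keep the key material and the tun device across SIGUSR1 restarts so the
# daemon can drop root after initialisation and still recover.
persist-key
persist-tun
user nobody
group nobody

verb 3

push "route 192.168.91.0 255.255.255.240"
# Per-client files are read at connect time, i.e. after the privilege
# drop, so they must be readable by the unprivileged user.
client-config-dir /etc/openvpn/ccd-udp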
/etc/openvpn/ccd-udp/djgera-android
# Fixed address for djgera-android inside 10.17.93.0/28 (tun17 server).
ifconfig-push 10.17.93.6 255.255.255.240
/etc/openvpn/ccd-udp/djgera-netbook
# Fixed address for djgera-netbook inside 10.17.93.0/28 (tun17 server).
ifconfig-push 10.17.93.4 255.255.255.240

openvpn-tcp (SERVER)

/etc/openvpn/djgera-tcp.conf
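# OpenVPN server, TCP transport on tun6; clients live in 10.6.93.0/28.
port 1194
proto tcp-server
dev tun6

# CA used to verify client certificates, plus this host's own cert/key.
ca ca.crt
cert djgera.crt
key djgera.key

dh dh2048.pem

# Only accept peers whose certificate carries the TLS client EKU, so a
# server certificate issued by the same CA cannot be used to connect here.
remote-cert-tls client
# NOTE(review): no crl-verify is configured, so a revoked client
# certificate keeps being accepted until a CRL is added.

mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.6.93.3 255.255.255.240
route-gateway 10.6.93.3
push "route-gateway 10.6.93.3"

keepalive 10 120

# Control-channel HMAC: the server uses key direction 0, clients use 1.
tls-auth ta.key
key-direction 0

# NOTE(review): no explicit cipher/auth is set, so OpenVPN's release
# defaults apply; pick an explicit AEAD cipher and set it on the server and
# on every client together. Compression on a VPN link is also a known
# compression-oracle risk (VORACLE); consider dropping it on both ends.
comp-lzo

# Keep the key material and the tun device across SIGUSR1 restarts so the
# daemon can drop root after initialisation and still recover.
persist-key
persist-tun
user nobody
group nobody

verb 3

push "route 192.168.91.0 255.255.255.240"
# NOTE(review): ccd-tcp/djgera-netet28 still carries
# "iroute 10.101.9.0 255.255.255.0"; iroute only routes inside OpenVPN, so
# the kernel needs this route (or an equivalent system route to tun6) for
# that subnet to be reachable. Confirm where the system route comes from.
#route 10.101.9.0 255.255.255.0
# Per-client files are read at connect time, i.e. after the privilege
# drop, so they must be readable by the unprivileged user.
client-config-dir /etc/openvpn/ccd-tcp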
/etc/openvpn/ccd-tcp/djgera-android
# Fixed address for djgera-android inside 10.6.93.0/28 (tun6 server).
ifconfig-push 10.6.93.6 255.255.255.240
/etc/openvpn/ccd-tcp/djgera-netbook
# Fixed address for djgera-netbook inside 10.6.93.0/28 (tun6 server).
ifconfig-push 10.6.93.4 255.255.255.240
/etc/openvpn/ccd-tcp/djgera-netet28
# Fixed address for djgera-netet28 inside 10.6.93.0/28 (tun6 server), plus
# the 10.101.9.0/24 subnet that sits behind this client.
ifconfig-push 10.6.93.8 255.255.255.240
# NOTE(review): iroute only steers traffic inside the OpenVPN process; the
# kernel still needs "route 10.101.9.0 255.255.255.0" (currently commented
# out in djgera-tcp.conf) or an equivalent system route to tun6. The host
# iptables rules also accept tun6 traffic only from 10.6.93.0/28, so this
# subnet is not reachable through the firewall as shown.
iroute 10.101.9.0 255.255.255.0


openvpn (CLIENT)

djgera-netbook-tcp.conf
# OpenVPN client for djgera-netbook, TCP transport (peers djgera-tcp.conf).
client

dev tun

# NOTE(review): the server listens on 1194; port 2068 on <HOST> is
# presumably a forward on the upstream router — confirm.
proto tcp-client
remote <HOST>
port 2068

nobind

persist-key
persist-tun

# Require the peer certificate to carry the TLS server EKU, so a client
# certificate from the same CA cannot be used to impersonate the server.
remote-cert-tls server

# Must match the server side (see the cipher/compression note there).
comp-lzo

# Control-channel HMAC: direction 1 on the client, 0 on the server.
tls-auth ta.key
key-direction 1

# CA plus this client's own certificate and (passphrase-protected) key.
ca ca.crt
cert djgera-netbook.crt
key djgera-netbook.key
djgera-android-udp.conf
# OpenVPN client for djgera-android, UDP transport (peers djgera-udp.conf).
client

dev tun

# NOTE(review): the server listens on 1194; port 2068 on <HOST> is
# presumably a forward on the upstream router — confirm.
proto udp
remote <HOST>
port 2068

nobind

persist-key
persist-tun

# Require the peer certificate to carry the TLS server EKU, so a client
# certificate from the same CA cannot be used to impersonate the server.
remote-cert-tls server

# Must match the server side (see the cipher/compression note there).
comp-lzo

# Control-channel HMAC: direction 1 on the client, 0 on the server.
tls-auth ta.key
key-direction 1

# CA plus this client's own certificate and (passphrase-protected) key.
ca ca.crt
cert djgera-android.crt
key djgera-android.key

easy-rsa

vars
...
# Subject fields stamped into every certificate pkitool issues; "..." marks
# lines of the stock easy-rsa vars file that are left unchanged.
export KEY_COUNTRY="AR"
export KEY_PROVINCE="Ciudad de Buenos Aires"
export KEY_CITY="Ciudad de Buenos Aires"
export KEY_ORG="Gerardo Exequiel Pozzi"
export KEY_EMAIL="<USER@HOST>"
export KEY_OU="Gerardo Exequiel Pozzi"
...
$ . ./vars
# clean-all wipes the whole keys directory: only for bootstrapping a new PKI.
$ ./clean-all
$ ./build-dh
$ ./pkitool --initca
# Server certificate (server EKU, matched by "remote-cert-tls server" on the clients).
$ ./pkitool --server djgera
# --pass: client private keys are passphrase-protected on disk.
$ ./pkitool --pass djgera-netbook
$ ./pkitool --pass djgera-android
# Shared tls-auth key; it is referenced by the server and every client
# config, so it has to be copied to each client over a secure channel.
$ openvpn --genkey --secret ta.key