Update openvpn config
This commit is contained in:
parent
b213d07da6
commit
3af17b7a66
@ -120,11 +120,11 @@ iface eno1:0 inet6 static
|
||||
gateway 201:638:614:1780::1
|
||||
\end{lstlisting}
|
||||
|
||||
\paragraph{IP-Forwarding einschalten}
|
||||
Da die Benutzer des VPN in der Lage sein sollen, das Netzwerk der Abteilung Informatik zu erreichen, muss IP-Forwarding auf dem VPN-Server aktiviert werden:
|
||||
\paragraph{IP-FORWARD einschalten}
|
||||
Da die Benutzer des VPN in der Lage sein sollen, das Netzwerk der Abteilung Informatik zu erreichen, muss IP-FORWARD auf dem VPN-Server aktiviert werden:
|
||||
\begin{lstlisting}
|
||||
# echo "net.ipv4.conf.all.forwarding = 1" > /etc/sysctl.d/04-enable-ipv4-forwarding.conf
|
||||
# echo "net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/06-enable-ipv6-forwarding.conf
|
||||
# echo "net.ipv4.conf.all.FORWARD = 1" > /etc/sysctl.d/04-enable-ipv4-FORWARD.conf
|
||||
# echo "net.ipv6.conf.all.FORWARD = 1" > /etc/sysctl.d/06-enable-ipv6-FORWARD.conf
|
||||
\end{lstlisting}
|
||||
Anschließend werden die vorgenommenen Einstellungen aktiviert.
|
||||
\begin{lstlisting}
|
||||
@ -180,8 +180,8 @@ ip6tables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
|
||||
|
||||
Vom VPN-Server ausgehende Pakete sind grundsätzlich erlaubt.
|
||||
\begin{lstlisting}
|
||||
iptables -A OUTPUT -m state --state NEW -j ACCEPT
|
||||
ip6tables -A OUTPUT -m state --state NEW -j ACCEPT
|
||||
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||
ip6tables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||
\end{lstlisting}
|
||||
|
||||
Zum VPN-Server eingehende Pakete sind als Antwort auf ausgehende Pakete erlaubt.
|
||||
@ -197,20 +197,20 @@ iptables -t nat -A POSTROUTING -s 10.2.0.0/16 -j MASQUERADE
|
||||
|
||||
Datenverkehr aus dem VPN zu Hosts in der DMZ ist verboten und wird verworfen.
|
||||
\begin{lstlisting}
|
||||
iptables -A FORWARDING -s 10.2.0.0/16 -d 141.71.38.0/24 -j DROP
|
||||
ip6tables -A FORWARDING -s 2001:638:614:1750::/64 -d 2001:683:614:1780::/64 -j DROP
|
||||
iptables -A FORWARD -s 10.2.0.0/16 -d 141.71.38.0/24 -j DROP
|
||||
ip6tables -A FORWARD -s 2001:638:614:1750::/64 -d 2001:683:614:1780::/64 -j DROP
|
||||
\end{lstlisting}
|
||||
|
||||
Jeglicher weiterer Datenverkehr aus dem VPN ist erlaubt.
|
||||
\begin{lstlisting}
|
||||
iptables -A FORWARDING -s 10.2.0.0/16 -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||
ip6tables -A FORWARDING -s 2001:638:614:1750::/64 -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||
iptables -A FORWARD -s 10.2.0.0/16 -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||
ip6tables -A FORWARD -s 2001:638:614:1750::/64 -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||
\end{lstlisting}
|
||||
|
||||
In das VPN eingehender Verkehr ist nur als Antwort auf ausgehende Pakete erlaubt.
|
||||
\begin{lstlisting}
|
||||
iptables -A FORWARDING -d 10.2.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
ip6tables -A FORWARDING -d 2001:638:614:1750::/64 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
iptables -A FORWARD -d 10.2.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
ip6tables -A FORWARD -d 2001:638:614:1750::/64 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
\end{lstlisting}
|
||||
|
||||
\paragraph{Persistente Firewallregeln}
|
||||
@ -224,10 +224,6 @@ iptables-save > /etc/iptables/rules.v4
|
||||
ip6tables-save > /etc/iptables/rules.v6
|
||||
\end{lstlisting}
|
||||
|
||||
Zugriffe aus dem VPN in die DMZ sind verboten
|
||||
Zugriffe auf den Server sind nur via UDP/1194 und TCP/22 erlaubt
|
||||
IPv4 NAT für 10.2.0.0/16
|
||||
|
||||
\paragraph{Einstellungen für Routing}
|
||||
\todo{Hier gibt es noch zu tun.}
|
||||
Viel ist es nicht
|
||||
|
@ -11,14 +11,13 @@ proto udp
|
||||
# We're using the layer 3 tunnel device
|
||||
dev tun
|
||||
|
||||
# Specify multiple remotes for dualstack connectivity
|
||||
remote 2003:d7:b70f:e387::5 1194
|
||||
remote 172.16.20.5 1194
|
||||
# Specify vpn server
|
||||
remote vpn-test.inform.hs-hannover.de 1194
|
||||
|
||||
# Certificates
|
||||
ca /etc/openvpn/vpnclient/ca.crt
|
||||
cert /etc/openvpn/vpnclient/vpnclient0.crt
|
||||
key /etc/openvpn/vpnclient/vpnclient0.key
|
||||
cert /etc/openvpn/vpnclient/jan-philipp.timme@hs-hannover.de.crt
|
||||
key /etc/openvpn/vpnclient/jan-philipp.timme@hs-hannover.de.key
|
||||
|
||||
# Make sure the server presents a certificate with "server role"
|
||||
remote-cert-tls server
|
||||
|
@ -8,8 +8,8 @@ dev tun
|
||||
|
||||
# Certificates
|
||||
ca /etc/openvpn/vpnserver/ca.crt
|
||||
cert /etc/openvpn/vpnserver/vpnserver.crt
|
||||
key /etc/openvpn/vpnserver/vpnserver.key
|
||||
cert /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.crt
|
||||
key /etc/openvpn/vpnserver/aither.inform.hs-hannover.de.key
|
||||
dh /etc/openvpn/vpnserver/dh.pem
|
||||
|
||||
# Make sure the client presents a certificate with "client role"
|
||||
@ -20,22 +20,27 @@ remote-cert-tls client
|
||||
|
||||
# net30 is point-to-point, compatible with windows
|
||||
# TODO: Topology subnet is supposed to work with windows just fine. CHECK THIS
|
||||
topology net30
|
||||
# Subnet topology is supposed to be working with windows clients just fine.
|
||||
topology subnet
|
||||
|
||||
# Use this IPv4 range for clients (/16, so we can cope with all possible clients)
|
||||
server 10.183.0.0 255.255.0.0
|
||||
server 10.2.0.0 255.255.0.0
|
||||
|
||||
# Use this IPv6 network for clients
|
||||
server-ipv6 2001:638:614:1750::/64
|
||||
|
||||
# Do we need persistence here?
|
||||
ifconfig-pool-persist /etc/openvpn/vpnserver/ipp.txt
|
||||
# No, not yet.
|
||||
#ifconfig-pool-persist /etc/openvpn/vpnserver/ipp.txt
|
||||
|
||||
# Make sure the client can still reach the OpenVPN server via its default gateway
|
||||
push "route remote_host 255.255.255.255 net_gateway"
|
||||
|
||||
# Push routes for local networks
|
||||
push "route 172.16.20.0 255.255.255.0 vpn_gateway"
|
||||
# Push routes for local IPv4 networks
|
||||
push "route 141.71.30.0 255.255.254.0 vpn_gateway"
|
||||
push "route 192.168.99.0 255.255.255.0 vpn_gateway"
|
||||
push "route 10.3.1.0 255.255.255.0 vpn_gateway"
|
||||
push "route 10.0.0.0 255.255.255.0 vpn_gateway"
|
||||
|
||||
# Push the whole /56 block for IPv6
|
||||
push "route-ipv6 2003:638:614:1700::/56"
|
||||
@ -55,5 +60,5 @@ group nogroup
|
||||
verb 3
|
||||
mute 5
|
||||
|
||||
# Have a status log
|
||||
status /etc/openvpn/vpnserver/status.log
|
||||
# Have a status log if needed.
|
||||
# status /etc/openvpn/vpnserver/status.log
|
||||
|
Loading…
Reference in New Issue
Block a user