Commit 7397bcb9 authored by glucas's avatar glucas

Add OpenVPN stuff.

parent 14a39d7b
For explanations and how-to, see https://wiki.arn-fai.net/technique:vpn (in french, sorry).
# GENERAL
; Drop privileges
user openvpn
group openvpn
; Don't re-read keys at ping-restart (because of dropped privileges)
persist-key
; Don't remove tun interface and call up/down scripts at ping-restart
persist-tun
# SERVER
mode server
port 1194
max-clients 30
# TLS
tls-server
ca /etc/openvpn/crypto/ca.crt
cert /etc/openvpn/crypto/server.crt
key /etc/openvpn/crypto/server.key
dh /etc/openvpn/crypto/dh_4096.pem
; When a client connects, check its certificate hasn't been revoked.
; Must be accessible without root privileges
crl-verify /etc/openvpn/crypto/crl.pem
; Certificates from the clients must have a field guaranteeing they really are client certificates
remote-cert-tls client
# NETWORK
topology subnet
; Notifies the client about the network topology we use
push "topology subnet"
; IPv4
; Yeah, VPN clients are in a /27, not a /26; but this trick is required to use 89.234.141.31 .
; 89.234.141.0 is lost unless a /23 is used here.
ifconfig 89.234.141.1 255.255.255.192
push "route-gateway 89.234.141.1"
; IPv6
; Allow IPv6 usage inside the tunnel
tun-ipv6
ifconfig-ipv6 2a00:5881:8100:0100::1/64 2a00:5881:8100:0100::1
; The user-specific IPv4 and IPv6 configuration is in /etc/openvpn/user/$username
; DHCP emulation ( used by WIndows client and our script for Unix/Linux)
push "dhcp-option DNS 89.234.141.66"
push "dhcp-option DNS 2a00:5881:8100:1000::3"
push "dhcp-option DNS 80.67.169.40"
push "dhcp-option DNS 2001:910:800::40"
# SCRIPTS
; Add routes, notably the delegated prefix
script-security 2
client-connect /etc/openvpn/handler.sh
client-disconnect /etc/openvpn/handler.sh
# DIVERS
; Logs
verb 3
; Don't log more than 10 consecutive messages (in the same category)
mute 10 ; On ne log pas plus de 10 messages consecutif de la meme categorie
; Adaptative tunnel compression
comp-lzo
; The client must signal itself every 10 seconds.
; If it doesn't after 30 seconds, it must restart its session.
; If it doesn't after 60 seconds, the server forgets it.
keepalive 10 30
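Review bot: `comp-lzo` on line 60 turns on compression of the tunnel payload, and compressing attacker-influenced data next to secrets is the side-channel class (VORACLE) that led the OpenVPN project to recommend leaving compression off; `comp-lzo no`, or dropping the directive together with the matching client setting, is the safer default. No `tls-auth`/`tls-crypt` key is configured, so the control channel completes TLS handshakes with any source before the client certificate is checked; a shared HMAC key lets the server discard unauthenticated packets early (`tls-crypt` needs a 2.4-era server, `tls-auth` works on older ones). Line 58 carries a second, French copy of the comment already given on line 57, placed after the directive; keeping only the English comment above it is cleaner and does not rely on trailing-comment parsing.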
#!/bin/sh
# Copyright (C) 2014-2016 Lorraine Data Network
# Copyright (C) 2014-2016 Alsace Réseau Neutre
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Debian GNU/Linux: store this in /etc/openvpn/
if [ "$(id -ru)" = "0" ]; then
SUDO=
else
SUDO=sudo
fi
###### Utility
log() {
local level
level="$1"
shift
logger -t"ovpn-script[$$]" -pdaemon."$level" -- "$@"
}
###### Functions
# Load user information from /etc/openvpn/users/$common_name
get_user_info() {
if ! echo "$common_name" | grep '^[a-zA-Z][a-zA-Z0-9_-]*$'; then
log notice "Bad common name $common_name"
return 1
fi
if ! . "/etc/openvpn/users/$common_name" ; then
log notice "No configuration for user $common_name"
return 1
fi
}
# Write user specific OpenVPN configuration to stdout
create_conf() {
if ! [ -z "$IP4" ]; then
echo "ifconfig-push $IP4 $ifconfig_netmask"
fi
if ! [ -z "$IP6" ]; then
echo "ifconfig-ipv6-push $IP6/64 $ifconfig_ipv6_local"
fi
if ! [ -z "$PREFIX" ]; then
# Route the IPv6 delegated prefix:
echo "iroute-ipv6 $PREFIX"
# Set the OPENVPN_DELEGATED_IPV6_PREFIX in the client:
echo "push \"setenv-safe DELEGATED_IPV6_PREFIX $PREFIX\""
fi
if ! [ -z "$PREFIX4" ]; then
# Route the IPv4 delegated prefix:
echo "iroute $PREFIX4" | tr '/' ' '
fi
}
add_route() {
$SUDO ip route replace "$@"
}
# Add the routes for the user in the kernel
add_routes() {
if ! [ -z "$IP4" ]; then
log info "Adding IPv4 $IP4 for $common_name"
add_route $IP4/32 dev $dev protocol static && log info "Adding IPv4 $IP4 for $common_name: OK"
fi
if ! [ -z "$IP6" ]; then
log info "Adding IPv6 $IP6 for $common_name"
add_route $IP6/128 dev $dev protocol static && log info "Adding IPv6 $IP6 for $common_name: OK"
fi
if ! [ -z "$PREFIX" ]; then
log info "Adding IPv6 delegated prefix $PREFIX for $common_name"
add_route $PREFIX via $IP6 dev $dev protocol static && log info "Adding IPv6 delegated prefix $PREFIX for $common_name: OK"
fi
if ! [ -z "$PREFIX4" ]; then
log info "Adding IPv4 delegated prefix $PREFIX4 for $common_name"
add_route $PREFIX4 via $IP4 dev $dev protocol static && log info "Adding IPv4 delegated prefix $PREFIX4 for $common_name: OK"
fi
}
remove_routes() {
if ! [ -z "$PREFIX4" ]; then
$SUDO ip route del $PREFIX4 via $IP4 dev $dev protocol static
fi
if ! [ -z "$IP4" ]; then
$SUDO ip route del $IP4/32 dev $dev protocol static
fi
if ! [ -z "$PREFIX" ]; then
$SUDO ip route del $PREFIX via $IP6 dev $dev protocol static
fi
if ! [ -z "$IP6" ]; then
$SUDO ip route del $IP6/128 dev $dev protocol static
fi
}
set_routes() {
if ! add_routes; then
remove_routes
return 1
fi
}
###### OpenVPN handlers
client_connect() {
conf="$1"
get_user_info || exit 1
create_conf > "$conf"
set_routes
}
client_disconnect() {
get_user_info || exit 1
remove_routes
}
###### Dispatch
log "OpenVPN $script_type $@"
case "$script_type" in
client-connect) client_connect "$@" ;;
client-disconnect) client_disconnect "$@" ;;
esac
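Review bot: `add_routes` (lines 129–146) returns only the status of its last `if`, so an earlier `add_route` failure is logged without the "OK" suffix but never makes `set_routes` roll back, and the client is left with a partially installed route set; appending `|| return 1` to each of the four `add_route` calls, e.g. `add_route "$IP4/32" dev "$dev" protocol static || return 1`, makes the rollback on line 163 reachable. Line 179 hands the whole message to `log` as the level, so `logger` receives `-pdaemon."OpenVPN client-connect …"` and the dispatch line is unlikely to be recorded; `log info "OpenVPN $script_type $*"` is what was meant. The `grep` on line 97 lacks `-q`, so every accepted common name is echoed to stdout on connect; `grep -q` keeps the check silent. The expansions of `$IP4`, `$IP6`, `$PREFIX`, `$PREFIX4` and `$dev` on lines 132–158 are unquoted; they come from the sourced user file and OpenVPN's environment, but quoting them costs nothing and stops a stray space from becoming extra `ip` arguments.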
# Generated by iptables-save v1.4.14 on Tue Mar 4 20:52:14 2014
*filter
:INPUT ACCEPT [1585:131620]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1232:165316]
COMMIT
# Completed on Tue Mar 4 20:52:14 2014
# Generated by iptables-save v1.4.14 on Tue Mar 4 20:52:14 2014
*nat
:PREROUTING ACCEPT [8:464]
:INPUT ACCEPT [8:464]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 89.234.141.73/32 -p udp -m udp --dport 161 -m comment --comment "SNMP" -j ACCEPT
-A PREROUTING -d 89.234.141.73/32 -p tcp -m tcp --dport 2222 -m comment --comment "SSH" -j ACCEPT
-A PREROUTING -d 89.234.141.73/32 -p tcp -m tcp --dport 9102 -m comment --comment "Bacula" -j ACCEPT
-A PREROUTING -d 89.234.141.73/32 -p udp -j DNAT --to-destination 89.234.141.73:1194
-A PREROUTING -d 89.234.141.73/32 -p tcp -j DNAT --to-destination 89.234.141.73:1194
COMMIT
# Completed on Tue Mar 4 20:52:14 2014
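Review bot: The filter table on lines 185–189 is empty with every chain defaulting to ACCEPT, so the three `ACCEPT` entries in nat PREROUTING (lines 197–199) only exempt SNMP, SSH and Bacula from the redirect to 1194 — nothing limits which sources may reach those services, and `FORWARD ACCEPT` passes any traffic across the VPN interfaces; `INPUT` and `FORWARD` need explicit rules for the management ports, or a default DROP with the wanted services listed. The ordering of the nat rules is load-bearing, since the service exemptions must stay above the catch-all `DNAT` on lines 200–201; that deserves a comment such as `# keep the service exemptions above the catch-all DNAT to 1194`. The IPv6 ruleset on lines 204–223 has the same shape and the same gap.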
# Generated by ip6tables-save v1.4.21 on Mon Jun 8 07:53:46 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:81]
:POSTROUTING ACCEPT [1:81]
-A PREROUTING -d 2a00:5881:8100:1002::1/128 -p udp -m udp --dport 161 -m comment --comment "SNMP" -j ACCEPT
-A PREROUTING -d 2a00:5881:8100:1002::1/128 -p tcp -m tcp --dport 2222 -m comment --comment "SSH" -j ACCEPT
-A PREROUTING -d 2a00:5881:8100:1002::1/128 -p tcp -m tcp --dport 9102 -m comment --comment "Bacula" -j ACCEPT
-A PREROUTING -d 2a00:5881:8100:1002::1/128 -p udp -j DNAT --to-destination [2a00:5881:8100:1002::1]:1194
-A PREROUTING -d 2a00:5881:8100:1002::1/128 -p tcp -j DNAT --to-destination [2a00:5881:8100:1002::1]:1194
COMMIT
# Completed on Mon Jun 8 07:53:46 2015
# Generated by ip6tables-save v1.4.21 on Mon Jun 8 07:53:46 2015
*filter
:INPUT ACCEPT [60000:68546020]
:FORWARD ACCEPT [2514086:1884025023]
:OUTPUT ACCEPT [41155:3363329]
COMMIT
# Completed on Mon Jun 8 07:53:46 2015
/var/log/openvpn.log {
rotate 52
weekly
missingok
delaycompress
compress
missingok
ifempty
create 0640 root adm
dateext
olddir /var/log/archives/openvpn/
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
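Review bot: `missingok` is listed twice, on lines 227 and 230; one copy is enough. The rest of the stanza reads consistently, and `create 0640 root adm` keeps the fresh log unreadable to the unprivileged `openvpn` user, which suits a file that records client common names.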
if $programname startswith 'ovpn' then /var/log/openvpn.log
& ~
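Review bot: `& ~` on line 240 is the legacy discard action; on rsyslog releases that accept RainerScript, `& stop` is the documented replacement and avoids a deprecation warning at startup, so it is worth checking which syntax the target release prefers. The `startswith 'ovpn'` test on line 239 also catches the handler's `ovpn-script` tag, which looks intentional; a one-line comment such as `# ovpn-tcp, ovpn-udp and the ovpn-script handler all land here` would spare the next reader a lookup.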
# COMMON CONFIGURATION
config /etc/openvpn/common.conf
# GENERAL
; Become a deamon and log with "ovpn-tcp" ID
daemon ovpn-tcp
# SERVER
; Our server supports IPv4 and IPv6
proto tcp6-server
; Name of the tun network interface
dev tunovpntcp
# NETWORK
; MTU / MSS
; "fragment" and "mssfix" directives cannot be used inside a TCP tunnel, see official OpenVPN documentation
# DIVERS
; Management socket. Useful for example to kill an active client connection.
management /var/run/openvpn_tcp.socket unix
management-client-user root
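Review bot: The comment on line 244 misspells "daemon" as "deamon" (the same typo is on line 261 of the UDP config); `; Become a daemon and log with "ovpn-tcp" ID` is the intended text. The management interface on lines 256–257 is a unix socket restricted to root via `management-client-user root`, which is the right choice for an interface that can disconnect clients; the comment on line 255 could state that restriction explicitly so nobody later swaps it for a TCP listener.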
# COMMON CONFIGURATION
config /etc/openvpn/common.conf
# GENERAL
; Become a deamon and log with "ovpn-tcp" ID
daemon ovpn-udp
# SERVER
; Our server supports IPv4 and IPv6
proto udp6
; Name of the tun network interface
dev tunovpnudp
# NETWORK
; MTU / MSS
; To prevent possible network encapsulations like ADSL, 6in4, GRE...
; and to prevent PMTUD blocking.
fragment 1300
mssfix
# DIVERS
; Management socket. Useful for example to kill an active client connection.
management /var/run/openvpn_udp.socket unix
management-client-user root
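Review bot: The comment on line 261 says the daemon logs under the "ovpn-tcp" ID, but the directive beneath it is `daemon ovpn-udp`; the line was copied from the TCP config and should read `; Become a daemon and log with "ovpn-udp" ID`. The explanation on lines 270–273 for `fragment 1300` / `mssfix` is clear; if the clients are expected to set a matching `fragment`, saying so there would help, since the value has to agree on both peers.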