
Topic: OpenVPN server configuration on Debian 8

  1. #1
    bazzd
    OpenVPN server configuration on Debian 8

    - OpenVPN server configuration (systemd) on Debian 8.
    - Certificate-based, with X.509 certificates over the TLS protocol, 4096-bit encrypted
    - Configure iptables and control traffic
    - Optimise the VPN
    - Route all traffic through the VPN


    #OpenVPN installation
    Code:
    apt-get install openvpn


    #Edit the vars key file and enter the basic data for the certificates

    Code:
    root@whoami /usr/share/easy-rsa # vi vars 
    
    export KEY_SIZE=4096
    export KEY_COUNTRY="DE"
    export KEY_PROVINCE="MD"
    export KEY_CITY="Magdeburg"
    export KEY_ORG="hack2sec"
    export KEY_EMAIL="bazzd@posteo.de"
    export KEY_OU="Whoami"


    #Create the certification authority

    Code:
    root@whoami /usr/share/easy-rsa # ./clean-all 
    root@whoami /usr/share/easy-rsa # ./build-ca 
    Generating a 4096 bit RSA private  key...............................................................................................................++
    ...........................................................................................................................................................................................................................................................++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [MD]:
    Locality Name (eg, city) [Magdeburg]:
    Organization Name (eg, company) [hack2sec]:
    Organizational Unit Name (eg, section) [Whoami]:
    Common Name (eg, your name or your server's hostname) [hack2sec CA]:Server
    Name [EasyRSA]:
    Email Address [bazzd@posteo.de]:
    #Create the server certificate

    Code:
    root@whoami /usr/share/easy-rsa # ./build-key-server Server
    Generating a 4096 bit RSA private key
    .........................++
    ........................................++
    writing new private key to 'Server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [MD]:
    Locality Name (eg, city) [Magdeburg]:
    Organization Name (eg, company) [hack2sec]:
    Organizational Unit Name (eg, section) [Whoami]:
    Common Name (eg, your name or your server's hostname) [Server]:
    Name [EasyRSA]:
    Email Address [bazzd@posteo.de]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /usr/share/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'DE'
    stateOrProvinceName   :PRINTABLE:'MD'
    localityName          :PRINTABLE:'Magdeburg'
    organizationName      :PRINTABLE:'hack2sec'
    organizationalUnitName:PRINTABLE:'Whoami'
    commonName            :PRINTABLE:'Server'
    name                  :PRINTABLE:'EasyRSA'
    emailAddress          :IA5STRING:'bazzd@posteo.de'
    Certificate is to be certified until Oct 18 21:33:39 2026 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    #Create the client certificates

    Code:
    root@whoami /usr/share/easy-rsa # ./build-key client1
    Generating a 4096 bit RSA private key
    ......................................++
    ..++
    writing new private key to 'client1.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [MD]:
    Locality Name (eg, city) [Magdeburg]:
    Organization Name (eg, company) [hack2sec]:
    Organizational Unit Name (eg, section) [Whoami]:
    Common Name (eg, your name or your server's hostname) [client1]:
    Name [EasyRSA]:
    Email Address [bazzd@posteo.de]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /usr/share/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'DE'
    stateOrProvinceName   :PRINTABLE:'MD'
    localityName          :PRINTABLE:'Magdeburg'
    organizationName      :PRINTABLE:'hack2sec'
    organizationalUnitName:PRINTABLE:'Whoami'
    commonName            :PRINTABLE:'client1'
    name                  :PRINTABLE:'EasyRSA'
    emailAddress          :IA5STRING:'bazzd@posteo.de'
    Certificate is to be certified until Oct 18 21:39:17 2026 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    #Generate the Diffie-Hellman parameters

    Code:
    root@whoami /usr/share/easy-rsa # ./build-dh
    #Copy the client keys to /etc/openvpn/keys/ on the client
    Code:
    scp -P 'sshPort' 'ServerIP':/usr/share/easy-rsa/keys/client1.key /etc/openvpn/keys/
    scp -P 'sshPort' 'ServerIP':/usr/share/easy-rsa/keys/client1.crt /etc/openvpn/keys/
    scp -P 'sshPort' 'ServerIP':/usr/share/easy-rsa/keys/ca.crt /etc/openvpn/keys/
    #Copy the server keys from /usr/share/easy-rsa/keys to /etc/openvpn/keys
    Code:
    # build-key-server was run with the name "Server", so the files are
    # Server.crt / Server.key (case matters; server.conf references them that way)
    cp /usr/share/easy-rsa/keys/ca.crt /etc/openvpn/keys/
    cp /usr/share/easy-rsa/keys/Server.crt /etc/openvpn/keys/
    cp /usr/share/easy-rsa/keys/Server.key /etc/openvpn/keys/
    cp /usr/share/easy-rsa/keys/dh4096.pem /etc/openvpn/keys/


    #Create the server configuration file
    Code:
    vi /etc/openvpn/server.conf

    #server.conf

    Code:
    cd /etc/openvpn
    
    tls-server
    mode server
    # VPN subnet handed out to clients (the post had "1.2.3.4 (Server IP)" here;
    # the server directive takes a network address, not the server's public IP)
    server 1.2.3.0 255.255.255.0
    
    client-to-client
    
    user nobody
    group nogroup
    
    #max-clients 7 (if needed)
    
    persist-key
    persist-tun
    
    proto udp
    # VPN port
    port 12345
    
    ifconfig-pool-persist ipp.txt
    
    dev tun0
    tun-mtu 1500
    fragment 1300
    
    ca keys/ca.crt
    cert keys/Server.crt
    key keys/Server.key
    dh keys/dh4096.pem
    
    ping-timer-rem
    keepalive 60 120
    
    comp-lzo yes
    push "comp-lzo yes"
    
    verb 3
    
    status status.log 5
    status-version 2


    #Create the client configuration file:
    Code:
    vi /etc/openvpn/client.conf
    #client.conf
    Code:
    cd /etc/openvpn
    
    client
    tls-client
    ns-cert-type server
    
    remote 1.2.3.4 12345
    
    dev tun
    
    proto udp
    
    user nobody
    group nogroup
    
    persist-tun
    persist-key
    
    tun-mtu 1500
    fragment 1300
    
    pull
    
    ca keys/ca.crt
    cert keys/client1.crt
    key keys/client1.key
    
    comp-lzo yes
    
    verb 3
    
    ping-timer-rem
    keepalive 20 120
    #Start OpenVPN

    Code:
    Client: openvpn /etc/openvpn/client.conf
    Server: openvpn /etc/openvpn/server.conf
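    Before starting both ends it pays to check that the two files agree. The following Python script is an added example, not part of the original post: it parses shortened copies of the post's server.conf and client.conf (constructed and embedded here, so it runs offline) and reports the directives both ends must share, plus two server-side sanity checks.

```python
import shlex

# Shortened copies of the post's server.conf and client.conf, constructed
# here (only the directives the check looks at) so the script runs offline.
SERVER_CONF = """\
server 1.2.3.0 255.255.255.0
proto udp
port 12345
tun-mtu 1500
fragment 1300
dh keys/dh4096.pem
comp-lzo yes
push "comp-lzo yes"
"""
CLIENT_CONF = """\
client
ns-cert-type server
remote 1.2.3.4 12345
proto udp
tun-mtu 1500
fragment 1300
comp-lzo yes
"""

def parse(conf):
    """Map each directive to its argument list; '#' comments are dropped."""
    out = {}
    for line in conf.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            out[parts[0]] = parts[1:]
    return out

def check(server_conf, client_conf):
    """Return the mismatches between the two ends (empty list = consistent)."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []
    # Transport parameters must be identical, or the tunnel fails silently.
    for d in ("proto", "tun-mtu", "fragment", "comp-lzo"):
        if s.get(d) != c.get(d):
            problems.append(f"{d}: server={s.get(d)} client={c.get(d)}")
    if c.get("remote", [])[1:2] != s.get("port"):
        problems.append("client 'remote' port differs from server 'port'")
    if "dh" not in s:
        problems.append("server: 'dh' missing")
    if not ({"ns-cert-type", "remote-cert-tls"} & set(c)):
        problems.append("client: server certificate type not verified")
    return problems
```

    The last check matters because without ns-cert-type (or the newer remote-cert-tls) any client certificate issued by the same CA could pose as the server.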


    #Have the service start automatically under systemd
    #Link the server VPN systemd service (automatic start)

    Code:
    ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
    Code:
    systemctl -f enable openvpn@server.service
    #Link the client VPN systemd service (automatic start)

    Code:
    ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@client.service
    Code:
    systemctl -f enable openvpn@client.service
    #Block all traffic
    #Allow VPN and SSH
    #Log everything
    #Start the firewall at system startup
    Code:
    vi firewallregeln.sh
    #firewallregeln.sh
    Code:
    #!/bin/bash
    # Firewall rules for the VPN server: default-deny, allow SSH and OpenVPN
    # inbound on the external interface, allow everything on the tunnel,
    # and log every accept and every final drop.

    IPT="/sbin/iptables"

    # Flush all rules and counters and delete user-defined chains
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -Z

    # Logging wrapper chains: log with a prefix, then ACCEPT or DROP
    $IPT -N MYACCEPT
    $IPT -A MYACCEPT -j LOG --log-prefix "FW-MYACCEPT:"
    $IPT -A MYACCEPT -j ACCEPT
    $IPT -N MYDROP
    $IPT -A MYDROP -j LOG --log-prefix "FW-MYDROP:"
    $IPT -A MYDROP -j DROP

    # Default policy: drop everything that no rule below explicitly allows
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    INT=eth0
    VPN=tun0

    # Packets belonging to connections that are already known
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Never forward packets claiming a loopback source address
    $IPT -A FORWARD -s 127.0.0.1/8 -j DROP

    # Loopback, and any new outbound connection on the external interface
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW -o $INT -j ACCEPT

    # Everything on the tunnel interface
    $IPT -A INPUT -i $VPN -j ACCEPT
    $IPT -A OUTPUT -o $VPN -j ACCEPT
    $IPT -A FORWARD -i $VPN -j ACCEPT

    #SSH (the SSH port used in this setup)
    $IPT -A INPUT -m state --state NEW -i $INT -p tcp --dport 12345 -j MYACCEPT

    #VPN (the port from server.conf)
    $IPT -A INPUT -m state --state NEW -i $INT -p udp --dport 12345 -j MYACCEPT

    # Log whatever is left before the DROP policy discards it
    $IPT -A INPUT -j LOG --log-prefix "FW-LAST-DROP:"
    $IPT -A OUTPUT -j LOG --log-prefix "FW-LAST-DROP:"
    $IPT -A FORWARD -j LOG --log-prefix "FW-LAST-DROP:"

    exit 0
    #Make the bash file executable
    Code:
    chmod 700 firewallregeln.sh


    #Start the firewall automatically at boot

    Code:
    vi /etc/rc.local
    #rc.local
    Code:
    #!/bin/sh -e
    #
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order to enable or disable this script just change the execution
    # bits.
    #
    # By default this script does nothing.
    
    # Firewall
    /root/firewallregeln.sh
    exit 0
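    Because every accept and every final drop is logged with the prefixes FW-MYACCEPT: and FW-LAST-DROP:, the kernel log is where you review what the firewall actually did. The following Python script is an added example, not part of the original post: it parses constructed, abbreviated kern.log lines in the form iptables LOG writes them, counts inbound drops per source and port, and flags sources that probed several ports.

```python
import re
from collections import Counter

# Constructed sample lines (abbreviated: real LOG lines also carry MAC=, TTL=,
# ID=, WINDOW= ...) using the prefixes set in firewallregeln.sh above.
SAMPLE_LOG = """\
Oct 20 21:50:01 whoami kernel: [ 120.1] FW-MYACCEPT:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50112 DPT=12345 SYN
Oct 20 21:50:02 whoami kernel: [ 121.2] FW-MYACCEPT:IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 LEN=86 PROTO=UDP SPT=1194 DPT=12345
Oct 20 21:50:03 whoami kernel: [ 122.3] FW-LAST-DROP:IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=44321 DPT=23 SYN
Oct 20 21:50:04 whoami kernel: [ 123.4] FW-LAST-DROP:IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=44322 DPT=22 SYN
Oct 20 21:50:05 whoami kernel: [ 124.5] FW-LAST-DROP:IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=44323 DPT=3389 SYN
Oct 20 21:50:06 whoami kernel: [ 125.6] FW-LAST-DROP:IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.9 LEN=40 PROTO=TCP SPT=12345 DPT=55001 ACK RST
"""

# The prefix is written with no trailing space, so "IN=" follows the colon directly.
LINE_RE = re.compile(r"(?P<prefix>FW-[A-Z-]+):(?P<fields>.*)$")

def parse_line(line):
    """Return (prefix, {KEY: value}) for a firewall log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, _, val = tok.partition("=")
        fields[key] = val          # bare flags such as SYN get an empty value
    return m.group("prefix"), fields

def summarise(log):
    """Count inbound drops per (source, proto, dport) and list sources that
    hit three or more distinct ports, which is what a port probe looks like."""
    drops, dports_by_src, accepted_new = Counter(), {}, []
    for line in log.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        prefix, f = parsed
        if prefix == "FW-MYACCEPT":
            accepted_new.append((f["SRC"], f["PROTO"], f["DPT"]))
        elif prefix == "FW-LAST-DROP" and f.get("IN"):   # inbound only; OUTPUT
            drops[(f["SRC"], f["PROTO"], f["DPT"])] += 1   # and FORWARD share
            dports_by_src.setdefault(f["SRC"], set()).add(f["DPT"])  # the prefix
    scanners = sorted(s for s, p in dports_by_src.items() if len(p) >= 3)
    return {"accepted": accepted_new, "drops": drops, "scanners": scanners}
```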
    #OpenVPN tuning
    #in the file /etc/openvpn/server.conf:
    Code:
    sndbuf 562500 
    rcvbuf 562500 
    
    push "sndbuf 562500" 
    push "rcvbuf 562500"
    #entry in the file /etc/sysctl.conf (on server + client)

    Code:
    net.core.rmem_default = 562500 
    net.core.rmem_max = 562500 
    net.core.wmem_default = 562500 
    net.core.wmem_max = 562500
    #Route all traffic through the server once the VPN is up:

    #in the file /etc/openvpn/server.conf

    Code:
    push "redirect-gateway def1" 
    push "dhcp-option DNS 8.8.8.8"

    #in the file /etc/sysctl.conf, enable packet forwarding

    Code:
    net.ipv4.ip_forward=1
    #Enable NAT in firewallregeln.sh

    Code:
    $IPT -t nat -A POSTROUTING -o eth0 -s 1.2.3.4/24 -j SNAT --to 'ServerIP'
    #View the firewall
    Code:
    iptables -nvL
    #Switch off the firewall
    Code:
    vi firewallausschalten.sh
    #firewallausschalten.sh
    Code:
    #!/bin/bash
    
    
    IPT="/sbin/iptables"
     
    
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -Z
    
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    
    exit
    Memento Mori

  3. #2

    This thread is quite old, but anyone who does not want to go through the whole installation can have a look at this.

    GitHub - Nyr/openvpn-install: OpenVPN road warrior installer for Debian, Ubuntu and CentOS

    With it, really anyone can get OpenVPN set up on their server, and the script does everything by itself.

    The code is of course open and can be inspected by anyone.

    Works on Debian, Ubuntu and CentOS.

    Regards
