- OpenVPN Server Konfiguration (Systemd) unter Debian 8.
- Zertifikatsbasiert mit X.509-Zertifikaten über TLS - 4096-Bit-RSA-Schlüssel
- iptables konfigurieren und Traffic kontrollieren
- VPN optimieren
- gesamten Traffic über VPN umleiten


#OpenVPN Installation
Code:
apt-get install openvpn


#vars Schlüsseldatei bearbeiten und Eckdaten für Zertifikate angeben

Code:
root@whoami /usr/share/easy-rsa # vi vars 

# Defaults that easy-rsa's build-ca / build-key* scripts offer for the
# Distinguished Name fields of every certificate request; KEY_SIZE is the
# RSA modulus length in bits.
KEY_SIZE=4096
KEY_COUNTRY="DE"
KEY_PROVINCE="MD"
KEY_CITY="Magdeburg"
KEY_ORG="hack2sec"
KEY_EMAIL="bazzd@posteo.de"
KEY_OU="Whoami"
export KEY_SIZE KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL KEY_OU


#Zertifizierungsstelle erstellen

Code:
root@whoami /usr/share/easy-rsa # ./clean-all 
root@whoami /usr/share/easy-rsa # ./build-ca 
Generating a 4096 bit RSA private  key...............................................................................................................++
...........................................................................................................................................................................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [MD]:
Locality Name (eg, city) [Magdeburg]:
Organization Name (eg, company) [hack2sec]:
Organizational Unit Name (eg, section) [Whoami]:
Common Name (eg, your name or your server's hostname) [hack2sec CA]:Server
Name [EasyRSA]:
Email Address [bazzd@posteo.de]:
#Server Zertifikat erstellen

Code:
root@whoami /usr/share/easy-rsa # ./build-key-server Server
Generating a 4096 bit RSA private key
.........................++
........................................++
writing new private key to 'Server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [MD]:
Locality Name (eg, city) [Magdeburg]:
Organization Name (eg, company) [hack2sec]:
Organizational Unit Name (eg, section) [Whoami]:
Common Name (eg, your name or your server's hostname) [Server]:
Name [EasyRSA]:
Email Address [bazzd@posteo.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'MD'
localityName          :PRINTABLE:'Magdeburg'
organizationName      :PRINTABLE:'hack2sec'
organizationalUnitName:PRINTABLE:'Whoami'
commonName            :PRINTABLE:'Server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'bazzd@posteo.de'
Certificate is to be certified until Oct 18 21:33:39 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#Client Zertifikate erstellen

Code:
root@whoami /usr/share/easy-rsa # ./build-key client1
Generating a 4096 bit RSA private key
......................................++
..++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [MD]:
Locality Name (eg, city) [Magdeburg]:
Organization Name (eg, company) [hack2sec]:
Organizational Unit Name (eg, section) [Whoami]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [EasyRSA]:
Email Address [bazzd@posteo.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'MD'
localityName          :PRINTABLE:'Magdeburg'
organizationName      :PRINTABLE:'hack2sec'
organizationalUnitName:PRINTABLE:'Whoami'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'bazzd@posteo.de'
Certificate is to be certified until Oct 18 21:39:17 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#Diffie-Hellman-Parameter generieren

Code:
root@whoami /usr/share/easy-rsa # ./build-dh
#Client Keys nach /etc/openvpn/keys/ zum Client kopieren
Code:
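# Run on the client: fetch client1's certificate and private key plus the CA
# certificate from the server over SSH. The two placeholders below are the
# SSH port and address of the server. (The original third line had a broken
# quote pair, 'sshPort 'ServerIP:..., which joined the port and host.)
#
# The client key was generated on the server by ./build-key; once it has been
# copied, it should be deleted from /usr/share/easy-rsa/keys on the server so
# that only the client holds it.
ssh_port='sshPort'
server_ip='ServerIP'

mkdir -p /etc/openvpn/keys
scp -P "$ssh_port" "$server_ip":/usr/share/easy-rsa/keys/client1.key /etc/openvpn/keys/
scp -P "$ssh_port" "$server_ip":/usr/share/easy-rsa/keys/client1.crt /etc/openvpn/keys/
scp -P "$ssh_port" "$server_ip":/usr/share/easy-rsa/keys/ca.crt /etc/openvpn/keys/

# The private key must not be world-readable.
chmod 600 /etc/openvpn/keys/client1.key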
#ServerKeys von /usr/share/easy-rsa/keys nach /etc/openvpn/keys kopieren
Code:
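# Run on the server: copy the CA certificate, the server certificate/key and
# the DH parameters into the directory server.conf points at (keys/...).
# easy-rsa named the server files after the Common Name given to
# ./build-key-server, i.e. "Server.key" / "Server.crt" with a capital S —
# the lowercase names used before did not exist.
src=/usr/share/easy-rsa/keys
dst=/etc/openvpn/keys

mkdir -p "$dst"
for f in ca.crt Server.crt Server.key dh4096.pem; do
  cp -- "$src/$f" "$dst/"
done

# Only root (the user openvpn starts as) needs to read the private key.
chmod 600 "$dst/Server.key"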


#Server Konfigurationsdatei erstellen
Code:
vi /etc/openvpn/server.conf

#server.conf

Code:
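# /etc/openvpn/server.conf — OpenVPN 2.3 server (Debian 8).
# Relative paths (keys/..., ipp.txt, status.log) resolve against
# /etc/openvpn, which the openvpn@.service unit uses as its working
# directory; when starting by hand, cd /etc/openvpn first.

tls-server
mode server

# Tunnel subnet handed out to clients. "server" takes a private *network*
# address (host bits zero) plus netmask — not the server's public IP, which
# only belongs in the client's "remote" line. The parser treats any extra
# words on the line as parameters and rejects the directive, so annotations
# have to go into comments like this one.
# 10.8.0.0/24 is a constructed example; use the same subnet in the
# firewall's SNAT "-s" match when client traffic is redirected through
# the server.
server 10.8.0.0 255.255.255.0

client-to-client

# Drop root privileges once the tunnel is up.
user nobody
group nogroup

#max-clients 7   (bei Bedarf)

# Required together with user/group: after the privilege drop the process
# can no longer re-read the keys or re-open the tun device on restart.
persist-key
persist-tun

proto udp
# VPN port; must match the udp rule in firewallregeln.sh.
port 12345

ifconfig-pool-persist ipp.txt

dev tun0
tun-mtu 1500
fragment 1300

# File names follow the Common Name given to ./build-key-server ("Server");
# the names are case-sensitive on disk.
ca keys/ca.crt
cert keys/Server.crt
key keys/Server.key
dh keys/dh4096.pem

# Not configured here, and each must be set identically on the client before
# it can be enabled: "tls-auth keys/ta.key 0" (HMAC on the control channel,
# key from "openvpn --genkey --secret ta.key") and explicit "cipher"/"auth"
# — OpenVPN 2.3 otherwise defaults to BF-CBC (64-bit block) with SHA1.

ping-timer-rem
keepalive 60 120

# LZO compression of the tunnel payload. Compressing attacker-influenced
# data alongside secrets is a known side-channel class; drop it on both
# sides if the bandwidth saving is not needed.
comp-lzo yes
push "comp-lzo yes"

verb 3

status status.log 5
status-version 2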


#Client Konfigurationsdatei erstellen:
Code:
vi /etc/openvpn/client.conf
#client.conf
Code:
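# /etc/openvpn/client.conf — OpenVPN 2.3 client for the server above.
# Relative paths (keys/...) resolve against /etc/openvpn, the working
# directory of the openvpn@.service unit; when starting by hand,
# cd /etc/openvpn first.

client
tls-client

# Verify that the peer presents a *server* certificate, so that another
# client certificate signed by the same CA cannot impersonate the server.
# remote-cert-tls checks the extendedKeyUsage=serverAuth that easy-rsa's
# build-key-server (openssl-1.0.0.cnf, [server] section) puts into server
# certificates; it replaces the deprecated Netscape-extension check
# ns-cert-type, which later OpenVPN releases no longer support.
remote-cert-tls server

# Public address (or hostname) and UDP port of the server.
remote 1.2.3.4 12345

dev tun

proto udp

# Drop root privileges once the tunnel is up (hence persist-tun/persist-key).
user nobody
group nogroup

persist-tun
persist-key

# Must match the server's tun-mtu/fragment settings.
tun-mtu 1500
fragment 1300

# Accept options pushed by the server (comp-lzo, routes, DNS, ...).
pull

ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key

# Must match the server ("comp-lzo yes" is also pushed from there).
comp-lzo yes

verb 3

ping-timer-rem
keepalive 20 120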
#OpenVPN starten

Code:
Client: openvpn /etc/openvpn/client.conf
Server: openvpn /etc/openvpn/server.conf


#Dienst unter systemd automatisch starten lassen
#Server VPN Systemd Dienst verknüpfen (automatischer Start)

Code:
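# Start the server instance at boot. openvpn@.service is a template unit;
# the instance name "server" selects /etc/openvpn/server.conf.
# "systemctl enable" creates the multi-user.target.wants symlink itself, so
# the manual ln -s (and the -f needed to override it) is not required — a
# hand-made link is also not tracked by systemd's enable/disable state.
systemctl enable openvpn@server.service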
#Client VPN Systemd Dienst verknüpfen (automatischer Start)

Code:
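# Run on the client: start the client instance at boot. The instance name
# "client" selects /etc/openvpn/client.conf. "systemctl enable" creates the
# multi-user.target.wants symlink itself, so the manual ln -s (and the -f
# needed to override it) is not required.
systemctl enable openvpn@client.service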
#Sämtlichen Traffic blockieren
#VPN und SSH erlauben
#Alles Protokollieren
#Firewall mit Systemstart starten
Code:
vi firewallregeln.sh
#firewallregeln.sh
Code:
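#!/bin/bash
# firewallregeln.sh — stateful iptables ruleset for the OpenVPN host.
#
# Default policy is DROP on INPUT, OUTPUT and FORWARD; only loopback,
# conntrack-established traffic, the tunnel interface and the two listening
# ports on the uplink (SSH/tcp and OpenVPN/udp, both 12345 here) are let in.
# New outbound connections from the host itself are allowed without
# restriction. Accepted service connections are logged with FW-MYACCEPT:,
# whatever falls through to the DROP policy with FW-LAST-DROP:.
#
# Run as root; rc.local calls it as /root/firewallregeln.sh at boot.
# IPv4 only: ip6tables is untouched, so if the host has IPv6 connectivity
# the same policy has to be applied there separately.

set -u

IPT="/sbin/iptables"

INT=eth0   # uplink interface
VPN=tun0   # OpenVPN tunnel interface ("dev tun0" in server.conf)

# Lock the policies down *before* flushing, so the host never fails open
# between the flush and the re-adding of the rules below.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# Clean slate: rules, user chains and counters in filter and nat.
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -X
"$IPT" -t nat -X
"$IPT" -Z

# Logging wrapper chains. MYDROP is provided for custom rules; nothing
# below references it yet.
"$IPT" -N MYACCEPT
"$IPT" -A MYACCEPT -j LOG --log-prefix "FW-MYACCEPT:"
"$IPT" -A MYACCEPT -j ACCEPT
"$IPT" -N MYDROP
"$IPT" -A MYDROP -j LOG --log-prefix "FW-MYDROP:"
"$IPT" -A MYDROP -j DROP

# Replies to connections conntrack already knows about.
"$IPT" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Never forward packets claiming a loopback source.
"$IPT" -A FORWARD -s 127.0.0.0/8 -j DROP

# Loopback is trusted; the host may open any new connection on the uplink.
"$IPT" -A INPUT  -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT
"$IPT" -A OUTPUT -m state --state NEW -o "$INT" -j ACCEPT

# Everything arriving through the tunnel has passed OpenVPN's TLS
# authentication and is trusted. The FORWARD rule is what lets client
# traffic be routed out through the uplink (together with the SNAT rule)
# when redirect-gateway is pushed.
"$IPT" -A INPUT   -i "$VPN" -j ACCEPT
"$IPT" -A OUTPUT  -o "$VPN" -j ACCEPT
"$IPT" -A FORWARD -i "$VPN" -j ACCEPT

# Services reachable from the uplink. Both use 12345 here; that works
# because one is TCP and the other UDP.
SSH_PORT=12345
VPN_PORT=12345   # must match "port" in server.conf

#SSH
"$IPT" -A INPUT -m state --state NEW -i "$INT" -p tcp --dport "$SSH_PORT" -j MYACCEPT

#VPN
"$IPT" -A INPUT -m state --state NEW -i "$INT" -p udp --dport "$VPN_PORT" -j MYACCEPT

# Log what reaches the DROP policy. Rate-limited so that a flood of unwanted
# packets cannot fill /var/log.
for chain in INPUT OUTPUT FORWARD; do
  "$IPT" -A "$chain" -m limit --limit 10/min --limit-burst 20 \
    -j LOG --log-prefix "FW-LAST-DROP:"
done

exit 0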
#bashdatei ausführbar machen
Code:
# Owner-only rwx. rc.local (below) runs it as /root/firewallregeln.sh, so the
# file has to be created or moved there.
chmod 700 firewallregeln.sh


#automatischer start der firewall beim booten

Code:
vi /etc/rc.local
#rc.local
Code:
#!/bin/sh -e
#
# rc.local
#
# Executed at the end of each multiuser runlevel (under systemd through
# rc-local.service, as long as this file is executable). It has to
# "exit 0" on success or return any other value on error.
#
# Enable or disable the script by changing its execution bits.
#
# Here it only loads the iptables ruleset. Because of "sh -e" a failing
# firewallregeln.sh aborts rc.local with that script's exit status instead
# of being ignored silently.

# Firewall — the script must exist at /root/firewallregeln.sh and be executable.
/root/firewallregeln.sh || exit $?
exit 0
#openVPN Tuning
#in Datei /etc/openvpn/server.conf:
Code:
# Socket buffer sizes for the server's own UDP socket (sndbuf/rcvbuf) and,
# via push, for each client. The tutorial's figure of 562500 bytes is only
# honoured if the kernel allows it — see the net.core.*mem_max entries for
# /etc/sysctl.conf below, which have to be raised on both ends.
sndbuf 562500 
rcvbuf 562500 

push "sndbuf 562500" 
push "rcvbuf 562500"
#eintrag in datei /etc/sysctl.conf (auf server + client)

Code:
# /etc/sysctl.conf (server and client): default and maximum socket receive /
# send buffer sizes. *_max caps what a socket may ask for, so it must be at
# least the sndbuf/rcvbuf value configured in OpenVPN (562500 here).
net.core.rmem_default = 562500 
net.core.rmem_max = 562500 
net.core.wmem_default = 562500 
net.core.wmem_max = 562500
#sämtlichen traffic nach vpn-einwahl über den server umleiten:

#in datei /etc/openvpn/server.conf

Code:
# /etc/openvpn/server.conf: make every connected client send all of its
# traffic through the tunnel (def1 overrides the client's default route
# without deleting it). This only works together with ip_forward=1 and the
# SNAT rule below; without them client traffic dies on the server.
push "redirect-gateway def1" 
# Resolver pushed to clients. 8.8.8.8 is Google's public DNS; with the
# default route redirected, all client name lookups go to whatever is set
# here, so pick a resolver you are prepared to trust with that data.
push "dhcp-option DNS 8.8.8.8"

#in datei /etc/sysctl.conf weiterleitung von paketen einschalten

Code:
# /etc/sysctl.conf on the server: let the kernel route packets between
# interfaces (tun0 <-> eth0). This turns the host into a router, which is
# why firewallregeln.sh keeps the FORWARD policy at DROP and only opens
# it for the tunnel interface.
net.ipv4.ip_forward=1
#in firewallregeln.sh NAT aktivieren

Code:
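# Append to firewallregeln.sh, after its flush lines (-F / -t nat -F would
# otherwise wipe this rule again): rewrite the source address of packets
# that leave eth0 coming from the tunnel, so replies to redirected client
# traffic find their way back.
# -s is the tunnel subnet from the "server" directive in server.conf
# (iptables stores 1.2.3.4/24 as the network 1.2.3.0/24); --to-source is
# the server's public IP on eth0. On a host whose public address changes,
# use "-j MASQUERADE" without --to-source instead.
"$IPT" -t nat -A POSTROUTING -o eth0 -s 1.2.3.4/24 -j SNAT --to-source 'ServerIP'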
#firewall einsehen
Code:
iptables -nvL
#firewall ausschalten
Code:
vi firewallausschalten.sh
#firewallausschalten.sh
Code:
#!/bin/bash
# firewallausschalten.sh — remove everything firewallregeln.sh set up and
# open the host again (policy ACCEPT on INPUT, OUTPUT and FORWARD).
# Afterwards the host has no packet filtering until firewallregeln.sh is
# run again.

IPT="/sbin/iptables"

# Drop all rules and counters in the filter table, all rules in the nat
# table, and the MYACCEPT/MYDROP helper chains.
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -X
"$IPT" -Z

# Reset the default policies so that everything passes.
for chain in INPUT OUTPUT FORWARD; do
  "$IPT" -P "$chain" ACCEPT
done

exit