- OpenVPN server configuration (systemd) on Debian 8.
- Certificate-based, using X.509 certificates over TLS with 4096-bit RSA keys
- Configure iptables and control traffic
- Optimize the VPN
- Route all traffic through the VPN
#OpenVPN installation
Code:
apt-get install openvpn
#Edit the vars key file and set the certificate details
Code:
root@whoami /usr/share/easy-rsa # vi vars
export KEY_SIZE=4096
export KEY_COUNTRY="DE"
export KEY_PROVINCE="MD"
export KEY_CITY="Magdeburg"
export KEY_ORG="hack2sec"
export KEY_EMAIL="bazzd@posteo.de"
export KEY_OU="Whoami"
#Create the certificate authority
Code:
# run "source ./vars" first so that clean-all and build-ca pick up the values set above
root@whoami /usr/share/easy-rsa # ./clean-all
root@whoami /usr/share/easy-rsa # ./build-ca
Generating a 4096 bit RSA private key
...............++
...............++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [MD]:
Locality Name (eg, city) [Magdeburg]:
Organization Name (eg, company) [hack2sec]:
Organizational Unit Name (eg, section) [Whoami]:
Common Name (eg, your name or your server's hostname) [hack2sec CA]:Server
Name [EasyRSA]:
Email Address [bazzd@posteo.de]:
#Create the server certificate
Code:
root@whoami /usr/share/easy-rsa # ./build-key-server Server
Generating a 4096 bit RSA private key
.........................++
........................................++
writing new private key to 'Server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [MD]:
Locality Name (eg, city) [Magdeburg]:
Organization Name (eg, company) [hack2sec]:
Organizational Unit Name (eg, section) [Whoami]:
Common Name (eg, your name or your server's hostname) [Server]:
Name [EasyRSA]:
Email Address [bazzd@posteo.de]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'DE'
stateOrProvinceName :PRINTABLE:'MD'
localityName :PRINTABLE:'Magdeburg'
organizationName :PRINTABLE:'hack2sec'
organizationalUnitName:PRINTABLE:'Whoami'
commonName :PRINTABLE:'Server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'bazzd@posteo.de'
Certificate is to be certified until Oct 18 21:33:39 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#Create client certificates
Code:
root@whoami /usr/share/easy-rsa # ./build-key client1
Generating a 4096 bit RSA private key
......................................++
..++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [MD]:
Locality Name (eg, city) [Magdeburg]:
Organization Name (eg, company) [hack2sec]:
Organizational Unit Name (eg, section) [Whoami]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [EasyRSA]:
Email Address [bazzd@posteo.de]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'DE'
stateOrProvinceName :PRINTABLE:'MD'
localityName :PRINTABLE:'Magdeburg'
organizationName :PRINTABLE:'hack2sec'
organizationalUnitName:PRINTABLE:'Whoami'
commonName :PRINTABLE:'client1'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'bazzd@posteo.de'
Certificate is to be certified until Oct 18 21:39:17 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#Generate Diffie-Hellman parameters
Code:
root@whoami /usr/share/easy-rsa # ./build-dh
#Copy client keys to /etc/openvpn/keys/ on the client
Code:
scp -P 'sshPort' 'ServerIP':/usr/share/easy-rsa/keys/client1.key /etc/openvpn/keys/
scp -P 'sshPort' 'ServerIP':/usr/share/easy-rsa/keys/client1.crt /etc/openvpn/keys/
scp -P 'sshPort' 'ServerIP':/usr/share/easy-rsa/keys/ca.crt /etc/openvpn/keys/
#Copy server keys from /usr/share/easy-rsa/keys to /etc/openvpn/keys
Code:
cp /usr/share/easy-rsa/keys/ca.crt /etc/openvpn/keys/
# file names match the name passed to build-key-server above ("Server", capital S)
cp /usr/share/easy-rsa/keys/Server.crt /etc/openvpn/keys/
cp /usr/share/easy-rsa/keys/Server.key /etc/openvpn/keys/
cp /usr/share/easy-rsa/keys/dh4096.pem /etc/openvpn/keys/
#Create the server configuration file
Code:
vi /etc/openvpn/server.conf
#server.conf
Code:
# relative paths below resolve from /etc/openvpn, the working directory of openvpn@.service
tls-server
mode server
# VPN-internal subnet as network address + netmask (example value), not the server's public IP
server 10.8.0.0 255.255.255.0
client-to-client
user nobody
group nogroup
#max-clients 7 (if needed)
persist-key
persist-tun
proto udp
# VPN port
port 12345
ifconfig-pool-persist ipp.txt
dev tun0
tun-mtu 1500
fragment 1300
ca keys/ca.crt
cert keys/Server.crt
key keys/Server.key
dh keys/dh4096.pem
ping-timer-rem
keepalive 60 120
comp-lzo yes
push "comp-lzo yes"
verb 3
status status.log 5
status-version 2
#Create the client configuration file:
Code:
vi /etc/openvpn/client.conf
#client.conf
Code:
# relative paths below resolve from /etc/openvpn
client
tls-client
# accept only a server certificate built with build-key-server (nsCertType=server);
# remote-cert-tls server is the newer equivalent
ns-cert-type server
# public IP and port of the server
remote 1.2.3.4 12345
dev tun
proto udp
user nobody
group nogroup
persist-tun
persist-key
tun-mtu 1500
fragment 1300
pull
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
comp-lzo yes
verb 3
ping-timer-rem
keepalive 20 120
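As an added check that is not part of the original post: the client's ns-cert-type server line above only accepts a server certificate that carries nsCertType=server, which is what build-key-server sets and build-key does not. The script below verifies that a certificate chains to ca.crt and has that marking; the demo PKI in make_demo_pki is constructed for the example (2048-bit keys, temporary directory) and assumes the openssl CLI, the real files live in /etc/openvpn/keys/.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI.
# check_server_cert CA CERT -> 0 if CERT chains to CA and is marked as a
# server certificate (nsCertType=server), 1 if the chain fails, 2 if the
# marking is missing (the client's "ns-cert-type server" would reject it).
check_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -q 'SSL Server' || return 2
    return 0
}

# Constructed demo PKI in directory $1: a CA, a server certificate signed with
# nsCertType=server (what easy-rsa's build-key-server does) and a plain client
# certificate (what build-key does). 2048-bit keys only to keep it fast.
make_demo_pki() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=demo CA' -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Server' \
        -keyout "$d/Server.key" -out "$d/Server.csr" 2>/dev/null
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
    openssl x509 -req -in "$d/Server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/server.ext" -out "$d/Server.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=client1' \
        -keyout "$d/client1.key" -out "$d/client1.csr" 2>/dev/null
    openssl x509 -req -in "$d/client1.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client1.crt" 2>/dev/null
}

# On the real server:
#   check_server_cert /etc/openvpn/keys/ca.crt /etc/openvpn/keys/Server.crt
```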
#Start OpenVPN
Code:
# change to /etc/openvpn first so that the relative keys/ paths in the configs resolve
cd /etc/openvpn
Client: openvpn /etc/openvpn/client.conf
Server: openvpn /etc/openvpn/server.conf
#Start the service automatically under systemd
#Link the server VPN systemd service (automatic start)
Code:
ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
Code:
systemctl -f enable openvpn@server.service
#Link the client VPN systemd service (automatic start)
Code:
ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@client.service
Code:
systemctl -f enable openvpn@client.service
#Block all traffic
#Allow VPN and SSH
#Log everything
#Start the firewall at boot
Code:
vi firewallregeln.sh
#firewallregeln.sh
Code:
#!/bin/bash
IPT="/sbin/iptables"
# flush all rules, delete user chains, zero the counters
$IPT -F
$IPT -t nat -F
$IPT -X
$IPT -Z
# logging wrappers: MYACCEPT/MYDROP log with a prefix and then accept/drop
$IPT -N MYACCEPT
$IPT -A MYACCEPT -j LOG --log-prefix "FW-MYACCEPT:"
$IPT -A MYACCEPT -j ACCEPT
$IPT -N MYDROP
$IPT -A MYDROP -j LOG --log-prefix "FW-MYDROP:"
$IPT -A MYDROP -j DROP
# default policy: block all traffic (IPv4 only; ip6tables is not touched by this script)
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
INT=eth0
VPN=tun0
# replies belonging to connections that are already established
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -s 127.0.0.1/8 -j DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# the server itself may open new outbound connections
$IPT -A OUTPUT -m state --state NEW -o $INT -j ACCEPT
# everything on the VPN interface is allowed
$IPT -A INPUT -i $VPN -j ACCEPT
$IPT -A OUTPUT -o $VPN -j ACCEPT
$IPT -A FORWARD -i $VPN -j ACCEPT
#SSH (port as set in sshd_config; logged via MYACCEPT)
$IPT -A INPUT -m state --state NEW -i $INT -p tcp --dport 12345 -j MYACCEPT
#VPN (port from server.conf)
$IPT -A INPUT -m state --state NEW -i $INT -p udp --dport 12345 -j MYACCEPT
# log whatever falls through before the DROP policy applies
$IPT -A INPUT -j LOG --log-prefix "FW-LAST-DROP:"
$IPT -A OUTPUT -j LOG --log-prefix "FW-LAST-DROP:"
$IPT -A FORWARD -j LOG --log-prefix "FW-LAST-DROP:"
exit
#Make the bash file executable
Code:
chmod 700 firewallregeln.sh
#Start the firewall automatically at boot
Code:
vi /etc/rc.local
#rc.local
Code:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# Firewall
/root/firewallregeln.sh
exit 0
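Added example, not from the original post: the three FW-LAST-DROP LOG rules at the end of firewallregeln.sh write every packet that hits the DROP policy to the kernel log, and the script below summarises those entries by protocol/destination port and source address so that blocked probes against the server stand out. The log lines in sample_log are constructed in the format of the iptables LOG target; /var/log/kern.log as the log file is an assumption for Debian 8 with rsyslog.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what the final LOG
# rules in firewallregeln.sh dropped. stdin: kernel log lines in iptables LOG
# format; stdout: "COUNT PROTO/DPT SRC", most frequent first. FW-MYACCEPT
# lines (accepted SSH/VPN connections) are ignored.
summarize_drops() {
    grep 'FW-LAST-DROP:' | awk '{
        src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        print proto "/" dpt " " src
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Constructed sample (not real traffic) in the format the LOG target writes to
# the kernel log (assumed to be /var/log/kern.log on Debian 8 with rsyslog).
sample_log() {
    cat <<'EOF'
Oct 18 21:40:01 whoami kernel: [ 120.1] FW-LAST-DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=44444 DPT=23 WINDOW=1024 SYN
Oct 18 21:40:02 whoami kernel: [ 121.3] FW-MYACCEPT:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=60 ID=1 DF PROTO=UDP SPT=51000 DPT=12345 LEN=40
Oct 18 21:40:03 whoami kernel: [ 122.7] FW-LAST-DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=44445 DPT=23 WINDOW=1024 SYN
Oct 18 21:40:04 whoami kernel: [ 123.9] FW-LAST-DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.7 LEN=84 TTL=64 ID=5 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# Most frequent dropped flow in the sample.
top_dropped() { sample_log | summarize_drops | head -n 1; }

# On the real server: grep FW-LAST-DROP /var/log/kern.log | summarize_drops
```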
#OpenVPN tuning
#In file /etc/openvpn/server.conf:
Code:
sndbuf 562500
rcvbuf 562500
push "sndbuf 562500"
push "rcvbuf 562500"
#Entry in /etc/sysctl.conf (on server + client)
Code:
net.core.rmem_default = 562500
net.core.rmem_max = 562500
net.core.wmem_default = 562500
net.core.wmem_max = 562500
#Redirect all traffic through the server after VPN dial-in:
#In file /etc/openvpn/server.conf
Code:
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
#Enable packet forwarding in /etc/sysctl.conf
Code:
net.ipv4.ip_forward=1
#Enable NAT in firewallregeln.sh
Code:
# source = the VPN subnet given to the server directive in server.conf; 'ServerIP' = the server's public address
$IPT -t nat -A POSTROUTING -o $INT -s 10.8.0.0/24 -j SNAT --to 'ServerIP'
#View the firewall
Code:
# add -t nat to also see the POSTROUTING SNAT rule
iptables -nvL
#Disable the firewall
Code:
vi firewallausschalten.sh
#firewallausschalten.sh
Code:
#!/bin/bash
# flush all rules and user chains and open the default policies again
IPT="/sbin/iptables"
$IPT -F
$IPT -t nat -F
$IPT -X
$IPT -Z
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
exit