Al jaren draai ik thuis een servertje, vroeger was dat nogal uitgebreid met diverse netwerk-segmenten waarvoor 't ding router was en had ik mijn eigen mailserver en wat niet meer draaien. Tegenwoordig is het vooral een veredelde NAS, maar wel op een echte server die energiezuinig is met z'n SSD's en een echte distributie erop:
Met Let's Encrypt certificaat:
Hiervoor gebruik ik een handig scrippie: https://github.com/angristan/openvpn-install Download het geval en maak het executable:
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh chmod +x openvpn-install.sh
Voer het uit en gebruik het meest de defaults:
michelle@roer:~/bin$ sudo ./openvpn-install.sh install [INFO] === OpenVPN Non-Interactive Install === [INFO] Running in non-interactive mode with the following settings: [INFO] ENDPOINT=77.171.80.214 [INFO] ENDPOINT_TYPE=4 [INFO] CLIENT_IPV4=y [INFO] CLIENT_IPV6=n [INFO] VPN_SUBNET_IPV4=10.8.0.0 [INFO] VPN_SUBNET_IPV6=fd42:42:42:42:: [INFO] PORT=1194 [INFO] PROTOCOL=udp [INFO] DNS=cloudflare [INFO] MULTI_CLIENT=n [INFO] AUTH_MODE=pki [INFO] CLIENT=client [INFO] CLIENT_CERT_DURATION_DAYS=3650 [INFO] SERVER_CERT_DURATION_DAYS=3650 [INFO] Setting up official OpenVPN repository... > apt-get update > apt-get install -y ca-certificates curl > mkdir -p /etc/apt/keyrings > curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg -o /etc/apt/keyrings/openvpn-repo-public.asc [INFO] Updating package lists with new repository... > apt-get update [INFO] OpenVPN official repository configured [INFO] Installing OpenVPN and dependencies... > apt-get install -y openvpn iptables openssl curl ca-certificates tar dnsutils socat [INFO] Data Channel Offload (DCO) is not available (requires OpenVPN 2.6+ and kernel support) > mkdir -p /etc/openvpn/server > curl -fL --retry 5 -o /tmp/easy-rsa.gsLkP3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.6/EasyRSA-3.2.6.tgz [INFO] Verifying Easy-RSA checksum... > mkdir -p /etc/openvpn/server/easy-rsa > tar xzf /tmp/easy-rsa.gsLkP3.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/server/easy-rsa > rm -f /tmp/easy-rsa.gsLkP3.tgz [INFO] Initializing PKI... > ./easyrsa init-pki [INFO] Building CA... > ./easyrsa --batch --req-cn=cn_jPf4c13rKvpdCoX7 build-ca nopass [INFO] Building server certificate... > ./easyrsa --batch build-server-full server_JtWaiX0iDcYANtAt nopass > ./easyrsa gen-crl [INFO] Generating TLS key... > openvpn --genkey tls-crypt-v2-server /etc/openvpn/server/tls-crypt-v2.key [INFO] Copying certificates... > cp pki/ca.crt pki/private/ca.key pki/issued/server_JtWaiX0iDcYANtAt.crt pki/private/server_JtWaiX0iDcYANtAt.key /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server > chmod 644 /etc/openvpn/server/crl.pem [INFO] Generating server configuration... > mkdir -p /etc/openvpn/server/ccd > mkdir -p /var/log/openvpn [INFO] Enabling IP forwarding... > mkdir -p /etc/sysctl.d > sysctl --system [INFO] Configuring OpenVPN service... > cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service > sed -i s|LimitNPROC|#LimitNPROC| /etc/systemd/system/openvpn-server@.service > sed -i /\[Service\]/a RuntimeDirectory=openvpn-server /etc/systemd/system/openvpn-server@.service > systemctl daemon-reload > systemctl enable openvpn-server@server > systemctl restart openvpn-server@server [INFO] Configuring firewall rules... > mkdir -p /etc/iptables > chmod +x /etc/iptables/add-openvpn-rules.sh > chmod +x /etc/iptables/rm-openvpn-rules.sh > systemctl daemon-reload > systemctl enable iptables-openvpn > systemctl start iptables-openvpn [INFO] Creating client template... [INFO] Generating first client certificate... [INFO] Generating client certificate... > ./easyrsa --batch build-client-full client nopass [OK] Client client added and is valid for 3650 days. > cp /etc/openvpn/server/client-template.txt /home/michelle/client.ovpn [OK] The configuration file has been written to /home/michelle/client.ovpn. [INFO] Download the .ovpn file and import it in your OpenVPN client. [OK] If you want to add more clients, you simply need to run this script another time!
Vervolgens moet ik op mijn Fritz!Box wel deze poort openen natuurlijk!
Daarna nog wat eigen aanpassingen gedaan aan de server config:
michelle@roer:~$ sudo egrep '^server|^push|^\#\#' /etc/openvpn/server.conf ##server 10.8.0.0 255.255.255.0 server 192.168.3.0 255.255.255.0 push "dhcp-option DNS 192.168.1.1" push "route 192.168.1.0 255.255.255.0" ##push "redirect-gateway def1 bypass-dhcp"
michelle@roer:~/bin$ sudo ./openvpn-install.sh client add MichelleJanse === New Client Setup === [INFO] Generating client certificate... > ./easyrsa --batch build-client-full MichelleJanse nopass [OK] Client MichelleJanse added and is valid for 3650 days. > cp /etc/openvpn/server/client-template.txt /home/michelle/MichelleJanse.ovpn [OK] The configuration file has been written to /home/michelle/MichelleJanse.ovpn. [INFO] Download the .ovpn file and import it in your OpenVPN client.
En klaar is Kees. Oh nee: klaar is de oudste dochter van Kees!!
Nadat de functionaliteit erin zit mag er ook nog wel aan de veiligheid gedaan worden. Want Debian GNU/Linux is out-of-the-box wel aardig in elkaar gestoken maar het kan nog altijd beter!
Een tooltje om de hardening van het systeem te scannen en met adviezen te komen. Geen daemon maar een check van mijn systeem: kan er qua veiligheid nog wat verbeterd worden? De versie in Debian GNU/Linux loopt achter dus een aparte repo toegevoegd, zoals beschreven op https://packages.cisofy.com/community/
root@roer:~# curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg root@roer:~# echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main
Daarna een scan draaien:
root@roer:~# sudo lynis audit system
Een malware scanner had ik nog niet, dus…..
root@roer:~# sudo apt install rkhunter apt-show-versions debsums
sudo chmod o-rwx /home/*
en in
/etc/login.defs
de UMASK op 027 gezet.
michelle@lummel:~$ sudo cat /etc/modprobe.d/lynis-blacklist.conf install dccp /bin/true install sctp /bin/true install rds /bin/true install tipc /bin/true
Er slingeren soms nog configuratie-bestanden en andere cruft rond van packages die allang niet meer op het systeem staan. Die herken je in de output van `dpkg -l` doordat ze beginnen met rc. Mik deze weg:
michelle@roer:~$ dpkg -l | grep ^rc | awk '{ print $2 }' | xargs echo " " libpython3.10-minimal:amd64 linux-image-6.0.0-5-amd64 linux-image-6.0.0-6-amd64 linux-image-6.1.0-1-amd64 linux-image-6.1.0-10-amd64 linux-image-6.1.0-11-amd64 linux-image-6.1.0-12-amd64 linux-image-6.1.0-13-amd64 linux-image-6.1.0-14-amd64 linux-image-6.1.0-15-amd64 linux-image-6.1.0-16-amd64 linux-image-6.1.0-17-amd64 linux-image-6.1.0-18-amd64 linux-image-6.1.0-2-amd64 linux-image-6.1.0-20-amd64 linux-image-6.1.0-21-amd64 linux-image-6.1.0-22-amd64 linux-image-6.1.0-23-amd64 linux-image-6.1.0-25-amd64 linux-image-6.1.0-26-amd64 linux-image-6.1.0-27-amd64 linux-image-6.1.0-28-amd64 linux-image-6.1.0-29-amd64 linux-image-6.1.0-3-amd64 linux-image-6.1.0-30-amd64 linux-image-6.1.0-31-amd64 linux-image-6.1.0-32-amd64 linux-image-6.1.0-33-amd64 linux-image-6.1.0-34-amd64 linux-image-6.1.0-5-amd64 linux-image-6.1.0-6-amd64 linux-image-6.1.0-7-amd64 linux-image-6.1.0-9-amd64 python3.10-minimal
ToDo