technische_naslag:sid:roer
This is an old revision of the document!
Introduction
I have been running a small server at home for years. It used to be fairly elaborate, with several network segments for which the box acted as the router, and I ran my own mail server and whatnot on it. These days it is mostly a glorified NAS, but on a real, energy-efficient server with SSDs and a proper distribution on it:
- Hardware: HP Proliant Microserver Gen10+
- Storage: 2x Western Digital Red 2TB SSD
- OS: Debian GNU/Linux 12 (“bookworm”)
Installation and Configuration
Webserver: Apache2
With Let's Encrypt certificate:
OpenVPN
root@roer:~/bin# ./ubuntu-22.04-lts-vpn-server.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 192.168.1.2

It seems this server is behind NAT. What is its public IPv4 address or hostname?
We need it for the clients to connect to the server.
Public IPv4 address or hostname: roer.vlet.net

Checking for IPv6 connectivity...
Your host appears to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: y

What port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 1

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 1

What DNS resolvers do you want to use with the VPN?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Anycast: worldwide)
   12) NextDNS (Anycast: worldwide)
   13) Custom
DNS [1-12]: 1

Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Ophalen:1 http://security.debian.org/debian-security bookworm-security InRelease [48,0 kB]
Geraakt:2 http://ftp.nl.debian.org/debian bookworm InRelease
Ophalen:3 http://ftp.nl.debian.org/debian bookworm-updates InRelease [55,4 kB]
103 kB opgehaald in 0s (287 kB/s)
Pakketlijsten worden ingelezen... Klaar
Pakketlijsten worden ingelezen... Klaar
Boom van vereisten wordt opgebouwd... Klaar
De statusinformatie wordt gelezen... Klaar
ca-certificates is reeds de nieuwste versie (20230311).
gnupg is reeds de nieuwste versie (2.2.40-1.1).
gnupg staat ingesteld op handmatig geïnstalleerd.
0 opgewaardeerd, 0 nieuw geïnstalleerd, 0 te verwijderen en 0 niet opgewaardeerd.
Pakketlijsten worden ingelezen... Klaar
Boom van vereisten wordt opgebouwd... Klaar
De statusinformatie wordt gelezen... Klaar
iptables is reeds de nieuwste versie (1.8.9-2).
iptables staat ingesteld op handmatig geïnstalleerd.
openssl is reeds de nieuwste versie (3.0.16-1~deb12u1).
openssl staat ingesteld op handmatig geïnstalleerd.
wget is reeds de nieuwste versie (1.21.3-1+deb12u1).
ca-certificates is reeds de nieuwste versie (20230311).
curl is reeds de nieuwste versie (7.88.1-10+deb12u12).
De volgende extra pakketten zullen geïnstalleerd worden:
  easy-rsa libccid libnl-genl-3-200 libpcsclite1 libpkcs11-helper1 opensc opensc-pkcs11 pcscd
Voorgestelde pakketten:
  pcmciautils resolvconf openvpn-dco-dkms openvpn-systemd-resolved
De volgende NIEUWE pakketten zullen geïnstalleerd worden:
  easy-rsa libccid libnl-genl-3-200 libpcsclite1 libpkcs11-helper1 opensc opensc-pkcs11 openvpn pcscd
0 opgewaardeerd, 9 nieuw geïnstalleerd, 0 te verwijderen en 0 niet opgewaardeerd.
Er moeten 2.575 kB aan archieven opgehaald worden.
Na deze bewerking zal er 7.776 kB extra schijfruimte gebruikt worden.
Ophalen:1 http://ftp.nl.debian.org/debian bookworm/main amd64 libccid amd64 1.5.2-1 [367 kB]
Ophalen:2 http://ftp.nl.debian.org/debian bookworm/main amd64 libpcsclite1 amd64 1.9.9-2 [49,7 kB]
Ophalen:3 http://ftp.nl.debian.org/debian bookworm/main amd64 pcscd amd64 1.9.9-2 [89,7 kB]
Ophalen:4 http://ftp.nl.debian.org/debian bookworm/main amd64 easy-rsa all 3.1.0-1 [54,8 kB]
Ophalen:5 http://ftp.nl.debian.org/debian bookworm/main amd64 libnl-genl-3-200 amd64 3.7.0-0.2+b1 [21,6 kB]
Ophalen:6 http://ftp.nl.debian.org/debian bookworm/main amd64 libpkcs11-helper1 amd64 1.29.0-1 [51,2 kB]
Ophalen:7 http://ftp.nl.debian.org/debian bookworm/main amd64 opensc-pkcs11 amd64 0.23.0-0.3+deb12u2 [917 kB]
Ophalen:8 http://ftp.nl.debian.org/debian bookworm/main amd64 opensc amd64 0.23.0-0.3+deb12u2 [372 kB]
Ophalen:9 http://ftp.nl.debian.org/debian bookworm/main amd64 openvpn amd64 2.6.3-1+deb12u3 [652 kB]
2.575 kB opgehaald in 0s (9.244 kB/s)
Voorconfigureren van pakketten ...
Voorheen niet geselecteerd pakket libccid wordt geselecteerd.
(Database wordt ingelezen ... 74274 bestanden en mappen momenteel geïnstalleerd.)
Uitpakken van .../0-libccid_1.5.2-1_amd64.deb wordt voorbereid...
Bezig met uitpakken van libccid (1.5.2-1) ...
Voorheen niet geselecteerd pakket libpcsclite1:amd64 wordt geselecteerd.
Uitpakken van .../1-libpcsclite1_1.9.9-2_amd64.deb wordt voorbereid...
Bezig met uitpakken van libpcsclite1:amd64 (1.9.9-2) ...
Voorheen niet geselecteerd pakket pcscd wordt geselecteerd.
Uitpakken van .../2-pcscd_1.9.9-2_amd64.deb wordt voorbereid...
Bezig met uitpakken van pcscd (1.9.9-2) ...
Voorheen niet geselecteerd pakket easy-rsa wordt geselecteerd.
Uitpakken van .../3-easy-rsa_3.1.0-1_all.deb wordt voorbereid...
Bezig met uitpakken van easy-rsa (3.1.0-1) ...
Voorheen niet geselecteerd pakket libnl-genl-3-200:amd64 wordt geselecteerd.
Uitpakken van .../4-libnl-genl-3-200_3.7.0-0.2+b1_amd64.deb wordt voorbereid...
Bezig met uitpakken van libnl-genl-3-200:amd64 (3.7.0-0.2+b1) ...
Voorheen niet geselecteerd pakket libpkcs11-helper1:amd64 wordt geselecteerd.
Uitpakken van .../5-libpkcs11-helper1_1.29.0-1_amd64.deb wordt voorbereid...
Bezig met uitpakken van libpkcs11-helper1:amd64 (1.29.0-1) ...
Voorheen niet geselecteerd pakket opensc-pkcs11:amd64 wordt geselecteerd.
Uitpakken van .../6-opensc-pkcs11_0.23.0-0.3+deb12u2_amd64.deb wordt voorbereid...
Bezig met uitpakken van opensc-pkcs11:amd64 (0.23.0-0.3+deb12u2) ...
Voorheen niet geselecteerd pakket opensc wordt geselecteerd.
Uitpakken van .../7-opensc_0.23.0-0.3+deb12u2_amd64.deb wordt voorbereid...
Bezig met uitpakken van opensc (0.23.0-0.3+deb12u2) ...
Voorheen niet geselecteerd pakket openvpn wordt geselecteerd.
Uitpakken van .../8-openvpn_2.6.3-1+deb12u3_amd64.deb wordt voorbereid...
Bezig met uitpakken van openvpn (2.6.3-1+deb12u3) ...
Instellen van libccid (1.5.2-1) ...
Instellen van libpkcs11-helper1:amd64 (1.29.0-1) ...
Instellen van opensc-pkcs11:amd64 (0.23.0-0.3+deb12u2) ...
Instellen van libpcsclite1:amd64 (1.9.9-2) ...
Instellen van libnl-genl-3-200:amd64 (3.7.0-0.2+b1) ...
Instellen van easy-rsa (3.1.0-1) ...
Instellen van openvpn (2.6.3-1+deb12u3) ...
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/system/openvpn.service.
Instellen van opensc (0.23.0-0.3+deb12u2) ...
Instellen van pcscd (1.9.9-2) ...
Created symlink /etc/systemd/system/sockets.target.wants/pcscd.socket → /lib/systemd/system/pcscd.socket.
pcscd.service is a disabled or a static unit, not starting it.
Bezig met afhandelen van triggers voor mailcap (3.70+nmu1) ...
Bezig met afhandelen van triggers voor libc-bin (2.36-9+deb12u10) ...
Bezig met afhandelen van triggers voor man-db (2.11.2-2) ...
Scanning processes...
Scanning processor microcode...
Scanning linux images...

The processor microcode seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
--2025-05-26 13:38:08--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
Herleiden van github.com (github.com)... 140.82.121.4
Verbinding maken met github.com (github.com)|140.82.121.4|:443... verbonden.
HTTP-verzoek is verzonden; wachten op antwoord... 302 Found
Locatie: https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250526%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250526T113808Z&X-Amz-Expires=300&X-Amz-Signature=56754b42dc77d345fbf5a2f431d1a66ad2e6fd0eb342983428c5daa2a2081d89&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream [volgen...]
--2025-05-26 13:38:08--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250526%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250526T113808Z&X-Amz-Expires=300&X-Amz-Signature=56754b42dc77d345fbf5a2f431d1a66ad2e6fd0eb342983428c5daa2a2081d89&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream
Herleiden van objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Verbinding maken met objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... verbonden.
HTTP-verzoek is verzonden; wachten op antwoord... 200 OK
Lengte: 68984 (67K) [application/octet-stream]
Wordt opgeslagen als: ‘/root/easy-rsa.tgz’

/root/easy-rsa.tgz  100%[========================================================================================================================================>]  67,37K  --.-KB/s    in 0,007s

2025-05-26 13:38:08 (9,07 MB/s) - '‘/root/easy-rsa.tgz’' opgeslagen [68984/68984]

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /etc/openvpn/easy-rsa/pki

* Using Easy-RSA configuration:
  /etc/openvpn/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

* Using x509-types directory:
  /etc/openvpn/easy-rsa/x509-types

* Using SSL:
  openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)

* Using Easy-RSA configuration:
  /etc/openvpn/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

Using configuration from /etc/openvpn/easy-rsa/pki/76b20386/temp.e994fa7e
-----

Notice
------
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

* Using SSL:
  openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)

* Using Easy-RSA configuration:
  /etc/openvpn/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
-----

Notice
------
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server_0qKxcCwxJ128Et3H.req
key: /etc/openvpn/easy-rsa/pki/private/server_0qKxcCwxJ128Et3H.key

Using configuration from /etc/openvpn/easy-rsa/pki/87f87fc8/temp.6779c4b4
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server_0qKxcCwxJ128Et3H'
Certificate is to be certified until Aug 29 11:38:09 2027 GMT (825 days)

Write out database with 1 new entries
Database updated

Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa/pki/issued/server_0qKxcCwxJ128Et3H.crt

Notice
------
Inline file created:
* /etc/openvpn/easy-rsa/pki/inline/server_0qKxcCwxJ128Et3H.inline

* Using SSL:
  openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)

* Using Easy-RSA configuration:
  /etc/openvpn/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

Using configuration from /etc/openvpn/easy-rsa/pki/81e7987e/temp.40b68fda

Notice
------
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

2025-05-26 13:38:09 DEPRECATED OPTION: The option --secret is deprecated.
2025-05-26 13:38:09 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
* Applying /etc/sysctl.d/99-openvpn.conf ...
* Applying /usr/lib/sysctl.d/99-protect-links.conf ...
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
kernel.pid_max = 4194304
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /etc/systemd/system/openvpn@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/iptables-openvpn.service → /etc/systemd/system/iptables-openvpn.service.

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: MichelleJanse

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1

* Using SSL:
  openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)

* Using Easy-RSA configuration:
  /etc/openvpn/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
-----

Notice
------
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/MichelleJanse.req
key: /etc/openvpn/easy-rsa/pki/private/MichelleJanse.key

Using configuration from /etc/openvpn/easy-rsa/pki/8d0039fd/temp.83d1eeb1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'MichelleJanse'
Certificate is to be certified until Aug 29 11:38:16 2027 GMT (825 days)

Write out database with 1 new entries
Database updated

Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa/pki/issued/MichelleJanse.crt

Notice
------
Inline file created:
* /etc/openvpn/easy-rsa/pki/inline/MichelleJanse.inline

Client MichelleJanse added.

The configuration file has been written to /root/MichelleJanse.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
Some further tweaks of my own:
root@roer:~# egrep '^server|^push|^\#\#' /etc/openvpn/server.conf
##server 10.8.0.0 255.255.255.0
server 192.168.3.0 255.255.255.0
push "dhcp-option DNS 192.168.1.1"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DOMAIN vlet.net"
push "dhcp-option DOMAIN-SEARCH vlet.net"
##push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
push tun-ipv6
push "route-ipv6 2000::/3"
##push "redirect-gateway ipv6"
technische_naslag/sid/roer.1748259855.txt.gz · Last modified: 2025/05/26 13:44 by michelle