Initial import :-D

# Vincent
```txt
Vincent; Vpn Integration Note and Configuration on gENToo linux
```
This project is a note about `OpenVPN` setup on Gentoo Linux (on Linode).
```zsh
# uname -a
Linux <HOSTNAME> 4.8.6-x86_64-linode78 #1 SMP Tue Nov 1 14:51:21 EDT 2016 x86_64 Intel(R) Xeon(R) CPU E5-2697 v4 @ 2.30GHz GenuineIntel GNU/Linux
```
## Note(s)
* [server](doc/server.md)
* [client](doc/client.md)
See also [innocent](https://gitlab.com/grauwoelfchen/innocent) for general Gentoo setup.
## Quick note
### How to add new client
See the sample `rsa/john.smith` directory.
```zsh
% cd /path/to/easy-rsa
% ./easyrsa build-client-full <CLIENT>
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
........+++
........+++
writing new private key to '/home/<USER>/easy-rsa/pki/private/<CLIENT>.key.NNN'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /home/<USER>/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /home/<USER>/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'...'
stateOrProvinceName :ASN.1 12:'...'
localityName :ASN.1 12:'...'
organizationName :ASN.1 12:'...'
organizationalUnitName:ASN.1 12:'...'
commonName :ASN.1 12:'<CLIENT>'
emailAddress :IA5STRING:'...'
Certificate is to be certified until Jan 26 10:56:16 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
```
```zsh
% cd /path/to/easy-rsa
% cp -R .master <CLIENT>
: copy the signed certificate (pki/issued) and the private key (pki/private) from the server
% scp <SERVER>:/path/to/easy-rsa/pki/issued/<CLIENT>.crt pki/issued/<CLIENT>.crt
% scp <SERVER>:/path/to/easy-rsa/pki/private/<CLIENT>.key pki/private/<CLIENT>.key
```
## Links
* https://openvpn.net/index.php/open-source/documentation.html
## License
Copyright (c) 2017 Yasuhiro Asaka
### Scripts
The scripts in the `lib` directory are distributed under the
**GNU General Public License** (version 3).
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
### Notes
The text files are distributed under the **GNU Free Documentation License**
(version 1.3).
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU
Free Documentation License".
See [LICENSE](LICENSE). (`GFDL-1.3`)
# OpenVPN Client
## Machine
* Handmade machine (CPU 4, 16GB Memory)
* Funtoo Linux
```zsh
% uname -a
Linux <HOSTNAME> 4.10.1-gentoo #21 SMP Thu Mar 2 20:12:29 JST 2017 x86_64 Intel(R) Core(TM) i5-2320 CPU @ 3.00GHz GenuineIntel GNU/Linux
```
## Setup
OpenVPN needs the `CONFIG_TUN` kernel option.
```zsh
% cd /usr/src/linux
% sudo su
: Check kernel configuration
# make menuconfig
```
```txt
Device Drivers --->
    [*] Network device support --->
        [*] Network core driver support
        <*>   Universal TUN/TAP device driver support
```
```zsh
: build the kernel as you like
# make && make modules_install
: keep a backup of the previous kernel image before overwriting it
# cp /boot/kernel-4.10.1-gentoo /boot/.back.kernel-4.10.1-gentoo
# cp arch/x86_64/boot/bzImage /boot/kernel-4.10.1-gentoo
: I use lilo for my desktop :)
# lilo
# reboot
```
```zsh
% sudo su
# echo 'net-misc/openvpn iproute2' >> /etc/portage/package.use/openvpn
# exit
% sudo emerge -av openvpn
```
## Make config file
The init script `/etc/init.d/openvpn` supports multiple connections.
```zsh
% sudo ln -s /etc/init.d/openvpn /etc/init.d/openvpn.<NAME>
```
Then create a config file like the one below.
```zsh
% sudo vim /etc/openvpn/<NAME>.conf
```
## Prepare keys
```zsh
% cd ~/.openvpn
% tree .
.
├── keys
│   └── ta.key
└── pki
    ├── ca.crt
    ├── issued
    │   └── <USER>.crt
    └── private
        └── <USER>.key

4 directories, 4 files
```
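An added example of the `/etc/openvpn/<NAME>.conf` described above, wired to the key layout just shown; it is not part of the original note. `<IP-ADDRESS>`, `<PORT>` and `<USER>` are the page's placeholders; the `askpass` file path and the absolute `/home/<USER>/.openvpn` paths are assumptions.

```conf
# /etc/openvpn/<NAME>.conf  (added example, not the original note's file)
client
dev tun
proto udp
remote <IP-ADDRESS> <PORT>
resolv-retry infinite
nobind
persist-key
persist-tun

# Keys copied from the server (see the tree above). Absolute paths,
# because the init script does not run from the user's home directory.
ca   /home/<USER>/.openvpn/pki/ca.crt
cert /home/<USER>/.openvpn/pki/issued/<USER>.crt
key  /home/<USER>/.openvpn/pki/private/<USER>.key
# Shared tls-auth key: the server uses key-direction 0, clients use 1
tls-auth /home/<USER>/.openvpn/keys/ta.key 1

# Only accept a server whose certificate was signed for the "server" role
# (the one produced by `easyrsa sign-req server`), not another client's cert
remote-cert-tls server

# The client key is passphrase-protected (build-client-full asked for one).
# Read the passphrase from a root-only file instead of prompting at boot,
# and do not keep it cached in memory.  (path is an assumption)
askpass /root/<NAME>.pass
auth-nocache

# Log file matching the logrotate snippet for this connection
log-append /var/log/openvpn/openvpn-<NAME>.log
verb 3
```

The `askpass` file must be `chmod 600` and owned by root, as the server note does for `/root/password.ovpn`.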
## Setup logrotate
```txt
/var/log/openvpn/openvpn-XXXXX {
    missingok
    notifempty
    delaycompress
    sharedscripts
    rotate 4
    weekly
    postrotate
        test -r /run/openvpn.XXXXX.pid && kill -USR1 `cat /run/openvpn.XXXXX.pid`
    endscript
}
```
## Boot openvpn
```zsh
: Don't do this (symlink) :'(
: It starts too many `openvpn` scripts, and then fails
% sudo ln -s /etc/openvpn/up.sh /etc/openvpn/openvpn.XXXXX-up.sh
% sudo ln -s /etc/openvpn/down.sh /etc/openvpn/openvpn.XXXXX-down.sh
```
Just run `sudo service openvpn.XXXXX start`.
```zsh
: At server
% ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::8fb0:c2b9:9be:1f84  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
: At client
% ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1400
        inet 10.8.0.50  netmask 255.255.255.255  destination 10.8.0.49
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 3468  bytes 1292573 (1.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3828  bytes 469359 (458.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
# Vincent
`OpenVPN` Setup Notes on Linode using Gentoo Linux.
## Pages
* [doc/server.md](/doc/server.md)
* [doc/client.md](/doc/client.md)
## Memo
* The OpenVPN Client for iOS does not seem to support the `fragment` option.
# OpenVPN Server
## Machine
* Linode 4096 (CPU 2, 4GB Memory)
* Gentoo Linux (gentoo-20170105, with `genkernel`)
```bash
# uname -a
Linux <HOSTNAME> 4.8.6-x86_64-linode78 #1 SMP Tue Nov 1 14:51:21 EDT 2016 x86_64 Intel(R) Xeon(R) CPU E5-2697 v4 @ 2.30GHz GenuineIntel GNU/Linux
```
## Setup
See [Innocent](https://gitlab.com/grauwoelfchen/innocent) for general setup.
## OpenVPN
The openvpn ebuild has moved from `net-misc/openvpn` to `net-vpn/openvpn`.
```zsh
% sudo su
# echo 'net-vpn/openvpn iproute2' >> /etc/portage/package.use/openvpn
# exit
% sudo emerge -av openssl openvpn iproute2
```
### Create key
See [Create a Public Key Infrastructure Using the easy-rsa Scripts](https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts)
on the Gentoo Wiki.
```zsh
% sudo emerge -av app-crypt/easy-rsa
% cd
% cp -a /usr/share/easy-rsa easy-rsa
```
Edit `vars` in the copied `easy-rsa` directory:
```txt
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "..."
set_var EASYRSA_REQ_PROVINCE "..."
set_var EASYRSA_REQ_CITY "..."
set_var EASYRSA_REQ_ORG "..."
set_var EASYRSA_REQ_EMAIL "..."
set_var EASYRSA_REQ_OU "..."
set_var EASYRSA_KEY_SIZE 2048
```
```zsh
% ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/<USER>/easy-rsa/pki
```
### Generate ca cert
```zsh
% ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...................................+++
........+++
writing new private key to '/home/<USER>/easy-rsa/pki/private/ca.key.NNNNNNNN'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [...]:
State or Province Name (full name) [...]:
Locality Name (eg, city) [...]:
Organization Name (eg, company) [...]:
Organizational Unit Name (eg, section) [...]:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
Email Address [...]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/<USER>/easy-rsa/pki/ca.crt
```
### Generate server request
```zsh
% ./easyrsa gen-req <SERVER>
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..............+++
..........................................................+++
writing new private key to '/home/<USER>/easy-rsa/pki/private/<SERVER>.key.NNNNNNNN'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [...]:
State or Province Name (full name) [...]:
Locality Name (eg, city) [...]:
Organization Name (eg, company) [...]:
Organizational Unit Name (eg, section) [...]:
Common Name (eg: your user, host, or server name) [...]:
Email Address [...]:
Keypair and certificate request completed. Your files are:
req: /home/<USER>/easy-rsa/pki/reqs/<SERVER>.req
key: /home/<USER>/easy-rsa/pki/private/<SERVER>.key
```
### Generate (sign request) server cert
```zsh
% ./easyrsa sign-req server <SERVER>
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
countryName = ...
stateOrProvinceName = ...
localityName = ...
organizationName = ...
organizationalUnitName = ...
commonName = ...
emailAddress = ...
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /home/<USER>/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /home/<USER>/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'...'
stateOrProvinceName :ASN.1 12:'...'
localityName :ASN.1 12:'...'
organizationName :ASN.1 12:'...'
organizationalUnitName:ASN.1 12:'...'
commonName :ASN.1 12:'...'
emailAddress :IA5STRING:'...'
Certificate is to be certified until Jan 26 11:33:33 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /home/<USER>/easy-rsa/pki/issued/<SERVER>.crt
```
### Generate DH Parameters
```zsh
% ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...
DH parameters of size 2048 created at /home/<USER>/easy-rsa/pki/dh.pem
```
### Generate client cert
```zsh
% ./easyrsa build-client-full <CLIENT>
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
........+++
........+++
writing new private key to '/home/<USER>/easy-rsa/pki/private/<CLIENT>.key.NNNNNNNN'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /home/<USER>/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /home/<USER>/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'...'
stateOrProvinceName :ASN.1 12:'...'
localityName :ASN.1 12:'...'
organizationName :ASN.1 12:'...'
organizationalUnitName:ASN.1 12:'...'
commonName :ASN.1 12:'<CLIENT>'
emailAddress :IA5STRING:'...'
Certificate is to be certified until Jan 26 10:56:16 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
```
### Generate TLS Key
```zsh
: the key is written into keys/, which is where "Put keys" links it from
% mkdir keys
% sudo openvpn --genkey --secret keys/ta.key
% sudo chown <USER>:<USER> keys/ta.key
```
### Put keys
```zsh
% sudo su
# cd /etc/openvpn/
# mkdir keys
# ln -s /home/<USER>/easy-rsa/pki/ca.crt ca.crt
# ln -s /home/<USER>/easy-rsa/pki/dh.pem dh.pem
# ln -s /home/<USER>/easy-rsa/keys/ta.key ta.key
# ln -s /home/<USER>/easy-rsa/pki/issued/<SERVER>.crt <SERVER>.crt
# ln -s /home/<USER>/easy-rsa/pki/private/<SERVER>.key <SERVER>.key
```
### Prepare
```zsh
% sudo $EDITOR /etc/sysctl.conf
```
```txt
net.ipv4.ip_forward=1
```
```zsh
: for current session
# echo 1 > /proc/sys/net/ipv4/ip_forward
```
### Root Passphrase
```zsh
% sudo su
# $EDITOR /root/password.ovpn
# chmod 600 /root/password.ovpn
```
```txt
# append the following lines to /etc/openvpn/openvpn.conf
askpass /root/password.ovpn
auth-nocache
```
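An added example (not the original note's file) of the `/etc/openvpn/openvpn.conf` those two lines are appended to, tied to the symlinks from "Put keys", the `10.8.0.0/24` subnet the iptables rules expect and the `/var/log/openvpn/openvpn.log` file the logrotate snippet rotates. `<PORT>` and `<SERVER>` are the page's placeholders; the cipher/auth choices and the pushed DNS address are assumptions.

```conf
# /etc/openvpn/openvpn.conf  (added example, not the original note's file)
port <PORT>
proto udp
dev tun
# net30 is the default topology; it gives each client the /30 pair
# (10.8.0.49/10.8.0.50) seen in the client's ifconfig output
topology net30

# Files linked into /etc/openvpn in "Put keys"
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/<SERVER>.crt
key  /etc/openvpn/<SERVER>.key
dh   /etc/openvpn/dh.pem
# tls-auth: HMAC on the control channel; server side is key-direction 0
tls-auth /etc/openvpn/ta.key 0

# VPN subnet; must match -s 10.8.0.0/24 in iptables.sh
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
# Send all client traffic through the tunnel; needs ip_forward=1 and
# the MASQUERADE rule on $WAN_IF
push "redirect-gateway def1 bypass-dhcp"
# DNS served by dnsmasq listening on tun0 (assumed)
push "dhcp-option DNS 10.8.0.1"

keepalive 10 120
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256

# Drop privileges after the keys are read; persist-* lets the unprivileged
# process survive SIGUSR1 restarts without re-reading keys or re-opening tun
user nobody
group nobody
persist-key
persist-tun

# Passphrase-protected server key (see "Root Passphrase")
askpass /root/password.ovpn
auth-nocache

# Rotated by logrotate; SIGUSR1 from postrotate makes openvpn reopen it
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.log
verb 3
```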
### Iptables
Create `iptables.sh` for your rules.
```zsh
% sudo su
# echo 'net-firewall/iptables conntrack nftables' >> /etc/portage/package.use/iptables
# exit
% sudo emerge -av iptables
```
```zsh
: create iptables.sh
% $EDITOR ~/iptables.sh
: use your iptables script :)
% sudo sh ./iptables.sh
```
```zsh
% sudo service iptables start
% sudo eselect rc add iptables default
```
Allow OpenVPN traffic over `UDP` and forward the VPN subnet (e.g. `10.8.0.0/24`):
```sh
# e.g. as 10.8.0.0/24 with <PORT>; $IPTABLES and $WAN_IF are set earlier in iptables.sh
echo " * allowing traffic through openvpn (tun0)"
# new handshakes on the OpenVPN port, from the WAN side only
$IPTABLES -A INPUT -i $WAN_IF -p udp --dport <PORT> -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i tun+ -p icmp -j ACCEPT
# return traffic for already tracked connections in both directions
$IPTABLES -A FORWARD -i tun+ -o $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_IF -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# new outbound connections from VPN clients
$IPTABLES -A FORWARD -i tun+ -o $WAN_IF -s 10.8.0.0/24 -j ACCEPT
# note: this only matches WAN packets claiming a VPN-subnet source; replies
# to clients are already covered by the RELATED,ESTABLISHED rule above
$IPTABLES -A FORWARD -i $WAN_IF -o tun+ -s 10.8.0.0/24 -j ACCEPT
# NAT the VPN subnet behind the WAN address
$IPTABLES -t nat -A POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE
# logging (rate limited), then default drop for everything else forwarded
$IPTABLES -A FORWARD -m limit --limit 5/s -j LOG --log-level=1 --log-prefix '[FORWARD]: '
$IPTABLES -A FORWARD -j DROP
```
### Dnsmasq
```zsh
# echo 'net-dns/dnsmasq conntrack' >> /etc/portage/package.use/dnsmasq
```
### Boot and logrotate
```zsh
% sudo service openvpn start
% sudo eselect rc add openvpn default
```
Set up logrotate.
```zsh
# ls /var/log/openvpn/
openvpn.log
```
```zsh
% sudo emerge -av logrotate
```
```txt
/var/log/openvpn* {
    missingok
    notifempty
    delaycompress
    sharedscripts
    rotate 4
    weekly
    postrotate
        test -r /run/openvpn.pid && kill -USR1 `cat /run/openvpn.pid`
    endscript
}
```
## Links
* https://wiki.gentoo.org/wiki/OpenVPN
* https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts
* http://docs.slackware.com/howtos:network_services:openvpn
* https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7
#!/sbin/openrc-run
# Copyright 2017 Yasuhiro Asaka
# Distributed under the terms of the GNU General Public License v3

# OpenRC service script for the Linode Longview monitoring agent.
# The agent is assumed to daemonize and write its own pid file
# (no --make-pidfile is passed to start-stop-daemon).
DAEMON="/opt/linode/longview/Linode/Longview.pl"
PID="/var/run/longview.pid"

depend() {
    use logger dns
    need net
}

start() {
    ebegin "Starting Longview Agent"
    start-stop-daemon --start -p "${PID}" --startas "${DAEMON}" 2>/dev/null
    eend $?
}

stop() {
    ebegin "Stopping Longview Agent"
    start-stop-daemon --stop --quiet -p "${PID}" 2>/dev/null
    eend $?
}

restart() {
    ebegin "Restarting Longview Agent"
    # wait up to 30 seconds for the old process to exit before starting a new one
    start-stop-daemon --stop --quiet --oknodo --retry 30 -p "${PID}"
    start-stop-daemon --start -p "${PID}" --startas "${DAEMON}" 2>/dev/null
    eend $?
}

reload() {
    ebegin "Reloading Longview Agent"
    # SIGHUP asks the running agent to re-read its configuration
    start-stop-daemon --stop --quiet --oknodo --signal HUP -p "${PID}"
    eend $?
}
# OpenVPN
THESE ARE SAMPLE RSA FILES; replace the important part(s) as you need.
-----
These are your keys and certs for OpenVPN.
`ta.key` is the pre-shared key needed for _tls-auth_.
## Settings
These are your credentials and configuration.
```
USER: <USER>
RSA KEY PASSPHRASE: <USER-PASSWORD>
```
```zsh
% tree .
.
├── keys
│   └── ta.key
└── pki
    ├── ca.crt
    ├── issued
    │   └── <USER>.crt
    └── private
        └── <USER>.key

4 directories, 4 files
```
```
server: <IP-ADDRESS>
port: <PORT>
protocol: udp
client: <USER>
```
## Note
If you use GNU/Linux as your client machine, see also the following note,
a client-side example configuration of OpenVPN on Gentoo Linux:
* https://gitlab.com/grauwoelfchen/vincent/blob/master/doc/client.md
Otherwise, you may want to download client software from below: