From 21a4fb5d08d3be2925d22bcea69be2cee24c396f Mon Sep 17 00:00:00 2001
From: Vasco
Date: Tue, 21 Apr 2026 23:06:47 +0100
Subject: [PATCH] hmm3
---
 VM_VPN_GATEWAY.sh | 11 ++++++-----
 conf/client.conf | 1 -
 conf/ocsp-verify.sh | 25 +++++++++++++++++++++++++
 conf/totp | 4 ++--
 conf/vpn.conf | 6 +++++-
 5 files changed, 38 insertions(+), 9 deletions(-)
 create mode 100755 conf/ocsp-verify.sh
diff --git a/VM_VPN_GATEWAY.sh b/VM_VPN_GATEWAY.sh
index 8161952..9d43f9d 100644
--- a/VM_VPN_GATEWAY.sh
+++ b/VM_VPN_GATEWAY.sh
@@ -25,11 +25,11 @@ ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
 echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
 sysctl -p /etc/sysctl.conf
-iptables -A INPUT -p udp --dport 1194 -j ACCEPT # :O
-iptables -A FORWARD -i $mega_tunel -o $if_dentro -j ACCEPT # :P
-iptables -A FORWARD -i $if_dentro -o $mega_tunel -j ACCEPT # ;)
-iptables -A FORWARD -i $mega_tunel -o $if_fora -j ACCEPT # faltava isto ?
-iptables -A FORWARD -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT # faltava isto ?
+iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT # :O
+iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT # :P
+iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT # ;)
+iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT # faltava isto ?
+iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT # faltava isto ?
 iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE # :D
 iptables-save > /etc/sysconfig/iptables # :3
@@ -41,5 +41,6 @@ cp ca/vpn.key $vpn_dir
 cp ca/vpn.crt $vpn_dir
 cp ca/dh2048.pem $vpn_dir
 cp conf/vpn.conf $vpn_dir
+cp conf/ocsp-verify.sh $vpn_dir
 cp conf/totp /etc/pam.d/
 systemctl enable --now openvpn-server@vpn.service
diff --git a/conf/client.conf b/conf/client.conf
index 7eafab4..6620368 100644
--- a/conf/client.conf
+++ b/conf/client.conf
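Review bot: Every `iptables -I ... 1` in this hunk runs unconditionally, so a second run of the script stacks a duplicate rule set at the head of INPUT and FORWARD (just as the `sysctl.conf` append duplicates its line) and `iptables-save` then persists the duplicates; guard each insert with a check, e.g. `iptables -C INPUT -p udp --dport 1194 -j ACCEPT 2>/dev/null || iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT`. Inserting each rule at position 1 also leaves them in the reverse of the order written, which is harmless while all of them are ACCEPT but worth a comment, since nothing in the hunk says why `-A` became `-I ... 1` (presumably to sit above a pre-existing REJECT rule). The interface variables stay unquoted, as in the rest of the file.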
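Review bot: `cp conf/ocsp-verify.sh $vpn_dir` installs a file that vpn.conf executes on every TLS handshake but gives no ownership or mode guarantee: the execute bit depends on the working-tree copy and the umask, and a group- or world-writable copy would let a local account change what the server runs. Use `install -m 0755 -o root -g root conf/ocsp-verify.sh "$vpn_dir"/` for this line. `$vpn_dir` is presumably /etc/openvpn/server, since that is the absolute path vpn.conf uses for `tls-verify`; a comment stating that would avoid a silent mismatch.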
@@ -18,5 +18,4 @@ auth-user-pass
 tls-auth /etc/openvpn/client/ta.key 1
 remote-cert-tls server
-static-challenge "Enter TOTP: " 1
 reneg-sec 0
diff --git a/conf/ocsp-verify.sh b/conf/ocsp-verify.sh
new file mode 100755
index 0000000..ead7093
--- /dev/null
+++ b/conf/ocsp-verify.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# OpenVPN passes cert depth as $1
+depth=$1
+
+# Only check client certificate (depth 0)
+if [ "$depth" -eq 0 ]; then
+ if [ -n "$tls_serial_0" ] && [ -n "$peer_cert" ]; then
+ # Check OCSP against the CA
+ # Assuming OpenSSL server runs on 10.60.0.1:8888 for OCSP
+ status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -cert "$peer_cert" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
+
+ if echo "$status" | grep -q "cert: revoked"; then
+ exit 1
+ fi
+
+ if echo "$status" | grep -q "cert: good"; then
+ exit 0
+ fi
+
+ # If unknown or error, fail safe
+ exit 1
+ fi
+fi
+
+exit 0
diff --git a/conf/totp b/conf/totp
index 9e89fee..10fa5ab 100644
--- a/conf/totp
+++ b/conf/totp
@@ -1,3 +1,3 @@
-auth required pam_unix.so workaround_procrastination
-auth required pam_google_authenticator.so
+auth required pam_google_authenticator.so forward_pass
+auth required pam_unix.so use_first_pass
 account required pam_unix.so
diff --git a/conf/vpn.conf b/conf/vpn.conf
index e65080b..e00d471 100644
--- a/conf/vpn.conf
+++ b/conf/vpn.conf
@@ -13,7 +13,11 @@ server 10.8.0.0 255.255.255.0
 verb 4
 topology subnet
+push "route 10.60.0.0 255.255.255.0"
+# OCSP and Revocation
+script-security 2
+tls-verify /etc/openvpn/server/ocsp-verify.sh
 # auth
 cipher AES-256-GCM
 auth SHA256
@@ -22,4 +26,4 @@ auth SHA256
 plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
 tls-auth /etc/openvpn/server/ta.key 0
-static-challenge "Enter TOTP: " 1
+
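Review bot: The `cert: good` / `cert: revoked` patterns do not match what `openssl ocsp` prints: each status line is prefixed with the `-cert` argument (here the temporary path in `$peer_cert`), e.g. `/tmp/<file>: good`, so once the check actually runs every client falls through to `exit 1`. It does not run as committed, because OpenVPN only exports `peer_cert` when vpn.conf has `tls-export-cert` (this commit's vpn.conf hunk does not add it), and an empty `peer_cert` skips the inner block and reaches the final `exit 0`, accepting the client unchecked. A response that fails signature verification is also accepted: openssl still prints the status summary on stdout, reports `Response Verify Failure` only on stderr (discarded by `2>/dev/null`) and exits non-zero, but `status=$(...)` ignores that exit status. `tls_serial_0` is checked but never used. A version of the depth-0 path that fails closed on every branch is below.
```shell
# … unchanged: shebang and header comment …
depth=$1
# Intermediate/CA certificates (depth > 0): nothing to check here.
[ "$depth" -eq 0 ] || exit 0
# peer_cert is only exported when vpn.conf has tls-export-cert; fail closed without it.
[ -n "$peer_cert" ] || exit 1
# A non-zero exit covers both an unreachable responder and a response that did not verify.
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -cert "$peer_cert" \
  -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null) || exit 1
# openssl prints "<-cert argument>: good|revoked|unknown" as the first stdout line.
[ "${status%%$'\n'*}" = "$peer_cert: good" ] && exit 0
exit 1   # revoked, unknown, or unparsable: fail closed
```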
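Review bot: `forward_pass` on pam_google_authenticator.so means the client now has to send the Unix password with the TOTP code appended in a single password field, which is why `static-challenge` disappears from client.conf and vpn.conf in this commit; that convention is written down nowhere, so add a comment above the first line, e.g. `# password field = unix password followed by the TOTP code; pam_google_authenticator strips the code and forwards the rest (forward_pass / use_first_pass)`. With both modules `required`, a user who has no `~/.google_authenticator` file is rejected even with the right password, which is the safer default but worth stating in the same comment.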
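Review bot: The `# OCSP and Revocation` block relies entirely on the `tls-verify` hook for revocation; OpenVPN's built-in `crl-verify` needs no script or network and fails closed on its own, so adding `crl-verify /etc/openvpn/server/<crl.pem>` (path to be chosen) next to `tls-verify` keeps revocation enforced when the responder at 10.60.0.1:8888 is unreachable or the hook is misconfigured. `push "route 10.60.0.0 255.255.255.0"` also hands every authenticated client a route into what is presumably the inside network, matching the FORWARD rules in VM_VPN_GATEWAY.sh; a one-line comment saying that is intentional would help the next reader. `script-security 2` is the minimum level the hook needs.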