vasco/FSI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hmm3

Browse Source
This commit is contained in:
Vasco
2026-04-21 23:06:47 +01:00
parent 445c99b10e
commit 21a4fb5d08
5 changed files with 38 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
VM_VPN_GATEWAY.sh
View File

@@ -25,11 +25,11 @@ ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf sysctl -p /etc/sysctl.conf
iptables -A INPUT -p udp --dport 1194 -j ACCEPT # :O iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT # :O
iptables -A FORWARD -i $mega_tunel -o $if_dentro -j ACCEPT # :P iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT # :P
iptables -A FORWARD -i $if_dentro -o $mega_tunel -j ACCEPT # ;) iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT # ;)
iptables -A FORWARD -i $mega_tunel -o $if_fora -j ACCEPT # faltava isto ? iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT # faltava isto ?
iptables -A FORWARD -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT # faltava isto ? iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT # faltava isto ?
iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE # :D iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE # :D
iptables-save > /etc/sysconfig/iptables # :3 iptables-save > /etc/sysconfig/iptables # :3
@@ -41,5 +41,6 @@ cp ca/vpn.key $vpn_dir
cp ca/vpn.crt $vpn_dir cp ca/vpn.crt $vpn_dir
cp ca/dh2048.pem $vpn_dir cp ca/dh2048.pem $vpn_dir
cp conf/vpn.conf $vpn_dir cp conf/vpn.conf $vpn_dir
cp conf/ocsp-verify.sh $vpn_dir
cp conf/totp /etc/pam.d/ cp conf/totp /etc/pam.d/
systemctl enable --now openvpn-server@vpn.service systemctl enable --now openvpn-server@vpn.service

1
conf/client.conf
View File

@@ -18,5 +18,4 @@ auth-user-pass
tls-auth /etc/openvpn/client/ta.key 1 tls-auth /etc/openvpn/client/ta.key 1
remote-cert-tls server remote-cert-tls server
static-challenge "Enter TOTP: " 1
reneg-sec 0 reneg-sec 0

25
conf/ocsp-verify.sh Executable file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
# OpenVPN passes cert depth as $1
depth=$1
# Only check client certificate (depth 0)
if [ "$depth" -eq 0 ]; then
if [ -n "$tls_serial_0" ] && [ -n "$peer_cert" ]; then
# Check OCSP against the CA
# Assuming OpenSSL server runs on 10.60.0.1:8888 for OCSP
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -cert "$peer_cert" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
if echo "$status" | grep -q "cert: revoked"; then
exit 1
fi
if echo "$status" | grep -q "cert: good"; then
exit 0
fi
# If unknown or error, fail safe
exit 1
fi
fi
exit 0

4
conf/totp
View File

@@ -1,3 +1,3 @@
auth required pam_unix.so workaround_procrastination auth required pam_google_authenticator.so forward_pass
auth required pam_google_authenticator.so auth required pam_unix.so use_first_pass
account required pam_unix.so account required pam_unix.so

6
conf/vpn.conf
View File

@@ -13,7 +13,11 @@ server 10.8.0.0 255.255.255.0
verb 4 verb 4
topology subnet topology subnet
push "route 10.60.0.0 255.255.255.0"
# OCSP and Revocation
script-security 2
tls-verify /etc/openvpn/server/ocsp-verify.sh
# auth # auth
cipher AES-256-GCM cipher AES-256-GCM
auth SHA256 auth SHA256
@@ -22,4 +26,4 @@ auth SHA256
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
tls-auth /etc/openvpn/server/ta.key 0 tls-auth /etc/openvpn/server/ta.key 0
static-challenge "Enter TOTP: " 1