From c3d66da7c162508a7fdfddbf4aaaf2adfc4f7a58 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Fri, 6 Nov 2020 11:00:33 -0300
Subject: Feat: WIP: ipredator/njalla migration
---
share/provision/files/ipredator/etc/ferm/ferm.conf | 181 ---------------------
.../files/ipredator/etc/openvpn/ipredator.conf | 94 -----------
.../etc/udev/rules.d/81-vpn-firewall.rules | 2 -
.../files/ipredator/usr/local/bin/fermreload.sh | 39 -----
share/provision/files/njalla/etc/ferm/ferm.conf | 181 +++++++++++++++++++++
.../files/njalla/etc/openvpn/ipredator.conf | 94 +++++++++++
.../njalla/etc/udev/rules.d/81-vpn-firewall.rules | 2 +
.../files/njalla/usr/local/bin/fermreload.sh | 39 +++++
share/provision/ipredator | 50 ------
share/provision/njalla | 49 ++++++
10 files changed, 365 insertions(+), 366 deletions(-)
delete mode 100644 share/provision/files/ipredator/etc/ferm/ferm.conf
delete mode 100644 share/provision/files/ipredator/etc/openvpn/ipredator.conf
delete mode 100644 share/provision/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules
delete mode 100755 share/provision/files/ipredator/usr/local/bin/fermreload.sh
create mode 100644 share/provision/files/njalla/etc/ferm/ferm.conf
create mode 100644 share/provision/files/njalla/etc/openvpn/ipredator.conf
create mode 100644 share/provision/files/njalla/etc/udev/rules.d/81-vpn-firewall.rules
create mode 100755 share/provision/files/njalla/usr/local/bin/fermreload.sh
delete mode 100755 share/provision/ipredator
create mode 100755 share/provision/njalla
(limited to 'share')
diff --git a/share/provision/files/ipredator/etc/ferm/ferm.conf b/share/provision/files/ipredator/etc/ferm/ferm.conf
deleted file mode 100644
index a25a3d2..0000000
--- a/share/provision/files/ipredator/etc/ferm/ferm.conf
+++ /dev/null
@@ -1,181 +0,0 @@ -# -*- shell-script -*- -# -# Configuration file for ferm(1). -# -# V: 0.1 -# -# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html -# Blog post: https://blog.ipredator.se/linux-firewall-howto.html -# - -# Really make sure that these modules exist and are loaded. -@hook pre "/sbin/modprobe nf_conntrack_ftp"; -@hook pre "/sbin/modprobe nfnetlink_log"; - -# Network interfaces. -#@def $DEV_LAN = eth0; -@def $DEV_LAN = ens3; -@def $DEV_LOOPBACK = lo0; -@def $DEV_VPN = tun0; - -# Network definition for the loopback device. This is needed to allow -# DNS resolution on Ubuntu Linux where the local resolver is bound -# to 127.0.1.1 - as opposed to the default 127.0.0.1. -@def $NET_LOOPBACK = 127.0.0.0/8; - -# Common application ports. -@def $PORT_DNS = 53; -@def $PORT_FTP = ( 20 21 ); -@def $PORT_NTP = 123; -@def $PORT_SSH = 22; -@def $PORT_WEB = ( 80 443 ); - -# The ports we allow OpenVPN to connect to. IPredator allows you -# to connect on _any_ port. Simply add more ports if desired but -# stick to only those that you really need. -@def $PORT_OPENVPN = (1194 1234 1337 2342 5060); - -# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html -# Ports Transmission is allowed to use. -@def $PORT_TRANSMISSION = 16384:65535; - -# Public DNS servers and those that are only reachable via VPN. -# DNS servers are specified in the outbound DNS rules to prevent DNS leaks -# (https://www.dnsleaktest.com/). The public DNS servers configured on your -# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns), -# but you need to verify this. -# -@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32); - -# Add your ISP name server to this object if you want to restrict -# which DNS servers can be queried. -@def $IP_DNS_PUBLIC = 0.0.0.0/0; - -# DNS server available within the VPN. 
-@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 ); - -# Make sure to use the proper VPN interface (e.g. tun0 in this case). -# Note: You cannot reference $DEV_VPN here, substition does not take -# place for commands passed to a sub shell. -@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`; - -# VPN interface conditional. If true the following rules are loaded. -@if $VPN_ACTIVE { - domain ip { - table filter { - chain INPUT { - interface $DEV_VPN { - proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT; - } - } - chain OUTPUT { - # Default allowed outbound services on the VPN interface. - # If you need more simply add your rules here. - outerface $DEV_VPN { - proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT; - proto tcp dport $PORT_FTP ACCEPT; - proto udp dport $PORT_NTP ACCEPT; - proto tcp dport $PORT_SSH ACCEPT; - proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT; - proto tcp dport $PORT_WEB ACCEPT; - } - } - } - } -} - -# The main IPv4 rule set. -domain ip { - table filter { - chain INPUT { - # The default policy for the chain. Usually ACCEPT or DROP or REJECT. - policy DROP; - - # Connection tracking. - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - # Allow local traffic to loopback interface. - daddr $NET_LOOPBACK ACCEPT; - - # Allow inbound SSH on your LAN interface _only_. - interface $DEV_LAN { - proto tcp dport $PORT_SSH ACCEPT; - } - - # Respond to ping ... makes debugging easier. - proto icmp icmp-type echo-request ACCEPT; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - - chain OUTPUT { - policy DROP; - - # Connection tracking. - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - # Allow local traffic from the loopback interface. - saddr $NET_LOOPBACK ACCEPT; - - # Respond to ping. - proto icmp icmp-type echo-request ACCEPT; - - # Allowed services on the LAN interface. 
- outerface $DEV_LAN { - proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT; - proto udp dport $PORT_NTP ACCEPT; - proto (tcp udp) dport $PORT_OPENVPN ACCEPT; - proto tcp dport $PORT_SSH ACCEPT; - } - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - - chain FORWARD { - policy DROP; - - # If you use your machine to route traffic eg. - # from a VM you have to add rules here! - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - } -} - -# IPv6 is generally disabled, communication on the loopback device is allowed. -domain ip6 { - table filter { - chain INPUT { - policy DROP; - - # Allow local traffic. - interface $DEV_LOOPBACK ACCEPT; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - chain OUTPUT { - policy DROP; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - chain FORWARD { - policy DROP; - - # Log dropped packets. - NFLOG nflog-group 1; - DROP; - } - } -} diff --git a/share/provision/files/ipredator/etc/openvpn/ipredator.conf b/share/provision/files/ipredator/etc/openvpn/ipredator.conf deleted file mode 100644 index 439f31b..0000000 --- a/share/provision/files/ipredator/etc/openvpn/ipredator.conf +++ /dev/null 
@@ -1,94 +0,0 @@ -# VER: 0.25 -client -dev tun0 -proto udp -remote pw.openvpn.ipredator.se 1194 -remote pw.openvpn.ipredator.me 1194 -remote pw.openvpn.ipredator.es 1194 -resolv-retry infinite -nobind - -#auth-user-pass /etc/openvpn/IPredator.auth -auth-user-pass /etc/openvpn/ipredator.auth -auth-retry nointeract - -ca [inline] - -tls-client -tls-auth [inline] -ns-cert-type server -remote-cert-tls server -remote-cert-ku 0x00e0 - -keepalive 10 30 -cipher AES-256-CBC -persist-key -comp-lzo -tun-mtu 1500 -mssfix 1200 -passtos -verb 3 -replay-window 512 60 -mute-replay-warnings -ifconfig-nowarn - -script-security 2 -up /etc/openvpn/update-resolv-conf -down /etc/openvpn/update-resolv-conf - -# Disable this if your system does not support it! -tls-version-min 1.2 - - ------BEGIN CERTIFICATE----- -MIIFJzCCBA+gAwIBAgIJAKee4ZMMpvhzMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD -VQQGEwJTRTESMBAGA1UECBMJQnJ5Z2dsYW5kMQ8wDQYDVQQHEwZPZWxkYWwxJDAi -BgNVBAoTG1JveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbjESMBAGA1UECxMJSW50 -ZXJuZXR6MScwJQYDVQQDEx5Sb3lhbCBTd2VkaXNoIEJlZXIgU3F1YWRyb24gQ0Ex -JjAkBgkqhkiG9w0BCQEWF2hvc3RtYXN0ZXJAaXByZWRhdG9yLnNlMB4XDTEyMDgw -NDIxMTAyNVoXDTIyMDgwMjIxMTAyNVowgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQI -EwlCcnlnZ2xhbmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dl -ZGlzaCBCZWVyIFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMT -HlJveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYX -aG9zdG1hc3RlckBpcHJlZGF0b3Iuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQCp5M22fZtwtIh6Mu9IwC3N2tEFqyNTEP1YyXasjf+7VNISqSpFy+tf -DsHAkiE9Wbv8KFM9bOoVK1JjdDsetxArm/RNsUWm/SNyVbmY+5ezX/n95S7gQdMi -bA74/ID2+KsCXUY+HNNUQqFpyK67S09A6r0ZwPNUDbLgGnmCZRMDBPCHCbiK6e68 -d75v6f/0nY4AyAAAyqwAELIAn6sy4rzoPbalxcO33eW0fUG/ir41qqo8BQrWKyEd -Q9gy8tGEqbLQ+B30bhIvBh10YtWq6fgFZJzWP6K8bBJGRvioFOyQHCaVH98UjwOm -/AqMTg7LwNrpRJGcKLHzUf3gNSHQGHfzAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU -pRqJxaYdvv3XGEECUqj7DJJ8ptswgfIGA1UdIwSB6jCB54AUpRqJxaYdvv3XGEEC -Uqj7DJJ8ptuhgcOkgcAwgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlCcnlnZ2xh 
-bmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dlZGlzaCBCZWVy -IFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMTHlJveWFsIFN3 -ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYXaG9zdG1hc3Rl -ckBpcHJlZGF0b3Iuc2WCCQCnnuGTDKb4czAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 -DQEBBQUAA4IBAQB8nxZJaTvMMoSG47jD2w31zt9o6nSx8XJKop/0rMMHKBe1QBUw -/n3clGwYxBW8mTnrXHhmJkwJzA0Vh525+dkF28E0I+DSigKUXEewIZtKjADYSxaG -M+4272enbJ86JeXUhN8oF9TT+LKgMBgtt9yX5o63Ek6QOKwovH5kemDOVJmwae9p -tXQEWfCPDFMc7VfSxS4BDBVinRWeMWZs+2AWeWu2CMsjcx7+B+kPbBCzfANanFDD -CZEQON4pEpfK2XErhOudKEJGCl7psH+9Ex//pqsUS43nVN/4sqydiwbi+wQuUI3P -BYtvqPnWdjIdf2ayAQQCWliAx9+P03vbef6y ------END CERTIFICATE----- - - - ------BEGIN OpenVPN Static key V1----- -03f7b2056b9dc67aa79c59852cb6b35a -a3a15c0ca685ca76890bbb169e298837 -2bdc904116f5b66d8f7b3ea6a5ff05cb -fc4f4889d702d394710e48164b28094f -a0e1c7888d471da39918d747ca4bbc2f -285f676763b5b8bee9bc08e4b5a69315 -d2ff6b9f4b38e6e2e8bcd05c8ac33c5c -56c4c44dbca35041b67e2374788f8977 -7ad4ab8e06cd59e7164200dfbadb942a -351a4171ab212c23bee1920120f81205 -efabaa5e34619f13adbe58b6c83536d3 -0d34e6466feabdd0e63b39ad9bb1116b -37fafb95759ab9a15572842f70e7cba9 -69700972a01b21229eba487745c091dd -5cd6d77bdc7a54a756ffe440789fd39e -97aa9abe2749732b7262f82e4097bee3 ------END OpenVPN Static key V1----- - diff --git a/share/provision/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules deleted file mode 100644 index 64d8bd1..0000000 --- a/share/provision/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules +++ /dev/null @@ -1,2 +0,0 @@ -KERNEL=="tun0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add" -KERNEL=="tun0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove" diff --git a/share/provision/files/ipredator/usr/local/bin/fermreload.sh b/share/provision/files/ipredator/usr/local/bin/fermreload.sh deleted file mode 100755 index cebf7cc..0000000 
--- a/share/provision/files/ipredator/usr/local/bin/fermreload.sh +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/bash -# -# fermreload.sh -# V: 0.1 -# -# Reloads the ferm firewall ruleset and is invoked by -# the udev via /etc/udev/rules.d/81-vpn-firewall.rules. -# -# IPredator 2014 -# Released under the Kopimi license. -# -# Blog post: https://blog.ipredator.se/linux-firewall-howto.html -# - -LOGGER=/usr/bin/logger -LOGGER_TAG=$0 - -UDEV_ACTION=$1 - -FERM=/usr/sbin/ferm -FERM_CONF=/etc/ferm/ferm.conf - -MSG_FW_RULE_ADD="Adding VPN firewall rules." -MSG_FW_RULE_REMOVE="Removing VPN firewall rules." -MSG_UDEV_ACTION_UNKNOWN="Unknown udev action." - -case "$UDEV_ACTION" in - add) - $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD - $FERM $FERM_CONF - ;; - remove) - $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE - $FERM $FERM_CONF - ;; - *) - $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN - exit 1 -esac diff --git a/share/provision/files/njalla/etc/ferm/ferm.conf b/share/provision/files/njalla/etc/ferm/ferm.conf new file mode 100644 index 0000000..a25a3d2 --- /dev/null +++ b/share/provision/files/njalla/etc/ferm/ferm.conf 
@@ -0,0 +1,181 @@ +# -*- shell-script -*- +# +# Configuration file for ferm(1). +# +# V: 0.1 +# +# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html +# Blog post: https://blog.ipredator.se/linux-firewall-howto.html +# + +# Really make sure that these modules exist and are loaded. +@hook pre "/sbin/modprobe nf_conntrack_ftp"; +@hook pre "/sbin/modprobe nfnetlink_log"; + +# Network interfaces. +#@def $DEV_LAN = eth0; +@def $DEV_LAN = ens3; +@def $DEV_LOOPBACK = lo0; +@def $DEV_VPN = tun0; + +# Network definition for the loopback device. This is needed to allow +# DNS resolution on Ubuntu Linux where the local resolver is bound +# to 127.0.1.1 - as opposed to the default 127.0.0.1. +@def $NET_LOOPBACK = 127.0.0.0/8; + +# Common application ports. +@def $PORT_DNS = 53; +@def $PORT_FTP = ( 20 21 ); +@def $PORT_NTP = 123; +@def $PORT_SSH = 22; +@def $PORT_WEB = ( 80 443 ); + +# The ports we allow OpenVPN to connect to. IPredator allows you +# to connect on _any_ port. Simply add more ports if desired but +# stick to only those that you really need. +@def $PORT_OPENVPN = (1194 1234 1337 2342 5060); + +# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html +# Ports Transmission is allowed to use. +@def $PORT_TRANSMISSION = 16384:65535; + +# Public DNS servers and those that are only reachable via VPN. +# DNS servers are specified in the outbound DNS rules to prevent DNS leaks +# (https://www.dnsleaktest.com/). The public DNS servers configured on your +# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns), +# but you need to verify this. +# +@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32); + +# Add your ISP name server to this object if you want to restrict +# which DNS servers can be queried. +@def $IP_DNS_PUBLIC = 0.0.0.0/0; + +# DNS server available within the VPN. 
+@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 ); + +# Make sure to use the proper VPN interface (e.g. tun0 in this case). +# Note: You cannot reference $DEV_VPN here, substition does not take +# place for commands passed to a sub shell. +@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`; + +# VPN interface conditional. If true the following rules are loaded. +@if $VPN_ACTIVE { + domain ip { + table filter { + chain INPUT { + interface $DEV_VPN { + proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT; + } + } + chain OUTPUT { + # Default allowed outbound services on the VPN interface. + # If you need more simply add your rules here. + outerface $DEV_VPN { + proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT; + proto tcp dport $PORT_FTP ACCEPT; + proto udp dport $PORT_NTP ACCEPT; + proto tcp dport $PORT_SSH ACCEPT; + proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT; + proto tcp dport $PORT_WEB ACCEPT; + } + } + } + } +} + +# The main IPv4 rule set. +domain ip { + table filter { + chain INPUT { + # The default policy for the chain. Usually ACCEPT or DROP or REJECT. + policy DROP; + + # Connection tracking. + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # Allow local traffic to loopback interface. + daddr $NET_LOOPBACK ACCEPT; + + # Allow inbound SSH on your LAN interface _only_. + interface $DEV_LAN { + proto tcp dport $PORT_SSH ACCEPT; + } + + # Respond to ping ... makes debugging easier. + proto icmp icmp-type echo-request ACCEPT; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + + chain OUTPUT { + policy DROP; + + # Connection tracking. + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # Allow local traffic from the loopback interface. + saddr $NET_LOOPBACK ACCEPT; + + # Respond to ping. + proto icmp icmp-type echo-request ACCEPT; + + # Allowed services on the LAN interface. 
+ outerface $DEV_LAN { + proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT; + proto udp dport $PORT_NTP ACCEPT; + proto (tcp udp) dport $PORT_OPENVPN ACCEPT; + proto tcp dport $PORT_SSH ACCEPT; + } + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + + chain FORWARD { + policy DROP; + + # If you use your machine to route traffic eg. + # from a VM you have to add rules here! + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + } +} + +# IPv6 is generally disabled, communication on the loopback device is allowed. +domain ip6 { + table filter { + chain INPUT { + policy DROP; + + # Allow local traffic. + interface $DEV_LOOPBACK ACCEPT; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + chain OUTPUT { + policy DROP; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + chain FORWARD { + policy DROP; + + # Log dropped packets. + NFLOG nflog-group 1; + DROP; + } + } +} diff --git a/share/provision/files/njalla/etc/openvpn/ipredator.conf b/share/provision/files/njalla/etc/openvpn/ipredator.conf new file mode 100644 index 0000000..439f31b --- /dev/null +++ b/share/provision/files/njalla/etc/openvpn/ipredator.conf 
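Review bot: `@def $DEV_LOOPBACK = lo0;` names the BSD loopback device; on Linux the interface is `lo`, so the ip6 INPUT rule `interface $DEV_LOOPBACK ACCEPT` never matches and IPv6 traffic to ::1 is dropped, and the ip6 OUTPUT chain has no loopback rule at all, so it is dropped on the way out regardless of the name. Change the definition to `@def $DEV_LOOPBACK = lo;` and add `outerface $DEV_LOOPBACK ACCEPT;` to the ip6 OUTPUT chain, or correct the header comment that claims loopback communication is allowed. The resolver lists `$IP_DNS_IPR_PUBLIC` and `$IP_DNS_VPN` are still IPredator's addresses, so with a Njalla tunnel the only DNS the OUTPUT rule permits on `$DEV_VPN` goes to the old provider; the Njalla resolver addresses have to replace them before this file is usable. The whole file is a verbatim copy of the deleted ipredator version (same blob a25a3d2), including the hardcoded `ip link show tun0` in `$VPN_ACTIVE`, so none of this was adjusted for the migration.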
@@ -0,0 +1,94 @@ +# VER: 0.25 +client +dev tun0 +proto udp +remote pw.openvpn.ipredator.se 1194 +remote pw.openvpn.ipredator.me 1194 +remote pw.openvpn.ipredator.es 1194 +resolv-retry infinite +nobind + +#auth-user-pass /etc/openvpn/IPredator.auth +auth-user-pass /etc/openvpn/ipredator.auth +auth-retry nointeract + +ca [inline] + +tls-client +tls-auth [inline] +ns-cert-type server +remote-cert-tls server +remote-cert-ku 0x00e0 + +keepalive 10 30 +cipher AES-256-CBC +persist-key +comp-lzo +tun-mtu 1500 +mssfix 1200 +passtos +verb 3 +replay-window 512 60 +mute-replay-warnings +ifconfig-nowarn + +script-security 2 +up /etc/openvpn/update-resolv-conf +down /etc/openvpn/update-resolv-conf + +# Disable this if your system does not support it! +tls-version-min 1.2 + + +-----BEGIN CERTIFICATE----- +MIIFJzCCBA+gAwIBAgIJAKee4ZMMpvhzMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD +VQQGEwJTRTESMBAGA1UECBMJQnJ5Z2dsYW5kMQ8wDQYDVQQHEwZPZWxkYWwxJDAi +BgNVBAoTG1JveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbjESMBAGA1UECxMJSW50 +ZXJuZXR6MScwJQYDVQQDEx5Sb3lhbCBTd2VkaXNoIEJlZXIgU3F1YWRyb24gQ0Ex +JjAkBgkqhkiG9w0BCQEWF2hvc3RtYXN0ZXJAaXByZWRhdG9yLnNlMB4XDTEyMDgw +NDIxMTAyNVoXDTIyMDgwMjIxMTAyNVowgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQI +EwlCcnlnZ2xhbmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dl +ZGlzaCBCZWVyIFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMT +HlJveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYX +aG9zdG1hc3RlckBpcHJlZGF0b3Iuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCp5M22fZtwtIh6Mu9IwC3N2tEFqyNTEP1YyXasjf+7VNISqSpFy+tf +DsHAkiE9Wbv8KFM9bOoVK1JjdDsetxArm/RNsUWm/SNyVbmY+5ezX/n95S7gQdMi +bA74/ID2+KsCXUY+HNNUQqFpyK67S09A6r0ZwPNUDbLgGnmCZRMDBPCHCbiK6e68 +d75v6f/0nY4AyAAAyqwAELIAn6sy4rzoPbalxcO33eW0fUG/ir41qqo8BQrWKyEd +Q9gy8tGEqbLQ+B30bhIvBh10YtWq6fgFZJzWP6K8bBJGRvioFOyQHCaVH98UjwOm +/AqMTg7LwNrpRJGcKLHzUf3gNSHQGHfzAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU +pRqJxaYdvv3XGEECUqj7DJJ8ptswgfIGA1UdIwSB6jCB54AUpRqJxaYdvv3XGEEC +Uqj7DJJ8ptuhgcOkgcAwgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlCcnlnZ2xh 
+bmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dlZGlzaCBCZWVy +IFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMTHlJveWFsIFN3 +ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYXaG9zdG1hc3Rl +ckBpcHJlZGF0b3Iuc2WCCQCnnuGTDKb4czAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBBQUAA4IBAQB8nxZJaTvMMoSG47jD2w31zt9o6nSx8XJKop/0rMMHKBe1QBUw +/n3clGwYxBW8mTnrXHhmJkwJzA0Vh525+dkF28E0I+DSigKUXEewIZtKjADYSxaG +M+4272enbJ86JeXUhN8oF9TT+LKgMBgtt9yX5o63Ek6QOKwovH5kemDOVJmwae9p +tXQEWfCPDFMc7VfSxS4BDBVinRWeMWZs+2AWeWu2CMsjcx7+B+kPbBCzfANanFDD +CZEQON4pEpfK2XErhOudKEJGCl7psH+9Ex//pqsUS43nVN/4sqydiwbi+wQuUI3P +BYtvqPnWdjIdf2ayAQQCWliAx9+P03vbef6y +-----END CERTIFICATE----- + + + +-----BEGIN OpenVPN Static key V1----- +03f7b2056b9dc67aa79c59852cb6b35a +a3a15c0ca685ca76890bbb169e298837 +2bdc904116f5b66d8f7b3ea6a5ff05cb +fc4f4889d702d394710e48164b28094f +a0e1c7888d471da39918d747ca4bbc2f +285f676763b5b8bee9bc08e4b5a69315 +d2ff6b9f4b38e6e2e8bcd05c8ac33c5c +56c4c44dbca35041b67e2374788f8977 +7ad4ab8e06cd59e7164200dfbadb942a +351a4171ab212c23bee1920120f81205 +efabaa5e34619f13adbe58b6c83536d3 +0d34e6466feabdd0e63b39ad9bb1116b +37fafb95759ab9a15572842f70e7cba9 +69700972a01b21229eba487745c091dd +5cd6d77bdc7a54a756ffe440789fd39e +97aa9abe2749732b7262f82e4097bee3 +-----END OpenVPN Static key V1----- + diff --git a/share/provision/files/njalla/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla/etc/udev/rules.d/81-vpn-firewall.rules new file mode 100644 index 0000000..64d8bd1 --- /dev/null +++ b/share/provision/files/njalla/etc/udev/rules.d/81-vpn-firewall.rules @@ -0,0 +1,2 @@ +KERNEL=="tun0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add" +KERNEL=="tun0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove" diff --git a/share/provision/files/njalla/usr/local/bin/fermreload.sh b/share/provision/files/njalla/usr/local/bin/fermreload.sh new file mode 100755 index 0000000..cebf7cc --- /dev/null +++ b/share/provision/files/njalla/usr/local/bin/fermreload.sh 
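Review bot: The new `files/njalla/etc/openvpn/ipredator.conf` is a byte-for-byte copy of the deleted IPredator profile (same blob 439f31b): the `remote` lines, the inline CA and the inline `tls-auth` key all belong to IPredator, so nothing in the njalla tree actually connects to Njalla, and the provision script in this commit never installs this file either. Separately, `ns-cert-type server` was deprecated in OpenVPN 2.4 and, as far as I recall, dropped in 2.5, so newer clients reject the profile; `remote-cert-tls server` on the next line already performs the server-certificate check, so the `ns-cert-type server` line can simply be removed. `comp-lzo` turns on tunnel compression, which current OpenVPN guidance advises against because compressed encrypted traffic leaks information about its plaintext; consider leaving it out of whatever Njalla profile replaces this one.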
@@ -0,0 +1,39 @@ +#!/bin/bash +# +# fermreload.sh +# V: 0.1 +# +# Reloads the ferm firewall ruleset and is invoked by +# the udev via /etc/udev/rules.d/81-vpn-firewall.rules. +# +# IPredator 2014 +# Released under the Kopimi license. +# +# Blog post: https://blog.ipredator.se/linux-firewall-howto.html +# + +LOGGER=/usr/bin/logger +LOGGER_TAG=$0 + +UDEV_ACTION=$1 + +FERM=/usr/sbin/ferm +FERM_CONF=/etc/ferm/ferm.conf + +MSG_FW_RULE_ADD="Adding VPN firewall rules." +MSG_FW_RULE_REMOVE="Removing VPN firewall rules." +MSG_UDEV_ACTION_UNKNOWN="Unknown udev action." + +case "$UDEV_ACTION" in + add) + $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD + $FERM $FERM_CONF + ;; + remove) + $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE + $FERM $FERM_CONF + ;; + *) + $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN + exit 1 +esac diff --git a/share/provision/ipredator b/share/provision/ipredator deleted file mode 100755 index ca762c9..0000000 --- a/share/provision/ipredator +++ /dev/null 
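Review bot: The exit status of `$FERM $FERM_CONF` is never checked in either the `add` or the `remove` branch, so when ferm fails to parse or apply the ruleset the udev hook still logs "Adding VPN firewall rules." and exits 0, and the only trace of a firewall that was not reloaded is ferm's own stderr, which udev discards. Wrap the call: `$FERM "$FERM_CONF" || { $LOGGER -t "$LOGGER_TAG" "ferm reload failed ($UDEV_ACTION)"; exit 1; }`. The message variables are also expanded unquoted (`$LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD`), which only works because logger re-joins the split words; quoting them (`"$LOGGER_TAG"`, `"$MSG_FW_RULE_ADD"`) keeps the message a single argument. Since both branches run the same commands, `add|remove)` would remove the duplicated block.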
@@ -1,50 +0,0 @@ -#!/usr/bin/env bash -# -# Full desktop provision example -# -# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published -# by the Free Software Foundation, either version 3 of the License, -# or any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -# Parameters -DIRNAME="`dirname $0`" -BASENAME="`basename $0`" -HOSTNAME="$1" -DOMAIN="$2" -MIRROR="$3" -APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y" - -# Provision the basic stuff -$DIRNAME/vpn $HOSTNAME $DOMAIN $MIRROR - -# Firewall -# See https://blog.ipredator.se/linux-firewall-howto.html -$APT_INSTALL ferm ulogd2 ulogd2-pcap -sudo cp $DIRNAME/files/ipredator/etc/ferm/ferm.conf /etc/ferm -sudo cp $DIRNAME/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d -sudo cp $DIRNAME/files/ipredator/usr/local/bin/fermreload.sh /usr/local/bin -sudo chmod 555 /usr/local/bin/fermreload.sh -sudo sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm -sudo service ferm restart - -# IPredator -# See https://www.ipredator.se/guide/openvpn/debian/native -sudo cp $DIRNAME/files/ipredator/etc/openvpn/ipredator.conf /etc/openvpn -sudo touch /etc/openvpn/ipredator.auth -sudo chown root:root /etc/openvpn/ipredator.conf -sudo chown root:root /etc/openvpn/ipredator.auth -sudo chmod 400 /etc/openvpn/ipredator.conf -sudo chmod 400 /etc/openvpn/ipredator.auth -echo "Please set user/password at /etc/openvpn/ipredator.auth" 
diff --git a/share/provision/njalla b/share/provision/njalla
new file mode 100755
index 0000000..9598d8c
--- /dev/null
+++ b/share/provision/njalla
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+#
+# Full desktop provision example
+#
+# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published
+# by the Free Software Foundation, either version 3 of the License,
+# or any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+# Parameters
+DIRNAME="`dirname $0`"
+BASENAME="`basename $0`"
+HOSTNAME="$1"
+DOMAIN="$2"
+MIRROR="$3"
+APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y"
+
+# Provision the basic stuff
+$DIRNAME/vpn $HOSTNAME $DOMAIN $MIRROR
+
+# Firewall
+$APT_INSTALL ferm ulogd2 ulogd2-pcap
+sudo cp $DIRNAME/files/njalla/etc/ferm/ferm.conf /etc/ferm
+sudo cp $DIRNAME/files/njalla/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d
+sudo cp $DIRNAME/files/njalla/usr/local/bin/fermreload.sh /usr/local/bin
+sudo chmod 555 /usr/local/bin/fermreload.sh
+sudo sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm
+sudo service ferm restart
+
+# Njalla
+#sudo cp $DIRNAME/files/njalla/etc/openvpn/njalla.conf /etc/openvpn
+#sudo touch /etc/openvpn/njalla.auth
+#sudo chown root:root /etc/openvpn/njalla.conf
+#sudo chown root:root /etc/openvpn/njalla.auth
+#sudo chmod 400 /etc/openvpn/njalla.conf
+#sudo chmod 400 /etc/openvpn/njalla.auth
+#echo "Please set user/password at /etc/openvpn/njalla.auth"
+echo "Please configure /etc/openvpn/njalla.conf"
-- 
cgit v1.2.3
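Review bot: `echo "Please configure /etc/openvpn/njalla.conf"` on the last line points the operator at a file this script never creates: the only OpenVPN profile shipped under `files/njalla/etc/openvpn/` is still `ipredator.conf`, and every line that would install a profile or create the credentials file is commented out, so a host provisioned by this script gets ferm enforcing the shipped rule set (per that ferm.conf, only DNS, NTP, SSH and the OpenVPN ports leave the LAN interface) and no VPN to go with it. If the Njalla profile is not ready yet, at least keep the credential handling live so the file is not later created by hand with default permissions: `sudo touch /etc/openvpn/njalla.auth`, `sudo chown root:root /etc/openvpn/njalla.auth`, `sudo chmod 400 /etc/openvpn/njalla.auth`. `$DIRNAME`, `$HOSTNAME`, `$DOMAIN` and `$MIRROR` are expanded unquoted throughout; `DIRNAME="$(dirname "$0")"` and quoting the arguments passed to `$DIRNAME/vpn` would keep paths and names containing spaces intact.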