zeus 4 years ago
parent
commit
812b9570c0
  1. 173
      labs/sec/ex-5_iptables.adoc
  2. 168
      labs/sec/ex-5_iptables.adoc.html
  3. 1894
      labs/sec/ex-5_iptables.adoc.pdf

173
labs/sec/ex-5_iptables.adoc

@ -57,53 +57,48 @@ https://en.wikipedia.org/wiki/OpenVPN[More: wikipedia]
[source,bash]
----
#!/bin/bash
IP=192.168.89.5 # Server IP
IP=127.0.0.1 # Server IP
P=1194 # Server Port
OVPN_SERVER='10.80.0.0/16' # VPN Network
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist **
#vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist **
vpn_data=$PWD/openvpn-services/
if [ ! -d $vpn_data ]; then
mkdir -p $vpn_data
fi
NAME=swarmlab-vpn-services # name of docker service
DOCKERnetwork=swarmlab-vpn-services-network # docker network
docker=registry.vlabs.uniwa.gr:5080/myownvpn # docker image
docker stop $NAME #stop container
sleep 3
sleep 1
docker container rm $NAME #rm container
# rm config files
sudo rm -f $vpn_data/openvpn.conf.*.bak
sudo rm -f $vpn_data/openvpn.conf
sudo rm -f $vpn_data/ovpn_env.sh.*.bak
sudo rm -f $vpn_data/ovpn_env.sh
rm -f $vpn_data/openvpn.conf.*.bak
rm -f $vpn_data/openvpn.conf
rm -f $vpn_data/ovpn_env.sh.*.bak
rm -f $vpn_data/ovpn_env.sh
# create network
sleep 2
sleep 1
docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork
read -d '' MULTILINE_EXTRA_SERVER_CONF << EOF
duplicate-cn
max-clients 35000
topology subnet
EOF
#run container
sleep 3
docker run --net=none -it -v $vpn_data:/etc/openvpn --rm $docker ovpn_genconfig -u udp://$IP:1194 \
#run container see ovpn_genconfig
docker run --net=none -it -v $vpn_data:/etc/openvpn -p 1194:1194 --rm $docker ovpn_genconfig -u udp://$IP:1194 \
-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER
# create pki
sleep 3
echo "new pki is disabled"
# create pki see ovpn_initpki
docker run --net=none -v $vpn_data:/etc/openvpn --rm -it $docker ovpn_initpki
#sleep 3
# see ovpn_copy_server_files
#docker run --net=none -v $vpn_data:/etc/openvpn --rm $docker ovpn_copy_server_files
#create vpn
sleep 3
#create vpn see --cap-add=NET_ADMIN
sleep 1
docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker
sleep 5
sudo sysctl -w net.ipv4.ip_forward=1
#show created
@ -113,122 +108,58 @@ docker ps
== Create user
.config
.create-user.sh
[source,bash]
----
#!/bin/bash
IP=83.212.114.14
P=5194
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/
NAME=swarmlab-vpn-services
DOCKERnetwork=swarmlab-vpn-services-network
USERNAME=test1
vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn
PATHNAME=/var/lib/swarmlab/openvpn/etc/vpn-data_user_config
vpn_data_user_config=$PATHNAME
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/
vpn_data_user_config=/var/lib/swarmlab/openvpn/etc/vpn-data_user_config
NAME=swarmlab-vpn-services
MANAGER=/var/lib/swarmlab/openvpn/etc/managers
WORKER=/var/lib/swarmlab/openvpn/etc/workers
MANAGERkeys=/var/lib/swarmlab/openvpn/etc/managers_keys
docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME > $USERNAME.ovpn
----
.create-user.sh
[source,bash]
.add to $USERNAME.ovpn file
----
#!/bin/bash
. ./config
sudo mkdir -p $vpn_data
sudo mkdir -p $vpn_data_user_config
sudo mkdir -p $MANAGERkeys
docker=registry.vlabs.uniwa.gr:5080/myownvpn
echo $vpnip
echo $#
docker=registry.vlabs.uniwa.gr:5080/myownvpn
echo $vpnip
echo $#
if [ $# -eq 1 ]; then
CLIENTNAME=$1
U=$CLIENTNAME
mkdir users
docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $CLIENTNAME nopass
sleep 3
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $CLIENTNAME > users/$CLIENTNAME.ovpn
file="users/$CLIENTNAME.ovpn"
ps='remote '
pi="remote $IP $P udp"
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "5a $pi" $file
ps='comp-lzo'
pi='comp-lzo no'
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "6a $pi" $file
ps='resolv-retry'
pi='resolv-retry infinite'
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "7a $pi" $file
ps='persist-key'
pi='persist-key'
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "8a $pi" $file
ps='persist-tun'
pi='persist-tun'
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "9a $pi" $file
ps='keepalive'
pi='keepalive 15 60'
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "10a $pi" $file
else
echo "no clientname"
fi
client
nobind
dev tun
comp-lzo
resolv-retry infinite
keepalive 15 60
remote-cert-tls server
remote 192.168.1.5 1194 udp
----
== rm vpn user
.rm-user.sh
[source,bash]
----
#!/bin/bash
. ./config
CLIENTNAME=$1
CLIENTNAME=test1
U=$CLIENTNAME
if [ $# -eq 1 ]; then
sudo rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
sudo rm -f $vpn_data/pki/private/$CLIENTNAME.key
sudo rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
sudo rm -f $vpn_data/server/ccd/$CLIENTNAME
sudo rm -f $vpn_data/ccd/$CLIENTNAME
vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn
rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
rm -f $vpn_data/pki/private/$CLIENTNAME.key
rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
rm -f $vpn_data/server/ccd/$CLIENTNAME
rm -f $vpn_data/ccd/$CLIENTNAME
pem=$(sudo grep "CN=$U$" $vpn_data/pki/index.txt | cut -f4)
#/var/lab/gswarm/vpn-data/pki/certs_by_serial/BACA61827E65D0E5F695245519410952.pem
sudo rm -f $vpn_data/pki/certs_by_serial/$pem.pem
sudo sed -i "/CN=$U$/d" $vpn_data/pki/index.txt
rm -f $vpn_data/pki/certs_by_serial/$pem.pem
sed -i "/CN=$U$/d" $vpn_data/pki/index.txt
echo $pem
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient $CLIENTNAME remove
sudo rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
sudo rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn
else
echo "no client"
fi
rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn
----
== show all vpn users
@ -236,8 +167,7 @@ fi
.show-user.sh
[source,bash]
----
. ./config
NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME ovpn_listclients
----
@ -246,8 +176,7 @@ docker exec -it $NAME ovpn_listclients
.show-conn-user.sh
[source,bash]
----
. ./config
NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME cat /tmp/openvpn-status.log
----

168
labs/sec/ex-5_iptables.adoc.html

@ -531,53 +531,48 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
<div class="title">create-vpn.sh</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#!/bin/bash
IP=192.168.89.5 # Server IP
IP=127.0.0.1 # Server IP
P=1194 # Server Port
OVPN_SERVER='10.80.0.0/16' # VPN Network
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist **
#vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist **
vpn_data=$PWD/openvpn-services/
if [ ! -d $vpn_data ]; then
mkdir -p $vpn_data
fi
NAME=swarmlab-vpn-services # name of docker service
DOCKERnetwork=swarmlab-vpn-services-network # docker network
docker=registry.vlabs.uniwa.gr:5080/myownvpn # docker image
docker stop $NAME #stop container
sleep 3
sleep 1
docker container rm $NAME #rm container
# rm config files
sudo rm -f $vpn_data/openvpn.conf.*.bak
sudo rm -f $vpn_data/openvpn.conf
sudo rm -f $vpn_data/ovpn_env.sh.*.bak
sudo rm -f $vpn_data/ovpn_env.sh
rm -f $vpn_data/openvpn.conf.*.bak
rm -f $vpn_data/openvpn.conf
rm -f $vpn_data/ovpn_env.sh.*.bak
rm -f $vpn_data/ovpn_env.sh
# create network
sleep 2
sleep 1
docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork
read -d '' MULTILINE_EXTRA_SERVER_CONF &lt;&lt; EOF
duplicate-cn
max-clients 35000
topology subnet
EOF
#run container
sleep 3
docker run --net=none -it -v $vpn_data:/etc/openvpn --rm $docker ovpn_genconfig -u udp://$IP:1194 \
#run container see ovpn_genconfig
docker run --net=none -it -v $vpn_data:/etc/openvpn -p 1194:1194 --rm $docker ovpn_genconfig -u udp://$IP:1194 \
-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER
# create pki
sleep 3
echo "new pki is disabled"
# create pki see ovpn_initpki
docker run --net=none -v $vpn_data:/etc/openvpn --rm -it $docker ovpn_initpki
#sleep 3
# see ovpn_copy_server_files
#docker run --net=none -v $vpn_data:/etc/openvpn --rm $docker ovpn_copy_server_files
#create vpn
sleep 3
#create vpn see --cap-add=NET_ADMIN
sleep 1
docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker
sleep 5
sudo sysctl -w net.ipv4.ip_forward=1
#show created
@ -590,84 +585,28 @@ docker ps</code></pre>
<h2 id="_create_user">4. Create user</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="title">config</div>
<div class="title">create-user.sh</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#!/bin/bash
IP=83.212.114.14
P=5194
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/
NAME=swarmlab-vpn-services
DOCKERnetwork=swarmlab-vpn-services-network
<pre class="highlight"><code class="language-bash" data-lang="bash">USERNAME=test1
vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn
PATHNAME=/var/lib/swarmlab/openvpn/etc/vpn-data_user_config
vpn_data_user_config=$PATHNAME
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/
vpn_data_user_config=/var/lib/swarmlab/openvpn/etc/vpn-data_user_config
NAME=swarmlab-vpn-services
MANAGER=/var/lib/swarmlab/openvpn/etc/managers
WORKER=/var/lib/swarmlab/openvpn/etc/workers
MANAGERkeys=/var/lib/swarmlab/openvpn/etc/managers_keys</code></pre>
docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME &gt; $USERNAME.ovpn</code></pre>
</div>
</div>
<div class="listingblock">
<div class="title">create-user.sh</div>
<div class="title">add to $USERNAME.ovpn file</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#!/bin/bash
. ./config
sudo mkdir -p $vpn_data
sudo mkdir -p $vpn_data_user_config
sudo mkdir -p $MANAGERkeys
docker=registry.vlabs.uniwa.gr:5080/myownvpn
echo $vpnip
echo $#
docker=registry.vlabs.uniwa.gr:5080/myownvpn
echo $vpnip
echo $#
<pre class="highlight"><code class="language-bash" data-lang="bash">client
nobind
dev tun
comp-lzo
resolv-retry infinite
keepalive 15 60
if [ $# -eq 1 ]; then
CLIENTNAME=$1
U=$CLIENTNAME
mkdir users
docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $CLIENTNAME nopass
sleep 3
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $CLIENTNAME &gt; users/$CLIENTNAME.ovpn
file="users/$CLIENTNAME.ovpn"
ps='remote '
pi="remote $IP $P udp"
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "5a $pi" $file
ps='comp-lzo'
pi='comp-lzo no'
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "6a $pi" $file
ps='resolv-retry'
pi='resolv-retry infinite'
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "7a $pi" $file
ps='persist-key'
pi='persist-key'
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "8a $pi" $file
ps='persist-tun'
pi='persist-tun'
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "9a $pi" $file
ps='keepalive'
pi='keepalive 15 60'
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "10a $pi" $file
else
echo "no clientname"
fi</code></pre>
remote-cert-tls server
remote 192.168.1.5 1194 udp</code></pre>
</div>
</div>
</div>
@ -679,30 +618,27 @@ fi</code></pre>
<div class="title">rm-user.sh</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#!/bin/bash
. ./config
CLIENTNAME=$1
CLIENTNAME=test1
U=$CLIENTNAME
if [ $# -eq 1 ]; then
sudo rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
sudo rm -f $vpn_data/pki/private/$CLIENTNAME.key
sudo rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
sudo rm -f $vpn_data/server/ccd/$CLIENTNAME
sudo rm -f $vpn_data/ccd/$CLIENTNAME
vpn_data=$PWD/openvpn-services/
docker=registry.vlabs.uniwa.gr:5080/myownvpn
rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
rm -f $vpn_data/pki/private/$CLIENTNAME.key
rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
rm -f $vpn_data/server/ccd/$CLIENTNAME
rm -f $vpn_data/ccd/$CLIENTNAME
pem=$(sudo grep "CN=$U$" $vpn_data/pki/index.txt | cut -f4)
#/var/lab/gswarm/vpn-data/pki/certs_by_serial/BACA61827E65D0E5F695245519410952.pem
sudo rm -f $vpn_data/pki/certs_by_serial/$pem.pem
sudo sed -i "/CN=$U$/d" $vpn_data/pki/index.txt
rm -f $vpn_data/pki/certs_by_serial/$pem.pem
sed -i "/CN=$U$/d" $vpn_data/pki/index.txt
echo $pem
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient $CLIENTNAME remove
sudo rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
sudo rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn
else
echo "no client"
fi</code></pre>
rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn</code></pre>
</div>
</div>
</div>
@ -713,8 +649,7 @@ fi</code></pre>
<div class="listingblock">
<div class="title">show-user.sh</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">. ./config
<pre class="highlight"><code class="language-bash" data-lang="bash">NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME ovpn_listclients</code></pre>
</div>
</div>
@ -726,8 +661,7 @@ docker exec -it $NAME ovpn_listclients</code></pre>
<div class="listingblock">
<div class="title">show-conn-user.sh</div>
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">. ./config
<pre class="highlight"><code class="language-bash" data-lang="bash">NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME cat /tmp/openvpn-status.log</code></pre>
</div>
</div>
@ -765,7 +699,7 @@ the path is made by walking.</p>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2020-10-21 10:03:40 UTC
Last updated 2020-12-08 20:34:28 UTC
</div>
</div>
</body>

1894
labs/sec/ex-5_iptables.adoc.pdf

File diff suppressed because it is too large
Loading…
Cancel
Save