shorewall

5 years ago · 98a08136d8
3 changed files with 278 additions and 1 deletions
--- a/sec/495px-VPN_overview-en.svg.png
+++ b/sec/495px-VPN_overview-en.svg.png
--- a/sec/ex-4_iptables.adoc
+++ b/sec/ex-4_iptables.adoc
@ -56,7 +56,7 @@ docker network create --driver=bridge --subnet=192.168.0.0/16 net3

 then connect network to container

-.create netowrk frist
+.connect network created to container
 [source,bash]
 ----
 docker network connect net1 master
--- a/sec/ex-5_iptables.adoc
+++ b/sec/ex-5_iptables.adoc
@ -0,0 +1,277 @@
+= VPN!
+Apostolos rootApostolos@swarmlab.io
+// Metadata:
+:description: Intro and Install
+:keywords: sec, tcpdump
+:data-uri:
+:toc: right
+:toc-title: Πίνακας περιεχομένων
+:toclevels: 4
+:source-highlighter: highlight
+:icons: font
+:sectnums: 
+
+include::header.adoc[]
+
+
+{empty} +
+
+
+[[cheat-Docker]]
+== Install swarmlab-sec (Home PC)
+
+HowTo: See http://docs.swarmlab.io/lab/sec/sec.adoc.html
+
+
+.NOTE
+[NOTE]
+====
+Assuming you're already logged in
+====
+
+
+
+== VPN
+
+A ***virtual private network (VPN)*** extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running on a computing device, e.g., a laptop, desktop, smartphone, across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common, though not an inherent, part of a VPN connection
+
+https://en.wikipedia.org/wiki/Virtual_private_network[More: wikipedia]
+
+image::495px-VPN_overview-en.svg.png[VPN connectivity overview]
+
+.NOTE
+[NOTE]
+====
+**OpenVPN** is an open-source software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).
+
+https://en.wikipedia.org/wiki/OpenVPN[More: wikipedia]
+====
+
+
+== Create VPN
+
+
+.create-vpn.sh
+[source,bash]
+----
+#!/bin/bash
+IP=192.168.89.5                                         # Server IP
+P=1194                                                  # Server Port
+OVPN_SERVER='10.80.0.0/16'                              # VPN Network
+vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/    # Dir to save data ** this must exist **
+NAME=swarmlab-vpn-services                              # name of docker service
+DOCKERnetwork=swarmlab-vpn-services-network             # docker network
+docker=registry.vlabs.uniwa.gr:5080/myownvpn            # docker image
+
+docker stop  $NAME					#stop container 
+sleep 3
+docker container rm  $NAME				#rm container
+
+# rm config files
+sudo rm -f $vpn_data/openvpn.conf.*.bak
+sudo rm -f $vpn_data/openvpn.conf
+sudo rm -f $vpn_data/ovpn_env.sh.*.bak
+sudo rm -f $vpn_data/ovpn_env.sh
+
+# create network
+sleep 2
+docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork
+
+read -d '' MULTILINE_EXTRA_SERVER_CONF << EOF
+duplicate-cn
+max-clients 35000
+topology subnet
+EOF
+
+#run container
+sleep 3
+docker run --net=none -it -v $vpn_data:/etc/openvpn  --rm $docker ovpn_genconfig  -u udp://$IP:1194 \
+-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER
+
+
+# create pki
+sleep 3
+echo "new pki is disabled"
+docker run --net=none -v $vpn_data:/etc/openvpn  --rm -it $docker ovpn_initpki
+
+#sleep 3
+#docker run --net=none -v $vpn_data:/etc/openvpn  --rm $docker ovpn_copy_server_files
+
+#create vpn
+sleep 3
+docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker
+
+sleep 5
+sudo sysctl -w net.ipv4.ip_forward=1
+
+#show created
+docker ps
+----
+
+
+== Create user
+
+.config
+[source,bash]
+----
+#!/bin/bash
+IP=83.212.114.14
+P=5194
+vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/
+NAME=swarmlab-vpn-services
+DOCKERnetwork=swarmlab-vpn-services-network
+docker=registry.vlabs.uniwa.gr:5080/myownvpn
+PATHNAME=/var/lib/swarmlab/openvpn/etc/vpn-data_user_config
+vpn_data_user_config=$PATHNAME
+
+vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/
+vpn_data_user_config=/var/lib/swarmlab/openvpn/etc/vpn-data_user_config
+NAME=swarmlab-vpn-services
+
+MANAGER=/var/lib/swarmlab/openvpn/etc/managers
+WORKER=/var/lib/swarmlab/openvpn/etc/workers
+MANAGERkeys=/var/lib/swarmlab/openvpn/etc/managers_keys
+
+----
+
+
+
+.create-user.sh
+[source,bash]
+----
+#!/bin/bash
+
+. ./config
+
+sudo mkdir -p $vpn_data
+sudo mkdir -p $vpn_data_user_config
+sudo mkdir -p $MANAGERkeys
+
+docker=registry.vlabs.uniwa.gr:5080/myownvpn
+echo $vpnip
+echo $#
+
+docker=registry.vlabs.uniwa.gr:5080/myownvpn
+echo $vpnip
+echo $#
+
+if [ $# -eq 1  ]; then
+        CLIENTNAME=$1
+        U=$CLIENTNAME
+        mkdir users
+        docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $CLIENTNAME nopass
+        sleep 3
+        docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $CLIENTNAME  > users/$CLIENTNAME.ovpn
+
+        file="users/$CLIENTNAME.ovpn"
+
+        ps='remote '
+        pi="remote $IP $P udp"
+        grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "5a $pi" $file
+
+        ps='comp-lzo'
+        pi='comp-lzo no'
+        grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "6a $pi" $file
+
+        ps='resolv-retry'
+        pi='resolv-retry infinite'
+        grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "7a $pi" $file
+        ps='persist-key'
+        pi='persist-key'
+        grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "8a $pi" $file
+
+        ps='persist-tun'
+        pi='persist-tun'
+        grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "9a $pi" $file
+
+        ps='keepalive'
+        pi='keepalive 15 60'
+        grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "10a $pi" $file
+
+
+
+else
+        echo "no clientname"
+fi
+----
+
+
+== rm vpn user
+
+.rm-user.sh
+[source,bash]
+----
+#!/bin/bash
+. ./config
+
+CLIENTNAME=$1
+U=$CLIENTNAME
+
+if [ $# -eq 1  ]; then
+        sudo rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
+        sudo rm -f $vpn_data/pki/private/$CLIENTNAME.key
+        sudo rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
+        sudo rm -f $vpn_data/server/ccd/$CLIENTNAME
+        sudo rm -f $vpn_data/ccd/$CLIENTNAME
+        pem=$(sudo grep "CN=$U$"  $vpn_data/pki/index.txt | cut  -f4)
+        #/var/lab/gswarm/vpn-data/pki/certs_by_serial/BACA61827E65D0E5F695245519410952.pem
+        sudo rm -f $vpn_data/pki/certs_by_serial/$pem.pem
+        sudo sed -i "/CN=$U$/d"  $vpn_data/pki/index.txt
+        echo $pem
+        docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient  $CLIENTNAME remove
+
+
+        sudo rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
+        sudo rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn
+else
+        echo "no client"
+fi
+
+----
+
+== show all vpn users
+
+.show-user.sh
+[source,bash]
+----
+. ./config
+
+docker exec -it  $NAME ovpn_listclients
+----
+
+== show all connected vpn users
+
+.show-conn-user.sh
+[source,bash]
+----
+. ./config
+
+docker exec -it  $NAME  cat /tmp/openvpn-status.log
+----
+
+
+
+
+
+:hardbreaks:
+
+{empty} +
+{empty} +
+{empty} 
+
+:!hardbreaks:
+
+'''
+
+.Reminder
+[NOTE]
+====
+:hardbreaks:
+Caminante, no hay camino, 
+se hace camino al andar.
+
+Wanderer, there is no path, 
+the path is made by walking.
+
+*Antonio Machado* Campos de Castilla
+====