Tech:VPN

From Neutrinet

IPs

  • v4: 80.67.181.0/24
  • v6: 2001:913:1000::/36

VPS

sudo root access

  • Bram
  • Wannes
  • kload

Packages installed

  • openvpn
  • vnstat : reports the traffic usage of the NICs (currently eth0)
  • auditd : monitors access to and modification of /etc

Setup

Firewall

File: /etc/init.d/firewall

We can start, stop and get the status (rules on ip(6)tables) of the firewall with:

  • sudo service firewall {start|stop|status}

Active rules
  • Default policy for INPUT, OUTPUT and FORWARD: DROP
  • accepting ICMP and ICMPv6
  • accepting port 2222 in input (for SSH)
  • accepting port 1194 in UDP/TCP for OpenVPN
  • accept outbound HTTP, HTTPS, SMTP, SSMTP, ICMPv6 and DNS
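The rule list above as a runnable script, written here as an added illustration; it is not Neutrinet's /etc/init.d/firewall. It emits an iptables-restore ruleset for IPv4 and IPv6 and mirrors the init script's start/stop/status interface. Two things the page does not state are assumed and marked in the code: loopback and ESTABLISHED,RELATED traffic are accepted (without them a default DROP policy also drops the replies to the listed outbound connections), and the well-known ports 80, 443, 25, 465 and 53 are used for HTTP, HTTPS, SMTP, SSMTP and DNS.

```shell
#!/bin/sh
# Added example, not the Neutrinet init script. Generates and applies the
# "Active rules" documented above for both address families.

# build_rules <4|6>: print an iptables-restore ruleset for that family.
build_rules() {
    fam="$1"
    if [ "$fam" = 6 ]; then icmp=ipv6-icmp; else icmp=icmp; fi
    # Assumption: loopback and return traffic (ESTABLISHED,RELATED) are
    # accepted; the page lists neither, but a DROP policy needs them.
    # Assumption: ports 80/443/25/465/53 for HTTP/HTTPS/SMTP/SSMTP/DNS.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p $icmp -j ACCEPT
-A INPUT -p tcp --dport 2222 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p tcp --dport 1194 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443,25,465 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
EOF
    # Outbound ICMPv6 is listed on the page (and required for neighbour
    # discovery); outbound IPv4 ICMP is not listed, so it is left out.
    [ "$fam" = 6 ] && echo "-A OUTPUT -p ipv6-icmp -j ACCEPT"
    echo COMMIT
}

# apply_rules: load both rulesets atomically (needs root).
apply_rules() {
    build_rules 4 | iptables-restore && build_rules 6 | ip6tables-restore
}

# reset_rules: open the firewall again (policy ACCEPT, chains flushed).
reset_rules() {
    for t in iptables ip6tables; do
        $t -P INPUT ACCEPT; $t -P OUTPUT ACCEPT; $t -P FORWARD ACCEPT
        $t -F
    done
}

# show_status: list the active rules with counters.
show_status() {
    iptables -L -n -v; ip6tables -L -n -v
}

case "${1:-}" in
    start)  apply_rules ;;
    stop)   reset_rules ;;
    status) show_status ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 {start|stop|status}" >&2; exit 1 ;;
esac
```

Running `sh firewall.sh start` loads the rules; `build_rules 4` alone prints the IPv4 ruleset so it can be reviewed with `iptables-restore --test` before it is applied.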

Routing

Kernel Configuration (done)

Uncomment the following lines in /etc/sysctl.conf:

  • #net.ipv6.conf.all.forwarding=1
  • #net.ipv4.ip_forward=1

Specific routing table (Done)

In /etc/iproute2/rt_tables, append the line: 200 VPN
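The two completed routing steps (uncommenting the forwarding keys in /etc/sysctl.conf and appending the 200 VPN table to /etc/iproute2/rt_tables) as idempotent shell helpers. This is an added example, not a script from the Neutrinet wiki; both functions take the file to edit as a parameter so they can be tried on a copy first, and `add_rt_table` refuses to reuse a table number that is already assigned to another name, which is the mistake a blind `echo >>` would make.

```shell
#!/bin/sh
# Added example (not from the Neutrinet page): idempotent edits for the two
# routing steps above. Keys and the table number/name are the page's own.

# enable_forwarding_in <sysctl.conf>: uncomment the two forwarding keys and
# set them to 1; append a key if it is not present at all.
enable_forwarding_in() {
    f="$1"
    for key in net.ipv6.conf.all.forwarding net.ipv4.ip_forward; do
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for regex
        if grep -Eq "^#?[[:space:]]*$esc[[:space:]]*=" "$f"; then
            # strip a leading '#' and force the value to 1 (portable sed -i)
            sed -E "s|^#?[[:space:]]*($esc)[[:space:]]*=.*|\1=1|" "$f" > "$f.tmp" \
                && mv "$f.tmp" "$f"
        else
            printf '%s=1\n' "$key" >> "$f"
        fi
    done
}

# activate_forwarding: make the kernel pick the setting up now (needs root).
activate_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
}

# add_rt_table <rt_tables> <number> <name>: append "<number>\t<name>" once.
# Returns 1 without writing if <number> is already taken by another name.
add_rt_table() {
    f="$1"; num="$2"; name="$3"
    if grep -Eq "^[[:space:]]*$num[[:space:]]+$name[[:space:]]*$" "$f"; then
        return 0                       # already present, nothing to do
    elif grep -Eq "^[[:space:]]*$num[[:space:]]" "$f"; then
        echo "table number $num already used in $f" >&2
        return 1
    fi
    printf '%s\t%s\n' "$num" "$name" >> "$f"
}
```

On the server itself this would be `enable_forwarding_in /etc/sysctl.conf && activate_forwarding` followed by `add_rt_table /etc/iproute2/rt_tables 200 VPN`; running either function twice leaves the files unchanged.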

Route (todo)

sysadmin

  • root is aliased to wannes and jlbear
  • configured exim to use gandi as smarthost for delivering mail
  • installed cron-apt to check for updates and download them, runs daily and sends email to root if updates are available
  • auditd is configured to monitor system file access and modification

OpenVpn (WIP)

Installed OpenVPN 2.3.2 (wheezy-backports). Managed via the management channel by the ISPng stack.

Use of the VPN

Standard situation

When connecting to the VPN, the following settings are currently pushed to the client:

  • IPv4 default route to our router, thus routing all IPv4 traffic through the VPN
  • IPv6 2000::/3 route to our router, routing the assigned IPv6 address space through the VPN
    • The IPv6 address you receive is the first available address from your subnet, e.g. if you have subnet 2000:1234:5678::/56, your VPN client gets 2000:1234:5678::1/64.
  • IPv4 and IPv6 route for our VPN endpoint, routing our VPN endpoint through your network's router (otherwise your connection would drop)

Server side, your assigned IP space is routed to your connection. Should you have an IPv6 subnet, it is also routed to your assigned IPv6 address.

If you do not want to route all your IPv4/6 traffic, disable the setting as follows:

curl -i --user username:password -H "Content-Type: application/json" -X POST -d '{"value":"no"}' https://vpn.neutrinet.be:8443/api/user/<username>/setting/routeAllIPv4Traffic

To do the same for IPv6, replace IPv4 with IPv6 in the setting name of the command above (routeAllIPv6Traffic).

Misc stuff

Self-signed cert for sentry, add to JVM keystore (BAD!)

keytool -import -trustcacerts -keystore /usr/lib/jvm/<JVM>/jre/lib/security/cacerts -storepass changeit -noprompt -alias sentry -file /path/to/sentry.neutrinet.be.crt