OpenVPN-Admin
- PHP7.x
- MariaDB 5.5.x
CentOS確認
# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
# getenforce
Disabled
PHP7.3インストール
# sudo yum install epel-release
# sudo rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# sudo yum install --enablerepo=remi-php73 php php-mysqlnd php-pecl-zip
# php -v
PHP 7.3.14 (cli) (built: Jan 21 2020 09:59:50) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.14, Copyright (c) 1998-2018 Zend Technologies
# sudo yum install openvpn httpd php-mysql mariadb-server php nodejs unzip git wget sed npm
# mysql --version
mysql Ver 15.1 Distrib 5.5.64-MariaDB, for Linux (x86_64) using readline 5.1
# npm -v
3.10.10
# node -v
v6.17.1
# sudo npm install -g bower
# bower --version
1.8.8
MariaDB起動と初期設定
# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
# systemctl start mariadb
# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
install.sh実行
/homeディレクトリで実行
# cd /home
# git clone https://github.com/Chocobozzz/OpenVPN-Admin openvpn-admin
# cd openvpn-admin
# ./install.sh /var/www apache apache
iptablesエラーになる(CentOS7はfirewalld)
################## Setup firewall ##################
./install.sh: 行 192: route: コマンドが見つかりません
Bad argument `ACCEPT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `MASQUERADE'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `MASQUERADE'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `MASQUERADE'
Try `iptables -h' or 'iptables --help' for more information.
#####################################################
firewallの設定
IPマスカレード trustedゾーンにtunインターフェイスの割り当て
# sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# sudo firewall-cmd --add-service=openvpn --zone=public --permanent
# sudo firewall-cmd --add-service=http --zone=public --permanent
# sudo firewall-cmd --permanent --zone=trusted --add-interface=tun+
# sudo firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
# sudo firewall-cmd --reload
firewallの確認
# sudo firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8
sources:
services: dhcpv6-client http openvpn ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: tun+
sources: 10.8.0.0/24
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
/etc/openvpn/server.confを環境に合わせ修正
## GENERAL ##
# TCP or UDP, port 1194, tunneling
mode server
proto udp
port 1194
dev tun
## KEY, CERTS AND NETWORK CONFIGURATION ##
# Identity
ca ca.crt
# Public key
cert server.crt
# Private key
key server.key
# Symmetric encryption
dh dh.pem
# Improve security (DDOS, port flooding...)
# 0 for the server, 1 for the client
tls-auth ta.key 0
# Encryption protocol
cipher AES-256-CBC
# Network
# Subnetwork, the server will be the 10.8.0.1 and clients will take the other ips
server 10.8.0.0 255.255.255.0
# Redirect all IP network traffic originating on client machines to pass through the OpenVPN server
push "redirect-gateway def1"
# Alternatives DNS (FDN)
push "dhcp-option DNS 80.67.169.12"
push "dhcp-option DNS 80.67.169.40"
# (OpenDNS)
# push "dhcp-option DNS 208.67.222.222"
# push "dhcp-option DNS 208.67.220.220"
# (Google)
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 8.8.4.4"
# Ping every 10 seconds and if after 120 seconds the client doesn't respond we disconnect
keepalive 10 120
# Regenerate key each 5 hours (disconnect the client)
reneg-sec 18000
## SECURITY ##
# Downgrade privileges of the daemon
user nobody
group nobody
# Persist keys (because we are nobody, so we couldn't read them again)
persist-key
# Don't close and re open TUN/TAP device
persist-tun
# Enable compression
comp-lzo
## LOG ##
# Verbosity
# 3/4 for a normal utilisation
verb 3
# Max 20 messages of the same category
mute 20
# Log gile where we put the clients status
status openvpn-status.log
# Log file
log-append /var/log/openvpn.log
# Configuration directory of the clients
client-config-dir ccd
## PASS ##
# Allow running external scripts with password in ENV variables
script-security 3
# Use the authenticated username as the common name, rather than the common name from the client cert
username-as-common-name
# Client certificate is not required
verify-client-cert none
# Use the connection script when a user wants to login
auth-user-pass-verify scripts/login.sh via-env
# Maximum of clients
max-clients 50
# Run this scripts when the client connects/disconnects
client-connect scripts/connect.sh
client-disconnect scripts/disconnect.sh
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
/etc/httpd/conf/httpd.confの修正
DocumentRoot "/var/www/"
#
# Relax access to content within /var/www.
#
<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/">
httpd起動
# sudo systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
# sudo systemctl start httpd
Openvpn起動
# sudo systemctl start openvpn@server
# sudo systemctl enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.