Switch VPN back to UDP, update firewall, make VPN use CRL

2014-04-14 14:24:45 +02:00
parent ddf69d035d
commit f7f1de4bf5
4 changed files with 27 additions and 5 deletions
--- a/openvpn-test/client.conf
+++ b/openvpn-test/client.conf
@@ -33,7 +33,7 @@ dev tun
 # Are we connecting to a TCP or
 # UDP server?  Use the same setting as
 # on the server.
-proto tcp-client
+proto udp
 ;proto udp

 # The hostname/IP and port of the server.
--- a/overlay/etc/firewall.sh
+++ b/overlay/etc/firewall.sh
@@ -92,7 +92,9 @@ iptables -A FORWARD -p icmp --icmp-type 0/0 -j ACCEPT
 iptables -A FORWARD -p icmp --icmp-type 3 -j ACCEPT

 # Allow services such as ssh (can be disabled)
-iptables -A INPUT -p tcp -m multiport --dports ssh,1194 -j ACCEPT -m state --state NEW
+iptables -A INPUT -p tcp --dport ssh -j ACCEPT -m state --state NEW
+
+iptables -A INPUT -p udp --dport 1194 -j ACCEPT -m state --state NEW

 # Allow packets from TUN/TAP devices.
 # When OpenVPN is run in a secure mode,
@@ -177,7 +179,8 @@ ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

 # Allow ssh and openvpn access
-ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p tcp -m multiport --dports ssh,1194 -m state --state NEW -j ACCEPT
+ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p tcp --dport ssh -m state --state NEW -j ACCEPT
+ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p udp --dport 1194 -m state --state NEW -j ACCEPT

 # Allow useful ICMPv6
 ip6tables -A INPUT  -i $LANIF -p ipv6-icmp  -m icmp6 --icmpv6-type 128/0   -m state --state NEW  -j ACCEPT
@@ -187,9 +190,15 @@ ip6tables -A INPUT  -i $LANIF -p ipv6-icmp  -m icmp6 --icmpv6-type 2  -m state -
 ip6tables -A INPUT  -i $LANIF -p ipv6-icmp  -m icmp6 --icmpv6-type 1  -m state --state NEW  -j ACCEPT
 ip6tables -A INPUT  -i $LANIF -p ipv6-icmp  -m icmp6 --icmpv6-type 129/0   -m state --state NEW  -j ACCEPT

-# Allow ARPv6
+# Allow NDP
 ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j ACCEPT
 ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j ACCEPT
+ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j ACCEPT
+ip6tables -N NoRouterAdv
+ip6tables -A OUTPUT -o $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j NoRouterAdv # Protect from misconfiguration (we are not a router)
+ip6tables -A FORWARD -o $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j NoRouterAdv
+ip6tables -A NoRouterAdv -j LOG --log-prefix "NORADV6 "
+ip6tables -A NoRouterAdv -j DROP

 ip6tables -A INPUT -j LOG --log-prefix "CATCHALL6 "
 ip6tables -A FORWARD -j LOG --log-prefix "CATCHALL6 "
--- a/overlay/etc/openvpn/crl.pem
+++ b/overlay/etc/openvpn/crl.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIBsTCBmgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJERTEbMBkGA1UE
+CAwSQmFkZW4tV3VlcnR0ZW1iZXJnMRIwEAYDVQQHDAlLYXJsc3J1aGUxGDAWBgNV
+BAMMD3BhbmRhLmhhZGlrby5kZRcNMTQwNDE0MTIxODM5WhcNMTQwNTE0MTIxODM5
+WqAOMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEFBQADggEBAHunprmA/Oi8v3LM
+83uYwq8vOVWNTLf9Z9bwBgdgX9NCYlj8bBqWmHi81IMa0Io2W8nk4Rn9/bV4Qu3H
+oeYrMr891RGM2RfSkVlbb3biCj9ulUFn154YAwm0oyGRCaDp2eH7ohziWwRQGIjE
+miQ6Trak4N1g+7m5dInFYAN7RCY1VvOaKaE3rbr0P/t6yNrgi6+KQPRyJc8rbGcj
+NIU6tdaeEl0v2ahp98xMbUFYNa6MkoOidngcl+Lo9Jnzs86mWwqDD9Aw3nfBSL6+
+viPq4W9EGwdXL26svdIz/myC0+tVG5VWHfBLP+Ur9BD3PaY3GRcr0iX99GZ81Y0Y
+7MB6CnQ=
+-----END X509 CRL-----
--- a/overlay/etc/openvpn/vpn.conf
+++ b/overlay/etc/openvpn/vpn.conf
@@ -32,7 +32,7 @@
 port 1194

 # TCP or UDP server?
-proto tcp6-server
+proto udp6
 ;proto udp

 # "dev tun" will create a routed IP tunnel,
@@ -78,6 +78,7 @@ dev tun0
 ca ca.crt
 cert panda.crt
 key panda.key  # This file should be kept secret
+crl-verify crl.pem

 # Diffie hellman parameters.
 # Generate your own with: