commit 5836e01885ba606550eff59ac855ea0bee2434ab
Author: Celestino Rey
Date: Wed May 31 12:18:39 2023 +0200
Primer commit con todo funcionando
diff --git a/client.conf b/client.conf
new file mode 100644
index 0000000..f51cca8
--- /dev/null
+++ b/client.conf
@@ -0,0 +1,174 @@
+##############################################
+# Sample client-side OpenVPN 2.0 config file #
+# for connecting to multi-client server. #
+# #
+# This configuration can be used by multiple #
+# clients, however each client should have #
+# its own cert and key files. #
+# #
+# On Windows, you might want to rename this #
+# file so it has a .ovpn extension #
+##############################################
+
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel
+# if you have more than one. On XP SP2,
+# you may need to disable the firewall
+# for the TAP adapter.
+;dev-node MyTap
+
+# Are we connecting to a TCP or
+# UDP server? Use the same setting as
+# on the server.
+;proto tcp
+proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+remote reymota.ddns.net 1194
+;remote my-server-2 1194
+
+# Choose a random host from the remote
+# list for load-balancing. Otherwise
+# try hosts in the order specified.
+;remote-random
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server. Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Downgrade privileges after initialization (non-Windows only)
+user nobody
+group nobody
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# If you are connecting through an
+# HTTP proxy to reach the actual OpenVPN
+# server, put the proxy server/IP and
+# port number here. See the man page
+# if your proxy server requires
+# authentication.
+;http-proxy-retry # retry on connection failures
+;http-proxy [proxy server] [proxy port #]
+
+# Wireless networks often produce a lot
+# of duplicate packets. Set this flag
+# to silence duplicate packet warnings.
+;mute-replay-warnings
+
+# SSL/TLS parms.
+# See the server config file for more
+# description. It's best to use
+# a separate .crt/.key file pair
+# for each client. A single ca
+# file can be used for all clients.
+;ca ca.crt
+;cert client.crt
+;key client.key
+
+# Verify server certificate by checking that the
+# certificate has the correct key usage set.
+# This is an important precaution to protect against
+# a potential attack discussed here:
+# http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the keyUsage set to
+# digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+# serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+tls-auth ta.key 1
+client
+dev tun
+proto udp
+remote reymota.ddns.net 1194
+resolv-retry infinite
+nobind
+user nobody
+group nobody
+persist-key
+persist-tun
+
+# Verify server certificate by checking that the
+# certificate has the correct key usage set.
+# This is an important precaution to protect against
+# a potential attack discussed here:
+# http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the keyUsage set to
+# digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+# serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+tls-auth ta.key 1
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+# Note that v2.4 client/server will automatically
+# negotiate AES-256-GCM in TLS mode.
+# See also the data-ciphers option in the manpage
+cipher AES-256-GCM
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+#comp-lzo
+
+# Set log file verbosity.
+verb 3
+
+# Silence repeating messages
+;mute 20
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+# Note that v2.4 client/server will automatically
+# negotiate AES-256-GCM in TLS mode.
+# See also the data-ciphers option in the manpage
+cipher AES-256-GCM
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+#comp-lzo
+
+# Set log file verbosity.
+verb 3
+
+# Silence repeating messages
+;mute 20
diff --git a/generaClavesCliente.sh b/generaClavesCliente.sh
new file mode 100755
index 0000000..5b920c7
--- /dev/null
+++ b/generaClavesCliente.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ -z "$1" ]
+then
+ echo "Falta nombre del cliente"
+ exit 1
+fi
+
+./easyrsa gen-req $1 nopass
+./easyrsa sign-req client $1
+cp /etc/openvpn/easy-rsa/pki/issued/$1.crt /etc/openvpn/client/keys
+cp /etc/openvpn/easy-rsa/pki/private/$1.key /etc/openvpn/client/keys
+
diff --git a/make-config.sh b/make-config.sh
new file mode 100755
index 0000000..e3d5ce8
--- /dev/null
+++ b/make-config.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# primer argumento: Identificador de cliente
+
+KEY_DIR=/etc/openvpn/client/keys
+OUTPUT_DIR=/etc/openvpn/client/files
+BASE_CONFIG=/etc/openvpn/client/plantilla.conf
+
+cat ${BASE_CONFIG} \
+ <(echo -e '') \
+ ${KEY_DIR}/ca.crt \
+ <(echo -e '\n') \
+ ${KEY_DIR}/${1}.crt \
+ <(echo -e '\n') \
+ ${KEY_DIR}/${1}.key \
+ <(echo -e '\n') \
+ ${KEY_DIR}/ta.key \
+ <(echo -e '') \
+ > ${OUTPUT_DIR}/${1}.ovpn
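Review bot: The body of client.conf is pasted twice: right after the first `tls-auth ta.key 1` the `client`/`dev tun`/…/`persist-tun` directives, the `remote-cert-tls server` block and `tls-auth` repeat, and the `cipher AES-256-GCM` … `;mute 20` block appears twice at the end, so the two halves will drift the first time one of them is edited; drop everything from the second `client` through the first repeated `;mute 20`. This file (and plantilla.conf with `key-direction 1`) assumes the server runs tls-auth, but server.conf ends its control-channel block with `tls-crypt tls.key`; tls-auth and tls-crypt peers cannot complete a handshake, so either the server line becomes `tls-auth ta.key 0` (the key name the runbook actually generates) or every client profile switches to an inline tls-crypt block. Note also that `;ca`, `;cert` and `;key` are commented out, so the copy installed as /etc/openvpn/client/client.conf cannot authenticate on its own — presumably only the make-config.sh output is meant to be used; confirm and, if so, say so in the header comment.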
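Review bot: The client name in `$1` is used unquoted as an easyrsa argument and spliced into the `cp` source paths, with nothing rejecting a value such as one containing `/` or starting with `-`, and because there is no `set -e` a failed `sign-req` still lets the two `cp` lines run (copying a stale certificate if one exists). The copied `.key` also keeps whatever mode `cp` gives it under the caller's umask. Validate the name, stop on the first failure, and install the private key with an explicit restrictive mode; the script still assumes the current directory is the easy-rsa tree (`./easyrsa`), which a comment should state.

```shell
#!/bin/bash
set -euo pipefail

# Uso: ./generaClavesCliente.sh <nombre-cliente>  (ejecutar desde /etc/openvpn/easy-rsa)
client="${1:-}"
if [[ -z "$client" ]]; then
  echo "Falta nombre del cliente" >&2
  exit 1
fi
# the name becomes a path component and an easyrsa argument: letters, digits, . _ - only, no leading dash
if [[ ! "$client" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]]; then
  echo "Nombre de cliente no válido: $client" >&2
  exit 1
fi

./easyrsa gen-req "$client" nopass
./easyrsa sign-req client "$client"
install -m 0644 -- "/etc/openvpn/easy-rsa/pki/issued/$client.crt" /etc/openvpn/client/keys/
install -m 0600 -- "/etc/openvpn/easy-rsa/pki/private/$client.key" /etc/openvpn/client/keys/
```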
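Review bot: The profile written to `${OUTPUT_DIR}/${1}.ovpn` embeds the client's private key and `ta.key`, yet it is created under the caller's default umask (typically world-readable), and `$1` is neither checked nor quoted, so an empty or path-like argument silently produces `/etc/openvpn/client/files/.ovpn` or writes outside OUTPUT_DIR. `cat` also keeps going when one of the inputs is missing, leaving a half-built profile in place. As rendered here the `echo -e` arguments are empty or just `'\n'` — no `<ca>`/`<cert>`/`<key>`/`<tls-auth>` markers — which may be the page stripping angle brackets; if the committed file really lacks them, OpenVPN will not recognise the inline blocks, so confirm against the repository.

```shell
#!/bin/bash
set -euo pipefail
umask 077   # the .ovpn contains a private key: create it 0600

# primer argumento: Identificador de cliente
client="${1:?Falta nombre del cliente}"
[[ "$client" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]] || { echo "Nombre de cliente no válido: $client" >&2; exit 1; }

KEY_DIR=/etc/openvpn/client/keys
OUTPUT_DIR=/etc/openvpn/client/files
BASE_CONFIG=/etc/openvpn/client/plantilla.conf

for f in "$BASE_CONFIG" "$KEY_DIR/ca.crt" "$KEY_DIR/$client.crt" "$KEY_DIR/$client.key" "$KEY_DIR/ta.key"; do
  [[ -r "$f" ]] || { echo "No se encuentra $f" >&2; exit 1; }
done

# … unchanged: the cat pipeline, with every expansion double-quoted ("$BASE_CONFIG", "$KEY_DIR/$client.crt", …) and the redirect to "$OUTPUT_DIR/$client.ovpn" …
```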
diff --git a/openvpn-20230517.tar.gz b/openvpn-20230517.tar.gz
new file mode 100644
index 0000000..9f02cb7
Binary files /dev/null and b/openvpn-20230517.tar.gz differ
diff --git a/openvpnInstrucciones.txt b/openvpnInstrucciones.txt
new file mode 100644
index 0000000..562d268
--- /dev/null
+++ b/openvpnInstrucciones.txt
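Review bot: openvpn-20230517.tar.gz is an opaque binary archive committed alongside scripts that create a CA, server and client private keys and `ta.key`; nothing on this page shows what it contains, and if it is a snapshot of /etc/openvpn (the date-stamped name suggests a backup) then `ca.key`, the `.key` files and `ta.key` are now in the repository history for good. Confirm its contents; if it holds key material, purge it from history, regenerate the affected keys, and keep such archives out of the repo (a `.gitignore` entry for `*.tar.gz`).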
@@ -0,0 +1,147 @@
+# FUENTE
+https://www.youtube.com/watch?v=P7i-oLe2bHk
+
+# 1. INSTALAR EL SERVIDOR OPENVPN
+# ip pública
+
+
+# Actualizar repositorio
+sudo apt update
+
+# instalar OpenVPN y Easy-rsa (para crear la pki)
+sudo apt install openvpn easy-rsa -y
+
+openvpn --help
+openvpn --version
+
+# 2. CREAR LA PKI Y LA AC
+# CA = Autoridad de certificación
+# PKI = Infraestructura de cable pública
+# copiar el directorio easy-rsa en OpenVPN
+
+sudo cp -r /usr/share/easy-rsa /etc/openvpn
+
+# Ir al directorio
+cd /etc/openvpn/easy-rsa
+
+# Crear la PKI
+sudo ./easyrsa init-pki
+
+# Crear la CA
+sudo ./easyrsa build-ca
+# ca.key , ca.cert
+
+# 3. GENERAR CLAVES DEL SERVIDOR
+# generar claves .key .req
+sudo ./easyrsa gen-req servidor-reymota nopass
+
+# firmar el certificado del servidor (.crt) clave mcecdc
+sudo ./easyrsa sign-req server servidor-reymota
+
+# Copiar las claves generadas al directorio de openvpn
+sudo cp /etc/openvpn/easy-rsa/pki/issued/servidor-reymota.crt /etc/openvpn/server
+sudo cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server
+sudo cp /etc/openvpn/easy-rsa/pki/private/servidor-reymota.key /etc/openvpn/server
+
+# 4. CREA LA CLAVE TLS-CRYPT
+
+cd /etc/openvpn/server
+sudo openvpn --genkey --secret ta.key
+
+# 5. CREAR CLAVES DEL CLIENTE
+# accedemos al directorio
+sudo mkdir -p /etc/openvpn/client/keys
+
+# quitamos privilegios a usuarios y grupos
+sudo chmod -R 700 /etc/openvpn/client
+
+# vamos al directorio
+cd /etc/openvpn/easy-rsa
+
+# generar claves .key .req
+sudo ./easyrsa gen-req iphonetino nopass
+
+# firmar el certificado del cliente (.crt)
+sudo ./easyrsa sign-req client iphonetino
+
+# copiar las claves generadas al directorio de openvpn
+sudo cp /etc/openvpn/easy-rsa/pki/issued/iphonetino.crt /etc/openvpn/client/keys
+sudo cp /etc/openvpn/easy-rsa/pki/private/iphonetino.key /etc/openvpn/client/keys
+sudo cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/keys
+sudo cp /etc/openvpn/server/ta.key /etc/openvpn/client/keys
+
+# lo anterior se puede hacer usando la script generaClavesCliente.sh
+
+# 6. CONFIGURAR SERVIDOR (server.conf)
+# asegurarse que existe el usuario nobody y el grupo nobody, si no, añadirlos
+
+sudo cp ./server.conf /etc/openvpn/server/server.conf
+
+# 7. CONFIGURAR CLIENTE (client.conf)
+
+sudo cp ./client.conf /etc/openvpn/client/client.conf
+
+# 8 ABRIR CORTAFUEGOS Y REINICIAR OPENVPN
+# Abrir puerto 1194 de la VPS
+# permitir el reenvio de paquetes entre interfaces
+sudo vi /etc/sysctl.conf
+
+# buscar estas líneas
+
+ # Uncomment the next line to enable packet forwarding for IPv4
+ net.ipv4.ip_forward=1
+
+sudo su
+echo 1 > /proc/sys/net/ipv4/ip_forward
+exit
+
+root@creylopez-iMac:/etc/openvpn# ip ad
+1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: enp2s0: mtu 1500 qdisc mq state UP group default qlen 1000
+ link/ether c8:2a:14:24:2d:64 brd ff:ff:ff:ff:ff:ff
+ inet 192.168.1.136/24 brd 192.168.1.255 scope global dynamic noprefixroute enp2s0
+ valid_lft 50957sec preferred_lft 50957sec
+ inet6 fe80::a1f8:2602:3fee:4caf/64 scope link noprefixroute
+ valid_lft forever preferred_lft forever
+
+# Añadir reglas al cortafuego
+sudo iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o enp2s0 -j MASQUERADE
+sudo iptables -I INPUT 1 -i tun0 -j ACCEPT
+sudo iptables -I FORWARD 1 -i enp2s0 -o tun0 -j ACCEPT
+sudo iptables -I FORWARD 1 -i tun0 -o enp2so -j ACCEPT
+sudo iptables -I INPUT 1 -i enp2s0 -p udp --dport 1194 -j ACCEPT
+
+# para ver si las reglas del cortafuegos están puestas
+sudo iptables -L -nv
+# para ver las reglas nat
+sudo iptables -t nat -L -nv
+# Guardar las reglas permanentemente
+
+sudo apt install iptables-persistent -y
+sudo netfilter-persistent save
+
+# Configurar OpenVPN para que se inicie en el arranque
+sudo systemctl -f enable openvpn-server@server.service
+# iniciar OpenVPN
+service openvpn-server@server start
+# comprobar
+sudo service openvpn-server@server status
+
+# 9. CREAR LOS FICHEROS ovpn
+# ver la estructura de los ficheros vpn
+
+# copiar el fichero plantilla.conf
+cp ./plantilla.conf /etc/openvpn/client/plantilla.conf
+# shell script para crear el ovpn
+cp ./make_config.sh /etc/openvpn/client
+
+# Generar el fichero ovpn
+sudo ./make_config.sh iphonetino
+
+
+
diff --git a/plantilla.conf b/plantilla.conf
new file mode 100644
index 0000000..ded8645
--- /dev/null
+++ b/plantilla.conf
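Review bot: The comment on the server signing step, `# firmar el certificado del servidor (.crt) clave mcecdc`, reads like the passphrase entered at `build-ca` being written down next to the command; if that is what it is, the CA passphrase is now in git history and should be removed from this file and changed on the CA. Two command errors will stop anyone following the runbook: the FORWARD rule `-i tun0 -o enp2so` names an interface that does not exist (the `ip ad` output just above shows `enp2s0`), so return traffic from VPN clients is only forwarded if the chain's default policy already happens to be ACCEPT, and step 9 copies and runs `make_config.sh` while the file added in this commit is `make-config.sh`. Step 4 is titled TLS-CRYPT and writes `ta.key`, whereas server.conf references `tls.key` with `tls-crypt` — the runbook and the config need to agree on one file name and one mode.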
@@ -0,0 +1,46 @@
+client
+dev tun
+proto udp
+remote reymota.ddns.net 1194
+resolv-retry infinite
+nobind
+user nobody
+group nobody
+persist-key
+persist-tun
+
+# Verify server certificate by checking that the
+# certificate has the correct key usage set.
+# This is an important precaution to protect against
+# a potential attack discussed here:
+# http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the keyUsage set to
+# digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+# serverAuth
+# EasyRSA can do this for you.
+remote-cert-tls server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+key-direction 1
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+# Note that v2.4 client/server will automatically
+# negotiate AES-256-GCM in TLS mode.
+# See also the data-ciphers option in the manpage
+cipher AES-256-GCM
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+#comp-lzo
+
+# Set log file verbosity.
+verb 3
+
+# Silence repeating messages
+;mute 20
diff --git a/server.conf b/server.conf
new file mode 100644
index 0000000..f380b30
--- /dev/null
+++ b/server.conf
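Review bot: `key-direction 1` configures the inline tls-auth key but no `auth` directive accompanies it, while server.conf declares `auth SHA512`; the HMAC digest for tls-auth packets must match on both peers (with an AEAD data cipher `auth` affects only those packets), so add `auth SHA512` after `cipher AES-256-GCM` — unless the server's `tls-crypt tls.key` line is what actually gets deployed, in which case `key-direction 1` does not apply and the profile needs a `<tls-crypt>` block instead (raised on client.conf). The comment `# If a tls-auth key is used on the server / then every client must also have the key.` now sits above `key-direction 1` rather than a `tls-auth` line, which hides where the key comes from; replace it with `# tls-auth key is embedded inline by make-config.sh; 1 = client side of the key`.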
@@ -0,0 +1,319 @@
+#################################################
+# Sample OpenVPN 2.0 config file for #
+# multi-client server. #
+# #
+# This file is for the server side #
+# of a many-clients <-> one-server #
+# OpenVPN configuration. #
+# #
+# OpenVPN also supports #
+# single-machine <-> single-machine #
+# configurations (See the Examples page #
+# on the web site for more info). #
+# #
+# This config should work on Windows #
+# or Linux/BSD systems. Remember on #
+# Windows to quote pathnames and use #
+# double backslashes, e.g.: #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+# #
+# Comments are preceded with '#' or ';' #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one. You will need to
+# open up this port on your firewall.
+port 1194
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one. On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key). Each client
+# and the server must have their own cert and
+# key file. The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys. Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca ca.crt
+cert reymota.crt
+key reymota.key # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+# openssl dhparam -out dh2048.pem 2048
+;dh dh2048.pem
+dh none
+
+# Network topology
+# Should be subnet (addressing via IP)
+# unless Windows clients v2.0.9 and lower have to
+# be supported (then net30, i.e. a /30 per client)
+# Defaults to net30 (not recommended)
+topology subnet
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 10.8.0.0 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file. If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist /var/log/openvpn/ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface. Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0. Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients. Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Configure server mode for ethernet bridging
+# using a DHCP-proxy, where clients talk
+# to the OpenVPN server-side DHCP server
+# to receive their IP address allocation
+# and DNS server addresses. You must first use
+# your OS's bridging capability to bridge the TAP
+# interface with the ethernet NIC interface.
+# Note: this mode only works on clients (such as
+# Windows), where the client-side TAP adapter is
+# bound to a DHCP client.
+;server-bridge
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server. Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 192.168.10.0 255.255.255.0"
+;push "route 192.168.20.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir ccd
+;route 192.168.40.128 255.255.255.248
+# Then create a file ccd/Thelonious with this line:
+# iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN. This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+# Then add this line to ccd/Thelonious:
+# ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients. There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+# group, and firewall the TUN/TAP interface
+# for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+# modify the firewall in response to access
+# from different clients. See man
+# page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# or bridge the TUN/TAP interface to the internet
+# in order for this to work properly).
+push "redirect-gateway def1 bypass-dhcp"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses. CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+# The addresses below refer to the public
+# DNS servers provided by opendns.com.
+;push "dhcp-option DNS 208.67.222.222"
+;push "dhcp-option DNS 208.67.220.220"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+;client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names. This is recommended
+# only for testing purposes. For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+# openvpn --genkey tls-auth ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-crypt tls.key
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+# Note that v2.4 client/server will automatically
+# negotiate AES-256-GCM in TLS mode.
+# See also the ncp-cipher option in the manpage
+;cipher AES-256-CBC
+cipher AES-256-GCM
+auth SHA512
+
+# Enable compression on the VPN link and push the
+# option to the client (v2.4+ only, for earlier
+# versions see below)
+;compress lz4-v2
+;push "compress lz4-v2"
+
+# For compression compatible with older clients use comp-lzo
+# If you enable it here, you must also
+# enable it in the client config file.
+;comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nobody
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status /var/log/openvpn/openvpn-status.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it. Use one
+# or the other (but not both).
+;log /var/log/openvpn/openvpn.log
+;log-append /var/log/openvpn/openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 3
+
+# Silence repeating messages. At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+# Notify the client that when the server restarts so it
+# can automatically reconnect.
+explicit-exit-notify 1
diff --git a/sysctl.conf b/sysctl.conf
new file mode 100644
index 0000000..1fa03b9
--- /dev/null
+++ b/sysctl.conf
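Review bot: `cert reymota.crt`, `key reymota.key` and `tls-crypt tls.key` name files that the accompanying runbook never produces — it copies `servidor-reymota.crt`/`servidor-reymota.key` and generates `ta.key` into /etc/openvpn/server — so the unit cannot start until the names agree; the least disruptive fix is `cert servidor-reymota.crt`, `key servidor-reymota.key` and `tls-auth ta.key 0`, which also matches the `tls-auth ta.key 1`/`key-direction 1` the client files carry. No revocation check is configured: without `crl-verify` a client key that leaks (they are created `nopass` and copied into .ovpn profiles) stays valid until the certificate expires, so add `crl-verify crl.pem` and generate the CRL with `easyrsa gen-crl`. The `# This file should be kept secret` remark on `key` is the only hint about file permissions; a short note that ca.crt/server key/ta.key live in /etc/openvpn/server and must stay root-only would help whoever re-runs the setup.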
@@ -0,0 +1,68 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+###################################################################
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all, >1 bitmask of sysrq functions
+# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
+# for what other values do
+#kernel.sysrq=438
+
diff --git a/verEstado.sh b/verEstado.sh
new file mode 100644
index 0000000..047a959
--- /dev/null
+++ b/verEstado.sh
@@ -0,0 +1 @@
+service openvpn-server@server status
diff --git a/verLogs.sh b/verLogs.sh
new file mode 100644
index 0000000..fc2e41f
--- /dev/null
+++ b/verLogs.sh
@@ -0,0 +1 @@
+journalctl -u openvpn-server@server
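Review bot: `net.ipv4.ip_forward=1` makes the host forward between all of its interfaces, but the settings this very file describes as relevant once the machine routes — `rp_filter`, `accept_redirects`, `send_redirects`, `accept_source_route` — are all still commented out directly below it. Uncomment `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv4.conf.all.send_redirects = 0` and `net.ipv4.conf.all.accept_source_route = 0` (the comment "we are not a router" on two of them is now false and should be adjusted), and enable reverse-path filtering with `net.ipv4.conf.all.rp_filter=1`, or `2` (loose) if asymmetric paths via tun0 are expected. With forwarding global, what VPN clients may reach is decided solely by the iptables FORWARD rules kept in openvpnInstrucciones.txt, so those should be in place and persisted before this file is applied; a one-line comment above `ip_forward` pointing to that dependency would help.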
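Review bot: verEstado.sh (and verLogs.sh, which has the same problem) has no shebang and is committed with mode 100644, so it cannot be run as `./verEstado.sh` and, when invoked as `sh verEstado.sh`, depends on whichever shell `sh` is; add `#!/bin/bash` as the first line and mark the file executable. The runbook enables the unit with `systemctl`, so the status check is clearer as `systemctl status openvpn-server@server` than through the `service` compatibility wrapper.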