==== VPN configuration for the class ====
(For anyone interested, and for me, so that I remember what I set up.)
The server runs in an LXC container with the Devuan system (beowulf release):
<code>
lxc-create -n sieci-vpn -t download
</code>
Container configuration:
<code>
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# Template script checksum (SHA-1): 1ba3a6d6544626d6e64c7b8f1a51f6022c5e5f8f
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64

# Container specific configuration
lxc.rootfs.path = dir:/var/lib/lxc/sieci-vpn/rootfs
lxc.uts.name = sieci-vpn

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 02:00:00:00:00:09

# this allows creating taps (character device 10:200 is /dev/net/tun)
lxc.cgroup.devices.allow = c 10:200 rwm

# let graphics work
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir
</code>
Additional files inside the container:
<code>
#! /bin/sh
# /etc/init.d/enable_tuntap (name follows the Provides: header and the
# update-rc.d call below): create the tun/tap device node if it is missing.
### BEGIN INIT INFO
# Provides:          enable_tuntap
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: create /dev/net/tun inside the container
### END INIT INFO

PATH=/sbin:/usr/sbin:/bin:/usr/bin
. /lib/init/vars.sh
. /lib/lsb/init-functions

do_start() {
    # The container has no udev, so the node has to be created by hand.
    if ! [ -c /dev/net/tun ]
    then
        mkdir -p /dev/net
        mknod -m 666 /dev/net/tun c 10 200
    fi
}

case "$1" in
    start)
        do_start
        ;;
    restart|reload|force-reload)
        echo "Error: argument '$1' not supported" >&2
        exit 3
        ;;
    stop|status)
        # No-op
        exit 0
        ;;
    *)
        echo "Usage: $0 start|stop" >&2
        exit 3
        ;;
esac
</code>
<code>
# /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto tap0
iface tap0 inet static
    address 10.0.9.1
    netmask 255.255.255.0
</code>
Packages inside the container:
<code>
apt update
apt install openvpn
update-rc.d enable_tuntap defaults
wget https://multivnc-linux.surge.sh/multivnc-prerelease.deb
apt install ./multivnc-prerelease.deb
</code>
Server configuration:
<code>
mode server
tls-server
dev tap0
proto udp
port 1194
ping 30
push "ping 30"
ping-exit 180
push "ping-restart 120"
topology subnet
ifconfig 10.0.9.1 255.255.255.0
ifconfig-pool 10.0.9.2 10.0.9.99
client-to-client
log-append /var/log/openvpn-sk2.log
## script-security 2 is required for the external auth script below
script-security 2
verify-client-cert none
auth-user-pass-verify /etc/openvpn/verify.pl via-file
## self sign:
## openssl genrsa -out sk2.key 4096
## openssl req -new -key sk2.key -out sk2.csr
## openssl x509 -signkey sk2.key -req -in sk2.csr -out sk2.crt
## (without -days, openssl x509 issues a certificate valid for 30 days)
ca /etc/openvpn/sk2.crt
cert /etc/openvpn/sk2.crt
key /etc/openvpn/sk2.key
dh /etc/openvpn/dh2048.pem
</code>
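The config above hands authentication to `/etc/openvpn/verify.pl` in `via-file` mode but the page does not show that script. As an added illustration (not the page's verify.pl, and written in Python rather than Perl), the block below implements the contract such a script has to satisfy: OpenVPN writes the client's username on line 1 and password on line 2 of a temporary file, passes that file's path as the first argument, and treats exit status 0 as "accept" and anything else as "reject". The credential store format (salted PBKDF2-SHA256 digests) and the sample user are this example's own assumptions; a real deployment would load the store from a root-owned file instead of a dict in the source.

```python
"""Example OpenVPN auth-user-pass-verify helper for 'via-file' mode.

Not the page's /etc/openvpn/verify.pl; an added example of the interface
that script must implement.  Run by OpenVPN as:  verify.py <via-file>
"""
import hashlib
import hmac
import os
import sys

PBKDF2_ITERATIONS = 200_000


def derive(password, salt, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-SHA256 of the password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password, salt=None):
    """Build a store entry (hex salt, iterations, hex digest).

    Used here only to construct the sample store; a fixed salt is passed
    below so that the sample is reproducible.  Use os.urandom for real users.
    """
    salt = salt if salt is not None else os.urandom(16)
    return salt.hex(), PBKDF2_ITERATIONS, derive(password, salt).hex()


# Constructed sample store: username -> (hex salt, iterations, hex digest).
# Assumption for this example; the original page defines no user database.
SAMPLE_STORE = {
    "alice": make_record("correct horse battery staple", salt=bytes(16)),
}


def parse_via_text(text):
    """Split the via-file contents: line 1 is the username, line 2 the password."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("via-file needs two lines (username, password)")
    return lines[0], lines[1]


def parse_via_file(path):
    with open(path, "r", encoding="utf-8") as f:
        return parse_via_text(f.read())


def verify_credentials(username, password, store=SAMPLE_STORE):
    """Return True only if the user exists and the password matches its digest."""
    record = store.get(username)
    if record is None:
        # Derive anyway so unknown users cost the same as a wrong password.
        derive(password, bytes(16))
        return False
    salt_hex, iterations, digest_hex = record
    candidate = derive(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def main(argv):
    """Exit 0 to accept the client, 1 to reject it (OpenVPN's convention)."""
    if len(argv) != 2:
        print("usage: verify.py <via-file>", file=sys.stderr)
        return 1
    try:
        user, pw = parse_via_file(argv[1])
    except (OSError, ValueError) as exc:
        print("verify: %s" % exc, file=sys.stderr)
        return 1
    ok = verify_credentials(user, pw)
    # Log the decision, never the password; this ends up in openvpn's log.
    print("verify: user=%r %s" % (user, "accepted" if ok else "rejected"),
          file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use a script like this instead of verify.pl, the `auth-user-pass-verify` line would point at it (with `via-file` kept), and `script-security 2` must stay in the config, since OpenVPN refuses to run external scripts below that level.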
Once the container is up it starts the VPN (Debian-like systems automatically run every installed init script at boot).
Running multivnc on the host machine:
<code>
xhost +
LANG= lxc-attach sieci-vpn -- multivnc
</code>
Note that `xhost +` disables X access control for every client, not only the container; since the container reaches the X server through the bind-mounted `/tmp/.X11-unix` socket, `xhost +local:` is enough and keeps network clients out.