WIP: openvpn
@@ -2,4 +2,5 @@
|
|||||||
|
|
||||||
chronyd takes care of keeping the system clock in sync. When the system boots, chronyd will block start-up until it has resolved the time. This is useful on systems without a hardware clock (to avoid the system booting as 1970-01-01), but annoying for this setup.
|
chronyd takes care of keeping the system clock in sync. When the system boots, chronyd will block start-up until it has resolved the time. This is useful on systems without a hardware clock (to avoid the system booting as 1970-01-01), but annoying for this setup.
|
||||||
|
|
||||||
This behaviour can be disabled by editing /etc/conf.d/chronyd and setting FAST_STARTUP=yes.
|
This behaviour can be disabled by editing /etc/conf.d/chronyd and setting FAST_STARTUP=yes.
|
||||||
|
|
||||||
|
|||||||
@@ -18,5 +18,5 @@ source ./firewall.sh
|
|||||||
|
|
||||||
cd "$base_dir"
|
cd "$base_dir"
|
||||||
|
|
||||||
# Run update script
|
# Run update script with install argument to set up services
|
||||||
source ./update.sh
|
source ./update.sh install
|
||||||
@@ -24,5 +24,6 @@ EOF
|
|||||||
|
|
||||||
chmod +x /etc/local.d/mount-rshared.start
|
chmod +x /etc/local.d/mount-rshared.start
|
||||||
|
|
||||||
# Allow ports >= 53 to be rootless bound
|
# Allow ports >= 53 to be rootless bound, persistent
|
||||||
sysctl net.ipv4.ip_unprivileged_port_start=53
|
echo "net.ipv4.ip_unprivileged_port_start=53" >> /etc/sysctl.d/podman.conf
|
||||||
|
sysctl -p /etc/sysctl.d/podman.conf
|
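Review bot: The `>>` on the new `echo` line is not idempotent: every re-run of this script appends another `net.ipv4.ip_unprivileged_port_start=53` line to /etc/sysctl.d/podman.conf. Since that file is meant to hold only this one setting, overwrite it instead, e.g. `printf '%s\n' 'net.ipv4.ip_unprivileged_port_start=53' > /etc/sysctl.d/podman.conf`. The same append pattern appears in the new services/openvpn/install.sh for /etc/modules-load.d/tun.conf and /etc/sysctl.d/ip_forward.conf. Now that the setting survives reboots, the comment should also say that it lets any unprivileged process on the host bind ports from 53 upward, not only podman.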
||||||
@@ -1,11 +1,16 @@
|
|||||||
{
|
{
|
||||||
"description": "Restrict all internet access",
|
"description": "Restrict all internet access",
|
||||||
"variable": { "internet_if": "eth0" },
|
|
||||||
"zone": {
|
"zone": {
|
||||||
"internet": { "iface": "$internet_if" }
|
"WAN": { "iface": "eth0" },
|
||||||
|
"LAN": { "iface": "eth1" },
|
||||||
|
"VPN": { "iface": "tun+" }
|
||||||
},
|
},
|
||||||
"policy": [
|
"policy": [
|
||||||
{ "in": "internet", "action": "drop" },
|
{ "in": "VPN", "action": "accept" },
|
||||||
|
{ "out": "VPN", "action": "accept" },
|
||||||
|
{ "in": "LAN", "action": "accept" },
|
||||||
|
{ "out": "LAN", "action": "accept" },
|
||||||
|
{ "in": "WAN", "action": "drop" },
|
||||||
{ "action": "reject" }
|
{ "action": "reject" }
|
||||||
]
|
]
|
||||||
}
|
}
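Review bot: The order of the new policy list lets WAN-originated traffic slip past `{ "in": "WAN", "action": "drop" }`: `{ "out": "VPN", "action": "accept" }` and `{ "out": "LAN", "action": "accept" }` come first and match on the output zone alone, so if the list is evaluated first-match (which the trailing `{ "action": "reject" }` suggests) a packet from WAN destined for LAN or VPN is accepted before the drop is reached. Moving the WAN drop to the top of the list, or adding an `"in"` zone to the two `out` rules, closes that gap. Separately, `"VPN": { "iface": "tun+" }` matches any tun interface, not just the one OpenVPN creates, so any other tunnel device that comes up later inherits the accept policy; naming the device explicitly (e.g. `dev tun0` in the server config and `"iface": "tun0"` here) would be tighter.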
|
||||||
@@ -2,7 +2,8 @@
|
|||||||
"description": "Allow ping-pong",
|
"description": "Allow ping-pong",
|
||||||
"filter": [
|
"filter": [
|
||||||
{
|
{
|
||||||
"in": "internet",
|
"in": "WAN",
|
||||||
|
"out": "_fw",
|
||||||
"service": "ping",
|
"service": "ping",
|
||||||
"action": "accept",
|
"action": "accept",
|
||||||
"flow-limit": { "count": 10, "interval": 6 }
|
"flow-limit": { "count": 10, "interval": 6 }
|
||||||
|
|||||||
@@ -3,7 +3,7 @@
|
|||||||
"filter": [
|
"filter": [
|
||||||
{
|
{
|
||||||
"in": "_fw",
|
"in": "_fw",
|
||||||
"out": "internet",
|
"out": "WAN",
|
||||||
"service": ["http", "https", "dns", "ssh", "ntp", "ping"],
|
"service": ["http", "https", "dns", "ssh", "ntp", "ping"],
|
||||||
"action": "accept"
|
"action": "accept"
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
"description": "Allow incoming http (TCP 80 & 443) ports",
|
"description": "Allow incoming http (TCP 80 & 443) ports",
|
||||||
"filter": [
|
"filter": [
|
||||||
{
|
{
|
||||||
"in": "internet",
|
"in": "WAN",
|
||||||
"out": "_fw",
|
"out": "_fw",
|
||||||
"service": ["http", "https"],
|
"service": ["http", "https"],
|
||||||
"action": "accept"
|
"action": "accept"
|
||||||
|
|||||||
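--- /dev/null
+++ b/services/openvpn/config/openvpn.conf
@@ -0,0 +1,7 @@
+port 1194
+proto udp
+dev tun
+
+topology subnet
+
+# TODO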
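Review bot: The `# TODO` leaves the file without the directives that make it a usable server configuration, and nothing records what is still missing. The comment should at least list the intended pieces: a `server` subnet, the `ca`/`cert`/`key`/`dh` material, and the hardening directives `tls-crypt`, `user nobody`, `group nobody`, `persist-key` and `persist-tun`, since UDP/1194 is already opened from WAN by the accompanying policy file.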
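--- /dev/null
+++ b/services/openvpn/install.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+echo "Setting up OpenVPN..."
+apk add openvpn
+
+rc-update add openvpn
+modprobe tun
+echo tun >> /etc/modules-load.d/tun.conf
+
+# Enable IP forwarding, persistent
+echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
+sysctl -p /etc/sysctl.d/ip_forward.conf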
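Review bot: `apk add openvpn` is not checked, so a failed package install still proceeds to `rc-update add openvpn`, the module load and the sysctl changes. Because this file is sourced by the services loop rather than executed (the `#!/bin/sh` line is cosmetic in that case), a top-level `return` is the right way to bail: `apk add openvpn || return 1`. That status is only useful if the sourcing loop looks at it, which it presumably should.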
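--- /dev/null
+++ b/services/openvpn/openvpn.policy.json
@@ -0,0 +1,14 @@
+{
+"description": "Allow OpenVPN server access from the internet",
+"service": {
+"openvpn": { "port": 1194, "proto": "udp" }
+},
+"filter": [
+{
+"in": "WAN",
+"out": "_fw",
+"service": "openvpn",
+"action": "accept"
+}
+]
+}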
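--- /dev/null
+++ b/services/openvpn/update.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+ln -sf ./config/openvpn.conf /etc/openvpn/openvpn.conf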
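Review bot: `ln -sf ./config/openvpn.conf /etc/openvpn/openvpn.conf` creates a dangling link: a relative symlink target is resolved against the link's own directory, so this points at /etc/openvpn/config/openvpn.conf rather than at the service's config. Build an absolute target from the directory the sourcing loop has already entered: `ln -sf "$PWD/config/openvpn.conf" /etc/openvpn/openvpn.conf`. The line also assumes /etc/openvpn exists, presumably created by the openvpn package; if that cannot be relied on, `mkdir -p /etc/openvpn` belongs before the link.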
@@ -2,7 +2,7 @@
|
|||||||
"description": "Allow limited incoming SSH access (TCP/22)",
|
"description": "Allow limited incoming SSH access (TCP/22)",
|
||||||
"filter": [
|
"filter": [
|
||||||
{
|
{
|
||||||
"in": "internet",
|
"in": "WAN",
|
||||||
"out": "_fw",
|
"out": "_fw",
|
||||||
"service": "ssh",
|
"service": "ssh",
|
||||||
"action": "accept",
|
"action": "accept",
|
||||||
|
|||||||
@@ -9,6 +9,11 @@ for service in "./services"/*/; do
|
|||||||
[ -d "$service" ] || continue
|
[ -d "$service" ] || continue
|
||||||
cd "$service" || continue
|
cd "$service" || continue
|
||||||
|
|
||||||
|
# Run install.sh if installing for the first time (if $1 is "install")
|
||||||
|
if [ "$1" = "install" ] && [ -f "install.sh" ]; then
|
||||||
|
source ./install.sh
|
||||||
|
fi
|
||||||
|
|
||||||
# Run update.sh if present
|
# Run update.sh if present
|
||||||
if [ -f "update.sh" ]; then
|
if [ -f "update.sh" ]; then
|
||||||
source ./update.sh
|
source ./update.sh
|
||||||
|
|||||||
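Review bot: `source ./install.sh` on the added line ignores the script's exit status, so a service whose install step fails is still treated as installed and its update.sh runs anyway. Checking it keeps the loop honest: `source ./install.sh || continue`. A top-level `return` in a sourced file only returns from the `source`, which is what makes that status usable, whereas an `exit` inside a service script would terminate this whole loop, so the service scripts should use `return`. The loop body continues past the hunk, so whether it changes back to the base directory before the next iteration (needed, since `cd "$service"` uses a relative path) is not visible here.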