jowj/chd
1
0
Fork 0
Code Pull Requests Releases Activity

s2svpn #2

Merged
jowj merged 4 commits from s2svpn into master 2019-10-05 20:50:57 +00:00
Conversation 0 Commits 4 Files Changed 4 +63 -132
4 changed files with 63 additions and 132 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
deployments/mediaServer/docker-compose.yml
View File

@ -72,3 +72,17 @@ services:
- "/Volumes/usenet/audio/:/music"
- "/Volumes/usenet/movies/:/movies"
- "/Volumes/usenet/itunes-synology/iTunes Media/Automatically Add to iTunes.localized/:/itunes"
lazylibrarian:
image: "thraxis/lazylibrarian-calibre"
ports:
- "5299:5299"
restart: unless-stopped
environment:
PUID: 1000
PGID: 1000
TZ: America/Chicago
volumes:
- "/Users/josiah/Documents/apps/lazylibrarian:/config"
- "/Users/josiah/Downloads/usenet-complete/:/downloads"
- "/Volumes/usenet/book-library/books/:/books"
- "/Volumes/usenet/book-library/audiobooks:/audiobooks"

46
deployments/serverBuild/ipsec.conf
View File

@ -1,27 +1,23 @@
# basic configuration
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@vpn.awful.club
leftcert=awful-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=1.1.1.1,1.0.0.1
rightsendcert=never
eap_identity=%identity
# connection to amsterdam datacenter
conn home-to-digitalocean
authby=secret
left=%defaultroute
leftid=165.22.156.25
leftsubnet=10.138.0.0/16
right=0.0.0.0
rightsubnet=192.168.1.0/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start

9
deployments/serverBuild/ipsec.secrets
View File

@ -1,9 +0,0 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA "awful-server-key.pem"
jowj : EAP "fake-password"
# get secrets from other files
include ipsec.*.secrets

124
deployments/serverBuild/vpnBuild.yml
View File

@ -6,6 +6,8 @@
become: yes
vars:
vpn_packages: [ 'strongswan','strongswan-pki','ufw' ]
remote_host: 165.22.156.25
local_host: 0.0.0.0
tasks:
- name: Update apt
@ -14,31 +16,23 @@
- name: Install required system packages
apt: name={{ vpn_packages }} state=latest
- name: Build temp pki dir structure - cacerts
shell: mkdir -p ~/pki/cacerts
- name: Build temp pki dir structure - certs
shell: mkdir -p ~/pki/certs
- name: Build temp pki dir structure - private and set perms
shell: mkdir -p ~/pki/private && chmod 700 ~/pki
- name: set kernel params
shell: |
cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
- name: Generate root key 4096 bit RSA
shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-ca-key.pem
- name: save kernel params
shell: sysctl -p /etc/sysctl.conf
- name: Create root cert authority & sign with root key
become_method: sudo
shell: ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/awful-ca-key.pem --type rsa --dn "CN=vpn.awful.club" --outform pem > ~/pki/cacerts/awful-ca-cert.pem
- name: Generate preshared key
shell: openssl rand -hex 32
register: awful_psk
- name: Generate cert for the VPN host
shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-server-key.pem
- name: Create & sign VPN server cert with CA cert.
shell: ipsec pki --pub --in ~/pki/private/awful-server-key.pem --type rsa | ipsec pki --issue --lifetime 1825 --cacert ~/pki/cacerts/awful-ca-cert.pem --cakey ~/pki/private/awful-ca-key.pem --dn "CN=vpn.awful.club" --san "vpn.awful.club" --flag serverAuth --flag ikeIntermediate --outform pem > ~/pki/certs/awful-server-cert.pem
- name: move temp pki dir structure to proper /etc/ipsec.d/ dir
shell: sudo cp -r ~/pki/* /etc/ipsec.d/
- name: make backup of default sswan conf file
shell: sudo mv /etc/ipsec.conf /etc/ipsec.conf.original
- debug:
msg: got this key {{ awful_psk }}
- name: Copy my ipsec.conf file to the VPN host
# this file does a lot. view more info in the readme.md
@ -48,81 +42,17 @@
owner: root
group: root
- name: Copy my ipsec.secrets file to the VPN host
# this file does a lot. view more info in the readme.md
copy:
src: ipsec.secrets
dest: /etc/ipsec.secrets
owner: root
group: root
- name: remove existing ipsec.secerts
shell: rm /etc/ipsec.secrets
- name: restart strongswan
shell: systemctl restart strongswan
- name: create ipsec.secrets with psk info
shell: |
cat >> /etc/ipsec.secrets << EOF
{{ remote_host }} {{local_host}}: PSK "{{awful_psk.stdout}}"
EOF
- name: allow SSH connections
ufw:
rule: allow
name: OpenSSH
- name: update route rules
shell: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.138.0.0/16 -j MASQUERADE
- name: Deny everything and enable UFW
ufw:
state: enabled
policy: deny
- name: rate limit ssh connections
ufw:
rule: limit
port: ssh
proto: tcp
- name: Allow all access from RFC1918 networks to this host
ufw:
rule: allow
src: '{{ item }}'
loop:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- name: Allow tcp ipsec ports
ufw:
rule: allow
port: 500
port: 4500
proto: tcp
- name: Allow udp ipsec ports
ufw:
rule: allow
port: 4500
port: 500
proto: udp
- name: copy local before.rules to vpn host
copy:
src: before.rules
dest: /etc/ufw/before.rules
owner: root
group: root
- name: copy local sysctl.conf to vpn host
copy:
src: sysctl.conf
dest: /etc/ufw/sysctl.conf
owner: root
group: root
- name: disable ufw to save config
ufw:
state: disabled
- name: reload ufw to activate changes
ufw:
state: enabled
- name: Copy ca-cert down to local machine
fetch:
src: /etc/ipsec.d/cacerts/awful-ca-cert.pem
dest: awful-ca-cert.pem
flat: yes
# - name: copy psk down to local machine
# local_action: copy_content={{ awful_psk }} dest=psk.txt