jowj/chd

History

jowj 9378cc8cdf Include basic information on a few flat files of note.		2019-09-28 17:46:03 -05:00
..
before.rules
hosts.yml
ipsec.conf	Configure files that will be pushed to remote in deploy.	2019-09-28 17:45:32 -05:00
ipsec.secrets	Configure files that will be pushed to remote in deploy.	2019-09-28 17:45:32 -05:00
readme.md	Include basic information on a few flat files of note.	2019-09-28 17:46:03 -05:00
serverbuild.yml
sysctl.conf	Configure files that will be pushed to remote in deploy.	2019-09-28 17:45:32 -05:00
vpnBuild.yml	Build out deploy skeleton for VPN role.	2019-09-28 17:45:47 -05:00

readme.md

serverbuild

this is a mess of a directory right now. sorry about that.

ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

This tells sswan to log daemon statuses for debugging and allow duplicate connections

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes

This starts the VPN config stanza. Use IKEv2 VPN tunnels and load this config everytime we start up.

    dpdaction=clear
    dpddelay=300s
    rekey=no

This clears any weird connections (i.e. if a client gets unexpectedly dced)

    left=%any
    leftid=@vpn.awful.club
    leftcert=awful-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0

in strongswan grammer, "left" refers to serverside, apparently. this section is pretty selfexplanatory. The exception to that is %any i've got no fucking clue what that is.

    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1,1.0.0.1
    rightsendcert=never

"right" side is client side.

    eap_identity=%identity

this tells sswan to always ask for un/pw on connect (eap.) ((also eeeep))

ipsec.secrets

this file contains: secrets, for the love of god change the values.

: RSA "server-key.pem" declares wheere the private key lives and what algo was used your_username : EAP "your_password" is very obvious.