hmm3

2026-04-21 23:06:47 +01:00
parent 445c99b10e
commit 21a4fb5d08
5 changed files with 38 additions and 9 deletions
--- a/VM_VPN_GATEWAY.sh
+++ b/VM_VPN_GATEWAY.sh
@@ -25,11 +25,11 @@ ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
 echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
 sysctl -p /etc/sysctl.conf

-iptables -A INPUT  -p udp --dport 1194 -j ACCEPT # :O
-iptables -A FORWARD -i $mega_tunel -o $if_dentro -j ACCEPT # :P
-iptables -A FORWARD -i $if_dentro -o $mega_tunel -j ACCEPT # ;)
-iptables -A FORWARD -i $mega_tunel -o $if_fora -j ACCEPT # faltava isto ?
-iptables -A FORWARD -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT # faltava isto ?
+iptables -I INPUT 1  -p udp --dport 1194 -j ACCEPT # :O
+iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT # :P
+iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT # ;)
+iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT # faltava isto ?
+iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT # faltava isto ?
 iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE # :D
 iptables-save > /etc/sysconfig/iptables # :3

@@ -41,5 +41,6 @@ cp ca/vpn.key $vpn_dir
 cp ca/vpn.crt $vpn_dir 
 cp ca/dh2048.pem $vpn_dir 
 cp conf/vpn.conf $vpn_dir 
+cp conf/ocsp-verify.sh $vpn_dir
 cp conf/totp /etc/pam.d/
 systemctl enable --now openvpn-server@vpn.service
--- a/conf/client.conf
+++ b/conf/client.conf
@@ -18,5 +18,4 @@ auth-user-pass
 tls-auth /etc/openvpn/client/ta.key 1

 remote-cert-tls server
-static-challenge "Enter TOTP: " 1
 reneg-sec 0
--- a/conf/ocsp-verify.sh
+++ b/conf/ocsp-verify.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# OpenVPN passes cert depth as $1
+depth=$1
+
+# Only check client certificate (depth 0)
+if [ "$depth" -eq 0 ]; then
+    if [ -n "$tls_serial_0" ] && [ -n "$peer_cert" ]; then
+        # Check OCSP against the CA
+        # Assuming OpenSSL server runs on 10.60.0.1:8888 for OCSP
+        status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -cert "$peer_cert" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
+        
+        if echo "$status" | grep -q "cert: revoked"; then
+            exit 1
+        fi
+        
+        if echo "$status" | grep -q "cert: good"; then
+            exit 0
+        fi
+        
+        # If unknown or error, fail safe
+        exit 1
+    fi
+fi
+
+exit 0
--- a/conf/totp
+++ b/conf/totp
@@ -1,3 +1,3 @@
-auth    required    pam_unix.so    workaround_procrastination
-auth    required    pam_google_authenticator.so
+auth    required    pam_google_authenticator.so forward_pass
+auth    required    pam_unix.so use_first_pass
 account required    pam_unix.so
--- a/conf/vpn.conf
+++ b/conf/vpn.conf
@@ -13,7 +13,11 @@ server 10.8.0.0 255.255.255.0
 verb 4

 topology subnet
+push "route 10.60.0.0 255.255.255.0"

+# OCSP and Revocation
+script-security 2
+tls-verify /etc/openvpn/server/ocsp-verify.sh
 # auth
 cipher AES-256-GCM
 auth SHA256
@@ -22,4 +26,4 @@ auth SHA256
 plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
 tls-auth /etc/openvpn/server/ta.key 0

-static-challenge "Enter TOTP: " 1
+