some change in readme
This commit is contained in:
parent
66c0fa4678
commit
27bc41db42
225
README.org
225
README.org
@ -24,12 +24,11 @@ ssh-copy-id <login>@<ip-address server>
|
||||
|
||||
На сервере настраиваем SSH (запрет авторизации по паролю, запрет root по ssh):
|
||||
#+begin_src shell
|
||||
sudo vim /etc/ssh/sshd_config
|
||||
sudo vi /etc/ssh/sshd_config
|
||||
#+end_src
|
||||
|
||||
Добавляем или изменяем строки:
|
||||
#+begin_src conf
|
||||
AllowUsers <login>
|
||||
PermitRootLogin no
|
||||
PasswordAuthentication no
|
||||
#+end_src
|
||||
@ -50,22 +49,16 @@ sudo dnf upgrade --refresh
|
||||
Включаем CRB репозиторий:
|
||||
#+begin_src shell
|
||||
sudo dnf config-manager --set-enabled crb
|
||||
#+end_src
|
||||
|
||||
Далее устанавливаем EPEL. Как я понимаю - это репозиторий Fedora:
|
||||
#+begin_src shell
|
||||
sudo dnf install \
|
||||
https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
|
||||
https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm
|
||||
sudo dnf install epel-release
|
||||
#+end_src
|
||||
|
||||
Ставим необходимые пакеты:
|
||||
#+begin_src shell
|
||||
sudo dnf install zsh htop nginx git wget vim python3-pip python3-devel gcc -y
|
||||
sudo dnf install zsh vim htop nginx git wget vim python3-pip python3-devel gcc emacs-nox -y
|
||||
sudo pip3 install virtualenv
|
||||
#+end_src
|
||||
|
||||
Устанавливаем [oh-my-zsh](https://github.com/robbyrussell/oh-my-zsh):
|
||||
Устанавливаем [[oh-my-zsh][https://github.com/robbyrussell/oh-my-zsh]]:
|
||||
#+begin_src shell
|
||||
sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
|
||||
#+end_src
|
||||
@ -139,10 +132,8 @@ deactivate
|
||||
|
||||
Разрешаем в firewall порт 5000 и 8000 для тестов:
|
||||
#+begin_src shell
|
||||
sudo firewall-cmd --add-port=5000/tcp --permanent
|
||||
sudo firewall-cmd --add-port=8000/tcp --permanent
|
||||
sudo firewall-cmd --reload
|
||||
|
||||
sudo firewall-cmd --add-port=5000/tcp
|
||||
sudo firewall-cmd --add-port=8000/tcp
|
||||
#+end_src
|
||||
|
||||
Чтобы посмотреть лист открытых портов:
|
||||
@ -150,32 +141,12 @@ sudo firewall-cmd --reload
|
||||
sudo firewall-cmd --list-all
|
||||
#+end_src
|
||||
|
||||
Отключаем ~SELinux~:
|
||||
#+begin_src shell
|
||||
sudo vim /etc/selinux/config
|
||||
#+end_src
|
||||
|
||||
#+begin_src conf
|
||||
SELINUX=disabled #enforcing
|
||||
#+end_src
|
||||
|
||||
Перезагружаемся:
|
||||
#+begin_src shell
|
||||
sudo reboot now
|
||||
#+end_src
|
||||
|
||||
Теперь для ~klintorg-www~ назначаем права:
|
||||
#+begin_src shell
|
||||
sudo chown -R klintorg-www:nginx /home/klintorg-www
|
||||
sudo chmod -R 755 /home/klintorg-www
|
||||
#+end_src
|
||||
|
||||
** Тестим проект
|
||||
|
||||
Можем протестировать проект:
|
||||
#+begin_src shell
|
||||
cd /home/klintorg-www/klintorg
|
||||
source .klintorg/bin/activate
|
||||
python __init__.py
|
||||
#+end_src
|
||||
|
||||
@ -193,6 +164,27 @@ gunicorn --bind 0.0.0.0:8000 wsgi:app
|
||||
deactivate
|
||||
#+end_src
|
||||
|
||||
Теперь для ~klintorg-www~ назначаем права:
|
||||
#+begin_src shell
|
||||
sudo chown -R klintorg-www:nginx /home/klintorg-www
|
||||
sudo chmod -R 755 /home/klintorg-www
|
||||
#+end_src
|
||||
|
||||
Отключаем ~SELinux~:
|
||||
#+begin_src shell
|
||||
sudo vim /etc/selinux/config
|
||||
#+end_src
|
||||
|
||||
#+begin_src conf
|
||||
SELINUX=disabled #enforcing
|
||||
#+end_src
|
||||
|
||||
Перезагружаемся:
|
||||
#+begin_src shell
|
||||
sudo reboot now
|
||||
#+end_src
|
||||
|
||||
|
||||
** Настраиваем Flask Application
|
||||
|
||||
Мы протестировали что наш ~gunicorn~ работает с нашим приложением Flask. Теперь необходимо сделать так, чтобы он загружался при старте системы. Чтобы этого добиться, мы создадим ~systemd service~ и ~socket file~.
|
||||
@ -366,13 +358,9 @@ Address = 10.8.0.1/24
|
||||
ListenPort = 51820
|
||||
PrivateKey = KM12oqlqAxKPyHXuOhL1XXcCeaGzYwAZ2pyYmHM8u2s=
|
||||
|
||||
PostUp = firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i \
|
||||
wg0 -o ens3 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ens3 -j MASQUERADE; firewall-c\
|
||||
md --add-port=51820/udp
|
||||
PostUp = firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o ens3 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ens3 -j MASQUERADE; firewall-cmd --add-port=51820/udp
|
||||
|
||||
PostDown = firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWA\
|
||||
RD 0 -i wg0 -o ens3 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o ens3 -j MASQUERADE;\
|
||||
firewall-cmd --remove-port=51820/udp
|
||||
PostDown = firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o ens3 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o ens3 -j MASQUERADE; firewall-cmd --remove-port=51820/udp
|
||||
|
||||
[Peer]
|
||||
PublicKey = ffLtSBKib0Wi7KnaEZXp7ZSWV+dswaPjPQHDYO1iiSQ=
|
||||
@ -448,3 +436,158 @@ Endpoint = 88.210.3.57:51830
|
||||
AllowedIPs = 0.0.0.0/0
|
||||
PersistentKeepalive = 20
|
||||
#+end_src
|
||||
|
||||
|
||||
** OpenVPN
|
||||
*** Server
|
||||
|
||||
Просто приложу команды:
|
||||
#+begin_src shell
|
||||
sudo -i
|
||||
dnf install openvpn
|
||||
dnf install easy-rsa
|
||||
mkdir /etc/easy-rsa
|
||||
cp -air /usr/share/easy-rsa/3.0.8/* /etc/easy-rsa/ # last ver. 3.0.8
|
||||
cd /etc/easy-rsa/
|
||||
./easyrsa init-pki
|
||||
./easyrsa build-ca
|
||||
./easyrsa gen-dh
|
||||
./easyrsa build-server-full server nopass
|
||||
openvpn --genkey secret /etc/easy-rsa/pki/ta.key
|
||||
./easyrsa gen-crl
|
||||
cp -rp /etc/easy-rsa/pki/{ca.crt,dh.pem,ta.key,crl.pem,issued,private} /etc/openvpn/server/
|
||||
#+end_src
|
||||
|
||||
*** Clients
|
||||
#+begin_src shell
|
||||
./easyrsa build-client-full gentoo nopass # 1 client
|
||||
./easyrsa build-client-full johndoe nopass # 2 client
|
||||
mkdir /etc/openvpn/client/{gentoo,johndoe}
|
||||
cp -rp /etc/easy-rsa/pki/{ca.crt,issued/gentoo.crt,private/gentoo.key} /etc/openvpn/client/gentoo
|
||||
cp -rp /etc/easy-rsa/pki/{ca.crt,issued/johndoe.crt,private/johndoe.key} /etc/openvpn/client/johndoe/
|
||||
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/
|
||||
emacs /etc/openvpn/server/server.conf
|
||||
#+end_src
|
||||
|
||||
Конфиг сервера:
|
||||
#+begin_src conf
|
||||
port 1194
|
||||
proto udp4
|
||||
dev tun
|
||||
ca ca.crt
|
||||
cert issued/server.crt
|
||||
key private/server.key # This file should be kept secret
|
||||
dh dh.pem
|
||||
topology subnet
|
||||
server 10.8.0.0 255.255.255.0
|
||||
ifconfig-pool-persist ipp.txt
|
||||
push "redirect-gateway def1 bypass-dhcp"
|
||||
push "dhcp-option DNS 208.67.222.222"
|
||||
push "dhcp-option DNS 192.168.10.3"
|
||||
client-to-client
|
||||
keepalive 10 120
|
||||
tls-auth ta.key 0 # This file is secret
|
||||
cipher AES-256-CBC
|
||||
comp-lzo
|
||||
user nobody
|
||||
group nobody
|
||||
persist-key
|
||||
persist-tun
|
||||
status /var/log/openvpn/openvpn-status.log
|
||||
log-append /var/log/openvpn/openvpn.log
|
||||
verb 3
|
||||
explicit-exit-notify 1
|
||||
auth SHA512
|
||||
#+end_src
|
||||
|
||||
#+begin_src shell
|
||||
mkdir /var/log/openvpn/
|
||||
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
|
||||
sysctl --system
|
||||
firewall-cmd --add-port=1194/udp --permanent
|
||||
firewall-cmd --add-masquerade --permanent
|
||||
ip route get 8.8.8.8 # Чтобы посмотреть имя сетевого интерфейса ~ens3~
|
||||
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
|
||||
firewall-cmd --reload
|
||||
systemctl enable --now openvpn-server@server
|
||||
tail /var/log/openvpn/openvpn.log
|
||||
#+end_src
|
||||
|
||||
Конфиг клиентов ~(client_file.ovpn)~:
|
||||
#+begin_src conf
|
||||
client
|
||||
tls-client
|
||||
pull
|
||||
dev tun
|
||||
proto udp4
|
||||
remote 192.168.60.19 1194
|
||||
resolv-retry infinite
|
||||
nobind
|
||||
#user nobody
|
||||
#group nogroup
|
||||
persist-key
|
||||
persist-tun
|
||||
key-direction 1
|
||||
remote-cert-tls server
|
||||
auth-nocache
|
||||
comp-lzo
|
||||
verb 3
|
||||
auth SHA512
|
||||
tls-auth ta.key 1
|
||||
ca ca.crt
|
||||
cert gentoo.crt
|
||||
key gentoo.key
|
||||
#+end_src
|
||||
|
||||
Работать будет только в том случае, если все сертификаты лежат рядом с файлом .ovpn. Иначе надо сертификаты писать в файл, вот так:
|
||||
#+begin_src conf
|
||||
client
|
||||
tls-client
|
||||
pull
|
||||
dev tun
|
||||
proto udp4
|
||||
remote 192.168.60.19 1194
|
||||
resolv-retry infinite
|
||||
nobind
|
||||
#user nobody
|
||||
#group nogroup
|
||||
persist-key
|
||||
persist-tun
|
||||
key-direction 1
|
||||
remote-cert-tls server
|
||||
auth-nocache
|
||||
comp-lzo
|
||||
verb 3
|
||||
auth SHA512
|
||||
<tls-auth>
|
||||
-----BEGIN OpenVPN Static key V1-----
|
||||
feb1af5407baa247d4e772c76aed6c75
|
||||
...
|
||||
-----END OpenVPN Static key V1-----
|
||||
</tls-auth>
|
||||
<ca>
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDTjCCAjagAwIBAgIUX0VQrHTgLDabUUIOAf7tD9cGp4YwDQYJKoZIhvcNAQEL
|
||||
...
|
||||
WA9BBk2shVWfR849Lmkep+GPyqHpU47dZAz37ARB2Gfu3w==
|
||||
-----END CERTIFICATE-----
|
||||
</ca>
|
||||
<cert>
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number:
|
||||
...
|
||||
/7FvJaeLqmUHnvSs5eBlRZSgtOL19SCFkG0HXdnw3LtBaoHQXxgzOkDPW1+5
|
||||
-----END CERTIFICATE-----
|
||||
</cert>
|
||||
<key>
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+DI7kg6MsRoCs
|
||||
...
|
||||
6WdLcNtWKAcU294xJEZoOA8/
|
||||
-----END PRIVATE KEY-----
|
||||
</key>
|
||||
#+end_src
|
||||
|
||||
После этого добавляем файл в OVPNClient и радуемся)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user