Scribd Logo
Upload

Welcome to Scribd!

  • 3 views

    6-CA OpenVPN

    Uploaded by

    Paula Rodriguez
    This document outlines the configuration of several security services on a server including a certificate authority (CA), HTTPS, FTPs, secure email (SMTP/IMAP), and OpenVPN. It describes installing EasyRSA to set up the CA and generate certificates. It then configures the web server, FTP server, email servers, and OpenVPN to use the certificates to enable encrypted connections and authentication with the CA. Firewall rules are added and services are configured to use SSL/TLS and the certificates. The CA certificate is also distributed to clients to validate server certificates.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    6-CA OpenVPN

    Uploaded by

    Paula Rodriguez
    3 views4 pages
    This document outlines the configuration of several security services on a server including a certificate authority (CA), HTTPS, FTPs, secure email (SMTP/IMAP), and OpenVPN. It describes installing EasyRSA to set up the CA and generate certificates. It then configures the web server, FTP server, email servers, and OpenVPN to use the certificates to enable encrypted connections and authentication with the CA. Firewall rules are added and services are configured to use SSL/TLS and the certificates. The CA certificate is also distributed to clients to validate server certificates.

    Original Description:

    ll

    Original Title

    6-CA_OpenVPN

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document outlines the configuration of several security services on a server including a certificate authority (CA), HTTPS, FTPs, secure email (SMTP/IMAP), and OpenVPN. It describes installing EasyRSA to set up the CA and generate certificates. It then configures the web server, FTP server, email servers, and OpenVPN to use the certificates to enable encrypted connections and authentication with the CA. Firewall rules are added and services are configured to use SSL/TLS and the certificates. The CA certificate is also distributed to clients to validate server certificates.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as txt, pdf, or txt
    3 views4 pages

    6-CA OpenVPN

    Uploaded by

    Paula Rodriguez
    This document outlines the configuration of several security services on a server including a certificate authority (CA), HTTPS, FTPs, secure email (SMTP/IMAP), and OpenVPN. It describes installing EasyRSA to set up the CA and generate certificates. It then configures the web server, FTP server, email servers, and OpenVPN to use the certificates to enable encrypted connections and authentication with the CA. Firewall rules are added and services are configured to use SSL/TLS and the certificates. The CA certificate is also distributed to clients to validate server certificates.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as txt, pdf, or txt
    of 4

    ## CA ##

    dnf -y install epel*


    dnf -y install easy-rsa

    cp -r /usr/share/easy-rsa/3.0.8/ /CA
    cp /usr/share/doc/easy-rsa/vars.example /CA/vars

    cd /CA
    vim vars
    # Editar y descomentar las lineas de la 95 a la 100, la 87 cambiar de cn_only a org

    # Crear la estructura PKI y la CA

    ./easyrsa init-pki
    ./easyrsa build-ca nopass

    # Generar y Firmar Certificados

    ./easyrsa gen-req www nopass


    ./easyrsa sign-req server www nopass

    ./easyrsa gen-req ftp nopass


    ./easyrsa sign-req server ftp nopass

    ./easyrsa gen-req mail nopass


    ./easyrsa sign-req server mail nopass

    ./easyrsa gen-req server nopass


    ./easyrsa sign-req server server nopass

    ./easyrsa gen-req client nopass


    ./easyrsa sign-req client client nopass

    ## HTTPs ##
    dnf -y install mod_ssl

    cd /etc/httpd/conf.d/
    cat ssl.conf | grep local

    tree /CA
    vim ssl.conf
    # Modificar la ruta de los certificados
    firewall-cmd --add-service=https --permanent
    firewall-cmd --reload
    firewall-cmd --list-services

    systemctl restart httpd

    # En el cliente
    cd /etc/pki/ca-trust/source/anchors/
    pwd

    scp root@192.168.40.254:/CA/pki/ca.crt .
    chmod 744 ca.crt
    update-ca-trust

    ## FTPs ##

    vim /etc/vsftpd/vsftpd.conf
    # Agregar las lineas
    ssl_enable=YES
    rsa_cert_file=/CA/pki/issued/ftp.crt
    rsa_private_key_file=/CA/pki/private/ftp.key
    # También agregar puertos de escucha
    listen_port=990
    pasv_min_port=60001
    pasv_max_port=60010

    firewall-cmd --add-port={990,60001-60010}/tcp --permanent


    firewall-cmd --reload
    firewall-cmd --list-port

    # En el cliente instalar Filezilla


    dnf -y install epel*
    dnf -y install filezilla*
    # En filezilla escoger FTP con certificados explicito e ingresar

    ## Correo Seguro ##

    # Modificar Postfix
    postconf -e "smtp_tls_CApath = /CA/pki/"
    postconf -e "smtp_tls_CAfile = /CA/pki/ca.crt"
    postconf -e "smtpd_tls_cert_file = /CA/pki/issued/mail.crt"
    postconf -e "smtpd_tls_key_file = /CA/pki/private/mail.key"
    postconf -n | grep tls

    # Modificar Dovecot
    vim /etc/dovecot/conf.d/10-auth.conf
    # Modificar a yes --> disable_plaintext_auth = yes

    # Habilitar SSL
    vim /etc/dovecot/conf.d/10-ssl.conf
    # Modificar de ssl = no --> ssl = required
    # Nota: No borrar en las rutas el <
    # Modificar la ruta del certificado a /CA/pki/issued/mail.crt
    # Modificar la ruta de la llave a /CA/pki/private/mail.key
    doveconf -n | egrep "required|mail"

    systemctl restart {postfix,dovecot}

    ## OpenVPN ##

    cd /etc/openvpn/
    tree

    # Copiar Archivos de la CA a OpenVPN


    tree /CA/pki
    cp -p /CA/pki/{issued,private}/server.* server/
    cp -p /CA/pki/{issued,private}/client.* client/
    cp -p /CA/pki/ca.crt server/
    cp -p /CA/pki/ca.crt client/

    cp -p /CA/pki/dh.pem server/dh2048.pem
    cp -p /usr/share/doc/openvpn/sample/sample-config-files/server.conf server/
    cp -p /usr/share/doc/openvpn/sample/sample-config-files/client.conf client/
    tree

    vim server.conf
    # Deshabilitar el tls ta y editar parametros necesarios red, dns, permitidas

    openvpn --config server.conf


    systemctl enable --now openvpn-server@server

    # Desbloquear Firewall y SElinux


    firewall-cmd --permanent --add-port=1194/udp
    firewall-cmd --reload
    firewall-cmd --list-port
    setenforce 0
    # En el cliente
    dnf -y install openvpn NetworkManager-openvpn-gnome dialog

    cd /etc/openvpn/client/
    scp root@200.100.50.1:/etc/openvpn/client/* .
    ll
    chown -R grodriguez: /etc/openvpn/*
    openvpn --config client.conf

    # Iniciar el servicio por CLI automaticamente


    systemctl enable --now openvpn-client@client

    # Inicial el servicio por GUI manual cuando se requiera


    # Colocar Gateway en la WAN siempre que no sea la IP del server ni del cliente
    # Buscar graficamente opcion VPN e importar client.conf

    You might also like