6-CA OpenVPN
# Build a private certificate authority with easy-rsa under /CA.
# Copy the packaged easy-rsa 3.0.8 tree to /CA and seed /CA/vars from the
# example file shipped in the package documentation.
cp -r /usr/share/easy-rsa/3.0.8/ /CA
cp /usr/share/doc/easy-rsa/vars.example /CA/vars
cd /CA
vim vars
# Edit and uncomment lines 95 to 100; on line 87 change cn_only to org
# NOTE(review): the line numbers refer to this easy-rsa version's vars.example;
# presumably line 87 is the DN mode and 95-100 the organisation fields - confirm
# against the file before editing.
# Create the PKI directory (/CA/pki) that the later steps read from.
./easyrsa init-pki
# Create the CA certificate and private key. "nopass" stores the CA key
# unencrypted: anyone who can read /CA/pki/private can issue certificates that
# every client trusting this CA will accept. Outside a lab, drop "nopass",
# keep /CA readable by root only, and prefer a CA host that runs no services.
./easyrsa build-ca nopass
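## HTTPS ##
# Install Apache's TLS module, then point its configuration at a certificate
# issued by the CA in /CA and open the https service in firewalld.
dnf -y install mod_ssl
cd /etc/httpd/conf.d/
# Show the lines of ssl.conf that contain "local" (the paths to be replaced).
# grep reads the file directly; no need to pipe it through cat.
grep local ssl.conf
# List /CA to find the certificate and key files to reference.
tree /CA
vim ssl.conf
# Change the certificate paths
# NOTE(review): issuing the web server's certificate is not shown on this page.
# Reference only the server's own certificate and key, never the CA key.
# On an SELinux-enforcing host httpd may be denied access to files under /CA;
# copying the server certificate and key to the distribution's TLS directory
# also keeps the service from reading the CA tree - confirm for this host.
# The new paths take effect only after httpd is restarted (not shown here).
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
# Confirm that https now appears among the allowed services.
firewall-cmd --list-services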
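# On the client
# Install the CA certificate as a system-wide trust anchor, so that every
# certificate issued by this CA is accepted by the client.
cd /etc/pki/ca-trust/source/anchors/
pwd
# NOTE(review): this logs in to the CA host as root over SSH. ca.crt is public,
# so an unprivileged account, or a copy of ca.crt published outside /CA, is
# enough and avoids enabling root logins on the host that holds the CA key.
scp root@192.168.40.254:/CA/pki/ca.crt .
# A trust anchor must be the intended one: print its subject and SHA-256
# fingerprint and compare them with the values read on the CA host itself
# before running update-ca-trust.
openssl x509 -in ca.crt -noout -subject -fingerprint -sha256
# A certificate is data: readable by everyone, writable by the owner only and
# never executable (the original used 744, which set the owner's execute bit).
chmod 644 ca.crt
# Rebuild the consolidated trust store so that the new anchor is used.
update-ca-trust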
## FTPS ##
# Enable TLS in vsftpd using a certificate issued by the CA in /CA.
vim /etc/vsftpd/vsftpd.conf
# Add the lines below (they are vsftpd.conf settings, not shell commands)
# NOTE(review): issuing ftp.crt / ftp.key is not shown on this page. The daemon
# reads its key straight from the CA tree here; copying only this service's
# certificate and key out of /CA would keep the CA directory closed to it.
ssl_enable=YES
rsa_cert_file=/CA/pki/issued/ftp.crt
rsa_private_key_file=/CA/pki/private/ftp.key
# Also add the listening ports
# NOTE(review): 990 is the conventional implicit-FTPS port, but vsftpd starts
# TLS at connect time only when implicit_ssl=YES is also set; with the lines
# above, clients must request TLS explicitly on port 990 - confirm what the
# clients expect.
listen_port=990
# Passive-mode data connections use this port range.
# NOTE(review): this page opens only the https service in firewalld; 990/tcp
# and 60001-60010/tcp must be allowed as well, and vsftpd restarted, before
# the service is reachable (neither step is shown).
pasv_min_port=60001
pasv_max_port=60010
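## Secure mail ##
# Configure Postfix
# smtp_tls_* settings apply to Postfix as a client (outgoing mail);
# smtpd_tls_* settings apply to the SMTP server (incoming connections).
# NOTE(review): smtp_tls_CApath expects a directory of hashed CA certificates;
# /CA/pki/ is the easy-rsa tree, and smtp_tls_CAfile already names the CA, so
# the CApath line is presumably unnecessary - confirm.
postconf -e "smtp_tls_CApath = /CA/pki/"
postconf -e "smtp_tls_CAfile = /CA/pki/ca.crt"
# NOTE(review): issuing mail.crt / mail.key is not shown on this page.
postconf -e "smtpd_tls_cert_file = /CA/pki/issued/mail.crt"
postconf -e "smtpd_tls_key_file = /CA/pki/private/mail.key"
# Review the TLS parameters that are explicitly set. Whether the server offers
# STARTTLS at all depends on smtpd_tls_security_level, which this page does not
# set - check that it appears in this output.
postconf -n | grep tls
# Configure Dovecot
vim /etc/dovecot/conf.d/10-auth.conf
# Change to yes --> disable_plaintext_auth = yes
# (plaintext authentication is then refused on connections without TLS)
# Enable SSL
vim /etc/dovecot/conf.d/10-ssl.conf
# Change ssl = no --> ssl = required
# Note: do not delete the < in the paths
# (the leading < makes Dovecot read the value from the named file)
# Change the certificate path to /CA/pki/issued/mail.crt
# Change the key path to /CA/pki/private/mail.key
# Show the non-default settings that mention "required" or "mail".
# grep -E replaces egrep, which current GNU grep reports as obsolescent.
doveconf -n | grep -E "required|mail"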
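## OpenVPN ##
# Stage the Diffie-Hellman parameters and the packaged sample configurations
# under /etc/openvpn, then adapt the server configuration.
cd /etc/openvpn/
tree
# NOTE(review): generating /CA/pki/dh.pem and issuing the server and client
# certificates are not shown on this page; the ca/cert/key lines in both
# configuration files must point at those files.
cp -p /CA/pki/dh.pem server/dh2048.pem
cp -p /usr/share/doc/openvpn/sample/sample-config-files/server.conf server/
cp -p /usr/share/doc/openvpn/sample/sample-config-files/client.conf client/
tree
# server.conf was copied into server/, so edit it there (the original ran
# "vim server.conf", which opens a new empty file in /etc/openvpn/).
vim server/server.conf
# Disable tls-auth (ta) and edit the necessary parameters: network, DNS, allowed networks
# NOTE(review): tls-auth adds an HMAC check, so that packets from peers without
# the shared key are dropped before any TLS processing. Disabling it exposes
# the TLS handshake to unauthenticated traffic; outside a lab, generate ta.key
# and keep tls-auth (or tls-crypt) enabled on both server and client.
# The next steps are presumably run on the client, since they pull files from
# the server.
cd /etc/openvpn/client/
# NOTE(review): this copies everything in the server's client/ directory as
# root over SSH, including any client private key stored there. Prefer an
# unprivileged account and copy only this client's files.
scp root@200.100.50.1:/etc/openvpn/client/* .
ll
# NOTE(review): the glob covers all of /etc/openvpn, not only client/, so any
# other configuration or key material there also becomes owned by grodriguez.
# Confirm this is intended; /etc/openvpn/client alone is probably enough.
chown -R grodriguez: /etc/openvpn/*
# Start the tunnel in the foreground using the copied configuration.
openvpn --config client.conf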