Document strongswan setup

Signed-off-by: Egor Savkin <es@m-labs.hk>
This commit is contained in:
Egor Savkin 2024-09-05 16:37:48 +08:00
parent 7803b0a97c
commit dda6a06454
10 changed files with 146 additions and 202 deletions

View File

@ -0,0 +1,18 @@
network:
version: 2
renderer: networkd
ethernets:
eth0:
addresses:
- 5.78.86.156/32
- 2a01:4ff:1f0:83de::2/64
- 2a01:4ff:1f0:83de::3/64
- 2a01:4ff:1f0:83de::4/64
tunnels:
gre1:
mode: gre
local: 5.78.86.156
remote: 94.190.212.123
addresses:
- 10.47.3.0/31

View File

@ -0,0 +1,14 @@
[Unit]
Description=GRE tunnel to the main host
After=network.target
[Service]
Type=simple
User=root
ExecStart=/root/gretun.sh
ExecStop=/root/gretun_down.sh
Restart=on-failure
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

12
m-labs-intl/gretun.sh Executable file
View File

@ -0,0 +1,12 @@
#!/bin/bash
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/usr/sbin/ufw route allow in on gre1 out on eth0

12
m-labs-intl/gretun_down.sh Executable file
View File

@ -0,0 +1,12 @@
#!/bin/bash
/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
/usr/sbin/iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
/usr/sbin/ufw delete route allow in on gre1 out on eth0

View File

@ -0,0 +1,34 @@
connections {
m_labs {
version = 2
encap = no
mobike = no
send_certreq = no
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
local_addrs = 5.78.86.156
remote_addrs = 94.190.212.123
local {
auth = pubkey
id = fqdn:m-labs-intl.com
pubkeys = m-labs-intl.com
}
remote {
auth = pubkey
id = fqdn:m-labs.hk
pubkeys = m-labs.hk
}
children {
con1 {
mode = transport
ah_proposals = sha256-curve25519,sha256-ecp256
esp_proposals =
local_ts = 5.78.86.156[gre]
remote_ts = 94.190.212.123[gre]
start_action = start
close_action = none
}
}
}
}

View File

@ -1,63 +0,0 @@
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.m-labs-intl.com
mydomain = m-labs-intl.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
#mydestination = $myhostname, m-labs-intl.com, localhost.localdomain, localhost
mydestination =
relayhost = mail.m-labs.hk
#relay_domains = $mydomain
local_transport = error:local delivery disabled
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = $mydomain m-labs.hk
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

View File

@ -63,28 +63,3 @@ http {
include /etc/nginx/sites-enabled/*;
}
stream {
# Upstream mail servers
upstream smtp_backend {
server mail.m-labs.hk:25;
}
upstream submission_backend {
server mail.m-labs.hk:587;
}
# SMTP
server {
listen 25;
proxy_protocol on;
proxy_pass smtp_backend;
}
# Submission (Authenticated SMTP)
server {
listen 587;
proxy_protocol on;
proxy_pass submission_backend;
}
}

View File

@ -1,32 +0,0 @@
# NOTE: This is a legacy configuration file. It is not used by the opendkim
# systemd service. Please use the corresponding configuration parameters in
# /etc/opendkim.conf instead.
#
# Previously, one would edit the default settings here, and then execute
# /lib/opendkim/opendkim.service.generate to generate systemd override files at
# /etc/systemd/system/opendkim.service.d/override.conf and
# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
# recommended to adjust the settings directly in /etc/opendkim.conf.
#
#DAEMON_OPTS=""
# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
# postfix in a chroot:
#RUNDIR=/var/spool/postfix/run/opendkim
RUNDIR=/run/opendkim
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
SOCKET=local:$RUNDIR/opendkim.sock
# listen on all interfaces on port 54321:
#SOCKET=inet:54321
# listen on loopback on port 12345:
#SOCKET=inet:12345@localhost
# listen on 192.0.2.1 on port 12345:
#SOCKET=inet:12345@192.0.2.1
USER=opendkim
GROUP=opendkim
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=
SOCKET="inet:8891@localhost"

View File

@ -1,57 +0,0 @@
# This is a basic configuration for signing and verifying. It can easily be
# adapted to suit a basic installation. See opendkim.conf(5) and
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
# documentation of available configuration parameters.
Syslog yes
SyslogSuccess yes
#LogWhy no
# Common signing and verification parameters. In Debian, the "From" header is
# oversigned, because it is often the identity key used by reputation systems
# and thus somewhat security sensitive.
Canonicalization relaxed/simple
#Mode sv
#SubDomains no
OversignHeaders From
# Signing domain, selector, and key (required). For example, perform signing
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
# using the private key stored in /etc/dkimkeys/example.private. More granular
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
#Domain example.com
#Selector 2020
#KeyFile /etc/dkimkeys/example.private
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
# user (for example, Postfix). You may need to add user "postfix" to group
# "opendkim" in that case.
UserID opendkim
UMask 007
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
# configured as shown on the last line below.
Socket local:/run/opendkim/opendkim.sock
#Socket inet:8891@localhost
#Socket inet:8891
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
# OPERATION section of opendkim(8) for more information.
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
TrustAnchorFile /usr/share/dns/root.key
#Nameservers 127.0.0.1
Domain m-labs-intl.com
KeyFile /etc/postfix/dkim.key
Selector mail
SOCKET inet:8891@localhost

View File

@ -1,26 +1,42 @@
# Setup m-labs-intl.com server
```shell
apt install git nginx-full python3 python3.12-venv python3-pip
# Install required packages
apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
useradd -m rfqserver
useradd -m zolaupd
# Set up networks (includes GRE)
cp 60-tunnels.yaml /etc/netplan/
netplan apply
# set up IPsec-AH connection
cp m-labs.hk.conf /etc/swanctl/conf.d/
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
systemctl enable strongswan --now
systemctl restart strongswan
# Set up website
cp m-labs-intl.com /etc/nginx/sites-available/
cp nginx.conf /etc/nginx/
ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
systemctl enable nginx --now
service nginx restart
# Issue SSL certificate - website only, the mail is on the HK side
certbot --nginx
service nginx restart
# Create a user for automatic website deployment from nixbld
useradd -m zolaupd
mkdir -p /var/www/m-labs-intl.com/html
chown -R zolaupd /var/www/m-labs-intl.com/
cp runrfq.sh /home/rfqserver/
cp mail.secret /home/rfqserver/
chown rfqserver /home/rfqserver/runrfq.sh
chmod +x /home/rfqserver/runrfq.sh
chown rfqserver /home/rfqserver/mail.secret
sudo -u zolaupd sh -c '
cd /home/zolaupd;
mkdir /home/zolaupd/.ssh;
@ -30,6 +46,14 @@ sudo -u zolaupd sh -c '
chmod 600 .ssh/authorized_keys
'
# Create a user for RFQ hooks service
useradd -m rfqserver
cp runrfq.sh /home/rfqserver/
cp mail.secret /home/rfqserver/
chown rfqserver /home/rfqserver/runrfq.sh
chmod +x /home/rfqserver/runrfq.sh
chown rfqserver /home/rfqserver/mail.secret
sudo -u rfqserver sh -c '
cd /home/rfqserver;
git clone https://git.m-labs.hk/M-Labs/web2019.git;
@ -38,31 +62,38 @@ sudo -u rfqserver sh -c '
source venv/bin/activate;
pip install -r requirements.txt;
'
cp rfq.service /etc/systemd/system/
# Automate port forwarding rules creation
cp gretun.sh /root/gretun.sh
cp gretun_down.sh /root/gretun_down.sh
chmod u+x /root/gretun.sh
chmod u+x /root/gretun_down.sh
cp gretun.service /etc/systemd/system/
# Enable custom services
systemctl daemon-reload
systemctl enable rfq.service
systemctl start rfq.service
systemctl enable danted.service
service nginx restart
certbot --nginx
service nginx restart
systemctl enable rfq.service --now
systemctl enable gretun.service --now
# Setup basic firewall rules
ufw default deny
ufw default allow outgoing
ufw allow from 94.190.212.123
ufw allow from 2001:470:f891:1:5999:5529:5d:f71d
ufw allow from 2001:470:f891:1::/64
ufw allow from 202.77.7.238
ufw allow from 2001:470:18:390::2
ufw allow "Nginx HTTP"
ufw allow "Nginx HTTPS"
ufw limit OpenSSH
ufw default allow outgoing
ufw limit 25/tcp
ufw limit 587/tcp
ufw allow 25/tcp
ufw allow 587/tcp
ufw limit 500,4500/udp
ufw route allow in on gre1 out on eth0
ufw allow from 10.47.3.0/31
ufw show added
ufw enable
```