First Dedibox customisations

This blog aims to detail the day to day changes to my infrastructure. That one is composed of 2 rented servers and 1 PC Engines APU2 for OpenBSD firewall at home. The aim is to have redundant services (if possible) while testing new technologies. The 2 rented servers come with Debian Jessie preinstalled.

Today I configured ipsec + gre tunnels between the 3 boxes and created some routed LAN for kvm on the rented server. I also hardened the server with iptables and added fail2ban.

Fail2ban

• Install fail2ban package

root@db-sc1 28 ~]# apt install fail2ban

• In /etc/fail2ban/jail.conf modify the line ignoreip and increase ban time

ignoreip = 127.0.0.1/8 <openbsd_ip>
# one week ban time
bantime  = 604800

• Restart service

# systemctl restart fail2ban.service

KVM

• Install packages and enable packet forwarding on the box

[root@db-sc1 29 ~]# apt install libvirt-bin libvirt-daemon libvirt-clients
[root@db-sc1 30 ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.d/10-forwarding.conf

• Create a routed network for VM Note: Do not create the network in /etc/network/interfaces. Libvirtd is taking care of creating the interface virbr1 and affecting the IP address.

• Create a file named vmnetwork.xml with the following content:

<network>
  <name>VMNetwork</name>
  <bridge name="virbr1"/>
  <forward mode='route'/>
  <ip address="172.16.3.1" netmask="255.255.255.0">
    <dhcp>
      <range start="172.16.3.100" end="172.16.3.199"/>
    </dhcp>
  </ip>
</network>

• Enable the new network

[root@db-sc1 32 ~]# virsh net-define /root/vmnetwork.xml 
Network VMNetwork defined from /root/vmnetwork.xml

[root@db-sc1 34 ~]# virsh net-autostart VMNetwork
Network VMNetwork marked as autostarted

[root@db-sc1 35 ~]# virsh net-start VMNetwork 
Network VMNetwork started

[root@db-sc1 36 ~]# 

• Create the outgoing rule

[root@db-sc1 529 ~]# iptables -t nat -A POSTROUTING -s '172.16.3.0/24' -o eth0 -j MASQUERADE

• Make the iptables changes persistent by first, creating a file named /etc/network/if-pre-up.d/iptables

[root@db-sc1 529 ~]# cat /etc/iptables.up.rules
*nat
:PREROUTING ACCEPT [204:14725]
:INPUT ACCEPT [60:5991]
:OUTPUT ACCEPT [148:11892]
:POSTROUTING ACCEPT [148:11892]
-A POSTROUTING -s 172.16.3.0/24 -o eth0 -j MASQUERADE
COMMIT
# 

[root@db-sc1 528 ~]# cat /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
[root@db-sc1 529 ~]# chmod a+x /etc/network/if-pre-up.d/iptables

IPSEC and GRE

• Install packages

root@db-sc1 531 ~]# apt install strongswan

• Create the /etc/ipsec.conf file

conn openbsd-cobra
        left=<my_ip>
        leftsubnet=<my_ip>/32
        leftauth=psk
        right=<openbsd_ip>
        rightsubnet=<openbsd_ip>/32
        rightauth=psk
        type=tunnel
        auto=start
	keyexchange = ikev1
        ike=aes256-sha256-modp2048
        ikelifetime = 24h
        esp=aes256-sha256-modp2048
        lifetime = 24h
        dpddelay = 30s
        dpdaction = restart
        keyingtries = %forever
        authby=psk
        closeaction=restart

• Add your passphrase to /etc/ipsec.secrets

<openbsd_ip> %any : PSK "mypsk"

• Create the GRE tunnel interface by adding the file /etc/network/interfaces.d/gre1

auto gre1
iface gre1 inet static
    address 172.16.255.2
    netmask 255.255.255.252
    pre-up ip tunnel add gre1 mode gre local <my_ip> remote <openbsd_ip> ttl 255
    up ifconfig gre1 multicast
    pointopoint 172.16.255.1
    post-down iptunnel del gre1

• Reboot and verify with ipsec status

References for IPSEC:

• install libreswan on debian
• ipsec vpn tunnel on raspbian using strongswan