OGB is invoked with the /opt/ogb/ogb.sh script:
```
ogb.sh [Options] [packages ...]

OpenVPN Gateway Builder Version 1.6 / 2007-09-18 Build 01afc2c5596510368c2ced98ad3bac97
Copyright (C) 2005-2007 Schlomo Schapiro
OpenVPN Gateway Builder comes with ABSOLUTELY NO WARRANTY; for details see
the GNU General Public License at http://www.gnu.org/licenses/gpl.html

Available Options:
    -V                  version information
    -t                  Trace OGB scripts
    -r a.b.c-xx-yy      kernel version to use (current: 2.6.16.21-0.8-default)
    -i                  create OGB ISO image in default path (/opt/ogb/ISO)
    -I /some/path/here  create OGB ISO image in specified path

Available Packages:
    crond           cron daemon for recurring processes
    debug           Build DEBUG version of OGB with SSH remote access and more tools
    dhcpcd          DHCP Client Daemon support
    dhcpd           DHCP Server support
    ntpd            NTP time synchronisation
    openvpn         OpenVPN tunneling software
    ppp             PPP and PPPOE support
    serial-console  serial console support (kernel + syslog)
    snmp            SNMP agent (net-snmp based)
    sshd            SSH remote access (only via authorized_keys) in runlevel 3 only
    vmware          Support for running OGB as a VMware Virtual Machine

Default Packages: openvpn
```

OGB always needs a configuration to operate on. Configurations are subdirectories of /opt/ogb/gateways which contain the configuration files for a specific gateway system:

```
# ls -RF /opt/ogb/gateways/sample
/opt/ogb/gateways/sample:
./        authorized_keys  modules     openvpn/     ssh_host_dsa_key.pub
../       hosts            network.sh  resolv.conf  ssh_host_dsa_key
HOSTNAME  iptables.conf    ntp.conf    PACKAGES

/opt/ogb/gateways/sample/openvpn:
./  ../  dh1024.pem  sample.conf  server.crt  server.key  tmp-ca.crt
```

The files are mostly the standard configuration files of a Linux system; some are only snippets which are appended to a default skeleton configuration file (see the detailed description below).
OGB supports the concept of packages which can be added to a build. The basic OGB will only build a
really small Linux base system which can't do anything (except syslogging to another host). Support
for specific applications like NTP, OpenVPN or SSH is added via packages. Packages can also require additional
or different configuration files; for example, the package ntpd requires ntp.conf.
Usually, the process to create a new VPN gateway consists of these steps:

1. `cd /opt/ogb ; cp -a gateways/sample gateways/my-config`
2. `vi gateways/my-config/{HOSTNAME,resolv.conf,hosts,iptables.conf,modules,network.sh}`
3. Put your OpenVPN configuration into gateways/my-config/openvpn; all *.conf files there will be started automatically. Don't forget to remove the sample OpenVPN configuration.
4. `ogb.sh my-config debug`
5. Burn the resulting ISO image (ISO/my-config.iso) onto a CD/DVD and test.

Consult the sample configuration for examples of the configuration files. All files mentioned here must reside in the gateway configuration directory. If some files are missing, then the functionality they provide will be missing, too (for example, without a resolv.conf there won't be DNS). OGB does not do a sanity check of your configuration; that is your job.
| Package | File | Description |
|---|---|---|
| base | HOSTNAME | The fully qualified hostname, e.g. gw1.my.domain |
| base | hosts | The usual /etc/hosts file. It should contain all relevant entries except for localhost. |
| base | modules | List of kernel modules and their options, if needed. The modules and their dependencies are included in the OGB system and loaded with the respective options in the specified order. |
| base | iptables.conf | iptables configuration as created by iptables-save. All iptables features of the build machine will be available on the gateway system. |
| base | network.sh | Sets up networking and everything else. Despite its name, this script is the only user-supplied script run during the boot of the OGB system: it has to set up all networking (NICs, bridging, VLANs, routing, ...) and do any other required initialization. |
| base | resolv.conf | The usual /etc/resolv.conf to configure DNS. |
| base | PACKAGES | Packages to always include, the same as giving them on the ogb.sh command line. If you put debug here, you will always get a debug build. |
| ssh | authorized_keys | The usual authorized_keys file for root. Put all allowed keys there for remote access. The OGB system allows remote access only via SSH DSA keys, not with a password (which does not exist on the OGB system). |
| ssh | ssh_host_dsa_key, ssh_host_dsa_key.pub | The SSH host keys. If they are not supplied with the configuration, they are generated on the first build. |
| ssh | sshd_config | Optionally, the usual /etc/ssh/sshd_config file, in case you don't like the standard sshd configuration supplied (Protocol 2 and key authentication only). |
| ntpd | ntp.conf | Add-on to /etc/ntp.conf which configures your time sources. The default ntp.conf is very restrictive and doesn't allow anything. |
| openvpn | openvpn/*.conf | OpenVPN configuration files with their required cryptographic material and scripts. Be careful with scripts, as the OGB system contains only a very limited choice of Unix utilities. |
| snmp | snmpd.conf | The usual /etc/snmpd.conf for the snmpd process. You really should supply this file and set your own syslocation, syscontact, read-only community and probably some access rules. The supplied default snmpd.conf has rocommunity public and no access restriction. |
| snmp | mibs/* | Additional MIBs, if you need them. The snmp package includes a limited choice of MIBs which seemed most useful for a gateway without overdoing it. Everything needed for network and process monitoring is already included. |
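Since OGB does no sanity check of a gateway configuration, here is an added POSIX shell check (not part of OGB or of this page) that encodes the per-package file requirements from the table above and the setup steps: the base files and FQDN hostname, the sample OpenVPN configuration that must be removed, ntp.conf for ntpd, authorized_keys for key-only SSH access, and an snmpd.conf that no longer carries the default rocommunity public. The function name ogb_check and its rules are my assumptions.

```shell
#!/bin/sh
# Constructed sanity check for an OGB gateway configuration directory.
# The file requirements come from the package/file table above; OGB itself
# does not check them. ogb_check and its rules are an assumption, not OGB code.
ogb_check() {
    cfg="$1"; errs=0
    # req FILE PACKAGE: count an error if FILE is missing from the config dir
    req() { [ -e "$cfg/$1" ] || { echo "ERROR: package $2 needs $1"; errs=$((errs + 1)); }; }

    for f in HOSTNAME hosts modules iptables.conf network.sh resolv.conf; do
        req "$f" base
    done
    # HOSTNAME must be fully qualified, e.g. gw1.my.domain
    if [ -f "$cfg/HOSTNAME" ]; then
        case "$(head -n 1 "$cfg/HOSTNAME")" in
            *.*) ;;
            *) echo "ERROR: HOSTNAME is not fully qualified"; errs=$((errs + 1)) ;;
        esac
    fi

    # openvpn is the default package; PACKAGES lists the always-included ones
    pkgs="openvpn"
    if [ -f "$cfg/PACKAGES" ]; then pkgs="$pkgs $(cat "$cfg/PACKAGES")"; fi
    for p in $pkgs; do
        case "$p" in
            openvpn)
                # every openvpn/*.conf is started at boot, so the sample must be gone
                ls "$cfg"/openvpn/*.conf >/dev/null 2>&1 || { echo "ERROR: no openvpn/*.conf"; errs=$((errs + 1)); }
                if [ -e "$cfg/openvpn/sample.conf" ]; then
                    echo "ERROR: sample OpenVPN configuration still present"; errs=$((errs + 1))
                fi ;;
            ntpd) req ntp.conf ntpd ;;
            sshd|debug) req authorized_keys sshd ;;   # SSH access is key-only
            snmp)
                req snmpd.conf snmp
                # the shipped default is rocommunity public with no access rules
                if [ -f "$cfg/snmpd.conf" ] && grep -q '^rocommunity[[:space:]]*public' "$cfg/snmpd.conf"; then
                    echo "ERROR: snmpd.conf still uses rocommunity public"; errs=$((errs + 1))
                fi ;;
        esac
    done
    # exit status is the number of problems found (0 = configuration looks sane)
    return "$errs"
}
# Usage: ogb_check /opt/ogb/gateways/my-config
```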
Some intended but untested things: ebtables/arptables binaries and modules are copied if found, but this has not been tested at all. 802.1q VLAN configuration with the vconfig command has not been tested in a production environment, though vconfig and the 8021q kernel module are copied.