From 213cc8ec8f55d509cfda08fc1ae71e4ba79fa9cd Mon Sep 17 00:00:00 2001 From: jfmartel Date: Sun, 20 Jul 2025 13:34:30 -0400 Subject: [PATCH] Cerfificats KA2501 --- Clickhouse VM/config.xml | 6 +- OpenVPN/Certificates/Certs/stationKA2501.crt | 71 +++++ OpenVPN/Certificates/Certs/stationKA2501.req | 8 + OpenVPN/ka2501.ovpn | 269 +++++++++++++++++++ 4 files changed, 351 insertions(+), 3 deletions(-) create mode 100644 OpenVPN/Certificates/Certs/stationKA2501.crt create mode 100644 OpenVPN/Certificates/Certs/stationKA2501.req create mode 100644 OpenVPN/ka2501.ovpn diff --git a/Clickhouse VM/config.xml b/Clickhouse VM/config.xml index f88cf33..27bc40b 100644 --- a/Clickhouse VM/config.xml +++ b/Clickhouse VM/config.xml @@ -377,7 +377,7 @@ 2 fair_round_robin - + 1000 - + You should not lower this value. (5368709120) --> + diff --git a/OpenVPN/Certificates/Certs/stationKA2501.crt b/OpenVPN/Certificates/Certs/stationKA2501.crt new file mode 100644 index 0000000..a30a654 --- /dev/null +++ b/OpenVPN/Certificates/Certs/stationKA2501.crt @@ -0,0 +1,71 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 09:c8:7d:2d:3b:1f:85:c2:1b:4e:a6:df:24:2b:98:cd + Signature Algorithm: sha512WithRSAEncryption + Issuer: CN=JF_server + Validity + Not Before: May 27 18:51:42 2025 GMT + Not After : May 20 18:51:42 2055 GMT + Subject: CN=stationKA2501 + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:4f:cf:df:9f:3a:ca:37:5b:71:71:5a:50:8c:39: + 73:a7:2f:04:16:c6:66:81:72:70:89:b6:ba:58:06: + 83:54:58:37:19:74:f8:a5:42:70:41:1b:c1:eb:59: + 26:5a:aa:ed:1b:7a:af:0e:c5:2a:3f:26:6e:3d:53: + 28:6d:2e:b6:c6:4e:9c:73:d3:c5:2b:96:10:b4:2e: + f4:e5:06:b7:ca:cd:c7:72:20:b5:07:05:84:17:64: + 4e:cb:f5:4f:51:b3:c7 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 9E:36:BB:6F:4C:C7:DE:80:C4:CB:11:AC:4B:C8:C2:11:26:0B:64:83 + X509v3 Authority Key Identifier: + keyid:8A:78:90:E5:F0:50:E7:8C:75:E4:B8:C0:A1:E8:E9:9B:B2:1A:9D:32 + DirName:/CN=JF_server + serial:5D:ED:FB:93:3D:B2:AA:0C:8B:DB:15:DF:BD:A1:91:CE:5C:FB:CB:06 + X509v3 Extended Key Usage: + TLS Web Client Authentication + X509v3 Key Usage: + Digital Signature + Signature Algorithm: sha512WithRSAEncryption + Signature Value: + 26:a0:0c:57:fb:39:8b:25:ee:0d:a0:23:f3:c8:67:27:b4:bb: + f9:f1:10:e1:7e:80:a7:04:f6:19:ca:b8:a2:b4:f5:db:d6:64: + 5d:7f:fc:fb:58:6b:02:1a:2c:b4:df:f3:1d:33:bc:c4:8e:f9: + 5c:70:0f:07:e1:51:99:17:62:2e:7d:a2:69:46:c7:ee:d8:d3: + ee:9b:aa:d0:d5:9d:90:ae:3d:26:83:51:30:73:24:4d:6c:67: + 4f:f2:4c:8f:e8:b7:34:94:85:c0:4e:0e:01:5a:16:0c:44:ca: + 29:f9:02:de:e0:93:38:d3:d7:22:04:40:b1:8a:02:2f:33:16: + f8:92:c2:df:b8:33:79:18:75:d0:66:87:10:6b:b1:7d:49:b6: + d1:fc:7a:2c:89:e9:51:0a:8b:38:c5:5a:03:47:93:3a:ed:60: + 81:ef:99:a2:45:6a:97:46:f7:ae:be:4b:e5:4c:e6:5e:01:f4: + c0:9b:9f:f6:0d:3d:80:17:da:91:3a:d2:9e:e7:fe:7d:b8:30: + 31:3c:ad:72:ab:e0:7d:5b:2b:a2:f1:9b:db:8f:09:4a:0e:a1: + a9:5e:a8:3b:fe:9c:4c:36:7b:b6:35:41:54:32:ff:72:22:c5: + 0f:b4:7e:71:c9:78:04:56:fb:1f:81:87:25:b3:3a:78:56:76: + 61:a9:4f:c1 +-----BEGIN CERTIFICATE----- +MIICqzCCAZOgAwIBAgIQCch9LTsfhcIbTqbfJCuYzTANBgkqhkiG9w0BAQ0FADAU +MRIwEAYDVQQDDAlKRl9zZXJ2ZXIwIBcNMjUwNTI3MTg1MTQyWhgPMjA1NTA1MjAx +ODUxNDJaMBgxFjAUBgNVBAMMDXN0YXRpb25LQTI1MDEwdjAQBgcqhkjOPQIBBgUr +gQQAIgNiAARPz9+fOso3W3FxWlCMOXOnLwQWxmaBcnCJtrpYBoNUWDcZdPilQnBB +G8HrWSZaqu0beq8OxSo/Jm49UyhtLrbGTpxz08UrlhC0LvTlBrfKzcdyILUHBYQX +ZE7L9U9Rs8ejgaAwgZ0wCQYDVR0TBAIwADAdBgNVHQ4EFgQUnja7b0zH3oDEyxGs +S8jCESYLZIMwTwYDVR0jBEgwRoAUiniQ5fBQ54x15LjAoejpm7IanTKhGKQWMBQx +EjAQBgNVBAMMCUpGX3NlcnZlcoIUXe37kz2yqgyL2xXfvaGRzlz7ywYwEwYDVR0l +BAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBDQUAA4IBAQAm +oAxX+zmLJe4NoCPzyGcntLv58RDhfoCnBPYZyriitPXb1mRdf/z7WGsCGiy03/Md +M7zEjvlccA8H4VGZF2IufaJpRsfu2NPum6rQ1Z2Qrj0mg1EwcyRNbGdP8kyP6Lc0 +lIXATg4BWhYMRMop+QLe4JM409ciBECxigIvMxb4ksLfuDN5GHXQZocQa7F9SbbR +/HosielRCos4xVoDR5M67WCB75miRWqXRveuvkvlTOZeAfTAm5/2DT2AF9qROtKe +5/59uDAxPK1yq+B9Wyui8ZvbjwlKDqGpXqg7/pxMNnu2NUFUMv9yIsUPtH5xyXgE +VvsfgYclszp4VnZhqU/B +-----END CERTIFICATE----- diff --git a/OpenVPN/Certificates/Certs/stationKA2501.req b/OpenVPN/Certificates/Certs/stationKA2501.req new file mode 100644 index 0000000..d7842a3 --- /dev/null +++ b/OpenVPN/Certificates/Certs/stationKA2501.req @@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBDzCBlwIBADAYMRYwFAYDVQQDDA1zdGF0aW9uS0EyNTAxMHYwEAYHKoZIzj0C +AQYFK4EEACIDYgAET8/fnzrKN1txcVpQjDlzpy8EFsZmgXJwiba6WAaDVFg3GXT4 +pUJwQRvB61kmWqrtG3qvDsUqPyZuPVMobS62xk6cc9PFK5YQtC705Qa3ys3HciC1 +BwWEF2ROy/VPUbPHoAAwCgYIKoZIzj0EAwQDZwAwZAIwddJTP6meDC2EyDpH+EXH +HD+JsJuBuPzBwDKCLw56Ltiha0s8hOJuRnXDo2XuugQnAjB1kCBFJ5NVjmiKx2LZ +FlHo5P37lI9IOAfBuh00fIqgXzIWbUCZ9qR/uqBnc1Tk1oc= +-----END CERTIFICATE REQUEST----- diff --git a/OpenVPN/ka2501.ovpn b/OpenVPN/ka2501.ovpn new file mode 100644 index 0000000..87a5ba7 --- /dev/null +++ b/OpenVPN/ka2501.ovpn @@ -0,0 +1,269 @@ +############################################## +# Sample client-side OpenVPN 2.0 config file # +# for connecting to multi-client server. # +# # +# This configuration can be used by multiple # +# clients, however each client should have # +# its own cert and key files. # +# # +# On Windows, you might want to rename this # +# file so it has a .ovpn extension # +############################################## + +# Specify that we are a client and that we +# will be pulling certain config file directives +# from the server. +client + +# Use the same setting as you are using on +# the server. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel +# if you have more than one. On XP SP2, +# you may need to disable the firewall +# for the TAP adapter. +;dev-node MyTap + +# Are we connecting to a TCP or +# UDP server? Use the same setting as +# on the server. +;proto tcp +proto udp + +# The hostname/IP and port of the server. +# You can have multiple remote entries +# to load balance between the servers. +remote vpn.yultek.dev 1194 +;remote 138.197.151.172 1194 +;remote my-server-2 1194 + +# Choose a random host from the remote +# list for load-balancing. Otherwise +# try hosts in the order specified. +;remote-random + +# Keep trying indefinitely to resolve the +# host name of the OpenVPN server. Very useful +# on machines which are not permanently connected +# to the internet such as laptops. +resolv-retry infinite + +# Most clients don't need to bind to +# a specific local port number. +nobind + +# Downgrade privileges after initialization (non-Windows only) +;user nobody +;group nobody + +# Try to preserve some state across restarts. +persist-key +persist-tun + +# If you are connecting through an +# HTTP proxy to reach the actual OpenVPN +# server, put the proxy server/IP and +# port number here. See the man page +# if your proxy server requires +# authentication. +;http-proxy-retry # retry on connection failures +;http-proxy [proxy server] [proxy port #] + +# Wireless networks often produce a lot +# of duplicate packets. Set this flag +# to silence duplicate packet warnings. +;mute-replay-warnings + +# SSL/TLS parms. +# See the server config file for more +# description. It's best to use +# a separate .crt/.key file pair +# for each client. A single ca +# file can be used for all clients. +;ca ca.crt +;cert client.crt +;key client.key + +# Verify server certificate by checking that the +# certificate has the correct key usage set. +# This is an important precaution to protect against +# a potential attack discussed here: +# http://openvpn.net/howto.html#mitm +# +# To use this feature, you will need to generate +# your server certificates with the keyUsage set to +# digitalSignature, keyEncipherment +# and the extendedKeyUsage to +# serverAuth +# EasyRSA can do this for you. +remote-cert-tls server + +# If a tls-auth key is used on the server +# then every client must also have the key. +;tls-auth ta.key 1 + +# Select a cryptographic cipher. +# If the cipher option is used on the server +# then you must also specify it here. +# Note that v2.4 client/server will automatically +# negotiate AES-256-GCM in TLS mode. +# See also the data-ciphers option in the manpage +cipher AES-256-GCM +auth SHA256 + +# Enable compression on the VPN link. +# Don't enable this unless it is also +# enabled in the server config file. +#comp-lzo + +# Set log file verbosity. +verb 3 + +# Silence repeating messages +;mute 20 + +key-direction 1 + + +; script-security 2 +; up /etc/openvpn/update-resolv-conf +; down /etc/openvpn/update-resolv-conf + + +; script-security 2 +; up /etc/openvpn/update-systemd-resolved +; down /etc/openvpn/update-systemd-resolved +; down-pre +; dhcp-option DOMAIN-ROUTE . + +-----BEGIN CERTIFICATE----- +MIIDRTCCAi2gAwIBAgIUXe37kz2yqgyL2xXfvaGRzlz7ywYwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAwwJSkZfc2VydmVyMB4XDTIzMDIyMDIyMDkyMVoXDTMzMDIx +NzIyMDkyMVowFDESMBAGA1UEAwwJSkZfc2VydmVyMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAnLdVAj0W31TtWGxwdBeqsdIHyUdVAEG8bX+CcNZDP3M3 +R/gJOmenjqsqHYBe5gZcky1hkqWaD7l/LNmyzZDZ1lVEWpcAZqxbsUZKiHU30bxq +84L5qtaAOpwTsumidq2hBqoDBMdBmh18e0QEW624mui7ckXTRRG3PA0ccXtXcTYU +ntmhYtQ2oaPauSmfJZIUfZTfVZbB8FkCgu+zJtCx5hq46vIHm8KX0m1zLIeUtGsI +hkly+5v52f3sEMlddyoZZkfjRddETk2co09q3oNaP1LYxN5G+TvZDhpdE+PrDsNT +wO4uU2d9hVIP3T49heLieZ6KVxyp1FsDYzo0CNlIDwIDAQABo4GOMIGLMB0GA1Ud +DgQWBBSKeJDl8FDnjHXkuMCh6OmbshqdMjBPBgNVHSMESDBGgBSKeJDl8FDnjHXk +uMCh6OmbshqdMqEYpBYwFDESMBAGA1UEAwwJSkZfc2VydmVyghRd7fuTPbKqDIvb +Fd+9oZHOXPvLBjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B +AQsFAAOCAQEARIg2x4Tit/6ZydMlle6ku32t75OMCVQoe7fUkRjNe8pCkZjZXLy9 +QIRwoqW3FRT8+mQjctZk3NsyLStF8Rc/fFvpjGY/hiEQ/RV1K2/IZ9hcswp/LRzQ +ElDwXhe4zlcDT10GjHYYx221SR+ijgicZcaXgb9f3uZKIrPgyb8qB4KCQS8gPtCV +1VmPM5/svVCI93G+xT92XBHa47fgV5GEn7Snah2UgFol5h7/KX/Sa2q0pfBlzqmt +CutfEbYcwSxkoLsEUIW8KMoEAIsO+KIsraS6EXlRdT82Ui+UZWVPZABlzifCl+AV +LzBrLwt2OeoEI1h65EyzzE7gDsjrE3JR/Q== +-----END CERTIFICATE----- + + +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 09:c8:7d:2d:3b:1f:85:c2:1b:4e:a6:df:24:2b:98:cd + Signature Algorithm: sha512WithRSAEncryption + Issuer: CN=JF_server + Validity + Not Before: May 27 18:51:42 2025 GMT + Not After : May 20 18:51:42 2055 GMT + Subject: CN=stationKA2501 + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:4f:cf:df:9f:3a:ca:37:5b:71:71:5a:50:8c:39: + 73:a7:2f:04:16:c6:66:81:72:70:89:b6:ba:58:06: + 83:54:58:37:19:74:f8:a5:42:70:41:1b:c1:eb:59: + 26:5a:aa:ed:1b:7a:af:0e:c5:2a:3f:26:6e:3d:53: + 28:6d:2e:b6:c6:4e:9c:73:d3:c5:2b:96:10:b4:2e: + f4:e5:06:b7:ca:cd:c7:72:20:b5:07:05:84:17:64: + 4e:cb:f5:4f:51:b3:c7 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 9E:36:BB:6F:4C:C7:DE:80:C4:CB:11:AC:4B:C8:C2:11:26:0B:64:83 + X509v3 Authority Key Identifier: + keyid:8A:78:90:E5:F0:50:E7:8C:75:E4:B8:C0:A1:E8:E9:9B:B2:1A:9D:32 + DirName:/CN=JF_server + serial:5D:ED:FB:93:3D:B2:AA:0C:8B:DB:15:DF:BD:A1:91:CE:5C:FB:CB:06 + X509v3 Extended Key Usage: + TLS Web Client Authentication + X509v3 Key Usage: + Digital Signature + Signature Algorithm: sha512WithRSAEncryption + Signature Value: + 26:a0:0c:57:fb:39:8b:25:ee:0d:a0:23:f3:c8:67:27:b4:bb: + f9:f1:10:e1:7e:80:a7:04:f6:19:ca:b8:a2:b4:f5:db:d6:64: + 5d:7f:fc:fb:58:6b:02:1a:2c:b4:df:f3:1d:33:bc:c4:8e:f9: + 5c:70:0f:07:e1:51:99:17:62:2e:7d:a2:69:46:c7:ee:d8:d3: + ee:9b:aa:d0:d5:9d:90:ae:3d:26:83:51:30:73:24:4d:6c:67: + 4f:f2:4c:8f:e8:b7:34:94:85:c0:4e:0e:01:5a:16:0c:44:ca: + 29:f9:02:de:e0:93:38:d3:d7:22:04:40:b1:8a:02:2f:33:16: + f8:92:c2:df:b8:33:79:18:75:d0:66:87:10:6b:b1:7d:49:b6: + d1:fc:7a:2c:89:e9:51:0a:8b:38:c5:5a:03:47:93:3a:ed:60: + 81:ef:99:a2:45:6a:97:46:f7:ae:be:4b:e5:4c:e6:5e:01:f4: + c0:9b:9f:f6:0d:3d:80:17:da:91:3a:d2:9e:e7:fe:7d:b8:30: + 31:3c:ad:72:ab:e0:7d:5b:2b:a2:f1:9b:db:8f:09:4a:0e:a1: + a9:5e:a8:3b:fe:9c:4c:36:7b:b6:35:41:54:32:ff:72:22:c5: + 0f:b4:7e:71:c9:78:04:56:fb:1f:81:87:25:b3:3a:78:56:76: + 61:a9:4f:c1 +-----BEGIN CERTIFICATE----- +MIICqzCCAZOgAwIBAgIQCch9LTsfhcIbTqbfJCuYzTANBgkqhkiG9w0BAQ0FADAU +MRIwEAYDVQQDDAlKRl9zZXJ2ZXIwIBcNMjUwNTI3MTg1MTQyWhgPMjA1NTA1MjAx +ODUxNDJaMBgxFjAUBgNVBAMMDXN0YXRpb25LQTI1MDEwdjAQBgcqhkjOPQIBBgUr +gQQAIgNiAARPz9+fOso3W3FxWlCMOXOnLwQWxmaBcnCJtrpYBoNUWDcZdPilQnBB +G8HrWSZaqu0beq8OxSo/Jm49UyhtLrbGTpxz08UrlhC0LvTlBrfKzcdyILUHBYQX +ZE7L9U9Rs8ejgaAwgZ0wCQYDVR0TBAIwADAdBgNVHQ4EFgQUnja7b0zH3oDEyxGs +S8jCESYLZIMwTwYDVR0jBEgwRoAUiniQ5fBQ54x15LjAoejpm7IanTKhGKQWMBQx +EjAQBgNVBAMMCUpGX3NlcnZlcoIUXe37kz2yqgyL2xXfvaGRzlz7ywYwEwYDVR0l +BAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBDQUAA4IBAQAm +oAxX+zmLJe4NoCPzyGcntLv58RDhfoCnBPYZyriitPXb1mRdf/z7WGsCGiy03/Md +M7zEjvlccA8H4VGZF2IufaJpRsfu2NPum6rQ1Z2Qrj0mg1EwcyRNbGdP8kyP6Lc0 +lIXATg4BWhYMRMop+QLe4JM409ciBECxigIvMxb4ksLfuDN5GHXQZocQa7F9SbbR +/HosielRCos4xVoDR5M67WCB75miRWqXRveuvkvlTOZeAfTAm5/2DT2AF9qROtKe +5/59uDAxPK1yq+B9Wyui8ZvbjwlKDqGpXqg7/pxMNnu2NUFUMv9yIsUPtH5xyXgE +VvsfgYclszp4VnZhqU/B +-----END CERTIFICATE----- + + +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCT5IR1xQ0c5icEgDpq +ou6eTfKeJ7CrwlCMtgyjvF8VwuGiXSE35Lck/WMLwBeyBGahZANiAARPz9+fOso3 +W3FxWlCMOXOnLwQWxmaBcnCJtrpYBoNUWDcZdPilQnBBG8HrWSZaqu0beq8OxSo/ +Jm49UyhtLrbGTpxz08UrlhC0LvTlBrfKzcdyILUHBYQXZE7L9U9Rs8c= +-----END PRIVATE KEY----- + + +# +# 2048 bit OpenVPN static key +# +-----BEGIN OpenVPN Static key V1----- +4c828cbf0e58f927758e9471c1b6f03b +2e77b2c634bad76df0570dd8f47184d6 +3921e25c6e6cbe4af4b64aad89d12425 +a9fca69ae08802b5ed583632c26678b0 +cc28c481c3831d1b2204dc30cd466395 +ccb8cd82cd2259c956b510c9a56e842a +8693c44dca462f0ab7be3856abe9bbe1 +95a6ffd3b0237225b9497c7a0df05ad8 +2f2e0a8bff97c927d2890906d0105947 +fa3430fc779583772382534fb880add6 +8d5592fa4ff384d3e96c560019b5835f +095da9b2fb33dbfbc1ffce9560908271 +ee96e02ccecc9d51b9dda79a77704a1d +4407d7c805e6950854fe232adee02a12 +b09af2d9bfe04868a9e2e942dc64eb81 +9e062ab9f781e52d263195a58db72ebe +-----END OpenVPN Static key V1----- +