VPN: различия между версиями

Материал из Artem Aleksashkin's Wiki
Перейти к навигации Перейти к поиску
Нет описания правки
 
(не показано 15 промежуточных версий этого же участника)
Строка 2: Строка 2:
https://baks.dev/article/ubuntu/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
https://baks.dev/article/ubuntu/how-to-set-up-an-openvpn-server-on-ubuntu-18-04


= OpenVPN & EasyRSA =
<pre>
cd ~
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
tar -xzvf EasyRSA-3.0.4.tgz
cd EasyRSA-3.0.4
cp vars.example vars
nano vars
</pre>
<pre>
set_var EASYRSA_REQ_COUNTRY    "DE"
set_var EASYRSA_REQ_PROVINCE  "Berlin"
set_var EASYRSA_REQ_CITY      "Berlin"
set_var EASYRSA_REQ_ORG        "Aleksashkin"
set_var EASYRSA_REQ_EMAIL      "artem@aleksashkin.com"
set_var EASYRSA_REQ_OU        "Community"
</pre>
<pre>
# on openvpn
ssh you@yourvpn.com
apt update
apt install openvpn
exit
# on easyrsa
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh
scp dh.pem you@yourvpn.com:/etc/openvpn/
# on openvpn
ssh you@yourvpn.com
cd /etc/openvpn/
openvpn --genkey --secret ta.key
exit
# on easyrsa
./easyrsa gen-req server1 nopass
scp ./pki/private/server1.key you@yourvpn.com:/etc/openvpn/
scp ./pki/reqs/server1.req you@yourvpn.com:/etc/openvpn/
./easyrsa import-req ./pki/reqs/server1.req server1
./easyrsa sign-req server server1
scp ./pki/issued/server1.crt you@yourvpn.com:/etc/openvpn/
scp ./pki/ca.crt you@yourvpn.com:/etc/openvpn/
# on openvpn
ssh you@yourvpn.com
nano /etc/openvpn/server1.conf
</pre>
<pre>
port 1194
proto udp
dev tun
ca ca.crt
cert server1.crt
key server1.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
auth SHA256
</pre>
<pre>
# on openvpn
systemctl start openvpn@server1
systemctl status openvpn@server1
systemctl enable openvpn@server1
# add net.ipv4.ip_forward=1  to /etc/sysctl.conf
sysctl -p
</pre>
Правила для IPTABLES
Правила для IPTABLES
<pre>
<pre>
# on openvpn
iptables -P FORWARD ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o enp3s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o enp3s0 -j MASQUERADE
Строка 9: Строка 95:
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j DROP
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j DROP
</pre>
</pre>
= Clients =
'''./client.conf'''
<pre>
client
dev tun
proto udp
remote <IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth SHA256
key-direction 1
</pre>
<pre>
# on easyrsa
mkdir configs
nano ./gen_config.sh
</pre>
<pre>
#!/bin/bash
./easyrsa gen-req ${1} nopass
./easyrsa import-req ./pki/reqs/${1}.req ${1}
./easyrsa sign-req client ${1}
BASE_CONF=./client.conf
CA_FILE=./pki/issued/ca.crt
TA_FILE=./pki/private/ta.key
CLIENT_CERT=./pki/issued/${1}.crt
CLIENT_KEY=./pki/private/${1}.key
# Test for files
for i in "$BASE_CONF" "$CA_FILE" "$TA_FILE" "$CLIENT_CERT" "$CLIENT_KEY"; do
    if [[ ! -f $i ]]; then
        echo " The file $i does not exist"
        exit 1
    fi
    if [[ ! -r $i ]]; then
        echo " The file $i is not readable."
        exit 1
    fi
done
# Generate client config
cat > ./configs/${1}.ovpn <<EOF
$(cat ${BASE_CONF})
<key>
$(cat ${CLIENT_KEY})
</key>
<cert>
$(cat ${CLIENT_CERT})
</cert>
<ca>
$(cat ${CA_FILE})
</ca>
<tls-auth>
$(cat ${TA_FILE})
</tls-auth>
EOF
</pre>
= KDE =
<pre>
sudo apt install network-manager-openvpn
</pre>
https://www.linode.com/community/questions/5513/need-a-iptable-rule-to-disable-bittorrent
<pre>
iptables -A INPUT -p tcp -m tcp --dport 6881:6999 -j DROP
iptables -A OUTPUT -p tcp -m tcp --sport 6881:6999 -j DROP
</pre>
= Shadowsocks =
* https://thematrix.dev/use-openvpn-over-shadowsocks/
* https://computerscot.github.io/openvpn-over-shadowsocks.html
* https://github.com/shadowsocks/v2ray-plugin
* https://github.com/shadowsocks/v2ray-plugin/issues/48
= SSH socks proxy  =
<pre>
ssh -D 12345 -q -C -N <user>@<ip>
</pre>
= Proxy Squad3 =

Текущая версия от 01:47, 7 октября 2024

Хорошая статья тут https://baks.dev/article/ubuntu/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

OpenVPN & EasyRSA

cd ~
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
tar -xzvf EasyRSA-3.0.4.tgz
cd EasyRSA-3.0.4
cp vars.example vars
nano vars

set_var EASYRSA_REQ_COUNTRY    "DE"
set_var EASYRSA_REQ_PROVINCE   "Berlin"
set_var EASYRSA_REQ_CITY       "Berlin"
set_var EASYRSA_REQ_ORG        "Aleksashkin"
set_var EASYRSA_REQ_EMAIL      "artem@aleksashkin.com"
set_var EASYRSA_REQ_OU         "Community"

# on openvpn
ssh you@yourvpn.com
apt update
apt install openvpn 
exit

# on easyrsa
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh
scp dh.pem you@yourvpn.com:/etc/openvpn/

# on openvpn
ssh you@yourvpn.com
cd /etc/openvpn/
openvpn --genkey --secret ta.key
exit

# on easyrsa
./easyrsa gen-req server1 nopass 
scp ./pki/private/server1.key you@yourvpn.com:/etc/openvpn/
scp ./pki/reqs/server1.req you@yourvpn.com:/etc/openvpn/
./easyrsa import-req ./pki/reqs/server1.req server1
./easyrsa sign-req server server1
scp ./pki/issued/server1.crt you@yourvpn.com:/etc/openvpn/
scp ./pki/ca.crt you@yourvpn.com:/etc/openvpn/

# on openvpn
ssh you@yourvpn.com
nano /etc/openvpn/server1.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server1.crt
key server1.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
auth SHA256

# on openvpn
systemctl start openvpn@server1
systemctl status openvpn@server1
systemctl enable openvpn@server1

# add net.ipv4.ip_forward=1  to /etc/sysctl.conf
sysctl -p

Правила для IPTABLES 

# on openvpn
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o enp3s0 -j MASQUERADE
iptables -A INPUT -p tcp --destination-port 6881:6999 -j DROP
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j DROP

Clients

./client.conf 

client
dev tun
proto udp
remote <IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth SHA256
key-direction 1

# on easyrsa
mkdir configs
nano ./gen_config.sh

#!/bin/bash

./easyrsa gen-req ${1} nopass
./easyrsa import-req ./pki/reqs/${1}.req ${1}
./easyrsa sign-req client ${1}

BASE_CONF=./client.conf
CA_FILE=./pki/issued/ca.crt
TA_FILE=./pki/private/ta.key

CLIENT_CERT=./pki/issued/${1}.crt
CLIENT_KEY=./pki/private/${1}.key

# Test for files
for i in "$BASE_CONF" "$CA_FILE" "$TA_FILE" "$CLIENT_CERT" "$CLIENT_KEY"; do
    if [[ ! -f $i ]]; then
        echo " The file $i does not exist"
        exit 1
    fi

    if [[ ! -r $i ]]; then
        echo " The file $i is not readable."
        exit 1
    fi
done

# Generate client config
cat > ./configs/${1}.ovpn <<EOF
$(cat ${BASE_CONF})
<key>
$(cat ${CLIENT_KEY})
</key>
<cert>
$(cat ${CLIENT_CERT})
</cert>
<ca>
$(cat ${CA_FILE})
</ca>
<tls-auth>
$(cat ${TA_FILE})
</tls-auth>
EOF

KDE

sudo apt install network-manager-openvpn

https://www.linode.com/community/questions/5513/need-a-iptable-rule-to-disable-bittorrent 

iptables -A INPUT -p tcp -m tcp --dport 6881:6999 -j DROP
iptables -A OUTPUT -p tcp -m tcp --sport 6881:6999 -j DROP

Shadowsocks

SSH socks proxy

ssh -D 12345 -q -C -N <user>@<ip>

Proxy Squad3

Источник — http://wiki.aleksashkin.net/index.php?title=VPN&oldid=3066