VPN: различия между версиями
Перейти к навигации
Перейти к поиску
Artem (обсуждение | вклад) |
Artem (обсуждение | вклад) |
||
Строка 177: | Строка 177: | ||
* https://thematrix.dev/use-openvpn-over-shadowsocks/ | * https://thematrix.dev/use-openvpn-over-shadowsocks/ | ||
* https://computerscot.github.io/openvpn-over-shadowsocks.html | * https://computerscot.github.io/openvpn-over-shadowsocks.html | ||
= SSH socks proxy = | |||
<pre> | |||
ssh -D 12345 -q -C -N <user>@<ip> | |||
</pre> |
Версия от 19:13, 4 сентября 2024
Хорошая статья тут https://baks.dev/article/ubuntu/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
OpenVPN & EasyRSA
cd ~ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz tar -xzvf EasyRSA-3.0.4.tgz cd EasyRSA-3.0.4 cp vars.example vars nano vars
set_var EASYRSA_REQ_COUNTRY "DE" set_var EASYRSA_REQ_PROVINCE "Berlin" set_var EASYRSA_REQ_CITY "Berlin" set_var EASYRSA_REQ_ORG "Aleksashkin" set_var EASYRSA_REQ_EMAIL "artem@aleksashkin.com" set_var EASYRSA_REQ_OU "Community"
# on openvpn ssh you@yourvpn.com apt update apt install openvpn exit # on easyrsa ./easyrsa init-pki ./easyrsa build-ca ./easyrsa gen-dh scp dh.pem you@yourvpn.com:/etc/openvpn/ # on openvpn ssh you@yourvpn.com cd /etc/openvpn/ openvpn --genkey --secret ta.key exit # on easyrsa ./easyrsa gen-req server1 nopass scp ./pki/private/server1.key you@yourvpn.com:/etc/openvpn/ scp ./pki/reqs/server1.req you@yourvpn.com:/etc/openvpn/ ./easyrsa import-req ./pki/reqs/server1.req server1 ./easyrsa sign-req server server1 scp ./pki/issued/server1.crt you@yourvpn.com:/etc/openvpn/ scp ./pki/ca.crt you@yourvpn.com:/etc/openvpn/ # on openvpn ssh you@yourvpn.com nano /etc/openvpn/server1.conf
port 1194 proto udp dev tun ca ca.crt cert server1.crt key server1.key # This file should be kept secret dh dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /var/log/openvpn/ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 10 120 tls-auth ta.key 0 # This file is secret cipher AES-256-CBC user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log verb 3 explicit-exit-notify 1 auth SHA256
# on openvpn systemctl start openvpn@server1 systemctl status openvpn@server1 systemctl enable openvpn@server1 # add net.ipv4.ip_forward=1 to /etc/sysctl.conf sysctl -p
Правила для IPTABLES
# on openvpn iptables -P FORWARD ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o enp3s0 -j MASQUERADE iptables -A INPUT -p tcp --destination-port 6881:6999 -j DROP iptables -A OUTPUT -p tcp --source-port 6881:6999 -j DROP
Clients
./client.conf
client dev tun proto udp remote <IP> 1194 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server cipher AES-256-CBC verb 3 auth SHA256 key-direction 1
# on easyrsa mkdir configs nano ./gen_config.sh
#!/bin/bash ./easyrsa gen-req ${1} nopass ./easyrsa import-req ./pki/reqs/${1}.req ${1} ./easyrsa sign-req client ${1} BASE_CONF=./client.conf CA_FILE=./pki/issued/ca.crt TA_FILE=./pki/private/ta.key CLIENT_CERT=./pki/issued/${1}.crt CLIENT_KEY=./pki/private/${1}.key # Test for files for i in "$BASE_CONF" "$CA_FILE" "$TA_FILE" "$CLIENT_CERT" "$CLIENT_KEY"; do if [[ ! -f $i ]]; then echo " The file $i does not exist" exit 1 fi if [[ ! -r $i ]]; then echo " The file $i is not readable." exit 1 fi done # Generate client config cat > ./configs/${1}.ovpn <<EOF $(cat ${BASE_CONF}) <key> $(cat ${CLIENT_KEY}) </key> <cert> $(cat ${CLIENT_CERT}) </cert> <ca> $(cat ${CA_FILE}) </ca> <tls-auth> $(cat ${TA_FILE}) </tls-auth> EOF
KDE
sudo apt install network-manager-openvpn
https://www.linode.com/community/questions/5513/need-a-iptable-rule-to-disable-bittorrent
iptables -A INPUT -p tcp -m tcp --dport 6881:6999 -j DROP iptables -A OUTPUT -p tcp -m tcp --sport 6881:6999 -j DROP
Shadowsocks
- https://thematrix.dev/use-openvpn-over-shadowsocks/
- https://computerscot.github.io/openvpn-over-shadowsocks.html
SSH socks proxy
ssh -D 12345 -q -C -N <user>@<ip>