VPN

Материал из Artem Aleksashkin's Wiki
Перейти к навигации Перейти к поиску

Хорошая статья тут https://baks.dev/article/ubuntu/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

OpenVPN & EasyRSA

cd ~
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
tar -xzvf EasyRSA-3.0.4.tgz
cd EasyRSA-3.0.4
cp vars.example vars
nano vars
set_var EASYRSA_REQ_COUNTRY    "DE"
set_var EASYRSA_REQ_PROVINCE   "Berlin"
set_var EASYRSA_REQ_CITY       "Berlin"
set_var EASYRSA_REQ_ORG        "Aleksashkin"
set_var EASYRSA_REQ_EMAIL      "artem@aleksashkin.com"
set_var EASYRSA_REQ_OU         "Community"
# on openvpn
ssh you@yourvpn.com
apt update
apt install openvpn 
exit

# on easyrsa
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh
scp dh.pem you@yourvpn.com:/etc/openvpn/

# on openvpn
ssh you@yourvpn.com
cd /etc/openvpn/
openvpn --genkey --secret ta.key
exit

# on easyrsa
./easyrsa gen-req server1 nopass 
scp ./pki/private/server1.key you@yourvpn.com:/etc/openvpn/
scp ./pki/reqs/server1.req you@yourvpn.com:/etc/openvpn/
./easyrsa import-req ./pki/reqs/server1.req server1
./easyrsa sign-req server server1
scp ./pki/issued/server1.crt you@yourvpn.com:/etc/openvpn/
scp ./pki/ca.crt you@yourvpn.com:/etc/openvpn/

# on openvpn
ssh you@yourvpn.com
nano /etc/openvpn/server1.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server1.crt
key server1.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
auth SHA256
# on openvpn
systemctl start openvpn@server1
systemctl status openvpn@server1
systemctl enable openvpn@server1

# add net.ipv4.ip_forward=1  to /etc/sysctl.conf
sysctl -p

Правила для IPTABLES

# on openvpn
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o enp3s0 -j MASQUERADE
iptables -A INPUT -p tcp --destination-port 6881:6999 -j DROP
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j DROP

Clients

./client.conf

client
dev tun
proto udp
remote <IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth SHA256
key-direction 1
# on easyrsa
mkdir configs
nano ./gen_config.sh
#!/bin/bash

./easyrsa gen-req ${1} nopass
./easyrsa import-req ./pki/reqs/${1}.req ${1}
./easyrsa sign-req client ${1}

BASE_CONF=./client.conf
CA_FILE=./pki/issued/ca.crt
TA_FILE=./pki/private/ta.key

CLIENT_CERT=./pki/issued/${1}.crt
CLIENT_KEY=./pki/private/${1}.key

# Test for files
for i in "$BASE_CONF" "$CA_FILE" "$TA_FILE" "$CLIENT_CERT" "$CLIENT_KEY"; do
    if [[ ! -f $i ]]; then
        echo " The file $i does not exist"
        exit 1
    fi

    if [[ ! -r $i ]]; then
        echo " The file $i is not readable."
        exit 1
    fi
done

# Generate client config
cat > ./configs/${1}.ovpn <<EOF
$(cat ${BASE_CONF})
<key>
$(cat ${CLIENT_KEY})
</key>
<cert>
$(cat ${CLIENT_CERT})
</cert>
<ca>
$(cat ${CA_FILE})
</ca>
<tls-auth>
$(cat ${TA_FILE})
</tls-auth>
EOF

KDE

sudo apt install network-manager-openvpn

https://www.linode.com/community/questions/5513/need-a-iptable-rule-to-disable-bittorrent

iptables -A INPUT -p tcp -m tcp --dport 6881:6999 -j DROP
iptables -A OUTPUT -p tcp -m tcp --sport 6881:6999 -j DROP

Shadowsocks

SSH socks proxy

ssh -D 12345 -q -C -N <user>@<ip>

Proxy Squad3