VPN: различия между версиями
Перейти к навигации
Перейти к поиску
Artem (обсуждение | вклад) (→KDE) |
Artem (обсуждение | вклад) (→KDE) |
||
| Строка 172: | Строка 172: | ||
iptables -A OUTPUT -p tcp -m tcp --sport 6881:6999 -j DROP | iptables -A OUTPUT -p tcp -m tcp --sport 6881:6999 -j DROP | ||
</pre> | </pre> | ||
= Shadowsocks = | |||
* https://thematrix.dev/use-openvpn-over-shadowsocks/ | |||
Текущая версия от 03:28, 16 марта 2024
Хорошая статья тут https://baks.dev/article/ubuntu/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
OpenVPN & EasyRSA
cd ~ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz tar -xzvf EasyRSA-3.0.4.tgz cd EasyRSA-3.0.4 cp vars.example vars nano vars
set_var EASYRSA_REQ_COUNTRY "DE" set_var EASYRSA_REQ_PROVINCE "Berlin" set_var EASYRSA_REQ_CITY "Berlin" set_var EASYRSA_REQ_ORG "Aleksashkin" set_var EASYRSA_REQ_EMAIL "artem@aleksashkin.com" set_var EASYRSA_REQ_OU "Community"
# on openvpn ssh you@yourvpn.com apt update apt install openvpn exit # on easyrsa ./easyrsa init-pki ./easyrsa build-ca ./easyrsa gen-dh scp dh.pem you@yourvpn.com:/etc/openvpn/ # on openvpn ssh you@yourvpn.com cd /etc/openvpn/ openvpn --genkey --secret ta.key exit # on easyrsa ./easyrsa gen-req server1 nopass scp ./pki/private/server1.key you@yourvpn.com:/etc/openvpn/ scp ./pki/reqs/server1.req you@yourvpn.com:/etc/openvpn/ ./easyrsa import-req ./pki/reqs/server1.req server1 ./easyrsa sign-req server server1 scp ./pki/issued/server1.crt you@yourvpn.com:/etc/openvpn/ scp ./pki/ca.crt you@yourvpn.com:/etc/openvpn/ # on openvpn ssh you@yourvpn.com nano /etc/openvpn/server1.conf
port 1194 proto udp dev tun ca ca.crt cert server1.crt key server1.key # This file should be kept secret dh dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /var/log/openvpn/ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 10 120 tls-auth ta.key 0 # This file is secret cipher AES-256-CBC user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log verb 3 explicit-exit-notify 1 auth SHA256
# on openvpn systemctl start openvpn@server1 systemctl status openvpn@server1 systemctl enable openvpn@server1 # add net.ipv4.ip_forward=1 to /etc/sysctl.conf sysctl -p
Правила для IPTABLES
# on openvpn iptables -P FORWARD ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o enp3s0 -j MASQUERADE iptables -A INPUT -p tcp --destination-port 6881:6999 -j DROP iptables -A OUTPUT -p tcp --source-port 6881:6999 -j DROP
Clients
./client.conf
client dev tun proto udp remote <IP> 1194 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server cipher AES-256-CBC verb 3 auth SHA256 key-direction 1
# on easyrsa mkdir configs nano ./gen_config.sh
#!/bin/bash
./easyrsa gen-req ${1} nopass
./easyrsa import-req ./pki/reqs/${1}.req ${1}
./easyrsa sign-req client ${1}
BASE_CONF=./client.conf
CA_FILE=./pki/issued/ca.crt
TA_FILE=./pki/private/ta.key
CLIENT_CERT=./pki/issued/${1}.crt
CLIENT_KEY=./pki/private/${1}.key
# Test for files
for i in "$BASE_CONF" "$CA_FILE" "$TA_FILE" "$CLIENT_CERT" "$CLIENT_KEY"; do
if [[ ! -f $i ]]; then
echo " The file $i does not exist"
exit 1
fi
if [[ ! -r $i ]]; then
echo " The file $i is not readable."
exit 1
fi
done
# Generate client config
cat > ./configs/${1}.ovpn <<EOF
$(cat ${BASE_CONF})
<key>
$(cat ${CLIENT_KEY})
</key>
<cert>
$(cat ${CLIENT_CERT})
</cert>
<ca>
$(cat ${CA_FILE})
</ca>
<tls-auth>
$(cat ${TA_FILE})
</tls-auth>
EOF
KDE
sudo apt install network-manager-openvpn
https://www.linode.com/community/questions/5513/need-a-iptable-rule-to-disable-bittorrent
iptables -A INPUT -p tcp -m tcp --dport 6881:6999 -j DROP iptables -A OUTPUT -p tcp -m tcp --sport 6881:6999 -j DROP