VPN: различия между версиями
Перейти к навигации
Перейти к поиску
Artem (обсуждение | вклад) Нет описания правки |
Artem (обсуждение | вклад) Нет описания правки |
||
| Строка 2: | Строка 2: | ||
https://baks.dev/article/ubuntu/how-to-set-up-an-openvpn-server-on-ubuntu-18-04 | https://baks.dev/article/ubuntu/how-to-set-up-an-openvpn-server-on-ubuntu-18-04 | ||
= EasyRSA = | |||
<pre> | |||
cd ~ | |||
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz | |||
tar -xzvf EasyRSA-3.0.4.tgz | |||
cd EasyRSA-3.0.4 | |||
cp vars.example vars | |||
nano vars | |||
</pre> | |||
<pre> | |||
set_var EASYRSA_REQ_COUNTRY "DE" | |||
set_var EASYRSA_REQ_PROVINCE "Berlin" | |||
set_var EASYRSA_REQ_CITY "Berlin" | |||
set_var EASYRSA_REQ_ORG "Aleksashkin" | |||
set_var EASYRSA_REQ_EMAIL "artem@aleksashkin.com" | |||
set_var EASYRSA_REQ_OU "Community" | |||
</pre> | |||
<pre> | |||
./easyrsa init-pki | |||
./easyrsa build-ca | |||
./easyrsa gen-dh | |||
scp dh.pem you@yoropebvpn.com:/etc/openvpn/ | |||
ssh you@yoropebvpn.com | |||
# on openvpn | |||
apt update | |||
apt install openvpn | |||
cd /etc/openvpn/ | |||
openvpn --genkey --secret ta.key | |||
exit | |||
# on easyrsa | |||
./easyrsa gen-req server1 nopass | |||
scp ./pki/private/server1.key you@yoropebvpn.com:/etc/openvpn/ | |||
scp ./pki/reqs/server1.req you@yoropebvpn.com:/etc/openvpn/ | |||
./easyrsa import-req ./pki/reqs/server1.req server1 | |||
./easyrsa sign-req server server1 | |||
scp ./pki/issued/server1.crt you@yoropebvpn.com:/etc/openvpn/ | |||
scp ./pki/ca.crt you@yoropebvpn.com:/etc/openvpn/ | |||
ssh you@yoropebvpn.com | |||
# on openvpn | |||
nano /etc/openvpn/server1.conf | |||
</pre> | |||
<pre> | |||
port 1194 | |||
proto udp | |||
dev tun | |||
ca ca.crt | |||
cert server1.crt | |||
key server1.key # This file should be kept secret | |||
dh dh.pem | |||
server 10.8.0.0 255.255.255.0 | |||
ifconfig-pool-persist /var/log/openvpn/ipp.txt | |||
push "redirect-gateway def1 bypass-dhcp" | |||
push "dhcp-option DNS 8.8.8.8" | |||
push "dhcp-option DNS 8.8.4.4" | |||
keepalive 10 120 | |||
tls-auth ta.key 0 # This file is secret | |||
cipher AES-256-CBC | |||
user nobody | |||
group nogroup | |||
persist-key | |||
persist-tun | |||
status /var/log/openvpn/openvpn-status.log | |||
verb 3 | |||
explicit-exit-notify 1 | |||
auth SHA256 | |||
</pre> | |||
<pre> | |||
# on openvpn | |||
systemctl start openvpn@server1 | |||
systemctl status openvpn@server1 | |||
systemctl enable openvpn@server1 | |||
# add net.ipv4.ip_forward=1 to /etc/sysctl.conf | |||
sysctl -p | |||
</pre> | |||
Правила для IPTABLES | Правила для IPTABLES | ||
<pre> | <pre> | ||
# on openvpn | |||
iptables -P FORWARD ACCEPT | iptables -P FORWARD ACCEPT | ||
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o enp3s0 -j MASQUERADE | iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o enp3s0 -j MASQUERADE | ||
iptables -A INPUT -p tcp --destination-port 6881:6999 -j DROP | iptables -A INPUT -p tcp --destination-port 6881:6999 -j DROP | ||
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j DROP | iptables -A OUTPUT -p tcp --source-port 6881:6999 -j DROP | ||
</pre> | |||
<pre> | |||
</pre> | </pre> | ||
https://www.linode.com/community/questions/5513/need-a-iptable-rule-to-disable-bittorrent | https://www.linode.com/community/questions/5513/need-a-iptable-rule-to-disable-bittorrent | ||
Версия от 02:37, 1 ноября 2022
Хорошая статья тут https://baks.dev/article/ubuntu/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
EasyRSA
cd ~ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz tar -xzvf EasyRSA-3.0.4.tgz cd EasyRSA-3.0.4 cp vars.example vars nano vars
set_var EASYRSA_REQ_COUNTRY "DE" set_var EASYRSA_REQ_PROVINCE "Berlin" set_var EASYRSA_REQ_CITY "Berlin" set_var EASYRSA_REQ_ORG "Aleksashkin" set_var EASYRSA_REQ_EMAIL "artem@aleksashkin.com" set_var EASYRSA_REQ_OU "Community"
./easyrsa init-pki ./easyrsa build-ca ./easyrsa gen-dh scp dh.pem you@yoropebvpn.com:/etc/openvpn/ ssh you@yoropebvpn.com # on openvpn apt update apt install openvpn cd /etc/openvpn/ openvpn --genkey --secret ta.key exit # on easyrsa ./easyrsa gen-req server1 nopass scp ./pki/private/server1.key you@yoropebvpn.com:/etc/openvpn/ scp ./pki/reqs/server1.req you@yoropebvpn.com:/etc/openvpn/ ./easyrsa import-req ./pki/reqs/server1.req server1 ./easyrsa sign-req server server1 scp ./pki/issued/server1.crt you@yoropebvpn.com:/etc/openvpn/ scp ./pki/ca.crt you@yoropebvpn.com:/etc/openvpn/ ssh you@yoropebvpn.com # on openvpn nano /etc/openvpn/server1.conf
port 1194 proto udp dev tun ca ca.crt cert server1.crt key server1.key # This file should be kept secret dh dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /var/log/openvpn/ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 10 120 tls-auth ta.key 0 # This file is secret cipher AES-256-CBC user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log verb 3 explicit-exit-notify 1 auth SHA256
# on openvpn systemctl start openvpn@server1 systemctl status openvpn@server1 systemctl enable openvpn@server1 # add net.ipv4.ip_forward=1 to /etc/sysctl.conf sysctl -p
Правила для IPTABLES
# on openvpn iptables -P FORWARD ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o enp3s0 -j MASQUERADE iptables -A INPUT -p tcp --destination-port 6881:6999 -j DROP iptables -A OUTPUT -p tcp --source-port 6881:6999 -j DROP
https://www.linode.com/community/questions/5513/need-a-iptable-rule-to-disable-bittorrent