This shows you the differences between two versions of the page.
computing:vpnserver-debian [2023/05/21 21:10] – oemb1905 | computing:vpnserver-debian [2024/02/17 19:43] (current) – created oemb1905 | ||
---|---|---|---|
Line 3: | Line 3: | ||
* **Jonathan Haack** | * **Jonathan Haack** | ||
* **Haack' | * **Haack' | ||
- | * **netcmnd@jonathanhaack.com** | + | * **webmaster@haacksnetworking.org** |
------------------------------------------- | ------------------------------------------- | ||
Line 21: | Line 21: | ||
cp -r / | cp -r / | ||
| | ||
- | Navigate inside of the easy-rsa directory (the one you just made by copying) and start building the server by initializing the pki tool, building your certificate authority, generating diffyhelmen for strong key exchange, and then building sudo ufw allow from 192.168.123.0/24 to any port 22 | + | Navigate inside of the easy-rsa directory (the one you just made by copying) and start building the server by initializing the pki tool, building your certificate authority, generating diffyhelmen for strong key exchange, and then building sudo ufw allow from 192.168.147.0/24 to any port 22 |
the openvpn server itself which will leverage these: | the openvpn server itself which will leverage these: | ||
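Review bot: the instruction sentence in this hunk is interrupted by a stray firewall command; `sudo ufw allow from 192.168.147.0/24 to any port 22` sits in the middle of "generating diffyhelmen for strong key exchange, and then building ... the openvpn server itself", so reflow the paragraph to keep the prose continuous and move that rule down to the firewall section, where the same rule already appears. While on this line, "diffyhelmen" should read "Diffie-Hellman parameters" (the easy-rsa DH generation step), and since this revision changes the private subnet from 192.168.123.0/24 to 192.168.147.0/24, the page should state once, near the design description, which subnet the rest of the rules assume.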
Line 47: | Line 47: | ||
nano / | nano / | ||
- | < | + | < |
Note that for the above static assignment to work on the client, you must add '' | Note that for the above static assignment to work on the client, you must add '' | ||
Line 61: | Line 61: | ||
Let's make sure the firewall only permits vpn server traffic and ssh from a private subnet as per the design mentioned at the outset: | Let's make sure the firewall only permits vpn server traffic and ssh from a private subnet as per the design mentioned at the outset: | ||
- | ufw allow 1184/udp | + | ufw allow 1194/udp |
- | ufw allow from 192.168.123.0/24 to any port 22 | + | ufw allow from 192.168.147.0/24 to any port 22 |
+ | sudo ufw allow from 73.42.113.16 to any port 22 proto tcp [optional allowance from static external] | ||
| | ||
The server is now setup, so time to build the client files on the server, build a client configuration file and test the connection. Copy all the generated files to a dedicated client directory for safekeeping/ | The server is now setup, so time to build the client files on the server, build a client configuration file and test the connection. Copy all the generated files to a dedicated client directory for safekeeping/ | ||
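Review bot: the added line `sudo ufw allow from 73.42.113.16 to any port 22 proto tcp [optional allowance from static external]` carries its annotation inside the command, so copying it verbatim fails in ufw; move "[optional allowance from static external]" into the surrounding prose. The rule also widens SSH exposure beyond what the sentence above promises ("only permits vpn server traffic and ssh from a private subnet"), so the text should say explicitly that it opens port 22 to one external address and must be removed or updated if that static IP changes. Minor consistency: the two existing rules have neither `sudo` nor `proto tcp` while the new one has both. The port correction from 1184/udp to 1194/udp matches the OpenVPN default and is the right fix.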
Line 95: | Line 96: | ||
ssh root@192.168.122.1 | ssh root@192.168.122.1 | ||
| | ||
- | Next, I need to add routes to a different subnet on a virtual bridge I use for my VMs. Then, I can disable public facing ssh on all of VMs theoretically and access them through the vpnserver only. Again, even this is overkill since I am already using ssh keypairs, however, I might just do it to learn about pushing routes/ | + | For traffic redirection, do the following: |
- | --- //[[jonathan@haacksnetworking.org|oemb1905]] 2023/05/21 14:49// | + | nano / |
+ | < | ||
+ | nano /etc/ufw/before.rules | ||
+ | < | ||
+ | <: | ||
+ | <-A POSTROUTING -s 192.168.147.0/24 -o enp1s0f0 -j MASQUERADE> | ||
+ | < | ||
+ | nano /etc/sysctl.conf | ||
+ | < | ||
+ | sysctl -p | ||
+ | |||
+ | This enables masquerading, | ||
+ | |||
+ | redirect-gateway def1 | ||
| | ||
+ | I wrote some scripts to automate some of the aspects of server and client generation: | ||
+ | |||
+ | * [[https:// | ||
+ | --- // |
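Review bot: the new redirection steps lack the values each file needs, and the one complete line is host-specific: `-A POSTROUTING -s 192.168.147.0/24 -o enp1s0f0 -j MASQUERADE` names the outbound interface enp1s0f0, so the page should tell readers to substitute their own interface, and the lines around that rule in /etc/ufw/before.rules plus the /etc/sysctl.conf entry applied by `sysctl -p` are cut off in this excerpt, so confirm the rendered page shows the complete nat block and the IPv4 forwarding key being set. `redirect-gateway def1` appears as a bare line after "This enables masquerading," with no indication of whether it is pushed from the server config or placed in the client configuration file; say which file it belongs in. The removed paragraph carried the rationale (reach the VMs on the bridge through the VPN only and drop public-facing SSH on them); keep one sentence of that so the masquerade rule has a stated purpose. The scripts bullet `* [[https://` is an empty link.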