computing:vpnserver-debian

Differences

computing:vpnserver-debian [2023/05/21 22:57] oemb1905
computing:vpnserver-debian [2023/05/22 02:04] oemb1905
Line 95: Line 95:
   ssh root@192.168.122.1   ssh root@192.168.122.1
      
-NextI need to add routes to a different subnet on a virtual bridge I use for my VMs. Then, I can disable public facing ssh on all of VMs theoretically and access them through the vpnserver only. Again, even this is overkill since I am already using ssh keypairs, however, I might just do it to learn about pushing routes/subnets over openvpn and less because of it providing added security. Moreover, doing this would cause me to have rewrite my entire backup stack on the backup server (lol) since all the domains would need to change from external to internal addresses. But it would be fun!+For traffic redirection, do the following:
  
- --- //[[jonathan@haacksnetworking.org|oemb1905]] 2023/05/21 14:49//+  nano /etc/default/ufw 
 +  <DEFAULT_FORWARD_POLICY="ACCEPT"> 
 +  nano /etc/ufw/before.rules 
 +  <*nat> 
 +  <:POSTROUTING ACCEPT [0:0]> 
 +  <-A POSTROUTING -s 192.168.123.0/24 -o enp1s0f0 -j MASQUERADE> 
 +  <COMMIT> 
 +  nano /etc/sysctl.conf 
 +  <net.ipv4.ip_forward=1> 
 +  sysctl -p   
 + 
 +This enables masquerading, packet forwarding in ufw, and IP forwarding to the client. This will allow you to specify this additional line in the client config for traffic redirection: 
 + 
 +  redirect-gateway def1 
 +   
 +My next goal is to add some routes to a different subnet on a virtual bridge I use for my VMs, and that's also on the physical host. Then, I can disable public facing ssh on all of VMs theoretically and access them through the vpnserver only. Again, even this is overkill since I am already using ssh keypairs, however, I might just do it to learn about pushing routes/subnets over openvpn and less because of it providing added security. Moreover, doing this would cause me to have rewrite my entire backup stack on the backup server (lol) since all the domains would need to change from external to internal addresses. But it would be fun!  
 + 
 + --- //[[jonathan@haacksnetworking.org|oemb1905]] 2023/05/21 19:58//
      
  
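Review bot: the angle brackets around the lines to add (`<DEFAULT_FORWARD_POLICY="ACCEPT">`, `<*nat>`, `<COMMIT>`) are not part of the ufw or sysctl file syntax, so a reader who pastes them literally ends up with a broken /etc/default/ufw and before.rules; either drop the brackets or state once that they mark the line to insert. The hunk also leaves out where the `*nat` ... `COMMIT` block goes: it must sit outside the existing `*filter` ... `COMMIT` section of /etc/ufw/before.rules (conventionally above it), since each table in that file needs its own `COMMIT`, and 192.168.123.0/24 and enp1s0f0 are this host's VPN subnet and outbound interface, so it is worth saying they have to match the `server` line in the OpenVPN config and the real NIC name on whatever box the steps are repeated on. `DEFAULT_FORWARD_POLICY="ACCEPT"` forwards between every interface on the machine, not only from the tunnel to enp1s0f0; a narrower choice is to leave it at DROP and add `ufw route allow in on tun0 out on enp1s0f0` (tun0 assumed as the OpenVPN device name). Lastly, `sysctl -p` only re-reads /etc/sysctl.conf, which is fine here, but if `net.ipv4.ip_forward=1` is ever moved into a drop-in under /etc/sysctl.d/ the reload needs `sysctl --system` instead.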
computing/vpnserver-debian.txt · Last modified: 2024/02/17 19:43 by oemb1905