This shows you the differences between two versions of the page.
computing:vpnserver-debian [2023/05/22 02:04] – oemb1905 | computing:vpnserver-debian [2024/02/17 19:43] (current) – created oemb1905 | ||
---|---|---|---|
Line 21: | Line 21: | ||
cp -r / | cp -r / | ||
| | ||
- | Navigate inside of the easy-rsa directory (the one you just made by copying) and start building the server by initializing the pki tool, building your certificate authority, generating diffyhelmen for strong key exchange, and then building sudo ufw allow from 192.168.123.0/24 to any port 22 | + | Navigate inside of the easy-rsa directory (the one you just made by copying) and start building the server by initializing the pki tool, building your certificate authority, generating diffyhelmen for strong key exchange, and then building sudo ufw allow from 192.168.147.0/24 to any port 22 |
the openvpn server itself which will leverage these: | the openvpn server itself which will leverage these: | ||
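Review bot: the firewall command sitting in the middle of the sentence (`building sudo ufw allow from 192.168.147.0/24 to any port 22` immediately followed by `the openvpn server itself`) reads as a stray paste into the prose rather than an intended step; the sentence should run "...and then building the openvpn server itself which will leverage these:", and the rule itself already lives in the Line 61 block where this revision changes the same subnet. While this line is being touched, "diffyhelmen" should read "Diffie-Hellman parameters".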
Line 47: | Line 47: | ||
nano / | nano / | ||
- | < | + | < |
Note that for the above static assignment to work on the client, you must add '' | Note that for the above static assignment to work on the client, you must add '' | ||
Line 61: | Line 61: | ||
Let's make sure the firewall only permits vpn server traffic and ssh from a private subnet as per the design mentioned at the outset: | Let's make sure the firewall only permits vpn server traffic and ssh from a private subnet as per the design mentioned at the outset: | ||
- | ufw allow 1184/udp | + | ufw allow 1194/udp |
- | ufw allow from 192.168.123.0/24 to any port 22 | + | ufw allow from 192.168.147.0/24 to any port 22 |
+ | sudo ufw allow from 73.42.113.16 to any port 22 proto tcp [optional allowance from static external] | ||
| | ||
The server is now setup, so time to build the client files on the server, build a client configuration file and test the connection. Copy all the generated files to a dedicated client directory for safekeeping/ | The server is now setup, so time to build the client files on the server, build a client configuration file and test the connection. Copy all the generated files to a dedicated client directory for safekeeping/ | ||
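Review bot: the added line `sudo ufw allow from 73.42.113.16 to any port 22 proto tcp [optional allowance from static external]` keeps its explanatory bracket inside the command, so anyone pasting it as written gets a ufw parse error; move the "optional" remark into the prose above the block and drop the `sudo` prefix so it matches the two rules beside it. The 1184 to 1194 correction matches the OpenVPN default port, but the sentence "only permits vpn server traffic and ssh" holds only when the default incoming policy is deny, which this block does not show; stating `ufw default deny incoming` before the allow rules would make the claim true for a reader who has not set it.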
Line 102: | Line 103: | ||
< | < | ||
<: | <: | ||
- | <-A POSTROUTING -s 192.168.123.0/24 -o enp1s0f0 -j MASQUERADE> | + | <-A POSTROUTING -s 192.168.147.0/24 -o enp1s0f0 -j MASQUERADE> |
< | < | ||
nano / | nano / | ||
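Review bot: the source in `-A POSTROUTING -s 192.168.147.0/24 -o enp1s0f0 -j MASQUERADE` has to equal the subnet OpenVPN actually assigns (the `server` directive and the static client assignment edited at Line 47), otherwise tunnel traffic leaves enp1s0f0 un-NATed and is dropped upstream; since this revision changes the subnet here and in the Line 61 ufw rule but the Line 47 hunk is not visible, confirm the server config and any client-config-dir files now use 192.168.147.0/24 as well. The same /24 is what the Line 61 rule admits to port 22, so the text should say once whether that is the VPN subnet or a LAN subnet, because a mismatch there silently opens or closes SSH for the VPN clients.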
Line 112: | Line 113: | ||
redirect-gateway def1 | redirect-gateway def1 | ||
| | ||
- | My next goal is to add some routes to a different subnet on a virtual bridge I use for my VMs, and that's also on the physical host. Then, I can disable public facing ssh on all of VMs theoretically and access them through | + | I wrote some scripts |
- | --- //[[jonathan@haacksnetworking.org|oemb1905]] 2023/05/21 19:58// | + | * [[https:// |
- | | + | |
+ | --- // |