computing:vpnserver-debian

Differences

computing:vpnserver-debian [2023/05/21 22:57] oemb1905
computing:vpnserver-debian [2024/02/17 19:43] (current) – created oemb1905
Line 21: Line 21:
   cp -r /usr/share/easy-rsa /etc/   cp -r /usr/share/easy-rsa /etc/
      
-Navigate inside of the easy-rsa directory (the one you just made by copying) and start building the server by initializing the pki tool, building your certificate authority, generating diffyhelmen for strong key exchange, and then building sudo ufw allow from 192.168.123.0/24 to any port 22+Navigate inside of the easy-rsa directory (the one you just made by copying) and start building the server by initializing the pki tool, building your certificate authority, generating diffyhelmen for strong key exchange, and then building sudo ufw allow from 192.168.147.0/24 to any port 22
 the openvpn server itself which will leverage these: the openvpn server itself which will leverage these:
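Review bot: a firewall command is pasted into the middle of the easy-rsa sentence on both sides of this hunk ("...generating diffyhelmen for strong key exchange, and then building sudo ufw allow from 192.168.147.0/24 to any port 22" / "the openvpn server itself which will leverage these:"); that rule already lives in the firewall section further down and should be deleted here so the sentence reads "...and then building the openvpn server itself which will leverage these:". While the line is being touched, "diffyhelmen" should read "Diffie-Hellman parameters" (the easy-rsa gen-dh step). The only substantive change in the hunk is the subnet, 192.168.123.0/24 to 192.168.147.0/24; that value must agree with every other occurrence on the page (the ccd file, the ufw rules and the MASQUERADE rule).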
  
Line 47: Line 47:
  
   nano /etc/openvpn/ccd/client   nano /etc/openvpn/ccd/client
-  <ifconfig-push 192.168.123.100 255.255.255.0>+  <ifconfig-push 192.168.147.100 255.255.255.0>
  
 Note that for the above static assignment to work on the client, you must add ''client-config-dir /etc/openvpn/ccd'' to the server configuration. To build the server configuration, I used the template provided and some online resources. Here's where you get the provided template and a view of what my config looks like. Note that for the above static assignment to work on the client, you must add ''client-config-dir /etc/openvpn/ccd'' to the server configuration. To build the server configuration, I used the template provided and some online resources. Here's where you get the provided template and a view of what my config looks like.
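Review bot: `ifconfig-push 192.168.147.100 255.255.255.0` only works when the server config contains `topology subnet`; with OpenVPN's default net30 topology, ifconfig-push expects a local/remote pair of /30 addresses, and a client handed a /24 mask ends up with a broken tunnel interface. The paragraph below names `client-config-dir /etc/openvpn/ccd` as the prerequisite, but `topology subnet` and a matching `server 192.168.147.0 255.255.255.0` line are just as necessary and should be listed with it. Minor: the ccd file is shown as a fixed name `client`; OpenVPN looks the file up by the Common Name of the connecting client's certificate, so the text should say the filename must equal that CN.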
Line 61: Line 61:
 Let's make sure the firewall only permits vpn server traffic and ssh from a private subnet as per the design mentioned at the outset: Let's make sure the firewall only permits vpn server traffic and ssh from a private subnet as per the design mentioned at the outset:
  
-  ufw allow 1184/udp +  ufw allow 1194/udp 
-  ufw allow from 192.168.123.0/24 to any port 22+  ufw allow from 192.168.147.0/24 to any port 22 
 +  sudo ufw allow from 73.42.113.16 to any port 22 proto tcp [optional allowance from static external]
      
 The server is now setup, so time to build the client files on the server, build a client configuration file and test the connection. Copy all the generated files to a dedicated client directory for safekeeping/backup, and this also makes it easier to ''scp'' them down to a client. The server is now setup, so time to build the client files on the server, build a client configuration file and test the connection. Copy all the generated files to a dedicated client directory for safekeeping/backup, and this also makes it easier to ''scp'' them down to a client.
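Review bot: the 1184 to 1194 port fix is correct, but the added third line puts the annotation "[optional allowance from static external]" inside the command, where a reader copying the block will paste it as arguments; move it into the prose above or onto its own line. The same line starts with `sudo` while the other two do not (the page otherwise runs everything as root, e.g. `nano /etc/openvpn/ccd/client`), so drop it for consistency, and give the VPN-subnet rule `proto tcp` like the new one. More important: the sentence above says the firewall "only permits" VPN and SSH traffic, yet the block contains only allow rules; it should show `ufw default deny incoming` and `ufw enable` (or refer back to where they were run), otherwise nothing is denied.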
Line 95: Line 96:
   ssh root@192.168.122.1   ssh root@192.168.122.1
      
-NextI need to add routes to a different subnet on a virtual bridge I use for my VMs. Then, I can disable public facing ssh on all of VMs theoretically and access them through the vpnserver only. Again, even this is overkill since I am already using ssh keypairs, however, I might just do it to learn about pushing routes/subnets over openvpn and less because of it providing added security. Moreover, doing this would cause me to have rewrite my entire backup stack on the backup server (lol) since all the domains would need to change from external to internal addresses. But it would be fun!+For traffic redirection, do the following:
  
- --- //[[jonathan@haacksnetworking.org|oemb1905]] 2023/05/21 14:49//+  nano /etc/default/ufw 
 +  <DEFAULT_FORWARD_POLICY="ACCEPT"> 
 +  nano /etc/ufw/before.rules 
 +  <*nat> 
 +  <:POSTROUTING ACCEPT [0:0]
 +  <-A POSTROUTING -s 192.168.147.0/24 -o enp1s0f0 -j MASQUERADE> 
 +  <COMMIT> 
 +  nano /etc/sysctl.conf 
 +  <net.ipv4.ip_forward=1> 
 +  sysctl -p   
 + 
 +This enables masquerading, packet forwarding in ufw, and IP forwarding to the client. This will allow you to specify this additional line in the client config for traffic redirection: 
 + 
 +  redirect-gateway def1
      
 +I wrote some scripts to automate some of the aspects of server and client generation:
 +
 +  * [[https://repo.haacksnetworking.org/haacknet/haackingclub/-/tree/main/scripts/openvpn/openvpn-debian?ref_type=heads|Debian VPN Scripts]]
  
 + --- //[[webmaster@haacksnetworking.org|oemb1905]] 2024/02/17 19:41//
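Review bot: the before.rules fragment is inconsistent and underspecified. `<:POSTROUTING ACCEPT [0:0]` is missing its closing `>` (compare the lines around it), and the text should say where the block goes: the `*nat` table must be placed at the top of /etc/ufw/before.rules, above the existing `*filter` section, with its own `COMMIT`. `enp1s0f0` is this host's outbound interface and should be flagged as something to substitute. `DEFAULT_FORWARD_POLICY="ACCEPT"` forwards between all interfaces, including the VM bridge mentioned in the replaced paragraph; a tighter choice is to keep DROP and add `-A ufw-before-forward -i tun0 -j ACCEPT` plus `-A ufw-before-forward -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT` to the filter section. Finally, `redirect-gateway def1` can be pushed from the server (`push "redirect-gateway def1"`) instead of being edited into every client file, and full-tunnel clients usually also need a resolver pushed (`push "dhcp-option DNS ..."`), or name resolution may break once their default route moves into the tunnel.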
computing/vpnserver-debian.1684709846.txt.gz · Last modified: 2023/05/21 22:57 by oemb1905