computing:vpnserver-debian11

Differences

This shows you the differences between two versions of the page.

computing:vpnserver-debian11 [2023/05/22 02:17] – created oemb1905
computing:vpnserver-debian11 [2024/02/17 19:43] oemb1905
Line 61: Line 61:
 Let's make sure the firewall only permits vpn server traffic and ssh from a private subnet as per the design mentioned at the outset: Let's make sure the firewall only permits vpn server traffic and ssh from a private subnet as per the design mentioned at the outset:
  
-  ufw allow 1184/udp+  ufw allow 1194/udp
   ufw allow from 192.168.147.0/24 to any port 22   ufw allow from 192.168.147.0/24 to any port 22
 +  sudo ufw allow from 73.42.113.16 to any port 22 proto tcp [optional allowance from static external]
      
 The server is now setup, so time to build the client files on the server, build a client configuration file and test the connection. Copy all the generated files to a dedicated client directory for safekeeping/backup, and this also makes it easier to ''scp'' them down to a client. The server is now setup, so time to build the client files on the server, build a client configuration file and test the connection. Copy all the generated files to a dedicated client directory for safekeeping/backup, and this also makes it easier to ''scp'' them down to a client.
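Review bot: the added third rule, `sudo ufw allow from 73.42.113.16 to any port 22 proto tcp [optional allowance from static external]`, carries its explanatory note inside the command, so a reader pasting the block as written gets a ufw parse error; move `[optional allowance from static external]` into the prose and drop the `sudo` prefix so the line matches the two sibling rules. The sentence introducing the block still says ssh is permitted only from a private subnet, which this rule contradicts; either update that sentence to mention the optional static-address exception or present the rule commented out by default. The address is also a literal public IP that readers copying the guide would open their own sshd to, so a placeholder such as `<your-static-ip>` would be the safer form for a public page. The `1184/udp` to `1194/udp` correction itself looks right, since the rest of the page uses OpenVPN's default port.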
Line 112: Line 113:
   redirect-gateway def1   redirect-gateway def1
      
-My next goal is to add some routes to a different subnet on a virtual bridge I use for my VMs, and that's also on the physical host. Then, I can disable public facing ssh on all of VMs theoretically and access them through the vpnserver only. Again, even this is overkill since I am already using ssh keypairs, however, I might just do it to learn about pushing routes/subnets over openvpn and less because of it providing added security. Moreover, doing this would cause me to have rewrite my entire backup stack on the backup server (lol) since all the domains would need to change from external to internal addresses. But it would be fun! +I wrote some scripts to automate some of the aspects of server and client generation:
  
- --- //[[jonathan@haacksnetworking.org|oemb1905]] 2023/05/21 19:58//+  * [[https://repo.haacksnetworking.org/haacknet/haackingclub/-/tree/main/scripts/openvpn/openvpn-debian?ref_type=heads|Debian VPN Scripts]] 
 + 
 + --- //[[webmaster@haacksnetworking.org|oemb1905]] 2024/02/17 19:41//
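Review bot: the new link points at the `main` branch (`tree/main/scripts/openvpn/openvpn-debian?ref_type=heads`), so the scripts a reader downloads can change after this revision was written; since they automate server and client generation for the VPN, consider linking to a tag or a specific commit and adding a sentence asking readers to review the scripts before running them. The removed paragraph about pushing routes for the VM bridge subnet over OpenVPN is dropped without a replacement, so the `redirect-gateway def1` context line above now ends the section with no follow-up; if the scripts cover that, a short sentence saying so would close the gap.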