From 06e5e375e3e939a45baec953371dc2b67770801f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Antonio=20Y=C3=A1=C3=B1ez=20Jim=C3=A9nez?=
Date: Tue, 24 May 2022 14:03:15 +0000
Subject: [PATCH] docs: update vpn/openvpn/servidor
---
 vpn/openvpn/servidor.md | 160 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 159 insertions(+), 1 deletion(-)
diff --git a/vpn/openvpn/servidor.md b/vpn/openvpn/servidor.md
index 81b99bc..225b1de 100644
--- a/vpn/openvpn/servidor.md
+++ b/vpn/openvpn/servidor.md
@@ -2,7 +2,7 @@
 title: OpenVPN - Servidor
 description: Tutorial de instalación del Servidor OpenVPN
 published: true
-date: 2022-05-24T12:25:13.000Z
+date: 2022-05-24T14:03:11.931Z
 tags: vpn, servidor, debian
 editor: markdown
 dateCreated: 2022-05-18T16:48:57.246Z
@@ -553,3 +553,161 @@ sudo ./make_config.sh client1
 ```
 
 * El fichero resultante, `bastionado-client1.ovpn` deberá entregarse al cliente para que éste pueda conectar a la VPN.
+
+## Habilitando el forwarding en nftables
+
+```bash
+#!/usr/sbin/nft -f
+
+flush ruleset
+define vpn_port=1194
+define vpn_if=tun0
+define outside_if=enp0s17
+define vpn_subnet=10.8.0.0/24
+
+table inet filter {
+
+
+ chain input {
+ # allow generic VPN connections to the Server
+ udp dport $vpn_port accept
+
+ # allow OpenVPN
+ # udp dport 1194 accept
+
+ }
+
+ chain forward {
+ #Drop forwarded packets if they are not matched
+ type filter hook forward priority 0; policy drop;
+
+ # allow existing connections
+ ct state related,established accept
+
+ # allow packats from vpn interface
+ iifname $vpn_if oifname $outside_if accept
+
+ }
+
+ chain output {
+ # Security drops
+ ct state invalid counter drop
+ oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
+ oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
+ }
+
+}
+
+# create a ipv4 table only for NAT entries (you need both chains even if they're empty)
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100;
+
+ # enable NAT for VPN
+ iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
+
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority 0;
+
+ }
+
+}
+```
+
+```bash
+sudo systemctl start nftables.service && sudo systemctl status nftables.service
+
+sudo systemctl enable nftables.service
+```
+
+## Habilitando tor
+
+```bash
+sudo apt install tor
+
+sudo vim /etc/tor/torrc
+
+ VirtualAddrNetwork 10.192.0.0/10
+ AutomapHostsOnResolve 1
+ DNSPort 10.8.0.1:53530
+ TransPort 10.8.0.1:9040
+
+sudo systemctl restart tor.service
+
+sudo netstat -tulpen | grep tor
+```
+
+```bash
+#!/usr/sbin/nft -f
+
+flush ruleset
+define vpn_port=1194
+define vpn_if=tun0
+define outside_if=enp0s17
+define vpn_subnet=10.8.0.0/24
+
+table inet filter {
+
+
+ chain input {
+ # allow OpenVPN connections to the Server
+ udp dport $vpn_port accept
+ }
+
+ chain forward {
+ #Drop forwarded packets if they are not matched
+ type filter hook forward priority 0; policy drop;
+
+ # allow existing connections
+ ct state related,established accept
+
+ # allow packats from vpn interface
+ iifname $vpn_if oifname $outside_if accept
+
+ }
+
+ chain output {
+ # Security drops
+ ct state invalid counter drop
+ oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
+ oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
+ }
+
+}
+
+# create a ipv4 table only for NAT entries (you need both chains even if they're empty)
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100;
+
+ # enable NAT for VPN
+ iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
+
+ }
+
+ chain prerouting {
+ # Transparent proxy to TOR
+ type nat hook prerouting priority 0;
+ iifname $vpn_if ip saddr $vpn_subnet udp dport 53 counter dnat to 10.8.0.1:53530
+ iifname $vpn_if ip protocol tcp ip saddr $vpn_subnet counter dnat to 10.8.0.1:9040
+ iifname $vpn_if ip protocol udp ip saddr $vpn_subnet counter dnat to 10.8.0.1:9040
+ }
+
+}
+```
+
+```bash
+sudo systemctl restart nftables.service && sudo systemctl status nftables.service
+```
+
+```bash
+sudo vim /etc/openvpn/server.conf
+
+push "dhcp-option DNS 10.8.0.1"
+```
+
+```bash
+sudo systemctl restart openvpn@server.service && sudo systemctl status openvpn@server.service
+```
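Review bot: In both nftables listings the `chain input { … }` and `chain output { … }` blocks have no `type filter hook … priority …; policy …;` line, so they are regular chains that nothing jumps to — the `udp dport $vpn_port accept` rule and the "Security drops" never see a packet, and only `forward` plus the `nat` chains are actually in effect, which the tutorial text does not say. Either delete the two dead chains or make `input` a base chain by adding `type filter hook input priority 0; policy drop;`, `iifname "lo" accept` and `ct state established,related accept` ahead of the existing `udp dport $vpn_port accept` (and an accept for whatever admin port the earlier sections rely on, not visible in this hunk), since a `policy drop` input chain without those will lock the operator out as soon as the ruleset loads. Separately, in the second listing the rule `iifname $vpn_if ip protocol udp ip saddr $vpn_subnet counter dnat to 10.8.0.1:9040` sends all non-DNS client UDP to Tor's `TransPort`, which as far as I know accepts TCP only, so that traffic is silently unanswered rather than deliberately dropped. Anything the `prerouting` rules do not match — ICMP, and IPv6 if the tunnel ever carries it (the OpenVPN config is outside this hunk) — is still accepted by `forward` and masqueraded straight out of `$outside_if`, bypassing Tor; if the Tor-only intent is real, replace the forward accept with `iifname $vpn_if oifname $outside_if counter drop` and state that limitation in the prose.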