docs: update vpn/openvpn/servidor

José Antonio Yáñez Jiménez 2022-05-24 14:03:15 +00:00 committed by José Antonio Yáñez Jiménez
parent 7423fed3f0
commit 06e5e375e3


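--- a/vpn/openvpn/servidor
+++ b/vpn/openvpn/servidor
@@ -2,7 +2,7 @@
 title: OpenVPN - Servidor
 description: Tutorial de instalación del Servidor OpenVPN
 published: true
-date: 2022-05-24T12:25:13.000Z
+date: 2022-05-24T14:03:11.931Z
 tags: vpn, servidor, debian
 editor: markdown
 dateCreated: 2022-05-18T16:48:57.246Z
@@ -553,3 +553,161 @@ sudo ./make_config.sh client1
 ```
 * El fichero resultante, `bastionado-client1.ovpn` deberá entregarse al cliente para que éste pueda conectar a la VPN.
+## Habilitando el forwarding en nftables
+```bash
+#!/usr/sbin/nft -f
+flush ruleset
+define vpn_port=1194
+define vpn_if=tun0
+define outside_if=enp0s17
+define vpn_subnet=10.8.0.0/24
+table inet filter {
+chain input {
+# allow generic VPN connections to the Server
+udp dport $vpn_port accept
+# allow OpenVPN
+# udp dport 1194 accept
+}
+chain forward {
+#Drop forwarded packets if they are not matched
+type filter hook forward priority 0; policy drop;
+# allow existing connections
+ct state related,established accept
+# allow packats from vpn interface
+iifname $vpn_if oifname $outside_if accept
+}
+chain output {
+# Security drops
+ct state invalid counter drop
+oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
+oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
+}
+}
+# create a ipv4 table only for NAT entries (you need both chains even if they're empty)
+table ip nat {
+chain postrouting {
+type nat hook postrouting priority 100;
+# enable NAT for VPN
+iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
+}
+chain prerouting {
+type nat hook prerouting priority 0;
+}
+}
+```
+```bash
+sudo systemctl start nftables.service && sudo systemctl status nftables.service
+sudo systemctl enable nftables.service
+```
+## Habilitando tor
+```bash
+sudo apt install tor
+sudo vim /etc/tor/torrc
+VirtualAddrNetwork 10.192.0.0/10
+AutomapHostsOnResolve 1
+DNSPort 10.8.0.1:53530
+TransPort 10.8.0.1:9040
+sudo systemctl restart tor.service
+sudo netstat -tulpen | grep tor
+```
+```bash
+#!/usr/sbin/nft -f
+flush ruleset
+define vpn_port=1194
+define vpn_if=tun0
+define outside_if=enp0s17
+define vpn_subnet=10.8.0.0/24
+table inet filter {
+chain input {
+# allow OpenVPN connections to the Server
+udp dport $vpn_port accept
+}
+chain forward {
+#Drop forwarded packets if they are not matched
+type filter hook forward priority 0; policy drop;
+# allow existing connections
+ct state related,established accept
+# allow packats from vpn interface
+iifname $vpn_if oifname $outside_if accept
+}
+chain output {
+# Security drops
+ct state invalid counter drop
+oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
+oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
+}
+}
+# create a ipv4 table only for NAT entries (you need both chains even if they're empty)
+table ip nat {
+chain postrouting {
+type nat hook postrouting priority 100;
+# enable NAT for VPN
+iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
+}
+chain prerouting {
+# Transparent proxy to TOR
+type nat hook prerouting priority 0;
+iifname $vpn_if ip saddr $vpn_subnet udp dport 53 counter dnat to 10.8.0.1:53530
+iifname $vpn_if ip protocol tcp ip saddr $vpn_subnet counter dnat to 10.8.0.1:9040
+iifname $vpn_if ip protocol udp ip saddr $vpn_subnet counter dnat to 10.8.0.1:9040
+}
+}
+```
+```bash
+sudo systemctl restart nftables.service && sudo systemctl status nftables.service
+```
+```bash
+sudo vim /etc/openvpn/server.conf
+push "dhcp-option DNS 10.8.0.1"
+```
+```bash
+sudo systemctl restart openvpn@server.service && sudo systemctl status openvpn@server.service
+```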