docs: update vpn/openvpn/guide

2022-06-01 22:53:51 +00:00 · 2022-06-01 22:53:51 +00:00 · 19d9c9fe28
commit 19d9c9fe28
parent 9971993a00
1 changed files with 103 additions and 99 deletions
--- a/vpn/openvpn/guide.md
+++ b/vpn/openvpn/guide.md
@ -2,7 +2,7 @@
 title: OpenVPN - Guía de instalación
 description: Guía de instalación utilizada durante la realización de la práctica
 published: true
-date: 2022-06-01T09:43:43.461Z
+date: 2022-06-01T22:53:47.299Z
 tags: vpn, servidor
 editor: markdown
 dateCreated: 2022-05-31T21:04:15.280Z
@ -910,108 +910,13 @@ TransPort 10.10.20.1:9040
 ExitNodes {us} StrictNodes 1
 ```

+## Fin Día 2
+----
+
 ```bash
 clear && cowsay -W 76 -f ovpn 'Configuraremos la resolución de dominios `onion` y `exit` y la resolución DNS y HTTP a la dirección IP que tendrá nuestra futura interfaz `tun`. Por otra parte, solicitaremos que el nodo de salida de TOR sea a través de un servidor de los Estados Unidos.'
 ```

-```bash
-clear && cowsay -W 76 -f ovpn 'Levantamos nuestro servicio, comprobamos que todo funciona correctamente y habilitamos el inicio automático.'
-```
-
-```bash
-sudo systemctl restart tor.service && sudo systemctl status tor.service
-
-sudo netstat -tulpen | grep tor
-
-sudo systemctl enable tor.service 
-```
-
-```bash
-clear && cowsay -W 76 -f ovpn 'Ahora deberemos modificar nuestras Net Filter Tables para que en la cadena de pre enrutamiento el tráfico de nuestra segunda VPN se redirija hacia los nodos TOR, estableciendo así un proxy transparente que redirigirá todo el tráfico de los clientes que conecten en esta modalidad.'
-```
-
-```bash
-sudo dd if=/dev/null of=/etc/nftables.conf && sudo vim /etc/nftables.conf
-```
-
-```bash
-#!/usr/sbin/nft -f
-
-flush ruleset
-define vpn_port=6174
-define vpn_if=tun0
-define outside_if=enp0s17
-define vpn_subnet=10.10.10.0/24
-
-define vpn_port_tor=6175
-define vpn_if_tor=tun1
-define vpn_subnet_tor=10.10.20.0/24
-
-table inet filter {
-
-
-        chain input {
-                # allow OpenVPN connections to the Server
-                udp dport $vpn_port accept
-                
-                # allow OpenVPN TOR connections to the Server
-                udp dport $vpn_port_tor accept
-        }
-
-        chain forward {
-                #Drop forwarded packets if they are not matched
-                type filter hook forward priority 0; policy drop;
-
-                # allow existing connections
-                ct state related,established accept
-
-                # allow packets from vpn interface
-                iifname $vpn_if oifname $outside_if accept
-                
-                # allow packets from vpn interface
-                iifname $vpn_if_tor oifname $outside_if accept
-        }
-
-        chain output {
-						## Transproxy leak blocked:
-    				# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#WARNING
-            ct state invalid counter drop
-            oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
-            oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
-    }
-
-}
-
-# create a ipv4 table only for NAT entries (you need both chains even if they're empty)
-table ip nat {
-        chain postrouting {
-                type nat hook postrouting priority 100;
-
-                # enable NAT for VPN
-                iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
-                
-                # enable NAT for TOR VPN
-                iifname $vpn_if_tor oifname $outside_if ip saddr $vpn_subnet_tor masquerade
-        }
-
-        chain prerouting {
-            # Transparent proxy to TOR
-            type nat hook prerouting priority 0;
-            iifname $vpn_if_tor ip saddr $vpn_subnet_tor udp dport 53 counter dnat to 10.10.20.1:53530
-            iifname $vpn_if_tor ip protocol tcp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
-            iifname $vpn_if_tor ip protocol udp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
-        }
-
-}
-```
-
-```bash
-clear && cowsay -W 76 -f ovpn 'Reiniciamos nuestro servicio y comprobamos que todo funciona correctamente.'
-```
-
-```bash
-sudo systemctl restart nftables.service && sudo systemctl status nftables.service
-```

 ```bash
 clear && cowsay -W 76 -f ovpn 'Crearemos copias de nuestra configuración base para clientes, servidor y del script de generación de configuración y alteraremos los valores para nuestra VPN alternativa.'
@ -1117,6 +1022,105 @@ sudo ./make_config_tor.sh client3
 sudo ./make_config_tor.sh client4
 ```

+```bash
+clear && cowsay -W 76 -f ovpn 'Levantamos nuestro servicio TOR, comprobamos que todo funciona correctamente y habilitamos el inicio automático.'
+```
+
+```bash
+sudo systemctl restart tor.service && sudo systemctl status tor.service
+
+sudo netstat -tulpen | grep tor
+
+sudo systemctl enable tor.service 
+```
+
+```bash
+clear && cowsay -W 76 -f ovpn 'Ahora deberemos modificar nuestras Net Filter Tables para que en la cadena de pre enrutamiento el tráfico de nuestra segunda VPN se redirija hacia los nodos TOR, estableciendo así un proxy transparente que redirigirá todo el tráfico de los clientes que conecten en esta modalidad.'
+```
+
+```bash
+sudo dd if=/dev/null of=/etc/nftables.conf && sudo vim /etc/nftables.conf
+```
+
+```bash
+#!/usr/sbin/nft -f
+
+flush ruleset
+define vpn_port=6174
+define vpn_if=tun0
+define outside_if=enp0s17
+define vpn_subnet=10.10.10.0/24
+
+define vpn_port_tor=6175
+define vpn_if_tor=tun1
+define vpn_subnet_tor=10.10.20.0/24
+
+table inet filter {
+
+
+        chain input {
+                # allow OpenVPN connections to the Server
+                udp dport $vpn_port accept
+                
+                # allow OpenVPN TOR connections to the Server
+                udp dport $vpn_port_tor accept
+        }
+
+        chain forward {
+                #Drop forwarded packets if they are not matched
+                type filter hook forward priority 0; policy drop;
+
+                # allow existing connections
+                ct state related,established accept
+
+                # allow packets from vpn interface
+                iifname $vpn_if oifname $outside_if accept
+                
+                # allow packets from vpn interface
+                iifname $vpn_if_tor oifname $outside_if accept
+        }
+
+        chain output {
+						## Transproxy leak blocked:
+    				# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#WARNING
+            ct state invalid counter drop
+            oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
+            oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
+    }
+
+}
+
+# create a ipv4 table only for NAT entries (you need both chains even if they're empty)
+table ip nat {
+        chain postrouting {
+                type nat hook postrouting priority 100;
+
+                # enable NAT for VPN
+                iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
+                
+                # enable NAT for TOR VPN
+                iifname $vpn_if_tor oifname $outside_if ip saddr $vpn_subnet_tor masquerade
+        }
+
+        chain prerouting {
+            # Transparent proxy to TOR
+            type nat hook prerouting priority 0;
+            iifname $vpn_if_tor ip saddr $vpn_subnet_tor udp dport 53 counter dnat to 10.10.20.1:53530
+            iifname $vpn_if_tor ip protocol tcp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
+            iifname $vpn_if_tor ip protocol udp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
+        }
+
+}
+```
+
+```bash
+clear && cowsay -W 76 -f ovpn 'Reiniciamos nuestro servicio y comprobamos que todo funciona correctamente.'
+```
+
+```bash
+sudo systemctl restart nftables.service && sudo systemctl status nftables.service
+```
+
 # Panel Títulos (⌘1)

 ```bash