From 5b1905e9bcecc6b445f7286def9e65ee5cc759c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Antonio=20Y=C3=A1=C3=B1ez=20Jim=C3=A9nez?=
Date: Wed, 25 May 2022 23:45:56 +0000
Subject: [PATCH] docs: update vpn/openvpn/servidor
---
 vpn/openvpn/servidor.md | 88 ++++++++++++++++++++++++++++++++++-------
 1 file changed, 73 insertions(+), 15 deletions(-)
diff --git a/vpn/openvpn/servidor.md b/vpn/openvpn/servidor.md
index 7e6b15b..00b0a36 100644
--- a/vpn/openvpn/servidor.md
+++ b/vpn/openvpn/servidor.md
@@ -2,7 +2,7 @@
 title: OpenVPN - Servidor
 description: Tutorial de instalación del Servidor OpenVPN
 published: true
-date: 2022-05-25T23:19:11.192Z
+date: 2022-05-25T23:45:52.556Z
 tags: vpn, servidor, debian
 editor: markdown
 dateCreated: 2022-05-18T16:48:57.246Z
@@ -647,6 +647,7 @@ cd ~/client-configs
 sudo ./make_config.sh client1
 sudo ./make_config.sh client2
 sudo ./make_config.sh client3
+sudo ./make_config.sh client3
 ```
 * Los fichero resultantes, `bastionado-client{1,2,3}.ovpn` deberán entregarse a los clientes para que éstos puedan conectar a la VPN.
@@ -681,7 +682,7 @@ table inet filter {
 # allow existing connections
 ct state related,established accept
- # allow packats from vpn interface
+ # allow packets from vpn interface
 iifname $vpn_if oifname $outside_if accept
 }
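Review bot: The added `sudo ./make_config.sh client3` in the hunk at @@ -647 repeats the line directly above it, so the example generates the client3 profile twice while the sentence that follows still lists the results as `bastionado-client{1,2,3}.ovpn`. If a fourth client was intended the line should be `sudo ./make_config.sh client4` and the file list updated to `{1,2,3,4}`; otherwise the added line should be removed. Running the script twice for the same name presumably overwrites the first profile, which is also worth a sentence if that is the expected behaviour.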
@@ -719,17 +720,69 @@ sudo systemctl restart nftables.service && sudo systemctl status nftables.servic
 sudo systemctl enable nftables.service
 ```
+## OpenVPN + TOR
+
+### Configuración de OpenVPN
+
+```bash
+sudo cp /etc/openvpn/server.conf /etc/openvpn/tor.conf
+```
+
+```bash
+sudo vim /etc/openvpn/tor.conf
+```
+
+```bash
+port 6175
+
+dev tun1
+
+server 10.10.20.0 255.255.255.0
+
+ifconfig-pool-persist /var/log/openvpn/ipp-tor.txt
+
+push "dhcp-option DNS 10.10.20.1"
+push "dhcp-option DNS 1.1.1.1"
+
+status /var/log/openvpn/openvpn-status-tor.log
+
+log-append /var/log/openvpn/openvpn-tor.log
+```
+
+### Puesta en funcionamiento del servicio
+
+* Arrancar y comprobar el estado del servicio OpenVPN
+
+```bash
+sudo systemctl restart openvpn@tor && sudo systemctl status openvpn@tor
+```
+
+* Comprobar la existencia de la intefaz virtual de OpenVPN
+
+```bash
+ip addr show tun1
+```
+
+* Habilitar el arranque automático de OpenVPN
+
+```bash
+sudo systemctl enable openvpn@tor
+```
+
 ## Habilitando tor
 ```bash
-sudo apt install tor
+sudo apt install tor -y
 sudo vim /etc/tor/torrc
- VirtualAddrNetwork 10.192.0.0/10
- AutomapHostsOnResolve 1
- DNSPort 10.8.0.1:53530
- TransPort 10.8.0.1:9040
+VirtualAddrNetwork 10.192.0.0/10
+AutomapHostsOnResolve 1
+AutomapHostsSuffixes .onion,.exit
+DNSPort 10.10.20.1:53530
+TransPort 10.10.20.1:9040
+ExitNodes {us}
+StrictNodes 1
 sudo systemctl restart tor.service
@@ -740,10 +793,14 @@ sudo netstat -tulpen | grep tor
 #!/usr/sbin/nft -f
 flush ruleset
-define vpn_port=1194
+define vpn_port=6174
 define vpn_if=tun0
 define outside_if=enp0s17
-define vpn_subnet=10.8.0.0/24
+define vpn_subnet=10.10.10.0/24
+
+define vpn_port_tor=6175
+define vpn_if_tor=tun1
+define vpn_subnet_tor=10.10.20.0/24
 table inet filter {
@@ -751,6 +808,9 @@ table inet filter {
 chain input {
 # allow OpenVPN connections to the Server
 udp dport $vpn_port accept
+
+ # allow OpenVPN TOR connections to the Server
+ udp dport $vpn_port_tor accept
 }
 chain forward {
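Review bot: The new tor.conf pushes `push "dhcp-option DNS 1.1.1.1"` as a second resolver, which hands clients of a tunnel that is supposed to exit through Tor a non-Tor DNS path; for this profile only `push "dhcp-option DNS 10.10.20.1"` should be pushed so every query goes to the Tor DNSPort, and the fallback line should be dropped. The torrc additions `ExitNodes {us}` and `StrictNodes 1` need a one-line explanation in the text: they narrow the exits Tor may use, and with StrictNodes Tor refuses to build circuits when no matching exit is reachable, so the tunnel fails closed instead of falling back. Because DNSPort and TransPort now bind to 10.10.20.1, tor can presumably only start once tun1 is up, so the doc should state that `openvpn@tor` has to be running before `sudo systemctl restart tor.service`.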
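Review bot: The input chain in the hunk at @@ -751 gains `udp dport $vpn_port_tor accept`, but nothing visible accepts the traffic that the prerouting rules later redirect to 10.10.20.1:9040 and 10.10.20.1:53530, which after DNAT to a local address is delivered through this same input chain rather than forward. Unless the part of the chain cut off above the hunk already covers it, rules along the lines of `iifname $vpn_if_tor tcp dport 9040 accept` and `iifname $vpn_if_tor udp dport 53530 accept` are needed, or the Tor clients will be able to authenticate to OpenVPN and then reach nothing. The chain's opening line is the first line of the hunk; its surrounding table starts outside it.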
@@ -760,9 +820,8 @@ table inet filter {
 # allow existing connections
 ct state related,established accept
- # allow packats from vpn interface
+ # allow packets from vpn interface
 iifname $vpn_if oifname $outside_if accept
-
 }
 chain output {
@@ -781,15 +840,14 @@ table ip nat {
 # enable NAT for VPN
 iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
-
 }
 chain prerouting {
 # Transparent proxy to TOR
 type nat hook prerouting priority 0;
- iifname $vpn_if ip saddr $vpn_subnet udp dport 53 counter dnat to 10.8.0.1:53530
- iifname $vpn_if ip protocol tcp ip saddr $vpn_subnet counter dnat to 10.8.0.1:9040
- iifname $vpn_if ip protocol udp ip saddr $vpn_subnet counter dnat to 10.8.0.1:9040
+ iifname $vpn_if_tor ip saddr $vpn_subnet udp dport 53 counter dnat to 10.10.20.1:53530
+ iifname $vpn_if_tor ip protocol tcp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
+ iifname $vpn_if_tor ip protocol udp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
 }
 }
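Review bot: The DNS redirect in the hunk at @@ -781 matches `iifname $vpn_if_tor` but keys on `ip saddr $vpn_subnet` (10.10.10.0/24), while the clients arriving on tun1 hold 10.10.20.0/24 addresses, so the rule never matches and DNS from the Tor VPN is not steered to the DNSPort at all; it should read `iifname $vpn_if_tor ip saddr $vpn_subnet_tor udp dport 53 counter dnat to 10.10.20.1:53530`, consistent with the two rules beneath it. Separately, Tor's TransPort only accepts TCP, so the rule that sends all remaining UDP to 9040 delivers it to a port with no UDP listener; that is pre-existing behaviour, but a comment such as `# non-DNS UDP is not carried by Tor; redirecting it to TransPort effectively drops it` would stop readers from expecting UDP to work. The closing braces of `table ip nat` are the last two lines of the hunk.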