docs: update vpn/openvpn/servidor

2022-05-25 23:45:56 +00:00 · 2022-05-25 23:45:56 +00:00 · 5b1905e9bc
commit 5b1905e9bc
parent bb90567abb
1 changed files with 73 additions and 15 deletions
--- a/vpn/openvpn/servidor.md
+++ b/vpn/openvpn/servidor.md
@ -2,7 +2,7 @@
 title: OpenVPN - Servidor
 description: Tutorial de instalación del Servidor OpenVPN
 published: true
-date: 2022-05-25T23:19:11.192Z
+date: 2022-05-25T23:45:52.556Z
 tags: vpn, servidor, debian
 editor: markdown
 dateCreated: 2022-05-18T16:48:57.246Z
@ -647,6 +647,7 @@ cd ~/client-configs
 sudo ./make_config.sh client1
 sudo ./make_config.sh client2
 sudo ./make_config.sh client3
+sudo ./make_config.sh client3
 ```

 * Los fichero resultantes, `bastionado-client{1,2,3}.ovpn` deberán entregarse a los clientes para que éstos puedan conectar a la VPN.
@ -681,7 +682,7 @@ table inet filter {
                # allow existing connections
                ct state related,established accept

-                # allow packats from vpn interface
+                # allow packets from vpn interface
                iifname $vpn_if oifname $outside_if accept

        }
@ -719,17 +720,69 @@ sudo systemctl restart nftables.service && sudo systemctl status nftables.servic
 sudo systemctl enable nftables.service
 ```

+## OpenVPN + TOR
+
+### Configuración de OpenVPN
+
+```bash
+sudo cp /etc/openvpn/server.conf /etc/openvpn/tor.conf
+```
+
+```bash
+sudo vim /etc/openvpn/tor.conf
+```
+
+```bash
+port 6175
+
+dev tun1
+
+server 10.10.20.0 255.255.255.0
+
+ifconfig-pool-persist /var/log/openvpn/ipp-tor.txt
+
+push "dhcp-option DNS 10.10.20.1"
+push "dhcp-option DNS 1.1.1.1"
+
+status /var/log/openvpn/openvpn-status-tor.log
+
+log-append  /var/log/openvpn/openvpn-tor.log
+```
+
+### Puesta en funcionamiento del servicio
+
+* Arrancar y comprobar el estado del servicio OpenVPN
+
+```bash
+sudo systemctl restart openvpn@tor && sudo systemctl status openvpn@tor
+```
+
+* Comprobar la existencia de la intefaz virtual de OpenVPN
+
+```bash
+ip addr show tun1
+```
+
+* Habilitar el arranque automático de OpenVPN
+
+```bash
+sudo systemctl enable openvpn@tor
+```
+
 ## Habilitando tor

 ```bash
-sudo apt install tor
+sudo apt install tor -y

 sudo vim /etc/tor/torrc

-  VirtualAddrNetwork 10.192.0.0/10
-  AutomapHostsOnResolve 1
-  DNSPort 10.8.0.1:53530
-  TransPort 10.8.0.1:9040
+VirtualAddrNetwork 10.192.0.0/10
+AutomapHostsOnResolve 1
+AutomapHostsSuffixes .onion,.exit
+DNSPort 10.10.20.1:53530
+TransPort 10.10.20.1:9040
+ExitNodes {us} 
+StrictNodes 1

 sudo systemctl restart tor.service

@ -740,10 +793,14 @@ sudo netstat -tulpen | grep tor
 #!/usr/sbin/nft -f

 flush ruleset
-define vpn_port=1194
+define vpn_port=6174
 define vpn_if=tun0
 define outside_if=enp0s17
-define vpn_subnet=10.8.0.0/24
+define vpn_subnet=10.10.10.0/24
+
+define vpn_port_tor=6175
+define vpn_if_tor=tun1
+define vpn_subnet_tor=10.10.20.0/24

 table inet filter {

@ -751,6 +808,9 @@ table inet filter {
        chain input {
                # allow OpenVPN connections to the Server
                udp dport $vpn_port accept
+                
+                # allow OpenVPN TOR connections to the Server
+                udp dport $vpn_port_tor accept
        }

        chain forward {
@ -760,9 +820,8 @@ table inet filter {
                # allow existing connections
                ct state related,established accept

-                # allow packats from vpn interface
+                # allow packets from vpn interface
                iifname $vpn_if oifname $outside_if accept
-
        }

        chain output {
@ -781,15 +840,14 @@ table ip nat {

                # enable NAT for VPN
                iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
-
        }

        chain prerouting {
            # Transparent proxy to TOR
            type nat hook prerouting priority 0;
-            iifname $vpn_if ip saddr $vpn_subnet udp dport 53 counter dnat to 10.8.0.1:53530
-            iifname $vpn_if ip protocol tcp ip saddr $vpn_subnet counter dnat to 10.8.0.1:9040
-            iifname $vpn_if ip protocol udp ip saddr $vpn_subnet counter dnat to 10.8.0.1:9040
+            iifname $vpn_if_tor ip saddr $vpn_subnet udp dport 53 counter dnat to 10.10.20.1:53530
+            iifname $vpn_if_tor ip protocol tcp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
+            iifname $vpn_if_tor ip protocol udp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
        }

 }