From d559c24c87974c400db67309d659f6e92020592f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Antonio=20Y=C3=A1=C3=B1ez=20Jim=C3=A9nez?= Date: Thu, 26 May 2022 00:06:34 +0000 Subject: [PATCH] docs: update vpn/openvpn/servidor --- vpn/openvpn/servidor.md | 57 +++++++++++++++++++++++++++++++---------- 1 file changed, 43 insertions(+), 14 deletions(-) diff --git a/vpn/openvpn/servidor.md b/vpn/openvpn/servidor.md index 00b0a36..fd0cfd5 100644 --- a/vpn/openvpn/servidor.md +++ b/vpn/openvpn/servidor.md @@ -2,7 +2,7 @@ title: OpenVPN - Servidor description: Tutorial de instalación del Servidor OpenVPN published: true -date: 2022-05-25T23:45:52.556Z +date: 2022-05-26T00:06:30.918Z tags: vpn, servidor, debian editor: markdown dateCreated: 2022-05-18T16:48:57.246Z @@ -781,8 +781,7 @@ AutomapHostsOnResolve 1 AutomapHostsSuffixes .onion,.exit DNSPort 10.10.20.1:53530 TransPort 10.10.20.1:9040 -ExitNodes {us} -StrictNodes 1 +ExitNodes {us} StrictNodes 1 sudo systemctl restart tor.service @@ -822,6 +821,9 @@ table inet filter { # allow packets from vpn interface iifname $vpn_if oifname $outside_if accept + + # allow packets from vpn interface + iifname $vpn_if_tor oifname $outside_if accept } chain output { @@ -840,12 +842,15 @@ table ip nat { # enable NAT for VPN iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade + + # enable NAT for TOR VPN + iifname $vpn_if_tor oifname $outside_if ip saddr $vpn_subnet_tor masquerade } chain prerouting { # Transparent proxy to TOR type nat hook prerouting priority 0; - iifname $vpn_if_tor ip saddr $vpn_subnet udp dport 53 counter dnat to 10.10.20.1:53530 + iifname $vpn_if_tor ip saddr $vpn_subnet_tor udp dport 53 counter dnat to 10.10.20.1:53530 iifname $vpn_if_tor ip protocol tcp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040 iifname $vpn_if_tor ip protocol udp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040 } 
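Review bot: The added `ExitNodes {us} StrictNodes 1` in the `@@ -781,8 +781,7 @@` hunk folds two directives onto one line, but torrc takes one option per line, so Tor reads `StrictNodes 1` as part of the ExitNodes node list and rejects the configuration instead of applying strict exit selection. The `sudo systemctl restart tor.service` that follows would then fail and leave the daemon stopped; the Tor-VPN clients, whose DNS and TCP are DNATed to 10.10.20.1 in a later hunk, would presumably lose connectivity rather than leak, but the tutorial would not work as written. Keep the two removed lines as they were: `ExitNodes {us}` and `StrictNodes 1`, each on its own line.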
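Review bot: The new forward rule `iifname $vpn_if_tor oifname $outside_if accept` in the `@@ -822,6 +821,9 @@` hunk, together with the matching masquerade rule in the `@@ -840,12 +842,15 @@` hunk, gives the Tor VPN subnet a direct path to `$outside_if`, so any packet the prerouting DNAT does not redirect (the visible rules match only TCP, UDP and UDP/53 from `$vpn_subnet_tor`) — ICMP or any other IP protocol — leaves with the server's public address and bypasses Tor. If the forward chain's policy is drop (not visible in this hunk), omitting both rules is enough; otherwise replace the accept with `iifname $vpn_if_tor oifname $outside_if drop` and remove the masquerade line, keeping only the redirects to the local DNSPort/TransPort. The comment copied above the new rule also still reads `# allow packets from vpn interface`; `# allow packets from tor vpn interface` would distinguish the two.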
@@ -857,16 +862,15 @@ table ip nat { sudo systemctl restart nftables.service && sudo systemctl status nftables.service ``` -```bash -sudo vim /etc/openvpn/server.conf - -push "dhcp-option DNS 10.8.0.1" -``` +### Configuración de script de cliente ```bash -sudo systemctl restart openvpn@server.service && sudo systemctl status openvpn@server.service +cp ~/client-configs/base.conf ~/client-configs/base-tor.conf + +cp ~/client-configs/make_config.sh ~/client-configs/make_config_tor.sh ``` + ## Landing Page para descarga de configuración cliente ```bash @@ -884,7 +888,10 @@ sudo apt install nginx-core nginx-common nginx nginx-full apache2-utils ```bash cd /var/www -sudo htpasswd -c .htpasswd client1 +sudo htpasswd -c .htpasswd1 client1 +sudo htpasswd -c .htpasswd2 client2 +sudo htpasswd -c .htpasswd3 client3 +sudo htpasswd -c .htpasswd4 client4 ``` ```bash @@ -941,11 +948,30 @@ server { server_name _; - location /download { + location /download/client1 { try_files $uri $uri/ =404; auth_basic "Client Area"; - auth_basic_user_file /var/www/.htpasswd; + auth_basic_user_file /var/www/.htpasswd1; } + + location /download/client2 { + try_files $uri $uri/ =404; + auth_basic "Client Area"; + auth_basic_user_file /var/www/.htpasswd2; + } + + location /download/client3 { + try_files $uri $uri/ =404; + auth_basic "Client Area"; + auth_basic_user_file /var/www/.htpasswd2; + } + + location /download/client4 { + try_files $uri $uri/ =404; + auth_basic "Client Area"; + auth_basic_user_file /var/www/.htpasswd4; + } + } ``` 
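Review bot: The `location /download/client3` block added in the `@@ -941,11 +948,30 @@` hunk points `auth_basic_user_file` at `/var/www/.htpasswd2`, so client2's credentials unlock client3's download directory and the `.htpasswd3` created in the `@@ -884,7 +888,10 @@` hunk is never consulted. Each per-client directory presumably serves that client's own `.ovpn` (the copy step appears in a later hunk), so cross-client access defeats the purpose of the separate password files. Change the line to `auth_basic_user_file /var/www/.htpasswd3;`.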
@@ -957,7 +983,10 @@ scp -i .\.ssh\id_admin_bastionado .\bastionado-vpn.tar ovpn@ovpn.bastionado.es:/ sudo tar -xvf bastionado-vpn.tar -C /var/www/html -sudo cp /home/ovpn/client-configs/files/bastionado-client1.ovpn /var/www/html/download +sudo cp /home/ovpn/client-configs/files/bastionado-client1.ovpn /var/www/html/download/client1 +sudo cp /home/ovpn/client-configs/files/bastionado-client2.ovpn /var/www/html/download/client2 +sudo cp /home/ovpn/client-configs/files/bastionado-client3.ovpn /var/www/html/download/client3 +sudo cp /home/ovpn/client-configs/files/bastionado-client4.ovpn /var/www/html/download/client4 sudo chown -R www-data:www-data /var/www