docs: update vpn/openvpn/servidor

assets/files/openvpn-server/default-site-nginx.conf

@@ -0,0 +1,35 @@
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        root /var/www/html;
+
+        index index.html;
+
+        server_name _;
+
+        location /download/client1 {
+                try_files $uri $uri/ =404;
+                        auth_basic "Client Area";
+                        auth_basic_user_file /var/www/.htpasswd1;
+        }
+        
+        location /download/client2 {
+                try_files $uri $uri/ =404;
+                        auth_basic "Client Area";
+                        auth_basic_user_file /var/www/.htpasswd2;
+        }
+        
+        location /download/client3 {
+                try_files $uri $uri/ =404;
+                        auth_basic "Client Area";
+                        auth_basic_user_file /var/www/.htpasswd2;
+        }
+        
+        location /download/client4 {
+                try_files $uri $uri/ =404;
+                        auth_basic "Client Area";
+                        auth_basic_user_file /var/www/.htpasswd4;
+        }
+        
+}

assets/files/openvpn-server/nftables-tor.conf

@@ -0,0 +1,68 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+define vpn_port=6174
+define vpn_if=tun0
+define outside_if=enp0s17
+define vpn_subnet=10.10.10.0/24
+
+define vpn_port_tor=6175
+define vpn_if_tor=tun1
+define vpn_subnet_tor=10.10.20.0/24
+
+table inet filter {
+
+
+        chain input {
+                # allow OpenVPN connections to the Server
+                udp dport $vpn_port accept
+                
+                # allow OpenVPN TOR connections to the Server
+                udp dport $vpn_port_tor accept
+        }
+
+        chain forward {
+                #Drop forwarded packets if they are not matched
+                type filter hook forward priority 0; policy drop;
+
+                # allow existing connections
+                ct state related,established accept
+
+                # allow packets from vpn interface
+                iifname $vpn_if oifname $outside_if accept
+                
+                # allow packets from vpn interface
+                iifname $vpn_if_tor oifname $outside_if accept
+        }
+
+        chain output {
+            ## Transproxy leak blocked:
+            # https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#WARNING
+            ct state invalid counter drop
+            oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
+            oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
+    }
+
+}
+
+# create a ipv4 table only for NAT entries (you need both chains even if they're empty)
+table ip nat {
+        chain postrouting {
+                type nat hook postrouting priority 100;
+
+                # enable NAT for VPN
+                iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
+                
+                # enable NAT for TOR VPN
+                iifname $vpn_if_tor oifname $outside_if ip saddr $vpn_subnet_tor masquerade
+        }
+
+        chain prerouting {
+            # Transparent proxy to TOR
+            type nat hook prerouting priority 0;
+            iifname $vpn_if_tor ip saddr $vpn_subnet_tor udp dport 53 counter dnat to 10.10.20.1:53530
+            iifname $vpn_if_tor ip protocol tcp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
+            iifname $vpn_if_tor ip protocol udp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
+        }
+
+}

assets/files/openvpn-server/nftables.conf

@@ -0,0 +1,53 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+define vpn_port=6174
+define vpn_if=tun0
+define outside_if=enp0s17
+define vpn_subnet=10.10.10.0/24
+
+table inet filter {
+
+
+        chain input {
+                # allow OpenVPN VPN connections to the Server
+                udp dport $vpn_port accept
+        }
+
+        chain forward {
+                #Drop forwarded packets if they are not matched
+                type filter hook forward priority 0; policy drop;
+
+                # allow existing connections
+                ct state related,established accept
+
+                # allow packets from vpn interface
+                iifname $vpn_if oifname $outside_if accept
+
+        }
+
+        chain output {
+                # Security drops
+                ct state invalid counter drop
+                oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
+                oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
+    }
+
+}
+
+# create a ipv4 table only for NAT entries (you need both chains even if they're empty)
+table ip nat {
+        chain postrouting {
+                type nat hook postrouting priority 100;
+
+                # enable NAT for VPN
+                iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
+
+        }
+
+        chain prerouting {
+                type nat hook prerouting priority 0;
+
+        }
+
+}

assets/files/openvpn-server/nginx.conf

@@ -0,0 +1,23 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+}
+
+http {
+        sendfile on;
+        tcp_nopush on;
+        types_hash_max_size 2048;
+        server_tokens off;
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+        gzip on;
+
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+}

assets/files/openvpn-server/server-crl.conf

@@ -0,0 +1,43 @@
+port 6174
+
+proto udp
+
+dev tun0
+
+ca ca.crt
+cert ovpn.crt
+key ovpn.key
+
+dh dh.pem
+
+server 10.10.10.0 255.255.255.0
+
+ifconfig-pool-persist /var/log/openvpn/ipp.txt
+
+push "redirect-gateway def1 bypass-dhcp"
+
+push "dhcp-option DNS 1.1.1.1"
+push "dhcp-option DNS 1.0.0.1"
+
+keepalive 10 120
+
+tls-auth ta.key 0
+
+cipher AES-256-CBC
+auth SHA512
+
+user nobody
+group nogroup
+
+persist-key
+persist-tun
+
+status /var/log/openvpn/openvpn-status.log
+
+log-append  /var/log/openvpn/openvpn.log
+
+verb 3
+
+explicit-exit-notify 1
+
+crl-verify crl.pem

assets/files/openvpn-server/tor.conf

@@ -0,0 +1,43 @@
+port 6175
+
+proto udp
+
+dev tun1
+
+ca ca.crt
+cert ovpn.crt
+key ovpn.key
+
+dh dh.pem
+
+server 10.10.20.0 255.255.255.0
+
+ifconfig-pool-persist /var/log/openvpn/ipp-tor.txt
+
+push "redirect-gateway def1 bypass-dhcp"
+
+push "dhcp-option DNS 10.10.20.1"
+push "dhcp-option DNS 1.0.0.1"
+
+keepalive 10 120
+
+tls-auth ta.key 0
+
+cipher AES-256-CBC
+auth SHA512
+
+user nobody
+group nogroup
+
+persist-key
+persist-tun
+
+status /var/log/openvpn/openvpn-status-tor.log
+
+log-append  /var/log/openvpn/openvpn-tor.log
+
+verb 3
+
+explicit-exit-notify 1
+
+crl-verify crl.pem