CETI/wiki-bastionado
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: CETI:d99cf31798f227d21f358caed9fd126e57724ae9
Branches Tags
CETI:master
...
compare: CETI:master
Branches Tags
CETI:master

61 Commits
d99cf31798 ... master

Author SHA1 Message Date
José Antonio Yáñez Jiménez
3d1a74ec28 docs: update vpn/openvpn/servidor 2022-06-02 10:21:24 +00:00
José Antonio Yáñez Jiménez
d84e21cfe8 docs: upload assets/files/openvpn-server/default-site-nginx.conf 2022-06-02 10:17:44 +00:00
José Antonio Yáñez Jiménez
281257bf52 docs: upload assets/files/openvpn-server/nginx.conf 2022-06-02 10:15:46 +00:00
José Antonio Yáñez Jiménez
b19cad562e docs: update vpn/openvpn/guide 2022-06-02 10:11:30 +00:00
José Antonio Yáñez Jiménez
52929aac91 docs: update vpn/openvpn/guide 2022-06-02 10:08:54 +00:00
José Antonio Yáñez Jiménez
1e7f9a0ff7 docs: update vpn/openvpn/servidor 2022-06-02 10:08:51 +00:00
José Antonio Yáñez Jiménez
434f39fc2d docs: upload assets/files/openvpn-server/nftables-tor.conf 2022-06-02 09:16:04 +00:00
José Antonio Yáñez Jiménez
af39e2d8b9 docs: upload assets/files/openvpn-server/nftables.conf 2022-06-02 09:16:04 +00:00
José Antonio Yáñez Jiménez
16e6d3521d docs: update vpn/openvpn/guide 2022-06-02 09:08:10 +00:00
José Antonio Yáñez Jiménez
bfcec5da39 docs: update vpn/openvpn/guide 2022-06-02 09:07:39 +00:00
José Antonio Yáñez Jiménez
c5ea1cabd6 docs: update vpn/openvpn/guide 2022-06-02 09:02:03 +00:00
José Antonio Yáñez Jiménez
8b56617c83 docs: upload assets/files/openvpn-server/tor.conf 2022-06-02 08:55:57 +00:00
José Antonio Yáñez Jiménez
6522b3c2e4 docs: upload assets/files/openvpn-server/server-crl.conf 2022-06-02 08:48:14 +00:00
José Antonio Yáñez Jiménez
42956de137 docs: delete assets/files/bastionado-vpn.tar 2022-06-02 08:48:01 +00:00
José Antonio Yáñez Jiménez
66dc90be0a docs: update vpn/openvpn/servidor 2022-06-02 08:46:07 +00:00
José Antonio Yáñez Jiménez
19d9c9fe28 docs: update vpn/openvpn/guide 2022-06-01 22:53:51 +00:00
José Antonio Yáñez Jiménez
9971993a00 docs: update vpn/openvpn/guide 2022-06-01 09:43:47 +00:00
José Antonio Yáñez Jiménez
312b9ce8d1 docs: update vpn/openvpn/guide 2022-06-01 09:43:04 +00:00
José Antonio Yáñez Jiménez
f31d9be677 docs: update vpn/openvpn/guide 2022-06-01 00:55:03 +00:00
José Antonio Yáñez Jiménez
7a1a740ca3 docs: update vpn/openvpn/guide 2022-06-01 00:48:07 +00:00
José Antonio Yáñez Jiménez
acc7194b8b docs: update vpn/openvpn/guide 2022-06-01 00:43:24 +00:00
José Antonio Yáñez Jiménez
0884904c51 docs: update vpn/openvpn/guide 2022-06-01 00:42:07 +00:00
José Antonio Yáñez Jiménez
b14cd676ba docs: update vpn/openvpn/guide 2022-06-01 00:39:18 +00:00
José Antonio Yáñez Jiménez
bd7349ed34 docs: update vpn/openvpn/guide 2022-06-01 00:17:31 +00:00
José Antonio Yáñez Jiménez
c9101cca2e docs: update vpn/openvpn/servidor 2022-06-01 00:14:57 +00:00
José Antonio Yáñez Jiménez
483d12b06b docs: update vpn/openvpn/guide 2022-06-01 00:07:16 +00:00
José Antonio Yáñez Jiménez
1eca69a155 docs: update vpn/openvpn/servidor 2022-05-31 23:59:22 +00:00
José Antonio Yáñez Jiménez
1a2d9f574a docs: update vpn/openvpn/servidor 2022-05-31 23:42:29 +00:00
José Antonio Yáñez Jiménez
64ffccb1b6 docs: update vpn/openvpn/guide 2022-05-31 23:35:32 +00:00
José Antonio Yáñez Jiménez
e29615bc06 docs: update vpn/openvpn/guide 2022-05-31 23:30:11 +00:00
José Antonio Yáñez Jiménez
8ba7535270 docs: update vpn/openvpn/guide 2022-05-31 23:15:02 +00:00
José Antonio Yáñez Jiménez
fd9ef6a0be docs: update vpn/openvpn/guide 2022-05-31 23:10:08 +00:00
José Antonio Yáñez Jiménez
855b540cdd docs: update vpn/openvpn/guide 2022-05-31 22:52:03 +00:00
José Antonio Yáñez Jiménez
b6b33debbd docs: update vpn/openvpn/servidor 2022-05-31 22:01:26 +00:00
José Antonio Yáñez Jiménez
26ecab93ff docs: update vpn/openvpn/guide 2022-05-31 22:01:03 +00:00
José Antonio Yáñez Jiménez
0e122c874f docs: update vpn/openvpn/servidor 2022-05-31 21:58:07 +00:00
José Antonio Yáñez Jiménez
dfdcbc9d48 docs: create vpn/openvpn/guide 2022-05-31 21:04:20 +00:00
José Antonio Yáñez Jiménez
7095f89e7f docs: update vpn/openvpn/servidor 2022-05-31 13:06:26 +00:00
José Antonio Yáñez Jiménez
1c34c65b6f docs: update vpn/openvpn/servidor 2022-05-31 13:05:58 +00:00
José Antonio Yáñez Jiménez
392b80d564 docs: upload assets/files/openvpn-server/bastionado-vpn.tar 2022-05-31 13:05:17 +00:00
José Antonio Yáñez Jiménez
ccfc0d59b0 docs: upload assets/files/bastionado-vpn.tar 2022-05-31 13:05:05 +00:00
José Antonio Yáñez Jiménez
62955f111d docs: delete assets/files/bastionado-vpn.tar 2022-05-31 13:04:39 +00:00
José Antonio Yáñez Jiménez
94b26e02fb docs: update vpn/openvpn/servidor 2022-05-26 14:13:19 +00:00
José Antonio Yáñez Jiménez
b0d43ae8e3 docs: update vpn/openvpn/servidor 2022-05-26 00:18:07 +00:00
José Antonio Yáñez Jiménez
d559c24c87 docs: update vpn/openvpn/servidor 2022-05-26 00:06:34 +00:00
José Antonio Yáñez Jiménez
5b1905e9bc docs: update vpn/openvpn/servidor 2022-05-25 23:45:56 +00:00
José Antonio Yáñez Jiménez
bb90567abb docs: update vpn/openvpn/servidor 2022-05-25 23:19:14 +00:00
José Antonio Yáñez Jiménez
e809cabf7a docs: update vpn/openvpn/servidor 2022-05-25 23:02:45 +00:00
José Antonio Yáñez Jiménez
a9decc3698 docs: delete assets/files/server.conf 2022-05-25 23:01:05 +00:00
José Antonio Yáñez Jiménez
56cb0f24b6 docs: delete assets/files/easyrsa-vars 2022-05-25 23:01:01 +00:00
José Antonio Yáñez Jiménez
ca72161a6f docs: upload assets/files/openvpn-server/server.conf 2022-05-25 23:00:48 +00:00
José Antonio Yáñez Jiménez
34d14f46d6 docs: upload assets/files/openvpn-server/easyrsa-vars 2022-05-25 23:00:48 +00:00
José Antonio Yáñez Jiménez
7a177f0915 docs: upload assets/files/openvpn-server/client.conf 2022-05-25 23:00:30 +00:00
José Antonio Yáñez Jiménez
4f4178d0f4 docs: upload assets/files/server.conf 2022-05-25 22:45:39 +00:00
José Antonio Yáñez Jiménez
74f4b43d6b docs: delete assets/files/server.conf 2022-05-25 22:45:33 +00:00
José Antonio Yáñez Jiménez
600cfeee47 docs: update vpn/openvpn/servidor 2022-05-25 22:44:54 +00:00
José Antonio Yáñez Jiménez
fa09107812 docs: update vpn/openvpn/servidor 2022-05-25 22:41:45 +00:00
José Antonio Yáñez Jiménez
3dc155be4c docs: upload assets/files/server.conf 2022-05-25 22:40:48 +00:00
José Antonio Yáñez Jiménez
6051aea5b1 docs: update vpn/openvpn/servidor 2022-05-25 22:13:19 +00:00
José Antonio Yáñez Jiménez
1a507c8fa2 docs: update vpn/openvpn/servidor 2022-05-25 22:01:20 +00:00
José Antonio Yáñez Jiménez
636687791a docs: update vpn/openvpn/servidor 2022-05-25 21:44:04 +00:00
12 changed files with 2349 additions and 183 deletions
Expand all files Collapse all files

BIN
assets/files/bastionado-vpn.tar → assets/files/openvpn-server/bastionado-vpn.tar
View File

Binary file not shown.

26
assets/files/openvpn-server/client.conf Normal file
View File

@@ -0,0 +1,26 @@
client
dev tun
proto udp
remote ovpn.bastionado.es 6174
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
verb 3
key-direction 1

35
assets/files/openvpn-server/default-site-nginx.conf Normal file
View File

@@ -0,0 +1,35 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
index index.html;
server_name _;
location /download/client1 {
try_files $uri $uri/ =404;
auth_basic "Client Area";
auth_basic_user_file /var/www/.htpasswd1;
}
location /download/client2 {
try_files $uri $uri/ =404;
auth_basic "Client Area";
auth_basic_user_file /var/www/.htpasswd2;
}
location /download/client3 {
try_files $uri $uri/ =404;
auth_basic "Client Area";
auth_basic_user_file /var/www/.htpasswd2;
}
location /download/client4 {
try_files $uri $uri/ =404;
auth_basic "Client Area";
auth_basic_user_file /var/www/.htpasswd4;
}
}

0
assets/files/easyrsa-vars → assets/files/openvpn-server/easyrsa-vars
View File

68
assets/files/openvpn-server/nftables-tor.conf Normal file
View File

@@ -0,0 +1,68 @@
#!/usr/sbin/nft -f
flush ruleset
define vpn_port=6174
define vpn_if=tun0
define outside_if=enp0s17
define vpn_subnet=10.10.10.0/24
define vpn_port_tor=6175
define vpn_if_tor=tun1
define vpn_subnet_tor=10.10.20.0/24
table inet filter {
chain input {
# allow OpenVPN connections to the Server
udp dport $vpn_port accept
# allow OpenVPN TOR connections to the Server
udp dport $vpn_port_tor accept
}
chain forward {
#Drop forwarded packets if they are not matched
type filter hook forward priority 0; policy drop;
# allow existing connections
ct state related,established accept
# allow packets from vpn interface
iifname $vpn_if oifname $outside_if accept
# allow packets from vpn interface
iifname $vpn_if_tor oifname $outside_if accept
}
chain output {
## Transproxy leak blocked:
# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#WARNING
ct state invalid counter drop
oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
}
}
# create a ipv4 table only for NAT entries (you need both chains even if they're empty)
table ip nat {
chain postrouting {
type nat hook postrouting priority 100;
# enable NAT for VPN
iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
# enable NAT for TOR VPN
iifname $vpn_if_tor oifname $outside_if ip saddr $vpn_subnet_tor masquerade
}
chain prerouting {
# Transparent proxy to TOR
type nat hook prerouting priority 0;
iifname $vpn_if_tor ip saddr $vpn_subnet_tor udp dport 53 counter dnat to 10.10.20.1:53530
iifname $vpn_if_tor ip protocol tcp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
iifname $vpn_if_tor ip protocol udp ip saddr $vpn_subnet_tor counter dnat to 10.10.20.1:9040
}
}

53
assets/files/openvpn-server/nftables.conf Normal file
View File

@@ -0,0 +1,53 @@
#!/usr/sbin/nft -f
flush ruleset
define vpn_port=6174
define vpn_if=tun0
define outside_if=enp0s17
define vpn_subnet=10.10.10.0/24
table inet filter {
chain input {
# allow OpenVPN VPN connections to the Server
udp dport $vpn_port accept
}
chain forward {
#Drop forwarded packets if they are not matched
type filter hook forward priority 0; policy drop;
# allow existing connections
ct state related,established accept
# allow packets from vpn interface
iifname $vpn_if oifname $outside_if accept
}
chain output {
# Security drops
ct state invalid counter drop
oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
}
}
# create a ipv4 table only for NAT entries (you need both chains even if they're empty)
table ip nat {
chain postrouting {
type nat hook postrouting priority 100;
# enable NAT for VPN
iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
}
chain prerouting {
type nat hook prerouting priority 0;
}
}

23
assets/files/openvpn-server/nginx.conf Normal file
View File

@@ -0,0 +1,23 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

43
assets/files/openvpn-server/server-crl.conf Normal file
View File

@@ -0,0 +1,43 @@
port 6174
proto udp
dev tun0
ca ca.crt
cert ovpn.crt
key ovpn.key
dh dh.pem
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA512
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
crl-verify crl.pem

41
assets/files/openvpn-server/server.conf Normal file
View File

@@ -0,0 +1,41 @@
port 6174
proto udp
dev tun0
ca ca.crt
cert ovpn.crt
key ovpn.key
dh dh.pem
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA512
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

43
assets/files/openvpn-server/tor.conf Normal file
View File

@@ -0,0 +1,43 @@
port 6175
proto udp
dev tun1
ca ca.crt
cert ovpn.crt
key ovpn.key
dh dh.pem
server 10.10.20.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp-tor.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.10.20.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA512
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status-tor.log
log-append /var/log/openvpn/openvpn-tor.log
verb 3
explicit-exit-notify 1
crl-verify crl.pem

1415
vpn/openvpn/guide.md Normal file
View File

File diff suppressed because it is too large Load Diff

785
vpn/openvpn/servidor.md
View File

File diff suppressed because it is too large Load Diff