АГИС Администрирование

VPN server

132 просмотров 0

How to Install OpenVPN Server on Ubuntu

# curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x openvpn-install.sh
Then run it:

# ./openvpn-install.sh

I need to know the IPv4 address of the network interface you want OpenVPN listen
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 212.45.92.98
Custom port [1-65535]: 30600
Protocol [1-2]: 1
DNS [1-12]: 1
Do you want to use compression? It is not recommended since the VORACLE attack m
Enable compression? [y/n]: n
Customize encryption settings? [y/n]: n
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an undersco
Client name: agis

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1
The configuration file has been written to /home/agis/agis.ovpn.
Download the .ovpn file and import it in your OpenVPN client.

# systemctl status openvpn@server.service
● openvpn@server.service – OpenVPN connection to server
Loaded: loaded (/etc/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2024-05-13 20:21:16 +05; 4h 34min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 73082 (openvpn)
Status: “Initialization Sequence Completed”
Tasks: 1 (limit: 77137)
Memory: 1.9M
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─73082 /usr/sbin/openvpn –daemon ovpn-server –status /run/openvpn/server.status 10 –cd /etc/openvpn –script-security 2 –config /etc/openvpn/server.conf –writepid />

May 14 00:23:56 kos144 ovpn-server[73082]: agis/178.89.24.80:46697 peer info: IV_LZ4v2=1
May 14 00:23:56 kos144 ovpn-server[73082]: agis/178.89.24.80:46697 peer info: IV_LZO=1
May 14 00:23:56 kos144 ovpn-server[73082]: agis/178.89.24.80:46697 peer info: IV_COMP_STUB=1
May 14 00:23:56 kos144 ovpn-server[73082]: agis/178.89.24.80:46697 peer info: IV_COMP_STUBv2=1
May 14 00:23:56 kos144 ovpn-server[73082]: agis/178.89.24.80:46697 peer info: IV_TCPNL=1
May 14 00:23:56 kos144 ovpn-server[73082]: agis/178.89.24.80:46697 peer info: IV_GUI_VER=OpenVPN_GUI_11
May 14 00:23:56 kos144 ovpn-server[73082]: agis/178.89.24.80:46697 peer info: IV_SSO=openurl,crtext
May 14 00:23:56 kos144 ovpn-server[73082]: agis/178.89.24.80:46697 Outgoing Data Channel: Cipher ‘AES-128-GCM’ initialized with 128 bit key
May 14 00:23:56 kos144 ovpn-server[73082]: agis/178.89.24.80:46697 Incoming Data Channel: Cipher ‘AES-128-GCM’ initialized with 128 bit key
May 14 00:23:56 kos144 ovpn-server[73082]: agis/178.89.24.80:46697 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1

Контейнер openvpn server

Использование и запуск 
# генерация ключа сервера CA. Нужно ввести фразу и записать. Понадобится при создании ключей клиентов
$ ./init.sh
# Генерация ключа клиента agisю Создается файл agis.ovpn
$ ./create_client.sh agis
# Запуск, остановка сервера. Просмотр логов
$ docker-compose up -d
$ docker-compose down -v
$ docker-compose logs
Исходники 
$ cat docker-compose.yml
version: "3"
services:
  ovpn:
    image: kylemanna/openvpn:2.4
    restart: always
    volumes:
      - ./ovpn-data:/etc/openvpn:rw
    ports:
      - 1194:1194/udp
    cap_add:
      - NET_ADMIN

$ cat init.sh
#!/bin/bash -x
docker-compose run --rm ovpn ovpn_genconfig -u udp://kossu.kz
docker-compose run --rm ovpn ovpn_initpki

$ cat create_client.sh
#!/bin/bash -ex
docker-compose run --rm ovpn easyrsa build-client-full $1 nopass
docker-compose run --rm ovpn ovpn_getclient $1 > $1.ovpn

# Конфигруционный файл
$ cat ovpn-data/openvpn.conf
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/kossu.kz.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/kossu.kz.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

Установка VPN сервера ubuntu внутри корпративной сети

Настройка интеренет сервера на базе pfsense смотреть тут

Два сетевых интерфейса:
– etho 192.168.1.10/24 На этот адрес идет проброс с корпоративного публичного IP адреса
– eth1 192.168.1.12/24 На этот адрес обращаются клиенты из локальной сети
– gw 192.168.1.1 внутри локальной сети

$cat /etc/netplan/00-installer-config.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      addresses: [192.168.1.10/24]
      routes:
        - to: default
          via: 192.168.1.1
      mtu: 1500
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
    eno2:
      addresses: [192.168.1.12/24]

$cat /etc/sysctl.conf | grep net.ipv4.ip_forward
net.ipv4.ip_forward=1

# sysctl --system

или чтобы прочитать файл и загрузить значения для текущей сессии:

# sysctl -p
net.ipv4.ip_forward = 1
fs.inotify.max_user_watches = 524288

Настройка Netfilter

Отключаем ufw

# ufw disable

Настараиваем правила через утилиту iptables. Далее запускаем команды из под root

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -t filter -p icmp -j ACCEPT
iptables -t NAT -A PREROTING -i eth0 -p tcp -m tcp --dport 30300 -j DNAT --to-destination 192.168.1.10:30300
iptables -t NAT -A PREROTING -i eth0 -p udp -m tcp --dport 30300 -j DNAT --to-destination 192.168.1.10:30300
iptables -t NAT -A PREROTING -i eth0 -p tcp -m tcp --dport 4315 -j DNAT --to-destination 192.168.1.10:4315
iptables -t NAT -A PREROTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80

# Gitlab
iptables -t NAT -A PREROTING -i eth0 -p tcp -m tcp --dport 10543 -j DNAT --to-destination 192.168.1.10:10543
iptables -t NAT -A PREROTING -i eth0 -p tcp -m tcp --dport 10032 -j DNAT --to-destination 192.168.1.10:10032
iptables -t NAT -A PREROTING -i eth0 -p tcp -m tcp --dport 5040 -j DNAT --to-destination 192.168.1.10:5040

Далее…

Прикрепленные файлы
#
Тип файл
Размер файла
Скачать
1 .zip 10,70 КБ openvpn-install
Вам может быть интересно