SERVER-A
cd /etc/openvpn/
# Generate the pre-shared static key referenced by "secret mykey.key" in both
# configs below. Anyone holding this file can decrypt and inject tunnel traffic,
# so keep it root-owned and mode 0600 (NOTE(review): openvpn normally creates it
# 0600 -- verify with ls -l). OpenVPN 2.5+ spells this "openvpn --genkey secret
# mykey.key"; the form below is the older spelling -- TODO confirm on the installed version.
openvpn --genkey --secret mykey.key
# Note: copy this mykey.key to SERVER-B -> /etc/openvpn over an authenticated,
# encrypted channel only (e.g. scp); treat it like a private key, never paste it into chat/e-mail.
vim vpc1-to-vpc2.conf
#COPY BELOW SECTION
###START###
# Sample OpenVPN configuration file using a pre-shared static key
# Static-key mode: one symmetric key shared by both peers, no certificates and
# no per-session key exchange, so there is no forward secrecy -- a leaked
# mykey.key exposes past and future traffic. No cipher/auth directive is set,
# so the daemon's built-in defaults apply -- TODO confirm they are acceptable
# on the installed version.
# Port to use: 1194 is the official IANA port number
# No "proto" directive, so OpenVPN's default (UDP) is used; the SERVER-B
# firewall below matches this with "udp --dport 1194".
port 1194
# Use a dynamic tun device.
dev tun
# Remote peer and network
#remote SERVER-B-PUBLIC-IP #Note: Not necessary IF this SERVER A is a SERVER & SERVER B is Client
#remote mydns.com #Give Dynamic DNS
#DYNAMIC IP
#www.dynu.com
# Send 192.168.1.0/24 (presumably SERVER-B's LAN -- verify) through the tunnel.
route 192.168.1.0 255.255.255.0
# Configure local and remote VPN endpoints: this side is 10.1.1.1, SERVER-B is
# 10.1.1.2 (SERVER-B's config lists them in the opposite order).
ifconfig 10.1.1.1 10.1.1.2
# The pre-shared static key (identical file on both peers)
secret mykey.key
###END###
# Restart OpenVPN so it picks up the new .conf.
# NOTE(review): this assumes the distro's "openvpn" service starts every
# /etc/openvpn/*.conf (Debian/Ubuntu AUTOSTART=all behaviour) -- confirm; on
# newer packages the per-config unit is "openvpn@vpc1-to-vpc2" instead.
systemctl daemon-reload
systemctl restart openvpn
#################IP Tables Server Side######################
# WARNING: the next three lines wipe every existing rule (filter and nat),
# including any pre-existing SSH/management restrictions. No "-P" line follows,
# so the chains keep whatever policy they had (ACCEPT by default).
iptables --flush
iptables --delete-chain
iptables -t nat -F
# Masquerade traffic leaving via the WAN NIC and via the tunnel. "eth0" is this
# host's NIC name -- adjust if it differs (the SERVER-B section uses ens33).
# Masquerading on tun0 hides SERVER-A-side source addresses from SERVER-B's LAN.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Allow replies to connections this host initiated. With INPUT still at ACCEPT
# these two rules restrict nothing on their own; a real host firewall needs
# "iptables -P INPUT DROP" plus explicit allows (udp/1194 for OpenVPN, ssh, ...).
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forwards everything between all interfaces in both directions: any host on
# either side can reach any host on the other. Tighten with per-interface
# FORWARD rules (the SERVER-B section shows a stricter pattern).
iptables -A FORWARD -j ACCEPT
# Catch-all masquerade on every outbound interface; it makes the two
# interface-specific POSTROUTING rules above redundant.
iptables -t nat -A POSTROUTING -j MASQUERADE
###### to save new rules
# NOTE(review): on Debian/Ubuntu the iptables save/restore plugin ships in the
# iptables-persistent package (which pulls in netfilter-persistent); with only
# netfilter-persistent installed the save may write nothing -- confirm the plugin is present.
apt install netfilter-persistent
# Persist the running ruleset so it is restored at boot (typically /etc/iptables/rules.v4).
netfilter-persistent save
##### apply to startup
systemctl enable netfilter-persistent
#################IP Tables Server Side######################
https://unix.stackexchange.com/questions/283801/iptables-forward-traffic-to-vpn-tunnel-if-open
#IP Forwarding
# Routing between the LAN and the tunnel requires kernel packet forwarding;
# the "0" shown below means it is currently off.
cat /proc/sys/net/ipv4/ip_forward
0
Then
# Enable forwarding immediately (runtime only; lost on reboot -- see the sysctl.conf step below).
echo 1 > /proc/sys/net/ipv4/ip_forward
To make the change permanent, insert or edit the following line in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
# Re-read /etc/sysctl.conf so the setting applies now as well as at boot.
sysctl -p
systemctl daemon-reload
systemctl restart openvpn
SERVER-B Client-Side
# cd /etc/openvpn/
# vim vpc2-to-vpc1.conf
###START###
# Sample OpenVPN configuration file using a pre-shared static key
# Static-key mode: one symmetric key shared by both peers, no per-session key
# exchange and therefore no forward secrecy. No cipher/auth directive is set,
# so the daemon's built-in defaults apply -- TODO confirm on the installed version.
# Port to use: 1194 is the official IANA port number
port 1194
# Use a dynamic tun device.
dev tun
# Remote peer and network
#remote SERVER-A-PUBLIC-IP   # REQUIRED on this (client) side: uncomment and set to SERVER-A's public IP or DNS name
# Send 172.31.0.0/16 (presumably SERVER-A's network -- verify) through the tunnel.
route 172.31.0.0 255.255.0.0
# Configure local and remote VPN endpoints: this side is 10.1.1.2, SERVER-A is
# 10.1.1.1 (the mirror image of SERVER-A's ifconfig line).
ifconfig 10.1.1.2 10.1.1.1
# The pre-shared static key: the file copied from SERVER-A, root-owned, mode 0600
secret mykey.key
###END###
# Restart OpenVPN so it picks up the new .conf.
# NOTE(review): assumes the distro's "openvpn" service starts every
# /etc/openvpn/*.conf -- confirm; on newer packages the per-config unit is
# "openvpn@vpc2-to-vpc1" instead.
systemctl daemon-reload
systemctl restart openvpn
######### Client Side iptables paste all this in ############### ---> Note ---> always check the interface
# WARNING: the next three lines wipe every existing rule (filter and nat).
# Only the FORWARD policy is set below (DROP, last line); INPUT and OUTPUT keep
# their existing policy (ACCEPT by default), so the INPUT/OUTPUT allow rules
# below only restrict anything once "-P INPUT DROP" / "-P OUTPUT DROP" are added.
iptables --flush
iptables --delete-chain
iptables -t nat -F
# Hide LAN source addresses behind this host's tunnel address ("tun+" matches any tun interface).
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
# "ens33" is this host's NIC name -- confirm with "ip link" before pasting (see banner above).
iptables -A INPUT -i ens33 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
# Inserted at the top of INPUT: accepts *all* inbound traffic on ens33, which
# makes the ssh/22 rule above redundant. If ens33 is also the Internet-facing
# NIC this is not a LAN-only allow -- scope it with "-s <LAN-CIDR>" (placeholder)
# if a restrictive INPUT policy is ever added.
iptables -I INPUT -i ens33 -m comment --comment "In from LAN" -j ACCEPT
iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
# Outbound services this host itself needs (OpenVPN to SERVER-A, NTP, DHCP, DNS).
iptables -A OUTPUT -o ens33 -p udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -A OUTPUT -o ens33 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
iptables -A OUTPUT -o ens33 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
# Forwarding: LAN -> VPN may initiate anything; VPN -> LAN only gets replies, so
# SERVER-A's side cannot open new connections into this LAN -- presumably
# intended; add an explicit tun+ -> ens33 allow if it should.
iptables -A FORWARD -i tun+ -o ens33 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ens33 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
# Everything else that would be forwarded (including new tun+ -> ens33 connections) is dropped.
iptables -P FORWARD DROP
######### Client Side iptables paste all this in ###############
###### to save new rules
# NOTE(review): on Debian/Ubuntu the iptables save/restore plugin ships in the
# iptables-persistent package; with only netfilter-persistent installed the
# save may write nothing -- confirm the plugin is present.
apt install netfilter-persistent
# Persist the running ruleset so it is restored at boot (typically /etc/iptables/rules.v4).
sudo netfilter-persistent save
##### apply to startup
# Restore the saved ruleset at boot.
sudo systemctl enable netfilter-persistent
https://unix.stackexchange.com/questions/283801/iptables-forward-traffic-to-vpn-tunnel-if-open
# Restart OpenVPN after the firewall change so the tunnel is re-established
# under the new rules.
systemctl daemon-reload
systemctl restart openvpn
#IP Forwarding
# Forwarding must also be on here so LAN traffic can be routed into the tunnel;
# the "0" shown below means it is currently off.
cat /proc/sys/net/ipv4/ip_forward
0
Then
# Enable forwarding immediately (runtime only; lost on reboot -- see the sysctl.conf step below).
echo 1 > /proc/sys/net/ipv4/ip_forward
To make the change permanent, insert or edit the following line in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
# Re-read /etc/sysctl.conf so the setting applies now as well as at boot.
sysctl -p
systemctl daemon-reload
systemctl restart openvpn
##############################################################################################
#LOGS
# Shows every syslog line containing "VPN" (case-sensitive).
# NOTE(review): Debian-style units tag OpenVPN lines as "ovpn-<config>" in
# lower case, which this pattern would miss -- "grep -i" or
# "journalctl -u openvpn" may be needed; also /var/log/syslog is absent on hosts
# without rsyslog -- confirm on the target.
grep VPN /var/log/syslog