io.kent

[VPN] DoubleVPN


Nothing new will be revealed here, but as a note on building a VPN with your own hands it may be useful. Generation of certificates and keys is not covered; the key length can be at most 4096 bits. Configuration for Linux. Settings on the OpenVZ host machine (OpenVZ-HN); if you do not have access to the hypervisor, skip this block:

CTID=101
vzctl set $CTID --devnodes net/tun:rw --save
vzctl set $CTID --devices c:10:200:rw --save
vzctl set $CTID --capability net_admin:on --save
vzctl exec $CTID mkdir -p /dev/net
vzctl exec $CTID mknod /dev/net/tun c 10 200
vzctl exec $CTID chmod 600 /dev/net/tun

Proxies, SOCKS and similar tools help a user maintain anonymity online. Why a particular user needs this can have many reasons; we will not dwell on them here. Consider the process of building an OpenVPN server that is itself connected to a second OpenVPN server, so that user traffic passes through the first server, then the second, and only then reaches the desired resource. Return traffic follows the same chain in reverse. Many operators of such a scheme call it "double" OpenVPN. Schematically:

Client -> OpenVPN-server_1 -> OpenVPN-server_2 -> Internet

Return traffic, in reverse:

Client <- OpenVPN-server_1 <- OpenVPN-server_2 <- Internet

Building this scheme requires two VPS/VDS (as a rule a VDS is used for higher loads, i.e. larger traffic volumes). If a VPS with OpenVZ or another container virtualization is used, where the containers share the host system's kernel, check with the hoster whether loading the tun module is enabled for the containers. The implementation consists of: the connection between the OpenVPN client and OpenVPN-server 1, the connection between the two OpenVPN servers, NAT on OpenVPN-server 2, and routing on both servers. Install OpenVPN on both servers. Let us take the installation on CentOS as the example. The standard CentOS repositories do not contain the openvpn package, so connect the appropriate sources (mind the architecture and OS version; the example is CentOS 6, x86_64):

rpm -ihv http://mirror.yandex.ru/epel/6/x86_64/epel-release-6-7.noarch.rpm
rpm -ihv http://centos.alt.ru/repository/centos/6/x86_64/centalt-release-6-1.noarch.rpm

Install OpenVPN

yum -y install openvpn

Check whether the tun module is loaded

lsmod | grep tun

If the output of the previous command is empty, load the tun module

modprobe tun

How to arrange automatic startup of OpenVPN and loading of the tun module at boot depends on the operating system; on CentOS:

chkconfig openvpn on

The connection between the two servers uses OpenVPN's point-to-point mode. On OpenVPN-server 2 create the configuration file /etc/openvpn/server.conf with this content (all hops in this scheme run over TCP; tunnelling TCP inside TCP amplifies retransmissions on lossy links, so prefer UDP where the hoster's network allows it):

# named explicitly because the route-up command below refers to tun0
dev tun0
proto tcp-server
ifconfig 10.0.2.1 10.0.2.2
tls-server
comp-lzo
daemon
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# 1024-bit DH parameters are weak by today's standards; generate 2048-bit or larger
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/tls.key 0
cipher AES-256-CBC
port 1195
user nobody
group nobody
# only the site-to-site client from server 1 may connect here
max-clients 1
persist-key
persist-tun
verb 3
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
# syntax is 'script-security level [method]'; level 2 would suffice for this
# route-up, the 'system' method is deprecated in newer OpenVPN releases
script-security 3 system
# return path: the client subnet behind server 1 is reached through the tunnel
route-up "ip route add 10.0.1.0/24 via 10.0.2.2 dev tun0"

The keys and certificates placed in /etc/openvpn/keys/ are created with easy-rsa according to the OpenVPN developers' HOWTO.

The contents of the route-up command depend on the client network configuration and on the connection settings between the servers.

Enable packet forwarding: in /etc/sysctl.conf change net.ipv4.ip_forward from 0 to 1

net.ipv4.ip_forward = 1

Reload the kernel variables from the updated sysctl.conf:

sysctl -p

NAT is also configured on the second server with iptables:

iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j SNAT --to-source 1.1.1.1

where 1.1.1.1 is the external IP of server 2 and eth0 its external interface. Check the FORWARD chain as well: the stock CentOS 6 ruleset ends it with a REJECT rule, which blocks the tunnel traffic, while an empty chain with policy ACCEPT forwards anything that reaches the host. Either way, explicitly allow only the client subnet and the replies to it. On the first server, install OpenVPN in the same way and create a configuration file

vi /etc/openvpn/s2s.conf:

dev tun0
remote 1.1.1.1
port 1195
proto tcp-client
ifconfig 10.0.2.2 10.0.2.1
tls-client
comp-lzo
daemon
# level first, then the method; 'system' is needed here because the route-up
# command relies on the shell's && (the method argument is deprecated in newer
# OpenVPN releases, where a script file executed via execve should be used)
script-security 3 system
# only accept a certificate built with easy-rsa's 'server' type
# (on newer OpenVPN/easy-rsa use 'remote-cert-tls server' instead)
ns-cert-type server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/s2s.crt
key /etc/openvpn/keys/s2s.key
# dh is only read in tls-server mode; harmless but unnecessary on this side
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/tls.key 1
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
verb 3
# policy routing: only traffic sourced from the client subnet is sent through
# server 2 (table 10); the host's own default route stays in the main table
route-up "ip route add default via 10.0.2.1 dev tun0 table 10 && ip rule add from 10.0.1.0/24 lookup 10 pref 10"
mute 10
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log

Enable packet forwarding on this server as well (the same sysctl change as on server 2).
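Here is an added example, not code from the original post: a small bring-up script for the routing and NAT steps described above, covering both servers. It assumes the addressing used in the configs on this page (client subnet 10.0.1.0/24, tunnel ends 10.0.2.2 on server 1 and 10.0.2.1 on server 2, server 2's external interface eth0 with address 1.1.1.1); the script name, function names and variable names are its own. Compared with the one-line route-up and the single SNAT rule it adds idempotent rule insertion (re-running it from route-up does not duplicate rules), a FORWARD policy that passes only the client subnet and the replies to it, and a dry-run mode so the generated commands can be reviewed before they are executed as root.

```shell
#!/bin/sh
# ovpn-chain.sh (hypothetical name): routing and NAT for the two-hop OpenVPN chain.
#   server1-up/down : policy routing that sends the client subnet into the tunnel
#                     to server 2 (replaces the route-up command in s2s.conf)
#   server2-up/down : route back to the client subnet, SNAT, and a FORWARD chain
#                     that only passes the client subnet and its replies
# Addresses default to the ones used in the configs above and are assumptions.
# DRY_RUN=1 prints the commands instead of executing them.

CLIENT_NET="${CLIENT_NET:-10.0.1.0/24}"   # 'server' subnet on server 1 (tun1)
S2S_DEV="${S2S_DEV:-tun0}"                # point-to-point tunnel on both servers
S1_TUN_IP="${S1_TUN_IP:-10.0.2.2}"        # server 1's end of the tunnel
S2_TUN_IP="${S2_TUN_IP:-10.0.2.1}"        # server 2's end of the tunnel
EXT_IF="${EXT_IF:-eth0}"                  # server 2 external interface
EXT_IP="${EXT_IP:-1.1.1.1}"               # server 2 external address
TABLE="${TABLE:-10}"                      # routing table and rule preference on server 1

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Append an iptables rule only if it is not already present (iptables -C),
# so the script can be re-run from route-up without duplicating rules.
add_rule() {   # add_rule <table> <chain> <match and target...>
    tbl=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -t "$tbl" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$tbl" -A "$chain" "$@"
}

server1_up() {
    # Only packets *from* the VPN clients consult table $TABLE; the host's own
    # default route (and your SSH session) stays on the main table.
    run ip route replace default via "$S2_TUN_IP" dev "$S2S_DEV" table "$TABLE"
    run ip rule add from "$CLIENT_NET" lookup "$TABLE" pref "$TABLE"
}

server1_down() {
    run ip rule del from "$CLIENT_NET" lookup "$TABLE" pref "$TABLE"
    run ip route flush table "$TABLE"
}

server2_up() {
    run sysctl -q -w net.ipv4.ip_forward=1
    run ip route replace "$CLIENT_NET" via "$S1_TUN_IP" dev "$S2S_DEV"
    add_rule nat POSTROUTING -s "$CLIENT_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
    add_rule filter FORWARD -i "$S2S_DEV" -o "$EXT_IF" -s "$CLIENT_NET" -j ACCEPT
    add_rule filter FORWARD -i "$EXT_IF" -o "$S2S_DEV" -d "$CLIENT_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP   # nothing else is forwarded through the exit node
}

server2_down() {
    run iptables -t nat -D POSTROUTING -s "$CLIENT_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
    run iptables -D FORWARD -i "$S2S_DEV" -o "$EXT_IF" -s "$CLIENT_NET" -j ACCEPT
    run iptables -D FORWARD -i "$EXT_IF" -o "$S2S_DEV" -d "$CLIENT_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run ip route del "$CLIENT_NET" via "$S1_TUN_IP" dev "$S2S_DEV"
}

case "${1:-}" in
    server1-up)   server1_up ;;
    server1-down) server1_down ;;
    server2-up)   server2_up ;;
    server2-down) server2_down ;;
    "")           ;;   # no action given: only define the functions (e.g. when sourced)
    *)            echo "usage: $0 server1-up|server1-down|server2-up|server2-down" >&2 ;;
esac
```

Install it as, for example, /usr/local/sbin/ovpn-chain.sh and call it from OpenVPN with route-up "/usr/local/sbin/ovpn-chain.sh server1-up" in s2s.conf (script-security 2 is enough, since no shell operators are involved) and route-up "/usr/local/sbin/ovpn-chain.sh server2-up" in server 2's server.conf. Because both configs drop privileges to nobody, a matching down script cannot remove the rules; run the *-down action by hand or through the openvpn-plugin-down-root plugin.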

Configure OpenVPN-server 1 for client connections. Create the configuration file /etc/openvpn/server.conf:

port 1194
local 2.2.2.2
proto tcp
dev tun1
server 10.0.1.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# 1024-bit DH parameters are weak by today's standards; generate 2048-bit or larger
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/tls.key 0
cipher AES-256-CBC
user nobody
group nobody
status /var/log/openvpn/openvpnserver-status.log
log-append /var/log/openvpn/openvpnserver.log
verb 3
max-clients 30
keepalive 10 120
tls-server
comp-lzo
persist-key
persist-tun
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

Certificates and keys for the client connections are likewise created with easy-rsa according to the OpenVPN developers' HOWTO.

After configuring, start OpenVPN on each server

/etc/init.d/openvpn start

If startup fails, look for the errors in the log files and fix them. To connect, the client needs the following files: ca.crt, client01.crt, client01.key, dh1024.pem, tls.key; pass them to the client together with the configuration. (The dh file is only read in tls-server mode, so the client does not actually need it.) What to do on the client side depends on the OS. For Linux: install openvpn, check that the tun module is loaded, and create the configuration file /etc/openvpn/client01.conf

client
remote 2.2.2.2 1194
proto tcp
dev tun
ca ca.crt
# not used by a client (dh is a tls-server option); kept to match the file list above
dh dh1024.pem
cert client01.crt
key client01.key
tls-auth tls.key 1
cipher AES-256-CBC
verb 3
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
resolv-retry infinite
nobind

Copy the files (ca.crt, client01.crt, client01.key, dh1024.pem, tls.key) to /etc/openvpn/. Start openvpn:

/etc/init.d/openvpn start

Check that the tun0 interface has appeared. For Windows: install OpenVPN for Windows (OpenVPN - Open Source VPN). Copy the files (ca.crt, client01.crt, client01.key, dh1024.pem, tls.key) to C:\Program Files\OpenVPN\config\client01. In the same directory create the configuration file client01.ovpn (identical in content to client01.conf for Linux). Connect. Once connected, check how the traffic flows; both servers must appear in the trace (the tunnel addresses in this sample output differ from the addressing used in the configs above):

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  10.1.0.1 (10.1.0.1)  165.178 ms  329.870 ms  329.807 ms
 2  10.2.0.1 (10.2.0.1)  493.908 ms  658.640 ms  824.653 ms

Configuration for FreeBSD:

###########################
#Server
#FreeBSD - OpenVPN config, redirect traffic
###########################
dev ovpns2 # - interface name
dev-type tun # - type tun/tap (tun is faster)
tun-ipv6
dev-node /dev/tun2 # - device node
writepid /var/run/openvpn_server2.pid # - where to write the pid
#user nobody # - user to run as
#group nobody # - group to run as
script-security 3
daemon # - run as a service
keepalive 10 60 # - ping every 10 s, restart after 60 s without a reply
ping-timer-rem
persist-tun
persist-key
proto tcp-server # - which protocol to use, tcp/udp (here TCP)
cipher AES-128-CBC # - any cipher the system supports (openvpn --show-ciphers)
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxxx # - static external address
tls-server # - TLS is used for the control channel
server 172.172.11.0 255.255.255.0 # - subnet used inside the tunnel
client-config-dir /var/etc/openvpn-csc # - per-client configuration (ccd on Linux)
lport 443 # - port the VPN server listens on
management /var/etc/openvpn/server2.sock unix # - process control and connection monitoring
max-clients 2 # - maximum number of clients
push "dhcp-option DNS 192.168.1.1" # - DNS servers pushed to the client
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1" # - makes the server the client's default gateway
client-to-client # - allow traffic between clients (for example RDP between two connected clients)
ca /var/etc/openvpn/server2.ca # - CA certificate
cert /var/etc/openvpn/server2.cert # - server certificate
key /var/etc/openvpn/server2.key # - server private key
dh /etc/dh-parameters.1024 # - DH parameters (1024-bit; 2048-bit or larger is recommended)
comp-lzo # - traffic compression
persist-remote-ip
float
push "route 192.168.1.0 255.255.255.0" # - pushes a route to the network the server itself is on
server-poll-timeout 20 # - a client-side option (how long to wait for a server to answer); it has no effect in a server config

IMPORTANT:

Logs are needed for the initial setup; once everything works they can be turned off. With logs:

status openvpn-status.log
log /var/log/openvpn.log
verb 3
mute 20

Without logs (remove the status line as well if the client list should not be written to disk either):

log /dev/null
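Since the status file is what tells you who is actually connected to each hop, here is an added example (not code from the original post) that reads an OpenVPN status file in the default, version 1 format written by the status directive above, lists each connected client with its real address, tunnel address and byte counters, and flags any common name missing from an allow list. On server 2 only the site-to-site client should ever appear (max-clients 1); on server 1 the list should contain only certificates you issued. The function names and the sample status data are constructed for this example.

```shell
#!/bin/sh
# Parse OpenVPN's default (version 1) status file. Added example; names are hypothetical.

# ovpn_status_clients [status-file]   (reads stdin when no file is given)
# Output: <common name> <real address> <tunnel address> <bytes rx> <bytes tx>
ovpn_status_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sec = "clients"; next }
        /^ROUTING TABLE/       { sec = "routes";  next }
        /^GLOBAL STATS/        { sec = "";        next }
        # client rows: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
        sec == "clients" && NF == 5 && $1 != "Common Name" {
            real[$1] = $2; rx[$1] = $3; tx[$1] = $4
        }
        # routing rows: Virtual Address,Common Name,Real Address,Last Ref
        sec == "routes" && NF == 4 && $1 != "Virtual Address" { vaddr[$2] = $1 }
        END {
            for (cn in real)
                printf "%s %s %s %s %s\n", cn, real[cn], (cn in vaddr) ? vaddr[cn] : "-", rx[cn], tx[cn]
        }
    ' "$@" | sort
}

# ovpn_unexpected_clients <allowed-cn>...   (status file on stdin)
# Prints every connected common name that is not in the allow list.
ovpn_unexpected_clients() {
    allowed=" $* "
    ovpn_status_clients | while read -r cn rest; do
        case "$allowed" in
            *" $cn "*) ;;
            *) printf '%s\n' "$cn" ;;
        esac
    done
}

# Constructed sample status file: two clients connected to server 1.
sample_status() {
    cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jun  5 12:00:00 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client01,203.0.113.5:51234,12345,67890,Thu Jun  5 11:50:00 2014
client02,198.51.100.7:40000,512,1024,Thu Jun  5 11:58:30 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.0.1.6,client01,203.0.113.5:51234,Thu Jun  5 11:59:58 2014
10.0.1.10,client02,198.51.100.7:40000,Thu Jun  5 11:59:59 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Real use:
#   ovpn_status_clients /var/log/openvpn/openvpnserver-status.log        (server 1)
#   ovpn_unexpected_clients s2s < /var/log/openvpn/openvpn-status.log    (server 2)
```

Anything printed by the second function is a peer holding a certificate signed by your CA that you did not expect, which on a two-server chain is worth investigating before anything else.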

Have fun.. :)
