[vpsFree.cz: community-list] OpenVPN config
Lukáš Němec
lu.nemec at gmail.com
Thu Feb 21 16:53:32 CET 2019
Chain INPUT (policy DROP 221 packets, 11897 bytes)
pkts bytes target prot opt in out source destination
23 1656 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9292 state NEW
691K 146M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8072 429K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
24441 1325K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
29529 7540K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4647 190K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2495 129K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
14416 605K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9987 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:30033 state NEW
1 40 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30033 state NEW
282 17685 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22000 state NEW
23970 7190K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21027 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34197 state NEW
105 4580 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 state NEW
165 10456 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194 state NEW
21 898 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 state NEW
Chain FORWARD (policy DROP 1624 packets, 110K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4881 packets, 1307K bytes)
pkts bytes target prot opt in out source destination
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
> On 21 Feb 2019, at 16:50, Miroslav Misek <miroslav.misek at netgarden.cz> wrote:
>
> This NATs all outgoing packets, i.e. also those coming directly from the VPS. I'm not saying that's wrong :-)
> Also send the output of:
> iptables -L -v -n
> sysctl -a | grep net.ipv4.ip_forward
>
> On 21. 02. 19 16:44, Lukáš Němec wrote:
>> Hi,
>>
>> I've found that iptables rule now, and it seems to be NATing some packets, but the client still can't ping anything :/
>>
>> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>> 13469 842K SNAT all -- * venet0 0.0.0.0/0 0.0.0.0/0 to:37.205.10.108
>>
>> Thanks,
>> Lukáš
>>
>>> On 21 Feb 2019, at 16:41, Lukáš Němec <lu.nemec at gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> thanks for the replies, I tried what you wrote, and it still doesn't work. I connect OK, but ping 8.8.8.8 reports no route to host, or times out.
>>> I enabled IPv4 forwarding and added NAT according to the wiki, but this part doesn't look right to me: when I try to list the rules in POSTROUTING, iptables tells me it doesn't know such a chain. I don't understand that.
>>>
>>> root at nemec /etc/openvpn # ip addr show dev venet0:0 scope global
>>> 2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
>>> link/void
>>> inet 37.205.10.108/32 brd 37.205.10.108 scope global venet0:0
>>> inet6 2a01:430:17:1::ffff:71/128 scope global
>>> valid_lft forever preferred_lft forever
>>> root at nemec /etc/openvpn # iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to 37.205.10.108
>>> root at nemec /etc/openvpn # iptables -L POSTROUTING
>>> iptables: No chain/target/match by that name.
>>>
>>> My server config:
>>> mode server
>>> tls-server
>>> port 1194
>>> proto tcp-server
>>> dev tap1
>>> client-config-dir ccd
>>> tun-mtu 1500
>>>
>>> ca /etc/openvpn/easy-rsa/keys/ca.crt
>>> cert /etc/openvpn/easy-rsa/keys/nemec.crt
>>> key /etc/openvpn/easy-rsa/keys/nemec.key
>>> dh /etc/openvpn/easy-rsa/keys/dh2048.pem
>>>
>>> topology subnet
>>> server 172.16.123.0 255.255.255.0
>>> push "redirect-gateway def1 bypass-dhcp"
>>> push "dhcp-option DNS 8.8.8.8"
>>>
>>> ifconfig-pool-persist ipp.txt
>>>
>>> keepalive 10 120
>>> max-clients 10
>>> cipher AES-256-CBC
>>> user nobody
>>> group nogroup
>>> persist-key
>>> persist-tun
>>> status /tmp/openvpn.status 1
>>> log-append /var/log/openvpn.log
>>> status-version 3
>>> verb 4
>>> mute 20
>>> reneg-sec 180
>>>
>>> Thanks for any advice,
>>> Lukáš
>>>
>>>
>>>> On 21 Feb 2019, at 14:57, Miroslav Misek <miroslav.misek at netgarden.cz> wrote:
>>>>
>>>> If OpenVPN is supposed to work as a gateway (i.e. the client will then send all its data to the Internet through the VPN),
>>>> you also need to set either on the client:
>>>> redirect-gateway
>>>> or on the server:
>>>> push "redirect-gateway"
>>>>
>>>> And in addition, set up masquerade in iptables (firewalld) (so that data originating from the VPN gets the VPS's source IP when it is forwarded to the Internet).
>>>> And as was already written in the previous email, IP forwarding has to be enabled (echo 1 > /proc/sys/net/ipv4/ip_forward) and also forwarding in the firewall (iptables, firewalld).
>>>>
>>>> Miroslav Misek
>>>>
>>>> On 21. 02. 19 14:16, Jiri Drozd wrote:
>>>>> Hi,
>>>>>
>>>>> I no longer remember what I set it up from; here is my config, which works:
>>>>>
>>>>> port 1111
>>>>> proto udp
>>>>> dev tun
>>>>> ca /etc/openvpn/full/keys/ca.crt
>>>>> cert /etc/openvpn/full/keys/server.crt
>>>>> key /etc/openvpn/full/keys/server.key
>>>>> dh /etc/openvpn/full/keys/dh2048.pem
>>>>> topology subnet
>>>>> server 172.16.123.0 255.255.255.0
>>>>> ifconfig-pool-persist ipp-full.txt
>>>>> push "redirect-gateway def1 bypass-dhcp"
>>>>> push "dhcp-option DNS 8.8.8.8"
>>>>> keepalive 10 30
>>>>> tls-auth /etc/openvpn/easy-rsa-full/keys/ta.key 0
>>>>> cipher AES-256-CBC
>>>>> comp-lzo
>>>>> max-clients 100
>>>>> user nobody
>>>>> group nogroup
>>>>> persist-key
>>>>> persist-tun
>>>>> status openvpn-full-status.log
>>>>> verb 3
>>>>> mute 20
>>>>> reneg-sec 180
>>>>>
>>>>> you also need to have forwarding enabled https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux
>>>>> and if you have iptables enabled, check that nothing there is blocking the traffic (probably easiest to turn the firewall off completely for a moment)
>>>>>
>>>>> JDrozd / Buger
>>>>>
>>>>> From: "Lukáš Němec" <lu.nemec at gmail.com>
>>>>> To: "vpsFree.cz Community list" <community-list at lists.vpsfree.cz>
>>>>> Sent: Friday, February 15, 2019 5:29:57 PM
>>>>> Subject: [vpsFree.cz: community-list] OpenVPN config
>>>>>
>>>>> Hi,
>>>>> I'm trying to get openvpn running as an Internet gateway on a VPS. I followed the guide on the vpsfree wiki, but it seems outdated. I'm at the point where I connect to the VPN on the VPS fine, but the Internet doesn't work; maybe the IP address for NAT in the wiki guide is wrong? (https://kb.vpsfree.cz/navody/server/openvpn)
>>>>>
>>>>> I also found mails from 2017 on this list, but I don't know whether that configuration still applies.
>>>>>
>>>>> Any advice? Btw, my configs are the same as in the guide; I followed it step by step.
>>>>>
>>>>> Thanks,
>>>>> Lukáš
>>>>>
>>>>> _______________________________________________
>>>>> Community-list mailing list
>>>>> Community-list at lists.vpsfree.cz <mailto:Community-list at lists.vpsfree.cz>
>>>>> http://lists.vpsfree.cz/listinfo/community-list <http://lists.vpsfree.cz/listinfo/community-list>
>>>>>
>>>>>
>>>
>>
>>
>>
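An added example, not part of the thread and not code from the vpsFree wiki: a small POSIX shell script that audits an `iptables -L -v -n` dump for exactly the state shown at the top of this page. There, net.ipv4.ip_forward = 1 and the nat POSTROUTING chain has an SNAT rule, yet the FORWARD chain has policy DROP and not a single rule, and has already dropped 1624 packets; with that chain empty, nothing the OpenVPN client sends is ever relayed to venet0, whatever the NAT rule says. (The "No chain/target/match by that name" error comes from listing POSTROUTING without `-t nat`; that chain lives in the nat table, so `iptables -t nat -L -v -n` is the command that shows it.) The embedded dump is a constructed excerpt of the thread's listing; the interface names, VPN subnet and public address in the suggested rules (tap1, venet0, 172.16.123.0/24, 37.205.10.108) are the thread's own values, and the script only prints the fix rather than applying it.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables -L -v -n` dump for the
# OpenVPN-gateway failure seen above: ip_forward on and SNAT present, but the
# FORWARD chain has policy DROP and no rules, so client packets are never relayed.
# SAMPLE_FILTER is a constructed excerpt of the listing posted in the thread.

SAMPLE_FILTER='Chain INPUT (policy DROP 221 packets, 11897 bytes)
 pkts bytes target     prot opt in     out     source               destination
   165 10456 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 state NEW
Chain FORWARD (policy DROP 1624 packets, 110K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 4881 packets, 1307K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Print the policy of chain $1 (e.g. DROP) from a dump read on stdin.
chain_policy() {
  awk -v c="$1" '$1=="Chain" && $2==c { gsub(/[()]/, "", $4); print $4; exit }'
}

# Count the rules of chain $1: lines between its "Chain" header and the next
# "Chain" header, excluding the "pkts bytes ..." column header.
chain_rule_count() {
  awk -v c="$1" '
    $1=="Chain" { in_chain = ($2==c); next }
    in_chain && $1!="pkts" && NF>0 { n++ }
    END { print n+0 }'
}

# Decide whether FORWARD can relay VPN traffic: "blocked" when the policy is
# DROP and no rule exists at all, "open" otherwise (a finer audit would also
# check that an existing rule actually matches the VPN interface).
forward_verdict() {
  dump="$1"
  pol=$(printf '%s\n' "$dump" | chain_policy FORWARD)
  n=$(printf '%s\n' "$dump" | chain_rule_count FORWARD)
  if [ "$pol" = "DROP" ] && [ "$n" -eq 0 ]; then
    echo blocked
  else
    echo open
  fi
}

# Print the rules that close the gap: VPN -> venet0 forwarding, replies back,
# and SNAT limited to the VPN subnet so the VPS's own traffic is left alone.
# Defaults are the thread's values; the commands are printed, not executed.
fix_rules() {
  vpn_if="${1:-tap1}"
  wan_if="${2:-venet0}"
  vpn_net="${3:-172.16.123.0/24}"
  wan_ip="${4:-37.205.10.108}"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $vpn_if -o $wan_if -s $vpn_net -j ACCEPT
iptables -A FORWARD -i $wan_if -o $vpn_if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $vpn_net -o $wan_if -j SNAT --to-source $wan_ip
EOF
}

# Stand-alone run: diagnose the constructed dump and print the fix if needed.
main() {
  v=$(forward_verdict "$SAMPLE_FILTER")
  echo "FORWARD chain: $v"
  if [ "$v" = "blocked" ]; then
    echo "Suggested rules (run as root on the VPS):"
    fix_rules
  fi
}
main
```

To audit a live box, feed the real listing instead of the constructed one (for example `forward_verdict "$(iptables -L -v -n)"`), and use `iptables -t nat -L -v -n` to confirm the SNAT rule. The printed SNAT rule carries `-s 172.16.123.0/24`, so only forwarded VPN traffic is rewritten, which addresses Miroslav's remark that the thread's original rule NATs everything leaving the VPS.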