- Do the initial server setup (https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04), but skip the UFW step: UFW does not work correctly in OpenVZ containers.
- If you are using an OpenVZ container, comment out the LimitNPROC line in /lib/systemd/system/openvpn@.service.
- Install OpenVPN with the openvpn-install script: https://github.com/Angristan/OpenVPN-install
- Replace the /etc/openvpn/server.conf file with the server.conf file from this gist.
- Create the files /etc/openvpn/full and /etc/openvpn/ukrunblock: copy the full file from this gist to /etc/openvpn/full, and copy https://github.com/zhovner/zaborona_help/blob/master/config/openvpn/ccd/DEFAULT to /etc/openvpn/ukrunblock.
- Harden the server with iptables (https://linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server/, https://arashmilani.com/post?id=53):
  - Flush any pre-existing rules and non-standard chains that may be on the system:
    sudo iptables -F && sudo iptables -X
  - Install iptables-persistent so that the iptables rules created next are restored on subsequent boots. When asked whether to save the current IPv4 and IPv6 rules, choose No for both protocols:
    sudo apt install iptables-persistent
  - Create the ruleset file /etc/iptables/rules.v4 and copy rules.v4 from this gist into it.
  - Activate the ruleset:
    iptables-restore < /etc/iptables/rules.v4
VPN configuration for Ukraine
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade OpenVPN client traffic (10.8.0.0/24) leaving through the venet0 uplink.
# venet0 is the network interface inside an OpenVZ container; on other hosts it is usually eth0.
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
*filter
# Allow TUN interface connections to be forwarded through other interfaces
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o venet0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Reply traffic coming back from the venet0 uplink into the tunnel
-A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow all loopback (lo) traffic and reject anything
# to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT
# Allow ping and ICMP error returns.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Allow SSH (this server's sshd listens on port 53821, not 22).
-A INPUT -i venet0 -p tcp -m state --state NEW,ESTABLISHED --dport 53821 -j ACCEPT
-A OUTPUT -o venet0 -p tcp -m state --state ESTABLISHED --sport 53821 -j ACCEPT
# Allow UDP traffic on port 1194 (OpenVPN).
-A INPUT -i venet0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o venet0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
# Allow DNS resolution and limited HTTP/S on venet0.
# Necessary for updating the server and timekeeping.
-A INPUT -i venet0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o venet0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A INPUT -i venet0 -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
-A INPUT -i venet0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
-A OUTPUT -o venet0 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A OUTPUT -o venet0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
# Allow traffic on the TUN interface so OpenVPN can communicate with venet0.
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
# Log any packets which don't fit the rules above.
# (optional but useful)
# -A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
# -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4
# -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: " --log-level 4
# then reject them.
# NOTE: while these three REJECT rules stay commented out and no chain policy is set to
# DROP, every packet not matched above is still accepted, so the rules above only grant
# access; they do not restrict anything. Uncomment them to enforce the allow-list once SSH
# on 53821 and OpenVPN on UDP 1194 are confirmed to work through the rules above.
#-A INPUT -j REJECT
#-A FORWARD -j REJECT
#-A OUTPUT -j REJECT
COMMIT
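Because the catch-all REJECT rules in rules.v4 are commented out, it is easy to deploy a file that looks hardened but accepts everything. The following shell snippet is an added example, not part of the gist: it parses an iptables-restore file and reports whether INPUT, FORWARD and OUTPUT in the *filter table are actually default-deny (a DROP policy line or an unconditional REJECT/DROP rule). The two sample files it writes under ${TMPDIR:-/tmp} are constructed, abridged copies of the gist's layout.

```shell
#!/bin/sh
# Added example, not part of the gist: report whether the *filter section of an
# iptables-restore file is default-deny. A chain counts as closed when it has a
# ":CHAIN DROP" policy line or an unconditional "-A CHAIN -j REJECT|DROP" rule
# that is not commented out. Exit status 0 = all closed, 1 = at least one open.
audit_rules_v4() {
    file="$1"
    open=""
    for chain in INPUT FORWARD OUTPUT; do
        awk -v c="$chain" '
            /^\*filter/ { in_filter = 1; next }
            in_filter && /^COMMIT/ { in_filter = 0 }
            in_filter && $1 == (":" c) && $2 == "DROP" { found = 1 }
            in_filter && $1 == "-A" && $2 == c && NF == 4 && $3 == "-j" &&
                ($4 == "REJECT" || $4 == "DROP") { found = 1 }
            END { exit found ? 0 : 1 }' "$file" || open="$open $chain"
    done
    if [ -n "$open" ]; then
        echo "$file: open chains (unmatched packets are accepted):$open"
        return 1
    fi
    echo "$file: INPUT, FORWARD and OUTPUT are default-deny"
    return 0
}

# Constructed samples (abridged copy of the gist's rules.v4 layout).
OPEN_RULES="${TMPDIR:-/tmp}/rules_open.v4"
CLOSED_RULES="${TMPDIR:-/tmp}/rules_closed.v4"
cat > "$OPEN_RULES" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i venet0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
#-A INPUT -j REJECT
#-A FORWARD -j REJECT
#-A OUTPUT -j REJECT
COMMIT
EOF
# Same file with the three catch-all REJECT rules uncommented.
sed 's/^#-A/-A/' "$OPEN_RULES" > "$CLOSED_RULES"

audit_rules_v4 "$OPEN_RULES" || echo "-> not hardened yet"
audit_rules_v4 "$CLOSED_RULES"
```

Run it against /etc/iptables/rules.v4 before iptables-restore; it only reads the file and never touches the live firewall.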