@mozzi
Last active January 22, 2018 11:19
VPN configuration for Ukraine
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from OpenVPN clients (10.8.0.0/24) out of the uplink venet0
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
*filter
# Allow TUN interface connections to be forwarded through other interfaces
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o venet0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Return path: replies coming in on venet0 back into the tunnel (this host uses venet0, not eth0)
-A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow all loopback (lo) traffic and reject anything
# to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT
# Allow ping and ICMP error returns.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Allow SSH.
-A INPUT -i venet0 -p tcp -m state --state NEW,ESTABLISHED --dport 53821 -j ACCEPT
-A OUTPUT -o venet0 -p tcp -m state --state ESTABLISHED --sport 53821 -j ACCEPT
# Allow UDP traffic on port 1194.
-A INPUT -i venet0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o venet0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
# Allow DNS resolution and limited HTTP/S on venet0.
# Necessary for updating the server and timekeeping.
-A INPUT -i venet0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o venet0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A INPUT -i venet0 -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
-A INPUT -i venet0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
-A OUTPUT -o venet0 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A OUTPUT -o venet0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
# Allow traffic on the TUN interface so OpenVPN can communicate with venet0.
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
# Log any packets which don't fit the rules above.
# (optional but useful)
# -A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
# -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4
# -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: " --log-level 4
# then reject them.
#-A INPUT -j REJECT
#-A FORWARD -j REJECT
#-A OUTPUT -j REJECT
COMMIT
  1. Do the initial server setup (https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04), except for installing UFW: UFW doesn't work correctly in OpenVZ containers.

  2. If you are using an OpenVZ container, comment out the LimitNPROC line in /lib/systemd/system/openvpn@.service.

  3. Install OpenVPN via the openvpn-install script: https://github.com/Angristan/OpenVPN-install

  4. Replace the /etc/openvpn/server.conf file with server.conf from this gist.

  5. Create the files /etc/openvpn/full and /etc/openvpn/ukrunblock. Copy the full file from this gist to full, and copy https://github.com/zhovner/zaborona_help/blob/master/config/openvpn/ccd/DEFAULT to ukrunblock.

  6. Harden the server with iptables (https://linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server/, https://arashmilani.com/post?id=53).

  7. Flush any pre-existing rules and non-standard chains which may be in the system: sudo iptables -F && sudo iptables -X

  8. Install iptables-persistent so that any iptables rules we make now are restored on subsequent boots: sudo apt install iptables-persistent. When asked whether to save the current IPv4 and IPv6 rules, choose No for both protocols.

  9. Create the iptables ruleset file /etc/iptables/rules.v4 and copy rules.v4 from this gist into it.

  10. Activate the ruleset: iptables-restore < /etc/iptables/rules.v4
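Before step 10 hands the file to iptables-restore, a small lint catches the mistakes that survive a copy-paste from an eth0-based guide onto an OpenVZ box (where the uplink is venet0): a stray interface name, a missing MASQUERADE for the VPN subnet, a missing RELATED,ESTABLISHED return-path FORWARD rule, or a table without its COMMIT. The script below is an added example, not part of the gist; the interface names and subnet (venet0, tun0, 10.8.0.0/24) are taken from the gist, the sample rules are a constructed, shortened stand-in for rules.v4, and the names check_rules, sample_rules and make_bad_copy are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: a pre-flight lint for an iptables-save
# style rules.v4, run before "iptables-restore < /etc/iptables/rules.v4".
# Interface names and the VPN subnet follow the gist (venet0, tun0, 10.8.0.0/24);
# the sample ruleset further down is constructed, not the gist's full file.

# check_rules FILE WAN_IF VPN_IF VPN_NET
# Returns 0 when every check passes, 1 otherwise, printing what is wrong.
check_rules() {
    file=$1; wan=$2; vpn=$3; net=$4; rc=0

    # 1. Every -i/-o interface must be lo, the VPN tun device or the WAN
    #    interface. A leftover "eth0" from a copy-pasted guide shows up here.
    stray=$(grep -v '^#' "$file" | grep -oE -- '-[io] [a-z0-9]+' \
            | awk '{print $2}' | sort -u | grep -vxE "lo|$vpn|$wan" || true)
    [ -z "$stray" ] || { echo "unexpected interface(s): $stray"; rc=1; }

    # 2. NAT: VPN clients must be masqueraded out of the WAN interface.
    grep -qE -- "^-A POSTROUTING -s $net -o $wan -j MASQUERADE" "$file" \
        || { echo "missing MASQUERADE for $net via $wan"; rc=1; }

    # 3. FORWARD: traffic out of the tunnel, plus the RELATED,ESTABLISHED
    #    return path from the WAN interface back into the tunnel.
    grep -qE -- "^-A FORWARD -i $vpn( -o $wan)? -j ACCEPT" "$file" \
        || { echo "missing FORWARD accept $vpn -> $wan"; rc=1; }
    grep -qE -- "^-A FORWARD -i $wan -o $vpn -m state --state RELATED,ESTABLISHED -j ACCEPT" "$file" \
        || { echo "missing FORWARD return path $wan -> $vpn"; rc=1; }

    # 4. Each table (*nat, *filter) must be closed by COMMIT, otherwise
    #    iptables-restore rejects the whole file.
    [ "$(grep -c '^COMMIT$' "$file")" -eq "$(grep -c '^\*' "$file")" ] \
        || { echo "number of COMMIT lines does not match number of tables"; rc=1; }

    return $rc
}

# Constructed sample in the same shape as the gist's rules.v4 (shortened).
sample_rules() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
*filter
# Allow TUN interface connections to be forwarded through other interfaces
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o venet0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i venet0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
EOF
}

# make_bad_copy GOOD BAD: the same ruleset with the return-path rule mangled
# the way a half-done copy-paste from an eth0-based guide would leave it.
make_bad_copy() {
    sed 's/^-A FORWARD -i venet0 -o tun0/-A FORWARD -i eth0 -o venet0/' "$1" > "$2"
}

# Stand-alone demo: the constructed ruleset passes, the mangled copy is rejected.
good=$(mktemp); bad=$(mktemp)
sample_rules > "$good"
make_bad_copy "$good" "$bad"
check_rules "$good" venet0 tun0 10.8.0.0/24 && echo "good ruleset: OK"
check_rules "$bad"  venet0 tun0 10.8.0.0/24 || echo "bad ruleset: rejected"
rm -f "$good" "$bad"
```

To lint the real file, call check_rules /etc/iptables/rules.v4 venet0 tun0 10.8.0.0/24 from the same shell. It complements iptables-restore --test, which only parses the file and does not care whether a rule names an interface the host actually has.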
