ВПС | |
Install ovpn & add users | |
https://github.com/angristan/openvpn-install | |
Add extra servers | |
Copy config & | |
systemctl start openvpn@xxxxxx.service | |
systemctl status openvpn@* | |
172.16.0.0/28 (mask 255.255.255.240) — columns: network / usable hosts / broadcast | |
.0 .1-.14 .15 | |
.16 .17-.30 .31 | |
.32 .33-.46 .47 | |
.48 .49-.62 .63 | |
.64 .65-.78 .79 | |
.80 .81-.94 .95 | |
.96 .97-.110 .111 | |
.112 .113-.126 .127 | |
.128 .129-.142 .143 | |
.144 .145-.158 .159 | |
.160 .161-.174 .175 | |
.176 .177-.190 .191 | |
.192 .193-.206 .207 | |
.208 .209-.222 .223 | |
.224 .225-.238 .239 | |
.240 .241-.254 .255 | |
>Openvpn сервер #1 для управления | |
port 61302 | |
proto tcp | |
dev tun | |
user nobody | |
group nogroup | |
persist-key | |
persist-tun | |
keepalive 10 120 | |
client-to-client | |
topology subnet | |
server 172.16.0.0 255.255.240.0 | |
route 172.0.0.0 255.255.240.0 | |
route 172.16.0.0 255.255.240.0 | |
push "route 172.16.0.0 255.255.240.0 172.16.0.2" | |
push "route 172.16.16.0 255.255.240.0 172.16.0.2" | |
push "dhcp-option DNS 194.135.89.143" | |
ifconfig-pool-persist ipp.txt | |
dh dh.pem | |
crl-verify crl.pem | |
ca ca.crt | |
cert server_OBUdS0CCEWg9NCHL.crt | |
key server_OBUdS0CCEWg9NCHL.key | |
auth SHA1 | |
cipher AES-128-CBC | |
ncp-ciphers AES-128-CBC | |
client-config-dir /etc/openvpn/ccd | |
status /var/log/openvpn/status.log | |
>Openvpn сервер #2 для удаленного офиса, все то же самое кроме | |
port 61301 | |
... | |
topology subnet | |
server 172.16.16.0 255.255.240.0 | |
push "dhcp-option DNS 194.135.89.143" | |
... | |
>CCD клиента для удаленного офиса | |
ifconfig-push 172.16.16.2 172.16.16.1 | |
iroute 172.16.16.0 255.255.240.0 | |
>Фаервол | |
iptables -A INPUT -i ens3 -m state --state NEW -p tcp --dport 61300:61400 -j ACCEPT | |
iptables -A INPUT -i tun+ -j ACCEPT | |
iptables -A FORWARD -i tun+ -j ACCEPT | |
iptables -A FORWARD -i tun+ -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT | |
iptables -A OUTPUT -o tun+ -j ACCEPT | |
Микротик | |
/interface wireless | |
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \ | |
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\ | |
MikroTik-0249AC wireless-protocol=802.11 | |
/interface ethernet | |
set [ find default-name=ether3 ] disabled=yes | |
set [ find default-name=ether4 ] disabled=yes | |
/interface pwr-line | |
set [ find default-name=pwr-line1 ] disabled=yes | |
/interface wireless security-profiles | |
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\ | |
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=12345678 \ | |
wpa2-pre-shared-key=trsnglitjsbtsnboitn | |
/ip pool | |
add name=default-dhcp ranges=192.168.88.10-192.168.88.254 | |
/ip dhcp-server | |
add address-pool=default-dhcp name=defconf | |
/ppp profile | |
add change-tcp-mss=yes name=OVPN-client only-one=yes use-compression=no \ | |
use-encryption=yes use-mpls=no use-upnp=no | |
/interface ovpn-client | |
add certificate=RemoteOffice.ovpn_1 cipher=aes128 connect-to=123.123.123.123 \ | |
mac-address=FE:AE:C3:DD:D7:23 name=myvpn port=61301 profile=OVPN-client \ | |
user=RemoteOffice verify-server-certificate=yes | |
/interface bridge port | |
add comment=defconf interface=ether2 | |
add comment=defconf interface=ether3 | |
add comment=defconf interface=ether4 | |
add comment=defconf interface=pwr-line1 | |
add comment=defconf interface=wlan1 | |
/ip address | |
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\ | |
192.168.88.0 | |
/ip dhcp-client | |
add comment=defconf disabled=no interface=ether1 | |
/ip dhcp-server network | |
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24 | |
/ip dns | |
set servers=8.8.8.8 | |
/ip dns static | |
add address=192.168.88.1 comment=defconf name=router.lan | |
/ip firewall filter | |
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ | |
connection-state=established,related | |
add action=accept chain=forward comment=\ | |
"defconf: accept established,related, untracked" connection-state=\ | |
established,related,untracked | |
add action=drop chain=forward comment="defconf: drop invalid" \ | |
connection-state=invalid | |
add action=drop chain=forward comment=\ | |
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ | |
connection-state=new in-interface-list=WAN | |
/ip firewall nat | |
add action=netmap chain=dstnat dst-address=172.16.17.0/24 in-interface=myvpn \ | |
log=yes to-addresses=192.168.88.0/24 | |
add action=netmap chain=srcnat fragment=no hotspot="" log=yes out-interface=\ | |
myvpn psd=21,3s,3,1 src-address=192.168.88.0/24 src-address-type="" \ | |
to-addresses=172.16.17.0/24 | |
add action=masquerade chain=srcnat out-interface=myvpn | |
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1 \ | |
src-address=192.168.88.0/24 | |
/ip route | |
add distance=1 gateway=myvpn | |
add distance=2 gateway=ether1 | |
add distance=1 dst-address=172.16.16.0/28 gateway=myvpn |