remro/gist:f17a83b445aeff04b3ea06eb52012089 Secret

## gistfile1.txt
ВПС

Install ovpn & add users
https://github.com/angristan/openvpn-install

Add exta servers
Copy config &
systemctl start openvpn@xxxxxx.service
systemctl status openvpn@*

172.16.0.0/28 255.255.255.240
.0		.1-.14		.15
.16		.17-.30		.31
.32		.33-.46		.47
.48		.49-.62		.63
.64		.65-.78		.79
.80		.81-.94		.95
.96		.97-.110	.111
.112	.113-.126	.127
.128	.129-.142	.143
.144	.145-.158	.159
.160	.161-.174	.175
.176	.177-.190	.191
.192	.193-.206	.207
.208	.209-.222	.223
.224	.225-.238	.239
.240	.241-.254	.255

>Openvpn сервер #1 для управления
port 61302
proto tcp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
client-to-client
topology subnet
server 172.16.0.0 255.255.240.0
route 172.0.0.0 255.255.240.0
route 172.16.0.0 255.255.240.0
push "route 172.16.0.0 255.255.240.0 172.16.0.2"
push "route 172.16.16.0 255.255.240.0 172.16.0.2"
push "dhcp-option DNS 194.135.89.143"
ifconfig-pool-persist ipp.txt
dh dh.pem
crl-verify crl.pem
ca ca.crt
cert server_OBUdS0CCEWg9NCHL.crt
key server_OBUdS0CCEWg9NCHL.key
auth SHA1
cipher AES-128-CBC
ncp-ciphers AES-128-CBC
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log

>Openvpn сервер #2 для удаленного офиса, все то же самое кроме
port 61301
...
topology subnet
server 172.16.16.0 255.255.240.0
push "dhcp-option DNS 194.135.89.143"
...

>CCD клиента для удаленного офиса
ifconfig-push 172.16.16.2 172.16.16.1
iroute 172.16.16.0 255.255.240.0

>Фаервол
iptables -A INPUT -i ens3 -m state --state NEW -p tcp --dport 61300:61400 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

Микротик

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-0249AC wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=12345678 \
    wpa2-pre-shared-key=trsnglitjsbtsnboitn

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp name=defconf

/ppp profile
add change-tcp-mss=yes name=OVPN-client only-one=yes use-compression=no \
    use-encryption=yes use-mpls=no use-upnp=no
/interface ovpn-client
add certificate=RemoteOffice.ovpn_1 cipher=aes128 connect-to=123.123.123.123 \
    mac-address=FE:AE:C3:DD:D7:23 name=myvpn port=61301 profile=OVPN-client \
    user=RemoteOffice verify-server-certificate=yes

/interface bridge port
add comment=defconf interface=ether2
add comment=defconf interface=ether3
add comment=defconf interface=ether4
add comment=defconf interface=pwr-line1
add comment=defconf interface=wlan1

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat
add action=netmap chain=dstnat dst-address=172.16.17.0/24 in-interface=myvpn \
    log=yes to-addresses=192.168.88.0/24
add action=netmap chain=srcnat fragment=no hotspot="" log=yes out-interface=\
    myvpn psd=21,3s,3,1 src-address=192.168.88.0/24 src-address-type="" \
    to-addresses=172.16.17.0/24
add action=masquerade chain=srcnat out-interface=myvpn
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1 \
    src-address=192.168.88.0/24

/ip route
add distance=1 gateway=myvpn
add distance=2 gateway=ether1
add distance=1 dst-address=172.16.16.0/28 gateway=myvpn
	ВПС

	Install ovpn & add users
	https://github.com/angristan/openvpn-install

	Add exta servers
	Copy config &
	systemctl start openvpn@xxxxxx.service
	systemctl status openvpn@*

	172.16.0.0/28 255.255.255.240
	.0 .1-.14 .15
	.16 .17-.30 .31
	.32 .33-.46 .47
	.48 .49-.62 .63
	.64 .65-.78 .79
	.80 .81-.94 .95
	.96 .97-.110 .111
	.112 .113-.126 .127
	.128 .129-.142 .143
	.144 .145-.158 .159
	.160 .161-.174 .175
	.176 .177-.190 .191
	.192 .193-.206 .207
	.208 .209-.222 .223
	.224 .225-.238 .239
	.240 .241-.254 .255

	>Openvpn сервер #1 для управления
	port 61302
	proto tcp
	dev tun
	user nobody
	group nogroup
	persist-key
	persist-tun
	keepalive 10 120
	client-to-client
	topology subnet
	server 172.16.0.0 255.255.240.0
	route 172.0.0.0 255.255.240.0
	route 172.16.0.0 255.255.240.0
	push "route 172.16.0.0 255.255.240.0 172.16.0.2"
	push "route 172.16.16.0 255.255.240.0 172.16.0.2"
	push "dhcp-option DNS 194.135.89.143"
	ifconfig-pool-persist ipp.txt
	dh dh.pem
	crl-verify crl.pem
	ca ca.crt
	cert server_OBUdS0CCEWg9NCHL.crt
	key server_OBUdS0CCEWg9NCHL.key
	auth SHA1
	cipher AES-128-CBC
	ncp-ciphers AES-128-CBC
	client-config-dir /etc/openvpn/ccd
	status /var/log/openvpn/status.log

	>Openvpn сервер #2 для удаленного офиса, все то же самое кроме
	port 61301
	...
	topology subnet
	server 172.16.16.0 255.255.240.0
	push "dhcp-option DNS 194.135.89.143"
	...

	>CCD клиента для удаленного офиса
	ifconfig-push 172.16.16.2 172.16.16.1
	iroute 172.16.16.0 255.255.240.0

	>Фаервол
	iptables -A INPUT -i ens3 -m state --state NEW -p tcp --dport 61300:61400 -j ACCEPT
	iptables -A INPUT -i tun+ -j ACCEPT
	iptables -A FORWARD -i tun+ -j ACCEPT
	iptables -A FORWARD -i tun+ -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -o tun+ -j ACCEPT

	Микротик

	/interface wireless
	set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
	distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
	MikroTik-0249AC wireless-protocol=802.11
	/interface ethernet
	set [ find default-name=ether3 ] disabled=yes
	set [ find default-name=ether4 ] disabled=yes
	/interface pwr-line
	set [ find default-name=pwr-line1 ] disabled=yes
	/interface wireless security-profiles
	set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
	dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=12345678 \
	wpa2-pre-shared-key=trsnglitjsbtsnboitn

	/ip pool
	add name=default-dhcp ranges=192.168.88.10-192.168.88.254
	/ip dhcp-server
	add address-pool=default-dhcp name=defconf

	/ppp profile
	add change-tcp-mss=yes name=OVPN-client only-one=yes use-compression=no \
	use-encryption=yes use-mpls=no use-upnp=no
	/interface ovpn-client
	add certificate=RemoteOffice.ovpn_1 cipher=aes128 connect-to=123.123.123.123 \
	mac-address=FE:AE:C3:DD:D7:23 name=myvpn port=61301 profile=OVPN-client \
	user=RemoteOffice verify-server-certificate=yes

	/interface bridge port
	add comment=defconf interface=ether2
	add comment=defconf interface=ether3
	add comment=defconf interface=ether4
	add comment=defconf interface=pwr-line1
	add comment=defconf interface=wlan1

	/ip address
	add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
	192.168.88.0
	/ip dhcp-client
	add comment=defconf disabled=no interface=ether1
	/ip dhcp-server network
	add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
	/ip dns
	set servers=8.8.8.8
	/ip dns static
	add address=192.168.88.1 comment=defconf name=router.lan

	/ip firewall filter
	add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
	connection-state=established,related
	add action=accept chain=forward comment=\
	"defconf: accept established,related, untracked" connection-state=\
	established,related,untracked
	add action=drop chain=forward comment="defconf: drop invalid" \
	connection-state=invalid
	add action=drop chain=forward comment=\
	"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
	connection-state=new in-interface-list=WAN

	/ip firewall nat
	add action=netmap chain=dstnat dst-address=172.16.17.0/24 in-interface=myvpn \
	log=yes to-addresses=192.168.88.0/24
	add action=netmap chain=srcnat fragment=no hotspot="" log=yes out-interface=\
	myvpn psd=21,3s,3,1 src-address=192.168.88.0/24 src-address-type="" \
	to-addresses=172.16.17.0/24
	add action=masquerade chain=srcnat out-interface=myvpn
	add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1 \
	src-address=192.168.88.0/24

	/ip route
	add distance=1 gateway=myvpn
	add distance=2 gateway=ether1
	add distance=1 dst-address=172.16.16.0/28 gateway=myvpn