VPN Setup, Part 2: Routing Your Traffic Through the OpenVPN Tunnel

This article is the second part of http://devops.webres.wang/2016/10/debian-8-setup-secure-openvpn/

OpenVPN configuration

The OpenVPN server configuration file /etc/openvpn/server.conf needs a few changes.
1. Have OpenVPN push a default-gateway setting to clients, so that all client traffic is sent through the VPN.
/etc/openvpn/server.conf:

  # If enabled, this directive will configure
  # all clients to redirect their default
  # network gateway through the VPN, causing
  # all IP traffic such as web browsing and
  # DNS lookups to go through the VPN
  # (The OpenVPN server machine may need to NAT
  # or bridge the TUN/TAP interface to the internet
  # in order for this to work properly).
  push "redirect-gateway def1 bypass-dhcp"

2. Push DNS server addresses to client devices.
/etc/openvpn/server.conf:

  # Certain Windows-specific network settings
  # can be pushed to clients, such as DNS
  # or WINS server addresses.  CAVEAT:
  # http://openvpn.net/faq.html#dhcpcaveats
  # The addresses below refer to the public
  # DNS servers provided by opendns.com.
  push "dhcp-option DNS 208.67.222.222"
  push "dhcp-option DNS 208.67.220.220"

3. Restart OpenVPN.

  sudo systemctl restart openvpn.service

Network rules

1. Create the IPv4 rules:
/etc/iptables/rules.v4

  *filter
   
  # Allow all loopback (lo) traffic and reject traffic
  # to localhost that does not originate from lo.
  -A INPUT -i lo -j ACCEPT
  -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
  -A OUTPUT -o lo -j ACCEPT
   
  # Allow ping and ICMP error returns.
  -A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
  -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A OUTPUT -p icmp -j ACCEPT
   
  # Allow SSH.
  -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
  -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
   
  # Allow UDP traffic on port 1194.
  -A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
  -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
   
  # Allow DNS resolution and limited HTTP/S on eth0.
  # Necessary for updating the server and keeping time.
  -A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
  -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
  -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 53 -j ACCEPT
  -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
   
  -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
  -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
  -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
  -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
   
  # Allow traffic on the TUN interface.
  -A INPUT -i tun0 -j ACCEPT
  -A FORWARD -i tun0 -j ACCEPT
  -A OUTPUT -o tun0 -j ACCEPT
   
  # Allow forwarding traffic only from the VPN.
  -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
  -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
   
  # Log any packets which don't fit the rules above...
  # (optional but useful)
  -A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
  -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4
  -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: " --log-level 4
   
  # then reject them.
  -A INPUT -j REJECT
  -A FORWARD -j REJECT
  -A OUTPUT -j REJECT
   
  COMMIT

2. Load the new rules.

  sudo iptables-restore < /etc/iptables/rules.v4

3. Apply the routing (NAT) rule so that traffic from the VPN subnet can be forwarded out correctly.

  sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

4. Save the currently loaded rules.

  sudo dpkg-reconfigure iptables-persistent

5. Enable IPv4 forwarding.

  echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.d/99-sysctl.conf

6. Apply the setting.

  sudo sysctl -p

7. Restart OpenVPN.

  sudo systemctl restart openvpn.service
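Before loading the rules file with iptables-restore it is worth checking both edited files offline, because two things commonly break this setup: a rule that was dropped while editing, and "--" turned into an en dash by copying from a web page, which iptables-restore refuses. The script below is an added example and is not part of the original article; the sample files it builds are constructed, and the file names and function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: offline sanity checks for the
# two files this part of the guide edits. The sample files below are constructed;
# point the functions at the real /etc/iptables/rules.v4 and /etc/openvpn/server.conf.
# has_line FILE STRING -> 0 if a non-comment line in FILE contains STRING
has_line() {
    grep -v '^[[:space:]]*#' "$1" | grep -Fq -- "$2"
}
# check_dashes FILE -> 1 if FILE contains the en dash (U+2013) that web
# copy/paste turns "--" into; iptables-restore rejects such options
check_dashes() {
    if grep -Fq "$(printf '\342\200\223')" "$1"; then
        echo "$1: contains U+2013 where -- was expected" >&2
        return 1
    fi
}
# audit_rules FILE -> 0 only if the filter rules the tunnel depends on exist
audit_rules() {
    check_dashes "$1" || return 1
    for needed in '-A INPUT -i lo -j ACCEPT' \
        '-p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT' \
        '-A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT' \
        '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A FORWARD -j REJECT' 'COMMIT'; do
        has_line "$1" "$needed" || { echo "$1: missing '$needed'" >&2; return 1; }
    done
}
# audit_server_conf FILE -> 0 if the gateway push and a DNS push are present
audit_server_conf() {
    has_line "$1" 'push "redirect-gateway def1 bypass-dhcp"' || return 1
    has_line "$1" 'push "dhcp-option DNS '
}
# Constructed samples: a correct rules file, the same file as pasted from a
# web page (dashes mangled), and a minimal server.conf
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good.v4" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT
COMMIT
EOF
sed "s/--/$(printf '\342\200\223')/g" "$SAMPLES/good.v4" > "$SAMPLES/pasted.v4"
printf 'push "redirect-gateway def1 bypass-dhcp"\npush "dhcp-option DNS 208.67.222.222"\n' > "$SAMPLES/server.conf"
```

Run audit_rules against the real rules.v4 before step 2 and audit_server_conf against server.conf before restarting OpenVPN; a non-zero exit and the message on stderr name the missing or mangled line.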