This article is the second part of http://devops.webres.wang/2016/10/debian-8-setup-secure-openvpn/
OpenVPN configuration
The OpenVPN server configuration file /etc/openvpn/server.conf needs a few changes.
1. Push the default-gateway setting to clients so that all client traffic is routed through the OpenVPN tunnel.
/etc/openvpn/server.conf:
```
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
```
2. Push DNS server addresses to client devices
/etc/openvpn/server.conf:
```
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
```
3. Restart OpenVPN
```
sudo systemctl restart openvpn.service
```
Network rules
1. Create the IPv4 rules:
/etc/iptables/rules.v4
```
*filter
# Allow all loopback (lo) traffic and reject traffic
# to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT
# Allow ping and ICMP error returns.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Allow SSH.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
# Allow UDP traffic on port 1194.
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
# Allow DNS resolution and limited HTTP/S on eth0.
# Necessary for updating the server and keeping time.
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
# Allow traffic on the TUN interface.
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
# Allow forwarding traffic only from the VPN.
-A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log any packets which don't fit the rules above...
# (optional but useful)
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: " --log-level 4
# then reject them.
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT
COMMIT
```
2. Load the new rules
```
sudo iptables-restore < /etc/iptables/rules.v4
```
3. Apply the NAT routing rule so that traffic from VPN clients can be forwarded correctly.
```
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```
4. Save the currently loaded rules
```
sudo dpkg-reconfigure iptables-persistent
```
5. Enable IPv4 forwarding
```
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.d/99-sysctl.conf
```
6. Apply the setting (sysctl -p reads /etc/sysctl.conf, which on Debian is the target of the /etc/sysctl.d/99-sysctl.conf symlink, so the line appended above is picked up)
```
sudo sysctl -p
```
7. Restart OpenVPN
```
sudo systemctl restart openvpn.service
```
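Before loading a rules file with iptables-restore (step 2 above), a lint pass catches the two things that most often go wrong when rules are copied from a web page: typographic dashes and quotes that iptables-restore rejects, and rule ordering that no longer matches the comments in the file. The checker below is an added example, not code from the original post; SAMPLE_RULES is a constructed, cut-down copy of the rules.v4 listing, and the checks it applies (default deny per chain, source-pinned FORWARD ACCEPT) are my own.

```python
import shlex
# Constructed sample: a cut-down rules.v4 in the shape of the listing above, with
# an en-dash ("–state") of the kind copy-paste introduces; iptables-restore rejects it.
SAMPLE_RULES = """*filter
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A INPUT -p icmp -m state –state NEW –icmp-type 8 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT
COMMIT
"""
BAD_CHARS = {"\u2013": "--", "\u2014": "--", "\u2018": "'", "\u2019": "'"}  # typographic lookalikes

def parse_rule(line):
    """(chain, {option: value}) for one '-A' line; assumes every option takes
    one value, as in the listing above, and folds '!' into the name ('!-i')."""
    tokens = shlex.split(line)
    chain, opts, neg, i = tokens[1], {}, "", 2
    while i < len(tokens):
        if tokens[i] == "!":
            neg, i = "!", i + 1
            continue
        opts[neg + tokens[i]] = tokens[i + 1]
        neg, i = "", i + 2
    return chain, opts

def lint_rules(text, vpn_subnet="10.8.0.0/24"):
    """Return a list of findings for an iptables-restore style rules file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for ch, fix in BAD_CHARS.items():
            if ch in line:
                findings.append(f"line {n}: {ch!r} should be {fix!r}")
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]
    # Default deny: the last rule of every filter chain must be REJECT/DROP.
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        targets = [o.get("-j") for c, o in rules if c == chain]
        if not targets or targets[-1] not in ("REJECT", "DROP"):
            findings.append(f"{chain}: chain does not end in REJECT/DROP")
    # "Allow forwarding traffic only from the VPN" needs every FORWARD ACCEPT except the
    # stateful return rule to pin -s; the broad "-A FORWARD -i tun0 -j ACCEPT" is reported.
    for chain, o in rules:
        if chain == "FORWARD" and o.get("-j") == "ACCEPT" and "--state" not in o and o.get("-s") != vpn_subnet:
            findings.append(f"FORWARD ACCEPT without -s {vpn_subnet}: -i {o.get('-i')}")
    return findings
```

Run it against the real file with `lint_rules(open("/etc/iptables/rules.v4").read())` and fix every finding before step 2.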