Difference between revisions of "Pomo as OpenVPN server"
From Tech
Jump to navigationJump to search (Created page with "* using OpenVPN, see [http://wiki.debian.org/OpenVPN wiki.debian.org OpenVPN] on how to set up * For NAT, using iptables, and the script from [http://www.debian-administration.or…") |
|||
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
* using OpenVPN, see [http://wiki.debian.org/OpenVPN wiki.debian.org OpenVPN] on how to set up |
* using OpenVPN, see [http://wiki.debian.org/OpenVPN wiki.debian.org OpenVPN] on how to set up |
||
* For NAT, using iptables, and the script from [http://www.debian-administration.org/articles/23 debian-administration.org] |
* For NAT, using iptables, and the script from [http://www.debian-administration.org/articles/23 debian-administration.org] |
||
| + | =iptables= |
||
| + | |||
| + | For iptables, I'm using this <tt>/etc/init.d/iptables</tt> script: |
||
| + | <nowiki>#!/bin/sh |
||
| + | |||
| + | PATH=/usr/sbin:/sbin:/bin:/usr/bin |
||
| + | EXT=eth0 |
||
| + | INT=tun1 |
||
| + | # |
||
| + | # delete all existing rules. |
||
| + | # |
||
| + | iptables -F |
||
| + | iptables -t nat -F |
||
| + | iptables -t mangle -F |
||
| + | iptables -X |
||
| + | |||
| + | |||
| + | case $1 in |
||
| + | start|restart) |
||
| + | # Always accept loopback traffic |
||
| + | iptables -A INPUT -i lo -j ACCEPT |
||
| + | |||
| + | |||
| + | # Allow established connections, and those not coming from the outside |
||
| + | iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
||
| + | iptables -A INPUT -m state --state NEW ! -i $EXT -j ACCEPT |
||
| + | iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT |
||
| + | |||
| + | # Allow outgoing connections from the LAN side. |
||
| + | iptables -A FORWARD -i $INT -o $EXT -j ACCEPT |
||
| + | |||
| + | # Masquerade. |
||
| + | iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE |
||
| + | |||
| + | # Don't forward from the outside to the inside. |
||
| + | iptables -A FORWARD -i $EXT -o $EXT -j REJECT |
||
| + | |||
| + | # Enable routing. |
||
| + | echo 1 > /proc/sys/net/ipv4/ip_forward |
||
| + | ;; |
||
| + | stop) |
||
| + | echo 0 > /proc/sys/net/ipv4/ip_forward |
||
| + | ;; |
||
| + | esac</nowiki> |
||
| + | |||
| + | =openvpn= |
||
| + | Using [https://play.google.com/store/apps/details?id=de.blinkt.openvpn openvpn android app]. This apparently doesn't work with the static config, but it does work with the TLS certificated generated by [http://wiki.debian.org/OpenVPN wiki.debian.org OpenVPN]. The certs are in <tt>/etc/openvpn</tt> on my nexus 7 |
||
Latest revision as of 15:23, 26 December 2012
- using OpenVPN, see wiki.debian.org OpenVPN on how to set up
- For NAT, using iptables, and the script from debian-administration.org
iptables
For iptables, I'm using this /etc/init.d/iptables script:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
EXT=eth0
INT=tun1
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
case $1 in
start|restart)
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $EXT -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i $INT -o $EXT -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i $EXT -o $EXT -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
;;
stop)
echo 0 > /proc/sys/net/ipv4/ip_forward
;;
esac
openvpn
Using openvpn android app. This apparently doesn't work with the static config, but it does work with the TLS certificated generated by wiki.debian.org OpenVPN. The certs are in /etc/openvpn on my nexus 7
