New VPN Server
Saturday, 30 March 2019
10:46
**Server Details**
**=============================**
**Hostname: kvm-0219.server-rapid-host.de**
Main IP:
Root Password: VsdECbgY*kN5 changed .Bunte1.
SSH Port: 22
IP address: 5.104.110.219
Routes
root@kvm-0219:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default ve301-s3-h0521. 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
ve301-s3-h0521. 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.132.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
root@kvm-0219:~#
Firewall rules:
# Generated by iptables-save v1.4.14 on Sat Jun 15 20:28:54 2019
*raw
:PREROUTING ACCEPT [46939888:7861470454]
:OUTPUT ACCEPT [40553918:9712203424]
COMMIT
# Completed on Sat Jun 15 20:28:54 2019
# Generated by iptables-save v1.4.14 on Sat Jun 15 20:28:54 2019
*nat
:PREROUTING ACCEPT [2714613:172384622]
:POSTROUTING ACCEPT [896761:60296620]
:OUTPUT ACCEPT [670249:48861805]
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.132.7:443
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.132.7:80
-A POSTROUTING -s 192.168.132.0/24 -o eth0 -j SNAT --to-source 5.104.110.219
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 5.104.110.219
COMMIT
# Completed on Sat Jun 15 20:28:54 2019
# Generated by iptables-save v1.4.14 on Sat Jun 15 20:28:54 2019
*filter
:INPUT ACCEPT [41293551:4967640475]
:FORWARD ACCEPT [913841:70809128]
:OUTPUT ACCEPT [40553918:9712203424]
-A FORWARD -s 192.168.132.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jun 15 20:28:54 2019
# Generated by iptables-save v1.4.14 on Sat Jun 15 20:28:54 2019
*mangle
:PREROUTING ACCEPT [46939888:7861470454]
:INPUT ACCEPT [41293551:4967640475]
:FORWARD ACCEPT [5582343:2882891385]
:OUTPUT ACCEPT [40553918:9712203424]
:POSTROUTING ACCEPT [46136261:12595094809]
COMMIT
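The rules above forward ports 80 and 443 from the public address to 192.168.132.7 behind the tunnel, and the filter table's FORWARD chain has a default policy of ACCEPT; the two explicit FORWARD rules only cover tunnel-to-Internet traffic and RELATED/ESTABLISHED state, so the DNAT'd traffic is admitted by the chain policy rather than by a rule. The following script is an added example, not part of the original notes: it parses an iptables-save dump (a constructed copy of the nat and filter tables above, with the packet counters zeroed) and reports, for each DNAT target, whether an explicit `-d <host> ... -j ACCEPT` FORWARD rule exists or whether forwarding rests on the chain policy. The function names and the `IPTABLES_DUMP` variable are the example's own.

```shell
#!/bin/sh
# Constructed copy of the nat/filter tables from the notes above (counters zeroed).
IPTABLES_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.132.7:443
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.132.7:80
-A POSTROUTING -s 192.168.132.0/24 -o eth0 -j SNAT --to-source 5.104.110.219
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 5.104.110.219
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.132.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# forward_policy DUMP -> prints the default policy of the filter table's FORWARD chain
forward_policy() {
    printf '%s\n' "$1" | awk '/^\*/{t=$1} t=="*filter" && $1==":FORWARD"{print $2}'
}

# dnat_targets DUMP -> prints "host:port" for every DNAT rule in the dump
dnat_targets() {
    printf '%s\n' "$1" | awk '/-j DNAT/{for(i=1;i<=NF;i++) if($i=="--to-destination") print $(i+1)}'
}

# has_forward_accept DUMP HOST -> succeeds if an explicit FORWARD ACCEPT rule names HOST as destination
has_forward_accept() {
    printf '%s\n' "$1" | grep -Eq -- "-A FORWARD .*-d ${2}(/32)? .*-j ACCEPT"
}

# audit DUMP -> one line per DNAT target: "explicit" or "via-policy-<FORWARD policy>"
audit() {
    pol=$(forward_policy "$1")
    for t in $(dnat_targets "$1"); do
        host=${t%%:*}
        if has_forward_accept "$1" "$host"; then
            echo "$t explicit"
        else
            echo "$t via-policy-$pol"
        fi
    done
}

audit "$IPTABLES_DUMP"
```

Run against a live box with `audit "$(iptables-save)"` instead of the embedded dump. A target reported as `via-policy-ACCEPT` is reachable only because the chain policy is permissive; the usual hardening is a `FORWARD DROP` policy plus explicit accepts for the DNAT'd destination and for `RELATED,ESTABLISHED`, after which the same target reports `explicit`.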
Server conf:
port 1194
proto udp
dev tun
ca ca.crt
cert VPNServer.crt
key VPNServer.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.132.0 255.255.255.0"
client-config-dir ccd
route 192.168.132.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
;log-append openvpn.log
verb 3
explicit-exit-notify 1
Client Conf
The directory CCD must exist, and it must contain a file with the following content:
# Internal routing to the home network via this client
iroute 192.168.132.0 255.255.255.0
The file name must match the name in the client conf.
In my case that is datenserver
The ccd directory must be created under /etc/openvpn; it must contain a file named after the client (for example vpn-router) containing "iroute 192.168.132.0 255.255.255.0".
Only then is the whole network behind the client reachable; otherwise it is not.
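The client-side network is only reachable when both halves are present: the `route 192.168.132.0 255.255.255.0` directive in the server conf (kernel route into the tun device) and the `iroute` line in the client's ccd file (OpenVPN's internal mapping of that network to the client). The script below is an added example, not part of the original notes: it writes the ccd file for a named client and checks that every `iroute` in it has a matching `route` in the server conf. The directory is a parameter so the demo runs in a temporary directory rather than /etc/openvpn; the function names, the minimal `server.conf` and the client name `other-client` are constructed for the example.

```shell
#!/bin/sh
# Creates the per-client ccd file and verifies it against the server config.
# DIR stands in for /etc/openvpn so the example can run in a scratch directory.

# write_ccd DIR CLIENT NET MASK -> creates DIR/ccd/CLIENT with a single iroute line
write_ccd() {
    mkdir -p "$1/ccd"
    printf 'iroute %s %s\n' "$3" "$4" > "$1/ccd/$2"
}

# ccd_matches_server DIR CLIENT -> succeeds when every iroute in DIR/ccd/CLIENT
# has a matching "route NET MASK" line in DIR/server.conf (the server needs both)
ccd_matches_server() {
    f="$1/ccd/$2"
    [ -f "$f" ] || return 1
    while read -r kw net mask; do
        [ "$kw" = "iroute" ] || continue
        grep -Eq "^route[[:space:]]+$net[[:space:]]+$mask([[:space:]]|$)" "$1/server.conf" || return 1
    done < "$f"
    return 0
}

# Demo: constructed minimal server.conf in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'server 10.8.0.0 255.255.255.0\nroute 192.168.132.0 255.255.255.0\nclient-config-dir ccd\n' > "$d/server.conf"
    write_ccd "$d" vpn-router 192.168.132.0 255.255.255.0
    ccd_matches_server "$d" vpn-router && echo "vpn-router: iroute has a matching server route"
    # A client announcing a network the server does not route: the check fails.
    write_ccd "$d" other-client 192.168.50.0 255.255.255.0
    ccd_matches_server "$d" other-client || echo "other-client: no matching route in server.conf"
    rm -rf "$d"
}

demo
```

On the real server the call would be `write_ccd /etc/openvpn vpn-router 192.168.132.0 255.255.255.0` followed by `ccd_matches_server /etc/openvpn vpn-router`; the file name must equal the name OpenVPN uses for that client, otherwise the ccd entry is never applied and the network behind the client stays unreachable, exactly as the note above says.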