VPN

From "PTTLink Wiki"
Revision as of 21:28, 15 November 2020 by Bryan
THIS ARTICLE IS A WORK IN PROGRESS AND IS STILL BEING EDITED BY THE AUTHOR

VPN

The following contains information on how to set up a Virtual Private Network (VPN) connection using various popular packages.

IPSEC

Information on how to set up IPSEC tunnels.

strongSwan to MikroTik

Use the following configurations to connect a system running strongSwan[1] to a MikroTik[2] device using IPSEC.

strongSwan config

The following configuration will work on FreeBSD or Linux systems with strongSwan installed.

Note: You can use this config to connect two non-MikroTik systems as well. Just replicate the config below for each system you wish to connect.

ipsec.conf

/etc/ipsec.conf:

    conn <name>
        authby=secret
        auto=route
        keyexchange=ike
        left=<your local IP>
        right=<remote IP of Mikrotik system>
        leftikeport=500
        rightikeport=500
        type=transport
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpddelay=5
        dpdtimeout=20
        dpdaction=clear

ipsec.secrets

/etc/ipsec.secrets:

   <your local IP> <remote IP of Mikrotik system> :  PSK "<Put your preshared key here>"

MikroTik Config

The following config is best done from the terminal on a MikroTik device.

Note: You can use the following config to connect two MikroTik systems. Just replicate the config below on each system you wish to connect.

 # The profile and proposal are created first because the peer and policy below refer to them by name
 /ip ipsec profile
 add name="ike2" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des,des dh-group=modp2048,modp1024 lifetime=8h proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5
 
 /ip ipsec proposal
 add name="ike2" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=30m pfs-group=none
 
 /ip ipsec peer
 add name="<name of strongswan system>" address=<remote IP of strongswan system> profile=ike2 exchange-mode=main send-initial-contact=yes
 
 # The identity refers to the peer by its name, not by its address
 /ip ipsec identity
 add peer="<name of strongswan system>" auth-method=pre-shared-key secret="<Put your preshared key here>" generate-policy=no
 
 /ip ipsec policy
 add src-address=0.0.0.0/0 dst-address=<remote IP of strongswan system> proposal=ike2 ipsec-protocols=esp
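
Before bringing the tunnel up it is worth checking that the two sides' algorithm lists actually overlap, since a proposal mismatch is the usual reason an IKE negotiation fails with these configs. The following script is an added example, not from the wiki or from either vendor: it encodes the MikroTik lists above and a name mapping between strongSwan and RouterOS spellings (an assumption that covers only the non-AEAD names used on this page) and reports which enc/integ/dh triple would be negotiated.

```shell
#!/bin/sh
# Added example (not from the PTTLink wiki): check that the strongSwan ike=/esp=
# proposals above can be negotiated against the MikroTik profile/proposal lists,
# so an algorithm mismatch is found before the tunnel is brought up.
# Assumes each strongSwan proposal is written "enc-integ[-dh]" as on this page,
# and the name mapping in ss_to_mt (an assumption); AEAD ciphers are not handled.

# MikroTik lists, copied from the /ip ipsec profile and proposal entries above
MT_PROFILE_ENC="aes-256,aes-192,aes-128,3des,des"
MT_PROFILE_HASH="sha1"
MT_PROFILE_DH="modp2048,modp1024"
MT_PROPOSAL_ENC="aes-256-cbc,aes-128-cbc"
MT_PROPOSAL_AUTH="sha256,sha1"
MT_PROPOSAL_PFS="none"

# in_list ITEM "a,b,c" -> 0 if ITEM is one of the comma-separated values
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# ss_to_mt NAME ike|esp -> MikroTik spelling of a strongSwan algorithm name:
# aes256 is "aes-256" in a profile but "aes-256-cbc" in an ESP proposal;
# 3des, des, sha1, sha256, modpNNNN and ecpNNN are spelled the same on both
ss_to_mt() {
    case $1 in
        aes128|aes192|aes256)
            if [ "$2" = esp ]; then echo "aes-${1#aes}-cbc"; else echo "aes-${1#aes}"; fi ;;
        *) echo "$1" ;;
    esac
}

# proposal_matches PROPOSAL ike|esp ENC_LIST HASH_LIST DH_LIST
# PROPOSAL is one strongSwan proposal (e.g. aes256-sha1-modp1024); for esp,
# DH_LIST is the MikroTik pfs-group ("none" when PFS is off).
# Prints the negotiable "enc/integ/dh" triple and returns 0, else returns 1.
proposal_matches() {
    p=${1%!} mode=$2 encl=$3 integl=$4 dhl=$5
    enc="" integ="" dh="" want_dh=no
    for tok in $(printf '%s' "$p" | tr '-' ' '); do
        case $tok in
            modp*|ecp*|curve25519)
                want_dh=yes
                if [ -z "$dh" ] && in_list "$tok" "$dhl"; then dh=$tok; fi ;;
            sha*|md5)
                if [ -z "$integ" ] && in_list "$tok" "$integl"; then integ=$tok; fi ;;
            *)
                mt=$(ss_to_mt "$tok" "$mode")
                if [ -z "$enc" ] && in_list "$mt" "$encl"; then enc=$mt; fi ;;
        esac
    done
    # IKE always needs a DH group; ESP without one needs pfs-group=none
    if [ "$mode" = esp ] && [ "$want_dh" = no ]; then
        in_list none "$dhl" && dh=none
    fi
    if [ -n "$enc" ] && [ -n "$integ" ] && [ -n "$dh" ]; then
        echo "$enc/$integ/$dh"
        return 0
    fi
    return 1
}

# check_tunnel IKE_STR ESP_STR -> 0 when at least one ike= proposal is accepted
# by the MikroTik profile AND one esp= proposal by the MikroTik proposal; the
# strongSwan strings may hold several comma-separated proposals and a trailing !
check_tunnel() {
    ike_ok="" esp_ok=""
    for p in $(printf '%s' "${1%!}" | tr ',' ' '); do
        m=$(proposal_matches "$p" ike "$MT_PROFILE_ENC" "$MT_PROFILE_HASH" "$MT_PROFILE_DH") &&
            { ike_ok="$p -> $m"; break; }
    done
    for p in $(printf '%s' "${2%!}" | tr ',' ' '); do
        m=$(proposal_matches "$p" esp "$MT_PROPOSAL_ENC" "$MT_PROPOSAL_AUTH" "$MT_PROPOSAL_PFS") &&
            { esp_ok="$p -> $m"; break; }
    done
    echo "IKE: ${ike_ok:-NO MATCH for $1, check /ip ipsec profile}"
    echo "ESP: ${esp_ok:-NO MATCH for $2, check /ip ipsec proposal}"
    [ -n "$ike_ok" ] && [ -n "$esp_ok" ]
}

# the ipsec.conf values from this page; the exit status says whether they can be negotiated
check_tunnel 'aes256-sha1-modp1024!' 'aes256-sha1!'
```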

OpenVPN

Information on OpenVPN is available from https://openvpn.net/[3]

TINC

Tinc is an open-source, self-routing mesh networking protocol used for compressed, encrypted virtual private networks.

Tinc is available for FreeBSD, OpenBSD, NetBSD, DragonFly BSD, Mac OS X, Linux, Microsoft Windows, Solaris, iOS (jailbroken only), and Android, with full support for IPv6.

You can download tinc for *nix and Windows systems from https://www.tinc-vpn.org/[4]

The tinc website includes many examples on common setups. They can be found at https://www.tinc-vpn.org/examples/

Standard tinc setup

Tinc can be set up in a mesh network with multiple systems.

Note: You can set up tinc with just two systems using these instructions, adjusting the steps accordingly.

For this setup we will have three hosts called Server 1, Server 2, and Server 3. The following is a brief synopsis of the network config for each:

 
Tinc Mesh Network Example

VPN NAME: NoMoreSecrets

SERVER 1:

   public ip:    1.1.1.100
   vpn ip:       10.0.0.1
   connects to:  server 2, server 3

SERVER 2:

   public ip:    1.1.2.100
   vpn ip:       10.0.0.2
   connects to:  server 1, server 3

SERVER 3:

   public ip:    1.1.3.100
   vpn ip:       10.0.0.3
   connects to:  server 1, server 2

The following directory tree will be present on all three hosts for this setup:

/etc
└── tinc
    └── NoMoreSecrets
        ├── hosts
        │   ├── server1
        │   ├── server2
        │   └── server3
        ├── rsa_key.priv
        ├── tinc.conf
        ├── tinc-down
        └── tinc-up

Individual node setup and configuration

All servers used in this example will be running Ubuntu 18.04.

Server1
  • Install tinc
   apt install tinc -y
  • Create directories
   mkdir -p /etc/tinc/NoMoreSecrets/hosts/

Create the following files:

  • /etc/tinc/NoMoreSecrets/hosts/server1:
   Address = 1.1.1.100
   Subnet = 10.0.0.1
  • /etc/tinc/NoMoreSecrets/tinc.conf:
   Name = server1
   Interface = tun0
   AddressFamily = ipv4
   ConnectTo = server2
   ConnectTo = server3
  • /etc/tinc/NoMoreSecrets/tinc-up:
   #!/bin/sh
   ip link set $INTERFACE up
   ip addr add 10.0.0.1/32 dev $INTERFACE
   ip route add 10.0.0.0/24 dev $INTERFACE
  • /etc/tinc/NoMoreSecrets/tinc-down:
   #!/bin/sh
   ip route del 10.0.0.0/24 dev $INTERFACE
   ip addr del 10.0.0.1/32 dev $INTERFACE
   ip link set $INTERFACE down
Server2
  • Install tinc
   apt install tinc -y
  • Create directories
   mkdir -p /etc/tinc/NoMoreSecrets/hosts/

Create the following files:

  • /etc/tinc/NoMoreSecrets/hosts/server2:
   Address = 1.1.2.100
   Subnet = 10.0.0.2
  • /etc/tinc/NoMoreSecrets/tinc.conf:
   Name = server2
   Interface = tun0
   AddressFamily = ipv4
   ConnectTo = server1
   ConnectTo = server3
  • /etc/tinc/NoMoreSecrets/tinc-up:
   #!/bin/sh
   ip link set $INTERFACE up
   ip addr add 10.0.0.2/32 dev $INTERFACE
   ip route add 10.0.0.0/24 dev $INTERFACE
  • /etc/tinc/NoMoreSecrets/tinc-down:
   #!/bin/sh
   ip route del 10.0.0.0/24 dev $INTERFACE
   ip addr del 10.0.0.2/32 dev $INTERFACE
   ip link set $INTERFACE down
Server3
  • Install tinc
   apt install tinc -y
  • Create directories
   mkdir -p /etc/tinc/NoMoreSecrets/hosts/

Create the following files:

  • /etc/tinc/NoMoreSecrets/hosts/server3:
   Address = 1.1.3.100
   Subnet = 10.0.0.3
  • /etc/tinc/NoMoreSecrets/tinc.conf:
   Name = server3
   Interface = tun0
   AddressFamily = ipv4
   ConnectTo = server1
   ConnectTo = server2
  • /etc/tinc/NoMoreSecrets/tinc-up:
   #!/bin/sh
   ip link set $INTERFACE up
   ip addr add 10.0.0.3/32 dev $INTERFACE
   ip route add 10.0.0.0/24 dev $INTERFACE
  • /etc/tinc/NoMoreSecrets/tinc-down:
   #!/bin/sh
   ip route del 10.0.0.0/24 dev $INTERFACE
   ip addr del 10.0.0.3/32 dev $INTERFACE
   ip link set $INTERFACE down
Create keypair
  • On all servers create a public/private keypair with:
   tincd -n NoMoreSecrets -K4096
Synchronize host files
  • Synchronize host files with public keys between all three servers with rsync:
  • From Server1:
   rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server2:/etc/tinc/NoMoreSecrets/hosts/
   rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server3:/etc/tinc/NoMoreSecrets/hosts/
  • From Server2:
   rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server1:/etc/tinc/NoMoreSecrets/hosts/
   rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server3:/etc/tinc/NoMoreSecrets/hosts/
  • From Server3:
   rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server1:/etc/tinc/NoMoreSecrets/hosts/
   rsync -avz /etc/tinc/NoMoreSecrets/hosts/ server2:/etc/tinc/NoMoreSecrets/hosts/
  • On all servers set the executable bit on the tinc-up and tinc-down scripts
   chmod +x /etc/tinc/NoMoreSecrets/tinc-up
   chmod +x /etc/tinc/NoMoreSecrets/tinc-down
Start tinc
  • On all servers enable and start tinc
   systemctl enable tinc@NoMoreSecrets
   systemctl start tinc@NoMoreSecrets

Once tinc is up and running on all three servers you should be able to communicate over the 10.0.0.0/24 network.

Since this is a mesh network, if direct communication between two nodes drops, tinc will route all traffic through the remaining node until direct communication is restored.

Troubleshooting

  1. Check the tinc logs to see what error is shown. Refer to the official documentation at https://www.tinc-vpn.org/docs/
  2. Check the firewall on both hosts to make sure port 655 is accepted (tinc uses both TCP and UDP on that port).
  3. Check the IP on the Address line of each hosts file to ensure it is correct.
  4. Check the IP on the Subnet line of each hosts file to ensure it is correct.
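
The per-node setup steps above can be generated from one node table, and troubleshooting checks 3 and 4 can be run mechanically before the daemon is started. The following is an added example, not from the wiki or the tinc project: it writes the hosts file, tinc.conf, tinc-up and tinc-down for one node under a base directory (/etc/tinc by default, a temporary directory for testing) and validates a node directory: Address and Subnet present in every hosts file, a hosts file for Name and for every ConnectTo target, the address in tinc-up equal to the announced Subnet, and both scripts executable. The node table is the one from this page; adding a line to it extends the mesh, and the ConnectTo lines are derived from it.

```shell
#!/bin/sh
# Added example (not from the PTTLink wiki): generate one node's tinc config for
# the NoMoreSecrets mesh above from a node table, then validate it the way the
# troubleshooting list suggests (Address and Subnet lines, hosts files present,
# tinc-up address matching the announced Subnet). Adding a fourth line to the
# table extends the mesh; the ConnectTo lines are derived from it.
# Node table (name, public IP, VPN IP) copied from the page's example.
NODES="server1 1.1.1.100 10.0.0.1
server2 1.1.2.100 10.0.0.2
server3 1.1.3.100 10.0.0.3"
VPN_NET="10.0.0.0/24"

# node_field NODE N -> column N of the node table for NODE (empty if unknown)
node_field() {
    printf '%s\n' "$NODES" | awk -v n="$1" -v c="$2" '$1 == n { print $c }'
}

# conf_value FILE KEY -> every value of KEY in a tinc "Key = value" file
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# gen_tinc_node NETNAME NODE [BASEDIR] -> writes BASEDIR/NETNAME/{hosts/NODE,
# tinc.conf,tinc-up,tinc-down}; BASEDIR defaults to /etc/tinc as on the page
gen_tinc_node() {
    net=$1 node=$2 base=${3:-/etc/tinc}
    dir="$base/$net"
    pub=$(node_field "$node" 2) vip=$(node_field "$node" 3)
    [ -n "$pub" ] || { echo "unknown node: $node" >&2; return 1; }
    mkdir -p "$dir/hosts"
    printf 'Address = %s\nSubnet = %s\n' "$pub" "$vip" > "$dir/hosts/$node"
    {
        printf 'Name = %s\nInterface = tun0\nAddressFamily = ipv4\n' "$node"
        # one ConnectTo per other node gives the full mesh shown above
        printf '%s\n' "$NODES" | awk -v n="$node" '$1 != n { print "ConnectTo = " $1 }'
    } > "$dir/tinc.conf"
    printf '#!/bin/sh\nip link set $INTERFACE up\nip addr add %s/32 dev $INTERFACE\nip route add %s dev $INTERFACE\n' \
        "$vip" "$VPN_NET" > "$dir/tinc-up"
    printf '#!/bin/sh\nip route del %s dev $INTERFACE\nip addr del %s/32 dev $INTERFACE\nip link set $INTERFACE down\n' \
        "$VPN_NET" "$vip" > "$dir/tinc-down"
    chmod +x "$dir/tinc-up" "$dir/tinc-down"
}

# check_tinc_node NETNAME [BASEDIR] -> 0 if the node's config is consistent,
# otherwise prints each problem found and returns 1
check_tinc_node() {
    dir="${2:-/etc/tinc}/$1" rc=0
    name=$(conf_value "$dir/tinc.conf" Name)
    [ -n "$name" ] || { echo "tinc.conf: no Name line"; return 1; }
    [ -f "$dir/hosts/$name" ] || { echo "hosts/$name: missing (Name = $name)"; rc=1; }
    for peer in $(conf_value "$dir/tinc.conf" ConnectTo); do
        # each ConnectTo target needs its hosts file (synced with rsync above)
        [ -f "$dir/hosts/$peer" ] || { echo "hosts/$peer: missing (ConnectTo = $peer)"; rc=1; }
    done
    for f in "$dir"/hosts/*; do
        [ -f "$f" ] || continue
        [ -n "$(conf_value "$f" Address)" ] || { echo "$f: no Address line"; rc=1; }
        case $(conf_value "$f" Subnet) in
            ""|*[!0-9./]*) echo "$f: Subnet missing or not an IPv4 subnet"; rc=1 ;;
        esac
    done
    # the address tinc-up configures must be the Subnet this node announces
    up=$(sed -n 's|.*ip addr add \([0-9.]*\)/32 .*|\1|p' "$dir/tinc-up" 2>/dev/null)
    [ "$(conf_value "$dir/hosts/$name" Subnet 2>/dev/null)" = "$up" ] ||
        { echo "tinc-up address '$up' does not match Subnet in hosts/$name"; rc=1; }
    [ -x "$dir/tinc-up" ] && [ -x "$dir/tinc-down" ] ||
        { echo "tinc-up/tinc-down: not executable (chmod +x)"; rc=1; }
    return $rc
}

# Usage: sh tinc-node.sh gen NoMoreSecrets server1   (writes under /etc/tinc)
#        sh tinc-node.sh check NoMoreSecrets
case ${1:-} in
    gen)   gen_tinc_node "$2" "$3" ;;
    check) check_tinc_node "$2" ;;
esac
```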

Simplified tinc 1.1 Windows setup

Examples on how to set up tinc 1.1 on Windows as either a server or a client.

Server side config

  1. Download tinc
  2. Install tinc
  3. Open command prompt and type the following:
   cd "C:\Program Files\tinc"
   tinc -n vpn init master
   tinc -n vpn add subnet 10.0.1.1
   tinc -n vpn add address=public.domain-or-ip
   cd tap-win64
   addtap.bat
   netsh interface ipv4 show interfaces      (Note disconnected interface.  May be called Ethernet 2)
   netsh interface set interface name = "Ethernet 2" newname = "tinc"
   netsh interface ip set address "tinc" static 10.0.1.1  255.255.255.0
   netsh interface ipv4 show config          (Should create a tinc interface with IP and subnet)
   cd ..

To start tinc:

   tincd -n vpn

To invite clients:

   tinc -n vpn invite client1

Client side config

  1. Download tinc
  2. Install tinc
  3. Open command prompt and type the following:
   cd "C:\Program Files\tinc"
   tinc join <invite-url>
   tinc -n vpn add subnet 10.0.1.2
   cd tap-win64
   addtap.bat
   netsh interface ipv4 show interfaces      (Note disconnected interface.  May be called Ethernet 2)
   netsh interface set interface name = "Ethernet 2" newname = "tinc"
   netsh interface ip set address "tinc" static 10.0.1.2  255.255.255.0
   cd ..

To test connection:

   tincd -n vpn -D -d3

To run tinc as service:

   tincd -n vpn

Notes

Tinc will automatically register itself as a service when started without the -D or --no-detach option.

Calling tinc with the -k or --kill option will cause it to unregister itself automatically.

SoftEther

SoftEther VPN is an open-source, free, cross-platform, multi-protocol VPN program that is an academic project of the University of Tsukuba in Japan.

You can download SoftEther for FreeBSD, Linux, Mac, Solaris, and Windows from https://www.softether.org/[5]

Features

  • SSL-VPN tunnelling over HTTPS to pass through NAT and firewalls
  • VPN over ICMP and VPN over DNS features
  • Ethernet bridging (L2) and IP routing (L3) over VPN
  • Embedded dynamic DNS and NAT traversal
  • SSL-VPN (HTTPS) and support for 6 major VPN protocols: OpenVPN, IPSEC, L2TP, MS-SSTP, L2TPv3, and EtherIP

Cisco L2TPv3

Use the setup of SoftEther here as a guide for an L2TPv3 connection to a Cisco device.

SoftEther settings

Now make the following adjustments to the IPSEC/L2TPv3 settings shown there:

  • Under IPSEC/L2TP settings, select the checkbox Enable EtherIP/L2TPv3 over IPsec Server Function
  • Select EtherIP / L2TP Detail Settings
  • ISAKMP Phase 1 ID: specify the local IP address of the Cisco device here
  • Fill in the username/password settings
  • Under Virtual Hub management, select Virtual NAT and Virtual DHCP Server function
  • The Secure NAT settings will be used to set the Virtual DHCP server settings

Ports used by SoftEther for this configuration

   Type   Port #
   UDP    500
   UDP    4500
   UDP    1701

  • Encryption: if you have an issue using AES during your initial testing, try DES or 3DES. Once the connection is established, switch to a more secure algorithm.
Cisco config

Then use the following config on your Cisco device, instead of the one listed on the SoftEther site, to get L2TPv3 working:

Information used in this example

   Local IP address (ISAKMP Phase 1 ID)   Peer IP (SoftEther public IP)   Pre-shared key
   192.168.100.100                        1.1.1.100                       CHANGEME

  • Note: By default Cisco may have NAT-Traversal enabled. This setting is not required.
  • Specify the L2TPv3 settings and interface (change FastEthernet0/0 to match your device's interface).
pseudowire-class L2TPv3
   encapsulation l2tpv3
   ip local interface FastEthernet0/0
  • Note: You can change the pseudowire-class name from L2TPv3 to something more descriptive if you want.
  • ISAKMP settings:
crypto isakmp policy 1
   encr aes 256
   authentication pre-share
   group 2
crypto isakmp key CHANGEME address 1.1.1.100
crypto isakmp keepalive 10 periodic

Note: AES 256 encryption can be used here. DH group 2 uses a 1024-bit modulus.

  • IPSEC settings:
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
   mode transport
crypto ipsec fragmentation after-encryption

Note: 3DES is used in this example. If you put this tunnel into production, make sure you change the cipher to AES.

  • Cryptographic map:
crypto map MAP 1 ipsec-isakmp
   set peer 1.1.1.100
   set transform-set IPSEC
   match address IPSEC_MATCH_RULE
  • Interface configuration
interface FastEthernet0/0
   ip address 192.168.100.100 255.255.255.0
   no ip proxy-arp
   duplex auto
   speed auto
   crypto map MAP

Note: FastEthernet0/0 uses the local IP address specified above and has the crypto map applied.

  • Use FastEthernet0/1 as the interface for the tunnel
interface FastEthernet0/1
   no ip address
   duplex auto
   speed auto
   no cdp enable
   xconnect 1.1.1.100 1 encapsulation l2tpv3 pw-class L2TPv3
   bridge-group 1
  • Access list:
ip access-list extended IPSEC_MATCH_RULE
   permit 115 any any
  • Now connect a device to FastEthernet0/1. It should get a DHCP lease from SoftEther and be on the network.
Troubleshooting

To troubleshoot the tunnel use the following commands:

debug crypto isakmp
debug crypto ipsec
debug l2tp all
  • Show ISAKMP SA status:
#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.100       192.168.100.100    QM_IDLE           1011 ACTIVE
 
IPv6 Crypto ISAKMP SA
 
  • Show IPsec SA status:
#show crypto ipsec sa
 
interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 192.168.100.100
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
   current_peer 1.1.1.100 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 54342, #pkts encrypt: 54342, #pkts digest: 54342
    #pkts decaps: 179917, #pkts decrypt: 179917, #pkts verify: 179917
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 23, #recv errors 0
 
     local crypto endpt.: 192.168.100.100, remote crypto endpt.: 1.1.1.100
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x48E82D7A(1223175546)
     PFS (Y/N): N, DH group: none
 
     inbound esp sas:
      spi: 0x1B68FD22(459865378)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2107, flow_id: NETGX:107, sibling_flags 80000046, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4386973/1557)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x48E82D7A(1223175546)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2108, flow_id: NETGX:108, sibling_flags 80000046, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4386975/1557)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     outbound ah sas:
 
     outbound pcp sas:
  • Check L2TP session:
#show l2tp session
L2TP Session Information Total tunnels 1 sessions 1
 
LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                 Vcid, Circuit
23239**** 1900**** 2306***** 1, Fa0/1             est    01:32:52 1
  • Check L2TP tunnel:
#show l2tp tunnel
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID   RemTunID   Remote Name   State  Remote Address  Sessn L2TP Class/
                                                           Count VPDN Group
230**** 1          ******* est    1.1.1.100   1     l2tp_default_cl

Note: If you use AES for IPSEC it will become TunID 0.

WireGuard

WireGuard can be downloaded from https://www.wireguard.com/[6]

VPNC

vpnc is an open-source VPN client that is compatible with Cisco VPN setups. VPNC is much easier to configure than the Cisco client and works on almost every flavor of UNIX, including Linux (Ubuntu among them), Macs and BSD.

This is handy if you have a VPN server or IOS router set up and wish to use it. w9cr.net runs this as a means to get public IPs directly on nodes, bypassing NAT444 and man-in-the-middle IAX-level filtering.

install

  • sudo apt-get install vpnc

config

Create a configuration file for the RPI Wireless and/or RPI External profile. These files are usually stored as /etc/vpnc/profile_name.conf; the default profile is /etc/vpnc/default.conf.

An example config for the W9CR.net vpn server:

w9cr example config

IPSec gateway cisco.keekles.org
IPSec id AMPRNET
IPSec secret EzAsARDC
Xauth username YOUR-CALLSIGN
Xauth password _YOUR_PASSWORD_HERE_ 

running it

To connect to the VPN you would run one of the following commands as root or using sudo:

  • sudo vpnc -- This command would run VPNC using /etc/vpnc/default.conf, if it exists. If it does not, it would prompt for the connection information
  • sudo vpnc external -- This would run VPNC using /etc/vpnc/external.conf, if it exists.

Starting it at boot

If you're behind NAT, you want to start this at boot.

The simplest way is to call it from /etc/rc.local, but that's a bit inelegant.

Create the following file at /usr/lib/systemd/system/vpnc@.service:

[Unit]
Description=VPNC connection to %i
Wants=network-online.target
After=network.target network-online.target

[Service]
Type=forking
ExecStart=/usr/bin/vpnc --pid-file=/run/vpnc@%i.pid /etc/vpnc/%i.conf
PIDFile=/run/vpnc@%i.pid

[Install]
WantedBy=multi-user.target

So, in order to have your VPN autostart from the configuration file /etc/vpnc/w9cr.conf, you'd do:

systemctl enable vpnc@w9cr
systemctl start vpnc@w9cr


More info

If you want a vpn connection via w9cr.net using 44net public IP space, please contact bryan@bryanfields.net. Include your callsign and details.


Other

Any other information that doesn't fit elsewhere.

Firewall

Information regarding firewall setup as related to the VPN configs above.

Linux

The following script can be used to set up a basic firewall on a Linux-based system using iptables.

It supports IPv4 and IPv6. Comment out the parts that are not needed with a # or delete them.

 #!/bin/bash
 
 #Modify to match your network interface  
 INET_IF=eth0
 
 #Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to 
 #"Management only" services.  Add or remove as needed.  Make sure to update the ManagementFilterV4 with
 #the changes
 System1="XX.XX.XX.XX/YY"  
 System2="XX.XX.XX.XX/YY"
   
 ManagementFilterV4=$System1,$System2
 
 #Flush and zero all tables
 modprobe ip_tables
 modprobe ipt_limit
 modprobe iptable_mangle
 modprobe ipt_state
 modprobe ipt_LOG
 modprobe iptable_filter
 modprobe ipv6
 
 iptables -F INPUT
 iptables -F FORWARD
 iptables -t nat -F POSTROUTING
 iptables -t nat -F PREROUTING
 
 ip6tables -F INPUT
 ip6tables -F FORWARD
 
 #init the log-and-drop chain
 iptables -F log-and-drop
 iptables -X log-and-drop
 iptables -N log-and-drop
 
 ip6tables -F log-and-drop
 ip6tables -X log-and-drop
 ip6tables -N log-and-drop
 
 iptables -F log-and-reject
 iptables -X log-and-reject
 iptables -N log-and-reject
 
 ip6tables -F log-and-reject
 ip6tables -X log-and-reject
 ip6tables -N log-and-reject
 
 #Now add in rules to affect DOCKER containers - uncomment if using Docker
 #See https://unrouted.io/2017/08/15/docker-firewall/
 #iptables -F DOCKER-USER
 #iptables -X DOCKER-USER
 #iptables -N DOCKER-USER
 
 #ip6tables -F DOCKER-USER
 #ip6tables -X DOCKER-USER
 #ip6tables -N DOCKER-USER
 
 #iptables -F FILTERS
 #iptables -X FILTERS
 #iptables -N FILTERS
 
 #ip6tables -F FILTERS
 #ip6tables -X FILTERS
 #ip6tables -N FILTERS
 
 echo "all tables flushed and dropped"
 # Specific chain used for logging packets before blocking them
 iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
 iptables -A log-and-drop -j DROP
 
 ip6tables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
 ip6tables -A log-and-drop -j DROP
 
 # Specific chain used for logging packets before blocking them
 iptables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject "
 iptables -A log-and-reject -j REJECT
 
 ip6tables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject "
 ip6tables -A log-and-reject -j REJECT
 
 echo "logging chains setup"
   
 # The packets having the TCP flags activated are dropped
 # and so for the ones with no flag at all (often used with Nmap scans)
 iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
 iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop
 
 ip6tables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
 ip6tables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop
 
 #setup DOCKER-USER related rules - uncomment if using Docker
 #iptables -A DOCKER-USER -i $INET_IF -j FILTERS
 
 #Now add any rules you want Docker to abide by for containers to -A FILTERS
 
 #limit traffic to 80 and 443
 #DCQ="2"   #max requests in 1 second
 #DCH="25"   #max requests over 7 seconds
 
 #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80QF --rsource
 #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount ${DCQ} --name P80QF --rsource -j log-and-drop
 #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80HF --rsource
 #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 7 --hitcount ${DCH} --name P80HF --rsource -j log-and-drop
 
 #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443QF --rsource
 #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 1 --hitcount ${DCQ} --name P443QF --rsource -j log-and-drop
 #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443HF --rsource
 #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 7 --hitcount ${DCH} --name P443HF --rsource -j log-and-drop
   
 #default return chain
 #iptables -A FILTERS -j RETURN
 
 #Global blocks
 #iptables -t filter -A INPUT -j DROP -s 12.34.56.78/32
 
 #Limit DNS requests to prevent flood attacks - use if you are running a DNS server on the system this is installed on.  
 # Requests per second
 #RQS="15"
 # Requests per 7 seconds
 #RQH="35"
 
 #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSQF --rsource
 #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${RQS} --name DNSQF --rsource -j DROP
 #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSHF --rsource
 #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 7 --hitcount ${RQH} --name DNSHF --rsource -j DROP
 
 #Uncomment the next sections if using IPSEC
 #Clamp MSS on IPSEC tunnels
 #iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
 #iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
 
 # allow IPSEC from other boxes
 #IPSECsrc='XX.XX.XX.XX/YY'  # Put in the form of XX.XX.XX.XX = IP address you want to allow IPSEC in from and YY is the netmask.
 
 #Technically the next two are not needed as we have the policy
 #iptables -A INPUT -i $INET_IF -p 50 -j ACCEPT --src "$IPSECsrc"
 #iptables -A INPUT -i $INET_IF -p 51 -j ACCEPT --src "$IPSECsrc"
 #iptables -A INPUT -i $INET_IF -p udp --dport 500 -j ACCEPT --src "$IPSECsrc"
 #iptables -A INPUT -i $INET_IF -p udp --dport 4500 -j ACCEPT --src "$IPSECsrc"
 # this is needed to allow all ipsec packets when it's host to host
 #iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc" 
 
 #allow DNS in
 #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
 #iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53
 
 #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
 #ip6tables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53
 
 #allow port 80 in
 #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
 #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
 
 #allow port 443 in
 #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
 #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
 
 # allow all ssh in - uncomment the ManagementFilterV4 line and comment out the two lines below it to restrict SSH access on port 22
 #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src $ManagementFilterV4
 iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 
 ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 
 
 echo "end of services"
 # rate-limit ping to 4 per second (burst 3) and log-and-drop the rest
 iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3
 iptables -t filter -A INPUT -j log-and-drop  --in-interface $INET_IF --protocol icmp --icmp-type echo-request
 
 ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT 
 
 # allow responses to locally initiated connections
 #iptables -A INPUT -i  $INET_IF --match state --state NEW,INVALID -j log-and-drop
 #iptables -A FORWARD -i $INET_IF  --match state --state NEW,INVALID -j log-and-drop
 iptables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED
 ip6tables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED
 
 # Set rp_filter to 2
 for i in `find /proc/sys/net/ipv*/conf -name rp_filter`
 do
 	echo "2" >$i
 done
 # setup a default deny rule for outside traffic
 iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop
 ip6tables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop
 
 #uncomment if you are using Docker
 #echo "Restarting Docker"
 #systemctl restart docker
 
 #uncomment the next two lines if fail2ban is installed
 #echo "Restarting fail2ban"
 #systemctl restart fail2ban
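
To confirm that a rule set like the one above actually lets the VPN traffic from the earlier sections in (troubleshooting step 2 of the tinc setup), the following added example, not from the wiki, walks a saved iptables -S INPUT dump in rule order and reports, for each VPN port used on this page (tinc 655 TCP and UDP, IKE 500/udp, NAT-T 4500/udp, L2TP 1701/udp), the first rule that accepts or blocks it. The rule dump inside is constructed to mirror the script above; it assumes log-and-drop and log-and-reject are terminating targets, as the script defines them, and only interprets -i, -p, --dport, --state and -j.

```shell
#!/bin/sh
# Added example (not from the PTTLink wiki): walk an "iptables -S INPUT" dump in
# rule order and report whether a VPN port from the sections above (tinc 655,
# IKE 500, IPsec NAT-T 4500, L2TP 1701) is accepted on the Internet-facing
# interface, or which rule blocks it first (troubleshooting step 2 of the tinc
# section, done against a saved dump instead of by eye). Assumes the chain
# layout of the script above: log-and-drop / log-and-reject are terminating,
# LOG is not; only -i, -p, --dport, --state and -j are interpreted.
INET_IF=eth0

# Constructed sample dump mirroring the script above, with the IPsec ports
# opened and no rule for tinc's port 655 ahead of the default deny on $INET_IF
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 4/s -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j log-and-drop'

# port_verdict RULES PROTO PORT -> prints the deciding rule; returns 0 for
# ACCEPT, 1 for DROP/REJECT or a non-ACCEPT chain policy (first match wins)
port_verdict() {
    ruleset=$1 proto=$2 port=$3 policy=ACCEPT
    while IFS= read -r line; do
        set -- $line
        iface="" rproto="" rport="" target="" state=""
        while [ $# -gt 0 ]; do
            case $1 in
                -P) policy=$3; shift 2 ;;      # "-P INPUT ACCEPT"
                -i) iface=$2; shift ;;
                -p) rproto=$2; shift ;;
                --dport) rport=$2; shift ;;
                --state) state=$2; shift ;;
                -j) target=$2; shift ;;
            esac
            shift
        done
        [ -n "$target" ] || continue
        # skip rules that cannot match a new inbound PROTO/PORT packet on INET_IF
        [ -z "$iface" ] || [ "$iface" = "$INET_IF" ] || continue
        [ -z "$rproto" ] || [ "$rproto" = "$proto" ] || continue
        [ -z "$rport" ] || [ "$rport" = "$port" ] || continue
        case $state in ""|*NEW*) ;; *) continue ;; esac  # RELATED,ESTABLISHED: not a new flow
        case $target in
            ACCEPT) echo "ACCEPT by: $line"; return 0 ;;
            DROP|log-and-drop) echo "DROP by: $line"; return 1 ;;
            REJECT|log-and-reject) echo "REJECT by: $line"; return 1 ;;
        esac
    done <<EOF
$ruleset
EOF
    echo "no rule matched, chain policy $policy applies"
    [ "$policy" = ACCEPT ]
}

# check_vpn_ports RULES -> one line per VPN port used on this page; returns 0
# only when every one of them is accepted
check_vpn_ports() {
    rules=$1 blocked=0
    for entry in tinc:tcp:655 tinc:udp:655 IKE:udp:500 NAT-T:udp:4500 L2TP:udp:1701; do
        name=${entry%%:*} rest=${entry#*:}
        v=$(port_verdict "$rules" "${rest%%:*}" "${rest#*:}") || blocked=$((blocked + 1))
        printf '%-6s %-9s %s\n' "$name" "$rest" "$v"
    done
    [ "$blocked" -eq 0 ]
}

check_vpn_ports "$SAMPLE_RULES" || echo "some VPN ports are blocked by the sample rules"
```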

External Links

  1. strongSwan Official Site [1]
  2. MikroTik Official Site [2]
  3. OpenVPN Official Site [3]
  4. Tinc-vpn Official Site [4]
  5. SoftEther VPN Official Site [5]
  6. WireGuard Official Site [6]