Difference between revisions of "VPN"

From "PTTLink Wiki"
(Added initial Linux iptables firewall script)
Line 124: Line 124:
 
    
 
    
 
   #Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to  
 
   #Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to  
   #"Management only" services.  You modify and add or remove as needed.  Make sure to update the ManagementFilterV4 with
+
   #"Management only" services.  Add or remove as needed.  Make sure to update the ManagementFilterV4 with
 
   #the changes
 
   #the changes
 
   System1="XX.XX.XX.XX/YY"   
 
   System1="XX.XX.XX.XX/YY"   
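Review bot: The reworded comment still does not say what happens if the placeholder is left in place: with System1="XX.XX.XX.XX/YY" untouched, any rule that uses ManagementFilterV4 as a source match fails when iptables tries to resolve "XX.XX.XX.XX" as a host name, so the comment should state that both System values must be replaced with real CIDR addresses (or removed from ManagementFilterV4) before the script is run.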

Revision as of 06:44, 15 November 2020

VPN

The following contains information on various VPN setups that you can use.

IPSEC

Information on how to set up IPSEC tunnels.

Mikrotik to Strongswan

Use the following configurations to connect a system running Strongswan to a Mikrotik device using IPSEC.

Strongswan config

/etc/ipsec.conf:

  conn <name>
            authby=secret
            auto=route
            keyexchange=ike
            left=<your local IP>
            right=<remote IP of Mikrotik system>
            leftikeport=500
            rightikeport=500
            type=transport
            ike=aes256-sha1-modp1024!
            esp=aes256-sha1!
            dpddelay=5
            dpdtimeout=20
            dpdaction=clear

/etc/ipsec.secrets:

   <your local IP> <remote IP of Mikrotik system> :  PSK "<Put your preshared key here>"

Mikrotik Config

 /ip ipsec policy
 add src-address=0.0.0.0/0 dst-address=<remote IP of strongswan system> proposal=ike2 ipsec-protocols=esp
 
 /ip ipsec proposal
 add name="ike2" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=30m pfs-group=none
 
 /ip ipsec peer
 add name="<name of strongswan system>" address=<local IP> profile=ike2 exchange-mode=main send-initial-contact=yes
 
 /ip ipsec identity
 add peer=<remote IP of strongswan system> auth-method=pre-shared-key secret="<Put your preshared key here>" generate-policy=no
 
 /ip ipsec profile
 add name="ike2" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des,des dh-group=modp2048,modp1024 lifetime=8h proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5
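The two configs above negotiate aes256 with sha1 and modp1024, and the RouterOS profile additionally offers 3des and des while the proposal sets pfs-group=none. The following script is an added example written for this page (it is not part of the PTTLink wiki, strongSwan or RouterOS): it parses the ike=/esp= proposal strings from an ipsec.conf conn block and the algorithm lists from the RouterOS profile and proposal lines, and reports the legacy choices so they can be tightened before the tunnel goes into service. The conn name "mikrotik", the embedded sample configs (copied from this page with the placeholders left out) and the function names are assumptions of the example.

```python
"""Added example: lint the IKE/ESP algorithm proposals from a strongSwan
ipsec.conf conn block and from RouterOS /ip ipsec profile and proposal
lines, reporting legacy algorithm choices. Sample inputs are the configs
from this page; the conn name is made up."""
import re

STRONGSWAN_CONN = """conn mikrotik
        authby=secret
        auto=route
        keyexchange=ike
        type=transport
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
"""

MIKROTIK_LINES = [
    # /ip ipsec proposal
    'add name="ike2" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=30m pfs-group=none',
    # /ip ipsec profile
    'add name="ike2" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des,des dh-group=modp2048,modp1024 lifetime=8h proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5',
]

# Algorithm names that warrant a finding, with the reason reported.
WEAK = {
    "null": "no encryption",
    "des": "single DES (56-bit key)",
    "3des": "3DES (64-bit block cipher, deprecated)",
    "md5": "MD5 integrity",
    "sha1": "SHA-1 integrity (legacy; prefer sha256 or stronger)",
    "modp768": "DH group 1 (768-bit)",
    "modp1024": "DH group 2 (1024-bit, below the 2048-bit minimum)",
    "modp1536": "DH group 5 (1536-bit, below the 2048-bit minimum)",
}

# RouterOS keys whose values are algorithm or group names.
MIKROTIK_ALGO_KEYS = ("auth-algorithms", "enc-algorithms", "hash-algorithm",
                      "enc-algorithm", "dh-group", "pfs-group")


def parse_strongswan_proposals(conn_text):
    """Return {'ike': [tokens], 'esp': [tokens]} from a conn block.
    strongSwan syntax: proposals are separated by ',', the algorithms inside
    one proposal by '-', and a trailing '!' makes the list strict."""
    found = {}
    for m in re.finditer(r"^\s*(ike|esp)\s*=\s*(\S+)", conn_text, re.M):
        key, value = m.group(1), m.group(2).rstrip("!")
        tokens = []
        for proposal in value.split(","):
            tokens.extend(t for t in proposal.split("-") if t)
        found[key] = tokens
    return found


def parse_mikrotik_line(line):
    """Return {key: [values]} for one RouterOS 'add k=v,v ...' line."""
    out = {}
    for m in re.finditer(r'([\w-]+)=("[^"]*"|\S+)', line):
        out[m.group(1)] = [v.strip('"') for v in m.group(2).split(",")]
    return out


def normalize(token):
    """Map RouterOS spellings onto the names used in WEAK; any AES width or
    mode is acceptable, so all 'aes...' tokens collapse to 'aes'."""
    t = token.lower()
    return "aes" if t.startswith("aes") else t


def lint_strongswan(conn_text):
    """Findings for the ike= and esp= lines of a strongSwan conn block."""
    findings = []
    for key, tokens in parse_strongswan_proposals(conn_text).items():
        for t in tokens:
            n = normalize(t)
            if n in WEAK:
                findings.append(f"{key}: {t}: {WEAK[n]}")
    return findings


def lint_mikrotik(lines):
    """Findings for RouterOS profile/proposal lines, including pfs-group=none."""
    findings = []
    for line in lines:
        fields = parse_mikrotik_line(line)
        name = fields.get("name", ["?"])[0]
        for key in MIKROTIK_ALGO_KEYS:
            for v in fields.get(key, []):
                if key == "pfs-group" and v == "none":
                    findings.append(f"{name}: pfs-group=none: no perfect forward secrecy for child SAs")
                    continue
                n = normalize(v)
                if n in WEAK:
                    findings.append(f"{name}: {key}={v}: {WEAK[n]}")
    return findings


if __name__ == "__main__":
    for f in lint_strongswan(STRONGSWAN_CONN) + lint_mikrotik(MIKROTIK_LINES):
        print(f)
```

Run as-is it prints three findings for the strongSwan side (sha1 twice, modp1024 once) and six for the RouterOS side. Because the Mikrotik profile accepts a list of algorithms and proposal-check=obey lets the initiator pick, the weak entries matter even though the strongSwan side proposes aes256: whichever side initiates chooses from the intersection, so both lists need trimming together.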

OpenVPN

Information on how to set up OpenVPN.

L2TP

Information on how to set up L2TP.

TINC

Information on how to set up tinc.

You can download tinc for *nix and Windows systems from https://www.tinc-vpn.org/

Simplified tinc 1.1 Windows setup

Examples of how to set up tinc 1.1 on Windows as either a server or a client.

Server side config

  1. Download tinc
  2. Install tinc
  3. Open command prompt and type the following:
   cd "C:\Program Files\tinc"
   tinc -n vpn init master
   tinc -n vpn add subnet 10.0.1.1
   tinc -n vpn add address=public.domain-or-ip
   cd tap-win64
   addtap.bat
   netsh interface ipv4 show interfaces      (Note disconnected interface.  May be called Ethernet 2)
   netsh interface set interface name = "Ethernet 2" newname = "tinc"
   netsh interface ip set address "tinc" static 10.0.1.1  255.255.255.0
   netsh interface ipv4 show config          (Should create a tinc interface with IP and subnet)
   cd ..

To start tinc:

   tincd -n vpn

To invite clients:

   tinc -n vpn invite client1

Client side config

  1. Download tinc
  2. Install tinc
  3. Open command prompt and type the following:
   cd "C:\Program Files\tinc"
   tinc join <invite-url>
   tinc -n vpn add subnet 10.0.1.2
   cd tap-win64
   addtap.bat
   netsh interface ipv4 show interfaces      (Note disconnected interface.  May be called Ethernet 2)
   netsh interface set interface name = "Ethernet 2" newname = "tinc"
   netsh interface ip set address "tinc" static 10.0.1.2  255.255.255.0
   cd ..

To test the connection (runs in the foreground with debug level 3):

   tincd -n vpn -D -d3

To run tinc as a service:

   tincd -n vpn

Wireguard

Information on how to set up Wireguard.

Other

Any other information that doesn't fit elsewhere.

Firewall

Information regarding firewall setup as it relates to the VPN configs above.

Linux

The following script can be used to set up a basic firewall on a Linux-based system using iptables.

Supports IPv4 and IPv6. Comment out the parts that are not needed with a # or optionally delete them.

 #!/bin/bash
 
 #Modify to match your network interface  
 INET_IF=eth0
 
 #Edit IP address below to match the IP and netmask of the system or subnet you want to allow access to 
 #"Management only" services.  Add or remove as needed.  Make sure to update the ManagementFilterV4 with
 #the changes
 System1="XX.XX.XX.XX/YY"  
 System2="XX.XX.XX.XX/YY"
   
 ManagementFilterV4=$System1,$System2
 
 #Flush and zero all tables
 modprobe ip_tables
 modprobe ipt_limit
 modprobe iptable_mangle
 modprobe ipt_state
 modprobe ipt_LOG
 modprobe iptable_filter
 modprobe ipv6
 
 iptables -F INPUT
 iptables -F FORWARD
 iptables -t nat -F POSTROUTING
 iptables -t nat -F PREROUTING
 
 ip6tables -F INPUT
 ip6tables -F FORWARD
 
 #init the log-and-drop chain
 iptables -F log-and-drop
 iptables -X log-and-drop
 iptables -N log-and-drop
 
 ip6tables -F log-and-drop
 ip6tables -X log-and-drop
 ip6tables -N log-and-drop
 
 iptables -F log-and-reject
 iptables -X log-and-reject
 iptables -N log-and-reject
 
 ip6tables -F log-and-reject
 ip6tables -X log-and-reject
 ip6tables -N log-and-reject
 
 #Now add in rules to affect DOCKER containers - uncomment if using Docker
 #See https://unrouted.io/2017/08/15/docker-firewall/
 #iptables -F DOCKER-USER
 #iptables -X DOCKER-USER
 #iptables -N DOCKER-USER
 
 #ip6tables -F DOCKER-USER
 #ip6tables -X DOCKER-USER
 #ip6tables -N DOCKER-USER
 
 #iptables -F FILTERS
 #iptables -X FILTERS
 #iptables -N FILTERS
 
 #ip6tables -F FILTERS
 #ip6tables -X FILTERS
 #ip6tables -N FILTERS
 
 echo "all tables flushed and dropped"
 # Specific chain used for logging packets before blocking them
 iptables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
 iptables -A log-and-drop -j DROP
 
 ip6tables -A log-and-drop -j LOG --log-prefix "[IPTables] Drop "
 ip6tables -A log-and-drop -j DROP
 
 # Specific chain used for logging packets before rejecting them
 iptables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject "
 iptables -A log-and-reject -j REJECT
 
 ip6tables -A log-and-reject -j LOG --log-prefix "[IPTables] Reject "
 ip6tables -A log-and-reject -j REJECT
 
 echo "logging chains setup"
   
 # Packets with every TCP flag set are dropped, and so are packets with
 # no flags at all (both are used by Nmap scans)
 iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
 iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop
 
 ip6tables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
 ip6tables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop
 
 #setup DOCKER-USER related rules - uncomment if using Docker
 #iptables -A DOCKER-USER -i $INET_IF -j FILTERS
 
 #Now add any rules you want Docker to abide by for containers to -A FILTERS
 
 #limit traffic to 80 and 443
 #DCQ="2"   #max requests in 1 second
 #DCH="25"   #max requests over 7 seconds
 
 #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80QF --rsource
 #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount ${DCQ} --name P80QF --rsource -j log-and-drop
 #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --set --name P80HF --rsource
 #iptables -A FILTERS -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 7 --hitcount ${DCH} --name P80HF --rsource -j log-and-drop
  
 #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443QF --rsource
 #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 1 --hitcount ${DCQ} --name P443QF --rsource -j log-and-drop
 #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --set --name P443HF --rsource
 #iptables -A FILTERS -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 7 --hitcount ${DCH} --name P443HF --rsource -j log-and-drop
   
 #default return chain
 #iptables -A FILTERS -j RETURN
 
 #Global blocks
 #iptables -t filter -A INPUT -j DROP -s 12.34.56.78/32
 
 #Limit DNS requests to prevent flood attacks - use if you are running a DNS server on the system this is installed on.
 # Requests per second
 #RQS="15"
 # Requests per 7 seconds
 #RQH="35"
 
 #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSQF --rsource
 #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${RQS} --name DNSQF --rsource -j DROP
 #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSHF --rsource
 #iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 7 --hitcount ${RQH} --name DNSHF --rsource -j DROP
 
 #Uncomment the next sections if using IPSEC
 #Clamp MSS on IPSEC tunnels
 #iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
 #iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
 
 # allow IPSEC from other boxes
 #IPSECsrc='XX.XX.XX.XX/YY'  # Put in the form of XX.XX.XX.XX = IP address you want to allow IPSEC in from and YY is the netmask.
 
 #Technically the next four are not needed as the policy match below already covers IPSEC traffic
 #iptables -A INPUT -i $INET_IF -p 50 -j ACCEPT --src "$IPSECsrc"
 #iptables -A INPUT -i $INET_IF -p 51 -j ACCEPT --src "$IPSECsrc"
 #iptables -A INPUT -i $INET_IF -p udp --dport 500 -j ACCEPT --src "$IPSECsrc"
 #iptables -A INPUT -i $INET_IF -p udp --dport 4500 -j ACCEPT --src "$IPSECsrc"
 # this is needed to allow all ipsec packets when it's host to host
 #iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT --src "$IPSECsrc" 
 
 #allow DNS in
 #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
 #iptables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53
 
 #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 53
 #ip6tables -t filter -A INPUT -j ACCEPT --protocol udp --dport 53
 
 #allow port 80 in
 #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
 #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 80
 
 #allow port 443 in
 #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
 #ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 443
 
 # allow all ssh in - to restrict SSH on port 22 to the management systems, uncomment the ManagementFilterV4 line
 # and comment out the two lines below.  Note the ip6tables rule has no equivalent filter, so IPv6 SSH stays open
 # unless you also remove or restrict it.
 #iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 --src $ManagementFilterV4
 iptables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 
 ip6tables -t filter -A INPUT -j ACCEPT --protocol tcp --dport 22 
 
 echo "end of services"
 # allow ping, rate limited to 4 per second with a burst of 3; anything above that is logged and dropped
 iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3
 iptables -t filter -A INPUT -j log-and-drop  --in-interface $INET_IF --protocol icmp --icmp-type echo-request
 
 ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT 
 
 # allow responses to locally initiated connections
 #iptables -A INPUT -i  $INET_IF --match state --state NEW,INVALID -j log-and-drop
 #iptables -A FORWARD -i $INET_IF  --match state --state NEW,INVALID -j log-and-drop
 iptables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED
 ip6tables -t filter -A INPUT -j ACCEPT --match state --state RELATED,ESTABLISHED
 
 # Set rp_filter to 2 (loose mode reverse-path filtering)
 for i in $(find /proc/sys/net/ipv*/conf -name rp_filter)
 do
 	echo "2" >$i
 done
 # setup a default deny rule for outside traffic
 iptables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop
 ip6tables -t filter -A INPUT --in-interface $INET_IF -j log-and-drop
 
 #uncomment if you are using Docker
 #echo "Restarting Docker"
 #systemctl restart docker
 
 #uncomment the next two lines if fail2ban is installed
 #echo "Restarting fail2ban"
 #systemctl restart fail2ban
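The log-and-drop and log-and-reject chains in the script above write one kernel-log line per packet, prefixed "[IPTables] Drop " or "[IPTables] Reject ", followed by the LOG target's IN=/SRC=/DST=/PROTO=/DPT= fields. As an added example (not part of this wiki page or of iptables), the Python script below parses those lines out of a syslog or journal excerpt and summarises hits per source address and per destination port, which is the quickest way to see who is probing the host and to decide whether a source belongs in the "Global blocks" section. The sample log lines are constructed to follow the LOG target's field layout; the host name, addresses, MAC and timestamps are made up, and parse_line, summarize and noisy_sources are names chosen for this example.

```python
"""Added example: summarise what the log-and-drop / log-and-reject chains
write to the kernel log. The sample lines below are constructed, not
captured from a real host."""
import re
from collections import Counter

SAMPLE_LOG = """\
Nov 15 06:44:01 vpnhost kernel: [ 1201.331] [IPTables] Drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=41000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 15 06:44:02 vpnhost kernel: [ 1202.104] [IPTables] Drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=41001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 15 06:44:05 vpnhost kernel: [ 1205.770] [IPTables] Drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=1234 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=9
Nov 15 06:44:07 vpnhost kernel: [ 1207.002] [IPTables] Reject IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:db8::1 DST=2001:db8::2 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 15 06:44:09 vpnhost kernel: [ 1209.518] [IPTables] Drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=41002 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 15 06:44:10 vpnhost sshd[812]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
"""

# Matches the prefix set by the LOG rules in the script; everything after
# it is the kernel's KEY=VALUE dump of the packet headers.
LINE_RE = re.compile(r"\[IPTables\] (?P<action>Drop|Reject) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for one line produced by the LOG target, or None for
    unrelated log lines. Flag-only tokens such as DF or SYN carry no '='
    and are skipped; a repeated key (ID= for ICMP) keeps its first value,
    which is the IP header field."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action")}
    for k, v in KV_RE.findall(m.group("fields")):
        rec.setdefault(k, v)
    return rec


def summarize(text):
    """Count hits per source address and per (protocol, destination port);
    ICMP/ICMPv6 has no ports, so it is counted separately."""
    by_src = Counter()
    by_dport = Counter()
    icmp = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_src[rec["SRC"]] += 1
        if rec.get("PROTO") in ("ICMP", "ICMPv6"):
            icmp += 1
        elif "DPT" in rec:
            by_dport[(rec["PROTO"], int(rec["DPT"]))] += 1
    return {"by_src": by_src, "by_dport": by_dport, "icmp": icmp}


def noisy_sources(text, threshold=3):
    """Sources that hit the logging chains at least `threshold` times, most
    frequent first: candidates for a closer look or a temporary block."""
    return [src for src, n in summarize(text)["by_src"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, n in s["by_src"].most_common():
        print(f"{n:4d} {src}")
    for (proto, port), n in s["by_dport"].most_common():
        print(f"{n:4d} {proto}/{port}")
    print("icmp:", s["icmp"], "noisy:", noisy_sources(SAMPLE_LOG))
```

On a real host feed it the output of journalctl -k or /var/log/kern.log; because the prefix is identical for iptables and ip6tables, IPv4 and IPv6 drops are summarised together, and the sshd line shows that unrelated log entries are ignored rather than misparsed.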