INT 21h

Hi, I am Vladimir Smagin, SysAdmin and Kaptain.

OpenVPN dynamic local domain names with dnsmasq

No. 9436, in the Sysadmin section, September 25th, 2018

There are two ways:

  • Generate the full config at once from the status file, and repeat it periodically
  • Generate a separate config per client from OpenVPN's connect/disconnect hooks

Way #1

Install the openvpn-status parser:

pip install openvpn_status

from openvpn_status import parse_status

hostDomain = "vpn"

# Parse the status file that OpenVPN writes (see the "status" directive in server.conf)
with open('/etc/openvpn/openvpn-status.log') as logfile:
    status = parse_status(logfile.read())

# One dnsmasq "address=" line per connected client: <common name>.<hostDomain> -> tunnel IP
for route in status.routing_table.values():
    domain = route.common_name + "." + hostDomain
    address = route.virtual_address
    print("address=/{}/{}".format(domain, address))
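The same generation done in shell, as an added example that is not part of the original post and uses only awk (no Python module): it parses the ROUTING TABLE section of the default (version 1) status log, skips anything that is not a plain IPv4 address paired with a single DNS label, and restarts dnsmasq only when the generated file actually differs from the previous one, so it can run from cron every minute. The output path /etc/dnsmasq.d/openvpn-clients.conf and the sample status log are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the dnsmasq config from
# OpenVPN's status file with awk instead of the Python module, and restart
# dnsmasq only when the set of clients actually changed, so a cron job can
# run it every minute without needlessly bouncing the resolver.
# Assumes the default (version 1) status format and the paths from the post.
set -eu

HOST_DOMAIN="vpn"
STATUS_LOG="/etc/openvpn/openvpn-status.log"
OUT_CONF="/etc/dnsmasq.d/openvpn-clients.conf"   # assumed output file

# Emit "address=/<cn>.<domain>/<ip>" for each ROUTING TABLE entry whose
# virtual address is a plain IPv4 address and whose common name is a single
# DNS label; iroute subnets and odd CNs are skipped instead of being written
# into the resolver's config. Arguments: domain suffix, status file.
gen_dnsmasq_conf() {
    awk -v dom="$1" '
        /^ROUTING TABLE/ { in_rt = 1; next }
        /^GLOBAL STATS/  { in_rt = 0 }
        in_rt && $0 !~ /^Virtual Address/ {
            split($0, f, ",")
            if (f[1] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
                f[2] ~ /^[A-Za-z0-9][A-Za-z0-9-]*$/ && length(f[2]) <= 63)
                printf "address=/%s.%s/%s\n", f[2], dom, f[1]
        }' "$2" | sort
}

# Regenerate the config; write it atomically and restart dnsmasq only on change.
update_dnsmasq() {
    tmp="$(mktemp "$OUT_CONF.XXXXXX")"
    gen_dnsmasq_conf "$HOST_DOMAIN" "$STATUS_LOG" > "$tmp"
    if [ -f "$OUT_CONF" ] && cmp -s "$tmp" "$OUT_CONF"; then
        rm -f "$tmp"              # unchanged: leave dnsmasq alone
        return 0
    fi
    chmod 644 "$tmp"
    mv "$tmp" "$OUT_CONF"
    systemctl restart dnsmasq
}

# Constructed sample status log (two normal clients, one CN that is not a
# valid label, and one iroute subnet entry); prints the temp file's path.
sample_status_log() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
OpenVPN CLIENT LIST
Updated,Tue Sep 25 10:00:00 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:49502,1234,5678,Tue Sep 25 09:00:00 2018
bob,198.51.100.7:51000,999,111,Tue Sep 25 09:30:00 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:49502,Tue Sep 25 09:59:00 2018
10.8.0.10,bob,198.51.100.7:51000,Tue Sep 25 09:58:00 2018
10.8.0.14,evil/../x,192.0.2.9:40000,Tue Sep 25 09:57:00 2018
192.168.50.0/24,bob,198.51.100.7:51000,Tue Sep 25 09:58:00 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
    printf '%s\n' "$f"
}

# Usage: run with "cron" on the VPN server; with no argument, show the
# lines the sample log would produce.
case "${1:-demo}" in
    cron) update_dnsmasq ;;
    demo) f="$(sample_status_log)"; gen_dnsmasq_conf "$HOST_DOMAIN" "$f"; rm -f "$f" ;;
esac
```

Running it with no argument prints only the two lines for alice and bob; the "evil/../x" name and the 192.168.50.0/24 iroute never reach the resolver configuration.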

Way #2

Add these lines to /etc/openvpn/server.conf:

script-security 3 system
client-connect /opt/ovpn-dns/ovpn-dns-connect.sh
client-disconnect /opt/ovpn-dns/ovpn-dns-disconnect.sh

Script /opt/ovpn-dns/ovpn-dns-connect.sh:

#!/bin/bash
# OpenVPN exports the client certificate's CN ($common_name) and the address
# it assigned from the pool ($ifconfig_pool_remote_ip) to the hook's environment
echo "address=/$common_name.vpn/$ifconfig_pool_remote_ip" > "/etc/dnsmasq.d/$common_name.conf"
/bin/systemctl restart dnsmasq

Script /opt/ovpn-dns/ovpn-dns-disconnect.sh:

#!/bin/bash
# Drop the per-client file written by the connect hook and reload the resolver
rm -f "/etc/dnsmasq.d/$common_name.conf"
/bin/systemctl restart dnsmasq
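A hardened variant of the two hooks, as an added example that is not part of the original post: a single script serves both events by checking $script_type (OpenVPN sets it to "client-connect" or "client-disconnect"), and it validates $common_name and $ifconfig_pool_remote_ip before building a file name and a dnsmasq line from them. The CN is fixed when the certificate is issued, and OpenVPN's own sanitising of X.509 names still allows "." and "/", so an unchecked name could land the file outside /etc/dnsmasq.d or produce a malformed address= line. A non-zero exit from a client-connect script makes OpenVPN refuse that client. The suffix "vpn" and the directory are the post's values; for this use a script-security level of 2 is sufficient (level 3 only adds passing passwords through the environment).

```shell
#!/bin/sh
# Added example, not the original post's scripts: one hook for both events,
# which validates what OpenVPN hands it before touching /etc/dnsmasq.d.
# OpenVPN sets $script_type to "client-connect" or "client-disconnect",
# $common_name to the client certificate's CN and $ifconfig_pool_remote_ip
# to the address handed out from the pool. The CN is chosen when the
# certificate is issued and may legitimately contain "." and "/", so it is
# checked before it is used as a file name and as a DNS label.
set -eu

HOST_DOMAIN="vpn"            # assumed suffix, as in the post
CONF_DIR="/etc/dnsmasq.d"    # assumed, as in the post

# A single DNS label: letters, digits and hyphens, 1-63 characters,
# not starting with a hyphen. Rejects "/", "..", spaces and empty names.
valid_common_name() {
    [ "${#1}" -le 63 ] || return 1
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9-]*$'
}

# A dotted-quad IPv4 address (what the pool hands out).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Print the dnsmasq line for one client, or print nothing and fail.
dnsmasq_entry() {
    valid_common_name "$1" || return 1
    valid_ipv4 "$2" || return 1
    printf 'address=/%s.%s/%s\n' "$1" "$HOST_DOMAIN" "$2"
}

case "${script_type:-}" in
    client-connect)
        entry="$(dnsmasq_entry "$common_name" "$ifconfig_pool_remote_ip")" || {
            logger -t ovpn-dns "rejected common_name '$common_name'"
            exit 1   # non-zero exit makes OpenVPN drop the connection
        }
        printf '%s\n' "$entry" > "$CONF_DIR/$common_name.conf"
        systemctl restart dnsmasq
        ;;
    client-disconnect)
        # Only remove a file this hook could have created.
        if valid_common_name "$common_name"; then
            rm -f "$CONF_DIR/$common_name.conf"
            systemctl restart dnsmasq
        fi
        ;;
esac
```

Point both client-connect and client-disconnect in server.conf at this one file; the rejected-name message goes to syslog, which is where you would look when a client with an odd certificate cannot connect.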


OpenVPN config does not start on Ubuntu and Debian

No. 8260, in the Sysadmin section, December 27th, 2016

The culprit is the switch to systemd. /etc/default/openvpn no longer needs to be edited; configs are enabled and disabled like this:

Remove a config from autostart:
root@boroda:/# systemctl disable openvpn@ntr
Removed symlink /etc/systemd/system/multi-user.target.wants/openvpn@ntr.service.

Add a config to autostart and start it:
root@boroda:/# systemctl enable openvpn@asusw6a
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@asusw6a.service to /lib/systemd/system/openvpn@.service.
root@boroda:/# systemctl start openvpn@asusw6a


Single connection OpenVPN in 15 minutes

No. 1935, in the Sysadmin section, March 11th, 2010

VPN is a nice choice to bypass your local network blocking rules. I love OpenVPN, and now I will show you how to bring more freedom to your home or office network.

Server side

Connect to your future VPN server and install OpenVPN: apt-get install openvpn.

Now generate a new static key file:

cd /etc/openvpn/
openvpn --genkey --secret masupakey.key

Create /etc/openvpn/myvpn.conf and save this:

port 5432 # change port as you like
dev my_vpn
dev-type tun
proto tcp-server
ifconfig 172.21.0.1 172.21.0.2
secret /etc/openvpn/masupakey.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
cipher AES-256-CBC

So you have the following connection information:
Protocol: TCP
Port: 5432
Server IP: 172.21.0.1
Client IP: 172.21.0.2

Now enable autostart and run the server:

systemctl enable openvpn@myvpn
systemctl start openvpn@myvpn

Activate IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-nat.conf

Activate SNAT on the server side (74.153.11.70 is the external server IP, my_vpn the VPN interface, eth0 the external interface):

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 74.153.11.70
iptables -A FORWARD -i eth0 -o my_vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i my_vpn -o eth0 -j ACCEPT

Client side

Connect to your home or office server and install OpenVPN: apt-get install openvpn. Copy the VPN key from the server and save it in the same place.

Create /etc/openvpn/myvpn.conf and save this:

remote 74.153.11.70
port 5432
dev vpn_server
dev-type tun
proto tcp-client
ifconfig 172.21.0.2 172.21.0.1
secret /etc/openvpn/masupakey.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
cipher AES-256-CBC

Now enable autostart and run the client:

systemctl enable openvpn@myvpn
systemctl start openvpn@myvpn

Add routes through your new VPN connection: ip r a 8.8.8.8 via 172.21.0.1

Now check the route: traceroute 8.8.8.8

You're great!
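The whole procedure above, from key generation to the NAT rules, as an added example that is not part of the original post: both configs are produced from one set of parameters so the two ends stay mirror images (ifconfig swapped, tcp-server against tcp-client), the key file is created readable by root only, and the SNAT rule is restricted to the tunnel network rather than rewriting everything that leaves eth0. The addresses, port, interface names and key path are the post's; the script name static-vpn.sh and the TUN_NET value 172.21.0.0/30 are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's commands: produce both ends of the
# static-key tunnel from one set of parameters, so the two configs stay
# mirror images (ifconfig swapped, tcp-server vs tcp-client), and the
# server's NAT rules with SNAT limited to traffic from the tunnel. The
# addresses, names and ports are the ones used in the post.
set -eu

SERVER_PUBLIC_IP="74.153.11.70"
PORT="5432"
SERVER_TUN_IP="172.21.0.1"
CLIENT_TUN_IP="172.21.0.2"
TUN_NET="172.21.0.0/30"            # assumed: covers both tunnel ends
KEY_FILE="/etc/openvpn/masupakey.key"
WAN_IF="eth0"
SERVER_TUN_IF="my_vpn"

# Directives common to both ends of a static-key tunnel.
common_directives() {
    cat <<EOF
dev-type tun
secret $KEY_FILE
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
cipher AES-256-CBC
EOF
}

# Server side: listen on TCP; ifconfig is "local remote".
server_conf() {
    printf 'port %s\ndev %s\nproto tcp-server\nifconfig %s %s\n' \
        "$PORT" "$SERVER_TUN_IF" "$SERVER_TUN_IP" "$CLIENT_TUN_IP"
    common_directives
}

# Client side: connect to the public address; ifconfig is the mirror image.
client_conf() {
    printf 'remote %s\nport %s\ndev vpn_server\nproto tcp-client\nifconfig %s %s\n' \
        "$SERVER_PUBLIC_IP" "$PORT" "$CLIENT_TUN_IP" "$SERVER_TUN_IP"
    common_directives
}

# Server firewall: the post's SNAT rule rewrites everything leaving eth0;
# restricting it to the tunnel network keeps other forwarded traffic
# untouched. Widen TUN_NET if the client forwards a LAN behind it.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $TUN_NET -o $WAN_IF -j SNAT --to $SERVER_PUBLIC_IP
iptables -A FORWARD -i $WAN_IF -o $SERVER_TUN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $SERVER_TUN_IF -o $WAN_IF -j ACCEPT
EOF
}

# The shared key is the only thing protecting the tunnel: create it readable
# by root only, and move it to the client over a channel you already trust
# (scp), since whoever holds it can decrypt every session, past and future.
make_key() {
    ( umask 077 && openvpn --genkey --secret "$KEY_FILE" )
}

# Usage: ./static-vpn.sh server|client > /etc/openvpn/myvpn.conf
#        ./static-vpn.sh nat | sh      (on the server, after enabling ip_forward)
#        ./static-vpn.sh key           (on the server, once)
case "${1:-}" in
    server) server_conf ;;
    client) client_conf ;;
    nat)    nat_rules ;;
    key)    make_key ;;
esac
```

Because both configs come from the same variables, a typo in an address shows up on both sides at once instead of as a tunnel that comes up but passes no traffic.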


