Настройка OpenVPN
Изменено 17.11.2023
Настройка OpenVPN
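# ====================================================================
# OpenVPN server runbook (Debian/Ubuntu): install, build the PKI,
# write server.conf plus the up/down firewall hooks, and the client
# settings.  Run as root.  The Webhost1 Render UDP variant at the end
# is reference only and is not applied by this script.
# ====================================================================

# INSTALL and make certificates =======================================
apt-get -y install openvpn

# CN of the CA / server; all certificates are valid 10 years
# (EASYRSA_CERT_EXPIRE 3650 appended to vars below).
VPN_SERVER="vpn.webserv24.com"
cd /etc/openvpn || exit 1
rm -rf -- rsa
make-cadir rsa
cd rsa || exit 1
echo 'set_var EASYRSA_CERT_EXPIRE 3650' >> vars
# ". vars" depends on "." being found via PATH under plain sh; "./vars" does not.
. ./vars
./easyrsa init-pki
# NOTE(review): build-ca runs on the VPN host itself, so the CA private key
# (pki/private/ca.key) ends up on the same machine as server.key.  Anyone
# with root here can mint new client certificates.  Keep a copy of the CA
# off this box if possible, and plan for revocation (./easyrsa revoke +
# ./easyrsa gen-crl, then "crl-verify" in server.conf).
./easyrsa --batch --req-cn="$VPN_SERVER" build-ca nopass
./easyrsa --batch build-server-full server nopass
# "nopass" leaves client.key unencrypted; it is copied to the Windows box
# as-is below, so protect that folder like a password.
./easyrsa --batch build-client-full client nopass
./easyrsa gen-dh
# Shared HMAC key for tls-auth (server side uses direction 0, client 1).
openvpn --genkey secret pki/ta.key

# copy, set mode and restart ------------------------------------------
cp pki/ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/dh2048.pem
# Keys are read by root before "user nobody" takes effect (persist-key), so 0600 is enough.
chmod 0600 /etc/openvpn/ca.crt /etc/openvpn/server.crt /etc/openvpn/server.key \
  /etc/openvpn/dh2048.pem /etc/openvpn/ta.key
/etc/init.d/openvpn restart
# Copy to your PC into C:\Program Files\OpenVPN\ovh\ from the pki folder:
# ca.crt, ta.key, issued/client.crt, private/client.key

# SERVER ==============================================================
# /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz documents
# every directive; the effective configuration used here is written in full.
# port/proto must match the INPUT rule in up.sh (9999/tcp) and the client's
# "remote" line.  tcp gets through restrictive networks more reliably, udp is
# faster; the transport does not change the TLS protection of the tunnel.
cat > /etc/openvpn/server.conf <<'EOF'
port 9999
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
;client-to-client  # not needed for a single client
keepalive 10 120
# tls-auth = HMAC on the control channel; "tls-crypt ta.key" (2.4+) additionally
# encrypts it and is the usual choice for new setups.
tls-auth ta.key 0
# OpenVPN 2.5+ negotiates the data cipher via "data-ciphers"; "cipher" still works.
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
;log /var/log/openvpn/openvpn.log
verb 5
mute 10
auth SHA512
tls-version-min 1.2
# script-security 2 allows the up/down hooks below to run (as root, before
# privileges are dropped) - keep them root-owned and 0700.
script-security 2
up up.sh
down down.sh
# MY TUNING -----------------------------------------------------------
#OLD: tls-server
#OLD: comp-lzo
# speed tuning
sndbuf 131072
rcvbuf 131072
push "sndbuf 131072"
push "rcvbuf 131072"
# UDP tuning (only relevant with proto udp)
; mssfix 1300
; fast-io
EOF

# up.sh: called by OpenVPN after tun0 is up.  Every rule is added only if it
# is not already present (iptables -C, iptables >= 1.4.11), so a restart no
# longer leaves duplicate FORWARD/INPUT rules behind.
cat > /etc/openvpn/up.sh <<'EOF'
#!/bin/sh
# NOTE: when the VPN should use the main IP, replace the SNAT rule with:
#   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
set -eu
VPN_IP='87.98.245.106'
# interface of the default route: the name printed after "dev" by "ip route get 1"
SERVER_ETH=$(ip route get 1 | head -1 | awk '{print $5}')
[ -n "$SERVER_ETH" ] || exit 1

# ensure_rule <table> <-A|-I> <chain> <rule...>: add the rule unless present
ensure_rule() {
  t=$1; a=$2; shift 2
  iptables -t "$t" -C "$@" 2>/dev/null || iptables -t "$t" "$a" "$@"
}

ensure_rule filter -A FORWARD -i "$SERVER_ETH" -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
ensure_rule filter -A FORWARD -s 10.8.0.0/24 -o "$SERVER_ETH" -j ACCEPT
ensure_rule nat -A POSTROUTING -s 10.8.0.0/24 -o "$SERVER_ETH" -j SNAT --to-source "$VPN_IP"
# open the listening port (must match "port"/"proto" in server.conf)
ensure_rule filter -I INPUT -i "$SERVER_ETH" -p tcp --dport 9999 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF

# down.sh: removes every rule up.sh added (including duplicates from older
# runs).  ip_forward is deliberately left on - other services may rely on it.
cat > /etc/openvpn/down.sh <<'EOF'
#!/bin/sh
set -u
VPN_IP='87.98.245.106'
SERVER_ETH=$(ip route get 1 | head -1 | awk '{print $5}')
[ -n "$SERVER_ETH" ] || exit 0

# drop_rule <table> <chain> <rule...>: delete every copy of the rule
drop_rule() {
  t=$1; shift
  while iptables -t "$t" -C "$@" 2>/dev/null; do
    iptables -t "$t" -D "$@"
  done
}

drop_rule filter INPUT -i "$SERVER_ETH" -p tcp --dport 9999 -j ACCEPT
drop_rule nat POSTROUTING -s 10.8.0.0/24 -o "$SERVER_ETH" -j SNAT --to-source "$VPN_IP"
drop_rule filter FORWARD -s 10.8.0.0/24 -o "$SERVER_ETH" -j ACCEPT
drop_rule filter FORWARD -i "$SERVER_ETH" -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF

# hooks run as root: no group/world write, no other owner
chown root:root /etc/openvpn/up.sh /etc/openvpn/down.sh
chmod 0700 /etc/openvpn/up.sh /etc/openvpn/down.sh
systemctl enable openvpn
service openvpn restart

# CLIENT ==============================================================
# Take sample-config/client.ovpn, save it as ovh/client.ovpn next to the
# copied ca.crt / ta.key / client.crt / client.key, set the server:
#   remote 87.98.245.106 9999
#   proto tcp
# and append to the end (must mirror the server: direction 1 for tls-auth):
#   auth-nocache
#   tls-auth ta.key 1
#   cipher AES-256-GCM
#   auth SHA512
#   tls-version-min 1.2

# REFERENCE: differences of the UDP server config on Webhost1 Render ====
# (not applied here; shown for comparison)
#   # client subnet (IPv4 /16 and an IPv6 /112)
#   server 10.10.0.0 255.255.0.0
#   server-ipv6 2a00:ab00:603:d8:80::/112
#   client-config-dir /etc/openvpn/ccd
#   # Run client-specific script on connection and disconnection.
#   # NOTE(review): both hooks are run through sudo as root for every client
#   # connect/disconnect - the script files must be root-owned and not
#   # writable by anyone else, or a local user can run code as root.
#   script-security 2
#   client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
#   client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"
#   # client-to-client settings: allow traffic between clients
#   # (the client-to-client directive itself is not part of this excerpt)
#   keepalive 15 60
#   # NOTE(review): compression inside a TLS tunnel is deprecated in OpenVPN
#   # 2.5+ and is a known plaintext-leak risk (VORACLE); prefer no compression.
#   comp-lzo yes
#   #tun-mtu 1480
#   #fragment 1300
#   mssfix 1300
#   fast-io
#   txqueuelen 300
#   sndbuf 26624
#   rcvbuf 26624
#   push "sndbuf 26624"
#   push "rcvbuf 26624"
#   # IPv6 routes
#   push "route-ipv6 2a00:ab00:603:d8::/64"
#   push "route-ipv6 2000::/3"
#   push "dhcp-option DNS 8.8.8.8"
#   push "dhcp-option DNS 2606:4700:4700::1111"
#   push "comp-lzo yes"
# --------------------------------------------------------------------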