-rw-r--r--  blog/dst/a/vpn_server_with_openvpn.html | 12
-rw-r--r--  blog/dst/rss.xml                        | 15
-rw-r--r--  blog/src/.files                         |  2
-rw-r--r--  blog/src/a/vpn_server_with_openvpn.md   | 11
4 files changed, 22 insertions, 18 deletions
diff --git a/blog/dst/a/vpn_server_with_openvpn.html b/blog/dst/a/vpn_server_with_openvpn.html index 000e72a..e65fc14 100644 --- a/blog/dst/a/vpn_server_with_openvpn.html +++ b/blog/dst/a/vpn_server_with_openvpn.html @@ -233,8 +233,8 @@ verb 3 # Only usable with udp. explicit-exit-notify 1 </code></pre> -<p><code>#</code> and <code>;</code> are comments. Read each and every line, you might want to change some stuff (like the logging).</p> -<p>Now, we need to enable <em>packet forwarding</em>, which can be enabled on the interface level or globally (you can check the different options with <code>sysctl -a | grep forward</code>). I’ll do it globally, run:</p> +<p><code>#</code> and <code>;</code> are comments. Read each and every line, you might want to change some stuff (like the logging), specially the first line which is your server public IP.</p> +<p>Now, we need to enable <em>packet forwarding</em> (so we can access the web while connected to the VPN), which can be enabled on the interface level or globally (you can check the different options with <code>sysctl -a | grep forward</code>). I’ll do it globally, run:</p> <pre><code class="language-sh">sysctl net.ipv4.ip_forward=1 </code></pre> <p>And create/edit the file <code>/etc/sysctl.d/30-ipforward.conf</code>:</p> @@ -243,6 +243,7 @@ explicit-exit-notify 1 <p>Now we need to configure <code>ufw</code> to forward traffic through the VPN. Append the following to <code>/etc/default/ufw</code> (or edit the existing line):</p> <pre><code>... DEFAULT_FORWARD_POLICY="ACCEPT" +... </code></pre> <p>And change the <code>/etc/ufw/before.rules</code>, appending the following lines after the header <strong>but before the *filter line</strong>:</p> <pre><code>... 
@@ -260,7 +261,7 @@ COMMIT *filter ... </code></pre> -<p>Where <code>interface</code> must be changed depending on your interface (in my case is <code>ens3</code>, another common one is <code>eth0</code>); I always check this by running <code>ip addr</code>, you will get a list of interfaces of which the one containing your public ip is the one that you want, for me it looks something like:</p> +<p>Where <code>interface</code> must be changed depending on your system (in my case it’s <code>ens3</code>, another common one is <code>eth0</code>); I always check this by running <code>ip addr</code> which gives you a list of interfaces (the one containing your server public IP is the one you want, or whatever interface your server uses to connect to the internet):</p> <pre><code>... 2: ens3: <SOMETHING,SOMETHING> bla bla link/ether bla:bla @@ -268,7 +269,7 @@ COMMIT inet my.public.ip.addr bla bla ... </code></pre> -<p>And also make sure the <code>10.8.0.0/24</code> matches the subnet mask specified in the <code>server.conf</code> file (in this example it matches). You should check this very carefully, because I just spend a good 2 hours debugging why my configuration wasn’t working, and this was te reason (I could connect to the VPN, but had no external connection to the web).</p> +<p>And also make sure the <code>10.8.0.0/24</code> matches the subnet mask specified in the <code>server.conf</code> file (in this example it matches). You should check this very carefully, because I just spent a good 2 hours debugging why my configuration wasn’t working, and this was te reason (I could connect to the VPN, but had no external connection to the web).</p> <p>Finally, allow the OpenVPN port you specified (in this example its <code>1194/udp</code>) and reload <code>ufw</code>:</p> <pre><code class="language-sh">ufw allow 1194/udp comment "OpenVPN" ufw reload 
@@ -277,7 +278,7 @@ ufw reload <pre><code class="language-sh">systemctl start openvpn-server@server.service systemctl enable openvpn-server@server.service </code></pre> -<p>Where the <code>server</code> after <code>@</code> is your specific configuration, in my case it is called just <code>server</code>.</p> +<p>Where the <code>server</code> after <code>@</code> is the name of your configuration, <code>server.conf</code> without the <code>.conf</code> in my case.</p> <h3 id="create-client-configurations">Create client configurations</h3> <p>You might notice that I didn’t specify how to actually connect to our server. For that we need to do a few more steps. We actually need a configuration file similar to the <code>server.conf</code> file that we created.</p> <p>The real way of doing this would be to run similar steps as the ones with <code>easy-rsa</code> locally, send them to the server, sign them, and retrieve them. Nah, we’ll just create all configuration files on the server as I was mentioning earlier.</p> @@ -376,6 +377,7 @@ cd $CPWD <div class="article-info"> <p>By David Luévano</p> <p>Created: Sun, Aug 01, 2021 @ 09:27 UTC</p> + <p>Modified: Sun, Aug 01, 2021 @ 10:13 UTC</p> <div class="article-tags"> <p>Tags: <a href="https://blog.luevano.xyz/tag/@english.html">english</a>, <a href="https://blog.luevano.xyz/tag/@server.html">server</a>, <a href="https://blog.luevano.xyz/tag/@tools.html">tools</a>, <a href="https://blog.luevano.xyz/tag/@tutorial.html">tutorial</a> </p> diff --git a/blog/dst/rss.xml b/blog/dst/rss.xml index 556a62a..cf4d94e 100644 --- a/blog/dst/rss.xml +++ b/blog/dst/rss.xml 
@@ -13,8 +13,8 @@ <copyright>Copyright 2021 David Luévano Alvarado</copyright> <managingEditor>david@luevano.xyz (David Luévano Alvarado)</managingEditor> <webMaster>david@luevano.xyz (David Luévano Alvarado)</webMaster> - <pubDate>Sun, 01 Aug 2021 09:27:47 GMT</pubDate> - <lastBuildDate>Sun, 01 Aug 2021 09:27:47 GMT</lastBuildDate> + <pubDate>Sun, 01 Aug 2021 10:13:12 GMT</pubDate> + <lastBuildDate>Sun, 01 Aug 2021 10:13:12 GMT</lastBuildDate> <generator>pyssg v0.5.9</generator> <docs>https://validator.w3.org/feed/docs/rss2.html</docs> <ttl>30</ttl> @@ -188,8 +188,8 @@ verb 3 # Only usable with udp. explicit-exit-notify 1 </code></pre> -<p><code>#</code> and <code>;</code> are comments. Read each and every line, you might want to change some stuff (like the logging).</p> -<p>Now, we need to enable <em>packet forwarding</em>, which can be enabled on the interface level or globally (you can check the different options with <code>sysctl -a | grep forward</code>). I’ll do it globally, run:</p> +<p><code>#</code> and <code>;</code> are comments. Read each and every line, you might want to change some stuff (like the logging), specially the first line which is your server public IP.</p> +<p>Now, we need to enable <em>packet forwarding</em> (so we can access the web while connected to the VPN), which can be enabled on the interface level or globally (you can check the different options with <code>sysctl -a | grep forward</code>). I’ll do it globally, run:</p> <pre><code class="language-sh">sysctl net.ipv4.ip_forward=1 </code></pre> <p>And create/edit the file <code>/etc/sysctl.d/30-ipforward.conf</code>:</p> 
@@ -198,6 +198,7 @@ explicit-exit-notify 1 <p>Now we need to configure <code>ufw</code> to forward traffic through the VPN. Append the following to <code>/etc/default/ufw</code> (or edit the existing line):</p> <pre><code>... DEFAULT_FORWARD_POLICY="ACCEPT" +... </code></pre> <p>And change the <code>/etc/ufw/before.rules</code>, appending the following lines after the header <strong>but before the *filter line</strong>:</p> <pre><code>... @@ -215,7 +216,7 @@ COMMIT *filter ... </code></pre> -<p>Where <code>interface</code> must be changed depending on your interface (in my case is <code>ens3</code>, another common one is <code>eth0</code>); I always check this by running <code>ip addr</code>, you will get a list of interfaces of which the one containing your public ip is the one that you want, for me it looks something like:</p> +<p>Where <code>interface</code> must be changed depending on your system (in my case it’s <code>ens3</code>, another common one is <code>eth0</code>); I always check this by running <code>ip addr</code> which gives you a list of interfaces (the one containing your server public IP is the one you want, or whatever interface your server uses to connect to the internet):</p> <pre><code>... 2: ens3: <SOMETHING,SOMETHING> bla bla link/ether bla:bla 
@@ -223,7 +224,7 @@ COMMIT inet my.public.ip.addr bla bla ... </code></pre> -<p>And also make sure the <code>10.8.0.0/24</code> matches the subnet mask specified in the <code>server.conf</code> file (in this example it matches). You should check this very carefully, because I just spend a good 2 hours debugging why my configuration wasn’t working, and this was te reason (I could connect to the VPN, but had no external connection to the web).</p> +<p>And also make sure the <code>10.8.0.0/24</code> matches the subnet mask specified in the <code>server.conf</code> file (in this example it matches). You should check this very carefully, because I just spent a good 2 hours debugging why my configuration wasn’t working, and this was te reason (I could connect to the VPN, but had no external connection to the web).</p> <p>Finally, allow the OpenVPN port you specified (in this example its <code>1194/udp</code>) and reload <code>ufw</code>:</p> <pre><code class="language-sh">ufw allow 1194/udp comment "OpenVPN" ufw reload 
@@ -232,7 +233,7 @@ ufw reload <pre><code class="language-sh">systemctl start openvpn-server@server.service systemctl enable openvpn-server@server.service </code></pre> -<p>Where the <code>server</code> after <code>@</code> is your specific configuration, in my case it is called just <code>server</code>.</p> +<p>Where the <code>server</code> after <code>@</code> is the name of your configuration, <code>server.conf</code> without the <code>.conf</code> in my case.</p> <h3 id="create-client-configurations">Create client configurations</h3> <p>You might notice that I didn’t specify how to actually connect to our server. For that we need to do a few more steps. We actually need a configuration file similar to the <code>server.conf</code> file that we created.</p> <p>The real way of doing this would be to run similar steps as the ones with <code>easy-rsa</code> locally, send them to the server, sign them, and retrieve them. Nah, we’ll just create all configuration files on the server as I was mentioning earlier.</p> diff --git a/blog/src/.files b/blog/src/.files index d43f207..c5c8a85 100644 --- a/blog/src/.files +++ b/blog/src/.files @@ -12,4 +12,4 @@ a/acomodada_la_pagina_de_arte.md 1623006369.6071973 1623006525.2665823 short,spa a/xmpp_server_with_prosody.md 1623216270.0372887 1627809865.4920528 english,server,tools,tutorial a/tenia_esto_descuidado.md 1626594710.918819 0.0 short,spanish,update a/hoy_toco_desarrollo_personaje.md 1627452655.5560262 0.0 spanish -a/vpn_server_with_openvpn.md 1627810022.100739 0.0 english,server,tools,tutorial +a/vpn_server_with_openvpn.md 1627810022.100739 1627812788.832212 english,server,tools,tutorial diff --git a/blog/src/a/vpn_server_with_openvpn.md b/blog/src/a/vpn_server_with_openvpn.md index 4eb8438..7346264 100644 --- a/blog/src/a/vpn_server_with_openvpn.md +++ b/blog/src/a/vpn_server_with_openvpn.md 
@@ -202,9 +202,9 @@ verb 3 explicit-exit-notify 1 ``` -`#` and `;` are comments. Read each and every line, you might want to change some stuff (like the logging). +`#` and `;` are comments. Read each and every line, you might want to change some stuff (like the logging), specially the first line which is your server public IP. -Now, we need to enable *packet forwarding*, which can be enabled on the interface level or globally (you can check the different options with `sysctl -a | grep forward`). I'll do it globally, run: +Now, we need to enable *packet forwarding* (so we can access the web while connected to the VPN), which can be enabled on the interface level or globally (you can check the different options with `sysctl -a | grep forward`). I'll do it globally, run: ```sh sysctl net.ipv4.ip_forward=1 @@ -221,6 +221,7 @@ Now we need to configure `ufw` to forward traffic through the VPN. Append the fo ``` ... DEFAULT_FORWARD_POLICY="ACCEPT" +... ``` And change the `/etc/ufw/before.rules`, appending the following lines after the header **but before the \*filter line**: @@ -242,7 +243,7 @@ COMMIT ... ``` -Where `interface` must be changed depending on your interface (in my case is `ens3`, another common one is `eth0`); I always check this by running `ip addr`, you will get a list of interfaces of which the one containing your public ip is the one that you want, for me it looks something like: +Where `interface` must be changed depending on your system (in my case it's `ens3`, another common one is `eth0`); I always check this by running `ip addr` which gives you a list of interfaces (the one containing your server public IP is the one you want, or whatever interface your server uses to connect to the internet): ``` ... 
@@ -253,7 +254,7 @@ Where `interface` must be changed depending on your interface (in my case is `en ... ``` -And also make sure the `10.8.0.0/24` matches the subnet mask specified in the `server.conf` file (in this example it matches). You should check this very carefully, because I just spend a good 2 hours debugging why my configuration wasn't working, and this was te reason (I could connect to the VPN, but had no external connection to the web). +And also make sure the `10.8.0.0/24` matches the subnet mask specified in the `server.conf` file (in this example it matches). You should check this very carefully, because I just spent a good 2 hours debugging why my configuration wasn't working, and this was te reason (I could connect to the VPN, but had no external connection to the web). Finally, allow the OpenVPN port you specified (in this example its `1194/udp`) and reload `ufw`: @@ -269,7 +270,7 @@ systemctl start openvpn-server@server.service systemctl enable openvpn-server@server.service ``` -Where the `server` after `@` is your specific configuration, in my case it is called just `server`. +Where the `server` after `@` is the name of your configuration, `server.conf` without the `.conf` in my case. ### Create client configurations |
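Review bot: typo in the sentence added by the .md hunk @@ -202,9 +202,9 @@ (and in its generated copies in the .html hunk @@ -233,8 +233,8 @@ and the rss.xml hunk @@ -188,8 +188,8 @@): "specially the first line which is your server public IP" should read "especially the first line, which is your server's public IP". Since `blog/dst/` is generated from the `.md` source, fix it once in `blog/src/a/vpn_server_with_openvpn.md` and regenerate rather than editing the three copies by hand.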
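Review bot: the line touched in the .md hunk @@ -253,7 +254,7 @@ corrects "spend" to "spent" but leaves "this was te reason" in the same sentence; while here, change it to "this was the reason". The unchanged context line right below it, "in this example its `1194/udp`", should be "it's". The same two fixes apply to the generated copies in the .html hunk @@ -268,7 +269,7 @@ and the rss.xml hunk @@ -223,7 +224,7 @@.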
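Review bot: the rationale added in the .md hunk @@ -202,9 +202,9 @@ ("so we can access the web while connected to the VPN") is a good addition, but the `DEFAULT_FORWARD_POLICY="ACCEPT"` block in hunk @@ -221,6 +221,7 @@ deserves one more sentence: with `net.ipv4.ip_forward=1` set globally and the default forward policy set to ACCEPT, the host will forward traffic between any of its interfaces, not only VPN traffic, so the reader should keep the rules added to `/etc/ufw/before.rules` scoped to the VPN subnet (`10.8.0.0/24` here) rather than relying on the ACCEPT default. The later hunk already tells them to keep that subnet in sync with `server.conf`; pointing back to it from the `DEFAULT_FORWARD_POLICY` paragraph would make the dependency explicit.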