Реалии жизни заставляют задуматься, как черпать информацию из бездонного простора интернета. Пора позаботиться о своём VPN-сервере. Ubuntu 22.04 имеем в своём распоряжении как VDS. Поехали...
Для удобства создадим своего пользователя
# Creates the account; with no -m and no password it typically has neither a home
# directory nor a way to log in yet. Set a password or SSH key for it BEFORE the
# next step (disabling root over SSH), otherwise the VDS becomes unreachable.
useradd admin
# Membership of the sudo group gives this account full root via sudo.
adduser admin sudo
Запретим root для ssh
Нам нужен свой домен. Установим noip
cd /usr/local/src/
# NOTE(review): plain-HTTP download of source that is then built and installed as
# root, with no checksum or signature verification, so anything on the network path
# can substitute the tarball. Fetch it over HTTPS and verify it before `make install`.
wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz
tar -zxvf noip-duc-linux.tar.gz
cd noip-2.1.9-1/
apt install make gcc
make
# Installs the noip2 binary under /usr/local/bin and writes the client config
# (/usr/local/etc/no-ip2.conf, copied further down) — presumably after asking for
# the No-IP account login; confirm.
make install
# Opens the unit file; its contents follow.
nano /etc/systemd/system/noip.service
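# /etc/systemd/system/noip.service — runs the No-IP dynamic DNS client.
[Unit]
Description=NoIP
# syslog.target is obsolete on current systemd; harmless, kept as written.
After=syslog.target
After=network.target
[Service]
Type=forking
OOMScoreAdjust=-100
ExecStart=/usr/local/bin/noip2
# NOTE(review): with Type=forking and no PIDFile=, systemd has to guess $MAINPID;
# if reload/stop misbehave, point PIDFile= at the pid file noip2 writes — confirm.
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
[Install]
WantedBy=multi-user.target
# Alias names must carry the unit's own suffix (".service"), and aliasing the unit to
# its own name adds nothing, so the original "Alias=noip" line — which makes
# `systemctl enable` fail — is disabled here.
# Alias=noip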
systemctl daemon-reload
# NOTE(review): copies the client config (presumably holding the No-IP account login
# written by make install) into the source tree under the name "lugawork". Its purpose
# is not shown here; a second copy of credentials is one more file to protect or delete.
cp /usr/local/etc/no-ip2.conf /usr/local/src/noip-2.1.9-1/lugawork
# NOTE(review): the unit is started but never enabled (compare "systemctl enable ocserv"
# further down), so the DDNS client will not come back after a reboot.
systemctl start noip
systemctl status noip
Выпустим свой сертификат SSL
apt install certbot
# --standalone binds port 80 itself for the HTTP-01 challenge, so port 80 must be free
# and reachable from the internet (HAProxy below only listens on 443).
# NOTE(review): the name here (mydomen.sytes.net) is not the one the ocserv config later
# points server-cert/server-key at (lugawork.sytes.net); use the same name in both
# places. Also arrange renewal (certbot renew) — the standalone challenge needs port 80
# free each time it runs.
certbot certonly --standalone --preferred-challenges http -d mydomen.sytes.net
Теперь научим наш сервер предоставлять доступ в интернет из VPN-соединений
Поправить в конфиге:
И выполнить команду:
# NOTE(review): the config edit referred to just above is not shown on this page; for
# VPN clients to reach the internet through this host, IP forwarding has to be enabled
# in the file that `sysctl -p` reloads — confirm what was edited.
sudo sysctl -p
# NOTE(review): this masquerades 10.10.10.0/24, but ocserv.conf below hands out
# ipv4-network = 10.10.110.0/24; unless the two agree, client traffic likely leaves
# with private source addresses and gets no replies. The rule is appended to whatever
# is already in the nat table, and ens3 must be this host's actual uplink interface.
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o ens3 -j MASQUERADE
где 10.10.10.0/24 — подсеть для VPN, ens3 — интерфейс, через который приходит интернет.
Сохраним правила, чтобы они применялись при загрузке
apt-get install iptables-persistent
# Snapshots the *entire* current ruleset into /etc/iptables/ (rules.v4 is shown below),
# so check that nothing unintended is loaded before saving.
netfilter-persistent save
Проверим, что сохранилось:
# The MASQUERADE rule from above should appear here under the *nat table.
cat /etc/iptables/rules.v4
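cd /usr/local/src/
# NOTE(review): the tarball is fetched over unauthenticated FTP and then built and
# installed as root with no checksum or signature check; verify it against the
# project's published signature before `make install`.
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-1.2.4.tar.xz
# The original page had "cd ocserv-1.2.4./configure" on one line, which is not a valid
# command: the directory change and the configure run are two separate steps.
tar xvf ocserv-1.2.4.tar.xz && cd ocserv-1.2.4
./configure
make
make install
mkdir /etc/ocserv
# Start from the shipped sample; the edited version is listed further down.
cp doc/sample.config /etc/ocserv/ocserv.conf
# NOTE(review): this account is never referenced afterwards — the config below runs
# the workers as nobody/daemon — so it is either unused or was meant for run-as-user;
# confirm.
useradd ocserv
# Opens the unit file; its contents follow.
nano /etc/systemd/system/ocserv.service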
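# /etc/systemd/system/ocserv.service — runs the OpenConnect VPN server in the foreground.
[Unit]
Description=OpenConnect SSL VPN server
Documentation=man:ocserv(8)
# After= only orders; network-online.target is not pulled in unless a unit Wants= it,
# so without this line the ordering had no effect.
Wants=network-online.target
After=network-online.target
[Service]
PrivateTmp=true
PIDFile=/run/ocserv.pid
Type=simple
# NOTE(review): this runs the binary straight out of the source tree rather than the
# copy that `make install` placed on the system, so the service breaks if the build
# directory is cleaned or upgraded in place. Prefer the installed path — confirm where
# make install put it.
ExecStart=/usr/local/src/ocserv-1.2.4/src/ocserv --foreground --pid-file /run/ocserv.pid --config /etc/ocserv/ocserv.conf
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target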
# State directories for ocserv (what the daemon keeps here is not shown on this page).
mkdir /var/lib/ocserv
# Doubled slash is harmless (same path as /var/lib/ocserv/run/), kept as written.
mkdir /var/lib/ocserv//run/
systemctl enable ocserv
systemctl daemon-reload
systemctl start ocserv
systemctl status ocserv
# NOTE(review): this places the ocpasswd *binary* at /etc/ocserv/ocpasswd, which is the
# path ocpasswd uses by default as its password database (per its man page — confirm);
# the later "ocpasswd username" will collide with it. Drop the symlink, or always pass
# ocpasswd an explicit passwd file.
ln -s /usr/local/bin/ocpasswd /etc/ocserv/ocpasswd
cd /etc/ocserv/
# /etc/ocserv/ocserv.conf (edited copy of doc/sample.config).
# NOTE(review): a relative passwd path resolves against the daemon's working directory,
# which under systemd is not /etc/ocserv; use an absolute path. The file holds the
# credential hashes, so keep it root-owned and unreadable to other users.
auth = "plain[passwd=./sample.passwd]"
# Not exposed directly: only the local HAProxy backend (127.0.0.1:444) reaches it.
listen-host = 127.0.0.1
tcp-port = 444
# Worker processes drop privileges to this user/group after start.
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
isolate-workers = true
max-clients = 16
max-same-clients = 2
# Must agree with "send-proxy-v2" on the HAProxy server line below; without the
# PROXY header ocserv would log and rate-limit on 127.0.0.1 instead of the real client.
listen-proxy-proto = true
rate-limit-ms = 100
server-stats-reset-time = 604800
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
# Disables SSL 3.0 / TLS 1.0 / TLS 1.1 and lets the server pick the cipher order.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
auth-timeout = 240
min-reauth-time = 300
# Ban thresholds only work on real client addresses — see listen-proxy-proto above.
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
# Same file the systemd unit passes via --pid-file (/run and /var/run coincide on Ubuntu).
pid-file = /var/run/ocserv.pid
log-level = 1
device = vpns
predictable-ips = true
default-domain = lugawork.sytes.net
# NOTE(review): the NAT rule earlier on this page masquerades 10.10.10.0/24, not this
# network; one of the two is a typo, and clients get no internet until they agree.
ipv4-network = 10.10.110.0/24
# All client DNS lookups go through the tunnel to the resolvers listed next.
tunnel-all-dns = true
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
# Full-tunnel: every client route is sent over the VPN.
route = default
cisco-client-compat = true
dtls-legacy = true
cisco-svc-client-compat = false
client-bypass-protocol = false
# Let's Encrypt material for this name; the certbot command above used a different
# name (mydomen.sytes.net) — they must match or ocserv fails to load the key pair.
server-cert = /etc/letsencrypt/live/lugawork.sytes.net/fullchain.pem
server-key = /etc/letsencrypt/live/lugawork.sytes.net/privkey.pem
# NOTE(review): this secret is published in this guide, so it offers no protection as
# written; generate a fresh random value per deployment and keep it out of docs.
camouflage_secret = "HYg08Hv&g000"
# NOTE(review): camouflage_secret/camouflage_realm only matter once camouflage itself
# is switched on in this file; nothing here enables it — confirm against sample.config.
camouflage_realm = "lugawork admin panel"
# HTTP headers
# Hardening headers for the HTTPS front page ocserv serves to browsers.
included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
included-http-headers = Content-Security-Policy: default-src 'none'
included-http-headers = X-Permitted-Cross-Domain-Policies: none
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Clear-Site-Data: "cache","cookies","storage"
included-http-headers = Cross-Origin-Embedder-Policy: require-corp
included-http-headers = Cross-Origin-Opener-Policy: same-origin
included-http-headers = Cross-Origin-Resource-Policy: same-origin
included-http-headers = X-XSS-Protection: 0
included-http-headers = Pragma: no-cache
included-http-headers = Cache-control: no-store, no-cache
# HAProxy in front of ocserv: TLS is passed through untouched (tcp mode) and
# terminated by ocserv itself; HAProxy only looks at the SNI.
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
# level admin on this socket allows live reconfiguration; mode 660 keeps it off other
# local users.
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
# ca-base /etc/ssl/certs
# crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
# ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE>
# ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
# Both the frontend and backend below override this with "mode tcp", so the HTTP
# errorfiles never apply to the VPN path.
mode http
# option httplog
option dontlognull
timeout connect 5000
# NOTE(review): in tcp mode these 50 s inactivity timers govern the whole VPN session
# once the ClientHello has been inspected; an idle client may be cut before ocserv's
# dpd (90 s) fires. Consider "timeout tunnel" for long-lived sessions — confirm.
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend https
# Public address of the VDS; no "ssl" on the bind, so TLS is passed through.
bind 193.239.160.112:443
mode tcp
# Hold the connection up to 5 s until the ClientHello arrives so SNI can be read.
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
# NOTE(review): with default_backend also set to ocserv, this SNI rule changes nothing:
# connections for any other name, or with no SNI at all, reach ocserv too. Keep it only
# if the second backend below is brought back, or add a rule rejecting non-matching SNI.
use_backend ocserv if { req_ssl_sni -i lugawork.sytes.net }
# use_backend nginx if { req_ssl_sni -i www.onedayadmin.sytes.net }
default_backend ocserv
backend ocserv
mode tcp
# NOTE(review): ssl-hello-chk only affects health checks, and the server line below has
# no "check", so this option is inert as written — confirm, or add "check".
option ssl-hello-chk
# send-proxy-v2 pairs with "listen-proxy-proto = true" in ocserv.conf so ocserv sees
# the real client address.
server ocserv 127.0.0.1:444 send-proxy-v2
# Creates/updates a VPN user. NOTE(review): without -c, ocpasswd writes to its default
# database (/etc/ocserv/ocpasswd per its man page — confirm), which the earlier ln -s
# turned into a link to the ocpasswd binary, while ocserv.conf reads ./sample.passwd;
# the new user will not be usable. Pass -c with the same absolute path the auth= line uses.
ocpasswd username
# Tail the service log when something does not work.
journalctl -eu ocserv.service