VPN Server With OpenVPN

Depending on your circumstances you may want to run the VPN from your home, or you may want to rent a VPS to run it from. If you’re just trying to get into your home network, an SSH tunnel might be easier; I will write something about SSH tunneling later. For the purposes of this guide, there’s no difference between using a spare machine at your house and a VPS or dedicated server, other than port forwarding on the router. The configuration will be based on a machine running CentOS 5, with nano as the editor. It really doesn’t matter what Linux distribution or editor you use. I also use wget for downloading; you can use Links, lynx, or any other method you want to get the files.

OpenVPN is being used for a number of reasons:

  1. It’s extensively used, both privately and publicly.
  2. It’s well supported.
  3. It uses OpenSSL instead of more complicated PKI certificate systems. (Don’t confuse this with a Microsoft SSTP VPN; they aren’t the same thing.)
  4. This type of VPN can be tunneled through a proxy or NAT device easily.
  5. It is a very capable VPN application, allowing for a large number of configuration scenarios, including site to site, client to server, client to site, and reverse connections.

Now, there is one huge drawback: it uses its own set of protocols and cannot be mixed with other VPN clients or servers. An OpenVPN client cannot connect to an IPSec, PPTP, or SSTP VPN, and only OpenVPN clients can connect to OpenVPN servers. That being said, there are several third-party clients available for OpenVPN on all platforms. I will list the various options at the end of the article.

Please read the entire guide before beginning the installation.

1. Downloading and installing OpenVPN

#rpm -i openvpn-as-1.8.3-CentOS5.i386.rpm

I’m just downloading and installing one of the RPMs, but you can easily build from source if that’s your style. The package should also be in most distribution repositories. The basic installation is very simple: download the package and install it. The installer will tell you that you need to set the password with “passwd openvpn”, and that web UIs are available at https://serveraddress:943/ and https://serveraddress:943/admin for the user and admin logins respectively.

2. Configuration of the VPN Server.

If you haven’t already set the password, please do so now.

#passwd openvpn

Changing password for user openvpn

New UNIX password:

BAD PASSWORD: it is based on a dictionary word

Retype UNIX password:

passwd: all authentication tokens updated successfully

I used “password” for my password, I’d advise that you actually use a strong password.

OpenVPN is now running on your server. Everything can be configured via the web interface available at https://server:943/admin. The user name is openvpn, and the password is whatever you have set. A basic VPN is already in place using default certificates, PAM authentication, and a relatively secure client configuration. I’m not going to cover some of the more advanced configurations here, such as site to site via an intermediary server, LDAP interoperability, or layer 2 tunneling.

If you’re having trouble reaching the VPN administration page, you’ll need to check your firewall settings. I’m not going to go through iptables commands one by one, but you need to make sure that the bare minimum is present: the script below is a starting point, and the interface name (em1) must be replaced with your own. The administration page provides a simple means to configure everything from client IP ranges to ciphers and authentication. The only thing you might *need* to change is the IP range.

#!/bin/bash

###### TURN ON PORT FORWARDING ########
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -v -F;
iptables -F -t mangle
iptables -F -t nat;
iptables -v -A INPUT -i lo -j ACCEPT;

# NAT for VPN clients: uncomment the line that matches your interface and VPN subnet
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 192.168.25.0/24 -o tun0 -j MASQUERADE

# Tunnel interface rules: needed once clients connect, otherwise their traffic
# hits the OUTPUT/FORWARD catch-all REJECT rules at the bottom of this script
# iptables -A INPUT -i tun0 -j ACCEPT
# iptables -A OUTPUT -o tun0 -j ACCEPT
# iptables -A FORWARD -i tun0 -j ACCEPT
# iptables -I FORWARD -i em1 -o tun0 -j ACCEPT
# iptables -I FORWARD -i tun0 -o em1 -j ACCEPT

########### BASIC RULE SET #############
iptables -v -P INPUT DROP # Default Policy DROP
# iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "ACCEPT"
iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; # ACCEPT ESTABLISHED
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i em1 -j ACCEPT
iptables -A INPUT -i em1 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT #ALLOW SSL
iptables -A INPUT -i em1 -p tcp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT #ALLOW OPENVPN
iptables -A INPUT -i em1 -p udp --dport 1194 -j ACCEPT # OpenVPN Access Server also listens on UDP 1194 by default
iptables -A INPUT -i em1 -p tcp --dport 943 -m state --state NEW,ESTABLISHED -j ACCEPT # ALLOW WEB UI / ADMIN UI (section 2)

########## CONNECTION LIMIT LOG/DROP ############
iptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j LOG --log-level 4 --log-prefix "LIMIT:"
iptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP

########### DROP SPOOFED PACKETS ###############
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j LOG --log-level 4 --log-prefix "SPOOF PACKETS:"
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

########### LOG/DROP NEW CONNECTIONS ##############
# iptables -A INPUT -p tcp -m state --state NEW -j LOG # LOG NEW TCP CONNECTIONS
# iptables -A INPUT -p tcp -m state --state NEW -j DROP # BLOCK NEW TCP CONNECTIONS

######### LOG/DROP FTP SSH AND SENDMAIL ############
iptables -v -A INPUT -p tcp -s 0/0 --dport 21 -j LOG # LOG FTP ATTEMPTS
iptables -v -A INPUT -p tcp -s 0/0 --dport 21 -j REJECT --reject-with tcp-reset # RESET FTP
iptables -v -A INPUT -p tcp -s 0/0 --dport 22 -j LOG # LOG SSH ATTEMPTS
iptables -v -A INPUT -p tcp -s 0/0 --dport 22 -j DROP # BLOCK SSH (the SSH ACCEPT further down is never reached while this is in place)
iptables -v -A INPUT -p tcp -s 0/0 --dport 25 -j LOG # LOG SENDMAIL
iptables -v -A INPUT -p tcp -s 0/0 --dport 25 -j DROP # BLOCK SENDMAIL

########### INPUT THAT IS NEEDED #################
iptables -v -A INPUT -m state -m tcp --proto tcp --dport 80 --state NEW -j ACCEPT; # HTTP
iptables -v -A INPUT -m state -m udp --proto udp --dport 53 --state NEW -j ACCEPT; # DNS
iptables -v -A INPUT -m state -m tcp --proto tcp --dport 53 --state NEW -j ACCEPT; # DNS

iptables -v -A INPUT -m state -m tcp --proto tcp --dport 22 --state NEW -j ACCEPT; # SSH

iptables -v -A INPUT -m state -m tcp --proto tcp --dport 443 --state NEW -j ACCEPT; # HTTPS

########### DENY FRAGMENT PACKETS ###############
iptables -A INPUT -i em1 -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FRAG DROP:"
iptables -A INPUT -i em1 -f -j DROP

########### DROPS BAD PACKETS ###############
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i em1 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i em1 -p tcp --tcp-flags ALL ALL -j DROP

iptables -A INPUT -i em1 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL DROP:"
iptables -A INPUT -i em1 -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

iptables -A INPUT -i em1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -A INPUT -i em1 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS DROP:"
iptables -A INPUT -i em1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

iptables -A INPUT -i em1 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FIN DROP:"
iptables -A INPUT -i em1 -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

iptables -A INPUT -i em1 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

########### LIMIT PING ATTEMPTS ###################
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

########### BLOCK CERTAIN ICMP ###################
# Echo requests beyond the 1/second limit above are dropped here; the drop has
# to come before the blanket ICMP accept or it is never reached
iptables -v -A INPUT -p icmp --icmp-type echo-request -j DROP # BLOCK EXCESS ICMP ECHO
iptables -v -A INPUT -p icmp -j ACCEPT # ACCEPT OTHER ICMP PACKETS

########## BLOCK INVALID ICMP #####################
iptables -v -A INPUT -i em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP
iptables -v -A FORWARD -i em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP
iptables -A OUTPUT -o em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP
iptables -A FORWARD -o em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP

# NOTE: the st_scan, port-scan and logdrop chains below are only consulted if an
# INPUT/FORWARD rule jumps to them (e.g. "iptables -A INPUT -p tcp -j port-scan");
# as written nothing does, so they have no effect until you wire them in
############ BLOCK STEALTH SCAN ###################
iptables -N st_scan # STEALTH SCAN CHAIN
iptables -A st_scan -p tcp --tcp-flags SYN,FIN,RST,ACK RST,ACK -j RETURN # BLOCK STEALTH SCAN
iptables -A st_scan -j LOG --log-level 4 --log-prefix "STEALTH SCAN:" # LOG STEALTH SCAN
iptables -A st_scan -j DROP # DROP STEALTH SCAN

########## PORTSCAN RULE SETUP ###################
iptables -N port-scan # BEGIN PORTSCAN RULES
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN #BLOCK PSCAN
iptables -A port-scan -j LOG --log-level 4 --log-prefix "PORT SCAN:" # LOG PORT SCAN
iptables -A port-scan -j DROP # DROP PORT SCAN

########## LOG ALL DROPPED PACKETS #################
iptables -N logdrop
iptables -A logdrop -j LOG --log-level 4 --log-prefix "DROPPED:" # LOG DROPPED PACKETS
iptables -A logdrop -j DROP

iptables -v -A INPUT -j REJECT; # REJECT EVERYTHING ELSE

######## OUTPUT FOR SERVICES NEEDED ########

iptables -v -P OUTPUT ACCEPT # Default Policy Accept
iptables -v -A OUTPUT -o lo -j ACCEPT;
iptables -v -A OUTPUT -o em1 -j ACCEPT; # NOTE: accepts everything leaving em1, so the per-port rules below only apply to other interfaces
iptables -v -A OUTPUT -m tcp --proto tcp --dport 80 -j ACCEPT; # HTTP
iptables -v -A OUTPUT -m tcp --proto tcp --dport 443 -j ACCEPT; # HTTPS
iptables -v -A OUTPUT -m tcp --proto tcp --dport 445 -j ACCEPT; # SMB
iptables -v -A OUTPUT -m tcp --proto tcp --dport 53 -j ACCEPT; # DNS
iptables -v -A OUTPUT -m udp --proto udp --dport 53 -j ACCEPT; # DNS
iptables -v -A OUTPUT -m tcp --proto tcp --dport 5222 -j ACCEPT; #Google Talk or Jabber
iptables -v -A OUTPUT -m tcp --proto tcp --dport 5050 -j ACCEPT; #Yahoo
iptables -v -A OUTPUT -m tcp --proto tcp --dport 6667 -j ACCEPT; #IRC
iptables -v -A OUTPUT -m tcp --proto tcp --dport 7777 -j ACCEPT; #Jabber file Transfers
iptables -A OUTPUT -o em1 -p tcp --dport 31337 --sport 31337 -j DROP # BLOCK BACKDOOR (unreachable while the em1 ACCEPT above is in place)
iptables -v -A OUTPUT -j REJECT; # rejects traffic on any other interface, including tun0 unless its rule near the top is enabled

######### DEFAULT DROPS #######

iptables -v -P FORWARD DROP # Default Policy DROP
iptables -A FORWARD -p tcp -i em1 -m state --state NEW -m recent --set
iptables -A FORWARD -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT # SYN FLOOD PROTECT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT # DEATH BY PING
iptables -A FORWARD -p tcp -i em1 --dport 31337 --sport 31337 -j DROP # BLOCK BACKDOOR
iptables -v -A FORWARD -j REJECT; # DEFAULT REJECT

######### IPTABLES SAVE ##################
# Dump the live rule set and reload it, then persist it with the CentOS init
# script so the rules survive a reboot

iptables-save > /tmp/iptables;

iptables-restore < /tmp/iptables;

/etc/init.d/iptables save
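A rule set like the one above is order-sensitive: a terminal rule (ACCEPT, DROP or REJECT) hides every later rule in the same chain that matches only a subset of its packets, and a chain created with -N does nothing until some rule jumps to it. The checker below is an added example, not part of the original article; it parses iptables command lines as text and reports unreachable rules and unreferenced chains. The embedded SAMPLE is a constructed excerpt in the shape of the script above, not the full script. It understands the options the script uses (-p/--proto, -i, -o, --dport, --sport, --state, and -s 0/0 as "no constraint") and treats any other match option as an extra condition that must also appear on the later rule, so it under-reports rather than over-reports.

```python
"""Static check for an iptables script (added example: it parses rule text,
never the live kernel). Reports rules that can never match because an earlier
terminal rule in the same chain already catches every packet they could see,
and chains created with -N that nothing jumps to."""
import shlex
from collections import defaultdict

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
SIMPLE = {"-p": "proto", "--proto": "proto", "-i": "in", "-o": "out",
          "--dport": "dport", "--sport": "sport"}       # compared value-for-value
TARGET_OPTS = {"--log-prefix", "--log-level", "--reject-with"}  # shape the action, not the match
ANY_SOURCE = {"0/0", "0.0.0.0/0"}


def parse_line(line):
    """-N -> {"new_chain": name}; -A/-I -> rule dict; anything else -> None."""
    toks = [t.rstrip(";") for t in shlex.split(line, comments=True) if t != ";"]
    if len(toks) < 2 or toks[0] != "iptables":
        return None
    rule = {"chain": None, "target": None, "cond": {}, "extra": set(),
            "stateful": False, "insert": False, "raw": line.strip()}
    negate, i = False, 1
    while i < len(toks):
        t = toks[i]
        if t == "-N":
            return {"new_chain": toks[i + 1]}
        if t in ("-v", "!"):                  # no argument; "!" negates the next option
            negate = negate or t == "!"
            i += 1
            continue
        if t in ("-A", "-I"):
            rule["chain"], rule["insert"] = toks[i + 1], t == "-I"
        elif t == "-j":
            rule["target"] = toks[i + 1]
        elif t == "-m":   # limit/recent keep per-rule state: never a reliable blocker
            rule["stateful"] |= toks[i + 1] in ("limit", "recent")
        elif t == "-t" or t in TARGET_OPTS:
            pass
        elif t in ("-s", "--source") and toks[i + 1] in ANY_SOURCE and not negate:
            pass                              # 0/0 matches every source: no constraint
        elif t in SIMPLE and not negate:
            rule["cond"][SIMPLE[t]] = toks[i + 1]
        elif t == "--state" and not negate:
            rule["cond"]["state"] = frozenset(toks[i + 1].split(","))
        else:   # --tcp-flags, -s, --icmp-type, -f, negated options, ...: keep verbatim
            args, i = [], i + 1
            while i < len(toks) and not toks[i].startswith("-") and toks[i] != "!":
                args.append(toks[i])
                i += 1
            rule["extra"].add(("!" if negate else "") + t + " " + " ".join(args))
            negate = False
            continue
        i += 2
    return rule if rule["chain"] else None


def shadows(earlier, later):
    """True if `earlier` terminates the packet and its constraints are a subset
    of `later`'s, so `later` can never be reached."""
    if earlier["target"] not in TERMINAL or earlier["stateful"]:
        return False
    for key, val in earlier["cond"].items():
        if key not in later["cond"]:
            return False
        ok = later["cond"][key] <= val if key == "state" else later["cond"][key] == val
        if not ok:
            return False
    return earlier["extra"] <= later["extra"]


def analyze(script_text):
    """Return (shadowed, unused_chains); shadowed is a list of (blocker, victim) lines."""
    chains, declared, referenced = defaultdict(list), set(), set()
    for line in script_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        if "new_chain" in parsed:
            declared.add(parsed["new_chain"])
            continue
        if parsed["target"]:
            referenced.add(parsed["target"])
        # -I without a position inserts at the head of the chain
        chains[parsed["chain"]].insert(0 if parsed["insert"] else len(chains[parsed["chain"]]), parsed)
    shadowed = []
    for rules in chains.values():
        for n, later in enumerate(rules):
            blocker = next((e for e in rules[:n] if shadows(e, later)), None)
            if blocker:
                shadowed.append((blocker["raw"], later["raw"]))
    return shadowed, sorted(declared - referenced)


# Constructed excerpt in the shape of the firewall script above (not the full script).
SAMPLE = """
iptables -N port-scan
iptables -A port-scan -j DROP
iptables -v -A INPUT -i lo -j ACCEPT;
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
iptables -v -A INPUT -p tcp -s 0/0 --dport 22 -j DROP # BLOCK SSH
iptables -v -A INPUT -m state -m tcp --proto tcp --dport 22 --state NEW -j ACCEPT; # SSH
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
iptables -v -A INPUT -p icmp -j ACCEPT # ACCEPT ICMP PACKETS
iptables -v -A INPUT -p icmp --icmp-type echo-request -j DROP # BLOCK ICMP ECHO
iptables -v -A OUTPUT -o em1 -j ACCEPT;
iptables -A OUTPUT -o em1 -p tcp --dport 31337 --sport 31337 -j DROP # BLOCK BACKDOOR
"""

if __name__ == "__main__":
    dead, unused = analyze(SAMPLE)
    for blocker, victim in dead:
        print("unreachable:", victim, "\n  blocked by:", blocker)
    print("chains never jumped to:", unused)
```

To check the real script, pass its text to analyze() (for example `analyze(open("firewall.sh").read())`, with the file name being an assumption). Rules under -m limit or -m recent are never treated as blockers because they match only part of the time. Some findings are deliberate ordering, such as a DROP for port 22 placed ahead of the SSH ACCEPT; the report tells you the ACCEPT never fires, which is exactly what you want to know before relying on it.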
