VPN: Difference between revisions

From base48
imported>Snajpa
(Created page with " == VPN == The VPN server is a 1U Atom D525 system, with EL6, running OpenVPN and it is shared with vpsFree.cz; it is located in Master Internet, Prague. Every member of bas...")
 
imported>Snajpa
Revision as of 21:16, 26 August 2015

VPN

The VPN server is a 1U Atom D525 system running EL6 and OpenVPN; it is shared with vpsFree.cz and is located at Master Internet, Prague.

Every member of base48 is eligible for a key to access the server. Get in contact with User:Snajpa, the maintainer of the network, to get yours.

There are three different OpenVPN setups on the machine:

- vpn.vpsfree.cz @ UDP 443 - bridged setup, provides IPv6 connectivity; target devices: laptops, workstations, etc.

- vpn.vpsfree.cz @ TCP 443 - bridged setup, provides IPv6 connectivity, pushes the default route via the VPN (useful on networks with restrictive firewalls); target devices: laptops, workstations, etc.

- vpn-mobile.vpsfree.cz @ TCP 443 - routed setup, doesn't provide IPv6 (yet); target devices: Android, iOS, Mikrotik, etc. (devices that don't support UDP or a bridged setup)

Note that connecting to any of these three VPN servers also pushes DNS resolvers to the client, so your device will resolve names through the internal DNS servers. This is so that we can have DNS records for internal IP addresses under our base48.cz domain (and mainly for vpsFree.cz purposes, as there's a ton of metal there that doesn't have a public address).


Configuration files

client.conf

client
dev tap
remote vpn.vpsfree.cz 443
;remote vpn-mobile.vpsfree.cz 443
proto udp
;proto tcp

; This is for desktops
ca /get/from/snajpa/ca.crt
cert /get/from/snajpa/client.crt
key /get/from/snajpa/client.key
dh /get/from/snajpa/dh.pem

; For mobile setups, you can embed these ^ files in <ca></ca>,<cert></cert>, ... markup tags.

keepalive 10 120
cipher AES-128-CBC
comp-lzo
mssfix

script-security 2

; verb needs a log level; 3 is the usual default
verb 3

; Omit this for mobile setup
up-restart
up "/path/to/use-dns-from-server.sh up"
down "/path/to/use-dns-from-server.sh down"

use-dns-from-server.sh

#!/bin/bash
# OpenVPN --up/--down script: rewrite /etc/resolv.conf from the DNS and DOMAIN
# options pushed by the server. OpenVPN exports each pushed option to this
# script as a foreign_option_N environment variable, for example
# "dhcp-option DNS 10.8.0.1" or "dhcp-option DOMAIN base48.cz"
# (this is why client.conf needs "script-security 2").

RESOLV=/etc/resolv.conf
BACKUP=/etc/resolv.conf.bak

case "$1" in
    up)
        # Keep the pre-VPN resolver config so that "down" can restore it.
        mv "$RESOLV" "$BACKUP"

        SEARCH=""
        NAMESERVERS=""
        for opt in ${!foreign_option_*}; do
            read -r _ kind value <<< "${!opt}"
            case "$kind" in
                DNS)    NAMESERVERS+="nameserver $value"$'\n' ;;
                DOMAIN) SEARCH+=" $value" ;;
            esac
        done

        # Header first, then the search line, then the nameservers in the
        # order the server pushed them.
        {
            echo "# Generated by OpenVPN Client UP Script"
            [ -n "$SEARCH" ] && echo "search$SEARCH"
            printf '%s' "$NAMESERVERS"
        } > "$RESOLV"
        ;;
    down)
        # Restore the original resolver config, if a backup exists.
        [ -f "$BACKUP" ] && mv "$BACKUP" "$RESOLV"
        ;;
    *)
        echo "Pass either up or down" >&2
        exit 1
        ;;
esac

exit 0
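As an added example, not part of the base48 page or its scripts, here is a stricter take on the resolver rewrite above: it validates each pushed dhcp-option before it reaches resolv.conf and refuses the whole update if any value is malformed, since the script otherwise copies server-supplied strings straight into the resolver config. OpenVPN exports the pushed options as foreign_option_N environment variables; the function names are this example's own.

```bash
#!/bin/bash
# Added example, not part of the base48 page or its scripts: build a resolv.conf
# body from the foreign_option_N variables OpenVPN exports to --up scripts,
# accepting only well-formed "dhcp-option DNS <ipv4>" and
# "dhcp-option DOMAIN <name>" pushes, so a mistyped or hostile push cannot
# inject arbitrary resolver directives. Function names here are this example's own.

is_ipv4() {
    local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$' octet
    [[ $1 =~ $re ]] || return 1
    for octet in "${BASH_REMATCH[@]:1}"; do
        (( 10#$octet <= 255 )) || return 1   # 10# avoids octal parsing of "08"
    done
}

is_dns_name() {
    # Letters, digits and hyphens in labels of at most 63 chars, dot-separated.
    local re='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
    [[ $1 =~ $re ]]
}

# Prints the resolv.conf body; returns 1 if any pushed option was rejected so
# the caller can leave /etc/resolv.conf untouched instead of applying half of it.
render_resolv_conf() {
    local opt prefix kind value search="" servers="" rc=0
    for opt in ${!foreign_option_*}; do
        read -r prefix kind value <<< "${!opt}"
        case "$prefix $kind" in
            "dhcp-option DNS")
                if is_ipv4 "$value"; then servers+="nameserver $value"$'\n'; else rc=1; fi ;;
            "dhcp-option DOMAIN")
                if is_dns_name "$value"; then search+=" $value"; else rc=1; fi ;;
            *) rc=1 ;;
        esac
    done
    echo "# Generated by OpenVPN client up script"
    [[ -n $search ]] && echo "search$search"
    printf '%s' "$servers"
    return "$rc"
}

# Stand-alone use from an --up script: only replace resolv.conf if all pushes passed.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    if body=$(render_resolv_conf); then
        printf '%s' "$body"   # a real --up script would write this to /etc/resolv.conf
    else
        echo "rejected a pushed DNS option, leaving /etc/resolv.conf untouched" >&2
    fi
fi
```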