Difference between revisions of "Firewall VPN"

Line 73: Line 73:
 
#echo "      ... add VPN route between VPN LAN and current location"
 
#echo "      ... add VPN route between VPN LAN and current location"
 
#route add -net 192.168.12.0/24 gw 192.168.1.45
 
#route add -net 192.168.12.0/24 gw 192.168.1.45
 +
 +
</syntaxhighlight>
 +
 +
 +
 +
=Many VPN networks=
 +
 +
If you plan to use many VPN networks then you can use something like that:
 +
 +
 +
<syntaxhighlight lang="bash">
 +
IPTABLES=`which iptables`
 +
 +
INT_ETH=eth0
 +
IP_LAN_ETH=`/sbin/ifconfig $INT_ETH | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'`
 +
 +
INT_VPN=tun0
 +
VPN_PORT="8080"
 +
VPN_PROTOCOL="udp"
 +
IP_LAN_VPN_PRV="172.16.60.0/24"
 +
IP_LAN_VPN_PRO="192.168.12.0/24"
 +
 +
if [[ ! -z "$IP_LAN_VPN_PRV" || ! -z "$IP_LAN_VPN_VEHCO" ]]
 +
then
 +
 +
  echo " "
 +
  echo "------------------------"
 +
  echo " VPN configuration"
 +
  echo "------------------------"
 +
  echo "    # VPN interface  : $INT_VPN"
 +
  echo "    # VPN port      : $VPN_PORT"
 +
  echo "    # VPN protocol  : $VPN_PROTOCOL"
 +
  echo "    -------------------------------------- "
 +
 +
  echo "      ... Allow VPN connections through $INT_VPN"
 +
  $IPTABLES -A INPUT -p $VPN_PROTOCOL --dport $VPN_PORT -j ACCEPT
 +
  $IPTABLES -A OUTPUT -p $VPN_PROTOCOL --dport $VPN_PORT -j ACCEPT
 +
  # Hint: if you do not accept all RELATED,ESTABLISHED connections then you must allow the source port
 +
  $IPTABLES -A OUTPUT -p $VPN_PROTOCOL --sport $VPN_PORT -j ACCEPT
 +
 +
  echo "    ... Allow VPN packets type INPUT,OUTPUT,FORWARD"
 +
  $IPTABLES -A INPUT -i $INT_VPN -m state ! --state INVALID -j ACCEPT
 +
  $IPTABLES -A OUTPUT -o $INT_VPN -m state ! --state INVALID -j ACCEPT
 +
  $IPTABLES -A FORWARD -o $INT_VPN -m state ! --state INVALID -j ACCEPT
 +
 +
  # Allow forwarding
 +
  echo "      ... Allow packets to by forward from|to the VPN"
 +
  $IPTABLES -A FORWARD -i $INT_VPN -o $INT_ETH -j ACCEPT
 +
  $IPTABLES -A FORWARD -i $INT_ETH -o $INT_VPN -j ACCEPT
 +
 +
 +
  echo "    -------------------------------------- "
 +
  echo "      Open VPN LAN(s)"
 +
  echo "    -------------------------------------- "
 +
 +
  if [ ! -z "$IP_LAN_VPN_PRV" ]
 +
  then
 +
      echo "      # VPN network IP @  : $IP_LAN_VPN_PRV"
 +
 +
      # Allow packets to be send from|to the VPN network
 +
      $IPTABLES -A FORWARD -s $IP_LAN_VPN_PRV -j ACCEPT
 +
      $IPTABLES -t nat -A POSTROUTING -s $IP_LAN_VPN_PRV -o $INT_ETH -j MASQUERADE
 +
 +
      # Allow VPN client <-> client communication
 +
      $IPTABLES -A INPUT -s $IP_LAN_VPN_PRV -d $IP_LAN_VPN_PRV -m state ! --state INVALID -j ACCEPT
 +
      $IPTABLES -A OUTPUT -s $IP_LAN_VPN_PRV -d $IP_LAN_VPN_PRV -m state ! --state INVALID -j ACCEPT
 +
  fi
 +
 +
  if [ ! -z "$IP_LAN_VPN_PRO" ]
 +
  then
 +
      echo "      # VPN network IP @  : $IP_LAN_VPN_PRO"
 +
      # Allow packets to be send from|to the VPN network
 +
      $IPTABLES -A FORWARD -s $IP_LAN_VPN_PRO -j ACCEPT
 +
      $IPTABLES -t nat -A POSTROUTING -s $IP_LAN_VPN_PRO -o $INT_ETH -j MASQUERADE
 +
 +
      # Allow VPN client <-> client communication
 +
      $IPTABLES -A INPUT -s $IP_LAN_VPN_PRO -d $IP_LAN_VPN_PRO -m state ! --state INVALID -j ACCEPT
 +
      $IPTABLES -A OUTPUT -s $IP_LAN_VPN_PRO -d $IP_LAN_VPN_PRO -m state ! --state INVALID -j ACCEPT
 +
  fi
 +
 +
  ####### Add route(s) to remote network(s)
 +
  # You must add a new route for each network you'd like to access through the VPN server!
 +
  # The VPN server must be able to reach the remote network! (otherwise it cannot acts as a GW !)
 +
  # route add -net <network>/<mask> gw <VPN_SERVER_ETH_IP>
 +
  #
 +
  # !! This information should be pushed by the server !!
 +
  # If not you can either add it manually over here (= in Iptables) or in the OpenVPN client conf.
 +
  #######
 +
  #echo "      ... add VPN route between VPN LAN and current location"
 +
  #route add -net 192.168.12.0/24 gw 192.168.1.45
 +
 +
fi
  
 
</syntaxhighlight>
 
</syntaxhighlight>
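Review bot: The guard that opens the new block, `if [[ ! -z "$IP_LAN_VPN_PRV" || ! -z "$IP_LAN_VPN_VEHCO" ]]`, tests a variable that is never assigned anywhere in the listing; the second network is called `IP_LAN_VPN_PRO`, so a configuration that leaves `IP_LAN_VPN_PRV` empty and sets only `IP_LAN_VPN_PRO` skips every rule in the block. It should read `if [[ -n "$IP_LAN_VPN_PRV" || -n "$IP_LAN_VPN_PRO" ]]`. Separately, the per-network rules `$IPTABLES -A FORWARD -s $IP_LAN_VPN_PRV -j ACCEPT` (and the PRO twin) carry no `-i $INT_VPN`, so a packet arriving on eth0 with a forged VPN source address matches them as well; binding them to the tunnel interface closes that hole. The two per-network stanzas are otherwise identical and would be easier to keep in sync as one shell function taking the network as an argument.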

Revision as of 11:05, 7 February 2015


What is a VPN?

See What is a VPN?


VPN firewall

Adjust the following to your own port, network ID and protocol:

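# --- VPN firewall rules (single VPN network) -------------------------------
# Adjust the variables below to your own port, protocol, interfaces and
# network.  This snippet only APPENDS rules: it assumes the enclosing firewall
# script has already set the default policies and, ideally, the generic
# RELATED,ESTABLISHED rule.
IPTABLES=$(command -v iptables)
if [[ -z "$IPTABLES" ]]; then
  # Without this fallback an empty $IPTABLES would make the shell run "-A ..."
  # as a command name; at least fail on a recognisable "iptables: not found".
  echo "WARNING: iptables not found in PATH" >&2
  IPTABLES=iptables
fi

INT_ETH=eth0
# LAN address of $INT_ETH.  Not used by the rules below; kept for scripts that
# source this snippet.  Note: parsing 'inet addr:' only works with the old
# net-tools ifconfig output format.
IP_LAN_ETH=$(/sbin/ifconfig "$INT_ETH" | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')

INT_VPN=tun0
VPN_PORT="8080"
VPN_PROTOCOL="udp"
IP_LAN_VPN="172.16.60.0/24"

echo " "
echo "------------------------"
echo " VPN configuration"
echo "------------------------"
echo "    # VPN interface  : $INT_VPN"
echo "    # VPN port       : $VPN_PORT"
echo "    # VPN protocol   : $VPN_PROTOCOL"
echo "    -------------------------------------- "

echo "      ... Allow VPN connections through $INT_VPN"
# Tunnel endpoint (control/data channel on the physical side).  These rules
# are deliberately not bound to an interface so the tunnel can be brought up
# over any uplink; add "-i $INT_ETH" / "-o $INT_ETH" to restrict that.
"$IPTABLES" -A INPUT -p "$VPN_PROTOCOL" --dport "$VPN_PORT" -j ACCEPT
"$IPTABLES" -A OUTPUT -p "$VPN_PROTOCOL" --dport "$VPN_PORT" -j ACCEPT
# Hint: if you do not accept all RELATED,ESTABLISHED connections then you must allow the source port
"$IPTABLES" -A OUTPUT -p "$VPN_PROTOCOL" --sport "$VPN_PORT" -j ACCEPT

echo "     ... Allow VPN packets type INPUT,OUTPUT,FORWARD"
# Traffic already inside the tunnel is trusted, except what conntrack cannot
# classify at all (INVALID).
"$IPTABLES" -A INPUT -i "$INT_VPN" -m state ! --state INVALID -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$INT_VPN" -m state ! --state INVALID -j ACCEPT
"$IPTABLES" -A FORWARD -o "$INT_VPN" -m state ! --state INVALID -j ACCEPT

# Allow forwarding
echo "      ... Allow packets to by forward from|to the VPN"
"$IPTABLES" -A FORWARD -i "$INT_VPN" -o "$INT_ETH" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INT_ETH" -o "$INT_VPN" -j ACCEPT


echo "    -------------------------------------- "
echo "      Open VPN LAN(s)"
echo "    -------------------------------------- "
echo "      # VPN network IP @  : $IP_LAN_VPN"

# Allow packets to be send from|to the VPN network.
# "-i $INT_VPN" is the anti-spoofing check: without it a packet arriving on
# $INT_ETH with a forged source address inside $IP_LAN_VPN would match too.
"$IPTABLES" -A FORWARD -i "$INT_VPN" -s "$IP_LAN_VPN" -j ACCEPT
"$IPTABLES" -t nat -A POSTROUTING -s "$IP_LAN_VPN" -o "$INT_ETH" -j MASQUERADE

# Allow VPN client <-> client communication (same interface check as above)
"$IPTABLES" -A INPUT -i "$INT_VPN" -s "$IP_LAN_VPN" -d "$IP_LAN_VPN" -m state ! --state INVALID -j ACCEPT
"$IPTABLES" -A OUTPUT -s "$IP_LAN_VPN" -d "$IP_LAN_VPN" -m state ! --state INVALID -j ACCEPT


####### Add route(s) to remote network(s)
# You must add a new route for each network you'd like to access through the VPN server!
# The VPN server must be able to reach the remote network! (otherwise it cannot act as a GW!)
# route add -net <network>/<mask> gw <VPN_SERVER_ETH_IP>
#
# !! This information should be pushed by the server !!
# If not, add it manually here (this is a routing-table entry, not an iptables
# rule) or in the OpenVPN client configuration.
#######
#echo "      ... add VPN route between VPN LAN and current location"
#route add -net 192.168.12.0/24 gw 192.168.1.45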


Many VPN networks

If you plan to use several VPN networks, you can use something like this:


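# --- VPN firewall rules, several VPN networks ------------------------------
# Same structure as the single-network version, but every VPN subnet listed
# below gets its own forwarding / NAT / client-to-client rules through
# open_vpn_lan().  Leave a network variable empty to skip it.
IPTABLES=$(command -v iptables)
if [[ -z "$IPTABLES" ]]; then
  # Without this fallback an empty $IPTABLES would make the shell run "-A ..."
  # as a command name; at least fail on a recognisable "iptables: not found".
  echo "WARNING: iptables not found in PATH" >&2
  IPTABLES=iptables
fi

INT_ETH=eth0
# LAN address of $INT_ETH.  Not used by the rules below; kept for scripts that
# source this snippet.  Note: parsing 'inet addr:' only works with the old
# net-tools ifconfig output format.
IP_LAN_ETH=$(/sbin/ifconfig "$INT_ETH" | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')

INT_VPN=tun0
VPN_PORT="8080"
VPN_PROTOCOL="udp"
IP_LAN_VPN_PRV="172.16.60.0/24"    # first VPN network
IP_LAN_VPN_PRO="192.168.12.0/24"   # second VPN network

#######################################
# Append the rules that open one VPN subnet.
# Globals:   IPTABLES, INT_ETH, INT_VPN (read)
# Arguments: $1 - VPN network in CIDR form, e.g. 172.16.60.0/24
#            $2 - tunnel interface that network arrives on (default: $INT_VPN)
# Outputs:   one progress line on stdout
#######################################
open_vpn_lan() {
  local net=$1
  local iface=${2:-$INT_VPN}

  echo "      # VPN network IP @  : $net"

  # Allow packets to be send from|to the VPN network.
  # "-i $iface" is the anti-spoofing check: without it a packet arriving on
  # $INT_ETH with a forged source address inside $net would match too.
  "$IPTABLES" -A FORWARD -i "$iface" -s "$net" -j ACCEPT
  "$IPTABLES" -t nat -A POSTROUTING -s "$net" -o "$INT_ETH" -j MASQUERADE

  # Allow VPN client <-> client communication (same interface check as above)
  "$IPTABLES" -A INPUT -i "$iface" -s "$net" -d "$net" -m state ! --state INVALID -j ACCEPT
  "$IPTABLES" -A OUTPUT -s "$net" -d "$net" -m state ! --state INVALID -j ACCEPT
}

# The original guard tested the never-assigned IP_LAN_VPN_VEHCO, so a setup
# with only IP_LAN_VPN_PRO configured skipped the whole block.
if [[ -n "$IP_LAN_VPN_PRV" || -n "$IP_LAN_VPN_PRO" ]]; then

  echo " "
  echo "------------------------"
  echo " VPN configuration"
  echo "------------------------"
  echo "    # VPN interface  : $INT_VPN"
  echo "    # VPN port       : $VPN_PORT"
  echo "    # VPN protocol   : $VPN_PROTOCOL"
  echo "    -------------------------------------- "

  echo "      ... Allow VPN connections through $INT_VPN"
  # Tunnel endpoint (control/data channel on the physical side).  Not bound
  # to an interface so the tunnel can use any uplink; add "-i $INT_ETH" /
  # "-o $INT_ETH" to restrict that.
  "$IPTABLES" -A INPUT -p "$VPN_PROTOCOL" --dport "$VPN_PORT" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p "$VPN_PROTOCOL" --dport "$VPN_PORT" -j ACCEPT
  # Hint: if you do not accept all RELATED,ESTABLISHED connections then you must allow the source port
  "$IPTABLES" -A OUTPUT -p "$VPN_PROTOCOL" --sport "$VPN_PORT" -j ACCEPT

  echo "     ... Allow VPN packets type INPUT,OUTPUT,FORWARD"
  # Traffic already inside the tunnel is trusted, except what conntrack
  # cannot classify at all (INVALID).
  "$IPTABLES" -A INPUT -i "$INT_VPN" -m state ! --state INVALID -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$INT_VPN" -m state ! --state INVALID -j ACCEPT
  "$IPTABLES" -A FORWARD -o "$INT_VPN" -m state ! --state INVALID -j ACCEPT

  # Allow forwarding
  echo "      ... Allow packets to by forward from|to the VPN"
  "$IPTABLES" -A FORWARD -i "$INT_VPN" -o "$INT_ETH" -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$INT_ETH" -o "$INT_VPN" -j ACCEPT


  echo "    -------------------------------------- "
  echo "      Open VPN LAN(s)"
  echo "    -------------------------------------- "

  if [[ -n "$IP_LAN_VPN_PRV" ]]; then
    open_vpn_lan "$IP_LAN_VPN_PRV"
  fi

  if [[ -n "$IP_LAN_VPN_PRO" ]]; then
    open_vpn_lan "$IP_LAN_VPN_PRO"
  fi

  ####### Add route(s) to remote network(s)
  # You must add a new route for each network you'd like to access through the VPN server!
  # The VPN server must be able to reach the remote network! (otherwise it cannot act as a GW!)
  # route add -net <network>/<mask> gw <VPN_SERVER_ETH_IP>
  #
  # !! This information should be pushed by the server !!
  # If not, add it manually here (this is a routing-table entry, not an
  # iptables rule) or in the OpenVPN client configuration.
  #######
  #echo "      ... add VPN route between VPN LAN and current location"
  #route add -net 192.168.12.0/24 gw 192.168.1.45

fi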