Update Bypassing Ports article

2024-01-07 15:11:55 -07:00
parent 67eecb9f16
commit 2a2ecdf72e
3 changed files with 409 additions and 35 deletions


@@ -1,5 +1,5 @@
Title: Bypassing ISP Blocked Ports
Date: 2021-04-10
Date: 2023-12-10
Category: Writing
Summary: Bypass ISP blocked ports using VPN port forwarding for public access.
Wide: true
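Review bot: Overwriting `Date:` with 2023-12-10 erases the article's original 2021-04-10 publication date from the page metadata. If the site generator supports a separate modified-date field, keep `Date: 2021-04-10` and add the new date there, so readers can still see when the original setup was written and when it was revised for Debian 12.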
@@ -13,7 +13,7 @@ This article explains how I set it up and is targeted towards Linux sysadmins.
## Overview
I have a cheap $5 per month virtual server with [Digital Ocean](https://digitalocean.com) that runs Debian GNU/Linux 10. An OpenVPN server is running on this virtual server.
I have a cheap $6 per month virtual server with [Digital Ocean](https://digitalocean.com) that runs Debian GNU/Linux 12. An OpenVPN server is running on this virtual server.
My media server at home has an OpenVPN client connected to the server and is assigned a static IP on the VPN network.
@@ -21,42 +21,43 @@ The virtual server has routing enabled and forwards inbound traffic __from the i
## Server Setup
Spin up a Debian 10 virtual server on your favourite hosting provider and set your user up as you would normally. You should probably harden this server. Assign a subdomain to it like `vpn.example.com`.
Spin up a Debian 12 server on your favourite hosting provider. If you're using an older version of Debian, you can follow the [[Bypassing Ports Old |old version of this article]]. You should harden this server. Assign a subdomain to it like `vpn.example.com`.
Install the following requirements:
```
$ sudo apt update
$ sudo apt install openvpn easy-rsa ufw
$ sudo ufw allow ssh
$ sudo ufw allow 1194 # openvpn's port
```
### OpenVPN Server
These steps roughly follow [this guide](https://wiki.debian.org/OpenVPN#TLS-enabled_VPN).
These steps roughly follow [this guide](https://wiki.debian.org/OpenVPN#TLS-enabled_VPN_connection).
Generate TLS certificates and keys:
```
$ cd /etc/openvpn
$ sudo openvpn --genkey --secret static.key
$ sudo openvpn --genkey secret static.key
$ sudo make-cadir easy-rsa/
$ sudo chown -R tanner:tanner easy-rsa/
$ sudo chown -R tanner:tanner /etc/openvpn
```
Replace `tanner` with your Linux username, this is temporary.
<span class="aside">(The `.rnd` file prevents a warning)</span>
<span class="aside">(The certs will expire in 100 years)</span>
```
$ cd easy-rsa/
$ export EASYRSA_CERT_EXPIRE=36500
$ export EASYRSA_CA_EXPIRE=36500
$ ./easyrsa init-pki
$ head /dev/urandom > pki/.rnd
$ ./easyrsa build-ca
```
Enter a password you won't forget in case you want to add another client later. The Common Name you choose is not important.
Enter passwords you won't forget in case you want to add another client later. The Common Name you choose is not important.
Generate DiffieHellman params:
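Review bot: `sudo chown -R tanner:tanner /etc/openvpn` widens the temporary ownership change from `easy-rsa/` to the whole directory, which now includes the freshly generated `static.key` (the tls-auth secret). Until the later "change back ownership" step, that key is owned by the unprivileged login user; if the wider chown is really needed, a `chmod 600 static.key` right after `--genkey` would keep the secret from being readable by anything else running as that user. Two smaller points: `--genkey secret static.key` is the correct OpenVPN 2.5+ form, and the `.rnd` workaround (`head /dev/urandom > pki/.rnd` plus its aside) targets an old OpenSSL 1.1.0 warning that no longer appears with the OpenSSL 3 shipped on Debian 12, so it could be dropped in the same revision.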
@@ -70,10 +71,12 @@ Generate a server cert:
$ ./easyrsa build-server-full server nopass
```
Generate a client cert:
Generate client certs:
```
$ ./easyrsa build-client-full mediaserver nopass
$ ./easyrsa build-client-full anotherserver nopass
... etc
```
We make a `mediaserver` client because we want to assign a static IP to it. You need to make a different one for each client you want with a static IP.
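Review bot: The `... etc` line sits inside the fenced command block, so it renders as if it were a command to type; a shell comment such as `# one build-client-full per client that needs a static IP` would read more clearly and matches the `# optional` style used further down. The new second client also relies on the name (`anotherserver`) matching the ccd file created later, which the surrounding prose only states for `mediaserver`.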
@@ -84,7 +87,7 @@ Also, if you want generic clients that all get dynamic IPs for use on your lapto
$ ./easyrsa build-client-full client nopass # optional
```
Leave off `nopass` if you want to password protect the config file keys when you set up a new client.
Leave off `nopass` if you want to password protect the config file keys when you set up a new client (PEM pass phrase).
Create the server config file `/etc/openvpn/server.conf`:
@@ -115,21 +118,15 @@ persist-key
persist-tun
```
Assign a static IP + chmod:
```
$ cd /etc/openvpn
$ sudo chown -R root:root easy-rsa/
$ sudo mkdir ccd
$ sudo touch ccd/mediaserver
```
Replace `mediaserver` with whatever client name you used above. Edit it like so:
Assign a static IP:
<span class="aside">(Your home server will be `10.8.0.100`)</span>
```
ifconfig-push 10.8.0.100 255.255.255.0
$ cd /etc/openvpn
$ mkdir ccd
$ echo "ifconfig-push 10.8.0.100 255.255.255.0" > mediaserver
$ echo "ifconfig-push 10.8.0.101 255.255.255.0" > anotherserver
```
Test your config by running:
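Review bot: The two `echo ... >` lines write to `/etc/openvpn/mediaserver` and `/etc/openvpn/anotherserver`, not into the `ccd/` directory just created, so OpenVPN will never find them (assuming `server.conf` uses `client-config-dir ccd`, as the removed `ccd/mediaserver` path implied). They should be `> ccd/mediaserver` and `> ccd/anotherserver`. The removed sentence "Replace `mediaserver` with whatever client name you used above" also carried the one rule that makes this work: the ccd filename must equal the client certificate's Common Name; worth restoring in the new text.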
@@ -149,6 +146,12 @@ If you run `ip addr` in another terminal, you should see an entry like this:
valid_lft forever preferred_lft forever
```
Change back ownership:
```
$ sudo chown -R root:root /etc/openvpn
```
### systemd
If it works fine, persist OpenVPN with systemd:
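Review bot: Restoring `root:root` on `/etc/openvpn` closes the temporary ownership change, but `chown` does not touch mode bits, so any file created while the directory was user-owned keeps whatever permissions the user's umask gave it. A quick `sudo ls -l /etc/openvpn/static.key /etc/openvpn/easy-rsa/pki/private/` before this step, followed by `chmod 600` on anything group- or world-readable, would be a good addition here.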
@@ -201,7 +204,7 @@ Add this to the top of `/etc/ufw/before.rules`:
-A POSTROUTING -d 10.8.0.100 -p tcp --dport 2222 -j SNAT --to-source 10.8.0.1
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
```
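Review bot: The `/8` to `/24` change is the right fix: `10.8.0.0/8` matched the entire 10.0.0.0/8 space, so any other RFC 1918 traffic routed through this host would have been masqueraded out of `eth0` as well, while `10.8.0.0/24` matches only the VPN subnet that the SNAT rule above (`--to-source 10.8.0.1`) and the `10.8.0.100` client address belong to. Since `server.conf` is not in this diff, confirm its `server` line declares the same `10.8.0.0 255.255.255.0` network so the firewall and the VPN agree.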