Difference between revisions of "Firewall VPN"


Revision as of 13:55, 8 August 2014


What is a VPN

As a quick reminder, a VPN is used for three things:

  • Mask your source IP address: the destination sees the VPN server's public address, not the client's
VPN change ip address (1)
VPN change ip address (2)


  • Secure (encrypted) communication between two clients, relayed through the VPN server
VPN client to client


  • Access a remote LAN that sits behind the VPN server
VPN to LAN


You can of course combine some or all of these uses.



VPN firewall

Adjust the following to your own port, VPN subnet and protocol. It is a fragment to be loaded from your main firewall script: it only appends rules, and assumes the default chain policies and the usual loopback / established-connection rules are set elsewhere in that script.

#!/bin/bash
IPTABLES=$(command -v iptables)

INT_ETH=eth0
# IPv4 address of the external interface (shown for information; the rules below match on the interface name)
IP_LAN_ETH=$(ip -4 -o addr show dev "$INT_ETH" | awk '{print $4}' | cut -d/ -f1)

INT_VPN=tun0
VPN_PORT="8080"
VPN_PROTOCOL="udp"
LAN_ADDRESS_VPN="172.16.60.0/24"

echo ""
echo "------------------------"
echo " VPN configuration"
echo "------------------------"
echo ""
echo "# External interface : $INT_ETH ($IP_LAN_ETH)"
echo "# VPN interface      : $INT_VPN"
echo "# VPN subnet         : $LAN_ADDRESS_VPN"
echo "# VPN port           : $VPN_PORT"
echo "# VPN protocol       : $VPN_PROTOCOL"
echo "-------------------------------------- "

# Routing between $INT_ETH and $INT_VPN only works with IP forwarding enabled in the kernel
sysctl -w net.ipv4.ip_forward=1

# Allow VPN clients out to the internet through $INT_ETH, NATed behind the server's address.
# Matching -i as well as -s prevents a packet arriving on $INT_ETH with a forged VPN source from being forwarded.
$IPTABLES -t nat -A POSTROUTING -s $LAN_ADDRESS_VPN -o $INT_ETH -j MASQUERADE
$IPTABLES -A FORWARD -i $INT_VPN -s $LAN_ADDRESS_VPN -j ACCEPT

echo " ... Allow VPN connections"
# Incoming VPN sessions on the external interface; the server's replies leave from the same port and protocol
$IPTABLES -A INPUT -i $INT_ETH -p $VPN_PROTOCOL --dport $VPN_PORT -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_ETH -p $VPN_PROTOCOL --sport $VPN_PORT -j ACCEPT

echo " ... Allow everything to go through VPN - all INPUT,OUTPUT,FORWARD"
# Anything on the tunnel interface, except packets conntrack cannot classify
$IPTABLES -A INPUT -i $INT_VPN -m conntrack ! --ctstate INVALID -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_VPN -m conntrack ! --ctstate INVALID -j ACCEPT
$IPTABLES -A FORWARD -o $INT_VPN -m conntrack ! --ctstate INVALID -j ACCEPT

echo " ... Allow VPN network communication (required for client <> client comm.)"
# Traffic between VPN clients and the server's own tunnel address. Client <-> client traffic
# is routed by the kernel back out $INT_VPN and is therefore matched by the FORWARD rules above.
$IPTABLES -A INPUT -s $LAN_ADDRESS_VPN -d $LAN_ADDRESS_VPN -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS_VPN -d $LAN_ADDRESS_VPN -j ACCEPT
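The fragment above needs a surrounding firewall script to be complete. As an added example that is not part of the original page, here is a complete server-side ruleset in the same spirit: default-deny policies, loopback and conntrack return rules, the ip_forward sysctl, an anti-spoofing -i match on forwarded traffic, and a parameter check before anything reaches iptables. The function names (vpn_check_params, vpn_firewall) and the IPTABLES / SYSCTL / VPN_FW_APPLY variables are this example's own assumptions; the defaults eth0, tun0, udp/8080 and 172.16.60.0/24 are the page's values.

```bash
#!/bin/sh
# Added example, not from the original page: a full server-side VPN ruleset.
# Function names and the IPTABLES/SYSCTL/VPN_FW_APPLY overrides are assumptions
# of this example, not conventions of any particular project.

# Set IPTABLES=echo (and SYSCTL=echo) to print the rules instead of applying
# them; this dry run needs no root and is how you review the ruleset first.
IPTABLES="${IPTABLES:-/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"

# Refuse bad tunables before they reach iptables: a typo here yields a rule
# that matches nothing (or everything) without any error from iptables itself.
vpn_check_params() {
    proto="$1"; port="$2"; subnet="$3"
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol (want tcp|udp): $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$subnet" in
        */*) ;;
        *) echo "subnet must be CIDR (a.b.c.d/n): $subnet" >&2; return 1 ;;
    esac
    return 0
}

# Arguments: external interface, tunnel interface, protocol, port, VPN subnet.
vpn_firewall() {
    int_eth="$1"; int_vpn="$2"; proto="$3"; port="$4"; subnet="$5"
    vpn_check_params "$proto" "$port" "$subnet" || return 1

    # Routing between the two interfaces needs forwarding enabled in the kernel.
    "$SYSCTL" -w net.ipv4.ip_forward=1

    # Start from clean, default-deny tables.
    "$IPTABLES" -F
    "$IPTABLES" -t nat -F
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT DROP

    # Loopback, replies to flows we already accepted, and nothing conntrack
    # cannot classify.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -A "$chain" -m conntrack --ctstate INVALID -j DROP
        "$IPTABLES" -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done

    # The VPN service itself, reachable only on the external interface.
    # Its replies are ESTABLISHED and already covered above.
    "$IPTABLES" -A INPUT -i "$int_eth" -p "$proto" --dport "$port" -j ACCEPT

    # Clients -> internet. Matching on -i as well as -s is what stops a packet
    # arriving on $int_eth with a forged VPN source address from being forwarded.
    "$IPTABLES" -A FORWARD -i "$int_vpn" -o "$int_eth" -s "$subnet" -j ACCEPT
    "$IPTABLES" -t nat -A POSTROUTING -s "$subnet" -o "$int_eth" -j MASQUERADE

    # Client <-> client: the kernel routes it back out the tunnel, so it is FORWARD.
    "$IPTABLES" -A FORWARD -i "$int_vpn" -o "$int_vpn" -s "$subnet" -d "$subnet" -j ACCEPT

    # Clients <-> the server's own tunnel address (DNS, admin, ...). Anything the
    # server itself initiates towards the internet needs its own OUTPUT rule.
    "$IPTABLES" -A INPUT -i "$int_vpn" -s "$subnet" -j ACCEPT
    "$IPTABLES" -A OUTPUT -o "$int_vpn" -d "$subnet" -j ACCEPT
}

# Apply for real only when explicitly asked, e.g.
#   VPN_FW_APPLY=1 sh vpn-firewall.sh        (as root)
#   IPTABLES=echo SYSCTL=echo VPN_FW_APPLY=1 sh vpn-firewall.sh   (dry run)
if [ "${VPN_FW_APPLY:-0}" = 1 ]; then
    vpn_firewall eth0 tun0 udp 8080 172.16.60.0/24
fi
```

Review the dry-run output before applying: with OUTPUT set to DROP the server can only answer flows that were accepted inbound, so anything it must initiate itself (package updates, its own DNS lookups) needs an explicit OUTPUT rule added to vpn_firewall.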