Untitled

a guest
Apr 19th, 2016
###server config:###

#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 123

# TCP or UDP server?
;proto tcp
proto tcp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
push "route 0.0.0.0 255.0.0.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

client-cert-not-required
username-as-common-name
tmp-dir "/etc/openvpn/tmp/"
plugin /etc/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/login
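The server config above combines several settings that each weaken the tunnel on their own: `client-cert-not-required` (spelled `verify-client-cert none` in OpenVPN 2.4 and later) makes the PAM password the only thing a client needs, `tls-auth` is left commented out, no `cipher` is set so a 2.3-era server falls back to BF-CBC, and `comp-lzo` is on. The following linter is an added example, not part of the paste or of OpenVPN itself: it reads a server config the way OpenVPN does (`#`/`;` comments, disabled directives), and reports those weak settings next to a hardened counterpart. The two embedded configs are constructed subsets of the pasted one, and the finding codes are this example's own.

```python
"""Lint an OpenVPN 2.x server config for settings that weaken the tunnel.

Added example; the configs below are constructed subsets of the pasted file,
the finding codes are our own, and the hardened version shows the fixes.
"""
import re

# The weak directives as they appear in the paste (constructed sample).
WEAK_CONFIG = """\
port 123
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
comp-lzo
user nobody
group nogroup
client-to-client
client-cert-not-required
username-as-common-name
plugin /etc/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/login
"""

# Same server with the weak settings corrected (constructed sample).
HARDENED_CONFIG = """\
port 123
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0
cipher AES-256-GCM
user nobody
group nogroup
username-as-common-name
plugin /etc/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/login
"""

# 64-bit block ciphers; OpenVPN 2.3 and earlier default to BF-CBC when
# no cipher directive is given.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}


def parse_directives(text):
    """Map each active directive name to the list of argument lists seen.

    A line starting with '#' or ';' is a comment, so ';tls-auth ta.key 0' is
    a disabled directive, not an active one; a trailing '# ...' is stripped.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def compression_enabled(directives):
    """True if payload compression is active ('comp-lzo no' and 'compress stub' only keep framing)."""
    if any(args[:1] != ["no"] for args in directives.get("comp-lzo", [])):
        return True
    return any(args and args[0] not in ("stub", "stub-v2")
               for args in directives.get("compress", []))


def lint(directives):
    """Return a list of (code, message) findings for one parsed server config."""
    findings = []
    no_client_cert = "client-cert-not-required" in directives or any(
        args[:1] == ["none"] for args in directives.get("verify-client-cert", []))
    if no_client_cert:
        findings.append(("NO_CLIENT_CERT",
                         "client certificates are not verified; the password plugin is the only gate"))
    if "tls-auth" not in directives and "tls-crypt" not in directives:
        findings.append(("NO_TLS_AUTH",
                         "no tls-auth/tls-crypt key: the control channel accepts unauthenticated packets"))
    ciphers = directives.get("cipher")
    if ciphers is None:
        findings.append(("WEAK_CIPHER", "cipher not set; 2.3-era servers default to BF-CBC (64-bit block)"))
    elif ciphers[0] and ciphers[0][0].upper() in WEAK_CIPHERS:
        findings.append(("WEAK_CIPHER", f"cipher {ciphers[0][0]} uses a 64-bit block size"))
    if compression_enabled(directives):
        findings.append(("COMPRESSION",
                         "compression is on; compressed tunnels leak plaintext through size side channels (VORACLE)"))
    if "duplicate-cn" in directives:
        findings.append(("DUPLICATE_CN", "clients may share one certificate; per-client revocation is impossible"))
    if "user" not in directives or "group" not in directives:
        findings.append(("RUNS_AS_ROOT", "no user/group directive: the daemon keeps root after initialization"))
    if any(args and re.search(r"1024", args[0]) for args in directives.get("dh", [])):
        findings.append(("WEAK_DH", "1024-bit Diffie-Hellman parameters"))
    if "client-to-client" in directives:
        findings.append(("CLIENT_TO_CLIENT",
                         "clients can reach each other directly; firewall the tun interface if that is unintended"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("pasted", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for code, msg in lint(parse_directives(cfg)) or [("OK", "no findings")]:
            print(f"{code:16} {msg}")
```

Run it against a real `server.conf` by passing the file contents to `parse_directives`; the hardened sample keeps the same port, protocol and PAM plugin as the paste, so the only difference the linter sees is the set of weak directives removed or replaced.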
  307.  
  308.  
###iptables -L -v:###

root@orehawa:~# iptables -L -v
Chain INPUT (policy DROP 87 packets, 10309 bytes)
pkts bytes target prot opt in out source destination
297 24980 f2b-sshd tcp -- any any anywhere anywhere multiport dports ssh
0 0 fail2ban-VESTA tcp -- any any anywhere anywhere tcp dpt:8083
0 0 fail2ban-MAIL tcp -- any any anywhere anywhere multiport dports smtp,urd,submission,2525,pop3,pop3s,imap2,imaps
297 24980 fail2ban-SSH tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ntp
297 24980 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
74 5135 ACCEPT tcp -- any any anywhere anywhere multiport dports http,https
0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports ftp,12000:12100
53 3909 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports smtp,urd,submission,2525
0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports pop3,pop3s
0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports imap2,imaps
0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports mysql,postgresql
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8083
58 2084 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- any any vps171130.ovh.net anywhere
50 8383 ACCEPT all -- any any localhost anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:ftp-data
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:ftp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:smtp
129 77215 ACCEPT udp -- any any anywhere anywhere udp spt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:pop3
32 2432 ACCEPT udp -- any any anywhere anywhere udp spt:ntp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:imap2
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:mysql
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:postgresql
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:http-alt
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:8433
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:8083
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:12000:12100
0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ any anywhere anywhere
0 0 ACCEPT all -- tun+ eth0 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 tun+ anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 523 packets, 52926 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any tun+ anywhere anywhere

Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
297 24980 RETURN all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere

Chain fail2ban-MAIL (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere

Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
297 24980 RETURN all -- any any anywhere anywhere

Chain fail2ban-VESTA (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere

Chain vesta (0 references)
pkts bytes target prot opt in out source destination

  379.  
###iptables -L -v -t nat:###

root@orehawa:~# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 205 packets, 16933 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 148 packets, 10642 bytes)
pkts bytes target prot opt in out source destination
148 10642 all -- any any anywhere anywhere
0 0 MASQUERADE all -- any eth0 anywhere anywhere
0 0 MASQUERADE all -- any eth0 10.8.0.0/24 anywhere
0 0 SNAT all -- any any 10.8.0.0/24 anywhere to:5.196.229.23

Chain OUTPUT (policy ACCEPT 148 packets, 10642 bytes)
pkts bytes target prot opt in out source destination
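For a `push "redirect-gateway"` server the two listings above have to fit together: FORWARD must accept traffic from `tun+` towards `eth0` and the replies back, and POSTROUTING must source-NAT the 10.8.0.0/24 pool on the way out. Reading that by eye across a long `-L -v` dump is error-prone, so the following added example (not part of the paste) parses the FORWARD and POSTROUTING chains from the output above and reports whether the forwarding and NAT path exists and how many packets it has actually carried. The embedded sample is a constructed copy of the relevant chains from the paste; note that it contains a rule with no target (a pure counter), which the parser has to handle, and that all three NAT rules show zero packets, which the check surfaces rather than hides. The interface names `tun0`/`eth0` and the subnet are parameters, not something read from the system.

```python
"""Check `iptables -L -v` and `iptables -L -v -t nat` output for an OpenVPN forwarding path.

Added example; the sample output below is a constructed copy of the FORWARD
and POSTROUTING chains from the paste, and the interface names are assumptions.
"""
import re

PROTOS = {"all", "tcp", "udp", "icmp", "udplite", "esp", "ah", "sctp"}

FILTER_OUTPUT = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ any anywhere anywhere
0 0 ACCEPT all -- tun+ eth0 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 tun+ anywhere anywhere state RELATED,ESTABLISHED
"""

NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 205 packets, 16933 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 148 packets, 10642 bytes)
pkts bytes target prot opt in out source destination
148 10642 all -- any any anywhere anywhere
0 0 MASQUERADE all -- any eth0 anywhere anywhere
0 0 MASQUERADE all -- any eth0 10.8.0.0/24 anywhere
0 0 SNAT all -- any any 10.8.0.0/24 anywhere to:5.196.229.23
"""


def _count(text):
    """iptables -v abbreviates large counters as multiples of 1000 (12K, 3M, ...)."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)


def parse_chains(text):
    """Return {chain: {"policy": str, "rules": [dict, ...]}} from -L -v output."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("pkts bytes"):
            continue
        header = re.match(r"Chain (\S+) \((.*)\)", line)
        if header:
            current = header.group(1)
            chains[current] = {"policy": header.group(2), "rules": []}
            continue
        fields = line.split()
        # A rule without a target (a pure counter) has the protocol in column 3.
        if fields[2] in PROTOS:
            fields.insert(2, "")
        pkts, _bytes, target, proto, _opt, in_if, out_if, src, dst = fields[:9]
        chains[current]["rules"].append({
            "pkts": _count(pkts), "target": target, "proto": proto,
            "in": in_if, "out": out_if, "src": src, "dst": dst,
            "extra": " ".join(fields[9:]),
        })
    return chains


def _iface_matches(rule_iface, actual):
    """'any', an exact name, or a 'tun+' wildcard matching the real interface."""
    if rule_iface in ("any", "*") or rule_iface == actual:
        return True
    return rule_iface.endswith("+") and actual.startswith(rule_iface[:-1])


def forward_rules(chains, in_if, out_if):
    rules = chains.get("FORWARD", {}).get("rules", [])
    return [r for r in rules if r["target"] == "ACCEPT"
            and _iface_matches(r["in"], in_if) and _iface_matches(r["out"], out_if)]


def nat_rules(chains, subnet, out_if):
    rules = chains.get("POSTROUTING", {}).get("rules", [])
    return [r for r in rules if r["target"] in ("MASQUERADE", "SNAT")
            and r["src"] in ("anywhere", subnet) and _iface_matches(r["out"], out_if)]


def check_vpn_path(filter_text, nat_text, subnet="10.8.0.0/24", vpn_if="tun0", wan_if="eth0"):
    """Summarise whether VPN clients can be forwarded and NATed out of wan_if."""
    chains = parse_chains(filter_text)
    chains.update(parse_chains(nat_text))
    nat = nat_rules(chains, subnet, wan_if)
    return {
        "forward_policy": chains.get("FORWARD", {}).get("policy", "").split()[:2][-1],
        "forward_out": bool(forward_rules(chains, vpn_if, wan_if)),
        "forward_back": bool(forward_rules(chains, wan_if, vpn_if)),
        "nat": bool(nat),
        "nat_packets": sum(r["pkts"] for r in nat),   # 0 means no client traffic has been NATed yet
    }


if __name__ == "__main__":
    for key, value in check_vpn_path(FILTER_OUTPUT, NAT_OUTPUT).items():
        print(f"{key:15} {value}")
```

On the pasted output every check passes structurally, but `nat_packets` is 0: the rules are in place and no client traffic has traversed them, which points the troubleshooting at the tunnel or routing side rather than at the firewall. A FORWARD policy of ACCEPT also means the three explicit rules are not what is letting traffic through; anything the kernel forwards is accepted regardless.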