- funkenpumpe-suedstern-tcp.conf:
- ======================================================================================================================
- # Freifunk Berlin VPN, TCP, Encrypted, OpenVPN 2.1+
- #
- # Client side of the Freifunk Berlin exit tunnel for node funkenpumpe-suedstern.
- # Authenticates with a per-node certificate (cert/key below) against the
- # Freifunk CA and talks TCP/443 to vpn03 so it gets through restrictive uplinks.
- # Routes are deliberately NOT taken from the server (route-nopull): the up/down
- # script (funkenpumpe-suedstern-updown.sh) does source-based policy routing for
- # the mesh prefix instead, so the node's own default route stays on the uplink.
- #
- # Security notes (review):
- #  * no `user`/`group` directive, so openvpn -- and the up/down script it
- #    spawns -- keep root privileges for the whole session.
- #  * no `tls-auth`/`tls-crypt` key, so the TLS handshake itself is reachable by
- #    anyone who can hit the server port (server-side decision, nothing to do here).
- #  * the key file must be readable by root only (mode 0600).
- #
- # `client` would be shorthand for the tls-client + pull pair used explicitly below.
- #client
- tls-client
- proto tcp-client
- # Fixed tun name so the firewall (ffvpnzone / /etc/firewall.user) can match it.
- dev tunfreifunkvpn
- # Remotes are tried in the order listed; the backup only after the primary fails.
- remote vpn03.berlin.freifunk.net 443 # primary server
- remote vpn03-backup.berlin.freifunk.net 443 # backup server
- # remote vpn03.berlin.freifunk.net 80 tcp # alternative: port 80
- # remote vpn03.berlin.freifunk.net 443 tcp6 # alternative: IPv6 transport
- nobind
- # Keep key material in memory across SIGUSR1 restarts (no re-read of the key file).
- persist-key
- ca /etc/openvpn/funkenpumpe-suedstern/freifunk-ca.crt
- cert /etc/openvpn/funkenpumpe-suedstern/funkenpumpe-suedstern.crt
- key /etc/openvpn/funkenpumpe-suedstern/funkenpumpe-suedstern.key
- # Server-identity check: the peer's certificate must carry nsCertType=server, so
- # a *client* certificate issued by the same CA cannot impersonate the VPN server.
- # NOTE(review): ns-cert-type was deprecated in OpenVPN 2.4 and removed in 2.5;
- # the replacement `remote-cert-tls server` checks the EKU instead and only works
- # if the Freifunk server certificates carry serverAuth -- confirm before switching.
- ns-cert-type server
- # NOTE(review): compressing plaintext before encryption lets an attacker who can
- # inject chosen data into tunnelled traffic recover secrets (VORACLE, 2018).
- # Prefer no compression; with `pull` the server may push comp-lzo anyway, so
- # coordinate with the server side before changing this.
- comp-lzo yes # better link utilisation
- # Data-channel cipher. No `auth` directive, so the HMAC stays at OpenVPN's
- # default; a 2.4+ server may negotiate an AEAD cipher instead of this one.
- cipher AES-256-CBC # compatible with OpenVPN+PolarSSL
- pull
- # NOTE(review): on Linux openvpn does not apply this itself -- it is passed to
- # the up script as a foreign_option environment variable, and the up/down
- # script on this page does not look at it, so this is presumably a no-op.
- # If it ever takes effect it hands mesh DNS to a third party.
- dhcp-option DNS 8.8.8.8
- # Ignore the redirect-gateway so 'lan' works, and do policy-based routing "manually" in the script
- # Permits host names (resolved via the node's DNS) in pushed ifconfig/route
- # values; largely moot because route-nopull drops pushed routes below.
- allow-pull-fqdn
- # Accept pushed options except routes (and DNS-type dhcp options); `ifconfig`
- # is still applied, which is how $ifconfig_local reaches the up script.
- route-nopull
- # Required for the up/down hooks. Pushed values reach the script through
- # environment variables, so the script has to treat them as untrusted input.
- script-security 2
- up /etc/openvpn/funkenpumpe-suedstern-updown.sh
- down /etc/openvpn/funkenpumpe-suedstern-updown.sh
- # No `verb`, so default verbosity; the file is appended to and needs rotation.
- log-append /var/log/openvpn/openvpn.log
- ======================================================================================================================
- funkenpumpe-suedstern-updown.sh:
- ======================================================================================================================
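- #!/bin/sh
- # OpenVPN up/down hook for the funkenpumpe-suedstern tunnel. Wired in via the
- # `up`/`down` directives of the .conf (script-security 2), so it runs with
- # openvpn's privileges -- root, since the .conf sets no user/group.
- #
- # What it does: source-based policy routing. A dedicated routing table gets a
- # default route through the tunnel, and an ip rule sends packets *from* the
- # mesh prefix into that table. Everything else keeps using the main table,
- # whose default route the server cannot touch (the .conf uses route-nopull).
- #
- # Environment from openvpn: $script_type ("up"/"down"), $dev (the tun name),
- # $ifconfig_local (our tunnel address; with `pull` it may be server-supplied,
- # so it is only ever used quoted as an argument, never eval'd).
- #
- # Firewall rules for the tunnel (FORWARD accept / MASQUERADE) are deliberately
- # not managed here: OpenWrt flushes the tables on every firewall restart and
- # would drop them while the tunnel stays up, so they live in /etc/firewall.user.
- table=100
- mesh_net=6.0.82.0/24   # NOTE(review): keep in sync with /etc/firewall.user
- # Remove every rule matching the mesh selector. `ip rule del` fails once no
- # such rule is left; the counter bounds the loop should `ip` misbehave.
- drop_mesh_rule() {
-     n=0
-     while [ "$n" -lt 16 ] && ip rule del from "$mesh_net" table "$table" 2>/dev/null; do
-         n=$((n + 1))
-     done
- }
- case "$script_type" in
- up)
-     # `replace` is idempotent: re-running `up` (restart, manual invocation)
-     # cannot fail with "RTNETLINK answers: File exists" the way `add` would.
-     ip route replace default via "$ifconfig_local" dev "$dev" table "$table"
-     # Clear stale copies first so repeated `up` calls never stack identical
-     # rules that a single `down` would then leave behind.
-     drop_mesh_rule
-     ip rule add from "$mesh_net" table "$table"
-     ip route flush cache
-     ;;
- down)
-     drop_mesh_rule
-     # Routes on the removed tun device are normally gone already; flush the
-     # table anyway so nothing stale lingers if the device outlived this hook.
-     ip route flush table "$table" 2>/dev/null
-     ip route flush cache
-     ;;
- esac
- # A non-zero status from an `up` script makes openvpn abort the connection;
- # the cache flushes are best-effort, so report success explicitly.
- exit 0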
- ======================================================================================================================
- /etc/config/firewall:
- ======================================================================================================================
- # Chain-level policies for traffic on interfaces that belong to no zone, plus
- # global knobs (SYN-flood rate limiting, dropping conntrack-INVALID packets).
- # NOTE(review): INPUT defaults to ACCEPT. An interface that is not mapped into
- # a zone -- e.g. tunfreifunkvpn, if the 'freifunkvpn' network used by
- # ffvpnzone below does not resolve to it -- would then expose this router's
- # local services to the far end of the tunnel. 'REJECT' here, with the zones
- # opening what they need, is the safer default.
- config defaults
- option syn_flood '1'
- option input 'ACCEPT'
- option output 'ACCEPT'
- option forward 'REJECT'
- option drop_invalid '1'
- # Private LAN: fully trusted towards the router (INPUT accept). Where it may
- # forward to is declared by the 'config forwarding' sections at the end of the
- # file (lan -> freifunk, lan -> wan); there is none towards ffvpnzone.
- config zone
- option name 'lan'
- option output 'ACCEPT'
- option forward 'REJECT'
- option network 'lan'
- option input 'ACCEPT'
- # Uplink: masqueraded, nothing accepted inbound except the explicit 'config
- # rule' entries and the DNAT redirects below; 'mtu_fix' clamps TCP MSS.
- # NOTE(review): 'local_restrict' is not a zone option I can place in fw3's
- # documented set -- confirm the firewall version in use honours it rather than
- # silently ignoring it, since whatever it was meant to restrict is otherwise open.
- config zone
- option name 'wan'
- option network 'wan'
- option output 'ACCEPT'
- option masq '1'
- option mtu_fix '1'
- option local_restrict '1'
- option forward 'REJECT'
- option input 'REJECT'
- # Accepts TCP/1194 from the Internet to this router. NOTE(review): nothing on
- # this page runs an OpenVPN *server* -- the client config above dials out to
- # vpn03:443 -- so unless another instance listens on 1194 this rule is dead
- # and should be removed; an open-but-unused port is still a needless exposure.
- config rule
- option name 'openvpn-tcp'
- option src 'wan'
- option target 'ACCEPT'
- option proto 'tcp'
- option dest_port '1194'
- # Stock OpenWrt WAN input rules: DHCP renewals, ping, DHCPv6 from the link and
- # the ICMPv6 types IPv6 cannot live without.
- config rule
- option name 'Allow-DHCP-Renew'
- option src 'wan'
- option proto 'udp'
- option dest_port '68'
- option target 'ACCEPT'
- option family 'ipv4'
- config rule
- option name 'Allow-Ping'
- option src 'wan'
- option proto 'icmp'
- option icmp_type 'echo-request'
- option family 'ipv4'
- option target 'ACCEPT'
- # DHCPv6 only between link-local addresses (server port 547 -> client port 546).
- config rule
- option name 'Allow-DHCPv6'
- option src 'wan'
- option proto 'udp'
- option src_ip 'fe80::/10'
- option src_port '547'
- option dest_ip 'fe80::/10'
- option dest_port '546'
- option family 'ipv6'
- option target 'ACCEPT'
- # ICMPv6 is rate-limited to 1000/sec. The NDP types (router/neighbour
- # solicitation and advertisement) are accepted for the router itself only;
- # the forward rule below deliberately omits them.
- config rule
- option name 'Allow-ICMPv6-Input'
- option src 'wan'
- option proto 'icmp'
- list icmp_type 'echo-request'
- list icmp_type 'echo-reply'
- list icmp_type 'destination-unreachable'
- list icmp_type 'packet-too-big'
- list icmp_type 'time-exceeded'
- list icmp_type 'bad-header'
- list icmp_type 'unknown-header-type'
- list icmp_type 'router-solicitation'
- list icmp_type 'neighbour-solicitation'
- list icmp_type 'router-advertisement'
- list icmp_type 'neighbour-advertisement'
- option limit '1000/sec'
- option family 'ipv6'
- option target 'ACCEPT'
- config rule
- option name 'Allow-ICMPv6-Forward'
- option src 'wan'
- option dest '*'
- option proto 'icmp'
- list icmp_type 'echo-request'
- list icmp_type 'echo-reply'
- list icmp_type 'destination-unreachable'
- list icmp_type 'packet-too-big'
- list icmp_type 'time-exceeded'
- list icmp_type 'bad-header'
- list icmp_type 'unknown-header-type'
- option limit '1000/sec'
- option family 'ipv6'
- option target 'ACCEPT'
- # Hand-written iptables rules (listed at the end of this page); re-run on every
- # firewall (re)start, which is why the tunnel rules live there and not in the
- # OpenVPN up script.
- config include
- option path '/etc/firewall.user'
- # Port forwards from the Internet to the host 192.168.49.2 (assumed to sit in
- # the 'lan' zone; the address is not otherwise defined on this page).
- # NOTE(review): 22 (ssh) and 25 (smtp) on that host are reachable from any
- # source address -- make sure sshd is key-only and the MTA is not an open
- # relay, or restrict these with 'src_ip'; neither can be verified from here.
- config redirect
- option target 'DNAT'
- option src 'wan'
- option dest 'lan'
- option proto 'tcp'
- option src_dport '80'
- option dest_ip '192.168.49.2'
- option dest_port '80'
- option name 'http'
- config redirect
- option target 'DNAT'
- option src 'wan'
- option dest 'lan'
- option proto 'tcp'
- option src_dport '443'
- option dest_ip '192.168.49.2'
- option dest_port '443'
- option name 'https'
- config redirect
- option target 'DNAT'
- option src 'wan'
- option dest 'lan'
- option proto 'tcp'
- option src_dport '22'
- option dest_ip '192.168.49.2'
- option dest_port '22'
- option name 'ssh'
- # 'name' is a label only; 'xmmp' presumably means XMPP (client TLS port 5223).
- config redirect
- option target 'DNAT'
- option src 'wan'
- option dest 'lan'
- option proto 'tcp'
- option src_dport '5223'
- option dest_ip '192.168.49.2'
- option dest_port '5223'
- option name 'xmmp/ssl'
- config redirect
- option target 'DNAT'
- option src 'wan'
- option dest 'lan'
- option proto 'tcp'
- option src_dport '993'
- option dest_ip '192.168.49.2'
- option dest_port '993'
- option name 'imaps'
- config redirect
- option target 'DNAT'
- option src 'wan'
- option dest 'lan'
- option proto 'tcp'
- option src_dport '25'
- option dest_ip '192.168.49.2'
- option dest_port '25'
- option name 'smtp'
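- # NOTE(review): an unnamed `config include` for /etc/firewall.freifunk used to
- # sit here. It duplicated the named section 'freifunk' further down (same
- # path), and fw3 executes a script once per include section, so the freifunk
- # rules were being applied twice on every firewall restart. The unnamed copy
- # was dropped; the named one is kept because it can be addressed by uci.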
- # The open mesh: untrusted. INPUT is REJECT, so the router exposes only what
- # the 'ff*' rules below open; forwarding is REJECT except for the explicit
- # freifunk -> ffvpnzone forwarding at the end (mesh egress goes via the VPN).
- # NOTE(review): 'masq_src' only takes effect when 'masq' is set on the zone,
- # and there is no 'option masq' here -- either masquerading towards the mesh
- # is not wanted (then the two list entries are dead) or it is missing.
- # 'wireless0ahdhcp' is listed as a masq source but not as a zone network.
- config zone 'zone_freifunk'
- option name 'freifunk'
- option output 'ACCEPT'
- option input 'REJECT'
- list masq_src 'wireless0dhcp'
- list masq_src 'wireless0ahdhcp'
- option conntrack '1'
- option network 'wireless0 wireless0dhcp'
- option forward 'REJECT'
- # Freifunk-specific iptables script (not shown on this page); runs on every
- # firewall (re)start.
- config include 'freifunk'
- option path '/etc/firewall.freifunk'
- # Services this router offers to mesh nodes and users (the mesh is an open,
- # anonymous network): ping, http/https, ssh, OLSR (udp/698), wprobe, DNS,
- # DHCP and the splash page on 8082.
- # NOTE(review): 'ffssh' lets anyone on the mesh reach sshd; key-only
- # authentication is a must (cannot be verified from this page).
- config rule 'fficmp'
- option src 'freifunk'
- option target 'ACCEPT'
- option proto 'icmp'
- config rule 'ffhttp'
- option src 'freifunk'
- option target 'ACCEPT'
- option proto 'tcp'
- option dest_port '80'
- config rule 'ffhttps'
- option src 'freifunk'
- option target 'ACCEPT'
- option proto 'tcp'
- option dest_port '443'
- config rule 'ffssh'
- option src 'freifunk'
- option target 'ACCEPT'
- option proto 'tcp'
- option dest_port '22'
- config rule 'ffolsr'
- option src 'freifunk'
- option target 'ACCEPT'
- option proto 'udp'
- option dest_port '698'
- config rule 'ffwprobe'
- option src 'freifunk'
- option target 'ACCEPT'
- option proto 'tcp'
- option dest_port '17990'
- config rule 'ffdns'
- option dest_port '53'
- option src 'freifunk'
- option target 'ACCEPT'
- option proto 'udp'
- # 'leasetime' is not a firewall rule option; it presumably leaked in from a
- # dhcp config and is ignored here -- harmless, but misleading.
- config rule 'ffdhcp'
- option src_port '68'
- option src 'freifunk'
- option target 'ACCEPT'
- option dest_port '67'
- option proto 'udp'
- option leasetime '30m'
- config rule 'ffsplash'
- option dest_port '8082'
- option src 'freifunk'
- option target 'ACCEPT'
- option proto 'tcp'
- # Zone for the OpenVPN tunnel (dev tunfreifunkvpn in the .conf): masquerade
- # mesh traffic behind the tunnel address, accept nothing from the far end.
- # NOTE(review): this only applies if the 'freifunkvpn' network (defined in
- # /etc/config/network, not on this page) maps to tunfreifunkvpn. If it does
- # not, the tunnel falls back to the 'defaults' policies (INPUT accept) and the
- # rules in /etc/firewall.user are what actually governs it.
- config zone
- option output 'ACCEPT'
- option network 'freifunkvpn'
- option masq '1'
- option mtu_fix '1'
- option input 'REJECT'
- option forward 'REJECT'
- option name 'ffvpnzone'
- option conntrack '1'
- # Inter-zone forwarding. Mesh egress is allowed only into the VPN zone; the
- # private LAN may reach the mesh and the uplink. Deliberately absent:
- # freifunk -> lan, freifunk -> wan (mesh users cannot reach the LAN or the
- # plain uplink) and lan -> ffvpnzone (LAN traffic never enters the tunnel).
- config forwarding
- option dest 'ffvpnzone'
- option src 'freifunk'
- config forwarding
- option dest 'freifunk'
- option src 'lan'
- config forwarding
- option dest 'wan'
- option src 'lan'
- ======================================================================================================================
- /etc/firewall.user:
- ======================================================================================================================
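- # This file is interpreted as shell script.
- # Put your custom iptables rules here, they will
- # be executed with each firewall (re-)start.
- #
- # Rules for the Freifunk VPN tunnel (tunfreifunkvpn). They live here rather
- # than in the OpenVPN up/down script because fw3 flushes the tables on every
- # restart and would otherwise drop them while the tunnel stays up.
- # NOTE(review): the ffvpnzone in /etc/config/firewall (masq '1', forwarding
- # freifunk -> ffvpnzone) covers the same ground *if* the 'freifunkvpn'
- # network maps to tunfreifunkvpn; in that case these two rules are redundant.
- #
- # -I puts the rules at the head of FORWARD / nat POSTROUTING, ahead of every
- # fw3 zone chain, so they are limited to the mesh prefix that the up/down
- # script steers into the tunnel. Without the -s match, forwarding *anything*
- # out of the tunnel was accepted before fw3's zone policy could object.
- # Return traffic is handled by fw3's RELATED,ESTABLISHED accept, as before.
- MESH_NET=6.0.82.0/24   # keep in sync with funkenpumpe-suedstern-updown.sh
- VPN_IF=tunfreifunkvpn
- iptables -I FORWARD -s "$MESH_NET" -o "$VPN_IF" -j ACCEPT
- iptables -t nat -I POSTROUTING -s "$MESH_NET" -o "$VPN_IF" -j MASQUERADE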
- ======================================================================================================================