- ####################################################################
- Firewall -> Aliases -> view [ add a new alias ]
- [ Type ] Network
- [ Name ] N_LOCALNETS
- [ Description ] All local Networks
- [ Aliases ]
- 192.168.x.x/XX (your local networks)
- [SAVE]
- [ add a new alias ]
- [ Type ] Network
- [ Name ] N_VPNUSER
- [ Description ] All Hosts/Networks that should use VPN
- [ Aliases ]
- 192.168.x.x/32 (your hosts or networks that should use VPN)
- [SAVE]
- [ add a new alias ]
- [ Type ] Hosts
- [ Name ] H_ALLOWED_DNS
- [ Description ] allowed DNS Server
- [ Aliases ]
- 10.4.0.1
- 10.5.0.1
- 10.30.0.1
- 10.50.0.1
- [SAVE]
- [ add a new alias ]
- [ Type ] Ports
- [ Name ] P_MS_CIFS_SMB
- [ Description ] block some MS ports
- [ Aliases ]
- 137
- 138
- 139
- 445
- [SAVE]
- ####################################################################
- Firewall -> NAT -> Outbound
- [X] Manual outbound NAT rule generation
- ## change the rest later
- ####################################################################
- System -> Trust -> Authorities [ Add or import CA ]
- [ Descriptive name ] AIRVPN CA
- [ Method ] import an existing
- [ Certificate data ]
- -----BEGIN CERTIFICATE-----
- <ca> section from .ovpn config
- -----END CERTIFICATE-----
- [SAVE]
- ####################################################################
- System -> Trust -> Certificates [ add or import certificate ]
- [ Method ] import an existing
- [ Descriptive name ] AIRVPN Client Auth
- [ Certificate data ]
- -----BEGIN CERTIFICATE-----
- <cert> section from .ovpn config
- -----END CERTIFICATE-----
- [ Private key data ]
- -----BEGIN RSA PRIVATE KEY-----
- <key> section from .ovpn config
- -----END RSA PRIVATE KEY-----
- [SAVE]
- ####################################################################
- VPN -> OpenVPN -> Clients:
- [ Server Mode ] Peer to Peer (SSL/TLS)
- [ Protocol ] UDP (or TCP)
- [ Device mode ] tun
- [ Interface ] WAN
- [ Server host ] nl.vpn.airdns.org (or whatever region you like)
- [ Server port ] 443 ( alternative 53/80/1194 )
- [ Server host name resolution ] [X]
- [ Description ] AIRVPN1
- [ TLS Authentication ] [X] enable authentication
- [ ] automatically generate
- #
- # 2048 bit OpenVPN static key
- #
- -----BEGIN OpenVPN Static key V1-----
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- -----END OpenVPN Static key V1-----
- [ Peer Certificate Authority ] AIRVPN CA
- [ Client Certificate ] AIRVPN Client Auth
- [ Encryption algorithm ] AES-256-CBC (256 bit key, 128 bit block)
- [ Auth Digest algorithm ] SHA1 (160bit)
- [ Hardware Crypto ] No Hardware (AESNI is automatic)
- [ Compression ] Disabled
- [ Disable IPv6 ] [X]
- [ Advanced ]
- mssfix 1379; ## try to hide OpenVPN
- fast-io; ## only for UDP
- explicit-exit-notify 4; ## only UDP
- server-poll-timeout 10;
- key-direction 1;
- key-method 2;
- keysize 256;
- prng SHA512 64;
- remote-cert-tls server;
- tls-version-min 1.2;
- tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
- reneg-sec 3600;
- route 0.0.0.0 192.0.0.0 net_gateway
- route 64.0.0.0 192.0.0.0 net_gateway
- route 128.0.0.0 192.0.0.0 net_gateway
- route 192.0.0.0 192.0.0.0 net_gateway
- [SAVE]
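The four "route ... 192.0.0.0 net_gateway" lines in the Advanced box are the part of this client setup that keeps the firewall in charge of routing: a mask of 192.0.0.0 is a /2, so the four lines cover the whole IPv4 space and are more specific than the two /1 routes an OpenVPN server installs when it pushes "redirect-gateway def1", so the tunnel never hijacks the box's default route and traffic only enters the tunnel through the policy-routing rules further down. The following longest-prefix-match simulation is an added illustration of that, not code from the paste or from AirVPN; the pushed /1 routes are an assumption about what the server sends.

```python
# Added example (not part of the original paste): simulate longest-prefix-match
# routing to show why the four "route x.x.x.x 192.0.0.0 net_gateway" lines keep
# the firewall's own default route intact when the VPN server pushes
# "redirect-gateway def1". Standard library only; no network access.
import ipaddress

# Routes the VPN server is assumed to push with redirect-gateway def1:
# the two /1 halves of the IPv4 space pointing into the tunnel (assumption).
PUSHED_DEF1 = [
    (ipaddress.ip_network("0.0.0.0/1"), "vpn_gateway"),
    (ipaddress.ip_network("128.0.0.0/1"), "vpn_gateway"),
]

# The four "route ... 192.0.0.0 net_gateway" lines from the client's Advanced box.
# Netmask 192.0.0.0 is a /2, so each line covers a quarter of the IPv4 space.
LOCAL_OVERRIDES = [
    (ipaddress.ip_network(f"{base}/2"), "net_gateway")
    for base in ("0.0.0.0", "64.0.0.0", "128.0.0.0", "192.0.0.0")
]


def lookup(table, dst):
    """Return the next hop for dst using longest-prefix match.

    table: list of (network, gateway) tuples; dst: dotted-quad string.
    Returns None when no route matches (a router would then drop the packet).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def covers_all_ipv4(routes):
    """True when the given routes, taken together, cover 0.0.0.0/0 exactly."""
    nets = [n for n, _ in routes]
    total = sum(n.num_addresses for n in nets)
    # Four /2 networks hold 2**30 addresses each, i.e. the full 2**32 space,
    # and collapse to the single network 0.0.0.0/0.
    return total == 2 ** 32 and len(list(ipaddress.collapse_addresses(nets))) == 1


def next_hop_with_overrides(dst):
    """Next hop when both the pushed /1 routes and the local /2 overrides exist."""
    return lookup(PUSHED_DEF1 + LOCAL_OVERRIDES, dst)


if __name__ == "__main__":
    for ip in ("8.8.8.8", "93.184.216.34", "172.217.0.1", "203.0.113.9"):
        print(f"{ip:>15}: pushed routes only -> {lookup(PUSHED_DEF1, ip)}, "
              f"with overrides -> {next_hop_with_overrides(ip)}")
    print("overrides cover all IPv4:", covers_all_ipv4(LOCAL_OVERRIDES))
```

Run it as-is: every public address resolves to "vpn_gateway" with only the pushed routes installed, and to "net_gateway" once the four /2 overrides are present, which is exactly why the LAN rules below have to name a gateway group explicitly for anything that should leave through the tunnel.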
- ####################################################################
- VPN -> OpenVPN -> Clients: [ AIRVPN1 -> clone ]
- [ Server host ] use a different server
- [ Server port ] use a different Port ( IMPORTANT for different IP Pool https://airvpn.org/specs/ )
- [ Description ] AIRVPN2
- [SAVE]
- ####################################################################
- Interfaces -> Assignments
- New interface: ovpnc1 [ + ] (the names may differ if you already run an OpenVPN server; in that case use the last two)
- New interface: ovpnc2 [ + ]
- [ OPTx ]
- [ Enable ] [x]
- [ Description ] AIRVPN1
- [ Block bogon networks ] [x]
- [SAVE]
- [ OPTx ]
- [ Enable ] [x]
- [ Description ] AIRVPN2
- [ Block bogon networks ] [x]
- [SAVE]
- ####################################################################
- System -> Gateways -> All
- [ AIRVPN1_VPNV6 ]
- [ Disabled ] [x]
- [ AIRVPN2_VPNV6 ]
- [ Disabled ] [x]
- [ AIRVPN1_VPNV4 ]
- [ Disable Gateway Monitoring ] [ ] uncheck
- [ AIRVPN2_VPNV4 ]
- [ Disable Gateway Monitoring ] [ ] uncheck
- ####################################################################
- System -> Gateways -> Group [ Add group ]
- [ Group Name ] GRP_AIRVPN
- [ Gateway Priority ]
- [ AIRVPN1_VPNV4 ] [ Tier 1 ]
- [ AIRVPN2_VPNV4 ] [ Tier 1 ]
- [ Trigger Level ] Packet Loss or High Latency
- [ Description ] GRP_AIRVPN Loadbalance
- [SAVE]
- [ Add group ]
- [ Group Name ] GRP_AIRVPN_1_2
- [ Gateway Priority ]
- [ AIRVPN1_VPNV4 ] [ Tier 1 ]
- [ AIRVPN2_VPNV4 ] [ Tier 2 ]
- [ Trigger Level ] Packet Loss or High Latency
- [ Description ] GRP_AIRVPN Failover 1 -> 2
- [SAVE]
- [ Add group ]
- [ Group Name ] GRP_AIRVPN_2_1
- [ Gateway Priority ]
- [ AIRVPN1_VPNV4 ] [ Tier 2 ]
- [ AIRVPN2_VPNV4 ] [ Tier 1 ]
- [ Trigger Level ] Packet Loss or High Latency
- [ Description ] GRP_AIRVPN Failover 2 -> 1
- [SAVE]
- ####################################################################
- Firewall -> Settings -> Advanced
- [ Skip rules ] [x] Skip rules when gateway is down (IMPORTANT)
- [ Sticky connections] [x] Use sticky connections (for loadbalance group)
- ####################################################################
- Firewall -> NAT -> Outbound
- [+]
- [ Interface ] AIRVPN1
- [ TCP/IP Version ] IPv4
- [ Protocol ] any
- [ Source address ] N_LOCALNETS
- [ Destination invert ] [X]
- [ Destination address ] N_LOCALNETS
- [ Translation/target ] Interface address
- [SAVE]
- [ AIRVPN1 ] [CLONE]
- [ Interface ] AIRVPN2
- [SAVE]
- ####################################################################
- Firewall -> Rules -> LAN (or whichever interface carries the traffic you want to force into the VPN;
- repeat for other internal interfaces, or put them in an interface group and apply the rules on the group)
- [+]
- [ Action ] block
- [ Interface ] LAN (or LANGROUP)
- [ TCP/IP Version ] IPv4
- [ Protocol ] TCP/UDP
- [ Source ] N_VPNUSER
- [ Destination invert ] [X]
- [ Destination ] N_LOCALNETS
- [ Destination portrange] P_MS_CIFS_SMB
- [ Description ] Block MS CIFS/SMB
- [ Gateway ] GRP_AIRVPN (load balance)
- [SAVE]
- [+]
- [ Action ] pass
- [ Interface ] LAN (or LANGROUP)
- [ TCP/IP Version ] IPv4
- [ Protocol ] TCP/UDP
- [ Source ] N_VPNUSER
- [ Destination ] H_ALLOWED_DNS
- [ Destination portrange] DNS DNS
- [ Description ] Allow traffic to allowed DNS Server
- [ Gateway ] GRP_AIRVPN (load balance)
- [SAVE]
- [+]
- [ Action ] pass
- [ Interface ] LAN (or LANGROUP)
- [ TCP/IP Version ] IPv4
- [ Protocol ] any
- [ Source ] N_VPNUSER
- [ Destination invert ] [X]
- [ Destination ] N_LOCALNETS
- [ Description ] force traffic over VPN
- [ Gateway ] GRP_AIRVPN (load balance)
- [SAVE]
- ####################################################################
- Firewall -> NAT -> Port Forward
- [ Interface ] LAN (or LANGROUP)
- [ TCP/IP Version ] IPv4
- [ Protocol ] TCP/UDP
- [ Source ] N_VPNUSER
- [ Destination invert ] [X]
- [ Destination ] H_ALLOWED_DNS
- [ Destination portrange] DNS DNS
- [ Redirect Target ] single Host or Network
- 10.5.0.1 (or any other from the allowed DNS)
- [ Redirect Target Port ] DNS
- [ Description ] redirect all DNS to allowed DNS
- [SAVE]
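The pieces above (tiered gateway groups, "Skip rules when gateway is down", the three ordered LAN rules and the DNS port forward) only make sense together, so here is an added evaluator that walks a packet through them and shows what a host in N_VPNUSER can do with the tunnels up, with one tunnel down, and with both down. It is illustration code, not part of the paste and not the firewall's own engine: the alias contents for N_LOCALNETS and N_VPNUSER are constructed sample values, and the first-match, tier-selection and skip-rule semantics are modelled as assumptions about how the firewall behaves. Only the three rules from the paste are modelled, so local-to-local traffic falls through to the implicit deny here even though a real LAN tab would have other rules for it.

```python
# Added example (not part of the original paste): evaluate the LAN rule set
# from the walkthrough against sample packets, including the DNS redirect and
# the "skip rules when gateway is down" kill-switch behaviour.
# Rule semantics are an assumption about the firewall; values marked
# "constructed" are sample data, not from the paste.
import ipaddress

ALIASES = {
    "N_LOCALNETS": ["192.168.0.0/16"],           # constructed sample range
    "N_VPNUSER": ["192.168.1.10/32"],            # constructed sample host
    "H_ALLOWED_DNS": ["10.4.0.1", "10.5.0.1", "10.30.0.1", "10.50.0.1"],
    "P_MS_CIFS_SMB": [137, 138, 139, 445],
}

# Gateway groups from the paste: lower tier number is preferred.
GATEWAY_GROUPS = {
    "GRP_AIRVPN": {"AIRVPN1_VPNV4": 1, "AIRVPN2_VPNV4": 1},
    "GRP_AIRVPN_1_2": {"AIRVPN1_VPNV4": 1, "AIRVPN2_VPNV4": 2},
    "GRP_AIRVPN_2_1": {"AIRVPN1_VPNV4": 2, "AIRVPN2_VPNV4": 1},
}

# The three LAN rules, in the order they appear in the paste.
# dport None means "any port"; a string names a port alias.
LAN_RULES = [
    {"action": "block", "proto": {"tcp", "udp"}, "src": "N_VPNUSER",
     "dst": "N_LOCALNETS", "dst_invert": True, "dport": "P_MS_CIFS_SMB",
     "gateway": "GRP_AIRVPN", "desc": "Block MS CIFS/SMB"},
    {"action": "pass", "proto": {"tcp", "udp"}, "src": "N_VPNUSER",
     "dst": "H_ALLOWED_DNS", "dst_invert": False, "dport": [53],
     "gateway": "GRP_AIRVPN", "desc": "Allow traffic to allowed DNS Server"},
    {"action": "pass", "proto": {"any"}, "src": "N_VPNUSER",
     "dst": "N_LOCALNETS", "dst_invert": True, "dport": None,
     "gateway": "GRP_AIRVPN", "desc": "force traffic over VPN"},
]

DNS_REDIRECT_TARGET = "10.5.0.1"   # redirect target chosen in the port forward


def in_alias(name, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry) for entry in ALIASES[name])


def live_gateways(group, up):
    """Members of the group that are up, restricted to the lowest live tier."""
    members = [(tier, gw) for gw, tier in GATEWAY_GROUPS[group].items() if gw in up]
    if not members:
        return []
    best = min(tier for tier, _ in members)
    return sorted(gw for tier, gw in members if tier == best)


def apply_dns_redirect(src, dst, proto, dport):
    """Port forward: DNS from VPN hosts to any non-allowed resolver is
    rewritten to the chosen allowed resolver; everything else is untouched."""
    if (in_alias("N_VPNUSER", src) and proto in ("tcp", "udp") and dport == 53
            and not in_alias("H_ALLOWED_DNS", dst)):
        return DNS_REDIRECT_TARGET
    return dst


def evaluate(src, dst, proto, dport, up, skip_when_gw_down=True):
    """Return (verdict, gateway, rule description) for a packet entering LAN.

    NAT runs before filtering, so the DNS redirect is applied first. A rule
    bound to a gateway group with no live member is skipped when
    skip_when_gw_down is True; if nothing else matches, the implicit
    default deny applies, which is the kill-switch effect the paste relies on.
    With the option off, the rule still matches and traffic takes the
    default route instead of the tunnel (assumed behaviour).
    """
    dst = apply_dns_redirect(src, dst, proto, dport)
    for rule in LAN_RULES:
        if not in_alias(rule["src"], src):
            continue
        if "any" not in rule["proto"] and proto not in rule["proto"]:
            continue
        if rule["dst_invert"] == in_alias(rule["dst"], dst):
            continue                      # destination (possibly inverted) does not match
        if rule["dport"] is not None:
            ports = ALIASES[rule["dport"]] if isinstance(rule["dport"], str) else rule["dport"]
            if dport not in ports:
                continue
        gws = live_gateways(rule["gateway"], up)
        if not gws and skip_when_gw_down:
            continue                      # "Skip rules when gateway is down"
        return rule["action"], (gws[0] if gws else "default route"), rule["desc"]
    return "block", None, "implicit default deny"


if __name__ == "__main__":
    both = {"AIRVPN1_VPNV4", "AIRVPN2_VPNV4"}
    print(evaluate("192.168.1.10", "203.0.113.5", "tcp", 443, both))
    print(evaluate("192.168.1.10", "203.0.113.5", "tcp", 445, both))
    print(evaluate("192.168.1.10", "8.8.8.8", "udp", 53, both))
    print(evaluate("192.168.1.10", "203.0.113.5", "tcp", 443, set()))
    print(evaluate("192.168.1.10", "203.0.113.5", "tcp", 443, set(), False))
```

The last two calls are the point of the "(IMPORTANT)" remark in the Advanced settings: with both gateways down and skip-rules enabled the packet hits the implicit deny, while with the option off the same packet matches "force traffic over VPN" and leaves via the default route, i.e. unencrypted over WAN.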