Hacks and Radiations of a Free Conscience

Writings of Seyed Mohammad Masoud Sadrnezhad


Basic Ubuntu 20.04 Setup

Basic system setup:

dpkg-reconfigure tzdata
apt update -y
apt upgrade -y
apt autoremove -y

Install client applications:

apt install unzip htop mc git telnet curl build-essential libssl-dev zlib1g-dev net-tools -y

Ocserv Installation

Install ocserv:

apt install ocserv gnutls-bin -y

Run the GnuTLS cipher benchmark to find which cipher performs best on this machine (used for tls-priorities below):

gnutls-cli --benchmark-tls-ciphers

Generate Diffie-Hellman parameters:

certtool --generate-dh-params --outfile /etc/ocserv/dh.pem

Edit ocserv configurations:

nano /etc/ocserv/ocserv.conf

Find the line:

tcp-port = 443
udp-port = 443

Replace it with the following:

tcp-port = 8080
udp-port = 8080

Find the line:

server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key

Replace it with the following:

server-cert = /etc/letsencrypt/live/oc.YOURDOMAIN.com/fullchain.pem
server-key = /etc/letsencrypt/live/oc.YOURDOMAIN.com/privkey.pem

Change the value of try-mtu-discovery from false to true:

try-mtu-discovery = true

Place a # in front of the following lines:

route = 10.0.0.0/8
route = 172.16.0.0/12
route = 192.168.0.0/16

Find the line:

default-domain = example.com

Replace it with the following:

default-domain = cisco.com

Uncomment the following line:

tunnel-all-dns = true

Add the following lines:

no-route = 10.0.0.0/255.0.0.0
no-route = 172.16.0.0/255.240.0.0
no-route = 192.168.0.0/255.255.0.0

Find:

ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0

Replace it with the following:

ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.0.0

Uncomment the following line:

#dtls-psk = false

Uncomment the following line:

# ipv6-network = fda9:4efe:7e3b:03ea::/48

Find the line:

rekey-method = ssl

Replace it with the following:

rekey-method = new-tunnel

Uncomment the following line:

dh-params = /etc/ocserv/dh.pem

Find this line:

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"

Change it to something like this:

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:+AES-128-GCM"

To see all of your configurations:

egrep -v '^(#|$)' /etc/ocserv/ocserv.conf
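The edits above are a fixed list of key/value changes, so they can be scripted and checked rather than applied by hand in nano. The following shell script is an added example, not part of the original page: it applies every change from this section with idempotent sed edits to whichever file it is given and reads the values back. The ocserv.conf excerpt it builds is constructed here and only contains the lines the walk-through touches; on a real server pass /etc/ocserv/ocserv.conf instead.

```sh
#!/bin/sh
# Added example, not from the original page: apply the ocserv.conf changes from this section
# with idempotent sed edits and read the result back. The sample config below is a constructed
# excerpt; on a server run: apply_ocserv_changes /etc/ocserv/ocserv.conf
set -eu

# Set "key = value": replace an existing line (active or commented out), else append it.
set_conf() {
    _key=$1; _value=$2; _conf=$3
    if grep -Eq "^#? ?$_key *=" "$_conf"; then
        sed -i -E "s|^#? ?$_key *=.*|$_key = $_value|" "$_conf"
    else
        printf '%s = %s\n' "$_key" "$_value" >> "$_conf"
    fi
}

# Comment out every active line for a key (the three route = ... lines in this section).
disable_conf() {
    sed -i -E "s|^($1 *=)|#\1|" "$2"
}

# Print the active value of a key; prints nothing if it is absent or commented out.
get_conf() {
    sed -n -E "s|^$1 *= *||p" "$2" | tail -n 1
}

# Every change listed in this section, applied to the file given as $1.
apply_ocserv_changes() {
    _f=$1
    set_conf tcp-port 8080 "$_f"
    set_conf udp-port 8080 "$_f"
    set_conf server-cert /etc/letsencrypt/live/oc.YOURDOMAIN.com/fullchain.pem "$_f"
    set_conf server-key /etc/letsencrypt/live/oc.YOURDOMAIN.com/privkey.pem "$_f"
    set_conf try-mtu-discovery true "$_f"
    disable_conf route "$_f"
    set_conf default-domain cisco.com "$_f"
    set_conf tunnel-all-dns true "$_f"
    for _net in 10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 192.168.0.0/255.255.0.0; do
        # append once only, so re-running the script does not duplicate the lines
        grep -qxF "no-route = $_net" "$_f" || printf 'no-route = %s\n' "$_net" >> "$_f"
    done
    set_conf ipv4-network 10.10.0.0 "$_f"
    set_conf ipv4-netmask 255.255.0.0 "$_f"
    set_conf dtls-psk false "$_f"
    set_conf ipv6-network fda9:4efe:7e3b:03ea::/48 "$_f"
    set_conf rekey-method new-tunnel "$_f"
    set_conf dh-params /etc/ocserv/dh.pem "$_f"
    set_conf tls-priorities '"NORMAL:%SERVER_PRECEDENCE:+AES-128-GCM"' "$_f"
}

# Constructed excerpt of a stock ocserv.conf (only the lines this section touches).
write_sample_conf() {
    cat > "$1" <<'EOF'
auth = "pam[gid-min=1000]"
tcp-port = 443
udp-port = 443
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
try-mtu-discovery = false
route = 10.0.0.0/8
route = 172.16.0.0/12
route = 192.168.0.0/16
default-domain = example.com
#tunnel-all-dns = true
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
#dtls-psk = false
# ipv6-network = fda9:4efe:7e3b:03ea::/48
rekey-method = ssl
#dh-params = /etc/ocserv/dh.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
EOF
}

demo=$(mktemp)
write_sample_conf "$demo"
apply_ocserv_changes "$demo"
grep -Ev '^(#|$)' "$demo"   # the same review command used in this section
rm -f "$demo"
```

Running the script twice leaves the file unchanged, so it can be re-run after a package upgrade replaces ocserv.conf; every edit is anchored to the start of the line so a value that merely contains a key name (no-route versus route) is never touched by mistake.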

Edit the sysctl configuration file to allow IP forwarding:

nano /etc/sysctl.conf

Uncomment the following line:

net.ipv4.ip_forward=1

Activate the change:

sysctl -p

Stop the ocserv service:

systemctl stop ocserv

Migrate users from a previous Linux installation

On Old Machine:

mkdir /root/move/
export UGIDLIMIT=500
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/passwd > /root/move/passwd.mig
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/group > /root/move/group.mig
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534) {print "^" $1 ":"}' /etc/passwd | grep -E -f - /etc/shadow > /root/move/shadow.mig
cp /etc/gshadow /root/move/gshadow.mig
scp -r /root/move/* root@NEW_SERVER_IP_ADDRESS:/root/

On New Machine:

mkdir /root/newusers.bak
cp /etc/passwd /etc/shadow /etc/group /etc/gshadow /root/newusers.bak
cat /root/passwd.mig >> /etc/passwd
cat /root/group.mig >> /etc/group
cat /root/shadow.mig >> /etc/shadow
/bin/cp /root/gshadow.mig /etc/gshadow
cd /
rm -f /root/*.mig
reboot
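The selection on the old machine feeds usernames from /etc/passwd into grep as patterns. As an added example (not the page's own commands), the script below runs that selection on constructed passwd and shadow files and shows the difference between an unanchored pattern, which also matches any account whose name merely contains a selected name, and a pattern anchored to the first field. The accounts and the hash are made up for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original page: filter /etc/shadow by the users selected from
# /etc/passwd, on constructed files, to show why the username pattern must be anchored.
set -eu

UGIDLIMIT=500   # same limit as the migration above

# Constructed sample files: "bob" (uid 1001) must be migrated; "bobby" is a system account
# (uid 300) that must not be, even though its name contains "bob".
write_samples() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bobby:x:300:300:service account:/var/lib/bobby:/usr/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$2" <<'EOF'
root:*:18700:0:99999:7:::
bobby:!:18700:0:99999:7:::
bob:$6$constructedhash:18700:0:99999:7:::
nobody:*:18700:0:99999:7:::
EOF
}

# Usernames to migrate: uid >= UGIDLIMIT and not the nobody account ($1 is the passwd file).
migrate_users() {
    awk -v LIMIT="$UGIDLIMIT" -F: '($3>=LIMIT) && ($3!=65534) {print $1}' "$1"
}

# Unanchored: every shadow line ($2) that merely contains a selected name anywhere.
shadow_unanchored() {
    migrate_users "$1" | grep -E -f - "$2"
}

# Anchored: the name must fill the first field exactly ("^name:"). Usernames are plain
# words here; a name containing regex metacharacters would still need escaping.
shadow_anchored() {
    migrate_users "$1" | sed 's/.*/^&:/' | grep -E -f - "$2"
}

passwd_file=$(mktemp); shadow_file=$(mktemp)
write_samples "$passwd_file" "$shadow_file"
echo "unanchored (also copies bobby):"; shadow_unanchored "$passwd_file" "$shadow_file"
echo "anchored:";                       shadow_anchored "$passwd_file" "$shadow_file"
rm -f "$passwd_file" "$shadow_file"
```

Copying a system account's shadow line onto the new machine would either duplicate an entry that already exists there or carry over an account that was never meant to move, which is why the anchored form is the one to use in the migration.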

Install Webmin

Add the Webmin repository:

nano /etc/apt/sources.list

Add this line to the bottom of the file:

deb http://download.webmin.com/download/repository sarge contrib

Add the Webmin PGP key and update the list of packages:

wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
rm jcameron-key.asc
apt update -y

Install Webmin:

apt install webmin -y

Use an nginx reverse proxy to reach Webmin

To tell Webmin to stop using TLS/SSL:

nano /etc/webmin/miniserv.conf

Find the following line:

ssl=1

Change the 1 to a 0:

ssl=0

Add our domain to the list of allowed domains:

nano /etc/webmin/config

Add the following line to the bottom of the file:

referers=webmin.YOURDOMAIN.com

Install nginx in case it is not installed:

apt install nginx -y

Create a new Nginx virtual host file for Webmin:

nano /etc/nginx/sites-available/default

Put this in place:

server {
  listen 80;
  listen [::]:80;
  server_name webmin.YOURDOMAIN.com;
  rewrite ^/$ https://webmin.YOURDOMAIN.com redirect;
}
server {
  listen 80;
  listen [::]:80;
  server_name oc.YOURDOMAIN.com;
  rewrite ^/$ https://oc.YOURDOMAIN.com redirect;
}
server {
  listen 443 ssl http2;
  server_name webmin.YOURDOMAIN.com;

  ssl_certificate /etc/letsencrypt/live/oc.YOURDOMAIN.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/oc.YOURDOMAIN.com/privkey.pem;

  location / {
      proxy_set_header X-Forwarded-Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_http_version 1.1;

      proxy_pass http://localhost:10000;
  }
}
server {
  listen 443 ssl http2;
  server_name oc.YOURDOMAIN.com;

  ssl_certificate /etc/letsencrypt/live/oc.YOURDOMAIN.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/oc.YOURDOMAIN.com/privkey.pem;

  location / {
      proxy_set_header X-Forwarded-Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_http_version 1.1;

      proxy_pass http://localhost:20000;
  }
}

Configure HTTPS with Let's Encrypt

Update the package list and install Certbot:

apt install certbot -y

Stop webserver and tell Certbot to generate a TLS/SSL certificate:

service nginx stop
certbot certonly --email YOUR_EMAIL -d oc.YOURDOMAIN.com -d webmin.YOURDOMAIN.com -d oc2.YOURDOMAIN.com --standalone --agree-tos --redirect --noninteractive

Generate Strong Diffie-Hellman Group:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Restart Nginx and Webmin completely:

systemctl restart {nginx,webmin}

Test the renewal process:

service nginx stop && /usr/bin/certbot renew --dry-run && service nginx start

Edit root user’s crontab file.

crontab -e

Add the following line at the end of the file. The hooks only run when certbot actually attempts a renewal, so nginx is stopped just for the standalone challenge and started again afterwards instead of being left down on days with nothing to renew:

@daily /usr/bin/certbot renew --quiet --pre-hook "/usr/sbin/service nginx stop" --post-hook "/usr/sbin/service nginx start"

Go to DNS settings for YOURDOMAIN.com and activate CDN for webmin.YOURDOMAIN.com.

Create users

Create each user and add it to the ocserv group:

  1. Login to Webmin panel as root.
  2. Go to [System → Users and Groups → Create a new user](https://webmin.YOURDOMAIN.com/useradmin/edit_user.cgi)
  3. Enter Username, Real Name. Choose /bin/false in Shell. Choose “Normal Password” and enter the password. Choose “Yes” in “Force change at next login?”.
  4. Choose ocserv in “Secondary groups”.
  5. Click on “Create”.

Usermin Installation

Follow these steps to install Usermin:

  1. Connect to [your Webmin](https://webmin.YOURDOMAIN.com/) and log in with the server root user.
  2. On the left menu, click [Un-used Modules → Usermin Configuration](https://webmin.YOURDOMAIN.com/usermin).
  3. Click on “Install Usermin tar.gz package”

Enable Start Usermin at boot:

  1. On the left menu, click [Webmin → Usermin Configuration](https://webmin.YOURDOMAIN.com/usermin).
  2. Enable Start at boot time.

Add our domain to the list of allowed domains:

nano /etc/usermin/config

Add the following line to the bottom of the file:

referers=oc.YOURDOMAIN.com

Disable SSL Encryption:

  1. On the left menu, click [Webmin → Usermin Configuration → SSL Encryption](https://webmin.YOURDOMAIN.com/usermin/edit_ssl.cgi).
  2. Choose “No” in “Enable SSL?”.
  3. Restart Usermin.

Now restrict group ocserv to just changing passwords:

  1. On the left menu, click [Webmin → Usermin Configuration → Module Restrictions](https://webmin.YOURDOMAIN.com/usermin/list_restrict.cgi).
  2. Select “Add a new user or group restriction”.
  3. Click on “Members of group” and type “ocserv”.
  4. Select Change Password.
  5. Click on “Create”.

iptables Configuration

Add ocserv's 8080 port to the firewall’s accepted list:

iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p udp --dport 8080 -j ACCEPT

Add mtproxy's 9000 port to firewall's accepted list:

iptables -I INPUT -p tcp --dport 9000 -m state --state NEW,ESTABLISHED -j ACCEPT

Add http, https and ssh ports to firewall's accepted list:

iptables -A INPUT -p tcp -m multiport --dports http,https,ssh -j ACCEPT

All traffic from LAN to WAN is allowed:

iptables -A FORWARD -s 172.16.0.0/255.240.0.0 -j ACCEPT
iptables -A FORWARD -s 10.0.0.0/255.0.0.0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Enable NAT by using the following command:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Circumventing Path MTU Discovery issues with MSS Clamping:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu

Allow loopback traffic (nginx proxies to Webmin and Usermin over localhost) and replies to connections the server itself opened, then change the default policy of the chains to drop everything else:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

Make the iptables rules, including the default policies, persist across server reboots:

apt install iptables-persistent -y
invoke-rc.d netfilter-persistent save

Run OCServ

Start it:

systemctl start ocserv
systemctl status ocserv

Check which unit is listening on port 443 (it should be nginx now, since ocserv moved to 8080):

netstat -tulpn | grep 443

Reboot server and test everything:

reboot

Troubleshooting

Create a connection with your client and connect. If things go wrong, use this command to debug:

journalctl -lu ocserv

If you want to see logs from the last service boot:

journalctl -b -lu ocserv

To run ocserv in the foreground on the server with debug output:

ocserv -c /etc/ocserv/ocserv.conf -f -d 1

PAM Issue

Sometimes, when PAM is used as the authentication method, the first user can connect and disconnect, but the next connection attempt fails (it looks as if ocserv crashes on every second try). The libpam-cap module causes this; remove it and try again:

apt remove libpam-cap -y

Plain Authentication

If you want to activate plain authentication edit ocserv configurations:

nano /etc/ocserv/ocserv.conf

Find the line:

auth = "pam[gid-min=1000]"

Replace it with the following:

auth = "plain[/etc/ocserv/ocpasswd]"

Create the password file with your desired username, then type your password and confirm it:

ocpasswd -c /etc/ocserv/ocpasswd YOUR_USERNAME_HERE

DNS Issue

If you have a DNS problem on the server check resolv.conf:

nano /etc/resolv.conf

If you see 127.0.0.53 here, systemd-resolved is managing this file. Put the following nameservers in place:

nameserver 213.133.100.100
nameserver 213.133.99.99
nameserver 213.133.98.98

Then make the file contents static by installing resolvconf:

apt install resolvconf -y
dpkg-reconfigure resolvconf

Reboot the server to check the DNS after reboot:

reboot

Clients Setup

Installation

Run the client and enter the following connection details:

Host: oc.YOURDOMAIN.com

Port: 8080

Username: YOUR_USERNAME

Password: YOUR_PASSWORD

Ubuntu, from the command line (the server presents a valid Let's Encrypt certificate, so --no-cert-check can be dropped to keep certificate validation on):

echo "YOUR_PASSWORD" | sudo openconnect -u YOUR_USERNAME --passwd-on-stdin oc.YOURDOMAIN.com:8080 --no-cert-check --no-dtls

MTProxy Installation

Clone the repo:

git clone https://github.com/TelegramMessenger/MTProxy /opt/MTProxy
cd /opt/MTProxy

Build the project:

make && cd objs/bin

Running

Obtain a secret, used to connect to telegram servers:

curl -s https://core.telegram.org/getProxySecret -o proxy-secret

Obtain current telegram configuration:

curl -s https://core.telegram.org/getProxyConfig -o proxy-multi.conf

Generate a secret to be used by users to connect to your proxy:

head -c 16 /dev/urandom | xxd -ps

Replace YOUR_SECRET with the generated secret and run the proxy in the foreground to test it:

/opt/MTProxy/objs/bin/mtproto-proxy -u nobody -p 8888 -H 9000 -S YOUR_SECRET --aes-pwd /opt/MTProxy/objs/bin/proxy-secret /opt/MTProxy/objs/bin/proxy-multi.conf -M 2

Systemd Service

Create systemd service file:

nano /etc/systemd/system/MTProxy.service

Put this basic unit in place (replace YOUR_SECRET with the generated secret):

[Unit]
Description=MTProxy
After=network.target

[Service]
Type=simple
WorkingDirectory=/opt/MTProxy
ExecStart=/opt/MTProxy/objs/bin/mtproto-proxy -u nobody -p 8888 -H 9000 -S YOUR_SECRET --aes-pwd /opt/MTProxy/objs/bin/proxy-secret /opt/MTProxy/objs/bin/proxy-multi.conf -M 2
Restart=on-failure

[Install]
WantedBy=multi-user.target

Reload daemons:

systemctl daemon-reload

Test fresh MTProxy service:

systemctl restart MTProxy.service
systemctl status MTProxy.service

Enable it, to autostart service after reboot:

systemctl enable MTProxy.service

Algo Installation

Download and install dependencies:

apt -y install unzip python3-virtualenv
wget -c https://github.com/trailofbits/algo/archive/master.zip -O /opt/algo.zip
cd /opt/
unzip algo.zip 
cd algo-master/
python3 -m virtualenv --python="$(command -v python3)" .env &&
  source .env/bin/activate &&
  python3 -m pip install -U pip virtualenv &&
  python3 -m pip install -r requirements.txt

Open configuration file:

nano config.cfg

Specify the users you wish to create in the users list:

users:
 - masoud

Run the Ansible Setup Wizard

Start the deployment:

./algo

Choose the following options:

What provider would you like to use?
  1. DigitalOcean
  2. Amazon Lightsail
  3. Amazon EC2
  4. Microsoft Azure
  5. Google Compute Engine
  6. Hetzner Cloud
  7. Vultr
  8. Scaleway
  9. OpenStack (DreamCompute optimised)
  10. CloudStack (Exoscale optimised)
  11. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)
11
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks? [y/N]
N
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi? [y/N]
N
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
Y
Do you want to enable DNS ad blocking on this VPN server? [y/N]
N
Do you want each user to have their own account for SSH tunneling? [y/N]
N
Enter the IP address of your server: (or use localhost for local installation): [localhost]
localhost
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate) [YOUR_PUBLIC_IP]
YOUR_PUBLIC_IP

Client

Android

Install WireGuard Client:

https://www.wireguard.com/install/

For an Android device, download the QR code image and the config file, then scan the QR code in the app:

scp root@YOUR_PUBLIC_IP:/opt/algo-master/configs/YOUR_PUBLIC_IP/wireguard/masoud{.png,.conf} .

Linux

add-apt-repository ppa:wireguard/wireguard
apt update -y
apt install wireguard -y

Copy Client Configs:

sudo install -o root -g root -m 600 masoud.conf /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

Another Method:

add-apt-repository ppa:nm-l2tp/network-manager-l2tp
apt update -y
apt install network-manager-l2tp-gnome -y

Add VPN Connection.

Another Method Using IPSec:

apt install strongswan -y
scp root@YOUR_PUBLIC_IP:/opt/algo/configs/YOUR_PUBLIC_IP/ipsec/.pki/private/masoud.key .
scp root@YOUR_PUBLIC_IP:/opt/algo/configs/YOUR_PUBLIC_IP/ipsec/.pki/certs/masoud.crt .
scp root@YOUR_PUBLIC_IP:/opt/algo/configs/YOUR_PUBLIC_IP/ipsec/manual/* .

Copy the files into place and bring the tunnel up:

cp masoud.crt /etc/ipsec.d/certs/
cp masoud.key /etc/ipsec.d/private/
cp cacert.pem /etc/ipsec.d/cacerts/
cp masoud.secrets /etc/ipsec.secrets
cp masoud.conf /etc/ipsec.conf
ipsec restart
ipsec up algovpn-116.202.102.246

Visit https://whoer.net/

Add user:

After the installation, you can add other users to the users list in your config.cfg:

users:
 - test
 - pech
 - admin
 - user2

Once the list is updated, activate the virtual environment and run the users update script.

cd /opt/algo-master
source .env/bin/activate
./algo update-users

After this process completes, the Algo VPN server will contain only the users listed in the config.cfg file.

# id test
uid=1002(test) gid=1003(test) groups=1003(test),1000(algo)

The configuration files for each VPN profile are located under the ./algo/configs/ServerIP directory.

See the connection status:

wg show

Check if the following UDP ports are open:

nc -vz -u YOUR_PUBLIC_IP 500
nc -vz -u YOUR_PUBLIC_IP 51820
nc -vz -u YOUR_PUBLIC_IP 4500

Fail2Ban Setup

Install fail2ban:

apt install fail2ban -y

Copy `jail.conf` to `jail.local` with all lines commented:

awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local

Uncomment and set these jail settings:

[DEFAULT]
. . .
ignoreip = 127.0.0.1/8 95.216.139.16/32
. . .
bantime  = 60m
. . .
findtime  = 10m
. . .
maxretry = 5
. . .
[sshd]
. . .
enabled = true
port    = ssh
logpath = %(sshd_log)s

Reset the fail2ban:

service fail2ban restart

Check new iptables rules:

iptables --list

Check if all of the jails are enabled:

fail2ban-client status
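The jail settings above boil down to one counting rule: an address that produces maxretry failed logins inside any findtime window is banned. The script below is an added example, not part of the original page or of fail2ban itself: it applies that rule with the values from jail.local to a set of constructed sshd log lines, so the effect of findtime and ignoreip can be seen without touching a live server. The timestamps, addresses and process ids are made up, and ignoreip is matched as exact addresses rather than the CIDR ranges fail2ban accepts.

```sh
#!/bin/sh
# Added example, not from the original page: the counting rule behind the [sshd] jail
# (maxretry failed logins within findtime => ban) applied to constructed sshd log lines.
set -eu

FINDTIME=600   # seconds; the findtime = 10m from jail.local
MAXRETRY=5     # the maxretry = 5 from jail.local

# Constructed log lines (ISO timestamp, all on one day). 203.0.113.5 fails 5 times in two
# minutes, 198.51.100.9 fails 5 times but 10 minutes apart, 127.0.0.1 fails 5 times but is
# listed in ignoreip. One successful login is mixed in and must be left alone.
sample_log() {
    cat <<'EOF'
2021-05-04T14:00:01 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2021-05-04T14:00:20 sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
2021-05-04T14:00:45 sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
2021-05-04T14:01:10 sshd[1004]: Accepted publickey for masoud from 192.0.2.10 port 50000 ssh2
2021-05-04T14:01:30 sshd[1005]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
2021-05-04T14:01:55 sshd[1006]: Failed password for invalid user pech from 203.0.113.5 port 40005 ssh2
2021-05-04T14:05:00 sshd[1007]: Failed password for root from 198.51.100.9 port 41000 ssh2
2021-05-04T14:15:00 sshd[1008]: Failed password for root from 198.51.100.9 port 41001 ssh2
2021-05-04T14:25:00 sshd[1009]: Failed password for root from 198.51.100.9 port 41002 ssh2
2021-05-04T14:35:00 sshd[1010]: Failed password for root from 198.51.100.9 port 41003 ssh2
2021-05-04T14:45:00 sshd[1011]: Failed password for root from 198.51.100.9 port 41004 ssh2
2021-05-04T14:50:00 sshd[1012]: Failed password for root from 127.0.0.1 port 42000 ssh2
2021-05-04T14:50:20 sshd[1013]: Failed password for root from 127.0.0.1 port 42001 ssh2
2021-05-04T14:50:40 sshd[1014]: Failed password for root from 127.0.0.1 port 42002 ssh2
2021-05-04T14:51:00 sshd[1015]: Failed password for root from 127.0.0.1 port 42003 ssh2
2021-05-04T14:51:20 sshd[1016]: Failed password for root from 127.0.0.1 port 42004 ssh2
EOF
}

# Print each IP the first time it reaches MAXRETRY failed logins inside a FINDTIME window.
# $1 is a space-separated list of addresses to ignore (exact match). Reads log lines on stdin.
find_bans() {
    awk -v findtime="$FINDTIME" -v maxretry="$MAXRETRY" -v ignore="$1" '
    BEGIN { n = split(ignore, ig, " "); for (i = 1; i <= n; i++) ignored[ig[i]] = 1 }
    /Failed password/ {
        split($1, dt, "T"); split(dt[2], t, ":")        # HH:MM:SS -> seconds since midnight
        ts = t[1] * 3600 + t[2] * 60 + t[3]
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip in ignored || ip in banned) next
        cnt[ip]++; when[ip, cnt[ip]] = ts
        recent = 0                                        # failures inside the sliding window
        for (j = cnt[ip]; j >= 1 && when[ip, j] > ts - findtime; j--) recent++
        if (recent >= maxretry) { banned[ip] = 1; print ip }
    }'
}

sample_log | find_bans "127.0.0.1 95.216.139.16"   # the two ignoreip entries from jail.local
```

The 198.51.100.9 attempts never trigger a ban because no five of them fall inside one 10 minute window, which is the trade-off findtime encodes: a shorter findtime tolerates slow, patient guessing, a longer one catches it at the cost of banning a clumsy legitimate user sooner.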

Add a new floating IP

Open the project in the Hetzner console. Open the Floating IPs section and add a new one.

Add a few new lines to the netplan configuration file:

nano /etc/netplan/50-cloud-init.yaml

Paste the following configuration into the editor and replace YOUR_NEW_IP with your Floating IP:

network:
    version: 2
    ethernets:
        eth0:
            addresses:
            - 2a01:4f9:c010:18be::1/64
            dhcp4: true
            gateway6: fe80::1
            match:
                macaddress: 96:00:00:a6:82:87
            set-name: eth0
        lo:
            addresses:
            - YOUR_NEW_IP/32

Apply the network configuration:

netplan apply
en/vpn.txt · Last modified: 2021/05/04 14:58 by smmsadrnezh