VPN
nmcli con show --active | grep -i vpn
Links
https://www.networkinghowtos.com/howto/common-vpn-ports-and-protocols/
vpn
WireGuard
Server
sudo apt install -y wireguard cd /etc/wireguard umask 077; wg genkey | tee privatekey | wg pubkey > publickey /etc/wireguard/wg0.conf [Interface] Address = 192.168.6.1/24 ListenPort = 1194 PrivateKey = qz3LQkTEA8tOJEORyUxT2w2SIwdXwCLcO7joKq58tUs= PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE [Peer] PublicKey = wL+h2EqxaQpcWgwO8SIXPGqhHgssvj9xqjHAPjYLJ28= AllowedIPs = 192.168.6.2/32 sudo ufw allow 1194/udp sudo ufw status sudo systemctl enable wg-quick@wg0 sudo systemctl start wg-quick@wg0 sudo systemctl status wg-quick@wg0 # watch connections watch -n1 wg
Client
Side2Side VPN connection between OpenStack VPNaaS and AVM Fritz!Box
FRITZBOX_WAN_IP=111.1.2.3 FRITZBOX_CIDR=192.168.178.0/24 PSK=PASS1234 openstack vpn ike policy create ikepolicy \ --encryption-algorithm aes-256 \ --auth-algorithm sha512 \ --pfs group2 openstack vpn ipsec policy create ipsecpolicy \ --encryption-algorithm aes-256 \ --auth-algorithm sha512 \ --pfs group2 ROUTER_ID=$(openstack router list -c ID -f value) openstack vpn service create vpn \ --router ${ROUTER_ID} SUBNET_ID=$(openstack subnet list -c ID -f value) openstack vpn endpoint group create ep_subnet \ --type subnet \ --value ${SUBNET_ID} openstack vpn endpoint group create ep_cidr \ --type cidr \ --value ${FRITZBOX_CIDR} openstack vpn ipsec site connection create conn \ --vpnservice vpn \ --ikepolicy ikepolicy \ --ipsecpolicy ipsecpolicy \ --peer-address ${FRITZBOX_WAN_IP} \ --peer-id ${FRITZBOX_WAN_IP} \ --psk ${PSK} \ --local-endpoint-group ep_subnet \ --peer-endpoint-group ep_cidr
Add ingress ssh security rule
openstack security group rule create default \ --protocol tcp \ --dst-port 22 \ --remote-ip 192.168.178.0/24
Create S2S VPN connection on Fritz!Box
Site to Site IPSec VPN with strongSwan and OpenStack VPNaaS (IPsec)
Setup
# Left (Ubuntu client, behind NAT) Ubuntu Client IP: 212.8.9.10 Ubuntu net: 192.168.178.0/24 # Right (OpenStack VPNaaS) VPN_SERVICE_ID=$(openstack vpn service list -c ID -f value) VPN_SERVICE_IP=$(openstack vpn service show ${VPN_SERVICE_ID} -c external_v4_ip -f value) echo ${VPN_SERVICE_IP} OpenStack VPN IP: 217.50.60.70 OpenStack Net: 10.0.1.0/24
Create OpenStack VPN endpoint
http://www.panticz.de/openstack/vpnaas
/etc/ipsec.secrets
217.50.60.70 : PSK "PASS1234"/etc/ipsec.conf
config setup conn vpn1 keyexchange=ikev1 left=%defaultroute leftid=212.8.9.10 leftsubnet=192.168.178.0/24 leftauth=psk leftfirewall=yes authby=psk auto=start ike=aes256-sha512-modp1024 esp=aes256-sha512 right=217.50.60.70 rightsubnet=10.0.1.0/24 rightauth=psk ikelifetime=3600s keylife=3600s type=tunnel
CLI
sudo ipsec status sudo ipsec statusall sudo ipsec restart sudo ipsec up vpn1 sudo ipsec down vpn1 sudo ipsec listalgs
List
OpenStack Debug VPN connection
PROJECT_ID=9eaecf3b-0972-4166-806a-295f4e69fd3c ROUTER_ID=$(openstack vpn service list --long -f json | jq -r ".[] | select(.Project == \"${PROJECT_ID}\").Router") echo ${ROUTER_ID} openstack port list --router ${ROUTER_ID} --device-owner network:ha_router_replicated_interface -c binding_host_id -f value | sort -u CONTROL_NODE=ewos1-ctl1-prod ssh -t ${CONTROL_NODE} docker exec -u root -ti neutron_l3_agent bash apt update apt install -y vim vi /var/lib/neutron/ipsec/${ROUTER_ID}/etc/strongswan.d/charon-logging.conf charon { ... filelog { /var/log/vpn-debug-${ROUTER_ID}.log { append = no default = 2 ike_name = yes time_add_ms = yes time_format = %b %e %T } } ... } ip netns exec qrouter-${ROUTER_ID} neutron-vpn-netns-wrapper \
OpenStack: VPNaaS (VPN)
openstack vpn service list openstack vpn service list -c ID -f value | xargs -i openstack vpn service show {} openstack vpn ipsec site connection list -c ID -f value | xargs -L1 openstack vpn ipsec site connection show
Check VPN peer address
PRIVATE_PEER_ADDRESSES=$(openstack vpn ipsec site connection list -c "Peer Address" -f value | egrep "^10.|^172.|^192.") for PRIVATE_PEER_ADDRESSE in ${PRIVATE_PEER_ADDRESSES}; do echo "PRIVATE_PEER_ADDRESSES: ${PRIVATE_PEER_ADDRESSE}" CONNECTION_ID=$(openstack vpn ipsec site connection list | grep ${PRIVATE_PEER_ADDRESSE} | cut -d" " -f2) openstack vpn ipsec site connection show ${CONNECTION_ID} VPN_SERVICE_ID=$(openstack vpn ipsec site connection show ${CONNECTION_ID} -c "VPN Service" -f value) openstack vpn service show ${VPN_SERVICE_ID} PROJECT_ID=$(openstack vpn service show ${VPN_SERVICE_ID} -c project_id -f value) openstack project show ${PROJECT_ID} done
Links
https://docs.openstack.org/neutron/rocky/admin/vpnaas-scenario.html
sshuttle
sudo apt-get install -y sshuttle
sshuttle --dns --remote foo@example.com 10.0.0.0/8 192.168.251.36/3 --exclude 192.168.179.0/24
Linux
https://sshuttle.readthedocs.io/en/stable/
https://sshuttle.readthedocs.io/en/stable/windows.html
openconnect
echo pass1234 | openconnect --no-cert-check vpn.example.com --user foo
start-stop-daemon --start --make-pidfile --pidfile "${VPNPID}" \
--stderr "${VPNERRFILE}" --stdout "${VPNLOGFILE}" \
--background --exec /bin/bash \
-- -c "exec /usr/sbin/openconnect --pid-file=\"${VPNPID}\" ${!VPNOPTS} ${!SERVER} <<< \`echo \"${!PASSWORD}\"\`"
# Custom script
# cat /etc/vpnc/post-connect.d/route
#!/bin/bash
ip route del default
ip route add default via 10.0.17.254
ip route add 120.1.0.0/16 dev tun0 scope link
Install SSH VPN server
export CONTAINER=vpn
# create container
# TODO: configure MAC on create container
wget -q --no-check-certificate https://raw.githubusercontent.com/panticz/lxc/master/create.jessie.sh -O - | bash -s -- -f
# configure container MAC address
sed -i 's|lxc.network.hwaddr = .*|lxc.network.hwaddr = 00:11:22:33:44:5e|' /var/lib/lxc/${CONTAINER}/config
# enable autostart
echo "lxc.start.auto = 1" | tee -a /var/lib/lxc/${CONTAINER}/config
# configure container
##echo "lxc.hook.autodev=/var/lib/lxc/vpn/autodev" >> /var/lib/lxc/${CONTAINER}/config