
Bitbull Tech Notes - home of free minds ...

OpenVPN Site to Site with CentOS 7


26 May, 2015
Uncategorised
OpenVPN site to site with CentOS 7 and symmetric encryption (OpenVPN static key mode: one pre-shared key on both ends, no certificates)
OFFICE:
Network: 192.168.10.0/24

HOME:
Network: 192.168.20.0/24

DO THIS ON ALL MACHINES:

yum install https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install openvpn

The epel-release-7-5 package in that URL is the one that was current in May 2015; if it has been superseded, take the current epel-release RPM from the same directory. CentOS 7 ships with firewalld enabled, while the /etc/sysconfig/iptables file and the iptables service used below belong to the iptables-services package, so install that package and stop and disable firewalld before loading the rules, otherwise the two fight over the rule set.

About me: Hi, I'm Chris Ruettimann, a passionate father, unix system engineer and Arduino hacker.
DO THIS ON OFFICE MACHINE:

vi /etc/openvpn/office-home.conf


------
remote home.compress.to
port 4001
float
proto udp
dev tun1
ifconfig 172.10.0.1 172.10.0.2
persist-tun
persist-local-ip
persist-remote-ip
comp-lzo
ping 15
secret /etc/openvpn/office-home.key
route 192.168.20.0 255.255.255.0
user openvpn
group openvpn
syslog office-home
verb 1
------

Notes on this config: `secret` selects OpenVPN's static key mode, so both ends share one pre-shared key and there is no forward secrecy; anyone who obtains the key file can decrypt recorded traffic, which is why the key is kept mode 400 below. `float` lets the peer keep talking after its public address changes (useful for a home connection with a dynamic IP), because each packet is authenticated by its HMAC, not by its source address. The `port` here must match the UDP port opened in the firewall rules. The tunnel endpoints 172.10.0.1 and 172.10.0.2 are not RFC 1918 addresses (the private block is 172.16.0.0/12); they work as long as neither site needs to reach the real 172.10.0.0/16, but a private range is the safer choice. Newer OpenVPN releases deprecate `comp-lzo`, and compressing traffic before encrypting it is generally discouraged, so drop it unless the link really needs it.
opendns openstack openvpn

vi /etc/sysconfig/iptables
perl port check port scanner post x
------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# openvpn (must match the "port" directive in office-home.conf)
-A INPUT -p udp --dport 4001 -j ACCEPT
# do not allow anything else
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# openvpn
-A FORWARD -s 192.168.10.0/24 -d 192.168.20.0/24 -j ACCEPT
-A FORWARD -s 192.168.20.0/24 -d 192.168.10.0/24 -j ACCEPT
# do not allow anything else
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
------

openvpn --genkey --secret /etc/openvpn/office-home.key


chmod 600 /etc/openvpn/office-home.conf
chmod 400 /etc/openvpn/office-home.key
scp /etc/openvpn/office-home.key root@vpn-home:/etc/openvpn/office-home.key
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

systemctl enable iptables
systemctl restart iptables
systemctl enable openvpn@office-home
systemctl restart openvpn@office-home

DO THIS ON HOME MACHINE:

vi /etc/openvpn/home-office.conf
------
remote office.compress.to
port 4001
float
proto udp
dev tun1
ifconfig 172.10.0.2 172.10.0.1
persist-tun
persist-local-ip
persist-remote-ip
comp-lzo
ping 15
secret /etc/openvpn/office-home.key
route 192.168.10.0 255.255.255.0
user openvpn
group openvpn
syslog office-home
verb 1
------

vi /etc/sysconfig/iptables
------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# openvpn (must match the "port" directive in home-office.conf)
-A INPUT -p udp --dport 4001 -j ACCEPT
# do not allow anything else
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# openvpn
-A FORWARD -s 192.168.10.0/24 -d 192.168.20.0/24 -j ACCEPT
-A FORWARD -s 192.168.20.0/24 -d 192.168.10.0/24 -j ACCEPT
# do not allow anything else
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
------

chmod 600 /etc/openvpn/home-office.conf
chmod 400 /etc/openvpn/office-home.key
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

(The key file on the home side is office-home.key: the file copied over with scp from the office and named in the `secret` line of home-office.conf.)

systemctl enable iptables
systemctl restart iptables
systemctl enable openvpn@home-office
systemctl restart openvpn@home-office

DO NOT FORGET TO SET STATIC ROUTES ON THE DEFAULT GATEWAYS: on the office LAN, 192.168.20.0/24 via the office VPN host; on the home LAN, 192.168.10.0/24 via the home VPN host. Without them only the two VPN hosts can reach the other site, because every other machine sends packets for the remote network to its default gateway, which knows nothing about the tunnel.
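As an added example that is not part of the original post: a shell script that checks one side of the setup above for the mistakes that most often leave a static-key site-to-site tunnel dead or weak. It reads the local .conf, the local iptables rules file and the peer's .conf, and reports a firewall port that does not match `port`, `ifconfig` endpoints that are not mirrored on the peer, tunnel addresses outside RFC 1918, a missing or group/world-readable key file, and a routed network with no FORWARD ACCEPT rule. The `write_samples` function and the files it produces are constructed for this example (they mirror the office side above, deliberately keeping a firewall port that does not match the config); the script name `check-site.sh` is an assumption.

```shell
#!/bin/bash
# Added example, not from the original post: consistency checks for one side of an
# OpenVPN static-key site-to-site link. All sample paths and file contents are constructed.

ovpn_opt() {   # $1=conf  $2=directive  -> first value of that directive
    awk -v k="$2" '$1==k {print $2; exit}' "$1"
}

fw_input_ports() {   # $1=rules file  $2=proto  -> ports accepted in INPUT for that proto
    awk -v p="$2" '/^-A INPUT/ && $0 ~ ("-p " p) && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1) }' "$1"
}

is_rfc1918() {   # $1=dotted IPv4 address; true if it is in 10/8, 172.16/12 or 192.168/16
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# check_site LOCAL_CONF LOCAL_RULES PEER_CONF
# Prints one line per problem; the return value is the number of problems (0 = consistent).
check_site() {
    local conf=$1 rules=$2 peer=$3 n=0
    local port proto lip rip plip prip key net net_re
    port=$(ovpn_opt "$conf" port); proto=$(ovpn_opt "$conf" proto)
    set -- $(awk '$1=="ifconfig" {print $2, $3; exit}' "$conf"); lip=$1; rip=$2
    set -- $(awk '$1=="ifconfig" {print $2, $3; exit}' "$peer"); plip=$1; prip=$2
    key=$(ovpn_opt "$conf" secret); net=$(ovpn_opt "$conf" route)

    # 1. the firewall must accept the port the tunnel uses
    if ! fw_input_ports "$rules" "$proto" | grep -qx "$port"; then
        echo "firewall: INPUT does not accept $proto/$port (the 'port' in $conf)"; n=$((n+1))
    fi
    # 2. ifconfig local/remote must be the mirror image of the peer's
    if [ "$lip" != "$prip" ] || [ "$rip" != "$plip" ]; then
        echo "ifconfig: local '$lip $rip' is not the mirror of peer '$plip $prip'"; n=$((n+1))
    fi
    # 3. tunnel endpoints should be private addresses
    if ! is_rfc1918 "$lip" || ! is_rfc1918 "$rip"; then
        echo "ifconfig: $lip/$rip is not RFC 1918 space and can collide with real Internet hosts"; n=$((n+1))
    fi
    # 4. the static key must exist and be readable by its owner only
    if [ ! -f "$key" ]; then
        echo "secret: key file $key is missing (openvpn --genkey --secret, then copy it)"; n=$((n+1))
    elif [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "secret: $key is readable by group/other; chmod 400 it"; n=$((n+1))
    fi
    # 5. the routed remote LAN needs a FORWARD ACCEPT rule
    net_re=$(printf '%s' "$net" | sed 's/\./\\./g')
    if ! grep -q "^-A FORWARD .*-d $net_re/.*-j ACCEPT" "$rules"; then
        echo "forward: no FORWARD ACCEPT rule towards routed network $net"; n=$((n+1))
    fi
    return $n
}

# Constructed sample files mirroring the post's office side; office.rules keeps a
# firewall port that does not match the config, office-fixed.rules corrects it.
write_samples() {   # $1=directory
    local d=$1
    cat > "$d/office.conf" <<EOF
remote home.compress.to
port 4001
proto udp
dev tun1
ifconfig 172.10.0.1 172.10.0.2
secret $d/office-home.key
route 192.168.20.0 255.255.255.0
EOF
    cat > "$d/home.conf" <<EOF
remote office.compress.to
port 4001
proto udp
dev tun1
ifconfig 172.10.0.2 172.10.0.1
secret $d/office-home.key
route 192.168.10.0 255.255.255.0
EOF
    cat > "$d/office.rules" <<'EOF'
*filter
-A INPUT -p udp --dport 8001 -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -d 192.168.20.0/24 -j ACCEPT
-A FORWARD -s 192.168.20.0/24 -d 192.168.10.0/24 -j ACCEPT
COMMIT
EOF
    sed 's/--dport 8001/--dport 4001/' "$d/office.rules" > "$d/office-fixed.rules"
    rm -f "$d/office-home.key"; : > "$d/office-home.key"; chmod 400 "$d/office-home.key"
}

# Usage against real files: check-site.sh LOCAL_CONF LOCAL_RULES PEER_CONF
if [ $# -ge 3 ]; then check_site "$@"; fi
```

Copy the peer's .conf over before running it, since the mirror check needs both sides; the exit status is the number of findings, so it can gate a config deploy.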
