diff --git a/openvpn-test/client.conf b/openvpn-test/client.conf
index 687c79f..7149179 100644
--- a/openvpn-test/client.conf
+++ b/openvpn-test/client.conf
@@ -33,7 +33,7 @@ dev tun
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
-proto tcp-client
+proto udp
;proto udp
# The hostname/IP and port of the server.
diff --git a/overlay/etc/firewall.sh b/overlay/etc/firewall.sh
index b763612..e9a4658 100755
--- a/overlay/etc/firewall.sh
+++ b/overlay/etc/firewall.sh
@@ -92,7 +92,9 @@ iptables -A FORWARD -p icmp --icmp-type 0/0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3 -j ACCEPT
# Allow services such as ssh (can be disabled)
-iptables -A INPUT -p tcp -m multiport --dports ssh,1194 -j ACCEPT -m state --state NEW
+iptables -A INPUT -p tcp --dport ssh -j ACCEPT -m state --state NEW
+
+iptables -A INPUT -p udp --dport 1194 -j ACCEPT -m state --state NEW
# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
@@ -177,7 +179,8 @@ ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ssh and openvpn access
-ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p tcp -m multiport --dports ssh,1194 -m state --state NEW -j ACCEPT
+ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p tcp --dport ssh -m state --state NEW -j ACCEPT
+ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p udp --dport 1194 -m state --state NEW -j ACCEPT
# Allow useful ICMPv6
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -m state --state NEW -j ACCEPT
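Review bot: `proto udp` on the client is paired with `proto udp6` on the server in this same commit, and on OpenVPN 2.3 `udp` is IPv4-only while `udp6` is IPv6-only, so the two would not talk unless the build is 2.4+, where `udp6` is dual-stack by default; either make the client `proto udp6` as well or have the server listen with plain `proto udp`, depending on the OpenVPN version, which the patch does not show. The `;proto udp` context line directly below is now a verbatim copy of the active directive and reads as a half-edited leftover; drop it or replace it with `# was: proto tcp-client`. The `remote` line that has to agree with this protocol lies outside the hunk.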
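Review bot: The new IPv4 rule accepts UDP 1194 on every interface and destination, whereas its IPv6 twin in this patch is scoped with `-i $LANIF -d $IP6LANIP`; because UDP has no handshake, every datagram reaching the port is handed straight to OpenVPN's TLS state machine, so the exposure should be the same on both address families. If `$LANIF` is already defined by this point of the script (outside the hunk), tighten it to `iptables -A INPUT -i $LANIF -p udp --dport 1194 -m state --state NEW -j ACCEPT`. The comment `# Allow services such as ssh (can be disabled)` now describes only the ssh rule; add `# Allow OpenVPN (UDP 1194, must match proto in vpn.conf)` above the new line so the two rules are not mistaken for one service.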
@@ -187,9 +190,15 @@ ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m state -
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -m state --state NEW -j ACCEPT
-# Allow ARPv6
+# Allow NDP
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j ACCEPT
+ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j ACCEPT
+ip6tables -N NoRouterAdv
+ip6tables -A OUTPUT -o $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j NoRouterAdv # Protect from misconfiguration (we are not a router)
+ip6tables -A FORWARD -o $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j NoRouterAdv
+ip6tables -A NoRouterAdv -j LOG --log-prefix "NORADV6 "
+ip6tables -A NoRouterAdv -j DROP
ip6tables -A INPUT -j LOG --log-prefix "CATCHALL6 "
ip6tables -A FORWARD -j LOG --log-prefix "CATCHALL6 "
diff --git a/overlay/etc/openvpn/crl.pem b/overlay/etc/openvpn/crl.pem
new file mode 100644
index 0000000..c6273aa
--- /dev/null
+++ b/overlay/etc/openvpn/crl.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIBsTCBmgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJERTEbMBkGA1UE
+CAwSQmFkZW4tV3VlcnR0ZW1iZXJnMRIwEAYDVQQHDAlLYXJsc3J1aGUxGDAWBgNV
+BAMMD3BhbmRhLmhhZGlrby5kZRcNMTQwNDE0MTIxODM5WhcNMTQwNTE0MTIxODM5
+WqAOMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEFBQADggEBAHunprmA/Oi8v3LM
+83uYwq8vOVWNTLf9Z9bwBgdgX9NCYlj8bBqWmHi81IMa0Io2W8nk4Rn9/bV4Qu3H
+oeYrMr891RGM2RfSkVlbb3biCj9ulUFn154YAwm0oyGRCaDp2eH7ohziWwRQGIjE
+miQ6Trak4N1g+7m5dInFYAN7RCY1VvOaKaE3rbr0P/t6yNrgi6+KQPRyJc8rbGcj
+NIU6tdaeEl0v2ahp98xMbUFYNa6MkoOidngcl+Lo9Jnzs86mWwqDD9Aw3nfBSL6+
+viPq4W9EGwdXL26svdIz/myC0+tVG5VWHfBLP+Ur9BD3PaY3GRcr0iX99GZ81Y0Y
+7MB6CnQ=
+-----END X509 CRL-----
diff --git a/overlay/etc/openvpn/vpn.conf b/overlay/etc/openvpn/vpn.conf
index 07c3eab..b080ddd 100644
--- a/overlay/etc/openvpn/vpn.conf
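Review bot: The new rule accepts Router Advertisements (ICMPv6 type 134) from any source on `$LANIF`, so if the kernel has `accept_ra` enabled on that interface any LAN host can push a default route, prefix or DNS server onto this machine — the rogue-RA problem described in RFC 6104. RFC 4861 requires RAs to come from a link-local source with hop limit 255 (NS and NA must carry hop limit 255 too), so the accept can be tightened to `ip6tables -A INPUT -i $LANIF -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -m hl --hl-eq 255 -j ACCEPT`, with `-m hl --hl-eq 255` added to the 135/0 and 136/0 rules above it (NS keeps an unrestricted source because DAD sends from `::`). The `NoRouterAdv` LOG rule has no rate limit, so a misconfiguration that trips it repeatedly floods the log; use `ip6tables -A NoRouterAdv -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "NORADV6 "`. Whether the script flushes and deletes user chains before `ip6tables -N NoRouterAdv` (which fails if the chain already exists on a re-run) is outside the hunk.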
+++ b/overlay/etc/openvpn/vpn.conf
@@ -32,7 +32,7 @@ port 1194
# TCP or UDP server?
-proto tcp6-server
+proto udp6
;proto udp
# "dev tun" will create a routed IP tunnel,
@@ -78,6 +78,7 @@ dev tun0
ca ca.crt
cert panda.crt
key panda.key # This file should be kept secret
+crl-verify crl.pem
# Diffie hellman parameters.
# Generate your own with:
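Review bot: Moving the server to UDP removes the TCP handshake that used to sit in front of the TLS negotiation, so any host that can reach port 1194 can make OpenVPN allocate session state; if `tls-auth` (or `tls-crypt` on 2.4+) is not configured elsewhere in vpn.conf — nothing in this hunk shows it — add it so datagrams without the HMAC are dropped before TLS. On OpenVPN 2.3 `proto udp6` binds IPv6-only, in which case the IPv4 rule opened in firewall.sh serves nothing and the client's `proto udp` from this commit cannot connect; on 2.4+ it is dual-stack by default, so confirm the target version and, if 2.3, use `proto udp6` on the client too. The `;proto udp` line below is now a duplicate of the active directive; replace it with `# was: proto tcp6-server` or remove it.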
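Review bot: The CRL this directive enables (decoded from crl.pem in the same commit) has thisUpdate 2014-04-14 and nextUpdate 2014-05-14, a one-month validity, and nothing in the patch regenerates it; on OpenVPN 2.4 and later, which validate the CRL through OpenSSL's CRL check, an expired CRL makes every client handshake fail with `CRL has expired`, while 2.3 keeps enforcing the stale list and never sees later revocations. Add a comment above the directive such as `# crl.pem is re-read on every connect; renew it before nextUpdate (currently 2014-05-14)` and tie CRL regeneration to whatever process issues the other certificates. Because `crl-verify` re-reads the file on each connection, it must also stay readable after any `user`/`group`/`chroot` drop configured later in the file (outside this hunk), otherwise revocation checking breaks after the first privilege drop. The CRL is signed with sha1WithRSAEncryption; regenerate it with SHA-256 when renewing.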