Monday, May 29, 2017

FreeBSD zaborona

These instructions should apply to most versions of FreeBSD and its derivatives.

As an example we take a clean system in a bhyve virtual machine; everything is done as root.

## Installing packages
```
root@iscsi:/home/test # pkg install openvpn
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-1.10.1...
Extracting pkg-1.10.1: 100%
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    6 MiB 663.8kB/s    00:09
Processing entries: 100%
FreeBSD repository update completed. 26288 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 4 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        openvpn: 2.4.2
        easy-rsa: 3.0.1_1
        lzo2: 2.10_1
        liblz4: 1.7.5,1

Number of packages to be installed: 4

The process will require 3 MiB more space.
696 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/4] Fetching openvpn-2.4.2.txz: 100%  455 KiB 466.3kB/s    00:01
[2/4] Fetching easy-rsa-3.0.1_1.txz: 100%   33 KiB  33.4kB/s    00:01
[3/4] Fetching lzo2-2.10_1.txz: 100%  113 KiB 115.4kB/s    00:01
[4/4] Fetching liblz4-1.7.5,1.txz: 100%   95 KiB  97.4kB/s    00:01
Checking integrity... done (0 conflicting)
[1/4] Installing easy-rsa-3.0.1_1...
[1/4] Extracting easy-rsa-3.0.1_1: 100%
[2/4] Installing lzo2-2.10_1...
[2/4] Extracting lzo2-2.10_1: 100%
[3/4] Installing liblz4-1.7.5,1...
[3/4] Extracting liblz4-1.7.5,1: 100%
[4/4] Installing openvpn-2.4.2...
Extracting openvpn-2.4.2: 100%
Message from openvpn-2.4.2:
### ------------------------------------------------------------------------
###  Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
###  startup. See /usr/local/etc/rc.d/openvpn for details.
### ------------------------------------------------------------------------
###  Connect to VPN server as a client with this command to include
###  the client.up/down scripts in the initialization:
###  openvpn-client <spec>.ovpn
### ------------------------------------------------------------------------
###  For compatibility notes when interoperating with older OpenVPN
###  versions, please, see <http://openvpn.net/relnotes.html>
### ------------------------------------------------------------------------
```
If pkg itself has not been installed yet, the system offers to bootstrap it first.

## Building the config
```
root@iscsi:/home/test # fetch https://zaborona.help/zaborona-help.ovpn
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
fetch: https://zaborona.help/zaborona-help.ovpn: Authentication error
root@iscsi:/home/test # fetch --no-verify-peer https://zaborona.help/zaborona-help.ovpn
zaborona-help.ovpn                            100% of 4532  B   14 MBps 00m00s
root@iscsi:/home/test # cp zaborona-help.ovpn /usr/local/etc/openvpn/openvpn.conf
cp: /usr/local/etc/openvpn/openvpn.conf: No such file or directory
root@iscsi:/home/test # mkdir /usr/local/etc/openvpn/
root@iscsi:/home/test # cp zaborona-help.ovpn /usr/local/etc/openvpn/openvpn.conf
```
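The profile just fetched is copied straight into openvpn.conf and will run as root, so it is worth checking what it contains first. This is an added example, not part of the original post: `audit_ovpn` flags directives that execute or enable external commands and checks for `remote-cert-tls server`; the sample profile it writes is constructed and is not the real zaborona-help.ovpn.

```shell
#!/bin/sh
# Audit a third-party OpenVPN profile before copying it to openvpn.conf.
# OpenVPN runs as root here, so any directive that executes an external
# command gives the profile's author code execution on the box.
# Added example, not from the original post; the sample profile is constructed.

# Directives that execute, or enable, external commands and loadable code.
SCRIPT_DIRECTIVES='up down route-up route-pre-down ipchange tls-verify client-connect client-disconnect learn-address auth-user-pass-verify plugin script-security'

audit_ovpn() {
    rc=0
    # Look at the first word of each line; skip blanks, comments (# or ;),
    # inline <ca>/<cert>/<key> tags and the PEM lines inside them.
    while read -r directive rest; do
        case "$directive" in
            ''|'#'*|';'*|'<'*|'-'*) continue ;;
        esac
        case " $SCRIPT_DIRECTIVES " in
            *" $directive "*)
                echo "WARN: runs external code: '$directive $rest'"
                rc=1 ;;
        esac
    done < "$1"
    # Without this the client accepts any certificate signed by the CA,
    # another client's included, as the server.
    if ! grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$1"; then
        echo "WARN: no 'remote-cert-tls server' directive"
        rc=1
    fi
    return $rc
}

write_sample_profile() {
    # Constructed sample profile, not the real zaborona-help.ovpn.
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
cipher AES-256-GCM
verb 3
# the next two lines would run a command as root once the tunnel is up
script-security 2
up /tmp/post-connect.sh
EOF
}

# Usage: audit_ovpn zaborona-help.ovpn && cp zaborona-help.ovpn /usr/local/etc/openvpn/openvpn.conf
```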
The certificate verification failure in that fetch happens because a fresh FreeBSD install has no root CA bundle; `--no-verify-peer` disables TLS verification entirely, so installing ca_root_nss first and fetching with verification on is the cleaner route. Almost done: now enable openvpn in rc.conf, start it, and check.
```
root@iscsi:/home/test # echo 'openvpn_enable="YES"' >> /etc/rc.conf
root@iscsi:/home/test # service openvpn restart
openvpn not running? (check /var/run/openvpn.pid).
Starting openvpn.
root@iscsi:/home/test # netstat -nr | grep tun0
5.45.192.0/18      192.168.224.1      UGS        tun0
5.61.16.0/21       192.168.224.1      UGS        tun0
5.61.232.0/21      192.168.224.1      UGS        tun0
5.255.192.0/18     192.168.224.1      UGS        tun0
37.9.64.0/18       192.168.224.1      UGS        tun0
37.140.128.0/18    192.168.224.1      UGS        tun0
74.82.42.42/32     192.168.224.1      UGS        tun0
77.74.176.0/22     192.168.224.1      UGS        tun0
77.74.176.0/21     192.168.224.1      UGS        tun0
77.74.181.0/24     192.168.224.1      UGS        tun0
77.74.183.0/24     192.168.224.1      UGS        tun0
77.75.152.0/22     192.168.224.1      UGS        tun0
77.75.159.0/24     192.168.224.1      UGS        tun0
77.88.0.0/18       192.168.224.1      UGS        tun0
79.137.157.0/24    192.168.224.1      UGS        tun0
79.137.183.0/24    192.168.224.1      UGS        tun0
84.201.128.0/18    192.168.224.1      UGS        tun0
87.240.128.0/18    192.168.224.1      UGS        tun0
87.250.224.0/19    192.168.224.1      UGS        tun0
91.103.64.0/21     192.168.224.1      UGS        tun0
93.158.128.0/18    192.168.224.1      UGS        tun0
93.159.224.0/21    192.168.224.1      UGS        tun0
93.159.228.0/22    192.168.224.1      UGS        tun0
93.186.224.0/20    192.168.224.1      UGS        tun0
94.100.176.0/20    192.168.224.1      UGS        tun0
95.108.128.0/17    192.168.224.1      UGS        tun0
95.142.192.0/20    192.168.224.1      UGS        tun0
95.163.32.0/19     192.168.224.1      UGS        tun0
95.163.248.0/21    192.168.224.1      UGS        tun0
95.213.0.0/18      192.168.224.1      UGS        tun0
100.43.64.0/19     192.168.224.1      UGS        tun0
109.235.160.0/21   192.168.224.1      UGS        tun0
128.140.168.0/21   192.168.224.1      UGS        tun0
130.193.32.0/19    192.168.224.1      UGS        tun0
141.8.128.0/18     192.168.224.1      UGS        tun0
178.22.88.0/21     192.168.224.1      UGS        tun0
178.154.128.0/17   192.168.224.1      UGS        tun0
178.237.16.0/20    192.168.224.1      UGS        tun0
185.5.136.0/22     192.168.224.1      UGS        tun0
185.16.148.0/22    192.168.224.1      UGS        tun0
185.16.244.0/22    192.168.224.1      UGS        tun0
185.29.130.0/24    192.168.224.1      UGS        tun0
185.32.185.0/24    192.168.224.1      UGS        tun0
185.32.186.0/24    192.168.224.1      UGS        tun0
185.32.248.0/22    192.168.224.1      UGS        tun0
185.54.220.0/23    192.168.224.1      UGS        tun0
185.71.76.0/22     192.168.224.1      UGS        tun0
185.85.12.0/24     192.168.224.1      UGS        tun0
185.85.14.0/23     192.168.224.1      UGS        tun0
188.93.56.0/21     192.168.224.1      UGS        tun0
192.168.224.0/22   192.168.224.1      UGS        tun0
192.168.224.1      link#3             UH         tun0
194.186.63.0/24    192.168.224.1      UGS        tun0
195.211.20.0/22    192.168.224.1      UGS        tun0
195.211.128.0/22   192.168.224.1      UGS        tun0
195.218.168.0/24   192.168.224.1      UGS        tun0
199.21.96.0/22     192.168.224.1      UGS        tun0
199.36.240.0/22    192.168.224.1      UGS        tun0
208.87.94.0/24     192.168.224.1      UGS        tun0
213.180.192.0/19   192.168.224.1      UGS        tun0
217.20.144.0/20    192.168.224.1      UGS        tun0
217.69.128.0/20    192.168.224.1      UGS        tun0
root@iscsi:/home/test # ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 192.168.226.41 --> 192.168.224.1  netmask 0xfffffc00
        nd6 options=1<PERFORMNUD>
        groups: tun
        Opened by PID 2737
```
The session came up and the routes were installed.
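The routing table above shows a split tunnel: only specific prefixes go via tun0 and the default route stays on the real uplink. The check below, added here and not part of the original post, verifies that on `netstat -nr` output: every tun0 route must use the VPN gateway and there must be no default route through the tunnel (a pushed redirect-gateway would send all traffic to the provider). The sample table is a constructed excerpt in the same format.

```shell
#!/bin/sh
# Verify the VPN stays a split tunnel: every route via tun0 points at the
# VPN gateway and no default route goes through it.
# Added example, not from the original post; the sample table is constructed.

check_tun_routes() {
    # $1: file holding `netstat -nr` output, $2: expected VPN gateway
    awk -v gw="$2" '
        $NF != "tun0"   { next }
        $1 == "default" { print "FAIL: default route via tun0 (" $2 ")"; bad++; next }
        $2 ~ /^link#/   { next }   # the tunnel endpoint itself, not a forwarded prefix
        $2 != gw        { print "FAIL: " $1 " via unexpected gateway " $2; bad++; next }
                        { n++ }
        END { printf "%d prefixes via tun0 through %s\n", n, gw; exit (bad > 0) }
    ' "$1"
}

write_sample_routes() {
    # Constructed excerpt in `netstat -nr` format (a few lines from above
    # plus a default route on the real uplink vtnet0).
    cat > "$1" <<'EOF'
Destination        Gateway            Flags     Netif Expire
default            10.0.0.1           UGS       vtnet0
10.0.0.0/24        link#1             U         vtnet0
5.45.192.0/18      192.168.224.1      UGS        tun0
77.88.0.0/18       192.168.224.1      UGS        tun0
192.168.224.0/22   192.168.224.1      UGS        tun0
192.168.224.1      link#3             UH         tun0
EOF
}

# Usage: netstat -nr > /tmp/routes && check_tun_routes /tmp/routes 192.168.224.1
```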

## If the machine is a router
Using ipfw as an example, add a new NAT instance:
```
ipfw nat 4 config log if tun0 reset same_ports deny_in
ipfw add nat 4 ip from any to any via tun0
```
If nothing restrictive was added above, all machines on the internal network will reach where they need to.