記事一覧

OpenVPN その2

vyattaでの作業です。
何らかの方法でvyatta.alleycat.co.jp.tarをアップロードしておいてください。

どこかにアップロードしてwgetしてくるなり、FileZillaやEmFTPでアップロードするなり。

コンソールでconfigureで編集モードになる前に、openvpnのファイルを展開しておきます。
mkdir openvpn
mv vyatta.alleycat.co.jp.tar openvpn/
cd openvpn
tar xzf vyatta.alleycat.co.jp.tar

次いで、openvpnクライアントとして設定をします。
configure
set interfaces openvpn vtun10
set interfaces openvpn vtun10 mode client
set interfaces openvpn vtun10 openvpn-option "--cipher aes-128-cbc"
set interfaces openvpn vtun10 protocol tcp-active
set interfaces openvpn vtun10 remote-host alleycat.co.jp
set interfaces openvpn vtun10 remote-port 11194
set interfaces openvpn vtun10 tls
set interfaces openvpn vtun10 tls ca-cert-file /home/vyatta/openvpn/ca.crt
set interfaces openvpn vtun10 tls cert-file /home/vyatta/openvpn/vyatta.alleycat.co.jp.crt
set interfaces openvpn vtun10 tls key-file /home/vyatta/openvpn/vyatta.alleycat.co.jp.key
commit
save

次いで、OpenVPN上から流れてくるパケットを制限します。
OpenVPN経由からは、リモートデスクトップ以外の接続は拒否する前提です。

set firewall name FROM-EXTERNAL description "Block Unwanted OpenVPN Traffic"

set firewall name FROM-EXTERNAL rule 10 description "Accept Established-Related Connections"
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name FROM-EXTERNAL rule 10 log disable

set firewall name FROM-EXTERNAL rule 20 description "Remote Desktop Access"
set firewall name FROM-EXTERNAL rule 20 action accept
set firewall name FROM-EXTERNAL rule 20 protocol tcp
set firewall name FROM-EXTERNAL rule 20 source address 10.8.0.1/24
set firewall name FROM-EXTERNAL rule 20 destination port 3389
set firewall name FROM-EXTERNAL rule 20 log disable
commit

set firewall name TO-ROUTER description "Traffic Destined for Router Itself"
set firewall name TO-ROUTER rule 10 description "Accept Established-Related Connections"
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 10 log disable

set firewall name TO-ROUTER rule 20 description "Accept ICMP Unreachable"
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol icmp
set firewall name TO-ROUTER rule 20 icmp type 3
set firewall name TO-ROUTER rule 20 log disable
set firewall name TO-ROUTER rule 22 description "Accept ICMP Echo Request"
set firewall name TO-ROUTER rule 22 action accept
set firewall name TO-ROUTER rule 22 protocol icmp
set firewall name TO-ROUTER rule 22 icmp type 8
set firewall name TO-ROUTER rule 22 log disable
set firewall name TO-ROUTER rule 24 description "Accept ICMP Time-Exceeded"
set firewall name TO-ROUTER rule 24 action accept
set firewall name TO-ROUTER rule 24 protocol icmp
set firewall name TO-ROUTER rule 24 icmp type 11
set firewall name TO-ROUTER rule 24 log disable

#普通ルータへのOpenVPN経由SSHログインは認めないので、
#このブロックは無視してよいです。
set firewall name TO-ROUTER rule 50 description "SSH Access"
set firewall name TO-ROUTER rule 50 action accept
set firewall name TO-ROUTER rule 50 protocol tcp
set firewall name TO-ROUTER rule 50 source address 10.8.0.1/24
set firewall name TO-ROUTER rule 50 destination port ssh
set firewall name TO-ROUTER rule 50 log disable

#普通ルータへのOpenVPN経由HTTPSログインは認めないので、
#このブロックは無視してよいです。
set firewall name TO-ROUTER rule 52 description "HTTPS Access"
set firewall name TO-ROUTER rule 52 action accept
set firewall name TO-ROUTER rule 52 protocol tcp
set firewall name TO-ROUTER rule 52 source address 10.8.0.1/24
set firewall name TO-ROUTER rule 52 destination port https
set firewall name TO-ROUTER rule 52 log disable

commit
save

set interfaces openvpn vtun10 firewall in name FROM-EXTERNAL
set interfaces openvpn vtun10 firewall local name TO-ROUTER
commit
save

こんな感じかな?
これでまだテストしてないので、コマンド直すかも。