VPN
The VPN server is a 1U Atom D525 system running EL6 and OpenVPN. It is shared with vpsFree.cz and is located at Master Internet, Prague.
Every member of base48 is eligible for a key to access the server. Get in contact with User:Snajpa, the maintainer of the network, to get yours.
There are three different OpenVPN setups on the machine:
- vpn.vpsfree.cz @ UDP 443 - bridged setup, provides IPv6 connectivity; target devices: laptops, workstations, etc.
- vpn.vpsfree.cz @ TCP 443 - bridged setup, provides IPv6 connectivity, pushes the default route via the VPN (useful on networks with restrictive firewalls); target devices: laptops, workstations, etc.
- vpn-mobile.vpsfree.cz @ TCP 443 - routed setup, does not provide IPv6 (yet); target devices: Android, iOS, Mikrotik, etc. (devices that do not support UDP or a bridged setup)
Note that all three VPN servers also push DNS resolvers to the client, so your device will resolve names through the internal DNS servers. This is so that we can have DNS records for internal IP addresses under our base48.cz domain (and mainly for vpsFree.cz purposes, as there is a lot of hardware there without a public address).
Configuration files
client.conf
client
dev tap
remote vpn.vpsfree.cz 443
;remote vpn-mobile.vpsfree.cz 443
proto udp
;proto tcp
; This is for desktops
ca /get/from/snajpa/ca.crt
cert /get/from/snajpa/client.crt
key /get/from/snajpa/client.key
dh /get/from/snajpa/dh.pem
; For mobile setups, you can embed these ^ files in <ca></ca>, <cert></cert>, ... markup tags.
keepalive 10 120
cipher AES-128-CBC
comp-lzo
mssfix
script-security 2
verb 4
; Omit this for mobile setup
up-restart
up "/path/to/use-dns-from-server.sh up"
down "/path/to/use-dns-from-server.sh down"
use-dns-from-server.sh
#!/bin/bash
case "$1" in
up)
    # keep the original resolver config so "down" can restore it
    mv /etc/resolv.conf /etc/resolv.conf.bak
    # OpenVPN exports pushed options as foreign_option_1, foreign_option_2, ...
    for opt in ${!foreign_option_*}; do
        echo ${!opt} | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /etc/resolv.conf
    done
    SEARCH="search "
    NEWRESOLV=/etc/resolv.conf.new
    echo "" > $NEWRESOLV
    # collect all pushed domains into one search line, keep nameserver lines as they are
    while read line; do
        if echo $line | grep -qi "domain"; then
            SEARCH+="$(echo $line | awk '{ print $2; }') "
        elif echo $line | grep -qi "nameserver"; then
            echo $line >> $NEWRESOLV
        fi
    done < /etc/resolv.conf
    echo $SEARCH >> $NEWRESOLV
    echo "# Generated by OpenVPN Client UP Script" >> $NEWRESOLV
    # tac reverses the file so the comment and search line end up on top
    tac $NEWRESOLV > /etc/resolv.conf
    rm $NEWRESOLV
    ;;
down)
    mv /etc/resolv.conf.bak /etc/resolv.conf
    ;;
*)
    echo "Pass either UP or DOWN"
    ;;
esac
exit 0
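The script above copies whatever dhcp-option values the server pushes straight into /etc/resolv.conf, and with script-security 2 it runs as root. The following is an added example, not the wiki's script: a stricter helper (the function names is_ipv4, is_domain and build_resolv_conf are my own) that reads the same foreign_option_N variables OpenVPN exports to an up script, keeps only a well-formed IPv4 resolver or domain name, and prints the resulting resolv.conf so the pushed values can be checked before they are written anywhere.

```shell
#!/bin/sh
# Added example (not the wiki's own script): rebuild resolv.conf content from the
# foreign_option_N variables OpenVPN exports to an "up" script (script-security 2),
# accepting only well-formed values so a pushed option cannot inject arbitrary lines.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# is_domain NAME: succeed only for dot-separated labels of letters, digits and hyphens
is_domain() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# build_resolv_conf: print resolv.conf lines built from foreign_option_1, _2, ...
# (the server's pushed "dhcp-option DNS a.b.c.d" / "dhcp-option DOMAIN name"),
# reporting every rejected or unknown option on stderr instead of copying it.
build_resolv_conf() {
    search=""; servers=""; i=1
    while eval "[ -n \"\${foreign_option_$i+set}\" ]"; do
        eval "opt=\$foreign_option_$i"      # only the numeric index is interpolated
        case "$opt" in
            "dhcp-option DNS "*)
                value=${opt#"dhcp-option DNS "}
                if is_ipv4 "$value"; then servers="$servers $value"
                else echo "rejected DNS option: $opt" >&2; fi ;;
            "dhcp-option DOMAIN "*)
                value=${opt#"dhcp-option DOMAIN "}
                if is_domain "$value"; then search="$search $value"
                else echo "rejected DOMAIN option: $opt" >&2; fi ;;
            *) echo "ignored option: $opt" >&2 ;;
        esac
        i=$((i + 1))
    done
    printf '# Generated by OpenVPN client up script\n'
    [ -n "$search" ] && printf 'search%s\n' "$search"
    for server in $servers; do printf 'nameserver %s\n' "$server"; done
}
```

To use it from the up) branch, back up /etc/resolv.conf as the wiki script does and then run build_resolv_conf > /etc/resolv.conf.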
NixOS config
Save the following snippet as vpn.nix and include it from configuration.nix:
let
credsPath = "/root/your-dir-with-certs";
in
{
services.openvpn.servers = {
vpsf = {
config = ''
client
dev tap
remote 77.93.223.7 443
proto udp
keepalive 10 120
cipher AES-128-CBC
comp-lzo
mssfix
ca ${credsPath}/ca.crt
cert ${credsPath}/client.crt
key ${credsPath}/client.key
dh ${credsPath}/dh2048.pem
'';
updateResolvConf = true;
};
};
}