insecure
mullvad proxmox 7.x setup

2024-02-12 14:26:25.402460 by demon

    In /etc/pve/lxc/{{ VMID }}.conf add:
        lxc.mount.entry: /dev/net dev/net none bind,create=dir
        lxc.mount.entry: /tmp/net-cls-v1 tmp/net-cls-v1 none bind,create=dir

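    HOST:
        # Boot-time service: hand /dev/net/tun and a cgroup v1 net_cls hierarchy
        # to host uid/gid 100000 (root inside an unprivileged CT).
        script=/root/pepare-mullvad-lxc.sh
        servicename=pepare-mullvad-lxc
        cat > "$script" <<'EOF'
        #!/usr/bin/env bash
        chown 100000:100000 /dev/net/tun
        mkdir -p /tmp/net-cls-v1
        # skip the mount if the hierarchy is already mounted (service re-run)
        mountpoint -q /tmp/net-cls-v1 || mount -t cgroup -o net_cls none /tmp/net-cls-v1
        chown -R 100000:100000 /tmp/net-cls-v1
        EOF
        chmod +x "$script"
        # unquoted EOF on purpose: $script is expanded into ExecStart=
        cat > "/etc/systemd/system/$servicename.service" <<EOF
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=$script
        [Install]
        WantedBy=default.target
        EOF
        systemctl daemon-reload
        systemctl enable "$servicename"
        systemctl start "$servicename"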

    CT:
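        # NAT forwarded traffic only when it leaves through the Mullvad WireGuard interface
        iptables -t nat -A POSTROUTING -o wg-mullvad -j MASQUERADE
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        # the next two lines are equivalent; neither setting survives a reboot
        sysctl -w net.ipv4.ip_forward=1
        echo 1 > /proc/sys/net/ipv4/ip_forward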
        mullvad lan set allow
        mullvad lockdown-mode set on
        mullvad relay set tunnel-protocol wireguard
        mullvad relay set location {{ country }}
        mullvad connect
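
    The chown to 100000:100000 in the HOST step only matches the container's root
    when the CT is unprivileged and uses the default id mapping. The check below is
    an added example, not part of the original post; the function name, the sample
    hostname and the sample configs are constructed for illustration.

```bash
# check_ct_conf <file>: print one line per problem in a Proxmox LXC config,
# print nothing when the config matches what the host script assumes.
check_ct_conf() {
    conf=$1
    # Host uid 100000 is root inside the CT only for unprivileged containers
    # with the default mapping (CT uid 0 -> host uid 100000).
    grep -Eq '^unprivileged:[[:space:]]*1[[:space:]]*$' "$conf" \
        || echo "not unprivileged: uid 100000 is not the container's root"
    if grep -Eq '^lxc\.idmap[[:space:]]*[:=]' "$conf"; then
        echo "custom lxc.idmap: confirm CT uid 0 still maps to host uid 100000"
    fi
    # Both bind mounts from the post must be present.
    for src in /dev/net /tmp/net-cls-v1; do
        grep -Eq "^lxc\.mount\.entry[[:space:]]*[:=][[:space:]]*$src ${src#/} none bind,create=dir[[:space:]]*\$" "$conf" \
            || echo "missing bind mount for $src"
    done
}

# Constructed sample configs (not real /etc/pve/lxc files).
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.conf" <<'EOF'
arch: amd64
hostname: mullvad-gw
unprivileged: 1
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.mount.entry: /tmp/net-cls-v1 tmp/net-cls-v1 none bind,create=dir
EOF
cat > "$sample_dir/bad.conf" <<'EOF'
arch: amd64
hostname: mullvad-gw
lxc.mount.entry: /dev/net dev/net none bind,create=dir
EOF

check_ct_conf "$sample_dir/good.conf"   # no output
check_ct_conf "$sample_dir/bad.conf"    # two findings
```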

angel

2023-10-29 23:35:12.647865 by lemon

                                  .. .                                                 
                          ...........:.   :.:..:^ .^.:..........                       
                        .7~^~~ ..                  ..::..::::^^!!  .:.                 
                        .^?Y~~..  ..         .      .....          ::7~. .             
                           ...    . ........^....   ...^:  ......  ...^: ::            
                                      ..:~J55PY??:......    .   .  .......             
                                    .:..~~^:.:^^:. ..:^~:.                             
                                .....          ..       .^!~.                          
                               ^.                         .^!~:                        
                              7^                            .~:~.                      
                             ^Y:                              !!J                      
                             5~                                !Y~                     
                            :5.   :     ...^.    .     .       .JY                     
                            !!  .!5      :JY~^^ ..    .  ::~.   YY.                   
                            J~  ~^?~   :5P7!&BYJ.    ::7JYY7    ?!                    
                                 7.  .~ :   :#5:Y@5.   ... :^^B@G7.   7^.             
 .  ...                     ~.   ~.^   .&5~JB~   ..   P5G@&! ~~:..5~.                  
      ..:..                 7:   .BP7  77^.        .  ~~^YJ?:G^!:.!.                 .  
          .::..             7:   ^&&#?.!:.^. .         .^.Y&G!..                 ..:.~. 
             .....          ?:   ~#&&&P~~.~::.   ..      !&@5.:.              ..^:.  :  
                 .:.       .!:   J&&&#BB&Y.~~.        .?B@&#!.:.           .^~~^.:. :   
                   :       ^~.   5&@&&&#@B :PBGJ!^^7YB&@@&&&7.:.      .:::^:.    ^:^.   
                   ..     ..:    ^#&&@&#&5  .~5&PB&&B&&#&&#@?:.:   .....       .!:..^   
                    ^    ...^    ~&&@@@7~.     Y?#@@&&B&##B@7. ^ .^           ..:...    
     .              :.   ^ :^    ^&@&57     ..  .~&@5#7?&&&&^. ^ .^             ~~.     
                    .~  .. ^:    .G?^       ..  . .G?!~.&@@G:  ! ~           .~:.       
       .      .   .!^:~.^         . ..      ....^^  . .:P&&7  ~!?7         ..:~         
        .     :~^.~: ..7::         . ..     .....:.      YJ  J^ J7:        ...          
            .^.~~.  .:~^:.^  .?:  .   ..   . :.::^^.     ^: .7 :!^~::......             
             .:~~.   ~:.: .:~7~:..:     ..:..^...^7..     ^..! :?:^~?:                  
                  ..:^... ..7!~.          ....:. :^..   . .  ^. ..:^.                   
                        ... ~^~         ..   .  ....      :  :^...                      
                           :::^          .                .:                            
                           !.^.          ..            .:  ^                            
                          .! .            :             :  ^~.                          
                          :!   .      .  .^             ..  .:.                         
                          :~              ^             .:    .                         
                          .^            : .              :     :                        
                          ::.            ..              ::.:. ::                       

route client subnet to other VPN clients (openvpn!)

2023-06-08 04:27:10.307919 by demon

   Given this scenario:
          _______         _________        _________         _________
         |       |       |         |      |         |       |         |
         |  LAN  |- - - -| CLIENT1 |======| VPN SRV |=======| CLIENT2 |
         |_______|       |_________|      |_________|       |_________|
      192.168.1.0/24    192.168.1.100       X.X.X.X          1.3.3.10
            |              1.3.3.7          1.3.3.1          _________
           _|_                                =             |         |
          |pho|                               ==============| CLIENT3 |
          |ne |                                             |_________|
          |___|                                              1.3.3.11
      192.168.1.110
      
      = : VPN traffic
      - : Client-only LAN Traffic

   I wanted to route client1 subnet (LAN) to other VPN clients (client2, client3).

   ...so...

   1. Set client config dir on VPN server
   /etc/openvpn/server.conf
      > ...
      > client-config-dir /etc/openvpn/client
      > ...

   2. Set static IP and OVPN internal route for that specific peer.
      (the file goes inside client-config-dir, named after the client's certificate CN)
   /etc/openvpn/client/client1
      > ifconfig-push 1.3.3.7 255.255.255.0 ## VPN Static IP 
      > iroute 192.168.1.0 255.255.255.0    ## OpenVPN internal route via client

   3. Set server route, allow traffic between clients and push route to clients
   /etc/openvpn/server.conf
      > ...
      > route 192.168.1.0 255.255.255.0  
      > client-to-client
      > push "route 192.168.1.0 255.255.255.0"
      > ...

   4. Enable IP forwarding on the VPN *client* box
   Linux:
      $ sysctl -w net.ipv4.ip_forward=1
      or
      $ echo 1 > /proc/sys/net/ipv4/ip_forward
      
   Windows: 
      "Try to go to the registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

      If not already there, create a new REG_DWORD value named IPEnableRouter. 
      Set IPEnableRouter to 1 and reboot. Packet forward should now be enabled.
      To add static routes use the route command."
      - https://serverfault.com/a/929086

   5. Route client's subnet devices through VPN client box, pick one (or more):
      - pfsense
      - openWRT
      - set VPN client box as gateway (manual or DHCP server)
      - add custom routes on subnet devices:
          C:\Users\egoist> route ADD 1.3.3.0 mask 255.255.255.0 192.168.1.100
        or
          yuki@nostalgia:~# ip route add 1.3.3.0/24 via 192.168.1.100 dev eth0
 
   (you know, so packets get back to the vpn client and phone can see vpn stuff)
   
   My friend (client2) was able to ping my iPhone (client1's LAN), which was using
   my computer (client1) as gateway.
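
   Steps 1-3 only work when the server `route`, the `push "route ..."` and the
   per-client `iroute` agree; the `iroute` is also what makes OpenVPN accept
   packets sourced from 192.168.1.0/24 from that one client. The cross-check below
   is an added example, not part of the original post; function names and the
   sample files are constructed.

```bash
# Added example, not from the original post; names and sample files are constructed.
# has_line <file> <words...>: true if some line's leading fields equal the words
# (double quotes are ignored, so: push "route a b" matches: push route a b).
has_line() {
    hl_file=$1; shift
    tr -d '"' < "$hl_file" | awk -v want="$*" '
        { n = split(want, w, " "); hit = 1
          for (i = 1; i <= n; i++) if ($i != w[i]) hit = 0
          if (hit) ok = 1 }
        END { exit !ok }'
}

# check_routes <server.conf>: one line per inconsistency, no output if consistent.
check_routes() {
    conf=$1
    ccd=$(awk '$1 == "client-config-dir" { print $2; exit }' "$conf")
    [ -d "$ccd" ] || { echo "client-config-dir missing or not a directory"; return 0; }
    # Each iroute needs a kernel route on the server and a push to the other clients.
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        awk '$1 == "iroute" { print $2, $3 }' "$f" | while read -r net mask; do
            has_line "$conf" route "$net" "$mask" ||
                echo "${f##*/}: iroute $net $mask has no server route"
            has_line "$conf" push route "$net" "$mask" ||
                echo "${f##*/}: $net $mask is not pushed"
        done
    done
    # Each server route needs an owning client; without one OpenVPN drops the packets.
    awk '$1 == "route" { print $2, $3 }' "$conf" | while read -r net mask; do
        owned=no
        for f in "$ccd"/*; do
            [ -f "$f" ] && has_line "$f" iroute "$net" "$mask" && owned=yes
        done
        [ "$owned" = yes ] || echo "route $net $mask has no iroute in $ccd"
    done
}

# Constructed sample mirroring steps 1-3, in a temporary directory.
d=$(mktemp -d); mkdir "$d/client"
cat > "$d/server.conf" <<EOF
client-config-dir $d/client
route 192.168.1.0 255.255.255.0
client-to-client
push "route 192.168.1.0 255.255.255.0"
EOF
printf 'ifconfig-push 1.3.3.7 255.255.255.0\niroute 192.168.1.0 255.255.255.0\n' > "$d/client/client1"
check_routes "$d/server.conf"        # consistent: prints nothing
mv "$d/client/client1" "$d/client1"  # per-client file left outside client-config-dir
check_routes "$d/server.conf"        # reports the route that no client owns
```

   With `client-to-client` set, traffic between clients is forwarded inside the
   OpenVPN process and never crosses the server's tun interface, so iptables rules
   on the server cannot limit what client2 and client3 reach in 192.168.1.0/24.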
   

 
   