insecure
__ __________ __
| |
mullvad proxmox 7.x setup - 2024-02-12 14:26:25.402460
In /etc/pve/lxc/{{ VMID }}.conf add:
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.mount.entry: /tmp/net-cls-v1 tmp/net-cls-v1 none bind,create=dir
HOST:
script=/root/prepare-mullvad-lxc.sh
servicename=prepare-mullvad-lxc
cat > $script <<EOF
#!/usr/bin/env bash
# hand the tun device and a cgroup v1 net_cls hierarchy to the unprivileged CT
# (root inside the CT is uid/gid 100000 on the host)
chown 100000:100000 /dev/net/tun
mkdir -p /tmp/net-cls-v1
mountpoint -q /tmp/net-cls-v1 || mount -t cgroup -o net_cls none /tmp/net-cls-v1
chown -R 100000:100000 /tmp/net-cls-v1
EOF
chmod +x $script
cat > /etc/systemd/system/$servicename.service <<EOF
[Unit]
Description=Prepare /dev/net/tun and net_cls cgroup for the mullvad CT
# run before Proxmox auto-starts guests, so the CT finds the mount in place
Before=pve-guests.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$script
[Install]
WantedBy=default.target
EOF
systemctl enable $servicename
systemctl start $servicename
CT:
iptables -t nat -A POSTROUTING -o wg-mullvad -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
or
echo 1 > /proc/sys/net/ipv4/ip_forward
mullvad lan set allow
mullvad lockdown-mode set on
mullvad relay set tunnel-protocol wireguard
mullvad relay set location {{ country }}
mullvad connect
|__ __________ __|
--- .:: eof ::. ---
__ __________ __
| |
angel - 2023-10-29 23:35:12.647865
.. .
...........:. :.:..:^ .^.:..........
.7~^~~ .. ..::..::::^^!! .:.
.^?Y~~.. .. . ..... ::7~. .
... . ........^.... ...^: ...... ...^: ::
..:~J55PY??:...... . . .......
.:..~~^:.:^^:. ..:^~:.
..... .. .^!~.
^. .^!~:
7^ .~:~.
^Y: !!J
5~ !Y~
:5. : ...^. . . .JY
!! .!5 :JY~^^ .. . ::~. YY.
J~ ~^?~ :5P7!&BYJ. ::7JYY7 ?!
7. .~ : :#5:Y@5. ... :^^B@G7. 7^.
. ... ~. ~.^ .&5~JB~ .. P5G@&! ~~:..5~.
..:.. 7: .BP7 77^. . ~~^YJ?:G^!:.!. .
.::.. 7: ^&&#?.!:.^. . .^.Y&G!.. ..:.~.
..... ?: ~#&&&P~~.~::. .. !&@5.:. ..^:. :
.:. .!: J&&&#BB&Y.~~. .?B@&#!.:. .^~~^.:. :
: ^~. 5&@&&&#@B :PBGJ!^^7YB&@@&&&7.:. .:::^:. ^:^.
.. ..: ^#&&@&#&5 .~5&PB&&B&&#&&#@?:.: ..... .!:..^
^ ...^ ~&&@@@7~. Y?#@@&&B&##B@7. ^ .^ ..:...
. :. ^ :^ ^&@&57 .. .~&@5#7?&&&&^. ^ .^ ~~.
.~ .. ^: .G?^ .. . .G?!~.&@@G: ! ~ .~:.
. . .!^:~.^ . .. ....^^ . .:P&&7 ~!?7 ..:~
. :~^.~: ..7:: . .. .....:. YJ J^ J7: ...
.^.~~. .:~^:.^ .?: . .. . :.::^^. ^: .7 :!^~::......
.:~~. ~:.: .:~7~:..: ..:..^...^7.. ^..! :?:^~?:
..:^... ..7!~. ....:. :^.. . . ^. ..:^.
... ~^~ .. . .... : :^...
:::^ . .:
!.^. .. .: ^
.! . : : ^~.
:! . . .^ .. .:.
:~ ^ .: .
.^ : . : :
::. .. ::.:. ::
|__ __________ __|
--- .:: eof ::. ---
__ __________ __
| |
route client subnet to other VPN clients (openvpn!) - 2023-06-08 04:27:10.307919
Given this scenario:
 _______         _________        _________        _________
|       |       |         |      |         |      |         |
|  LAN  |- - - -| CLIENT1 |======| VPN SRV |======| CLIENT2 |
|_______|       |_________|      |_________|      |_________|
192.168.1.0/24  192.168.1.100      X.X.X.X         1.3.3.10
    |           1.3.3.7            1.3.3.1         _________
   _|_                                =           |         |
  |pho|                               ============| CLIENT3 |
  |ne |                                           |_________|
  |___|                                            1.3.3.11
192.168.1.110

= : VPN traffic
- : Client-only LAN traffic
I wanted to route client1's subnet (LAN) to the other VPN clients (client2, client3).
...so...
1. Set client config dir on VPN server
/etc/openvpn/server.conf
> ...
> client-config-dir /etc/openvpn/client
> ...
2. Set static IP and OVPN internal route for that specific peer.
/etc/openvpn/client/client1 (inside the client-config-dir; the file is named after the client's certificate CN)
> ifconfig-push 1.3.3.7 255.255.255.0 ## VPN Static IP
> iroute 192.168.1.0 255.255.255.0 ## OpenVPN internal route via client
3. Set server route, allow traffic between clients and push route to clients
/etc/openvpn/server.conf
> ...
> route 192.168.1.0 255.255.255.0
> client-to-client
> push "route 192.168.1.0 255.255.255.0"
> ...
4. Enable ip forwarding on VPN *client* box
Linux:
$ sysctl -w net.ipv4.ip_forward=1
or
$ echo 1 > /proc/sys/net/ipv4/ip_forward
Windows:
"Try to go to the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
If not already there, create a new REG_DWORD value named IPEnableRouter.
Set IPEnableRouter to 1 and reboot. Packet forward should now be enabled.
To add static routes use the route command."
- https://serverfault.com/a/929086
5. Route client's subnet devices through VPN client box, pick one (or more):
- pfsense
- openWRT
- set VPN client box as gateway (manual or DHCP server)
- add custom routes on subnet devices:
C:\Users\egoist> route ADD 1.3.3.0 mask 255.255.255.0 192.168.1.100
or
yuki@nostalgia:~# ip route add 1.3.3.0/24 via 192.168.1.100 dev eth0
(you know, so packets get back to the vpn client and phone can see vpn stuff)
My friend (client2) was able to ping my iPhone (client1's LAN), which was using
my computer (client1) as its gateway.
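As an added example, not from the original notes, this bash script builds the step 2 CCD entry and the step 3 server.conf lines from the addresses in the diagram, and refuses a static IP outside the VPN subnet or a LAN that overlaps it (the function names and the netmask helpers are my own, not OpenVPN's):

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: emit the client-config-dir entry and
# the server.conf directives for a client fronting a LAN, after checking addresses.

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET MASK -> true when IP lies inside NET/MASK
in_subnet() {
  local ip net mask
  ip=$(ip4_to_int "$1"); net=$(ip4_to_int "$2"); mask=$(ip4_to_int "$3")
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# subnets_overlap NET1 MASK1 NET2 MASK2 -> true when the ranges intersect
subnets_overlap() {
  local n1 n2 m
  n1=$(ip4_to_int "$1"); n2=$(ip4_to_int "$3")
  m=$(( $(ip4_to_int "$2") & $(ip4_to_int "$4") ))   # shorter of the two masks
  [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# ccd_entry VPN_NET VPN_MASK CLIENT_VPN_IP LAN_NET LAN_MASK -> CCD file lines;
# rejects a static IP outside the VPN subnet or a LAN that collides with it
ccd_entry() {
  local vpn_net=$1 vpn_mask=$2 vpn_ip=$3 lan_net=$4 lan_mask=$5
  if ! in_subnet "$vpn_ip" "$vpn_net" "$vpn_mask"; then
    echo "error: $vpn_ip is not inside $vpn_net/$vpn_mask" >&2; return 1
  fi
  if subnets_overlap "$vpn_net" "$vpn_mask" "$lan_net" "$lan_mask"; then
    echo "error: LAN $lan_net/$lan_mask overlaps the VPN subnet" >&2; return 1
  fi
  printf 'ifconfig-push %s %s\n' "$vpn_ip" "$vpn_mask"
  printf 'iroute %s %s\n' "$lan_net" "$lan_mask"
}

# server_directives LAN_NET LAN_MASK -> the three lines to add to server.conf
server_directives() {
  printf 'route %s %s\nclient-to-client\npush "route %s %s"\n' "$1" "$2" "$1" "$2"
}

# constructed values from the diagram; send the first call's output to
# /etc/openvpn/client/client1 (CCD files are named after the client's cert CN)
ccd_entry 1.3.3.0 255.255.255.0 1.3.3.7 192.168.1.0 255.255.255.0
server_directives 192.168.1.0 255.255.255.0
```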
|__ __________ __|
--- .:: eof ::. ---
end.