Revisions
balupton revised this gist
Sep 24, 2022. 1 changed file with 655 additions and 0 deletions.
@@ -0,0 +1,655 @@ ``` > sudo iptables -L -v [sudo] password for balupton: Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination ``` ``` > resolvectl status --no-pager Global Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported resolv.conf mode: stub Link 2 (ens33) Current Scopes: DNS Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported Current DNS Server: 192.168.4.1 DNS Servers: 192.168.4.1 ``` ``` > sudo-helper -- resolvectl default-route ens33 Link 2 (ens33): yes ``` ``` > openvpn --config au614.nordvpn.com.udp1194.ovpn 2022-09-23 22:27:19 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning. 
2022-09-23 22:27:19 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022 2022-09-23 22:27:19 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10 Enter Auth Username: redacted 🔐 Enter Auth Password: ************************ 2022-09-23 22:27:29 WARNING: --ping should normally be used with --ping-restart or --ping-exit 2022-09-23 22:27:29 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 2022-09-23 22:27:29 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 2022-09-23 22:27:29 TCP/UDP: Preserving recently used remote address: [AF_INET]103.137.12.163:1194 2022-09-23 22:27:29 Socket Buffers: R=[212992->212992] S=[212992->212992] 2022-09-23 22:27:29 UDP link local: (not bound) 2022-09-23 22:27:29 UDP link remote: [AF_INET]103.137.12.163:1194 2022-09-23 22:27:29 TLS: Initial packet from [AF_INET]103.137.12.163:1194, sid=6df699e9 adaca097 2022-09-23 22:27:29 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA 2022-09-23 22:27:29 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7 2022-09-23 22:27:29 VERIFY KU OK 2022-09-23 22:27:29 Validating certificate extended key usage 2022-09-23 22:27:29 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 2022-09-23 22:27:29 VERIFY EKU OK 2022-09-23 22:27:29 VERIFY X509NAME OK: CN=au614.nordvpn.com 2022-09-23 22:27:29 VERIFY OK: depth=0, CN=au614.nordvpn.com 2022-09-23 22:27:29 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512 2022-09-23 22:27:29 [au614.nordvpn.com] Peer Connection Initiated with [AF_INET]103.137.12.163:1194 2022-09-23 22:27:31 SENT CONTROL [au614.nordvpn.com]: 'PUSH_REQUEST' (status=1) 2022-09-23 22:27:31 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 
103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.1.6 255.255.255.0,peer-id 7,cipher AES-256-GCM' 2022-09-23 22:27:31 OPTIONS IMPORT: timers and/or timeouts modified 2022-09-23 22:27:31 OPTIONS IMPORT: explicit notify parm(s) modified 2022-09-23 22:27:31 OPTIONS IMPORT: compression parms modified 2022-09-23 22:27:31 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified 2022-09-23 22:27:31 Socket Buffers: R=[212992->425984] S=[212992->425984] 2022-09-23 22:27:31 OPTIONS IMPORT: --ifconfig/up options modified 2022-09-23 22:27:31 OPTIONS IMPORT: route options modified 2022-09-23 22:27:31 OPTIONS IMPORT: route-related options modified 2022-09-23 22:27:31 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified 2022-09-23 22:27:31 OPTIONS IMPORT: peer-id set 2022-09-23 22:27:31 OPTIONS IMPORT: adjusting link_mtu to 1657 2022-09-23 22:27:31 OPTIONS IMPORT: data channel crypto options modified 2022-09-23 22:27:31 Data Channel: using negotiated cipher 'AES-256-GCM' 2022-09-23 22:27:31 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2022-09-23 22:27:31 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2022-09-23 22:27:31 net_route_v4_best_gw query: dst 0.0.0.0 2022-09-23 22:27:31 net_route_v4_best_gw result: via 192.168.4.1 dev ens33 2022-09-23 22:27:31 ROUTE_GATEWAY 192.168.4.1/255.255.252.0 IFACE=ens33 HWADDR=00:0c:29:c7:7a:02 2022-09-23 22:27:31 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) 2022-09-23 22:27:31 Exiting due to fatal error ``` ``` > sudo openvpn --config au614.nordvpn.com.udp1194.ovpn 2022-09-23 22:27:46 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. 
Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning. 2022-09-23 22:27:46 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022 2022-09-23 22:27:46 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10 Enter Auth Username: redacted 🔐 Enter Auth Password: ************************ 2022-09-23 22:27:52 WARNING: --ping should normally be used with --ping-restart or --ping-exit 2022-09-23 22:27:52 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 2022-09-23 22:27:52 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 2022-09-23 22:27:52 TCP/UDP: Preserving recently used remote address: [AF_INET]103.137.12.163:1194 2022-09-23 22:27:52 Socket Buffers: R=[212992->212992] S=[212992->212992] 2022-09-23 22:27:52 UDP link local: (not bound) 2022-09-23 22:27:52 UDP link remote: [AF_INET]103.137.12.163:1194 2022-09-23 22:27:52 TLS: Initial packet from [AF_INET]103.137.12.163:1194, sid=7eb62b69 0ad279f4 2022-09-23 22:27:52 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA 2022-09-23 22:27:52 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7 2022-09-23 22:27:52 VERIFY KU OK 2022-09-23 22:27:52 Validating certificate extended key usage 2022-09-23 22:27:52 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 2022-09-23 22:27:52 VERIFY EKU OK 2022-09-23 22:27:52 VERIFY X509NAME OK: CN=au614.nordvpn.com 2022-09-23 22:27:52 VERIFY OK: depth=0, CN=au614.nordvpn.com 2022-09-23 22:27:52 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512 2022-09-23 22:27:52 [au614.nordvpn.com] Peer Connection Initiated with [AF_INET]103.137.12.163:1194 2022-09-23 22:27:52 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway 
def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.1.9 255.255.255.0,peer-id 12,cipher AES-256-GCM' 2022-09-23 22:27:52 OPTIONS IMPORT: timers and/or timeouts modified 2022-09-23 22:27:52 OPTIONS IMPORT: explicit notify parm(s) modified 2022-09-23 22:27:52 OPTIONS IMPORT: compression parms modified 2022-09-23 22:27:52 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified 2022-09-23 22:27:52 Socket Buffers: R=[212992->425984] S=[212992->425984] 2022-09-23 22:27:52 OPTIONS IMPORT: --ifconfig/up options modified 2022-09-23 22:27:52 OPTIONS IMPORT: route options modified 2022-09-23 22:27:52 OPTIONS IMPORT: route-related options modified 2022-09-23 22:27:52 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified 2022-09-23 22:27:52 OPTIONS IMPORT: peer-id set 2022-09-23 22:27:52 OPTIONS IMPORT: adjusting link_mtu to 1657 2022-09-23 22:27:52 OPTIONS IMPORT: data channel crypto options modified 2022-09-23 22:27:52 Data Channel: using negotiated cipher 'AES-256-GCM' 2022-09-23 22:27:52 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2022-09-23 22:27:52 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2022-09-23 22:27:52 net_route_v4_best_gw query: dst 0.0.0.0 2022-09-23 22:27:52 net_route_v4_best_gw result: via 192.168.4.1 dev ens33 2022-09-23 22:27:52 ROUTE_GATEWAY 192.168.4.1/255.255.252.0 IFACE=ens33 HWADDR=00:0c:29:c7:7a:02 2022-09-23 22:27:52 TUN/TAP device tun0 opened 2022-09-23 22:27:52 net_iface_mtu_set: mtu 1500 for tun0 2022-09-23 22:27:52 net_iface_up: set tun0 up 2022-09-23 22:27:52 net_addr_v4_add: 10.8.1.9/24 dev tun0 2022-09-23 22:27:52 net_route_v4_add: 103.137.12.163/32 via 192.168.4.1 dev [NULL] table 0 metric -1 2022-09-23 22:27:52 net_route_v4_add: 0.0.0.0/1 via 10.8.1.1 dev [NULL] table 0 metric -1 2022-09-23 22:27:52 net_route_v4_add: 128.0.0.0/1 
via 10.8.1.1 dev [NULL] table 0 metric -1 2022-09-23 22:27:52 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 2022-09-23 22:27:52 Initialization Sequence Completed ``` ``` > what-is-my-ip Local: 192.168.7.162 Remote: 124.169.100.242 > route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default _gateway 0.0.0.0 UG 100 0 0 ens33 103.137.12.163 _gateway 255.255.255.255 UGH 0 0 0 ens33 192.168.4.0 0.0.0.0 255.255.252.0 U 100 0 0 ens33 _gateway 0.0.0.0 255.255.255.255 UH 100 0 0 ens33 ``` ``` > ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:c7:7a:02 brd ff:ff:ff:ff:ff:ff altname enp2s1 inet 192.168.7.162/22 metric 100 brd 192.168.7.255 scope global dynamic ens33 valid_lft 14017sec preferred_lft 14017sec inet6 fe80::20c:29ff:fec7:7a02/64 scope link valid_lft forever preferred_lft forever 3: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc fq_codel state DOWN group default qlen 500 link/none ``` ``` > sudo iptables -L -v [sudo] password for balupton: Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 22:31:30:balupton@vm-ubuntu-server:/home/balupton > resolvectl status --no-pager Global Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported resolv.conf mode: stub Link 2 (ens33) Current Scopes: DNS Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported 
Current DNS Server: 192.168.4.1 DNS Servers: 192.168.4.1 Link 4 (tun0) Current Scopes: none Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported ``` ``` # adding redirect-gateway def1 to .ovpn and didn't do anything, even after sudo sysctl net.ipv4.ip_forward=1 sudo sysctl net.ipv6.conf.all.disable_ipv6=1 ufw disable # as well as sudo iptables -I FORWARD -i tun0 -o ens33 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT sudo iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT sudo iptables -t nat -I POSTROUTING -o ens33 -s 10.8.0.0/24 - ``` ``` ; > sudo iptables -L -v ; [sudo] password for balupton: ; Chain INPUT (policy ACCEPT 0 packets, 0 bytes) ; pkts bytes target prot opt in out source destination ; Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) ; pkts bytes target prot opt in out source destination ; Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) ; pkts bytes target prot opt in out source destination ; 23:41:42:balupton@vm-ubuntu-server:/home/balupton ``` ``` # nord worked setup-util-nordvpn sudo usermod -aG nordvpn balupton exit nordvpn login --token redacted nordvpn whitelist add port 22 # ufw did not work nordvpn connect # this worked however killed ssh ``` ``` > sudo iptables -L -v [sudo] password for balupton: Chain INPUT (policy ACCEPT 3004 packets, 26M bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT udp -- ens33 any anywhere anywhere udp dpt:22 /* nordvpn */ 0 0 ACCEPT udp -- ens33 any anywhere anywhere udp spt:22 /* nordvpn */ 99 12570 ACCEPT tcp -- ens33 any anywhere anywhere tcp dpt:ssh /* nordvpn */ 0 0 ACCEPT tcp -- ens33 any anywhere anywhere tcp spt:ssh /* nordvpn */ 229 67532 ACCEPT all -- ens33 any anywhere anywhere connmark match 0xe1f1 /* nordvpn */ 256 84166 DROP all -- ens33 any anywhere anywhere /* nordvpn */ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2201 packets, 173K 
bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT udp -- any ens33 anywhere anywhere udp dpt:22 /* nordvpn */ 0 0 ACCEPT udp -- any ens33 anywhere anywhere udp spt:22 /* nordvpn */ 0 0 ACCEPT tcp -- any ens33 anywhere anywhere tcp dpt:ssh /* nordvpn */ 70 12768 ACCEPT tcp -- any ens33 anywhere anywhere tcp spt:ssh /* nordvpn */ 318 57844 CONNMARK all -- any ens33 anywhere anywhere mark match 0xe1f1 /* nordvpn */ CONNMARK save 318 57844 ACCEPT all -- any ens33 anywhere anywhere connmark match 0xe1f1 /* nordvpn */ 103 20804 DROP all -- any ens33 anywhere anywhere /* nordvpn */ Chain ufw-after-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-after-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-after-logging-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-after-logging-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-after-logging-output (0 references) pkts bytes target prot opt in out source destination Chain ufw-after-output (0 references) pkts bytes target prot opt in out source destination Chain ufw-before-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-before-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-before-logging-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-before-logging-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-before-logging-output (0 references) pkts bytes target prot opt in out source destination Chain ufw-before-output (0 references) pkts bytes target prot opt in out source destination Chain ufw-reject-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-reject-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-reject-output (0 references) pkts bytes target prot opt 
in out source destination Chain ufw-track-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-track-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-track-output (0 references) pkts bytes target prot opt in out source destination ``` ``` > nordvpn disconnect New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/ You are disconnected from NordVPN. How would you rate your connection quality on a scale from 1 (poor) to 5 (excellent)? Type 'nordvpn rate [1-5]'. 23:07:58:balupton@vm-ubuntu-server:/home/balupton ``` ``` > sudo iptables -L -v Chain INPUT (policy ACCEPT 3035 packets, 26M bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2238 packets, 179K bytes) pkts bytes target prot opt in out source destination Chain ufw-after-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-after-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-after-logging-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-after-logging-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-after-logging-output (0 references) pkts bytes target prot opt in out source destination Chain ufw-after-output (0 references) pkts bytes target prot opt in out source destination Chain ufw-before-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-before-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-before-logging-forward (0 references) pkts bytes target prot opt in out source destination Chain 
ufw-before-logging-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-before-logging-output (0 references) pkts bytes target prot opt in out source destination Chain ufw-before-output (0 references) pkts bytes target prot opt in out source destination Chain ufw-reject-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-reject-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-reject-output (0 references) pkts bytes target prot opt in out source destination Chain ufw-track-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-track-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-track-output (0 references) pkts bytes target prot opt in out source destination ``` ``` # even after setup-dns, while nord is connected, it's still going to the local resolver # let's debug how it gets there > nslookup cloudflare.com Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: Name: cloudflare.com Address: 104.16.133.229 Name: cloudflare.com Address: 104.16.132.229 Name: cloudflare.com Address: 2606:4700::6810:85e5 Name: cloudflare.com Address: 2606:4700::6810:84e5 ``` ``` nordvpn set threatprotectionlite on # works fine nordvpn set dns 192.168.5.20 # causes dns lookups to fail nordvpn set dns 124.169.100.242 # works fine ``` ``` # > debug-network ; DNS LISTENERS: ; Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process ; udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:* users:(("systemd-resolve",pid=10111,fd=13)) ; tcp LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:* users:(("systemd-resolve",pid=10111,fd=14)) ; LISTENERS: ; tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 10111/systemd-resol ; tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1129/sshd: /usr/sbi ; tcp6 0 0 :::22 :::* LISTEN 1129/sshd: /usr/sbi ; DNS: ; Global: ; Link 2 (ens33): 9.9.9.9 149.112.112.112 2620:fe::9 192.168.4.1 ; Link 11 (nordlynx): 
124.169.100.242 ``` ``` # after `nordvpn d` internet failed, had to `sudo iptables -F` to fix # now trying setup-dns with cloudflared nordvpn set dns off > nordvpn set dns off ; New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/ ; DNS is set to 'disabled' successfully. ; 23:21:08:balupton@vm-ubuntu-server:/home/balupton ; > nordvpn settings ; New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/ ; Technology: NORDLYNX ; Firewall: enabled ; Kill Switch: disabled ; Threat Protection Lite: disabled ; Notify: disabled ; Auto-connect: disabled ; IPv6: disabled ; Meshnet: disabled ; DNS: disabled ; Whitelisted ports: ; 22 (UDP|TCP) ``` ``` # > debug-network ; DNS LISTENERS: ; Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process ; udp UNCONN 0 0 *:domain *:* users:(("cloudflared",pid=17894,fd=7)) ; tcp LISTEN 0 4096 *:domain *:* users:(("cloudflared",pid=17894,fd=8)) ; LISTENERS: ; tcp 0 0 127.0.0.1:46279 0.0.0.0:* LISTEN 17894/cloudflared ; tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1129/sshd: /usr/sbi ; tcp6 0 0 :::53 :::* LISTEN 17894/cloudflared ; tcp6 0 0 :::22 :::* LISTEN 1129/sshd: /usr/sbi ; DNS: ``` ``` # > what-is-my-ip ; Local: 192.168.7.162 ; Remote: 103.107.197.134 ``` ``` ; > sudo iptables -L -v ; Chain INPUT (policy ACCEPT 11145 packets, 62M bytes) ; pkts bytes target prot opt in out source destination ; 0 0 ACCEPT udp -- ens33 any anywhere anywhere udp dpt:22 /* nordvpn */ ; 0 0 ACCEPT udp -- ens33 any anywhere anywhere udp spt:22 /* nordvpn */ ; 293 17756 ACCEPT tcp -- ens33 any anywhere anywhere tcp dpt:ssh /* nordvpn */ 
; 0 0 ACCEPT tcp -- ens33 any anywhere anywhere tcp spt:ssh /* nordvpn */ ; 166 50868 ACCEPT all -- ens33 any anywhere anywhere connmark match 0xe1f1 /* nordvpn */ ; 39 10153 DROP all -- ens33 any anywhere anywhere /* nordvpn */ ; Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) ; pkts bytes target prot opt in out source destination ; Chain OUTPUT (policy ACCEPT 11079 packets, 1185K bytes) ; pkts bytes target prot opt in out source destination ; 0 0 ACCEPT udp -- any ens33 anywhere anywhere udp dpt:22 /* nordvpn */ ; 0 0 ACCEPT udp -- any ens33 anywhere anywhere udp spt:22 /* nordvpn */ ; 0 0 ACCEPT tcp -- any ens33 anywhere anywhere tcp dpt:ssh /* nordvpn */ ; 227 35012 ACCEPT tcp -- any ens33 anywhere anywhere tcp spt:ssh /* nordvpn */ ; 217 39756 CONNMARK all -- any ens33 anywhere anywhere mark match 0xe1f1 /* nordvpn */ CONNMARK save ; 217 39756 ACCEPT all -- any ens33 anywhere anywhere connmark match 0xe1f1 /* nordvpn */ ; 4 356 DROP all -- any ens33 anywhere anywhere /* nordvpn */ ; Chain ufw-after-forward (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-after-input (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-after-logging-forward (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-after-logging-input (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-after-logging-output (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-after-output (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-before-forward (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-before-input (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-before-logging-forward (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-before-logging-input (0 references) ; pkts bytes target prot opt in out source destination ; 
Chain ufw-before-logging-output (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-before-output (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-reject-forward (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-reject-input (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-reject-output (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-track-forward (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-track-input (0 references) ; pkts bytes target prot opt in out source destination ; Chain ufw-track-output (0 references) ; pkts bytes target prot opt in out source destination ``` ``` # however, nslookup is giving a different result ; > nslookup cloudflare.com ; Server: 103.86.96.100 ; Address: 103.86.96.100#53 <--- nordvpn dns srever ; Non-authoritative answer: ; Name: cloudflare.com ; Address: 104.16.132.229 ; Name: cloudflare.com ; Address: 104.16.133.229 ; Name: cloudflare.com ; Address: 2606:4700::6810:85e5 ; Name: cloudflare.com ; Address: 2606:4700::6810:84e5 ; 23:23:48:balupton@vm-ubuntu-server:/home/balupton ; > what-is-my-ip ; Local: 192.168.7.162 ; Remote: 103.107.197.134 ``` ``` ; > nordvpn set dns 127.0.0.1 ; New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/ ; DNS is set to '127.0.0.1' successfully. ; 23:25:08:balupton@vm-ubuntu-server:/home/balupton ; > nslookup cloudflare.com ; Server: 127.0.0.1 ; Address: 127.0.0.1#53 ; ** server can't find cloudflare.com: SERVFAIL ``` ``` ; > nordvpn set dns 0.0.0.0 ; New feature - Meshnet! 
Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/ ; DNS is set to '0.0.0.0' successfully. ; 23:25:28:balupton@vm-ubuntu-server:/home/balupton ; > nslookup cloudflare.com ; Server: 127.0.0.1 ; Address: 127.0.0.1#53 ; ** server can't find cloudflare.com: SERVFAIL ``` ``` ; > nordvpn whitelist add subnet 192.168.0.0/16 ; New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/ ; Subnet 192.168.0.0/16 is whitelisted successfully. ``` ``` ; > nordvpn set dns 192.168.5.20 ; New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/ ; DNS is set to '192.168.5.20' successfully. 
; 23:26:42:balupton@vm-ubuntu-server:/home/balupton ``` ``` ; > nslookup cloudflare.com ; Server: 192.168.5.20 ; Address: 192.168.5.20#53 ; Non-authoritative answer: ; Name: cloudflare.com ; Address: 104.16.133.229 ; Name: cloudflare.com ; Address: 104.16.132.229 ; Name: cloudflare.com ; Address: 2606:4700::6810:84e5 ; Name: cloudflare.com ; Address: 2606:4700::6810:85e5 ; DNS LISTENERS: ; Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process ; udp UNCONN 0 0 *:domain *:* users:(("cloudflared",pid=17894,fd=7)) ; tcp LISTEN 0 4096 *:domain *:* users:(("cloudflared",pid=17894,fd=8)) ; LISTENERS: ; tcp 0 0 127.0.0.1:46279 0.0.0.0:* LISTEN 17894/cloudflared ; tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1129/sshd: /usr/sbi ; tcp6 0 0 :::53 :::* LISTEN 17894/cloudflared ; tcp6 0 0 :::22 :::* LISTEN 1129/sshd: /usr/sbi ; DNS: ``` # these both fail on nslookup, even with whitelist subnet and port guarantees > nordvpn set dns $(what-is-my-ip local) > nordvpn set dns 0.0.0.0 -
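Review bot: the manual forwarding rules in the middle of this hunk match the wrong tunnel subnet: `sudo iptables -I FORWARD -i tun0 -o ens33 -s 10.8.0.0/24 -d 192.168.0.0/24 ...` and `sudo iptables -t nat -I POSTROUTING -o ens33 -s 10.8.0.0/24 -` select 10.8.0.0/24, but both PUSH_REPLY messages assign `ifconfig 10.8.1.6 255.255.255.0` and `ifconfig 10.8.1.9 255.255.255.0`, i.e. 10.8.1.0/24, so neither rule can match tunnel traffic, and the POSTROUTING line is cut off before its `-j` target. Two further points from the visible output: the openvpn run logs `WARNING: this configuration may cache passwords in memory -- use the auth-nocache option`, which belongs in the .ovpn if the credentials are typed interactively; and the `sudo iptables -F` used to recover connectivity after `nordvpn d` flushes nordvpn's `DROP all -- ens33` rules while both INPUT and OUTPUT policies remain ACCEPT, so the host is left unfiltered until the client reinstalls its rules. Lastly, in the cloudflared `debug-network` output the resolver is bound to `*:domain` (0.0.0.0:53 and :::53) rather than to loopback, so it answers on ens33 as well; the closing step that whitelists `192.168.0.0/16` and points `nordvpn set dns` at 192.168.5.20 works, but the whitelist should be narrowed to the LAN prefix the `ip addr` output shows (192.168.7.162/22) rather than the whole 192.168.0.0/16, since whitelisted subnets bypass the tunnel.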
balupton revised this gist
Sep 23, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -185,7 +185,7 @@ nordvpn whitelist remove subnet 192.168.0.0/16 - Remove the rule to whitelist a ip table rule. sudo iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE sudo iptables -A FORWARD -i wlan0 -o nordlynx -j ACCEPT sudo iptables -A FORWARD -i nordLynx -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT ``` # openvpn -
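Review bot: the third rule in this hunk spells the interface `nordLynx` (`sudo iptables -A FORWARD -i nordLynx -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT`) while the two rules before it use `nordlynx`; Linux interface names are case-sensitive, so the return-traffic rule never matches and only the unconditional `-i wlan0 -o nordlynx -j ACCEPT` line takes effect. The rules also name two different LAN interfaces (`wlan0` on the way in, `eth0` on the way back); fix the spelling and use one interface for both directions, e.g. `-i nordlynx -o wlan0`, otherwise forwarded replies are not covered by the RELATED,ESTABLISHED rule.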
balupton revised this gist
Sep 23, 2022. 5 changed files with 795 additions and 16 deletions.
@@ -6,6 +6,208 @@ Networking on my Ubuntu machines is being flaking: Here are all the things I have tried or yet to try. # docker failures - https://github.com/gliderlabs/docker-alpine/issues/255 - https://github.com/gliderlabs/docker-alpine/issues/476 - https://serverfault.com/a/963155 - https://unix.stackexchange.com/q/552025/50703 - https://github.com/docker/for-win/issues/1344 ``` bash # https://serverfault.com/a/963155 noipv4ll # what is this? # https://www.daemon-systems.org/man/dhcpcd.8.html # When using IPv4LL, dhcpcd nearly always succeeds and returns an exit code # of 0. In the rare case it fails, it normally means that there is a # reverse ARP proxy installed which always defeats IPv4LL probing. To # disable this behaviour, you can use the -L, --noipv4ll option. # -L, --noipv4ll # Don't use IPv4LL (aka APIPA, aka Bonjour, aka ZeroConf). # ^ not helpful at explaining at all # https://unix.stackexchange.com/a/658014/50703 # Udhcpc need /etc/udhcpc/udhcpc.conf, accessible by all, with a single line dns="ns1 ns2" # ^ also a terrible explanation ``` # transmission ``` bash # https://help.ubuntu.com/community/TransmissionHowTo sudo vim /var/lib/transmission-daemon/info/settings.json sudo usermod -a -G debian-transmission user # "umask": 2, - WHY WHAT IS THIS # https://wiki.debian.org/Transmission apt install transmission-daemon --install-suggests systemctl edit transmission-daemon.service ``` # docker vpn - https://hub.docker.com/r/linuxserver/transmission - https://github.com/haugene/docker-transmission-openvpn - https://hub.docker.com/r/gzm55/vpn-client/ # nordvpn config - https://nordvpn.com/ovpn/ - https://support.nordvpn.com/Connectivity/Linux/1322207652/Troubleshooting-connectivity-Linux.htm - https://wiki.archlinux.org/title/NordVPN - https://support.nordvpn.com/Connectivity/Linux/1325531132/Installing-and-using-NordVPN-on-Debian-Ubuntu-Raspberry-Pi-Elementary-OS-and-Linux-Mint.htm ``` bash # https://www.makeuseof.com/how-to-install-nordvpn-ubuntu/ 
nordvpn set autoconnect on ``` # ufw ``` bash # https://askubuntu.com/a/1230322/22776 sudo ufw allow 1194/udp ``` # disable ipv6 apparently many things doesn't support it, including nord, however there is conflicting information about this ``` bash # https://wiki.archlinux.org/title/IPv6#Disable_IPv6 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.nic0.disable_ipv6 = 1 net.ipv6.conf.nicN.disable_ipv6 = 1 noipv6rs noipv6 nmcli connection modify ConnectionName ipv6.method "disabled" ``` # ip route ``` bash # https://serverfault.com/a/472364 ip route show table main ip route add 88.191.250.176 via <gatewayip> dev eth3 ``` # wireguard ``` bash # https://bbs.archlinux.org/viewtopic.php?id=251317 Install wireguard-tools. # https://www.cyberciti.biz/faq/ubuntu-20-04-set-up-wireguard-vpn-server/ sudo apt install wireguard sudo ufw allow 41194/udp sudo systemctl enable wg-quick@wg0 # and a bunch of other stuff ``` ``` bash # https://askubuntu.com/a/1378515/22776 # no idea sudo edit /etc/ppp/ip-up.d/0000usepeerdns ``` # nexthop ``` bash # https://bbs.archlinux.org/viewtopic.php?id=243382 ip a ip r systemctl list-unit-files --state=enabled ``` # protonvpn ``` bash # https://protonvpn.com/support/linux-vpn-setup/ # doesn't seem there is arm support for the official protonvpn client # https://protonvpn.com/support/linux-openvpn/ # Note: to use our NetShield DNS filtering feature, append the suffix +f1 to your username to block malware, or +f2 to block malware, ads, and trackers (for example 123456789+f2). 
sudo apt-get install openvpn sudo wget "https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh" -O "/etc/openvpn/update-resolv-conf" ``` # openvpn scripts ``` bash # https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/ openvpn3 session-start --config ${client.ovpn} openvpn3 sessions-list openvpn --config client.ovpn --auth-user-pass --auth-retry interact script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf ``` ``` bash # https://www.ivpn.net/setup/linux-terminal/ ip a | grep tun curl https://api.ivpn.net/v4/geo-lookup curl https://api.ivpn.net/v4/geo-lookup | jq grep -i vpn /var/log/syslog ``` # nordvpn scripts ``` bash # nord support sudo iptables -P INPUT ACCEPT sudo iptables -F INPUT sudo iptables -P OUTPUT ACCEPT sudo iptables -F OUTPUT sudo systemctl restart NetworkManager ``` ``` bash # https://support.nord-help.com/Connectivity/Linux/1325531132/Installing-and-using-NordVPN-on-Debian-Ubuntu-Raspberry-Pi-Elementary-OS-and-Linux-Mint.htm nordvpn whitelist add port 22 - Add a rule to whitelist a specified incoming port. You can also whitelist multiple ports — just separate their numbers with a space. nordvpn whitelist remove port 22 - Remove the rule to whitelist a specified port. nordvpn whitelist add subnet 192.168.0.0/16 - Add a rule to whitelist a specified subnet. nordvpn whitelist remove subnet 192.168.0.0/16 - Remove the rule to whitelist a specified subnet. ``` - https://github.com/search?p=2&q=nordvpn+iptables&type=Code - https://github.com/search?q=nordvpn+forward&type=Code ``` bash # https://www.reddit.com/r/nordvpn/comments/jodvfs/comment/gb7f5yj/?utm_source=reddit&utm_medium=web2x&context=3 # required nordlynx to actually initiate ip table rule. 
sudo iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE sudo iptables -A FORWARD -i wlan0 -o nordlynx -j ACCEPT sudo iptables -A FORWARD -i nordLynx -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT `` # openvpn ``` bash # https://openvpn.net/community-resources/how-to/ a whole bunch of routing and iptable stuff that doesn't seem relevant ``` ``` bash # https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway --pull-filter ignore redirect-gateway --route-noexec --route-nopull def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. route 0.0.0.0 128.0.0.0 net_gateway route 128.0.0.0 128.0.0.0 net_gateway route 0.0.0.0 192.0.0.0 net_gateway route 64.0.0.0 192.0.0.0 net_gateway route 128.0.0.0 192.0.0.0 net_gateway route 192.0.0.0 192.0.0.0 net_gateway ``` # general debugging ``` 
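Review bot: the "nord support" block (`sudo iptables -P INPUT ACCEPT`, `sudo iptables -F INPUT`, then the same for OUTPUT) does not fix a rule, it switches the host firewall off, so if it is run as a troubleshooting step the ufw rules from the `# ufw` section and any kill switch are gone until the next reboot; a comment saying so, plus an `iptables-save` before it, would stop it being run casually. Two smaller points in the same hunk: the reddit snippet closes its block with two backticks (` `` `) rather than three, which leaves the markdown fences out of phase for everything after `# openvpn`; and that snippet names the interface `nordlynx` in the POSTROUTING and first FORWARD rule but `nordLynx` in the third, and Linux interface names are case-sensitive, so the RELATED,ESTABLISHED rule would never match anything.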
@@ -453,25 +655,63 @@ redirect-gateway def1 ``` # https://community.openvpn.net/openvpn/wiki/BridgingAndRouting dev tun topology subnet server 10.8.0.0 255.255.255.0 push "route 192.168.0.0 255.255.255.0" push "redirect-gateway def1" # Allow traffic initiated from VPN to access LAN iptables -I FORWARD -i tun0 -o eth0 \ -s 10.8.0.0/24 -d 192.168.0.0/24 \ -m conntrack --ctstate NEW -j ACCEPT # Allow established traffic to pass back and forth iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT # Masquerade all traffic from VPN clients -- done in the nat table iptables -t nat -I POSTROUTING -o eth0 \ -s 10.8.0.0/24 -j MASQUERADE ``` ``` bash # https://askubuntu.com/a/578550/22776 iptables -I FORWARD -i tun0 -o eth0 \ -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT iptables -t nat -I POSTROUTING -o eth0 \ -s 10.8.0.0/24 -j MASQUERADE # https://askubuntu.com/a/1341821/22776 push "redirect-gateway autolocal" # https://askubuntu.com/a/1157242/22776 push "redirect-gateway def1 bypass-dhcp" redirect-gateway def1 bypass-dhcp # https://forums.openvpn.net/viewtopic.php?t=27618 pull-filter ignore "redirect-gateway def1 bypass-dhcp" pull-filter ignore "dhcp-option DNS 192.168.55.1" pull-filter ignore "dhcp-option DOMAIN example.com" route 192.168.55.0 255.255.255.0 # https://blog.sellorm.com/2017/03/01/force-all-traffic-through-openvpn-connection/ redirect-gateway def1 # https://erwinbierens.com/route-all-traffic-by-openvpn/ push "redirect-gateway def1" push "dhcp-option DNS " push "dhcp-option DNS 1.1.1.1" sudo /etc/init.d/openvpn restart redirect-gateway def1 iptables -I FORWARD -i tun0 -o wlan0 \ -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \ -j ACCEPT iptables -t nat -I POSTROUTING -o wlan0 \ -s 10.8.0.0/24 -j MASQUERADE ``` # iptables debugging
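Review bot: the askubuntu variant of the forwarding rules (`iptables -I FORWARD -i tun0 -o eth0 \ -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT`) drops the `-d 192.168.0.0/24` restriction that the BridgingAndRouting version carries, so once the MASQUERADE rule is in place every VPN client can open new connections to anything reachable from eth0, not just the LAN; keep the `-d` if LAN access is all that is wanted. All of these FORWARD and POSTROUTING rules are also no-ops until `net.ipv4.ip_forward=1` is set, and the `sysctl -w` line in the docker section of the original revision does not survive a reboot. Finally, the `push "dhcp-option DNS "` line carries no address and should be removed or completed before it is pushed to clients.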
@@ -0,0 +1,143 @@ # https://github.com/aerodomigue/qbittorrent-nordvpn/blob/a6f289fa7665831fc850a78cb39a8b30f7bf2343/root/etc/services.d/nordvpn/run #!/usr/bin/with-contenv bash [[ -n ${DEBUG} ]] && set -x [[ -n ${COUNTRY} && -z ${CONNECT} ]] && CONNECT=${COUNTRY} [[ "${PGID:-""}" =~ ^[0-9]+$ ]] && groupmod -g $PGID -o vpn DOCKER_NET="$(ip -o addr show dev eth0 | awk '$3 == "inet" {print $4}')" custom_kill_switch() { local docker6_network="$(ip -o addr show dev eth0 | awk '$3 == "inet6" {print $4; exit}')" iptables -F iptables -X iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i lo -j ACCEPT iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A OUTPUT -o tap+ -j ACCEPT iptables -A OUTPUT -o tun+ -j ACCEPT iptables -A OUTPUT -m owner --gid-owner vpn -j ACCEPT || { iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT iptables -A OUTPUT -o eth0 -d api.nordvpn.com -j ACCEPT } iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE if [[ -n ${DOCKER_NET} ]]; then iptables -A INPUT -s ${DOCKER_NET} -j ACCEPT iptables -A FORWARD -d ${DOCKER_NET} -j ACCEPT iptables -A FORWARD -s ${DOCKER_NET} -j ACCEPT iptables -A OUTPUT -d ${DOCKER_NET} -j ACCEPT fi [[ -n ${NETWORK} ]] && for net in ${NETWORK//[;,]/ }; do return_route ${net}; done [[ -n ${WHITELIST} ]] && for domain in ${WHITELIST//[;,]/ }; do white_list ${domain}; done ip6tables -F 2>/dev/null ip6tables -X 2>/dev/null ip6tables -P INPUT DROP 2>/dev/null ip6tables -P 
FORWARD DROP 2>/dev/null ip6tables -P OUTPUT DROP 2>/dev/null ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null ip6tables -A INPUT -p icmp -j ACCEPT 2>/dev/null ip6tables -A INPUT -i lo -j ACCEPT 2>/dev/null ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null ip6tables -A FORWARD -p icmp -j ACCEPT 2>/dev/null ip6tables -A FORWARD -i lo -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -o lo -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -o tap+ -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -o tun+ -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -m owner --gid-owner vpn -j ACCEPT 2>/dev/null || { ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -o eth0 -d api.nordvpn.com -j ACCEPT 2>/dev/null } if [[ -n ${docker6_network} ]]; then ip6tables -A INPUT -s ${docker6_network} -j ACCEPT 2>/dev/null ip6tables -A FORWARD -d ${docker6_network} -j ACCEPT 2>/dev/null ip6tables -A FORWARD -s ${docker6_network} -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -d ${docker6_network} -j ACCEPT 2>/dev/null fi [[ -n ${NETWORK6} ]] && for net in ${NETWORK6//[;,]/ }; do return_route6 ${net}; done } return_route() { # Add a route back to your network, so that return traffic works local network="$1" gw="$(ip route |awk '/default/ {print $3}')" ip route | grep -q "$network" || ip route add to $network via $gw dev eth0 iptables -A INPUT -s $network -j ACCEPT iptables -A FORWARD -d $network -j ACCEPT iptables -A FORWARD -s $network -j ACCEPT iptables -A OUTPUT -d $network -j ACCEPT } return_route6() { # Add a route back to your network, so that return traffic 
works local network="$1" gw="$(ip -6 route | awk '/default/{print $3}')" ip -6 route | grep -q "$network" || ip -6 route add to $network via $gw dev eth0 ip6tables -A INPUT -s $network -j ACCEPT 2>/dev/null ip6tables -A FORWARD -d $network -j ACCEPT 2>/dev/null ip6tables -A FORWARD -s $network -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -d $network -j ACCEPT 2>/dev/null } white_list() { # Allow unsecured traffic for an specific domain local domain=`echo $1 | sed 's/^.*:\/\///;s/\/.*$//'` sg vpn -c "iptables -A OUTPUT -o eth0 -d ${domain} -j ACCEPT" sg vpn -c "ip6tables -A OUTPUT -o eth0 -d ${domain} -j ACCEPT 2>/dev/null" } create_tun_device() { mkdir -p /dev/net [[ -c /dev/net/tun ]] || mknod -m 0666 /dev/net/tun c 10 200 } setup_nordvpn() { [[ -n ${TECHNOLOGY} ]] && nordvpn set technology ${TECHNOLOGY} [[ -n ${PROTOCOL} ]] && nordvpn set protocol ${PROTOCOL} [[ -n ${OBFUSCATE} ]] && nordvpn set obfuscate ${OBFUSCATE} [[ -n ${CYBER_SEC} ]] && nordvpn set cybersec ${CYBER_SEC} [[ -n ${DNS} ]] && nordvpn set dns ${DNS//[;,]/ } [[ -n ${DOCKER_NET} ]] && nordvpn whitelist add subnet ${DOCKER_NET} [[ -n ${NETWORK} ]] && for net in ${NETWORK//[;,]/ }; do nordvpn whitelist add subnet ${net}; done [[ -n ${PORTS} ]] && for port in ${PORTS//[;,]/ }; do nordvpn whitelist add port ${port}; done [[ -n ${DEBUG} ]] && nordvpn -version && nordvpn settings } if [ "${KILL_SWITCH}" = "custom" ]; then custom_kill_switch elif [ "${KILL_SWITCH}" = "on" ]; then nordvpn set killswitch on else nordvpn set killswitch off fi pkill nordvpnd rm -f /run/nordvpnd.sock sg vpn -c nordvpnd & while [ ! -S /run/nordvpnd.sock ]; do sleep 0.25 done nordvpn login -u ${USER} -p "${PASS}" setup_nordvpn create_tun_device nordvpn connect ${CONNECT} || exit 1 nordvpn status tail -f --pid=$(pidof nordvpnd) /var/log/nordvpn/daemon.log This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. 
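Review bot: `nordvpn login -u ${USER} -p "${PASS}"` near the end of the file passes the password as a command-line argument, so it is visible in `ps` and `/proc/*/cmdline` to every process in the container while the command runs and lands in the `set -x` trace whenever DEBUG is set; the start_vpn.sh below has the same `--password "${PASS}"` and only hides it from the trace, not from the process list, so reading it from a file or stdin would be preferable in both. The second point is in custom_kill_switch: `iptables -A OUTPUT -m owner --gid-owner vpn -j ACCEPT` makes membership of the `vpn` group the whole tunnel-bypass boundary (everything run through `sg vpn`, including the `white_list` rules, leaves via eth0), and the earlier `groupmod -g $PGID -o vpn` re-maps that group to whatever host GID PGID names, so a comment should make clear that PGID is choosing who may bypass the kill switch.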
@@ -0,0 +1,228 @@ # https://raw.githubusercontent.com/davesdere/configs/836def6e3f7aac657fd007c8ef32e38ee91a4fac/dockerfiles/nordvpn/start_vpn.sh#!/bin/bash iptables -P OUTPUT DROP iptables -P INPUT DROP iptables -P FORWARD DROP ip6tables -P OUTPUT DROP 2>/dev/null ip6tables -P INPUT DROP 2>/dev/null ip6tables -P FORWARD DROP 2>/dev/null iptables -F iptables -X ip6tables -F 2>/dev/null ip6tables -X 2>/dev/null [[ "${DEBUG,,}" == trace* ]] && set -x if [ "$(cat /etc/timezone)" != "${TZ}" ]; then if [ -d "/usr/share/zoneinfo/${TZ}" ] || [ ! -e "/usr/share/zoneinfo/${TZ}" ] || [ -z "${TZ}" ]; then TZ="Etc/UTC" fi ln -fs "/usr/share/zoneinfo/${TZ}" /etc/localtime dpkg-reconfigure -f noninteractive tzdata 2>/dev/null fi echo "[$(date -Iseconds)] Firewall is up, everything has to go through the vpn" docker_network="$(ip -o addr show dev eth0 | awk '$3 == "inet" {print $4}')" docker6_network="$(ip -o addr show dev eth0 | awk '$3 == "inet6" {print $4; exit}')" echo "[$(date -Iseconds)] Enabling connection to secure interfaces" if [[ -n ${docker_network} ]]; then iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i lo -j ACCEPT iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A OUTPUT -o tap+ -j ACCEPT iptables -A OUTPUT -o tun+ -j ACCEPT iptables -A OUTPUT -o nordlynx+ -j ACCEPT iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE iptables -t nat -A POSTROUTING -o nordlynx+ -j MASQUERADE fi if [[ -n ${docker6_network} ]]; then ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ip6tables -A INPUT -p icmp -j ACCEPT ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ip6tables -A FORWARD -p icmp -j ACCEPT ip6tables -A FORWARD -i lo -j 
ACCEPT ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ip6tables -A OUTPUT -o lo -j ACCEPT ip6tables -A OUTPUT -o tap+ -j ACCEPT ip6tables -A OUTPUT -o tun+ -j ACCEPT ip6tables -A OUTPUT -o nordlynx+ -j ACCEPT ip6tables -t nat -A POSTROUTING -o tap+ -j MASQUERADE ip6tables -t nat -A POSTROUTING -o tun+ -j MASQUERADE ip6tables -t nat -A POSTROUTING -o nordlynx+ -j MASQUERADE fi echo "[$(date -Iseconds)] Enabling connection to nordvpn group" if [[ -n ${docker_network} ]]; then iptables -A OUTPUT -m owner --gid-owner nordvpn -j ACCEPT || { echo "[$(date -Iseconds)] group match failed, fallback to open necessary ports" iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT } fi if [[ -n ${docker6_network} ]]; then ip6tables -A OUTPUT -m owner --gid-owner nordvpn -j ACCEPT || { echo "[$(date -Iseconds)] ip6 group match failed, fallback to open necessary ports" ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT ip6tables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT ip6tables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT ip6tables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT ip6tables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT } fi echo "[$(date -Iseconds)] Enabling connection to docker network" if [[ -n ${docker_network} ]]; then iptables -A INPUT -s "${docker_network}" -j ACCEPT iptables -A FORWARD -d "${docker_network}" -j ACCEPT iptables -A FORWARD -s "${docker_network}" -j ACCEPT iptables -A OUTPUT -d "${docker_network}" -j ACCEPT fi if [[ -n ${docker6_network} ]]; then ip6tables -A INPUT -s "${docker6_network}" -j ACCEPT 2>/dev/null ip6tables -A FORWARD -d "${docker6_network}" -j ACCEPT 2>/dev/null ip6tables -A FORWARD -s "${docker6_network}" -j ACCEPT 2>/dev/null ip6tables -A OUTPUT -d "${docker6_network}" -j 
ACCEPT 2>/dev/null fi if [[ -n ${docker_network} && -n ${NETWORK} ]]; then gw=$(ip route | awk '/default/ {print $3}') for net in ${NETWORK//[;,]/ }; do echo "[$(date -Iseconds)] Enabling connection to network ${net}" ip route | grep -q "$net" || ip route add to "$net" via "$gw" dev eth0 iptables -A INPUT -s "$net" -j ACCEPT iptables -A FORWARD -d "$net" -j ACCEPT iptables -A FORWARD -s "$net" -j ACCEPT iptables -A OUTPUT -d "$net" -j ACCEPT done fi if [[ -n ${docker6_network} && -n ${NETWORK6} ]]; then gw6=$(ip -6 route | awk '/default/{print $3}') for net6 in ${NETWORK6//[;,]/ }; do echo "[$(date -Iseconds)] Enabling connection to network ${net6}" ip -6 route | grep -q "$net6" || ip -6 route add to "$net6" via "$gw6" dev eth0 ip6tables -A INPUT -s "$net6" -j ACCEPT ip6tables -A FORWARD -d "$net6" -j ACCEPT ip6tables -A FORWARD -s "$net6" -j ACCEPT ip6tables -A OUTPUT -d "$net6" -j ACCEPT done fi if [[ -n ${WHITELIST} ]]; then for domain in ${WHITELIST//[;,]/ }; do domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//') echo "[$(date -Iseconds)] Enabling connection to host ${domain}" sg nordvpn -c "iptables -A OUTPUT -o eth0 -d ${domain} -j ACCEPT" sg nordvpn -c "ip6tables -A OUTPUT -o eth0 -d ${domain} -j ACCEPT 2>/dev/null" done fi mkdir -p /dev/net [[ -c /dev/net/tun ]] || mknod -m 0666 /dev/net/tun c 10 200 restart_daemon() { echo "[$(date -Iseconds)] Restarting the service" service nordvpn stop rm -rf /run/nordvpn/nordvpnd.sock service nordvpn start echo "[$(date -Iseconds)] Waiting for the service to start" attempt_counter=0 max_attempts=50 until [ -S /run/nordvpn/nordvpnd.sock ]; do if [ ${attempt_counter} -eq ${max_attempts} ]; then echo "[$(date -Iseconds)] Max attempts reached" exit 1 fi attempt_counter=$((attempt_counter + 1)) sleep 0.1 done } restart_daemon echo "[$(date -Iseconds)] Pre-logging settings $(nordvpn -version)" [[ -n ${DNS} ]] && nordvpn set dns ${DNS//[;,]/ } [[ -n ${CYBER_SEC} ]] && nordvpn set cybersec ${CYBER_SEC} [[ -n ${OBFUSCATE} ]] 
&& nordvpn set obfuscate ${OBFUSCATE} && sleep 3 if [[ "${DEBUG,,}" == trace+* ]]; then echo "[$(date -Iseconds)] ############# WARNING ############### make sure to remove user/pass before sharing this log" else set +x [[ "${DEBUG,,}" == trace* ]] && echo "[$(date -Iseconds)] Hiding user/password from the logs, set DEBUG=trace+ if you want to show them in the logs" fi [[ -z "${PASS}" ]] && [[ -f "${PASSFILE}" ]] && PASS="$(head -n 1 "${PASSFILE}")" echo "[$(date -Iseconds)] Logging in" nordvpn logout >/dev/null nordvpn login --username "${USER}" --password "${PASS}" || { echo "[$(date -Iseconds)] Invalid Username or password." exit 1 } [[ "${DEBUG,,}" == trace* ]] && set -x echo "[$(date -Iseconds)] Post-logging settings $(nordvpn -version)" [[ -n ${FIREWALL} ]] && nordvpn set firewall ${FIREWALL} [[ -n ${KILLSWITCH} ]] && nordvpn set killswitch ${KILLSWITCH} [[ -n ${PROTOCOL} ]] && nordvpn set protocol ${PROTOCOL} [[ -n ${TECHNOLOGY} ]] && nordvpn set technology ${TECHNOLOGY} if [[ -n ${docker_network} ]]; then nordvpn whitelist add subnet ${docker_network} [[ -n ${NETWORK} ]] && for net in ${NETWORK//[;,]/ }; do nordvpn whitelist add subnet "${net}"; done fi if [[ -n ${docker6_network} ]]; then nordvpn set ipv6 on nordvpn whitelist add subnet ${docker6_network} [[ -n ${NETWORK6} ]] && for net in ${NETWORK6//[;,]/ }; do nordvpn whitelist add subnet "${net}"; done fi [[ -n ${PORTS} ]] && for port in ${PORTS//[;,]/ }; do nordvpn whitelist add port "${port}"; done [[ -n ${PORT_RANGE} ]] && nordvpn whitelist add ports ${PORT_RANGE} [[ -n ${DEBUG} ]] && nordvpn settings connect() { echo "[$(date -Iseconds)] Connecting..." current_sleep=1 until nordvpn connect ${CONNECT}; do if [ ${current_sleep} -gt 4096 ]; then echo "[$(date -Iseconds)] Unable to connect." tail -n 200 /var/log/nordvpn/daemon.log exit 1 fi echo "[$(date -Iseconds)] Unable to connect retrying in ${current_sleep} seconds." sleep ${current_sleep} current_sleep=$((current_sleep * 2)) done if [[ ! 
-z "${POST_CONNECT}" ]]; then eval ${POST_CONNECT} fi } connect [[ -n ${DEBUG} ]] && tail -n 1 -f /var/log/nordvpn/daemon.log & cleanup() { nordvpn status nordvpn disconnect nordvpn logout service nordvpn stop trap - SIGTERM SIGINT EXIT # https://bash.cyberciti.biz/guide/How_to_clear_trap exit 0 } trap cleanup SIGTERM SIGINT EXIT # https://www.ctl.io/developers/blog/post/gracefully-stopping-docker-containers/ [[ -n ${RECONNECT} && -z ${CHECK_CONNECTION_INTERVAL} ]] && CHECK_CONNECTION_INTERVAL=${RECONNECT} while true; do sleep "${CHECK_CONNECTION_INTERVAL:-300}" if [[ ! $(curl -Is -m 30 -o /dev/null -w "%{http_code}" "${CHECK_CONNECTION_URL:-www.google.com}") =~ ^[23] ]]; then echo "[$(date -Iseconds)] Unstable connection detected!" nordvpn status restart_daemon connect fi done This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
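Review bot: `cleanup` is registered with `trap cleanup SIGTERM SIGINT EXIT` and finishes with `exit 0`, so the `exit 1` paths reached from the reconnect loop (`restart_daemon`'s "Max attempts reached" and `connect`'s "Unable to connect.") end up returning 0 to Docker and a restart policy keyed on a non-zero exit will never fire; capture `rc=$?` as the first line of `cleanup` and end it with `exit $rc`. Two more points in the same file: `eval ${POST_CONNECT}` executes arbitrary shell from an environment variable as root in the container, which deserves at least a comment on who controls that variable; and the liveness probe `curl -Is -m 30 -o /dev/null -w "%{http_code}" "${CHECK_CONNECTION_URL:-www.google.com}"` is plain HTTP with any 2xx or 3xx accepted, which a captive portal or intercepting proxy on the untunneled path would also satisfy, so an https URL with one expected status is a more reliable tunnel-health signal.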
@@ -0,0 +1,74 @@ # https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh # https://github.com/ProtonVPN/scripts #!/usr/bin/env bash # # Parses DHCP options from openvpn to update resolv.conf # To use set as 'up' and 'down' script in your openvpn *.conf: # up /etc/openvpn/update-resolv-conf # down /etc/openvpn/update-resolv-conf # # Used snippets of resolvconf script by Thomas Hood <[email protected]> # and Chris Hanson # Licensed under the GNU GPL. See /usr/share/common-licenses/GPL. # 07/2013 [email protected] Fixed intet name # 05/2006 [email protected] # # Example envs set from openvpn: # foreign_option_1='dhcp-option DNS 193.43.27.132' # foreign_option_2='dhcp-option DNS 193.43.27.133' # foreign_option_3='dhcp-option DOMAIN be.bnc.ch' # foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local' ## The 'type' builtins will look for file in $PATH variable, so we set the ## PATH below. You might need to directly set the path to 'resolvconf' ## manually if it still doesn't work, i.e. ## RESOLVCONF=/usr/sbin/resolvconf export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin RESOLVCONF=$(type -p resolvconf) case $script_type in up) for optionname in ${!foreign_option_*} ; do option="${!optionname}" echo $option part1=$(echo "$option" | cut -d " " -f 1) if [ "$part1" == "dhcp-option" ] ; then part2=$(echo "$option" | cut -d " " -f 2) part3=$(echo "$option" | cut -d " " -f 3) if [ "$part2" == "DNS" ] ; then IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3" fi if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then IF_DNS_SEARCH="$IF_DNS_SEARCH $part3" fi fi done R="" if [ "$IF_DNS_SEARCH" ]; then R="search " for DS in $IF_DNS_SEARCH ; do R="${R} $DS" done R="${R} " fi for NS in $IF_DNS_NAMESERVERS ; do R="${R}nameserver $NS " done #echo -n "$R" | $RESOLVCONF -x -p -a "${dev}" echo -n "$R" | $RESOLVCONF -x -a "${dev}.inet" ;; down) $RESOLVCONF -d "${dev}.inet" ;; esac # Workaround / [email protected] # force exit with no errors. 
Due to an apparent conflict with the Network Manager # $RESOLVCONF sometimes exits with error code 6 even though it has performed the # action correctly and OpenVPN shuts down. exit 0
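Review bot: `RESOLVCONF=$(type -p resolvconf)` is never checked, so on a host where `type -p resolvconf` finds nothing (a systemd-resolved stub setup like the `resolvectl status` output earlier in this gist) the `up` branch pipes into an empty command, the error is swallowed by the unconditional `exit 0` at the bottom, and OpenVPN stays connected with the pre-tunnel DNS servers still in use; that is exactly the DNS-leak symptom these notes are chasing, so the script should fail loudly, or fall back to `resolvectl dns "$dev" ...`, when `$RESOLVCONF` is empty. The `echo $option` inside the loop also writes every pushed option to the OpenVPN log, which is useful while debugging but noisy otherwise.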
@@ -0,0 +1,94 @@ # https://raw.githubusercontent.com/Tyrean737/i3config/9009d0fd0e8d6fa9157abb020ed4273942ce554c/.scripts/vpn_secure_connect.sh #!/bin/bash #***************************************************************************************************************# # This Script uses iptables to block all traffic except to and from the IP of the selected VPN. # # When disconnected it asks if the normal setting shall be restore again. # # # # In case you want to manually restore the settings run 'iptables-restore iptables_BackUp_temp' (file is # # located in the user directory). # # # # This script uses 'dns_nordvpn_0.sh', 'dns_nordvpn_1.sh', 'ipv6_diable.sh' and 'ipv6_enable.sh'. # #***************************************************************************************************************# # Setting up paths USER="tobias" PATH_USER="/home/$USER" PATH_OVPN="/home/$USER/.ovpn" # Check if run as root if [ $(id -u) -ne 0 ]; then echo "Please run as root!" exit fi # Set DNS servers and disable ipv6 dns_nordvpn_1.sh ipv6_disable.sh # Get and print local network IP range LOCAL_IPS=$(ip a | awk '/inet 192.*/ {print $2}' | awk -F'.' '{print $1"."$2"."$3".0/24"}') echo "Local network IP range is: $LOCAL_IPS" read -p "Enter NordVPN server to connect to (e.g. de33): " VPN_ID read -p "Enter connection protocol (tcp/udp, only lower case letters!) [default: tcp]: " VPN_PROTOCOL if [ -z $VPN_PROTOCOL ]; then VPN_PROTOCOL="tcp" fi # Get VPN VPN_IP=$(awk '/remote / {print $2}' $PATH_OVPN/$VPN_PROTOCOL/$VPN_ID.nordvpn.com.$VPN_PROTOCOL.ovpn) # Backup current iptables config iptables-save -f $PATH_USER/iptables_BackUp_temp # Flush iptables iptables -F # Allow loopback device (internal communication) iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow all local traffic. 
iptables -A INPUT -s $LOCAL_IPS -j ACCEPT iptables -A OUTPUT -d $LOCAL_IPS -j ACCEPT # Allow traffic to VPN iptables -A INPUT -s $VPN_IP -j ACCEPT iptables -A OUTPUT -d $VPN_IP -j ACCEPT # Allow traffic to NordVPN DNS servers (Does not seem to be nescessary) #iptables -A INPUT -s 103.86.96.100 -j ACCEPT #iptables -A OUTPUT -d 103.86.96.100 -j ACCEPT #iptables -A INPUT -s 103.86.99.100 -j ACCEPT #iptables -A OUTPUT -d 103.86.99.100 -j ACCEPT # Accept all TUN connections (tun = VPN tunnel) iptables -A OUTPUT -o tun+ -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT # Set default policies to drop all communication unless specifically allowed iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # Connect to VPN openvpn $PATH_OVPN/$VPN_PROTOCOL/$VPN_ID.nordvpn.com.$VPN_PROTOCOL.ovpn # Ask if setting shall be restored echo "Disconnected from VPN!" read -p "Shall traffic be allowed again? [y/N]" restore if [[ "$restore" == "y" || "$restore" == "Y" ]]; then iptables-restore $PATH_USER/iptables_BackUp_temp dns_nordvpn_0.sh ipv6_enable.sh echo "All settings restored and normal traffic allowed again!" else echo "Keep traffic forbidden!" fi -
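Review bot: the three `iptables -P ... DROP` lines come after `iptables -F` and after all the ACCEPT rules, so between the flush and the policy change every packet is allowed, and if the script is interrupted in that window the host is left with no rules and ACCEPT policies; set the DROP policies right after the `iptables-save` backup, and flush `-t nat` as well since the earlier NordVPN snippets add MASQUERADE rules there. Two rules are also broader than their comments: `iptables -A INPUT -s $VPN_IP -j ACCEPT` admits any protocol and port from the server address rather than only replies to the VPN session, and `iptables -A INPUT -i tun+ -j ACCEPT` accepts every inbound connection through the tunnel, so each listening service on the machine is reachable from the VPN side; an `-m conntrack --ctstate ESTABLISHED,RELATED` INPUT rule covers the return traffic in both cases. Finally, `LOCAL_IPS` holds one line per interface with a 192.* address, and the unquoted `-s $LOCAL_IPS` then yields an invalid rule when there is more than one.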
balupton created this gist
Sep 23, 2022
@@ -0,0 +1,706 @@ Networking on my Ubuntu machines is being flaking: - docker bridge interface failing - traffic not going to vpns - when vpn or docker bridge does work it knocks out all dns resolutions Here are all the things I have tried or yet to try. # general debugging ``` route ip addr ip route ip rule ifconfig tcpdump -i eth0 traceroute 8.8.8.8 sudo iptables -L -v ``` # RTNETLINK errors ``` bash # JUST REBOOT # https://stackoverflow.com/a/27708858/130638 # https://stackoverflow.com/a/64473630/130638 # --cap-add=NET_ADMIN # http://linux.die.net/man/7/capabilities # https://raspberrypi.stackexchange.com/a/51947/134746 sudo ip addr flush dev wlan0 # https://raspberrypi.stackexchange.com/a/65753/134746 sudo ifup --ignore-errors wlan0 # https://raspberrypi.stackexchange.com/a/79881/134746 ifdown --force --verbose ethX && ifup --force --verbose ethX # https://askubuntu.com/a/313367/22776 sudo ifdown eth0 && sudo ifup -v eth0 # https://debugah.com/ubuntu-how-to-solve-rtnetlink-answers-file-exists-two-methods-5679/ ip addr flush dev eth0 # nukes network access until ifup is run ip addre flush dev eth1 ifdown eth0 && ifup eth0 && ifdown eth1 && ifup eth1 # https://stackoverflow.com/a/53961002/130638 sudo tc qdisc replace dev eth0 root netem delay 100ms sudo tc qdisc del dev eth0 root sudo tc qdisc add dev eth0 root netem delay 100ms ``` # syncthing ``` xml # https://docs.syncthing.net/users/config.html # https://docs.syncthing.net/users/config.html#gui-element <gui enabled="true" tls="false" debugging="false"> <address>0.0.0.0:8384</address> </gui> # https://docs.syncthing.net/users/guilisten.html ``` # docker transmission ``` bash # https://haugene.github.io/docker-transmission-openvpn/config-options/#dropping_default_route_from_iptables_advanced # https://github.com/haugene/docker-transmission-openvpn/ # https://github.com/haugene/docker-transmission-openvpn/search?q=DROP_DEFAULT_ROUTE Network configuration options¶ Variable Function Example OPENVPN_CONFIG Sets the 
OpenVPN endpoint to connect to. OPENVPN_CONFIG=UK Southampton OPENVPN_OPTS Will be passed to OpenVPN on startup See OpenVPN doc LOCAL_NETWORK Sets the local network that should have access. Accepts comma separated list. LOCAL_NETWORK=192.168.0.0/24 CREATE_TUN_DEVICE Creates /dev/net/tun device inside the container, mitigates the need mount the device from the host CREATE_TUN_DEVICE=true PEER_DNS Controls whether to use the DNS provided by the OpenVPN endpoint. To use your host DNS rather than what is provided by OpenVPN, set PEER_DNS=false. This allows for potential DNS leakage. PEER_DNS_PIN_ROUTES Controls whether to force traffic to peer DNS through the OpenVPN tunnel. To disable this default, set PEER_DNS_PIN_ROUTES=false. Some VPNs do not override the default route, but rather set other routes with a lower metric. This might lead to the default route (your untunneled connection) to be used. To drop the default route set the environment variable DROP_DEFAULT_ROUTE to true. Note: This is not compatible with all VPNs. You can check your iptables routing with the ip r command in a running container. 
# https://github.com/haugene/docker-transmission-openvpn/blob/d1ece1c5f36f275d5d950bd2557ec43f79a80d14/transmission/start.sh#L70-L74
/sbin/ip route del default via "${route_net_gateway}"
```

# ufw

``` bash
# https://askubuntu.com/a/98252/22776
sudo ufw enable
sudo ufw allow 22/tcp
```

``` bash
# https://linuxconfig.org/how-to-enable-disable-firewall-on-ubuntu-20-04-lts-focal-fossa-linux
sudo ufw status
sudo ufw status verbose
sudo ufw disable
sudo ufw enable
```

# docker

- https://docs.docker.com/engine/reference/commandline/dockerd/
- https://docs.docker.com/config/daemon/systemd/
- https://docs.docker.com/engine/reference/commandline/dockerd/#feature-options
- https://docs.docker.com/network/bridge/#use-the-default-bridge-network

``` bash
# https://stackoverflow.com/a/68992601/130638
docker network prune
```

```
# https://docs.docker.com/network/bridge/#use-the-default-bridge-network
# Configure the default bridge network
{
  "bip": "192.168.1.1/24",
  "fixed-cidr": "192.168.1.0/25",
  "fixed-cidr-v6": "2001:db8::/64",
  "mtu": 1500,
  "default-gateway": "192.168.1.254",
  "default-gateway-v6": "2001:db8:abcd::89",
  "dns": ["10.20.1.2","10.20.1.3"]
}
```

```
# daemon.json
{
  "allow-nondistributable-artifacts": [],
  "authorization-plugins": [],
  "bridge": "",
  "cluster-advertise": "",
  "cluster-store": "",
  "containerd": "\\\\.\\pipe\\containerd-containerd",
  "containerd-namespace": "docker",
  "containerd-plugin-namespace": "docker-plugins",
  "data-root": "",
  "debug": true,
  "default-ulimits": {},
  "dns": [],
  "dns-opts": [],
  "dns-search": [],
  "exec-opts": [],
  "experimental": false,
  "features": {},
  "fixed-cidr": "",
  "group": "",
  "hosts": [],
  "insecure-registries": [],
  "labels": [],
  "log-driver": "",
  "log-level": "",
  "max-concurrent-downloads": 3,
  "max-concurrent-uploads": 5,
  "max-download-attempts": 5,
  "mtu": 0,
  "pidfile": "",
  "raw-logs": false,
  "registry-mirrors": [],
  "shutdown-timeout": 15,
  "storage-driver": "",
  "storage-opts": [],
  "swarm-default-advertise-addr": "",
  "tlscacert": "",
  "tlscert": "",
  "tlskey": "",
  "tlsverify": true
}
```

Options the daemon reloads without a restart (from the dockerd reference linked above):

- debug: it changes the daemon to debug mode when set to true.
- cluster-store: it reloads the discovery store with the new address.
- cluster-store-opts: it uses the new options to reload the discovery store.
- cluster-advertise: it modifies the address advertised after reloading.
- labels: it replaces the daemon labels with a new set of labels.
- live-restore: enables keeping containers alive during daemon downtime.
- max-concurrent-downloads: it updates the max concurrent downloads for each pull.
- max-concurrent-uploads: it updates the max concurrent uploads for each push.
- max-download-attempts: it updates the max download attempts for each pull.
- default-runtime: it updates the runtime to be used if none is specified at container creation. It defaults to "default", which is the runtime shipped with the official docker packages.
- runtimes: it updates the list of available OCI runtimes that can be used to run containers.
- authorization-plugin: it specifies the authorization plugins to use.
- allow-nondistributable-artifacts: replaces the set of registries to which the daemon will push nondistributable artifacts with a new set of registries.
- insecure-registries: it replaces the daemon insecure registries with a new set of insecure registries. If some existing insecure registries in the daemon's configuration are not in the newly reloaded insecure registries, these existing ones will be removed from the daemon's config.
- registry-mirrors: it replaces the daemon registry mirrors with a new set of registry mirrors. If some existing registry mirrors in the daemon's configuration are not in the newly reloaded registry mirrors, these existing ones will be removed from the daemon's config.
- shutdown-timeout: it replaces the daemon's existing configuration timeout with a new timeout for shutting down all containers.
- features: it explicitly enables or disables specific features.

# flags

- The -b, --bridge= flag is set to docker0 as the default bridge network. It is created automatically when you install Docker. If you are not using the default, you must create and configure the bridge manually or just set it to 'none': --bridge=none
- --exec-root is the path where the container state is stored. The default value is /var/run/docker. Specify the path for your running daemon here.
- --data-root is the path where persisted data such as images, volumes, and cluster state are stored. The default value is /var/lib/docker. To avoid any conflict with other daemons, set this parameter separately for each daemon.
- -p, --pidfile=/var/run/docker.pid is the path where the process ID of the daemon is stored. Specify the path for your pid file here.
- --host=[] specifies where the Docker daemon will listen for client connections. If unspecified, it defaults to /var/run/docker.sock.
- --iptables=false prevents the Docker daemon from adding iptables rules. If multiple daemons manage iptables rules, they may overwrite rules set by another daemon. Be aware that disabling this option requires you to manually add iptables rules to expose container ports. If you prevent Docker from adding iptables rules, Docker will also not add IP masquerading rules, even if you set --ip-masq to true. Without IP masquerading rules, Docker containers will not be able to connect to external hosts or the internet when using a network other than the default bridge.
- --config-file=/etc/docker/daemon.json is the path where the configuration file is stored. You can use it instead of daemon flags. Specify the path for each daemon.
- --tls*: the Docker daemon supports --tlsverify mode, which enforces encrypted and authenticated remote connections. The --tls* options enable use of specific certificates for individual daemons.

``` bash
# a second daemon with its own socket, pidfile and state directories, and no iptables/bridge management
sudo dockerd \
  -H unix:///var/run/docker-bootstrap.sock \
  -p /var/run/docker-bootstrap.pid \
  --iptables=false \
  --ip-masq=false \
  --bridge=none \
  --data-root=/var/lib/docker-bootstrap \
  --exec-root=/var/run/docker-bootstrap
```

``` bash
# https://stackoverflow.com/a/35519951/130638
# /etc/systemd/system/docker.service.d/docker.conf
# [Service]
# ExecStart=
# ExecStart=/usr/bin/docker daemon -H fd:// --bip=192.168.169.1/24
systemctl stop docker
# We need a program called brctl to, well, control the bridge, which is part of the bridge-utils package.
sudo apt-get install bridge-utils
# Bring down the docker0 interface:
sudo ip link set docker0 down
# And delete the bridge.
sudo brctl delbr docker0
# Finally, start the Docker daemon
systemctl start docker
```

``` bash
# https://www.suse.com/support/kb/doc/?id=000018916
DOCKER_OPTS="--bip=192.168.1.1/24"
```

``` bash
# https://github.com/kubernetes-sigs/kubespray/issues/213#issuecomment-212974520
ExecStartPre=-/usr/bin/ip link set dev docker0 down
ExecStartPre=-/usr/sbin/brctl delbr docker0
```

``` bash
# https://github.com/moby/moby/issues/42558#issuecomment-905313588
# doesn't work, breaks more things
sudo apt remove netscript-2.4
```

``` bash
# https://stackoverflow.com/a/64793583/130638
sysctl -w net.ipv4.ip_forward=1
```

``` bash
# https://docs.docker.com.zh.xy2401.com/v17.09/engine/userguide/networking/default_network/custom-docker0/
sudo apt-get install bridge-utils
sudo brctl show
```

```
{
  "bip": "192.168.1.5/24",
  "fixed-cidr": "192.168.1.5/25",
  "fixed-cidr-v6": "2001:db8::/64",
  "mtu": 1500,
  "default-gateway": "10.20.1.1",
  "default-gateway-v6": "2001:db8:abcd::89",
  "dns": ["10.20.1.2","10.20.1.3"]
}
```

The same options are presented as flags to dockerd, with an explanation for each:

- --bip=CIDR: supply a specific IP address and netmask for the docker0 bridge, using standard CIDR notation. For example: 192.168.1.5/24.
- --fixed-cidr=CIDR and --fixed-cidr-v6=CIDRv6: restrict the IP range from the docker0 subnet, using standard CIDR notation. For example: 172.16.1.0/28. This range must be an IPv4 range for fixed IPs, and must be a subset of the bridge IP range (docker0 or set using --bridge or the bip key in the daemon.json file). For example, with --fixed-cidr=192.168.1.0/25, IPs for your containers will be chosen from the first half of addresses included in the 192.168.1.0/24 subnet.
- --mtu=BYTES: override the maximum packet length on docker0.
- --default-gateway=Container default Gateway IPV4 address and --default-gateway-v6=Container default gateway IPV6 address: designates the default gateway for containers connected to the docker0 bridge, which controls where they route traffic by default. Applicable for addresses set with --bip and --fixed-cidr flags. For instance, you can configure --fixed-cidr=172.17.2.0/24 and default-gateway=172.17.1.1.
- --dns=[]: The DNS servers to use. For example: --dns=172.17.2.10.

``` bash
# https://docs.docker.com.zh.xy2401.com/v17.09/engine/userguide/networking/default_network/container-communication/#communication-between-containers
sysctl net.ipv4.conf.all.forwarding=1
iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
sudo iptables -L -n
sudo iptables -P FORWARD ACCEPT
```

```
# https://stackoverflow.com/a/43932266/130638
{
  "bip": "192.168.1.5/24",
  "fixed-cidr": "192.168.1.0/25"
}
```

```
# https://support.microfocus.com/kb/doc.php?id=7023491
{
  "bip": "192.168.1.5/24",
  "fixed-cidr": "192.168.1.5/25",
  "fixed-cidr-v6": "2001:db8::/64",
  "mtu": 1500,
  "default-gateway": "10.20.1.1",
  "default-gateway-v6": "2001:db8:abcd::89",
  "dns": ["10.20.1.2","10.20.1.3"]
}
```

``` bash
# https://developpaper.com/question/the-docker-container-cannot-connect-to-the-internet/
sysctl net.ipv4.ip_forward
iptables -t nat -L POSTROUTING
iptables -t nat -L POSTROUTING | grep -i masquerade
```

``` bash
# https://github.com/moby/moby/issues/36151#issuecomment-811024910
lsmod | grep br_netfilter
modprobe br_netfilter
netstat -i
ip link set dev docker0 promisc on
```

``` bash
# https://earthly.dev/blog/docker-networking/
docker network ls
docker ps
docker network inspect bridge
```

``` bash
# https://maximorlov.com/4-reasons-why-your-docker-containers-cant-talk-to-each-other/
docker network create -o com.docker.network.bridge.enable_icc=true [network]
```

``` bash
# https://www.reddit.com/r/docker/comments/o3axmn/docker_has_no_internet_access/
# https://stackoverflow.com/a/70421216/130638
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
echo "deb http://deb.debian.org/debian buster-backports main" | sudo tee -a /etc/apt/sources.list.d/buster-backports.list
sudo apt update
sudo apt install -t buster-backports libseccomp2
```

``` bash
# https://github.com/moby/moby/issues/36151#issuecomment-370978922
# https://stackoverflow.com/a/20431030/130638
# https://superuser.com/a/1130993/32418
sudo systemctl stop docker
sudo pkill docker
sudo iptables -t nat -F
sudo ifconfig docker0 down
sudo brctl delbr docker0
sudo systemctl start docker
```

``` bash
# https://github.com/docker/for-win/issues/221#issuecomment-597431251
sudo route -n add -net 172.x.0.0/16 $(docker-machine ip default)
sudo iptables -L
sudo iptables -I DOCKER-USER -j ACCEPT
```

``` bash
# https://stackoverflow.com/a/39801518/130638
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
```

``` bash
# https://stackoverflow.com/a/49621509/130638
sudo service iptables stop
sudo service docker restart
```

``` bash
# https://stackoverflow.com/a/70939554/130638
sudo ip link delete docker0
```

``` bash
# https://stackoverflow.com/a/68092908/130638
docker run --security-opt seccomp=unconfined imageName
```

``` bash
# https://github.com/moby/moby/issues/36151#issuecomment-968356070
# https://stackoverflow.com/a/70452290/130638
sudo systemctl disable nftables
sudo systemctl stop nftables
sudo reboot
sudo systemctl start docker
```

# dns

```
# https://support.nordvpn.com/Connectivity/Linux/1134945702/Change-your-DNS-servers-on-Linux.htm
# https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm
nameserver 103.86.96.100
nameserver 103.86.99.100
chattr +i /etc/resolv.conf
```

# resolvectl default route

```
# https://www.freedesktop.org/software/systemd/man/resolvectl.html
dns [LINK [SERVER…]], domain [LINK [DOMAIN…]], default-route [LINK [BOOL…]], llmnr [LINK [MODE]], mdns [LINK [MODE]], dnssec [LINK [MODE]], dnsovertls [LINK [MODE]], nta [LINK [DOMAIN…]]

Get/set per-interface DNS configuration. These comm
ands may be used to configure various DNS settings for network interfaces. These commands may be used to inform systemd-resolved or systemd-networkd about per-interface DNS configuration determined through external means. The dns command expects IPv4 or IPv6 address specifications of DNS servers to use. Each address can optionally take a port number separated with ":", a network interface name or index separated with "%", and a Server Name Indication (SNI) separated with "#". When IPv6 address is specified with a port number, then the address must be in the square brackets. That is, the acceptable full formats are "111.222.333.444:9953%ifname#example.com" for IPv4 and "[1111:2222::3333]:9953%ifname#example.com" for IPv6. The domain command expects valid DNS domains, possibly prefixed with "~", and configures a per-interface search or route-only domain. The default-route command expects a boolean parameter, and configures whether the link may be used as default route for DNS lookups, i.e. if it is suitable for lookups on domains no other link explicitly is configured for. The llmnr, mdns, dnssec and dnsovertls commands may be used to configure the per-interface LLMNR, MulticastDNS, DNSSEC and DNSOverTLS settings. Finally, nta command may be used to configure additional per-interface DNSSEC NTA domains. Commands dns, domain and nta can take a single empty string argument to clear their respective value lists.

For details about these settings, their possible values and their effect, see the corresponding settings in systemd.network(5).
```

> The default-route command expects a boolean parameter, and configures whether the link may be used as default route for DNS lookups, i.e. if it is suitable for lookups on domains no other link explicitly is configured for.

``` bash
# https://systemd.io/RESOLVED-VPNS/
resolvectl domain corporate0 '~corp-company.example' '~2.0.192.in-addr.arpa'
resolvectl default-route corporate0 false
resolvectl dns corporate0 192.0.2.1

resolvectl domain privacy0 '~.'
resolvectl default-route privacy0 true
resolvectl dns privacy0 8.8.8.8
```

# openvpn

``` bash
# https://askubuntu.com/a/466011/22776
# https://serverfault.com/a/953745
# https://serverfault.com/a/480098
redirect-gateway def1
```

- apparently this needs server-side config
- why isn't this config already inside the `.ovpn` files from nord?
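Back to the docker section: the bridge snippets in these notes keep repeating the same daemon.json keys (bip, fixed-cidr, default-gateway, dns), and the dockerd docs quoted with them state the one rule that matters, that fixed-cidr must lie inside the bip subnet. The script below is an added example, not part of this gist and not Docker's code: it uses Python's standard ipaddress module to check those keys against each other before the daemon is restarted. DOCS_EXAMPLE and SUSPECT_EXAMPLE are the two bridge configs quoted above with their IPv6 keys dropped; the "no on-link route" wording for a gateway outside the subnet is plain IP routing, not a Docker-specific check, and the file path handling is an assumption about how you would feed it a real daemon.json.

```python
"""Consistency checks for the docker0 bridge keys in daemon.json (added example, not Docker's code)."""
import ipaddress
import json
import sys

# The two bridge configs quoted in the docker section above (IPv6 keys left out).
DOCS_EXAMPLE = {"bip": "192.168.1.1/24", "fixed-cidr": "192.168.1.0/25",
                "default-gateway": "192.168.1.254", "dns": ["10.20.1.2", "10.20.1.3"]}
SUSPECT_EXAMPLE = {"bip": "192.168.1.5/24", "fixed-cidr": "192.168.1.5/25",
                   "default-gateway": "10.20.1.1", "dns": ["10.20.1.2", "10.20.1.3"]}


def check_bridge_config(cfg):
    """Return a list of findings; an empty list means the IPv4 bridge keys agree with each other."""
    findings = []
    bip = cfg.get("bip")
    if not bip:
        return ["bip unset: dockerd picks the docker0 subnet itself (172.17.0.0/16 by default)"]
    try:
        bridge = ipaddress.ip_interface(bip)    # docker0's own address plus its prefix length
    except ValueError:
        return [f"bip {bip!r} is not an address/prefix"]
    bridge_net = bridge.network                  # the whole docker0 subnet, e.g. 192.168.1.0/24

    fixed = cfg.get("fixed-cidr")
    if fixed:
        try:
            fixed_net = ipaddress.ip_network(fixed, strict=False)
        except ValueError:
            fixed_net = None
            findings.append(f"fixed-cidr {fixed!r} is not a network")
        if fixed_net is not None:
            if ipaddress.ip_interface(fixed).ip != fixed_net.network_address:
                findings.append(f"fixed-cidr {fixed!r} has host bits set; the range it denotes is {fixed_net}")
            if fixed_net.version != bridge_net.version:
                findings.append(f"fixed-cidr {fixed_net} is not the same IP version as bip {bridge_net}")
            elif not fixed_net.subnet_of(bridge_net):   # the docs' rule: fixed-cidr must sit inside bip
                findings.append(f"fixed-cidr {fixed_net} is not inside the bip subnet {bridge_net}")

    gw = cfg.get("default-gateway")
    if gw:
        try:
            gw_ip = ipaddress.ip_address(gw)
        except ValueError:
            findings.append(f"default-gateway {gw!r} is not an IP address")
        else:
            if gw_ip not in bridge_net:
                findings.append(f"default-gateway {gw_ip} is outside the bip subnet {bridge_net}, "
                                "so containers have no on-link route to it")

    for server in cfg.get("dns", []):
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"dns entry {server!r} is not an IP address")
    return findings


def check_file(path):
    """Load a daemon.json from disk (path is an assumption, e.g. /etc/docker/daemon.json) and check it."""
    with open(path) as fh:
        return check_bridge_config(json.load(fh))


if __name__ == "__main__":
    result = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_bridge_config(SUSPECT_EXAMPLE)
    print("\n".join(result) or "ok: bridge keys are consistent")
```

Run without arguments it checks SUSPECT_EXAMPLE, the second quoted config, and reports two findings: its fixed-cidr has host bits set (the range it means is 192.168.1.0/25), and its default-gateway 10.20.1.1 sits outside 192.168.1.0/24. The first quoted config passes cleanly.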
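Staying with the resolvectl notes above: the man page says default-route only matters for domains no other link is explicitly configured for, and the systemd.io snippet relies on exactly that by giving the VPN link the catch-all routing domain `~.`. What follows is an added model of that routing decision, written for this page and not systemd's own code: a query goes to the link whose routing (or search) domain is the longest suffix match of the name; `~.` matches every name with a match length of zero, which still beats the default-route fallback; only when no domain matches at all do the default-route links receive the query. corporate0 and privacy0 are taken from the systemd.io snippet; ens33 is a constructed stand-in for a LAN uplink whose resolver is the router 192.168.0.1 and which has default-route set, as a typical DHCP-configured link does. The model simplifies real systemd-resolved behaviour: links that tie are returned as a set (resolved queries them in parallel), and global fallback servers are ignored.

```python
"""Which link does systemd-resolved send a lookup to? Added model for this page, not systemd's code."""
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    dns: list
    domains: list = field(default_factory=list)  # what `resolvectl domain LINK ...` set
    default_route: bool = False                  # what `resolvectl default-route LINK ...` set


# corporate0 and privacy0 come from the systemd.io/RESOLVED-VPNS snippet above; ens33 is a
# constructed LAN uplink (router 192.168.0.1 as resolver, default-route yes, no domains).
LINKS = [
    Link("ens33", ["192.168.0.1"], default_route=True),
    Link("corporate0", ["192.0.2.1"], ["~corp-company.example", "~2.0.192.in-addr.arpa"], False),
    Link("privacy0", ["8.8.8.8"], ["~."], True),
]
# The same VPN link without the '~.' catch-all: only default-route=yes now distinguishes it from ens33.
LEAKY_LINKS = [LINKS[0], LINKS[1], Link("privacy0", ["8.8.8.8"], [], True)]


def _labels(name):
    """'www.Example.com.' -> ['www', 'example', 'com']; the root ('.' or '') is the empty list."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def match_length(name, domain):
    """Labels that `domain` shares with the tail of `name`, or -1 if it is not a suffix.

    The '~' prefix only marks a route-only domain, so it is stripped; '~.' has zero labels
    and therefore matches every name with length 0.
    """
    dom, labels = _labels(domain.lstrip("~")), _labels(name)
    if len(dom) > len(labels) or labels[len(labels) - len(dom):] != dom:
        return -1
    return len(dom)


def route_query(name, links=LINKS):
    """Set of link names that receive the query for `name`.

    Longest matching domain wins; ties go to every tied link; only when no domain on any
    link matches does the query fall back to the links with default-route set.
    """
    best, chosen = -1, []
    for link in links:
        for domain in link.domains:
            n = match_length(name, domain)
            if n > best:
                best, chosen = n, [link.name]
            elif n == best and n >= 0 and link.name not in chosen:
                chosen.append(link.name)
    if chosen:
        return set(chosen)
    return {link.name for link in links if link.default_route}


def servers_for(name, links=LINKS):
    """The DNS server addresses that will actually see the query for `name`."""
    targets = route_query(name, links)
    return sorted(server for link in links if link.name in targets for server in link.dns)
```

With LINKS, `example.org` goes only to privacy0 (8.8.8.8) because `~.` matches it, and `www.corp-company.example` goes only to corporate0 because its two-label match beats the zero-label catch-all. With LEAKY_LINKS, where the `~.` line was never run, `example.org` matches no domain at all, so both default-route links get it: the VPN and the LAN uplink, which is the kind of leak the resolv.conf pinning in the dns section above is trying to stop.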
# openvpn and iptables

```
# https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"

# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o eth0 \
     -s 10.8.0.0/24 -d 192.168.0.0/24 \
     -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
     -j ACCEPT

# Masquerade all traffic from VPN clients -- done in the nat table
iptables -t nat -I POSTROUTING -o eth0 \
     -s 10.8.0.0/24 -j MASQUERADE
```

# iptables debugging

``` bash
# list rules
iptables --line-numbers -t filter -L FORWARD
```

# iptables forwarding

``` bash
# https://upcloud.com/resources/tutorials/configure-iptables-ubuntu
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Next, allow traffic to a specific port to enable SSH connections with the following.
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# To enable access to an HTTP web server, use the following command.
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Changing the default policy to DROP will permit only specifically accepted connections.
sudo iptables -P INPUT DROP
# Now if you were to restart your cloud server all of these iptables configurations would be wiped. To prevent this, save the rules to a file.
# (the redirection has to run as root too, so go through tee rather than a plain `>`)
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
# You can then simply restore the saved rules by reading the file you saved.
# Overwrite the current rules
sudo iptables-restore < /etc/iptables/rules.v4
# Add the new rules keeping the current ones
sudo iptables-restore -n < /etc/iptables/rules.v4
# You can automate the restore process at reboot by installing an additional package for iptables which takes over the loading of the saved rules. To do this, run the following command.
sudo apt-get install iptables-persistent
# If you make further changes to your iptables rules, remember to save them again using the same command as above. iptables-persistent looks for the files rules.v4 and rules.v6 under /etc/iptables.
# To know which index number to enter, use the following command.
sudo iptables -L --line-numbers
# For example to insert a new rule at the top of the chain, use the following command with index number 1.
sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
# For example to delete the second rule on the input chain, use this command.
# sudo iptables -D INPUT 2
# Warning: Make sure you set the default rule to ACCEPT before flushing any chain.
sudo iptables -P INPUT ACCEPT
# Clear input chain
sudo iptables -F INPUT
# Flush the whole iptables
sudo iptables -F
```

``` bash
# https://www.hostinger.com/tutorials/iptables-tutorial
# sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp) > -s <source> --dport <port no.> -j <target>
# -i (interface) — the network interface whose traffic you want to filter, such as eth0, lo, ppp0, etc.
# -p (protocol) — the network protocol where your filtering process takes place. It can be either tcp, udp, udplite, icmp, sctp, icmpv6, and so on. Alternatively, you can type all to choose every protocol.
# -s (source) — the address from which traffic comes from. You can add a hostname or IP address.
# --dport (destination port) — the destination port number of a protocol, such as 22 (SSH), 443 (https), etc.
# -j (target) — the target name (ACCEPT, DROP, RETURN). You need to insert this every time you make a new rule.

# list rules
sudo iptables -L -v
# To allow traffic on localhost, type this command:
sudo iptables -A INPUT -i lo -j ACCEPT
# Enabling Connections on HTTP, SSH, and SSL Port
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Filtering Packets Based on Source
sudo iptables -A INPUT -s 192.168.1.3 -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.3 -j DROP
sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP
# Dropping all Other Traffic
sudo iptables -A INPUT -j DROP
# Deleting Rules
sudo iptables -F # erase all, apparently aka flush
sudo iptables -L --line-numbers # list rules
sudo iptables -D INPUT 3 # delete a specific rule
# Persisting Changes across reboots
sudo /sbin/iptables-save
# Disable iptables
sudo iptables -F
sudo /sbin/iptables-save
```

``` bash
# https://askubuntu.com/a/218053/22776
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -m state --state INVALID -j DROP
```

``` bash
# https://serverfault.com/a/1025183
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy
```

``` bash
# https://serverfault.com/a/480098
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

``` bash
# https://askubuntu.com/a/578550/22776
iptables -I FORWARD -i tun0 -o eth0 \
    -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 \
    -s 10.8.0.0/24 -j MASQUERADE
```

``` bash
# https://serverfault.com/a/200658
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X

iptables -nvL
```

``` bash
# https://serverfault.com/a/200642
iptables-save | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; } /COMMIT/ { print $0; }' | iptables-restore
```

``` bash
# https://serverfault.com/a/962809
iptables-save | tee iptables_backup.conf | grep -v '\-A' | iptables-restore
iptables-restore < iptables_backup.conf
```

``` bash
# https://serverfault.com/a/998574
# It resets (and disables) ufw and then resets iptables, clearing and removing all chains. Then it enables ufw again, but not before it allows port 22 for remote access. The two commands that require user confirmation are "forced", ensuring no input is required. I was able to run this over an active SSH connection.
sudo bash -c "ufw -f reset && iptables -F && iptables -X && ufw allow 22 && ufw -f enable"
```

``` bash
# https://serverfault.com/a/1002428
iptables -S | grep DROP | sed 's/-A/-D/' > rules   # -A becomes -D: delete
nano rules   # check that everything is correct
cat rules | while read -r line; do iptables $line; done
iptables-save
```

``` bash
# https://serverfault.com/a/1082227
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -t filter -F
sudo iptables -t raw -F
sudo iptables -t nat -X
sudo iptables -t mangle -X
sudo iptables -t filter -X
sudo iptables -t raw -X
echo "=== NAT ==="; sudo iptables -t nat -S
printf '\n=== MANGLE ===\n'; sudo iptables -t mangle -S
printf '\n=== FILTER ===\n'; sudo iptables -t filter -S
printf '\n=== RAW ===\n'; sudo iptables -t raw -S
```

``` bash
# https://unix.stackexchange.com/a/283803/50703
# Masquerade outgoing traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Allow return traffic
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward everything
iptables -A FORWARD -j ACCEPT
```

``` bash
# https://unix.stackexchange.com/a/283802/50703
-I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
```

``` bash
# https://serverfault.com/a/866668
# too complicated, no explanation
```

``` bash
# https://arashmilani.com/post?id=53
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
```

- why is linux help never explanatory, what do those commands even do?
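The bullet above asks what those commands actually do. As an added example, not from the gist or from any of the linked answers, here is a Python script that parses iptables-save output (the format the save/restore commands above read and write), renders each rule as a sentence, and then checks the three properties the "openvpn and iptables" rules exist to provide: a VPN client on tun0 may open connections out of eth0, the replies are forwarded back, and the VPN subnet is masqueraded on the way out. SAMPLE_SAVE is constructed for this example to mirror that section (tun0 = VPN, eth0 = LAN side, clients in 10.8.0.0/24; the 192.168.0.20 LAN host is made up). The packet matcher is deliberately minimal: it models -i/-o, -s/-d and conntrack state only, follows the first-match-wins order of the FORWARD chain, and does not descend into user chains such as DOCKER-USER.

```python
import ipaddress
import shlex

# Constructed `iptables-save` output for a host set up like the "openvpn and iptables" section above.
SAMPLE_SAVE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 192.168.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """'-A CHAIN opts...' -> {'chain', 'target', 'opts'}; a leading '!' negates the option after it."""
    toks = shlex.split(line)
    i, opts, negate = 2, {}, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True
        elif tok.startswith("-"):  # an option takes the next token as its value unless that is another option
            key, val = tok.lstrip("-"), True
            if i + 1 < len(toks) and toks[i + 1] != "!" and not toks[i + 1].startswith("-"):
                i, val = i + 1, toks[i + 1]
            opts[key] = "!" + val if negate and isinstance(val, str) else val
            negate = False
        i += 1
    return {"chain": toks[1], "target": opts.pop("j", None), "opts": opts}

def parse_save(text):
    """iptables-save text -> {table: {'policy': {chain: policy}, 'rules': [parsed rules]}}."""
    tables, table = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):
            tables[table]["rules"].append(parse_rule(line))
    return tables

def explain(table, rule):
    """The sentence the man page never gives you: what the rule does, to which packets."""
    o = rule["opts"]
    verb = {"ACCEPT": "let through", "DROP": "silently discard", "REJECT": "refuse",
            "MASQUERADE": "rewrite the source address to the outgoing interface's own address on"}
    parts = [f"{verb.get(rule['target'], rule['target'])} packets"]
    for key, phrase in (("i", "arriving on"), ("o", "leaving via"), ("s", "from"), ("d", "to")):
        if key in o:
            parts.append(f"{phrase} {o[key]}")
    state = o.get("ctstate") or o.get("state")
    parts += [f"in connection state {state}"] if state else []
    return f"{table}/{rule['chain']}: " + " ".join(parts)

def _matches(rule, pkt):
    """Simplified packet match: -i/-o, -s/-d (honouring '!'), and conntrack state only."""
    o = rule["opts"]
    if any(k in o and o[k] != pkt[k] for k in ("i", "o")):
        return False
    for key, field in (("s", "src"), ("d", "dst")):
        if key in o and (pkt[field] in ipaddress.ip_network(o[key].lstrip("!"), strict=False)) == o[key].startswith("!"):
            return False
    state = o.get("ctstate") or o.get("state")
    return state is None or pkt["state"] in state.split(",")

def forward_verdict(tables, pkt):
    """First matching terminal rule in filter/FORWARD wins; otherwise the chain policy applies."""
    filt = tables.get("filter", {"policy": {}, "rules": []})
    for rule in filt["rules"]:
        if rule["chain"] == "FORWARD" and rule["target"] in ("ACCEPT", "DROP", "REJECT") and _matches(rule, pkt):
            return rule["target"]
    return filt["policy"].get("FORWARD", "ACCEPT")

def masquerades(tables, vpn_net, wan_if):
    """True if nat/POSTROUTING source-NATs the whole VPN subnet when it leaves via wan_if."""
    net = ipaddress.ip_network(vpn_net)
    for rule in tables.get("nat", {"rules": []})["rules"]:
        o, src = rule["opts"], rule["opts"].get("s")
        if rule["chain"] != "POSTROUTING" or rule["target"] not in ("MASQUERADE", "SNAT") or o.get("o", wan_if) != wan_if:
            continue
        if src and (src.startswith("!") or not net.subnet_of(ipaddress.ip_network(src, strict=False))):
            continue
        return True
    return False

def check_vpn_gateway(text, vpn_net="10.8.0.0/24", vpn_if="tun0", wan_if="eth0", lan_host="192.168.0.20"):
    tables = parse_save(text)  # the three questions the rules above exist to answer, as booleans
    client, lan = ipaddress.ip_network(vpn_net)[10], ipaddress.ip_address(lan_host)
    out = {"i": vpn_if, "o": wan_if, "src": client, "dst": lan, "state": "NEW"}
    back = {"i": wan_if, "o": vpn_if, "src": lan, "dst": client, "state": "ESTABLISHED"}
    return {"vpn_client_can_open_connections": forward_verdict(tables, out) == "ACCEPT",
            "replies_get_back_to_vpn_client": forward_verdict(tables, back) == "ACCEPT",
            "vpn_traffic_is_masqueraded": masquerades(tables, vpn_net, wan_if)}
```

`check_vpn_gateway(SAMPLE_SAVE)` answers all three with True; delete the MASQUERADE line and the third turns False, change the NEW rule to ESTABLISHED and the first turns False while replies still pass, which is the "clients connect but nothing works" state the flush-and-retry recipes above keep poking at. On a real host, pass it the text of `iptables-save` (run as root) and point the vpn_net/vpn_if/wan_if parameters at whatever subnet and interface pair you are actually debugging; `explain()` over `parse_save()` prints one sentence per rule, which is the reading of the rules the bullet above was asking for.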