VPN


Step 1 - Install

Install

  • 1) New VM
  • [New VM] RockyLinux85 => Copy vm
    [Network] eth0, VLAN_71, VLAN_81
    [Memory] 2G


  • 2) VPN Install
  • eth0 - dhcp
    eth1 - ip : 192.168.71.8
    eth2 - ip : 192.168.81.8


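    # Packages for both VPN stacks: pptpd comes from EPEL, openvpn/iptables are
    # used by later steps.
    dnf install epel-release -y
    dnf install openvpn ppp pptpd iptables iptables-services -y

    # [pptpd]
    # NOTE(review): PPTP (MS-CHAPv2) is considered cryptographically broken;
    # prefer the WireGuard setup in 3) wherever the clients support it.
    #
    # Append a setting only when the exact line is not already present, so
    # re-running these notes does not duplicate entries in the config files.
    # (grep's stderr is silenced on purpose: a missing file simply means
    # "not present yet".)
    add_line_once() {
      local file=$1 line=$2
      grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
    }

    # Server-side tunnel address and the pool handed out to dialing clients.
    add_line_once /etc/pptpd.conf "connections 100"
    add_line_once /etc/pptpd.conf "localip 192.168.99.1"
    add_line_once /etc/pptpd.conf "remoteip 192.168.99.100-200"

    # DNS servers pushed to clients and a reduced MTU (the notes give no reason
    # for 1400; presumably to avoid fragmentation inside the GRE tunnel).
    add_line_once /etc/ppp/options.pptpd "ms-dns 8.8.8.8"
    add_line_once /etc/ppp/options.pptpd "ms-dns 8.8.4.4"
    add_line_once /etc/ppp/options.pptpd "mtu 1400"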

    		

    ====================

  • 3) WireGuard
  • Install Wireguard VPN on Rocky Linux 9

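    # Load the in-kernel WireGuard module now, confirm it, and load it on boot.
    modprobe wireguard
    lsmod | grep wireguard
    echo wireguard > /etc/modules-load.d/wireguard.conf
    dnf install wireguard-tools -y

    # Key material. Two changes from the plain `wg genkey | tee` form:
    #  - a restrictive umask means the key files are never world-readable,
    #    not even in the window before chmod runs (the umask stays in effect
    #    for the rest of this shell session);
    #  - redirecting instead of `tee` keeps the private keys out of the
    #    terminal scrollback and any session recording.
    umask 077
    mkdir -p /etc/wireguard/clients

    wg genkey > /etc/wireguard/server.key
    wg pubkey < /etc/wireguard/server.key > /etc/wireguard/server.pub
    chmod 0400 /etc/wireguard/server.key

    # The client private key gets the same protection as the server key.
    wg genkey > /etc/wireguard/clients/client1.key
    wg pubkey < /etc/wireguard/clients/client1.key > /etc/wireguard/clients/client1.pub
    chmod 0400 /etc/wireguard/clients/client1.key

    # Only the public halves are copied into the opposite side's config.
    cat /etc/wireguard/server.pub /etc/wireguard/clients/client1.pub

    # Server interface config, contents below.
    vi /etc/wireguard/wg0.conf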
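    [Interface]
    # WireGuard server private key: the contents of /etc/wireguard/server.key.
    # This file then holds the key in clear text - keep it readable by root only.
    PrivateKey = <contents-of-/etc/wireguard/server.key>

    # Server address inside the tunnel network.
    Address = 10.8.0.1/24

    # Clients connect to this UDP port (opened with firewall-cmd in the next step).
    ListenPort = 51820

    # wg-quick rewrites this file from the live interface state when wg0 goes
    # down: peers added with `wg set` survive, but hand edits made while the
    # interface is up are overwritten.
    SaveConfig = true

    # Let tunnel clients reach the upstream network: masquerade and accept
    # forwarded traffic coming from the tunnel interface.
    # "-i wg0" must name this interface exactly - "-i wg" (as originally written)
    # matches only an interface literally called "wg", so the FORWARD rule would
    # not apply to tunnel traffic.
    # ens160 is the upstream interface of the host these notes were written on;
    # use the device printed by `ip route show default` (the step-2 VM names its
    # interfaces eth0/eth1/eth2).
    PostUp = firewall-cmd --zone=public --add-masquerade
    PostUp = firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o ens160 -j ACCEPT
    PostUp = firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ens160 -j MASQUERADE

    PostDown = firewall-cmd --zone=public --remove-masquerade
    PostDown = firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o ens160 -j ACCEPT
    PostDown = firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o ens160 -j MASQUERADE

    [Peer]
    # WireGuard client public key: contents of /etc/wireguard/clients/client1.pub.
    # The value below is the sample from these notes - paste your own.
    PublicKey = FrDq2dG6C15Z08aKiMkFbYqvFXNdXes+sH/3im5V5nM=

    # Source addresses accepted from this peer and routed to it. A single client
    # gets a /32; "/24" here would assign the whole tunnel subnet to client1 and
    # conflict with every peer added later. A network behind the client can be
    # listed as an additional entry, e.g. [172.16.100.0/24].
    AllowedIPs = 10.8.0.8/32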
    

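    # Enable IPv4/IPv6 forwarding persistently through a sysctl.d drop-in.
    # Writing the file whole is idempotent, unlike appending to /etc/sysctl.conf
    # on every run of these notes.
    printf '%s\n' 'net.ipv4.ip_forward=1' 'net.ipv6.conf.all.forwarding=1' \
      > /etc/sysctl.d/99-wireguard.conf
    sysctl --system

    # The device shown here is the one to use as "-o" in the wg0.conf
    # PostUp/PostDown rules.
    ip route show default

    # Open the listen port (must match ListenPort in wg0.conf).
    firewall-cmd --add-port=51820/udp --permanent
    firewall-cmd --reload
    firewall-cmd --list-all

    # Manage wg0 through the systemd unit so it comes back after a reboot,
    # then verify the interface and the peer list.
    systemctl enable --now wg-quick@wg0.service
    systemctl status wg-quick@wg0.service
    ip a show wg0
    wg show

    # Manual alternative to the unit. Do not mix the two: while the unit owns
    # wg0, `wg-quick up` refuses to start ("wg0 already exists") and
    # `wg-quick down` tears the interface out from under the unit.
    # wg-quick up /etc/wireguard/wg0.conf
    # wg-quick down /etc/wireguard/wg0.conf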


    client1.conf
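    [Interface]
    # Private key for the client: contents of /etc/wireguard/clients/client1.key.
    # The value below is the sample from these notes - generate your own (step 3)
    # and never reuse a key that has been pasted into a document.
    PrivateKey = OENFqmyUSQd2SvPiyR/2KFPhOFnuJAfA9+EfFo0zRFQ=

    # Client's tunnel address - must match the AllowedIPs entry for this peer in
    # wg0.conf on the server.
    Address = 10.8.0.8/24

    [Peer]
    # Public key of the WireGuard server: contents of /etc/wireguard/server.pub.
    PublicKey = MwKaMUy+ecLyg04DJ+4WumSVStxxuyu+wkY/8mZaTz0=

    # Full tunnel: every destination is routed through the VPN. Name resolution
    # is not covered by this setting; add a `DNS =` line to [Interface] if
    # lookups must also stay inside the tunnel.
    AllowedIPs = 0.0.0.0/0

    # Address at which the client reaches the server's ListenPort.
    # NOTE(review): the step-2 server has 192.168.71.8 / 192.168.81.8 (plus DHCP
    # on eth0); this value appears to come from a different host - confirm it.
    Endpoint = 192.168.0.24:51820

    # Keepalive every 25 s so NAT/firewall state between client and server
    # does not expire while the tunnel is idle.
    PersistentKeepalive = 25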