OpenVPN – Selective traffic (mail.ru, yandex.ru, vk.com, ok.ru, kaspersky.ru)

Goal:

Only the networks that fall under the ban should be routed through the VPN; everything else should go directly. Ease of connecting devices, cross-platform support, speed and security also matter.

All steps were performed on CentOS 7.

Install the EPEL repository if it is not already in the system and install the necessary packages:

yum install epel-release -y
yum install openvpn easy-rsa -y

Create a configuration file:

vim /etc/openvpn/server.conf

And copy the following into it:

local CHANGE_THIS_ON_YOUR_PUBLIC_IP
port 1194
 
proto udp
dev-type tun
dev tun
 
ca ca.crt
cert server.crt
key server.key
 
dh dh2048.pem
 
topology subnet
server 10.8.0.0 255.255.255.0
 
txqueuelen 250
keepalive 300 900
 
cipher AES-128-CBC
ncp-ciphers AES-128-GCM
 
user nobody
group nobody
 
duplicate-cn
 
persist-key
persist-tun
 
status openvpn-status.log
 
client-config-dir ccd

To ensure that only the required networks, and not all our traffic, go through the VPN, we create the default file in the client-config-dir; OpenVPN applies it to every client that has no file of its own:

mkdir /etc/openvpn/ccd
vim /etc/openvpn/ccd/DEFAULT

And copy the following into it:

push "dhcp-option DNS 8.8.8.8"
push "route 8.8.8.8"
 
push "dhcp-option DNS 74.82.42.42" # HE.net DNS
push "route 74.82.42.42" # Route to HE.net DNS
 
# Persist TUN
push "persist-tun"
 
# Routes
 
# Yandex network
push "route 5.45.192.0 255.255.192.0"
push "route 5.255.192.0 255.255.192.0"
push "route 37.9.64.0 255.255.192.0"
push "route 37.140.128.0 255.255.192.0"
push "route 77.75.152.0 255.255.248.0"
push "route 77.88.0.0 255.255.192.0"
push "route 84.201.128.0 255.255.192.0"
push "route 87.250.224.0 255.255.224.0"
push "route 93.158.128.0 255.255.192.0"
push "route 95.108.128.0 255.255.128.0"
push "route 100.43.64.0 255.255.224.0"
push "route 109.235.160.0 255.255.248.0"
push "route 130.193.32.0 255.255.224.0"
push "route 141.8.128.0 255.255.192.0"
push "route 178.154.128.0 255.255.128.0"
push "route 185.32.185.0 255.255.255.0"
push "route 185.32.186.0 255.255.255.0"
push "route 185.71.76.0 255.255.252.0"
push "route 199.21.96.0 255.255.252.0"
push "route 199.36.240.0 255.255.252.0"
push "route 213.180.192.0 255.255.224.0"
 
push "route-ipv6 2001:678:384::/48"
push "route-ipv6 2620:10f:d000::/44"
push "route-ipv6 2a02:6b8::/32"
push "route-ipv6 2a02:5180::/32"
 
# Mail.ru network
push "route 5.61.16.0 255.255.248.0"
push "route 5.61.232.0 255.255.248.0"
push "route 79.137.157.0 255.255.255.0"
push "route 79.137.183.0 255.255.255.0"
push "route 94.100.176.0 255.255.240.0"
push "route 95.163.32.0 255.255.224.0"
push "route 95.163.248.0 255.255.248.0"
push "route 128.140.168.0 255.255.248.0"
push "route 178.22.88.0 255.255.248.0"
push "route 178.237.16.0 255.255.240.0"
push "route 185.5.136.0 255.255.252.0"
push "route 185.16.148.0 255.255.252.0"
push "route 185.16.244.0 255.255.252.0"
push "route 188.93.56.0 255.255.248.0"
push "route 194.186.63.0 255.255.255.0"
push "route 195.211.20.0 255.255.252.0"
push "route 195.211.128.0 255.255.252.0"
push "route 195.218.168.0 255.255.255.0"
push "route 208.87.92.0 255.255.252.0"
push "route 217.20.144.0 255.255.240.0"
push "route 217.69.128.0 255.255.240.0"
 
push "route-ipv6 2a00:1148::/32"
push "route-ipv6 2a00:a300::/32"
push "route-ipv6 2a00:b4c0::/32"
 
# VK.com network
push "route 87.240.128.0 255.255.192.0"
push "route 93.186.224.0 255.255.240.0"
push "route 95.142.192.0 255.255.240.0"
push "route 95.213.0.0 255.255.192.0"
push "route 185.29.130.0 255.255.255.0"
push "route 185.32.248.0 255.255.252.0"
 
push "route-ipv6 2a00:bdc0::/36"
push "route-ipv6 2a00:bdc0:e003::/48"
push "route-ipv6 2a00:bdc0:e004::/46"
push "route-ipv6 2a00:bdc0:e008::/48"
push "route-ipv6 2a00:bdc0:f000::/36"
 
# Kaspersky network
push "route 77.74.176.0 255.255.248.0"
push "route 91.103.64.0 255.255.248.0"
push "route 93.159.224.0 255.255.248.0"
push "route 185.54.220.0 255.255.254.0"
push "route 185.85.12.0 255.255.255.0"
push "route 185.85.14.0 255.255.254.0"
 
push "route-ipv6 2a03:2480::/33"
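As an added example (not part of the guide), the following Python script parses the push "route" and push "route-ipv6" lines of a ccd/DEFAULT file like the one above and reports, for a destination address, which pushed prefix will carry it through the tunnel (None means it goes direct), and which pushed prefixes are already covered by a wider one. The sample text is a constructed excerpt; the 77.88.8.0/24 line is added only to show a redundant prefix.

```python
import ipaddress
import re

# Constructed excerpt of the guide's ccd/DEFAULT file; the 77.88.8.0/24
# line is added here only to show a redundant (already covered) prefix.
CCD_SAMPLE = """\
push "dhcp-option DNS 8.8.8.8"
push "route 8.8.8.8"
# Yandex network
push "route 77.88.0.0 255.255.192.0"
push "route 77.88.8.0 255.255.255.0"
push "route 213.180.192.0 255.255.224.0"
push "route-ipv6 2a02:6b8::/32"
# VK.com network
push "route 87.240.128.0 255.255.192.0"
push "route-ipv6 2a00:bdc0::/36"
push "route-ipv6 2a00:bdc0:e003::/48"
"""

# Matches push "route A.B.C.D [MASK]" and push "route-ipv6 PREFIX/LEN".
_ROUTE_RE = re.compile(r'^push\s+"route(-ipv6)?\s+([^"\s]+)(?:\s+([^"\s]+))?"')

def parse_pushed_routes(text):
    """Return the ip_network objects pushed by a ccd file (other pushes are ignored)."""
    nets = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue  # comments, dhcp-option, persist-tun, ...
        is_v6, addr, mask = m.groups()
        if is_v6:
            nets.append(ipaddress.ip_network(addr, strict=False))
        else:
            # OpenVPN treats a bare "route host" as a /32 host route.
            nets.append(ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False))
    return nets

def vpn_route_for(dest, nets):
    """Most specific pushed prefix carrying dest, or None if it goes direct."""
    ip = ipaddress.ip_address(dest)
    hits = [n for n in nets if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def redundant_routes(nets):
    """Pushed prefixes that are fully inside another pushed prefix."""
    return [n for n in nets
            if any(o != n and o.version == n.version and n.subnet_of(o) for o in nets)]
```

Run it against the real /etc/openvpn/ccd/DEFAULT to confirm that a site's address resolves into a pushed prefix before blaming the tunnel.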

Create a folder for keys and copy the necessary scripts to create them:

mkdir -p /etc/openvpn/easy-rsa/keys
cp -a /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

For convenience, we can put the information needed for creating keys into environment variables right away, so that we do not have to enter it again every time:

vim /etc/openvpn/easy-rsa/vars

And set the following values in it:

export KEY_COUNTRY="UA"
export KEY_PROVINCE="UA"
export KEY_CITY="Kiev"
export KEY_ORG="openvpn"
export KEY_EMAIL="admin@artem.services"
export KEY_OU="VPN"
export KEY_NAME="openvpn"
export KEY_CN="openvpn.artem.services"

Copy the OpenSSL configuration:

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Go to the directory with the key-generation scripts, load the variables, and clear the keys directory for the keys we are about to create:

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all

Create a root certificate:

./build-ca

Create the server key and certificate:

./build-key-server server

Create the Diffie-Hellman parameters:

./build-dh

Let’s go to the directory with the keys and certificates that we created:

cd /etc/openvpn/easy-rsa/keys

And copy the files we need to the OpenVPN directory:

cp -a dh2048.pem ca.crt server.crt server.key /etc/openvpn

It is important that these files keep their permissions after copying (cp -a preserves them); server.key in particular must remain readable by root only.

Create a certificate and a key for the client:

cd /etc/openvpn/easy-rsa
./build-key client

The configuration below is for iptables; if firewalld is in use, disable it as follows:

yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
 
# Add the NAT rule to iptables and save it:
 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Be sure to check that the outbound interface name is correct; in my case it is eth0.

In the file "/etc/sysctl.conf" we enable packet forwarding:

net.ipv4.ip_forward = 1

And restart the network service:

systemctl restart network.service

Enable the OpenVPN service at boot and start it:

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

Create a client configuration file for connecting to the server, embedding the required keys and certificates directly in it:

vim openvpn.ovpn

And copy the following into it:

client
remote artem.services 1194
 
nobind
 
remote-cert-tls server
 
cipher AES-128-CBC
 
setenv opt ncp-ciphers AES-128-GCM
 
setenv opt block-outside-dns
 
dev tun
 
proto udp
<ca>
FILE CONTENTS ca.crt
</ca>
 
<cert>
FILE CONTENTS client.crt
</cert>
 
<key>
FILE CONTENTS client.key
</key>

This file can then be imported on the client devices, which can connect to the server with it.
