![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2018\/10\/OpenVPN.png\")
<\/p>\n<\/p>\n
Only allow networks that fall under the ban through a VPN, the rest should go directly. The convenience of connecting devices, cross-platform, speed and security are also important.<\/p>\n
All steps were performed on CentOS 7<\/strong>.<\/p>\n Install the EPEL<\/strong> repository if it is not already in the system and install the necessary packages:<\/p>\n Create a configuration file:<\/p>\n <\/p>\n And copy the following into it:<\/p>\n To ensure that not all our traffic goes through the VPN, but only the necessary networks, we will create a configuration file for the client:<\/p>\n And copy the following into it:<\/p>\n Create a folder for keys and copy the necessary scripts to create them:<\/p>\n For convenience, we can immediately specify the information necessary for creating keys in environment variables so that we do not constantly enter it in the future:<\/p>\n And we bring it to this form:<\/p>\n Copy the OpenSSL<\/strong> configuration:<\/p>\n Go to the script folder for creating keys, and clear its contents for our future keys:<\/p>\n Create a root certificate:<\/p>\n Create a key and a public certificate:<\/p>\n Create a Diffie-Hellman<\/strong> key:<\/p>\n Let’s go to the directory with the keys and certificates that we created:<\/p>\n And copy the files we need to the OpenVPN<\/strong> directory:<\/p>\n <\/p>\n It is important that after copying these files retain the permission<\/p><\/blockquote>\n <\/p>\n Create a certificate and a key for the client:<\/p>\n Further the configuration is given for iptables<\/strong>, if firewalld<\/strong> is used then you can disable it as follows:<\/p>\n <\/p>\n Be sure to check the interface name is correct, in my case it is eth0<\/strong><\/p><\/blockquote>\n In the file \"\/etc\/sysctl.conf<\/strong>\" we enable packet forwarding:<\/p>\n And restart the network service:<\/p>\n Add the OpenVPN<\/strong> service to autorun and start it:<\/p>\n Create a client configuration file for connecting to the server, immediately inserting the necessary keys and certificates:<\/p>\n And copy the following into it:<\/p>\n Then this file can be imported to client devices and connected to the server.<\/p>\n","protected":false},"excerpt":{"rendered":" Goal: Only allow networks that fall under the ban through a VPN, the rest should go directly. The convenience of connecting devices, cross-platform, speed and security are also important. All steps were performed on CentOS 7. Install the EPEL repository if it is not already in the system and install the necessary packages: Create a … \u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u0447\u0438\u0442\u0430\u0442\u044c "OpenVPN — Selective traffic (mail.ru, yandex.ru, vk.com, ok.ru, kaspersky.ru)"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1335],"tags":[855,1337],"_links":{"self":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/1688"}],"collection":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1688"}],"version-history":[{"count":3,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/1688\/revisions"}],"predecessor-version":[{"id":1763,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/1688\/revisions\/1763"}],"wp:attachment":[{"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1688"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1688"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1688"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\r\nyum install epel-release -y\r\nyum install openvpn easy-rsa -y\r\n<\/pre>\n
\r\nvim \/etc\/openvpn\/server.conf\r\n<\/pre>\n
\r\nlocal CHANGE_THIS_ON_YOUR_PUBLIC_IP\r\nport 1194\r\n\r\nproto udp\r\ndev-type tun\r\ndev tun\r\n\r\nca ca.crt\r\ncert server.crt\r\nkey server.key\r\n\r\ndh dh2048.pem\r\n\r\ntopology subnet\r\nserver 10.8.0.0 255.255.255.0\r\n\r\ntxqueuelen 250\r\nkeepalive 300 900\r\n\r\ncipher AES-128-CBC\r\nncp-ciphers AES-128-GCM\r\n\r\nuser nobody\r\ngroup nobody\r\n\r\nduplicate-cn\r\n\r\npersist-key\r\npersist-tun\r\n\r\nstatus openvpn-status.log\r\n\r\nclient-config-dir ccd\r\n<\/pre>\n
\r\nmkdir \/etc\/openvpn\/ccd\r\nvim \/etc\/openvpn\/ccd\/DEFAULT\r\n<\/pre>\n
\r\npush "dhcp-option DNS 8.8.8.8"\r\npush "route 8.8.8.8"\r\n\r\npush "dhcp-option DNS 74.82.42.42" # HE.net DNS\r\npush "route 74.82.42.42" # Route to HE.net DNS\r\n\r\n# Persist TUN\r\npush "persist-tun"\r\n\r\n# Routes\r\n\r\n# Yandex network\r\npush "route 5.45.192.0 255.255.192.0"\r\npush "route 5.255.192.0 255.255.192.0"\r\npush "route 37.9.64.0 255.255.192.0"\r\npush "route 37.140.128.0 255.255.192.0"\r\npush "route 77.75.152.0 255.255.248.0"\r\npush "route 77.88.0.0 255.255.192.0"\r\npush "route 84.201.128.0 255.255.192.0"\r\npush "route 87.250.224.0 255.255.224.0"\r\npush "route 93.158.128.0 255.255.192.0"\r\npush "route 95.108.128.0 255.255.128.0"\r\npush "route 100.43.64.0 255.255.224.0"\r\npush "route 109.235.160.0 255.255.248.0"\r\npush "route 130.193.32.0 255.255.224.0"\r\npush "route 141.8.128.0 255.255.192.0"\r\npush "route 178.154.128.0 255.255.128.0"\r\npush "route 185.32.185.0 255.255.255.0"\r\npush "route 185.32.186.0 255.255.255.0"\r\npush "route 185.71.76.0 255.255.252.0"\r\npush "route 199.21.96.0 255.255.252.0"\r\npush "route 199.36.240.0 255.255.252.0"\r\npush "route 213.180.192.0 255.255.224.0"\r\n\r\npush "route-ipv6 2001:678:384::\/48"\r\npush "route-ipv6 2620:10f:d000::\/44"\r\npush "route-ipv6 2a02:6b8::\/32"\r\npush "route-ipv6 2a02:5180::\/32"\r\n\r\n# Mail.ru network\r\npush "route 5.61.16.0 255.255.248.0"\r\npush "route 5.61.232.0 255.255.248.0"\r\npush "route 79.137.157.0 255.255.255.0"\r\npush "route 79.137.183.0 255.255.255.0"\r\npush "route 94.100.176.0 255.255.240.0"\r\npush "route 95.163.32.0 255.255.224.0"\r\npush "route 95.163.248.0 255.255.248.0"\r\npush "route 128.140.168.0 255.255.248.0"\r\npush "route 178.22.88.0 255.255.248.0"\r\npush "route 178.237.16.0 255.255.240.0"\r\npush "route 185.5.136.0 255.255.252.0"\r\npush "route 185.16.148.0 255.255.252.0"\r\npush "route 185.16.244.0 255.255.252.0"\r\npush "route 188.93.56.0 255.255.248.0"\r\npush "route 194.186.63.0 255.255.255.0"\r\npush "route 195.211.20.0 255.255.252.0"\r\npush "route 195.211.128.0 255.255.252.0"\r\npush "route 195.218.168.0 255.255.255.0"\r\npush "route 208.87.92.0 255.255.252.0"\r\npush "route 217.20.144.0 255.255.240.0"\r\npush "route 217.69.128.0 255.255.240.0"\r\n\r\npush "route-ipv6 2a00:1148::\/32"\r\npush "route-ipv6 2a00:a300::\/32"\r\npush "route-ipv6 2a00:b4c0::\/32"\r\n\r\n# VK.com network\r\npush "route 87.240.128.0 255.255.192.0"\r\npush "route 93.186.224.0 255.255.240.0"\r\npush "route 95.142.192.0 255.255.240.0"\r\npush "route 95.213.0.0 255.255.192.0"\r\npush "route 185.29.130.0 255.255.255.0"\r\npush "route 185.32.248.0 255.255.252.0"\r\n\r\npush "route-ipv6 2a00:bdc0::\/36"\r\npush "route-ipv6 2a00:bdc0:e003::\/48"\r\npush "route-ipv6 2a00:bdc0:e004::\/46"\r\npush "route-ipv6 2a00:bdc0:e008::\/48"\r\npush "route-ipv6 2a00:bdc0:f000::\/36"\r\n\r\n# Kaspersky network\r\npush "route 77.74.176.0 255.255.248.0"\r\npush "route 91.103.64.0 255.255.248.0"\r\npush "route 93.159.224.0 255.255.248.0"\r\npush "route 185.54.220.0 255.255.254.0"\r\npush "route 185.85.12.0 255.255.255.0"\r\npush "route 185.85.14.0 255.255.254.0"\r\n\r\npush "route-ipv6 2a03:2480::\/33"\r\n<\/pre>\n
\r\nmkdir -p \/etc\/openvpn\/easy-rsa\/keys\r\ncp -a \/usr\/share\/easy-rsa\/2.0\/* \/etc\/openvpn\/easy-rsa\r\n<\/pre>\n
\r\nvim \/etc\/openvpn\/easy-rsa\/vars\r\n<\/pre>\n
\r\nexport KEY_COUNTRY="UA"\r\nexport KEY_PROVINCE="UA"\r\nexport KEY_CITY="Kiev"\r\nexport KEY_ORG="openvpn"\r\nexport KEY_EMAIL="admin@artem.services"\r\nexport KEY_OU="VPN"\r\nexport KEY_NAME="openvpn"\r\nexport KEY_CN="openvpn.artem.services"\r\n<\/pre>\n
\r\ncp \/etc\/openvpn\/easy-rsa\/openssl-1.0.0.cnf \/etc\/openvpn\/easy-rsa\/openssl.cnf\r\n<\/pre>\n
\r\ncd \/etc\/openvpn\/easy-rsa\r\nsource .\/vars\r\n.\/clean-all\r\n<\/pre>\n
\r\n.\/build-ca\r\n<\/pre>\n
\r\n.\/build-key-server server\r\n<\/pre>\n
\r\n.\/build-dh\r\n<\/pre>\n
\r\ncd \/etc\/openvpn\/easy-rsa\/keys\r\n<\/pre>\n
\r\ncp -a dh2048.pem ca.crt server.crt server.key \/etc\/openvpn\r\n<\/pre>\n
\r\ncd \/etc\/openvpn\/easy-rsa\r\n.\/build-key client\r\n<\/pre>\n
\r\nyum install iptables-services -y\r\nsystemctl mask firewalld\r\nsystemctl enable iptables\r\nsystemctl stop firewalld\r\nsystemctl start iptables\r\niptables --flush\r\n\r\n\u0414\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u043c \u043f\u0440\u0430\u0432\u0438\u043b\u043e \u0432 iptables \u0438 \u0441\u043e\u0445\u0440\u0430\u043d\u044f\u0435\u043c:\r\n\r\n\r\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\r\niptables-save > \/etc\/sysconfig\/iptables\r\n<\/pre>\n
\r\nnet.ipv4.ip_forward = 1\r\n<\/pre>\n
\r\nsystemctl restart network.service\r\n<\/pre>\n
\r\nsystemctl -f enable openvpn@server.service\r\nsystemctl start openvpn@server.service\r\n<\/pre>\n
\r\nvim openvpn.ovpn\r\n<\/pre>\n
\r\nclient\r\nremote artem.services 1194\r\n\r\nnobind\r\n\r\nremote-cert-tls server\r\n\r\ncipher AES-128-CBC\r\n\r\nsetenv opt ncp-ciphers AES-128-GCM\r\n\r\nsetenv opt block-outside-dns\r\n\r\ndev tun\r\n\r\nproto udp\r\n<ca>\r\nFILE CONTENTS ca.crt\r\n<\/ca>\r\n\r\n<cert>\r\nFILE CONTENTS client.crt\r\n<\/cert>\r\n\r\n<key>\r\nFILE CONTENTS client.key\r\n<\/key>\r\n<\/pre>\n