Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:pppossh:client [2023/03/15 03:50] – [1. Preparation] vgaetera
docs:guide-user:services:vpn:pppossh:client [2023/10/29 01:01] – consolidate naming vgaetera
Line 12: Line 12:
 ==== 1. Preparation ==== ==== 1. Preparation ====
 Install the required packages. Install the required packages.
-Generate server [[docs:guide-user:services:vpn:pppossh:extras#public_key|public key]] and transfer it to VPN client. 
 Specify configuration parameters for VPN client. Specify configuration parameters for VPN client.
  
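Review bot: the removed line in the Preparation section was the only pointer to pppossh:extras#public_key; since the key exchange step reappears later under its own heading linking to pppossh:start#key_management, confirm that the extras page anchor is still reachable from elsewhere or that its content was folded into the start page, so readers following older links do not land on an orphaned section.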
Line 24: Line 23:
 VPN_PORT="22" VPN_PORT="22"
 VPN_SERV="SERVER_ADDRESS" VPN_SERV="SERVER_ADDRESS"
-VPN_ADDR="192.168.5.2 192.168.5.1"+VPN_ADDR="192.168.9.2 192.168.9.1"
 VPN_USER="root" VPN_USER="root"
-VPN_PRIV="/etc/dropbear/dropbear_ed25519_host_key"+</code> 
 + 
 +==== 2. Key management ==== 
 +Generate and exchange [[docs:guide-user:services:vpn:pppossh:start#key_management|keys]] between server and client. 
 +Set up key-based authentication. 
 + 
 +<code bash> 
 +# Client private key 
 +VPN_KEY="/etc/dropbear/dropbear_ed25519_host_key" 
 + 
 +# Generate client public key 
 +dropbearkey -y -f ${VPN_KEY} \ 
 +| sed -n -e "/^ssh-\S*\s/p" > sshclient.pub 
 + 
 +# Server public key
 VPN_PUB="$(cat sshserver.pub)" VPN_PUB="$(cat sshserver.pub)"
  
 # Configure PKI # Configure PKI
-mkdir -p ~root/.ssh +mkdir -p /root/.ssh 
-cat << EOF >> ~root/.ssh/known_hosts+cat << EOF >> /root/.ssh/known_hosts
 ${VPN_SERV} ${VPN_PUB% *} ${VPN_SERV} ${VPN_PUB% *}
 +EOF
 +cat << EOF >> /etc/sysupgrade.conf
 +/root/.ssh
 EOF EOF
 </code> </code>
  
-==== 2. Firewall ==== +==== 3. Firewall ==== 
-Consider VPN network as public. +{{section>docs:guide-user:services:vpn:wireguard:client#firewall&noheader&nofooter&noeditbutton}}
-Assign VPN interface to WAN zone to minimize firewall setup. +
- +
-<code bash> +
-Configure firewall +
-uci rename firewall.@zone[0]="lan" +
-uci rename firewall.@zone[1]="wan" +
-uci del_list firewall.wan.network="${VPN_IF}+
-uci add_list firewall.wan.network="${VPN_IF}+
-uci commit firewall +
-/etc/init.d/firewall restart +
-</code>+
  
-==== 3. Network ====+==== 4. Network ====
 Set up VPN interface. Set up VPN interface.
  
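Review bot: VPN_KEY reuses the Dropbear host key (/etc/dropbear/dropbear_ed25519_host_key) as the client's SSH identity, as the old VPN_PRIV line already did; the rename is consistent, but the new Key management section is the natural place to recommend a dedicated tunnel key, e.g. `dropbearkey -t ed25519 -f /etc/dropbear/id_ed25519`, so the router's host identity and its VPN login credential can be rotated or revoked independently and the host key never has to be referenced from network config. Two smaller points in the same hunk: `${VPN_PUB% *}` strips everything after the last space, so a sshserver.pub without a trailing comment field loses its key material in known_hosts (`cut -d' ' -f1,2 sshserver.pub` is unambiguous), and both heredocs append unconditionally, so rerunning the snippet duplicates the known_hosts and /etc/sysupgrade.conf lines. The firewall section is now transcluded from the wireguard client page; verify that snippet uses the same VPN_IF variable name so the WAN zone assignment still applies to this interface.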
Line 63: Line 68:
 uci set network.${VPN_IF}.peeraddr="${VPN_ADDR#* }" uci set network.${VPN_IF}.peeraddr="${VPN_ADDR#* }"
 uci set network.${VPN_IF}.sshuser="${VPN_USER}" uci set network.${VPN_IF}.sshuser="${VPN_USER}"
-uci add_list network.${VPN_IF}.identity="${VPN_PRIV}"+uci add_list network.${VPN_IF}.identity="${VPN_KEY}"
 uci set network.${VPN_IF}.ipv6="1" uci set network.${VPN_IF}.ipv6="1"
 uci commit network uci commit network
-/etc/init.d/network restart+service network restart
 </code> </code>
  
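Review bot: `service network restart` replaces `/etc/init.d/network restart`; on older OpenWrt releases `service` is a shell function defined in /etc/profile rather than a command (later releases ship /sbin/service), so the page should either state the minimum release or keep the init script path if the snippet is meant to be pasted into non-interactive scripts. Also, `uci add_list network.${VPN_IF}.identity="${VPN_KEY}"` appends a new list entry every time the block is rerun; a preceding `uci del_list` on the same option, the pattern the old firewall section used, keeps it idempotent.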
Line 79: Line 84:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/network restart; sleep 10+service log restart; service network restart; sleep 10
  
 # Log and status # Log and status
  • Last modified: 2023/10/29 03:23
  • by vgaetera