Changes

Line 540: Line 540:  
     </tr>
 
     </tr>
 
</table>
 
</table>
 +
 +
 +
====OpenVPN Server Brute-force Prevention====
 +
----
 +
OpenVPN Servers with <b>Authentication</b> set to <b>TLS/Password</b> or <b>Password</b>, <b>Protocol</b> set to <b>UDP</b> and running on <b>Port 1194</b> have a feature where after a client attempts to connect to the server 10 times with incorrect credentials (password and/or username) they are then blocked from the server.
 +
 +
To check which addresses are blocked one first needs to connect to their device's [[Command_Line_Interfaces_RutOS|CLI]].
 +
 +
After connecting to your device's CLI use the command <b>ipset list</b> and find the section named <b>ipb_port</b>. There under <b>Members</b> you should see all IP addresses that are blocked.
 +
 +
<pre>
 +
Name: ipb_port
 +
Type: hash:ip,port
 +
Revision: 5
 +
Header: family inet hashsize 1024 maxelem 65536
 +
Size in memory: 164
 +
References: 2
 +
Number of entries: 1
 +
Members:
 +
188.XXX.XXX.XXX,udp:1194
 +
</pre>
 +
 +
Another way to check blocked IP addresses is to use the command <b>ubus call ip_block show</b>. This will show all ip addresses that failed to connect to your device. If the <b>counter</b> atribute of the IP address entry is larger or equal then <b>max_attempt_count</b> then that IP address is blocked.
 +
 +
<pre>
 +
{
 +
"globals": {
 +
"max_attempt_count": 10
 +
},
 +
"ip_blockd 188.XXX.XXX.XXX": {
 +
"ip": "188.XXX.XXX.XXX",
 +
"port": "udp:1194",
 +
"counter": "1"
 +
},
 +
"ip_blockd 188.XXX.XXX.XXX": {
 +
"ip": "188.XXX.XXX.XXX",
 +
"port": "udp:1194",
 +
"counter": "10"
 +
}
 +
}
 +
</pre>
 +
 +
To unblock a blocked client's IP address use the command <b>ubus call ip_block unblock '{"ip":"<blocked_ip_address>","port":"udp:1194"}</b> (replace <blocked_ip_address> inside the quotes with your blocked IP address). If the IP address was unblocked succesfully you should see a similar response:
 +
 +
<pre>
 +
{
 +
"unblocked": {
 +
"ip": "188.XXX.XXX.XXX",
 +
"port": "udp:1194"
 +
}
 +
}
 +
</pre>
    
==GRE==
 
==GRE==
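Review bot: the unblock command in this hunk is missing its closing single quote (`ubus call ip_block unblock '{"ip":"<blocked_ip_address>","port":"udp:1194"}`), so copied as written it fails at the shell; it should end `...,"port":"udp:1194"}'`. Two more correctness points: the `ubus call ip_block show` sample lists two objects under the identical key "ip_blockd 188.XXX.XXX.XXX", which reads as duplicate JSON keys, so use two distinguishable placeholders so the reader sees one entry that is merely counted (counter 1) and one that is blocked (counter 10); and the section never says whether a block expires, survives a reboot, or persists until the manual unblock, which an operator who has locked themselves out needs to know. Since the set is `hash:ip,port`, clients behind a shared NAT address share one counter and one block; worth a sentence. The scope sentence ties the protection to UDP on port 1194 (and the member `udp:1194` agrees), so state explicitly whether servers on another port or on TCP are protected, otherwise readers will assume they are. Minor: "atribute" → "attribute", "larger or equal then" → "greater than or equal to", "succesfully" → "successfully"; `ipset list ipb_port` prints just that set and saves scrolling.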
Line 869: Line 921:  
====Advanced settings====
 
====Advanced settings====
 
----
 
----
[[File:Networking_rutos_vpn_ipsec_connection_settings_advanced_settings.png|border|class=tlt-border]]
+
[[File:Networking_rutos_vpn_ipsec_connection_settings_advanced_settings_v2.png|border|class=tlt-border]]
    
<table class="nd-mantable">
 
<table class="nd-mantable">
Line 1,268: Line 1,320:     
<b>Secure Socket Tunneling Protocol</b> (SSTP) is a VPN protocol designed to transport PPP traffic via a secure SSL/TLS channel.
 
<b>Secure Socket Tunneling Protocol</b> (SSTP) is a VPN protocol designed to transport PPP traffic via a secure SSL/TLS channel.
{{#ifeq: {{{series}}} | RUTX | |  
+
{{#switch: {{{series}}} | RUTX | RUTM= | #default=
 
</br><u><b>Note:</b> SSTP is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
 
</br><u><b>Note:</b> SSTP is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
 
}}
 
}}
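Review bot: `{{#switch: {{{series}}} | RUTX | RUTM= | #default=` depends on #switch fall-through (RUTX has no value, so it takes RUTM's empty result, and every other series gets the note); that is correct, but the bare `RUTX |` reads like an unfinished case, so a comment or an explicit `RUTX= | RUTM=` would make the intent obvious to the next editor. While this block is being reworked, the note line it wraps uses `</br>`, which is not a valid tag; change it to `<br>` here and in the identical Stunnel and DMVPN hunks below.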
Line 1,336: Line 1,388:  
The Stunnel Globals section is used to manage the Stunnel service as a whole.  
 
The Stunnel Globals section is used to manage the Stunnel service as a whole.  
 
Refer to the figure and table below for information on the fields contained in the Stunnel Globals section.
 
Refer to the figure and table below for information on the fields contained in the Stunnel Globals section.
{{#ifeq: {{{series}}} | RUTX | |   
+
{{#switch: {{{series}}} | RUTX | RUTM= | #default=  
 
</br><u><b>Note:</b> Stunnel is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
 
</br><u><b>Note:</b> Stunnel is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
 
}}
 
}}
Line 1,478: Line 1,530:     
<b>Dynamic Multipoint VPN</b> (<b>DMVPN</b>) is a method of building scalable IPsec VPNs. DMVPN is configured as a hub-and-spoke network, where tunnels between spokes are built dynamically; therefore, no change in configuration is required on the hub in order to connect new spokes.
 
<b>Dynamic Multipoint VPN</b> (<b>DMVPN</b>) is a method of building scalable IPsec VPNs. DMVPN is configured as a hub-and-spoke network, where tunnels between spokes are built dynamically; therefore, no change in configuration is required on the hub in order to connect new spokes.
{{#ifeq: {{{series}}} | RUTX | |  
+
{{#switch: {{{series}}} | RUTX | RUTM= | #default=
 
</br><u><b>Note:</b> DMPVN is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
 
</br><u><b>Note:</b> DMPVN is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
 
}}
 
}}
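Review bot: the note wrapped by this #switch still reads "DMPVN is additional software" in both copies; since the conditional around it is being changed, fix the typo to "DMVPN" in the same edit so the heading and the note agree.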
Line 1,685: Line 1,737:  
       <td>Default route</td>
 
       <td>Default route</td>
 
       <td>off {{!}} on; default: <b>off</b></td>
 
       <td>off {{!}} on; default: <b>off</b></td>
       <td>When turned on, this connection will become device default route. This means that all traffic directed to the Internet will go through the L2TP server and the server's IP address will be seen as this device's source IP to other hosts on the Internet.{{#ifeq:{{{series}}}|RUTX|<br><b>NOTE</b>: this can only be used when [[{{{name}}} Failover|Failover]] is turned off.}}</td>
+
       <td>When turned on, this connection will become device default route. This means that all traffic directed to the Internet will go through the L2TP server and the server's IP address will be seen as this device's source IP to other hosts on the Internet.{{#switch:{{{series}}}|RUTX|RUTM=<br><b>NOTE</b>: this can only be used when [[{{{name}}} Failover|Failover]] is turned off.}}</td>
 
     </tr>
 
     </tr>
 
</table>
 
</table>
Line 1,862: Line 1,914:  
In order to create a new ZeroTier Instance, look to the Add New ZeroTier Configuration section; enter a custom name and click the 'Add' button:
 
In order to create a new ZeroTier Instance, look to the Add New ZeroTier Configuration section; enter a custom name and click the 'Add' button:
   −
[[File:Networking_rutos_manual_vpn_zerotier_add_button.png|border|class=tlt-border]]
+
[[File:Networking_rutos_manual_vpn_zerotier_add_button_v2.png|border|class=tlt-border]]
 +
 
    
You should be redirected to the configuration page for the newly added ZeroTier Instance which should look similar to this:
 
You should be redirected to the configuration page for the newly added ZeroTier Instance which should look similar to this:
   −
[[File:Networking_rutos_manual_vpn_zerotier_instance.png|border|class=tlt-border]]
+
[[File:Networking_rutos_manual_vpn_zerotier_instance_v2.png|border|class=tlt-border]]
 +
 
 +
<table class="nd-mantable">
 +
    <tr>
 +
        <th>Field</th>
 +
      <th>Value</th>
 +
      <th>Description</th>
 +
    </tr>
 +
    <tr>
 +
      <td>Enabled</td>
 +
      <td>off {{!}} on; default: <b>off</b></td>
 +
      <td>Turns the ZeroTier Instance on or off.</td>
 +
    </tr>
 +
</table>
 +
 
 +
 
 +
ZeroTier network configuration instance should look similar to this:
 +
 
 +
[[File:Networking rutos manual vpn zerotier network instance.png|border|class=tlt-border]]
    
<table class="nd-mantable">
 
<table class="nd-mantable">
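Review bot: the new instance table has a single row ("Enabled"), and the text then jumps to "ZeroTier network configuration instance should look similar to this:" without saying how a network is added to the instance; add the missing step (where the network configuration is created or opened) between the instance table and the network image, otherwise the reader cannot get from one screenshot to the next. Minor: the new image name uses spaces ("Networking rutos manual vpn zerotier network instance.png") while every other file on the page uses underscores; MediaWiki treats them the same, but keep one style. "ZeroTier network configuration instance should look" → "The ZeroTier network configuration instance should look".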
Line 1,880: Line 1,951:  
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
       <td>Networks</td>
+
       <td>Port</td>
 +
      <td>integer [0..65535]; default: <b>9993</b></td>
 +
      <td>ZeroTier Network port.</td>
 +
    </tr>
 +
    <tr>
 +
      <td>Network ID</td>
 
       <td>hex string; default: <b>none</b></td>
 
       <td>hex string; default: <b>none</b></td>
 
       <td>ZeroTier Network ID. Log in to your ZeroTier account in order to locate the ZeroTier Network ID, which should be a string of hexadecimal characters.</td>
 
       <td>ZeroTier Network ID. Log in to your ZeroTier account in order to locate the ZeroTier Network ID, which should be a string of hexadecimal characters.</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
       <td>Port</td>
+
       <td>Allow default route</td>
       <td>integer [0..65535]; default: <b>none</b></td>
+
       <td>off {{!}} on; default: <b>off</b></td>
       <td>ZeroTier Network port.</td>
+
       <td>Allows ZeroTier to override system default route</td>
 +
    </tr>
 +
    <tr>
 +
      <td>Allow global IP</td>
 +
      <td>off {{!}} on; default: <b>off</b></td>
 +
      <td>Allows ZeroTier managed IPs and routes to overlap public IP space</td>
 +
    </tr>
 +
    <tr>
 +
      <td>Allow managed IP</td>
 +
      <td>off {{!}} on; default: <b>on</b></td>
 +
      <td>Assigns ZeroTier managed IPs and routes </td>
 +
    </tr>
 +
    <tr>
 +
      <td>Allow DNS</td>
 +
      <td>off {{!}} on; default: <b>off</b></td>
 +
      <td>Applies DNS servers that are set at the network controller</td>
 
     </tr>
 
     </tr>
 
</table>
 
</table>
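Review bot: the four new "Allow ..." rows describe behaviour that is controlled by the remote network controller (the "Allow DNS" row says so; "Allow managed IP" and "Allow global IP" are the same mechanism), and two of them widen what that controller may do to the device: "Allow default route" lets it replace the system default route, and "Allow global IP" lets pushed routes cover public IP space, i.e. redirect traffic bound for Internet addresses. Add a short note to those two rows that they should stay off unless the network controller is trusted, since the table otherwise presents them as neutral toggles. Also confirm the default change implied by the reordering: "Port" now defaults to 9993 where the replaced row said none. Punctuation: "Allows ZeroTier to override system default route" and "Assigns ZeroTier managed IPs and routes " lack a closing period and the latter has a trailing space.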