Install & Setup dnsmasq, Setup IPTables
So you’ve come this far! Well done. I know it can seem long and tedious, but you’re almost home 😉
We need to install dnsmasq to manage DHCP IP address leases, then set up some basic iptables firewall rules to keep your server safe. Log in to your server via PuTTY.
Just before we start installing dnsmasq, let’s lock down the SoftEther config file to prevent any unwanted changes, so enter the following commands:
cd /usr/local/vpnserver
chmod 400 vpn_server.config
Let’s also double check that the tap_netflix adapter is up and running by entering the following command:
ifconfig
You should see output similar to the following (look for “tap_netflix” and the terms “UP BROADCAST RUNNING”):
Install dnsmasq
Now let’s install dnsmasq, enter the following command:
apt-get install dnsmasq -y
We need to edit the dnsmasq config file with Nano, enter the following command:
nano /etc/dnsmasq.conf
Using your Down Arrow key, bring the cursor down to the very bottom of the file, then copy and paste the following code at that location:
interface=tap_netflix
dhcp-range=tap_netflix,192.168.10.2,192.168.10.254,12h
dhcp-option=tap_netflix,3,192.168.10.1
server=8.8.8.8
server=8.8.4.4
Now hit Ctrl+o (letter o) and Enter to save, then Ctrl+x to exit Nano.
By default, Debian won’t forward packets through the system, so we need to explicitly enable this by creating a new file:
nano /etc/sysctl.d/ipv4_forwarding.conf
Now copy and paste the following code into the file:
net.ipv4.ip_forward = 1
Then hit Ctrl+o and Enter to save, then Ctrl+x to exit Nano. Now we need to update the system settings by entering the following command:
sysctl --system
We need to make absolutely sure that Debian and SoftEther are querying only Google’s public DNS servers, so open the following file with Nano:
nano /etc/resolvconf/resolv.conf.d/head
Using the Arrow keys move the cursor down to the bottom of the file, then copy and paste in the following code:
nameserver 8.8.8.8
nameserver 8.8.4.4
Then Ctrl+o and Enter to save, then Ctrl+x to exit Nano.
Now enter the following commands to update the system:
resolvconf --enable-updates
resolvconf -u
Setup IP Tables
We need to secure our VPN server with some basic iptables rules. First, open the startup script that will load them with Nano:
nano /etc/rc.local
Using your Arrow keys, move the cursor to the bottom of the file, then use Backspace to remove the “exit 0” line.
Copy the following code, then click your right mouse button once to paste it (PuTTY pastes on right-click), making sure the cursor is on the same line that “exit 0” was on:
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that does not use lo0
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
/sbin/iptables -A OUTPUT -j ACCEPT

# For updates to system and MS-SSTP and SSL-VPN, also allows HTTP and HTTPS connections
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Open ports for L2TP-IPSec
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# Open ports for OpenVPN
/sbin/iptables -A INPUT -p tcp --dport 1194 -j ACCEPT

# Listener ports for SoftEther
/sbin/iptables -A INPUT -p tcp --dport 992 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5555 -j ACCEPT

# Rules for dnsmasq routing
/sbin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source XXX.XXX.XXX.XXX

# Open DHCP and DNS ports, but only on the VPN adapter (dnsmasq serves
# tap_netflix only, so there is no reason to answer DNS from the internet)
/sbin/iptables -A INPUT -i tap_netflix -p udp --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -i tap_netflix -p udp --dport 68 -j ACCEPT
/sbin/iptables -A INPUT -i tap_netflix -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i tap_netflix -p tcp --dport 53 -j ACCEPT

# Allow ping
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via dmesg command)
/sbin/iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Without a final DROP nothing above actually denies traffic; every
# inbound packet not matched by an ACCEPT rule is dropped here
/sbin/iptables -A INPUT -j DROP

exit 0
Then hit Ctrl+o and Enter to save, but before we exit this file we need to change XXX.XXX.XXX.XXX to your VPS’ public IP address on the following line:
... 192.168.10.0/24 -j SNAT --to-source XXX.XXX.XXX.XXX
so that it reads (with 123.123.12.123 standing in for your VPS’ IP address):
... 192.168.10.0/24 -j SNAT --to-source 123.123.12.123
Now we save Ctrl+o and Enter, then Ctrl+x to exit Nano.
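Before restarting anything it is worth sanity-checking the pasted rules: a leftover XXX.XXX.XXX.XXX placeholder silently breaks the SNAT rule, a wrong SSH port locks you out after the reboot, and a LOG rule with no DROP behind it denies nothing. The POSIX shell script below is an added example, not part of the original guide; the function name check_rc_local_fw and the checks it performs are my own and assume the rc.local layout shown above.

```shell
#!/bin/sh
# check_rc_local_fw FILE [SSH_PORT]: sanity-check an rc.local iptables
# fragment before rebooting. Prints one FAIL line per problem and returns
# the number of problems found (0 means the file passed every check).
check_rc_local_fw() {
    file="$1"
    ssh_port="${2:-22}"          # default matches the guide's --dport 22
    problems=0

    # 1. The SNAT --to-source value must be a real IPv4 address, not the
    #    XXX.XXX.XXX.XXX placeholder from the template.
    src=$(sed -n 's/.*--to-source \([^ ]*\).*/\1/p' "$file" | head -n 1)
    if [ -z "$src" ]; then
        echo "FAIL: no SNAT --to-source rule found"
        problems=$((problems + 1))
    elif [ "$src" = "XXX.XXX.XXX.XXX" ]; then
        echo "FAIL: --to-source still contains the XXX.XXX.XXX.XXX placeholder"
        problems=$((problems + 1))
    elif ! echo "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "FAIL: --to-source value '$src' is not an IPv4 address"
        problems=$((problems + 1))
    fi

    # 2. The SSH ACCEPT rule must use the port sshd listens on (the Port
    #    value in /etc/ssh/sshd_config), or the reboot locks you out.
    if ! grep -Eq -- "--dport ${ssh_port} -j ACCEPT" "$file"; then
        echo "FAIL: no INPUT ACCEPT rule for SSH port ${ssh_port}"
        problems=$((problems + 1))
    fi

    # 3. A LOG rule labelled "denied" only denies anything if a terminal
    #    DROP/REJECT (or a DROP policy) follows it on the INPUT chain.
    if grep -q -- '-j LOG' "$file" && \
       ! grep -Eq -- '-A INPUT -j (DROP|REJECT)|-P INPUT DROP' "$file"; then
        echo "FAIL: LOG rule present but INPUT chain has no terminal DROP/REJECT"
        problems=$((problems + 1))
    fi

    # 4. rc.local must still end with "exit 0" after the paste.
    if ! grep -v '^[[:space:]]*$' "$file" | tail -n 1 | \
         grep -Eq '^[[:space:]]*exit 0[[:space:]]*$'; then
        echo "FAIL: last non-blank line is not 'exit 0'"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Run directly as: sh check_fw.sh /etc/rc.local 22
if [ "$#" -gt 0 ]; then check_rc_local_fw "$@"; fi
```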
Let’s restart the VPN Server and dnsmasq services by entering the following commands:
/etc/init.d/vpnserver restart
/etc/init.d/dnsmasq restart
Reboot Server
We now need to reboot the entire server just to make sure all our settings are applied. Login to your DigitalOcean account and click on your Droplet:
Now click on Power from the left side menu, then click on the Power Cycle button:
Your VPS will take about 1 minute to reboot.
Congratulations! Your shiny new VPN server is ready to accept client connections 😉
You can now move onto the very last section: Connecting to your VPN server, Summary.