Ricmedia PC Help

Tech guides for everyone.


Setup private VPN network or VPN service provider – complete guide

December 18, 2017 By Richie Leave a Comment

Install & Setup dnsmasq, Setup IPTables

So you’ve come this far! Well done. I know it can seem long and tedious, but you’re almost home 😉

We need to install dnsmasq to hand out DHCP leases (and DNS) to VPN clients, then set up basic iptables firewall rules to keep your server safe. Log in to your server via PuTTY.

Select your VPS connection in PuTTY and click Open

Just before we start installing dnsmasq, let’s lock down the SoftEther config file. Enter the following commands:

cd /usr/local/vpnserver
chmod 400 vpn_server.config

Be clear about what this does and does not buy you. vpnserver runs as root, and root is not bound by file permission bits, so the daemon will keep rewriting the file whenever it saves its state; mode 400 does not "freeze" the configuration. What it does is stop every other local account from reading the file, which matters because vpn_server.config holds the hashed user passwords, the L2TP/IPsec pre-shared key and the server’s private key.

Let’s also double check that the tap_netflix adapter is up and running by entering the following command:

ifconfig

You should see something like the following (look for “tap_netflix” and the terms “UP BROADCAST RUNNING“):

ifconfig look for UP and RUNNING

If ifconfig is not found (Debian 9 no longer installs net-tools by default), ip link show tap_netflix gives the same information; look for UP in the flags. If the adapter is missing, the dnsmasq configuration below will fail to bind and nothing will get an address, so fix that before going on.

Install dnsmasq

Now let’s install dnsmasq, enter the following command:

apt-get install dnsmasq -y

We need to edit the dnsmasq config file with Nano, enter the following command:

nano /etc/dnsmasq.conf

Using your down arrow key, bring the cursor down to the very bottom of the file, then copy and paste the following lines at that location:

interface=tap_netflix
dhcp-range=tap_netflix,192.168.10.2,192.168.10.254,12h
dhcp-option=tap_netflix,3,192.168.10.1
server=8.8.8.8
server=8.8.4.4

Line by line: dnsmasq serves only the tap_netflix interface (plus loopback), hands out 192.168.10.2 to 192.168.10.254 with 12‑hour leases, tells clients that 192.168.10.1 (the server’s own address on tap_netflix) is their default gateway, and forwards DNS lookups to Google’s resolvers. One caveat: interface= on its own still makes dnsmasq bind port 53 on every address and discard foreign requests in userspace. Adding the single option bind-interfaces to the same block makes it bind tap_netflix only, and the firewall should in any case not expose port 53 to the internet, otherwise you are running an open resolver that can be abused for DNS amplification.

Now hit Ctrl+o (letter o) and Enter to save, then Ctrl+x to exit Nano.

By default the Linux kernel does not forward packets between interfaces, so the server would not route VPN client traffic out to the internet. Enable forwarding persistently by creating a new file (the name must end in .conf for sysctl to pick it up):

nano /etc/sysctl.d/ipv4_forwarding.conf

Now copy and paste the following line into the file:

net.ipv4.ip_forward = 1

Then hit Ctrl+o and Enter to save, then Ctrl+x to exit Nano. Apply the setting now (it is also applied on every boot) by entering the following command:

sysctl --system

Once forwarding is on, the box will relay any packet routed at it, not just packets from VPN clients, which is why the firewall should restrict the FORWARD chain to the VPN subnet rather than leave it open.

We also want Debian itself and SoftEther to resolve through Google’s public DNS servers only, so open the head file that resolvconf prepends to /etc/resolv.conf with Nano:

nano /etc/resolvconf/resolv.conf.d/head

Using the arrow keys move the cursor down to the bottom of the file, then copy and paste in the following lines:

nameserver 8.8.8.8
nameserver 8.8.4.4

Then Ctrl+o and Enter to save, then Ctrl+x to exit Nano. Because this is the head file, these two entries come first; any nameserver the Droplet learns from DHCP is still listed after them.

Now enter the following commands to regenerate /etc/resolv.conf:

resolvconf --enable-updates
resolvconf -u

Keep in mind that plain DNS over UDP is unencrypted: every VPN client’s lookups are forwarded by dnsmasq to 8.8.8.8 in the clear and are visible to Google and to anyone on the path. That is the guide’s chosen trade-off, not a security property of the setup.
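The dnsmasq block above is one fixed snippet. As an added example (not from the original guide), the shell function below renders the same snippet from parameters and checks the arithmetic the guide leaves to the reader: the lease pool must sit in the gateway’s subnet and must not contain the gateway itself. The function names, the sample values and the bind-interfaces and no-resolv hardening lines are this example’s own assumptions, not part of the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): render the dnsmasq snippet for the
# VPN interface from a few parameters, refusing to emit it when the lease pool and
# the gateway are not in one subnet or the gateway sits inside the pool. The
# function names, the bind-interfaces/no-resolv lines and the sample values are
# this example's own assumptions.

# ip_to_int <dotted-quad>: print the address as an unsigned 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet <ip1> <ip2> <prefix-len>: succeed when both share the network part.
same_subnet() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# render_dnsmasq_conf <iface> <gateway/prefix> <pool-start> <pool-end> <lease-time>:
# print the snippet on stdout, or print an error on stderr and return 1.
render_dnsmasq_conf() {
    iface=$1; gw=${2%/*}; plen=${2#*/}; start=$3; end=$4; lease=$5
    if ! same_subnet "$gw" "$start" "$plen" || ! same_subnet "$gw" "$end" "$plen"; then
        echo "error: pool $start-$end is not inside $2" >&2
        return 1
    fi
    g=$(ip_to_int "$gw"); s=$(ip_to_int "$start"); e=$(ip_to_int "$end")
    if [ "$s" -gt "$e" ] || { [ "$g" -ge "$s" ] && [ "$g" -le "$e" ]; }; then
        echo "error: pool is reversed or gateway $gw lies inside it" >&2
        return 1
    fi
    cat <<EOF
# dnsmasq: DHCP and DNS for VPN clients on $iface only
interface=$iface
# bind-interfaces: listen on $iface (and lo) instead of the wildcard address,
# so nothing arriving on the public interface reaches this resolver (assumed hardening)
bind-interfaces
dhcp-range=$iface,$start,$end,$lease
dhcp-option=$iface,3,$gw
# no-resolv: forward only to the upstream servers listed here (assumed hardening)
no-resolv
server=8.8.8.8
server=8.8.4.4
EOF
}

# Example run with the guide's values (constructed input); prints the snippet.
render_dnsmasq_conf tap_netflix 192.168.10.1/24 192.168.10.2 192.168.10.254 12h
```

Run it with a pool such as 192.168.11.2 to 192.168.11.254 against a 192.168.10.1/24 gateway and it refuses, which is exactly the mistake that leaves clients with an address but no route.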

Setup iptables

We need to secure our VPN server with some basic iptables rules. The guide keeps them in /etc/rc.local so they are re-applied on every boot. Open it with Nano:

nano /etc/rc.local

If your Droplet has no /etc/rc.local (Debian 9 no longer ships one), create it with a first line of #!/bin/sh -e, put the rules below above a final exit 0, and make it executable with chmod +x /etc/rc.local; systemd’s rc-local.service runs the file at boot only when it is executable.

Using your arrow keys, move the cursor to the bottom of the file, then Backspace to remove the “exit 0” line.

Move the cursor using arrow keys to bottom of file
Backspace to remove the exit 0 code

Copy the following code, then click your right mouse button once to paste, making sure the cursor is on the line that “exit 0” was on:

# Start from a clean slate so re-running this file does not append duplicate rules
/sbin/iptables -F
/sbin/iptables -t nat -F

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that does not use lo0
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic (apt updates leave through this rule and come back via ESTABLISHED;
# they never need an inbound port 80 rule)
/sbin/iptables -A OUTPUT -j ACCEPT

# MS-SSTP and SSL-VPN listen on HTTPS. Port 80 is only needed if you also run a web server here;
# leave it closed otherwise.
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Open ports for L2TP-IPSec
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 1701 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# Open ports for OpenVPN
/sbin/iptables -A INPUT -p tcp --dport 1194 -j ACCEPT

# Listener ports for SoftEther
/sbin/iptables -A INPUT -p tcp --dport 992 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 5555 -j ACCEPT

# Rules for dnsmasq routing: rewrite VPN client traffic to the server's public address
/sbin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source XXX.XXX.XXX.XXX

# With ip_forward=1 the kernel relays anything routed at it; only relay for VPN clients
/sbin/iptables -A FORWARD -i tap_netflix -s 192.168.10.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -o tap_netflix -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -j DROP

# Open DHCP and DNS to VPN clients only. Accepting port 53 from everywhere would make the
# server an open resolver usable for DNS amplification attacks.
/sbin/iptables -A INPUT -i tap_netflix -p udp --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -i tap_netflix -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i tap_netflix -p tcp --dport 53 -j ACCEPT
# Port 68 is the DHCP client port; only needed if the server itself gets its address by DHCP
/sbin/iptables -A INPUT -p udp --dport 68 -j ACCEPT

# Allow ping
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via dmesg command), then actually deny them.
# Without the final DROP the chain's default policy is ACCEPT, so every rule above is a no-op
# and nothing is ever "denied".
/sbin/iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
/sbin/iptables -A INPUT -j DROP

exit 0

Copy and paste the code on the same line that exit 0 was on

Then hit Ctrl+o and Enter to save, but before we exit this file we need to change XXX.XXX.XXX.XXX to your VPS’ public IP address on the following line:

... 192.168.10.0/24 -j SNAT --to-source XXX.XXX.XXX.XXX

changes to your VPS’ IP address, for example:

... 192.168.10.0/24 -j SNAT --to-source 123.123.12.123

Locate the XXX.XXX.XXX.XXX line
Backspace then enter your VPS’ IP address

If you would rather not hard-code the address (it changes if you ever rebuild the Droplet), -o eth0 -j MASQUERADE in place of -j SNAT --to-source ... uses whatever address the outgoing interface has; SNAT is simply the cheaper choice when the address is fixed.

Now we save Ctrl+o and Enter, then Ctrl+x to exit Nano.
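Before rebooting it is worth checking the live ruleset rather than trusting the file. As an added example (not from the original guide), the shell script below audits an iptables-save dump for the weaknesses that make this kind of rc.local firewall ineffective as originally published: an INPUT or FORWARD chain that never denies, DNS/DHCP accepted from every interface, and the SNAT placeholder left in place. The function names and both dumps are constructed for illustration; on your server run audit_iptables "$(iptables-save)" tap_netflix instead.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an iptables-save dump for
# the mistakes that make a VPN server's rc.local firewall ineffective. Function
# names and both dumps are constructed for illustration.

# Constructed dump in the shape the guide's published rules produce: no terminal
# DROP, DNS/DHCP accepted from any interface, FORWARD wide open, SNAT placeholder.
WEAK_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source XXX.XXX.XXX.XXX
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -j ACCEPT
COMMIT'

# Constructed hardened dump: terminal DROPs, DNS/DHCP bound to the VPN
# interface, forwarding limited to VPN clients, a real SNAT address.
HARD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i tap_netflix -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tap_netflix -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -s 192.168.10.0/24 -i tap_netflix -j ACCEPT
-A FORWARD -o tap_netflix -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT'

# table_section <dump> <table>: print the lines between "*<table>" and its COMMIT
# (the nat table has its own INPUT chain, so chains must be read per table).
table_section() {
    printf '%s\n' "$1" | awk -v t="*$2" '$0 == t { p = 1; next } /^COMMIT/ { p = 0 } p'
}

# chain_closed <table-lines> <chain>: succeed when the chain ends in a deny,
# either through a DROP policy or an unconditional terminal DROP/REJECT rule.
chain_closed() {
    printf '%s\n' "$1" | grep -q "^:$2 DROP" ||
    printf '%s\n' "$1" | grep -Eq "^-A $2 -j (DROP|REJECT)"
}

# audit_iptables <dump> <vpn-iface>: findings on stderr, number of findings on stdout.
audit_iptables() {
    dump=$1; iface=$2; n=0
    filter=$(table_section "$dump" filter)
    nat=$(table_section "$dump" nat)
    if ! chain_closed "$filter" INPUT; then
        echo "FINDING: INPUT never denies (policy ACCEPT, no final DROP): every ACCEPT rule is a no-op" >&2
        n=$((n + 1))
    fi
    if ! chain_closed "$filter" FORWARD; then
        echo "FINDING: FORWARD never denies: with ip_forward=1 the box relays whatever is routed at it" >&2
        n=$((n + 1))
    fi
    # DNS (53) and DHCP server (67) must only be accepted from the VPN interface.
    exposed=$(printf '%s\n' "$filter" | grep -E -- '--dport (53|67) ' | grep -v -- "-i $iface " || true)
    if [ -n "$exposed" ]; then
        echo "FINDING: DNS/DHCP accepted from any interface (open resolver exposure):" >&2
        printf '%s\n' "$exposed" | sed 's/^/    /' >&2
        n=$((n + 1))
    fi
    if printf '%s\n' "$nat" | grep -q -- '--to-source XXX'; then
        echo "FINDING: SNAT --to-source still holds the XXX.XXX.XXX.XXX placeholder" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

echo "weak ruleset findings: $(audit_iptables "$WEAK_DUMP" tap_netflix)"
echo "hardened ruleset findings: $(audit_iptables "$HARD_DUMP" tap_netflix)"
```

The first finding is the important one: with the default ACCEPT policy and no terminal DROP, a long list of ACCEPT rules changes nothing, and the "iptables denied" log line never fires because nothing is denied.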

Let’s restart the VPN Server and dnsmasq services by entering the following commands:

/etc/init.d/vpnserver restart
/etc/init.d/dnsmasq restart

Reboot Server

We now reboot the entire server so that every setting (sysctl, resolvconf and the rc.local firewall) is applied from a clean start. The cleanest way is to type reboot in the PuTTY session you already have open. The guide’s alternative is the DigitalOcean control panel: log in to your DigitalOcean account and click on your Droplet:

Login to your DigitalOcean account and click on your VPS server

Now click on Power from the left side menu, then click on the Power Cycle button:

Click on Power from left side menu, then click the Power Cycle button

Note that Power Cycle is a hard reset, the equivalent of pulling the power cord, so prefer the reboot command whenever you can still log in.

Your VPS will take about 1 minute to reboot. Once it is back, log in and confirm the rules loaded with iptables -L -n and that forwarding is on with sysctl net.ipv4.ip_forward.

Congratulations! Your shiny new VPN server is ready to accept client connections 😉

You can now move onto the very last section: Connecting to your VPN server, Summary.
