**
- Openvpn
**
config openvpn 'vpn_server'
option dev 'tun'
option ifconfig '10.0.0.1 10.0.0.2'
option keepalive '10 60'
option log '/var/log/openvpn.log'
option status '/var/run/openvpn.status 5'
option mute '5'
option mode 'server'
option port '1194'
option route_gateway 'dhcp'
option persist_tun '1'
option persist_key '1'
option server '10.8.0.0 255.255.255.0'
option client_to_client '1'
option tls_server '1'
option cert '/etc/easy-rsa/pki/issued/vpn_server.crt'
option key '/etc/easy-rsa/pki/private/vpn_server.key'
option tls_auth '/etc/easy-rsa/pki/ta.key 0'
option user 'nobody'
option group 'nogroup'
option dh '/etc/easy-rsa/pki/dh.pem'
option ca '/etc/easy-rsa/pki/ca.crt'
option comp_lzo 'yes'
option enabled '1'
list push 'persist-key'
list push 'persist-tun'
list push 'user nobody'
list push 'topology subnet'
list push 'route-gateway dhcp'
list push 'redirect-gateway def1'
list push 'dhcp-option DNS 192.168.1.1'
list push 'block-outside-dns'
option verb '3'
option float '1'
option proto 'tcp-server'
**
- Firewall
**
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option network 'vpn0'
config forwarding
option src 'vpn'
option dest 'wan'
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Autoriser-OpenVPN'
option target 'ACCEPT'
option src 'wan'
option proto 'tcp udp'
option dest_port '1194'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
[......]
config redirect
option dest_port '8443'
option src 'wan'
option name 'Lifedomus'
option src_dport '8443'
option target 'DNAT'
option dest_ip '192.168.1.126'
option dest 'lan'
list proto 'tcp'
[......]
**
- Network
**
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd48:2080:194b::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
#list dns '8.8.8.8'
#list dns '8.8.4.4'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr 'c0:4a:00:50:fd:6b'
config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
option auto '1'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
**
- tcpdump
**
# tcpdump -i eth0.2 -vvn tcp port 443
tcpdump: listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
23:35:14.082297 IP (tos 0x0, ttl 63, id 44110, offset 0, flags [DF], proto TCP (6), length 85)
192.168.0.11.33204 > 52.21.27.19.443: Flags [P.], cksum 0xe107 (correct), seq 4105355480:4105355513, ack 206168032, win 3994, options [nop,no p,TS val 483507005 ecr 2112865033], length 33
23:35:14.165479 IP (tos 0x0, ttl 240, id 4408, offset 0, flags [DF], proto TCP (6), length 83)
52.21.27.19.443 > 192.168.0.11.33204: Flags [P.], cksum 0xd1cd (correct), seq 1:32, ack 33, win 422, options [nop,nop,TS val 2112956017 ecr 4 83507005], length 31
23:35:14.166584 IP (tos 0x0, ttl 63, id 44111, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.11.33204 > 52.21.27.19.443: Flags [.], cksum 0xb55c (correct), seq 33, ack 32, win 3994, options [nop,nop,TS val 483507026 ecr 2112 956017], length 0
hope it is clearly now