Open ports on an ISP connection using OpenVPN and a KVM VPS

This was originally written to open ports on an ISP connection that blocks all incoming ports. The same setup can be used to create a DDoS-protected network. It also works on a dynamic IP without having to tell end users the new IP each time it changes.

Originally created: 01/24/2015 - https://sesipod.info/DATA_FILES/VPN-VPS/openvpn-iptables-routing.html

Updated: 05/13/2018


Things you will need

  1. KVM VPS
  2. PFsense (located inside your network)
  3. Around 10 - 20 minutes

Selecting the correct VPS

I have tested this setup on many providers. I would suggest the following two companies: OVH and RamNode. You will want to use a KVM VPS; OpenVZ will not work for the following setup.

OVH vps

RamNode


Let's get started

I'm using Debian 9.0 minimal x86.

Let's start by installing OpenVPN (and screen, which is used later to keep OpenVPN running in the background).

apt-get install openvpn && apt-get install screen

Now create the shared key.

openvpn --genkey --secret /etc/openvpn/static.key

Now we will make the OpenVPN config file.

nano /etc/openvpn/server.conf
dev tun
port 443
ifconfig 10.0.8.1 10.0.8.2

cipher AES-128-CBC
comp-lzo

secret /etc/openvpn/static.key

user nobody
group nogroup

# keep the key and the tun device open across restarts; without these two lines
# OpenVPN warns that restarts may fail once it has dropped to user nobody (see the log further down)
persist-key
persist-tun

# routes
route 10.0.8.0 255.255.255.0
route 192.168.1.0 255.255.255.0

Optional changes: you may change the following options to make the config work for you.

port: you can change this to whatever port you wish to use.

ifconfig 10.0.8.1 10.0.8.2: change this to any network that is not already in use.

route 10.0.8.0 255.255.255.0: change to match the network used in ifconfig.

route 192.168.1.0 255.255.255.0: change to match the network that you will open ports for (you may add more than one route if you have multiple networks to open ports for).


Set up the all-in-one auto-start file

nano startvpn.sh

#!/bin/bash
service openvpn stop
# start from an empty rule set so re-running this script does not stack duplicate rules
iptables -F
iptables -t nat -F
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
######################| PORTS TO OPEN |######################
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 32400 -j ACCEPT
# OpenVPN itself listens on UDP 443 (the PFsense client is set to UDP), so it needs its own rule
iptables -A INPUT -p udp --dport 443 -j ACCEPT
#####################################################################
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 1 -i tun0 -j ACCEPT
# everything not accepted above is dropped; without this line the ACCEPT rules change nothing
iptables -A INPUT -j DROP
iptables -A FORWARD --in-interface tun0 -j ACCEPT
######################| Redirect Port To Host |######################
##| WEB SERVER | ##
iptables -t nat -A PREROUTING -p tcp --dport 80 --in-interface eth0 -j DNAT --to 192.168.1.22
iptables -t nat -A PREROUTING -p tcp --dport 443 --in-interface eth0 -j DNAT --to 192.168.1.22
iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 80 --out-interface tun0 -j SNAT --to 10.0.8.1
iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 443 --out-interface tun0 -j SNAT --to 10.0.8.1
##| Plex SERVER |##
iptables -t nat -A PREROUTING -p tcp --dport 32400 --in-interface eth0 -j DNAT --to 192.168.1.10
# the SNAT port must match the DNAT port above (the original had 25565 here, so Plex replies were never source-NATed)
iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 32400 --out-interface tun0 -j SNAT --to 10.0.8.1
#######################################################################
# traffic leaving via the public interface gets the VPS public address; replace 123.123.123.123
iptables -t nat -A POSTROUTING --out-interface eth0 -j SNAT --to 123.123.123.123
sysctl -w net.ipv4.ip_forward=1
screen -dmS openvpn openvpn --config /etc/openvpn/server.conf

Changes To Be Made

PORTS TO OPEN: make a list of the ports (TCP or UDP) that you wish to open. I have ports 22 / 80 / 443 / 32400 open on my connection. Here is an example of a TCP rule and a UDP rule.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 9872 -j ACCEPT

Redirect Port To Host: make a list here of the ports and the hosts they should be redirected to. Below I have specified that ports 80 and 443 be forwarded to 192.168.1.22. Here is an example of a TCP and a UDP redirect; you must always have the matching POSTROUTING line for each port that is opened.

- TCP
iptables -t nat -A PREROUTING -p tcp --dport 80 --in-interface eth0 -j DNAT --to 192.168.1.22
iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 80 --out-interface tun0 -j SNAT --to 10.0.8.1
- UDP
iptables -t nat -A PREROUTING -p udp --dport 9872 --in-interface eth0 -j DNAT --to 192.168.1.20
iptables -t nat -A POSTROUTING -p udp -m udp --dport 9872 --out-interface tun0 -j SNAT --to 10.0.8.1
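The DNAT and SNAT lines above are easy to get out of step when they are typed by hand (a DNAT line for one port paired with a SNAT line for another). The following is an added example, not part of the original guide, that generates the matching DNAT/SNAT pair for each published service from one list, validates the protocol, port and host first, and prints the iptables commands instead of executing them so they can be reviewed before being run as root. It also emits a FORWARD accept scoped to one port and host, since DNATed traffic traverses the FORWARD chain rather than INPUT. The variable names TUN_LOCAL, WAN_IF, TUN_IF and SERVICES, and the service list itself, are assumptions chosen to match the guide's sample values.

```shell
#!/bin/sh
# Added example (not from the original guide): emit the DNAT/SNAT pair for each
# published service from one list, so the two lines can never disagree on the
# port. Commands are printed, not executed; review them, then run them as root.
# TUN_LOCAL, WAN_IF, TUN_IF and SERVICES are assumed names with the guide's values.

TUN_LOCAL="10.0.8.1"    # local end of the OpenVPN 'ifconfig' line
WAN_IF="eth0"           # VPS public interface (Debian 9 may call it ens3 or similar)
TUN_IF="tun0"

# proto:port:internal_host, one entry per published service (constructed sample list)
SERVICES="tcp:80:192.168.1.22 tcp:443:192.168.1.22 tcp:32400:192.168.1.10 udp:9872:192.168.1.20"

# valid_ipv4 ADDR -> 0 if ADDR is four dotted-decimal octets in 0..255
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# validate PROTO PORT HOST -> 0 if the triple is usable in a rule, else a message on stderr
validate() {
    case "$1" in tcp|udp) ;; *) echo "bad proto: $1" >&2; return 1 ;; esac
    case "$2" in ''|*[!0-9]*) echo "bad port: $2" >&2; return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || { echo "port out of range: $2" >&2; return 1; }
    valid_ipv4 "$3" || { echo "bad host: $3" >&2; return 1; }
}

# forward_rules PROTO PORT HOST -> prints the FORWARD accept, the DNAT and its matching SNAT
forward_rules() {
    proto=$1; port=$2; host=$3
    validate "$proto" "$port" "$host" || return 1
    # DNATed traffic traverses FORWARD (not INPUT); this accept is scoped to one port and host
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -j ACCEPT\n' \
        "$WAN_IF" "$TUN_IF" "$proto" "$host" "$port"
    printf 'iptables -t nat -A PREROUTING -p %s --dport %s --in-interface %s -j DNAT --to %s\n' \
        "$proto" "$port" "$WAN_IF" "$host"
    # replies must come back through the tunnel, so source-NAT to the tunnel-local address
    printf 'iptables -t nat -A POSTROUTING -p %s -m %s --dport %s --out-interface %s -j SNAT --to %s\n' \
        "$proto" "$proto" "$port" "$TUN_IF" "$TUN_LOCAL"
}

# all_rules -> rules for every SERVICES entry; stops at the first malformed entry
all_rules() {
    for svc in $SERVICES; do
        oldifs=$IFS; IFS=:; set -- $svc; IFS=$oldifs
        forward_rules "$1" "$2" "$3" || return 1
    done
}

all_rules
```

Running the script prints three rules per service; a typo such as a port of 70000 or a host of 192.168.1.256 stops generation with a message instead of producing a rule that iptables would reject or, worse, silently accept with a different meaning.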

--out-interface eth0 ( 123.123.123.123 ): change 123.123.123.123 to your VPS's external IPv4 address.

Optional Changes

Make the following changes if you changed anything in the OpenVPN server config section.

If you changed ifconfig 10.0.8.1 10.0.8.2, then you must change SNAT --to 10.0.8.1 on each line to the new local tunnel address.

If you changed route 192.168.1.0 255.255.255.0, then you must change the DNAT --to 192.168.1.20 address on each line to a host on the correct network.
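The two rules just stated (SNAT targets on tun0 must equal the ifconfig local address, DNAT targets must lie inside a routed network) can be checked mechanically before the script is run. The following is an added example, not part of the original guide: it reads the OpenVPN server.conf and the startvpn.sh script, extracts the ifconfig and route lines from one and the SNAT/DNAT targets from the other, and reports every mismatch. The sample files it writes are constructed for the demonstration; check_nat_targets, in_net, ip2int and write_samples are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original guide): cross-check startvpn.sh against
# server.conf. Every SNAT --to on tun0 must equal the ifconfig local address and
# every DNAT --to must fall inside one of the 'route' networks. The sample files
# are constructed below; the function names are assumptions.

# ip2int DOTTED -> prints the address as an integer; fails unless it has four octets
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_net IP NET MASK -> 0 if IP lies inside NET/MASK
in_net() {
    ip=$(ip2int "$1") || return 1
    net=$(ip2int "$2") || return 1
    mask=$(ip2int "$3") || return 1
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# check_nat_targets SERVER_CONF SCRIPT -> 0 if the NAT targets agree with the VPN config
check_nat_targets() {
    conf=$1; script=$2; rc=0
    tun_local=$(awk '$1 == "ifconfig" { print $2 }' "$conf")
    [ -n "$tun_local" ] || { echo "no ifconfig line in $conf" >&2; return 1; }
    routes=$(awk '$1 == "route" { print $2, $3 }' "$conf")

    # SNAT on the tunnel side must use the tunnel-local address
    for tgt in $(grep -- '--out-interface tun0' "$script" | sed -n 's/.*SNAT --to \([0-9.]*\).*/\1/p'); do
        [ "$tgt" = "$tun_local" ] || { echo "SNAT --to $tgt != ifconfig local $tun_local" >&2; rc=1; }
    done

    # every DNAT target must be reachable through one of the routed networks
    for tgt in $(sed -n 's/.*DNAT --to \([0-9.]*\).*/\1/p' "$script"); do
        ok=1
        set -- $routes
        while [ $# -ge 2 ]; do
            in_net "$tgt" "$1" "$2" && ok=0
            shift 2
        done
        [ $ok -eq 0 ] || { echo "DNAT --to $tgt is outside every 'route' network" >&2; rc=1; }
    done
    return $rc
}

# write_samples DIR -> writes constructed sample files: server.conf, good.sh, bad.sh
write_samples() {
    cat >"$1/server.conf" <<'EOF'
dev tun
ifconfig 10.0.8.1 10.0.8.2
route 10.0.8.0 255.255.255.0
route 192.168.1.0 255.255.255.0
EOF
    cat >"$1/good.sh" <<'EOF'
iptables -t nat -A PREROUTING -p tcp --dport 80 --in-interface eth0 -j DNAT --to 192.168.1.22
iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 80 --out-interface tun0 -j SNAT --to 10.0.8.1
iptables -t nat -A POSTROUTING --out-interface eth0 -j SNAT --to 123.123.123.123
EOF
    # tunnel renumbered to 10.0.9.x in the script only, and a host outside the routed LAN
    cat >"$1/bad.sh" <<'EOF'
iptables -t nat -A PREROUTING -p tcp --dport 80 --in-interface eth0 -j DNAT --to 192.168.2.22
iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 80 --out-interface tun0 -j SNAT --to 10.0.9.1
EOF
}

# stand-alone demo on the constructed samples
demo=$(mktemp -d)
write_samples "$demo"
check_nat_targets "$demo/server.conf" "$demo/good.sh" && echo "good.sh: consistent"
check_nat_targets "$demo/server.conf" "$demo/bad.sh" || echo "bad.sh: inconsistent, as expected"
rm -rf "$demo"
```

On a real VPS the call would be check_nat_targets /etc/openvpn/server.conf ./startvpn.sh; the eth0 SNAT line is deliberately skipped because its target is the public address, not the tunnel address.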


Now let's make the file executable.

chmod +x startvpn.sh

Let's set up PFsense

VPN → OpenVPN → Clients

Server Mode: Peer to Peer ( Shared Key )
Protocol: UDP on IPv4 only
Device Mode: tun - Layer 3 Tunnel Mode
Interface: LAN
Server host or address: 123.123.123.123
Server port: 443
Auto generate: [ untick ]
Shared Key: paste contents of shared key file generated on the VPS
Encryption algorithm: AES-128-CBC (128 bit key, 128 bit block)
IPv4 Tunnel Network: 10.0.8.0/24
Compression: LZO Compression [Legacy style, comp-lzo yes]
Click [SAVE]

Let's start the connection

On the VPS

./startvpn.sh

To see if the server is up, run:

screen -r

You should see something like:

Sun May 13 23:14:46 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Sun May 13 23:14:46 2018 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Sun May 13 23:14:46 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Sun May 13 23:14:46 2018 WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Sun May 13 23:14:46 2018 WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Sun May 13 23:14:46 2018 TUN/TAP device tun0 opened
Sun May 13 23:14:46 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun May 13 23:14:46 2018 /sbin/ip link set dev tun0 up mtu 1500
Sun May 13 23:14:46 2018 /sbin/ip addr add dev tun0 local 10.0.9.1 peer 10.0.9.2
Sun May 13 23:14:46 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun May 13 23:14:46 2018 UDPv4 link local (bound): [AF_INET][undef]:443
Sun May 13 23:14:46 2018 UDPv4 link remote: [AF_UNSPEC]
Sun May 13 23:14:46 2018 GID set to nogroup
Sun May 13 23:14:46 2018 UID set to nobody
Sun May 13 23:14:55 2018 Peer Connection Initiated with [AF_INET]321.321.321.321:40759
Sun May 13 23:14:56 2018 Initialization Sequence Completed

On PFsense

Status -> OpenVPN

You should see:

NAME | STATUS | CONNECTED SINCE | LOCAL ADDRESS | VIRTUAL ADDRESS | REMOTE HOST | BYTES SENT/RECEIVED
RamNODE UDP4 | up | Sun May 13 22:14:57 2018 | 192.168.1.1:28965 | 10.0.9.2 | 167.88.117.12:443 | 416 B / 480 B

If PFsense does not connect automatically, you might need to restart the connection.

You are now ready to go! If you have any issues, please try to ping each host from the other.