外で公衆WiFiを使うときなど信頼できないネットワークのトラヒックをすべて(IPv4もIPv6も)OpenVPNで暗号化する設定を行う。
multihomeを使うところとUFWの設定で詰まった。
udp.conf
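# OpenVPN server config: route ALL client traffic (IPv4 and IPv6) from an
# untrusted network back through this host. Pairs with the forwarding/NAT
# rules in /etc/ufw/before.rules and before6.rules. Lines starting with
# "#" are notes; anything marked "confirm" depends on your OpenVPN version.

# Reply from the same local address the client reached us on. Needed because
# the socket below binds the wildcard address on a host with several addresses.
multihome
port 11194
# udp6 socket. On OpenVPN 2.4+ this is normally dual-stack and also accepts
# IPv4 clients (confirm on your version; add "bind ipv6only" to refuse them).
proto udp6
# "dev tun" takes the first free tunN (usually tun0). If the ufw rules match
# on "-i tun0", pin this to "dev tun0" so the interface name cannot drift.
dev tun

ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/pki/dh.pem
# Revoked client certificates are still accepted unless a CRL is checked.
# Generate one with easy-rsa ("easyrsa gen-crl") and enable:
#crl-verify /etc/openvpn/easy-rsa/pki/crl.pem

topology subnet
# Client pool is a /24. The ufw forward and NAT rules must use the same prefix
# (10.8.0.0/24), not a wider one.
server 10.8.0.0 255.255.255.0
# 2001:db8::/32 is the documentation prefix, i.e. a placeholder. Use a /64 out
# of the prefix delegated to this host (then no NAT66 is needed, route it), or
# a ULA /64 (then the NAT66 rule in before6.rules is required).
server-ipv6 2001:db8:0:123::/64
ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "route 192.168.x.0 255.255.255.0" # home LAN -- replace x with the real subnet
# Send the client's default route (v4 and v6) through the tunnel.
push "redirect-gateway def1 bypass-dhcp ipv6"
# Resolvers reached through the tunnel (masqueraded by before.rules). Windows
# clients may still leak DNS to the local resolver; push "block-outside-dns"
# for them if that matters.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"

keepalive 10 120
# tls-auth only authenticates control-channel packets. OpenVPN 2.4+ can use
# "tls-crypt <ta.key>" instead, which also encrypts the control channel.
# Either way the client must use the matching directive.
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 # This file is secret
# AES-256-CBC is a non-AEAD cipher. With 2.4+ clients NCP normally upgrades the
# data channel to AES-256-GCM; on 2.5+ list what is allowed explicitly, e.g.
# "data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC" (keep CBC only while
# old clients exist). Confirm against your server/client versions.
cipher AES-256-CBC
persist-key
persist-tun
# No "user"/"group" is set, so the daemon -- and the client-connect script
# below -- keep running as root after start-up. persist-key/persist-tun are
# already present, so privileges can be dropped once the script is confirmed
# not to need root:
#user nobody
#group nogroup

status /var/log/openvpn/openvpn-status.log
# "log" reopens the file truncated on every start and so defeats "log-append";
# the original listed both. Keep only log-append to preserve history across
# restarts.
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

# Level 2 allows external scripts. The script runs with the daemon's
# privileges (root here, see above), so keep it root-owned and not
# group/world-writable.
script-security 2
client-connect "/usr/local/vpn/client-connect.sh"

tun-mtu 1450 # tune to the link
mssfix 1410 # tune to the link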
/etc/ufw/before.rules
.
.
.
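# allow forwarding for the OpenVPN client subnet
# Use the /24 that "server 10.8.0.0 255.255.255.0" actually hands out (the
# earlier /16 was wider than the pool), and pin the source rule to the tun
# interface so a packet arriving on enp1s0 with a spoofed 10.8.0.x source is
# not forwarded. "dev tun" normally yields tun0; adjust if yours differs.
# Stock ufw before.rules already ACCEPTs RELATED,ESTABLISHED earlier in this
# chain, so replies to clients need no extra rule; the "-d" rule below lets
# hosts on the home LAN open connections to VPN clients (they also need a
# route for 10.8.0.0/24 via this host). Drop it if clients should only
# receive replies.
-A ufw-before-forward -i tun0 -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -o tun0 -d 10.8.0.0/24 -j ACCEPT
.
.
.
COMMIT
# NAT table rules
# Also required: net.ipv4.ip_forward=1 in /etc/ufw/sysctl.conf and
# "ufw allow 11194/udp" for the OpenVPN port. DEFAULT_FORWARD_POLICY in
# /etc/default/ufw can stay DROP because the ACCEPT rules above are explicit.
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade client traffic leaving on the uplink (enp1s0 -- change to your
# interface). The prefix must match the forward rules and the server directive.
-A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
# End each table with the 'COMMIT' line or these rules won't be processed
COMMIT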
/etc/ufw/before6.rules
.
.
.
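# OpenVPN
# Same shape as before.rules: pin the client prefix to the tun interface so a
# packet on enp1s0 with a spoofed 2001:db8:0:123::/64 source is not forwarded
# ("dev tun" normally yields tun0; adjust if yours differs). Stock before6.rules
# already ACCEPTs RELATED,ESTABLISHED in this chain, so the "-d" rule is only
# needed if something outside should open connections to VPN clients.
# 2001:db8::/32 is a documentation placeholder; use the /64 from "server-ipv6".
-A ufw6-before-forward -i tun0 -s 2001:db8:0:123::/64 -j ACCEPT
-A ufw6-before-forward -o tun0 -d 2001:db8:0:123::/64 -j ACCEPT
.
.
.
COMMIT
# OpenVPN NAT
# NAT66 is only needed when the server-ipv6 prefix is not routed to this host
# (e.g. a ULA). If clients get a /64 out of your delegated global prefix, drop
# this table and route instead. MASQUERADE for IPv6 needs the ip6tables nat
# table (kernel >= 3.7) and net.ipv6.conf.all.forwarding=1 in
# /etc/ufw/sysctl.conf. Caveat: with forwarding on, the kernel ignores Router
# Advertisements on enp1s0 unless net.ipv6.conf.enp1s0.accept_ra=2, which can
# silently drop the host's own IPv6 default route.
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 2001:db8:0:123::/64 -o enp1s0 -j MASQUERADE
COMMIT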