
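# 1. Disable the default "allow LAN to any" rule
#
# Finds every LAN rule whose description is exactly "Default allow LAN to any"
# and disables it by tracker id. After this step the only LAN egress allowed
# is whatever later steps add explicitly, so run the whole script, not just
# this part, or LAN clients lose all connectivity.
#
# Fixes relative to the original:
#  - the jq string literal was split across two lines, so the select() could
#    never match (it compared against "Default allow LAN\nto any");
#  - more than one rule may match (e.g. after a config restore); each match is
#    now handled instead of a multi-line value being spliced into one request;
#  - the tracker is interpolated unquoted into a JSON body, so it is checked
#    to be a plain integer first rather than trusted blindly.
mapfile -t TRACKERS < <(curlp GET "firewall/rule" '' \
  | jq -r '.data[] | select(.interface=="lan" and .description=="Default allow LAN to any") | .tracker')

for TRACKER in "${TRACKERS[@]}"; do
  if [[ "$TRACKER" =~ ^[0-9]+$ ]]; then
    curlp PUT firewall/rule \
      "{\"tracker\":${TRACKER},\"disabled\":true}"
  else
    printf 'step 1: skipping unexpected tracker value %q\n' "$TRACKER" >&2
  fi
done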

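# 2./3. Allow LAN → HTTP (TCP/80) and LAN → DNS (UDP/53) at the top of the
# LAN rule set.
#
# With the default "allow LAN to any" rule disabled in step 1, these two rules
# are the only LAN egress this script permits. In particular HTTPS (443/tcp)
# and DNS over TCP (53/tcp, needed for large responses and zone transfers) are
# NOT allowed; add further add_lan_pass_rule calls if the lab needs them.
#
# The two payloads differed only in protocol/port/description, so they are
# built by one helper. jq builds the JSON body, so every value is properly
# escaped; --arg keeps "destination_port" a string exactly as in the original
# literals, and "top" stays a JSON boolean.
#
# add_lan_pass_rule PROTO PORT DESCRIPTION
#   POST a pass rule on the "lan" interface from the LAN net to any host on
#   PORT/PROTO, inserted at the top of the rule set.
add_lan_pass_rule() {
  local proto=$1 port=$2 descr=$3
  curlp POST firewall/rule "$(jq -n \
    --arg proto "$proto" --arg port "$port" --arg descr "$descr" \
    '{interface:"lan", action:"pass", protocol:$proto, source_net:"lan",
      destination:"any", destination_port:$port, description:$descr, top:true}')"
}

add_lan_pass_rule tcp 80 "Allow LAN → HTTP"
add_lan_pass_rule udp 53 "Allow LAN → DNS"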

# 4. Split-DNS host override: [Link] → [Link]
# LAN clients that resolve the public name through the firewall get the
# address below instead of the public answer.
HOST_OVERRIDE_PAYLOAD='{
  "host": "www",
  "domain": "[Link]",
  "ip": "[Link]",
  "descr": "IIS Server1"
}'
curlp POST dns/hostOverride "$HOST_OVERRIDE_PAYLOAD"

# 5. 1:1 NAT: external [Link] → internal [Link]
# Maps the whole external address to the internal host, both directions.
ONE_TO_ONE_PAYLOAD='{
  "external": "[Link]",
  "internal": "[Link]",
  "descr": "1:1 NAT for Server1"
}'
curlp POST nat/one_to_one "$ONE_TO_ONE_PAYLOAD"

# 6. Allow WAN → Server1 HTTP (TCP/80)
# No "source" is given, so the rule admits any Internet host; that is the
# intent for a public web server, but note that only 80/tcp is opened.
# NOTE(review): if this is pfSense (the PFS_HOST / install_pkg step 7 suggests
# so), 1:1 NAT is applied before WAN rules are evaluated, so the destination of
# this rule must be the *internal* address of Server1, not the public one.
# The value is redacted here — confirm which address it is.
WAN_HTTP_PAYLOAD='{
  "interface": "wan",
  "action": "pass",
  "protocol": "tcp",
  "destination": "[Link]",
  "destination_port": "80",
  "description": "Allow WAN → Server1 HTTP",
  "top": true
}'
curlp POST firewall/rule "$WAN_HTTP_PAYLOAD"
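# 7. Install the OpenVPN Client Export package (one-time)
#
# Done over SSH to the firewall rather than through curlp like the other
# steps. The heredoc delimiter is quoted, so nothing in it is expanded
# locally; both lines run verbatim on the remote side.
# PFS_HOST must be set — an empty value would turn the target into "admin@"
# — and it is quoted so an unusual host string is not word-split
# (the original expanded it bare).
: "${PFS_HOST:?PFS_HOST (firewall address) must be set}"
ssh "admin@${PFS_HOST}" [Link] <<'EOF'
install_pkg openvpn-client-export
write_config
EOF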

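# 8. Create a new CA for OpenVPN
#
# Re-running this step creates another CA with the same description; the
# lookup below deliberately takes the first match so later steps still get a
# single id.
curlp POST openvpn/ca '{
  "descr": "ExamLabCA",
  "lifetime": 3650,
  "country": "US",
  "state": "State",
  "city": "City",
  "org": "Contoso",
  "email": "admin@[Link]"
}'

# Look the CA up by description to obtain the id steps 9 and 10 reference.
# Fixes relative to the original: the jq filter was split across two lines
# (a syntax error in the filter), and `jq -r` printed the literal word "null"
# when nothing matched — "// empty" yields an empty string instead, which
# the check below can detect.
CA_UUID=$(curlp GET openvpn/ca '' \
  | jq -r '[.data[] | select(.descr=="ExamLabCA") | .uuid] | .[0] // empty')

# Fail fast: an empty id would be spliced into the server and user payloads as
# "" and silently produce a broken VPN configuration.
if [[ -z "$CA_UUID" ]]; then
  printf 'step 8: CA "ExamLabCA" not found after creation; aborting\n' >&2
  exit 1
fi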

# 9. Create the OpenVPN Remote Access server
#
# UDP/1194 remote-access server on the tunnel network below.
# "redirect_gateway": true pushes a default route to clients, so all of a
# connected client's traffic is sent through the VPN (and is then subject to
# the LAN/WAN rules above).
# NOTE(review): "server_certificate" is given CA_UUID, the id of the *CA*
# from step 8; the key name suggests it expects a server certificate issued
# by that CA rather than the CA itself — confirm against the API before
# relying on this. No auth mode, cipher or TLS-auth key is set here, so the
# server runs with whatever defaults the API applies.
VPN_SERVER_PAYLOAD='{
  "mode": "remote_access",
  "protocol": "udp",
  "local_port": 1194,
  "description": "ExamLabVPN",
  "crypto": { "server_certificate": "'"${CA_UUID}"'" },
  "tunnel_network": "[Link]/24",
  "redirect_gateway": true
}'
curlp POST openvpn/server "$VPN_SERVER_PAYLOAD"

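# 10. Create a VPN user
#
# The password comes from the environment instead of being a literal in the
# script: a hard-coded "vpnpass" ends up in version control, in shell history
# and in every copy of this file. Set it before running, e.g.
#   VPN_USER_PASSWORD='…' ./configure.sh
# jq builds the body so quotes or backslashes in the password cannot break or
# alter the JSON the way bare string interpolation would.
# NOTE(review): the body is still passed to curlp as an argument; if curlp
# hands it to curl on the command line it remains visible in `ps`. Prefer
# feeding it via a file/stdin (curl --data @file) if that matters here.
# NOTE(review): cert_ref is given CA_UUID (the CA's id); confirm the API wants
# the CA here rather than a per-user certificate.
: "${VPN_USER_PASSWORD:?VPN_USER_PASSWORD must be set (password for vpnuser)}"
curlp POST openvpn/user "$(jq -n \
  --arg user vpnuser \
  --arg pass "$VPN_USER_PASSWORD" \
  --arg cert "$CA_UUID" \
  '{username:$user, password:$pass, cn:$user, cert_ref:$cert}')"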

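# 11. Export the .ovpn for vpnuser
#
# The exported profile embeds the client's key material, so it is written
# with mode 0600 (umask in a subshell, so the rest of the script is not
# affected). The export is checked before anything is written: `jq -r`
# prints the literal word "null" when .data[0].config is missing, which
# previously produced a bogus profile file without any error.
OVPN_PATH=/root/[Link]
OVPN_CONFIG=$(curlp GET "openvpn/client_export?user=vpnuser" '' \
  | jq -r '.data[0].config // empty')
if [[ -z "$OVPN_CONFIG" ]]; then
  printf 'step 11: client export for vpnuser returned no config; nothing written\n' >&2
  exit 1
fi
( umask 077; printf '%s\n' "$OVPN_CONFIG" > "$OVPN_PATH" )

# 12. Reminder to download the client config
# NOTE(review): step 7 reaches the firewall over SSH, which implies this script
# runs off-box; in that case the file above is on the machine running the
# script, not on PFS_HOST, and this hint points at the wrong host. Confirm
# where the script is meant to run.
printf 'Download your VPN profile via SCP: %s:%s\n' "${PFS_HOST}" "$OVPN_PATH"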
