[Not Solved]
Feb 12, 2020, 11:56 PM
(This post was last modified: Feb 13, 2020, 10:43 AM by kacaukacau.)
My current VPS (Ubuntu 18.04) has IPv6 support, so using the guide for Ubuntu 16.04, it'll still go through IPv6 and expose my IP. So the workaround I did for now was to comment out the IPv6 address in /etc/netplan/01-netcfg.yaml so that no IPv6 address is assigned.
Now I'm trying to make it work even with IPv6, so following the old guide, I added ip6tables rules to the iptables.sh script (please help me check if there are any errors):
Quote:
#! /bin/bash
# Modified version by HTPC Guides – http://www.htpcguides.com
export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="xxx.xxx.xxx.xxx"
export LOCALIP6="xxxx:xxxx:xxxx:xxxx::"
export NETIF="eth0"
# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
ip6tables -F -t nat
ip6tables -F -t mangle
ip6tables -F -t filter
# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
ip6tables -t mangle -A OUTPUT -j CONNMARK --restore-mark
# link-local (fe80::/10) traffic is Neighbour Discovery on $NETIF; it must not be marked into the VPN table
ip6tables -t mangle -A OUTPUT --src fe80::/10 -j RETURN
ip6tables -t mangle -A OUTPUT ! --dest $LOCALIP6 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
ip6tables -t mangle -A OUTPUT --dest $LOCALIP6 -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
ip6tables -t mangle -A OUTPUT --dest $LOCALIP6 -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
ip6tables -t mangle -A OUTPUT ! --src $LOCALIP6 -j MARK --set-mark 0x1
ip6tables -t mangle -A OUTPUT -j CONNMARK --save-mark
# allow responses
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# IPv6 depends on ICMPv6 errors (Packet Too Big) for path MTU discovery; they are RELATED, not ESTABLISHED
ip6tables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# block everything incoming on $INTERFACE to prevent accidental exposing of ports
iptables -A INPUT -i $INTERFACE -j REJECT
ip6tables -A INPUT -i $INTERFACE -j REJECT
# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
ip6tables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
ip6tables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
# all packets on $INTERFACE needs to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
ip6tables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
# reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
# Neighbour Discovery (link-local ICMPv6) must still leave via $NETIF, otherwise the IPv6 gateway can never be resolved
ip6tables -A OUTPUT -o $NETIF -p icmpv6 --src fe80::/10 -j ACCEPT
ip6tables -A OUTPUT ! --src $LOCALIP6 -o $NETIF -j REJECT
# Start routing script
/etc/openvpn/routing.sh
exit 0
But for routing.sh, I don't know how I should grep the proper IPv6 $GATEWAYIP, or how I should add the commands for IPv6 (I guess just duplicate every command with ip -6 ...?).
And also 9999-vpn.conf. Help is very much appreciated!
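The IPv6 half of a routing.sh, as an added example that is not part of the post above and not HTPC Guides' own routing.sh. It assumes the names used in the poster's ip6tables rules (tun0, mark 0x1) plus a policy-routing table called vpn that has been registered in /etc/iproute2/rt_tables; the route dump in the test is constructed. Instead of grepping an address out of ifconfig, it takes the next-hop from the first route on tun0 in "ip -6 route show" that has a "via" (OpenVPN's redirect-gateway ipv6 installs 2000::/3, not ::/0, so it does not key on the word "default"), and it adds a prohibit route with a high metric so marked IPv6 traffic fails closed when the tunnel is down rather than falling through to the main table and out $NETIF.

```shell
#!/bin/bash
# Added example (not the forum post's script, not HTPC Guides' routing.sh):
# the IPv6 side of fwmark-based policy routing for a VPN user.
# Assumptions: VPN interface tun0, routing table "vpn" present in
# /etc/iproute2/rt_tables, fwmark 0x1 as set by the ip6tables mangle rules.
# Usage:  routing6.sh dry-run   (print the ip commands)
#         routing6.sh apply     (run them, as root)
set -u

VPNIF="${VPNIF:-tun0}"
VPNTABLE="${VPNTABLE:-vpn}"
VPNMARK="${VPNMARK:-0x1}"

# Read an "ip -6 route show" dump on stdin and print the next-hop of the
# first route on device $1 that carries a "via". Prints nothing when the
# tunnel only has device routes (point-to-point without a next-hop).
ipv6_gateway_for() {
    awk -v dev="$1" '
        {
            via = ""; on_dev = 0
            for (i = 1; i < NF; i++) {
                if ($i == "via") via = $(i + 1)
                if ($i == "dev" && $(i + 1) == dev) on_dev = 1
            }
            if (on_dev && via != "") { print via; exit }
        }'
}

# Emit, one per line, the ip(8) commands that send fwmark $4 through table $3
# with a default route via $1 on $2 ($1 may be empty for a device-only route).
# Emitting instead of executing lets the result be reviewed or piped to sh.
ipv6_policy_route_cmds() {
    local gw="$1" dev="$2" table="$3" mark="$4"
    # Make re-runs idempotent: clear the rule and table from a previous run.
    echo "ip -6 rule del fwmark $mark lookup $table 2>/dev/null || true"
    echo "ip -6 route flush table $table"
    if [ -n "$gw" ]; then
        echo "ip -6 route add default via $gw dev $dev table $table"
    else
        echo "ip -6 route add default dev $dev table $table"
    fi
    # Fail closed: when $dev goes away the kernel removes its routes from the
    # table and this high-metric entry remains, so marked packets get EACCES
    # instead of the rule falling through to the main table and $NETIF.
    echo "ip -6 route add prohibit default table $table metric 65535"
    echo "ip -6 rule add fwmark $mark lookup $table"
}

case "${1:-}" in
    dry-run|apply)
        GW6="$(ip -6 route show | ipv6_gateway_for "$VPNIF")"
        if [ "$1" = apply ]; then
            ipv6_policy_route_cmds "$GW6" "$VPNIF" "$VPNTABLE" "$VPNMARK" | sh
        else
            ipv6_policy_route_cmds "$GW6" "$VPNIF" "$VPNTABLE" "$VPNMARK"
        fi
        ;;
    *)
        # No argument: only define the functions (file can be sourced or tested).
        ;;
esac
```

Run it with dry-run first and compare the output against "ip -6 rule show" and "ip -6 route show table vpn" after apply. It only routes; the tunnel still has to carry IPv6, which means the OpenVPN server must hand out an IPv6 address and push an IPv6 gateway (redirect-gateway ipv6), otherwise no "via" route exists on tun0 and the table ends up with nothing but the prohibit entry, which is the intended fail-closed state rather than a leak.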