
VPN

Proxy VPN detection test

Palo Alto Global Protect

Disable Pre-Logon (the remote-access VPN pre-logon mode documented at the link below)
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-with-pre-logon.html#

Nebula

https://theorangeone.net/posts/nebula-intro/

Create the CA certificate (every node will carry a copy of the resulting ca.crt):

>>> ./nebula-cert ca -name "My Shiny Nebula Mesh Network"

Create a certificate and key for each new node (the lighthouse plus two clients), signed by that CA:

>>> ./nebula-cert sign -name "lighthouse" -ip "192.168.98.1/24"
>>> ./nebula-cert sign -name "banshee" -ip "192.168.98.2/24"
>>> ./nebula-cert sign -name "locutus" -ip "192.168.98.3/24"

Configuring the Nebula lighthouse node (this is the lighthouse's config.yml; note am_lighthouse: true):

#
# This is Ars Technica's sample Nebula config file.
#

pki:
  # every node needs a copy of the CA certificate,
  # and its own certificate and key, ONLY.
  #
  ca: /opt/nebula/ca.crt
  cert: /opt/nebula/lighthouse.crt
  key: /opt/nebula/lighthouse.key

static_host_map:
 # how to find one or more lighthouse nodes
 # you do NOT need every node to be listed here!
 #
 # format "Nebula IP": ["public IP or hostname:port"]
 # 
 "192.168.98.1": ["nebula.arstechnica.com:4242"]

lighthouse:
  interval: 60

  # if you're a lighthouse, say you're a lighthouse
  #
  am_lighthouse: true

  hosts:
    # If you're a lighthouse, this section should be EMPTY
    # or commented out. If you're NOT a lighthouse, list 
    # lighthouse nodes here, one per line, in the following
    # format:
    #
    # - "192.168.98.1"

listen:
  # 0.0.0.0 means "all interfaces," which is probably what you want
  #
  host: 0.0.0.0
  port: 4242

# "punchy" basically means "send frequent keepalive packets"
# so that your router won't expire and close your NAT tunnels.
#
punchy: true

# "punch_back" allows the other node to try punching out to you,
# if you're having trouble punching out to it. Useful for stubborn
# networks with symmetric NAT, etc.
#
punch_back: true

tun:
  # sensible defaults. don't monkey with these unless
  # you're CERTAIN you know what you're doing.
  #
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  routes:

logging:
  level: info
  format: text

# you NEED this firewall section.
#
# Nebula has its own firewall in addition to anything
# your system has in place, and it's all default deny.
#
# So if you don't specify some rules here, you'll drop
# all traffic, and curse and wonder why you can't ping
# one node from another.
# 
firewall:
  conntrack:
    tcp_timeout: 120h
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000

  # since everything is default deny, all rules you
  # actually SPECIFY here are allow rules.
  #
  outbound:
    - port: any
      proto: any
      host: any

  inbound:
    - port: any
      proto: any
      host: any
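The certificate commands above and the lighthouse config are two halves of one procedure, and the client nodes (banshee, locutus) need a config that agrees with the lighthouse's: the same CA path, the same static_host_map entry, am_lighthouse: false, and the lighthouse's Nebula IP listed under hosts (exactly the rule the comments in the sample config spell out). The script below is an added example, not code from this page, from Ars Technica, or from the Nebula project. It renders one config.yml per node from a single node list so the two halves cannot drift apart, and it goes a step beyond the sample by replacing the any/any/any inbound rule with a narrower one: ICMP from any mesh node, and SSH only from nodes whose certificate carries the group "admin" (groups are attached at signing time with nebula-cert's -groups flag). The /opt/nebula paths, the node names, and the group names are assumptions; the lighthouse's public address is the one from the sample config.

```shell
#!/bin/sh
# Added example: render consistent Nebula configs for a lighthouse and its
# clients from one node list. Not from the page or the Nebula project.
# Assumptions: certs live under /opt/nebula on every node; ./nebula-cert is
# the release binary sitting in the current directory (as on the page).

CA_CRT="/opt/nebula/ca.crt"                      # assumed install path
LIGHTHOUSE_NEBULA_IP="192.168.98.1"              # from the sample config
LIGHTHOUSE_PUBLIC="nebula.arstechnica.com:4242"  # from the sample config

# One node per line: "name nebula_ip/prefix groups" (constructed list).
# The groups end up in each node's cert and drive the firewall rules below.
NODES="lighthouse 192.168.98.1/24 infra
banshee 192.168.98.2/24 servers
locutus 192.168.98.3/24 admin"

# is_lighthouse NEBULA_IP/PREFIX -> status 0 when this node is the lighthouse
is_lighthouse() {
  [ "${1%/*}" = "$LIGHTHOUSE_NEBULA_IP" ]
}

# render_config NAME NEBULA_IP/PREFIX -> prints that node's config.yml
render_config() {
  name="$1"; ip="$2"
  if is_lighthouse "$ip"; then am=true; else am=false; fi
  cat <<EOF
pki:
  ca: $CA_CRT
  cert: /opt/nebula/$name.crt
  key: /opt/nebula/$name.key

static_host_map:
  "$LIGHTHOUSE_NEBULA_IP": ["$LIGHTHOUSE_PUBLIC"]

lighthouse:
  am_lighthouse: $am
  interval: 60
EOF
  # Only non-lighthouse nodes list the lighthouse under hosts; the
  # lighthouse itself must leave this section empty.
  if [ "$am" = false ]; then
    printf '  hosts:\n    - "%s"\n' "$LIGHTHOUSE_NEBULA_IP"
  fi
  cat <<EOF

listen:
  host: 0.0.0.0
  port: 4242

punchy: true
punch_back: true

tun:
  dev: nebula1
  mtu: 1300

logging:
  level: info
  format: text

# Nebula's firewall is default deny; every rule here is an allow rule,
# so keep inbound narrow instead of the sample's any/any/any.
firewall:
  conntrack:
    tcp_timeout: 120h
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any        # ping from any mesh node
      proto: icmp
      host: any
    - port: 22         # ssh only from nodes whose cert carries group "admin"
      proto: tcp
      group: admin
EOF
}

# sign_node NAME NEBULA_IP/PREFIX GROUPS -> node cert + key (skips when the
# nebula-cert binary is absent, so config rendering still works offline)
sign_node() {
  if [ ! -x ./nebula-cert ]; then
    echo "./nebula-cert not found; skipping cert for $1" >&2
    return 0
  fi
  ./nebula-cert sign -name "$1" -ip "$2" -groups "$3"
}

# generate_all OUT_DIR -> writes OUT_DIR/<name>.yml for every node and signs it
generate_all() {
  out="$1"; mkdir -p "$out"
  printf '%s\n' "$NODES" | while read -r name ip groups; do
    render_config "$name" "$ip" > "$out/$name.yml"
    sign_node "$name" "$ip" "$groups"
  done
}

# Set NEBULA_OUT to a directory to write the configs; with it unset the
# script only defines the functions above.
if [ -n "${NEBULA_OUT:-}" ]; then generate_all "$NEBULA_OUT"; fi
```

Run it as `NEBULA_OUT=./out sh nebula-gen.sh` next to the nebula-cert binary; copy ca.crt plus each node's .crt, .key and .yml to /opt/nebula on that node only (the CA key stays off the mesh nodes entirely). Because the allow rules reference the "admin" group rather than a host address, access follows the certificate: a node is allowed to reach port 22 only if the CA signed it into that group.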

Configuring a Nebula client node:


Tailscale

ZeroTier