[Linux-Biella] OpenVPN
andrea ferraris
andrea.ferraris at gmail.com
Tue 17 Feb 2009 10:30:30 CET
Thanks for the reply.
2009/2/17 leonardo buffa <leonardo.buffa at bilug.linux.it>:
> On Mon, 16 Feb 2009 22:11:27 +0100
> Andrea Ferraris <andrea.ferraris at gmail.com> wrote:
>
>> It's the first time I've tried this and I have a problem, apparently with
>> routing. The encrypted tunnel between the two machines comes up, to the
>> point that from each one I can ping the other's tun device and vice versa.
>>
>> The problem is when, from the VPN client, I try to reach the internal (DMZ)
>> IP of the VPN server's gateway, from which traffic should then go on to an
>> internal LAN. If I run a traceroute from the VPN client to the internal IP
>> of the VPN server's gateway, the packets get as far as the VPN server's tun
>> interface but go no further.
>>
>> I have enabled ip_forwarding on both machines.
>
> it wouldn't be a bad idea to post the config files of both the server and
> the client
$ cat /etc/openvpn/client.conf
client
dev tun
proto udp
remote 88.253.178.244 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 4
mute 20
$ cat /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.222.0 255.255.255.240"
push "redirect-gateway"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
mute 20
Server:
ops@vpn1:~$ ifconfig
eth1 Link encap:Ethernet HWaddr 00:08:02:c6:1d:04
inet addr:192.168.222.12 Bcast:192.168.222.15 Mask:255.255.255.240
inet6 addr: fe80::208:2ff:fec6:1d04/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2191 errors:0 dropped:0 overruns:0 frame:0
TX packets:2470 errors:0 dropped:0 overruns:0 carrier:2
collisions:2 txqueuelen:1000
RX bytes:228667 (223.3 KB) TX bytes:259849 (253.7 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:17 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:680 (680.0 B) TX bytes:204 (204.0 B)
ops@vpn1:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.222.0   0.0.0.0         255.255.255.240 U     0      0        0 eth1
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
0.0.0.0         192.168.222.1   0.0.0.0         UG    100    0        0 eth1
ops@vpn1:~$ ip route show
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.222.0/28 dev eth1 proto kernel scope link src 192.168.222.12
10.8.0.0/24 via 10.8.0.2 dev tun0
default via 192.168.222.1 dev eth1 metric 100
Client:
ops@vpn2:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:e0:4c:77:7f:aa
inet addr:192.168.5.2 Bcast:192.168.5.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:4cff:fe77:7faa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:468 (468.0 B)
Interrupt:16 Base address:0x8000
eth1 Link encap:Ethernet HWaddr 00:08:02:be:40:21
inet addr:105.99.211.98 Bcast:105.99.211.103 Mask:255.255.255.248
inet6 addr: fe80::208:2ff:febe:4021/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1474 errors:0 dropped:0 overruns:0 frame:0
TX packets:940 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:129404 (126.3 KB) TX bytes:112966 (110.3 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.10 P-t-P:10.8.0.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:204 (204.0 B) TX bytes:680 (680.0 B)
ops@vpn2:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
88.253.178.244  105.99.211.97   255.255.255.255 UGH   0      0        0 eth1
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
105.99.211.96   0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.222.0   10.8.0.9        255.255.255.240 UG    0      0        0 tun0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
ops@vpn2:~$ ip route show
88.253.178.244 via 105.99.211.97 dev eth1
10.8.0.1 via 10.8.0.9 dev tun0
10.8.0.9 dev tun0 proto kernel scope link src 10.8.0.10
105.99.211.96/29 dev eth1 proto kernel scope link src 94.81.211.98
192.168.222.0/28 via 10.8.0.9 dev tun0
192.168.5.0/24 dev eth0 proto kernel scope link src 192.168.5.2
88.253.178.244 is the public address NATed by a firewall to 192.168.222.12, the
VPN server.
From the client:
ops@vpn2:~$ tcptraceroute 192.168.222.1
Selected device tun0, address 10.8.0.10, port 48227 for outgoing packets
Tracing the path to 192.168.222.1 on TCP port 80 (www), 30 hops max
1 10.8.0.1 81.209 ms 88.464 ms 90.547 ms
and then only asterisks.
Regards
--
Andrea Ferraris
---
it seemed like a good idea at the time
Brian Kernighan
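The two config files in the message are the stock 2009 sample set and are internally consistent, but several of their settings are below what a current deployment should accept. The fragment below is an added example, not the poster's files: it lists only the lines that differ from the posted server.conf and client.conf, with the replacements that OpenVPN 2.4 and later support; every other line stays as posted.

```text
# server.conf: lines that differ from the posted file (everything else unchanged)
dh dh2048.pem                  # was dh1024.pem; 1024-bit DH is below current minimums
cipher AES-256-GCM             # was BF-CBC; Blowfish is a 64-bit block cipher (SWEET32) and
                               # GCM is authenticated encryption, so no separate data-channel HMAC
auth SHA256                    # HMAC for the tls-auth control channel (the default is SHA1)
push "redirect-gateway def1"   # was "redirect-gateway": def1 adds 0.0.0.0/1 and 128.0.0.0/1
                               # over the tunnel instead of deleting the client's default route
# comp-lzo removed on both sides: compressing attacker-influenced plaintext leaks it (VORACLE)

# client.conf: lines that differ from the posted file
remote-cert-tls server         # was "ns-cert-type server": nsCertType is deprecated since 2.4;
                               # this checks the X.509 key usage / extended key usage instead
cipher AES-256-GCM             # must match the server; 2.4+ can also negotiate it
                               # (ncp-ciphers, renamed data-ciphers in 2.5)
auth SHA256
```

The `tls-auth` lines with a shared `ta.key` are already the right choice and stay as posted; they drop unauthenticated packets before the TLS handshake, which is what keeps a UDP port 1194 exposed through the firewall from being probed for TLS bugs.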
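One thing the tables quoted in this message let you check mechanically is whether every hop on the way back has a route to the VPN subnet: a probe can reach 192.168.222.1 through the tunnel and still produce a traceroute that dies after the first hop if the reply leaves by some other path. The script below is an added example, not code from the post or from OpenVPN. It parses the `ip route show` output above, does the kernel's longest-prefix lookup, and walks the forward and return paths between the VPN client and the LAN gateway. The post does not show the routing table of the gateway at 192.168.222.1, so the one in the script is a constructed assumption (a gateway that knows only its LAN plus a default route through 203.0.113.1, a documentation address), shown once as-is and once with a static route for 10.8.0.0/24 added.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dst via dev")

# Routing tables copied from the `ip route show` output in the post.
SERVER_ROUTES = """\
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.222.0/28 dev eth1 proto kernel scope link src 192.168.222.12
10.8.0.0/24 via 10.8.0.2 dev tun0
default via 192.168.222.1 dev eth1 metric 100
"""
CLIENT_ROUTES = """\
88.253.178.244 via 105.99.211.97 dev eth1
10.8.0.1 via 10.8.0.9 dev tun0
10.8.0.9 dev tun0 proto kernel scope link src 10.8.0.10
105.99.211.96/29 dev eth1 proto kernel scope link src 94.81.211.98
192.168.222.0/28 via 10.8.0.9 dev tun0
192.168.5.0/24 dev eth0 proto kernel scope link src 192.168.5.2
"""
# The post does not show the table of the LAN gateway 192.168.222.1.  This is a
# CONSTRUCTED assumption: a gateway that only knows its own LAN and a default
# route (203.0.113.1 is a documentation address, not a real next hop).
GATEWAY_ROUTES = """\
192.168.222.0/28 dev eth0 proto kernel scope link src 192.168.222.1
default via 203.0.113.1 dev eth1
"""
# Static route that gives the gateway a way back to the VPN subnet.
RETURN_ROUTE = "10.8.0.0/24 via 192.168.222.12 dev eth0\n"


def parse_routes(text):
    """Parse `ip route show` lines into Route tuples; src/proto/scope are ignored."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = dev = None
        for i, tok in enumerate(fields[:-1]):
            if tok == "via":
                via = fields[i + 1]
            elif tok == "dev":
                dev = fields[i + 1]
        routes.append(Route(ipaddress.ip_network(prefix, strict=False), via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it (metrics ignored: no ties here)."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen) if matches else None


def build_hosts(gateway_routes):
    """Map host name -> (addresses the host answers for, its routing table).

    OpenVPN's net30 topology (the default of that era, visible in the post's
    ifconfig output) gives each tun endpoint a /30 pair: server 10.8.0.1 with
    peer 10.8.0.2, client 10.8.0.10 with peer 10.8.0.9.  The peer addresses are
    not separate machines: what the server sends to 10.8.0.2 enters the openvpn
    daemon and goes out to the client, and what the client sends to 10.8.0.9
    goes through the tunnel to the server.  The model therefore assigns each
    peer address to the host at the far end of the tunnel.
    """
    return {
        "client": ({"10.8.0.10", "10.8.0.2", "192.168.5.2", "105.99.211.98"},
                   parse_routes(CLIENT_ROUTES)),
        "server": ({"10.8.0.1", "10.8.0.9", "192.168.222.12"},
                   parse_routes(SERVER_ROUTES)),
        "gateway": ({"192.168.222.1"}, parse_routes(gateway_routes)),
    }


def walk(hosts, src, dst, max_hops=8):
    """Follow a packet for `dst` hop by hop, starting at host `src`.

    Returns (path, delivered): path lists the host names traversed, or the bare
    IP of the first next hop that lies outside the modelled topology.
    """
    owner_of = {a: name for name, (addrs, _) in hosts.items() for a in addrs}
    path, cur = [], src
    for _ in range(max_hops):
        addrs, routes = hosts[cur]
        if dst in addrs:
            return path, True
        route = lookup(routes, dst)
        if route is None:
            return path, False                 # no route at all
        nxt = route.via or dst                 # on-link route: hand to dst itself
        cur = owner_of.get(nxt)
        path.append(cur or nxt)
        if cur is None:
            return path, False                 # left the topology we know about
    return path, False


if __name__ == "__main__":
    broken = build_hosts(GATEWAY_ROUTES)
    print("client  -> 192.168.222.1 :", walk(broken, "client", "192.168.222.1"))
    print("gateway -> 10.8.0.10     :", walk(broken, "gateway", "10.8.0.10"))
    fixed = build_hosts(GATEWAY_ROUTES + RETURN_ROUTE)
    print("with return route        :", walk(fixed, "gateway", "10.8.0.10"))
```

With the assumed gateway table the forward path is server, gateway and is delivered, while the reply for 10.8.0.10 leaves the gateway through 203.0.113.1 and never re-enters the tunnel; with the static route added the reply comes back server, client. A filter on the server or on the gateway dropping forwarded traffic looks the same from the client, so the distinguishing check is `tcpdump -ni eth1 host 192.168.222.1` on the VPN server: if the probe leaves eth1 and nothing answers, the gateway's return route (or a filter on the gateway) is the problem; if it never appears on eth1, forwarding or filtering on the server itself is. The alternative to a static route on the gateway is source NAT on the server (`iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE`), which hides the VPN subnet behind 192.168.222.12 at the cost of losing the client's real address in LAN-side logs.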