Ïðîáëåìû ñ OpenVPN. Ïðîøó ïîìîùè!

**pux** · 07-03-2012, 01:24

Â÷åðà òîëüêî ïðèøëîñü çàìîðî÷èòüñÿ, ïîêà çàìåòêè åùå ïîä ðóêîé..

Íà ðîóòåðå âûïîëíÿåì êîìàíäû:
# mkdir /tmp/local/opt
# mount -o bind /usr/local/opt /opt
# ipkg.sh update; ipkg.sh install opkg; opkg update; opkg install openvpn

Ñîçäàåì ôàéëèêè:

(1) /opt/etc/openvpn/server.conf

Code:

proto		tcp-server
dev		tun0
port		443
ifconfig	10.8.0.2 10.8.0.1
keepalive	10 120
secret		static.key

(2) /usr/local/sbin/post-boot

Code:

#!/bin/sh
# keep opkg repository in flash memory
mount -o bind /usr/local/opt /opt
# OpenVPN
/sbin/insmod tun
/opt/bin/openvpn --daemon --cd /opt/etc/openvpn --config server.conf

(3) /usr/local/sbin/post-firewall

Code:

#!/bin/sh
vpnPort=443
vpnProto=tcp
vpnDevice=tun0
iptables -P INPUT    DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p $vpnProto --dport $vpnPort --tcp-flags FIN,SYN,RST,ACK SYN	-j BRUTE        
iptables -A INPUT -p $vpnProto --dport $vpnPort		-j ACCEPT 
iptables -I INPUT	-i $vpnDevice	-j ACCEPT
iptables -I FORWARD	-i $vpnDevice	-j ACCEPT
iptables -I FORWARD	-o $vpnDevice	-j ACCEPT
iptables -I OUTPUT	-o $vpnDevice	-j ACCEPT

(4) /opt/etc/openvpn/static.key
(ãåíåðèðóåòñÿ íà ñåðâåðå èëè íà êëèåíòå êîìàíäîé
# openvpn --genkey --secret static.key
ñîäåðæèìîå êîïèïàñòèòñÿ ÷åðåç ssh áåç âñÿêèõ scp)

óñòàíàâëèâàåì ïðàâà íà ôàéëû:
# chmod 0755 "/usr/local/sbin/post-boot"
# chmod 0755 "/usr/local/sbin/post-firewall"

ïèøåì ñäåëàííîå âî ôëåø è ïåðåãðóæàåìñÿ ñ ìîëèòâîé:
# flashfs save && flashfs commit && flashfs enable
# reboot

êîíôèã äëÿ êëèåíòà:

Code:

proto		tcp-client
dev		tun0
port		443
ifconfig	10.8.0.1 10.8.0.2
secret		static.key
redirect-gateway
remote		213.24.76.23

Íþàíñû:
(1) ôàåðâîëîì ïðèêðûë OpenVPN îò áðóòôîðñà;
(2) ïèøó ëîã â ñèñëîã, ÷òîáû íå ïàðèòüñÿ ñ ðîòàöèåé, è ÷òîáû ïðîùå áûëî ãëÿíóòü ÷åðåç âåá-èíòåðôåéñ;
(3) åñëè õî÷åòñÿ óïðàâëÿòü îòäåëüíûì ñêðèïòîì â /opt/etc/init.d/ , òî íóæíî èñêàòü rc.unslung .

PS: Ñïàñèáî çà íîâûé ðåïîçèòîðèé!
PPS: ïîïðàâëåíî.

**Spartach** · 07-03-2012, 05:12

Originally Posted by pux

Â÷åðà òîëüêî ïðèøëîñü çàìîðî÷èòüñÿ, ïîêà çàìåòêè åùå ïîä ðóêîé..

Ýòî äåëàòü íå íóæíî:

Code:

mkdir /dev/net
mknod /dev/net/tun c 10 200

Ñêðèïò çàïóñêà äåëàåò ìíîãî ïîëåçíûõ âåùåé â ÷àñòíîñòè

Code:

/sbin/insmod tun

åñëè ìîäóëü íå áûë çàãðóæåí.
Ïëþñ ïðîâåðêà íà íàëè÷èå çàïóùåííûõ ïðîöåññîâ ïðè îñòàíîâêè è ðåñòàðòå (stop/start).

**vaxon** · 16-03-2012, 19:41

Óñòàíîâëåíà ïðîøèâêà 1.9.2.7-rtn.3976
Óñòàíîâèë íà USB ôëåøêó openvpn_2.2.0-1_mipsel.ipk

Äîñòóï ê VPN ðàáîòàåò ñ ðîóòåðà íîðìàëüíî.

Çàïóñêàþ íà ðîóòåðå iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
äëÿ òîãî ÷òîáû ìîæíî áûëî èç ëîêàëüíîé ñåòêè ÷åðåç ðóòåð äîñòóï â VPN ïîëó÷èòü.

Ïîñëå ýòîãî ping èç ëîêàëüíîé ñåòêè â VPN ïðîõîäèò áåç ïðîáëåì, íî ëþáîå îáðàùåíèå ïî ssh/telnet ïðèâîäèò ê ïåðåçàãðóçêè ðîóòåðà.

Ïîõîæå ïðîáëåìà ãäå-òî â masquerading tcp + tun

Êòî-íèáóäü ñòàëêèâàëñÿ ñ ïîäîáíûì?

Ñïàñèáî,
Â.

**VicSer** · 16-03-2012, 19:55

Originally Posted by vaxon

Ïîõîæå ïðîáëåìà ãäå-òî â masquerading tcp + tun

Êòî-íèáóäü ñòàëêèâàëñÿ ñ ïîäîáíûì?

Ïîïðîáóéòå îòêëþ÷èòü Fast nat:

Code:

nvram set misc_fastnat_x=0
nvram commit && reboot

**vaxon** · 16-03-2012, 21:06

Originally Posted by VicSer

Ïîïðîáóéòå îòêëþ÷èòü Fast nat:

Code:

nvram set misc_fastnat_x=0
nvram commit && reboot

Îãðîìíîå ñïàñèáî! Ïîìîãëî!

Èíòåðåñíî ýòî ïîôèêñèëè â íîâûõ âåðñèÿõ ÿäðà?

Åùå ðàç áîëüøîå ñïàñèáî!

Â.

Originally Posted by vaxon

Îãðîìíîå ñïàñèáî! Ïîìîãëî!

Èíòåðåñíî ýòî ïîôèêñèëè â íîâûõ âåðñèÿõ ÿäðà?

ß ñíà÷àëà ïîäóìàë, ÷òî ýòî ëèíóêñîâàÿ ôè÷à èç êîììüþíèòè. Îêàçàëîñü, fast nat - ýòî áðîàäêîìîâêèé õàê.

Â.

**pux** · 18-03-2012, 04:20

Ïîäòâåðæäàþ, áûëà ðîâíî òàêàÿ æå ôèãíÿ. Îòêëþ÷åíèå fast nat òàêæå ïîìîãëî. VicSer, áëàãîäàðþ çà íàâîäêó.

**wig** · 18-06-2012, 13:29

Originally Posted by staticroute

÷òîáû çàðàáîòàë openvpn êàê êëèåíò, íåîáõîäèìî äîáàâèòü ñîîòâåòñòâóþùèå ïðàâèëà iptables
è äîáàâèòü íóæíûå ïîäñåòêè â ðîóòèíã (÷òî ïî èäåå äîëæåí äåëàòü server push-åì).

â /usr/local/sbin/post-firewall äîáàâüòå:

Code:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

è äîáàâüòå â client.conf:

Code:

dev tun0

íó ÷òî, íèêòî åù¸ íå ïðîâåðÿë?

ñïàñèáî, ýòî ÿ êàê ðàç ñîîáðàçèë!
À âîò ñ ðóòèíãîì - íåò èäåé.
Ïîëíîñòüþ çàäà÷à
Åñòü èíòåðôåéñû
br0 ëîêàëêà 192.168.1.0
vlan2 WAN 192.168.2.0 ñ ãåéòîì 192.168.2.1 Îíî default gateway
tun0 ñ îáñòâåííî òóíåëü, openvpn client, íàçîâåì IPtun.0 c ãåòéîì êàê âîäèòñÿ IPtun.1
Çàäà÷êà
âñå ÷òî íå 192.168.õ.õ çàðóòèòü â tun0, ïðè ýòîì äåôîëò ãåéò (vlan2) îñòàâèòü ïðåæíèì.
×òîá åñëè tun0 îòâàëèòñÿ (÷òî áûâàåò), âñå ñàìî âåðíóëîñü íà îáû÷íóþ ñõåìó
Íå ïîäñêàæåòå ðåøåíèå?
Ãäå òî âèäåë äà íèêàê íàéòè íå ìîãó

**staticroute** · 18-06-2012, 13:32

Originally Posted by wig

ñïàñèáî, ýòî ÿ êàê ðàç ñîîáðàçèë!
À âîò ñ ðóòèíãîì - íåò èäåé.
Ïîëíîñòüþ çàäà÷à
Åñòü èíòåðôåéñû
br0 ëîêàëêà 192.168.1.0
vlan2 WAN 192.168.2.0 ñ ãåéòîì 192.168.2.1 Îíî default gateway
tun0 ñ îáñòâåííî òóíåëü, openvpn client, íàçîâåì IPtun.0 c ãåòéîì êàê âîäèòñÿ IPtun.1
Çàäà÷êà
âñå ÷òî íå 192.168.õ.õ çàðóòèòü â tun0, ïðè ýòîì äåôîëò ãåéò (vlan2) îñòàâèòü ïðåæíèì.
×òîá åñëè tun0 îòâàëèòñÿ (÷òî áûâàåò), âñå ñàìî âåðíóëîñü íà îáû÷íóþ ñõåìó
Íå ïîäñêàæåòå ðåøåíèå?
Ãäå òî âèäåë äà íèêàê íàéòè íå ìîãó

×òî êîíêðåòíî âû õîòèòå âîîáùå? Ó âàñ Openvpn êëèåíò öåïëÿåòñÿ ó èíòåðíåò-óçëó ÿ òàê ïîíèìàþ? (188.õõ.õõ)

Êàêàÿ ïîäñåòü ó tun0 èíòåðôåéñà? Îáúÿñíèòå ïî-÷åëîâå÷åñêè.

**wig** · 18-06-2012, 14:33

Originally Posted by staticroute

×òî êîíêðåòíî âû õîòèòå âîîáùå? Ó âàñ Openvpn êëèåíò öåïëÿåòñÿ ó èíòåðíåò-óçëó ÿ òàê ïîíèìàþ? (188.õõ.õõ)

Äà, âñå ïðàâèëüíî

Originally Posted by staticroute

Êàêàÿ ïîäñåòü ó tun0 èíòåðôåéñà? Îáúÿñíèòå ïî-÷åëîâå÷åñêè.

inet addr:10.114.232.41 Bcast:10.127.255.255 Mask:255.240.0.0
Òîëüêî îí íå tun0 à tap0
È route table âûãëÿäèò òàê
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.1 * 255.255.255.255 UH 0 0 0 vlan2
188.xx.xx.xx 192.168.2.1 255.255.255.255 UGH 0 0 0 vlan2
192.168.2.0 * 255.255.255.0 U 0 0 0 vlan2
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
10.112.0.0 * 255.240.0.0 U 0 0 0 tap0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default localhost 128.0.0.0 UG 0 0 0 tap0
128.0.0.0 localhost 128.0.0.0 UG 0 0 0 tap0
default 192.168.2.1 0.0.0.0 UG 0 0 0 vlan2

È òåïåðü íàäî âñå, ÷òî íå 192.168.0.0 255.255.0.0 çàðóòèòü íà tap0
×òîáû ñåòêà íà br0 ïîëüçîâàëà èíåò ÷åðåç VPN (tap0)

**staticroute** · 18-06-2012, 14:50

Originally Posted by wig

Äà, âñå ïðàâèëüíî

inet addr:10.114.232.41 Bcast:10.127.255.255 Mask:255.240.0.0
Òîëüêî îí íå tun0 à tap0
È route table âûãëÿäèò òàê
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.1 * 255.255.255.255 UH 0 0 0 vlan2
188.xx.xx.xx 192.168.2.1 255.255.255.255 UGH 0 0 0 vlan2
192.168.2.0 * 255.255.255.0 U 0 0 0 vlan2
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
10.112.0.0 * 255.240.0.0 U 0 0 0 tap0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default localhost 128.0.0.0 UG 0 0 0 tap0
128.0.0.0 localhost 128.0.0.0 UG 0 0 0 tap0
default 192.168.2.1 0.0.0.0 UG 0 0 0 vlan2

È òåïåðü íàäî âñå, ÷òî íå 192.168.0.0 255.255.0.0 çàðóòèòü íà tap0
×òîáû ñåòêà íà br0 ïîëüçîâàëà èíåò ÷åðåç VPN (tap0)

äîáàâüòå â client.conf:

Code:

pull

Êàêîé IP àäðåñ âíóòðåííèé OpenVPN ñåðâåðà ? (10.114.232.1 ?)
íà ñåðâåðå OpenVPN äîëæíî áûòü â êîíôèãå:

Code:

push "redirect-gateway def1"
push "route-gateway 10.114.232.1"
push "dhcp-option DNS 10.114.232.1"

**wig** · 18-06-2012, 15:15

Originally Posted by staticroute

äîáàâüòå â client.conf:

Code:

pull

Êàêîé IP àäðåñ âíóòðåííèé OpenVPN ñåðâåðà ? (10.114.232.1 ?)
íà ñåðâåðå OpenVPN äîëæíî áûòü â êîíôèãå:

Code:

push "redirect-gateway def1"
push "route-gateway 10.114.232.1"
push "dhcp-option DNS 10.114.232.1"

Àäðåñ èìåííî òàêîé.
Íî âîò ýòîãî ÿ íå ìîãó íè ñäåëàòü, íè ïðîâåðèòü, òàê êàê VPN ñåðâåð íå ìîé, îí îò hideme.ru. Èëè îò russianproxy.ru
Âîò è ïûòàþñü ÷åðåç route
Âñå ýòî - âîéíóøêà ñ ïðîáëåìàìè éîòû.
Õðåí ñ íèìè, ñ òîððåíòàìè.
Òóò ïî ðàáîòå UDP-øíèûå ïðîäóêòû òîëêîì íå ðàáîòàþò, svn òîëêîì íå ðàáîòàåò.

PS: pull â client.conf íå âëèÿåò, ðóòèíãîâàÿ òàáëèöà òà æå

**staticroute** · 18-06-2012, 16:52

Originally Posted by wig

Àäðåñ èìåííî òàêîé.
Íî âîò ýòîãî ÿ íå ìîãó íè ñäåëàòü, íè ïðîâåðèòü, òàê êàê VPN ñåðâåð íå ìîé, îí îò hideme.ru. Èëè îò russianproxy.ru
Âîò è ïûòàþñü ÷åðåç route
Âñå ýòî - âîéíóøêà ñ ïðîáëåìàìè éîòû.
Õðåí ñ íèìè, ñ òîððåíòàìè.
Òóò ïî ðàáîòå UDP-øíèûå ïðîäóêòû òîëêîì íå ðàáîòàþò, svn òîëêîì íå ðàáîòàåò.

PS: pull â client.conf íå âëèÿåò, ðóòèíãîâàÿ òàáëèöà òà æå

çíà÷èò íàäî ïðîñòî â client.conf èëè client.ovpn äîáàâèòü:

Code:

redirect-gateway def1
route-gateway 10.114.232.1
dhcp-option DNS 10.114.232.1

ïîñëåäíÿÿ îïöèÿ â ñëó÷àå, åñëè òàì åñòü òàêæå DNS ñåðâèñ, åñëè íåòó, òî âïèñàòü âðó÷íóþ 8.4.4.4, 8.8.8.8 â êà÷åñòâå äíñ.

**wig** · 18-06-2012, 17:01

Originally Posted by staticroute

çíà÷èò íàäî ïðîñòî â client.conf èëè client.ovpn äîáàâèòü:

Code:

redirect gateway def1
route-gateway 10.114.232.1
dhcp-option DNS 10.114.232.1

ïîñëåäíÿÿ îïöèÿ â ñëó÷àå, åñëè òàì åñòü òàêæå DNS ñåðâèñ, åñëè íåòó, òî âïèñàòü âðó÷íóþ 8.4.4.4, 8.8.8.8 â êà÷åñòâå äíñ.

èç openvpn.log
Options error: Unrecognized option or missing parameter(s) in openvpn.conf:45: redirect (2.2.2)

OpenVPN 2.2.2 mipsel-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 1 2012
Íà âñÿêèé ñëó÷àé firewall îòêëþ÷èë, ÷òîá íå ìåøàëñÿ.
DNS âïèñàí â client.conf
#DNS server to use
dhcp-option DNS 8.8.8.8

**staticroute** · 18-06-2012, 17:17

Originally Posted by wig

èç openvpn.log
Options error: Unrecognized option or missing parameter(s) in openvpn.conf:45: redirect (2.2.2)

OpenVPN 2.2.2 mipsel-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 1 2012
Íà âñÿêèé ñëó÷àé firewall îòêëþ÷èë, ÷òîá íå ìåøàëñÿ.
DNS âïèñàí â client.conf
#DNS server to use
dhcp-option DNS 8.8.8.8

ïîïðàâèë '-' çàáûë.

**wig** · 18-06-2012, 17:43

Originally Posted by staticroute

ïîïðàâèë '-' çàáûë.

openvpn çàâåëñÿ, íî èç br0 íè÷åãî íè â lan2 (wan) â tap0 íå ïîïàäàåò, êëèåíòñêèé êîìï ïîäêëþ÷åííûé ê br0 òåðÿåò èíåò
firewall îòêëþ÷åí, ïîñåìó íè÷åãî íå ìåøàåò ïàêåòàì åõàòü â tap0
Â ëîãå vpn âñå â ïîðÿäêå:
/sbin/ifconfig tap0 10.114.232.41 netmask 255.240.0.0 mtu 1500 broadcast 10.127.255.255
/sbin/route add -net 188.64.x.x netmask 255.255.255.255 gw 192.168.2.1
/sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.114.192.1
/sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.114.192.1

Èç ðóòåðà traceroute
traceroute to rbc.ru (194.67.32.20), 30 hops max, 38 byte packets
1 localhost (10.114.192.1) 77.601 ms 36.704 ms 115.051 ms
2 h1net188-64-x-x.h1host.ru (188.64.x.x) 36.425 ms h1net188-64-x-y.h1host.ru (188.64.x.y) 47.630 ms h1net188-64-x-x.h1host.ru (188.64.x.x) 106.865 ms

Ò.å. èçíóòðè ðóòåðà - âñå êëàññíî, à èç br0 - íåò
À íàäî ÷òîá èç br0 â tap0 õîäèëî.

Thread: Ïðîáëåìû ñ OpenVPN. Ïðîøó ïîìîùè!

Thread Tools

Rate This Thread

Display

WL500gP OpenVPN + masquerade = ïåðåçàãðóçêà ðîóòåðà

Similar Threads

OpenVPN â ñîñòàâå ïðîøèâêè îò ýíòóçèàñòîâ

Óïðàâëåíèå UPS ïðè ïîìîùè apcupsd è nut

Îòïðàâêà SMS-îïîâåùåíèé ïðè ïîìîùè Google

HowTo install OpenVPN server

Use openvpn on WL500g

Tags for this Thread

Posting Permissions