Asking for a bit of help; I think I'm simply missing something obvious.
I have a home network and a network at the dacha, and I'd like to link them via OpenVPN so that the networks behind the routers can ping each other.
The topology is roughly: 10.0.0.0/24 ----------- 192.168.0.0/24 (openVPN) ---------------- 10.0.1.0/24
The first router is quite ancient, running Oleg's firmware, and acts as the server (its address is 10.0.0.222). The second one is a bit newer.
Code:
[root@galaxy root]$ openvpn --version
OpenVPN 2.2.0 mipsel-linux [SSL] [LZO2] [EPOLL] [eurephia] built on Apr 28 2011
Config:
Code:
dev tap0
mode server
proto tcp-server
port 443
ifconfig 192.168.0.1 255.255.255.0
ifconfig-pool 192.168.0.2 192.168.0.10
ifconfig-pool-persist /opt/etc/openvpn/ipp.txt
client-to-client
route 10.0.1.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
script-security 2
tls-server
dh /opt/etc/openvpn/keys/dh1024.pem
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/server.crt
key /opt/etc/openvpn/keys/server.key
user nobody
group nobody
comp-lzo
persist-tun
persist-key
verb 3
status /opt/var/log/openvpn/status.log
Server tables:
Code:
[root@galaxy root]$ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
286 27143 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
248 18192 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
3 144 DROP all -- any any anywhere anywhere ctstate INVALID
23 5007 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
1 122 ACCEPT all -- lo any anywhere anywhere ctstate NEW
38 5125 ACCEPT all -- br0 any anywhere anywhere ctstate NEW
1029 72708 DROP all -- any any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- tap0 any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:www
0 0 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 117 packets, 6260 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 anywhere anywhere
9 384 DROP all -- any any anywhere anywhere ctstate INVALID
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DROP all -- !br0 vlan1 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT
0 0 DROP all -- any br0 anywhere anywhere
0 0 ACCEPT all -- tap0 any anywhere anywhere
Virtual interface:
Code:
[root@galaxy root]$ ifconfig tap0
tap0 Link encap:Ethernet HWaddr 00:FF:29:15:1F:06
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
The second router acts as the client; its address is 10.0.1.222.
Code:
root@dacha:~# openvpn --version
OpenVPN 2.3.1 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 24 2013
Config:
Code:
root@dacha:~# cat /tmp/openvpncl/openvpn.conf
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tap1
proto tcp-client
cipher bf-cbc
auth sha1
remote <redacted> 443
comp-lzo yes
tls-client
tun-mtu 1500
mtu-disc yes
ns-cert-type server
Interface:
Code:
root@dacha:~# ifconfig tap1
tap1 Link encap:Ethernet HWaddr 00:FF:EB:09:9E:C9
inet addr:192.168.0.4 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:210 errors:0 dropped:0 overruns:0 frame:0
TX packets:158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:22513 (21.9 KiB) TX bytes:22204 (21.6 KiB)
Tables:
Code:
root@dacha:~# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
235 21625 ACCEPT 0 -- tap1 any anywhere anywhere
669 101K logaccept 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 logdrop udp -- ppp0 any anywhere anywhere udp dpt:route
0 0 logdrop udp -- br0 any anywhere anywhere udp dpt:route
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:route
0 0 ACCEPT icmp -- ppp0 any anywhere anywhere
24 768 ACCEPT igmp -- any any anywhere anywhere
0 0 ACCEPT 0 -- lo any anywhere anywhere state NEW
1326 83843 logaccept 0 -- br0 any anywhere anywhere state NEW
9 3550 logdrop 0 -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- any tap1 anywhere anywhere
0 0 ACCEPT 0 -- tap1 any anywhere anywhere
0 0 logaccept gre -- any ppp0 10.0.1.0/24 anywhere
0 0 logaccept tcp -- any ppp0 10.0.1.0/24 anywhere tcp dpt:1723
9483 6550K lan2wan 0 -- any any anywhere anywhere
386 20352 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
9170 6527K logaccept 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 logaccept 0 -- br0 br0 anywhere anywhere
0 0 logaccept udp -- ppp0 any anywhere base-address.mcast.net/4
0 0 TRIGGER 0 -- ppp0 br0 anywhere anywhere TRIGGER type:in match:0 relate:0
313 22934 trigger_out 0 -- br0 any anywhere anywhere
303 22534 logaccept 0 -- br0 any anywhere anywhere state NEW
10 400 logdrop 0 -- any any anywhere anywhere
What I honestly expected from this setup: the server would know where to route traffic for the dacha and would push to the client where to route traffic for home.
The result is:
on the server
Code:
[root@galaxy root]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.208.124.1 0.0.0.0 255.255.255.255 UH 0 0 0 vlan1
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
10.208.125.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.208.124.1 0.0.0.0 UG 0 0 0 vlan1
Code:
root@dacha:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0
i.e. there are no routes. I can log in from one router to the other using its IP from 192.168.0.0/24, but I can't ping them from 10.0.0.0 and 10.0.1.0. The machines behind the routers, naturally, see nothing.
Where should I dig?
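An added example, not part of the post above: a small Python checker that takes the server config and the `route -n` output of both routers (transcribed from the post as constructed sample strings), lists the routes that the `route` and `push "route ..."` directives are supposed to install, and reports which of them are absent from each kernel routing table. It also flags `route` directives that carry no gateway while `dev tap` is in use: per the OpenVPN manual, a route without an explicit gateway falls back to `route-gateway`, or, in tun mode only, to the second `ifconfig` argument, so in tap mode there is nothing to fall back to unless `route-gateway` is set (or pushed to clients). The function names and the shape of the `check_site_to_site` report are my own.

```python
import ipaddress
import re
import shlex


def parse_ovpn(config_text):
    """Extract the directives that matter for site-to-site routing.
    `route` lines are installed on the host running this config; push "route ..."
    and push "route-gateway ..." are installed on connecting clients."""
    cfg = {'dev': None, 'route_gateway': None, 'routes': [],
           'pushed_route_gateway': None, 'pushed_routes': []}
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        pushed = tokens[0] == 'push' and len(tokens) > 1
        if pushed:
            tokens = tokens[1].split()           # contents of the quoted push string
        key = tokens[0]
        if key == 'dev' and not pushed:
            cfg['dev'] = tokens[1]
        elif key == 'route-gateway' and len(tokens) > 1:
            cfg['pushed_route_gateway' if pushed else 'route_gateway'] = tokens[1]
        elif key == 'route' and len(tokens) >= 3:
            net = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
            gw = tokens[3] if len(tokens) > 3 else None
            cfg['pushed_routes' if pushed else 'routes'].append((net, gw))
    return cfg


def parse_route_n(output):
    """Parse `route -n` output into a list of {net, gw, iface} dicts."""
    table = []
    for line in output.splitlines():
        p = line.split()
        if len(p) >= 8 and re.fullmatch(r'\d+(\.\d+){3}', p[0]):
            table.append({'net': ipaddress.ip_network(f"{p[0]}/{p[2]}", strict=False),
                          'gw': p[1], 'iface': p[7]})
    return table


def missing(expected, table):
    """Networks from the config that have no exact entry in the kernel table."""
    present = {r['net'] for r in table}
    return [str(net) for net, _gw in expected if net not in present]


def routes_lacking_gateway(cfg):
    """In tap mode OpenVPN derives no default gateway from `ifconfig` (its second
    argument is a netmask), so a `route` with neither an explicit gateway nor a
    `route-gateway` cannot be installed. Checks the server config only; a client
    could still supply its own local route-gateway."""
    if not (cfg['dev'] or '').startswith('tap'):
        return []
    out = []
    if cfg['route_gateway'] is None:
        out += [str(n) for n, gw in cfg['routes'] if gw is None]
    if cfg['pushed_route_gateway'] is None:
        out += [str(n) for n, gw in cfg['pushed_routes'] if gw is None]
    return out


def check_site_to_site(server_conf, server_route_n, client_route_n):
    cfg = parse_ovpn(server_conf)
    return {
        'server_missing': missing(cfg['routes'], parse_route_n(server_route_n)),
        'client_missing': missing(cfg['pushed_routes'], parse_route_n(client_route_n)),
        'routes_without_gateway': routes_lacking_gateway(cfg),
    }


# Constructed sample inputs, transcribed from the post (only routing-relevant lines).
SERVER_CONF = """\
dev tap0
mode server
proto tcp-server
port 443
ifconfig 192.168.0.1 255.255.255.0
ifconfig-pool 192.168.0.2 192.168.0.10
client-to-client
route 10.0.1.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
"""

SERVER_ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.208.124.1 0.0.0.0 255.255.255.255 UH 0 0 0 vlan1
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
0.0.0.0 10.208.124.1 0.0.0.0 UG 0 0 0 vlan1
"""

CLIENT_ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
0.0.0.0 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0
"""

if __name__ == '__main__':
    for k, v in check_site_to_site(SERVER_CONF, SERVER_ROUTE_N, CLIENT_ROUTE_N).items():
        print(f"{k}: {v}")
```

Run against the post's data the report shows 10.0.1.0/24 absent from the server table, 10.0.0.0/24 absent from the client table, and both `route` directives listed as having no usable gateway in tap mode; the same script can be re-run after each config change to confirm the routes actually land in the kernel tables.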