OpenWRT: encaminhar tráfego para o espaço de endereços IP não privados por meio de VPN

Question

OpenWRT: encaminhar tráfego para o espaço de endereços IP não privados por meio de VPN

#1 resposta do (1 votos)
#2 resposta do (1 votos)

4

Estou executando um roteador OpenWRT que estabelece uma conexão VPN via OpenVPN e roteia todo o tráfego pela VPN. O roteador OpenWRT está atrás de outro roteador, que estabelece a conexão com a Internet. Isso tudo funciona bem, mas agora eu gosto de acessar outros dispositivos na rede privada, mas não conectado ao roteador OpenWRT.

A configuração de rede é assim:

Um roteador de internet que estabelece conexão com a Internet e fornece uma rede em 192.168.178.0/24. O endereço IP é 192.168.178.1.
Um roteador vpn executando o OpenWRT que é conectado via cabo lan com roteador de internet. Está fornecendo uma rede em 192.168.1.0/24. O endereço IP é 192.168.1.1. Ele estabelece uma conexão VPN com um servidor na Internet e direciona todo o tráfego de sua rede privada (192.168.1.0/24) por meio de VPN.

O objetivo:

Um dispositivo conectado ao roteador vpn deve ter acesso a um dispositivo na rede do roteador da internet. Por exemplo, uma impressora de rede conectada via lan ao roteador de internet com o endereço ip 192.168.178.2 deve ser utilizável de um dispositivo conectado ao roteador vpn com o endereço IP 192.168.1.2.

Eu configurei o roteador OpenWRT com UCI (interface de configuração unificada). A configuração parece com a seguinte:

/ etc / config / network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd6a:fb7c:0d05::/48'

config interface 'lan'
    option ifname 'eth0.1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option macaddr 'f8:1a:67:5a:a6:22'

config interface 'wan'
    option ifname 'eth0.2'
    option macaddr 'f8:1a:67:5a:a6:25'
    option netmask '255.255.255.0'
    option proto 'dhcp'
    option type 'bridge'

config interface 'wan6'
    option ifname '@wan'
    option proto 'dhcpv6'

config interface 'IPredator'
    option ifname 'tun1337'
    option proto 'none'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 2 3 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 1'

/ etc / config / firewall

config defaults
    option syn_flood    1
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT
# Uncomment this line to disable ipv6 rules
#   option disable_ipv6 1

config zone
    option name     lan
    list   network      'lan'
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name     wan
    list   network      'wan'
    list   network      'wan6'
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name         ipr
    option input        REJECT
    option output       ACCEPT
    option forward      REJECT
    option masq     1
    option mtu_fix      1
    list   network      'IPredator'

config forwarding
    option src      lan
    option dest     ipr

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name     Allow-DHCP-Renew
    option src      wan
    option proto        udp
    option dest_port    68
    option target       ACCEPT
    option family       ipv4

# Allow IPv4 ping
config rule
    option name     Allow-Ping
    option src      wan
    option proto        icmp
    option icmp_type    echo-request
    option family       ipv4
    option target       ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
    option name     Allow-DHCPv6
    option src      wan
    option proto        udp
    option src_ip       fe80::/10
    option src_port     547
    option dest_ip      fe80::/10
    option dest_port    546
    option family       ipv6
    option target       ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name     Allow-ICMPv6-Input
    option src      wan
    option proto    icmp
    list icmp_type      echo-request
    list icmp_type      echo-reply
    list icmp_type      destination-unreachable
    list icmp_type      packet-too-big
    list icmp_type      time-exceeded
    list icmp_type      bad-header
    list icmp_type      unknown-header-type
    list icmp_type      router-solicitation
    list icmp_type      neighbour-solicitation
    list icmp_type      router-advertisement
    list icmp_type      neighbour-advertisement
    option limit        1000/sec
    option family       ipv6
    option target       ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name     Allow-ICMPv6-Forward
    option src      wan
    option dest     *
    option proto        icmp
    list icmp_type      echo-request
    list icmp_type      echo-reply
    list icmp_type      destination-unreachable
    list icmp_type      packet-too-big
    list icmp_type      time-exceeded
    list icmp_type      bad-header
    list icmp_type      unknown-header-type
    option limit        1000/sec

    option family       ipv6
    option target       ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user

** ifconfig -a **

root@OpenWrt:~# ifconfig -a
br-lan    Link encap:Ethernet  HWaddr F8:1A:67:5A:A6:22  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::fa1a:67ff:fe5a:a622/64 Scope:Link
          inet6 addr: fd6a:fb7c:d05::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:93532 errors:0 dropped:0 overruns:0 frame:0
          TX packets:115912 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:56145012 (53.5 MiB)  TX bytes:123691502 (117.9 MiB)

br-wan    Link encap:Ethernet  HWaddr F8:1A:67:5A:A6:25  
          inet addr:192.168.178.20  Bcast:192.168.178.255  Mask:255.255.255.0
          inet6 addr: fe80::fa1a:67ff:fe5a:a625/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:115908 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92434 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:130982133 (124.9 MiB)  TX bytes:16794507 (16.0 MiB)

eth0      Link encap:Ethernet  HWaddr 00:04:9F:EF:01:01  
          inet6 addr: fe80::204:9fff:feef:101/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:205419 errors:0 dropped:0 overruns:0 frame:0
          TX packets:203843 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:192549225 (183.6 MiB)  TX bytes:137710000 (131.3 MiB)
          Base address:0x4000 

eth0.1    Link encap:Ethernet  HWaddr 00:04:9F:EF:01:01  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:89286 errors:0 dropped:0 overruns:0 frame:0
          TX packets:111404 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:55392304 (52.8 MiB)  TX bytes:120099623 (114.5 MiB)

eth0.2    Link encap:Ethernet  HWaddr 00:04:9F:EF:01:01  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:115908 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92434 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:130982133 (124.9 MiB)  TX bytes:16794507 (16.0 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2232 (2.1 KiB)  TX bytes:2232 (2.1 KiB)

tun1337   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:46.246.43.203  P-t-P:46.246.43.203  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:114743 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91993 errors:0 dropped:351 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:121822466 (116.1 MiB)  TX bytes:55995093 (53.4 MiB)

wlan0     Link encap:Ethernet  HWaddr F8:1A:67:5A:A6:24  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:122 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:22643 (22.1 KiB)

wlan1     Link encap:Ethernet  HWaddr F8:1A:67:5A:A6:23  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4244 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4750 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:812112 (793.0 KiB)  TX bytes:3727774 (3.5 MiB)

route

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         anon-43-1.vpn.i 128.0.0.0       UG    0      0        0 tun1337
default         192.168.178.1   0.0.0.0         UG    0      0        0 br-wan
46.246.43.0     *               255.255.255.0   U     0      0        0 tun1337
46.246.43.130   192.168.178.1   255.255.255.255 UGH   0      0        0 br-wan
128.0.0.0       anon-43-1.vpn.i 128.0.0.0       UG    0      0        0 tun1337
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.178.0   *               255.255.255.0   U     0      0        0 br-wan

iptables -L

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  403  172K delegate_input  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  358  169K delegate_forward  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  317 84722 delegate_output  all  --  any    any     anywhere             anywhere            

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  358  169K forwarding_rule  all  --  any    any     anywhere             anywhere             /* user chain for forwarding */
  340  167K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   18  2048 zone_lan_forward  all  --  br-lan any     anywhere             anywhere            
    0     0 zone_wan_forward  all  --  br-wan any     anywhere             anywhere            
    0     0 zone_ipr_forward  all  --  tun1337 any     anywhere             anywhere            
    0     0 reject     all  --  any    any     anywhere             anywhere            

Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
  403  172K input_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
  145 13909 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    5   268 syn_flood  tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
   11   766 zone_lan_input  all  --  br-lan any     anywhere             anywhere            
  243  157K zone_wan_input  all  --  br-wan any     anywhere             anywhere            
    4   208 zone_ipr_input  all  --  tun1337 any     anywhere             anywhere            

Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere            
  317 84722 output_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */
  129 27577 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 zone_lan_output  all  --  any    br-lan  anywhere             anywhere            
  186 56993 zone_wan_output  all  --  any    br-wan  anywhere             anywhere            
    2   152 zone_ipr_output  all  --  any    tun1337  anywhere             anywhere            

Chain forwarding_ipr_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_ipr_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_ipr_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   208 REJECT     tcp  --  any    any     anywhere             anywhere             reject-with tcp-reset
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   268 RETURN     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain zone_ipr_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   20  2200 ACCEPT     all  --  any    tun1337  anywhere             anywhere            

Chain zone_ipr_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_ipr_rule  all  --  any    any     anywhere             anywhere             /* user chain for forwarding */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port forwards */
    0     0 zone_ipr_src_REJECT  all  --  any    any     anywhere             anywhere            

Chain zone_ipr_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   208 input_ipr_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port redirections */
    4   208 zone_ipr_src_REJECT  all  --  any    any     anywhere             anywhere            

Chain zone_ipr_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   152 output_ipr_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */
    2   152 zone_ipr_dest_ACCEPT  all  --  any    any     anywhere             anywhere            

Chain zone_ipr_src_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   208 reject     all  --  tun1337 any     anywhere             anywhere            

Chain zone_lan_dest_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    br-lan  anywhere             anywhere            

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination       
 pkts bytes target     prot opt in     out     source               destination         
   18  2048 forwarding_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for forwarding */
   18  2048 zone_ipr_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* forwarding lan -> ipr */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_src_REJECT  all  --  any    any     anywhere             anywhere            

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   11   766 input_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port redirections */
   11   766 zone_lan_src_ACCEPT  all  --  any    any     anywhere             anywhere            

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere            

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   11   766 ACCEPT     all  --  br-lan any     anywhere             anywhere            

Chain zone_lan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  br-lan any     anywhere             anywhere            

Chain zone_wan_dest_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  186 56993 ACCEPT     all  --  any    br-wan  anywhere             anywhere            

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for forwarding */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere            

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  243  157K input_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request /* Allow-Ping */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port redirections */
  243  157K zone_wan_src_ACCEPT  all  --  any    any     anywhere             anywhere            

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  186 56993 output_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */
  186 56993 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere            

Chain zone_wan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  243  157K ACCEPT     all  --  br-wan any     anywhere             anywhere            

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  br-wan any     anywhere             anywhere

Não estou tão acostumado com a configuração de rede. Então eu realmente aprecio sua ajuda.

networking openvpn routing openwrt

por jelhan 22.02.2014 / 14:08

2 respostas

1

Tudo o que você precisa fazer é adicionar a rota seguinte à tabela de roteamento do OpenWRT,

  ip ro add 192.168.78.0/24 via 192.168.78.1 dev your_WAN_interface

onde your_WAN_interface significa NIC da interface WAN do roteador OpenWRT. Também você irá seguir a regra do iptables:

  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.78.0/24 -j MASQUERADE

por 23.02.2014 / 15:01

Tags networking openvpn routing openwrt

Como abrir arquivos com dois-pontos em seus nomes no Windows? Estranho erro temporário "Acesso negado" ao acessar arquivos criptografados

score 1 · Accepted Answer

Primeiro, embora eu não esteja familiarizado com a UCI, o OpenWrt Wiki informa me pode acomodar regras iptables manuais usando um arquivo externo. Você já definiu um: '/etc/firewall.user', então a solução que você mencionou em seu comentário ainda pode ser viável.

Suas rotas permitem que a sub-rede 192.168.178.0/24 seja acessada bem, assumindo que a interface que seu roteador usa para isso é na verdade 'br-wan' e você não conseguiu copiar o último caractere para sua pergunta. Parece ser um problema de firewall.

A saída de iptables -L mostra algo peculiar. As regras que permitem o tráfego da LAN para a VPN são:

Chain FORWARD (policy DROP)
delegate_forward  all  --  anywhere             anywhere   

Chain delegate_forward (1 references)
zone_lan_forward  all  --  anywhere             anywhere     

Chain zone_lan_forward (1 references)
zone_ipr_dest_ACCEPT  all  --  anywhere             anywhere             /* forwarding lan -> ipr */

Chain zone_ipr_dest_ACCEPT (2 references)
ACCEPT     all  --  anywhere             anywhere

O sinalizador '--verbose' deve ter certeza, mas com base nos comentários e nomes dessas cadeias, parece que essas regras se aplicam apenas ao tráfego encaminhado para a interface 'tun1337'. Seu iptables não tem regras equivalentes para 'br-wan'. O tráfego encaminhado para a sub-rede do roteador da Internet é eventualmente rejeitado.

Para fazer isso sem adicionar regras manualmente, acrescente as seguintes linhas ao '/ etc / config / firewall':

config forwarding
    option src      lan
    option dest     wan

O tráfego por trás do roteador OpenWrt deve agora chegar à sub-rede 192.168.178.0/24, mas não haverá resposta; as máquinas atrás do roteador de internet não sabem rotear pacotes com um destino no intervalo 192.168.1.0/24. A maneira mais fácil de resolver esse problema é fazer com que o roteador OpenWrt realize NAT. Usando o iptables:

iptables -t nat -A POSTROUTING -i br-lan -i br-wan -j MASQUERADE

Meu palpite seria uma regra semelhante criada automaticamente inserindo a linha option masq 1 na configuração da zona wan em '/ etc / config / firewall'.

Existem algumas desvantagens em usar o NAT. Todo o tráfego encaminhado dessa forma aparecerá para as máquinas que estão atrás do roteador da Internet para ter 192.168.178.20 como fonte. Além disso, você precisará configurar a porta para iniciar conexões a partir do lado da WAN do roteador OpenWrt.

Evitar o NAT exigirá mais alterações no firewall e na tabela de roteamento no roteador da Internet. Você precisaria adicionar a rota '192.168.1.0/24 via 192.168.178.20'. Se o roteador não permitir que a tabela de roteamento seja configurada manualmente, você deverá adicioná-los às máquinas na sub-rede 192.168.178.0/24 individualmente. Além disso, as linhas a seguir teriam que ser anexadas ao '/ etc / config / firewall' no roteador OpenWrt:

config forwarding
    option src      wan
    option dest     lan