OpenVPN on AWS: unable to connect to the subnet

2

I set up an OpenVPN server on Ubuntu 16.04 on AWS. I can connect to it from my local machine, and I can then reach the OpenVPN server by its private IP. But I cannot connect to the other EC2s in the subnet.

Here is my configuration

server.conf

local ip-10-253-254-87
port 1194
proto udp
dev tun
ca ca.crt
cert myvpn.crt
key myvpn.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.253.0.0 255.255.0.0"
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

keepalive 60 3600
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 3

$ route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.253.254.1    0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.253.254.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

$ sysctl -p

net.ipv4.ip_forward = 1

Client connection log

Thu Oct 12 02:02:57 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Thu Oct 12 02:02:57 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Thu Oct 12 02:02:57 2017 WARNING: file 'rahul.key' is group or others accessible
Thu Oct 12 02:02:57 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Oct 12 02:02:57 2017 UDPv4 link local: [undef]
Thu Oct 12 02:02:57 2017 UDPv4 link remote: [AF_INET]52.221.18.132:1194
Thu Oct 12 02:02:57 2017 TLS: Initial packet from [AF_INET]52.221.18.132:1194, sid=93a5928a db252cae
Thu Oct 12 02:02:58 2017 VERIFY OK: depth=1, C=SG, ST=SG, L=Singapore, O=XXXXXX, OU=XXXXXXDataEng, CN=XXXXXX CA, name=XXXXXXStatsVpn, [email protected]
Thu Oct 12 02:02:58 2017 Validating certificate key usage
Thu Oct 12 02:02:58 2017 ++ Certificate has key usage  00a0, expects 00a0
Thu Oct 12 02:02:58 2017 VERIFY KU OK
Thu Oct 12 02:02:58 2017 Validating certificate extended key usage
Thu Oct 12 02:02:58 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Oct 12 02:02:58 2017 VERIFY EKU OK
Thu Oct 12 02:02:58 2017 VERIFY OK: depth=0, C=SG, ST=SG, L=Singapore, O=XXXXXX, OU=XXXXXXDataEng, CN=XXXXXXstatsvpn, name=XXXXXXStatsVpn, [email protected]
Thu Oct 12 02:02:58 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 12 02:02:58 2017 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Thu Oct 12 02:02:58 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 12 02:02:58 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 12 02:02:58 2017 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Thu Oct 12 02:02:58 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 12 02:02:58 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Oct 12 02:02:58 2017 [XXXXXXstatsvpn] Peer Connection Initiated with [AF_INET]52.221.18.132:1194
Thu Oct 12 02:03:00 2017 SENT CONTROL [XXXXXXstatsvpn]: 'PUSH_REQUEST' (status=1)
Thu Oct 12 02:03:00 2017 PUSH: Received control message: 'PUSH_REPLY,route 10.253.0.0 255.255.0.0,route 10.8.0.1,topology net30,ping 60,ping-restart 3600,ifconfig 10.8.0.6 10.8.0.5'
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: route options modified
Thu Oct 12 02:03:00 2017 ROUTE_GATEWAY 192.168.31.1/255.255.255.0 IFACE=wlp3s0 HWADDR=b4:6d:83:ce:88:12
Thu Oct 12 02:03:00 2017 TUN/TAP device tun0 opened
Thu Oct 12 02:03:00 2017 TUN/TAP TX queue length set to 100
Thu Oct 12 02:03:00 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 12 02:03:00 2017 /sbin/ip link set dev tun0 up mtu 1500
Thu Oct 12 02:03:00 2017 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Thu Oct 12 02:03:00 2017 /sbin/ip route add 10.253.0.0/16 via 10.8.0.5
Thu Oct 12 02:03:00 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Thu Oct 12 02:03:00 2017 Initialization Sequence Completed

Client routing table

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.31.1    0.0.0.0         UG    600    0        0 wlp3s0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.253.0.0      10.8.0.5        255.255.0.0     UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 docker0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.31.0    0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0

Successful ping to the OpenVPN server by its private IP

$ ping 10.253.254.87
PING 10.253.254.87 (10.253.254.87) 56(84) bytes of data.
64 bytes from 10.253.254.87: icmp_seq=1 ttl=64 time=70.3 ms
64 bytes from 10.253.254.87: icmp_seq=2 ttl=64 time=70.4 ms

Problem: cannot ping any other machine in the subnet

$ ping 10.253.2.139
PING 10.253.2.139 (10.253.2.139) 56(84) bytes of data. 

Route configured in the route table (AWS)

10.8.0.0/24     eni-47050xxx / i-0ec7207caba88xxx     Active     No
    
by Rahul Shukla 11.10.2017 / 22:45

1 answer

0

You should try disabling "Source/Destination Check" for your OpenVPN instance, as per the Amazon docs

    
by 04.06.2018 / 12:01
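As an added example that is not part of the question or the answer above: a small POSIX shell script that reads the instance's source/destination check through the AWS CLI (assumed to be installed and configured with ec2:DescribeInstanceAttribute and ec2:ModifyInstanceAttribute permission) and offers the two usual fixes, disabling the check as the answer recommends, or SNAT on the OpenVPN server so that the other EC2 hosts only ever see the server's own private IP. The instance id is supplied by you; the subnet 10.8.0.0/24 and interface eth0 come from the posted configuration.

```shell
#!/bin/sh
# Added example (not from the original post). Diagnose why VPN clients can reach the
# OpenVPN server but no other host in the VPC: the ENI drops forwarded packets whose
# source is not its own address while "source/destination check" is enabled.
set -eu

# Pure text check on the JSON printed by
#   aws ec2 describe-instance-attribute --attribute sourceDestCheck
# Returns 0 when the check is ON (the problem state), 1 when it is already OFF.
source_dest_check_enabled() {
    # $1 = JSON text of the form {"SourceDestCheck": {"Value": true|false}, ...}
    printf '%s' "$1" | tr -d ' \n' | grep -q '"SourceDestCheck":{"Value":true}'
}

# Alternative fix kept on the OpenVPN server itself: SNAT traffic from the VPN subnet
# to the server's eth0 address. Replies then return to the server's own ENI address,
# so neither the VPC route for 10.8.0.0/24 nor a disabled check is needed.
masquerade_rule() {
    # $1 = VPN subnet from the "server" directive, $2 = egress interface
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# The fix from the accepted answer, done with the AWS CLI instead of the console.
disable_source_dest_check() {
    # $1 = instance id of the OpenVPN server
    aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

main() {
    instance_id="${1:?usage: $0 <instance-id> [apply]}"
    json=$(aws ec2 describe-instance-attribute --instance-id "$instance_id" \
               --attribute sourceDestCheck)
    if source_dest_check_enabled "$json"; then
        echo "Source/destination check is ON: forwarded packets from 10.8.0.0/24 are dropped by the ENI."
        if [ "${2:-}" = "apply" ]; then
            disable_source_dest_check "$instance_id"
        else
            echo "Alternative that leaves the instance attribute alone (run on the server):"
            masquerade_rule 10.8.0.0/24 eth0
        fi
    else
        echo "Check already OFF; verify the target EC2 security groups allow traffic from the VPN source next."
    fi
}

# Only run main when given an argument, so the file can also be sourced for testing.
if [ $# -gt 0 ]; then main "$@"; fi
```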
