Não é possível acessar a rede conectada ao servidor OpenVPN

1

O servidor VPN (Linux) está atrás de um roteador. Quero me conectar de uma rede externa ao meu servidor VPN e acessar dispositivos na rede local do servidor (e no próprio servidor).

O intervalo de endereços da rede local é 192.168.178.0/24

Encaminhei algumas portas para o meu servidor VPN também: 1194, 80, 21, 443, 1723

Eu eliminei informações anteriores porque o limite de corpo foi atingido !!

EDIT 4: Lista completa das configurações atuais: Esta é a configuração do meu servidor:

port 1194  
proto udp  
dev tap  
ca /etc/openvpn/easy-rsa/keys/ca.crt  
cert /etc/openvpn/easy-rsa/keys/VPNServer.crt  
key /etc/openvpn/easy-rsa/keys/VPNServer.key  
dh /etc/openvpn/easy-rsa/keys/dh1024.pem  
server-bridge 192.168.178.1 255.255.255.0 192.168.178.111 192.168.178.120
push "route-gateway 192.168.178.0 255.255.255.0" 
push "redirect-gateway def1 bypass-dhcp" 
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 192.168.178.1"
client-to-client  
duplicate-cn  
keepalive 10 120  
comp-lzo  
persist-key  
persist-tun  
status openvpn-status.log  
log         openvpn.log  
log-append  openvpn.log  
verb 3  

A configuração do meu cliente é assim.

port 1194
client  
dev tap  
proto udp  
remote mydyndns
resolv-retry infinite  
nobind  
persist-key  
persist-tun  
ca ca.crt  
cert client.crt    
key client.key
ns-cert-type server  
comp-lzo  
verb 3  

Minha configuração de interface para o servidor é assim:

auto lo
iface lo inet loopback

allow-hotplug eth0

auto br0
iface br0 inet static
address 192.168.178.123
netmask 255.255.255.0
gateway 192.168.178.1
bridge_ports eth0
dns-nameservers 192.168.178.1

iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

E meu rc.local

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE

E minha saída sysctl net.ipv4.ip_forward é net.ipv4.ip_forward = 1

A saída do meu registro de cliente é a seguinte:

Fri Sep 12 13:03:58 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  7 2014
Fri Sep 12 13:03:58 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Fri Sep 12 13:03:58 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Sep 12 13:03:58 2014 Need hold release from management interface, waiting...
Fri Sep 12 13:03:59 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'state on'
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'log all on'
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'hold off'
Fri Sep 12 13:03:59 2014 MANAGEMENT: CMD 'hold release'
Fri Sep 12 13:03:59 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Sep 12 13:03:59 2014 MANAGEMENT: >STATE:1410519839,RESOLVE,,,
Fri Sep 12 13:04:00 2014 UDPv4 link local: [undef]
Fri Sep 12 13:04:00 2014 UDPv4 link remote: [AF_INET]86.103.178.165:1194
Fri Sep 12 13:04:00 2014 MANAGEMENT: >STATE:1410519840,WAIT,,,
Fri Sep 12 13:04:00 2014 MANAGEMENT: >STATE:1410519840,AUTH,,,
Fri Sep 12 13:04:00 2014 TLS: Initial packet from [AF_INET]86.103.178.165:1194, sid=bebc894c 68e04336
Fri Sep 12 13:04:02 2014 VERIFY OK: depth=1, C=DE, ST=SH, L=Kiel, OU=changeme, CN=j0chn.spdns.de, name=changeme, [email protected]
Fri Sep 12 13:04:02 2014 VERIFY OK: nsCertType=SERVER
Fri Sep 12 13:04:02 2014 VERIFY OK: depth=0, C=DE, ST=SH, L=Kiel, OU=changeme, CN=j0chn.spdns.de, name=changeme, [email protected]
Fri Sep 12 13:04:05 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 13:04:05 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 13:04:05 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 13:04:05 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 13:04:05 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 12 13:04:05 2014 [j0chn.spdns.de] Peer Connection Initiated with [AF_INET]86.103.178.165:1194
Fri Sep 12 13:04:06 2014 MANAGEMENT: >STATE:1410519846,GET_CONFIG,,,
Fri Sep 12 13:04:08 2014 SENT CONTROL [j0chn.spdns.de]: 'PUSH_REQUEST' (status=1)
Fri Sep 12 13:04:08 2014 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.178.1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 192.168.178.1,route-gateway 192.168.178.1,ping 10,ping-restart 120,ifconfig 192.168.178.112 255.255.255.0'
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: timers and/or timeouts modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: --ifconfig/up options modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: route options modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: route-related options modified
Fri Sep 12 13:04:08 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Sep 12 13:04:08 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Sep 12 13:04:08 2014 MANAGEMENT: >STATE:1410519848,ASSIGN_IP,,192.168.178.112,
Fri Sep 12 13:04:08 2014 open_tun, tt->ipv6=0
Fri Sep 12 13:04:08 2014 TAP-WIN32 device [Ethernet 2] opened: \.\Global\{4DD19686-B673-493E-99DB-23F3D1AF7239}.tap
Fri Sep 12 13:04:08 2014 TAP-Windows Driver Version 9.21 
Fri Sep 12 13:04:08 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.178.112/255.255.255.0 on interface {4DD19686-B673-493E-99DB-23F3D1AF7239} [DHCP-serv: 192.168.178.0, lease-time: 31536000]
Fri Sep 12 13:04:08 2014 Successful ARP Flush on interface [25] {4DD19686-B673-493E-99DB-23F3D1AF7239}
Fri Sep 12 13:04:13 2014 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 86.103.178.165 MASK 255.255.255.255 192.168.42.129
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 192.168.42.129 MASK 255.255.255.255 192.168.42.129 IF 24
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.178.1
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and     dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.178.1
Fri Sep 12 13:04:13 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri Sep 12 13:04:13 2014 Route addition via IPAPI succeeded [adaptive]
Fri Sep 12 13:04:13 2014 Initialization Sequence Completed
Fri Sep 12 13:04:13 2014 MANAGEMENT: >STATE:1410519853,CONNECTED,SUCCESS,192.168.178.112,86.103.178.165

Editar 5: O novo log do servidor.

Fri Sep 12 17:15:07 2014 MULTI: multi_create_instance called
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Re-using SSL/TLS context
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 LZO compression initialized
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Local Options hash (VER=V4): 'f7df56b8'
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 Expected Remote Options hash (VER=V4): 'd79ca330'
Fri Sep 12 17:15:07 2014 109.47.193.65:62284 TLS: Initial packet from [AF_INET]109.47.193.65:62284, sid=c07bdc21 48d01394
Fri Sep 12 17:15:08 2014 109.47.193.65:62284 VERIFY OK: depth=1, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chn.spdns.de/name=changeme/ema$
Fri Sep 12 17:15:08 2014 109.47.193.65:62284 VERIFY OK: depth=0, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chns/name=changeme/emailAddres$
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 12 17:15:09 2014 109.47.193.65:62284 [j0chns] Peer Connection Initiated with [AF_INET]109.47.193.65:62284
Fri Sep 12 17:15:09 2014 j0chns/109.47.193.65:62284 MULTI_sva: pool returned IPv4=192.168.178.111, IPv6=bccd:800:8ced:200:14c2:700:$
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 send_push_reply(): safe_cap=960
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 SENT CONTROL [j0chns]: 'PUSH_REPLY,route-gateway 192.168.178.1,redirect-gateway$
Fri Sep 12 17:15:11 2014 j0chns/109.47.193.65:62284 MULTI: Learn: 00:ff:4d:d1:96:86 -> j0chns/109.47.193.65:62284
Fri Sep 12 17:18:14 2014 MULTI: multi_create_instance called
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Re-using SSL/TLS context
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 LZO compression initialized
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Local Options hash (VER=V4): 'f7df56b8'
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Expected Remote Options hash (VER=V4): 'd79ca330'
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 TLS: Initial packet from [AF_INET]86.103.178.165:57350, sid=25abeaaa 58473451
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 VERIFY OK: depth=1, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chn.spdns.de/name=changeme/em$
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 VERIFY OK: depth=0, /C=DE/ST=SH/L=Kiel/OU=changeme/CN=j0chns/name=changeme/emailAddre$
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 12 17:18:14 2014 86.103.178.165:57350 [j0chns] Peer Connection Initiated with [AF_INET]86.103.178.165:57350
Fri Sep 12 17:18:14 2014 j0chns/86.103.178.165:57350 MULTI_sva: pool returned IPv4=192.168.178.112, IPv6=bccd:800:8ced:200:14c2:700$
Fri Sep 12 17:18:17 2014 j0chns/86.103.178.165:57350 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 12 17:18:17 2014 j0chns/86.103.178.165:57350 send_push_reply(): safe_cap=960
Fri Sep 12 17:18:17 2014 j0chns/86.103.178.165:57350 SENT CONTROL [j0chns]: 'PUSH_REPLY,route-gateway 192.168.178.1,redirect-gatewa$
Fri Sep 12 17:18:18 2014 j0chns/86.103.178.165:57350 MULTI: Learn: 00:ff:4d:d1:96:86 -> j0chns/86.103.178.165:57350

e outra edição:
Eu aumentei o nível de verbosidade de 3 para 9 e obtive novas informações:

Sat Sep 13 17:36:11 2014 us=76111 TLS State Error: No TLS state for client  [AF_INET]86.103.202.242:55140, opcode=6
Sat Sep 13 17:36:11 2014 us=76308 GET INST BY REAL: 86.103.202.242:55140 [failed]  

Talvez isso possa ajudar!?

    
por j0chn 09.09.2014 / 21:27

1 resposta

0

Seu arquivo de cliente está faltando o endereço IP do servidor remoto e a indicação da porta na qual entrar em contato com o próprio servidor. Em outras palavras, você está faltando:

 port 1194
 remote IP.ADDRESS.OF.SERVER

Além disso, não entendo por que você está usando a sub-rede 10.8.0.0/24 para seus clientes. Você já escolheu uma interface tap para um OpenVPN em ponte (boa escolha, torna o acesso a todos os PCs na LAN muito mais fácil, sem custo adicional), portanto não há razão para usar uma sub-rede distinta. Seu arquivo do servidor deve conter as instruções

 server-bridge 192.168.178.1 255.255.255.0 192.168.178.111 192.168.178.120
 push "route-gateway 192.168.178.1"
 push "redirect-gateway def1 bypass-dhcp"
 push "dhcp-option DNS 192.168.178.1"
 push "dhcp-option DNS 208.67.222.222"

A primeira instrução instrui o servidor a desenhar endereços IP para clientes remotos no pool 192.168.178. (111-120). Apenas certifique-se de que o servidor DHCP em sua LAN não esteja tentando usar esses endereços, e nesse caso você terá que escolher um pool diferente para o pool OpenVPN. As outras declarações são óbvias.

Por último, não deve haver necessidade de definir rotas separadas, além das declarações acima.

EDITAR:

você precisa alterar o iptables e fazer uma ponte no servidor.

  1. Altere seu arquivo / etc / netorking / interfaces para ficar assim:

    auto lo  iface lo inet loopback

    auto br0  iface br0 inet estática     endereço 192.168.178.123     netmask 255.255.255.0     gateway 192.168.178.1     bridge_ports eth0     dns-nameservers 192.168.178.1

    iface eth0 inet manual     up ifconfig $ IFACE 0.0.0.0 up     conjunto de links ip $ IFACE promisc on     baixo conjunto de ligação ip $ IFACE promisc off     para baixo ifconfig $ IFACE para baixo

Reinicialize o servidor para que isso entre em vigor. Verifique se o servidor está conectado corretamente à internet. Em seguida, altere as regras do iptables da seguinte forma:

 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT  
 iptables -t nat –A POSTROUTING -o br0 -j MASQUERADE

Inicie o servidor OpenVPN e adicione a interface tap0 à ponte,

 sudo brctl addif br0 tap0

Agora tente conectar-se a partir do cliente.

EDIT 2:

Esta regra do iptables

 iptables -t nat -A POSTROUTING -j MASQUERADE

deve ser

 iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE

Além disso, use tap0 em vez de tocar no arquivo conf do servidor. Reinicie e me avise, pls.

    
por 10.09.2014 / 16:19