OpenVPN connecting, but not working

0

I have a working OpenVPN configuration that I copied from one machine to another (of course the original machine is SWITCHED OFF). The client connects to the server (the server has not been changed), sets up the IP and the routing, but nothing works.

Server LAN 192.168.123.0

Client LAN 192.168.1.0

OpenVPN client IP 192.168.123.253

openvpn /etc/openvpn/client.conf 
Tue Nov  8 09:50:53 2016 OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 17 2016
Tue Nov  8 09:50:53 2016 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
Tue Nov  8 09:50:53 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Nov  8 09:50:53 2016 Control Channel Authentication: using '/etc/openvpn/client/ta.key' as a OpenVPN static key file
Tue Nov  8 09:50:53 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov  8 09:50:53 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov  8 09:50:54 2016 Attempting to establish TCP connection with [AF_INET]XXX:XX940 [nonblock]
Tue Nov  8 09:50:55 2016 TCP connection established with [AF_INET]XXX:XX940
Tue Nov  8 09:50:55 2016 TCPv4_CLIENT link local: [undef]
Tue Nov  8 09:50:55 2016 TCPv4_CLIENT link remote: [AF_INET]XXX:XXXXX940
Tue Nov  8 09:50:55 2016 VERIFY OK: depth=1, C=DE, ST=Bayern, L=Munich, O=nothing, OU=private, CN=private, name=private, emailAddress=XXXX
Tue Nov  8 09:50:55 2016 VERIFY OK: depth=0, C=DE, ST=Bayern, L=Munich, O=nothing, OU=private, CN=server, name=private, emailAddress=XXX
Tue Nov  8 09:50:55 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov  8 09:50:55 2016 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Tue Nov  8 09:50:55 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov  8 09:50:55 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov  8 09:50:55 2016 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Tue Nov  8 09:50:55 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov  8 09:50:55 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Tue Nov  8 09:50:55 2016 [server] Peer Connection Initiated with [AF_INET]84.56.32.58:11940
Tue Nov  8 09:50:57 2016 TUN/TAP device tap0 opened
Tue Nov  8 09:50:57 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Nov  8 09:50:57 2016 /bin/ip link set dev tap0 up mtu 1500
Tue Nov  8 09:50:57 2016 /bin/ip addr add dev tap0 192.168.123.253/24 broadcast 192.168.123.255
Tue Nov  8 09:50:57 2016 Initialization Sequence Completed

Also on the client, the IP is configured correctly and is pingable

ifconfig
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
    inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
    inet6 fe80::c43:1ff:fea0:26de  prefixlen 64  scopeid 0x20<link>
    ether 0e:43:01:a0:26:de  txqueuelen 1000  (Ethernet)
    RX packets 107244  bytes 65503139 (62.4 MiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 7740  bytes 2854919 (2.7 MiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet6 fe80::325a:3aff:fe0d:49e1  prefixlen 64  scopeid 0x20<link>
    ether 30:5a:3a:0d:49:e1  txqueuelen 1000  (Ethernet)
    RX packets 45013  bytes 7253888 (6.9 MiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 69966  bytes 62536816 (59.6 MiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
    inet 127.0.0.1  netmask 255.0.0.0
    inet6 ::1  prefixlen 128  scopeid 0x10<host>
    loop  txqueuelen 1  (Lokale Schleife)
    RX packets 1737  bytes 155991 (152.3 KiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 1737  bytes 155991 (152.3 KiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 192.168.123.253  netmask 255.255.255.0  broadcast 192.168.123.255
    inet6 fe80::30ff:6bff:fe1f:8503  prefixlen 64  scopeid 0x20<link>
    ether 32:ff:6b:1f:85:03  txqueuelen 100  (Ethernet)
    RX packets 1060  bytes 51338 (50.1 KiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 377  bytes 39122 (38.2 KiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

~ # route
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         wan.localnet      0.0.0.0         UG    13     0        0 br0
loopback        0.0.0.0         255.0.0.0       U     0      0        0 lo
loopback        localhost       255.0.0.0       UG    0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0

 ~ # ping 192.168.123.253
PING 192.168.123.253 (192.168.123.253) 56(84) bytes of data.
64 bytes from 192.168.123.253: icmp_seq=1 ttl=64 time=0.245 ms
--- 192.168.123.253 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

 ~ # ping 192.168.123.150
PING 192.168.123.150 (192.168.123.150) 56(84) bytes of data.
--- 192.168.123.150 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1074ms

Now, my problem is that everything works fine if I try this configuration on machine A, but not on machine B. The only difference in the network configuration is that on machine B the tap0 interface is already up from the network scripts (this machine also hosts 3 VMs that use the bridge).

by Sebastian Heyn 08.11.2016 / 10:05

1 answer

0

In the client configuration file on machine B, change this statement

dev tap0

to

dev tap1

and restart OpenVPN. Also, remember that if you do not tell your hypervisor to use the OpenVPN virtual interface (tap1), your VMs will not be routed through OpenVPN. I don't know exactly what you want ...

by 08.11.2016 / 10:33
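The answer hinges on a name clash: the `dev tap0` directive points at a device the network scripts already created for the bridge, so OpenVPN reuses it instead of creating its own. The following shell script is an added example, not part of the original thread or of OpenVPN itself: it reads the `dev` directive from a client config and checks it against the host's link list before OpenVPN is started. The config file and the `ip -o link show` output it works on are constructed sample data standing in for machine B; in real use the second argument is the live output of `ip -o link show`.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether the tap device named
# by the "dev" directive of an OpenVPN client config already exists on the host,
# e.g. because network scripts created it for a bridge, before OpenVPN opens it.
# Assumptions: $1 is a config file path, $2 is the text of `ip -o link show`
# (passed in as a string so the check can also run offline on constructed data).

# Print the interface name from the first "dev" directive of an OpenVPN config.
ovpn_dev_name() {
    awk '$1 == "dev" { print $2; exit }' "$1"
}

# Return 0 if interface $1 appears in the `ip -o link show` text in $2, else 1.
# Field 2 of each line is "name:" (or "name@ifN:"), so strip from ":" or "@" on.
iface_exists() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { name = $2; sub(/[:@].*/, "", name); if (name == want) found = 1 }
        END { exit !found }'
}

# Print "conflict" and return 1 when the config's tap device is already present,
# print "free" and return 0 otherwise, return 2 when the config has no dev line.
check_tap_conflict() {
    dev=$(ovpn_dev_name "$1")
    [ -n "$dev" ] || { echo "no dev directive in $1" >&2; return 2; }
    if iface_exists "$dev" "$2"; then
        echo "conflict: $dev already exists, OpenVPN will reuse it instead of creating its own"
        return 1
    fi
    echo "free: $dev"
    return 0
}

# Constructed sample data standing in for /etc/openvpn/client.conf on machine B.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
client
dev tap0
proto tcp
remote vpn.example.invalid 1194
EOF

# Constructed `ip -o link show` output: tap0 already exists and is enslaved to br0.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0'

check_tap_conflict "$SAMPLE_CONF" "$SAMPLE_LINKS" || :   # prints the conflict for tap0
# Real use: check_tap_conflict /etc/openvpn/client.conf "$(ip -o link show)"
```

Running it against the sample reports the tap0 conflict; with `dev tap1` in the config it reports the device as free, which matches the fix in the answer. Independently of the naming problem, the client log above also carries two warnings worth acting on: "No server certificate verification method has been enabled" (add `remote-cert-tls server` or equivalent so the client actually verifies it is talking to the server) and the BF-CBC 64-bit block size warning (move to a 128-bit block cipher such as AES as the log suggests).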