Eu tenho um ambiente onde eu tenho um servidor OpenVPN (Linux) e alguns clientes OpenVPN (Windows e Linux). Todos esses hosts (servidor e clientes) estão conectados à Internet, eles não estão conectados uns aos outros na LAN.
A idéia é ter o cliente windows usando o cliente linux como gateway (e não o servidor OpenVPN). Eu quero conseguir isso, empurrando "route-gateway 10.8.0.200" e "redirecionamento-gateway def1" para o cliente windows. Uma vez que SNAT (ou MASQUERADE) esteja habilitado no gateway Linux (10.8.0.200), e o sinalizador de encaminhamento de IP sysctl estiver definido como verdadeiro, ele deve ser capaz de atuar como gateway, certo?
Mas não consigo fazer isso. Vou explicar em suma minha configuração e mostrar onde está errado.
-
10.8.0.1 : Servidor OpenVPN (Linux)
-
10.8.0.200 : gateway, cliente OpenVPN (Linux)
-
10.8.0.2 : Cliente OpenVPN (Windows)
- Networkmask: 255.255.255.0
Layout de rede:
############
+---------------------------+ INTERNET +--------------------------+
| #####+###### |
| | +-------+-------+
| | | 9.10.11.12 |
| | ++---------------++
| | | DSL Modem Router|
| | +--------+--------+
| | |
+---+---+ +---+---+ +---+---+
| eth0 | | eth0 | | LAN |
+---+-------+---+ +---+-------+---+ +---+-------+---+
| 5.6.7.8 | | 1.2.3.4 | | 10.0.2.15 |
+--+---------------+--+ +--+---------------+--+ +--+---------------+--+
| Linux | | Linux | | Windows |
| OpenVPN | | OpenVPN | | OpenVPN |
| Client | | Server | | Client |
+--+---------------+--+ +--+---------------+--+ +--+---------------+--+
| 10.8.0.200 | | 10.8.0.1 | | 10.8.0.2 |
+---+-------+---+ +---+-------+---+ +---+-------+---+
| tun1 | | tun0 | |tun/tap|
+---+---+ +---+---+ +---+---+
| | |
+--------------------------------+--------------------------------+
Configuração de rede:
10.8.0.1 rotas:
[email protected]:/# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 1.2.3.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
1.2.3.0 * 255.255.254.0 U 0 0 0 eth0
10.8.0.200 rotas:
[email protected]:/# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 5.6.7.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 * 255.255.255.0 U 0 0 0 tun1
5.6.7.0 * 255.255.254.0 U 0 0 0 eth0
10.8.0.2 rotas:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.2.2 10.0.2.15 266
0.0.0.0 128.0.0.0 10.8.0.200 10.8.0.2 20
10.0.2.0 255.255.255.0 On-link 10.0.2.15 266
10.0.2.15 255.255.255.255 On-link 10.0.2.15 266
10.0.2.255 255.255.255.255 On-link 10.0.2.15 266
10.8.0.0 255.255.255.0 On-link 10.8.0.2 276
10.8.0.2 255.255.255.255 On-link 10.8.0.2 276
10.8.0.255 255.255.255.255 On-link 10.8.0.2 276
107.191.51.248 255.255.255.255 10.0.2.2 10.0.2.15 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 10.8.0.200 10.8.0.2 20
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.2.15 266
224.0.0.0 240.0.0.0 On-link 10.8.0.2 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.0.2.15 266
255.255.255.255 255.255.255.255 On-link 10.8.0.2 276
===========================================================================
Configurações do OpenVPN:
10.8.0.1 (Configuração do OpenVPN Server):
/etc/openvpn/server.conf:
mode server
tls-server
topology subnet
push "topology subnet"
dev tun0
local 1.2.3.4
port 1194
proto udp
client-to-client
max-clients 200
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
ifconfig 10.8.0.1 255.255.255.0
ifconfig-pool 10.8.0.2 10.8.0.199 255.255.255.0
client-config-dir /etc/openvpn/clients
keepalive 10 60
comp-lzo yes
push "comp-lzo yes"
user nobody
group nogroup
persist-key
persist-tun
status status.log
verb 3
mute 20
/ etc / openvpn / clients / linclient:
ifconfig-push 10.8.0.200 255.255.255.0
/ etc / openvpn / clients / winclient:
push "route-gateway 10.8.0.200"
push "redirect-gateway def1"
10.8.0.200 (OpenVPN Client) configuração:
/etc/openvpn/linclient.conf:
remote 1.2.3.4 1194
client
dev tun1
ca ca.crt
cert linclient.crt
key linclient.key
tls-auth ta.key 1
remote-cert-tls server
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status status.log
verb 3
mute 20
10.8.0.2 (configuração OpenVPN Client):
C: \ Arquivos de programas \ OpenVPN \ config \ winclient \ winclient.ovpn:
remote 1.2.3.4 1194
client
dev tun
ca ca.crt
cert winclient.crt
key winclient.key
tls-auth ta.key 1
remote-cert-tls server
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status status.log
verb 3
mute 20
Quando faço pings do cliente Windows para o servidor OpenVPN (10.8.0.1):
No Windows:
C: \ Windows \ system32 > ping 10.8.0.1
Pinging 10.8.0.1 with 32 bytes of data:
Reply from 10.8.0.1: bytes=32 time=119ms TTL=64
Reply from 10.8.0.1: bytes=32 time=120ms TTL=64
Reply from 10.8.0.1: bytes=32 time=120ms TTL=64
Reply from 10.8.0.1: bytes=32 time=119ms TTL=64
Ping statistics for 10.8.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 119ms, Maximum = 120ms, Average = 119ms
No servidor OpenVPN (10.8.0.1):
[email protected]:/# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
16:46:12.316295 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 3930, length 40
16:46:12.316316 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 3930, length 40
16:46:13.333982 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 3931, length 40
16:46:13.333994 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 3931, length 40
16:46:14.344666 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 3932, length 40
16:46:14.344678 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 3932, length 40
16:46:15.356811 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 3933, length 40
16:46:15.356824 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 3933, length 40
Quando eu faço pings do cliente Windows para o cliente OpenVPN, o 'gateway' (10.8.0.200):
No Windows:
C: \ Windows \ system32 > ping 10.8.0.200
Pinging 10.8.0.200 with 32 bytes of data:
Reply from 10.8.0.200: bytes=32 time=226ms TTL=64
Reply from 10.8.0.200: bytes=32 time=226ms TTL=64
Reply from 10.8.0.200: bytes=32 time=225ms TTL=64
Reply from 10.8.0.200: bytes=32 time=225ms TTL=64
Ping statistics for 10.8.0.200:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 225ms, Maximum = 226ms, Average = 225ms
No cliente OpenVPN, o 'gateway' (10.8.0.200):
[email protected]:~# tcpdump -i tun1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
18:48:13.694836 IP 10.8.0.2 > 10.8.0.200: ICMP echo request, id 1, seq 3934, length 40
18:48:13.694862 IP 10.8.0.200 > 10.8.0.2: ICMP echo reply, id 1, seq 3934, length 40
18:48:14.706081 IP 10.8.0.2 > 10.8.0.200: ICMP echo request, id 1, seq 3935, length 40
18:48:14.706093 IP 10.8.0.200 > 10.8.0.2: ICMP echo reply, id 1, seq 3935, length 40
18:48:15.722542 IP 10.8.0.2 > 10.8.0.200: ICMP echo request, id 1, seq 3936, length 40
18:48:15.722555 IP 10.8.0.200 > 10.8.0.2: ICMP echo reply, id 1, seq 3936, length 40
18:48:16.732037 IP 10.8.0.2 > 10.8.0.200: ICMP echo request, id 1, seq 3937, length 40
18:48:16.732049 IP 10.8.0.200 > 10.8.0.2: ICMP echo reply, id 1, seq 3937, length 40
Quando faço pings do cliente Windows para a Internet (8.8.8.8):
No Windows:
C:\Windows\system32>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Control-C
^C
No servidor OpenVPN (10.8.0.1):
[email protected]:/# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
16:49:55.077094 IP 10.8.0.2 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 3938, length 40
16:49:59.844689 IP 10.8.0.2 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 3939, length 40
16:50:04.896020 IP 10.8.0.2 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 3940, length 40
16:50:09.938695 IP 10.8.0.2 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 3941, length 40
No cliente OpenVPN, o 'gateway' (10.8.0.200):
[email protected]:~# tcpdump -i tun1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
Mais configurações em 10.8.0.200:
Ip forward:
[email protected]:~# cat /proc/sys/net/ipv4/ip_forward
1
* filtros iptables:
[email protected]:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 1752 packets, 142K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1496 packets, 184K bytes)
pkts bytes target prot opt in out source destination
* nat iptables:
[email protected]:~# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 7 packets, 1603 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
E por último, um tracert no windows:
C:\Windows\system32>tracert 10.8.0.1
Tracing route to 10.8.0.1 over a maximum of 30 hops
1 119 ms 119 ms 120 ms 10.8.0.1
Trace complete.
C:\Windows\system32>tracert 10.8.0.200
Tracing route to 10.8.0.200 over a maximum of 30 hops
1 226 ms 226 ms 225 ms 10.8.0.200
Trace complete.
C:\Windows\system32>tracert 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 119 ms 119 ms 119 ms 10.8.0.1
2 * * * Request timed out.
3 * * * Request timed out.
4 ^C
Minha pergunta:
Como uso o host do cliente Linux OpenVPN como gateway para o host do cliente Windows OpenVPN?