How do I use a Linux OpenVPN client host as the gateway for a Windows OpenVPN client host?

3

I have an environment with one OpenVPN server (Linux) and several OpenVPN clients (Windows and Linux). All of these hosts (server and clients) are connected to the Internet; they are not connected to each other on a LAN.

The idea is to have the Windows client use the Linux client as its gateway (and not the OpenVPN server). I want to achieve this by pushing `route-gateway 10.8.0.200` and `redirect-gateway def1` to the Windows client. Once SNAT (or MASQUERADE) is enabled on the Linux gateway (10.8.0.200) and the sysctl IP-forwarding flag is set to true, it should be able to act as a gateway, right?

But I cannot get it to work. I will briefly explain my setup and show where it goes wrong.

  • 10.8.0.1 : OpenVPN server (Linux)
  • 10.8.0.200 : gateway, OpenVPN client (Linux)
  • 10.8.0.2 : OpenVPN client (Windows)
  • Netmask: 255.255.255.0

Network layout:

                                       ############                                      
           +---------------------------+ INTERNET +--------------------------+           
           |                           #####+######                          |           
           |                                |                        +-------+-------+   
           |                                |                        |   9.10.11.12  |   
           |                                |                       ++---------------++  
           |                                |                       | DSL Modem Router|  
           |                                |                       +--------+--------+  
           |                                |                                |           
       +---+---+                        +---+---+                        +---+---+       
       |  eth0 |                        |  eth0 |                        |  LAN  |       
   +---+-------+---+                +---+-------+---+                +---+-------+---+   
   |    5.6.7.8    |                |    1.2.3.4    |                |   10.0.2.15   |   
+--+---------------+--+          +--+---------------+--+          +--+---------------+--+
|        Linux        |          |        Linux        |          |       Windows       |
|       OpenVPN       |          |       OpenVPN       |          |       OpenVPN       |
|        Client       |          |        Server       |          |        Client       |
+--+---------------+--+          +--+---------------+--+          +--+---------------+--+
   |   10.8.0.200  |                |    10.8.0.1   |                |    10.8.0.2   |   
   +---+-------+---+                +---+-------+---+                +---+-------+---+   
       |  tun1 |                        |  tun0 |                        |tun/tap|       
       +---+---+                        +---+---+                        +---+---+       
           |                                |                                |           
           +--------------------------------+--------------------------------+           

Network configuration:

10.8.0.1 routes:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         1.2.3.1         0.0.0.0         UG    0      0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
1.2.3.0         *               255.255.254.0   U     0      0        0 eth0

10.8.0.200 routes:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         5.6.7.1         0.0.0.0         UG    0      0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun1
5.6.7.0         *               255.255.254.0   U     0      0        0 eth0

10.8.0.2 routes:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.2.2        10.0.2.15    266
          0.0.0.0        128.0.0.0       10.8.0.200         10.8.0.2     20
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    266
        10.0.2.15  255.255.255.255         On-link         10.0.2.15    266
       10.0.2.255  255.255.255.255         On-link         10.0.2.15    266
         10.8.0.0    255.255.255.0         On-link          10.8.0.2    276
         10.8.0.2  255.255.255.255         On-link          10.8.0.2    276
       10.8.0.255  255.255.255.255         On-link          10.8.0.2    276
   107.191.51.248  255.255.255.255         10.0.2.2        10.0.2.15     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0       10.8.0.200         10.8.0.2     20
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         10.0.2.15    266
        224.0.0.0        240.0.0.0         On-link          10.8.0.2    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         10.0.2.15    266
  255.255.255.255  255.255.255.255         On-link          10.8.0.2    276
===========================================================================

OpenVPN configurations:

10.8.0.1 (OpenVPN server configuration):

/etc/openvpn/server.conf:

mode server
tls-server
topology subnet
push "topology subnet"

dev tun0
local 1.2.3.4
port 1194
proto udp

client-to-client
max-clients 200

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0

ifconfig 10.8.0.1 255.255.255.0
ifconfig-pool 10.8.0.2 10.8.0.199 255.255.255.0
client-config-dir /etc/openvpn/clients

keepalive 10 60

comp-lzo yes
push "comp-lzo yes"

user nobody
group nogroup

persist-key
persist-tun

status status.log
verb 3
mute 20

/etc/openvpn/clients/linclient:

ifconfig-push 10.8.0.200 255.255.255.0

/etc/openvpn/clients/winclient:

push "route-gateway 10.8.0.200"
push "redirect-gateway def1"

10.8.0.200 (OpenVPN client) configuration:

/etc/openvpn/linclient.conf:

remote 1.2.3.4 1194
client

dev tun1

ca ca.crt
cert linclient.crt
key linclient.key
tls-auth ta.key 1

remote-cert-tls server

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status status.log
verb 3
mute 20

10.8.0.2 (OpenVPN client configuration):

C:\Program Files\OpenVPN\config\winclient\winclient.ovpn:

remote 1.2.3.4 1194
client

dev tun

ca ca.crt
cert winclient.crt
key winclient.key
tls-auth ta.key 1

remote-cert-tls server

comp-lzo

# user/group privilege dropping is not implemented in OpenVPN on Windows;
# these two directives only produce a NOTE in the log and are ignored there
user nobody
group nogroup

persist-key
persist-tun

status status.log
verb 3
mute 20

When I ping the OpenVPN server (10.8.0.1) from the Windows client:

On Windows:

C:\Windows\system32>ping 10.8.0.1

Pinging 10.8.0.1 with 32 bytes of data:
Reply from 10.8.0.1: bytes=32 time=119ms TTL=64
Reply from 10.8.0.1: bytes=32 time=120ms TTL=64
Reply from 10.8.0.1: bytes=32 time=120ms TTL=64
Reply from 10.8.0.1: bytes=32 time=119ms TTL=64

Ping statistics for 10.8.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 119ms, Maximum = 120ms, Average = 119ms

On the OpenVPN server (10.8.0.1):

# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
16:46:12.316295 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 3930, length 40
16:46:12.316316 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 3930, length 40
16:46:13.333982 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 3931, length 40
16:46:13.333994 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 3931, length 40
16:46:14.344666 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 3932, length 40
16:46:14.344678 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 3932, length 40
16:46:15.356811 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 3933, length 40
16:46:15.356824 IP 10.8.0.1 > 10.8.0.2: ICMP echo reply, id 1, seq 3933, length 40

When I ping the OpenVPN client acting as the 'gateway' (10.8.0.200) from the Windows client:

On Windows:

C:\Windows\system32>ping 10.8.0.200

Pinging 10.8.0.200 with 32 bytes of data:
Reply from 10.8.0.200: bytes=32 time=226ms TTL=64
Reply from 10.8.0.200: bytes=32 time=226ms TTL=64
Reply from 10.8.0.200: bytes=32 time=225ms TTL=64
Reply from 10.8.0.200: bytes=32 time=225ms TTL=64

Ping statistics for 10.8.0.200:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 225ms, Maximum = 226ms, Average = 225ms

On the OpenVPN client, the 'gateway' (10.8.0.200):

# tcpdump -i tun1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
18:48:13.694836 IP 10.8.0.2 > 10.8.0.200: ICMP echo request, id 1, seq 3934, length 40
18:48:13.694862 IP 10.8.0.200 > 10.8.0.2: ICMP echo reply, id 1, seq 3934, length 40
18:48:14.706081 IP 10.8.0.2 > 10.8.0.200: ICMP echo request, id 1, seq 3935, length 40
18:48:14.706093 IP 10.8.0.200 > 10.8.0.2: ICMP echo reply, id 1, seq 3935, length 40
18:48:15.722542 IP 10.8.0.2 > 10.8.0.200: ICMP echo request, id 1, seq 3936, length 40
18:48:15.722555 IP 10.8.0.200 > 10.8.0.2: ICMP echo reply, id 1, seq 3936, length 40
18:48:16.732037 IP 10.8.0.2 > 10.8.0.200: ICMP echo request, id 1, seq 3937, length 40
18:48:16.732049 IP 10.8.0.200 > 10.8.0.2: ICMP echo reply, id 1, seq 3937, length 40

When I ping the Internet (8.8.8.8) from the Windows client:

On Windows:

C:\Windows\system32>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
    Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Control-C
^C

On the OpenVPN server (10.8.0.1):

# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
16:49:55.077094 IP 10.8.0.2 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 3938, length 40
16:49:59.844689 IP 10.8.0.2 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 3939, length 40
16:50:04.896020 IP 10.8.0.2 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 3940, length 40
16:50:09.938695 IP 10.8.0.2 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 3941, length 40

On the OpenVPN client, the 'gateway' (10.8.0.200):

# tcpdump -i tun1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

More settings on 10.8.0.200:

IP forwarding:

# cat /proc/sys/net/ipv4/ip_forward
1

* iptables filter table:

# iptables -L -n -v
Chain INPUT (policy ACCEPT 1752 packets, 142K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1496 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination

* iptables nat table:

# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 7 packets, 1603 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

And finally, a tracert on Windows:

C:\Windows\system32>tracert 10.8.0.1

Tracing route to 10.8.0.1 over a maximum of 30 hops

  1   119 ms   119 ms   120 ms  10.8.0.1

Trace complete.

C:\Windows\system32>tracert 10.8.0.200

Tracing route to 10.8.0.200 over a maximum of 30 hops

  1   226 ms   226 ms   225 ms  10.8.0.200

Trace complete.

C:\Windows\system32>tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1   119 ms   119 ms   119 ms  10.8.0.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4  ^C

My question:

How do I use the Linux OpenVPN client host as the gateway for the Windows OpenVPN client host?

    
by nwguy 26.08.2014 / 19:01

1 answer

1

I don't think you can do this easily with tun interfaces.

Using another computer as your gateway works by sending frames addressed to it at the layer below IP, with those frames containing IP packets addressed to some other destination. The router ("gateway") then knows it has to forward the IP packets on to the real destination.

With tun, there is no layer below IP. There is no way to pick a specific member of a tun-based subnet to receive an IP packet that is not addressed to it. What I think happens is that your OpenVPN server simply does not forward the IP packets addressed to 8.8.8.8 to the Linux client, because why should it? It doesn't know that client is special.

It might be possible to do what you want by using OpenVPN's "iroute" directive creatively, but I think you would be better off with one of the following solutions:

  1. Switch from tun to tap everywhere.
  2. Establish a sub-tunnel from 10.8.0.2 to 10.8.0.200 using a separate OpenVPN session (i.e. a tunnel inside a tunnel) and set the default route to point through it.
by 29.08.2014 / 16:04
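To make the answer's point concrete, the following model (added here; it is neither OpenVPN's code nor anything the poster ran) imitates the two routing decisions that happen in the question's setup: the Windows client's kernel picks 10.8.0.200 as the next hop, but a tun packet has no link-layer header to carry that choice, so the server sees only the IP destination and looks it up in its own client table (tunnel addresses plus `iroute` subnets, longest prefix wins); anything unmatched is written to the server's tun0 and handled by the server's kernel. Addresses are those from the question. The `iroute 0.0.0.0 0.0.0.0` entry in the second scenario is an assumption about what the "creative use of iroute" could look like; the page does not confirm that OpenVPN accepts a default-route iroute.

```python
"""Model of OpenVPN tun-mode routing for the setup in the question.

Added illustration, not OpenVPN's own code. It shows why pushing
'route-gateway 10.8.0.200' to the Windows client does not make the
server hand that client's Internet traffic to 10.8.0.200.
"""
import ipaddress

SERVER_KERNEL = "server-kernel"   # packet is written to tun0 on the server


def client_sends(dst, src="10.8.0.2", route_gateway="10.8.0.200"):
    """Windows client side: the kernel resolves the two 'def1' routes to
    the next hop 10.8.0.200, but OpenVPN encapsulates only the IP packet.
    The next-hop choice stays on the client and is never transmitted."""
    next_hop = route_gateway                 # decided locally, not sent
    packet = {"src": src, "dst": dst}        # what actually enters the tunnel
    return next_hop, packet


class TunServer:
    """Server-side internal routing table (client-to-client mode)."""

    def __init__(self, own_addr):
        self.own = ipaddress.ip_address(own_addr)
        self.table = []                      # (network, client name)

    def connect(self, name, addr):
        """Client tunnel address from ifconfig-pool or ifconfig-push."""
        self.table.append((ipaddress.ip_network(f"{addr}/32"), name))

    def iroute(self, name, network):
        """'iroute <network> <netmask>' in the client's ccd file."""
        self.table.append((ipaddress.ip_network(network), name))

    def route(self, packet):
        """Choose where a packet goes by its IP destination only.
        Longest prefix wins; unknown destinations go to the kernel."""
        dst = ipaddress.ip_address(packet["dst"])
        if dst == self.own:
            return SERVER_KERNEL
        hits = [(net, who) for net, who in self.table if dst in net]
        if not hits:
            return SERVER_KERNEL
        return max(hits, key=lambda h: h[0].prefixlen)[1]


def build_server(default_iroute=False):
    """The question's server: 10.8.0.1 with linclient and winclient."""
    s = TunServer("10.8.0.1")
    s.connect("linclient", "10.8.0.200")
    s.connect("winclient", "10.8.0.2")
    if default_iroute:
        # ASSUMPTION: 'iroute 0.0.0.0 0.0.0.0' in /etc/openvpn/clients/linclient;
        # the page does not confirm OpenVPN accepts a default iroute.
        s.iroute("linclient", "0.0.0.0/0")
    return s


def where_does_it_go(dsts, default_iroute=False):
    """Map each destination pinged from the Windows client to the place
    the server delivers it."""
    s = build_server(default_iroute)
    return {d: s.route(client_sends(d)[1]) for d in dsts}


if __name__ == "__main__":
    targets = ["10.8.0.1", "10.8.0.200", "8.8.8.8"]
    print("as configured in the question:", where_does_it_go(targets))
    print("with a default iroute for linclient:",
          where_does_it_go(targets, default_iroute=True))
```

With the question's configuration the model sends the 8.8.8.8 packet to the server's kernel, which matches the captures above: the echo requests appear on the server's tun0, tracert reports 10.8.0.1 as the first hop, and nothing ever reaches tun1 on 10.8.0.200. Only an explicit server-side entry pointing the destination at linclient changes that outcome, which is why the tap or tunnel-in-tunnel suggestions sidestep the problem entirely.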