OpenVPN sends Internet traffic to a separate server

1

Short version:

I want my AWS Ubuntu OpenVPN server to forward all of the clients' Internet traffic to another server instead of sending it out directly itself.

Long version:

I am setting up an environment in AWS and, for auditing reasons, all Internet traffic must be routed through a specific gateway. Some users will be connecting to the network through OpenVPN. I have the OpenVPN server set up and users are able to connect, but all of their traffic is leaving through the OpenVPN gateway/IP.

I.e. when my clients go to ipcow.com they see A.A.A.A, where I want them to see B.B.B.B.

Subnet layout

--------------------------------------------------
| A.A.A.A - VPN - 10.0.200.10        |           |
-------------------------------------|  Private  |
| B.B.B.B - Gateway/NAT - 10.0.0.200 |           |
--------------------------------------------------

server.conf

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "route 0.0.0.0 0.0.0.0 10.0.0.200"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

client.ovpn

client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote P.P.P.P 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3

Connection log

Unrecognized option or missing parameter(s) in vpn.ovpn:14: block-outside-dns (2.3.10)
OpenVPN 2.3.10 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
library versions: OpenSSL 1.0.2h  3 May 2016, LZO 2.09
Control Channel Authentication: tls-auth using INLINE static key file
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]P.P.P.P:1194
TLS: Initial packet from [AF_INET]P.P.P.P:1194, sid=5678375f 5c54cccd
VERIFY OK: depth=1, CN=ChangeMe
Validating certificate key usage
++ Certificate has key usage  00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=server
Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
[server] Peer Connection Initiated with [AF_INET]P.P.P.P:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.0.0.0 255.255.0.0,route 0.0.0.0 0.0.0.0 10.0.0.200 0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
ROUTE_GATEWAY 192.168.42.129/255.255.255.0 IFACE=enp0s20f0u1 HWADDR=
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
/usr/bin/ip link set dev tun0 up mtu 1500
/usr/bin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
/usr/bin/ip route add P.P.P.P/32 via 192.168.42.129
/usr/bin/ip route add 0.0.0.0/1 via 10.8.0.1
/usr/bin/ip route add 128.0.0.0/1 via 10.8.0.1
/usr/bin/ip route add 10.0.0.0/16 via 10.8.0.1
/usr/bin/ip route add 0.0.0.0/0 metric 0 via 10.0.0.200
RTNETLINK answers: Network is unreachable
ERROR: Linux route add command failed: external program exited with error status: 2
Initialization Sequence Completed

My attempt to add a 0.0.0.0/0 route obviously didn't work.

by Will G 25.05.2016 / 06:38

1 answer

1

The following steps were necessary to achieve my goal.

  1. echo "200 vpn" >> /etc/iproute2/rt_tables

  2. ip route add default via 10.0.0.200 table vpn

  3. ip rule add from 10.8.0.0/24 lookup vpn

Which gives me the following.

by 28.05.2016 / 06:32
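The three steps from the answer above, put together as an added example script (not the answerer's own code) that applies them idempotently on the OpenVPN server and then verifies which gateway the kernel picks for a VPN client packet. The VPN pool, gateway and table name come from the thread; the table id 200, the rt_tables path and the tun0 interface name are assumptions.

```shell
#!/bin/sh
# Added example: policy routing so that traffic arriving from the OpenVPN
# client subnet leaves via the NAT gateway instead of the VPN host's own IP.
# Run on the OpenVPN server as root: ./vpn-policy-route.sh apply
VPN_NET="10.8.0.0/24"        # client pool from "server 10.8.0.0 255.255.255.0"
GATEWAY="10.0.0.200"         # Gateway/NAT instance (B.B.B.B) on the private side
TABLE_ID=200                 # assumed: any unused id between 1 and 252
TABLE_NAME="vpn"
RT_TABLES="/etc/iproute2/rt_tables"   # assumed stock location

# Register the table name exactly once. Appending matters: redirecting with
# ">" would wipe the stock entries (local, main, default) the tools rely on.
ensure_rt_table() {
    file="$1"; id="$2"; name="$3"
    if ! grep -Eq "^[[:space:]]*${id}[[:space:]]+${name}[[:space:]]*$" "$file"; then
        printf '%s\t%s\n' "$id" "$name" >> "$file"
    fi
}

# Default route in the dedicated table plus a rule that sends packets whose
# source is the VPN pool to that table. Both calls are safe to repeat.
apply_policy_routing() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ip route replace default via "$GATEWAY" table "$TABLE_NAME"
    ip rule show | grep -q "from ${VPN_NET} lookup ${TABLE_NAME}" \
        || ip rule add from "$VPN_NET" lookup "$TABLE_NAME"
}

# Ask the kernel which next hop it would use for a packet coming in on tun0
# from a VPN client; succeeds only if the answer is the NAT gateway.
check_route() {
    client_ip="$1"
    ip route get 8.8.8.8 from "$client_ip" iif tun0 2>/dev/null \
        | grep -q "via ${GATEWAY} "
}

if [ "${1:-}" = "apply" ]; then
    ensure_rt_table "$RT_TABLES" "$TABLE_ID" "$TABLE_NAME"
    apply_policy_routing
    if check_route 10.8.0.2; then
        echo "VPN clients exit via ${GATEWAY}"
    else
        echo "route check failed: clients still leave via the main table"
    fi
fi
```

With the rule in place the server-side `push "route 0.0.0.0 0.0.0.0 10.0.0.200"` line is no longer needed, since the client cannot reach 10.0.0.200 directly and the redirect-gateway push already sends everything into the tunnel.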