OpenVPN não pode fazer ping de dispositivos LAN

1

Eu tenho uma configuração bem parecida com isso, exceto que os clientes da LAN estão atrás de um roteador de retransmissão DHCP. O roteador mais externo encaminha o tráfego para o servidor OpenVPN na porta 1194 e eu posso conectar clientes com êxito, roteando o tráfego para o servidor VPN, através de seu próprio NAT. Meu intervalo de ip virtual de VPN é 172.31.0.0/24

                          +-------------------------+
               (public IP)|                         |
  {INTERNET}=============={     Router              |
                          |                         |
                          |         LAN switch      |
                          +------------+------------+
                                       | (192.168.5.1)
                                       |
                                       |              +-----------------------+
                                       |              |                       |
                                       |              |        OpenVPN        |  eth0: 192.168.5.96/24
                                       +--------------{eth0    server         |  tun0: 172.31.0.0/24
                                       |              |                       |
                                       |              |           {tun0}      |
                                       |              +-----------------------+
                                       |
                              +--------+-----------+
                              |     Router B       |
                              |  Other LAN clients |
                              |                    |
                              |   192.168.1.0/24   |
                              |   (internal net)   |
                              +--------------------+

Conectando-se como um cliente VPN fora da rede, posso, portanto, obter tráfego na Internet, bem como para todos os outros clientes conectados ao primeiro roteador que hospeda seu próprio DHCP. (192.168.5.0/24). Mas quando tento acessar a LAN interna dos segundo roteadores, recebo a seguinte resposta aos pings:

PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
From 172.31.0.1 icmp_seq=1 Destination Host Unreachable

O servidor OpenVPN é hospedado em uma caixa com acesso restrito para que eu possa recuperar apenas os arquivos .conf através da web ui, dos quais ele exibe apenas uma quantidade limitada de informações. A conexão do cliente me fornece as seguintes informações:

Thu Dec 29 13:36:30 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 29 13:36:30 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Dec 29 13:36:30 2016 Attempting to establish TCP connection with [AF_INET]<public ip>:1194 [nonblock]
Thu Dec 29 13:36:31 2016 TCP connection established with [AF_INET]<public ip>:1194
Thu Dec 29 13:36:31 2016 TCPv4_CLIENT link local: [undef]
Thu Dec 29 13:36:31 2016 TCPv4_CLIENT link remote: [AF_INET]<public ip>:1194
Thu Dec 29 13:36:31 2016 TLS: Initial packet from [AF_INET]<public ip>:1194, sid=1081d793 4873f1e6
Thu Dec 29 13:36:31 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 29 13:36:32 2016 VERIFY OK: depth=1, CN=*, OU=RV320, O=*., L=*, C=*, ST=*
Thu Dec 29 13:36:32 2016 VERIFY OK: depth=0, C=*, OU=*, CN=*
Thu Dec 29 13:36:32 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Dec 29 13:36:32 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 29 13:36:32 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Dec 29 13:36:32 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 29 13:36:32 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Dec 29 13:36:32 2016 [com] Peer Connection Initiated with [AF_INET]<public ip>:1194
Thu Dec 29 13:36:35 2016 SENT CONTROL [com]: 'PUSH_REQUEST' (status=1)
Thu Dec 29 13:36:35 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.1.3,dhcp-option DNS 192.168.1.10,dhcp-option DOMAIN <company>.LOCAL,route 172.31.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 172.31.0.6 172.31.0.5'
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: route options modified
Thu Dec 29 13:36:35 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 29 13:36:35 2016 ROUTE_GATEWAY <client ip>/255.255.255.240 IFACE=eth1 HWADDR=*
Thu Dec 29 13:36:35 2016 TUN/TAP device tun0 opened
Thu Dec 29 13:36:35 2016 TUN/TAP TX queue length set to 100
Thu Dec 29 13:36:35 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Dec 29 13:36:35 2016 /sbin/ip link set dev tun0 up mtu 1500
Thu Dec 29 13:36:35 2016 /sbin/ip addr add dev tun0 local 172.31.0.6 peer 172.31.0.5
Thu Dec 29 13:36:35 2016 /etc/openvpn/update-resolv-conf.sh tun0 1500 1559 172.31.0.6 172.31.0.5 init
dhcp-option DNS 192.168.1.3
dhcp-option DNS 192.168.1.10
dhcp-option DOMAIN <company>.LOCAL
Illegal option -x
Thu Dec 29 13:36:35 2016 /sbin/ip route add <public ip>/32 via <client ip>
Thu Dec 29 13:36:35 2016 /sbin/ip route add 0.0.0.0/1 via 172.31.0.5
Thu Dec 29 13:36:35 2016 /sbin/ip route add 128.0.0.0/1 via 172.31.0.5
Thu Dec 29 13:36:35 2016 /sbin/ip route add 172.31.0.0/24 via 172.31.0.5
Thu Dec 29 13:36:35 2016 Initialization Sequence Completed

Meus clientes (caixas linux) têm o ip.forwarding ativado e suas tabelas de roteamento são assim, conectadas externamente:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.0.5      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         <client ip>     0.0.0.0         UG    0      0        0 eth1
<public ip>  <client ip>     255.255.255.255 UGH   0      0        0 eth1
128.0.0.0       172.31.0.5      128.0.0.0       UG    0      0        0 tun0
<client ip>     0.0.0.0         255.255.255.240 U     1      0        0 eth1
172.31.0.0      172.31.0.5      255.255.255.0   UG    0      0        0 tun0
172.31.0.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0

Eu também tentei configurar uma rota estática como sugerido aqui link mas sem sorte.

    
por Syncretic 29.12.2016 / 14:07

0 respostas