OpenVPN tunnel stops working for subnets after some time

1

Well, this sounds strange: I have an OpenVPN server with 2 clients; 1 client works fine, the second one drops out after 1 day.

The server is 10.7.2.1, client 1 is 10.7.2.2 (not working) and client 2 is 10.7.2.3.

The internal networks of each of them are:

server (10.7.2.1):
10.0.96.0/24

client 1 (10.7.2.2):
10.21.0.0/24
192.168.0.0/24

client 2 (10.7.2.3):
10.22.0.0/24

So, after the day, it is impossible to ping from 192.168.0.3 to 10.0.96.253:

ping 10.0.96.253
PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
^C
--- 10.0.96.253 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7590ms

I am sure the packets are routed correctly:

10.0.96.0/24 via 10.7.2.1 dev tun1 
10.7.2.0/24 dev tun1  proto kernel  scope link  src 10.7.2.2 
10.22.0.0/24 via 10.7.2.1 dev tun1 

and it can also be verified via tcpdump:

[Interface:eth0:]    10:41:37.446320 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 4, length 64
[Interface:tun1:]    10:41:37.446332 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 4, length 64
[Interface:eth0:]    10:41:38.446967 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 5, length 64
[Interface:tun1:]    10:41:38.446983 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 5, length 64

tun1 is the network interface on client 1.

32: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none 
    inet 10.7.2.2/24 brd 10.7.2.255 scope global tun1
       valid_lft forever preferred_lft forever

When doing a tcpdump on the server side, nothing shows up!

BUT it works if I ping directly from the client:

ping 10.0.96.253
PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
64 bytes from 10.0.96.253: icmp_seq=1 ttl=63 time=31.8 ms
64 bytes from 10.0.96.253: icmp_seq=2 ttl=63 time=31.3 ms
64 bytes from 10.0.96.253: icmp_seq=3 ttl=63 time=32.9 ms
64 bytes from 10.0.96.253: icmp_seq=4 ttl=63 time=31.7 ms
64 bytes from 10.0.96.253: icmp_seq=5 ttl=63 time=32.2 ms
64 bytes from 10.0.96.253: icmp_seq=6 ttl=63 time=38.4 ms
64 bytes from 10.0.96.253: icmp_seq=7 ttl=63 time=32.8 ms
^C
--- 10.0.96.253 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6008ms
rtt min/avg/max/mdev = 31.331/33.060/38.428/2.264 ms

Also visible in tcpdump:

[Interface:tun1:]    10:44:41.828197 IP 10.7.2.2 > 10.0.96.253: ICMP echo request, id 51791, seq 5, length 64
[Interface:tun1:]    10:44:41.860386 IP 10.0.96.253 > 10.7.2.2: ICMP echo reply, id 51791, seq 5, length 64

After reconnecting openvpn via systemctl restart openvpn@samba, it works again!

Again from 192.168.0.3 to 10.0.96.253:

ping 10.0.96.253
PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
64 bytes from 10.0.96.253: icmp_seq=1 ttl=62 time=33.9 ms
64 bytes from 10.0.96.253: icmp_seq=2 ttl=62 time=31.4 ms
64 bytes from 10.0.96.253: icmp_seq=3 ttl=62 time=32.0 ms
64 bytes from 10.0.96.253: icmp_seq=4 ttl=62 time=32.9 ms
^C
--- 10.0.96.253 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3275ms
rtt min/avg/max/mdev = 31.496/32.589/33.915/0.947 ms

and the corresponding tcpdump:

[Interface:eth0:]    10:47:25.230275 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 31580, seq 4, length 64
[Interface:tun1:]    10:47:25.230301 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 31580, seq 4, length 64
[Interface:tun1:]    10:47:25.262723 IP 10.0.96.253 > 192.168.0.3: ICMP echo reply, id 31580, seq 4, length 64
[Interface:eth0:]    10:47:25.262739 IP 10.0.96.253 > 192.168.0.3: ICMP echo reply, id 31580, seq 4, length 64

The second client does not show this behaviour. So I am completely stumped and don't know where to look; does anyone have any idea what I could do?

Server configuration:

port                  1194
proto                 udp
dev                   tun
ca                    samba.ca.crt
cert                  samba.crt
key                   samba.key
dh                    samba.dh.pem
server                10.7.2.0 255.255.255.0
ifconfig-pool-persist samba.ipp.txt
route                 10.0.96.0 255.255.255.0
route                 192.168.0.0 255.255.255.0 10.7.2.2
route                 10.21.0.0 255.255.255.0 10.7.2.2
route                 10.22.0.0 255.255.255.0 10.7.2.3
topology              subnet
mode                  server

client-to-client

client-config-dir     samba.ccd
ccd-exclusive         samba.ccd
comp-lzo
persist-key
persist-tun
status                samba.openvpn-status.log
log-append            /var/log/samba.openvpn.log
verb                  4
keepalive             10 120

Server OpenVPN version:

OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug  4 2015

Client configuration:

client
dev              tun
proto            udp
remote           xx.xx.xx.xx 1194
resolv-retry     infinite
nobind
persist-key
persist-tun
ca               samba.ca.crt
cert             samba.crt
key              samba.key
comp-lzo
verb             4
status           samba.openvpn-status.log
log-append       /var/log/samba.openvpn.log

Client CCD:

client-to-client
iroute 10.21.0.0 255.255.255.0
iroute 192.168.0.0 255.255.255.0
push "route 10.0.96.0 255.255.255.0"
push "route 10.22.0.0 255.255.255.0"

Client OpenVPN version:

OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug  4 2015
by Thomas Rosenstein 05.01.2016 / 11:58

0 answers
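The symptom in the question (echo requests from 192.168.0.3 enter tun1 on the client, nothing arrives at the server, yet pings sourced from the client's own VPN address 10.7.2.2 work) is what a site-to-site OpenVPN setup shows when the server's routing is inconsistent for that subnet: the kernel `route ... 10.7.2.2` on the server and the `iroute` in the client's CCD file have to agree, and when OpenVPN receives a packet whose source is not covered by an iroute for that client it drops it and logs "MULTI: bad source address from client [x.x.x.x], packet dropped" rather than writing it to the tun device. The script below is an added example, not code from the question's author: it parses the server config and CCD directives shown above, reports route/iroute mismatches in either direction, and scans server log lines for that drop message. The CCD file names (`client1`, `client2`), the log timestamps and the client endpoint addresses are constructed for the example; the directive texts are taken from the question.

```python
"""Check OpenVPN route/iroute consistency and scan a server log for dropped
source addresses.  Added example: the config text below is copied from the
question, the CCD names and log lines are constructed."""
import ipaddress
import re

# Pool from 'server 10.7.2.0 255.255.255.0' in the question.
VPN_NET = ipaddress.ip_network("10.7.2.0/24")

# Route directives from the server config in the question.
SERVER_CONF = """\
server 10.7.2.0 255.255.255.0
route 10.0.96.0 255.255.255.0
route 192.168.0.0 255.255.255.0 10.7.2.2
route 10.21.0.0 255.255.255.0 10.7.2.2
route 10.22.0.0 255.255.255.0 10.7.2.3
"""

# CCD contents keyed by an assumed common name for each client.
CCD_FILES = {
    "client1": "iroute 10.21.0.0 255.255.255.0\niroute 192.168.0.0 255.255.255.0\n",
    "client2": "iroute 10.22.0.0 255.255.255.0\n",
}

# Constructed server log lines in log-append style; the MULTI message text is
# OpenVPN's, the timestamps and client endpoint are made up for this example.
SAMPLE_LOG = [
    "Tue Jan  5 10:41:37 2016 client1/203.0.113.10:41194 MULTI: bad source address from client [192.168.0.3], packet dropped",
    "Tue Jan  5 10:41:38 2016 client1/203.0.113.10:41194 MULTI: bad source address from client [192.168.0.3], packet dropped",
    "Tue Jan  5 10:41:39 2016 client1/203.0.113.10:41194 TLS: soft reset (example noise line)",
]

DROP_RE = re.compile(r"MULTI: bad source address from client \[([\d.]+)\], packet dropped")


def parse_directives(text):
    """Yield (directive, [args]) for each non-comment line of an OpenVPN config."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def server_routes(conf):
    """Map each 'route' network in the server config to its explicit gateway (or None)."""
    routes = {}
    for name, args in parse_directives(conf):
        if name == "route" and len(args) >= 2:
            gw = ipaddress.ip_address(args[2]) if len(args) >= 3 else None
            routes[_net(args[0], args[1])] = gw
    return routes


def ccd_iroutes(ccd_files):
    """Map each 'iroute' network declared in any CCD file to the client that owns it."""
    owners = {}
    for client, text in ccd_files.items():
        for name, args in parse_directives(text):
            if name == "iroute" and len(args) >= 2:
                owners[_net(args[0], args[1])] = client
    return owners


def check_consistency(conf, ccd_files, vpn_net=VPN_NET):
    """Every kernel route pointing at a VPN client needs a matching iroute (else
    OpenVPN does not know which client owns the subnet), and every iroute needs a
    kernel route on the server (else replies never enter the tunnel)."""
    routes, iroutes = server_routes(conf), ccd_iroutes(ccd_files)
    findings = []
    for net, gw in routes.items():
        if gw is not None and gw in vpn_net and net not in iroutes:
            findings.append(f"route {net} via {gw} has no iroute in any CCD file")
    for net, client in iroutes.items():
        if net not in routes:
            findings.append(f"iroute {net} in CCD '{client}' has no matching server route")
    return findings


def scan_log(lines, ccd_files):
    """Count dropped source addresses; note which CCD iroute should have covered each."""
    iroutes = ccd_iroutes(ccd_files)
    result = {}
    for line in lines:
        m = DROP_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        owner = next((c for net, c in iroutes.items() if src in net), None)
        entry = result.setdefault(str(src), {"drops": 0, "expected_owner": owner})
        entry["drops"] += 1
    return result


if __name__ == "__main__":
    for finding in check_consistency(SERVER_CONF, CCD_FILES):
        print("config:", finding)
    for src, info in scan_log(SAMPLE_LOG, CCD_FILES).items():
        print(f"dropped {info['drops']} packets from {src}; "
              f"expected iroute owner: {info['expected_owner']}")
```

Run against the directives from the question the consistency check returns no findings, so a static mismatch is not the explanation; a drop count for a source that does map to a CCD iroute instead points at the server's in-memory client-to-subnet mapping (rebuilt on reconnect, which matches the observation that a restart repairs it) and is the thing to confirm in the real log at verb 4 before changing the configuration.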