Well, this sounds strange: I have an OpenVPN server with 2 clients, 1 client works fine, the second drops out after 1 day.
The server is 10.7.2.1, client 1 is 10.7.2.2 (not working) and client 2 is 10.7.2.3.
The internal networks of each of them are:
server (10.7.2.1):
10.0.96.0/24
client 1 (10.7.2.2):
10.21.0.0/24
192.168.0.0/24
client 2 (10.7.2.3):
10.22.0.0/24
So, after that day, it is impossible to ping from 192.168.0.3 to 10.0.96.253:
ping 10.0.96.253
PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
^C
--- 10.0.96.253 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7590ms
I am sure the packets are routed correctly:
10.0.96.0/24 via 10.7.2.1 dev tun1
10.7.2.0/24 dev tun1 proto kernel scope link src 10.7.2.2
10.22.0.0/24 via 10.7.2.1 dev tun1
and it can also be verified via tcpdump:
[Interface:eth0:] 10:41:37.446320 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 4, length 64
[Interface:tun1:] 10:41:37.446332 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 4, length 64
[Interface:eth0:] 10:41:38.446967 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 5, length 64
[Interface:tun1:] 10:41:38.446983 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 20316, seq 5, length 64
tun1 is the network interface on client 1.
32: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.7.2.2/24 brd 10.7.2.255 scope global tun1
valid_lft forever preferred_lft forever
When doing a tcpdump on the server side, nothing shows up!
BUT it works if I ping directly from the client:
ping 10.0.96.253
PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
64 bytes from 10.0.96.253: icmp_seq=1 ttl=63 time=31.8 ms
64 bytes from 10.0.96.253: icmp_seq=2 ttl=63 time=31.3 ms
64 bytes from 10.0.96.253: icmp_seq=3 ttl=63 time=32.9 ms
64 bytes from 10.0.96.253: icmp_seq=4 ttl=63 time=31.7 ms
64 bytes from 10.0.96.253: icmp_seq=5 ttl=63 time=32.2 ms
64 bytes from 10.0.96.253: icmp_seq=6 ttl=63 time=38.4 ms
64 bytes from 10.0.96.253: icmp_seq=7 ttl=63 time=32.8 ms
^C
--- 10.0.96.253 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6008ms
rtt min/avg/max/mdev = 31.331/33.060/38.428/2.264 ms
Also visible in tcpdump:
[Interface:tun1:] 10:44:41.828197 IP 10.7.2.2 > 10.0.96.253: ICMP echo request, id 51791, seq 5, length 64
[Interface:tun1:] 10:44:41.860386 IP 10.0.96.253 > 10.7.2.2: ICMP echo reply, id 51791, seq 5, length 64
After an OpenVPN reconnect via systemctl (restart openvpn@samba), it works again!
Again from 192.168.0.3 to 10.0.96.253:
ping 10.0.96.253
PING 10.0.96.253 (10.0.96.253) 56(84) bytes of data.
64 bytes from 10.0.96.253: icmp_seq=1 ttl=62 time=33.9 ms
64 bytes from 10.0.96.253: icmp_seq=2 ttl=62 time=31.4 ms
64 bytes from 10.0.96.253: icmp_seq=3 ttl=62 time=32.0 ms
64 bytes from 10.0.96.253: icmp_seq=4 ttl=62 time=32.9 ms
^C
--- 10.0.96.253 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3275ms
rtt min/avg/max/mdev = 31.496/32.589/33.915/0.947 ms
and the corresponding tcpdump:
[Interface:eth0:] 10:47:25.230275 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 31580, seq 4, length 64
[Interface:tun1:] 10:47:25.230301 IP 192.168.0.3 > 10.0.96.253: ICMP echo request, id 31580, seq 4, length 64
[Interface:tun1:] 10:47:25.262723 IP 10.0.96.253 > 192.168.0.3: ICMP echo reply, id 31580, seq 4, length 64
[Interface:eth0:] 10:47:25.262739 IP 10.0.96.253 > 192.168.0.3: ICMP echo reply, id 31580, seq 4, length 64
The second client does not show this behaviour. So I am completely puzzled and do not know where to look; does anyone have an idea what I could do?
Server configuration:
port 1194
proto udp
dev tun
ca samba.ca.crt
cert samba.crt
key samba.key
dh samba.dh.pem
server 10.7.2.0 255.255.255.0
ifconfig-pool-persist samba.ipp.txt
route 10.0.96.0 255.255.255.0
route 192.168.0.0 255.255.255.0 10.7.2.2
route 10.21.0.0 255.255.255.0 10.7.2.2
route 10.22.0.0 255.255.255.0 10.7.2.3
topology subnet
mode server
client-to-client
client-config-dir samba.ccd
ccd-exclusive samba.ccd
comp-lzo
persist-key
persist-tun
status samba.openvpn-status.log
log-append /var/log/samba.openvpn.log
verb 4
keepalive 10 120
Server OpenVPN version:
OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 4 2015
Client configuration:
client
dev tun
proto udp
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca samba.ca.crt
cert samba.crt
key samba.key
comp-lzo
verb 4
status samba.openvpn-status.log
log-append /var/log/samba.openvpn.log
Client CCD:
client-to-client
iroute 10.21.0.0 255.255.255.0
iroute 192.168.0.0 255.255.255.0
push "route 10.0.96.0 255.255.255.0"
push "route 10.22.0.0 255.255.255.0"
Client OpenVPN version:
OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 4 2015
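A check worth running on the server when the LAN-sourced pings stop while the client's own tunnel address still works: the server only forwards packets from a client whose source address is covered by that client's tunnel IP or one of its iroute networks, and the networks it currently knows are listed in the ROUTING TABLE section of the --status file (version 1 format, which is what a bare `status` line like the one in the posted config produces). The script below is an added example, not part of the original post or of OpenVPN itself. It parses a constructed status file (the addresses in it are made up; it deliberately lacks the 192.168.0.0/24 entry for client1) together with the CCD from the post, reports which iroute networks the server is not currently mapping to that client, and answers whether a given LAN source address such as 192.168.0.3 would be accepted from it.

```python
"""Cross-check an OpenVPN server's internal routing table (as written to the
--status file, version 1 format) against the iroute lines of a client's CCD
file, and tell whether a LAN source address would be accepted from that client.
"""
import ipaddress
import re

# Constructed sample of a version-1 status file (not from the post; real
# addresses are replaced by documentation ranges). client1 still has its
# tunnel IP and 10.21.0.0/24 mapped, but the 192.168.0.0/24 entry is absent.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Oct 12 10:41:00 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:1194,123456,654321,Sun Oct 11 10:40:00 2015
client2,203.0.113.20:1194,2345,5432,Sun Oct 11 11:00:00 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.7.2.2,client1,203.0.113.10:1194,Mon Oct 12 10:40:58 2015
10.21.0.0/24,client1,203.0.113.10:1194,Mon Oct 12 10:40:58 2015
10.7.2.3,client2,203.0.113.20:1194,Mon Oct 12 10:40:50 2015
10.22.0.0/24,client2,203.0.113.20:1194,Mon Oct 12 10:40:50 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# The CCD file for client 1 as shown in the post (push lines are ignored here).
SAMPLE_CCD = """\
client-to-client
iroute 10.21.0.0 255.255.255.0
iroute 192.168.0.0 255.255.255.0
push "route 10.0.96.0 255.255.255.0"
push "route 10.22.0.0 255.255.255.0"
"""


def parse_routing_table(status_text):
    """Return {common_name: [ip_network, ...]} from the ROUTING TABLE section.

    A bare address is the client's own tunnel IP (stored as a /32); a CIDR
    entry is an iroute network the server has learned for that client.
    """
    routes = {}
    in_table = False
    for line in status_text.splitlines():
        if line == "ROUTING TABLE":
            in_table = True
            continue
        if line in ("GLOBAL STATS", "END"):
            in_table = False
        if not in_table or line.startswith("Virtual Address"):
            continue
        fields = line.split(",")
        if len(fields) < 2:
            continue
        virt, cn = fields[0], fields[1]
        routes.setdefault(cn, []).append(ipaddress.ip_network(virt, strict=False))
    return routes


def parse_iroutes(ccd_text):
    """Collect the networks declared with 'iroute <network> <netmask>'."""
    nets = []
    for line in ccd_text.splitlines():
        m = re.match(r"\s*iroute\s+(\S+)\s+(\S+)", line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def missing_iroutes(status_text, ccd_text, cn):
    """iroute networks in the CCD that the server does not currently map to cn."""
    known = set(parse_routing_table(status_text).get(cn, []))
    return [n for n in parse_iroutes(ccd_text) if n not in known]


def source_accepted(status_text, cn, src_ip):
    """True if a packet from cn with source src_ip matches one of its mappings."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in parse_routing_table(status_text).get(cn, []))


if __name__ == "__main__":
    for net in missing_iroutes(SAMPLE_STATUS, SAMPLE_CCD, "client1"):
        print(f"client1: iroute {net} not present in server routing table")
    for src in ("10.7.2.2", "192.168.0.3"):
        print(f"client1 source {src}: accepted={source_accepted(SAMPLE_STATUS, 'client1', src)}")
```

Run it against the real samba.openvpn-status.log on the server (and the CCD for the failing client) once the LAN pings have stopped. If an iroute network the CCD declares is missing from the table, the server is dropping those packets before they reach its tun device, which matches a server-side tcpdump showing nothing while the client's own tunnel address still gets replies; OpenVPN logs such drops as "MULTI: bad source address from client [...], packet dropped" in the server log.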