I am trying to set up OpenVPN with static-key authentication (instead of TLS) on TCP port 443, but the client cannot access the internet through the VPN after connecting to the server.
Here is my current setup:
It is a Debian VPS running on OpenVZ with TUN/TAP enabled.
Here is the configuration file:
dev tun
proto tcp-server
port 443
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
And here is the iptables script I applied as well:
#!/bin/bash
# A Sample OpenVPN-aware firewall.
# vetnet0 is connected to the internet.
# eth1 is connected to a private subnet.
# Change this subnet to correspond to your private
# ethernet subnet. Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=10.0.0.0/24
# Loopback address
LOOP=127.0.0.1
# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Prevent external packets from using loopback addr
iptables -A INPUT -i vetnet0 -s $LOOP -j DROP
iptables -A FORWARD -i vetnet0 -s $LOOP -j DROP
iptables -A INPUT -i vetnet0 -d $LOOP -j DROP
iptables -A FORWARD -i vetnet0 -d $LOOP -j DROP
# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i vetnet0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i vetnet0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i vetnet0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i vetnet0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i vetnet0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i vetnet0 -s 10.0.0.0/8 -j DROP
# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o vetnet0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o vetnet0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o vetnet0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o vetnet0 -j DROP
# Check source address validity on packets going out to internet
iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT
# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow services such as www and ssh (can be disabled)
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing --dport n
# to match the OpenVPN UDP port.
#
# In OpenVPN, the port number is
# controlled by the --port n option.
# If you put this option in the config
# file, you can remove the leading '--'
#
# If you taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface. Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o vetnet0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o vetnet0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#SNAT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o vetnet0 -j SNAT --to-source <ip>
# Masquerade local subnet
#iptables -t nat -A POSTROUTING -s $PRIVATE -o vetnet0 -j MASQUERADE
Output of iptables -L -v -n
Chain INPUT (policy DROP 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- vetnet0 * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- vetnet0 * 0.0.0.0/0 127.0.0.1
0 0 DROP all -- vetnet0 * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- vetnet0 * 172.16.0.0/12 0.0.0.0/0
0 0 DROP all -- vetnet0 * 10.0.0.0/8 0.0.0.0/0
486 1016K ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 127.0.0.1
4 240 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
691 78432 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1705 152K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
102 8054 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
9 756 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
40 5988 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- vetnet0 * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- vetnet0 * 0.0.0.0/0 127.0.0.1
0 0 DROP all -- vetnet0 * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- vetnet0 * 172.16.0.0/12 0.0.0.0/0
0 0 DROP all -- vetnet0 * 10.0.0.0/8 0.0.0.0/0
0 0 DROP tcp -- * vetnet0 0.0.0.0/0 0.0.0.0/0 tcp spts:137:139
0 0 DROP udp -- * vetnet0 0.0.0.0/0 0.0.0.0/0 udp spts:137:139
0 0 DROP all -- eth1 * !10.0.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * vetnet0 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 3046 packets, 2269K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * vetnet0 0.0.0.0/0 0.0.0.0/0 tcp spts:137:139
0 0 DROP udp -- * vetnet0 0.0.0.0/0 0.0.0.0/0 udp spts:137:139
0 0 ACCEPT all -- * vetnet0 0.0.0.0/0 0.0.0.0/0 state NEW
Output of ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12007 errors:0 dropped:0 overruns:0 frame:0
TX packets:12007 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:21446320 (20.4 MiB) TX bytes:21446320 (20.4 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.2 P-t-P:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:25189 errors:0 dropped:0 overruns:0 frame:0
TX packets:27831 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2689401 (2.5 MiB) TX bytes:18616342 (17.7 MiB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:<ip> P-t-P:<ip> Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
Output of netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 venet0
The client is a Windows 8.1 machine running OpenVPN 2.3.
Here is the configuration file:
remote <server_ip> 443
dev tun
proto tcp-client
ifconfig 10.8.0.2 10.8.0.1
secret "C:\Program Files\OpenVPN\config\static.key"
verb 6
When the client connects, a connection is created in Windows for OpenVPN, but it has no internet access (I also made sure it was at the top of the connections list).
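An added diagnostic script, not part of the question above, that checks the three things a redirect-gateway setup like this one depends on for tunnel clients to reach the internet: IP forwarding enabled in the kernel, the WAN interface named in the firewall rules actually present (the script above matches on `vetnet0` while the ifconfig output lists `venet0`), and a POSTROUTING SNAT/MASQUERADE rule for the tunnel subnet on that interface. The check functions take their input as arguments, so they run against saved text as well as live command output; the live `run_checks` wrapper assumes `ifconfig` and `iptables-save` are installed and that it is run as root.

```shell
#!/bin/sh
# Added example: prerequisite checks for an OpenVPN server that is expected
# to forward and NAT client traffic to the internet. Each check_* function
# takes text (ifconfig output, sysctl value, iptables-save output) as an
# argument and returns 0 on success, 1 on failure.

# Interface names from ifconfig output in the "name  Link encap:..." format
# shown in the question (one name per line, alias suffix like ":0" kept).
ifaces_from_ifconfig() {
    printf '%s\n' "$1" | awk '/Link encap/ {print $1}'
}

# check_iface NAME IFCONFIG_OUTPUT: 0 if NAME (or an alias NAME:n) exists.
check_iface() {
    ifaces_from_ifconfig "$2" | sed 's/:.*//' | grep -qx -- "$1"
}

# check_forwarding VALUE: 0 if net.ipv4.ip_forward is 1.
check_forwarding() {
    [ "$1" = "1" ]
}

# check_nat SUBNET IFACE NAT_RULES: 0 if the nat table (iptables-save
# format) has a POSTROUTING SNAT or MASQUERADE rule for SUBNET leaving IFACE.
check_nat() {
    printf '%s\n' "$3" | grep -- '-A POSTROUTING' | grep -- "-s $1" \
        | grep -- "-o $2" | grep -Eq -- '-j (SNAT|MASQUERADE)'
}

# run_checks WAN_IFACE TUNNEL_SUBNET: live run on the server (root needed).
run_checks() {
    wan=$1; subnet=$2; rc=0
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)
    check_forwarding "$fwd" \
        || { echo "ip_forward is '$fwd', expected 1"; rc=1; }
    check_iface "$wan" "$(ifconfig 2>/dev/null)" \
        || { echo "interface $wan not found (check for a typo)"; rc=1; }
    check_nat "$subnet" "$wan" "$(iptables-save -t nat 2>/dev/null)" \
        || { echo "no SNAT/MASQUERADE rule for $subnet out of $wan"; rc=1; }
    return $rc
}

# Usage: ./vpncheck.sh venet0 10.8.0.0/24
if [ $# -ge 2 ]; then
    run_checks "$1" "$2"
fi
```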