cliente para cliente https no OpenVPN no CentOS 7

Question

cliente para cliente https no OpenVPN no CentOS 7

0

No OpenVPN hospedado no Centos 7 abaixo, por que o windows_client definido abaixo de https no centos_vm1_client definido abaixo?

O problema parece isolado para a configuração do centos_vm1_client , como mostrado abaixo.

RESULTADOS ACTUAIS: Um aplicativo da Web está sendo executado em port 8080 de centos_vm1_client . Outro aplicativo da Web está sendo executado em port 3020 de windows_client . Mas os dois clientes não conseguem http em toda a rede para os aplicativos uns dos outros , a menos que os firewalls de cada cliente estejam desativados. Cada firewall parece estar bloqueando http de tráfego para aplicativos hospedados em seu própria máquina de outros clientes no OpenVPN.

Os endereços de rede dos dois aplicativos em execução são:

http : // 10.8.3.1:8080 (isso está hospedado no centos_vm1_client )

http : // 10.8.4.1:3020 (isso está hospedado no windows_client )

Cada aplicativo pode ser acessado internamente em sua própria máquina. No entanto, os firewalls das respectivas máquinas cliente precisam ser desativados para que possam ser acessados pela rede OpenVPN.

Ambos os clientes podem pingar uns aos outros.

CONFIG PARA O OpenVPN:

Para melhorar a capacidade de leitura, dividi a configuração nas três seções a seguir, incluindo o servidor, o centos_vm1_client e o windows_client .

Configuração do servidor

No servidor, /etc/openvpn/server.conf é:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
route 10.8.3.0 255.255.255.0
route 10.8.4.0 255.255.255.0
client-config-dir ccd
client-to-client
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

/etc/openvpn/ccd/centos_vm1_client é:

ifconfig-push 10.8.3.1 10.8.3.2

/etc/openvpn/ccd/windows_client é:

ifconfig-push 10.8.4.1 10.8.4.2

Além disso, openvpn-status.log contém o seguinte:

OpenVPN CLIENT LIST
Updated,Thu Jun 16 22:14:15 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
centos_vm1_client,(same.ip.4.both.clients):52631,15302,15463,Thu Jun 16 21:46:55 2016
windows_client,(same.ip.4.both.clients):61393,48696,16526,Thu Jun 16 21:46:24 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.3.1,centos_vm1_client,(same.ip.4.both.clients):52631,Thu Jun 16 21:51:54 2016
10.8.4.1,windows_client,(same.ip.4.both.clients):61393,Thu Jun 16 21:51:54 2016
GLOBAL STATS
Max bcast/mcast queue length,1
END

Note que ambos os clientes têm o mesmo endereço IP real porque centos_vm _client is running in VirtualBox within the Windows host that is also windows_client '. Mas isso não deve importar, porque o arquivo acima usa as portas para diferenciá-las.

Também no servidor, a configuração do firewalld é:

[root@hostname ccd]# firewall-cmd --list-all
public (default, active)
  interfaces: enp3s0
  sources: 
  services: dhcpv6-client http imaps openvpn smtp ssh
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[root@hostname ccd]# firewall-cmd --zone=internal --list-all
internal (active)
  interfaces: tun0
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="10.8.3.0/24" service name="https" accept
    rule family="ipv4" source address="10.8.0.0/24" service name="https" accept
    rule family="ipv4" source address="10.8.4.0/24" service name="https" accept
[root@hostname ccd]#

Os registros a seguir indicam que nada foi registrado no servidor quando as solicitações HTTP foram feitas entre dois clientes da VPN (observe que os logs do cliente para as solicitações são mostrados separadamente na seção do cliente):

[root@servername ~]# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@servername ~]# tcpdump -i tunO
tcpdump: tunO: No such device exists
(SIOCGIFHWADDR: No such device)
[root@servername ~]#

centos_vm1_client Config

E no centos_vm1_client , o seguinte é o client.ovpn :

client
dev tun
proto udp
remote server.ip.addr 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca /etc/openvpn/ca.crt
cert /etc/openvpn/centos_vm1_client.crt
key /etc/openvpn/centos_vm1_client.key

No centos_vm1_client , o Firewalld config é:

[root@localhost ~]# firewall-cmd --zone=internal --add-interface=tun0
success
[root@localhost ~]# firewall-cmd --get-active-zones
internal
  interfaces: tun0
public
  interfaces: enp0s3
[root@localhost ~]# firewall-cmd --zone=internal --add-interface=tun0 --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# systemctl restart firewalld.service
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --get-active-zones
internal
  interfaces: tun0
public
  interfaces: enp0s3
[root@localhost ~]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client mdns openvpn ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[root@localhost ~]# firewall-cmd --zone=internal --list-all
internal (active)
  interfaces: tun0
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="10.8.4.0/24" service name="https" accept
[root@localhost ~]#

No centos_vm1_client , os resultados de ip route são:

[user@localhost ~]$ ip route
default via 10.0.2.2 dev enp0s3  proto static  metric 100 
10.0.2.0/24 dev enp0s3  proto kernel  scope link  src 10.0.2.15  metric 100 
10.8.0.0/24 via 10.8.3.2 dev tun0 
10.8.3.0/24 via 10.8.3.2 dev tun0 
10.8.3.2 dev tun0  proto kernel  scope link  src 10.8.3.1 
10.8.4.0/24 via 10.8.3.2 dev tun0 
xxx.xxx.xxx.0/24 dev virbr0  proto kernel  scope link  src xxx.xxx.xxx.1 
[user@localhost ~]$

O centos_vm1_client relatou os seguintes resultados quando http de chamadas foram feitas na rede para aplicativos da web que estavam confirmados para serem executados internamente em 10.8.4.1:3020 e em 10.8.3.1:8080 .

Primeiro, iniciamos o tcpdump com o seguinte comando:

[root@localhost ~]# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes

Em seguida, tentamos um HTTP : // 10.8.3.1:8080 de windows_client to centos_vm1_client na rede e FAILED, deixando os seguintes logs no centos_vm1_client :

12:11:18.621836 IP 10.8.4.1.53128 > localhost.localdomain.webcache: Flags [S], seq 2802547164, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:11:18.621887 IP localhost.localdomain > 10.8.4.1: ICMP host localhost.localdomain unreachable - admin prohibited, length 60
12:11:18.873136 IP 10.8.4.1.53129 > localhost.localdomain.webcache: Flags [S], seq 1706704746, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:11:18.873179 IP localhost.localdomain > 10.8.4.1: ICMP host localhost.localdomain unreachable - admin prohibited, length 60
12:11:21.731132 IP 10.8.4.1.53128 > localhost.localdomain.webcache: Flags [S], seq 2802547164, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:11:21.731255 IP localhost.localdomain > 10.8.4.1: ICMP host localhost.localdomain unreachable - admin prohibited, length 60
12:11:21.866466 IP 10.8.4.1.53129 > localhost.localdomain.webcache: Flags [S], seq 1706704746, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:11:21.866495 IP localhost.localdomain > 10.8.4.1: ICMP host localhost.localdomain unreachable - admin prohibited, length 60
12:11:27.625046 IP 10.8.4.1.53128 > localhost.localdomain.webcache: Flags [S], seq 2802547164, win 8192, options [mss 1369,nop,nop,sackOK], length 0
12:11:27.625092 IP localhost.localdomain > 10.8.4.1: ICMP host localhost.localdomain unreachable - admin prohibited, length 56
12:11:27.886785 IP 10.8.4.1.53129 > localhost.localdomain.webcache: Flags [S], seq 1706704746, win 8192, options [mss 1369,nop,nop,sackOK], length 0
12:11:27.886829 IP localhost.localdomain > 10.8.4.1: ICMP host localhost.localdomain unreachable - admin prohibited, length 56
12:11:39.870134 IP 10.8.4.1.53132 > localhost.localdomain.webcache: Flags [S], seq 3081435540, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:11:39.870176 IP localhost.localdomain > 10.8.4.1: ICMP host localhost.localdomain unreachable - admin prohibited, length 60
12:11:42.877622 IP 10.8.4.1.53132 > localhost.localdomain.webcache: Flags [S], seq 3081435540, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:11:42.877667 IP localhost.localdomain > 10.8.4.1: ICMP host localhost.localdomain unreachable - admin prohibited, length 60
12:11:48.869914 IP 10.8.4.1.53132 > localhost.localdomain.webcache: Flags [S], seq 3081435540, win 8192, options [mss 1369,nop,nop,sackOK], length 0
12:11:48.869952 IP localhost.localdomain > 10.8.4.1: ICMP host localhost.localdomain unreachable - admin prohibited, length 56

Em seguida, para ver o que acontece quando HTTP do centos_vm1_client para o windows_client , solicitamos http : // 10.8.4.1:3020 do centos_vm1-client e obtivemos os seguintes registros além do conteúdo veiculado com êxito:

12:15:42.497915 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [S], seq 318103706, win 29200, options [mss 1460,sackOK,TS val 7596906 ecr 0,nop,wscale 7], length 0
12:15:42.661689 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [S.], seq 256535699, ack 318103707, win 8192, options [mss 1369,nop,wscale 8,sackOK,TS val 873011 ecr 7596906], length 0
12:15:42.661732 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [.], ack 1, win 229, options [nop,nop,TS val 7597070 ecr 873011], length 0
12:15:42.662227 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [P.], seq 1:284, ack 1, win 229, options [nop,nop,TS val 7597070 ecr 873011], length 283
12:15:42.837922 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [P.], seq 1:156, ack 284, win 259, options [nop,nop,TS val 873028 ecr 7597070], length 155
12:15:42.838045 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [.], ack 156, win 237, options [nop,nop,TS val 7597246 ecr 873028], length 0
12:15:42.850318 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [P.], seq 156:1513, ack 284, win 259, options [nop,nop,TS val 873028 ecr 7597070], length 1357
12:15:42.850374 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [.], ack 1513, win 260, options [nop,nop,TS val 7597258 ecr 873028], length 0
12:15:42.856458 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [P.], seq 1513:2236, ack 284, win 259, options [nop,nop,TS val 873028 ecr 7597070], length 723
12:15:42.856485 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [.], ack 2236, win 281, options [nop,nop,TS val 7597264 ecr 873028], length 0
12:15:42.870287 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [.], seq 2236:3593, ack 284, win 259, options [nop,nop,TS val 873028 ecr 7597070], length 1357
12:15:42.870324 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [.], ack 3593, win 303, options [nop,nop,TS val 7597278 ecr 873028], length 0
12:15:42.874214 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [P.], seq 3593:4284, ack 284, win 259, options [nop,nop,TS val 873028 ecr 7597070], length 691
12:15:42.874253 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [.], ack 4284, win 325, options [nop,nop,TS val 7597282 ecr 873028], length 0
12:15:43.016107 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [.], seq 4284:5641, ack 284, win 259, options [nop,nop,TS val 873045 ecr 7597246], length 1357
12:15:43.016133 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [.], ack 5641, win 347, options [nop,nop,TS val 7597424 ecr 873045], length 0
12:15:43.041399 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [P.], seq 5641:6998, ack 284, win 259, options [nop,nop,TS val 873047 ecr 7597258], length 1357
12:15:43.041478 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [.], ack 6998, win 370, options [nop,nop,TS val 7597449 ecr 873047], length 0
12:15:43.044012 IP localhost.localdomain.58284 > 10.8.4.1.stm_pproc: Flags [S], seq 1476720458, win 29200, options [mss 1460,sackOK,TS val 7597452 ecr 0,nop,wscale 7], length 0
12:15:43.048582 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [.], seq 6998:8355, ack 284, win 259, options [nop,nop,TS val 873047 ecr 7597258], length 1357
12:15:43.048607 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [.], ack 8355, win 393, options [nop,nop,TS val 7597456 ecr 873047], length 0
12:15:43.048617 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [P.], seq 8355:8453, ack 284, win 259, options [nop,nop,TS val 873047 ecr 7597258], length 98
12:15:43.048621 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [.], ack 8453, win 393, options [nop,nop,TS val 7597456 ecr 873047], length 0
12:15:43.049757 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [FP.], seq 8453:8675, ack 284, win 259, options [nop,nop,TS val 873048 ecr 7597264], length 222
12:15:43.050073 IP localhost.localdomain.58283 > 10.8.4.1.stm_pproc: Flags [F.], seq 284, ack 8676, win 414, options [nop,nop,TS val 7597458 ecr 873048], length 0
12:15:43.209451 IP 10.8.4.1.stm_pproc > localhost.localdomain.58284: Flags [S.], seq 2241172971, ack 1476720459, win 8192, options [mss 1369,nop,wscale 8,sackOK,TS val 873066 ecr 7597452], length 0
12:15:43.209534 IP localhost.localdomain.58284 > 10.8.4.1.stm_pproc: Flags [.], ack 1, win 229, options [nop,nop,TS val 7597618 ecr 873066], length 0
12:15:43.209724 IP localhost.localdomain.58284 > 10.8.4.1.stm_pproc: Flags [P.], seq 1:298, ack 1, win 229, options [nop,nop,TS val 7597618 ecr 873066], length 297
12:15:43.215041 IP 10.8.4.1.stm_pproc > localhost.localdomain.58283: Flags [.], ack 285, win 259, options [nop,nop,TS val 873067 ecr 7597458], length 0
12:15:43.415631 IP 10.8.4.1.stm_pproc > localhost.localdomain.58284: Flags [P.], seq 1:137, ack 298, win 259, options [nop,nop,TS val 873086 ecr 7597618], length 136
12:15:43.415662 IP localhost.localdomain.58284 > 10.8.4.1.stm_pproc: Flags [.], ack 137, win 237, options [nop,nop,TS val 7597824 ecr 873086], length 0
12:15:43.427471 IP 10.8.4.1.stm_pproc > localhost.localdomain.58284: Flags [P.], seq 137:1494, ack 298, win 259, options [nop,nop,TS val 873086 ecr 7597618], length 1357
12:15:43.427559 IP localhost.localdomain.58284 > 10.8.4.1.stm_pproc: Flags [.], ack 1494, win 260, options [nop,nop,TS val 7597835 ecr 873086], length 0
12:15:43.427578 IP 10.8.4.1.stm_pproc > localhost.localdomain.58284: Flags [P.], seq 1494:2217, ack 298, win 259, options [nop,nop,TS val 873086 ecr 7597618], length 723
12:15:43.427586 IP localhost.localdomain.58284 > 10.8.4.1.stm_pproc: Flags [.], ack 2217, win 281, options [nop,nop,TS val 7597836 ecr 873086], length 0
12:15:43.440385 IP 10.8.4.1.stm_pproc > localhost.localdomain.58284: Flags [.], seq 2217:3574, ack 298, win 259, options [nop,nop,TS val 873086 ecr 7597618], length 1357
12:15:43.440426 IP localhost.localdomain.58284 > 10.8.4.1.stm_pproc: Flags [.], ack 3574, win 303, options [nop,nop,TS val 7597848 ecr 873086], length 0
12:15:43.448490 IP 10.8.4.1.stm_pproc > localhost.localdomain.58284: Flags [P.], seq 3574:4265, ack 298, win 259, options [nop,nop,TS val 873086 ecr 7597618], length 691
12:15:43.448552 IP localhost.localdomain.58284 > 10.8.4.1.stm_pproc: Flags [.], ack 4265, win 325, options [nop,nop,TS val 7597856 ecr 873086], length 0
12:15:43.585894 IP 10.8.4.1.stm_pproc > localhost.localdomain.58284: Flags [FP.], seq 4265:5461, ack 298, win 259, options [nop,nop,TS val 873103 ecr 7597824], length 1196
12:15:43.586082 IP localhost.localdomain.58284 > 10.8.4.1.stm_pproc: Flags [F.], seq 298, ack 5462, win 347, options [nop,nop,TS val 7597994 ecr 873103], length 0
12:15:43.591603 IP localhost.localdomain.58285 > 10.8.4.1.stm_pproc: Flags [S], seq 939617885, win 29200, options [mss 1460,sackOK,TS val 7598000 ecr 0,nop,wscale 7], length 0
12:15:43.758163 IP 10.8.4.1.stm_pproc > localhost.localdomain.58284: Flags [.], ack 299, win 259, options [nop,nop,TS val 873120 ecr 7597994], length 0
12:15:43.759163 IP 10.8.4.1.stm_pproc > localhost.localdomain.58285: Flags [S.], seq 1974508644, ack 939617886, win 8192, options [mss 1369,nop,wscale 8,sackOK,TS val 873120 ecr 7598000], length 0
12:15:43.759188 IP localhost.localdomain.58285 > 10.8.4.1.stm_pproc: Flags [.], ack 1, win 229, options [nop,nop,TS val 7598167 ecr 873120], length 0
12:15:43.759366 IP localhost.localdomain.58285 > 10.8.4.1.stm_pproc: Flags [P.], seq 1:295, ack 1, win 229, options [nop,nop,TS val 7598167 ecr 873120], length 294
12:15:43.934556 IP 10.8.4.1.stm_pproc > localhost.localdomain.58285: Flags [P.], seq 1:119, ack 295, win 259, options [nop,nop,TS val 873138 ecr 7598167], length 118
12:15:43.934579 IP localhost.localdomain.58285 > 10.8.4.1.stm_pproc: Flags [.], ack 119, win 229, options [nop,nop,TS val 7598343 ecr 873138], length 0
12:15:43.934866 IP localhost.localdomain.58285 > 10.8.4.1.stm_pproc: Flags [F.], seq 295, ack 119, win 229, options [nop,nop,TS val 7598343 ecr 873138], length 0
12:15:43.935886 IP 10.8.4.1.stm_pproc > localhost.localdomain.58285: Flags [F.], seq 119, ack 295, win 259, options [nop,nop,TS val 873138 ecr 7598167], length 0
12:15:43.935909 IP localhost.localdomain.58285 > 10.8.4.1.stm_pproc: Flags [.], ack 120, win 229, options [nop,nop,TS val 7598344 ecr 873138], length 0
12:15:44.095536 IP 10.8.4.1.stm_pproc > localhost.localdomain.58285: Flags [.], ack 296, win 259, options [nop,nop,TS val 873155 ecr 7598343], length 0

Em seguida, digitamos systemctl stop firewalld na solicitação centos_vm1_client e uma http : // 10.3.8.1 do windows_client forneceu os seguintes tcpdump logs no centos_vm1_client , embora não atendam ao aplicativo web.

12:48:49.977901 IP 10.8.4.1.53438 > localhost.localdomain.http: Flags [S], seq 4069290925, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:48:49.977915 IP localhost.localdomain.http > 10.8.4.1.53438: Flags [R.], seq 0, ack 4069290926, win 0, length 0
12:48:50.227069 IP 10.8.4.1.53439 > localhost.localdomain.http: Flags [S], seq 4064160567, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:48:50.227094 IP localhost.localdomain.http > 10.8.4.1.53439: Flags [R.], seq 0, ack 4064160568, win 0, length 0
12:48:50.639496 IP 10.8.4.1.53438 > localhost.localdomain.http: Flags [S], seq 4069290925, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:48:50.639519 IP localhost.localdomain.http > 10.8.4.1.53438: Flags [R.], seq 0, ack 1, win 0, length 0
12:48:50.886327 IP 10.8.4.1.53439 > localhost.localdomain.http: Flags [S], seq 4064160567, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:48:50.886344 IP localhost.localdomain.http > 10.8.4.1.53439: Flags [R.], seq 0, ack 1, win 0, length 0
12:48:51.296978 IP 10.8.4.1.53438 > localhost.localdomain.http: Flags [S], seq 4069290925, win 8192, options [mss 1369,nop,nop,sackOK], length 0
12:48:51.297008 IP localhost.localdomain.http > 10.8.4.1.53438: Flags [R.], seq 0, ack 1, win 0, length 0
12:48:51.560846 IP 10.8.4.1.53439 > localhost.localdomain.http: Flags [S], seq 4064160567, win 8192, options [mss 1369,nop,nop,sackOK], length 0
12:48:51.560864 IP localhost.localdomain.http > 10.8.4.1.53439: Flags [R.], seq 0, ack 1, win 0, length 0
12:48:51.731854 IP 10.8.4.1.53440 > localhost.localdomain.http: Flags [S], seq 2195075404, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:48:51.731869 IP localhost.localdomain.http > 10.8.4.1.53440: Flags [R.], seq 0, ack 2195075405, win 0, length 0
12:48:52.390736 IP 10.8.4.1.53440 > localhost.localdomain.http: Flags [S], seq 2195075404, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:48:52.390836 IP localhost.localdomain.http > 10.8.4.1.53440: Flags [R.], seq 0, ack 1, win 0, length 0
12:48:53.065199 IP 10.8.4.1.53440 > localhost.localdomain.http: Flags [S], seq 2195075404, win 8192, options [mss 1369,nop,nop,sackOK], length 0
12:48:53.065220 IP localhost.localdomain.http > 10.8.4.1.53440: Flags [R.], seq 0, ack 1, win 0, length 0

Em seguida, com o firewall centos_vm1_client parado, fizemos uma solicitação http : // 10.3.8.1:8080 do windows_client (observe a porta incluída dessa vez) e obtivemos os seguintes tcpdump logs no centos_vm1_client , enquanto COM SUCESSO SERVINDO O APP .

12:49:27.145136 IP 10.8.4.1.53443 > localhost.localdomain.webcache: Flags [S], seq 890722974, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0
12:49:27.145158 IP localhost.localdomain.webcache > 10.8.4.1.53443: Flags [S.], seq 3938412689, ack 890722975, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:49:27.324240 IP 10.8.4.1.53443 > localhost.localdomain.webcache: Flags [.], ack 1, win 256, length 0
12:49:27.344614 IP 10.8.4.1.53443 > localhost.localdomain.webcache: Flags [P.], seq 1:288, ack 1, win 256, length 287
12:49:27.344630 IP localhost.localdomain.webcache > 10.8.4.1.53443: Flags [.], ack 288, win 237, length 0
12:49:27.400622 IP localhost.localdomain.webcache > 10.8.4.1.53443: Flags [P.], seq 1:599, ack 288, win 237, length 598
12:49:27.400674 IP localhost.localdomain.webcache > 10.8.4.1.53443: Flags [P.], seq 599:1390, ack 288, win 237, length 791
12:49:27.572795 IP 10.8.4.1.53443 > localhost.localdomain.webcache: Flags [.], ack 1390, win 256, length 0
12:49:27.635251 IP 10.8.4.1.53443 > localhost.localdomain.webcache: Flags [P.], seq 288:689, ack 1390, win 256, length 401
12:49:27.635309 IP localhost.localdomain.webcache > 10.8.4.1.53443: Flags [.], ack 689, win 245, length 0
12:49:27.635377 IP 10.8.4.1.53444 > localhost.localdomain.webcache: Flags [S], seq 804293060, win 8192, options [mss 1369,nop,wscale 8,nop,nop,sackOK], length 0

NENHUMA das solicitações acima gerou registros de tcpdump em execução no servidor ao mesmo tempo. Os (falta de) logs são mostrados na seção do servidor.

windows_client Config

No windows_client , o client.ovpn é:

client
dev tun
proto udp
remote ip.addr.of.server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca C:\path\to\ca.crt
cert C:\path\to\windows_client.crt
key C:\path\to\windows_client.key

Em windows_client , os resultados de route print são:

C:\WINDOWS\system32>route print
=======================================================================
Interface List
 35...00 ff f7 f0 72 b2 ......TAP-Windows Adapter V9
 13...ac fd ce 11 8a 7e ......Microsoft Wi-Fi Direct Virtual Adapter
 12...ac fd ce 11 8a 7d ......Intel(R) Dual Band Wireless-AC 7260
  5...ac fd ce 11 8a 81 ......Bluetooth Device (Personal Area Network)
  3...3c a8 2a a5 04 a3 ......Realtek PCIe GBE Family Controller
  9...0a 00 27 00 00 09 ......VirtualBox Host-Only Ethernet Adapter
  1...........................Software Loopback Interface 1
  6...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 10...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
=======================================================================

IPv4 Route Table
=======================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
      0.0.0.0          0.0.0.0        10.1.10.1      10.1.10.248     25
    10.1.10.0    255.255.255.0         On-link       10.1.10.248    281
  10.1.10.248  255.255.255.255         On-link       10.1.10.248    281
  10.1.10.255  255.255.255.255         On-link       10.1.10.248    281
     10.8.0.0    255.255.255.0         10.8.4.2         10.8.4.1     20
     10.8.3.0    255.255.255.0         10.8.4.2         10.8.4.1     20
     10.8.4.0    255.255.255.0         10.8.4.2         10.8.4.1     20
     10.8.4.0  255.255.255.252         On-link          10.8.4.1    276
     10.8.4.1  255.255.255.255         On-link          10.8.4.1    276
     10.8.4.3  255.255.255.255         On-link          10.8.4.1    276
    127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
    127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
 192.xxx.xx.0    255.255.255.0         On-link      192.xxx.xx.1    266
 192.xxx.xx.1  255.255.255.255         On-link      192.xxx.xx.1    266
 192.xxx.xx.255  255.255.255.255         On-link      192.xxx.xx.1    266
    224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
    224.0.0.0        240.0.0.0         On-link      192.xxx.xx.1    266
    224.0.0.0        240.0.0.0         On-link       10.1.10.248    281
    224.0.0.0        240.0.0.0         On-link          10.8.4.1    276
255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
255.255.255.255  255.255.255.255         On-link      xxx.xxx.xx.1    266
255.255.255.255  255.255.255.255         On-link       10.1.10.248    281
255.255.255.255  255.255.255.255         On-link          10.8.4.1    276
=======================================================================
Persistent Routes:
  None

IPv6 Route Table
=======================================================================
//skipping because I cannot tell which are public versus private

O windows_client tem o Firewall do Windows e o Avast Antivirus instalados. No entanto, para fins de teste, o Firewall do Windows e o Avast Active Protection Shields são desativados para manter esse problema focado no lado do Linux.

Então, o que precisa ser alterado para que o aplicativo que está sendo executado na porta 8080 do centos_vm1_client esteja acessível quando o navegador da web windows_client estiver direcionado para https : // 10.8.3.1:8080 sem precisar desativar o firewall?

vpn openvpn centos rhel

por FarmHand 16.06.2016 / 21:40

0 respostas

Tags vpn openvpn centos rhel

Relação geral referente a FS - LV o kernel desinstalado não pode inicializar mais