OpenVPN 2 serwery, oddzielna lokalizacja sieci - Polskie Forum Użytkowników Debiana

OpenVPN 2 serwery, oddzielna lokalizacja sieci

ODPOWIEDZ

Posty: 3 • Strona 1 z 1

saiqard: Posty: 15; Rejestracja: 28 maja 2008, 10:18

OpenVPN 2 serwery, oddzielna lokalizacja sieci

Cytuj

Post autor: saiqard » 10 czerwca 2008, 14:10

Mam problem z konfiguracją OPENVPN.
Tworzę sieć 2 serwery w oddzielnych lokalizacjach a za każdym mała sieć lokalna.
Skonfigurowałem OPENVPN, łączy się on ze sobą bez problemu, ale nie przepuszcza on żadnego ruchu(pingi, pulpit zdalny). Nie mam pojęcia dlaczego.

Siec wygląda następująco 10.0.0.0 --> server (br0:10.0.0.210, eth0:79.190.x.xxx) --- internet --- server (eth0:79.190.y.yyy, eth1:10.0.0.240 tap0: 10.0.0.230) -->10.0.0.0

Chcę, aby komputery widziały się nawzajem tak, jak by były w jednej sieci.
Oto pliki konfiguracyjne.

Najpierw na serwerze tworze bridga a to konfig do niego:

Kod: Zaznacz cały

#!/bin/bash

###############################
#Set up Ethernet bridge on Linux
#Requires: bridge-utils
###############################
#define bridge interface
br="br0"

#define list of TAP interfaces to be bridged.
#for example tab="tap0 tap1 tap2".
tap="tap0"

#define physical ethernet interface to be bridged
#with TAP Interface(s) aboce.
eth="eth1"
br_ip="10.0.0.210"
br_netmask="255.0.0.0"
br_broadcast="10.0.0.255"

for t in $tap; do
  openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
  brctl addif $br $t
done

for t in $tap; do
  ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

VPN server:

Kod: Zaznacz cały

proto udp
dev tap0
ca /etc/openvpn/certs/cacert.pem
cert /etc/openvpn/certs/gwcert.pem
key /etc/openvpn/certs/gwkey.pem_bezhasla
dh /etc/openvpn/certs/dh1024.pem
server-bridge 10.0.0.210 255.0.0.0 10.0.0.230 10.0.0.250
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

VPN client:

Kod: Zaznacz cały

client
dev tap0
proto udp
remote 79.190.x.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/certs/cacert.pem
cert /etc/openvpn/certs/usercert.pem
key /etc/openvpn/certs/userkey.pem
comp-lzo

firewall na obu komputerach:

Kod: Zaznacz cały

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

modprobe ip_conntrack

#usuniecie wszystkich regol filtra
iptables -F
iptables -F -t nat
iptables -F -t mangle

#domyslnie przepuszczamy wszystko
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#maskowanie
iptables -t nat -A POSTROUTING -p all -s 10.0.0.0/8 -d 0/0 -j MASQUERADE

logi servera:

Kod: Zaznacz cały

Tue Jun 10 13:45:40 2008 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Tue Jun 10 13:45:40 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jun 10 13:45:41 2008 Diffie-Hellman initialized with 1024 bit key
Tue Jun 10 13:45:41 2008 WARNING: file '/etc/openvpn/certs/gwkey.pem_bezhasla' is group or others accessible
Tue Jun 10 13:45:41 2008 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jun 10 13:45:41 2008 TUN/TAP device tap0 opened
Tue Jun 10 13:45:41 2008 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jun 10 13:45:41 2008 UDPv4 link local (bound): [undef]:1194
Tue Jun 10 13:45:41 2008 UDPv4 link remote: [undef]
Tue Jun 10 13:45:41 2008 MULTI: multi_init called, r=256 v=256
Tue Jun 10 13:45:41 2008 IFCONFIG POOL: base=10.0.0.230 size=21
Tue Jun 10 13:45:41 2008 IFCONFIG POOL LIST
Tue Jun 10 13:45:41 2008 Patryk,10.0.0.230
Tue Jun 10 13:45:41 2008 Initialization Sequence Completed
Tue Jun 10 13:47:15 2008 MULTI: multi_create_instance called
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 Re-using SSL/TLS context
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 LZO compression initialized
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 Local Options hash (VER=V4): 'f7df56b8'
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 Expected Remote Options hash (VER=V4): 'd79ca330'
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 TLS: Initial packet from 79.190.6.253:1026, sid=eb23bd03 353076ff
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 VERIFY OK: depth=1, /C=PL/ST=PL/L=Sokopowsko/O=Sanat_Sp._z_o.o./OU=Szpitalnictwo/CN=Patryk
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 VERIFY OK: depth=0, /C=PL/ST=PL/O=Sanat/OU=Szpitalnictwo/CN=Patryk
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jun 10 13:47:15 2008 79.190.5.253:1026 [Patryk] Peer Connection Initiated with 79.190.5.253:1026
Tue Jun 10 13:47:16 2008 Patryk/79.190.5.253:1026 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jun 10 13:47:16 2008 Patryk/79.190.5.253:1026 SENT CONTROL [Patryk]: 'PUSH_REPLY,route-gateway 10.0.0.210,ping 10,ping-restart 120,ifconfig 10.0.0.230 255.0.0.0' (status=1)
Tue Jun 10 13:47:16 2008 Patryk/79.190.x.xxx:1026 MULTI: Learn: 4e:ed:52:29:58:c3 -> Patryk/79.190.y.yyy:1026

logi clienta:

Kod: Zaznacz cały

Tue Jun 10 13:47:12 2008 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Tue Jun 10 13:47:12 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jun 10 13:47:12 2008 WARNING: No server certificate verification method has been enabled.  See [URL]http://openvpn.net/howto.html#mitm[/URL] for more info.
Enter Private Key Password:
Tue Jun 10 13:47:15 2008 WARNING: file '/etc/openvpn/certs/userkey.pem' is group or others accessible
Tue Jun 10 13:47:15 2008 LZO compression initialized
Tue Jun 10 13:47:15 2008 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jun 10 13:47:15 2008 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jun 10 13:47:15 2008 Local Options hash (VER=V4): 'd79ca330'
Tue Jun 10 13:47:15 2008 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue Jun 10 13:47:15 2008 UDPv4 link local: [undef]
Tue Jun 10 13:47:15 2008 UDPv4 link remote: 79.190.x.xxx:1194
Tue Jun 10 13:47:15 2008 TLS: Initial packet from 79.190.x.xxx:1194, sid=94fff407 26ed2ddc
Tue Jun 10 13:47:15 2008 VERIFY OK: depth=1, /C=PL/ST=PL/L=Sokopowsko/O=Sanat./OU=Szpitalnictwo/CN=Patryk
Tue Jun 10 13:47:15 2008 VERIFY OK: depth=0, /C=PL/ST=PL/O=Sanat./OU=Szpitalnictwo/CN=Patryk
Tue Jun 10 13:47:15 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 10 13:47:15 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 10 13:47:15 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 10 13:47:15 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 10 13:47:15 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jun 10 13:47:15 2008 [Patryk] Peer Connection Initiated with 79.190.5.252:1194
Tue Jun 10 13:47:16 2008 SENT CONTROL [Patryk]: 'PUSH_REQUEST' (status=1)
Tue Jun 10 13:47:16 2008 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.0.0.210,ping 10,ping-restart 120,ifconfig 10.0.0.230 255.0.0.0'
Tue Jun 10 13:47:16 2008 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jun 10 13:47:16 2008 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jun 10 13:47:16 2008 OPTIONS IMPORT: route options modified
Tue Jun 10 13:47:16 2008 TUN/TAP device tap0 opened
Tue Jun 10 13:47:16 2008 ifconfig tap0 10.0.0.230 netmask 255.0.0.0 mtu 1500 broadcast 10.255.255.255
Tue Jun 10 13:47:16 2008 Initialization Sequence Completed

Proszę o pomoc. Może mam coś jeszcze dopisać w firewallu, albo dodać jakiś routing?

[ Dodano: 2008-06-13, 10:00 ]
problem rozwiazany.
Na kliecie trzeba też skonfigurować most

Redhead: Junior Member; Posty: 526; Rejestracja: 17 lipca 2007, 17:37

Cytuj

Post autor: Redhead » 25 lipca 2008, 11:09

Mam cos podobnego i jeden maly problem.
Dodalem dwa skrypty do startu, kazdy uruchamia inny plik konfiguracyjny

Kod: Zaznacz cały

failed to find GID for nobody group

Wiec dodalem grupe nobody i po restarcie mam inny błąd, tzn. zawieszanie systemu na linii

Kod: Zaznacz cały

UDPv4 link local (bound): [undef] :1194
UDPv4 link remote: [undef]

Co moze byc tego przyczyna?

TooMeeK: Posty: 85; Rejestracja: 25 lipca 2008, 12:54

Cytuj

Post autor: TooMeeK » 25 lipca 2008, 13:37

Panowie, może coś pomogę.

Ja ustawiałem OpenVPN pomiędzy sieciami (tak, żeby komputery z obu sieci widziały się wzajemnie, z takimi samymi adresami IP jak mają dotychczas):

Kod: Zaznacz cały

router1: eth1 na 10.0.0.x - eth0 zewn IP 192.168.33.100
router2: eth1 na 10.1.0.x - eth0 zewn IP 192.168.33.200

w oddzielnych lokalizacjach.
Widzą się po tym zewnętrznym IP.

Użyłem skryptów z katalogu EASY-RSA, czy jakoś tak do utworzenia certyfikatów (na jednym z serwerów to uruchomiłem). Dalej:

KONFIGURACJA VPN:
router1:~# joe /etc/openvpn/server.conf

Kod: Zaznacz cały

dev tun
local 192.168.33.100
remote 192.168.33.200
ifconfig 10.10.0.1 10.10.0.2
route 10.1.0.0 255.255.255.0 10.10.0.2
log-append /var/log/openvpn.log
 
tls-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem

comp-lzo
daemon
verb 5
; eof

router2:~# joe /etc/openvpn/openvpn.conf

Kod: Zaznacz cały

dev tun
local 192.168.33.200
remote 192.168.33.100
ifconfig 10.10.0.2 10.10.0.1
route 10.0.0.0 255.255.255.0 10.10.0.1
log-append /var/log/openvpn.log
 
tls-client
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key
 
comp-lzo
daemon
verb 5
; eof

URUCHOMIENIE - testy:

Kod: Zaznacz cały

router1:~# openvpn --config /etc/openvpn/server.conf
router2:~# openvpn --config /etc/openvpn/openvpn.conf

DODANIE, BY STARTOWA£ AUTOMATYCZNIE PODCZAS £ADOWANIA SYSTEMU:

Kod: Zaznacz cały

router1:~# update-rc.d openvpn defaults 99
 Adding system startup for /etc/init.d/openvpn ...
   /etc/rc0.d/K99openvpn -> ../init.d/openvpn
   /etc/rc1.d/K99openvpn -> ../init.d/openvpn
   /etc/rc6.d/K99openvpn -> ../init.d/openvpn
   /etc/rc2.d/S99openvpn -> ../init.d/openvpn
   /etc/rc3.d/S99openvpn -> ../init.d/openvpn
   /etc/rc4.d/S99openvpn -> ../init.d/openvpn
   /etc/rc5.d/S99openvpn -> ../init.d/openvpn

Kod: Zaznacz cały

router2:~# update-rc.d openvpn defaults 99

- ewentualnie mozna usunac wpisy i dodac jeszcze raz:

Kod: Zaznacz cały

router1:~# update-rc.d -f openvpn remove
router1:~# update-rc.d -f openvpn remove

Ponieważ powyższe nie działało prawidłowo poleceniem "joe /etc/rc.local":
- dopisałem linijkę (ROUTER1):

Kod: Zaznacz cały

/usr/sbin/openvpn --config /etc/openvpn/server.conf

- dopisałem linijkę (ROUTER2):

Kod: Zaznacz cały

/usr/sbin/openvpn --config /etc/openvpn/openvpn.conf

i jest dobrze.

Pozostałe konfigi:
router1:~# joe /etc/init.d/firewall

Kod: Zaznacz cały

TCP_SERVICES="22 [b]1194" # SSH only
UDP_SERVICES="[b]1194"

Kod: Zaznacz cały

#OpenVPN virtual devices
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A OUTPUT -o tap+ -j ACCEPT
# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT
  #Bridge interface - przekierowanie
iptables -A INPUT -i br+ -j ACCEPT
iptables -A FORWARD -i br+ -j ACCEPT

router2:~# joe /etc/init.d/firewall

Kod: Zaznacz cały

TCP_SERVICES="22 1194" # SSH only UDP_SERVICES="1194"

Kod: Zaznacz cały

# *** OpenVPN devices
   # Allow TUN interface connections to OpenVPN server
   iptables -A INPUT -i tun+ -j ACCEPT
   iptables -A OUTPUT -o tun+ -j ACCEPT
   # Allow TUN interface connections to be forwarded through other interfaces
   iptables -A FORWARD -i tun+ -j ACCEPT
   # Allow TAP interface connections to OpenVPN server
   iptables -A INPUT -i tap+ -j ACCEPT
   iptables -A OUTPUT -o tap+ -j ACCEPT
   # Allow TAP interface connections to be forwarded through other interfaces
   iptables -A FORWARD -i tap+ -j ACCEPT

router1:~# joe /etc/network/interfaces

Kod: Zaznacz cały

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
# The loopback network interface
auto lo
iface lo inet loopback
 
# Interfejs zewnetrzny
allow-hotplug eth0
iface eth0 inet static
        address 192.168.33.100
        netmask 255.255.0.0
        gateway 192.168.0.1
 
# Interfejs wewnetrzny
allow-hotplug eth1
iface eth1 inet static
        address 10.0.0.1
        netmask 255.255.255.0

router2:~# joe /etc/network/interfaces

Kod: Zaznacz cały

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
# The loopback network interface
auto lo
iface lo inet loopback
 
# Interfejs zewnętrzny
allow-hotplug eth0
#iface eth0 inet dhcp
iface eth0 inet static
        address 192.168.33.200
        netmask 255.255.0.0
        gateway 192.168.0.1
 
# Interfejs wewnętrzny
allow-hotplug eth1
#iface eth1 inet dhcp
iface eth1 inet static
        address 10.1.0.1
        netmask 255.255.255.0

ODPOWIEDZ

Posty: 3 • Strona 1 z 1

Wróć do „Serwer”