Alexander Sklyarov, 2013-07-31 19:08:36
linux

Openvpn and multiple networks

Given:

Network on the server
auto eth0
iface eth0 inet static #DMZ
address 172.17.0.15
netmask 255.255.255.0
gateway 172.17.0.1
dns-nameservers 8.8.8.8
post-up iptables-restore < /etc/iptables.up.rules
auto eth1
iface eth1 inet static #LAN
address 192.168.0.248
netmask 255.255.254.0

iptables on the server
*filter
:INPUT ACCEPT [1686:236913]
:FORWARD ACCEPT [902:97103]
:OUTPUT ACCEPT [582:97191]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT

COMMIT
*nat
:PREROUTING ACCEPT [530:58069]
:INPUT ACCEPT [65:7234]
:OUTPUT ACCEPT [72:4464]
:POSTROUTING ACCEPT [72:4464]
-A POSTROUTING -o eth0 -j MASQUERADE (the clients need to reach into the DMZ)
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

openvpn.conf on the server
local 172.17.0.15
port 1194
proto udp
dev tun0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
push "route 192.168.0.0 255.255.255.0"
push "route 172.17.100.0 255.255.255.0"

keepalive 10 120
#comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
mute 20
client-to-client
route 192.168.4.0 255.255.255.0
route 192.168.3.0 255.255.255.0


Client 1 openvpn.conf
remote 21X.XXX.XXX.XXX 1194
client
dev tun
proto udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/parsrv.crt
key /etc/openvpn/parsrv.key
#comp-lzo
verb 3
mute 20


1. The server has access to the network 192.168.4.0/24
2. The clients behind the VPN have access to the network 192.168.0.0/23
3. The clients from the network behind the OpenVPN server (the ones sitting behind the eth1 interface) have access only to 192.168., i.e. only to it, only on the tun0 interface.

For eth1, the hardware gateway serving the network 192.168.0.0/23
has the following routes on it (for reliability):
192.168.10.0/24 192.168.0.248
192.168.3.0/24 192.168.0.248
192.168.4.0/24 192.168.0.248
route -n on the server
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.0.1 0.0.0.0 UG 100 0 0 eth0
172.17.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.254.0 U 0 0 0 eth1
192.168.3.0 192.168.10.2 255.255.255.0 UG 0 0 0 tun0
192.168.4.0 192.168.10.2 255.255.255.0 UG 0 0 0 tun0
192.168.10.0 192.168.10.2 255.255.255.0 UG 0 0 0 tun0
192.168.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0


ping from the server
ping 192.168.4.1
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
64 bytes from 192.168.4.1: icmp_req=1 ttl=64 time=59.3 ms
64 bytes from 192.168.4.1: icmp_req=2 ttl=64 time=57.7 ms


tcpdump on server when ping 192.168.4.1 from client
The client behind eth1 pings 192.168.4.1
tcpdump -i eth1 src 192.168.1.42
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
19:51:49.287200 ARP, Request who-has 192.168.4.1 tell 192.168.1.42, length 46

And on tun0, meanwhile, it is dead silent.


I have already tried everything I could think of and just got lost in the combinations.
What needs to be corrected so that a client behind the server can reach the other networks over the VPN?

4 answers
smartlight, 2013-07-31

Draw a diagram so it will be easier to understand where the routes are missing.
I'm 90% sure it's them.

tocha4, 2013-07-31

It is important to pay attention to the return route. Its absence is a common mistake.

alz, 2013-08-01

What netmask is configured on your client (192.168.1.42)? It is confusing that an ARP request is visible in tcpdump, i.e. the client thinks that it and the host 192.168.4.1 are on the same Ethernet network.
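As an added illustration of alz's point (this snippet is not part of the original thread): it parses the `route -n` table posted in the question, performs a kernel-style longest-prefix lookup on the server, and checks whether a LAN host with a given address/mask would treat 192.168.4.1 as on-link (and therefore ARP for it, as the tcpdump shows) instead of sending it to the gateway 192.168.0.248. The 255.255.0.0 mask used for comparison is a constructed value, not something stated in the thread.

```python
import ipaddress

# The `route -n` output posted in the question, embedded here as the sample input.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.0.1 0.0.0.0 UG 100 0 0 eth0
172.17.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.254.0 U 0 0 0 eth1
192.168.3.0 192.168.10.2 255.255.255.0 UG 0 0 0 tun0
192.168.4.0 192.168.10.2 255.255.255.0 UG 0 0 0 tun0
192.168.10.0 192.168.10.2 255.255.255.0 UG 0 0 0 tun0
192.168.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
"""

def parse_route_n(text):
    """Turn `route -n` lines into (network, gateway, iface); gateway None = on-link."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # title and column-header lines
        network = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
        gateway = None if fields[1] == "0.0.0.0" else fields[1]
        routes.append((network, gateway, fields[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match as the kernel does it; returns (gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, gateway, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    return None if best is None else (best[1], best[2])

def is_on_link(host_ip, netmask, dst):
    """True if a host configured with host_ip/netmask treats dst as a directly
    attached neighbour, i.e. it will ARP for dst instead of using its gateway."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    return ipaddress.ip_address(dst) in local_net

if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    print("server next hop for 192.168.4.1:", lookup(table, "192.168.4.1"))
    for mask in ("255.255.254.0", "255.255.0.0"):  # the real /23 vs a constructed /16
        print(f"client with mask {mask} ARPs for 192.168.4.1:", is_on_link("192.168.1.42", mask, "192.168.4.1"))
```

With the /23 mask from the question 192.168.4.1 is off-link and the client should send it to 192.168.0.248; an ARP request for it on eth1 is only consistent with a wider mask (or a missing default route) on the client.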

merlin-vrn, 2013-08-01

The "server" option effectively turns OpenVPN itself into a separate router. That is, routes have to be configured inside it as well.
In general, start by drawing a diagram, draw the OpenVPN process as a router, and accordingly take into account that it also has a routing table and what that table should look like.
