Zohei, 2017-12-03 23:07:34
openvpn

What blocks FTP behind NAT through OpenVPN?

Good afternoon.
I have the following connection scheme:
1. openvpn server (VDS FreeBSD), IP 10.8.0.1
2. openvpn client 1 (Windows XP)
3. openvpn client 2 (Ubuntu Linux), IP 10.8.0.2
I need to connect via FTP from client 1 (XP) to client 2 (Ubuntu).
FTP from the server to client 2 works in both passive and active modes.
But client 1 fails on the LIST command when fetching the directory listing from client 2:

Статус:	Соединяюсь с 10.8.0.2:21...
Статус:	Соединение установлено, ожидание приглашения...
Ответ:	220 Welcome to Raspberry Pi.
Команда:	USER pi
Ответ:	331 Please specify the password.
Команда:	PASS ******
Ответ:	230 Login successful.
Статус:	Сервер не поддерживает символы не ASCII.
Статус:	Соединение установлено
Статус:	Получение списка каталогов...
Команда:	CWD /home/pi/rpi
Ответ:	250 Directory successfully changed.
Команда:	PWD
Ответ:	257 "/home/pi/rpi" is the current directory
Команда:	TYPE I
Ответ:	200 Switching to Binary mode.
Команда:	PASV
Ответ:	227 Entering Passive Mode (10,8,0,2,235,68).
Команда:	LIST
Ответ:	150 Here comes the directory listing.
Ошибка:	Превышено время ожидания соединения
Ошибка:	Не удалось получить список каталогов

openvpn server conf

port 1194
proto tcp
dev tun
askpass /usr/local/etc/openvpn/pass
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key
dh /usr/local/etc/openvpn/keys/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /usr/local/etc/openvpn/ccd
client-config-dir ccd
route 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 10
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 0

openvpn client conf

client
dev tun
proto tcp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys\\ca.crt
cert keys\\client_win.crt
key keys\\client_win.key
tls-auth keys\\ta.key 1
cipher AES-256-CBC
verb 3
mute 20
auth-user-pass keys\\pass.conf
;auth-retry nointeract
auth-nocache

Guilty as charged: I confess I haven't mastered iptables yet. I thoughtlessly copied configs from the Internet, tried different ones, and forwarded ports:
iptables

# general rules for forwarding traffic between external interface tap0 and internal interface eth0
# note: the OpenVPN configs above use "dev tun", so the VPN interface is a tun device (tun0), not tap0
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
iptables -A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT
# NAT for active/passive FTP. 192.168.178.21 would be your internal ftp server
iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT --to 192.168.178.21:20
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 192.168.178.21:21
iptables -t nat -A PREROUTING -p tcp --dport 1024:65535 -j DNAT --to 192.168.178.21:1024-65535
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 20 -j ACCEPT
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 21 -j ACCEPT
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 1024:65535 -j ACCEPT
# allowing active/passive FTP
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# should return 1
cat /proc/sys/net/ipv4/ip_forward
# otherwise
sysctl -w net.ipv4.ip_forward=1
# legacy module names; on current kernels the FTP helpers are nf_conntrack_ftp and nf_nat_ftp
modprobe ip_nat_ftp
lsmod | grep ip_nat_ftp
lsmod | grep ip_conntrack_ftp
# if no result then load them until next reboot, google for making it permanent depending on your OS
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp

My nerves are giving out) help me out)
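The log above shows the server answering PASV with (10,8,0,2,235,68) and the client then timing out on LIST, so the data connection to 10.8.0.2 port 235*256+68 = 60228 is what never completes. The following diagnostic, added here as an example and not part of the original post, parses a 227 reply, checks that the announced address matches the control-connection peer (the usual NAT symptom), and probes the data port, distinguishing a silent drop (firewall or routing) from a refused connection. Python 3 standard library only; the sample reply is copied from the log, and the probe is injectable so the logic can be tested offline.

```python
import re
import socket

# Constructed sample: the 227 reply from the question's FileZilla log.
PASV_REPLY = "227 Entering Passive Mode (10,8,0,2,235,68)."

def parse_pasv(reply):
    """Return (host, port) from an RFC 959 '227' reply; port = p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def probe_data_port(host, port, timeout=3.0):
    """Open a plain TCP connection to the announced data port, as the client
    does after LIST. Returns (ok, reason); a timeout means the SYN was dropped
    (filtered), a refusal means the host answered but nothing is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout: packets dropped by a firewall or not routed"
    except ConnectionRefusedError:
        return False, "refused: host reachable, nothing listening on the port"
    except OSError as exc:
        return False, "error: %s" % exc

def diagnose(control_host, reply, probe=probe_data_port):
    """Classify a passive-mode failure. control_host is the address the
    control connection went to (10.8.0.2 in the question)."""
    host, port = parse_pasv(reply)
    if host != control_host:
        # Classic NAT symptom: the server advertises an address the client cannot reach.
        return ("server announced %s but the control connection is to %s; "
                "fix the address the FTP server advertises for passive mode"
                % (host, control_host))
    ok, reason = probe(host, port)
    if ok:
        return "data port %d reachable; the block is not in the network path" % port
    return ("data port %d on %s unreachable (%s); check the packet filter on "
            "the FTP host, the VPN client-to-client path, and the server's "
            "passive port range" % (port, host, reason))
```

Run `diagnose("10.8.0.2", PASV_REPLY)` from the Windows client: a timeout points at a filter on the Ubuntu host or in the tunnel, whereas a mismatch message points at the advertised address rather than at iptables.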
