
[openvpn] reaching a subnet behind the client


  • roelke
  • Registered: July 2005
  • Last online: 28-11 12:54
Hi all,

I'm working with OpenVPN and my goal is to reach the devices behind the client's NAT from the server.

Server:
Debian VPS
eth0 inet addr:185.x.x.62 Bcast:185.x.x.255
tun0 inet addr:10.8.0.1 P-t-P:10.8.0.2

Client:
WNR3500LV2 with Tomato
br0 inet addr:192.168.1.1 Bcast:192.168.1.255 (IP range of the devices I want to reach)
tun0 inet addr:10.8.0.6 P-t-P:10.8.0.5

Client config:
code:
dev tun
persist-tun
persist-key
cipher none
auth SHA1
remote bla1194 udp
tls-client
client
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 4
redirect-gateway def1


Server config:
code:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
duplicate-cn
keepalive 10 120
cipher none
status openvpn-status.log
log openvpn.log
verb 4
route 192.168.1.0 255.255.255.0


In ccd there is the file client with the following:
code:
iroute 192.168.1.0 255.255.255.0
iroute 172.19.3.0 255.255.255.0


I can ping from 192.168.1.1 to 10.8.0.1.

A traceroute from the client to 8.8.8.8 also goes neatly via 10.8.0.1:
code:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  10.8.0.1 (10.8.0.1)  13.043 ms  13.586 ms  13.014 ms
 2  84.22.97.1 (84.22.97.1)  15.212 ms  15.053 ms  11.669 ms
 3  164.138.24.54 (164.138.24.54)  14.143 ms  22.181 ms  13.248 ms
 4  164.138.24.32 (164.138.24.32)  12.765 ms  12.566 ms  13.312 ms


But what I actually want does not work, and that is pinging 192.168.1.1 from the server.
Anyone have any idea why not?

I've GoT a solution
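As an added check (not code from the thread or from OpenVPN itself), the script below cross-checks a server.conf against its ccd files the way the setup in the post requires: every client-side subnet needs a `route` in server.conf (so the kernel sends it into tun0) and a matching `iroute` in that client's ccd file (so OpenVPN knows which client owns it). The inputs are constructed to mirror the configs posted above; on them it reports the 172.19.3.0/24 iroute that has no `route`, and flags the `duplicate-cn` and `cipher none` settings.

```python
import ipaddress

# Constructed example inputs that mirror the server.conf and ccd/client
# from the post; not files taken from the poster's system.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
client-to-client
duplicate-cn
cipher none
route 192.168.1.0 255.255.255.0
"""
CCD = {"client": "iroute 192.168.1.0 255.255.255.0\niroute 172.19.3.0 255.255.255.0\n"}


def directives(text):
    """Yield (keyword, [args]) for every non-empty, non-comment config line."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]


def networks(text, keyword):
    """Set of networks declared as '<keyword> <network> <netmask>'."""
    return {ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
            for k, a in directives(text) if k == keyword and len(a) >= 2}


def check(server_conf, ccd):
    """Return findings as strings; empty when the route/iroute pairing is sound."""
    findings = []
    routes = networks(server_conf, "route")
    iroutes = set()
    for cn, body in ccd.items():
        for net in networks(body, "iroute"):
            iroutes.add(net)
            if net not in routes:          # kernel would never send this into tun0
                findings.append(f"ccd/{cn}: iroute {net} lacks a route in server.conf")
    for net in routes - iroutes:            # OpenVPN cannot pick a client for it
        findings.append(f"server.conf: route {net} is not claimed by any iroute")
    opts = dict(directives(server_conf))
    if "duplicate-cn" in opts and iroutes:
        findings.append("duplicate-cn: concurrent sessions with one CN would share the same iroute")
    if opts.get("cipher") == ["none"]:
        findings.append("cipher none: tunnel payload is sent unencrypted")
    return findings


if __name__ == "__main__":
    print("\n".join(check(SERVER_CONF, CCD)) or "routing looks consistent")
```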


  • CyBeR
  • Registered: September 2001
  • Not online

Do those hosts use your VPN client as their router? If not, either set that up, or configure your VPN client to NAT traffic from the server to the local subnet.

All my posts are provided as-is. They come with NO WARRANTY at all.


  • roelke
  • Registered: July 2005
  • Last online: 28-11 12:54
Clients get a 192.168.1.x IP address.
The tests I have done so far were all done from 192.168.1.1 (the Tomato router); the OpenVPN client also runs on it.

I've GoT a solution


  • Thralas
  • Registered: December 2002
  • Last online: 23:39
It would help if you also showed the routing tables.

  • CyBeR
  • Registered: September 2001
  • Not online

And any firewall rules.

All my posts are provided as-is. They come with NO WARRANTY at all.


  • roelke
  • Registered: July 2005
  • Last online: 28-11 12:54
Server:
code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 178K   32M ACCEPT     all  --  any    any     anywhere             anywhere
28472 2307K fail2ban-ssh  tcp  --  any    any     anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
16666 5218K ACCEPT     all  --  any    any     anywhere             anywhere
   30  2390 ACCEPT     all  --  any    tun+    anywhere             anywhere
   28  3008 ACCEPT     all  --  tun+   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 192K   33M ACCEPT     all  --  any    any     anywhere             anywhere

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     103.41.124.12        anywhere
23796 1999K RETURN     all  --  any    any     anywhere             anywhere


code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         hlm1-pod9-vc9-v 0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
185.24.221.0    *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0



Client:

code:
Chain INPUT (policy DROP 626 packets, 79104 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  4164 DROP       all  --  any    any     anywhere             anywhere            state INVALID
15887 2877K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    6   432 shlimit    tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh state NEW
   38  2567 ACCEPT     all  --  lo     any     anywhere             anywhere
 5409  486K ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpts:33434:33534
    2   664 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc
    0     0 ACCEPT     all  --  eth0   any     anywhere             10.8.0.0/24

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7827  946K ACCEPT     all  --  any    tun+    anywhere             anywhere
    8   798 ACCEPT     all  --  tun+   any     anywhere             anywhere
 274K  213M            all  --  any    any     anywhere             anywhere            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
   14   560 DROP       all  --  any    any     anywhere             anywhere            state INVALID
 4512  232K TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 267K  212M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 wanin      all  --  vlan2  any     anywhere             anywhere
 5928  900K wanout     all  --  any    vlan2   anywhere             anywhere
 6389  928K ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth0   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 19476 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain shlimit (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   432            all  --  any    any     anywhere             anywhere            recent: SET name: shlimit side: source
    0     0 DROP       all  --  any    any     anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination


code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.19.3.1      *               255.255.255.255 UH    0      0        0 vlan2
172.19.3.0      *               255.255.255.0   U     0      0        0 vlan2
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         172.19.3.1      0.0.0.0         UG    0      0        0 vlan2

[ Edited 25% by roelke on 29-11-2014 14:59 ]

I've GoT a solution


  • CyBeR
  • Registered: September 2001
  • Not online

You need to do the firewall with -v.

All my posts are provided as-is. They come with NO WARRANTY at all.


  • roelke
  • Registered: July 2005
  • Last online: 28-11 12:54
I have edited my previous post.

I've GoT a solution
