Hi,

I have been struggling for a few days to set up an OpenVPN server on Debian 8, and it only partially works.

I have configured OpenVPN and I can connect to it using certificates, with 2 different clients. The problem I have and cannot figure out (I have no experience with this) is the routing part. That is, after I connect, I cannot access the network behind the server (192.168.0.x), only 10.8.0.0. I have tried a great many combinations of iptables rules, but it seems nothing wants to work.

server.conf looks roughly like this:
----------------------------
port 1194
proto udp
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
client-config-dir ccd
route 192.168.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.251"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
----------------------------

And in iptables I have the following:
----------------------------
*filter
:INPUT ACCEPT [9569:1312821]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14988:18349747]
-A FORWARD -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 192.168.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [527:60687]
:INPUT ACCEPT [297:44000]
:OUTPUT ACCEPT [17:1003]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
----------------------------

Sorry if the mail is too long; I am trying to give as many details as possible, and it is not clear to me whether it is OK to send attachments to the list or not.

Thanks,
-- 
Regards,
Catalin Soare
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug
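
Added example (not part of the original message): iptables walks each chain top-down and stops at the first terminating target, so a lint over the posted ruleset can show which rules can never match and which are repeated. The `parse` and `lint` helpers and the `TERMINAL` set are names made up for this example; line numbers refer to the ruleset as posted.

```python
import shlex
# Ruleset copied verbatim from the post (iptables-save format).
RULESET = """\
*filter
:INPUT ACCEPT [9569:1312821]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14988:18349747]
-A FORWARD -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 192.168.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [527:60687]
:INPUT ACCEPT [297:44000]
:OUTPUT ACCEPT [17:1003]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE"}  # targets that end chain traversal

def parse(text):  # -> {(table, chain): [(line_no, match_tokens, target_tokens), ...]}
    chains, table = {}, None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            tok = shlex.split(line)
            j = tok.index("-j")  # assumes every rule carries a -j target
            rule = (n, tuple(tok[2:j]), tuple(tok[j + 1:]))
            chains.setdefault((table, tok[1]), []).append(rule)
    return chains

def lint(text):
    """Flag rules behind an unconditional terminal rule, and exact duplicates."""
    findings = []
    for rules in parse(text).values():
        catch_all, seen = None, {}
        for n, match, target in rules:
            if catch_all is not None:
                findings.append((n, "unreachable", catch_all))
            elif seen.setdefault((match, target), n) != n:
                findings.append((n, "duplicate", seen[(match, target)]))
            if catch_all is None and not match and target[0] in TERMINAL:
                catch_all = n
    return findings
```

`lint(RULESET)` reports filter lines 6 to 9 as unreachable behind the unconditional `-A FORWARD -j ACCEPT` on line 5, and nat line 18 as a repeat of line 16.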
