Re: problems with openvpn / android - [SOLVED]
On Tue, 19 Mar 2013 10:30:15 +0100
Bzzz <lazyvirus@gmx.com> wrote:
OK, I finally found it: an MTU problem (not having root access,
I don't know what FreeMobile uses, but I remembered an article
saying that the 3G MTU was < the 2G one, and that was confirmed).
So for those interested, here is the config that does the job
and works perfectly with Feat VPN (routed mode and tun0
mandatory since the phone is not rooted).
NB: If you only access one or more HTTP servers in the LAN,
remove LZO compression and let the HTTP server do it
(more efficient).
LAN............: 192.168.1.0/24
LAN DNS........: 192.168.1.25
LAN domain.....: mydomain (LAN domain suffix)
Android clients: 172.16.0.0/24
DynDNS web name: myinternetdydnsname
==================== SVR
# listen on? (optional)
local 192.168.1.25
port 1194
proto udp
# Routed mode only use tun devices
dev tun0
ca /etc/openvpn/SSL/ca.crt
cert /etc/openvpn/SSL/server.crt
key /etc/openvpn/SSL/server.key
dh /etc/openvpn/SSL/dh2048.pem
# Get rid of MitM attacks (HMAC on the TLS control channel)
tls-auth /etc/openvpn/SSL/ta.key 0
# tls-server takes no argument
tls-server
# RFC 1918 private ranges:
# 10.0.0.0 to 10.255.255.255 => /8
# 172.16.0.0 to 172.31.255.255 => /12
# 192.168.0.0 to 192.168.255.255 => /16
server 172.16.0.0 255.255.255.0
# Keep clients IP addresses to reuse the same next time
ifconfig-pool-persist ipp.txt
# 1350 IS MANDATORY FOR FreeMobile 3G (WCDMA)
# NB: 1450 fits for FreeMobile 2g ONLY
tun-mtu 1350
# For the whole LAN to be reachable by clients
push "route 192.168.1.0 255.255.255.0"
# Tell clients to redirect any network activity into the tunnel
push "redirect-gateway def1 bypass-dhcp"
# My LAN DNS
push "dhcp-option DNS 192.168.1.25"
# My LAN domain suffix
push "dhcp-option DOMAIN mydomain"
# For clients to "talk" to others
;client-to-client
# DEPENDS ON (!):
mode server
# Keep connection alive (divide the svr timeout by 2 for clients)
keepalive 10 120
push "keepalive 10 60"
# Ciphers
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
cipher BF-CBC
# Compression
comp-lzo yes
push "comp-lzo yes"
# Jettison root privileges when started
user nobody
group nogroup
# Restart faster (but what about security???)
# (these two take no argument)
persist-key
persist-tun
# Avoids reconnection errors
# (requires client to sign off, non-existing otherwise)
push "explicit-exit-notify 3"
# Logs: log:recreate log file each time
# log-append: append to log file
status-version 2
status /etc/openvpn/LOGS/openvpn-status.log 5
;log /etc/openvpn/LOGS/openvpn.log
log-append /etc/openvpn/LOGS/openvpn.log
# Log verbosity (0-9)
verb 3
# Iptables scripts: on/off
# MUST BE ≥ 2 to execute external scripts
script-security 3
up /etc/openvpn/IPTABLES.sh
# CAUTION: THE STOP SCRIPT IS *NEVER* EXECUTED IN DAEMON MODE,
# *ONLY* IF OVPN IS RUN THROUGH INETD!
# (note: once user/group have been dropped, a down script no longer
# has the privileges needed to change iptables; the down-root plugin
# exists for that case)
down /etc/openvpn/WIPE_IPTABLES.sh
==================== CLIENT
client
dev tun
proto udp
remote myinternetdydnsname 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-auth ta.key 1
tls-client
comp-lzo yes
verb 3
==================== /etc/openvpn/IPTABLES.sh
#!/bin/sh
#-------------
# Cleansing
iptables -F -v
iptables -F -v -t nat
#-------------
# VPN traffic in/out LAN/Anywhere
iptables -A FORWARD -i tun+ -j ACCEPT
# NAT the VPN pool (must match "server 172.16.0.0 255.255.255.0" above)
# towards the Internet
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
==================== /etc/openvpn/WIPE_IPTABLES.sh
#!/bin/sh
#------------
iptables -F -v
iptables -F -v -t nat
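A small consistency check for a setup like the one above, added here as an example and not part of the original post or of OpenVPN: it parses a server config and its iptables "up" script and flags a stray argument on a flag-only option, a MASQUERADE rule whose source subnet does not cover the pool given by `server`, and a `down` script that will run after the `user` privilege drop. The `lint` and `parse_openvpn` functions and the embedded config excerpt are constructed for this example.

```python
import ipaddress
import re
import shlex
# OpenVPN options that take no argument; a trailing "yes" is rejected by 2.4+.
FLAG_OPTIONS = {"tls-server", "tls-client", "persist-key", "persist-tun",
                "client-to-client", "nobind", "client"}

def parse_openvpn(text):
    """Yield (option, args) pairs; '#' comments and ';'-disabled lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            parts = shlex.split(line)
            yield parts[0], parts[1:]

def lint(server_conf, up_script):
    """Return a list of findings for a server config and its iptables 'up' script."""
    findings, opts = [], {}
    for name, args in parse_openvpn(server_conf):
        opts.setdefault(name, []).append(args)
        if name in FLAG_OPTIONS and args:
            findings.append(f"{name}: takes no argument, drop {args!r}")
    if "server" in opts:
        net, mask = opts["server"][0][:2]
        pool = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        # A MASQUERADE rule must cover the pool or redirect-gateway clients get no NAT.
        nat_srcs = [ipaddress.ip_network(m, strict=False)
                    for m in re.findall(r"-s\s+(\S+).*MASQUERADE", up_script)]
        if not any(pool.subnet_of(s) for s in nat_srcs):
            findings.append(f"no MASQUERADE rule covers VPN pool {pool}")
    if "user" in opts and "down" in opts and "plugin" not in opts:
        findings.append("down script runs after 'user' privilege drop; "
                        "it cannot modify iptables (use the down-root plugin)")
    return findings

# Constructed excerpt of the post's server config and up script as first
# posted: VPN pool 172.16.0.0/24, but the NAT rule names 172.17.17.0/24.
SERVER_CONF = """
server 172.16.0.0 255.255.255.0
tls-server yes
user nobody
up /etc/openvpn/IPTABLES.sh
down /etc/openvpn/WIPE_IPTABLES.sh
"""
UP_SCRIPT = """
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.17.17.0/24 -o eth0 -j MASQUERADE
"""
```

Running `lint(SERVER_CONF, UP_SCRIPT)` on the excerpt returns three findings; after correcting the two config mistakes only the privilege-drop note remains.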