
Re: openvpn does not ping internal network ! help



Anderson,

There is some crazy routing going on.

10.32.1.1       0.0.0.0         255.255.255.255 UH        0 0          0 eth1
10.32.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         10.32.1.1       0.0.0.0         UG        0 0          0 eth0

The route 10.32.1.1/255.255.255.0 was not supposed to be on eth1 and not on eth0.

Take a look at that.

Alex Paulo Laner aka rootsh
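The routing problem pointed out above (a /32 host route for the default gateway 10.32.1.1 sitting on eth1 while the 10.32.1.0/24 network and the default route itself are on eth0) is easy to miss by eye. The script below is an added example, not code from anyone in this thread: it parses the Linux `netstat -rn` layout, resolves each gateway with the same longest-prefix match the kernel applies, and reports any gateway route whose next hop is reachable only through a different interface. The sample table is the one posted in the thread with its header translated to English; the parser skips any header line regardless of language.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Constructed sample: the routing table posted in the thread (header translated).
SAMPLE = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.32.2.2       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.32.1.1       0.0.0.0         255.255.255.255 UH        0 0          0 eth1
10.32.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.32.2.0       10.32.2.2       255.255.255.0   UG        0 0          0 tun0
123.123.123.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         10.32.1.1       0.0.0.0         UG        0 0          0 eth0
"""


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: Optional[IPv4Address]  # None for directly connected routes
    flags: str
    iface: str


def parse_netstat(text: str) -> List[Route]:
    """Parse `netstat -rn` output (Linux column order: dest gw mask flags mss win irtt iface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip banners and headers: a route line starts with a dotted-quad destination.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[7]
        network = IPv4Network((dest, mask), strict=False)
        gateway = None if gw == "0.0.0.0" else IPv4Address(gw)
        routes.append(Route(network, gateway, flags, iface))
    return routes


def lookup_connected(routes: List[Route], addr: IPv4Address) -> Optional[Route]:
    """Longest-prefix match among directly connected routes, as the kernel
    does when it resolves a next hop to an outgoing interface."""
    candidates = [r for r in routes if r.gateway is None and addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def find_gateway_conflicts(routes: List[Route]) -> List[Tuple[str, str, str, str]]:
    """Return (destination, gateway, route iface, iface the gateway really resolves to)
    for every gateway route whose next hop is reached through another interface."""
    conflicts = []
    for r in routes:
        if r.gateway is None:
            continue
        via = lookup_connected(routes, r.gateway)
        if via is None or via.iface != r.iface:
            conflicts.append((str(r.network), str(r.gateway), r.iface,
                              via.iface if via else "unreachable"))
    return conflicts


if __name__ == "__main__":
    table = parse_netstat(SAMPLE)
    for dest, gw, iface, real_iface in find_gateway_conflicts(table):
        print(f"{dest} via {gw} dev {iface}: gateway resolves to {real_iface}")
```

On the posted table the script reports only the default route: 10.32.1.1 matches the /32 on eth1 before the /24 on eth0, so the default route's interface and its gateway's interface disagree, which is exactly the mismatch to fix before looking at OpenVPN or iptables. The 10.32.2.0/24 route via 10.32.2.2 on tun0 is consistent and is not reported.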

On Mon, Mar 1, 2010 at 5:05 PM, Anderson Bertling <andersonbertling@gmail.com> wrote:
Hey, this is what I got back

Destino         Roteador        MáscaraGen.    Opções   MSS Janela  irtt Iface
10.32.2.2       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.32.1.1       0.0.0.0         255.255.255.255 UH        0 0          0 eth1
10.32.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.32.2.0       10.32.2.2       255.255.255.0   UG        0 0          0 tun0
123.123.123.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         10.32.1.1       0.0.0.0         UG        0 0          0 eth0

and in the log I get this

Mon Mar  1 17:01:31 2010 us=719177 sumaster/123.123.123.186:1194 UDPv4 WRITE [114] to 123.123.123.186:1194: P_CONTROL_V1 kid=0 [ ] pid=32 DATA len=100
Mon Mar  1 17:01:31 2010 us=719674 sumaster/123.123.123.186:1194 UDPv4 WRITE [100] to 123.123.123.186:1194: P_CONTROL_V1 kid=0 [ ] pid=33 DATA len=86
Mon Mar  1 17:01:31 2010 us=720306 sumaster/123.123.123.186:1194 UDPv4 READ [22] from 123.123.123.186:1194: P_ACK_V1 kid=0 [ 32 ]
Mon Mar  1 17:01:31 2010 us=722208 sumaster/123.123.123.186:1194 UDPv4 READ [22] from 123.123.123.186:1194: P_ACK_V1 kid=0 [ 33 ]
Mon Mar  1 17:01:32 2010 us=717034 sumaster/123.123.123.186:1194 UDPv4 READ [125] from 123.123.123.186:1194: P_DATA_V1 kid=0 DATA len=124
Mon Mar  1 17:01:32 2010 us=717261 sumaster/123.123.123.186:1194 TUN WRITE [84]
Mon Mar  1 17:01:33 2010 us=717220 sumaster/123.123.123.186:1194 UDPv4 READ [125] from 123.123.123.186:1194: P_DATA_V1 kid=0 DATA len=124
Mon Mar  1 17:01:33 2010 us=717404 sumaster/123.123.123.186:1194 TUN WRITE [84]




2010/3/1 Alex Paulo Laner <rootsh@noisemakers.org>

Anderson,

First of all, you don't need this rule in the firewall


iptables -A POSTROUTING -t nat -s 10.32.1.0/24 -o tun0 -j MASQUERADE

And in server.conf I see no need for these lines.

route-up "route delete -net 10.32.1.0/24"
route-up "route add -net 10.32.1.0/24 tun0"
push "default-gateway 10.32.1.1"

After that, send a netstat -rn so we can see the routing.

Alex Paulo Laner aka rootsh


On Mon, Mar 1, 2010 at 4:46 PM, Anderson Bertling <andersonbertling@gmail.com> wrote:
Hi, does anyone know what could be going on that it doesn't ping into the network?

2010/3/1 Anderson Bertling <andersonbertling@gmail.com>
Good afternoon !!!!!

I'm having problems getting an OpenVPN running; from what I've read it is about 90% working, but I can't ping any machine on the internal network! Here is my configuration to help understand the problem


server.conf

dev     tun
mode    server
proto udp
tls-server
client-to-client
dh      keys/dh1024.pem
ca      keys/ca.crt
cert    keys/server.crt
key     keys/server.key
duplicate-cn
server 10.32.2.0 255.255.255.0 # IP range clients
route-up "route delete -net 10.32.1.0/24"
route-up "route add -net 10.32.1.0/24 tun0"
push "route 10.32.1.0 255.255.255.0" # add route to protected network
push "dhcp-option DNS 10.32.1.14"
push "default-gateway 10.32.1.1"
port 1194
user nobody
group nogroup
comp-lzo
ping 60
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 6
log-append      /var/log/openvpn/openvpn.log
status          /var/log/openvpn/status.log
plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
#plugin /usr/lib/openvpn/openvpn-auth-pam.so common-password
client-cert-not-required
username-as-common-name
############################################################
firewall.sh

#!/bin/bash
echo 1
iptables -F
iptables -F INPUT
iptables -F OUTPUT
echo nat
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
echo 1 >  /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo tun
iptables -A FORWARD -i tun0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -A POSTROUTING -t nat -s 10.32.1.0/24 -o eth0 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 10.32.1.0/24 -o tun0 -j MASQUERADE
#################################################################
Client.conf

dev tun
tls-client
ca keys/ca.crt
remote  123.123.123.126
port  1194
pull
auth-user-pass
comp-lzo
ping  60
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 6
log-append      /var/log/openvpn/openvpn.log
status          /var/log/openvpn/status.log
########################################################
I have 2 network interfaces on the server: eth0 = 10.32.1.0, which is the real network,
and eth1 = 123.123.123.0, through which the connection will come in.


Regards

Anderson Bertling




--
Regards

Anderson Bertling





--
Regards

Anderson Bertling


