[Discussion] OpenVPN: how to reach the local network (solved)
Hello everyone on the board. I've recently been helping a friend test a VPN; the software in use is OpenVPN.
The architecture diagram is as follows:
http://i.imgur.com/VlxCZxP.png
The current problem is that all the tests connect fine and clients can reach the internet through the OpenVPN server, but they cannot connect to the company's internal network.
Phase 1
Two network interfaces:
eth0 has a dedicated public IP and eth1 has an internal IP. With a static route set on the server itself, the 10.0.0.0 network can be pinged,
but the VPN client cannot reach it. The iptables config file is below.
Phase 2
Only one interface, eth0, with a private IP, but the firewall maps a public IP to that private IP,
so the outside can connect to the VPN server. The problem is the same... internal hosts cannot be reached.
OS: CentOS 7.1
firewalld and SELinux have been disabled.
The config files used in both cases are as follows:
=======================================================
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
=============================================================
/etc/openvpn.conf
=============================================================
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh2048.pem
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
;duplicate-cn
keepalive 10 120
tls-auth easy-rsa/keys/ta.key 0
cipher aes-256-cbc
comp-lzo
max-clients 10
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
push "route 10.0.0.0 255.0.0.0"
=============================================================
I'm wondering whether in Phase 1 iptables simply isn't forwarding to the 10.0.0.0 network,
but after adding that it still can't reach the internal network; the Win 7 client's routing table does show 10.0.0.0,
yet hosts on that network can't be pinged.
I'd appreciate everyone's input on the above, thanks.
To speed up testing, I wrote a simple install script for reference (still being revised):
=============================================================
#!/bin/bash
# Install packages
yum install openvpn easy-rsa -y
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.conf
sysctl -p
cat > /etc/sysconfig/iptables << EOA
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Open 1194 for OpenVPN connections
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# (optional) let VPN clients reach the internet through eth0
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Add SNAT; MASQUERADE automatically uses eth0's current IP address for the outbound SNAT
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOA
systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables.service
systemctl restart iptables.service
mkdir /etc/openvpn/easy-rsa
cp -R /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
# build keys
cd /etc/openvpn/easy-rsa/
. ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
./pkitool client
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
cat > /etc/openvpn/server.conf << VPN
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key # This file should be kept secret
dh easy-rsa/keys/dh2048.pem
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
# Allow multiple clients to connect at the same time. If the clients' certificate Common Names are duplicated, or all clients connect with the same CA and keys, this option must be enabled, otherwise only one person can connect
;duplicate-cn
keepalive 10 120
tls-auth easy-rsa/keys/ta.key 0 # This file is secret. Enable tls-auth to reduce DDoS risk
cipher aes-256-cbc
comp-lzo
max-clients 10
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
VPN
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
=============================================================
--
※ Posted from: 批踢踢實業坊 (ptt.cc), from: 50.117.78.152
※ Article URL: https://www.ptt.cc/bbs/MIS/M.1434715694.A.414.html
※ Edited: juliai (50.117.78.152), 06/19/2015 20:08:45
→ 06/19 20:20, 1F
→ 06/19 20:21, 2F
→ 06/19 20:48, 3F
It worked, thanks!
推 06/19 21:09, 4F
No need to ask... my friend asked me to help XD
推 06/19 21:35, 5F
Thanks for the suggestion, but for now we can only use CentOS.
→ 06/19 21:44, 6F
→ 06/19 21:45, 7F
→ 06/19 21:46, 8F
I really dislike using Fortinet's SSL VPN... you have to install all sorts of extra stuff; it connected successfully once
and then never again, for reasons unknown.
Solved
Phase 1
Besides the eth0 NAT rule, the eth1 one must be added as well:
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
The FORWARD part needs to be added too:
# If eth1 connects to the internal network, add the same rules; the interface name must be correct
-A FORWARD -i eth1 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth1 -j ACCEPT
For Phase 2, I hadn't noticed that the interface is named enxxxx;
replacing eth0 with enxxx made it work.
In neither case was any other device touched; only the OpenVPN server was modified.
Also note, in vi /etc/openvpn/server.conf:
# The virtual subnet between the VPN server and clients; it must be completely separate and must match iptables
server 192.168.0.0 255.255.255.0
# This part just needs to match the internal network's subnet
push "route 10.0.0.0 255.0.0.0"
I'll test site-to-site when I have time.
Also, is there a recommended OpenVPN authentication method? Certificates feel quite secure,
but they're a little bit of a hassle.
※ Edited: juliai (216.172.148.23), 06/20/2015 12:45:06
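As an added example (not code from the original post), here is a small Python checker that applies iptables first-match semantics to an iptables-save dump and reports why clients on tun0 cannot reach the LAN behind a given interface. The two rulesets embedded in it are constructed from the post's before-fix rules and from the eth1 lines added in the resolution; run against the former with lan_if set to eth1 it flags exactly the Phase 1 problem, and against eth0 it confirms why internet access already worked.

```python
import shlex

# Constructed sample: the FORWARD/POSTROUTING rules from the post, before the fix.
RULES_BEFORE = """\
*filter
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
*nat
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
"""
# The same dump with the eth1 lines from the resolved post inserted ahead of the REJECT.
RULES_AFTER = RULES_BEFORE.replace(
    "-A FORWARD -j REJECT",
    "-A FORWARD -i eth1 -o tun0 -j ACCEPT\n-A FORWARD -i tun0 -o eth1 -j ACCEPT\n"
    "-A FORWARD -j REJECT",
).replace("-o eth0 -j MASQUERADE\n",
          "-o eth0 -j MASQUERADE\n-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE\n")

def parse_rules(dump):
    """Group the '-A' lines of an iptables-save dump by table, keeping their order."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A") and table is not None:
            tables.setdefault(table, []).append(shlex.split(line))
    return tables

def _opt(tokens, flag):  # value after `flag`; None means the rule does not constrain it
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def verdict(rules, chain, want):
    """First-match walk of `chain`: target (-j) of the first rule whose -i/-o/-s
    constraints agree with `want` (unset = wildcard); None means the chain policy."""
    for tok in rules:
        if tok[1] == chain and all(_opt(tok, f) in (None, v) for f, v in want.items()):
            return _opt(tok, "-j")
    return None

def check_vpn_to_lan(dump, vpn_if, lan_if, vpn_net):
    """List what stops clients on vpn_if (tun0) from reaching the LAN behind lan_if."""
    tables = parse_rules(dump)
    filt, nat = tables.get("filter", []), tables.get("nat", [])
    problems = []
    if verdict(filt, "FORWARD", {"-i": vpn_if, "-o": lan_if}) != "ACCEPT":
        problems.append(f"FORWARD {vpn_if}->{lan_if} not accepted: requests never leave")
    if verdict(filt, "FORWARD", {"-i": lan_if, "-o": vpn_if}) != "ACCEPT":
        problems.append(f"FORWARD {lan_if}->{vpn_if} not accepted: replies are dropped")
    if verdict(nat, "POSTROUTING", {"-s": vpn_net, "-o": lan_if}) not in ("MASQUERADE", "SNAT"):
        problems.append(f"no SNAT for {vpn_net} on {lan_if}: LAN hosts need a route back")
    return problems
```

The third check is a reminder that MASQUERADE on the LAN side is only one option: without it, every internal host (or its gateway) needs a route for 192.168.0.0/24 pointing at the VPN server, which is also what keeps the real client address visible in internal logs.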
推 06/20 13:53, 9F