Temat: OpenVPN pomiędzy GG a BB
Mam problem - prawdopodobnie z firewallem - przy połączeniu VPN pomiędzy routerami na Gargoyle (serwer) i BB (klient). Kiedyś router kliencki miałem też na GG i wszystko pracowało poprawnie. Ale teraz zainstalowałem obraz BB+LuCI od Cezarego, wrzuciłem tam pliki VPN-a z GG, dodałem trochę konfiguracji w plikach i się połączyło.
Transmisja klient->server jest OK. Transmisja klient->LAN za serverem jest OK. Transmisja LAN klient -> LAN server już nie działa (Destination port unreachable). Wygląda na problem z firewallem, bo routing jest OK — „port unreachable" to domyślna odpowiedź celu REJECT w iptables, a w konfiguracji firewalla poniżej domyślne `forward=REJECT` nie jest nadpisane żadnym przekierowaniem `lan -> vpn` ani `vpn -> lan` (są tylko `lan -> wan` i `vpn -> wan`); `forward=ACCEPT` ustawione na strefie obejmuje wyłącznie ruch między sieciami tej samej strefy, więc pakiety z LAN do tun0 prawdopodobnie odrzuca sam router klienta (po stronie serwera trzeba też sprawdzić, czy ma `iroute` dla 192.168.9.0/24). Nie potrafię sobie z tym poradzić. Może ktoś pomoże z wprawnym okiem?
root@RanczoRouter:~# uci show network
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.globals=globals
network.globals.ula_prefix=fdc2:3eff:faeb::/48
network.lan=interface
network.lan.ifname=eth0
network.lan.force_link=1
network.lan.type=bridge
network.lan.proto=static
network.lan.netmask=255.255.255.0
network.lan.ip6assign=60
network.lan.ipaddr=192.168.9.1
network.wan=interface
network.wan.proto=dhcp
network.wan.auto=1
network.wan.dns=8.8.8.8 8.8.4.4
network.wan.peerdns=0
network.wan.ifname=eth2
network.wan6=interface
network.wan6.ifname=@wan
network.wan6.proto=dhcpv6
network.@switch[0]=switch
network.@switch[0].name=switch0
network.@switch[0].reset=1
network.@switch[0].enable_vlan=1
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device=switch0
network.@switch_vlan[0].vlan=1
network.@switch_vlan[0].ports=0 1 2 3 4
network.vpn=interface
network.vpn.ifname=tun0
network.vpn.proto=none
root@RanczoRouter:~# uci show openvpn
openvpn.custom_config=openvpn
openvpn.custom_config.enabled=1
openvpn.custom_config.script_security=3
openvpn.custom_config.up=/etc/openvpn.up
openvpn.custom_config.down=/etc/openvpn.down
openvpn.custom_config.config=/etc/openvpn/grouter_client_qhikteooygdh.conf
openvpn.custom_config.enable=1
openvpn.custom_config.dev=tun
openvpn.custom_config.proto=tcp
root@RanczoRouter:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].input=ACCEPT
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=REJECT
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].network=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].forward=ACCEPT
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].network=wan wan6
firewall.@zone[1].input=REJECT
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].forward=REJECT
firewall.@zone[1].masq=1
firewall.@zone[1].mtu_fix=1
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src=lan
firewall.@forwarding[0].dest=wan
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-DHCP-Renew
firewall.@rule[0].src=wan
firewall.@rule[0].proto=udp
firewall.@rule[0].dest_port=68
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[1]=rule
firewall.@rule[1].name=Allow-Ping
firewall.@rule[1].src=wan
firewall.@rule[1].proto=icmp
firewall.@rule[1].icmp_type=echo-request
firewall.@rule[1].family=ipv4
firewall.@rule[1].target=ACCEPT
firewall.@rule[2]=rule
firewall.@rule[2].name=Allow-DHCPv6
firewall.@rule[2].src=wan
firewall.@rule[2].proto=udp
firewall.@rule[2].src_ip=fe80::/10
firewall.@rule[2].src_port=547
firewall.@rule[2].dest_ip=fe80::/10
firewall.@rule[2].dest_port=546
firewall.@rule[2].family=ipv6
firewall.@rule[2].target=ACCEPT
firewall.@rule[3]=rule
firewall.@rule[3].name=Allow-ICMPv6-Input
firewall.@rule[3].src=wan
firewall.@rule[3].proto=icmp
firewall.@rule[3].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type router-solicitation neighbour-solicitation router-advertisement neighbour-advertisement
firewall.@rule[3].limit=1000/sec
firewall.@rule[3].family=ipv6
firewall.@rule[3].target=ACCEPT
firewall.@rule[4]=rule
firewall.@rule[4].name=Allow-ICMPv6-Forward
firewall.@rule[4].src=wan
firewall.@rule[4].dest=*
firewall.@rule[4].proto=icmp
firewall.@rule[4].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type
firewall.@rule[4].limit=1000/sec
firewall.@rule[4].family=ipv6
firewall.@rule[4].target=ACCEPT
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
firewall.miniupnpd=include
firewall.miniupnpd.type=script
firewall.miniupnpd.path=/usr/share/miniupnpd/firewall.include
firewall.miniupnpd.family=any
firewall.miniupnpd.reload=1
firewall.@zone[2]=zone
firewall.@zone[2].name=vpn
firewall.@zone[2].input=ACCEPT
firewall.@zone[2].forward=ACCEPT
firewall.@zone[2].output=ACCEPT
firewall.@zone[2].network=vpn
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src=vpn
firewall.@forwarding[1].dest=wan
firewall.@rule[5]=rule
firewall.@rule[5].name=OpenVPN
firewall.@rule[5].target=ACCEPT
firewall.@rule[5].src=wan
firewall.@rule[5].dest_port=1194
firewall.@rule[5].proto=tcp
root@RanczoRouter:~# cat /etc/openvpn/grouter_client_qhikteooygdh.conf
# OpenVPN client-side config for the site-to-site tunnel from this router
# (RanczoRouter, LAN 192.168.9.0/24) to the Gargoyle server. The post says the
# files were carried over from a Gargoyle-generated client bundle, so every
# crypto/compression option below must stay in step with the server config;
# change them on both ends at once.
# Wrapped by /etc/config/openvpn (custom_config), which adds script_security 3
# for /etc/openvpn.up and /etc/openvpn.down. Level 2 already allows user
# scripts; level 3 additionally lets passwords reach scripts via environment
# variables, which a certificate-only client like this one does not need.
client
# Server endpoint (IP masked in the post). TCP on both sides (server side has
# proto=tcp in uci); UDP is the usual choice for a tunnel, but the server
# dictates the protocol here.
remote 195.xxx.xxx.xxx 1194
dev tun
proto tcp-client
# Periodically rewritten status/route dump. It lists peer addresses; check its
# permissions if any unprivileged account exists on the router.
status /var/openvpn/current_status
# Keep retrying endpoint resolution forever instead of exiting on failure.
resolv-retry infinite
# Verifies the server cert's nsCertType=server extension, so another *client*
# cert signed by the same CA cannot impersonate the server. Deprecated and
# removed in OpenVPN 2.5; the replacement is `remote-cert-tls server`, which
# checks the serverAuth EKU / keyUsage instead -- switch only after confirming
# the Gargoyle server cert carries those extensions. Do not simply delete it.
ns-cert-type server
# tun0 addressed as a real subnet; presumably matches the server's topology.
topology subnet
verb 3
# Blowfish-CBC is a 64-bit block cipher (SWEET32 birthday attack on long-lived
# tunnels). It is deprecated and not accepted without explicit opt-in from
# OpenVPN 2.5 on; `keysize` is deprecated with it. There is no `auth` line, so
# the data-channel HMAC is OpenVPN's default SHA1. Migrate both endpoints
# together, e.g. to AES-256-GCM (or AES-256-CBC plus `auth SHA256` where GCM
# is unavailable).
cipher BF-CBC
keysize 128
# Client identity: CA, client cert and private key. Nothing in this file drops
# privileges (no user/group), so the daemon stays root; the .key file should
# still be readable by root only.
ca /etc/openvpn/grouter_client_qhikteooygdh_ca.crt
cert /etc/openvpn/grouter_client_qhikteooygdh.crt
key /etc/openvpn/grouter_client_qhikteooygdh.key
# HMAC "firewall" on the TLS control channel: packets without a valid tag are
# dropped before any TLS handshake work. Direction 1 is the client side; the
# server must use the same ta.key with direction 0.
tls-auth /etc/openvpn/grouter_client_qhikteooygdh_ta.key 1
# No local listening port: this side only dials out. The `OpenVPN` firewall
# rule accepting tcp/1194 from wan in the uci dump is therefore useless on
# this router (it belongs on the server) and only widens the WAN surface.
nobind
# Keep key material and the tun device across restarts/reconnects; required
# in particular if a `user`/`group` privilege drop is ever added.
persist-key
persist-tun
# LZO compression of the data channel. Compression plus attacker-influenced
# plaintext enables VORACLE-style leaks; prefer removing it on both sides
# (the server must stop expecting/pushing it as well, or the tunnel breaks).
comp-lzo