Temat: openvpn - tap - vlan - brak internetu po połączeniu z vpn - klient?
Od początku: najpierw utworzyłem dwie oddzielne sieci vlan:
pierwszą pod sieć domową, gdzie internet jest z 10.0.0.27,
drugą pod vpn w trybie tap, tak aby dhcp przychodziło z serwera vpn (to działa).
Ogólnie vpn działa prawidłowo – klient otrzymuje adresy z sieci lokalnej serwera vpn, ale po zestawieniu VPN przestaje działać internet w sieci 'lan'.
Co może być tego przyczyną?
network:
config interface 'lan'
option ifname 'eth1.1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.2.1'
option dns '192.168.2.1'
config interface 'lan2'
option ifname 'eth1.2 tap0'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.110'
dhcp:
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'lan2'
option interface 'lan2'
option start '100'
option limit '150'
option leasetime '12h'
firewall:
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward REJECT
config zone
option name lan2
list network 'lan2'
option input ACCEPT
option output ACCEPT
option forward REJECT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
#config zone
# option name 'VPN_client'
# option input 'ACCEPT'
# option forward 'REJECT'
# option output 'ACCEPT'
# option network 'VPN_client'
#config forwarding
# option dest 'lan'
# option src 'VPN_client'
#config forwarding
# option dest 'VPN_client'
# option src 'lan'
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src '*'
option proto 'udp'
config forwarding
option src lan
option dest wan
config forwarding
option src lan2
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
# allow IPsec/ESP and ISAKMP passthrough
#config rule
# option src wan
# option dest lan
# option protocol esp
# option target ACCEPT
#config rule
# option src wan
# option dest lan
# option src_port 500
# option dest_port 500
# option proto udp
# option target ACCEPT
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
informacje przed połączeniem wyglądają następująco (dane z routera)
root@OpenWrt:~# traceroute wp.pl
traceroute to wp.pl (212.77.98.9), 30 hops max, 38 byte packets
1 10.0.0.27 (10.0.0.27) 0.412 ms 0.235 ms 0.217 ms
2 clj-9.netdrive.pl (185.24.26.9) 0.496 ms 0.416 ms 0.419 ms
3 212.109.148.6 (212.109.148.6) 1.025 ms 0.724 ms 0.715 ms
4 TASK-COM.ix.rtr.pionier.gov.pl (212.191.226.16) 8.999 ms 9.177 ms 8.976 ms
5 213.192.64.234 (213.192.64.234) 9.015 ms 9.018 ms 9.086 ms
6 kom-wp-gw.task.gda.pl (213.192.64.26) 16.699 ms 105.568 ms 16.868 ms
7 rtr4.rtr-int-2.adm.wp-sa.pl (212.77.96.77) 16.808 ms 17.129 ms 17.101 ms
root@OpenWrt:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.27 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan2
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
root@OpenWrt:~# brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.c46e1f941f0c no eth1.1
br-lan2 7fff.c46e1f941f0c no eth1.2
root@OpenWrt:~# ifconfig
br-lan Link encap:Ethernet HWaddr C4:6E:1F:94:1F:0C
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::c66e:1fff:fe94:1f0c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7120 errors:0 dropped:0 overruns:0 frame:0
TX packets:13448 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1671978 (1.5 MiB) TX bytes:14598995 (13.9 MiB)
br-lan2 Link encap:Ethernet HWaddr C4:6E:1F:94:1F:0C
inet addr:192.168.1.110 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::c66e:1fff:fe94:1f0c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:2298 (2.2 KiB)
eth0 Link encap:Ethernet HWaddr C4:6E:1F:94:1F:0B
inet addr:10.0.0.219 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::c66e:1fff:fe94:1f0b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23455 errors:0 dropped:25 overruns:0 frame:0
TX packets:6669 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15925093 (15.1 MiB) TX bytes:1678781 (1.6 MiB)
Interrupt:4
eth1 Link encap:Ethernet HWaddr C4:6E:1F:94:1F:0C
inet6 addr: fe80::c66e:1fff:fe94:1f0c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7416 errors:0 dropped:0 overruns:0 frame:0
TX packets:13454 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1909732 (1.8 MiB) TX bytes:14653151 (13.9 MiB)
Interrupt:5
eth1.1 Link encap:Ethernet HWaddr C4:6E:1F:94:1F:0C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7408 errors:0 dropped:0 overruns:0 frame:0
TX packets:13432 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1775609 (1.6 MiB) TX bytes:14597339 (13.9 MiB)
eth1.2 Link encap:Ethernet HWaddr C4:6E:1F:94:1F:0C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:1498 (1.4 KiB)
po połączeniu z vpn wygląda to następująco (dane z routera)
root@OpenWrt:~# traceroute wp.pl
traceroute to wp.pl (212.77.98.9), 30 hops max, 38 byte packets
1 192.168.1.1 (192.168.1.1) 61.914 ms 43.741 ms 38.682 ms
2 192.168.0.1 (192.168.0.1) 38.671 ms 56.487 ms 40.159 ms
3 172.18.21.17 (172.18.21.17) 79.826 ms 97.744 ms 87.621 ms
4 172.18.40.67 (172.18.40.67) 91.979 ms 77.906 ms 79.550 ms
5 172.18.40.41 (172.18.40.41) 79.590 ms 172.18.40.42 (172.18.40.42) 99.488 ms 97.010 ms
6 172.18.40.6 (172.18.40.6) 79.119 ms 98.314 ms 172.18.40.2 (172.18.40.2) 79.664 ms
Tutaj, jak widać, ruch nie przechodzi już przez internet z "10.0.0.27", tylko idzie przez 192.168.1.1 (router) i 192.168.0.1 (modem). Odpowiada to logowi OpenVPN poniżej: serwer wysyła w PUSH_REPLY opcję 'redirect-gateway def1', a klient dodaje trasy 0.0.0.0/128.0.0.0 i 128.0.0.0/128.0.0.0 przez 192.168.1.1, które jako bardziej szczegółowe mają pierwszeństwo przed dotychczasową trasą domyślną przez 10.0.0.27.
logi po połączeniu:
Tue Apr 19 13:23:10 2016 authpriv.info dropbear[1307]: Child connection from 192.168.2.240:60399
Tue Apr 19 13:23:13 2016 authpriv.notice dropbear[1307]: Password auth succeeded for 'root' from 192.168.2.240:60399
Tue Apr 19 13:23:24 2016 kern.notice kernel: [ 311.520000] EXT4-fs (sda1): error count since last fsck: 6
Tue Apr 19 13:23:24 2016 kern.notice kernel: [ 311.520000] EXT4-fs (sda1): initial error at time 1461059011: ext4_lookup:1437: inode 77811
Tue Apr 19 13:23:24 2016 kern.notice kernel: [ 311.530000] EXT4-fs (sda1): last error at time 1461059029: ext4_lookup:1437: inode 77811
Tue Apr 19 13:28:28 2016 authpriv.info dropbear[1374]: Child connection from 192.168.2.240:60405
Tue Apr 19 13:28:30 2016 authpriv.notice dropbear[1374]: Password auth succeeded for 'root' from 192.168.2.240:60405
Tue Apr 19 13:30:46 2016 kern.info kernel: [ 753.060000] device tap0 entered promiscuous mode
Tue Apr 19 13:30:46 2016 kern.info kernel: [ 753.070000] br-lan2: port 2(tap0) entered forwarding state
Tue Apr 19 13:30:46 2016 kern.info kernel: [ 753.070000] br-lan2: port 2(tap0) entered forwarding state
Tue Apr 19 13:30:46 2016 daemon.notice netifd: Network device 'tap0' link is up
Tue Apr 19 13:30:48 2016 kern.info kernel: [ 755.070000] br-lan2: port 2(tap0) entered forwarding state
log z vpn:
Tue Apr 19 13:30:40 2016 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 6 2015
Tue Apr 19 13:30:40 2016 library versions: OpenSSL 1.0.2f 28 Jan 2016, LZO 2.08
Tue Apr 19 13:30:40 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Apr 19 13:30:40 2016 WARNING: file '/vpn/tomato_org/client.key' is group or others accessible
Tue Apr 19 13:30:40 2016 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue Apr 19 13:30:40 2016 UDPv4 link local: [undef]
Tue Apr 19 13:30:40 2016 UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
Tue Apr 19 13:30:42 2016 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=4c85ad13 79d36a41
Tue Apr 19 13:30:42 2016 VERIFY OK: depth=1, C=PL, ST=lubuskie, L=ZielonaGora, O=VPN OPENWRT, OU=MyOrganizationalUnit, CN=VPN OPENWRT CA, name=EasyRSA, emailAddress=andrewxxx
Tue Apr 19 13:30:42 2016 VERIFY OK: depth=0, C=PL, ST=lubuskie, L=ZielonaGora, O=VPN OPENWRT, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=andrewxxx
Tue Apr 19 13:30:44 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 19 13:30:44 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 19 13:30:44 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 19 13:30:44 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 19 13:30:44 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Apr 19 13:30:44 2016 [server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Tue Apr 19 13:30:46 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Apr 19 13:30:46 2016 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway 192.168.1.1,redirect-gateway def1,route-gateway dhcp,ping 10,ping-restart 120'
Tue Apr 19 13:30:46 2016 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 19 13:30:46 2016 OPTIONS IMPORT: route options modified
Tue Apr 19 13:30:46 2016 OPTIONS IMPORT: route-related options modified
Tue Apr 19 13:30:46 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Apr 19 13:30:46 2016 TUN/TAP device tap0 opened
Tue Apr 19 13:30:46 2016 TUN/TAP TX queue length set to 100
Tue Apr 19 13:30:46 2016 /sbin/route add -net xx.xx.xx.xx netmask 255.255.255.255 gw 10.0.0.27
Tue Apr 19 13:30:46 2016 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.1.1
Tue Apr 19 13:30:46 2016 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.1.1
Tue Apr 19 13:30:46 2016 Initialization Sequence Completed
Gdzie jest błąd?