1

Subject: OpenVPN access to a host behind the client via the server's IP

I'm trying to reach Domoticz behind an OpenVPN client, following https://eko.one.pl/?p=openwrt-openvpntun
The tunnel is up and everything is OK, except that access through the public IP of the OpenVPN server does not work.
Both the client and the OpenVPN server are routers running LEDE.
In /etc/firewall.user on the client I have:

    iptables -I FORWARD -i tun0 -p tcp -d 192.168.4.241 --dport 8080 -j ACCEPT
    iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.4.241:8080

and on the server:

    iptables -I FORWARD -i eth1 -p tcp -d 10.8.0.3 --dport 8080 -j ACCEPT
    iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to-destination 10.8.0.3:8080

Access via 10.8.0.3 works.
I'm not fluent in iptables and I think that's where the problem is.
There is no eth1 on my server.
My WAN is on eth0.2, so should I put eth0.2 there instead?

2

Re: OpenVPN access to a host behind the client via the server's IP

Exactly: if your WAN is eth0.2, then that is what you put in.

Got a spare router, broken or not? I'll gladly take it in.
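An added example, not code from the thread or from the eko.one.pl guide, of how I would write the same pair of rules for /etc/firewall.user so that the interface question above cannot go wrong silently: `iptables` accepts `-i eth1` even when the router has no eth1, and such a rule simply never matches. The script assumes a LEDE/OpenWrt router with fw3 (whose RELATED,ESTABLISHED rule already covers reply traffic, so the FORWARD accept is limited to NEW connections), takes the WAN device from `uci -q get network.wan.ifname` when it is not given, and reuses the thread's own addresses (10.8.0.3, 192.168.4.241, port 8080). `KNOWN_IFACES` and `DRYRUN` are hypothetical knobs added so the logic can be exercised off the router.

```shell
#!/bin/sh
# Added example (not from the thread): build and install the two iptables rules
# that publish a TCP port through an OpenVPN tunnel, for /etc/firewall.user on a
# LEDE/OpenWrt router. Used twice in this setup: on the server with the WAN
# device (eth0.2) and the client's tunnel address (10.8.0.3), and on the client
# with tun0 and the LAN host (192.168.4.241).

# Print the FORWARD accept and the PREROUTING DNAT for TCP $3 arriving on
# interface $1, redirected to $2:$3. Only NEW connections need the FORWARD
# accept; replies are covered by fw3's RELATED,ESTABLISHED rule.
forward_rules() {
    in_if=$1; target=$2; port=$3
    printf 'iptables -I FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$in_if" "$target" "$port"
    printf 'iptables -t nat -I PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$in_if" "$port" "$target" "$port"
}

# Does interface $1 exist on this box? KNOWN_IFACES (space-separated,
# hypothetical test knob) overrides the /sys lookup for offline runs.
iface_exists() {
    if [ -n "$KNOWN_IFACES" ]; then
        case " $KNOWN_IFACES " in *" $1 "*) return 0 ;; esac
        return 1
    fi
    [ -d "/sys/class/net/$1" ]
}

# Refuse to install rules bound to a device that is not there (iptables itself
# would accept them and they would match nothing). With DRYRUN=1 the commands
# are printed instead of executed.
install_forward() {
    if ! iface_exists "$1"; then
        echo "install_forward: no interface '$1' on this router" >&2
        echo "  (WAN device on LEDE: uci -q get network.wan.ifname)" >&2
        return 1
    fi
    forward_rules "$@" | while IFS= read -r cmd; do
        if [ "$DRYRUN" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Run with DRYRUN=1 to see what would be installed on the server; the WAN
# device comes from $1 or from UCI (eth0.2 on the router in this thread).
# The client side would be: install_forward tun0 192.168.4.241 8080
if [ "${DRYRUN:-0}" = 1 ]; then
    wan=${1:-$(uci -q get network.wan.ifname 2>/dev/null)}
    install_forward "${wan:-eth0.2}" 10.8.0.3 8080
fi
```

Because fw3 re-runs /etc/firewall.user on every `/etc/init.d/firewall restart`, the `-I` inserts are re-applied cleanly each time; the interface guard turns the silent "rule with zero counters" failure from later in this thread into an error at load time.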

3

Re: OpenVPN access to a host behind the client via the server's IP

OK, testing it now. I hope nothing breaks, because otherwise I'll be trudging 50 km :)

4

Re: OpenVPN access to a host behind the client via the server's IP

Well, it won't work.
On the client I have:

    iptables -L | grep 192.168.4.241
    ACCEPT     tcp  --  anywhere             192.168.4.241        tcp dpt:8080

On the server:

    iptables -L | grep 8080
    ACCEPT     tcp  --  anywhere             10.8.0.3             tcp dpt:8080

and via the public <server IP>:8080 it doesn't work.
Nmap does not show the port as open on the WAN. Is that expected? Or do I also need to open port 8080 on the server?

5

Re: OpenVPN access to a host behind the client via the server's IP

    iptables -v -L
    iptables -v -L -t nat

Show me the output of these from the server.


6 (edited by xury 2018-10-24 13:56:43)

Re: OpenVPN access to a host behind the client via the server's IP

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2018.06.22 19:49:23 =~=~=~=~=~=~=~=~=~=~=~=
login as: root
root@'s password: 


BusyBox v1.25.1 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (17.01-SNAPSHOT, r3499-a006b48)
    \________\/    -----------------------------------------------------------

 -----------------------------------------------------------------------------
 |                                                                           |
 | Build time: 2017-09-01 18:40 CEST                                         |
 |                                                                           |
 | Cezary Jackiewicz (obsy), http://eko.one.pl                               |
 |                                                                           |
 -----------------------------------------------------------------------------
 | Machine: TP-Link TL-WR1043N/ND v4                                         |
 | Uptime: 0d, 00:21:49                                                      |
 | Load: 0.00 0.02 0.00                                                      |
 | Flash: total: 11.2MB, free: 7.7MB, used: 31%                              |
 | Memory: total: 58.9MB, free: 45.0MB, used: 23%                            |
 | WAN: 192.168.33.52, proto: static                                         |
 | LAN: 192.168.3.1, leases: 1                                               |
 -----------------------------------------------------------------------------
root@stromiec:~# iptables -v -L 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   10   678 ACCEPT     all  --  lo     any     anywhere             anywhere             /* !fw3 */
 8466  611K input_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
 2860  353K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
 5469  242K syn_flood  tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
   57  6029 zone_lan_input  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
 3681  169K zone_wan_input  all  --  eth0.2 any     anywhere             anywhere             /* !fw3 */
    2    82 zone_vpn_input  all  --  tun0   any     anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  eth0.2 any     anywhere             10.8.0.3             tcp dpt:8080
 1071 44939 forwarding_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
  965 39323 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
   42  2098 zone_lan_forward  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_forward  all  --  eth0.2 any     anywhere             anywhere             /* !fw3 */
   64  3518 zone_vpn_forward  all  --  tun0   any     anywhere             anywhere             /* !fw3 */
    0     0 reject     all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   10   678 ACCEPT     all  --  any    lo      anywhere             anywhere             /* !fw3 */
 6159  447K output_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
 6046  438K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
    1   343 zone_lan_output  all  --  any    br-lan  anywhere             anywhere             /* !fw3 */
  112  8420 zone_wan_output  all  --  any    eth0.2  anywhere             anywhere             /* !fw3 */
    0     0 zone_vpn_output  all  --  any    tun0    anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination         
 3558  157K REJECT     tcp  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
    7  2020 REJECT     all  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3603  160K RETURN     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
 1866 82128 DROP       all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   343 ACCEPT     all  --  any    br-lan  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   42  2098 forwarding_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
   42  2098 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding lan -> wan */
   42  2098 ACCEPT     all  --  any    any     anywhere             anywhere             /* !fw3: forwarding lan -> * */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   57  6029 input_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
   57  6029 zone_lan_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   343 output_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
    1   343 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   57  6029 ACCEPT     all  --  br-lan any     anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_vpn_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    tun0    anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
   64  3518 ACCEPT     all  --  any    tun0    anywhere             anywhere             /* !fw3 */

Chain zone_vpn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   64  3518 forwarding_vpn_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
   64  3518 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding vpn -> wan */
   64  3518 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding vpn -> lan */
   64  3518 zone_vpn_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: forwarding vpn -> vpn */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_vpn_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_vpn_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2    82 input_vpn_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request /* !fw3: @rule[11] */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain /* !fw3: @rule[12] */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
    2    82 zone_vpn_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_vpn_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_vpn_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
    0     0 zone_vpn_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_vpn_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2    82 ACCEPT     all  --  tun0   any     anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    eth0.2  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
  112  8420 ACCEPT     all  --  any    eth0.2  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  any    eth0.2  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  esp  --  any    any     anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  any    any     anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3681  169K input_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for input */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
    2    80 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
    0     0 ACCEPT     igmp --  any    any     anywhere             anywhere             /* !fw3: Allow-IGMP */
   57  6712 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:openvpn /* !fw3: Allow-OpenVPN-Inbound */
   57  3128 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh /* !fw3: SSH */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
 3565  159K zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  112  8420 output_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for output */
  112  8420 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3565  159K reject     all  --  eth0.2 any     anywhere             anywhere             /* !fw3 */
root@stromiec:~# 

and the second one:

iptables -v -L -t nat
Chain PREROUTING (policy ACCEPT 5703 packets, 261K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:8080 to:10.8.0.3:8080
 5703  261K prerouting_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for prerouting */
  158 13170 zone_lan_prerouting  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
 5533  247K zone_wan_prerouting  all  --  eth0.2 any     anywhere             anywhere             /* !fw3 */
   12   639 zone_vpn_prerouting  all  --  tun0   any     anywhere             anywhere             /* !fw3 */

Chain INPUT (policy ACCEPT 76 packets, 5451 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 127 packets, 10032 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 8 packets, 1077 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3753  155K postrouting_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for postrouting */
    2   671 zone_lan_postrouting  all  --  any    br-lan  anywhere             anywhere             /* !fw3 */
 3720  153K zone_wan_postrouting  all  --  any    eth0.2  anywhere             anywhere             /* !fw3 */
   25  1322 zone_vpn_postrouting  all  --  any    tun0    anywhere             anywhere             /* !fw3 */

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   671 postrouting_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for postrouting */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  158 13170 prerouting_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for prerouting */

Chain zone_vpn_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   25  1322 postrouting_vpn_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for postrouting */
   25  1322 MASQUERADE  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_vpn_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   12   639 prerouting_vpn_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for prerouting */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3720  153K postrouting_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for postrouting */
 3720  153K MASQUERADE  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 5533  247K prerouting_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for prerouting */

7

Re: OpenVPN access to a host behind the client via the server's IP

Oh dear, I think I know what it is.
I forgot that the server is not the first router; there is a DMZ set up pointing at it.
I once set up access to the upstream router over the VPN, but I've forgotten how it was done.
I think I added a route.

8

Re: OpenVPN access to a host behind the client via the server's IP

Then check that you really have that DMZ, because you need the port forward there as well. For now your counters are at zero, so no packet has reached the rule yet.

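As an added example (not from the reply above, the thread or the LEDE project), the check the answer does by eye, turned into a script that runs on the router itself against the output of `iptables -v -L` and `iptables -v -L -t nat`: fw3 tags every rule it generates with a `/* !fw3 */` comment, so any rule without that comment came from /etc/firewall.user or was added by hand. For those user rules the script reports an in/out interface that fw3 itself never references anywhere (which is exactly the stale eth1 in the PREROUTING listing above, on a router whose WAN is eth0.2) and a packet counter still at zero. The embedded sample is a constructed excerpt of the server output pasted above, so the script can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit `iptables -v -L` output for user
# rules that can never fire. On a LEDE/OpenWrt box:
#   { iptables -v -L; iptables -v -L -t nat; } | audit_iptables
# Rules generated by fw3 carry a "/* !fw3 */" comment; the set of interfaces
# those rules use is taken as the set of devices the firewall knows about.

audit_iptables() {
    awk '
    /^Chain /               { chain = $2; next }   # chain header
    $1 == "pkts" || NF < 9  { next }               # column header, blank lines
    {
        n++
        chain_[n] = chain; pkts[n] = $1; target[n] = $3
        in_[n] = $6; out_[n] = $7
        fw3[n] = ($0 ~ /!fw3/)
        if (fw3[n]) { known[$6] = 1; known[$7] = 1 }
    }
    END {
        known["any"] = 1
        for (i = 1; i <= n; i++) {
            if (fw3[i]) continue              # only hand-written rules are audited
            if (!(in_[i] in known))
                printf "%s: %s rule bound to unknown interface %s\n", chain_[i], target[i], in_[i]
            if (!(out_[i] in known))
                printf "%s: %s rule bound to unknown interface %s\n", chain_[i], target[i], out_[i]
            if (pkts[i] + 0 == 0)             # "611K"-style counters still parse as non-zero
                printf "%s: %s rule has matched 0 packets so far\n", chain_[i], target[i]
        }
    }'
}

# Constructed excerpt of the server output pasted in this thread, for offline use.
sample_output() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0.2 any     anywhere             10.8.0.3             tcp dpt:8080
 1071 44939 forwarding_rule  all  --  any    any     anywhere             anywhere             /* !fw3: user chain for forwarding */
    0     0 zone_wan_forward  all  --  eth0.2 any     anywhere             anywhere             /* !fw3 */
   64  3518 zone_vpn_forward  all  --  tun0   any     anywhere             anywhere             /* !fw3 */

Chain PREROUTING (policy ACCEPT 5703 packets, 261K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:8080 to:10.8.0.3:8080
 5533  247K zone_wan_prerouting  all  --  eth0.2 any     anywhere             anywhere             /* !fw3 */
   12   639 zone_vpn_prerouting  all  --  tun0   any     anywhere             anywhere             /* !fw3 */
EOF
}

# Run with --demo to audit the embedded sample instead of live output.
if [ "${1:-}" = "--demo" ]; then
    sample_output | audit_iptables
fi
```

On the sample this prints three lines: the FORWARD accept has matched nothing, and the PREROUTING DNAT is both bound to the unknown interface eth1 and unmatched. The interface heuristic only knows devices that belong to a configured fw3 zone, so a device used solely by hand-written rules is also reported as unknown, which is usually worth a second look anyway. Note that on this server the FORWARD counter stays at zero until the DNAT is fixed: a packet arriving on eth0.2 for port 8080 is still addressed to the router's own WAN address, so it never has 10.8.0.3 as destination when FORWARD sees it.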

9 (edited by xury 2018-06-22 20:18:29)

Re: OpenVPN access to a host behind the client via the server's IP

Damn, but I don't know how to reach that router remotely. I suppose I need to add a route?

OK. I got into the upstream router. I added a route in the Windows cmd and it worked. The DMZ was set. I also have a port forward for the SSH port of the LEDE router set up, because I remember it wouldn't work with the DMZ alone.
I set up the same port forward for port 8080 and unfortunately it doesn't work.
That router is a disaster. A DSL Comtrend with no admin access.
When I try to connect I keep getting connection refused.
[edit]
OK, it works. My mistake, of course: I forgot to change eth1 to eth0.2 in the second line.... Embarrassing!!!
Thanks Cezary.