Subject: openvpn forwarding configuration
Hello,
I'm asking for help configuring the network and OpenVPN. Assumptions:
- The client (PC) connects to the VPN server and sees all devices in the 10.8.0.0/16 pool
- Individual devices (an OpenWrt router with a modem) connect to the server and are assigned an IP based on their CN, and, as an additional safeguard, these devices must not be able to 'see' other clients.
- Devices from two different networks, 10.10.15.0/24 and 192.168.10.0/24, are connected to the routers. The router's address is 10.10.15.1 and it hands out IPs from that same subnet to temporary users. On the second network (192.168.10.0/24) there is a device with the address 192.168.10.150.
The end result should be that the client (PC), after connecting to the VPN, types e.g. 10.10.85.39:80 into the browser's address bar and the web page from the device 192.168.10.150 opens in the browser.
I tried to do this following the guide "OpenWrt - konfiguracja serwera OpenVPN w trybie TUN" (OpenWrt - OpenVPN server configuration in TUN mode) with the example "Dostęp do kamery za klientem" (Access to a camera behind the client).
Unfortunately I can't achieve what is described above.
My configuration at the moment.
VPN server:
bash-5.0# cat /etc/openvpn/openvpn.conf
server 10.8.0.0 255.255.0.0
verb 3
key
ca
cert
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
client-config-dir /etc/openvpn/ccd
topology subnet
proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log
user nobody
group nogroup
comp-lzo no
### Route Configurations Below
route 192.168.254.0 255.255.255.0
### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

ifconfig
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.0.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

nmap run from the VPN server:
Nmap scan report for 10.8.85.39
Host is up (0.035s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp filtered http
443/tcp open https
8080/tcp filtered http-proxy

iptables:
bash-5.0# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 5 packets, 346 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 5 packets, 346 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1206 packets, 53089 bytes)
pkts bytes target prot opt in out source destination
1 69 DOCKER_OUTPUT all -- * * 0.0.0.0/0 127.0.0.11
Chain POSTROUTING (policy ACCEPT 1207 packets, 53158 bytes)
pkts bytes target prot opt in out source destination
1 69 DOCKER_POSTROUTING all -- * * 0.0.0.0/0 127.0.0.11
0 0 MASQUERADE all -- * eth0 10.10.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * eth0 192.168.254.0/24 0.0.0.0/0
Chain DOCKER_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 127.0.0.11 tcp dpt:53 to:127.0.0.11:46055
1 69 DNAT udp -- * * 0.0.0.0/0 127.0.0.11 udp dpt:53 to:127.0.0.11:58556
Chain DOCKER_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT tcp -- * * 127.0.0.11 0.0.0.0/0 tcp spt:46055 to::53
0 0 SNAT udp -- * * 127.0.0.11 0.0.0.0/0 udp spt:58556 to::53

Client 10.8.85.39:
ifconfig
root@MiFi:~# ifconfig
br-lan Link encap:Ethernet HWaddr 0C:80:63:97:61:78
inet addr:192.168.10.151 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::e80:63ff:fe97:6178/64 Scope:Link
inet6 addr: fd94:1ee2:1196::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1661 errors:0 dropped:0 overruns:0 frame:0
TX packets:1965 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:109466 (106.9 KiB) TX bytes:143902 (140.5 KiB)
eth0 Link encap:Ethernet HWaddr 0C:80:63:97:61:78
inet6 addr: fe80::e80:63ff:fe97:6178/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23315 errors:0 dropped:0 overruns:0 frame:0
TX packets:3536 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1586258 (1.5 MiB) TX bytes:673351 (657.5 KiB)
Interrupt:5
eth0.1 Link encap:Ethernet HWaddr 0C:80:63:97:61:78
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1661 errors:0 dropped:0 overruns:0 frame:0
TX packets:1965 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:109466 (106.9 KiB) TX bytes:143902 (140.5 KiB)
eth0.2 Link encap:Ethernet HWaddr 0C:80:63:97:61:79
inet6 addr: fe80::e80:63ff:fe97:6179/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:786 (786.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:52853 errors:0 dropped:0 overruns:0 frame:0
TX packets:52853 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4281992 (4.0 MiB) TX bytes:4281992 (4.0 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.85.39 P-t-P:10.8.85.39 Mask:255.255.0.0
inet6 addr: fe80::ea65:470:ff9b:6c2f/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1276 errors:0 dropped:0 overruns:0 frame:0
TX packets:1055 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:59850 (58.4 KiB) TX bytes:47832 (46.7 KiB)
wwan0 Link encap:Ethernet HWaddr 58:2C:80:13:92:63
inet addr:.................... Bcast:....................... Mask:255.255.255.248
inet6 addr: fe80::5a2c:80ff:fe13:9263/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:55651 errors:0 dropped:0 overruns:0 frame:0
TX packets:61305 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4684193 (4.4 MiB) TX bytes:7178023 (6.8 MiB)

root@MiFi:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd94:1ee2:1196::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.10.15.1'
config interface 'lan_sip'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.10.151'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '0c:80:63:97:61:79'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 6t'
config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
config interface 'wan'
option apn 'internet'
option device '/dev/cdc-wdm0'
option proto 'ncm'

root@MiFi:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone 'lan_bop'
option name 'lan_bop'
list network 'lan_sip'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
#list device 'tun+'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config zone 'vpn'
option network 'vpn0'
option output 'ACCEPT'
option name 'vpn'
option input 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config forwarding 'vpn_forwarding_lan_out'
option dest 'vpn'
option src 'lan'
config forwarding 'vpn_forwarding_lan'
option dest 'lan'
option src 'vpn'
config redirect
option target 'DNAT'
option src 'vpn'
option proto 'tcp'
option src_dport '80'
option dest_ip '192.168.10.151'
option dest_port '80'
option dest 'lan_bop'
option name 'red_80'
config rule
option enabled '1'
option target 'ACCEPT'
option src 'vpn'
option proto 'tcp'
option dest_port '80'
option name 'AllowWANWeb'
config route 'net1'
option interface 'vpn'
option target '192.168.10.0'
option netmask '255.255.255.0'
option gateway '10.8.85.39'
config rule
option name 'Accept_vpn_to_151_80'
option src 'vpn'
#option src_ip '192.168.1.2'
#option src_mac '00:11:22:33:44:55'
#option src_port '80'
option dest 'lan_bop'
option dest_ip '192.168.10.150'
option dest_port '80'
option proto 'tcp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'

root@MiFi:~# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
iptables -I FORWARD -i tun0 -p tcp -d 1 --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.2.2:8080
#iptables -I FORWARD -i tun0 -p tcp -d 192.168.10.151 --dport 80 -j ACCEPT
#iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.151:80
iptables -I FORWARD -i tun0 -p tcp -d 192.168.10.150 --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.150:80

iptables:
root@MiFi:~# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 1223 packets, 54524 bytes)
pkts bytes target prot opt in out source destination
7 324 DNAT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.10.150:80
6 264 DNAT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.168.2.2:8080
1223 54524 prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
24 1752 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_lan_bop_prerouting all -- br-lan_sip * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_prerouting all -- wwan0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_prerouting all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
1199 52772 zone_vpn_prerouting all -- tun0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain INPUT (policy ACCEPT 999 packets, 43972 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 89 packets, 7016 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2 packets, 88 bytes)
pkts bytes target prot opt in out source destination
96 7324 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom postrouting rule chain */
2 88 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_lan_bop_postrouting all -- * br-lan_sip 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
94 7236 zone_wan_postrouting all -- * wwan0 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_postrouting all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_vpn_postrouting all -- * tun0 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain postrouting_lan_bop_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_bop_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_bop_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_lan_bop_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan_bop postrouting rule chain */
Chain zone_lan_bop_prerouting (1 references)
pkts bytes target prot opt in out source destination
0 0 prerouting_lan_bop_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan_bop prerouting rule chain */
Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
2 88 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
24 1752 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */
Chain zone_vpn_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom vpn postrouting rule chain */
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_vpn_prerouting (1 references)
pkts bytes target prot opt in out source destination
1199 52772 prerouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom vpn prerouting rule chain */
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* !fw3: red_80 */ to:192.168.10.151:80
Chain zone_wan_postrouting (2 references)
pkts bytes target prot opt in out source destination
94 7236 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */
94 7236 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_prerouting (2 references)
pkts bytes target prot opt in out source destination
0 0 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */
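As an added example (not from the post above), this small Python walk of the router's nat PREROUTING listing shows which DNAT rule a packet arriving on tun0 for TCP port 80 actually hits: the rule from /etc/firewall.user, inserted with -I, sits ahead of fw3's zone_vpn_prerouting jump, so the uci redirect red_80 (to 192.168.10.151) is never reached for such packets. The sample listing is the post's own output trimmed to the chains a tun0 packet traverses; parse_chains and first_dnat are names chosen for this example.

```python
import re

# nat PREROUTING listing from the post, trimmed to the chains a tun0
# packet traverses (constructed sample for this example).
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 1223 packets, 54524 bytes)
 pkts bytes target prot opt in out source destination
    7   324 DNAT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.10.150:80
    6   264 DNAT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.168.2.2:8080
 1223 54524 prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
 1199 52772 zone_vpn_prerouting all -- tun0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_vpn_prerouting (1 references)
 pkts bytes target prot opt in out source destination
 1199 52772 prerouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom vpn prerouting rule chain */
    0     0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* !fw3: red_80 */ to:192.168.10.151:80
Chain prerouting_vpn_rule (1 references)
 pkts bytes target prot opt in out source destination
"""

def parse_chains(listing):
    """Return {chain_name: [rule, ...]} with the fields first_dnat() needs."""
    chains, cur = {}, None
    for line in listing.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Chain":
            cur = f[1]
            chains[cur] = []
        elif cur and f[0].isdigit():          # skip the 'pkts bytes ...' header
            dpt = re.search(r"dpt:(\d+)", line)
            to = re.search(r"to:(\S+)", line)
            chains[cur].append({"target": f[2], "proto": f[3], "in": f[5],
                                "dport": int(dpt.group(1)) if dpt else None,
                                "to": to.group(1) if to else None})
    return chains

def first_dnat(chains, in_if, proto, dport, chain="PREROUTING"):
    """Walk a chain as the kernel does: first match wins; a jump enters the
    user chain and falls back to the caller when nothing matched there."""
    for r in chains.get(chain, []):
        if (r["in"] not in ("*", in_if) or r["proto"] not in ("all", proto)
                or r["dport"] not in (None, dport)):
            continue
        if r["target"] == "DNAT":
            return chain, r["to"]
        if r["target"] in chains:             # jump into a user-defined chain
            hit = first_dnat(chains, in_if, proto, dport, r["target"])
            if hit:
                return hit
    return None
```

Running first_dnat(parse_chains(NAT_LISTING), "tun0", "tcp", 80) answers ("PREROUTING", "192.168.10.150:80"); the same query started at chain "zone_vpn_prerouting" returns the red_80 target, which shows the two rules on the page compete and only the earlier one is ever used.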