1 (edited by nicox 2021-05-04 07:39:39)

Topic: openvpn forwarding configuration

Hello,
I'm asking for help with configuring the network and OpenVPN. Assumptions:
- The client (PC) connects to the VPN server and sees all devices in the 10.8.0.0/16 pool.
- The individual devices (routers with OpenWrt and a modem) connect to the server and get an IP assigned by name from the CN, and as an additional safeguard these devices must not be able to 'see' other clients.
- Devices from two different networks are attached to the routers, i.e. 10.10.15.0/24 and 192.168.10.0/24. The router's address is 10.10.15.1 and it hands out IPs from that same subnet to temporary users. On the second network (192.168.10.0/24) there is a device with the address 192.168.10.150.


The end result should be that the client (PC), after connecting to the VPN, types e.g. 10.10.85.39:80 into the browser's address bar and the page from the device 192.168.10.150 opens in the browser.

I tried to do this following the guide "OpenWrt - konfiguracja serwera OpenVPN w trybie TUN" with the example "Dostęp do kamery za klientem".
Unfortunately I can't achieve what is described above.

My configuration at the moment.
VPN server:

bash-5.0# cat /etc/openvpn/openvpn.conf
server 10.8.0.0 255.255.0.0
verb 3
key
ca 
cert 
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

client-config-dir /etc/openvpn/ccd
topology subnet

proto udp

# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

ifconfig

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

nmap run from the VPN server:

Nmap scan report for 10.8.85.39
Host is up (0.035s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   filtered http
443/tcp  open     https
8080/tcp filtered http-proxy

iptables:

bash-5.0# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 5 packets, 346 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 5 packets, 346 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1206 packets, 53089 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    69 DOCKER_OUTPUT  all  --  *      *       0.0.0.0/0            127.0.0.11

Chain POSTROUTING (policy ACCEPT 1207 packets, 53158 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    69 DOCKER_POSTROUTING  all  --  *      *       0.0.0.0/0            127.0.0.11
    0     0 MASQUERADE  all  --  *      eth0    10.10.0.0/16         0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth0    192.168.254.0/24     0.0.0.0/0

Chain DOCKER_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.11           tcp dpt:53 to:127.0.0.11:46055
    1    69 DNAT       udp  --  *      *       0.0.0.0/0            127.0.0.11           udp dpt:53 to:127.0.0.11:58556

Chain DOCKER_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      *       127.0.0.11           0.0.0.0/0            tcp spt:46055 to::53
    0     0 SNAT       udp  --  *      *       127.0.0.11           0.0.0.0/0            udp spt:58556 to::53


Client 10.8.85.39:
ifconfig

root@MiFi:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 0C:80:63:97:61:78
          inet addr:192.168.10.151  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::e80:63ff:fe97:6178/64 Scope:Link
          inet6 addr: fd94:1ee2:1196::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1661 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1965 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:109466 (106.9 KiB)  TX bytes:143902 (140.5 KiB)

eth0      Link encap:Ethernet  HWaddr 0C:80:63:97:61:78
          inet6 addr: fe80::e80:63ff:fe97:6178/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23315 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3536 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1586258 (1.5 MiB)  TX bytes:673351 (657.5 KiB)
          Interrupt:5

eth0.1    Link encap:Ethernet  HWaddr 0C:80:63:97:61:78
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1661 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1965 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:109466 (106.9 KiB)  TX bytes:143902 (140.5 KiB)

eth0.2    Link encap:Ethernet  HWaddr 0C:80:63:97:61:79
          inet6 addr: fe80::e80:63ff:fe97:6179/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:786 (786.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:52853 errors:0 dropped:0 overruns:0 frame:0
          TX packets:52853 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4281992 (4.0 MiB)  TX bytes:4281992 (4.0 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.85.39  P-t-P:10.8.85.39  Mask:255.255.0.0
          inet6 addr: fe80::ea65:470:ff9b:6c2f/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1055 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:59850 (58.4 KiB)  TX bytes:47832 (46.7 KiB)

wwan0     Link encap:Ethernet  HWaddr 58:2C:80:13:92:63
          inet addr:....................  Bcast:.......................  Mask:255.255.255.248
          inet6 addr: fe80::5a2c:80ff:fe13:9263/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55651 errors:0 dropped:0 overruns:0 frame:0
          TX packets:61305 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4684193 (4.4 MiB)  TX bytes:7178023 (6.8 MiB)
root@MiFi:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd94:1ee2:1196::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.15.1'

config interface 'lan_sip'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.10.151'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '0c:80:63:97:61:79'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'

config interface 'wan'
        option apn 'internet'
        option device '/dev/cdc-wdm0'
        option proto 'ncm'
root@MiFi:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'lan_bop'
        option name 'lan_bop'
        list network 'lan_sip'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        #list device 'tun+'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config zone 'vpn'
        option network 'vpn0'
        option output 'ACCEPT'
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config forwarding 'vpn_forwarding_lan_out'
        option dest 'vpn'
        option src 'lan'

config forwarding 'vpn_forwarding_lan'
        option dest 'lan'
        option src 'vpn'

config redirect
        option target 'DNAT'
        option src 'vpn'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.10.151'
        option dest_port '80'
        option dest 'lan_bop'
        option name 'red_80'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'vpn'
        option proto 'tcp'
        option dest_port '80'
        option name 'AllowWANWeb'

config route 'net1'
        option interface 'vpn'
        option target '192.168.10.0'
        option netmask '255.255.255.0'
        option gateway '10.8.85.39'

config rule
        option  name            'Accept_vpn_to_151_80'
        option  src             'vpn'
        #option src_ip          '192.168.1.2'
        #option src_mac         '00:11:22:33:44:55'
        #option src_port        '80'
        option  dest            'lan_bop'
        option  dest_ip         '192.168.10.150'
        option  dest_port       '80'
        option  proto           'tcp'
        option  target          'ACCEPT'

config include
        option path '/etc/firewall.user'
root@MiFi:~# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

iptables -I FORWARD -i tun0 -p tcp -d 1 --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.2.2:8080

#iptables -I FORWARD -i tun0 -p tcp -d 192.168.10.151 --dport 80 -j ACCEPT
#iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.151:80

iptables -I FORWARD -i tun0 -p tcp -d 192.168.10.150 --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.150:80

iptables

root@MiFi:~#  iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 1223 packets, 54524 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   324 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.10.150:80
    6   264 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.168.2.2:8080
 1223 54524 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
   24  1752 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_lan_bop_prerouting  all  --  br-lan_sip *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_prerouting  all  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 1199 52772 zone_vpn_prerouting  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 999 packets, 43972 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 89 packets, 7016 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2 packets, 88 bytes)
 pkts bytes target     prot opt in     out     source               destination
   96  7324 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
    2    88 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_lan_bop_postrouting  all  --  *      br-lan_sip  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   94  7236 zone_wan_postrouting  all  --  *      wwan0   0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_vpn_postrouting  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain postrouting_lan_bop_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_bop_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_bop_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 postrouting_lan_bop_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan_bop postrouting rule chain */

Chain zone_lan_bop_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_lan_bop_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan_bop prerouting rule chain */

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    88 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1752 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */

Chain zone_vpn_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 postrouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom vpn postrouting rule chain */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_vpn_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1199 52772 prerouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom vpn prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: red_80 */ to:192.168.10.151:80

Chain zone_wan_postrouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
   94  7236 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
   94  7236 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
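As an added example (not from the post above or any project), here is a small shell helper that builds the client-config-dir entries and server-side rules the stated requirements call for: fixed per-CN addresses in 10.8.0.0/16, an iroute for the router fronting 192.168.10.0/24, and tunnel-to-tunnel filtering on the server so that only the PC can reach other clients. The CN names, the PC address 10.8.0.10 and the CCD_DIR default are constructed; only 10.8.85.39 and the 192.168.10.0/24 network come from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Builds OpenVPN client-config-dir
# (ccd) files: each device gets a fixed 10.8.0.0/16 address tied to its CN, the
# router that fronts 192.168.10.0/24 gets an iroute, and "client-to-client" is
# left out so peer traffic crosses the server kernel, where iptables can allow
# only the PC to reach other clients. CCD_DIR, CN names and 10.8.0.10 are assumed.

CCD_DIR="${CCD_DIR:-/tmp/openvpn-ccd-example}"   # the post uses /etc/openvpn/ccd
VPN_MASK="255.255.0.0"   # matches "server 10.8.0.0 255.255.0.0" with topology subnet

# ccd_entry CN VPN_IP [LAN_NET LAN_MASK]  -> prints the ccd file body
ccd_entry() {
    cn="$1"; ip="$2"; lan="$3"; mask="$4"
    # The CN becomes a file name under CCD_DIR, so refuse anything that could
    # escape the directory (slashes, ".", "..", empty CN).
    case "$cn" in
        ""|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf 'ifconfig-push %s %s\n' "$ip" "$VPN_MASK"
    # iroute tells OpenVPN which client sits in front of that LAN; it must be
    # paired with a matching "route" in the server config (server_directives).
    [ -n "$lan" ] && printf 'iroute %s %s\n' "$lan" "$mask"
    return 0
}

# write_ccd CN VPN_IP [LAN_NET LAN_MASK] -> writes $CCD_DIR/CN and echoes its path
write_ccd() {
    body=$(ccd_entry "$@") || return 1   # validate before touching the filesystem
    mkdir -p "$CCD_DIR"
    printf '%s\n' "$body" > "$CCD_DIR/$1"
    echo "$CCD_DIR/$1"
}

# server_directives LAN_NET LAN_MASK -> prints the server.conf lines the iroute needs
server_directives() {
    printf 'client-config-dir %s\n' "$CCD_DIR"
    printf 'topology subnet\n'
    printf 'route %s %s\n' "$1" "$2"   # kernel route for the LAN behind the router
    printf '# no "client-to-client": peer traffic is routed by the kernel, not OpenVPN\n'
}

# isolation_rules PC_IP -> prints iptables rules for the VPN server host: only the
# PC may open connections to other tunnel clients; device-to-device is dropped.
isolation_rules() {
    printf 'iptables -A FORWARD -i tun0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -i tun0 -o tun0 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A FORWARD -i tun0 -o tun0 -j DROP\n'
}

# Constructed sample: the MiFi router keeps 10.8.85.39 and fronts 192.168.10.0/24;
# the PC is given 10.8.0.10.
write_ccd mifi-router 10.8.85.39 192.168.10.0 255.255.255.0
write_ccd pc-client 10.8.0.10
server_directives 192.168.10.0 255.255.255.0
isolation_rules 10.8.0.10
```

The generated ccd files only pin addresses; the isolation itself comes from the FORWARD rules, which have to run on the host that owns the server's tun0.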